下载漏洞扫描工具Nikto
Nikto是一个开源的WEB扫描评估软件,可以对Web服务器进行多项安全测试,能在230多种服务器上扫描出 2600多种有潜在危险的文件、CGI及其他问题。Nikto可以扫描指定主机的WEB类型、主机名、指定目录、特定CGI漏洞、返回主机允许的 http模式等。
安装部署了nginx+modsecurity以后,需要检查一下是否存在漏洞
因此,需要用到这款漏洞扫描工具
以下是Nikto的一些主要功能:
SSL支持(带有OpenSSL的Unix或带有ActiveState的Perl / NetSSL的Windows )全面的HTTP代理支持检查过时的服务器组件以纯文本,XML,HTML,NBE或CSV保存报告可使用模板自定义报告扫描服务器上的多个端口,或者通过其他工具的输出(例如nmap)扫描多个服务器LibWhisker的IDS编码技术通过标题,网站图标和文件识别已安装的软件使用Basic和NTLM进行主机身份验证子域名猜测Apache和cgiwrap用户名枚举
1、下载Nikto
[root@CetnOS-GUI /usr/local/src]# git clone https://github.com/sullo/niktoCloning into 'nikto'...remote: Enumerating objects: 44, done.remote: Counting objects: 100% (44/44), done.remote: Compressing objects: 100% (33/33), done.remote: Total 6136 (delta 22), reused 27 (delta 11), pack-reused 6092Receiving objects: 100% (6136/6136), 4.09 MiB | 10.00 KiB/s, done.Resolving deltas: 100% (4442/4442), done.
2、使用
[root@CetnOS-GUI /usr/local/src/nikto]# perl program/nikto.pl -h localhost- ***** SSL support not available (see docs for SSL install) *****- Nikto v2.1.6---------------------------------------------------------------------------+ Target IP: 127.0.0.1+ Target Hostname: localhost+ Target Port: 80+ Message: Multiple IP addresses found: 127.0.0.1, 127.0.0.1+ Start Time: 2020-12-22 14:17:39 (GMT8)---------------------------------------------------------------------------+ Server: nginx/1.16.1+ The anti-clickjacking X-Frame-Options header is not present.+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.+ No CGI Directories found (use '-C all' to force check all possible dirs)+ 7855 requests: 0 error(s) and 2 item(s) reported on remote host+ End Time: 2020-12-22 14:18:35 (GMT8) (56 seconds)---------------------------------------------------------------------------+ 1 host(s) tested[root@CetnOS-GUI /usr/local/src/nikto]#
结果:7855 requests: 0 error(s) and 2 item(s) reported on remote host
有2个漏洞