
Wapiti crashes my ASP.NET project. Why? How do I fix it?

Stack Overflow user
Asked 2010-02-12 11:39:44
Answers 1 | Views 777 | Followers 0 | Votes 2

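Here is a scan from Wapiti. I noticed that when I have uploaded images (users can upload them), I crash before "Launching module crlf" is reached. So I simply used a fresh instance of my site, ran this, and got the results below.

My questions are:
1. How do I fix the crash?
2. How do I find out what is causing the crash? I used -v 2 to find the URLs and logged them in my application. In both cases I saw no problems, and the project crashed outside of my code.
3. How do I resolve the Unicode warning below?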

 Wapiti-2.2.1 (wapiti.sourceforge.net)
..............................
 Notice
========
This scan has been saved in the file C:\unzipped\wapiti-2.2.1\wapiti-2.2.1\src/s
cans/localhost:17357.xml
You can use it to perform attacks without scanning again the web site with the "
-k" parameter
[*] Loading modules :
        mod_crlf, mod_exec, mod_file, mod_sql, mod_xss, mod_backup, mod_htaccess
, mod_blindsql, mod_permanentxss, mod_nikto

[+] Launching module crlf

[+] Launching module exec

[+] Launching module file

[+] Launching module sql
C:\unzipped\wapiti-2.2.1\wapiti-2.2.1\src\attack\mod_sql.py:185: UnicodeWarning:
 Unicode equal comparison failed to convert both arguments to Unicode - interpre
ting them as being unequal
  if (page, tmp) not in self.attackedPOST:

[+] Launching module xss
Traceback (most recent call last):
  File "wapiti.py", line 449, in <module>
    wap.attack()
  File "wapiti.py", line 266, in attack
    x.attack(self.urls, self.forms)
  File "C:\unzipped\wapiti-2.2.1\wapiti-2.2.1\src\attack\attack.py", line 121, i
n attack
    self.attackGET(page, dictio, headers)
  File "C:\unzipped\wapiti-2.2.1\wapiti-2.2.1\src\attack\mod_xss.py", line 71, i
n attackGET
    self.findXSS(page, {}, "", code, "", payloads, headers["link_encoding"])
  File "C:\unzipped\wapiti-2.2.1\wapiti-2.2.1\src\attack\mod_xss.py", line 306,
in findXSS
    dat = self.HTTP.send(url).getPage()
  File "C:\unzipped\wapiti-2.2.1\wapiti-2.2.1\src\net\HTTP.py", line 94, in send

    info, data = self.h.request(target, headers = _headers)
  File "C:\unzipped\wapiti-2.2.1\wapiti-2.2.1\src\net\httplib2\__init__.py", lin
e 1084, in request
    (response, content) = self._request(conn, authority, uri, request_uri, metho
d, body, headers, redirections, cachekey)
  File "C:\unzipped\wapiti-2.2.1\wapiti-2.2.1\src\net\httplib2\__init__.py", lin
e 888, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, he
aders)
  File "C:\unzipped\wapiti-2.2.1\wapiti-2.2.1\src\net\httplib2\__init__.py", lin
e 853, in _conn_request
    response = conn.getresponse()
  File "C:\dev\bin\Python26\lib\httplib.py", line 974, in getresponse
    response.begin()
  File "C:\dev\bin\Python26\lib\httplib.py", line 391, in begin
    version, status, reason = self._read_status()
  File "C:\dev\bin\Python26\lib\httplib.py", line 349, in _read_status
    line = self.fp.readline()
  File "C:\dev\bin\Python26\lib\socket.py", line 397, in readline
    data = recv(1)
socket.error: [Errno 10054] An existing connection was forcibly closed by the re
mote host

1 Answer

Stack Overflow user

Accepted answer

Posted 2010-02-13 04:17:52

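Wapiti is going to crash applications because it uses the application a lot. Wapiti stack traced while performing an XSS test, and I don't think an XSS test would crash the application. However, submitting a lot of one type of request could cause a DoS condition. You need to track down the last request that Wapiti made. Wapiti has a verbose mode, I think it is -v, and it will print out every request that it makes. Once you have the file that is crashing, you should review it manually.

Wapiti's blind SQL injection attack module uses MySQL's () function, which will DoS your MySQL server. I recommend turning this off if you are having problems scanning the entire site.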

Votes 2
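
Added example (not part of the original answer or of Wapiti): one way to carry out the "track down the last request" step is to save the scanner's verbose console output to a file and pull out the requests sent by the module that was running when the traceback appeared. The `+ <url>` line shape, the `triage` helper and the sample `.aspx` paths are assumptions made for illustration; adjust the patterns to your own capture.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Assumed line shapes; adjust the patterns to match your own capture.
REQ = re.compile(r"^\+\s+(https?://\S+)")                # one "+ <url>" line per request
MODULE = re.compile(r"^\[\+\] Launching module (\w+)")   # module banner, as in the scan above
FAIL = re.compile(r"^(Traceback \(most recent call last\):|socket\.error:)")

# Constructed sample capture; the .aspx paths and parameter values are placeholders.
SAMPLE = """\
[+] Launching module sql
+ http://localhost:17357/view.aspx?id=1
[+] Launching module xss
+ http://localhost:17357/view.aspx?id=aaa
+ http://localhost:17357/view.aspx?id=bbb
+ http://localhost:17357/search.aspx?q=ccc
+ http://localhost:17357/view.aspx?id=ddd
Traceback (most recent call last):
  File "wapiti.py", line 449, in <module>
socket.error: [Errno 10054] An existing connection was forcibly closed
""".splitlines()

def triage(lines, tail=3):
    """Summarise the requests sent by the module that was running when the scan failed."""
    module, requests = None, []
    for line in lines:
        if FAIL.match(line):
            break                                # stop at the first failure marker
        m = MODULE.match(line)
        if m:
            module, requests = m.group(1), []    # start a fresh list for each module
            continue
        m = REQ.match(line)
        if m:
            requests.append(m.group(1))
    last = requests[-tail:]
    params = sorted({k for u in last
                     for k, _ in parse_qsl(urlsplit(u).query, keep_blank_values=True)})
    by_path = Counter(urlsplit(u).path for u in requests).most_common(3)
    return {"module": module, "last": last, "params": params, "by_path": by_path}

if __name__ == "__main__":
    report = triage(SAMPLE)
    print("failing module:", report["module"])
    for url in report["last"]:
        print("replay by hand:", url)
    print("busiest paths:", report["by_path"])
```

Replaying the last few URLs one at a time against a fresh instance with a debugger attached separates a single crashing input from a crash that only appears under request volume.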
Original page content provided by Stack Overflow. Translation support provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/2249528
