设为首页收藏本站
开启辅助访问

【AWVS】python调AWVS接口 新建扫描并导出扫描报告(一)

 您所在的位置:网站首页 django怎么调用别人的接口 【AWVS】python调AWVS接口 新建扫描并导出扫描报告(一)

【AWVS】python调AWVS接口 新建扫描并导出扫描报告(一)

2024-07-15 04:15| 来源: 网络整理| 查看: 265

文章目录 前言一、先上完整python代码二、AWVS介绍三、准备工作1.获取 API-KEY2.Header 设置1.接口介绍2.python代码 3.屏蔽警告 四、接口验证1.查看Targets扫描队列1.接口介绍2.python代码3.返回结果4.参数说明 2.添加任务到Targets扫描队列,并返回target_id1.接口介绍2.python代码3.返回结果 3.添加targets队列中的任务到scans1.接口介绍2.data介绍3.python代码4.发送参数说明 4.获取scan_id1.接口介绍2.代码3.返回结果4.返回参数说明 5.导出报告-生成gennerate1.接口介绍2.data介绍3.python代码4.返回结果5.发送参数说明6.返回参数说明 6.导出报告-html/pdf1.接口介绍2.python代码 总结

前言

本文详细介绍了利用python调用AWVS 14.x中提供的四个内置接口,验证的流程为:

1.将目标URL添加到targets队列,扫描准备; 2.将targets队列中任务添加到scans队列,进行扫描; 3.将scans队列中的任务通过generate添加到reports队列,生成扫描报告; 4.从reports队列中导出扫描报告。

验证的三个接口为:

/api/v1/targets /api/v1/scans /api/v1/reports

本人的B站讲解视频:https://www.bilibili.com/video/BV1NY4y1B7p2/ 第二期实现批量扫描:https://blog.csdn.net/qq_45859826/article/details/124082529

一、先上完整python代码 import json import time from datetime import datetime import requests from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) tarurl = "https://localhost:3443" apikey = "1986ad8c0a5b3df4d7028d5f3c06e936c1fc7e549ff144a089c34a12b23d572fa" headers = {"X-Auth": apikey, "Content-type": "application/json;charset=utf8"} # 查看所有目标结果 def targets(): api_url = tarurl + '/api/v1/targets' r = requests.get(url=api_url, headers=headers, verify=False) print(r.json()) # 添加targets目标,获取target_id def post_targets(url): api_url = tarurl + '/api/v1/targets' data = { "address": url, "description": "wyt_target", "criticality": "10" } data_json = json.dumps(data) r = requests.post(url=api_url, headers=headers, data=data_json, verify=False) target_id = r.json().get("target_id") print('target_id:', target_id) return target_id # 添加scans def scans(url): api_url = tarurl + '/api/v1/scans' data = { "target_id": url, "profile_id": "11111111-1111-1111-1111-111111111112", "schedule": {"disable": False, "start_date": None, "time_sensitive": False } } data_json = json.dumps(data) r = requests.post(url=api_url, headers=headers, data=data_json, verify=False) # target_id = r.json().get("target_id") # print(r.json) # 获取scan_id,通过start_date可知,最新生成的为第一个 def scan_id(): api_url = tarurl + '/api/v1/scans' # print(api_url) r = requests.get(url=api_url, headers=headers, verify=False) scan_id = r.json().get("scans")[0].get("scan_id") print('scan_id:', scan_id) return scan_id # 添加generate,并获取generate_id def generate(url): api_url = tarurl + '/api/v1/reports' data = { "template_id": "11111111-1111-1111-1111-111111111115", "source": { "list_type": "scans", "id_list": [url] } } data_json = json.dumps(data) r = requests.post(url=api_url, headers=headers, data=data_json, verify=False) # print(r.json) # 生成扫描报告,每次新生成的都在第一个 def html(): api_url = tarurl + '/api/v1/reports' # print(api_url) r = requests.get(url=api_url, headers=headers, verify=False) html = r.json().get("reports")[0].get("download")[0] url_html = tarurl + html print('报告地址:', url_html) r_html = requests.get(url=url_html, headers=headers, verify=False) time_now = datetime.now().strftime('%Y-%m-%d %H%M%S') with open("report-" + time_now + ".html", "wb") as code: code.write(r_html.content) code.close() def pdf(): api_url = tarurl + '/api/v1/reports' # print(api_url) r = requests.get(url=api_url, headers=headers, verify=False) pdf = r.json().get("reports")[0].get("download")[1] url_pdf = tarurl + pdf print('报告地址:', url_pdf) r_html = requests.get(url=url_pdf, headers=headers, verify=False) time_now = datetime.now().strftime('%Y-%m-%d %H%M%S') with open("report-" + time_now + ".pdf", "wb") as code: code.write(r_html.content) code.close() if __name__ == '__main__': # targets() # 添加到targets队列 target_id = post_targets("http://8.8.8.8/") time.sleep(5) # 添加到scans队列 scans(target_id) time.sleep(5) # 获取scan_id,并生成generate scan_id = scan_id() generate(scan_id) time.sleep(5) # 生成扫描报告 # pdf() html()

返回结果: 在这里插入图片描述 在这里插入图片描述

二、AWVS介绍

Acunetix是一个专业好用的漏洞扫描工具,提供一些内置API接口,可供调用。因毕业设计,对其中一些接口进行了测试,以下为测试文档。

三、准备工作 1.获取 API-KEY

在这里插入图片描述 「Administrator」-「Profile」-「API Key」-「Copy」

API-KEY:1986ad8c0a5b3df4d7028d5f3c06e936c1fc7e549ff144a089c34a12b23d572fa 2.Header 设置 1.接口介绍 X-Auth:API-KEY Content-type:application/json;charset=utf8 2.python代码 apikey = "1986ad8c0a5b3df4d7028d5f3c06e936c1fc7e549ff144a089c34a12b23d572fa" headers = {"X-Auth": apikey, "Content-type": "application/json;charset=utf8"} tarurl = "https://localhost:3443" 3.屏蔽警告 from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 四、接口验证 1.查看Targets扫描队列 1.接口介绍 Method: GET URL: /api/v1/targets 2.python代码 api_url = tarurl + '/api/v1/targets' r = requests.get(url=api_url, headers=headers, verify=False) print(r.json()) #返回结果为json格式 3.返回结果 { 'targets': [ { 'address': 'http://192.168.137.129/', 'continuous_mode': False, 'criticality': 10, 'default_scanning_profile_id': None, 'deleted_at': None, 'description': 'http://192.168.137.129/', 'fqdn': '192.168.137.129', 'fqdn_hash': '4d9a6f1d9e94cce236acd2d397fdc5ce', 'fqdn_status': 'new', 'fqdn_tm_hash': 'f3c47dc4029759660937dd3f55c685c2', 'issue_tracker_id': None, 'last_scan_date': '2022-03-28T18:07:52.178043+08:00', 'last_scan_id': 'b7eab683-8708-4cfc-9d3a-2e3c989fbae5', 'last_scan_session_id': 'b3b15334-44ed-4dd7-8363-b874c7ec0947', 'last_scan_session_status': 'completed', 'manual_intervention': None, 'severity_counts': { 'high': 0, 'info': 0, 'low': 0, 'medium': 0 }, 'target_id': '73e0d89a-6323-446a-a00c-691a884b286b', 'threat': 0, 'type': None, 'verification': None }, 'pagination': { 'count': 11, 'cursor_hash': '8f629dd49f910b9202eb0da5d51fdb6e', 'cursors': [None], 'sort': None } } 4.参数说明 参数说明targets目标详细信息pagination分页信息

targets:

参数说明address扫描目标网址continuous_mode是否连续模式criticality危险程度description描述last_scan_date最近扫描的日期last_scan_id最近扫描的idlast_scan_session_id最近扫描的session idlast_scan_session_status最近的扫描状态manual_intervention手动干预severity_counts漏洞等级个数分布target_id目标idthreat威胁等级type类型verification验证 2.添加任务到Targets扫描队列,并返回target_id 1.接口介绍 Method: POST URL: /api/v1/targets 2.python代码 api_url = tarurl + '/api/v1/targets' data = { "address": url, "description": "wyt_target", "criticality": "10" } data_json = json.dumps(data) r = requests.post(url=api_url, headers=headers, data=data_json, verify=False) target_id = r.json().get("target_id") print(target_id) 3.返回结果 87527c66-665b-4920-bde7-c56e5297f8b0 3.添加targets队列中的任务到scans 1.接口介绍 Method: POST URL: /api/v1/scans 2.data介绍 data = { "target_id": "ec78d77d-6e26-4994-8d46-7fa8deae11b9", "profile_id": "11111111-1111-1111-1111-111111111112", "schedule": { "disable": False, "start_date": None, "time_sensitive": False } } 3.python代码 api_url = tarurl + '/api/v1/scans' data = { "target_id": url, "profile_id": "11111111-1111-1111-1111-111111111112", "schedule": { "disable": False, "start_date": None, "time_sensitive": False } } data_json = json.dumps(data) r = requests.post(url=api_url, headers=headers, data=data_json, verify=False) 4.发送参数说明 参数类型说明profile_idstring扫描类型ui_session_istring可不传incrementalbool增加的schedulejson扫描时间设置(默认即时)report_template_idstring扫描报告类型(可不传)target_idstring目标id

profile_id:

类型值意义Full Scan11111111-1111-1111-1111-111111111111完全扫描High Risk Vulnerabilities11111111-1111-1111-1111-111111111112高风险漏洞Cross-site Scripting Vulnerabilities11111111-1111-1111-1111-111111111116XSS漏洞SQL Injection Vulnerabilities11111111-1111-1111-1111-111111111113SQL注入漏洞Weak Passwords11111111-1111-1111-1111-111111111115弱口令检测Crawl Only11111111-1111-1111-1111-111111111117Crawl OnlyMalware Scan11111111-1111-1111-1111-111111111120恶意软件扫描 4.获取scan_id 1.接口介绍 Method: GET URL: /api/v1/scans 2.代码 api_url = tarurl + '/api/v1/scans' r = requests.get(url=api_url, headers=headers, verify=False) print(r.json().get("scans")[0]) scan_id = r.json().get("scans")[0].get("scan_id") 3.返回结果 { 'criticality': 10, 'current_session': { 'event_level': 2, 'progress': 100, 'scan_session_id': '7be91fbd-f904-4c6f-a33c-909cddb7a9c8', 'severity_counts': { 'high': 0, 'info': 0, 'low': 0, 'medium': 0 }, 'start_date': '2022-04-03T19:05:05.089001+08:00', 'status': 'completed', 'threat': 0 }, 'incremental': False, 'max_scan_time': 0, 'next_run': None, 'profile_id': '11111111-1111-1111-1111-111111111112', 'profile_name': 'High Risk', 'report_template_id': None, 'scan_id': '5b9222cc-a21b-4b11-b1a5-6d6d5856d74a', 'schedule': { 'disable': False, 'history_limit': None, 'recurrence': None, 'start_date': None, 'time_sensitive': False, 'triggerable': False }, 'target': { 'address': 'http://6.6.6.6/', 'criticality': 10, 'description': 'wyt_target', 'type': 'default' }, 'target_id': '0944cef3-411e-4d4c-8647-4655f0b1e52b' } 4.返回参数说明 参数说明criticality危险程度current_session当前会话start_date开始扫描时间status扫描状态threat威胁性incremental额外的?manual_intervention人工干预max_scan_time最大扫描时间next_run下一轮profile_id扫描类型profile_name扫描类型名称report_template_id扫描报告模板idscan_id扫描idschedule时间表target目标相关的信息target_id目标id 5.导出报告-生成gennerate 1.接口介绍 Method: POST URL: /api/v1/reports 2.data介绍 data = { "template_id": "11111111-1111-1111-1111-111111111115", "source": { "list_type": "scans", "id_list": ["87527c66-665b-4920-bde7-c56e5297f8b0"] } } 3.python代码 api_url = tarurl + '/api/v1/reports' data = { "template_id": "11111111-1111-1111-1111-111111111115", "source": { "list_type": "scans", "id_list": [url] } } data_json = json.dumps(data) r = requests.post(url=api_url, headers=headers,data=data_json, verify=False) print(r.json) 4.返回结果 { 'pagination': { 'count': 5, 'cursor_hash': '8f629dd49f910b9202eb0da5d51fdb6e', 'cursors': [None], 'sort': None}, 'reports': [ { 'download': [ '/api/v1/reports/download/4df097a941830e36be6665ab908e40a27c2d0528d503a70ce9b77f72592bc73e05bc9f8d624994d71482b153-bd3b-4c36-8d21-0886c07f4739.html', '/api/v1/reports/download/1c3fa9b4f76396cedcda1e857e5bfe0053fcd9653bf55d1344a5e99bd1b53366fa10c36a624994d71482b153-bd3b-4c36-8d21-0886c07f4739.pdf' ], 'generation_date': '2022-04-03T19:33:46.118619+08:00', 'report_id': '1482b153-bd3b-4c36-8d21-0886c07f4739', 'source': { 'list_type': 'scans', 'description': 'http://6.6.6.6/;wyt_target', 'id_list': ['5b9222cc-a21b-4b11-b1a5-6d6d5856d74a'] }, 'status': 'completed', 'template_id': '11111111-1111-1111-1111-111111111115', 'template_name': 'Affected Items', 'template_type': 0 } ] } 5.发送参数说明 参数类型说明template_idString扫描报名模板类型list_typeString值为: scansid_listString值为: scan_id

template_id:

类型值Affected Items11111111-1111-1111-1111-111111111115CWE 201111111111-1111-1111-1111-111111111116Developer11111111-1111-1111-1111-111111111111Executive Summary11111111-1111-1111-1111-111111111113HIPAA11111111-1111-1111-1111-111111111114ISO 2700111111111-1111-1111-1111-111111111117NIST SP800 5311111111-1111-1111-1111-111111111118OWASP Top 10 201311111111-1111-1111-1111-111111111119PCI DSS 3.211111111-1111-1111-1111-111111111120Quick11111111-1111-1111-1111-111111111112Sarbanes Oxley11111111-1111-1111-1111-111111111121Scan Comparison11111111-1111-1111-1111-111111111124STIG DISA11111111-1111-1111-1111-111111111122WASC Threat Classification11111111-1111-1111-1111-111111111123 6.返回参数说明 参数说明generation_date生成时间template_type模板类型report_id报告idtemplate_name模板名字status状态template_id模板iddownload下载链接[html, pdf]source来源description备注 6.导出报告-html/pdf 1.接口介绍 Method: GET URL: /api/v1/reports 2.python代码 api_url = tarurl + '/api/v1/reports' r = requests.get(url=api_url, headers=headers, verify=False) html = r.json().get("reports")[0].get("download")[0] # pdf = r.json().get("reports")[0].get("download")[1] url_html = tarurl + html r_html = requests.get(url=url_html, headers=headers, verify=False) with open("report.html", "wb") as code: code.write(r_html.content) code.close() 总结

这篇文章缘起于我的本科毕业设计”漏洞分析系统设计“,首先感谢各位师傅的优秀博文分享,给了迷茫中的我许多灵感:

国光师傅的AWVS API文档:https://www.sqlsec.com/2020/04/awvsapi.html#toc-heading-32 h4rdy师傅的AWVS API文档:https://github.com/h4rdy/Acunetix11-API-Documentation Recar师傅的AWVS测试文件: https://blog.csdn.net/qq_28295425/article/details/81051954

2022年对于我是非常不一般的一年,前三个月的经历对我打击是巨大的。去年我的许多选择在今年看来都没有很好的结局,考研失败,身体一团糟,不知道未来在哪里,陷入无穷尽的自我怀疑旋涡……经历了一段时期的冷静期,重新回到CSDN,也是想重回初心。其实不论未来如何,最大的希望还是:做一个健康快乐的女孩子。 希望疫情能早日消失,我们的生活回归正轨;希望自己接下来的手术顺利进行,拥有一个健康的身体。有条件的话之后也要多发博文,和各位师傅一起进步。

2022年4月3日于家中



【本文地址】


今日新闻

推荐新闻

CopyRight 2018-2019 办公设备维修网 版权所有 豫ICP备15022753号-3