How To: Detect Vulnerabilities in a Web Application with Uniscan

Detect Vulnerabilities in a Web Application with Uniscan

With the number of web applications out there today, it comes as no surprise that there are just as many vulnerabilities waiting for hackers to discover. Finding those vulnerabilities can be a difficult task, but there are plenty of tools available to make the process easier. While it won't help find any zero-days, web scanners such as Uniscan will detect common vulnerabilities.

Uniscan is a simple web vulnerability scanner that searches for common flaws like local file include, remote command execution, and remote file include vulnerabilities. It's also able to fingerprint and enumerate web services, interesting files and directories, and server information. This tool is written in Perl and is available as an intuitive command line tool or as a GUI.

If you're using Kali Linux as your pentesting station, Uniscan is included in it so there's no need to install anything. For everyone else, you can download it from SourceForge. In this guide, we'll be testing Uniscan out against the vulnerable virtual machine Metasploitable 2.

Scanning the Target

Uniscan has a number of different options we can employ for a scan. Simply open up the terminal and type uniscan or uniscan -h at the prompt, and it will display version information, available options to set, and a few usage examples. If you don't see this screen in Kali, you don't have it installed somehow, but you can get it quickly using apt install uniscan.

uniscan

####################################
# Uniscan project                  #
# http://uniscan.sourceforge.net/  #
####################################
V. 6.3

OPTIONS:
    -h  help
    -u  <url> example: https://www.example.com/
    -f  <file> list of url's
    -b  Uniscan go to background
    -q  Enable Directory checks
    -w  Enable File checks
    -e  Enable robots.txt and sitemap.xml check
    -d  Enable Dynamic checks
    -s  Enable Static checks
    -r  Enable Stress checks
    -i  <dork> Bing search
    -o  <dork> Google search
    -g  Web fingerprint
    -j  Server fingerprint

usage:
[1] perl ./uniscan.pl -u http://www.example.com/ -qweds
[2] perl ./uniscan.pl -f sites.txt -bqweds
[3] perl ./uniscan.pl -i uniscan
[4] perl ./uniscan.pl -i "ip:xxx.xxx.xxx.xxx"
[5] perl ./uniscan.pl -o "inurl:test"
[6] perl ./uniscan.pl -u https://www.example.com/ -r

The most basic way to use this tool is to give it a URL to scan by setting the -u flag, followed by the domain of interest, as shown below. It will return a brief summary, including information about the server and IP address.

uniscan -u http://172.16.1.102

####################################
# Uniscan project                  #
# http://uniscan.sourceforge.net/  #
####################################
V. 6.3

Scan date: 29-1-2019 14:52:26
===================================================================================================
| Domain: http://172.16.1.102/
| Server: Apache/2.2.8 (Ubuntu) DAV/2
| IP: 172.16.1.102
===================================================================================================
===================================================================================================
Scan end date: 29-1-2019 14:52:26

HTML report saved in: report/172.16.1.102.html

We can also perform more detailed server fingerprinting by using the -j option — simply append it to the end of the command. This will run a ping test and traceroute to determine the network connectivity status, followed by an nslookup (name server lookup) to obtain any DNS records that are available. This option will also kick off an Nmap scan to discover any open services and ports, so be aware of the target as some defenses will consider this aggressive.

uniscan -u http://172.16.1.102 -j

####################################
# Uniscan project                  #
# http://uniscan.sourceforge.net/  #
####################################
V. 6.3

Scan date: 29-1-2019 14:53:23
===================================================================================================
| Domain: http://172.16.1.102/
| Server: Apache/2.2.8 (Ubuntu) DAV/2
| IP: 172.16.1.102
===================================================================================================
===================================================================================================
| PING
|
| PING 172.16.1.102 (172.16.1.102) 56(84) bytes of data.
| 64 bytes from 172.16.1.102: icmp_seq=1 ttl=64 time=0.937 ms
| 64 bytes from 172.16.1.102: icmp_seq=2 ttl=64 time=1.77 ms
| 64 bytes from 172.16.1.102: icmp_seq=3 ttl=64 time=1.16 ms
| 64 bytes from 172.16.1.102: icmp_seq=4 ttl=64 time=1.18 ms
|
| --- 172.16.1.102 ping statistics ---
| 4 packets transmitted, 4 received, 0% packet loss, time 8ms
| rtt min/avg/max/mdev = 0.937/1.261/1.767/0.309 ms
===================================================================================================
| TRACEROUTE
|
| traceroute to 172.16.1.102 (172.16.1.102), 30 hops max, 60 byte packets
|  1  172.16.1.102 (172.16.1.102)  1.314 ms  1.554 ms  1.782 ms

...

Uniscan has an option to fingerprint web services, too. Use the -g option to do so. This will look for interesting HTTP methods, error information, and HTML strings, as well as other little tidbits that might aid in reconnaissance. We can see below that it found a couple of 404 errors and the greeting information when logging into Metasploitable.

uniscan -u http://172.16.1.102 -g

####################################
# Uniscan project                  #
# http://uniscan.sourceforge.net/  #
####################################
V. 6.3

Scan date: 29-1-2019 14:54:43
===================================================================================================
| Domain: http://172.16.1.102/
| Server: Apache/2.2.8 (Ubuntu) DAV/2
| IP: 172.16.1.102
===================================================================================================
===================================================================================================
| Looking for Drupal plugins/modules
|
| GET,HEAD,POST,OPTIONS,TRACE
===================================================================================================
===================================================================================================
| WEB SERVICES
|
===================================================================================================
| FAVICON.ICO
|
===================================================================================================
| ERROR INFORMATION
|
|  404 Not Found Not Found The requested URL /lKBpm&lt;^reGdK(QpcajL+ was not found on this server. Apache/2.2.8 (Ubuntu) DAV/2 Server at 172.16.1.102 Port 80
|  404 Not Found Not Found The requested URL /7)DGG`[0wNqh&quot;&quot;2Q1,LY was not found on this server. Apache/2.2.8 (Ubuntu) DAV/2 Server at 172.16.1.102 Port 80
===================================================================================================
| TYPE ERROR
|
===================================================================================================
| SERVER MOBILE
|
===================================================================================================
| LANGUAGE
|
===================================================================================================
| INTERESTING STRINGS IN HTML
|
| Warning: Never expose this VM to an untrusted network! Contact: msfdev[at]metasploit.com Login with msfadmin/msfadmin to get started
| a href="/phpMyAdmin/">phpMyAdmin
===================================================================================================
| WHOIS
|
getaddrinfo(whois.arin.net): Name or service not known
===================================================================================================
| BANNER GRABBING:
===================================================================================================
===================================================================================================

We can crawl for directories located on the target by setting the -q flag. In my example, it looks like it discovered some directories that might be of interest, including what appears to be documentation and PHP configuration information.

uniscan -u http://172.16.1.102 -q

####################################
# Uniscan project                  #
# http://uniscan.sourceforge.net/  #
####################################
V. 6.3

Scan date: 29-1-2019 14:56:28
===================================================================================================
| Domain: http://172.16.1.102/
| Server: Apache/2.2.8 (Ubuntu) DAV/2
| IP: 172.16.1.102
===================================================================================================
|
| Directory check:
| [+] CODE: 200 URL: http://172.16.1.102/doc/
| [+] CODE: 200 URL: http://172.16.1.102/icons/
| [+] CODE: 200 URL: http://172.16.1.102/index/
| [+] CODE: 200 URL: http://172.16.1.102/phpinfo/
| [+] CODE: 200 URL: http://172.16.1.102/payload/
===================================================================================================
===================================================================================================

We can also enable file checks with the -w flag. Below we can see that it found a few files which could yield valuable information.

uniscan -u http://172.16.1.102 -w

####################################
# Uniscan project                  #
# http://uniscan.sourceforge.net/  #
####################################
V. 6.3

Scan date: 29-1-2019 14:57:46
===================================================================================================
| Domain: http://172.16.1.102/
| Server: Apache/2.2.8 (Ubuntu) DAV/2
| IP: 172.16.1.102
===================================================================================================
|
| File check:
| [+] CODE: 200 URL: http://172.16.1.102/test
| [+] CODE: 200 URL: http://172.16.1.102/index.php
| [+] CODE: 200 URL: http://172.16.1.102/phpinfo.php
===================================================================================================
===================================================================================================

Uniscan has the ability to automatically check a website for a robots.txt file and a sitemap by using the -e option. In my example, those files do not appear to be present on the target, but nonetheless, it is a useful option when probing other sites.

uniscan -u http://172.16.1.102 -e

####################################
# Uniscan project                  #
# http://uniscan.sourceforge.net/  #
####################################
V. 6.3

Scan date: 29-1-2019 14:58:36
===================================================================================================
| Domain: http://172.16.1.102/
| Server: Apache/2.2.8 (Ubuntu) DAV/2
| IP: 172.16.1.102
===================================================================================================
|
| Check robots.txt:
|
| Check sitemap.xml:
===================================================================================================
===================================================================================================

Uniscan will load some plugins to perform dynamic checks on the target, including email identification, backdoor detection, and discovery of SQL and other types of injection points. Set the -d flag to do this. This can take quite some time to run, and it doesn't always work correctly, so use at your own discretion.

uniscan -u http://172.16.1.102 -d

####################################
# Uniscan project                  #
# http://uniscan.sourceforge.net/  #
####################################
V. 6.3

Scan date: 29-1-2019 14:59:13
===================================================================================================
| Domain: http://172.16.1.102/
| Server: Apache/2.2.8 (Ubuntu) DAV/2
| IP: 172.16.1.102
===================================================================================================
|
| Crawler Started:
| Plugin name: Web Backdoor Disclosure v.1.1 Loaded.
| Plugin name: Upload Form Detect v.1.1 Loaded.
| Plugin name: phpinfo() Disclosure v.1 Loaded.
| Plugin name: External Host Detect v.1.2 Loaded.
| Plugin name: FCKeditor upload test v.1 Loaded.
| Plugin name: E-mail Detection v.1.1 Loaded.
| Plugin name: Code Disclosure v.1.1 Loaded.
| Plugin name: Timthumb <= 1.32 vulnerability v.1 Loaded.
| [*] Crawling: [28 - 134]

...

We can also enable some static checks on the target with the -s option. This will run tests that detect local file include, remote command execution, and remote file include vulnerabilities.

uniscan -u http://172.16.1.102 -s

####################################
# Uniscan project                  #
# http://uniscan.sourceforge.net/  #
####################################
V. 6.3

Scan date: 29-1-2019 15:12:3
===================================================================================================
| Domain: http://172.16.1.102/
| Server: Apache/2.2.8 (Ubuntu) DAV/2
| IP: 172.16.1.102
===================================================================================================
===================================================================================================
| Static tests:
| Plugin name: Local File Include tests v.1.1 Loaded.
| Plugin name: Remote Command Execution tests v.1.1 Loaded.
| Plugin name: Remote File Include tests v.1.1 Loaded.
|
|
| Local File Include:
|
|
| Remote Command Execution:
|
|
| Remote File Include:
[*] Remaining tests: 1

...

In addition to the command line tool, Uniscan has as a GUI. Simply type uniscan-gui at the terminal prompt to launch the program. From here, it operates pretty much the same as in the command line interface; We can list the target URL and any options we want to be enabled, then hit "Start scan" to kick it off.

Personally, I like the command line tool a little better since it runs the scan in the same way, plus you have to open the terminal up anyway to launch the GUI, but to each his own. It should be noted that in the command line version multiple options can also be set at the same time, like so:

uniscan -u http://172.16.1.102 -qwds

Uniscan also saves each scan as an HTML file under /usr/share/uniscan/report/ if scan results are needed at a later time.

Uniscan vs. Other Scanners

There is a lot of variety when it comes to web vulnerability scanners, and different tools can often accomplish the same goals. However, in certain situations, it pays to know what tool is right for the job. Let's take a brief look at a few other popular web scanners and how they compare to Uniscan.

  • WMAP is a scanner available as a module in Metasploit. It performs a lot of the same tests as Uniscan, including HTTP method detection, directory enumeration, and a robots.txt search. It's useful when working within Metasploit's framework, but Uniscan is nice because it can be fired up quickly and utilized right in the terminal.
  • Burp Suite is a name synonymous with web application testing, and in many situations, it will outperform any other scanner. The major downside with Burp is the free Community Edition does not include the automatic scanner. It can still be used as a manual tool and proxy to great effect, but Uniscan has the advantage since it does a few things simply and doesn't cost a dime.
  • Vega is another web scanner that is similar to Burp in many ways. It can also be used effectively as a proxy but is free and open source. Like Uniscan, Vega will find file include vulnerabilities in addition to other injection flaws. This tool is flexible since it can run on Linux, Mac, and Windows, but only in GUI form. Sometimes you just want an uncomplicated command line tool, and Uniscan wins in that regard.
  • Nikto is a popular web server scanner that is also written in Perl. The command line tool has a ton of features, and there is also a GUI version available. Similar to Uniscan, it also reports interesting HTTP headers, crawls directories, and fingerprints server information. Nikto is the scanner to use when a very detailed picture of the target is needed, but the slew of settings and options can sometimes be discouraging for a beginner. Again, for this reason, Uniscan excels at being a no-frills web vulnerability scanner.

While all of these scanners are great tools for testing web apps for common flaws, Uniscan is the one to come back to when you need a quick-and-dirty web scanner that's noob-friendly.

Cover image by ar130405/Pixabay; Screenshots by drd_/Null Byte

Never Miss a Hacking or Security Guide

New Null Byte in your inbox, every week.

Be the First to Comment

Share Your Thoughts

  • Hot
  • Latest