waf指纹识别工具WAFW00F的原理，安装与使用

zhaorong · 发表于 2021-7-26 15:26:22

本帖最后由 zhaorong 于 2021-7-26 15:36 编辑

原理

发送正常的HTTP请求并分析响应;这确定了许多WAF方案解决
如果不成功则发送多个（可能是恶意的）HTTP请求并使用简单的逻辑来
。示例就是WAF则分析先前回复的响应并采用另一种简单的方法来抢救WAF或安
。解决全是否正在积极响应我们的请求

事实上它的核心就是其中的的main.py：

#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
版权所有 (C) 2019，WAFW00F 开发人员。
有关复制权限，请参阅 LICENSE 文件。
'''
import csv
import io
import json
import logging
import os
import random
import re
import sys
from collections import defaultdict
from optparse import OptionParser
from wafw00f.lib.asciiarts import *
from wafw00f import __version__, __license__
from wafw00f.manager import load_plugins
from wafw00f. wafprio
从 wafw00f.lib.evillib 导入 wafdetectionsprio 导入 urlParser、waftoolsengine、def_headers

复制代码

class WAFW00F(waftoolsengine):
xsstring = '<script>alert("XSS");</script>'
sqlistring = "UNION SELECT ALL FROM information_schema AND ' or SLEEP(5) or '"
lfistring = '../.. /../../etc/passwd'
rcestring = '/bin/cat /etc/passwd; 平 127.0.0.1; curl google.com'
xxestring = '<!ENTITY xxe SYSTEM "file:///etc/shadow">]><pwn>&hack;</pwn>'
def __init__(self, target='www.example.com' , debuglevel=0, path='/',
followredirect=True, extraheaders={}, proxies=None):
self.log = logging.getLogger('wafw00f')
self.attackres = None
waftoolsengine.__init__(self, target,
self.knowledge = dict(generic=dict(found=False, reason=''), wafname=list())
def normalRequest(self):
return self.Request()
def customRequest(self, headers=None):
return self .Request(headers=headers)
def nonExistent(self):
return self.Request(path=self.path + str(random.randrange(100, 999)) + '.html')
def xssAttack(self):
return self. Request(path=self.path, params= {'s': self.xsstring})
def xxeAttack(self):
return self.Request(path=self.path, params= {'s': self.xxestring})
def lfiAttack(self):
return self.Request(path=self.path + self.lfistring)
def centralAttack(self):
return self.Request(path=self.path, params={'a': self.xsstring, 'b': self.sqlistring, 'c': self.lfistring})
def sqliAttack(self):
return self.Request( path=self.path, params= {'s': self.sqlistring})
def oscAttack(self):
return self.Request(path=self.path, params= {'s': self.rcestring})
def performCheck( self, request_method):
r = request_method()
如果 r 是 None:
raise RequestBlocked()
return r

复制代码

# 用于检测 WAF 的最常见攻击
attcom = [xssAttack, sqliAttack, lfiAttack] Attack
= [xssAttack, xxeAttack, lfiAttack, sqliAttack, oscAttack]
def genericdetect(self):
reason = '' reason
= ['Blocking is being done at connection /packet level.',
'检测到攻击时服务器标头不同。',
'当使用攻击字符串时，服务器返回不同的响应代码。',
'它关闭了正常请求的连接。',
'当请求不是从浏览器发出时，响应是不同的。
]

复制代码

try:
# 测试没有用户代理响应。检测几乎所有的 WAF。
resp1 = self.performCheck(self.normalRequest)
if 'User-Agent' in self.headers:
del self.headers['User-Agent'] # 从对象中删除用户代理密钥不是字典。
resp3 = self.customRequest(headers=def_headers)
if resp1.status_code != resp3.status_code:
self.log.info('当请求不包含用户代理头时，服务器返回了不同的响应。')
reason = reason [4]
reason += '\r\n'
reason += '正常响应代码为“%s”,' % resp1.status_code
reason += ' 而修改请求的响应代码是 "%s"' % resp3.status_code
self.knowledge['generic']['reason'] = reason
self.knowledge['generic']['found'] = True
return True
# 发送 xss 攻击时测试状态码
resp2 = self.performCheck(self.xssAttack)
if resp1.status_code != resp2.status_code:
self.log.info('当 XSS 攻击时服务器返回不同的响应')
原因 = 原因 [2]
原因 += '\r\n'
原因 += '正常响应代码是 "%s",' % resp1.状态代码
reason += ' 而跨站脚本攻击的响应代码是 "%s"' % resp2.status_code
self.knowledge['generic']['reason'] = reason
self.knowledge['generic']['found '] = True
return True
# 发送 lfi 攻击时测试状态码
resp2 = self.performCheck(self.lfiAttack)
if resp1.status_code != resp2.status_code:
self.log.info('Server已尝试目录遍历。')
reason = reason[2]
reason += '\r\n'
reason += '正常响应代码是 "%s",' % resp1.status_code
reason += ' 而文件包含攻击的响应代码是 "%s"' % resp2.status_code
self.knowledge['generic']['reason'] = reason
self.knowledge['generic']['found' ] = True
return True
# 发送sqli攻击时测试状态码
resp2 = self.performCheck(self.sqliAttack)
if resp1.status_code != resp2.status_code:
self.log.info('当SQLi攻击时服务器返回不同的响应')
原因 = 原因 [2]
原因 += '\r\n'
原因 += '正常响应代码是 "%s",' % resp1。状态代码
reason += ' 而 SQL 注入攻击的响应代码是 "%s"' % resp2.status_code
self.knowledge['generic']['reason'] = reason
self.knowledge['generic']['found' ] = True
return True
# 发送恶意请求后检查服务器头
response = self.attackres
normalserver = resp1.headers.get('Server')
attackresponse_server = response.headers.get('Server')
if attackresponse_server:
if attackresponse_server ! = normalserver:
self.log.info('服务器头改变，可能检测到WAF')
self.log.debug('Attack response: %s' % attackresponse_server)
self.log.debug('Normal response: %s' % normalserver)
reason = Reasons [1]
reason += '\r\n正常响应是 "%s", ' % normalserver
reason += ' 而服务器标头对攻击的响应是 "%s",' % attackresponse_server
self.knowledge['generic']['reason'] = reason
self. Knowledge['generic']['found'] = True
返回 True

复制代码

# 如果所有请求都没有通过，
除了 RequestBlocked 外按 F ：
self.knowledge['generic']['reason'] =
Reasons[ 0] self.knowledge['generic']['found'] = True
return True
return False
def matchHeader(self, headermatch,attack=False):
if attack:
r = self.attackres
else: r = rq
if r is None:
return
header, match = headermatch
headerval = r.headers.get(header)
if headerval :
# set-cookie 可以有多
个头，python 给了我们# 用逗号连接
if header == 'Set-Cookie':
headervals = headerval.split(', ')
else:
headervals = [headerval]
for headervals:
if re.search(match, headerval, re.I):
return True
return False
def matchStatus(self, statuscode, attack=True):
if attack:
r = self.attackres
else: r = rq
if r is None:
return
if r.status_code == statuscode:
return True
return False

复制代码

def matchCookie(self, match,attack=False):
return self.matchHeader(('Set-Cookie', match),attack=attack)
def matchReason(self, reasoncode,attack=True):
if attack:
r = self. attackres
else: r = rq
if r is None:
return
# 我们可能需要在响应体中匹配多行上下文
if str(r.reason) == reasoncode:
return True
return False
def matchContent(self, regex, attack=True):
如果攻击：
r = self.attackres
else：r = rq
如果 r 是 None：
返回
# 我们可能需要在响应体中匹配多行上下文
if re.search(regex, r.text, re.I):
return True
return False
wafdetections = dict()
plugin_dict = load_plugins()
result_dict = {}
for plugin_dict in plugin_dict。 values():
wafdetections[plugin_module.NAME] = plugin_module.is_waf
# 首先检查优先级，然后检查外部添加的那些
checklist = wafdetectionsprio
checklist += list(set(wafdetections.keys()) - set(checklist))
def identwaf (self, findall=False) : detection =
list()
try:
self.attackres = self.performCheck(self.centralAttack)
除了 RequestBlocked:
return
在 self.checklist:
self.log.info('Checking for %s' % wafvendor)
if self.wafdetections[wafvendor](self):
detection.append(wafvendor)
如果不是 findall:
break
self .knowledge['wafname'] = detection
返回检测到
def calclogginglevel(verbosity):
default = 40 # 错误被打印出来
level = default - (verbosity * 10)
if level < 0:
level = 0
return level
def buildResultRecord(url, waf ):
结果 = {}
结果['url'] = url
if waf:
result['detected'] = True
if waf == 'generic':
result['firewall'] = 'Generic'
result['manufacturer'] = 'Unknown'
else:
result['firewall'] = waf. split('(')[0].strip()
result['manufacturer'] = waf.split('(')[1].replace(')', '').strip()
else:
result['检测到'] = False
result['firewall'] = 'None'
result['manufacturer'] = 'None'
返回结果

复制代码

def getTextResults(res=None):
# 留出一些空间以供将来更新列的可能性
# 可以将新列添加到此元组下面的
键 = ('detected')
res = [({key: ba[key] for key in ba if key not in keys}) for ba in res]
rows = []
for dk in res:
p = [str(x) for _, x in dk.items()]
rows.append(p)
for m in rows :
m[1] = f'{m[1]} ({m[2]})'
m.pop()
defgen = [
(max([len(str(row)) for row in rows]) + 3 )
for i in range(len(rows[0]))
]
rwfmt = "".join(["{:>"+str(dank)+"}" for dank in defgen])
textresults = []
对于行中的行：
textresults.append(rwfmt.format(*row))
return textresults
def disableStdOut():
sys.stdout = None
def enableStdOut():
sys.stdout = sys.__stdout__
def getheaders(fn):
headers = { }
如果不是 os.path.exists(fn):
logging.getLogger('wafw00f').critical('Headers file "%s" does not exist!' % fn)
返回
io.open(fn, 'r', encoding='utf-8') as f:
for line in f.readlines():
_t = line.split(':', 2)
if len(_t) == 2:
h, v = map(lambda x: x.strip(), _t)
标头[h] = v
返回标头
类 RequestBlocked(Exception)：
通过

复制代码

def main():
parser = OptionParser(usage='%prog url1 [url2 [url3 ... ]]\r\nexample: %prog http://www.victim.org/')
parser.add_option('-v ', '--verbose', action='count', dest='verbose', default=0,
help='启用详细程度，多个 -v 选项增加详细程度')
parser.add_option('-a', '-- findall', action='store_true', dest='findall', default=False,
help='找到所有匹配签名的WAF，不要停止对第一个的测试')
parser.add_option('-r', ' --noredirect', action='store_false', dest='followredirect',
default=True, help='不要遵循 3xx 响应给出的重定向'）
parser.add_option('-t', '--test', dest='test', help='Test for a specific WAF')
parser.add_option('-o', '--output', dest='output ', help='
根据文件扩展 名将输出写入 csv、json 或文本文件。对于标准输出，指定 - 作为文件名。',
default=None)
parser.add_option('-i', '--input-file' , dest='input', help='从文件中读取目标。输入格式可以
是 csv、json 或文本。对于 csv 和 json，需要一个 `url` 列名或元素。',
default=None)
解析器。 add_option('-l', '--list', dest='list', action='store_true',
default=False, help='列出 WAFW00F 能够检测到的所有 WAF')
parser.add_option('-p', '--proxy', dest='proxy', default=None,
help='使用HTTP代理执行请求，示例：http://hostname:8080,
socks5://主机名:1080, http://user:pass@hostname:8080')
parser.add_option('--version', '-V', dest='version', action='store_true',
default=False, help= '打印出当前版本的 WafW00f 并退出。')
parser.add_option('--headers', '-H', dest='headers', action='store', default=None,
help='Pass custom headers通过文本文件覆盖默认头集。')
选项，args = parser.parse_args()
日志记录。basicConfig(level=calclogginglevel(options.verbose))
log = logging.getLogger('wafw00f')
if options.output == '-':
disableStdOut()
print(randomArt())
if options.list:
print('[+] Can test for these WAFs:\r\n')
attack = WAFW00F(None)
尝试：
m = [i.replace(')', '').split(' (') for i in wafdetectionsprio]
print(R+' WAF Name'+' '*24+'Manufacturer\n '+'-'*8 +' '*24+'-'*12+'\n')
max_len = max(len(str(x)) for k in m for x in k)
for inner in m:
first = True
for elem in inner:
如果第一个：
text = Y+" {:<{}} ".format(elem,max_len+2)
第一个 = 假
否则：
text = W+"{:<{}} ".format(elem, max_len+2)
print(text, E, end="")
print()
sys.exit(0)
除了异常：
返回
if options.version :
print('[+] 您拥有的 WAFW00F 版本是 %sv%s%s' % (B, __version__, E))
print('[+] WAFW00F 是在 %s%s%s 许可下提供的。' % (C, __license__, E))
return
extraheaders = {}
if options.headers:
log.info('Getting extra headers from %s' % options.headers)
extraheaders = getheaders(options.headers)
如果 extraheaders 是 None ：
parser.error('请提供一个带有冒号分隔的头文件名和值的头文件')
if len(args) == 0 and not options.input:
parser.error('No test target specified.')
#check if input file存在
if options.input:
log.debug("Loading file '%s'" % options.input)
try:
if options.input.endswith('.json'):
with open(options.input) as f:
try ：

复制代码

urls = json.loads(f.read())
除了 json.decoder.JSONDecodeError:
log.critical("JSON file %s does not contain well-formed JSON", options.input)
sys.exit(1)
log.info ("Found: %s urls to check." %(len(urls)))
targets = [ item['url'] for item in urls ]
elif options.input.endswith('.csv'):
columns = defaultdict( list)
with open(options.input) as f:
reader = csv.DictReader(f)
for row in reader:
for (k,v) in row.items():
columns[k].append(v)
target = columns['url']
else:
with open(options.input) as f:
targets = [x for x in f.read().splitlines()]
除了 FileNotFoundError:
log.error('File %s could not被读取。没有加载目标。', options.input)
sys.exit(1)
else:
targets = args
results = []
for target in targets:
if not target.startswith('http'):
log.info('The url %s 应该以 http:// 或 https:// 开头 .. 修复（可能使其无法使用）' % target)
target = 'https://' + target
print('[*] Checking %s' % target )
pret = urlParser(target)
如果 pret 是 None:
log.critical('The url %s is not
wellformed ' % target) sys.exit(1)
(hostname, port, path, _, _) = pret
log.info ('starting wafw00f on %s' % target)
proxies = dict()
if options.proxy:
proxies = {
"http": options.proxy,
"https": options.proxy,
}
attacker = WAFW00F(target, debuglevel=options .verbose, path=path,
followredirect=options.followredirect, extraheaders=extraheaders,
proxies=proxies)
全局 rq
rq =attacker.normalRequest()
如果 rq 为 None：
log.error('Site %s 似乎已关闭' % hostname)
continue
if options.test:
if options.test
inattacker.wafdetections : waf = attack.wafdetections[options .test](attacker)
if waf:
print('[+] The site %s%s%s is behind %s%s%s WAF.' % (B, target, E, C, options.test, E) )
else:
print('[-] WAF %s 未在 %s' % (options.test, target) 上检测到)
else:
print('[-] WAF %s 在我们的列表中未找到\r\n使用--list 选项以
查看可用的内容'% options.test)
return
waf = attack.identwaf(options.findall)
log.info('Identified WAF: %s' % waf)
if len(waf) > 0:
for i in waf:
results.append(buildResultRecord(target, i))
print ('[+] 站点 %s%s%s 在 %s%s%s WAF 后面。' % (B, target, E, C, (E+' 和/或 '+C).join(waf), E))
if (options.findall) or len(waf) == 0:
print('[+] Generic Detection results:')
if
attack.genericdetect( ): log.info('Generic Detection: %s' % attack .knowledge['generic']['reason'])
print('[*] 站点 %s 似乎支持 WAF 或某种安全解决方案'％目标）
print('[~] Reason: %s' %
attack.knowledge ['generic']['reason']) results.append(buildResultRecord(target, 'generic'))
else:
print('[-] 未检测到 WAF通过通用检测')
results.append(buildResultRecord(target, None))
print('[~] Number of requests: %s' %attacker.requestnumber)
#print table of results
if len(results) > 0:
log. info("Found: %s 匹配。" % (len(results)))
if options.output:
if options.output == '-':
enableStdOut()
print(os.linesep.join(getTextResults(results)))
elif 选项。output.endswith('.json'):
log.debug("以 json 格式导出数据到文件：%s" % (options.output))
with open(options.output, 'w') as outfile:
json.dump(results, outfile, indent=2)
elif options.output.endswith('.csv'):
log.debug("Exporting data in csv format to file: %s" % (options.output))
with open(options.output, 'w') as outfile:
csvwriter = csv.writer(outfile, delimiter=',', quotechar='"',
quoting=csv.QUOTE_MINIMAL)
count = 0
for result in results:
if count == 0:
header = result.keys()
csvwriter.writerow(header)
count += 1
csvwriter.writerow(result.values())
else:
log.debug("以文本格式导出数据到文件：%s" % (options.output))
with open(options. output, 'w') as outfile:
outfile.write(os.linesep.join(getTextResults(results)))
if __name__ == '__main__':
if sys.hexversion < 0x2060000:
sys.stderr.write('Your version of python 太旧了...请更新到 2.6 或更高版本\r\n')
main()

复制代码

安装

github地址：https://github.com/EnableSecurity/wafw00f
官方使用文档：https://github.com/enablesecurity/wafw00f/wiki
安装环境：python3环境 --->使用pip install wafw00f进行安装
安装成功后目录：python安装目录中的Lib\site-packages\wafw00f--->例如：
C:\Python37\Lib\site-packages\wafw00f

验证：cd到C:\Python37\Lib\site-packages\wafw00f目录中输入python main.py如下图说明安装成功

具体使用

这里我们直接使用kali kali中自带自带WAFW00F：

输入wafw00f --help或者wafw00f -h可以看到很多使用参数：

-h, --help show this help message and exit
-v, --verbose Enable verbosity, multiple -v options increase
verbosity
-a, --findall Find all WAFs which match the signatures, do not stop
testing on the first one
-r, --noredirect Do not follow redirections given by 3xx responses
-t TEST, --test=TEST Test for one specific WAF
-o OUTPUT, --output=OUTPUT
Write output to csv, json or text file depending on
file extension. For stdout, specify - as filename.
-i INPUT, --input-file=INPUT
Read targets from a file. Input format can be csv,
json or text. For csv and json, a `url` column name or
element is required.
-l, --list List all WAFs that WAFW00F is able to detect
-p PROXY, --proxy=PROXY
Use an HTTP proxy to perform requests, examples:
http://hostname:8080, socks5://hostname:1080,
http://user:pass@hostname:8080
-V, --version Print out the current version of WafW00f and exit.
-H HEADERS, --headers=HEADERS
Pass custom headers via a text file to overwrite the
default header set.

复制代码

wafw00f -l 一次可以识别出的防火墙：

WAF Name Manufacturer
------------
ACE XML Gateway Cisco
aeSecure aeSecure
AireeCDN Airee
Airlock Phion/Ergon
Alert Logic Alert Logic
AliYunDun阿里云计算
安心宝安心宝
AnYu AnYu Technologies
Approach
AppWall Radware
Armor Defense Armor
ArvanCloud ArvanCloud
ASP.NET Generic Microsoft
ASPA Firewall ASPA Engineering Co.
Astra Czar Securities
AWS Elastic Load Balancer Amazon
AzionCDN AzionCDN
Azure的前门微软
Barikode伦理忍者
梭子鱼梭子鱼网络
Bekchy Faydata Technologies Inc.的
鲟CDN鲟
BIG-IP本地流量管理器F5 Networks公司
BinarySec BinarySec
BitNinja BitNinja
BlockDoS BlockDoS
蓝盾蓝盾IST
BulletProof Security Pro AITpro Security
CacheWall Varnish
CacheFly CDN CacheFly
Comodo cWatch Comodo CyberSecurity
CdnNS 应用程序网关 CdnNs/WdidcNet
ChinaCache 负载均衡器 ChinaCache
Chuang Yu Shield Yunaq
Cloudbric Penta Security
Cloudflare Cloudflare Inc.
Cloudfloor Cloudfloor DNS
Cloudfront Amazon
CrawlProtect Jean-Denis Brun
DataPower IBM
DenyALL Rohde & Schwarz CyberSecurity Distil Distil
Networks
DOSarrest DOSarrest Internet Security
DotDefender Applicure Technologies
DynamicWeb Injection Check DynamicWeb
Edgecast Verizon Digital Media Eisoo
Cloud Firewall Eisoo
Expression Engine EllisLab
BIG-IP AppSec Manager F5 Networks
BIG-IP AP Manager F5 Networks
Fastly Fastly CDN
FirePass F5 Networks
FortiWeb Fortinet
GoDaddy 网站保护 GoDaddy
Greywizard Gray Wizard
华为云防火墙华为
HyperGuard 防御艺术
Imunify360 CloudLinux
Incapsula Imperva Inc.
IndusGuard Indusface
Instart DX Instart Logic
ISA Server Microsoft
Janusec Application Gateway Janusec
Jiasule Jiasule
Kona SiteDefender Akamai
KS-WAF KnownSec
KeyCDN KeyCDN
风头CDN风头
的Litespeed的Litespeed技术
开放Resty Lua的Nginx的FLOSS
Oracle云甲骨文
Malcare Inactiv
MaxCDN MaxCDN
任务控制盾构任务控制
的ModSecurity SpiderLabs
NAXSI NBS系统
Nemesida PentestIt
NevisProxy AdNovum
NetContinuum Barracuda Networks
NetScaler AppFirewall Citrix Systems
Newdefend NewDefend
NexusGuard 防火墙 NexusGuard
NinjaFirewall NinTechNet
NullDDoS 保护 NullDDoS NSFocus NSFocus
Global Inc.
OnMessage Shield BlackBaud
Palo Alto 下一代防火墙 Palo Alto Networks
PerimeterX PerimeterX
PentaWAF 全球网络服务
pkSecurity IDS pkSec
PT 应用防火墙 Positive Technologies
PowerCDN PowerCDN
Profense ArmorLogic
普惠普惠
七牛七牛 CDN
Reblaze Reblaze
RSFirewall RSJoomla!
RequestValidationMode Microsoft
Sabre 防火墙 Sabre
Safe3 Web 防火墙 Safe3
Safedog SafeDog
Safeline Chaitin Tech。
SecKing SecKing
eEye SecureIIS BeyondTrust
SecuPress WP 安全性 SecuPress
SecureSphere Imperva Inc.
Secure Entry United Security Providers
SEnginx Neusoft
ServerDefender VP Port80 Software
Shield Security One Dollar Plugin
Shadow Daemon Zecure
SiteGround SiteGround
SiteGuard Sakura Inc.
Sitelock TrueShield
SonicWall Dell
UTM Web Protection Sophos
Squarespace Squarespace
SquidProxy IDS SquidProxy
StackPath StackPath
Sucuri CloudProxy Sucuri Inc.
腾讯云防火墙腾讯科技
Teros Citrix Systems
Trafficshield F5 Networks
TransIP Web 防火墙 TransIP
URLMaster SecurityCheck iFinity/DotNetNuke
URLScan Microsoft
UEWaf UCloud
Varnish OWASP
Viettel Cloudrity
VirusDie VirusDie LLC
Wallarm Wallarm Inc.
WatchGuard WatchGuard Technologies
WebARX WebARX 安全解决方案
WebKnight AQTRONIX
WebLand WebLand
RayWAF WebRay 解决方案
WebSEAL IBM
WebTotem WebTotem
West263 CDN West263CDN
Wordfence Defiant
WP Cerber Security Cerber Tech
WTS-WAF WTS
360WangZhanBao 360 Technologies
XLabs Security WAF XLabs
玄武顿
玄武顿
云顿云锁云锁
云家苏百度云计算
YXLink YxLink Technologies
Zenedge Zenedge
ZScaler Accenture

复制代码

网络探测站点是否存在waf和一些细节

例子1：（wafw00f https://www.baidu.com百度知道有waf）

这里还可以用的服务器应该是BWS/1.1但是它的响应包中返回的服务器是Apache我们自己用burp抓包也能包：

应该是修改了响应头的返回。例如：进入org/apache/catalina/util编辑配置文件ServerInfo.properties
字段来实现来改变我们tomcat的版本信息

修改为：

server.info=Apache Tomcat
server.number=0.0.0.0
server.built=2017 年 4 月 2 日 07:25:00 UTC

复制代码

将修改后的信息压缩回jar包：

# cd /tomcat/lib
# jar uvf catalina.jar org/ap
ache/catalina/util/ServerInfo.properties

复制代码

重启公猫验证前后截图如下所示：

		自动登录	找回密码
密码			注册

[网络安全] waf指纹识别工具WAFW00F的原理，安装与使用