OpenVas Plugins 编写及实现方法
OpenVas plugins 编写规则
1. Description
id: 分配给公司的id,也做为plugin的unique标志
version, creation_date, last_modification: 版本号,创建修改时间
cve_id:“Common Vulnerabilities & Exposures”公共漏洞和暴露。CVE就好像是一个字典表,为广泛认同的信息安全漏洞或者已经暴露出来的弱点给出一个公共的名称。使用一个共同的名字,可以帮助用户在各自独立的各种漏洞数据库中和漏洞评估工具中共享数据。
bugtraq_id:BugTraq是一个完整的对计算机安全漏洞(它们是什么,如何利用它们,以及如何修补它们)的公告及详细论述进行适度披露的邮件列表。
risk_factor, cvss_base:风险系数
http://web.nvd.nist.gov/view/vuln/search-results?query=CVE-2008-6894【CVE号】&search_type=all&cves=on
cvss_base_vector:
name, summary, description: 根据CVE查询
category:说明这plugin是干什么事
种类有:
– ACT_INIT: the plugin just sets a few KB items (kinds of global variables for all plugins). – ACT_SCANNER: the plugin is a port scanner or something like it (e.g. ping). – ACT_SETTINGS: just like ACT_INIT, but run after the scanners, once we are sure that the host is alive (for performance). – ACT_GATHER_INFO: the plugin identifies services, gather data, parses banners, etc. – ACT_ATTACK: the plugin launches a soft attack, e.g. a web directory traversal. – ACT_MIXED_ATTACK: the plugin launches an attach that might have dangerous side effects (crashing the service most of the time). – ACT_DESTRUCTIVE_ATTACK: the plugin tries to destroy data16 or launch some dangerous attack (e.g. testing a buffer overflow is likely to crash a vulnerable service). – ACT_DENIAL: the plugin tries to crash a service. – ACT_KILL_HOST: the plugin tries to crash the target host or disable it (e.g. saturate the CPU, kill some vital service...). – ACT_FLOOD: the plugin tries to crash the target host or disable it by flooding it with incorrect packets or requests. It may saturate the network or kill some routing, switching or filtering device on the way.
family:plugin的类别,比如在gsd里将plugin分类,如mysql就是databse类,用于XSS攻击的就是Web application abuses类。
copyright:版权所有
dependencies: sets the lists of scripts that should be run before this one
exclude_keys: sets the list of “KB items” that must not be set to run this
script in “optimize mode”.
require_keys: sets the list of “KB items” that must be set to run this script
in “optimize mode”
require_ports: sets the list of TCP ports that must be open to run this
script in “optimize mode”.
2. Plugins的攻击
一般:
1. 获取port number
port = get_http_port(default:80);
2. 获取版本号version
version = get_kb_item("www/" + port + "/Apache"); 由端口协助获得
version = get_kb_item("Adobe/Reader/Win/Ver"); 直接获得
3. 获取路径
dir = get_dir_from_kb(port:port, app:"joomla【APP的名字】"); 直接APP name获得路径
foreach dir (cgi_dirs()) 要遍历
4. 报告
• security_note reports a miscellaneous information. It either takes an unnamed integer argument (the port number), or a some of those named arguments: – data is the text report (the “description” by default). – port is the TCP or UDP port number of the service (or nothing if the bug concerns the whole machine, e.g. the IP stack configuration). – proto (or protocol) is the protocol ("tcp" by default; "udp" is the other value). • security_hole reports a severe flaw. It either takes an unnamed integer argument (the port number), or a some of those named arguments: 18 – data is the text report (the “description” by default). – port is the TCP or UDP port number of the vulnerable service (or nothing if the bug concerns the whole machine, e.g. the IP stack configuration). – proto (or protocol) is the protocol ("tcp" by default; "udp" is the other value). • security_warning reports a mild flaw. It either takes an unnamed integer argument (the port number), or a some of those named arguments: – data is the text report (the “description” by default). – port is the TCP or UDP port number of the vulnerable service (or nothing if the bug concerns the whole machine, e.g. the IP stack configuration). – proto (or protocol) is the protocol ("tcp" by default; "udp" is the other value).
5. KB Knowledge Base
Each host is associated to an internal knowledge base, which contains all the information gathered by the tests during the scan. The security tests are encouraged to read it and to contribute to it. The status of the ports, for instance, is in fact written somewhere in the knowledge base.
The KB is divided into categories. The ``Services'' category contains the port numbers associated to each known service. For instance, the element Services/smtp is very likely to have the value 25. However, if the remote host has a hidden SMTP server on port 2500, and none on port 25, then this item will have the value 2500.
方法:
• set_kb_item creates a new entry in the KB. It takes two named string arguments: name and value. Entering an item several times creates a list. 17 • get_kb_item retrieves an entry from the KB. It takes one unnamed string argument (the name of the KB item). If the item is a list, the plugin will fork and each child process will use a different value. Nessus remebers which child got which value: reading the same item a second time will not fork again! You should not call this function when some connections are open if you do not want to see several processes fighting to read or write on the same socket. • get_kb_list retrieves multiple entrie from the KB. It takes one unnamed string argument which may either designate a literal KB entry name, or a mask. The returned value is a “hash”, i.e. an array with potentially duplicated indexes; because of this, you need to convert it with make_list() or use foreach to access each element (the make_array function allows you to create such hashes). # Retrieves the list of all the web servers webservers = get_kb_list("Services/www"); # Retrieves the list of all the services services = get_kb_list("Services/*"); # Retrieves the whole KB services = get_kb_list("*"); • replace_kb_item adds a new entry in the KB or replace the old value. It takes two named string arguments: name and value. Entering an item several times does not create a list, it just overwrites the old value. As this function is not defined in all Nessus version, it is safer to check that it is defined before calling it or use the replace_or_set_kb_item NASL function.
1. 查版本号
include("version_func.inc");
方法有:
version_in_range(version:version【现有版本】, test_version:"10.0"【vuln的最低版本】, test_version2:"10.1.2"【vuln的最高版本】)
version_is_less()等
2. XSS,SQL攻击
1. 编写exploit script
如:string("'+and+1=2/**/UNION/**/SELECT/**/1,1,1,1,1,1,1,1,",concat(0x6e,0x6f,0x70,0x73,0x65,0x63),",1,1,1/*");
如:string('"><script>alert(',"songhan got it!",')</script>');
对script encode用exss = urlencode(str:xss)
2. 找出攻击的url
如:string(dir, "/index.php?id=", exploit);
3. 发起攻击并检查vuln
1.如果只需检查收到的response msg有没有特定字符,如我们发送的特制的xss字符(如公司名),或者我们想要的错误提示
if(http_vuln_check(port:port,url:url,pattern:'xss'【我们的特制字符】,bodyonly:TRUE)
2.如果要查的东西比较复杂,则要分布进行
req=http_get(item:url,port:port); 制定请求
received_msg = http_send_recv(port:port, data:req,bodyonly:TRUE); 发送并接受
if (egrep(pattern:"xss", string:received_msg)) 或if (filter >< received_msg) 检查
3. CSRF攻击
check if session key in the hidden response page. <input type="hidden" name="sesskey"
4. Absolute path traversal 【nopsec_asterisk_recording_disclosure.nasl】
1. 特制的url
url=string(dir, "/misc/audio.php?", "recording=../version.inc");
2. 发送,检查返回msg
pattern:string("Cannot use file: ../version.inc")