OpenVas Plugins 编写及实现方法

OpenVas plugins 编写规则

1. Description

　　id: 分配给公司的id，也做为plugin的unique标志

　　version, creation_date, last_modification: 版本号，创建修改时间

　　cve_id：“Common Vulnerabilities & Exposures”公共漏洞和暴露。CVE就好像是一个字典表，为广泛认同的信息安全漏洞或者已经暴露出来的弱点给出一个公共的名称。使用一个共同的名字，可以帮助用户在各自独立的各种漏洞数据库中和漏洞评估工具中共享数据。

　　bugtraq_id：BugTraq是一个完整的对计算机安全漏洞（它们是什么，如何利用它们，以及如何修补它们）的公告及详细论述进行适度披露的邮件列表。

　　risk_factor， cvss_base：风险系数

　　http://web.nvd.nist.gov/view/vuln/search-results?query=CVE-2008-6894【CVE号】&search_type=all&cves=on

　　cvss_base_vector：

　　name, summary, description: 根据CVE查询

　　category：说明这plugin是干什么事

　　　　　种类有：

View Code

– ACT_INIT: the plugin just sets a few KB items (kinds of global variables
for all plugins).
– ACT_SCANNER: the plugin is a port scanner or something like it (e.g.
ping).
– ACT_SETTINGS: just like ACT_INIT, but run after the scanners, once
we are sure that the host is alive (for performance).
– ACT_GATHER_INFO: the plugin identifies services, gather data, parses
banners, etc.
– ACT_ATTACK: the plugin launches a soft attack, e.g. a web directory
traversal.
– ACT_MIXED_ATTACK: the plugin launches an attach that might have
dangerous side effects (crashing the service most of the time).
– ACT_DESTRUCTIVE_ATTACK: the plugin tries to destroy data16 or
launch some dangerous attack (e.g. testing a buffer overflow is likely to
crash a vulnerable service).
– ACT_DENIAL: the plugin tries to crash a service.
– ACT_KILL_HOST: the plugin tries to crash the target host or disable it
(e.g. saturate the CPU, kill some vital service...).
– ACT_FLOOD: the plugin tries to crash the target host or disable it by
flooding it with incorrect packets or requests. It may saturate the network
or kill some routing, switching or filtering device on the way.

　　family：plugin的类别，比如在gsd里将plugin分类，如mysql就是databse类，用于XSS攻击的就是Web application abuses类。

　　copyright：版权所有

　　dependencies： sets the lists of scripts that should be run before this one
　　exclude_keys： sets the list of “KB items” that must not be set to run this
script in “optimize mode”.
　　require_keys： sets the list of “KB items” that must be set to run this script
in “optimize mode”
　　require_ports： sets the list of TCP ports that must be open to run this
script in “optimize mode”.

2. Plugins的攻击

一般：

1. 获取port number

　　port = get_http_port(default:80);

2. 获取版本号version

　　version = get_kb_item("www/" + port + "/Apache");　　由端口协助获得

　　version = get_kb_item("Adobe/Reader/Win/Ver");　　直接获得

3. 获取路径

　　dir = get_dir_from_kb(port:port, app:"joomla【APP的名字】"); 　　直接APP name获得路径

　　foreach dir (cgi_dirs())　　要遍历

4. 报告

View Code

• security_note reports a miscellaneous information.
It either takes an unnamed integer argument (the port number), or a some of
those named arguments:
– data is the text report (the “description” by default).
– port is the TCP or UDP port number of the service (or nothing if the bug
concerns the whole machine, e.g. the IP stack configuration).
– proto (or protocol) is the protocol ("tcp" by default; "udp" is the other
value).

• security_hole reports a severe flaw.
It either takes an unnamed integer argument (the port number), or a some of
those named arguments:
18
– data is the text report (the “description” by default).
– port is the TCP or UDP port number of the vulnerable service (or nothing
if the bug concerns the whole machine, e.g. the IP stack configuration).
– proto (or protocol) is the protocol ("tcp" by default; "udp" is the other
value).

• security_warning reports a mild flaw.
It either takes an unnamed integer argument (the port number), or a some of
those named arguments:
– data is the text report (the “description” by default).
– port is the TCP or UDP port number of the vulnerable service (or nothing
if the bug concerns the whole machine, e.g. the IP stack configuration).
– proto (or protocol) is the protocol ("tcp" by default; "udp" is the other
value).

5. KB Knowledge Base

Each host is associated to an internal knowledge base, which contains all the information gathered by the tests during the scan. The security tests are encouraged to read it and to contribute to it. The status of the ports, for instance, is in fact written somewhere in the knowledge base.

The KB is divided into categories. The ``Services'' category contains the port numbers associated to each known service. For instance, the element Services/smtp is very likely to have the value 25. However, if the remote host has a hidden SMTP server on port 2500, and none on port 25, then this item will have the value 2500.

方法：

View Code

• set_kb_item creates a new entry in the KB.
It takes two named string arguments: name and value.
Entering an item several times creates a list.
17

• get_kb_item retrieves an entry from the KB.
It takes one unnamed string argument (the name of the KB item).
If the item is a list, the plugin will fork and each child process will use a different
value. Nessus remebers which child got which value: reading the same item a
second time will not fork again!
You should not call this function when some connections are open if you do not
want to see several processes fighting to read or write on the same socket.

• get_kb_list retrieves multiple entrie from the KB. It takes one unnamed string
argument which may either designate a literal KB entry name, or a mask. The
returned value is a “hash”, i.e. an array with potentially duplicated indexes;
because of this, you need to convert it with make_list() or use foreach to access
each element (the make_array function allows you to create such hashes).
# Retrieves the list of all the web servers
webservers = get_kb_list("Services/www");
# Retrieves the list of all the services
services = get_kb_list("Services/*");
# Retrieves the whole KB
services = get_kb_list("*");

• replace_kb_item adds a new entry in the KB or replace the old value.
It takes two named string arguments: name and value.
Entering an item several times does not create a list, it just overwrites the old
value.
As this function is not defined in all Nessus version, it is safer to check that it is
defined before calling it or use the replace_or_set_kb_item NASL function.

 

 

1. 查版本号

　　include("version_func.inc");

　　方法有：

　　　　version_in_range(version:version【现有版本】, test_version:"10.0"【vuln的最低版本】, test_version2:"10.1.2"【vuln的最高版本】)

　　　　version_is_less()等

　

2. XSS，SQL攻击

　　1. 编写exploit script

　　　　如：string("'+and+1=2/**/UNION/**/SELECT/**/1,1,1,1,1,1,1,1,",concat(0x6e,0x6f,0x70,0x73,0x65,0x63),",1,1,1/*");

　　　　如：string('"><script>alert(',"songhan got it!",')</script>');

　　　　对script encode用exss = urlencode(str:xss）

　　2. 找出攻击的url

　　　　如：string(dir, "/index.php?id=", exploit);

　　3. 发起攻击并检查vuln

　　　　1.如果只需检查收到的response msg有没有特定字符，如我们发送的特制的xss字符（如公司名），或者我们想要的错误提示

　　　　　　if(http_vuln_check(port:port,url:url,pattern:'xss'【我们的特制字符】,bodyonly:TRUE)

　　　　2.如果要查的东西比较复杂，则要分布进行

　　　　　　req=http_get(item:url,port:port);　　制定请求

　　　　　　received_msg = http_send_recv(port:port, data:req,bodyonly:TRUE);　　发送并接受

　　　　　　if (egrep(pattern:"xss", string:received_msg)) 或if (filter >< received_msg)　　检查

 

3. CSRF攻击

　　check if session key in the hidden response page. <input type="hidden" name="sesskey"

4. Absolute path traversal 【nopsec_asterisk_recording_disclosure.nasl】

　　1. 特制的url

　　　　url=string(dir, "/misc/audio.php?", "recording=../version.inc");

　　2. 发送，检查返回msg

　　　　pattern:string("Cannot use file: ../version.inc")