通过数据库查询MVM的扫描漏洞名称和对应的扫描脚本关系

数据库和扫描脚本是漏洞扫描较为核心的两个部分,在日常运维中,官方的扫描脚本难免存在漏报误报的情况,想要深入了解和学习扫描的原理和验证漏洞,读对应漏洞的扫描脚本源代码是必不可少的。


下面的SQL语句,实现通过数据库查询MVM的扫描漏洞名称和对应的扫描脚本关系。



/****** Script for SelectTopNRows command from SSMS  ******/
--ScriptVuln 表是FaultlineID和scriptID的对应关系表,但似乎是一一对应关系,所以略去。 
SELECT [FaultlineID]
      --,[faultline].[Content].[Vuln].[ModuleID]
      --,[NID]
      ,[CVE]
      ,[MSFTID]
      ,[MSKBID]
      ,[CheckVersion]
      --,[CustomID]
      --,[Type]
      ,[Name]
      ,[Description]
      ,[Observation]
      ,[Risk]
      ,[Recommendation]
      ,[Simplicity]
      ,[Popularity]
      ,[Impact]
      ,[Intrusive]
      ,[SANS]
      --,[IAVA]
      --,[IAVARefNumber]
      --,[IAVAArmyRefNumber]
      ,[CheckRequiresCredentials]
      ,[AddedDate]
      ,[faultline].[Content].[Vuln].[ModifiedDate]
      --,[DeletedDate]
      ,[Status]
      --,[Customized]
      --,[Version]
      --,[Patched]
      --,[SupersededID]
      ,faultline.content.script.[ScriptName]
      --,faultline.content.script.[ModuleID]
      --,faultline.content.script.[ScriptRole]
      --,faultline.content.script.[CreatedDate]
      ,faultline.content.script.[ModifiedDate]
      --,faultline.content.script.[Script]
  FROM [faultline].[Content].[Vuln]
  left join faultline.content.script on faultline.content.script.scriptID=FaultlineID


如图是查询结果中的几个字段,关键是找到ScriptName,去读取源码。

FaultlineID CVE MSFTID ScriptName Name Description Observation
1 CVE-1999-1011 MS99-025 web-iis-rds-v2.fasl3 (MS99-025) Microsoft IIS RDS Command Execution A command execution vulnerability in Microsoft IIS MDAC package allows  remote attackers to gain administrative control of targeted systems. Microsoft Internet Information Server (IIS) is an industry standard HTTP  server.  MDAC (Microsoft Data Access  Components) is a package used to integrate web and database services. It  includes a component named RDS (Remote Data Services). RDS allows remote  access via the internet to database objects through IIS.  Both are included in a default installation  of the Windows NT 4.0 Option Pack, but can be excluded via a custom installation.    RDS includes a component called the  DataFactory object, which has a vulnerability that could allow any web user  to (a) Obtain unauthorized access to unpublished files on the IIS server and  (b) Use MDAC to tunnel ODBC requests through to a remote internal or external  location, thereby obtaining access to non public servers or effectively  masking the source of an attack on another network.    If the Microsoft JET OLE DB Provider or  Microsoft DataShape Provider are installed, a user could use the shell() VBA  command on the server with System privileges. These two vulnerabilities  combined can allow an attacker on the Internet to run arbitrary commands with  System level privileges on the target host.     Vulnerable Systems:    Microsoft  IIS 4.0    For more information  see:    Microsoft Security Bulletin  MS99-025:   http://www.microsoft.com/technet/security/bulletin/ms99-025.mspx
2 CVE-MAP-NOMATCH NULL unix-rpc-cmsd-v2.fasl3 RPC Calendar Service cmsd Available The RPC cmsd program was determined to be registered with the target  system's portmapper. The RPC cmsd program was determined to be registered with the target  system's portmapper. RPC services are commonly enabled by default on most  UNIX operating systems. Additionally, RPC services are regularly found to be  vulnerable to buffer overflow and format string attacks that lead to complete  compromise of the target system. Exploitation of RPC services affects all  major UNIX operating systems including Solaris, HP/UX, AIX, Irix, Linux,  FreeBSD and more.    For more  information see:    CVE-1999-0320  CVE-1999-0696  
39 CVE-1999-0833, CVE-1999-0851 NULL unix-bind-nxt-overflow-v2.fasl3 ISC BIND NXT Buffer Overflow A buffer overflow vulnerability exists within BIND 8.2 NXT record  processing that allows an attacker to execute arbitrary code on vulnerable  systems. The portion of code responsible for processing NXT records in BIND 8.2  and 8.2.1 is vulnerable to a buffer overflow attack. By sending specially  crafted NXT record traffic to a vulnerable system it is possible to execute  arbitrary code on the target system.     Vulnerable Systems:  ISC BIND  8.2 - 8.2.1 on UNIX    For more  information see:     BID 788:  http://online.securityfocus.com/bid/788



脚本的内容也是存储在数据库中的,而且是经过加密的,内容不能直接可读,要查看脚本内容也只能通过MVM自己的编辑器,直接用文本编辑器打开是不可读的。和Nmap、Openvas的开源脚本不同。不过能都已经是不错了。


另外,MVM的更新原理是也通过数据库实现,即更新包实际上是更新数据库的内容,其他组件再通过与数据库的通信实现各自的更新。数据库成了核心。

本文出自 “奋斗的菜鸟” 博客,谢绝转载!

你可能感兴趣的:(漏洞,对应关系,脚本源代码,扫描脚本)