The database and the scan scripts are the two core parts of a vulnerability scanner. In day-to-day operations the vendor's scan scripts inevitably produce some false negatives and false positives, so if you want to understand how a check actually works and verify a reported vulnerability, reading the source of the corresponding scan script is essential.
The SQL statement below queries the database for the relationship between MVM's vulnerability names and their scan scripts.
```sql
/****** Script for SelectTopNRows command from SSMS ******/
-- The ScriptVuln table maps FaultlineID to scriptID, but it appears to be a
-- one-to-one mapping, so it is skipped here.
SELECT [FaultlineID]
      --,[faultline].[Content].[Vuln].[ModuleID]
      --,[NID]
      ,[CVE]
      ,[MSFTID]
      ,[MSKBID]
      ,[CheckVersion]
      --,[CustomID]
      --,[Type]
      ,[Name]
      ,[Description]
      ,[Observation]
      ,[Risk]
      ,[Recommendation]
      ,[Simplicity]
      ,[Popularity]
      ,[Impact]
      ,[Intrusive]
      ,[SANS]
      --,[IAVA]
      --,[IAVARefNumber]
      --,[IAVAArmyRefNumber]
      ,[CheckRequiresCredentials]
      ,[AddedDate]
      ,[faultline].[Content].[Vuln].[ModifiedDate]
      --,[DeletedDate]
      ,[Status]
      --,[Customized]
      --,[Version]
      --,[Patched]
      --,[SupersededID]
      ,faultline.content.script.[ScriptName]
      --,faultline.content.script.[ModuleID]
      --,faultline.content.script.[ScriptRole]
      --,faultline.content.script.[CreatedDate]
      ,faultline.content.script.[ModifiedDate]
      --,faultline.content.script.[Script]
  FROM [faultline].[Content].[Vuln]
  LEFT JOIN faultline.content.script
    ON faultline.content.script.scriptID = FaultlineID
```
The table below shows a few of the fields from the query result; the key is to find the ScriptName and then go and read that script's source.
| FaultlineID | CVE | MSFTID | ScriptName | Name | Description | Observation |
|---|---|---|---|---|---|---|
| 1 | CVE-1999-1011 | MS99-025 | web-iis-rds-v2.fasl3 | (MS99-025) Microsoft IIS RDS Command Execution | A command execution vulnerability in Microsoft IIS MDAC package allows remote attackers to gain administrative control of targeted systems. | Microsoft Internet Information Server (IIS) is an industry standard HTTP server. MDAC (Microsoft Data Access Components) is a package used to integrate web and database services. It includes a component named RDS (Remote Data Services). RDS allows remote access via the internet to database objects through IIS. Both are included in a default installation of the Windows NT 4.0 Option Pack, but can be excluded via a custom installation. RDS includes a component called the DataFactory object, which has a vulnerability that could allow any web user to (a) Obtain unauthorized access to unpublished files on the IIS server and (b) Use MDAC to tunnel ODBC requests through to a remote internal or external location, thereby obtaining access to non public servers or effectively masking the source of an attack on another network. If the Microsoft JET OLE DB Provider or Microsoft DataShape Provider are installed, a user could use the shell() VBA command on the server with System privileges. These two vulnerabilities combined can allow an attacker on the Internet to run arbitrary commands with System level privileges on the target host. Vulnerable Systems: Microsoft IIS 4.0 For more information see: Microsoft Security Bulletin MS99-025: http://www.microsoft.com/technet/security/bulletin/ms99-025.mspx |
| 2 | CVE-MAP-NOMATCH | NULL | unix-rpc-cmsd-v2.fasl3 | RPC Calendar Service cmsd Available | The RPC cmsd program was determined to be registered with the target system's portmapper. | The RPC cmsd program was determined to be registered with the target system's portmapper. RPC services are commonly enabled by default on most UNIX operating systems. Additionally, RPC services are regularly found to be vulnerable to buffer overflow and format string attacks that lead to complete compromise of the target system. Exploitation of RPC services affects all major UNIX operating systems including Solaris, HP/UX, AIX, Irix, Linux, FreeBSD and more. For more information see: CVE-1999-0320 CVE-1999-0696 |
| 39 | CVE-1999-0833, CVE-1999-0851 | NULL | unix-bind-nxt-overflow-v2.fasl3 | ISC BIND NXT Buffer Overflow | A buffer overflow vulnerability exists within BIND 8.2 NXT record processing that allows an attacker to execute arbitrary code on vulnerable systems. | The portion of code responsible for processing NXT records in BIND 8.2 and 8.2.1 is vulnerable to a buffer overflow attack. By sending specially crafted NXT record traffic to a vulnerable system it is possible to execute arbitrary code on the target system. Vulnerable Systems: ISC BIND 8.2 - 8.2.1 on UNIX For more information see: BID 788: http://online.securityfocus.com/bid/788 |
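Before skipping the ScriptVuln table on the assumption that it is one-to-one, it is worth checking that assumption against the data, because a vulnerability with two scripts (or none) would silently get the wrong ScriptName from a join on scriptID = FaultlineID. The following is an added example, not code from the page or from MVM: it builds a constructed, simplified SQLite copy of the three tables (plain names Vuln, Script and ScriptVuln stand in for the faultline.Content schema; the ScriptVuln columns FaultlineID and scriptID follow the text), reports every FaultlineID whose script count is not exactly one, and resolves scripts through ScriptVuln instead of the shortcut join. The rows mirror the page's result table, except that the second script for FaultlineID 39 is hypothetical and exists only so the check has something to report.

```python
import sqlite3

# Constructed stand-in for MVM's faultline.Content.Vuln, faultline.Content.Script and
# ScriptVuln tables (SQLite has no schema prefixes, so plain table names are used).
SCHEMA = """
CREATE TABLE Vuln (FaultlineID INTEGER PRIMARY KEY, CVE TEXT, Name TEXT);
CREATE TABLE Script (scriptID INTEGER PRIMARY KEY, ScriptName TEXT);
CREATE TABLE ScriptVuln (FaultlineID INTEGER, scriptID INTEGER);
"""

# Constructed rows: the three vulnerabilities from the page's result table, plus a
# hypothetical second script for FaultlineID 39 so the 1:1 check has something to report.
ROWS = {
    "Vuln": [(1, "CVE-1999-1011", "(MS99-025) Microsoft IIS RDS Command Execution"),
             (2, "CVE-MAP-NOMATCH", "RPC Calendar Service cmsd Available"),
             (39, "CVE-1999-0833, CVE-1999-0851", "ISC BIND NXT Buffer Overflow")],
    "Script": [(1, "web-iis-rds-v2.fasl3"), (2, "unix-rpc-cmsd-v2.fasl3"),
               (39, "unix-bind-nxt-overflow-v2.fasl3"), (40, "example-extra-check.fasl3")],
    "ScriptVuln": [(1, 1), (2, 2), (39, 39), (39, 40)],
}

def open_sample_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    for table, rows in ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        con.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return con

def non_one_to_one(con):
    """(FaultlineID, script count) for every vulnerability whose script count is not one:
    exactly the rows that the shortcut join on scriptID = FaultlineID would get wrong."""
    return con.execute("SELECT FaultlineID, COUNT(*) FROM ScriptVuln "
                       "GROUP BY FaultlineID HAVING COUNT(*) <> 1").fetchall()

def vuln_to_scripts(con):
    """(FaultlineID, CVE, Name, ScriptName) rows, joined through ScriptVuln so a
    vulnerability with several scripts, or with none, is reported correctly."""
    return con.execute("""
        SELECT v.FaultlineID, v.CVE, v.Name, s.ScriptName
        FROM Vuln AS v
        LEFT JOIN ScriptVuln AS sv ON sv.FaultlineID = v.FaultlineID
        LEFT JOIN Script AS s ON s.scriptID = sv.scriptID
        ORDER BY v.FaultlineID, s.ScriptName""").fetchall()

if __name__ == "__main__":
    db = open_sample_db()
    print("FaultlineIDs breaking the 1:1 assumption:", non_one_to_one(db))
    for row in vuln_to_scripts(db):
        print(row)
```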
The script bodies are also stored in the database, and they are stored encrypted, so the content is not directly readable: the only way to view a script is through MVM's own editor, and opening one in a plain text editor gives nothing legible. This is unlike the open-source scripts of Nmap and OpenVAS. Still, being able to view them at all is already something.
In addition, MVM's update mechanism is also implemented through the database: an update package actually updates the database contents, and the other components then bring themselves up to date by communicating with the database. The database has become the core of the product.