內容沒有多大意義,關鍵是打破砂鍋的心。
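/****** Script for SelectTopNRows command from SSMS ******/
-- Fetch the stored definition of the vulnerability set named 'cmb_default'.
-- Per the notes on this page, a rule-based set has no matching rows in
-- VulnSetVulns; its selection lives in the filter columns below, so these are
-- the columns to read when auditing which checks a scan with this set covers.
-- Annotations use "--": T-SQL does not accept "//" as a comment marker.
SELECT TOP 1000
     [VulnSetID]
    ,[VulnsVersion]
    ,[VulnSetVersion]
    ,[Name]
    ,[Unnamed]
    /* Columns deliberately left out of this lookup. They look like per-set
       scan options, but their exact semantics are not shown on this page.
    ,[Description]
    ,[OrgID]
    ,[Creator]
    ,[CreateDate]
    ,[ModifiedDate]
    ,[VulnChecks]
    ,[EnableWhamScan]
    ,[ScanForWireless]
    ,[EnableShellScan]
    ,[StartWebCrawl]
    ,[SourceSifting]
    ,[SmartGuess]
    ,[SqlHack]
    ,[SourceDisclose]
    ,[EnableBruteForcing]
    ,[BruteForcing]
    ,[JavaAppletDecompile]
    ,[DirectoryBrowse]
    */
    ,[VulnSetType]               -- NOTE(review): presumably separates tree-based from rule-based sets; confirm
    ,[VulnFilterXML]             -- content corresponds to VulnFilter.xml (the filter rule)
    ,[VulnFilterProcessedQuery]  -- stores the query statement that fetches the Vulns for this set
    ,[State]
FROM [faultline].[ScanComponent].[VulnSet]
WHERE [Name] = 'cmb_default';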
當初的 Vuln Set 是根據樹形結構的勾選來設置的,可以通過 VulnSetVulns 表查詢到該 Vuln Set 所勾選的 Vulns;但是改用基於 rule 的方法之後,該表中就沒有相應的內容了。
一度以爲查錯了表,後來想到它和其他 Vuln Set 的不同點就在於是基於 tree 還是基於 rule;驗證後確認了這一點:詳細查看 VulnSet 表,其中有隨類型不同而使用的字段。
以下是 xml 文件(VulnFilter.xml)的內容:
<VulnFilter>
<!-- Rule-based selection for a vulnerability set. Each {n} placeholder in the
     Filter expression stands for the Condition whose ConditionID is n, so the
     expression reads: (0 and 1) and (2 or ... or 16) and (17 and 18). -->
<Filter expression="( {0} and {1} ) and ( {2} or {3} or {4} or {5} or {6} or {7} or {8} or {9} or {10} or {11} or {12} or {13} or {14} or {15} or {16} ) and ( {17} and {18} )">
<!-- Conditions 0 and 1: keep only checks with Intrusive equal to 0 and leave
     out Module 3 (what module 3 is cannot be told from this page). -->
<Condition>
<Column>Intrusive</Column>
<Operator>equals</Operator>
<Value>0</Value>
<ConditionID>0</ConditionID>
</Condition>
<Condition>
<Column>Module</Column>
<Operator>does not equal</Operator>
<Value>3</Value>
<ConditionID>1</ConditionID>
</Condition>
<!-- Conditions 2 to 16: OR-ed allow-list of Category values. A check in any
     category not listed here is not part of the set. -->
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>6</Value>
<ConditionID>2</ConditionID>
</Condition>
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>10</Value>
<ConditionID>3</ConditionID>
</Condition>
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>12</Value>
<ConditionID>4</ConditionID>
</Condition>
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>14</Value>
<ConditionID>5</ConditionID>
</Condition>
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>31</Value>
<ConditionID>6</ConditionID>
</Condition>
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>50</Value>
<ConditionID>7</ConditionID>
</Condition>
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>32</Value>
<ConditionID>8</ConditionID>
</Condition>
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>115</Value>
<ConditionID>9</ConditionID>
</Condition>
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>30</Value>
<ConditionID>10</ConditionID>
</Condition>
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>48</Value>
<ConditionID>11</ConditionID>
</Condition>
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>16</Value>
<ConditionID>12</ConditionID>
</Condition>
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>24</Value>
<ConditionID>13</ConditionID>
</Condition>
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>70</Value>
<ConditionID>14</ConditionID>
</Condition>
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>19</Value>
<ConditionID>15</ConditionID>
</Condition>
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>21</Value>
<ConditionID>16</ConditionID>
</Condition>
<!-- Conditions 17 and 18: name-based exclusions. Any check whose name contains
     one of these strings is left out of the set, so a scan that uses this set
     will not report those findings; record the reason for each exclusion when
     reviewing scan coverage. -->
<Condition>
<Column>Vulnerability Name</Column>
<Operator>does not contain</Operator>
<Value>SSHv1 Protocol Enabled</Value>
<ConditionID>17</ConditionID>
</Condition>
<Condition>
<Column>Vulnerability Name</Column>
<Operator>does not contain</Operator>
<Value>Microsoft Internet Information Services Remote DoS</Value>
<ConditionID>18</ConditionID>
</Condition>
</Filter>
</VulnFilter>
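USE faultline;

-- Everything from FROM onward is the value stored in [VulnFilterProcessedQuery]
-- for the rule-based set: the filter rule rendered as a WHERE clause. Only line
-- breaks and "--" comments were added; the predicate tokens are unchanged.
-- Annotations use "--" because T-SQL does not accept "//" as a comment marker.
-- SELECT * is kept because the view's column list is not shown on this page.
SELECT *
FROM Content.vwVulnCategoryVulnSelectable MasterView
WHERE 1=1
AND (
    -- Filter conditions {0} and {1}: only rows with Intrusive = 0, and ModuleID 3
    -- is left out (what module 3 is cannot be told from this page).
    (MasterView.Intrusive = 0)
    and (MasterView.ModuleID <> 3)
)
and (
    -- Filter conditions {2}..{16}: allow-list of category ids. A check in any
    -- other category is never selected by this set.
    (MasterView.VulnCategoryID = 6)
    or (MasterView.VulnCategoryID = 10)
    or (MasterView.VulnCategoryID = 12)
    or (MasterView.VulnCategoryID = 14)
    or (MasterView.VulnCategoryID = 31)
    or (MasterView.VulnCategoryID = 50)
    or (MasterView.VulnCategoryID = 32)
    or (MasterView.VulnCategoryID = 115)
    or (MasterView.VulnCategoryID = 30)
    or (MasterView.VulnCategoryID = 48)
    or (MasterView.VulnCategoryID = 16)
    or (MasterView.VulnCategoryID = 24)
    or (MasterView.VulnCategoryID = 70)
    or (MasterView.VulnCategoryID = 19)
    or (MasterView.VulnCategoryID = 21)
)
and (
    -- Filter conditions {17} and {18}: name-based exclusions.
    --  * '%...%' is a substring match, so every check whose name contains the
    --    text is dropped, not only the one exact check; scans using this set
    --    will not report those findings.
    --  * isnull(VulnName, '') turns a NULL name into '', which passes NOT LIKE,
    --    so rows with a NULL name stay selected.
    --  * Escape '!' declares '!' as the LIKE escape character; neither pattern
    --    contains '!', so it has no effect on these two conditions.
    -- NOTE(review): the rule's Value text appears inline in the LIKE pattern;
    -- how the generator escapes quotes and wildcards is not visible here - confirm.
    ( isnull(MasterView.VulnName, '') not like '%SSHv1 Protocol Enabled%' Escape '!' )
    and ( isnull(MasterView.VulnName, '') not like '%Microsoft Internet Information Services Remote DoS%' Escape '!' )
);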