• ch2_CaseStudy_CanonicalNASLScript.txt


    1 #
    2 # This is a verbose template for generic NASL scripts.
    3 #

    5 #
    6 # Script Title and Description
    7 #
    8 # Include a large comment block at the top of your script
    9 # indicating what the script checks for, which versions
    10 # of the target software are vulnerable, your name, the
    11 # date the script was written, credit to whoever found the
    12 # original exploit, and any other information you wish to
    13 # include.
    14 #
    15 
    16 if (description)
    17 {
    18  # All scripts should include a "description" section
    19  # inside an "if (description) { ... }" block.  The
    20  # functions called from within this section report
    21  # information back to Nessus.
    22  #
    23  # Many of the functions in this section accept named
    24  # parameters which support multiple languages.  The
    25  # languages supported by Nessus include 揺nglish,?
    26  # 揻rancais,?揹eutsch,?and 損ortuguese.? If the argument
    27  # is unnamed, the default is English.  English is
    28  # required; other languages are optional.
    29  
    30  script_version("$Revision:1.0$");
    31  
    32  # script_name is simply the name of the script.  Use a
    33  # descriptive name for your script.  For example,
    34  # "php_4_2_x_malformed_POST.nasl" is a better name than
    35  # "php.nasl"
    36  name["english"] = "Script Name in English";
    37  name["francais"] = "Script Name in French";
    38  script_name(english:name["english"], francais:name["francais"]);
    39  
    40  # script_description is a detailed explanation of the vulnerablity.
    41  desc["english"] = "
    42 This description of the script will show up in Nessus when
    43 the script is viewed.  It should include a discussion of
    44 what the script does, which software versions are vulnerable,
    45 links to the original advisory, links to the CVE and BugTraq
    46 articles (if they exist), a link to the vendor web site, a
    47 link to the patch, and any other information which may be
    48 useful.
    49 
    50 The text in this string is not indented, so that it displays
    51 correctly in the Nessus GUI.";
    52  script_description(english:desc["english"]);
    53  
    54  # script_summary is a one line description of what the script does.
    55  summary["english"] = "One line English description.";
    56  summary["francais"] = "One line French description.";
    57  script_summary(english:summary["english"],francais:summary["francais"]);
    58  
    59  # script_category should be one of the following:
    60  # ACT_INIT: Plugin sets KB items.
    61  # ACT_SCANNER: Plugin is a port scanner or similar (like ping).
    62  # ACT_SETTINGS: Plugin sets KB items after ACT_SCANNER.
    63  # ACT_GATHER_INFO: Plugin identifies services, parses banners.
    64  # ACT_ATTACK: For non-intrusive attacks (eg directory traversal)
    65  # ACT_MIXED_ATTACK: Plugin launches potentially dangerous attacks.
    66  # ACT_DESTRUCTIVE_ATTACK: Plugin attempts to destroy data.
    67  # ACT_DENIAL: Plugin attempts to crash a service.
    68  # ACT_KILL_HOST: Plugin attempts to crash target host.
    69  script_category(ACT_DENIAL);
    70  
    71  # script_copyright allows the author to place a copyright
    72  # on the plugin.  Often just the name of the author, but
    73  # sometimes "GPL" or "No copyright."
    74  script_copyright(english:"No copyright.");
    75  
    76  # script_family classifies the behavior of the service.  Valid
    77  # entries include:
    78  # - Backdoors
    79  # - CGI abuses
    80  # - CISCO
    81  # - Denial of Service
    82  # - Finger abuses
    83  # - Firewalls
    84  # - FTP
    85  # - Gain a shell remotely
    86  # - Gain root remotely
    87  # - General
    88  # - Misc.
    89  # - Netware
    90  # - NIS
    91  # - Ports scanners
    92  # - Remote file access
    93  # - RPC
    94  # - Settings
    95  # - SMTP problems
    96  # - SNMP
    97  # - Untested
    98  # - Useless services
    99  # - Windows
    100  # - Windows : User management
    101  family["english"] = "Denial of Service";
    102  family["francais"] = "Deni de Service";
    103  script_family(english:family["english"],francais:family["francais"]);
    104  
    105  # script_dependencies is the same as the incorrectly-
    106  # spelled "script_dependencie" function from NASL1.  It
    107  # indicates which other NASL scripts are required for the
    108  # script to function properly.
    109  script_dependencies("find_service.nes");
    110  
    111  # script_require_ports takes one or more ports and/or
    112  # Knowledge Base entries
    113  script_require_ports("Services/www",80);
    114  
    115  # Always exit from the "description" block
    116  exit(0);
    117 }
    118 
    119 #
    120 # Check begins here
    121 #
    122 
    123 # Include other scripts and library functions first
    124 include("http_func.inc");
    125 
    126 # Get initialization information from the KB or the target
    127 port = get_kb_item("Services/www");
    128 if ( !port ) port = 80;
    129 if ( !get_port_state(port) ) exit(0);
    130 
    131 if( safe_checks() ) {
    132 
    133  # Nessus users can check the "Safe Checks Only" option
    134  # when using Nessus to test critical hosts for known
    135  # vulnerabilities.  Implementing this section is optional,
    136  # but highly recommended.  Safe checks include banner
    137  # grabbing, reading HTTP response messages, and the like.
    138 
    139  # grab the banner
    140  b = get_http_banner(port: port);
    141  
    142  # check to see if the banner matches Apache/2.
    143  if ( b =~ 'Server: *Apache/2\.' ) {
    144   report = "
    145 Apache web server version 2.x found - maybe it is vulnerable, but
    146 maybe it isn't.  This is just an example script after all. 
    147   
    148 ** Note that Nessus did not perform a real test and
    149 ** just checked the version number in the banner
    150   
    151 Solution : Check www.apache.org for the latest and greatest.
    152 Risk factor : Low";
    153   
    154   # report the vulnerable service back to Nessus
    155   # Reporting functions include:
    156   # security_note: an informational finding
    157   # security_warning: a minor problem
    158   # security_hole: a serious problem
    159   security_hole(port: port, data: report);
    160  }
    161 
    162  # done with safe_checks, so exit
    163  exit(0);
    164  
    165 } else {
    166  # If safe_checks is not enabled, we can test using more intrusive
    167  # methods such as Denial of Service or Buffer Overflow attacks.
    168  
    169  # make sure the host isnt' dead before we get started...
    170  if ( http_is_dead(port:port) ) exit(0);
    171  
    172  # open a socket to the target host on the target port
    173  soc = http_open_socket(port);
    174  if( soc ) {
    175   # craft the custom payload, in this case, a string
    176   payload = "some nasty string\n\n\n\n\n\n\n\n\n";
    177   
    178   # send the payload
    179   send(socket:soc, data:payload);
    180   
    181   # read the result.
    182   r = http_recv(socket:soc);
    183   
    184   # Close the socket to the foreign host.
    185   http_close_socket(soc);
    186  
    187     # If the host is unresponsive, report a serious alert.
    188   if ( http_is_dead(port:port) ) security_hole(port);
    189  }
    190 }

  • 原文地址:https://www.cnblogs.com/dushu/p/2511326.html