• ch2_CaseStudy_CanonicalNASLScript.txt


#
# This is a verbose template for generic NASL scripts.
#

#
# Script Title and Description
#
# Include a large comment block at the top of your script
# indicating what the script checks for, which versions
# of the target software are vulnerable, your name, the
# date the script was written, credit to whoever found the
# original exploit, and any other information you wish to
# include.
#

if (description)
{
 # All scripts should include a "description" section
 # inside an "if (description) { ... }" block.  The
 # functions called from within this section report
 # information back to Nessus.
 #
 # Many of the functions in this section accept named
 # parameters which support multiple languages.  The
 # languages supported by Nessus include "english",
 # "francais", "deutsch", and "portuguese".  If the argument
 # is unnamed, the default is English.  English is
 # required; other languages are optional.
 
 script_version("$Revision:1.0$");
 
 # script_name is simply the name of the script.  Use a
 # descriptive name for your script.  For example,
 # "php_4_2_x_malformed_POST.nasl" is a better name than
 # "php.nasl"
 name["english"] = "Script Name in English";
 name["francais"] = "Script Name in French";
 script_name(english:name["english"], francais:name["francais"]);
 
 # script_description is a detailed explanation of the vulnerability.
 desc["english"] = "
This description of the script will show up in Nessus when
the script is viewed.  It should include a discussion of
what the script does, which software versions are vulnerable,
links to the original advisory, links to the CVE and BugTraq
articles (if they exist), a link to the vendor web site, a
link to the patch, and any other information which may be
useful.

The text in this string is not indented, so that it displays
correctly in the Nessus GUI.";
 script_description(english:desc["english"]);
 
 # script_summary is a one line description of what the script does.
 summary["english"] = "One line English description.";
 summary["francais"] = "One line French description.";
 script_summary(english:summary["english"],francais:summary["francais"]);
 
 # script_category should be one of the following:
 # ACT_INIT: Plugin sets KB items.
 # ACT_SCANNER: Plugin is a port scanner or similar (like ping).
 # ACT_SETTINGS: Plugin sets KB items after ACT_SCANNER.
 # ACT_GATHER_INFO: Plugin identifies services, parses banners.
 # ACT_ATTACK: For non-intrusive attacks (eg directory traversal)
 # ACT_MIXED_ATTACK: Plugin launches potentially dangerous attacks.
 # ACT_DESTRUCTIVE_ATTACK: Plugin attempts to destroy data.
 # ACT_DENIAL: Plugin attempts to crash a service.
 # ACT_KILL_HOST: Plugin attempts to crash target host.
 #
 # The category declared here must match what the check section
 # actually does: this template sends a payload and then tests
 # whether the service still answers, which is why it is ACT_DENIAL.
 script_category(ACT_DENIAL);
 
 # script_copyright allows the author to place a copyright
 # on the plugin.  Often just the name of the author, but
 # sometimes "GPL" or "No copyright."
 script_copyright(english:"No copyright.");
 
 # script_family classifies the behavior of the service.  Valid
 # entries include:
 # - Backdoors
 # - CGI abuses
 # - CISCO
 # - Denial of Service
 # - Finger abuses
 # - Firewalls
 # - FTP
 # - Gain a shell remotely
 # - Gain root remotely
 # - General
 # - Misc.
 # - Netware
 # - NIS
 # - Ports scanners
 # - Remote file access
 # - RPC
 # - Settings
 # - SMTP problems
 # - SNMP
 # - Untested
 # - Useless services
 # - Windows
 # - Windows : User management
 family["english"] = "Denial of Service";
 family["francais"] = "Deni de Service";
 script_family(english:family["english"],francais:family["francais"]);
 
 # script_dependencies is the same as the incorrectly-
 # spelled "script_dependencie" function from NASL1.  It
 # indicates which other NASL scripts are required for the
 # script to function properly.
 script_dependencies("find_service.nes");
 
 # script_require_ports takes one or more ports and/or
 # Knowledge Base entries
 script_require_ports("Services/www",80);
 
 # Always exit from the "description" block
 exit(0);
}

#
# Check begins here
#

# Include other scripts and library functions first
include("http_func.inc");

# Get initialization information from the KB or the target.
# Fall back to port 80 when find_service left no "Services/www"
# entry, and stop early if that port is not open.
port = get_kb_item("Services/www");
if ( !port ) port = 80;
if ( !get_port_state(port) ) exit(0);

if( safe_checks() ) {

 # Nessus users can check the "Safe Checks Only" option
 # when using Nessus to test critical hosts for known
 # vulnerabilities.  Implementing this section is optional,
 # but highly recommended.  Safe checks include banner
 # grabbing, reading HTTP response messages, and the like.

 # grab the banner
 b = get_http_banner(port: port);
 
 # check to see if the banner matches Apache/2.
 # This is a version-string match only: the Server header can be
 # changed or suppressed by the administrator, so a hit (or a miss)
 # is a hint rather than proof -- the report text below says so.
 if ( b =~ 'Server: *Apache/2\.' ) {
  report = "
Apache web server version 2.x found - maybe it is vulnerable, but
maybe it isn't.  This is just an example script after all. 
  
** Note that Nessus did not perform a real test and
** just checked the version number in the banner
  
Solution : Check www.apache.org for the latest and greatest.
Risk factor : Low";
  
  # report the vulnerable service back to Nessus
  # Reporting functions include:
  # security_note: an informational finding
  # security_warning: a minor problem
  # security_hole: a serious problem
  security_hole(port: port, data: report);
 }

 # done with safe_checks, so exit
 exit(0);
 
} else {
 # If safe_checks is not enabled, we can test using more intrusive
 # methods such as Denial of Service or Buffer Overflow attacks.
 
 # make sure the host isn't dead before we get started...
 # (otherwise the post-payload liveness check below would report
 # a pre-existing outage as a finding)
 if ( http_is_dead(port:port) ) exit(0);
 
 # open a socket to the target host on the target port
 soc = http_open_socket(port);
 if( soc ) {
  # craft the custom payload, in this case, a placeholder string;
  # a real plugin replaces this with the request specific to the
  # vulnerability being tested
  payload = "some nasty string\n\n\n\n\n\n\n\n\n";
  
  # send the payload
  send(socket:soc, data:payload);
  
  # read the result.  The response itself is not inspected here;
  # the verdict comes from the liveness check after the socket is closed.
  r = http_recv(socket:soc);
  
  # Close the socket to the foreign host.
  http_close_socket(soc);
 
  # If the host is unresponsive, report a serious alert.
  # The service was reachable before the payload was sent, so
  # failing the same check now is attributed to the payload.
  if ( http_is_dead(port:port) ) security_hole(port);
 }
}

  • 原文地址:https://www.cnblogs.com/dushu/p/2511326.html