GithubHelp home page GithubHelp logo

windowsvulnscan's Introduction

0x00 说明:

这是一款基于主机的漏洞扫描工具,采用多线程确保可以快速的请求数据,采用线程锁可以在向sqlite数据库中写入数据避免database is locked的错误,采用md5哈希算法确保数据不重复插入。

本工具查找是否有公开exp的网站为shodan,该网站限制网络发包的速度,因而采用了单线程的方式,且耗时较长。

功能:

  • 查找主机上具有的CVE
  • 查找具有公开EXP的CVE

1583672504536

0x01 起因:

因为需要做一些主机漏洞扫描方面的工作,因而编写了这个简单的工具。之前也查找了几款类似的工具,如下:

vulmap:

vulmon开发的一款开源工具,原理是根据软件的名称和版本号来确定,是否有CVE及公开的EXP。这款Linux的工具挺好用,但是对于Windows系统层面不太适用。

windows-exp-suggester:

这款和本工具的原理一样,尝试使用了之后,发现它的CVEKB数据库只更新到2017年的,并且没有给出CVE是否有公开的EXP信息。

基于以上所以写了这个简单的工具,该项目在https://github.com/chroblert/WindowsVulnScan

0x02 原理:

1. 搜集CVE与KB的对应关系。首先在微软官网上收集CVE与KB对应的关系,然后存储进数据库中

2. 查找特定CVE网上是否有公开的EXP

3. 利用powershell脚本收集主机的一些系统版本与KB信息

4. 利用系统版本与KB信息搜寻主机上具有存在公开EXP的CVE

0x03 参数:

# author: JC0o0l
# GitHub: https://github.com/chroblert/
可选参数:
  -h, --help            show this help message and exit
  -u, --update-cve      更新CVEKB数据
  -U, --update-exp      更新CVEEXP数据
  -m MODE, --mode MODE  搭配-U使用。更新模式 All:更新所有;Empty:只更新空白的;Error:只更新之前未成功更新的
  -C, --check-EXP       检索具有EXP的CVE
  -n PRODUCTNAME, --productName PRODUCTNAME
                        搭配-C使用。自定义产品名称,如Windows 10
  -N PRODUCTVERSION, --productVersion PRODUCTVERSION
                        搭配-C使用。自定义产品版本,如20H2
  -f FILE, --file FILE  ps1脚本运行后产生的.json文件

0x04 示例:

1. 首先运行powershell脚本KBCollect.ps收集一些信息

.\KBCollect.ps1

2. 将运行后产生的KB.json文件移动到cve-check.py所在的目录

3. 安装一些python3模块

python3 -m pip install requirements.txt

4. 运行cve-check.py -u创建CVEKB数据库

5. 运行cve-check.py -U更新CVEKB数据库中的hasPOC字段

  此处可以使用-m选择更新模式。
  -m All:更新所有
  -m Empty:只更新hasPOC字段为空的
  -m Error:只更新hasPOC字段为Error的

6. 运行cve-check.py -C -f KB.json查看具有公开EXP的CVE,如下:

1619484955553.png

7. 若使用脚本扫描到的系统名称和版本不准确,可以使用-n,-N进行指定

1619494405661.png

0x05 版本:

version1: 20201207

version2: 20210427

  • 更新微软网址
  • 可以指定数据库更新模式
  • 可以指定系统名称,系统版本

windowsvulnscan's People

Contributors

chroblert avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

thelostworldfree sdgdsffdsfff b-xiang keyman9848 rabbitshee shad0w008 wkmc omiter ericzhong2010 anyeduke sefanll s884812 tobey123 r4b3rt liuxing9848 heyseafh 5l1v3r1 bbkali huangzccn bb33bb renjunfeng lordlight happysharegithub alicethehive pfxjacky yyming-sudo wuyoukm kangd1w2 deepwebhacker lsec123 wangashun gkfnf akwood nadkennytung knowno re-expoc popmedd bawed mytfx gysf666 vpn28 determinasc zzhacked mrawb alexcaffrey molisxyliu jeromeyoung 77-0 root13920 spark-a zzhsec nanaao jasonlou ionlylove57 kosakd ludovicofu helloswing dp-kali wangyi0127 victorzhang-1928 startagain2016 caine111 jiujianfang zhang1231o lntsctu grow520 fu2yu fleabane1 gitstq smallzhong lworld0x00 gingercatxdd gxlzy s1g0day askylyz dylangywu kelly778956 willdiedog paopaoqqcbg werwolfz cjx1121

windowsvulnscan's Issues

重复更新

-U大U重复更新,更新一次需要17个小时,更新完使用-,-C-f往下运行 exp是空的, 更新完重新输入更新命令还会重新更新。这是啥情况啊?

[bug] 更新CVEKB数据时提示impact、articleName找不到

版本WindowsVulnScan/blob/master/version2/cve-check.py

错误信息

更新第20页
Exception in thread 7:
Traceback (most recent call last):
  File "D:\0_tools\python\3.10.5\lib\threading.py", line 1016, in _bootstrap_inner
    self.run()
  File "D:\WindowsVulnScan-master\version2\cve-check.py", line 43, in run
    self.result = self.func(self.args[0],)
  File "D:\WindowsVulnScan-master\version2\cve-check.py", line 193, in update_onepage_cvedb_database
    metaStr = result['product'] + KBName + result['cveNumber'] + result['impact']
KeyError: 'impact'
Exception in thread 10:
Traceback (most recent call last):
  File "D:\0_tools\python\3.10.5\lib\threading.py", line 1016, in _bootstrap_inner
    self.run()
  File "D:\WindowsVulnScan-master\version2\cve-check.py", line 43, in run
    self.result = self.func(self.args[0],)
  File "D:\WindowsVulnScan-master\version2\cve-check.py", line 189, in update_onepage_cvedb_database
    KBName += KBNode['articleName'] + ";" if (KBNode['articleName'] != None) and KBNode['articleName'].isdigit() else ""
KeyError: 'articleName'
i:21,pageCount-i:223,ThreadCount:10,PageCount:244
===============================
更新第21页

跑完后共报34个错误,逐个调试后发现部分数据中impact或articleName不存在,在原代码186行190行中,并未验证这两个值是否存在

186行
KBName += KBNode['articleName'] + ";" if (KBNode['articleName'] != None) and KBNode['articleName'].isdigit() else ""
190行
metaStr = result['product'] + KBName + result['cveNumber'] + result['impact']

修改后

    for result in resultList:
        KBName = ""
        impact = ""
        for KBNode in result['kbArticles']:
            KBName += KBNode['articleName'] + ";" if ("articleName" in KBNode) and (KBNode['articleName'] != None) and  KBNode['articleName'].isdigit() else ""
        if KBName == "":
            continue
        h1 = hashlib.md5()
        impact = result['impact'] + ";" if ('impact'in result) and (result['impact'] != None) else ""
        metaStr = result['product'] + KBName + result['cveNumber'] + impact
        h1.update(metaStr.encode('utf-8'))
        #hasPOC = check_POC_every_CVE(result['cveNumber'])
        # 收集到所有的KB后再搜索有没有公开的EXP
        hasPOC = ""
        sql = "INSERT OR IGNORE INTO "+TableName+" VALUES ('" + h1.hexdigest() + "','" + result['product'] + "','" + KBName + "','" + result['cveNumber'] + "','" + result['impact'] + "','" + hasPOC+"')"
        with lock:
            global insertSQL
            insertSQL.append(sql)

CVE database error

Hi,
CVE databae is not correct after running "cve-check.py -u" to create a new one.
It shows nothing when running “cve-check.py -C -f KB.json” to check its database.

大佬有遇到吗?

输入python3 cve-check.py -C -f KB.json为什么什么都没有呀?每条命令输入后都没有信息回显
image

KBCollect.ps1不能运行

有大哥知道这个怎么搞不?
用的管理员权限的cmd进的Powershell,然后报错。用powershell的管理员权限也报错
image

powershell脚本版本限制

ConvertTo-Json 这个函数在powershell2.0应该调用不了,比如window7或者win2008.是不是应该自行实现一个或者换个结构?

json.decoder.JSONDecodeError: Unexpected UTF-8 BOM (decode using utf-8-sig): line 1 column 1 (char 0) 

========CVE-EXP-Check===============
|       author:JC0o0l               |
|       wechat:JC_SecNotes          |
|       version:1.0                 |
=====================================

Traceback (most recent call last):
File "cve-check.py", line 277, in
KBResult = json.load(f)
File "D:\python3\lib\json_init_.py", line 293, in load
return loads(fp.read(),
File "D:\python3\lib\json_init_.py", line 337, in loads
raise JSONDecodeError("Unexpected UTF-8 BOM (decode using utf-8-sig)",
json.decoder.JSONDecodeError: Unexpected UTF-8 BOM (decode using utf-8-sig): line 1 column 1 (char 0)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.