Querying the MVM database for the mapping between scanned vulnerability names and their scan scripts

The database and the scan scripts are the two core parts of a vulnerability scanner. In day-to-day operations the vendor's scan scripts inevitably produce some false negatives and false positives, so to understand the scanning logic in depth and to verify a vulnerability, reading the source code of that vulnerability's scan script is indispensable.


The SQL statement below queries the MVM database for the mapping between scanned vulnerability names and their scan scripts.



/****** Script for SelectTopNRows command from SSMS  ******/
-- The ScriptVuln table maps FaultlineID to scriptID, but it appears to be a
-- one-to-one relationship, so it is omitted here and the join is done directly
-- on Script.scriptID = Vuln.FaultlineID.
-- Table aliases (v = Vuln, s = Script) are used so that the ModifiedDate column,
-- which exists in both tables, is unambiguous.
SELECT v.[FaultlineID]
      --,v.[ModuleID]
      --,v.[NID]
      ,v.[CVE]
      ,v.[MSFTID]
      ,v.[MSKBID]
      ,v.[CheckVersion]
      --,v.[CustomID]
      --,v.[Type]
      ,v.[Name]
      ,v.[Description]
      ,v.[Observation]
      ,v.[Risk]
      ,v.[Recommendation]
      ,v.[Simplicity]
      ,v.[Popularity]
      ,v.[Impact]
      ,v.[Intrusive]
      ,v.[SANS]
      --,v.[IAVA]
      --,v.[IAVARefNumber]
      --,v.[IAVAArmyRefNumber]
      ,v.[CheckRequiresCredentials]
      ,v.[AddedDate]
      ,v.[ModifiedDate]
      --,v.[DeletedDate]
      ,v.[Status]
      --,v.[Customized]
      --,v.[Version]
      --,v.[Patched]
      --,v.[SupersededID]
      ,s.[ScriptName]
      --,s.[ModuleID]
      --,s.[ScriptRole]
      --,s.[CreatedDate]
      ,s.[ModifiedDate] AS [ScriptModifiedDate]   -- renamed so the two ModifiedDate columns can be told apart
      --,s.[Script]
  FROM [faultline].[Content].[Vuln] AS v
  LEFT JOIN [faultline].[Content].[Script] AS s
         ON s.[scriptID] = v.[FaultlineID];
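The query above relies on the assumption that a script's scriptID equals the vulnerability's FaultlineID. The following T-SQL is an added example (not from the original post) that checks that assumption against the ScriptVuln mapping table and lists vulnerability records that the direct join leaves without a script, which is where missed checks would hide. The ScriptVuln column names FaultlineID and ScriptID are assumed; adjust them to the real schema.

```sql
-- Added example, not part of the original post. Assumes ScriptVuln has the
-- columns FaultlineID and ScriptID (names assumed, not taken from the page).

-- 1. Vulnerability records that the shortcut join (scriptID = FaultlineID)
--    cannot pair with any script: these are the ones to examine first when
--    a finding is suspected of being missed or mis-reported.
SELECT v.[FaultlineID], v.[CVE], v.[Name]
  FROM [faultline].[Content].[Vuln] AS v
  LEFT JOIN [faultline].[Content].[Script] AS s
         ON s.[scriptID] = v.[FaultlineID]
 WHERE s.[scriptID] IS NULL
 ORDER BY v.[FaultlineID];

-- 2. Is ScriptVuln really one-to-one? Any FaultlineID with zero or more than
--    one script breaks the assumption behind the shortcut join.
SELECT sv.[FaultlineID], COUNT(*) AS [ScriptCount]
  FROM [faultline].[Content].[ScriptVuln] AS sv
 GROUP BY sv.[FaultlineID]
HAVING COUNT(*) <> 1;

-- 3. Pairs where ScriptVuln disagrees with the shortcut, i.e. the script that
--    actually implements the check is not the one with scriptID = FaultlineID.
SELECT sv.[FaultlineID], sv.[ScriptID], s.[ScriptName]
  FROM [faultline].[Content].[ScriptVuln] AS sv
  JOIN [faultline].[Content].[Script] AS s
    ON s.[scriptID] = sv.[ScriptID]
 WHERE sv.[ScriptID] <> sv.[FaultlineID];
```

If queries 2 and 3 return no rows, the direct join in the main query is safe; otherwise join through ScriptVuln instead.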


A few fields from the query result are shown below (originally a screenshot); the key is to find the ScriptName so the corresponding source code can be read.

Fields shown: FaultlineID, CVE, MSFTID, ScriptName, Name, Description, Observation

Row 1
  FaultlineID: 1
  CVE: CVE-1999-1011
  MSFTID: MS99-025
  ScriptName: web-iis-rds-v2.fasl3
  Name: (MS99-025) Microsoft IIS RDS Command Execution
  Description: A command execution vulnerability in Microsoft IIS MDAC package allows remote attackers to gain administrative control of targeted systems.
  Observation: Microsoft Internet Information Server (IIS) is an industry standard HTTP server. MDAC (Microsoft Data Access Components) is a package used to integrate web and database services. It includes a component named RDS (Remote Data Services). RDS allows remote access via the internet to database objects through IIS. Both are included in a default installation of the Windows NT 4.0 Option Pack, but can be excluded via a custom installation. RDS includes a component called the DataFactory object, which has a vulnerability that could allow any web user to (a) Obtain unauthorized access to unpublished files on the IIS server and (b) Use MDAC to tunnel ODBC requests through to a remote internal or external location, thereby obtaining access to non public servers or effectively masking the source of an attack on another network. If the Microsoft JET OLE DB Provider or Microsoft DataShape Provider are installed, a user could use the shell() VBA command on the server with System privileges. These two vulnerabilities combined can allow an attacker on the Internet to run arbitrary commands with System level privileges on the target host. Vulnerable Systems: Microsoft IIS 4.0. For more information see: Microsoft Security Bulletin MS99-025: http://www.microsoft.com/technet/security/bulletin/ms99-025.mspx

Row 2
  FaultlineID: 2
  CVE: CVE-MAP-NOMATCH
  MSFTID: NULL
  ScriptName: unix-rpc-cmsd-v2.fasl3
  Name: RPC Calendar Service cmsd Available
  Description: The RPC cmsd program was determined to be registered with the target system's portmapper.
  Observation: The RPC cmsd program was determined to be registered with the target system's portmapper. RPC services are commonly enabled by default on most UNIX operating systems. Additionally, RPC services are regularly found to be vulnerable to buffer overflow and format string attacks that lead to complete compromise of the target system. Exploitation of RPC services affects all major UNIX operating systems including Solaris, HP/UX, AIX, Irix, Linux, FreeBSD and more. For more information see: CVE-1999-0320, CVE-1999-0696

Row 3
  FaultlineID: 39
  CVE: CVE-1999-0833, CVE-1999-0851
  MSFTID: NULL
  ScriptName: unix-bind-nxt-overflow-v2.fasl3
  Name: ISC BIND NXT Buffer Overflow
  Description: A buffer overflow vulnerability exists within BIND 8.2 NXT record processing that allows an attacker to execute arbitrary code on vulnerable systems.
  Observation: The portion of code responsible for processing NXT records in BIND 8.2 and 8.2.1 is vulnerable to a buffer overflow attack. By sending specially crafted NXT record traffic to a vulnerable system it is possible to execute arbitrary code on the target system. Vulnerable Systems: ISC BIND 8.2 - 8.2.1 on UNIX. For more information see: BID 788: http://online.securityfocus.com/bid/788



The script contents are also stored in the database, and they are encrypted, so they cannot be read directly: the only way to view a script is through MVM's own editor, and opening it in a plain text editor yields nothing readable. This is unlike the open-source scripts of Nmap and OpenVAS. Still, being able to get this far is already good.


In addition, MVM's update mechanism also works through the database: an update package actually updates the database contents, and the other components then update themselves by communicating with the database. The database has become the core.

This article comes from the blog "奋斗的菜鸟"; reproduction is declined!
