private List <VulnerabilityFound.Reference> Helper_GetREFERENCE(XmlNode reportItem)
{
List <VulnerabilityFound.Reference> l = new List <VulnerabilityFound.Reference>();
foreach (XmlNode child in reportItem.ChildNodes)
{
//HARDCODED
if (child.Name.ToUpper() == "bid".ToUpper())
{
VulnerabilityFound.Reference Reference = new VulnerabilityFound.Reference();
Reference.Source = "BID";
Reference.Title = child.InnerText;
Reference.Url = "http://www.securityfocus.com/bid/" + child.InnerText;
Utils.Helper_Trace("XORCISM PROVIDER NESSUS", string.Format("TEST REFERENCEBID: {0}", "http://www.securityfocus.com/bid/" + child.InnerText));
l.Add(Reference);
}
else
{
if (child.Name.ToUpper() == "see_also".ToUpper())
{
VulnerabilityFound.Reference Reference = new VulnerabilityFound.Reference();
Reference.Source = "NESSUS";
Reference.Title = child.InnerText;
Reference.Url = child.InnerText;
Utils.Helper_Trace("XORCISM PROVIDER NESSUS", string.Format("TEST REFERENCENESSUS: {0}", child.InnerText));
//TODO: check these unknown references/source
l.Add(Reference);
}
if (child.Name.ToUpper() == "xref".ToUpper())
{
if (child.InnerText.Contains("OSVDB"))
{
VulnerabilityFound.Reference Reference = new VulnerabilityFound.Reference();
Reference.Source = "OSVDB";
Reference.Title = child.InnerText.Replace("OSVDB:", "");
Reference.Url = "http://www.osvdb.org/" + child.InnerText.Replace("OSVDB:", "");
Utils.Helper_Trace("XORCISM PROVIDER NESSUS", string.Format("TEST REFERENCEOSVDB: {0}", "http://www.osvdb.org/" + child.InnerText.Replace("OSVDB:", "")));
l.Add(Reference);
}
else
{
if (child.InnerText.Contains("Secunia"))
{
VulnerabilityFound.Reference Reference = new VulnerabilityFound.Reference();
Reference.Source = "SECUNIA";
Reference.Title = child.InnerText.Replace("Secunia:", "");
Reference.Url = "http://secunia.com/advisories/" + child.InnerText.Replace("Secunia:", "");
Utils.Helper_Trace("XORCISM PROVIDER NESSUS", string.Format("TEST REFERENCESECUNIA: {0}", "http://secunia.com/advisories/" + child.InnerText.Replace("Secunia:", "")));
l.Add(Reference);
}
else
{
if (child.InnerText.Contains("EDB-ID"))
{
VulnerabilityFound.Reference Reference = new VulnerabilityFound.Reference();
Reference.Source = "EXPLOIT-DB";
Reference.Title = child.InnerText.Replace("EDB-ID:", "");
Reference.Url = "http://www.exploit-db.com/exploits/" + child.InnerText.Replace("EDB-ID:", "");
Utils.Helper_Trace("XORCISM PROVIDER NESSUS", string.Format("TEST REFERENCEEXPLOIT-DB: {0}", "http://www.exploit-db.com/exploits/" + child.InnerText.Replace("EDB-ID:", "")));
l.Add(Reference);
}
else
{
VulnerabilityFound.Reference Reference = new VulnerabilityFound.Reference();
Reference.Source = "NESSUS";
Reference.Title = child.InnerText;
Reference.Url = child.InnerText;
Utils.Helper_Trace("XORCISM PROVIDER NESSUS", string.Format("TEST REFERENCENESSUS: {0}", child.InnerText));
//TODO: check these unknown references/source
l.Add(Reference);
}
}
}
}
}
}
return(l);
}
private void Helper_GetVulnerabilities(XmlDocument s, string ipadress)
{
List <VulnerabilityFound> list_VulnerabilityFound;
list_VulnerabilityFound = new List <VulnerabilityFound>();
XmlNodeList portNodes;
portNodes = s.SelectNodes("/openvas-report/results/result/ports/port"); //Hardcoded
Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format("There are {0} port nodes to process", portNodes.Count));
foreach (XmlNode portNode in portNodes)
{
string protocol = portNode.Attributes["protocol"].Value.ToUpper();
int port = -1;
if (portNode.Attributes["portid"] != null)
{
port = Convert.ToInt32(portNode.Attributes["portid"].Value);
}
Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format("Processing port {0} protocol {1}", port, protocol));
VulnerabilityEndPoint vulnerabilityEndPoint;
vulnerabilityEndPoint = new VulnerabilityEndPoint();
vulnerabilityEndPoint.IpAdress = m_target;
vulnerabilityEndPoint.Protocol = protocol;
vulnerabilityEndPoint.Port = port;
XmlNode ServiceNode = portNode.SelectSingleNode("service");
vulnerabilityEndPoint.Service = ServiceNode.Attributes["name"].Value.ToUpper();
foreach (XmlNode informationNode in portNode.SelectNodes("information"))
{
string severity = informationNode.SelectSingleNode("severity").InnerText;
//<severity>Log Message</severity> : Information => should be ignored
//<severity>Security Note</severity>
//<severity>Security Warning</severity>
string nvtId = informationNode.SelectSingleNode("id").InnerText;
Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format(" Handling nvtid {0}", nvtId));
XmlNode nvtNode;
nvtNode = s.SelectSingleNode("/openvas-report/nvts/nvt[@oid='" + nvtId + "']");
string title = nvtNode.SelectSingleNode("name").InnerText;
string summary = nvtNode.SelectSingleNode("summary").InnerText;
string risk = nvtNode.SelectSingleNode("risk").InnerText;
string cve_Value = nvtNode.SelectSingleNode("cve_id").InnerText;
string bid_Value = nvtNode.SelectSingleNode("bugtraq_id").InnerText;
Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format(" Title = [{0}]", title));
Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format(" Summary = [{0}]", summary));
Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format(" Risk = [{0}]", risk));
Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format(" CVE = [{0}]", cve_Value));
VulnerabilityFound vulnerabilityFound;
vulnerabilityFound = new VulnerabilityFound();
vulnerabilityFound.InnerXml = nvtNode.InnerXml;
vulnerabilityFound.Title = title;
vulnerabilityFound.Description = summary;
vulnerabilityFound.DetailedInformation = informationNode.SelectSingleNode("data").InnerText;
vulnerabilityFound.Consequence = informationNode.SelectSingleNode("data").InnerText;
//TODO: regex parse OWASP:OWASP-CM-006
//vulnerabilityFound.Severity = risk;
//Risk Could be:
//None, Unknown, Informational, Low, Medium, High
switch (risk)
{
case "None":
vulnerabilityFound.Severity = "1";
break;
case "Unknown":
vulnerabilityFound.Severity = "1";
break;
case "Informational":
vulnerabilityFound.Severity = "2";
break;
case "Low":
vulnerabilityFound.Severity = "3";
break;
case "Medium":
vulnerabilityFound.Severity = "4";
break;
case "High":
vulnerabilityFound.Severity = "5";
break;
}
if (cve_Value.Trim().ToUpper() != "NOCVE")
{
string[] list_Cve_Value;
list_Cve_Value = cve_Value.Split(new char[] { ',' });
foreach (string cve in list_Cve_Value)
{
VulnerabilityFound.Item cve_Item;
cve_Item = new VulnerabilityFound.Item();
cve_Item.ID = "cve";
cve_Item.Value = cve;
vulnerabilityFound.ListItem.Add(cve_Item);
}
}
if (bid_Value.Trim().ToUpper() != "NOBID")
{
string[] list_bid_Value;
list_bid_Value = bid_Value.Split(new char[] { ',' });
foreach (string bid in list_bid_Value)
{
VulnerabilityFound.Reference bid_Reference;
bid_Reference = new VulnerabilityFound.Reference();
bid_Reference.Source = "BID";
bid_Reference.Title = bid;
bid_Reference.Url = "http://www.securityfocus.com/bid/" + bid;
vulnerabilityFound.ListReference.Add(bid_Reference);
}
}
VulnerabilityPersistor.Persist(vulnerabilityFound, vulnerabilityEndPoint, m_jobId, "OpenVas", m_model);
}
}
}
public void parse()
{
Assembly a;
a = Assembly.GetExecutingAssembly();
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "Assembly location = " + a.Location);
// ============================================
// Parse the XML Document and populate the database
// ============================================
// Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "data = " + m_data);
XmlDocument doc = new XmlDocument();
doc.LoadXml(m_data);
XORCISMEntities model;
model = new XORCISMEntities();
string query = "/ScanGroup/Scan"; //Hardcoded
XmlNode report;
report = doc.SelectSingleNode(query);
string ipAddress = string.Empty;
ipAddress = HelperGetChildInnerText(report, "StartURL"); //Hardcoded
if (ipAddress.Substring(ipAddress.Length - 1, 1) == "/")
{
ipAddress = ipAddress.Substring(0, ipAddress.Length - 1);
}
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("Handling host with IP {0}", ipAddress));
// ===============================================
// If necessary, creates an asset in the database
// ===============================================
//TODO
var myass = from ass in model.ASSET
where ass.ipaddressIPv4 == ipAddress //&& ass.AccountID == m_AccountID
select ass;
ASSET asset = myass.FirstOrDefault();
if (asset == null)
{
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "Creates a new entry in table ASSET for this IP");
asset = new ASSET();
//asset.AccountID = m_AccountID;
asset.AssetName = ipAddress;
asset.AssetDescription = ipAddress;
asset.ipaddressIPv4 = ipAddress;
asset.Enabled = true;
//asset.JobID = m_JobId;
model.ASSET.Add(asset);
model.SaveChanges();
}
else
{
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "This IP already corresponds to an existing asset");
}
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "Creating ASSETINSESSION reference");
ASSETSESSION assinsess = new ASSETSESSION();
assinsess.AssetID = asset.AssetID;
assinsess.SessionID = model.JOB.Single(x => x.JobID == m_JobId).SessionID;
model.ASSETSESSION.Add(assinsess);
model.SaveChanges();
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "Update JOB with ASSETINSESSIONID");
JOB daJob = model.JOB.Single(x => x.JobID == m_JobId);
daJob.AssetSessionID = assinsess.AssetSessionID;
model.SaveChanges();
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "VULNERABILITIES FOUND");
query = "/ScanGroup/Scan/ReportItems";
report = doc.SelectSingleNode(query);
foreach (XmlNode n in report.ChildNodes)
{
if (n.Name.ToUpper() == "ReportItem".ToUpper() && n.ChildNodes != null && n.ChildNodes.Count > 0)
{
//TODOs HARDCODED
VulnerabilityEndPoint vulnerabilityEndPoint = new VulnerabilityEndPoint();
vulnerabilityEndPoint.IpAdress = ipAddress;
vulnerabilityEndPoint.Protocol = "TCP"; // "http"; //https ... A VOIR
vulnerabilityEndPoint.Port = 80; //443 ... A VOIR
VulnerabilityFound vulnerabilityFound = new VulnerabilityFound();
//vulnerabilityFound.ListItem = Helper_GetCVE(n);
vulnerabilityFound.InnerXml = n.OuterXml;
//To eliminate VULNERABILITY (Value) duplicates:
/*
* string pattern = @"ReportItem id=""\d\d?\d?""";
* string s = Regex.Replace(n.OuterXml, pattern, "ReportItem id=\"0\"");
* vulnerabilityFound.InnerXml = s;
*/
string url = HelperGetChildInnerText(n, "Affects"); //Server
vulnerabilityFound.Url = url;
if (url.ToLower().Contains("https://"))
{
vulnerabilityEndPoint.Port = 443;
}
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("Url: {0}", url));
vulnerabilityFound.Type = HelperGetChildInnerText(n, "Type");
if (HelperGetChildInnerText(n, "IsFalsePositive") == "False")
{
vulnerabilityFound.IsFalsePositive = false;
}
else
{
vulnerabilityFound.IsFalsePositive = true;
}
vulnerabilityFound.Title = HelperGetChildInnerText(n, "Name");
//ModuleName
//Affects
vulnerabilityFound.Description = HelperGetChildInnerText(n, "Description");
//Extract the CVEs
List <VulnerabilityFound.Item> ListCVEs = new List <VulnerabilityFound.Item>();
//MatchCollection matches = Regex.Matches(HelperGetChildInnerText(n, "Description"), "CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]");
MatchCollection matches = Regex.Matches(HelperGetChildInnerText(n, "Description"), @"CVE-(19|20)\d\d-(0\d{3}|[1-9]\d{3,})"); //myRegexCVE
//https://cve.mitre.org/cve/identifiers/tech-guidance.html
foreach (Match match in matches)
{
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("CVE: {0}", match.Groups[1].Value));
VulnerabilityFound.Item item;
item = new VulnerabilityFound.Item();
item.ID = "cve";
item.Value = match.Groups[1].Value;
ListCVEs.Add(item);
}
string mySeverity = HelperGetChildInnerText(n, "Severity");
switch (mySeverity)
{
//HARDCODED
case "high":
mySeverity = "High";
break;
case "medium":
mySeverity = "Medium";
break;
case "low":
mySeverity = "Low";
break;
//case "info"
}
vulnerabilityFound.Severity = mySeverity;
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("Severity: {0}", mySeverity));
string DetailsAnalysis = HelperGetChildInnerText(n, "Details");
if (DetailsAnalysis.Contains("URL encoded GET"))
{
vulnerabilityFound.VulnerableParameterType = "GET"; //should be Querystring for Netsparker
var regex = new Regex(@"URL encoded GET input <b><font color=""dark"">(.*?)</font></b>");
var match = regex.Match(DetailsAnalysis);
if (match.Success)
{
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("VulnerableParameter: {0}", match.Groups[1].Value));
vulnerabilityFound.VulnerableParameter = match.Groups[1].Value;
regex = new Regex(@"was set to <b><font color=""dark"">(.*?)</font></b>");
match = regex.Match(DetailsAnalysis);
if (match.Success)
{
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("VulnerableParameterValue: {0}", match.Groups[1].Value));
vulnerabilityFound.VulnerableParameterValue = match.Groups[1].Value;
}
}
}
if (DetailsAnalysis.Contains("URL encoded POST"))
{
vulnerabilityFound.VulnerableParameterType = "POST"; //should be Post for Netsparker
var regex = new Regex(@"URL encoded POST input <b><font color=""dark"">(.*?)</font></b>");
var match = regex.Match(DetailsAnalysis);
if (match.Success)
{
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("VulnerableParameter: {0}", match.Groups[1].Value));
vulnerabilityFound.VulnerableParameter = match.Groups[1].Value;
regex = new Regex(@"was set to <b><font color=""dark"">(.*?)</font></b>");
match = regex.Match(DetailsAnalysis);
if (match.Success)
{
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("VulnerableParameterValue: {0}", match.Groups[1].Value));
vulnerabilityFound.VulnerableParameterValue = match.Groups[1].Value;
}
}
}
//vulnerabilityFound.VulnerableParameterType = HelperGetChildInnerText(n, "vulnerableparametertype");
//vulnerabilityFound.VulnerableParameter = HelperGetChildInnerText(n, "vulnerableparameter");
//in <Details>:
//URL encoded GET input <b><font color="dark">id</font></b> was set to <b><font color="dark">4-2+2*3-6</font></b>
//URL encoded GET input <b><font color="dark">id</font></b> was set to <b><font color="dark">1'</font></b><br/>Error message found: <pre wrap="virtual"><font color="blue">supplied argument is not a valid MySQL result</font></pre>
//URL encoded POST input <b><font color="dark">name</font></b> was set to <b><font color="dark">'"()&%1<ScRiPt >prompt(983150)</ScRiPt></font></b>
//vulnerabilityFound.VulnerableParameterValue = HelperGetChildInnerText(n, "vulnerableparametervalue");
List <VulnerabilityFound.Reference> ListReferences = new List <VulnerabilityFound.Reference>();
foreach (XmlNode nchild in n.ChildNodes)
{
if (nchild.Name.ToUpper() == "TechnicalDetails".ToUpper() && nchild.ChildNodes != null && nchild.ChildNodes.Count > 0)
{
//rawrequest
vulnerabilityFound.rawrequest = HelperGetChildInnerText(nchild, "Request");
//rawresponse
vulnerabilityFound.rawresponse = HelperGetChildInnerText(nchild, "Response");
}
if (nchild.Name.ToUpper() == "References".ToUpper() && nchild.ChildNodes != null && nchild.ChildNodes.Count > 0)
{
foreach (XmlNode reference in nchild)
{
/*
* REFERENCE myReference = new REFERENCE();
* myReference.Source = HelperGetChildInnerText(reference, "Database");
* myReference.Url = HelperGetChildInnerText(reference, "URL");
*
* model.AddToREFERENCE(myReference);
*/
VulnerabilityFound.Reference refvuln = new VulnerabilityFound.Reference();
refvuln.Title = HelperGetChildInnerText(reference, "Database");
string refurl = HelperGetChildInnerText(reference, "URL").ToLower();
refvuln.Url = refurl;
refvuln.Source = HelperGetChildInnerText(reference, "Database");
//Try to harmonise the Source with the other imports (ie: exploits)
//HARDCODED
//TODO: Use a Common Function
if (refurl.Contains("/bugtraq/"))
{
refvuln.Source = "BUGTRAQ";
}
if (refurl.Contains("marc.theaimsgroup.com/?l=bugtraq"))
{
refvuln.Source = "BUGTRAQ";
}
if (refurl.Contains("securityfocus.com/bid"))
{
refvuln.Source = "BID";
}
if (refurl.Contains("osvdb.org/"))
{
refvuln.Source = "OSVDB";
}
if (refurl.Contains("xforce.iss.net/"))
{
refvuln.Source = "XF";
}
if (refurl.Contains("www.iss.net/"))
{
refvuln.Source = "XF";
}
if (refurl.Contains("www.ciac.org/"))
{
refvuln.Source = "CIAC";
}
if (refurl.Contains("ciac.llnl.gov/"))
{
refvuln.Source = "CIAC";
}
if (refurl.Contains("www.cert.org/"))
{
refvuln.Source = "CERT";
}
if (refurl.Contains("sunsolve.sun.org/"))
{
refvuln.Source = "SUN";
}
if (refurl.Contains("sunsolve.sun.com/"))
{
refvuln.Source = "SUN";
}
if (refurl.Contains("patches.sgi.com/"))
{
refvuln.Source = "SGI";
}
if (refurl.Contains("microsoft.com/default.aspx?scid=kb"))
{
refvuln.Source = "MSKB";
}
if (refurl.Contains("ftp.sco.com/"))
{
refvuln.Source = "SCO";
}
if (refurl.Contains("www.trustix.org/"))
{
refvuln.Source = "TRUSTIX";
}
if (refurl.Contains("ftp.freebsd.org/"))
{
refvuln.Source = "FREEBSD";
}
if (refurl.Contains("www.secunia.com/"))
{
refvuln.Source = "SECUNIA";
}
if (refurl.Contains("www.vupen.com/"))
{
refvuln.Source = "VUPEN";
}
if (refurl.Contains("www.securitytracker.com/"))
{
refvuln.Source = "SECTRACK";
}
if (refurl.Contains("www.redhat.com/"))
{
refvuln.Source = "REDHAT";
}
if (refurl.Contains("www.exploit-db.com/"))
{
refvuln.Source = "EXPLOIT-DB";
}
if (refurl.Contains("www.milw0rm.com/"))
{
refvuln.Source = "MILW0RM";
}
if (refurl.Contains("www.microsoft.com/"))
{
refvuln.Source = "MS";
}
if (refurl.Contains("seclists.org/fulldisclosure"))
{
refvuln.Source = "FULLDISC";
}
ListReferences.Add(refvuln);
}
}
}
vulnerabilityFound.ListReference = ListReferences;
vulnerabilityFound.ListItem = ListCVEs;
vulnerabilityFound.Result = HelperGetChildInnerText(n, "Details");
vulnerabilityFound.Consequence = HelperGetChildInnerText(n, "Impact");
vulnerabilityFound.Solution = HelperGetChildInnerText(n, "Recommendation");
//DetailedInformation
vulnerabilityFound.DetailedInformation = HelperGetChildInnerText(n, "DetailedInformation");
//TODO
bool PatchUpgrade = false;
string MSPatch = "";
int etat = VulnerabilityPersistor.Persist(vulnerabilityFound, vulnerabilityEndPoint, m_JobId, "acunetix", model);
if (etat == -1)
{
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("CANNOT IMPORT THIS ASSET !!!! "));
}
}
}
}
