private void Helper_GetVulnerabilities(XmlDocument s, string ipadress)
{
//TODO
//List<VULNERABILITYFOUND> list_vulnerabilyFound = new List<VULNERABILITYFOUND>() ;
string query = "/scan/results/hosts/host"; //Hardcoded
XmlNode host;
try
{
host = s.SelectNodes(query)[0];
if (HelperHasChild(host, "protocol") != null)
{
XmlNode protocol = HelperHasChild(host, "protocol");
if (HelperHasChild(protocol, "port") != null)
{
XmlNode port = HelperHasChild(protocol, "port");
VulnerabilityEndPoint VoIPScannerEndPoint = new VulnerabilityEndPoint();
VoIPScannerEndPoint.Port = Convert.ToInt32(port.Attributes["id"].InnerText);
VoIPScannerEndPoint.Protocol = protocol.Attributes["name"].InnerText.Trim().ToUpper();
VoIPScannerEndPoint.IpAdress = m_target;
Utils.Helper_Trace("XORCISM PROVIDER VOIPSCANNER", string.Format("Getting new vulnerability from the current endPoint(IpAdress={0},Port={1},Protocol={2})", VoIPScannerEndPoint.IpAdress, VoIPScannerEndPoint.Port.ToString(), VoIPScannerEndPoint.Protocol));
if (HelperHasChild(port, "pwd") != null)
{
XmlNode pwd = HelperHasChild(port, "pwd");
foreach (XmlNode extension in pwd.ChildNodes)
{
VulnerabilityFound detail = new VulnerabilityFound();
detail.Description = string.Format("The {0} SIP user has {1} as password", extension.Attributes["name"].InnerText, extension.Attributes["password"].InnerText);
detail.InnerXml = extension.OuterXml;
VulnerabilityPersistor.Persist(detail, VoIPScannerEndPoint, m_JobId, "voipscanner", m_model);
}
//FREE MEMORY
pwd = null;
}
}
}
//FREE MEMORY
host = null;
//list_vulnerabilyFound = null;
}
catch (Exception ex)
{
Utils.Helper_Trace("XORCISM PROVIDER VOIPSCANNER", string.Format("Error SelectNodes {0}:{1} {2}", query, ex.Message, ex.InnerException));
//return;
}
}
private void Helper_GetVulnerabilities(XmlDocument s, string ipadress)
{
List <VulnerabilityFound> list_VulnerabilityFound;
list_VulnerabilityFound = new List <VulnerabilityFound>();
XmlNodeList portNodes;
portNodes = s.SelectNodes("/openvas-report/results/result/ports/port"); //Hardcoded
Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format("There are {0} port nodes to process", portNodes.Count));
foreach (XmlNode portNode in portNodes)
{
string protocol = portNode.Attributes["protocol"].Value.ToUpper();
int port = -1;
if (portNode.Attributes["portid"] != null)
{
port = Convert.ToInt32(portNode.Attributes["portid"].Value);
}
Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format("Processing port {0} protocol {1}", port, protocol));
VulnerabilityEndPoint vulnerabilityEndPoint;
vulnerabilityEndPoint = new VulnerabilityEndPoint();
vulnerabilityEndPoint.IpAdress = m_target;
vulnerabilityEndPoint.Protocol = protocol;
vulnerabilityEndPoint.Port = port;
XmlNode ServiceNode = portNode.SelectSingleNode("service");
vulnerabilityEndPoint.Service = ServiceNode.Attributes["name"].Value.ToUpper();
foreach (XmlNode informationNode in portNode.SelectNodes("information"))
{
string severity = informationNode.SelectSingleNode("severity").InnerText;
//<severity>Log Message</severity> : Information => should be ignored
//<severity>Security Note</severity>
//<severity>Security Warning</severity>
string nvtId = informationNode.SelectSingleNode("id").InnerText;
Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format(" Handling nvtid {0}", nvtId));
XmlNode nvtNode;
nvtNode = s.SelectSingleNode("/openvas-report/nvts/nvt[@oid='" + nvtId + "']");
string title = nvtNode.SelectSingleNode("name").InnerText;
string summary = nvtNode.SelectSingleNode("summary").InnerText;
string risk = nvtNode.SelectSingleNode("risk").InnerText;
string cve_Value = nvtNode.SelectSingleNode("cve_id").InnerText;
string bid_Value = nvtNode.SelectSingleNode("bugtraq_id").InnerText;
Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format(" Title = [{0}]", title));
Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format(" Summary = [{0}]", summary));
Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format(" Risk = [{0}]", risk));
Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format(" CVE = [{0}]", cve_Value));
VulnerabilityFound vulnerabilityFound;
vulnerabilityFound = new VulnerabilityFound();
vulnerabilityFound.InnerXml = nvtNode.InnerXml;
vulnerabilityFound.Title = title;
vulnerabilityFound.Description = summary;
vulnerabilityFound.DetailedInformation = informationNode.SelectSingleNode("data").InnerText;
vulnerabilityFound.Consequence = informationNode.SelectSingleNode("data").InnerText;
//TODO: regex parse OWASP:OWASP-CM-006
//vulnerabilityFound.Severity = risk;
//Risk Could be:
//None, Unknown, Informational, Low, Medium, High
switch (risk)
{
case "None":
vulnerabilityFound.Severity = "1";
break;
case "Unknown":
vulnerabilityFound.Severity = "1";
break;
case "Informational":
vulnerabilityFound.Severity = "2";
break;
case "Low":
vulnerabilityFound.Severity = "3";
break;
case "Medium":
vulnerabilityFound.Severity = "4";
break;
case "High":
vulnerabilityFound.Severity = "5";
break;
}
if (cve_Value.Trim().ToUpper() != "NOCVE")
{
string[] list_Cve_Value;
list_Cve_Value = cve_Value.Split(new char[] { ',' });
foreach (string cve in list_Cve_Value)
{
VulnerabilityFound.Item cve_Item;
cve_Item = new VulnerabilityFound.Item();
cve_Item.ID = "cve";
cve_Item.Value = cve;
vulnerabilityFound.ListItem.Add(cve_Item);
}
}
if (bid_Value.Trim().ToUpper() != "NOBID")
{
string[] list_bid_Value;
list_bid_Value = bid_Value.Split(new char[] { ',' });
foreach (string bid in list_bid_Value)
{
VulnerabilityFound.Reference bid_Reference;
bid_Reference = new VulnerabilityFound.Reference();
bid_Reference.Source = "BID";
bid_Reference.Title = bid;
bid_Reference.Url = "http://www.securityfocus.com/bid/" + bid;
vulnerabilityFound.ListReference.Add(bid_Reference);
}
}
VulnerabilityPersistor.Persist(vulnerabilityFound, vulnerabilityEndPoint, m_jobId, "OpenVas", m_model);
}
}
}
public void parse()
{
Assembly a;
a = Assembly.GetExecutingAssembly();
Utils.Helper_Trace("XORCISM PROVIDER NESSUS", "Assembly location = " + a.Location);
// ============================================
// Parse the XML Document and populate the database
// ============================================
XmlDocument doc = new XmlDocument();
doc.LoadXml(m_data);
XORCISMEntities model;
model = new XORCISMEntities();
string query = "/NessusClientData_v2/Report";
XmlNode report;
report = doc.SelectSingleNode(query);
Utils.Helper_Trace("XORCISM PROVIDER NESSUS", string.Format("Found {0} hosts to parse", report.ChildNodes.Count));
foreach (XmlNode reportHost in report.ChildNodes)
{
string ipAddress;
ipAddress = reportHost.Attributes["name"].InnerText;
Utils.Helper_Trace("XORCISM PROVIDER NESSUS", string.Format("Handling host with IP {0}", ipAddress));
// =============================================
// If necessary, create an asset in the database
// =============================================
//TODO ipaddressIPv4
var myass = from ass in model.ASSET
where ass.ipaddressIPv4 == ipAddress //&& ass.AccountID == m_AccountID
select ass;
ASSET asset = myass.FirstOrDefault();
if (asset == null)
{
Utils.Helper_Trace("XORCISM PROVIDER NESSUS", "Creates a new entry in table ASSET for this IP");
asset = new ASSET();
//asset.AccountID = m_AccountID;
asset.AssetName = ipAddress;
asset.AssetDescription = ipAddress;
//TODO ipaddressIPv4
asset.ipaddressIPv4 = ipAddress;
asset.Enabled = true;
//asset.JobID = m_JobId;
model.ASSET.Add(asset);
model.SaveChanges();
}
else
{
Utils.Helper_Trace("XORCISM PROVIDER NESSUS", "This IP already corresponds to an existing asset");
}
Utils.Helper_Trace("XORCISM PROVIDER NESSUS", "Creating ASSETINSESSION reference");
ASSETSESSION assinsess = new ASSETSESSION();
assinsess.AssetID = asset.AssetID;
assinsess.SessionID = model.JOB.Single(x => x.JobID == m_JobId).SessionID;
model.ASSETSESSION.Add(assinsess);
model.SaveChanges();
Utils.Helper_Trace("XORCISM PROVIDER NESSUS", "Update JOB with ASSETINSESSIONID");
JOB daJob = model.JOB.Single(x => x.JobID == m_JobId);
daJob.AssetSessionID = assinsess.AssetSessionID;
model.SaveChanges();
// =============================
// Handles every ReportItem tag
// =============================
foreach (XmlNode n in reportHost.ChildNodes)
{
//Hardcoded
if (n.Name.ToUpper() == "ReportItem".ToUpper() && n.ChildNodes != null && n.ChildNodes.Count > 0)
{
string protocol = n.Attributes["protocol"].InnerText.ToUpper();
int port = Convert.ToInt32(n.Attributes["port"].InnerText);
//svc_name
//pluginID
//pluginName
//pluginFamily
//risk_factor
VulnerabilityEndPoint vulnerabilityEndPoint = new VulnerabilityEndPoint();
vulnerabilityEndPoint.IpAdress = ipAddress;
vulnerabilityEndPoint.Protocol = protocol;
vulnerabilityEndPoint.Port = port;
VulnerabilityFound vulnerabilityFound = new VulnerabilityFound();
vulnerabilityFound.ListItem = Helper_GetCVE(n);
vulnerabilityFound.ListReference = Helper_GetREFERENCE(n); //TODO: Helper_GetCVE and Helper_GetREFERENCE could be mixed for only 1 parsing
vulnerabilityFound.InnerXml = n.OuterXml;
vulnerabilityFound.Description = HelperGetChildInnerText(n, "description");
vulnerabilityFound.Solution = HelperGetChildInnerText(n, "solution");
vulnerabilityFound.Title = HelperGetChildInnerText(n, "synopsis");
vulnerabilityFound.rawresponse = HelperGetChildInnerText(n, "plugin_output");
vulnerabilityFound.Result = HelperGetChildInnerText(n, "plugin_output");
vulnerabilityFound.Severity = n.Attributes["severity"].InnerText; //1
//vulnerabilityFound.Severity = HelperGetChildInnerText(n, "risk_factor"); //None Low
if (HelperGetChildInnerText(n, "exploit_available") == "true")
{
vulnerabilityFound.Exploitable = true;
}
//exploitability_ease Exploits are available
//exploit_framework_canvas
//exploit_framework_metasploit
//exploit_framework_core
//metasploit_name
//canvas_package
//cvss_vector
//cvss_temporal_score
try
{
vulnerabilityFound.CVSSBaseScore = float.Parse(HelperGetChildInnerText(n, "cvss_base_score"), System.Globalization.CultureInfo.InvariantCulture);
}
catch (Exception ex)
{
Utils.Helper_Trace("XORCISM PROVIDER NESSUS", string.Format("Error parsing CVSS_BASE : Exception = {0}", ex.Message));
Utils.Helper_Trace("XORCISM PROVIDER NESSUS", string.Format("CVSS_BASE =", HelperGetChildInnerText(n, "cvss_base_score")));
}
bool PatchUpgrade = false;
string MSPatch = "";
string title;
string Solution;
//patch_publication_date
if (HelperGetChildInnerText(n, "patch_publication_date") != "")
{
PatchUpgrade = true;
}
title = n.Attributes["pluginName"].InnerText;
Regex objNaturalPattern = new Regex("MS[0-9][0-9]-[0-9][0-9][0-9]");
MSPatch = objNaturalPattern.Match(title).ToString();
if (MSPatch != "")
{
Utils.Helper_Trace("XORCISM PROVIDER NESSUS", "MSPatch=" + MSPatch);
PatchUpgrade = true;
}
//Hardcoded
Solution = HelperGetChildInnerText(n, "solution");
if (Solution.Contains(" upgrade to "))
{
PatchUpgrade = true;
}
if (Solution.Contains("Upgrade "))
{
PatchUpgrade = true;
}
if (Solution.Contains("has released a set of patches"))
{
PatchUpgrade = true;
}
if (Solution.Contains("Apply the appropriate patch"))
{
PatchUpgrade = true;
}
//<patch_publication_date>
vulnerabilityFound.PatchUpgrade = PatchUpgrade;
vulnerabilityFound.MSPatch = MSPatch;
// ===========
// Persistance
// ===========
Utils.Helper_Trace("XORCISM PROVIDER NESSUS", string.Format("Persistance [{0}] [{1}] [{2}]", protocol, port, Helper_ListCVEToString(vulnerabilityFound.ListItem)));
int etat = VulnerabilityPersistor.Persist(vulnerabilityFound, vulnerabilityEndPoint, m_JobId, "nessus", model);
if (etat == -1)
{
Utils.Helper_Trace("XORCISM PROVIDER NESSUS", string.Format("CANNOT IMPORT THIS ASSET !!!! "));
}
}
}
}
// TODO
// VulnerabilityPersistor.UpdateVulnerabilityJob(list_vulnerabilyFound,m_JobId,m_model);
}
public void parse()
{
Assembly a;
a = Assembly.GetExecutingAssembly();
Utils.Helper_Trace("XORCISM PROVIDER NETSPARKER", "Assembly location = " + a.Location);
// ===================================================
// Parses the XML Document and populates the database
// ===================================================
// Utils.Helper_Trace("XORCISM PROVIDER NETSPARKER", "data = " + m_data);
XmlDocument doc = new XmlDocument();
//TODO: Input Validation (XML)
doc.LoadXml(m_data);
XORCISMEntities model;
model = new XORCISMEntities();
string query = "/netsparker/target"; //Hardcoded
XmlNode report;
report = doc.SelectSingleNode(query);
string ipAddress = string.Empty;
ipAddress = HelperGetChildInnerText(report, "url"); //Hardcoded
if (ipAddress.Substring(ipAddress.Length - 1, 1) == "/")
{
ipAddress = ipAddress.Substring(0, ipAddress.Length - 1);
}
Utils.Helper_Trace("XORCISM PROVIDER NETSPARKER", string.Format("Handling host with IP {0}", ipAddress));
// ===============================================
// If necessary, creates an asset in the database
// ===============================================
//TODO ipaddressIPv4
var myass = from ass in model.ASSET
where ass.ipaddressIPv4 == ipAddress //&& ass.AccountID == m_AccountID
select ass;
ASSET asset = myass.FirstOrDefault();
if (asset == null)
{
Utils.Helper_Trace("XORCISM PROVIDER NETSPARKER", "Creates a new entry in table ASSET for this IP");
asset = new ASSET();
//asset.AccountID = m_AccountID;
asset.AssetName = ipAddress;
asset.AssetDescription = ipAddress;
//TODO ipaddressIPv4
asset.ipaddressIPv4 = ipAddress;
asset.Enabled = true;
//asset.JobID = m_JobId;
model.ASSET.Add(asset);
model.SaveChanges();
}
else
{
Utils.Helper_Trace("XORCISM PROVIDER NETSPARKER", "This IP already corresponds to an existing asset");
}
Utils.Helper_Trace("XORCISM PROVIDER NETSPARKER", "Creating ASSETINSESSION reference");
ASSETSESSION assinsess = new ASSETSESSION();
assinsess.AssetID = asset.AssetID;
assinsess.SessionID = model.JOB.Single(x => x.JobID == m_JobId).SessionID;
model.ASSETSESSION.Add(assinsess);
model.SaveChanges();
Utils.Helper_Trace("XORCISM PROVIDER NETSPARKER", "Update JOB with ASSETINSESSIONID");
JOB daJob = model.JOB.Single(x => x.JobID == m_JobId);
daJob.AssetSessionID = assinsess.AssetSessionID;
model.SaveChanges();
Utils.Helper_Trace("XORCISM PROVIDER NETSPARKER", "VULNERABILITIES FOUND");
query = "/netsparker"; //Hardcoded
report = doc.SelectSingleNode(query);
foreach (XmlNode n in report.ChildNodes)
{
//Hardcoded
if (n.Name.ToUpper() == "vulnerability".ToUpper() && n.ChildNodes != null && n.ChildNodes.Count > 0)
{
if (n.Attributes["confirmed"].InnerText == "True")
{
VulnerabilityEndPoint vulnerabilityEndPoint = new VulnerabilityEndPoint();
vulnerabilityEndPoint.IpAdress = ipAddress;
vulnerabilityEndPoint.Protocol = "TCP"; // "http"; //https ... A VOIR
vulnerabilityEndPoint.Port = 80; //443 ... A VOIR
VulnerabilityFound vulnerabilityFound = new VulnerabilityFound();
//vulnerabilityFound.ListItem = Helper_GetCVE(n);
vulnerabilityFound.InnerXml = n.OuterXml;
string url = HelperGetChildInnerText(n, "url");
vulnerabilityFound.Url = url;
if (url.ToLower().Contains("https://"))
{
vulnerabilityEndPoint.Port = 443;
}
Utils.Helper_Trace("XORCISM PROVIDER NETSPARKER", string.Format("Url: {0}", url));
//vulnerabilityFound.Type = HelperGetChildInnerText(n, "type");
vulnerabilityFound.Title = HelperGetChildInnerText(n, "type");
vulnerabilityFound.Description = HelperGetChildInnerText(n, "type");
vulnerabilityFound.Severity = HelperGetChildInnerText(n, "severity");
Utils.Helper_Trace("XORCISM PROVIDER NETSPARKER", string.Format("Severity: {0}", HelperGetChildInnerText(n, "severity")));
vulnerabilityFound.VulnerableParameterType = HelperGetChildInnerText(n, "vulnerableparametertype");
vulnerabilityFound.VulnerableParameter = HelperGetChildInnerText(n, "vulnerableparameter");
vulnerabilityFound.VulnerableParameterValue = HelperGetChildInnerText(n, "vulnerableparametervalue");
//rawrequest
//rawresponse
//extrainformation
// <info name="Found E-mails">[email protected]</info>
// <info name="Identified Internal Path(s)">/var/www/webscantest/vulnsite/picshare/upload.pl</info>
vulnerabilityFound.Consequence = HelperGetChildInnerText(n, "extrainformation");
bool PatchUpgrade = false;
string MSPatch = "";
/*
* <classification>
* <OWASP>A1</OWASP>
* <WASC>19</WASC>
* <CWE>89</CWE>
* <CAPEC>66</CAPEC>
* </classification>
*/
foreach (XmlNode classif in n.ChildNodes)
{
//Utils.Helper_Trace("XORCISM PROVIDER NETSPARKER", "classif n.ChildNodes: " + classif.Name);
if (classif.Name.ToUpper() == "classification".ToUpper() && classif.ChildNodes != null && classif.ChildNodes.Count > 0)
{
Utils.Helper_Trace("XORCISM PROVIDER NETSPARKER", "OWASP: " + HelperGetChildInnerText(classif, "OWASP"));
Utils.Helper_Trace("XORCISM PROVIDER NETSPARKER", "WASC: " + HelperGetChildInnerText(classif, "WASC"));
Utils.Helper_Trace("XORCISM PROVIDER NETSPARKER", "CWE: " + HelperGetChildInnerText(classif, "CWE"));
Utils.Helper_Trace("XORCISM PROVIDER NETSPARKER", "CAPEC: " + HelperGetChildInnerText(classif, "CAPEC"));
}
}
int etat = VulnerabilityPersistor.Persist(vulnerabilityFound, vulnerabilityEndPoint, m_JobId, "netsparker", model);
if (etat == -1)
{
Utils.Helper_Trace("XORCISM PROVIDER NETSPARKER", string.Format("CANNOT IMPORT THIS ASSET !!!! "));
}
}
}
}
}
public void parse()
{
Assembly a;
a = Assembly.GetExecutingAssembly();
Utils.Helper_Trace("XORCISM PROVIDER SkipfishImport", "Assembly location = " + a.Location);
// ============================================
// Parse the Document and populate the database
// ============================================
XORCISMEntities model;
model = new XORCISMEntities();
string ipAddress;
ipAddress = "";
string protocol = "WWW"; //Hardcoded
int port = 80;
Utils.Helper_Trace("XORCISM PROVIDER SkipfishImport", string.Format("Handling host with IP {0}", ipAddress));
// =============================================
// If necessary, create an asset in the database
// =============================================
//TODO
var myass = from ass in model.ASSET
where ass.ipaddressIPv4 == ipAddress //&& ass.AccountID == m_AccountID
select ass;
ASSET asset = myass.FirstOrDefault();
if (asset == null)
{
Utils.Helper_Trace("XORCISM PROVIDER SkipfishImport", "Creates a new entry in table ASSET for this IP");
asset = new ASSET();
//asset.AccountID = m_AccountID;
asset.AssetName = ipAddress;
asset.AssetDescription = ipAddress;
asset.ipaddressIPv4 = ipAddress;
asset.Enabled = true;
//asset.JobID = m_JobId;
model.ASSET.Add(asset);
model.SaveChanges();
}
else
{
Utils.Helper_Trace("XORCISM PROVIDER SkipfishImport", "This IP already corresponds to an existing asset");
}
Utils.Helper_Trace("XORCISM PROVIDER SkipfishImport", "Creating ASSETINSESSION reference");
ASSETSESSION assinsess = new ASSETSESSION();
assinsess.AssetID = asset.AssetID;
assinsess.SessionID = model.JOB.Single(x => x.JobID == m_JobId).SessionID;
model.ASSETSESSION.Add(assinsess);
model.SaveChanges();
Utils.Helper_Trace("XORCISM PROVIDER SkipfishImport", "Update JOB with ASSETINSESSIONID");
JOB daJob = model.JOB.Single(x => x.JobID == m_JobId);
daJob.AssetSessionID = assinsess.AssetSessionID;
model.SaveChanges();
//**************************
StreamReader monStreamReader = new StreamReader("samples.js"); //Hardcoded
string curline = monStreamReader.ReadLine();
bool issue_samples = false;
int currentseverity = 0;
string curvulntype = "";
while (curline != null)
{
if (issue_samples)
{
if (curline.Contains("'url':"))
{
Console.WriteLine(curvulntype);
Console.WriteLine(vulntypeSkipfish(curvulntype));
curline = curline.Trim();
char[] splitter1 = { ',' };
string[] words1 = curline.Split(splitter1);
string vulnurl = words1[0].Replace("{ 'url': '", "");
vulnurl = vulnurl.Substring(0, vulnurl.Length - 1);
Console.WriteLine(vulnurl);
string vulnparam = words1[1].Replace("'extra': '", "");
vulnparam = vulnparam.Substring(0, vulnparam.Length - 1).Trim();
Console.WriteLine(vulnparam);
string vulninfodir = words1[2].Replace("'dir': '", "");
vulninfodir = vulninfodir.Replace("' } ]", "");
vulninfodir = vulninfodir.Replace("' }", "").Trim();
Console.WriteLine(vulninfodir);
if (currentseverity > 0)
{
VulnerabilityEndPoint vulnerabilityEndPoint = new VulnerabilityEndPoint();
vulnerabilityEndPoint.IpAdress = ipAddress;
vulnerabilityEndPoint.Protocol = protocol;
vulnerabilityEndPoint.Port = port;
VulnerabilityFound vulnerabilityFound = new VulnerabilityFound();
//vulnerabilityFound.PatchUpgrade = PatchUpgrade;
//vulnerabilityFound.MSPatch = MSPatch;
vulnerabilityFound.Title = vulntypeSkipfish(curvulntype);
vulnerabilityFound.Severity = currentseverity.ToString();
vulnerabilityFound.Url = vulnurl;
//vulnerabilityFound.rawrequest= vulninfodir+"/request.dat";
//vulnerabilityFound.rawresponse= vulninfodir+"/response.dat";
vulnerabilityFound.Result = vulnparam;
// ===========
// Persistance
// ===========
Utils.Helper_Trace("XORCISM PROVIDER SkipfishImport", string.Format("Persistance [{0}] [{1}] [{2}]", protocol, port, Helper_ListCVEToString(vulnerabilityFound.ListItem)));
int etat = VulnerabilityPersistor.Persist(vulnerabilityFound, vulnerabilityEndPoint, m_JobId, "skipfish", model);
if (etat == -1)
{
Utils.Helper_Trace("XORCISM PROVIDER SkipfishImport", string.Format("CANNOT IMPORT THIS ASSET !!!! "));
}
}
else
{
//TODO
/*
* //severity=0
* INFORMATION myinfo = new INFORMATION();
* myinfo.Title = vulntypeSkipfish(curvulntype);
* myinfo.Severity = currentseverity.ToString();
* myinfo.Url = vulnurl;
* //myinfo.rawrequest= vulninfodir+"/request.dat";
* //myinfo.rawresponse= vulninfodir+"/response.dat";
* myinfo.Result = vulnparam;
* myinfo.JobID = m_JobId;
*
* model.AddToINFORMATION(myinfo);
* model.SaveChanges();
*/
}
}
}
if (curline.Contains("'severity': 4"))
{
currentseverity = 4;
char[] splitter1 = { ',' };
string[] words1 = curline.Split(splitter1);
curvulntype = words1[1].Replace(" 'type': ", "");
}
if (curline.Contains("'severity': 3"))
{
currentseverity = 3;
char[] splitter1 = { ',' };
string[] words1 = curline.Split(splitter1);
curvulntype = words1[1].Replace(" 'type': ", "");
}
if (curline.Contains("'severity': 2"))
{
currentseverity = 2;
char[] splitter1 = { ',' };
string[] words1 = curline.Split(splitter1);
curvulntype = words1[1].Replace(" 'type': ", "");
}
if (curline.Contains("'severity': 1"))
{
currentseverity = 1;
char[] splitter1 = { ',' };
string[] words1 = curline.Split(splitter1);
curvulntype = words1[1].Replace(" 'type': ", "");
}
if (curline.Contains("'severity': 0"))
{
currentseverity = 0;
char[] splitter1 = { ',' };
string[] words1 = curline.Split(splitter1);
curvulntype = words1[1].Replace(" 'type': ", "");
}
//Where am I?
if (curline.Contains("var issue_samples"))
{
issue_samples = true;
/*
* ligne = ligne.Trim();
* char[] splitter1 = { ' ' };
* string[] words1 = ligne.Split(splitter1);
*
* cmd1 = "./msfcli " + words1[0].Trim() + " T";
*/
}
curline = monStreamReader.ReadLine();
}
monStreamReader.Close();
// A VOIR
// VulnerabilityPersistor.UpdateVulnerabilityJob(list_vulnerabilyFound,m_JobId,m_model);
}
/* @default : port = "80"
* @default : strategy | tunning ="x"
*/
public void Run(string target, int jobID, string policy, string strategy)
{
Utils.Helper_Trace("XORCISM PROVIDER SANDCAT", "Entering Run()");
Utils.Helper_Trace("XORCISM PROVIDER SANDCAT", string.Format("Target = {0} , JobID = {1} , Policy = {2}, Strategy = {3}", target, jobID, policy, strategy));
string targetmodified = target.ToLower().Replace("https://", "").Replace("http://", "");
XORCISMEntities model = new XORCISMEntities();
/* On initialise une var */
//SandcatParser sandcatParser = null;
string file = "";
Assembly a;
a = Assembly.GetExecutingAssembly();
file = string.Format("sandcat_{0}_{1}", DateTime.Now.Ticks, this.GetHashCode());
Process process = new Process();
try
{
//sandcatParser = new SandcatParser(target, jobID, policy, strategy);
Utils.Helper_Trace("XORCISM PROVIDER SANDCAT", "SANDCAT Assembly location = " + a.Location);
Utils.Helper_Trace("XORCISM PROVIDER SANDCAT", string.Format("JobID: {0} Results will be stored in directory [{1}]", jobID, file));
string program;
program = Path.GetDirectoryName(a.Location) + "\\sandcatmini-4.2.5.0\\SandcatCS.exe"; //HARDCODED
Utils.Helper_Trace("XORCISM PROVIDER SANDCAT", string.Format("Using sandcat at '{0}'", program));
process.StartInfo.UseShellExecute = true;
try
{
process.StartInfo.FileName = program;
process.StartInfo.Arguments = " " + targetmodified + " -sn " + file; //HARDCODED
process.StartInfo.UseShellExecute = false;
process.StartInfo.RedirectStandardOutput = true;
process.StartInfo.RedirectStandardError = false;
process.StartInfo.CreateNoWindow = true;
// process.EnableRaisingEvents = true;
// process.Exited += new EventHandler(Process_Exited);
process.Start();
// Process.Start(vProgram,vIAnnotationLocal.Folder + vIAnnotationLocal.EntryPoint);
}
catch (Win32Exception vException)
{
if (vException.NativeErrorCode == ERROR_FILE_NOT_FOUND)
{
Utils.Helper_Trace("XORCISM PROVIDER SANDCAT", string.Format("ERROR_FILE_NOT_FOUND : Exception = {0}", vException.Message));
//return null;
}
else if (vException.NativeErrorCode == ERROR_ACCESS_DENIED)
{
Utils.Helper_Trace("XORCISM PROVIDER SANDCAT", string.Format("ERROR_ACCESS_DENIED : Exception = {0}", vException.Message));
//return null;
}
}
catch (Exception ex)
{
Utils.Helper_Trace("XORCISM PROVIDER SANDCAT", "JobID:" + jobID + "Exception RunningSandcat = " + ex.Message + " " + ex.InnerException);
}
Utils.Helper_Trace("XORCISM PROVIDER SANDCAT", string.Format("sandcat is running"));
}
catch (Exception ex)
{
Utils.Helper_Trace("XORCISM PROVIDER SANDCAT", "JobID:" + jobID + "Exception SandcatParser = " + ex.Message + " " + ex.InnerException);
}
try
{
Utils.Helper_Trace("XORCISM PROVIDER SANDCAT", string.Format("Waiting for sandcat to finish"));
process.WaitForExit(1800000); //3 hours
}
catch (Exception vException)
{
Utils.Helper_Trace("XORCISM PROVIDER SANDCAT", string.Format("TimeException = {0}", vException.Message));
//return null;
}
Utils.Helper_Trace("XORCISM PROVIDER SANDCAT", "sandcat has finished");
StreamReader SR = process.StandardOutput;
string strOutput = SR.ReadToEnd();
Utils.Helper_Trace("XORCISM PROVIDER SANDCAT", string.Format("Output: " + strOutput));
//demo.testfire.net [80]_Vulns.log
string resultfile;
resultfile = Path.Combine(Path.GetDirectoryName(a.Location), "\\sandcatmini-4.2.5.0\\Rep\\" + file + "\\" + targetmodified + " [80]_Vulns.log"); //HARDCODED
/*
* "vname=search.aspx XSS",vpars=txtSearch,vlns=,vrisk=Medium,vpath=http://demo.testfire.net/search.aspx?txtSearch=[script]alert('Vulnerable')[/script],vstat=200,"f=Application Vuln.xrm"
* "vname=comment.aspx XSS",vpars=name,vlns=,vrisk=Medium,"vpath=http://demo.testfire.net/comment.aspx?cfile=comments.txt&name=[script]alert('Vulnerable')[/script]&email_addr=&subject=Sandcat&comments=&submit= Submit&reset= Clear Form",vstat=200,"f=Application Vuln (2).xrm"
* "vname=login.aspx XSS",vpars=uid,vlns=,vrisk=Medium,vpath=http://demo.testfire.net/bank/login.aspx?uid=[script]alert(document.cookie)[/script]&passw=&btnSubmit=Login,vstat=200,"f=Application Vuln (3).xrm"
* "vname=default.aspx Directory Traversal",vpars=content,vlns=,vrisk=High,vpath=http://demo.testfire.net/default.aspx?content=../../../../../../../../boot.ini%00inside_contact.htm,vstat=200,"f=Application Vuln (4).xrm"
*/
try
{
StreamReader myfilereader = new StreamReader(resultfile);
string ligne = myfilereader.ReadLine();
while (ligne != null)
{
Console.WriteLine(ligne);
VulnerabilityFound vulnerabilityFound = new VulnerabilityFound();
VulnerabilityEndPoint vulnerabilityEndPoint = new VulnerabilityEndPoint();
vulnerabilityFound.InnerXml = ligne;
vulnerabilityEndPoint.IpAdress = target;
vulnerabilityEndPoint.Port = 80; //TODO: à voir
vulnerabilityEndPoint.Protocol = "TCP"; //HARDCODED
vulnerabilityEndPoint.Service = "WWW";
string[] arInfo = new string[7];
char[] splitter = { ',' };
arInfo = ligne.Split(splitter);
for (int x = 0; x < arInfo.Length; x++)
{
if (arInfo[x].Contains("vname"))
{
vulnerabilityFound.Title = arInfo[x].Replace("vname=", "").Replace("\"", "");
}
else
{
if (arInfo[x].Contains("vpars"))
{
vulnerabilityFound.VulnerableParameter = arInfo[x].Replace("vpars=", "").Replace("\"", "");
}
else
{
if (arInfo[x].Contains("vrisk"))
{
vulnerabilityFound.Severity = arInfo[x].Replace("vrisk=", "").Replace("\"", "");
}
else
{
if (arInfo[x].Contains("vpath"))
{
vulnerabilityFound.Url = arInfo[x].Replace("vpath=", "").Replace("\"", "");
}
}
}
}
}
VulnerabilityPersistor.Persist(vulnerabilityFound, vulnerabilityEndPoint, jobID, "sandcat", model);
ligne = myfilereader.ReadLine();
}
myfilereader.Close();
}
catch (Exception ex)
{
Utils.Helper_Trace("XORCISM PROVIDER SANDCAT", "JobID:" + jobID + "Exception SandcatReader = " + ex.Message + " " + ex.InnerException + " " + resultfile);
}
string status = XCommon.STATUS.FINISHED.ToString();
// =================================================
// Change the status of the job to FINISHED or ERROR
// =================================================
/*
* if (sandcatParser.Parse() == false)
* {
* status = XCommon.STATUS.ERROR.ToString();
* Utils.Helper_Trace("XORCISM PROVIDER SANDCAT", string.Format("Updating job {0} status to ERROR", jobID));
* XCommon.Utils.Helper_SendEmail("*****@*****.**", "Sandcat ERROR", "Sandcat ERROR for job:" + jobID);
* }
* else
* {
* Utils.Helper_Trace("XORCISM PROVIDER SANDCAT", string.Format("Updating job {0} status to FINISHED", jobID));
* }
*/
try
{
var Q = from j in model.JOB
where j.JobID == jobID
select j;
JOB myJob = Q.FirstOrDefault();
myJob.Status = status;
myJob.DateEnd = DateTimeOffset.Now;
//image
System.Text.UTF8Encoding encoding = new System.Text.UTF8Encoding();
myJob.XmlResult = encoding.GetBytes(m_data);
model.SaveChanges();
//FREE MEMORY
model.Dispose();
// sandcatParser = null;
}
catch (Exception ex)
{
Utils.Helper_Trace("XORCISM PROVIDER SANDCAT", "JobID:" + jobID + "Exception UpdateJob = " + ex.Message + " " + ex.InnerException);
}
Utils.Helper_Trace("XORCISM PROVIDER SANDCAT", "JobID:" + jobID + "Leaving Run()");
}
public void parse()
{
Assembly a;
a = Assembly.GetExecutingAssembly();
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "Assembly location = " + a.Location);
// ============================================
// Parse the XML Document and populate the database
// ============================================
// Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "data = " + m_data);
XmlDocument doc = new XmlDocument();
doc.LoadXml(m_data);
XORCISMEntities model;
model = new XORCISMEntities();
string query = "/ScanGroup/Scan"; //Hardcoded
XmlNode report;
report = doc.SelectSingleNode(query);
string ipAddress = string.Empty;
ipAddress = HelperGetChildInnerText(report, "StartURL"); //Hardcoded
if (ipAddress.Substring(ipAddress.Length - 1, 1) == "/")
{
ipAddress = ipAddress.Substring(0, ipAddress.Length - 1);
}
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("Handling host with IP {0}", ipAddress));
// ===============================================
// If necessary, creates an asset in the database
// ===============================================
//TODO
var myass = from ass in model.ASSET
where ass.ipaddressIPv4 == ipAddress //&& ass.AccountID == m_AccountID
select ass;
ASSET asset = myass.FirstOrDefault();
if (asset == null)
{
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "Creates a new entry in table ASSET for this IP");
asset = new ASSET();
//asset.AccountID = m_AccountID;
asset.AssetName = ipAddress;
asset.AssetDescription = ipAddress;
asset.ipaddressIPv4 = ipAddress;
asset.Enabled = true;
//asset.JobID = m_JobId;
model.ASSET.Add(asset);
model.SaveChanges();
}
else
{
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "This IP already corresponds to an existing asset");
}
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "Creating ASSETINSESSION reference");
ASSETSESSION assinsess = new ASSETSESSION();
assinsess.AssetID = asset.AssetID;
assinsess.SessionID = model.JOB.Single(x => x.JobID == m_JobId).SessionID;
model.ASSETSESSION.Add(assinsess);
model.SaveChanges();
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "Update JOB with ASSETINSESSIONID");
JOB daJob = model.JOB.Single(x => x.JobID == m_JobId);
daJob.AssetSessionID = assinsess.AssetSessionID;
model.SaveChanges();
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "VULNERABILITIES FOUND");
query = "/ScanGroup/Scan/ReportItems";
report = doc.SelectSingleNode(query);
foreach (XmlNode n in report.ChildNodes)
{
if (n.Name.ToUpper() == "ReportItem".ToUpper() && n.ChildNodes != null && n.ChildNodes.Count > 0)
{
//TODOs HARDCODED
VulnerabilityEndPoint vulnerabilityEndPoint = new VulnerabilityEndPoint();
vulnerabilityEndPoint.IpAdress = ipAddress;
vulnerabilityEndPoint.Protocol = "TCP"; // "http"; //https ... A VOIR
vulnerabilityEndPoint.Port = 80; //443 ... A VOIR
VulnerabilityFound vulnerabilityFound = new VulnerabilityFound();
//vulnerabilityFound.ListItem = Helper_GetCVE(n);
vulnerabilityFound.InnerXml = n.OuterXml;
//To eliminate VULNERABILITY (Value) duplicates:
/*
* string pattern = @"ReportItem id=""\d\d?\d?""";
* string s = Regex.Replace(n.OuterXml, pattern, "ReportItem id=\"0\"");
* vulnerabilityFound.InnerXml = s;
*/
string url = HelperGetChildInnerText(n, "Affects"); //Server
vulnerabilityFound.Url = url;
if (url.ToLower().Contains("https://"))
{
vulnerabilityEndPoint.Port = 443;
}
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("Url: {0}", url));
vulnerabilityFound.Type = HelperGetChildInnerText(n, "Type");
if (HelperGetChildInnerText(n, "IsFalsePositive") == "False")
{
vulnerabilityFound.IsFalsePositive = false;
}
else
{
vulnerabilityFound.IsFalsePositive = true;
}
vulnerabilityFound.Title = HelperGetChildInnerText(n, "Name");
//ModuleName
//Affects
vulnerabilityFound.Description = HelperGetChildInnerText(n, "Description");
//Extract the CVEs
List <VulnerabilityFound.Item> ListCVEs = new List <VulnerabilityFound.Item>();
//MatchCollection matches = Regex.Matches(HelperGetChildInnerText(n, "Description"), "CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]");
MatchCollection matches = Regex.Matches(HelperGetChildInnerText(n, "Description"), @"CVE-(19|20)\d\d-(0\d{3}|[1-9]\d{3,})"); //myRegexCVE
//https://cve.mitre.org/cve/identifiers/tech-guidance.html
foreach (Match match in matches)
{
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("CVE: {0}", match.Groups[1].Value));
VulnerabilityFound.Item item;
item = new VulnerabilityFound.Item();
item.ID = "cve";
item.Value = match.Groups[1].Value;
ListCVEs.Add(item);
}
string mySeverity = HelperGetChildInnerText(n, "Severity");
switch (mySeverity)
{
//HARDCODED
case "high":
mySeverity = "High";
break;
case "medium":
mySeverity = "Medium";
break;
case "low":
mySeverity = "Low";
break;
//case "info"
}
vulnerabilityFound.Severity = mySeverity;
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("Severity: {0}", mySeverity));
string DetailsAnalysis = HelperGetChildInnerText(n, "Details");
if (DetailsAnalysis.Contains("URL encoded GET"))
{
vulnerabilityFound.VulnerableParameterType = "GET"; //should be Querystring for Netsparker
var regex = new Regex(@"URL encoded GET input <b><font color=""dark"">(.*?)</font></b>");
var match = regex.Match(DetailsAnalysis);
if (match.Success)
{
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("VulnerableParameter: {0}", match.Groups[1].Value));
vulnerabilityFound.VulnerableParameter = match.Groups[1].Value;
regex = new Regex(@"was set to <b><font color=""dark"">(.*?)</font></b>");
match = regex.Match(DetailsAnalysis);
if (match.Success)
{
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("VulnerableParameterValue: {0}", match.Groups[1].Value));
vulnerabilityFound.VulnerableParameterValue = match.Groups[1].Value;
}
}
}
if (DetailsAnalysis.Contains("URL encoded POST"))
{
vulnerabilityFound.VulnerableParameterType = "POST"; //should be Post for Netsparker
var regex = new Regex(@"URL encoded POST input <b><font color=""dark"">(.*?)</font></b>");
var match = regex.Match(DetailsAnalysis);
if (match.Success)
{
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("VulnerableParameter: {0}", match.Groups[1].Value));
vulnerabilityFound.VulnerableParameter = match.Groups[1].Value;
regex = new Regex(@"was set to <b><font color=""dark"">(.*?)</font></b>");
match = regex.Match(DetailsAnalysis);
if (match.Success)
{
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("VulnerableParameterValue: {0}", match.Groups[1].Value));
vulnerabilityFound.VulnerableParameterValue = match.Groups[1].Value;
}
}
}
//vulnerabilityFound.VulnerableParameterType = HelperGetChildInnerText(n, "vulnerableparametertype");
//vulnerabilityFound.VulnerableParameter = HelperGetChildInnerText(n, "vulnerableparameter");
//in <Details>:
//URL encoded GET input <b><font color="dark">id</font></b> was set to <b><font color="dark">4-2+2*3-6</font></b>
//URL encoded GET input <b><font color="dark">id</font></b> was set to <b><font color="dark">1'</font></b><br/>Error message found: <pre wrap="virtual"><font color="blue">supplied argument is not a valid MySQL result</font></pre>
//URL encoded POST input <b><font color="dark">name</font></b> was set to <b><font color="dark">'"()&%1<ScRiPt >prompt(983150)</ScRiPt></font></b>
//vulnerabilityFound.VulnerableParameterValue = HelperGetChildInnerText(n, "vulnerableparametervalue");
List <VulnerabilityFound.Reference> ListReferences = new List <VulnerabilityFound.Reference>();
foreach (XmlNode nchild in n.ChildNodes)
{
if (nchild.Name.ToUpper() == "TechnicalDetails".ToUpper() && nchild.ChildNodes != null && nchild.ChildNodes.Count > 0)
{
//rawrequest
vulnerabilityFound.rawrequest = HelperGetChildInnerText(nchild, "Request");
//rawresponse
vulnerabilityFound.rawresponse = HelperGetChildInnerText(nchild, "Response");
}
if (nchild.Name.ToUpper() == "References".ToUpper() && nchild.ChildNodes != null && nchild.ChildNodes.Count > 0)
{
foreach (XmlNode reference in nchild)
{
/*
* REFERENCE myReference = new REFERENCE();
* myReference.Source = HelperGetChildInnerText(reference, "Database");
* myReference.Url = HelperGetChildInnerText(reference, "URL");
*
* model.AddToREFERENCE(myReference);
*/
VulnerabilityFound.Reference refvuln = new VulnerabilityFound.Reference();
refvuln.Title = HelperGetChildInnerText(reference, "Database");
string refurl = HelperGetChildInnerText(reference, "URL").ToLower();
refvuln.Url = refurl;
refvuln.Source = HelperGetChildInnerText(reference, "Database");
//Try to harmonise the Source with the other imports (ie: exploits)
//HARDCODED
//TODO: Use a Common Function
if (refurl.Contains("/bugtraq/"))
{
refvuln.Source = "BUGTRAQ";
}
if (refurl.Contains("marc.theaimsgroup.com/?l=bugtraq"))
{
refvuln.Source = "BUGTRAQ";
}
if (refurl.Contains("securityfocus.com/bid"))
{
refvuln.Source = "BID";
}
if (refurl.Contains("osvdb.org/"))
{
refvuln.Source = "OSVDB";
}
if (refurl.Contains("xforce.iss.net/"))
{
refvuln.Source = "XF";
}
if (refurl.Contains("www.iss.net/"))
{
refvuln.Source = "XF";
}
if (refurl.Contains("www.ciac.org/"))
{
refvuln.Source = "CIAC";
}
if (refurl.Contains("ciac.llnl.gov/"))
{
refvuln.Source = "CIAC";
}
if (refurl.Contains("www.cert.org/"))
{
refvuln.Source = "CERT";
}
if (refurl.Contains("sunsolve.sun.org/"))
{
refvuln.Source = "SUN";
}
if (refurl.Contains("sunsolve.sun.com/"))
{
refvuln.Source = "SUN";
}
if (refurl.Contains("patches.sgi.com/"))
{
refvuln.Source = "SGI";
}
if (refurl.Contains("microsoft.com/default.aspx?scid=kb"))
{
refvuln.Source = "MSKB";
}
if (refurl.Contains("ftp.sco.com/"))
{
refvuln.Source = "SCO";
}
if (refurl.Contains("www.trustix.org/"))
{
refvuln.Source = "TRUSTIX";
}
if (refurl.Contains("ftp.freebsd.org/"))
{
refvuln.Source = "FREEBSD";
}
if (refurl.Contains("www.secunia.com/"))
{
refvuln.Source = "SECUNIA";
}
if (refurl.Contains("www.vupen.com/"))
{
refvuln.Source = "VUPEN";
}
if (refurl.Contains("www.securitytracker.com/"))
{
refvuln.Source = "SECTRACK";
}
if (refurl.Contains("www.redhat.com/"))
{
refvuln.Source = "REDHAT";
}
if (refurl.Contains("www.exploit-db.com/"))
{
refvuln.Source = "EXPLOIT-DB";
}
if (refurl.Contains("www.milw0rm.com/"))
{
refvuln.Source = "MILW0RM";
}
if (refurl.Contains("www.microsoft.com/"))
{
refvuln.Source = "MS";
}
if (refurl.Contains("seclists.org/fulldisclosure"))
{
refvuln.Source = "FULLDISC";
}
ListReferences.Add(refvuln);
}
}
}
vulnerabilityFound.ListReference = ListReferences;
vulnerabilityFound.ListItem = ListCVEs;
vulnerabilityFound.Result = HelperGetChildInnerText(n, "Details");
vulnerabilityFound.Consequence = HelperGetChildInnerText(n, "Impact");
vulnerabilityFound.Solution = HelperGetChildInnerText(n, "Recommendation");
//DetailedInformation
vulnerabilityFound.DetailedInformation = HelperGetChildInnerText(n, "DetailedInformation");
//TODO
bool PatchUpgrade = false;
string MSPatch = "";
int etat = VulnerabilityPersistor.Persist(vulnerabilityFound, vulnerabilityEndPoint, m_JobId, "acunetix", model);
if (etat == -1)
{
Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("CANNOT IMPORT THIS ASSET !!!! "));
}
}
}
}
public void parse()
{
Assembly a;
a = Assembly.GetExecutingAssembly();
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "Assembly location = " + a.Location);
XmlDocument doc = new XmlDocument();
#region HackCenzic
/*
string filename;
filename = @"C:\Cenzic_webscan.xml"; //Hardcoded
doc.Load(filename);
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("HackFile should be located at : " + filename));
*/
#endregion
// ============================================
// Parse the XML Document and populate the database
// ============================================
string protocol = string.Empty;
//int port = -1;
string service = string.Empty;
//bool PatchUpgrade = false;
//string title;
//string MSPatch = "";
//string Solution;
m_data = m_data.Replace("Configurable format #", "Configurable"); //Hardcoded
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("m_data = {0}", m_data));
try
{
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "Loading the XML document");
doc.LoadXml(m_data);
}
catch (Exception ex)
{
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Exception = {0} / {1}", ex.Message, ex.InnerException == null ? "" : ex.InnerException.Message));
}
XORCISMEntities model;
model = new XORCISMEntities();
string query = "/AssessmentRunData/SmartAttacks/SmartAttacksData"; //Hardcoded
XmlNodeList report;
report = null;
try
{
report = doc.SelectNodes(query);
}
catch (Exception ex)
{
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Error SelectNodes({0}) : Exception = {1}", query, ex.Message));
return;
}
//We should retrieve the target for an import
string m_target = string.Empty;
string patterntoken = "<Url>(.*?)</Url>";
MatchCollection matchesurl = Regex.Matches(m_data, patterntoken);
foreach (Match match in matchesurl)
{
m_target = match.Value.Replace("<Url>", "").Replace("</Url>", "");
//Console.WriteLine(mytoken);
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "target: " + m_target);
}
int myPort = 80;
if (m_target.Contains("https://"))
{
myPort = 443;
}
//Check if we have a custom port, ex: http://10.20.30.40:8080/test
string strTargetTest = m_target;
strTargetTest = strTargetTest.Replace("http://", "");
strTargetTest = strTargetTest.Replace("https://", "");
try
{
if (strTargetTest.Contains(":"))
{
char[] splitter = { ':' };
string[] strSplit = strTargetTest.Split(splitter);
strTargetTest = strSplit[1];
if (strTargetTest.Contains("/"))
{
strSplit = strTargetTest.Split(new Char[] { '/' });
strTargetTest = strSplit[0];
}
try
{
myPort = Convert.ToInt32(strTargetTest);
}
catch (FormatException e)
{
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", strTargetTest + " is not a sequence of digits.");
}
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Custom Port:{0}", strTargetTest));
}
else
{
if (strTargetTest.Contains("/"))
{
string[] strSplit = strTargetTest.Split(new Char[] { '/' });
strTargetTest = strSplit[0];
if (m_target.Contains("https://"))
{
m_target = "https://" + strTargetTest;
}
if (m_target.Contains("http://"))
{
m_target = "http://" + strTargetTest;
}
}
}
}
catch (Exception ex)
{
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Error in strTargetTest : Exception = {0}", ex.Message));
}
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "the m_target=" + m_target);
// ===============================================
// If necessary, creates an asset in the database
// ===============================================
//TODO
var myass = from ass in model.ASSET
where ass.ipaddressIPv4 == m_target //&& ass.AccountID == m_AccountID
select ass;
ASSET asset = myass.FirstOrDefault();
if (asset == null)
{
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "Creates a new entry in table ASSET for this IP");
asset = new ASSET();
//asset.AccountID = m_AccountID;
asset.AssetName = m_target;
asset.AssetDescription = m_target;
asset.ipaddressIPv4 = m_target;
asset.Enabled = true;
//asset.JobID = m_jobId;
model.ASSET.Add(asset);
model.SaveChanges();
}
else
{
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "This IP already corresponds to an existing asset");
}
int m_assetId = asset.AssetID;
int m_sessionId = (int)model.JOB.Single(x => x.JobID == m_jobId).SessionID;
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "Creating ASSETINSESSION reference");
ASSETSESSION assinsess = new ASSETSESSION();
assinsess.AssetID = asset.AssetID;
assinsess.SessionID = m_sessionId; // model.JOB.Single(x => x.JobID == m_jobId).SessionID;
model.ASSETSESSION.Add(assinsess);
model.SaveChanges();
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "Update JOB with ASSETINSESSIONID");
JOB daJob = model.JOB.Single(x => x.JobID == m_jobId);
daJob.AssetSessionID = assinsess.AssetSessionID;
model.SaveChanges();
VulnerabilityEndPoint vulnerabilityEndPoint = new VulnerabilityEndPoint();
vulnerabilityEndPoint.IpAdress = m_target;
vulnerabilityEndPoint.Protocol = "TCP"; // "http";
vulnerabilityEndPoint.Port = myPort;
vulnerabilityEndPoint.Service = "WWW";
int myEndpointID = 0;
var testEndpoint = from e in model.ENDPOINT
where e.AssetID == m_assetId && e.SessionID == m_sessionId
select e;
if (testEndpoint.Count() == 0)
{
ENDPOINT newEndpoint = new ENDPOINT();
newEndpoint.AssetID = m_assetId;
newEndpoint.SessionID = m_sessionId;
newEndpoint.ProtocolName = "TCP"; // "http";
newEndpoint.PortNumber = myPort;
newEndpoint.Service = "WWW";
model.ENDPOINT.Add(newEndpoint);
model.SaveChanges();
myEndpointID = newEndpoint.EndPointID;
}
else
{
myEndpointID = testEndpoint.FirstOrDefault().EndPointID;
}
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("myEndpointID:{0}", myEndpointID));
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("JobID:" + m_jobId + " Found {0} SmartAttacks to parse", report.Count));
foreach (XmlNode reportHost in report)
{
// ==================================
// Handle every SmartAttacksData tag
// ==================================
string myInnerXml = string.Empty;
string myTitle = string.Empty;
string myDescription = string.Empty;
string myConsequence = string.Empty;
string myResult = string.Empty;
string mySolution = string.Empty;
string myCVE = string.Empty;
MatchCollection myCVEs;
string myPCI = string.Empty;
string myMessage = string.Empty;
foreach (XmlNode n in reportHost.ChildNodes)
{
//SmartAttackInfo
//ReportItems
XmlNodeList Childs = n.ChildNodes;
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Coucou 1"));
try
{
if (n.Name == "SmartAttackInfo")
{
myInnerXml = n.OuterXml;
myTitle = HelperGetChildInnerText(n, "SmartAttackName");
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("JobID:" + m_jobId + " Found SmartAttackName:{0}", myTitle));
Regex myRegex = new Regex("PCI [0-9].[0-9].[0-9]");
myPCI = myRegex.Match(myTitle).ToString();
if (myPCI != "")
{
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "PCI=" + myPCI);
}
//Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("myInnerXml:{0}", myInnerXml));
//Hardcoded
myDescription = HelperGetChildInnerText(n, "Description");
myConsequence = HelperGetChildInnerText(n, "HowItWorks");
myResult = HelperGetChildInnerText(n, "Impact");
mySolution = HelperGetChildInnerText(n, "Remediation");
}
}
catch (Exception ex)
{
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("JobID:" + m_jobId + " Error in SmartAttackInfo : Exception = {0}", ex.Message));
}
if (n.Name == "ReportItems")
{
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Coucou 2"));
foreach (XmlNode x in n.ChildNodes)
{
//HARDCODED
//ReportItem
foreach (XmlNode ReportItem in x.ChildNodes)
{
myMessage = "";
if (ReportItem.Name == "ReportItemType")
{
//Pass
if (ReportItem.InnerText == "Information")
{
try
{
//TODO
/*
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Information"));
INFORMATION newInformation = new INFORMATION();
//newInformation.InnerXml
newInformation.Title = myTitle;
newInformation.Description = myDescription;
newInformation.Consequence = myConsequence;
newInformation.Result = myResult;
newInformation.Solution = mySolution;
newInformation.Severity = HelperGetChildInnerText(x, "Severity");
newInformation.HarmScore = int.Parse(HelperGetChildInnerText(x, "HarmScore"));
myMessage = HelperGetChildInnerText(x, "Message");
newInformation.Message = myMessage;
//TODO A FAIRE
//Matching avec les références
//http://www.securityfocus.com/bid/43140/info
//http://www.securityfocus.com/bid/43140/solution
newInformation.Url = HelperGetChildInnerText(x, "Url");
newInformation.rawrequest = HelperGetChildInnerText(x, "HttpRequest");
newInformation.rawresponse = HelperGetChildInnerText(x, "HttpResponse");
if (myPCI != "")
{
newInformation.PCI_FLAG = true;
}
newInformation.JobID = m_jobId;
newInformation.EndPointID = myEndpointID;
model.AddToINFORMATION(newInformation);
model.SaveChanges();
*/
}
catch (Exception ex)
{
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("JobID:" + m_jobId + " Error in Information : Exception = {0}. {1}", ex.Message, ex.InnerException));
}
}
if (ReportItem.InnerText == "Warning")
{
try
{
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Warning"));
VulnerabilityFound vulnerabilityFound = new VulnerabilityFound();
vulnerabilityFound.InnerXml = myInnerXml;
vulnerabilityFound.Title = myTitle;
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Adding SmartAttackName:{0}", myTitle));
vulnerabilityFound.Description = myDescription;
vulnerabilityFound.Consequence = myConsequence;
vulnerabilityFound.Result = myResult;
vulnerabilityFound.Solution = mySolution;
if (myPCI != "")
{
vulnerabilityFound.PCI_FLAG = true;
}
//ReportItemCreateDate
vulnerabilityFound.Severity = HelperGetChildInnerText(x, "Severity");
//Low, Medium, High
//Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("WARNING Severity:{0}", HelperGetChildInnerText(x, "Severity")));
vulnerabilityFound.HarmScore = int.Parse(HelperGetChildInnerText(x, "HarmScore"));
//Count
myMessage=HelperGetChildInnerText(x, "Message");
//vulnerabilityFound.Message = myMessage; //not exact because same VULNERABILITY will have various Messages
vulnerabilityFound.rawresponse = myMessage;
//Regex objNaturalPattern = new Regex("CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]");
Regex myRegexCVE = new Regex(@"CVE-(19|20)\d\d-(0\d{3}|[1-9]\d{3,})"); //TODO: Update this?
//https://cve.mitre.org/cve/identifiers/tech-guidance.html
/*
myCVE = objNaturalPattern.Match(myMessage).ToString();
if (myCVE != "")
{
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "CVE=" + myCVE);
}
*/
List<VulnerabilityFound.Item> l;
l = new List<VulnerabilityFound.Item>();
myCVEs = myRegexCVE.Matches(myMessage);
foreach (Match match in myCVEs)
{
foreach (Capture capture in match.Captures)
{
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Index={0}, CVE={1}", capture.Index, capture.Value));
VulnerabilityFound.Item item;
item = new VulnerabilityFound.Item();
item.Value = capture.Value;
item.ID = "cve";
l.Add(item);
}
}
vulnerabilityFound.ListItem = l;
vulnerabilityFound.Url = HelperGetChildInnerText(x, "Url");
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Url={0}", HelperGetChildInnerText(x, "Url")));
vulnerabilityFound.rawrequest = HelperGetChildInnerText(x, "HttpRequest");
//vulnerabilityFound.rawresponse = HelperGetChildInnerText(x, "HttpResponse");
//StructuredData
//*** Compliances? voir en bas
//http://www.cenzic.com/downloads/Cenzic_CWE.pdf
int VulnID = VulnerabilityPersistor.Persist(vulnerabilityFound, vulnerabilityEndPoint, m_jobId, "cenzic", model);
}
catch (Exception ex)
{
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("JobID:" + m_jobId + " Error in Warning : Exception = {0}. {1}", ex.Message, ex.InnerException));
}
}
if (ReportItem.InnerText == "Vulnerable")
{
try
{
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Vulnerable"));
VulnerabilityFound vulnerabilityFound = new VulnerabilityFound();
vulnerabilityFound.InnerXml = myInnerXml;
vulnerabilityFound.Title = myTitle;
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Adding SmartAttackName:{0}", myTitle));
vulnerabilityFound.Description = myDescription;
vulnerabilityFound.Consequence = myConsequence;
vulnerabilityFound.Result = myResult;
vulnerabilityFound.Solution = mySolution;
//ReportItemCreateDate
vulnerabilityFound.Severity = HelperGetChildInnerText(x, "Severity");
//Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("VULNERABLE Severity:{0}", HelperGetChildInnerText(x, "Severity")));
vulnerabilityFound.HarmScore = int.Parse(HelperGetChildInnerText(x, "HarmScore"));
//Count
myMessage = HelperGetChildInnerText(x, "Message");
//vulnerabilityFound.Message = myMessage;
vulnerabilityFound.rawresponse = myMessage;
//Regex objNaturalPattern = new Regex("CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]");
Regex myRegexCVE = new Regex(@"CVE-(19|20)\d\d-(0\d{3}|[1-9]\d{3,})");
//https://cve.mitre.org/cve/identifiers/tech-guidance.html
/*
myCVE = objNaturalPattern.Match(myMessage).ToString();
if (myCVE != "")
{
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "CVE=" + myCVE);
}
*/
List<VulnerabilityFound.Item> l;
l = new List<VulnerabilityFound.Item>();
myCVEs = myRegexCVE.Matches(myMessage);
foreach (Match match in myCVEs)
{
foreach (Capture capture in match.Captures)
{
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Index={0}, CVE={1}", capture.Index, capture.Value));
VulnerabilityFound.Item item;
item = new VulnerabilityFound.Item();
item.Value = capture.Value;
item.ID = "cve";
l.Add(item);
}
}
vulnerabilityFound.ListItem = l;
vulnerabilityFound.Url = HelperGetChildInnerText(x, "Url");
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Url={0}", HelperGetChildInnerText(x, "Url")));
vulnerabilityFound.rawrequest = HelperGetChildInnerText(x, "HttpRequest");
//vulnerabilityFound.rawresponse = HelperGetChildInnerText(x, "HttpResponse");
//StructuredData
if (myPCI != "")
{
//TODO
/*
vulnerabilityFound.PCI_FLAG = true;
int VulnID = VulnerabilityPersistor.Persist(vulnerabilityFound, vulnerabilityEndPoint, m_jobId, "cenzic", model);
List<int> myIds = new List<int>();
var id = from o in model.COMPLIANCECATEG
where o.Title == myTitle &&
o.COMPLIANCE.Title == "PCIDSS"
select o.ComplianceCategID;
int Id = id.FirstOrDefault();
myIds.Add(Id);
List<int> Compliances = new List<int>();
Compliances = myIds;
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Vulnerability persisted , VulnID = {0} & Compliance count = {1}", VulnID, Compliances.Count));
var V = from tmpVuln in model.VULNERABILITYFOUND
where tmpVuln.VulnerabilityFoundID == VulnID
select tmpVuln;
VULNERABILITYFOUND VF = V.FirstOrDefault();
foreach (int i in Compliances)
{
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Categorie Compliance => ", i));
var C = from Comp in model.COMPLIANCECATEG
where Comp.ComplianceCategID == i
select Comp;
COMPLIANCECATEG myCompliance = new COMPLIANCECATEG();
myCompliance = C.FirstOrDefault();
VF.COMPLIANCECATEG.Add(myCompliance);
model.SaveChanges();
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "Mapping Compliance-Vulnerability Added");
}
*/
}
else
{
int VulnID = VulnerabilityPersistor.Persist(vulnerabilityFound, vulnerabilityEndPoint, m_jobId, "cenzic", model);
}
}
catch (Exception ex)
{
Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Error in Vulnerable : Exception = {0}. {1}", ex.Message, ex.InnerException));
}
}
}
}
}
}
}
}
}
