private List <VulnerabilityFound.Reference> Helper_GetREFERENCE(XmlNode reportItem) { List <VulnerabilityFound.Reference> l = new List <VulnerabilityFound.Reference>(); foreach (XmlNode child in reportItem.ChildNodes) { //HARDCODED if (child.Name.ToUpper() == "bid".ToUpper()) { VulnerabilityFound.Reference Reference = new VulnerabilityFound.Reference(); Reference.Source = "BID"; Reference.Title = child.InnerText; Reference.Url = "http://www.securityfocus.com/bid/" + child.InnerText; Utils.Helper_Trace("XORCISM PROVIDER NESSUS", string.Format("TEST REFERENCEBID: {0}", "http://www.securityfocus.com/bid/" + child.InnerText)); l.Add(Reference); } else { if (child.Name.ToUpper() == "see_also".ToUpper()) { VulnerabilityFound.Reference Reference = new VulnerabilityFound.Reference(); Reference.Source = "NESSUS"; Reference.Title = child.InnerText; Reference.Url = child.InnerText; Utils.Helper_Trace("XORCISM PROVIDER NESSUS", string.Format("TEST REFERENCENESSUS: {0}", child.InnerText)); //TODO: check these unknown references/source l.Add(Reference); } if (child.Name.ToUpper() == "xref".ToUpper()) { if (child.InnerText.Contains("OSVDB")) { VulnerabilityFound.Reference Reference = new VulnerabilityFound.Reference(); Reference.Source = "OSVDB"; Reference.Title = child.InnerText.Replace("OSVDB:", ""); Reference.Url = "http://www.osvdb.org/" + child.InnerText.Replace("OSVDB:", ""); Utils.Helper_Trace("XORCISM PROVIDER NESSUS", string.Format("TEST REFERENCEOSVDB: {0}", "http://www.osvdb.org/" + child.InnerText.Replace("OSVDB:", ""))); l.Add(Reference); } else { if (child.InnerText.Contains("Secunia")) { VulnerabilityFound.Reference Reference = new VulnerabilityFound.Reference(); Reference.Source = "SECUNIA"; Reference.Title = child.InnerText.Replace("Secunia:", ""); Reference.Url = "http://secunia.com/advisories/" + child.InnerText.Replace("Secunia:", ""); Utils.Helper_Trace("XORCISM PROVIDER NESSUS", string.Format("TEST REFERENCESECUNIA: {0}", "http://secunia.com/advisories/" + child.InnerText.Replace("Secunia:", ""))); l.Add(Reference); } else { if (child.InnerText.Contains("EDB-ID")) { VulnerabilityFound.Reference Reference = new VulnerabilityFound.Reference(); Reference.Source = "EXPLOIT-DB"; Reference.Title = child.InnerText.Replace("EDB-ID:", ""); Reference.Url = "http://www.exploit-db.com/exploits/" + child.InnerText.Replace("EDB-ID:", ""); Utils.Helper_Trace("XORCISM PROVIDER NESSUS", string.Format("TEST REFERENCEEXPLOIT-DB: {0}", "http://www.exploit-db.com/exploits/" + child.InnerText.Replace("EDB-ID:", ""))); l.Add(Reference); } else { VulnerabilityFound.Reference Reference = new VulnerabilityFound.Reference(); Reference.Source = "NESSUS"; Reference.Title = child.InnerText; Reference.Url = child.InnerText; Utils.Helper_Trace("XORCISM PROVIDER NESSUS", string.Format("TEST REFERENCENESSUS: {0}", child.InnerText)); //TODO: check these unknown references/source l.Add(Reference); } } } } } } return(l); }
private void Helper_GetVulnerabilities(XmlDocument s, string ipadress) { List <VulnerabilityFound> list_VulnerabilityFound; list_VulnerabilityFound = new List <VulnerabilityFound>(); XmlNodeList portNodes; portNodes = s.SelectNodes("/openvas-report/results/result/ports/port"); //Hardcoded Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format("There are {0} port nodes to process", portNodes.Count)); foreach (XmlNode portNode in portNodes) { string protocol = portNode.Attributes["protocol"].Value.ToUpper(); int port = -1; if (portNode.Attributes["portid"] != null) { port = Convert.ToInt32(portNode.Attributes["portid"].Value); } Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format("Processing port {0} protocol {1}", port, protocol)); VulnerabilityEndPoint vulnerabilityEndPoint; vulnerabilityEndPoint = new VulnerabilityEndPoint(); vulnerabilityEndPoint.IpAdress = m_target; vulnerabilityEndPoint.Protocol = protocol; vulnerabilityEndPoint.Port = port; XmlNode ServiceNode = portNode.SelectSingleNode("service"); vulnerabilityEndPoint.Service = ServiceNode.Attributes["name"].Value.ToUpper(); foreach (XmlNode informationNode in portNode.SelectNodes("information")) { string severity = informationNode.SelectSingleNode("severity").InnerText; //<severity>Log Message</severity> : Information => should be ignored //<severity>Security Note</severity> //<severity>Security Warning</severity> string nvtId = informationNode.SelectSingleNode("id").InnerText; Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format(" Handling nvtid {0}", nvtId)); XmlNode nvtNode; nvtNode = s.SelectSingleNode("/openvas-report/nvts/nvt[@oid='" + nvtId + "']"); string title = nvtNode.SelectSingleNode("name").InnerText; string summary = nvtNode.SelectSingleNode("summary").InnerText; string risk = nvtNode.SelectSingleNode("risk").InnerText; string cve_Value = nvtNode.SelectSingleNode("cve_id").InnerText; string bid_Value = nvtNode.SelectSingleNode("bugtraq_id").InnerText; Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format(" Title = [{0}]", title)); Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format(" Summary = [{0}]", summary)); Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format(" Risk = [{0}]", risk)); Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format(" CVE = [{0}]", cve_Value)); VulnerabilityFound vulnerabilityFound; vulnerabilityFound = new VulnerabilityFound(); vulnerabilityFound.InnerXml = nvtNode.InnerXml; vulnerabilityFound.Title = title; vulnerabilityFound.Description = summary; vulnerabilityFound.DetailedInformation = informationNode.SelectSingleNode("data").InnerText; vulnerabilityFound.Consequence = informationNode.SelectSingleNode("data").InnerText; //TODO: regex parse OWASP:OWASP-CM-006 //vulnerabilityFound.Severity = risk; //Risk Could be: //None, Unknown, Informational, Low, Medium, High switch (risk) { case "None": vulnerabilityFound.Severity = "1"; break; case "Unknown": vulnerabilityFound.Severity = "1"; break; case "Informational": vulnerabilityFound.Severity = "2"; break; case "Low": vulnerabilityFound.Severity = "3"; break; case "Medium": vulnerabilityFound.Severity = "4"; break; case "High": vulnerabilityFound.Severity = "5"; break; } if (cve_Value.Trim().ToUpper() != "NOCVE") { string[] list_Cve_Value; list_Cve_Value = cve_Value.Split(new char[] { ',' }); foreach (string cve in list_Cve_Value) { VulnerabilityFound.Item cve_Item; cve_Item = new VulnerabilityFound.Item(); cve_Item.ID = "cve"; cve_Item.Value = cve; vulnerabilityFound.ListItem.Add(cve_Item); } } if (bid_Value.Trim().ToUpper() != "NOBID") { string[] list_bid_Value; list_bid_Value = bid_Value.Split(new char[] { ',' }); foreach (string bid in list_bid_Value) { VulnerabilityFound.Reference bid_Reference; bid_Reference = new VulnerabilityFound.Reference(); bid_Reference.Source = "BID"; bid_Reference.Title = bid; bid_Reference.Url = "http://www.securityfocus.com/bid/" + bid; vulnerabilityFound.ListReference.Add(bid_Reference); } } VulnerabilityPersistor.Persist(vulnerabilityFound, vulnerabilityEndPoint, m_jobId, "OpenVas", m_model); } } }
public void parse() { Assembly a; a = Assembly.GetExecutingAssembly(); Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "Assembly location = " + a.Location); // ============================================ // Parse the XML Document and populate the database // ============================================ // Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "data = " + m_data); XmlDocument doc = new XmlDocument(); doc.LoadXml(m_data); XORCISMEntities model; model = new XORCISMEntities(); string query = "/ScanGroup/Scan"; //Hardcoded XmlNode report; report = doc.SelectSingleNode(query); string ipAddress = string.Empty; ipAddress = HelperGetChildInnerText(report, "StartURL"); //Hardcoded if (ipAddress.Substring(ipAddress.Length - 1, 1) == "/") { ipAddress = ipAddress.Substring(0, ipAddress.Length - 1); } Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("Handling host with IP {0}", ipAddress)); // =============================================== // If necessary, creates an asset in the database // =============================================== //TODO var myass = from ass in model.ASSET where ass.ipaddressIPv4 == ipAddress //&& ass.AccountID == m_AccountID select ass; ASSET asset = myass.FirstOrDefault(); if (asset == null) { Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "Creates a new entry in table ASSET for this IP"); asset = new ASSET(); //asset.AccountID = m_AccountID; asset.AssetName = ipAddress; asset.AssetDescription = ipAddress; asset.ipaddressIPv4 = ipAddress; asset.Enabled = true; //asset.JobID = m_JobId; model.ASSET.Add(asset); model.SaveChanges(); } else { Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "This IP already corresponds to an existing asset"); } Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "Creating ASSETINSESSION reference"); ASSETSESSION assinsess = new ASSETSESSION(); assinsess.AssetID = asset.AssetID; assinsess.SessionID = model.JOB.Single(x => x.JobID == m_JobId).SessionID; model.ASSETSESSION.Add(assinsess); model.SaveChanges(); Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "Update JOB with ASSETINSESSIONID"); JOB daJob = model.JOB.Single(x => x.JobID == m_JobId); daJob.AssetSessionID = assinsess.AssetSessionID; model.SaveChanges(); Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "VULNERABILITIES FOUND"); query = "/ScanGroup/Scan/ReportItems"; report = doc.SelectSingleNode(query); foreach (XmlNode n in report.ChildNodes) { if (n.Name.ToUpper() == "ReportItem".ToUpper() && n.ChildNodes != null && n.ChildNodes.Count > 0) { //TODOs HARDCODED VulnerabilityEndPoint vulnerabilityEndPoint = new VulnerabilityEndPoint(); vulnerabilityEndPoint.IpAdress = ipAddress; vulnerabilityEndPoint.Protocol = "TCP"; // "http"; //https ... A VOIR vulnerabilityEndPoint.Port = 80; //443 ... A VOIR VulnerabilityFound vulnerabilityFound = new VulnerabilityFound(); //vulnerabilityFound.ListItem = Helper_GetCVE(n); vulnerabilityFound.InnerXml = n.OuterXml; //To eliminate VULNERABILITY (Value) duplicates: /* * string pattern = @"ReportItem id=""\d\d?\d?"""; * string s = Regex.Replace(n.OuterXml, pattern, "ReportItem id=\"0\""); * vulnerabilityFound.InnerXml = s; */ string url = HelperGetChildInnerText(n, "Affects"); //Server vulnerabilityFound.Url = url; if (url.ToLower().Contains("https://")) { vulnerabilityEndPoint.Port = 443; } Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("Url: {0}", url)); vulnerabilityFound.Type = HelperGetChildInnerText(n, "Type"); if (HelperGetChildInnerText(n, "IsFalsePositive") == "False") { vulnerabilityFound.IsFalsePositive = false; } else { vulnerabilityFound.IsFalsePositive = true; } vulnerabilityFound.Title = HelperGetChildInnerText(n, "Name"); //ModuleName //Affects vulnerabilityFound.Description = HelperGetChildInnerText(n, "Description"); //Extract the CVEs List <VulnerabilityFound.Item> ListCVEs = new List <VulnerabilityFound.Item>(); //MatchCollection matches = Regex.Matches(HelperGetChildInnerText(n, "Description"), "CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]"); MatchCollection matches = Regex.Matches(HelperGetChildInnerText(n, "Description"), @"CVE-(19|20)\d\d-(0\d{3}|[1-9]\d{3,})"); //myRegexCVE //https://cve.mitre.org/cve/identifiers/tech-guidance.html foreach (Match match in matches) { Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("CVE: {0}", match.Groups[1].Value)); VulnerabilityFound.Item item; item = new VulnerabilityFound.Item(); item.ID = "cve"; item.Value = match.Groups[1].Value; ListCVEs.Add(item); } string mySeverity = HelperGetChildInnerText(n, "Severity"); switch (mySeverity) { //HARDCODED case "high": mySeverity = "High"; break; case "medium": mySeverity = "Medium"; break; case "low": mySeverity = "Low"; break; //case "info" } vulnerabilityFound.Severity = mySeverity; Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("Severity: {0}", mySeverity)); string DetailsAnalysis = HelperGetChildInnerText(n, "Details"); if (DetailsAnalysis.Contains("URL encoded GET")) { vulnerabilityFound.VulnerableParameterType = "GET"; //should be Querystring for Netsparker var regex = new Regex(@"URL encoded GET input <b><font color=""dark"">(.*?)</font></b>"); var match = regex.Match(DetailsAnalysis); if (match.Success) { Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("VulnerableParameter: {0}", match.Groups[1].Value)); vulnerabilityFound.VulnerableParameter = match.Groups[1].Value; regex = new Regex(@"was set to <b><font color=""dark"">(.*?)</font></b>"); match = regex.Match(DetailsAnalysis); if (match.Success) { Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("VulnerableParameterValue: {0}", match.Groups[1].Value)); vulnerabilityFound.VulnerableParameterValue = match.Groups[1].Value; } } } if (DetailsAnalysis.Contains("URL encoded POST")) { vulnerabilityFound.VulnerableParameterType = "POST"; //should be Post for Netsparker var regex = new Regex(@"URL encoded POST input <b><font color=""dark"">(.*?)</font></b>"); var match = regex.Match(DetailsAnalysis); if (match.Success) { Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("VulnerableParameter: {0}", match.Groups[1].Value)); vulnerabilityFound.VulnerableParameter = match.Groups[1].Value; regex = new Regex(@"was set to <b><font color=""dark"">(.*?)</font></b>"); match = regex.Match(DetailsAnalysis); if (match.Success) { Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("VulnerableParameterValue: {0}", match.Groups[1].Value)); vulnerabilityFound.VulnerableParameterValue = match.Groups[1].Value; } } } //vulnerabilityFound.VulnerableParameterType = HelperGetChildInnerText(n, "vulnerableparametertype"); //vulnerabilityFound.VulnerableParameter = HelperGetChildInnerText(n, "vulnerableparameter"); //in <Details>: //URL encoded GET input <b><font color="dark">id</font></b> was set to <b><font color="dark">4-2+2*3-6</font></b> //URL encoded GET input <b><font color="dark">id</font></b> was set to <b><font color="dark">1'</font></b><br/>Error message found: <pre wrap="virtual"><font color="blue">supplied argument is not a valid MySQL result</font></pre> //URL encoded POST input <b><font color="dark">name</font></b> was set to <b><font color="dark">'"()&%1<ScRiPt >prompt(983150)</ScRiPt></font></b> //vulnerabilityFound.VulnerableParameterValue = HelperGetChildInnerText(n, "vulnerableparametervalue"); List <VulnerabilityFound.Reference> ListReferences = new List <VulnerabilityFound.Reference>(); foreach (XmlNode nchild in n.ChildNodes) { if (nchild.Name.ToUpper() == "TechnicalDetails".ToUpper() && nchild.ChildNodes != null && nchild.ChildNodes.Count > 0) { //rawrequest vulnerabilityFound.rawrequest = HelperGetChildInnerText(nchild, "Request"); //rawresponse vulnerabilityFound.rawresponse = HelperGetChildInnerText(nchild, "Response"); } if (nchild.Name.ToUpper() == "References".ToUpper() && nchild.ChildNodes != null && nchild.ChildNodes.Count > 0) { foreach (XmlNode reference in nchild) { /* * REFERENCE myReference = new REFERENCE(); * myReference.Source = HelperGetChildInnerText(reference, "Database"); * myReference.Url = HelperGetChildInnerText(reference, "URL"); * * model.AddToREFERENCE(myReference); */ VulnerabilityFound.Reference refvuln = new VulnerabilityFound.Reference(); refvuln.Title = HelperGetChildInnerText(reference, "Database"); string refurl = HelperGetChildInnerText(reference, "URL").ToLower(); refvuln.Url = refurl; refvuln.Source = HelperGetChildInnerText(reference, "Database"); //Try to harmonise the Source with the other imports (ie: exploits) //HARDCODED //TODO: Use a Common Function if (refurl.Contains("/bugtraq/")) { refvuln.Source = "BUGTRAQ"; } if (refurl.Contains("marc.theaimsgroup.com/?l=bugtraq")) { refvuln.Source = "BUGTRAQ"; } if (refurl.Contains("securityfocus.com/bid")) { refvuln.Source = "BID"; } if (refurl.Contains("osvdb.org/")) { refvuln.Source = "OSVDB"; } if (refurl.Contains("xforce.iss.net/")) { refvuln.Source = "XF"; } if (refurl.Contains("www.iss.net/")) { refvuln.Source = "XF"; } if (refurl.Contains("www.ciac.org/")) { refvuln.Source = "CIAC"; } if (refurl.Contains("ciac.llnl.gov/")) { refvuln.Source = "CIAC"; } if (refurl.Contains("www.cert.org/")) { refvuln.Source = "CERT"; } if (refurl.Contains("sunsolve.sun.org/")) { refvuln.Source = "SUN"; } if (refurl.Contains("sunsolve.sun.com/")) { refvuln.Source = "SUN"; } if (refurl.Contains("patches.sgi.com/")) { refvuln.Source = "SGI"; } if (refurl.Contains("microsoft.com/default.aspx?scid=kb")) { refvuln.Source = "MSKB"; } if (refurl.Contains("ftp.sco.com/")) { refvuln.Source = "SCO"; } if (refurl.Contains("www.trustix.org/")) { refvuln.Source = "TRUSTIX"; } if (refurl.Contains("ftp.freebsd.org/")) { refvuln.Source = "FREEBSD"; } if (refurl.Contains("www.secunia.com/")) { refvuln.Source = "SECUNIA"; } if (refurl.Contains("www.vupen.com/")) { refvuln.Source = "VUPEN"; } if (refurl.Contains("www.securitytracker.com/")) { refvuln.Source = "SECTRACK"; } if (refurl.Contains("www.redhat.com/")) { refvuln.Source = "REDHAT"; } if (refurl.Contains("www.exploit-db.com/")) { refvuln.Source = "EXPLOIT-DB"; } if (refurl.Contains("www.milw0rm.com/")) { refvuln.Source = "MILW0RM"; } if (refurl.Contains("www.microsoft.com/")) { refvuln.Source = "MS"; } if (refurl.Contains("seclists.org/fulldisclosure")) { refvuln.Source = "FULLDISC"; } ListReferences.Add(refvuln); } } } vulnerabilityFound.ListReference = ListReferences; vulnerabilityFound.ListItem = ListCVEs; vulnerabilityFound.Result = HelperGetChildInnerText(n, "Details"); vulnerabilityFound.Consequence = HelperGetChildInnerText(n, "Impact"); vulnerabilityFound.Solution = HelperGetChildInnerText(n, "Recommendation"); //DetailedInformation vulnerabilityFound.DetailedInformation = HelperGetChildInnerText(n, "DetailedInformation"); //TODO bool PatchUpgrade = false; string MSPatch = ""; int etat = VulnerabilityPersistor.Persist(vulnerabilityFound, vulnerabilityEndPoint, m_JobId, "acunetix", model); if (etat == -1) { Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("CANNOT IMPORT THIS ASSET !!!! ")); } } } }