CN113158195B - Distributed vulnerability scanning method and system based on POC script - Google Patents


Info

Publication number: CN113158195B
Related identifiers: CN202110383855.7A (application number), CN113158195A (earlier publication)
Authority: CN (China)
Prior art keywords: script, poc, task, scanning, poc script
Legal status: Active (status as listed by Google Patents, not a legal conclusion)
Application number: CN202110383855.7A
Other languages: Chinese (zh)
Other versions: CN113158195A (en)
Inventor: 贾玉彬
Current assignee: Shanghai Carbon Information Technology Co ltd (as listed by Google Patents)
Original assignee: Shanghai Carbon Information Technology Co ltd

Events:
Application filed by Shanghai Carbon Information Technology Co ltd
Priority to CN202110383855.7A
Publication of CN113158195A
Application granted
Publication of CN113158195B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The embodiment of the application discloses a distributed vulnerability scanning method based on a POC (proof of concept) script, which comprises the following steps: packaging the POC script with a script description document in extensible markup language, in which the verification mode of the POC script's return value is determined; calling the port-scan target information to perform asset identification and open-port detection, acquiring the live assets and open ports, splitting them into asset/port pairs and distributing the pairs to the POC script scanner for multi-thread concurrent scanning; and, based on the asset/port pair and the script information, determining whether the POC script is applicable to the target asset/port pair and obtaining the result of POC script execution. The method further comprises presetting a console, obtaining a task issued by a user through the console, configuring a node address for the task, determining whether the task is a local scanning task or a remote task, deploying in a distributed mode, and initiating scanning across different networks.

Description

Distributed vulnerability scanning method and system based on POC script
Technical Field
The invention belongs to the technical field of computers, and particularly relates to a distributed vulnerability scanning method and system based on a POC (proof of concept) script.
Background
Nowadays, with the development of information technology, the internet already covers every aspect of people's life and production, and network security problems have become prominent alongside that development. Although many enterprises and public institutions deploy network security products and perform periodic asset vulnerability scanning and repair, network security involves a wide technical range, a large number of network assets, the endless discovery of zero-day vulnerabilities, the low accuracy of conventional vulnerability scanning and the difficulty of detecting some of the latest vulnerabilities, so that in recent years serious network security incidents such as ransomware have been exposed.
Using POC scripts to scan for high-risk and newly disclosed vulnerabilities, as a supplement to conventional vulnerability scanning, has therefore become a common approach for many network security products and teams. Remote procedure call (RPC) requests a service from a program on a remote computer over a network without knowledge of the underlying network protocols, and can provide the communication function of a distributed service. However, the existing tools in the industry that perform vulnerability scanning with POC scripts still have the following problems:
(1) The framework is written in Python (or another single programming language) and requires the POC scripts to be written in that same language, which is a high barrier for technicians unfamiliar with it; (2) the POC script must implement the method specified by the framework, and its parameters and return value are in a fixed format that cannot be called flexibly; (3) the POC script does not restrict the operating systems or ports it applies to, so during batch scanning the script is executed against every target, which is inefficient; (4) distributed scanning is not supported, so the tools cannot adapt to a complex network environment.
Disclosure of Invention
The application aims to provide a distributed vulnerability scanning method and system based on a POC script, which can flexibly call POC scripts written in multiple programming languages, do not strictly constrain the parameters and return value of the script, limit the scope in which the script is used, and realize distributed scanning through multi-node deployment, thereby solving the problems described in the background art.
In a first aspect, an embodiment of the present application provides a POC script-based distributed vulnerability scanning method, which includes the following steps:
S100, packaging the POC script with a script description document in extensible markup language, in which the verification mode of the POC script's return value is determined; and
S200, calling the port-scan target information to perform asset identification and open-port detection, acquiring the live assets and open ports, splitting them into asset/port pairs and distributing the pairs to a POC script scanner for multi-thread concurrent scanning; and
S300, based on the asset/port pair and the script information, determining whether the POC script is applicable to the target asset/port pair and obtaining the result of POC script execution.
In some embodiments, step S300 specifically includes
S301, based on the asset/port pair and the description document of the POC script, the POC script scanner judges in advance whether the POC script is suitable for the target asset/port pair; if it is, step S302 is executed, and if it is not, step S303 is executed;
S302, given that the POC script is suitable for the target asset/port pair, generating a POC script call command, executing it and obtaining the POC script execution result, determining from the verification mode of the POC script return value whether a vulnerability exists on the asset/port, and storing the result;
S303, given that the POC script is not suitable for the target asset/port pair, setting the scanning result to a 'not applicable' state, storing it, and not executing the subsequent POC script scanning work.
Limiting the scope of the script in this way avoids meaningless script execution during scanning and therefore improves scanning efficiency.
In some embodiments, in step S302 the POC script return value is verified using a regular expression: the POC script execution result is matched against the regular expression, and a vulnerability is determined to exist on the asset/port pair when the regular expression matches. Whether a vulnerability exists on the scan target is detected in this way, which further improves scanning efficiency.
In some embodiments, the method further comprises the steps of:
S401, presetting a console, wherein the console acquires a task issued by a user, the task is configured with a node address, and it is determined whether the task is a local scanning task or a remote task; if it is a local scanning task, step S402 is executed, and if it is a remote task, step S403 is executed;
S402, given that the task is a local scanning task, calling the local POC script scanner to execute the POC script scanning work;
and S403, given that the task is a remote task, the console initiates a remote procedure call request to the node address configured for the task and sends the task information to the remote node; after the remote node receives the task request, it calls the port scanner to analyse the scan-target information, then calls the POC script scanner it carries and executes the POC script scanning work. Distributed scanning is thus supported by multi-node deployment, to accommodate complex network environments.
In some embodiments, after the console initiates the remote procedure call request, it polls the remote node at intervals for the results of the requested remote task and saves them locally. The polling runs in a newly started thread, so scanning can be initiated across different networks and the method suits different network environments.
In some embodiments, the description document used in the step of packaging POC scripts with a script description document in extensible markup language includes the following key elements:
a script element (script), comprising a unique attribute identifier (id) identifying the current document, the programming language (language) used by the POC script, and the path (path) of the POC script relative to the current document;
a vulnerability element (vuln), whose node content is the unique identifier of the vulnerability and associates it with the vulnerability in the database;
a validity element (validity), which determines the verification mode of the POC script return value;
a scope element (scope), which determines the range of targets to which the POC script may be applied;
and a variable-length parameter element (params), which determines the parameters required by the POC script and the value source and order of those parameters.
Through these key elements, the language, associated vulnerability, result verification mode, parameter order, return type and scope of use of the POC script can be flexibly defined, so the POC script need not be executed on every scan target during batch scanning, and scanning efficiency is improved.
In some embodiments, the variable-length parameter element comprises:
a parameter (arg), whose node carries a command attribute giving the position of the parameter in the command;
a value source (source), whose attribute value is either address, meaning the parameter takes its value from the address of the scan target, or port, meaning the parameter takes its value from the port of the scan target;
and a template (template), whose node formats the parameters defined by the arg nodes using placeholders, generating the correct call-parameter string.
Through this operation the correct call-parameter string is obtained, which facilitates the next step of calling the port-scan target information to perform asset identification and open-port detection.
In a second aspect, the present application provides a POC script-based distributed vulnerability scanning system, which includes:
a packaging module configured to package the POC script with a descriptive document of an extensible markup language, wherein a verification of a POC script return value is determined; and
the identification detection module is configured to call port scanning target information to perform asset identification and open port detection, acquire the live assets and open ports, split the live assets and open ports, acquire asset/port pairs and allocate the asset/port pairs to the POC script scanner for multi-thread concurrent scanning; and
a determination module configured to determine, based on the asset/port pair and the script information, whether the POC script applies to the target asset/port pair, and to obtain the result of POC script execution.
In some embodiments, the system further comprises:
the distributed scanning module is configured to preset a console, the console acquires a task issued by a user, the task is configured with a node address, and the distributed scanning module responds to the fact that the task is a local scanning task or a remote task; and
a local scanning module configured to invoke a local POC script scanner to perform POC script scanning work based on the task being a local scanning task; and
the remote scanning module is configured, given that the task is a remote task, to initiate a remote procedure call request to the node address configured for the task and send the task information to the remote node; after the remote node receives the task request, it calls the port scanner to analyse the scan-target information and calls the POC script scanner it carries to execute the POC script scanning work.
The combined action of the distributed scanning module, the local scanning module and the remote scanning module can realize distributed calling to adapt to complex network environment.
In a third aspect, the present application provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the method of any of the first aspects described above.
The distributed vulnerability scanning method and system based on the POC script have the following advantages. 1. The POC script is packaged with a POC script description document in extensible markup language (XML format), which flexibly defines the language, associated vulnerability, result verification mode, parameter order and return type of the POC script, reducing the difficulty of writing POC scripts and the threshold for using them. 2. The scope of use of the script is limited in the description document, so meaningless script execution during scanning is avoided and scanning efficiency is improved. 3. The system can be deployed on a single machine to scan the local network, or deployed in a distributed mode with a console and remote nodes so that scans of remote networks are initiated from the console; it therefore suits different network environments.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the detailed description of non-limiting embodiments made with reference to the following drawings:
fig. 1 is an exemplary basic flowchart in a POC script-based distributed vulnerability scanning method according to an embodiment of the present invention;
fig. 2 is a schematic diagram illustrating a POC script execution flow in a POC script-based distributed vulnerability scanning method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram illustrating a description document structure in a POC script-based distributed vulnerability scanning method according to an embodiment of the present invention;
fig. 4 is a flowchart of distributed scanning in a POC script-based distributed vulnerability scanning method according to an embodiment of the present invention;
fig. 5 is a schematic diagram of a distributed scanning structure in a POC script-based distributed vulnerability scanning method according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of a POC script-based distributed vulnerability scanning system according to an embodiment of the present invention;
fig. 7 is a schematic diagram of a distributed scanning structure in a POC script-based distributed vulnerability scanning system according to an embodiment of the present invention.
Detailed Description
The present application will be described in further detail with reference to the following drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not to be construed as limiting the invention. It should be noted that, for convenience of description, only the portions related to the present invention are shown in the drawings.
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
Fig. 1 shows an exemplary basic flowchart in a POC script-based distributed vulnerability scanning method according to an embodiment of the present invention. As shown in fig. 1, the basic process includes:
S100, packaging the POC script with a description document in extensible markup language (XML format), which also determines the verification method for the POC script's return value. XML data is stored as plain text, so it is easy to read, convenient to record and debug, and simple to share between different systems and programs. In a particular embodiment the description document includes several key elements, described with reference to FIG. 3.
S200, calling the port-scan target information to perform asset identification and open-port detection, acquiring the live assets and open ports, splitting them into asset/port pairs and distributing the pairs to a POC script scanner for multi-thread concurrent scanning. In a particular embodiment, an asset at 192.168.0.1 with ports 80 and 8080 open is split into the two asset/port pairs 192.168.0.1/80 and 192.168.0.1/8080.
S300, based on the asset/port pair and the script information, determining whether the POC script is applicable to the target asset/port pair and obtaining the result of POC script execution. This simplifies the development flow of vulnerability scanning plug-ins, shortens development time and improves development efficiency, so that large numbers of vulnerability scanning plug-ins can be developed in a short time and efficient, rapid vulnerability scanning is realized.
Fig. 2 is a schematic diagram illustrating a POC script execution flow in a POC script-based distributed vulnerability scanning method according to an embodiment of the present invention. As shown in fig. 2, the specific implementation manner of step S300 includes:
S301, based on the asset/port pair and the description document of the POC script, the POC script scanner judges in advance whether the POC script is suitable for the target asset/port pair; if it is, step S302 is executed, and if it is not, step S303 is executed;
S302, given that the POC script is suitable for the target asset/port pair, generating a POC script call command, executing it and acquiring the POC script execution result, determining from the verification mode of the POC script return value whether a vulnerability exists on the asset/port, analysing the scanning result, and storing data based on the analysis;
S303, given that the POC script is not suitable for the target asset/port pair, directly setting the scanning result to the 'unsuitable' state and storing it, and not executing the subsequent POC script scanning work, which saves time.
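The following Python sketch is an added example, not code from the patent or its applicant. It shows step S200 together with steps S301 to S303: the port-scan result is split into asset/port pairs, each pair is handed to a thread pool, and a pair outside the script's scope is recorded as 'unsuitable' without any command being built or executed. The LIVE_ASSETS table, the shape of the SCOPE dictionary and the fake_runner stand-in for a real POC script are constructed for this example.

```python
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass

# Constructed output of the port-scan step (S200): live asset -> OS and open ports.
# The 192.168.0.1 / 80 / 8080 values mirror the patent's own example.
LIVE_ASSETS = {
    "192.168.0.1": {"os": "windows", "ports": [80, 8080]},
    "192.168.0.2": {"os": "linux", "ports": [22, 80]},
}

# Assumed shape of a script's scope (the patent names the element but not its
# exact structure): the OS names and ports the script may be applied to.
SCOPE = {"os": {"windows"}, "ports": {80, 8080}}


@dataclass(frozen=True)
class AssetPort:
    address: str
    port: int
    os: str


def split_pairs(live_assets):
    """S200: an asset with N open ports becomes N asset/port pairs."""
    return [AssetPort(addr, port, info["os"])
            for addr, info in live_assets.items()
            for port in info["ports"]]


def applicable(pair, scope):
    """S301: consult the descriptor scope before anything is executed."""
    return pair.os in scope["os"] and pair.port in scope["ports"]


def scan_pair(pair, scope, run_and_verify):
    """S302/S303: run the script and classify, or record 'unsuitable' and skip."""
    key = f"{pair.address}/{pair.port}"
    if not applicable(pair, scope):
        return key, "unsuitable"                      # S303: no execution at all
    matched = run_and_verify(pair)                    # S302: execute + verify output
    return key, "vulnerable" if matched else "not vulnerable"


def scan_all(live_assets, scope, run_and_verify, workers=4):
    """Distribute the pairs to a thread pool for concurrent scanning."""
    pairs = split_pairs(live_assets)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda p: scan_pair(p, scope, run_and_verify), pairs))


def fake_runner(pair):
    """Constructed stand-in for 'execute the POC script and verify its return
    value'; it performs no network activity and reports a fixed outcome."""
    return pair.port == 80


if __name__ == "__main__":
    for key, state in scan_all(LIVE_ASSETS, SCOPE, fake_runner).items():
        print(key, state)
```

With the constructed input, the two pairs on the linux asset are marked unsuitable without the runner ever being called, which is exactly the saving the scope element is meant to provide.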
In a specific embodiment, in step S302 the POC script return value is verified using the regular expression: the POC script execution result is matched against the regular expression, and a vulnerability is determined to exist on the asset/port pair when the execution result matches. Whether a vulnerability exists on the scanned target is detected in this way, which further improves scanning efficiency.
Fig. 3 is a schematic diagram illustrating a description document structure in a POC script-based distributed vulnerability scanning method according to an embodiment of the present invention. As shown in fig. 3, the description document used in the step of encapsulating POC scripts with a script description document in extensible markup language includes the following key elements:
a script element (script), comprising a unique attribute identifier (id) identifying the current document, the programming language (language) used by the POC script, and the path (path) of the POC script relative to the current document;
a vulnerability element (vuln), whose node content is the unique identifier of the vulnerability and associates it with the vulnerability in the database;
a validity element (validity), which determines the verification mode of the POC script return value; as shown in fig. 3, in a specific embodiment type = "regex" indicates that the script return value is verified with a regular expression, so a script execution result that matches the regular expression indicates that the vulnerability associated with the script exists on the scan target;
a scope element (scope), which determines the range of targets to which the POC script may be applied; as shown in fig. 3, in a particular embodiment the script may only be used on windows assets with port 80 or 8080 open;
and a variable-length parameter element (params), which determines the parameters required by the POC script and the value source and order of those parameters.
The variable-length parameter element comprises a parameter (arg), a value source (source) and a template (template). The arg node carries a command attribute giving the position of the parameter in the command; the source attribute value is either address, meaning the parameter takes its value from the address of the scan target, or port, meaning it takes its value from the port of the scan target; and the template node formats the parameters defined by the arg nodes using placeholders, generating the correct call-parameter string.
Through these key elements, the language, associated vulnerability, result verification mode, parameter order and return type of the POC script and the scope of use of the script can be flexibly defined, so the POC script need not be executed on every scan target during batch scanning, and scanning efficiency is improved. The correct call-parameter string obtained through this operation also facilitates the next step of calling the port-scan target information to perform asset identification and open-port detection.
With continued reference to fig. 3, in a specific embodiment, assuming the scan target address is 192.168.0.1, the operating system is windows and port 80 is open, the generated system command is "python3 check_ssl_front_block.py -host 192.168.0.1 -port 80"; assuming the script's return value is "vulneable", it matches the regular expression "vulneable" in the description document, which indicates that the vulnerability with id "ssl_heart_block" exists on the scan target. POC scripts can thus be called without restriction on programming language, simply by deploying the machine with the corresponding execution environment installed, and their parameters and return values can be flexibly configured.
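The following Python module is an added example, not code from the patent or its applicant, covering the description-document elements listed above and the worked command in this paragraph: it parses a constructed XML descriptor with the standard library, applies the scope check, fills the params template to produce the call command, and verifies a return value against the validity regex. The element names follow the key elements the patent names (script, vuln, validity, scope, params with arg, source and template), but the attribute layout, the os/port children of scope and the {address}/{port} placeholder syntax are assumptions of this example rather than the patent's schema; the id, path, vulnerability id and regex reuse the values from the page.

```python
import re
import shlex
import xml.etree.ElementTree as ET

# Constructed description document. Structure below <poc> is an assumption of
# this example; only the element names and the sample values come from the page.
DESCRIPTOR = """<?xml version="1.0"?>
<poc>
  <script id="check_ssl_front_block" language="python3" path="check_ssl_front_block.py"/>
  <vuln>ssl_heart_block</vuln>
  <validity type="regex">vulneable</validity>
  <scope>
    <os>windows</os>
    <port>80</port>
    <port>8080</port>
  </scope>
  <params>
    <arg command="1" source="address"/>
    <arg command="2" source="port"/>
    <template>-host {address} -port {port}</template>
  </params>
</poc>
"""

# Constructed scan target, mirroring the patent's worked example.
TARGET = {"address": "192.168.0.1", "port": 80, "os": "windows"}


def parse_descriptor(xml_text):
    """Read the key elements of the description document into a dict."""
    root = ET.fromstring(xml_text)
    script = root.find("script")
    validity = root.find("validity")
    return {
        "id": script.get("id"),
        "language": script.get("language"),
        "path": script.get("path"),
        "vuln": root.findtext("vuln"),
        "validity_type": validity.get("type"),
        "validity": validity.text,
        "scope_os": {e.text for e in root.findall("scope/os")},
        "scope_ports": {int(e.text) for e in root.findall("scope/port")},
        # (command position, value source) pairs, ordered by position
        "args": sorted((int(a.get("command")), a.get("source"))
                       for a in root.findall("params/arg")),
        "template": root.findtext("params/template"),
    }


def in_scope(desc, target):
    """S301: the script applies only to the OS/port combinations in <scope>."""
    return target["os"] in desc["scope_os"] and target["port"] in desc["scope_ports"]


def build_command(desc, target):
    """S302: fill the template placeholders from the target, in arg order.
    The values are shell-quoted because data learned from the port scan is
    being interpolated into a command line."""
    values = {src: shlex.quote(str(target[src])) for _, src in desc["args"]}
    return f'{desc["language"]} {desc["path"]} {desc["template"].format(**values)}'


def verify(desc, script_output):
    """Apply the validity check: the associated vuln id on a regex match, else None.
    Only type="regex" is handled here."""
    if desc["validity_type"] != "regex":
        raise ValueError(f'unsupported validity type: {desc["validity_type"]}')
    return desc["vuln"] if re.search(desc["validity"], script_output) else None


if __name__ == "__main__":
    desc = parse_descriptor(DESCRIPTOR)
    if in_scope(desc, TARGET):
        print(build_command(desc, TARGET))
        print(verify(desc, "vulneable"))   # the page's sample return value
```

Nothing here executes the generated command; that is the scanner's S302 step, and keeping command construction and result verification as pure functions is what makes the descriptor testable independently of any script.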
Fig. 4 shows a distributed scanning flowchart in a POC script-based distributed vulnerability scanning method according to an embodiment of the present invention, and fig. 5 shows a distributed scanning structure diagram in a POC script-based distributed vulnerability scanning method according to an embodiment of the present invention. With combined reference to fig. 4 and 5, in a particular embodiment, the method further comprises the steps of:
S401, presetting a console, wherein the console acquires a task issued by a user, the task is configured with a node address, and it is determined whether the task is a local scanning task or a remote task; if it is a local scanning task, step S402 is executed, and if it is a remote task, step S403 is executed. The task information also includes task parameters such as the scanning speed and scanning position.
S402, based on the task being a local scanning task, calling a local POC script scanner to execute POC script scanning work;
and S403, given that the task is a remote task, the console initiates a Remote Procedure Call (RPC) request to the node address configured for the task and sends the task information to the remote node; after the remote node receives the task request, it calls the port scanner to analyse the scan-target information and calls the POC script scanner it carries to execute the POC script scanning work. Distributed scanning is thus supported by multi-node deployment, to accommodate complex network environments.
In a specific embodiment, after the console initiates the remote procedure call request, it polls the remote node at intervals for the results of the requested remote task and stores them locally until the remote scanning task is finished. The polling runs in a newly started thread, so scanning can be initiated across different networks and the method suits different network environments.
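The following Python sketch is an added example, not code from the patent or its applicant, of the console logic in steps S401 to S403 and the polling described just above: a task is routed by its configured node address either to a local scanner or to a remote node, and for a remote task the console starts a new thread that fetches results at intervals and stores them locally until the node reports the task finished. The patent names RPC but no particular library, so the remote node is an in-process stand-in whose submit() and fetch() methods play the role of the RPC endpoints; the node address, task ids and scan outcomes are constructed placeholders.

```python
import threading
import time


def local_scanner(task):
    """Stand-in for the local POC script scanner (S402); constructed result."""
    return {target: "scanned locally" for target in task["targets"]}


class FakeRemoteNode:
    """In-process stand-in for a remote node. In a real deployment submit() and
    fetch() would be exposed over RPC; keeping them in memory lets the example
    run offline."""

    def __init__(self):
        self._results = {}
        self._done = False

    def submit(self, task):
        """The remote node accepts the task and scans its targets in the background."""
        def work():
            for target in task["targets"]:
                time.sleep(0.01)            # stands in for port scan + POC scripts
                self._results[target] = "scanned remotely"
            self._done = True
        threading.Thread(target=work, daemon=True).start()
        return "accepted"

    def fetch(self):
        """Return (partial results, finished). 'finished' is read before the
        results are copied, so a True value guarantees the copy is complete."""
        done = self._done
        return dict(self._results), done


class Console:
    def __init__(self, nodes, poll_interval=0.02):
        self.nodes = nodes              # node address -> node client (fake here)
        self.poll_interval = poll_interval
        self.results = {}               # console-side store of task results

    def dispatch(self, task):
        """S401: route on the node address configured for the task. Returns the
        polling thread for a remote task and None for a local one."""
        if task["node"] == "local":
            self.results[task["id"]] = local_scanner(task)       # S402
            return None
        node = self.nodes[task["node"]]                            # S403
        node.submit(task)
        poller = threading.Thread(target=self._poll, args=(task["id"], node))
        poller.start()
        return poller

    def _poll(self, task_id, node):
        """New thread: fetch results at intervals until the remote task ends."""
        while True:
            partial, done = node.fetch()
            self.results[task_id] = partial
            if done:
                return
            time.sleep(self.poll_interval)


def run_demo():
    """Dispatch one local and one remote task; 'node-a:9000' is a placeholder."""
    console = Console({"node-a:9000": FakeRemoteNode()})
    console.dispatch({"id": "t1", "node": "local", "targets": ["192.168.0.1"]})
    poller = console.dispatch({"id": "t2", "node": "node-a:9000",
                               "targets": ["10.0.1.1", "10.0.1.2"]})
    poller.join()
    return console.results


if __name__ == "__main__":
    print(run_demo())
```

Because the console only ever reads the remote node's state through fetch(), the same loop works unchanged when the node is reached over a real RPC client; the order of reads in fetch() is what prevents the console from recording a partial result set as final.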
Fig. 6 shows a schematic structural diagram of a POC script-based distributed vulnerability scanning system according to an embodiment of the present invention. As an implementation of the method shown in the above figures, this system embodiment corresponds to the method embodiment shown in fig. 1, and the system may be applied to various electronic devices. As shown in fig. 6, the apparatus 500 for POC-script-based vulnerability scanning of the present embodiment includes a packaging module 510, an identification detection module 520 and a determination module 530. The packaging module 510 is configured to package the POC script with a description document in extensible markup language (XML format), in which the verification mode of the POC script return value is determined; the identification detection module 520 is configured to call the port-scan target information to perform asset identification and open-port detection, acquire the live assets and open ports, split them into asset/port pairs and allocate the pairs to a POC script scanner for multi-thread concurrent scanning; the determination module 530 is configured to determine, based on the asset/port pair and the script information, whether the POC script applies to the target asset/port pair, and to obtain the result of POC script execution.
Fig. 7 is a schematic diagram illustrating a distributed scanning structure in a POC script-based distributed vulnerability scanning system according to an embodiment of the present invention. As an implementation of the method shown in the above figures, this system embodiment corresponds to the method embodiment shown in fig. 2, and the system may be applied to various electronic devices. As shown in fig. 7, the apparatus 600 for POC-script-based distributed vulnerability scanning of the present embodiment includes a distributed scanning module 610, a local scanning module 620 and a remote scanning module 630. The distributed scanning module 610 is configured to preset a console; the console acquires a task issued by a user, the task is configured with a node address, and the module determines whether the task is a local scanning task or a remote task. The local scanning module 620 is configured to invoke the local POC script scanner to perform the POC script scanning work when the task is a local scanning task. The remote scanning module 630 is configured, when the task is a remote task, to initiate a remote procedure call request to the node address configured for the task and send the task information to the remote node; after the remote node receives the task request, it calls the port scanner to analyse the scan-target information and calls the POC script scanner it carries to execute the POC script scanning work. The combined action of the distributed scanning module 610, the local scanning module 620 and the remote scanning module 630 enables distributed invocation to accommodate complex network environments.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. The computer readable storage medium described herein may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this application, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In this application, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable storage medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. 
Program code embodied on a computer readable storage medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present application may be implemented by software or hardware. The described modules may also be provided in a processor, which may be described as: a processor includes an acquisition module, an analysis module, and an output module. Wherein the names of the modules do not in some cases constitute a limitation of the module itself.
The foregoing description is only exemplary of the preferred embodiments of the application and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the invention herein disclosed is not limited to the particular combination of features described above, but also encompasses other arrangements in which any combination of the features described above or their equivalents does not depart from the spirit of the invention disclosed above. For example, the above features may be replaced with (but not limited to) features having similar functions disclosed in the present application.

Claims (8)

1. A distributed vulnerability scanning method based on a POC script is characterized by comprising the following steps:
s100, packaging the POC script by adopting a script description document of an extensible markup language, wherein a verification mode of a returned value of the POC script is determined;
the script description document in extensible markup language used in the step of encapsulating the POC script includes the following key elements:
a script (script) comprising a unique attribute identification (id) identifying a current document, determining a programming language (language) used by the POC script, and determining a path (path) of the POC script relative to the current document; and
a vulnerability (vulnerability), wherein the node content is the unique attribute identifier of the vulnerability and is associated with the vulnerability in the database; and
valid verification (validation) that determines a verification manner of the POC script return value; and
a scope (scope) that determines a scope to which the POC script may be applicable; and
variable-length parameters (params) that determine the parameters required by the POC script, their value sources and their order; and
s200, invoking port scanning on the target information to perform asset identification and open port detection, acquiring the live assets and open ports, splitting the live assets and open ports into asset/port pairs, and distributing the asset/port pairs to a POC script scanner for multi-threaded concurrent scanning; and
s300, based on the asset/port pair and the script information, determining whether the POC script is applicable to the target asset/port pair and acquiring the execution result of the POC script;
step S300 specifically includes:
s301, based on the description document information of the asset/port pair and the POC script, the POC script scanner determines in advance whether the POC script is applicable to the target asset/port pair, if the POC script is applicable to the target asset/port pair, the step S302 is executed, and if the POC script is not applicable to the target asset/port pair, the step S303 is executed;
s302, based on the POC script being applicable to the target asset/port pair, generating a POC script calling command, executing the POC script calling command and obtaining the execution result of the POC script, determining according to the verification mode of the POC script return value whether the vulnerability exists on the asset/port pair, and storing the result;
s303, based on the POC script not being applicable to the target asset/port pair, setting the scanning result to the not-applicable state, storing the result, and not executing the subsequent POC script scanning work.
2. The POC script-based distributed vulnerability scanning method according to claim 1, wherein in step S302, a POC script return value is verified using a regular expression, and in response to determining whether the POC script execution result matches the regular expression, it is determined that a vulnerability exists on the asset/port pair based on determining that the regular expression matches.
3. The POC script-based distributed vulnerability scanning method according to claim 1, further comprising the steps of:
s401, a control console is preset, the control console acquires a task issued by a user, the task is configured with a node address, and in response to the fact that the task is determined to be a local scanning task or a remote task, if the task is a local scanning task, a step S402 is executed, and if the task is a remote task, a step S403 is executed;
s402, based on the task is a local scanning task, calling a local POC script scanner to execute the POC script scanning work;
and S403, based on the task being a remote task, the console initiates a remote procedure call request according to the node address configured by the task, sends the information of the task to a remote node, and after receiving the task request, the remote node calls a port to analyze and scan the target information, calls a POC script scanner carried by the remote node, and executes the POC script scanning work.
4. The POC script-based distributed vulnerability scanning method according to claim 3, wherein after the console initiates the remote procedure call request, it requests the scanning result from the scanning node of the remote task at intervals and saves the result locally.
5. The POC script-based distributed vulnerability scanning method according to claim 1, wherein the variable-length parameters comprise:
a parameter (arg), whose node carries an order attribute representing the order of the parameters; and
a value source (source), wherein a value source attribute value of address represents that the parameter takes its value from the address of the scanning target, and a value source attribute value of port represents that the parameter takes its value from the port of the scanning target; and
a template (template), whose node formats the parameters defined in the parameter nodes by means of placeholders to generate a correct calling parameter string.
6. A distributed vulnerability scanning system based on POC scripts, the system comprising:
an encapsulation module configured to encapsulate a POC script with a script description document in extensible markup language, wherein a verification mode of the POC script return value is determined;
the script description document in extensible markup language used for encapsulating the POC script includes the following key elements:
a script (script) comprising a unique attribute identification (id) identifying a current document, determining a programming language (language) used by the POC script, and determining a path (path) of the POC script relative to the current document; and
a vulnerability (vulnerability), wherein the node content is the unique attribute identifier of the vulnerability and is associated with the vulnerability in a database; and
a valid verification (validation) that determines a verification manner of the POC script return value; and
a scope (scope) that determines a scope to which the POC script may be applicable; and
variable-length parameters (params) that determine the parameters required by the POC script, their value sources and their order; and
an identification detection module configured to invoke port scan target information for asset identification and open port detection, obtain live assets and open ports, split the live assets and open ports, obtain asset/port pairs and allocate them to a POC script scanner for multi-threaded concurrent scanning; and
a determination module configured to determine, based on the asset/port pair and the script information, whether the POC script is applicable to the target asset/port pair and to obtain the execution result of the POC script;
the determination specifically comprises the following steps:
s301, based on the description document information of the asset/port pair and the POC script, the POC script scanner determines in advance whether the POC script is applicable to the target asset/port pair, if the POC script is applicable to the target asset/port pair, the step S302 is executed, and if the POC script is not applicable to the target asset/port pair, the step S303 is executed;
s302, based on the POC script being applicable to the target asset/port pair, generating a POC script calling command, executing the POC script calling command and obtaining the execution result of the POC script, determining according to the verification mode of the POC script return value whether the vulnerability exists on the asset/port pair, and storing the result;
s303, based on the POC script not being applicable to the target asset/port pair, setting the scanning result to the not-applicable state, storing the result, and not executing the subsequent POC script scanning work.
7. The POC script-based distributed vulnerability scanning system of claim 6, wherein the system further comprises:
a distributed scanning module configured to preset a console, the console acquiring a task issued by a user, the task configured with a node address, in response to determining that the task is a local scanning task or a remote task; and
a local scanning module configured to invoke a local POC script scanner to perform the POC script scanning work based on the task being a local scanning task; and
a remote scanning module configured to, based on the task being a remote task, initiate a remote procedure call request according to the node address configured for the task and send the task information to a remote node, wherein after receiving the task request the remote node invokes port scanning to analyze the target information and calls the POC script scanner carried by the remote node to execute the POC script scanning work.
8. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1-5.
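The scanner-side logic of claims 1, 2 and 5, as an added Python example that is not code from the patent: it parses the XML description document, applies the scope check of S301, builds the calling command from the params template (S302), verifies the return value with the regular expression of claim 2, and records the not-applicable state of S303. Element names come from the claims; the attribute names, the "{n}" placeholder syntax, the interpreter map and the sample document are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample description document. Element names follow the claims
# (script/id/language/path, vulnerability, validation, scope, params/arg/source,
# template); attribute names and the "{n}" placeholder syntax are assumptions.
SAMPLE_DOC = """<script id="poc-0001" language="python" path="pocs/poc_0001.py">
  <vulnerability>VULN-DB-ID-EXAMPLE</vulnerability>
  <validation type="regex">^RESULT: vulnerable</validation>
  <scope port="8080,8443"/>
  <params>
    <arg order="2" source="port"/>
    <arg order="1" source="address"/>
    <template>--host {1} --port {2}</template>
  </params>
</script>"""

INTERPRETERS = {"python": "python3", "shell": "sh"}  # assumed language -> launcher map


def parse_description(xml_text):
    """Parse the XML description document into a plain dict; args are sorted by order."""
    root = ET.fromstring(xml_text)
    args = sorted((int(a.get("order")), a.get("source"))
                  for a in root.find("params").findall("arg"))
    return {
        "id": root.get("id"),
        "language": root.get("language"),
        "path": root.get("path"),
        "vulnerability": root.findtext("vulnerability").strip(),
        "validation": re.compile(root.findtext("validation").strip()),
        "scope_ports": {int(p) for p in root.find("scope").get("port").split(",")},
        "args": [source for _, source in args],
        "template": root.findtext("params/template").strip(),
    }


def is_applicable(desc, asset, port):
    """Step S301: decide from the scope element whether the POC runs for this pair."""
    return port in desc["scope_ports"]


def build_command(desc, asset, port):
    """Step S302: fill the template placeholders, in arg order, from the asset/port pair.
    The command is kept as an argument list, never a shell string, so a
    target-derived value cannot inject shell syntax into the scanner."""
    values = {"address": asset, "port": str(port)}
    params = desc["template"]
    for index, source in enumerate(desc["args"], start=1):
        params = params.replace("{%d}" % index, values[source])
    return [INTERPRETERS[desc["language"]], desc["path"]] + params.split()


def scan_pair(desc, asset, port, run):
    """Produce the stored result for one asset/port pair (S301-S303).
    `run` executes a command list and returns its output; it is injected so
    the example runs offline against the constructed runner below."""
    if not is_applicable(desc, asset, port):
        return {"asset": asset, "port": port, "state": "not_applicable"}
    output = run(build_command(desc, asset, port))
    vulnerable = desc["validation"].search(output) is not None  # claim 2: regex check
    return {"asset": asset, "port": port,
            "state": "vulnerable" if vulnerable else "not_vulnerable",
            "vulnerability": desc["vulnerability"] if vulnerable else None}


def fake_runner(cmd):
    """Constructed stand-in for executing the POC: only port 8080 'reports' the issue."""
    return "RESULT: vulnerable" if "8080" in cmd else "RESULT: not vulnerable"


if __name__ == "__main__":
    desc = parse_description(SAMPLE_DOC)
    for pair in [("192.0.2.10", 8080), ("192.0.2.10", 8443), ("192.0.2.10", 22)]:
        print(scan_pair(desc, *pair, run=fake_runner))
```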
CN202110383855.7A 2021-04-09 2021-04-09 Distributed vulnerability scanning method and system based on POC script Active CN113158195B (en)


Publications (2)

Publication Number Publication Date
CN113158195A CN113158195A (en) 2021-07-23
CN113158195B true CN113158195B (en) 2022-10-11

Family

ID=76889653


Country Status (1)

Country Link
CN (1) CN113158195B (en)



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant