Tool | Windows Host Vulnerability Scanner v2
0x01 Preface
A previous version of this tool was published earlier. Since Microsoft has changed the site used to query security updates, the tool needed a corresponding update.
Microsoft official security notification site:
https://github.com/chroblert/WindowsVulnScan
0x02 Changes:
The get_page_num() function
```python
import datetime
import json
import math

import requests

DATA_PER_PAGE = 500  # records per API page; module-level constant of the tool


def get_page_num(dstDateStrArg=None):
    """Return how many pages of affectedProduct records exist up to dstDateStrArg (default: today)."""
    headers = {
        'origin': "https://msrc.microsoft.com",
        'referer': "https://msrc.microsoft.com/update-guide",
        'accept-language': "zh-CN",
        'user-agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299",
        'accept': "application/json, text/plain, */*",
        'accept-encoding': "gzip, deflate",
        'host': "api.msrc.microsoft.com",
        'connection': "close",
        'cache-control': "no-cache",
    }
    url = "https://api.msrc.microsoft.com/sug/v2.0/en-US/affectedProduct"
    # Upper bound of the release-date window; defaults to today's date
    dstDateStr = str(datetime.date.today()) if dstDateStrArg is None else dstDateStrArg
    params = {
        # OData query options: the parameter is "$orderby" (a single "$")
        "$orderby": "releaseDate desc",
        "$filter": "(releaseDate gt 1000-03-01T00:00:00+08:06) and (releaseDate lt " + dstDateStr + "T23:59:59+08:00)",
    }
    dataCount = 500
    try:
        # verify=False disables TLS certificate checking; keep the default (True) unless going through an intercepting proxy
        response = requests.request("GET", url, params=params, headers=headers, verify=False)
        # '@odata.count' is the total number of records matching the filter
        dataCount = json.loads(response.text)['@odata.count']
    except Exception as e:
        print(e)
    return math.ceil(int(dataCount) / DATA_PER_PAGE)
```
The update_onepage_cvedb_database() function
```python
import datetime
import hashlib
import json
import sqlite3
import threading

import requests

# Module-level globals of cve-check.py that this function relies on. The values
# below are placeholders; the real ones are defined elsewhere in the tool.
DATA_PER_PAGE = 500
DBFileName = "PLACEHOLDER_cvekb.db"
TableName = "CVEKB"
lock = threading.Lock()
insertSQL = []  # INSERT statements are collected here and executed later by the tool


def sql_quote(value):
    # Double single quotes so a product or impact string containing ' cannot break the statement
    return value.replace("'", "''")


def update_onepage_cvedb_database(num=1, pageSize=500):
    """Fetch page `num` of the affectedProduct feed and queue one INSERT per record.
    pageSize is unused: the page size is fixed by DATA_PER_PAGE."""
    global insertSQL
    skip = num * DATA_PER_PAGE  # offset of this page within the result set
    headers = {
        'origin': "https://msrc.microsoft.com",
        'referer': "https://msrc.microsoft.com/update-guide",
        'accept-language': "zh-CN",
        'user-agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299",
        'accept': "application/json, text/plain, */*",
        'accept-encoding': "gzip, deflate",
        'host': "api.msrc.microsoft.com",
        'connection': "close",
        'cache-control': "no-cache",
    }
    url = "https://api.msrc.microsoft.com/sug/v2.0/en-US/affectedProduct"
    params = {
        # OData query options: the parameter is "$orderby" (a single "$")
        "$orderby": "releaseDate desc",
        "$filter": "(releaseDate gt 1000-03-01T00:00:00+08:06) and (releaseDate lt " + str(datetime.date.today()) + "T23:59:59+08:00)",
        "$skip": skip
    }
    # print(params)
    resultList = []
    try:
        # verify=False disables TLS certificate checking; keep the default (True) unless going through an intercepting proxy
        response = requests.request("GET", url, params=params, headers=headers, verify=False)
        resultList = json.loads(response.text)['value']
    except Exception as e:
        print(e)
    # print(response.text)
    conn = sqlite3.connect(DBFileName)
    create_sql = """Create Table IF NOT EXISTS {} (
        hash TEXT UNIQUE,
        name TEXT,
        KBName TEXT,
        CVEName TEXT,
        impact TEXT,
        hasPOC TEXT)""".format(TableName)
    conn.execute(create_sql)
    conn.commit()
    conn.close()
    for result in resultList:
        # Keep only numeric KB article names, joined with ';'; skip records without any KB
        KBName = ""
        for KBNode in result['kbArticles']:
            KBName += KBNode['articleName'] + ";" if (KBNode['articleName'] is not None) and KBNode['articleName'].isdigit() else ""
        if KBName == "":
            continue
        # MD5 over product + KBs + CVE + impact is the UNIQUE key that de-duplicates rows across runs
        h1 = hashlib.md5()
        metaStr = result['product'] + KBName + result['cveNumber'] + result['impact']
        h1.update(metaStr.encode('utf-8'))
        # hasPOC = check_POC_every_CVE(result['cveNumber'])
        # Search for public EXPs only after all KBs have been collected
        hasPOC = ""
        sql = ("INSERT OR IGNORE INTO " + TableName + " VALUES ('" + h1.hexdigest() + "','"
               + sql_quote(result['product']) + "','" + KBName + "','" + result['cveNumber']
               + "','" + sql_quote(result['impact']) + "','" + hasPOC + "')")
        with lock:
            insertSQL.append(sql)
```
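As an added, offline example (not code from WindowsVulnScan), this reproduces the record normalisation and row hashing done above on a constructed API page, stores the rows with parameterised SQL instead of string concatenation, and then performs the kind of "which fixing KB is not installed" check the -C step relies on. The CVE ids are placeholders, and the `installed_kbs` format ("KBnnnnnnn" strings) is an assumption about what KBCollect.ps1 produces.

```python
import hashlib
import sqlite3

# Constructed sample in the shape of the MSRC affectedProduct response the tool reads
# (only the fields it uses); the CVE ids are placeholders, not real identifiers.
SAMPLE_PAGE = {"@odata.count": 3, "value": [
    {"product": "Windows 10 Version 1809 for x64-based Systems",
     "kbArticles": [{"articleName": "5001342"}],
     "cveNumber": "CVE-XXXX-0001", "impact": "Elevation of Privilege"},
    {"product": "Constructed 'quoted' product name",
     "kbArticles": [{"articleName": "5001342"}, {"articleName": "Release Notes"}],
     "cveNumber": "CVE-XXXX-0002", "impact": "Remote Code Execution"},
    {"product": "Microsoft Edge (EdgeHTML-based)",
     "kbArticles": [{"articleName": None}],
     "cveNumber": "CVE-XXXX-0003", "impact": "Information Disclosure"},
]}

def build_rows(page):
    """Normalise one API page into (hash, name, KBName, CVEName, impact, hasPOC) tuples:
    only numeric KB names are kept and records without any KB are skipped, as in the tool."""
    rows = []
    for r in page["value"]:
        kbs = "".join(k["articleName"] + ";" for k in r["kbArticles"]
                      if k["articleName"] is not None and k["articleName"].isdigit())
        if not kbs:
            continue
        meta = r["product"] + kbs + r["cveNumber"] + r["impact"]
        digest = hashlib.md5(meta.encode("utf-8")).hexdigest()
        rows.append((digest, r["product"], kbs, r["cveNumber"], r["impact"], ""))
    return rows

def store_rows(conn, rows, table="CVEKB"):
    """Parameterised INSERT OR IGNORE: quotes in product names cannot break the statement,
    and the UNIQUE hash makes re-running the update idempotent. `table` is a trusted constant."""
    conn.execute(f"CREATE TABLE IF NOT EXISTS {table} (hash TEXT UNIQUE, name TEXT, KBName TEXT,"
                 " CVEName TEXT, impact TEXT, hasPOC TEXT)")
    conn.executemany(f"INSERT OR IGNORE INTO {table} VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()

def missing_patches(conn, installed_kbs, table="CVEKB"):
    """CVEs for which none of the fixing KBs is installed. installed_kbs is assumed to be
    the 'KBnnnnnnn' hotfix ids that KBCollect.ps1 gathers (format assumed, not from the page)."""
    installed = {kb[2:] if kb.upper().startswith("KB") else kb for kb in installed_kbs}
    missing = []
    for cve, name, kbs in conn.execute(f"SELECT CVEName, name, KBName FROM {table}"):
        if not any(kb in installed for kb in kbs.split(";") if kb):
            missing.append((cve, name, kbs))
    return missing
```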
0x03 Directory structure:
version1: first version
version2: second version
0x04 Running result:
0x05 Example
First run the PowerShell script KBCollect.ps1 to collect some information:
.\KBCollect.ps1
Move the KB.json file it produces to the directory where cve-check.py is located.
Install the required Python 3 modules:
python3 -m pip install -r requirements.txt
Run cve-check.py -u to create the CVEKB database.
Run cve-check.py -U to update the hasPOC field of the CVEKB database.
Run cve-check.py -C -f KB.json to list the CVEs that have a public EXP, as shown below.