Contents
1. Introduction
2. Survey of version-marker file paths across CMS versions
1. Introduction
When Microsoft handles detection for its large volume of CVE patch updates, it does not check individual vulnerable files (.dll, .sys) by MD5. Instead it takes a baseline-detection approach: it checks the version of the target .dll and .sys files, and if the current version is not the latest, it reports the suspected vulnerabilities that may correspond to it.
0x1: Technical approach
1. Identify the web root path
 1) from the process start-up arguments
 2) by parsing the web container's configuration file
2. Locate the CMS type
 1) search recursively from the web root directory
 2) determine the CMS type from relative paths and text regex features
 3) all rules (SEARCHPATHRULE) are combined with logical AND; only when every rule holds at the same time is the CMS type identified with 100% certainty
3. Identify the CMS version. The general approaches are:
 1) find a "marker file" that is guaranteed to change in every release, compute its MD5 and compare it with the precomputed MD5 of the latest release's marker file
 2) locate a "version information file" by relative path; this file stores the current version information in plaintext
4. Determine whether the version information obtained is "less than" the version in the rule base (this "less than" may need a format conversion before the comparison)
5. Feature matching and version extraction are done with regular expressions; the regex rules use non-capturing groups and lookaround operators, and the result to extract is "the text matched by the first capturing subgroup"
Weighing the two version approaches: with approach 1, if the rule base is not updated promptly, large-scale false positives can result (the user's local CMS version is newer than the one in the rule, but it is still reported because the MD5 differs). Approach 2 is therefore the more reasonable choice; it requires that, when the rules are written, the path of the file that carries the version information be surveyed case by case for each CMS.
Relevant Link:
http://www.cnblogs.com/LittleHann/p/4497977.html
2. Survey of version-marker file paths across CMS versions
0x1: DEDECMS
<CMSVERSIONINFO>
  <ITEM>
    <NAME>DEDECMS</NAME>
    <SEARCHPATHRULE>
      <RULE>
        <PATH>\plus\mytag_js.php</PATH>
        <PATTERN>\$pv->SetTemplet</PATTERN>
      </RULE>
      <RULE>
        <PATH>\plus\ad_js.php</PATH>
        <PATTERN>\$dsql->GetOne</PATTERN>
      </RULE>
    </SEARCHPATHRULE>
    <VERSIONINFO>
      <PATH>\data\admin\ver.txt</PATH>
      <PATTERN>[0-9]{8}</PATTERN>
    </VERSIONINFO>
    <NEWESTVERSION>20150618</NEWESTVERSION>
  </ITEM>
</CMSVERSIONINFO>
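As an added example (not the original post's code), the following Python evaluator applies a rule in the CMSVERSIONINFO format above: the SEARCHPATHRULE entries are combined with logical AND, the version is taken from the regex's first capturing subgroup (falling back to the whole match for patterns without one, such as the plain [0-9]{8} used for DEDECMS), and the result is compared with NEWESTVERSION after converting both to integer tuples, which also handles dotted versions such as 4.5.1. The rule text is a constructed copy modelled on the DISCUZ-X entry in this section, the site files and release date are constructed, and note that a `<` inside a PATTERN has to be written as `&lt;` before a real XML parser will accept it.

```python
import re, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed DISCUZ-X rule in the page's format; "<" is escaped as &lt; for the XML parser
RULE_XML = """<CMSVERSIONINFO><ITEM><NAME>DISCUZ-X</NAME><SEARCHPATHRULE>
<RULE><PATH>\\api\\uc.php</PATH><PATTERN>API_RETURN_SUCCEED;</PATTERN></RULE>
</SEARCHPATHRULE><VERSIONINFO><PATH>\\source\\discuz_version.php</PATH>
<PATTERN>(?&lt;=DISCUZ_RELEASE)(?:.*?)([0-9]{8})</PATTERN></VERSIONINFO>
<NEWESTVERSION>20150609</NEWESTVERSION></ITEM></CMSVERSIONINFO>"""

def load_rules(xml_text):
    # yields one dict per ITEM of a CMSVERSIONINFO document
    for item in ET.fromstring(xml_text).findall("ITEM"):
        vi = item.find("VERSIONINFO")
        yield {"name": item.findtext("NAME"), "newest": item.findtext("NEWESTVERSION"),
               "ver_path": vi.findtext("PATH"), "ver_pattern": vi.findtext("PATTERN"),
               "search": [(r.findtext("PATH"), r.findtext("PATTERN")) for r in item.iter("RULE")]}

def read_rel(webroot, relpath):
    # rule paths use backslashes; map them onto the host's separator
    p = Path(webroot, *relpath.strip("\\").split("\\"))
    return p.read_text(errors="replace") if p.is_file() else None

def matches_cms(webroot, rule):
    # SEARCHPATHRULE is a logical AND: every file must exist and match its pattern
    return all(re.search(pat, read_rel(webroot, path) or "") for path, pat in rule["search"])

def extract_version(webroot, rule):
    # first capturing subgroup, or the whole match for patterns without one
    m = re.search(rule["ver_pattern"], read_rel(webroot, rule["ver_path"]) or "")
    return None if m is None else (m.group(1) if m.re.groups else m.group(0))

def version_key(v):
    # 8-digit release dates and dotted versions both compare as integer tuples
    return tuple(int(x) for x in v.split("."))

def check_webroot(webroot, rules):
    # (cms, found version, newest version) for every rule that matches and is outdated
    hits = [(r["name"], extract_version(webroot, r), r["newest"]) for r in rules if matches_cms(webroot, r)]
    return [h for h in hits if h[1] and version_key(h[1]) < version_key(h[2])]

def make_demo_webroot(release):
    # constructed sample site tree in a temp directory (not a real install)
    root = Path(tempfile.mkdtemp())
    for rel, body in {"api/uc.php": "<?php echo API_RETURN_SUCCEED;\n",
                      "source/discuz_version.php": "<?php define('DISCUZ_RELEASE', '%s');\n" % release}.items():
        (root / rel).parent.mkdir(exist_ok=True)
        (root / rel).write_text(body)
    return str(root)
```

A site whose DISCUZ_RELEASE is older than NEWESTVERSION is reported; one at or above it is not.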
0x2: DISCUZ-X
<CMSVERSIONINFO>
  <ITEM>
    <NAME>DISCUZ-X</NAME>
    <SEARCHPATHRULE>
      <RULE>
        <PATH>\api\uc.php</PATH>
        <PATTERN>API_RETURN_SUCCEED;</PATTERN>
      </RULE>
      <RULE>
        <PATH>\config\config_global.php</PATH>
        <PATTERN>\$_config\['admincp'\]</PATTERN>
      </RULE>
    </SEARCHPATHRULE>
    <VERSIONINFO>
      <PATH>\source\discuz_version.php</PATH>
      <PATTERN>(?<=DISCUZ_RELEASE)(?:.*?)([0-9]{8})</PATTERN>
    </VERSIONINFO>
    <NEWESTVERSION>20150609</NEWESTVERSION>
  </ITEM>
</CMSVERSIONINFO>
0x3: DISCUZ
Discuz has two branches: Discuz (numbered releases) is the old branch, which is no longer maintained, and Discuz-X is the new branch. So in principle, whenever the detected CMS belongs to the numbered series, a low-version risk is always reported.
Discuz! version / maintenance level:
| Discuz! version | General usage issues | Severe usage issues | General security issues | High-risk security issues |
|---|---|---|---|---|
| Discuz!X3.2 | √ | √ | √ | √ |
| Discuz!X3.1 | × | √ | √ | √ |
| Discuz!X3.0 | × | × | √ | √ |
| Discuz!X2.5 | × | × | × | √ |
| Discuz!X2 | × | × | × | √ |
| Discuz!X1.5.1 | × | × | × | √ |
| Discuz!X1.5 | × | × | × | √ |
| ≤ Discuz! 7.x | × | × | × | × |
| Abandoned versions | Discuz!X1.0, Discuz!1.0~Discuz!7.2 | | | |
<CMSVERSIONINFO>
  <ITEM>
    <NAME>DISCUZ</NAME>
    <SEARCHPATHRULE>
      <RULE>
        <PATH>\api\uc.php</PATH>
        <PATTERN>API_RETURN_SUCCEED;</PATTERN>
      </RULE>
      <RULE>
        <PATH>\manyou\userapp.php</PATH>
        <PATTERN>userapp.php\?script=user</PATTERN>
      </RULE>
    </SEARCHPATHRULE>
    <VERSIONINFO>
      <PATH>\discuz_version.php</PATH>
      <PATTERN>(?<=DISCUZ_RELEASE)(?:.*?)([0-9]{8})</PATTERN>
    </VERSIONINFO>
    <NEWESTVERSION>20101225</NEWESTVERSION>
  </ITEM>
</CMSVERSIONINFO>
0x4: PHPMYADMIN
<CMSVERSIONINFO>
  <ITEM>
    <NAME>PHPMYADMIN</NAME>
    <SEARCHPATHRULE>
      <RULE>
        <PATH>\libraries\core.lib.php</PATH>
        <PATTERN>PMA_ifSetOr</PATTERN>
      </RULE>
      <RULE>
        <PATH>\libraries\common.inc.php</PATH>
        <PATTERN>PHPMYADMIN</PATTERN>
      </RULE>
    </SEARCHPATHRULE>
    <VERSIONINFO>
      <PATH>\libraries\Config.class.php</PATH>
      <PATTERN>(?<=PMA_VERSION)(?:.*?)([0-9]{1,2}\.[0-9]{1,2}\.[0-9]{1,2})</PATTERN>
    </VERSIONINFO>
    <NEWESTVERSION>4.5.1</NEWESTVERSION>
  </ITEM>
</CMSVERSIONINFO>
0x5: ASPCMS
<CMSVERSIONINFO>
  <ITEM>
    <NAME>ASPCMS</NAME>
    <SEARCHPATHRULE>
      <RULE>
        <PATH>\inc\AspCms_CommonFun.asp</PATH>
        <PATTERN>createStreamFile</PATTERN>
      </RULE>
      <RULE>
        <PATH>\inc\AspCms_SettingClass.asp</PATH>
        <PATTERN>setcharset</PATTERN>
      </RULE>
    </SEARCHPATHRULE>
    <VERSIONINFO>
      <PATH>\inc\AspCms_Version.asp</PATH>
      <PATTERN>(?<="AspCms)(?:.*?)([0-9]{8})</PATTERN>
    </VERSIONINFO>
    <NEWESTVERSION>20150901</NEWESTVERSION>
  </ITEM>
</CMSVERSIONINFO>
0x6: WORDPRESS
<CMSVERSIONINFO>
  <ITEM>
    <NAME>WORDPRESS</NAME>
    <SEARCHPATHRULE>
      <RULE>
        <PATH>\wp-admin\credits.php</PATH>
        <PATTERN>wp_credits</PATTERN>
      </RULE>
      <RULE>
        <PATH>\wp-admin\canonical.php</PATH>
        <PATTERN>redirect_canonical</PATTERN>
      </RULE>
    </SEARCHPATHRULE>
    <VERSIONINFO>
      <PATH>\wp-includes\version.php</PATH>
      <PATTERN>(?<=wp_version)(?:.*?)([0-9]{1,2}\.[0-9]{1,2}\.[0-9]{1,2})</PATTERN>
    </VERSIONINFO>
    <NEWESTVERSION>4.3.1</NEWESTVERSION>
  </ITEM>
</CMSVERSIONINFO>
0x7: ECSHOP
<CMSVERSIONINFO>
  <ITEM>
    <NAME>ECSHOP</NAME>
    <SEARCHPATHRULE>
      <RULE>
        <PATH>\api\uc.php</PATH>
        <PATTERN>API_RETURN_SUCCEED;</PATTERN>
      </RULE>
      <RULE>
        <PATH>\includes\cls_template.php</PATH>
        <PATTERN>make_compiled</PATTERN>
      </RULE>
    </SEARCHPATHRULE>
    <VERSIONINFO>
      <PATH>\includes\cls_ecshop.php</PATH>
      <PATTERN>(?<=RELEASE)(?:.*?)([0-9]{8})</PATTERN>
    </VERSIONINFO>
    <NEWESTVERSION>20121106</NEWESTVERSION>
  </ITEM>
</CMSVERSIONINFO>
0x8: phpcmsv9
<CMSVERSIONINFO>
  <ITEM>
    <NAME>PHPCMSV9</NAME>
    <SEARCHPATHRULE>
      <RULE>
        <PATH>\phpcms\base.php</PATH>
        <PATTERN>load_sys_class;</PATTERN>
      </RULE>
      <RULE>
        <PATH>\phpsso_server\api.php</PATH>
        <PATTERN>pc_base::load_sys_class</PATTERN>
      </RULE>
    </SEARCHPATHRULE>
    <VERSIONINFO>
      <PATH>\caches\configs\version.php</PATH>
      <PATTERN>(?<=pc_release)(?:.*?)([0-9]{8})</PATTERN>
    </VERSIONINFO>
    <NEWESTVERSION>20150812</NEWESTVERSION>
  </ITEM>
</CMSVERSIONINFO>
0x9: JOOMLA
<CMSVERSIONINFO>
  <ITEM>
    <NAME>JOOMLA</NAME>
    <SEARCHPATHRULE>
      <RULE>
        <PATH>\libraries\cms\application\cms.php</PATH>
        <PATTERN>afterSessionStart</PATTERN>
      </RULE>
      <RULE>
        <PATH>\libraries\cms\class\loader.php</PATH>
        <PATTERN>loadClass</PATTERN>
      </RULE>
    </SEARCHPATHRULE>
    <VERSIONINFO>
      <PATH>\libraries\cms\version\version.php</PATH>
      <PATTERN>(?<=RELEASE)(?:.*?)([0-9]{0,1}\.[0-9]{0,1})</PATTERN>
    </VERSIONINFO>
    <NEWESTVERSION>3.4</NEWESTVERSION>
  </ITEM>
</CMSVERSIONINFO>
0x10: EMPIRECMS
<CMSVERSIONINFO>
  <ITEM>
    <NAME>EMPIRECMS</NAME>
    <SEARCHPATHRULE>
      <RULE>
        <PATH>\e\web\atom.php</PATH>
        <PATTERN>RepSpeRssStr</PATTERN>
      </RULE>
      <RULE>
        <PATH>\e\DoInfo\ecms.php</PATH>
        <PATTERN>eCheckAccessDoIp</PATTERN>
      </RULE>
    </SEARCHPATHRULE>
    <VERSIONINFO>
      <PATH>\e\class\EmpireCMS_version.php</PATH>
      <PATTERN>(?<=EmpireCMS_LASTTIME)(?:.*?)([0-9]{12})</PATTERN>
    </VERSIONINFO>
    <NEWESTVERSION>201502071030</NEWESTVERSION>
  </ITEM>
</CMSVERSIONINFO>
0x11: PHPWEB
<CMSVERSIONINFO>
  <ITEM>
    <NAME>PHPWEB</NAME>
    <SEARCHPATHRULE>
      <RULE>
        <PATH>\member\includes\member.inc.php</PATH>
        <PATTERN>membertypelist</PATTERN>
      </RULE>
      <RULE>
        <PATH>\includes\codeimg.inc.php</PATH>
        <PATTERN>SetDraw</PATTERN>
      </RULE>
    </SEARCHPATHRULE>
    <VERSIONINFO>
      <PATH>\version.php</PATH>
      <PATTERN>(?<=PHPWEB_RELEASE)(?:.*?)([0-9]{8})</PATTERN>
    </VERSIONINFO>
    <NEWESTVERSION>20100925</NEWESTVERSION>
  </ITEM>
</CMSVERSIONINFO>
0x12: METINFO: no version file could be found
0x13: drupal: no version file could be found
0x14: coldfusion: no version file could be found
0x15: z-blog: no version file could be found
0x16: DESTOON
<CMSVERSIONINFO>
  <ITEM>
    <NAME>DESTOON</NAME>
    <SEARCHPATHRULE>
      <RULE>
        <PATH>\module\brand\brand.class.php</PATH>
        <PATTERN>get_list</PATTERN>
      </RULE>
      <RULE>
        <PATH>\module\brand\admin\setting.inc.php</PATH>
        <PATTERN>update_setting</PATTERN>
      </RULE>
    </SEARCHPATHRULE>
    <VERSIONINFO>
      <PATH>\version.inc.php</PATH>
      <PATTERN>(?<=DT_RELEASE)(?:.*?)([0-9]{8})</PATTERN>
    </VERSIONINFO>
    <NEWESTVERSION>20151028</NEWESTVERSION>
  </ITEM>
</CMSVERSIONINFO>
0x17: qibosoft: no version file could be found
0x18: SHOPEX
<CMSVERSIONINFO>
  <ITEM>
    <NAME>SHOPEX</NAME>
    <SEARCHPATHRULE>
      <RULE>
        <PATH>\core\admin\controller\ctl.cent_save.php</PATH>
        <PATTERN>make_shopex_ac</PATTERN>
      </RULE>
      <RULE>
        <PATH>\core\admin\controller\member\ctl.member.php</PATH>
        <PATTERN>show_detail</PATTERN>
      </RULE>
    </SEARCHPATHRULE>
    <VERSIONINFO>
      <PATH>\core\version.txt</PATH>
      <PATTERN>(?<=app)(?:.*?)([0-9]{0,1}\.[0-9]{0,1}\.[0-9]{0,1})</PATTERN>
    </VERSIONINFO>
    <NEWESTVERSION>4.8.5</NEWESTVERSION>
  </ITEM>
</CMSVERSIONINFO>
0x19: ECMALL
<CMSVERSIONINFO>
  <ITEM>
    <NAME>ECMALL</NAME>
    <SEARCHPATHRULE>
      <RULE>
        <PATH>\includes\models\partner.model.php</PATH>
        <PATTERN>reset_error_handler</PATTERN>
      </RULE>
      <RULE>
        <PATH>\admin\includes\priv.inc.php</PATH>
        <PATTERN>\$menu_data</PATTERN>
      </RULE>
    </SEARCHPATHRULE>
    <VERSIONINFO>
      <PATH>\eccore\ecmall.php</PATH>
      <PATTERN>(?<='VERSION)(?:.*?)([0-9]{0,1}\.[0-9]{0,1}\.[0-9]{0,1})</PATTERN>
    </VERSIONINFO>
    <NEWESTVERSION>2.3.0</NEWESTVERSION>
  </ITEM>
</CMSVERSIONINFO>
Relevant Link:
http://blog.sina.com.cn/s/blog_67c986fc0100w77z.html
Copyright (c) 2015 LittleHann All rights reserved
Automated CMS category, version identification (CMS vulnerability detection)
Original article: http://www.cnblogs.com/LittleHann/p/4916633.html