5 Command line usage
The Python 3 API is extremely easy to use and can be integrated within any Unix environment (with pre-requisites). To start using the API in CLI mode, just type the following:
./pyvfeed.py
usage: pyvfeed.py [-h] [--version] [--update] [--information CVE, CPE]
[--classification CVE, CPE] [--risk CVE, CPE]
[--inspection CVE, CPE] [--exploitation CVE, CPE]
[--defense CVE, CPE] [--search cve|cpe|cwe cve|cpe|cwe]
[--export CVE, CPE] [--plugin Plugin name Plugin name]
optional arguments:
-h, --help show this help message and exit
--version API info
--update Database update
--information CVE, CPE
Get information data
--classification CVE, CPE
Get classification data
--risk CVE, CPE Get risk data
--inspection CVE, CPE
Get Vulnerability testing data
--exploitation CVE, CPE
Get exploits and PoCs data
--defense CVE, CPE Get detective, reactive & preventive data
--search cve|cpe|cwe cve|cpe|cwe
Search for CVE, CPE2.2 | CPE2.3 or CWE
--export CVE, CPE Export all metadata to JSON file
--plugin Plugin name Plugin name
Load third party plugins
The help output shows how to use the CLI.
For confidentiality reasons, we will not publish full JSON extracts with all our sources. Only sample JSON extracts will be displayed.
Basic vulnerability information can be extracted using the --information method.
Example:
./pyvfeed.py --info CVE-2017-9805
The result is a JSON output.
{
"information": {
"description": [
{
"id": "CVE-2017-9805",
"published": "2018-04-12T07:01Z",
"modified": "2018-04-12T07:01Z",
"summary": "The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads."
}
],
"references": [
{
"vendor": "MISC",
"url": "http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html"
},
{
"vendor": "MISC",
"url": "http://www.securityfocus.com/bid/100609"
},
{
"vendor": "MISC",
"url": "http://www.securitytracker.com/id/1039263"
},
{
"vendor": "MISC",
"url": "https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax"
},
DATA REMOVED FOR CONFIDENTIALITY PURPOSES
Targets, packages and weaknesses can be retrieved using the --classification method:
./pyvfeed.py --classification CVE-2017-9805
{
"classification": {
"id": 1,
"parameters": [
{
"title": "Apache Software Foundation Struts 2.1.2",
"cpe2.2": "cpe:/a:apache:struts:2.1.2",
"version_affected": {
"from": "",
"to": ""
},
"cpe2.3": "cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:*"
},
{
"title": "Apache Software Foundation Struts 2.1.3",
"cpe2.2": "cpe:/a:apache:struts:2.1.3",
"version_affected": {
"from": "",
"to": ""
},
"cpe2.3": "cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:*"
},
],
"weaknesses": [
{
"id": "CWE-502",
"parameters": {
"class": "weakness",
"title": "Deserialization of Untrusted Data",
"relationship": "CWE-915,CWE-913",
"url": "https://cwe.mitre.org/data/definitions/502.html",
"attack_patterns": REMOVED,
"ranking": {
"category": [
{
"Validate Inputs": {
"parameters": {
"id": "CWE-1019",
"url": "https://cwe.mitre.org/data/definitions/1019.html"
}
}
},
{
"CERT Java Secure Coding Section 13 - Serialization (SER)": {
"parameters": {
"id": "CWE-858",
"url": "https://cwe.mitre.org/data/definitions/858.html"
}
}
DATA REMOVED FOR CONFIDENTIALITY PURPOSES
"packages": [
{
"apache": [
{
"product": "struts",
"version": {
"affected": "2.1.2",
"condition": "equal"
}
},
{
"product": "struts",
"version": {
"affected": "2.1.3",
"condition": "equal"
}
},
{
"product": "struts",
"version": {
"affected": "2.1.4",
"condition": "equal"
DATA REMOVED FOR CONFIDENTIALITY PURPOSES
}
}
}
]
The risk scores, severity and other metrics are displayed using the --risk method:
./pyvfeed.py --risk CVE-2017-9805
{
"risk": {
"cvss": {
"cvss2": {
"vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"base_score": "6.8",
"impact_score": "6.4",
"exploit_score": "8.6",
"access_vector": "NETWORK",
"access_complexity": "MEDIUM",
"authentication": "NONE",
"confidentiality_impact": "PARTIAL",
"integrity_impact": "PARTIAL",
"availability_impact": "PARTIAL"
},
"cvss3": {
"vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"base_score": "8.1",
"impact_score": "5.9",
"exploit_score": "2.2",
"attack_vector": "NETWORK",
"attack_complexity": "HIGH",
"privileges_required": "NONE",
"user_interaction": "NONE",
"score": "UNCHANGED",
"confidentiality_impact": "HIGH",
"integrity_impact": "HIGH",
"availability_impact": "HIGH"
}
},
"epss": {
"probability": 0.95975,
"percentile": 0.99987
},
"kev": {
"id": "CISA:BOD 22-01",
"parameters": {
"date_added": "2021-11-03",
"date_due": "2022-05-03",
"name": "Apache Struts Multiple Versions Remote Code Execution Vulnerability",
"vendor": "Apache",
"product": "Struts",
"required_action": "Apply updates per vendor instructions.",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
}
}
}
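The --risk document above mixes three signals a patch-management team usually weighs separately: CVSS severity, EPSS exploitation probability and CISA KEV membership. The following added example (not part of pyvfeed) parses that structure into a priority tier; the sample is a trimmed copy of the CVE-2017-9805 output, the thresholds and the `fetch_risk` wrapper around `./pyvfeed.py --risk` are assumptions.

```python
import json
import subprocess

# Constructed sample, trimmed from the --risk output above for CVE-2017-9805.
# Note the mixed types pyvfeed emits: CVSS scores are strings, EPSS fields are numbers.
SAMPLE_RISK = json.loads("""
{"risk": {
  "cvss": {"cvss2": {"vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "base_score": "6.8"},
           "cvss3": {"vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "base_score": "8.1"}},
  "epss": {"probability": 0.95975, "percentile": 0.99987},
  "kev": {"id": "CISA:BOD 22-01", "parameters": {"date_due": "2022-05-03"}}}}
""")


def fetch_risk(cve: str) -> dict:
    """Run ./pyvfeed.py --risk for one CVE and parse the JSON it prints
    (assumes the current directory is the pyvfeed checkout, as on this page)."""
    proc = subprocess.run(["./pyvfeed.py", "--risk", cve], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


def triage(doc: dict, cvss_floor: float = 7.0, epss_floor: float = 0.1) -> dict:
    """Derive a patch priority from CVSS, EPSS and KEV (thresholds are illustrative)."""
    risk = doc.get("risk") or {}
    cvss = risk.get("cvss") or {}
    # Prefer CVSS v3, fall back to v2; a missing score counts as 0.
    score = ((cvss.get("cvss3") or {}).get("base_score")
             or (cvss.get("cvss2") or {}).get("base_score") or "0")
    base_score = float(score)
    epss = float((risk.get("epss") or {}).get("probability") or 0.0)
    kev = risk.get("kev") or {}
    in_kev = bool(kev.get("id"))
    kev_due = (kev.get("parameters") or {}).get("date_due")

    if in_kev:  # KEV listing overrides the scores: exploitation is confirmed, not predicted
        priority, reason = "P1", "listed in CISA KEV" + (" (due %s)" % kev_due if kev_due else "")
    elif base_score >= cvss_floor and epss >= epss_floor:
        priority, reason = "P1", "high severity and high exploitation probability"
    elif base_score >= cvss_floor or epss >= epss_floor:
        priority, reason = "P2", "high severity or high exploitation probability"
    else:
        priority, reason = "P3", "routine patch cycle"
    return {"priority": priority, "reason": reason, "base_score": base_score,
            "epss": epss, "kev": in_kev}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RISK), indent=2))
```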
Patches, fixes, hot fixes, bug IDs, rules, etc. are retrieved using the --defense method:
./pyvfeed.py --defense CVE-2017-9805
{
"defense": {
"preventive": {
"bulletins": [
{
"bid": [
{
"id": "100609",
"parameters": {
"class": "bulletin",
"url": "http://www.securityfocus.com/bid/100609"
}
}
]
},
{
"certvn": [
{
"id": "VU#112992",
"parameters": {
"class": "bulletin",
"url": "https://www.kb.cert.org/vuls/id/112992"
}
}
]
},
{
"cisco": [
{
"id": "cisco-sa-20170907-struts2",
"parameters": {
"class": "fix",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2"
}
}
]
},
{
"oracle": [
{
"id": "alert",
"parameters": {
"class": "fix",
"url": "http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html"
}
}
]
},
{
"redhat": [
{
"id": "1488482",
"parameters": {
"class": "bug",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1488482"
}
}
]
}
],
"patches": [
{
"redhat": {
"date_published": "2017-09-05T00:00:00Z",
"description": "The REST Plugin in Apache Struts2 is using a XStreamHandler with an instance of XStream for deserialization without any type filtering which could lead to Remote Code Execution when deserializing XML payloads. An attacker could use this flaw to execute arbitrary code or conduct further attacks.|The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.|",
"packages": [
{
"struts": [
{
"product": "Red Hat Enterprise Linux 5",
"version_fixed": "",
"version_not_fixed": "struts",
"status": "Not affected"
},
{
"product": "Red Hat JBoss Data Virtualization 6",
"version_fixed": "",
"version_not_fixed": "struts",
"status": "Not affected"
},
{
"product": "Red Hat JBoss Fuse Service Works 6",
"version_fixed": "",
"version_not_fixed": "struts",
"status": "Not affected"
},
{
"product": "Red Hat JBoss Operations Network 3",
"version_fixed": "",
"version_not_fixed": "struts",
"status": "Not affected"
},
{
"product": "Red Hat Satellite 5",
"version_fixed": "",
"version_not_fixed": "struts",
"status": "Not affected"
}
]
}
]
}
},
{
"ubuntu": {
"date_published": "2017-09-15T19:29:00Z",
"description": "The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.",
"packages": [
{
"libstruts1.2-java": [
{
"product": "trusty",
"version_fixed": "",
"version_not_fixed": "code not present",
"status": "not-affected"
},
{
"product": "cosmic",
"version_fixed": "",
"version_not_fixed": "",
"status": "DNE"
},
{
"product": "artful",
"version_fixed": "",
"version_not_fixed": "",
"status": "DNE"
},
{
"product": "devel",
"version_fixed": "",
"version_not_fixed": "",
"status": "DNE"
},
{
"product": "precise/esm",
"version_fixed": "",
"version_not_fixed": "",
"status": "DNE"
},
{
"product": "bionic",
"version_fixed": "",
"version_not_fixed": "",
"status": "DNE"
},
{
"product": "upstream",
"version_fixed": "",
"version_not_fixed": "",
"status": "needed"
},
{
"product": "xenial",
"version_fixed": "",
"version_not_fixed": "",
"status": "DNE"
},
{
"product": "vivid/ubuntu-core",
"version_fixed": "",
"version_not_fixed": "",
"status": "DNE"
},
{
"product": "zesty",
"version_fixed": "",
"version_not_fixed": "",
"status": "DNE"
},
{
"product": "trusty/esm",
"version_fixed": "",
"version_not_fixed": "trusty was not-affected [code not present]",
"status": "DNE"
}
]
}
]
}
}
]
},
"detective": [
{
"juniper": [
{
"id": "HTTP:APACHE:APACHE-REST-DE-SRL2",
"parameters": {
"class": "HTTP",
"title": "An insecure deserialization vulnerability has been discovered in Apache Struts 2 REST Plugin. A remote attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation will allow an attacker to execute arbitrary code with the privileges of the server.",
"url": "https://threatlabs.juniper.net/home/search/#/details/?sigtype=ips&sigid=HTTP:APACHE:APACHE-REST-DE-SRL2"
}
},
{
"id": "HTTP:APACHE:APACHE-REST-DE-SRL1",
"parameters": {
"class": "HTTP",
"title": "An insecure deserialization vulnerability has been discovered in Apache Struts 2 REST Plugin. A remote attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation will allow an attacker to execute arbitrary code with the privileges of the server.",
"url": "https://threatlabs.juniper.net/home/search/#/details/?sigtype=ips&sigid=HTTP:APACHE:APACHE-REST-DE-SRL1"
}
}
]
},
{
"snort": [
{
"id": "44315",
"parameters": {
"class": "attempted-admin",
"title": "SERVER-WEBAPP Java XML deserialization remote code execution attempt",
"url": "https://snort.org/rule_docs/1-44315/"
}
}
]
},
{
"suricata": [
{
"id": "2024663",
"parameters": {
"class": "attempted-user",
"title": "ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (ProcessBuilder)",
"url": "http://doc.emergingthreats.net/2024663/"
}
},
{
"id": "2024664",
"parameters": {
"class": "attempted-user",
"title": "ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (Runtime.Exec)",
"url": "http://doc.emergingthreats.net/2024664/"
}
},
{
"id": "2024668",
"parameters": {
"class": "attempted-user",
"title": "ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 1",
"url": "http://doc.emergingthreats.net/2024668/"
}
},
{
"id": "2024669",
"parameters": {
"class": "attempted-user",
"title": "ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 2",
"url": "http://doc.emergingthreats.net/2024669/"
}
},
{
"id": "2024670",
"parameters": {
"class": "attempted-user",
"title": "ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 3",
"url": "http://doc.emergingthreats.net/2024670/"
}
},
{
"id": "2024671",
"parameters": {
"class": "attempted-user",
"title": "ET EXPLOIT Apache Struts 2 REST Plugin (B64) 4",
"url": "http://doc.emergingthreats.net/2024671/"
}
},
{
"id": "2024672",
"parameters": {
"class": "attempted-user",
"title": "ET EXPLOIT Apache Struts 2 REST Plugin (B64) 5",
"url": "http://doc.emergingthreats.net/2024672/"
}
},
{
"id": "2024673",
"parameters": {
"class": "attempted-user",
"title": "ET EXPLOIT Apache Struts 2 REST Plugin (B64) 6",
"url": "http://doc.emergingthreats.net/2024673/"
}
},
{
"id": "2024674",
"parameters": {
"class": "attempted-user",
"title": "ET EXPLOIT Apache Struts 2 REST Plugin (Runtime.Exec)",
"url": "http://doc.emergingthreats.net/2024674/"
}
},
{
"id": "2024675",
"parameters": {
"class": "attempted-user",
"title": "ET EXPLOIT Apache Struts 2 REST Plugin (ProcessBuilder)",
"url": "http://doc.emergingthreats.net/2024675/"
}
},
{
"id": "2024843",
"parameters": {
"class": "attempted-user",
"title": "ET SCAN struts-pwn User-Agent",
"url": "http://doc.emergingthreats.net/2024843/"
}
},
{
"id": "2027516",
"parameters": {
"class": "attempted-user",
"title": "ET EXPLOIT Apache Struts 2 REST Plugin Vulnerability (CVE-2017-9805)",
"url": "http://doc.emergingthreats.net/2027516/"
}
}
]
}
]
}
}
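The --defense document above is what a SOC needs for a handover: which IDS signatures already cover the CVE, and which distribution packages are still waiting for a fix. This added example (not pyvfeed code) walks the 'detective' and 'preventive.patches' branches of that structure; the sample is a trimmed copy of the CVE-2017-9805 output and the set of statuses treated as resolved is an assumption drawn from the values shown on this page.

```python
import json

# Constructed sample, trimmed from the --defense output above for CVE-2017-9805.
SAMPLE_DEFENSE = json.loads("""
{"defense": {
  "preventive": {"patches": [
    {"ubuntu": {"date_published": "2017-09-15T19:29:00Z", "packages": [{"libstruts1.2-java": [
      {"product": "trusty", "version_fixed": "", "version_not_fixed": "code not present", "status": "not-affected"},
      {"product": "bionic", "version_fixed": "", "version_not_fixed": "", "status": "DNE"},
      {"product": "upstream", "version_fixed": "", "version_not_fixed": "", "status": "needed"}]}]}}]},
  "detective": [
    {"snort": [{"id": "44315", "parameters": {"class": "attempted-admin",
      "title": "SERVER-WEBAPP Java XML deserialization remote code execution attempt",
      "url": "https://snort.org/rule_docs/1-44315/"}}]},
    {"suricata": [
      {"id": "2024663", "parameters": {"class": "attempted-user",
        "title": "ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (ProcessBuilder)",
        "url": "http://doc.emergingthreats.net/2024663/"}},
      {"id": "2027516", "parameters": {"class": "attempted-user",
        "title": "ET EXPLOIT Apache Struts 2 REST Plugin Vulnerability (CVE-2017-9805)",
        "url": "http://doc.emergingthreats.net/2027516/"}}]}]}}
""")

# Statuses seen on this page that mean nothing is left to do for that release (assumed set).
RESOLVED = {"not affected", "not-affected", "dne"}


def detection_coverage(doc: dict) -> dict:
    """Map each IDS vendor under 'detective' to its signature ids, e.g. {'snort': ['44315']}."""
    coverage = {}
    for entry in doc.get("defense", {}).get("detective", []):
        for vendor, sigs in entry.items():
            coverage.setdefault(vendor, []).extend(s["id"] for s in sigs)
    return coverage


def pending_patches(doc: dict) -> list:
    """List (distro, package, release, status) rows still needing a fix: status is not
    a resolved state and no fixed version has been recorded."""
    pending = []
    for entry in doc.get("defense", {}).get("preventive", {}).get("patches", []):
        for distro, info in entry.items():
            for pkg_entry in info.get("packages", []):
                for package, releases in pkg_entry.items():
                    for rel in releases:
                        status = rel.get("status", "")
                        if status.lower() not in RESOLVED and not rel.get("version_fixed"):
                            pending.append((distro, package, rel.get("product"), status))
    return pending


if __name__ == "__main__":
    print(detection_coverage(SAMPLE_DEFENSE))
    print(pending_patches(SAMPLE_DEFENSE))
```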
The --inspection method retrieves all data on remote and local scanner signatures that can detect the vulnerability:
./pyvfeed.py --inspect CVE-2017-9805
{
"inspection": {
"remote": [
{
"nessus": [
{
"id": "102960",
"parameters": {
"family": "Misc.",
"name": "Apache Struts 2.1.x >= 2.1.2 / 2.2.x / 2.3.x < 2.3.34 / 2.5.x < 2.5.13 Multiple Vulnerabilities",
"file": "struts_2_5_13.nasl",
"url": "https://www.tenable.com/plugins/index.php?view=single&id=102960"
}
},
{
"id": "102977",
"parameters": {
"family": "CGI abuses",
"name": "Apache Struts 2 REST Plugin XStream XML Request Deserialization RCE",
"file": "struts_2_5_13_rest_rce.nasl",
"url": "https://www.tenable.com/plugins/index.php?view=single&id=102977"
}
},
{
"id": "103536",
"parameters": {
"family": "CGI abuses",
"name": "MySQL Enterprise Monitor 3.2.x < 3.2.9.2249 / 3.3.x < 3.3.5.3292 / 3.4.x < 3.4.3.4225 Multiple Vulnerabilities (October 2017 CPU)",
"file": "mysql_enterprise_monitor_3_4_3_4225.nasl",
"url": "https://www.tenable.com/plugins/index.php?view=single&id=103536"
}
}
]
DATA REMOVED FOR CONFIDENTIALITY PURPOSES
}
}
]
}
],
"local": [
{
DATA REMOVED FOR CONFIDENTIALITY PURPOSES
}
}
]
}
]
The --exploitation method retrieves all data on any PoC or exploit that can be used to test the vulnerability:
./pyvfeed.py --exploitation CVE-2017-9805
{
"exploitation": [
{
"exploitdb": [
{
DATA REMOVED FOR CONFIDENTIALITY PURPOSES
{
"metasploit": [
{
"id": "struts2_rest_xstream.rb",
"parameters": {
"name": "Apache Struts 2 REST Plugin XStream RCE",
"file": "modules/exploits/multi/http/struts2_rest_xstream.rb",
"url": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts2_rest_xstream.rb"
}
}
]
},
{
DATA REMOVED FOR CONFIDENTIALITY PURPOSES
}
}
]
}
The export module stores vulnerability metadata in a JSON or YAML file. To do so, the API executes all the methods above and collects the available information. The exported file is written to the 'export' directory set in the Getting started chapter.
./pyvfeed.py --export CVE-2017-9805
The result is stored in the directory /Users/dev/Documents/test/pro/export as CVE-2017-9805.json
The JSON will look like the following (DATA REMOVED FOR CONFIDENTIALITY PURPOSES):
{
"information":{ },
"classification":{ },
"risk":{ },
"inspection":{ },
"exploitation":{ },
"defense":{ }
}
The search module returns the result as JSON content. As of today, the available functions are search_cve(), search_cpe() and search_cwe().
Since version 0.9.8, 3 new arguments are available in the CLI:
./pyvfeed.py --search cve|cpe|cwe Your_Input
Here is an example using search_cpe(), which accepts both CPE versions 2.2 and 2.3:
./pyvfeed.py --search cpe cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
[
{
"id": "cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*",
"vulnerability": [
"CVE-2017-3106",
"CVE-2017-3100",
"CVE-2017-3099",
"CVE-2017-3085",
"CVE-2017-3084",
"CVE-2017-3083",
"CVE-2017-3082",
"CVE-2017-3081",
"CVE-2017-3080",
"CVE-2017-3079",
"CVE-2017-3078",
"CVE-2017-3077",
"CVE-2017-3076",
"CVE-2017-3075",
"CVE-2017-3074",
"CVE-2017-3073",
"CVE-2017-3072",
"CVE-2017-3071",
"CVE-2017-3070",
"CVE-2017-3069",
"CVE-2017-3068",
"CVE-2017-3064",
"CVE-2017-3063",
"CVE-2017-3062",
"CVE-2017-3061",
"CVE-2017-3060",
"CVE-2017-3059",
"CVE-2017-3058",
"CVE-2017-3003",
"CVE-2017-3002",
"CVE-2017-3001",
"CVE-2017-3000",
"CVE-2017-2999",
"CVE-2017-2998",
"CVE-2017-2997",
"CVE-2017-2996",
"CVE-2017-2995",
"CVE-2017-2994",
"CVE-2017-2993",
"CVE-2017-2992",
"CVE-2017-2991",
"CVE-2017-2990",
"CVE-2017-2988",
"CVE-2017-2987",
"CVE-2017-2986",
"CVE-2017-2985",
"CVE-2017-2984",
"CVE-2017-2982",
"CVE-2017-2938",
"CVE-2017-2937",
"CVE-2017-2936",
"CVE-2017-2935",
"CVE-2017-2934",
"CVE-2017-2933",
"CVE-2017-2932",
"CVE-2017-2931",
"CVE-2017-2930",
"CVE-2017-2928",
"CVE-2017-2927",
"CVE-2017-2926",
"CVE-2017-2925",
"CVE-2017-11305",
"CVE-2017-11292",
"CVE-2017-11282",
"CVE-2017-11281"
]
}
]
search_cve() may also return exploits when available:
./pyvfeed.py --search cve cve-2017-0199
{
"description": [
{
"id": "CVE-2017-0199",
"parameters": {
"modified": "2018-03-28T01:29Z",
"published": "2017-04-12T14:59Z",
"summary": "Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka \"Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API.\""
}
}
],
"exploitation": [
{
"exploitdb": [
{
"id": "41894",
"parameters": {
"title": "Microsoft Word - '.RTF' Remote Code Execution",
"file": "exploit-database/exploits/windows/remote/41894.py",
"url": "https://www.exploit-db.com/exploits/41894/"
}
},
{
"id": "41934",
"parameters": {
"title": "Microsoft Office Word - '.RTF' Malicious HTA Execution (Metasploit)",
"file": "exploit-database/exploits/windows/remote/41934.rb",
"url": "https://www.exploit-db.com/exploits/41934/"
}
DATA REMOVED FOR CONFIDENTIALITY PURPOSES
}
}
]
}
search_cwe() returns all vulnerabilities associated with the given CWE type:
./pyvfeed.py --search cwe cwe-89
{
"id": "CWE-89",
"parameters": {
"title": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
"class": "weakness",
"url": "https://cwe.mitre.org/data/definitions/89.html"
},
"vulnerability": [
"CVE-2019-6805",
"CVE-2019-6798",
"CVE-2019-6691",
"CVE-2019-6497",
"CVE-2019-6296",
"CVE-2019-6295",
DATA REMOVED FOR CONFIDENTIALITY PURPOSES
}
}
]
}
Whenever a new customer is validated to acquire a license, a subscription email will be sent with the API keys. Review the Getting Started chapter for more information.
The update process is run using the --update module:
./pyvfeed.py --update
[+] Checking update status ...
[-] Downloading update
[-] Checksum verification 48a923ae7aa9d6a34b2a7e5ad3acc182627af923c1132c330a72dd6a680bd6c0
[-] Already updated
[+] Cleaning tmp downloads .