
5 Command line usage

vFeed, Inc edited this page Aug 27, 2021 · 10 revisions

Usage

The Python 3 API is extremely easy to use and can be integrated within any Unix environment (once the prerequisites are installed). To start using the API in CLI mode, just type the following:

./pyvfeed.py 
usage: pyvfeed.py [-h] [--version] [--update] [--information CVE, CPE]
              [--classification CVE, CPE] [--risk CVE, CPE]
              [--inspection CVE, CPE] [--exploitation CVE, CPE]
              [--defense CVE, CPE] [--search cve|cpe|cwe cve|cpe|cwe]
              [--export CVE, CPE] [--plugin Plugin name Plugin name]

optional arguments:
  -h, --help            show this help message and exit
  --version             API info
  --update              Database update
  --information CVE, CPE
                    Get information data
  --classification CVE, CPE
                    Get classification data
  --risk CVE, CPE       Get risk data
  --inspection CVE, CPE
                    Get Vulnerability testing data
  --exploitation CVE, CPE
                    Get exploits and PoCs data
  --defense CVE, CPE    Get detective, reactive & preventive data
  --search cve|cpe|cwe cve|cpe|cwe
                    Search for CVE, CPE2.2 | CPE2.3 or CWE
  --export CVE, CPE     Export all metadata to JSON file
  --plugin Plugin name Plugin name
                    Load third party plugins

The simple help will indicate how to use the CLI.

For confidentiality reasons, we will not publish full JSON extracts with all our sources. Only sample JSON extracts are displayed.

Methods

Getting information

The basic vulnerability information extraction can be achieved using the --information method.

Example:

 ./pyvfeed.py --info CVE-2017-9805

The result is a JSON output.

{
  "information": {
    "description": [
  {
    "id": "CVE-2017-9805",
    "published": "2018-04-12T07:01Z",
    "modified": "2018-04-12T07:01Z",
    "summary": "The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads."
  }
],
"references": [
  {
    "vendor": "MISC",
    "url": "http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html"
  },
  {
    "vendor": "MISC",
    "url": "http://www.securityfocus.com/bid/100609"
  },
  {
    "vendor": "MISC",
    "url": "http://www.securitytracker.com/id/1039263"
  },
  {
    "vendor": "MISC",
    "url": "https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax"
  },
DATA REMOVED FOR CONFIDENTIALITY PURPOSES

Getting classification

Targets, packages and weaknesses can be retrieved using the --classification method:

./pyvfeed.py --classification CVE-2017-9805
{
  "classification": {
    "id": 1,
    "parameters": [
      {
        "title": "Apache Software Foundation Struts 2.1.2",
        "cpe2.2": "cpe:/a:apache:struts:2.1.2",
        "version_affected": {
          "from": "",
          "to": ""
        },
        "cpe2.3": "cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:*"
      },
      {
        "title": "Apache Software Foundation Struts 2.1.3",
        "cpe2.2": "cpe:/a:apache:struts:2.1.3",
        "version_affected": {
          "from": "",
          "to": ""
        },
        "cpe2.3": "cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:*"
      },

],
"weaknesses": [
  {
    "id": "CWE-502",
    "parameters": {
      "class": "weakness",
      "title": "Deserialization of Untrusted Data",
      "relationship": "CWE-915,CWE-913",
      "url": "https://cwe.mitre.org/data/definitions/502.html",
      "attack_patterns": REMOVED,
      "ranking": {
        "category": [
          {
            "Validate Inputs": {
              "parameters": {
                "id": "CWE-1019",
                "url": "https://cwe.mitre.org/data/definitions/1019.html"
              }
            }
          },
          {
            "CERT Java Secure Coding Section 13 - Serialization (SER)": {
              "parameters": {
                "id": "CWE-858",
                "url": "https://cwe.mitre.org/data/definitions/858.html"
              }
            }

        DATA REMOVED FOR CONFIDENTIALITY PURPOSES
 "packages": [
  {
    "apache": [
      {
        "product": "struts",
        "version": {
          "affected": "2.1.2",
          "condition": "equal"
        }
      },
      {
        "product": "struts",
        "version": {
          "affected": "2.1.3",
          "condition": "equal"
        }
      },
      {
        "product": "struts",
        "version": {
          "affected": "2.1.4",
          "condition": "equal"
    DATA REMOVED FOR CONFIDENTIALITY PURPOSES
      }
    }
  }
]

Getting risk

The risk scores, severity and other metrics are displayed using the --risk method:

./pyvfeed.py --risk CVE-2017-9805
{
  "risk": {
"cvss": {
  "cvss2": {
    "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
    "base_score": "6.8",
    "impact_score": "6.4",
    "exploit_score": "8.6",
    "access_vector": "NETWORK",
    "access_complexity": "MEDIUM",
    "authentication": "NONE",
    "confidentiality_impact": "PARTIAL",
    "integrity_impact": "PARTIAL",
    "availability_impact": "PARTIAL"
  },
  "cvss3": {
    "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "base_score": "8.1",
    "impact_score": "5.9",
    "exploit_score": "2.2",
    "attack_vector": "NETWORK",
    "attack_complexity": "HIGH",
    "privileges_required": "NONE",
    "user_interaction": "NONE",
    "score": "UNCHANGED",
    "confidentiality_impact": "HIGH",
    "integrity_impact": "HIGH",
    "availability_impact": "HIGH"
  }
}

Getting defense rules

Patches, fixes, hotfixes, bug IDs, rules, etc. are retrieved using --defense:

./pyvfeed.py --defense CVE-2017-9805
{
  "defense": {
"preventive": [
  {
    "bid": [
      {
        "id": "100609",
        "parameters": {
          "family": "bulletin",
          "url": "http://www.securityfocus.com/bid/100609"
        }
      }
    ]
  },
  {
    "certvn": [
      {
        "id": "VU#112992",
        "parameters": {
          "family": "bulletin",
          "url": "https://www.kb.cert.org/vuls/id/112992"
        }
      }
    ]
  },
  {
    "cisco": [
      {
        "id": "cisco-sa-20170907-struts2",
        "parameters": {
          "family": "bulletin",
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907- (                
DATA REMOVED FOR CONFIDENTIALITY PURPOSES
        }
      }
    ]
  }
],
"detective": [
  {
    "snort": [
      {
        "id": "44315",
        "parameters": {
          "family": "attempted-admin",
          "title": "SERVER-WEBAPP Java XML deserialization remote code execution attempt",
          "url": "https://snort.org/rule_docs/1-44315/"
        }
      }
    ]
  },
  {
    "suricata": [
      {
        "id": "2024663",
        "parameters": {
          "family": "attempted-user",
          "title": "ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (ProcessBuilder)",
          "url": "http://doc.emergingthreats.net/2024663/"
        }
      },
      {
      DATA REMOVED FOR CONFIDENTIALITY PURPOSES
        }
      }
    ]
  }
]

Getting inspection scripts (remote and local vulnerability scanners)

The --inspection method retrieves all data about remote and local scanner signatures that can detect the vulnerability:

./pyvfeed.py --inspect CVE-2017-9805
{
  "inspection": {
"remote": [
  {
    "nessus": [
      {
        "id": "102960",
        "parameters": {
          "family": "Misc.",
          "name": "Apache Struts 2.1.x >= 2.1.2 / 2.2.x / 2.3.x < 2.3.34 / 2.5.x < 2.5.13 Multiple Vulnerabilities",
          "file": "struts_2_5_13.nasl",
          "url": "https://www.tenable.com/plugins/index.php?view=single&id=102960"
        }
      },
      {
        "id": "102977",
        "parameters": {
          "family": "CGI abuses",
          "name": "Apache Struts 2 REST Plugin XStream XML Request Deserialization RCE",
          "file": "struts_2_5_13_rest_rce.nasl",
          "url": "https://www.tenable.com/plugins/index.php?view=single&id=102977"
        }
      },
      {
        "id": "103536",
        "parameters": {
          "family": "CGI abuses",
          "name": "MySQL Enterprise Monitor 3.2.x < 3.2.9.2249 / 3.3.x < 3.3.5.3292 / 3.4.x < 3.4.3.4225 Multiple Vulnerabilities (October 2017 CPU)",
          "file": "mysql_enterprise_monitor_3_4_3_4225.nasl",
          "url": "https://www.tenable.com/plugins/index.php?view=single&id=103536"
        }
      }
    ]
        DATA REMOVED FOR CONFIDENTIALITY PURPOSES
        }
      }
    ]
  }
],
"local": [
  {
       DATA REMOVED FOR CONFIDENTIALITY PURPOSES
        }
      }
    ]
  }
]

Getting exploits scripts (from different sources, tools etc)

The --exploitation method retrieves all data about any PoC or exploit that can be used to test the vulnerability:

./pyvfeed.py --exploitation CVE-2017-9805
{
  "exploitation": [
{
  "exploitdb": [
    {
         DATA REMOVED FOR CONFIDENTIALITY PURPOSES
{
  "metasploit": [
    {
      "id": "struts2_rest_xstream.rb",
      "parameters": {
        "name": "Apache Struts 2 REST Plugin XStream RCE",
        "file": "modules/exploits/multi/http/struts2_rest_xstream.rb",
        "url": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts2_rest_xstream.rb"
      }
    }
  ]
},
{
          DATA REMOVED FOR CONFIDENTIALITY PURPOSES
      }
    }
  ]
}

Modules

Exporting data to JSON or YAML

The export module offers the ability to store vulnerability metadata in a JSON or YAML file. To do so, the API executes all the methods and collects the available information. The exported file is stored in the 'export' directory set in the Getting Started chapter.

./pyvfeed.py --export CVE-2017-9805

The result is stored into the directory /Users/dev/Documents/test/pro/export as CVE-2017-9805.json

The JSON will look like ( DATA REMOVED FOR CONFIDENTIALITY PURPOSES)

{  
   "information":{  },
   "classification":{  },
   "risk":{  },
   "inspection":{  },
   "exploitation":[  ],
   "defense":{  }
}
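As an added example (not code from pyvfeed or this wiki), the following Python reads one exported record of the shape sketched above and reduces it to what a patch-triage queue needs: CVSSv3 score, affected CPE 2.3 names, public exploit references, IDS rule IDs and scanner plugin IDs. The sample record is constructed from the CVE-2017-9805 extracts shown on this page, and the "patch_now" rule is an assumed local policy, not a vFeed rule.

```python
import json
# Constructed sample shaped like the --export JSON on this page; the values come from
# the CVE-2017-9805 extracts above and every nested list is heavily truncated.
SAMPLE_EXPORT = json.dumps({
    "information": {"description": [{"id": "CVE-2017-9805"}]},
    "classification": {"parameters": [{"cpe2.3": "cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:*"},
                                      {"cpe2.3": "cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:*"}]},
    "risk": {"cvss": {"cvss2": {"base_score": "6.8"}, "cvss3": {"base_score": "8.1"}}},
    "inspection": {"remote": [{"nessus": [{"id": "102960"}, {"id": "102977"}]}], "local": []},
    "exploitation": [{"exploitdb": []}, {"metasploit": [{"id": "struts2_rest_xstream.rb"}]}],
    "defense": {"preventive": [{"bid": [{"id": "100609"}]}],
                "detective": [{"snort": [{"id": "44315"}]}, {"suricata": [{"id": "2024663"}]}]},
})

def _walk(node, path=()):
    # Yield (key_path, leaf) for every scalar; lists add no path element, so the export's
    # "source name -> list of {id, parameters}" layout stays addressable by key path.
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, path + (key,))
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value, path)
    else:
        yield path, node

def ids_by_source(section, sources):
    # Collect the "id" values nested under each source key (snort, nessus, metasploit, ...).
    found = {src: [] for src in sources}
    for path, value in _walk(section):
        if path and path[-1] == "id":
            for src in sources:
                if src in path[:-1] and str(value) not in found[src]:
                    found[src].append(str(value))
    return found

def triage(export_json):
    # Reduce one exported record to what a patch queue needs. The "patch_now" rule
    # (public exploit plus CVSSv3 >= 7.0) is an assumed local policy, not a vFeed rule.
    doc = json.loads(export_json)
    score = float(doc["risk"]["cvss"].get("cvss3", {}).get("base_score", 0))
    exploits = ids_by_source(doc["exploitation"], ("exploitdb", "metasploit"))
    return {
        "cve": doc["information"]["description"][0]["id"],
        "cvss3_base": score,
        "affected_cpe23": sorted({v for p, v in _walk(doc["classification"]) if p[-1:] == ("cpe2.3",)}),
        "exploits": exploits,
        "ids_rules": ids_by_source(doc["defense"], ("snort", "suricata")),
        "scanner_plugins": ids_by_source(doc["inspection"], ("nessus",)),
        "priority": "patch_now" if any(exploits.values()) and score >= 7.0 else "scheduled",
    }
```

Feed it the content of the exported CVE-2017-9805.json file instead of SAMPLE_EXPORT to triage a real record.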

Search the database

The search module returns the result as JSON content. As of today, the available functions are: search_cve(), search_cpe() and search_cwe().

Since version 0.9.8, we have introduced 3 new arguments when using the CLI.

 ./pyvfeed.py --search cve|cpe|cwe Your_Input

Here is an example of search_cpe(), which accepts both the CPE 2.2 and CPE 2.3 formats:

./pyvfeed.py --search cpe cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
[
  {
    "id": "cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*",
"vulnerability": [
  "CVE-2017-3106",
  "CVE-2017-3100",
  "CVE-2017-3099",
  "CVE-2017-3085",
  "CVE-2017-3084",
  "CVE-2017-3083",
  "CVE-2017-3082",
  "CVE-2017-3081",
  "CVE-2017-3080",
  "CVE-2017-3079",
  "CVE-2017-3078",
  "CVE-2017-3077",
  "CVE-2017-3076",
  "CVE-2017-3075",
  "CVE-2017-3074",
  "CVE-2017-3073",
  "CVE-2017-3072",
  "CVE-2017-3071",
  "CVE-2017-3070",
  "CVE-2017-3069",
  "CVE-2017-3068",
  "CVE-2017-3064",
  "CVE-2017-3063",
  "CVE-2017-3062",
  "CVE-2017-3061",
  "CVE-2017-3060",
  "CVE-2017-3059",
  "CVE-2017-3058",
  "CVE-2017-3003",
  "CVE-2017-3002",
  "CVE-2017-3001",
  "CVE-2017-3000",
  "CVE-2017-2999",
  "CVE-2017-2998",
  "CVE-2017-2997",
  "CVE-2017-2996",
  "CVE-2017-2995",
  "CVE-2017-2994",
  "CVE-2017-2993",
  "CVE-2017-2992",
  "CVE-2017-2991",
  "CVE-2017-2990",
  "CVE-2017-2988",
  "CVE-2017-2987",
  "CVE-2017-2986",
  "CVE-2017-2985",
  "CVE-2017-2984",
  "CVE-2017-2982",
  "CVE-2017-2938",
  "CVE-2017-2937",
  "CVE-2017-2936",
  "CVE-2017-2935",
  "CVE-2017-2934",
  "CVE-2017-2933",
  "CVE-2017-2932",
  "CVE-2017-2931",
  "CVE-2017-2930",
  "CVE-2017-2928",
  "CVE-2017-2927",
  "CVE-2017-2926",
  "CVE-2017-2925",
  "CVE-2017-11305",
  "CVE-2017-11292",
  "CVE-2017-11282",
  "CVE-2017-11281"
]
}
]
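As an added example (not code from pyvfeed or this wiki), these Python helpers convert between the CPE 2.2 URI form and the CPE 2.3 formatted string that both the classification output and --search cpe accept, and perform a simple wildcard match over 2.3 attributes. Packed "~" edition fields and escaped characters are passed through unchanged, which is a stated simplification.

```python
CPE23_ATTRS = ("part", "vendor", "product", "version", "update", "edition",
               "language", "sw_edition", "target_sw", "target_hw", "other")

def cpe22_to_cpe23(uri):
    # CPE 2.2 URI "cpe:/part:vendor:product[:version[:update[:edition[:language]]]]" to the
    # 2.3 formatted string used by the search and classification outputs on this page.
    # Simplification: packed "~" edition fields and percent-encoded characters pass through.
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    fields = uri[len("cpe:/"):].split(":")
    if not 1 <= len(fields) <= 7 or fields[0] not in ("a", "h", "o"):
        raise ValueError("malformed CPE 2.2 URI: %r" % uri)
    fields += [""] * (7 - len(fields))               # omitted trailing components
    values = [f or "*" for f in fields] + ["*"] * 4  # empty -> ANY; 2.3-only attributes -> ANY
    return "cpe:2.3:" + ":".join(values)

def cpe23_to_dict(fs):
    # Split a 2.3 formatted string into its eleven named attributes ("\:" escapes not handled).
    if not fs.startswith("cpe:2.3:"):
        raise ValueError("not a CPE 2.3 formatted string: %r" % fs)
    fields = fs[len("cpe:2.3:"):].split(":")
    if len(fields) != len(CPE23_ATTRS):
        raise ValueError("expected 11 attributes, got %d: %r" % (len(fields), fs))
    return dict(zip(CPE23_ATTRS, fields))

def cpe23_to_cpe22(fs):
    # Inverse for the seven attributes a 2.2 URI can carry: ANY ("*") becomes empty and
    # empty trailing components are dropped, following the 2.2 convention.
    attrs = cpe23_to_dict(fs)
    head = ["" if attrs[a] == "*" else attrs[a] for a in CPE23_ATTRS[:7]]
    while len(head) > 1 and head[-1] == "":
        head.pop()
    return "cpe:/" + ":".join(head)

def matches(query_fs, candidate_fs):
    # Wildcard comparison in the spirit of --search cpe: only the query's "*" acts as ANY,
    # every other attribute must be equal.
    query, cand = cpe23_to_dict(query_fs), cpe23_to_dict(candidate_fs)
    return all(query[a] == "*" or query[a] == cand[a] for a in CPE23_ATTRS)
```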

The search_cve() may return exploits when available.

 ./pyvfeed.py --search cve cve-2017-0199
 {
 "description": [
 {
  "id": "CVE-2017-0199",
  "parameters": {
    "modified": "2018-03-28T01:29Z",
    "published": "2017-04-12T14:59Z",
    "summary": "Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft     Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka \"Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API.\""
  }
 }
 ],
 "exploitation": [
 {
  "exploitdb": [
    {
      "id": "41894",
      "parameters": {
        "title": "Microsoft Word - '.RTF' Remote Code Execution",
        "file": "exploit-database/exploits/windows/remote/41894.py",
        "url": "https://www.exploit-db.com/exploits/41894/"
      }
    },
    {
      "id": "41934",
      "parameters": {
        "title": "Microsoft Office Word - '.RTF' Malicious HTA Execution (Metasploit)",
        "file": "exploit-database/exploits/windows/remote/41934.rb",
        "url": "https://www.exploit-db.com/exploits/41934/"
      }
     DATA REMOVED FOR CONFIDENTIALITY PURPOSES
    }
   }
   ]
   }

The search_cwe() function returns all vulnerabilities associated with the given CWE type.

 ./pyvfeed.py --search cwe cwe-89
 {
   "id": "CWE-89",
   "parameters": {
   "title": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
   "class": "weakness",
  "url": "https://cwe.mitre.org/data/definitions/89.html"
 },
  "vulnerability": [
    "CVE-2019-6805",
    "CVE-2019-6798",
    "CVE-2019-6691",
    "CVE-2019-6497",
    "CVE-2019-6296",
    "CVE-2019-6295",
    DATA REMOVED FOR CONFIDENTIALITY PURPOSES
    }
   }
   ]
   }

Updating database

Whenever a new customer is validated to acquire a license, a subscription email will be sent with the API keys. Review the Getting Started chapter for more information.

The update process is run with the --update module:

./pyvfeed.py --update
[+] Checking update status ...
    [-] Downloading update
    [-] Checksum verification 48a923ae7aa9d6a34b2a7e5ad3acc182627af923c1132c330a72dd6a680bd6c0
    [-] Already updated
[+] Cleaning tmp downloads .