STRLCPY/CVS

v1.1.0
有安科技 committed 5 months ago

df2ae1f8

■ ■ ■ ■ ■ ■

README.md

1	+	<h1 align="center">
2	+	<br>
3	+	<a href="https://www.uusec.com">CVS</a>
4	+	</h1>
5	+
6	+	<h4 align="center">Cosmos Vulnerability Scanner</h4>
7	+
8	+	<p align="center">
9	+	<a href="https://github.com/Safe3/CVS/releases"><img src="https://img.shields.io/github/downloads/Safe3/CVS/total">
10	+	<a href="https://github.com/Safe3/CVS/graphs/contributors"><img src="https://img.shields.io/github/contributors-anon/Safe3/CVS">
11	+	<a href="https://github.com/Safe3/CVS/releases/"><img src="https://img.shields.io/github/release/Safe3/CVS">
12	+	<a href="https://github.com/Safe3/CVS/issues"><img src="https://img.shields.io/github/issues-raw/Safe3/CVS">
13	+	<a href="https://github.com/Safe3/CVS/discussions"><img src="https://img.shields.io/github/discussions/Safe3/CVS">
14	+	</p>
15	+	<p align="center">
16	+	<a href="#features">Features</a> •
17	+	<a href="#usage">Usage</a> •
18	+	<a href="#for-security-engineers">For Security Engineers</a> •
19	+	<a href="#credits">Credits</a> •
20	+	<a href="#contact">Contact</a> •
21	+	<a href="#license">License</a>
22	+	</p>
23	+
24	+
25	+	<p align="center">
26	+	<a href="https://github.com/Safe3/CVS/blob/main/README.md">English</a>
27	+	<a href="https://github.com/Safe3/CVS/blob/main/README_CN.md">中文</a>
28	+	</p>
29	+
30	+
31	+	---
32	+
33	+	Like many products such as Nessus and Nuclei, CVS is used to scan for various network vulnerabilities, but it is more modern with a wait free OOB testing strategy, advanced vulnerability PoC IDE, and powerful VDSL (Vulnerability Domain Specific Language) engine, allowing you to easily and quickly scan almost all vulnerabilities. It also has features such as lightweight, single binary file, cross platform, and no additional dependencies.
34	+
35	+	## Features
36	+
37	+	<h3 align="center">
38	+	<img src="https://github.com/Safe3/CVS/blob/main/cvs.png" alt="CVS" width="700px">
39	+	<br>
40	+	</h3>
41	+
42	+	- Powerful PoC scripting language - VDSL (Domain Specific Language)
43	+	- Advanced and easy-to-use PoC development and debugging environment - CVS PoC IDE
44	+	- More modern and wait free OOB server
45	+	- A high-speed and high-performance vulnerability scanning engine
46	+	- Compatible with almost all Nuclei's helper functions , so you can easily convert Nuclei templates to CVS PoC
47	+	- Easily extract Senluo's network services and fingerprint information
48	+	- Lightweight, single binary file, cross platform, and no additional dependencies
49	+	- Output format support - JSON
50	+
51	+	## Usage
52	+	CVS consists of three parts: CVS scanner, PoC IDE, and OOB server. CVS scanner is used to read the scaned target information generated by Senluo and load PoC for vulnerability scanning. PoC IDE is used to write and debug vulnerability scripts and generate PoC files. OOB server is used for reverse connection platforms such as some vulnerabilities without echo to confirm the existence of vulnerabilities.
53	+
54	+	### Write PoC
55	+
56	+	Command line running IDE
57	+
58	+	```sh
59	+	ide.exe
60	+	```
61	+
62	+	Open http://127.0.0.1:777/ with the browser,you will see the PoC development environment, which provides functions such as PoC writing, debugging, and saving, and supports code completion and intelligent prompts, as shown in the following picture:
63	+
64	+	<h3 align="center">
65	+	<img src="https://github.com/Safe3/CVS/blob/main/ide.png" alt="IDE" width="700px">
66	+	<br>
67	+	</h3>
68	+
69	+
70	+	The upper right corner of the above picture shows the Run, Save, and Refresh buttons, which are used to debug PoC scripts. The syntax of the script is similar to Golang. The cvs structure in the picture will be automatically generated by the CVS scanner based on target.json, without the need for implementation. It is only convenient for testing during debugging and can be declared by oneself. This picture shows the writing process of the CVE-2022-46169 no echo vulnerability test script. CVS IDE provides the debug function for printing debugging information, which is compatible with fmt.Printf in the go language The usage is shown in the text box below. For vulnerabilities with echoes, the existence of the vulnerability can be confirmed directly by returning true. For scenarios that require some information to be returned, such as password cracking, a string can be returned to save the result, which is located in the info field of the result. json generated by the CVS scanner. The functions in the PoC script are compatible with the help functions of Nuclei, please refer to them for details https://docs.projectdiscovery.io/templates/reference/helper-functions So it is very convenient to convert Nuclei's vulnerability template into CVS's PoC. For more PoC examples, please refer to the yaml file in the poc directory of the CVS scanner.
71	+
72	+	### Setting up an OOB server
73	+
74	+	The full name of OOB is Out-of-Band. Many vulnerability tests do not directly echo any information, and an OOB server needs to be set up on the public network to receive the results of successful vulnerability testing. Usually, OOB servers receive connection requests triggered by vulnerability testing, such as DNS, HTTP, ldap, rmi, FTP, etc., and return the results to the CVS scanner.
75	+
76	+	1.First, upload the OOB server to a publicly accessible server
77	+
78	+	2.Running OOB server will automatically generate a configuration file named cfg.yml
79	+
80	+	3.Modify the configuration file: domain is the root domain name to be resolved by the DNS server, token is the authentication token for CVS scanner to connect to the OOB server, external_ip is the public IP of the server, and SSL is whether the CVS scanner connects to the OOB server to enable SSL connection. If it is true, the TLS certificate server.crt and private key server.key in PEM format need to be put
81	+
82	+	```yaml
83	+	domain: example.com
84	+	token: clt5j6r4uu422g7i8rrg
85	+	external_ip: 3.1.1.1
86	+	ssl: false
87	+	log_level: info
88	+	```
89	+
90	+	4.Open ports 80, 53, and 33333 on the server, and set the OOB server as the NS resolution server. For example, domain names on Alibaba Cloud can be referenced https://help.aliyun.com/zh/dws/user-guide/custom-dns-host to perform configuration
91	+
92	+	### Enable CVS scanner
93	+
94	+	There are three directories under the CVS scanner: poc, lib, and db, as well as a configuration file cfg.yml. The poc directory is the PoC storage directory, with subdirectories named after the service protocol. The lib directory is a directory for storing user-defined VDSL library files. The db directory is used to store database files with detailed information on non echo vulnerabilities. The configuration file cfg.yml is as follows：
95	+
96	+	```yaml
97	+	oob_url: http://3.1.1.1
98	+	oob_dns: example.com
99	+	oob_server: "http://3.1.1.1:33333/events/"
100	+	oob_token: "clt5j6r4uu422g7i8rrg"
101	+	threads: 36
102	+	log_level: error
103	+	```
104	+
105	+	Above oob_url is the external network address of the OOB server, used for reverse connection of the HTTP protocol. Oob_dns is the root domain name of DNS, used for reverse connection of DNS protocol. Oob_server is a long connection communication URL that receives anti connection information. Oob_token corresponds to the authentication token on the OOB server. Threads is the number of concurrent threads in the CVS scanner.
106	+
107	+	After configured the above configuration, copy the target.json generated by the Senluo cyberpace search engine and execute CVS to start scanning for vulnerabilities.
108	+
109	+	CVS command-line options:
110	+
111	+
112	+	```console
113	+	Usage of cvs:
114	+	-i string
115	+	Input path of the targets json file (default "target.json")
116	+	-o string
117	+	Output path of the results json file (default "result.json")
118	+	```
119	+
120	+
121	+
122	+	## For Security Engineers
123	+
124	+	CVS offers great number of features that are helpful for security engineers to customise workflow in their organization. With the powerful PoC IDE and VDSL script language, security engineers can easily create their suite of custom checks with CVS.
125	+
126	+
127	+
128	+	## Credits
129	+
130	+	Thanks to all the amazing [community contributors for sending PRs](https://github.com/Safe3/CVS/graphs/contributors) and keeping this project updated. :heart:
131	+
132	+	If you have an idea or some kind of improvement, you are welcome to contribute and participate in the Project, feel free to send your PR.
133	+
134	+	<p align="center">
135	+	<a href="https://github.com/Safe3/CVS/graphs/contributors">
136	+	<img src="https://contrib.rocks/image?repo=Safe3/CVS&max=500">
137	+	</a>
138	+	</p>
139	+
140	+	## Contact
141	+
142	+	<p><span style="unicode-bidi: bidi-override; direction: rtl;">moc.cesuu@troppus</span></p>
143	+
144	+
145	+
146	+	## License
147	+
148	+	CVS is only for personal free use. If you want to use it for commercial purposes, please contact us for commercial authorization.
149	+

■ ■ ■ ■ ■ ■

README_CN.md

1	+	<h1 align="center">
2	+	<br>
3	+	<a href="https://www.uusec.com">CVS</a>
4	+	</h1>
5	+	<h4 align="center">万象漏洞扫描器</h4>
6	+
7	+	<p align="center">
8	+	<a href="https://github.com/Safe3/CVS/releases"><img src="https://img.shields.io/github/downloads/Safe3/CVS/total">
9	+	<a href="https://github.com/Safe3/CVS/graphs/contributors"><img src="https://img.shields.io/github/contributors-anon/Safe3/CVS">
10	+	<a href="https://github.com/Safe3/CVS/releases/"><img src="https://img.shields.io/github/release/Safe3/CVS">
11	+	<a href="https://github.com/Safe3/CVS/issues"><img src="https://img.shields.io/github/issues-raw/Safe3/CVS">
12	+	<a href="https://github.com/Safe3/CVS/discussions"><img src="https://img.shields.io/github/discussions/Safe3/CVS">
13	+	</p>
14	+	<p align="center">
15	+	<a href="#特色">特色</a> •
16	+	<a href="#使用">使用</a> •
17	+	<a href="#为安全工程师">为安全工程师</a> •
18	+	<a href="#感谢">感谢</a> •
19	+	<a href="#联系">联系</a> •
20	+	<a href="#授权">授权</a>
21	+	</p>
22	+
23	+
24	+
25	+
26	+	<p align="center">
27	+	<a href="https://github.com/Safe3/CVS/blob/main/README.md">English</a>
28	+	<a href="https://github.com/Safe3/CVS/blob/main/README_CN.md">中文</a>
29	+	</p>
30	+
31	+
32	+	---
33	+
34	+	与Nessus和Nuclei等许多产品一样，CVS用于扫描各种网络漏洞，但它更现代，具有免等待的OOB测试策略、高级漏洞PoC IDE和强大的VDSL（漏洞域特定语言）引擎，使您能够轻松快速地扫描几乎所有漏洞。它还具有轻量级、单一二进制文件、跨平台和无附加依赖性等特性。
35	+
36	+
37	+
38	+	## 特色
39	+
40	+	<h3 align="center">
41	+	<img src="https://github.com/Safe3/CVS/blob/main/cvs.png" alt="CVS" width="700px">
42	+	<br>
43	+	</h3>
44	+
45	+	- 强大的PoC脚本语言 - VDSL (Domain Specific Language)
46	+	- 先进易用的PoC开发和调试环境 - CVS PoC IDE
47	+	- 更现代化，无需等待OOB服务器
48	+	- 高速、高性能的漏洞扫描引擎
49	+	- 与几乎所有Nuclei的帮助函数功能兼容，因此您可以轻松地将Nuclei模板转换为CVS PoC
50	+	- 轻松提取森罗空间测绘引擎扫描的网络服务和指纹信息
51	+	- 轻量级、单一二进制文件、跨平台且无其他依赖关系
52	+	- 输出格式支持 - JSON
53	+
54	+
55	+
56	+	## 使用
57	+
58	+	CVS由三部分组成：CVS扫描器、PoC IDE和OOB服务器。CVS扫描器用于读取森罗空间测绘引擎生成的扫描目标信息，并加载PoC进行漏洞扫描。PoC IDE用于编写和调试漏洞脚本以及生成PoC文件。OOB服务器用于反向连接平台，如一些没有回显的漏洞，以确认漏洞的存在。
59	+
60	+
61	+	### 编写PoC
62	+
63	+	命令行运行IDE
64	+
65	+	```sh
66	+	ide.exe
67	+	```
68	+	浏览器打开http://127.0.0.1:777/即可看到PoC开发环境，该IDE提供了PoC的编写、调试和保存等功能，并支持代码补全和智能提示，如下图所示：
69	+
70	+	<h3 align="center">
71	+	<img src="https://github.com/Safe3/CVS/blob/main/ide.png" alt="IDE" width="700px">
72	+	<br>
73	+	</h3>
74	+
75	+	上图右上角分别为运行、保存、刷新按钮，运行按钮用于调试PoC脚本，该脚本语法类似golang，图中cvs结构体在CVS扫描器中会自动根据target.json生成，无需实现，仅在调试时方便测试，自行声明。此图展示的是CVE-2022-46169无回显漏洞测试脚本的编写过程，图中提供了debug函数用于打印调试信息，该函数兼容go语言中fmt.Printf的用法，结果显示于下方方框。对于有回显的漏洞可以直接通过return true返回来确认漏洞存在，对于需要返回一些信息的场景，如密码破解等，可以return一个字符串来保存结果，结果位于CVS扫描器生成的result.json中的info字段中。PoC脚本中的函数兼容Nuclei的帮助函数，详见https://docs.projectdiscovery.io/templates/reference/helper-functions，所以可以很方便的将Nuclei的漏洞模板转换成CVS的PoC。更多PoC样例可参考CVS扫描器poc目录下的yaml文件。
76	+
77	+	### 架设OOB服务器
78	+
79	+	OOB全称Out-of-Band，有很多漏洞测试时并不直接回显任何信息，需要在公网架设一台OOB服务器来接收漏洞是否测试成功的结果。通常OOB服务器会接收漏洞测试所触发的dns、http、ldap、rmi、ftp等连接请求，并将结果返回给CVS扫描器。
80	+
81	+	1.首先将oob-server上传到公网可访问的服务器上
82	+
83	+	2.运行oob-server会自动生成一个名为cfg.yml的配置文件
84	+
85	+	3.修改配置文件：domain为dns服务器要解析的根域名，token为CVS扫描器连接OOB服务器的认证token，external_ip为该服务器的公网ip，ssl为CVS扫描器连接OOB服务器是否启用ssl连接，若为true则需要上传pem格式的tls证书server.crt和私钥server.key
86	+
87	+	```yaml
88	+	domain: example.com
89	+	token: clt5j6r4uu422g7i8rrg
90	+	external_ip: 3.1.1.1
91	+	ssl: false
92	+	log_level: info
93	+	```
94	+
95	+	4.放开服务器的80、53、33333端口访问，并将OOB服务器设置为NS解析服务器，如阿里云上的域名可以参考https://help.aliyun.com/zh/dws/user-guide/custom-dns-host进行配置
96	+
97	+	### 开启CVS扫描器
98	+
99	+	CVS扫描器下面有poc、lib、db三个目录和一个配置文件cfg.yml。poc目录为PoC存放目录，子目录以服务协议命名。lib目录为用户自定义的VDSL库文件存放目录。db目录用于存放无回显漏洞详细信息的数据库文件。配置文件cfg.yml如下：
100	+
101	+	```yaml
102	+	oob_url: http://3.1.1.1
103	+	oob_dns: example.com
104	+	oob_server: "http://3.1.1.1:33333/events/"
105	+	oob_token: "clt5j6r4uu422g7i8rrg"
106	+	threads: 36
107	+	log_level: error
108	+	```
109	+
110	+	上面oob_url为OOB服务器的外网地址，用于http协议的反连。oob_dns为dns的根域名，用于dns协议的反连。oob_server为接收反连信息的长连接通信url。oob_token对应OOB服务器上的认证token。threads为CVS扫描器的并发线程数。
111	+
112	+	配置好上面配置后，将森罗网络空间测绘引擎生成的target.json拷过来，执行cvs即可开始扫描漏洞。
113	+
114	+	CVS命令行选项
115	+
116	+
117	+	```console
118	+	Usage of cvs:
119	+	-i string
120	+	扫描的目标输入文件路径（默认为森罗输出的“target.json”）
121	+	-o string
122	+	扫描结果输出文件路径（默认为“result.json”）
123	+	```
124	+
125	+
126	+
127	+	## 为安全工程师
128	+
129	+	CVS提供了大量功能，有助于安全工程师在其组织中自定义工作流程。通过强大的PoC IDE和VDSL脚本语言，安全工程师可以轻松地使用CVS创建他们的自定义漏洞检测平台。
130	+
131	+
132	+
133	+	## 感谢
134	+
135	+	感谢所有了不起的[社区贡献者发送PR](https://github.com/safe3/cvs/graphs/contributors)并不断更新此项目。请支持我们的朋友点个:heart:赞。
136	+
137	+	如果你有想法或某种改进，欢迎你贡献并参与该项目，随时发送你的PR。
138	+
139	+	<p align="center">
140	+	<a href="https://github.com/Safe3/CVS/graphs/contributors">
141	+	<img src="https://contrib.rocks/image?repo=Safe3/CVS&max=500">
142	+	</a>
143	+	</p>
144	+
145	+	## 联系
146	+
147	+	<p><span style="unicode-bidi: bidi-override; direction: rtl;">moc.cesuu@troppus</span></p>
148	+
149	+
150	+
151	+	## 授权
152	+
153	+	CVS 仅用于个人免费使用，如要进行商业用途请联系我们获取商业授权。
154	+

cvs.png
ide.png

v1.1.0