Xml file with application vulnerability

Started by berghem, August 01, 2012, 12:27:01 PM

Previous topic - Next topic

berghem

Hi all
Is there a xml file (or similar) with  the common application vulnerabilities?
For example I wish had a file with this structure

Apllication : Internet Explore 6
Vulnerability: vuln 1 vuln 2
exploit : ....

In other word, a file with this export (http://www.exploit-db.com/) but only application vulnerability....
Exist it?
I found in the NIST site or CVE  but nothing...

r083rt

#1
QuoteApllication : Internet Explore 6
Vulnerability: vuln 1 vuln 2
exploit : ....

1 ) what are you trying to do ?  ## IN DETAIL
2 ) Internet explorer 6 ???

QuoteIn other word, a file with this export (http://www.exploit-db.com/) but only application vulnerability....
Exist it?

XML of EXPLOITDB ???

is what your tying to do is export all the exploits into an xml and if so why ???
but Im still unsure what you are trying to achieve PLEASE ENLIGHTEN  me in detail EXACTLY to your end goal

berghem

I want to write a tool for passive vulnerability scanner, for example, if I sniff the traffic and I have a cap file I can check if the client use a vulnerability application and if I see that the client use internet explorer 6 or pidgin or other application, I can check in a my database (xml file in this case) that the application is vulnerability, and i have immediately the available exploit.

r083rt

#3
so what you what to do is have a script to extract exploit db and any exploit that is x will be listed

example....  exploit for explorer or mysql

the script will check against the exploit database and if there is one it will be listed in your script or used to start an attack with that
exploit


berghem

Yes, with application and version I check in my database. In other word, I want to automize (in part) the pentest.

r083rt

ok well there is many ways to do it .....


it really depends on what your script is designed to do and xml hmm well if you want to use that to import into other tools fine
but would'nt confine your self to xml and if I was you I would rethink it

If you supply the tool specs i.e SRS so I can see what your ideas are



berghem

I don't write script in this moment, i would like write to program....
I think xml file, but not binding, csv file or db at the same, for me it is indifferent....
When I find the file or db, I will start to write the program

r083rt


ok well you need to do an SRS ( SOFTWARE REQUIREMENT SPECIFICATION ) and plan out what you want it to do and
which way you want to extract the info from exploitdb and display or use the required information if it meets the terms of your requirements in your script or program

simply thinking about importing exploitb into xml  isnt going to do what you are looking for it to do there is a lot more that is involved to getting to what you want to build if you require help on building your program and want help the please outline your SRS and a detailed plan and start to work on it and the community will help on aspects of programming it..  they wont do it all for you but I'm sure we will help to get you started

if you feel that I have misunderstood what your are trying to do please post and Ill get weVeg to look at your post and see
if he can decrypt your post  :P

r083rt

thisismyname

#8
I am also not sure what it is that you are trying to do. But ...
Warning
I am not pentester but
 
There is already a api for exploit db
http://www.exploit-db.com/exploit-database-new-features/

Most API get you the info via xml and if they don't move on or screen-scrape
Now QT-quick(QML) has a great "Element" called XMLListModel
http://doc.qt.nokia.com/4.7-snapshot/qml-xmllistmodel.html
what this does is lets you connect to a api and render the xml how ever you would like. Now there is a bit more to it then that but here is some video that will get you started with the over all idea.
http://qt-project.org/videos#s-qt-quick

next I guess would be to set up some sorta DB (or not )lucky for you the QT framework comes with sqllight out of the box.
I guess that it is just about case and if statements after that.
I hope that this helps.