云安全中心API应急漏洞扫描实战


云安全中心应急漏洞扫描

云安全中心是一个实时识别、分析、预警安全威胁的统一安全管理系统,通过防勒索、防病毒、防篡改、合规检查等安全能力,实现威胁检测、告警响应、攻击溯源的自动化安全运营闭环,保护云上资产和本地服务器安全,并满足监管合规要求。

前提条件配置

①子账户生成阿里云的AKSK信息,授权云安全中心权限

②python环境配置

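# Build prerequisites for Python 3.10.4 (CentOS/RHEL family; yum is used below).
yum -y install zlib-devel bzip2-devel openssl-devel ncurses-devel gdbm-devel sqlite-devel readline-devel tk-devel gcc make libffi-devel gcc-c++ libffi zlib zlib-dev libssl-dev db4-devel libpcap-devel xz-devel

# Download Python 3.10.4.
# Check the tarball against the checksum/signature published next to the download before building it.
wget -c https://www.python.org/ftp/python/3.10.4/Python-3.10.4.tgz

# Unpack and build.
tar -zxvf Python-3.10.4.tgz
cd Python-3.10.4/
# NOTE(review): `--with-ssl` does not appear to be a CPython configure option and is
# ignored; the supported switch is `--with-openssl=/path/to/openssl`, which also makes
# the Modules/Setup edit further down unnecessary once a private OpenSSL exists.
./configure --with-ssl
make && make install

# Keep the distro's python (yum depends on it) and point `python` at the new python3.
mv /usr/bin/python /usr/bin/python.bak
ln -s /usr/local/bin/python3 /usr/bin/python

which pip3

# yum is written for the system python2: pin its shebangs back after the symlink change.
#   vi /usr/libexec/urlgrabber-ext-down   -> first line: #!/usr/bin/python2
#   vi /usr/bin/yum                       -> first line: #!/usr/bin/python2

# SDK modules. Use pip3 for both installs so they land in the same interpreter
# (the original used bare `pip` for the second one).
pip3 install --upgrade pip
pip3 install alibabacloud_sas20181203==1.1.13
pip3 install alibabacloud_tea_console

# If `import ssl` fails with
#   ImportError: cannot import name 'OPENSSL_VERSION_NUMBER' from '_ssl' (unknown location)
# build a private OpenSSL and rebuild Python against it:

# OpenSSL 1.1.1 is past upstream end-of-life (September 2023); prefer a supported
# release and verify the download before use.
wget -c https://www.openssl.org/source/openssl-1.1.1n.tar.gz
tar -zxvf openssl-1.1.1n.tar.gz
cd openssl-1.1.1n
./config --prefix=/usr/local/openssl
make && make install      # the original read `make instal`
mv /usr/bin/openssl /usr/bin/openssl.bak
# Replacing the system openssl binary affects every tool that calls it; the private
# prefix alone is sufficient for the Python build.
ln -sf /usr/local/openssl/bin/openssl /usr/bin/openssl
echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
ldconfig -v

# Check the version that is now on PATH.
openssl version

# Point the _ssl module at the private OpenSSL (Modules/Setup, around line 211):
vim /root/Python-3.10.4/Modules/Setup
#   OPENSSL=/usr/local/openssl
#   _ssl _ssl.c \
#       -I$(OPENSSL)/include -L$(OPENSSL)/lib \
#       -lssl -lcrypto

# Finally rebuild and reinstall Python 3.10.4.
cd Python-3.10.4/
./configure
make && make install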

一、扫描获取特定应急漏洞的名称信息

如扫描fastjson <= 1.2.80 反序列化任意代码执行漏洞

API文档 https://help.aliyun.com/document_detail/421691.html

Lang:zh

RiskStatus:y

ScanType:python

CheckType:fastjson <= 1.2.80 反序列化任意代码执行漏洞

VulName:

{
  "TotalCount": 1,
  "RequestId": "A79C0E69-CE10-5688-8D01-7322BD3715C8",
  "PageSize": 5,
  "CurrentPage": 1,
  "GroupedVulItems": [
    {
      "Status": 30,
      "PendingCount": 116,
      "Type": "python",
      "Description": "fastjson已使用黑白名单用于防御反序列化漏洞,经研究该利用在特定条件下可绕过默认autoType关闭限制,攻击远程服务器,风险影响较大。建议fastjson用户尽快采取安全措施保障系统安全。\n\n特定依赖存在下影响 ≤1.2.80。",
      "CheckType": 1,
      "AliasName": "fastjson <= 1.2.80 反序列化任意代码执行漏洞【原理扫描】",
      "GmtLastCheck": 1653471386000,
      "GmtPublish": 1653273837000,
      "Name": "emg:SCA:AVD-2022-1243027"
    }
  ]
}

得到特定应急漏洞名称信息为emg:SCA:AVD-2022-1243027

pip install alibabacloud_sas20181203==1.1.13

pip install alibabacloud_tea_console

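# -*- coding: utf-8 -*-
# Query Cloud Security Center (SAS) for one emergency-vulnerability item by name.
#
# Based on the SDK's auto-generated sample. The credential handling has been
# changed: create_client really uses the AccessKey pair it is handed (the
# original ignored both parameters and used literal values), and the pair is
# read from the environment so no secret ever lives in this file.
import os
import sys

from typing import List, Tuple
from Tea.core import TeaCore

from alibabacloud_sas20181203.client import Client as Sas20181203Client
from alibabacloud_tea_openapi import models as open_api_models
from alibabacloud_sas20181203 import models as sas_20181203_models
from alibabacloud_tea_util import models as util_models
from alibabacloud_tea_console.client import Client as ConsoleClient
from alibabacloud_tea_util.client import Client as UtilClient

# Environment variables carrying the AccessKey pair of the RAM sub-account
# that was granted Cloud Security Center permissions.
ENV_ACCESS_KEY_ID = 'ACCESS_KEY_ID'
ENV_ACCESS_KEY_SECRET = 'ACCESS_KEY_SECRET'

# Item being looked up (DescribeEmgVulItem.VulName).
EMG_VUL_NAME = 'fastjson <= 1.2.80 反序列化任意代码执行漏洞'


def _credentials_from_env() -> Tuple[str, str]:
    """
    Read the AccessKey pair from the environment.

    @return: (access_key_id, access_key_secret)
    @raise RuntimeError: if either variable is unset, naming the missing one
    """
    try:
        return os.environ[ENV_ACCESS_KEY_ID], os.environ[ENV_ACCESS_KEY_SECRET]
    except KeyError as missing:
        raise RuntimeError(f'environment variable {missing.args[0]} is not set') from None


def _build_request() -> sas_20181203_models.DescribeEmgVulItemRequest:
    """Build the DescribeEmgVulItem request shared by the sync and async entry points."""
    return sas_20181203_models.DescribeEmgVulItemRequest(
        lang='zh',
        # Parameter values as given in the article's parameter list.
        risk_status='y',
        scan_type='python',
        vul_name=EMG_VUL_NAME,
    )


class Sample:
    def __init__(self):
        pass

    @staticmethod
    def create_client(
        access_key_id: str,
        access_key_secret: str,
    ) -> Sas20181203Client:
        """
        使用AK&SK初始化账号Client
        @param access_key_id: AccessKey ID of the RAM user
        @param access_key_secret: matching AccessKey Secret
        @return: Client
        @throws Exception
        """
        config = open_api_models.Config(
            access_key_id=access_key_id,
            access_key_secret=access_key_secret,
        )
        # Cloud Security Center endpoint used throughout the article.
        config.endpoint = 'tds.aliyuncs.com'
        return Sas20181203Client(config)

    @staticmethod
    def main(
        args: List[str],
    ) -> None:
        """Query the item synchronously and print the full response as JSON."""
        client = Sample.create_client(*_credentials_from_env())
        runtime = util_models.RuntimeOptions()
        resp = client.describe_emg_vul_item_with_options(_build_request(), runtime)
        ConsoleClient.log(UtilClient.to_jsonstring(TeaCore.to_map(resp)))

    @staticmethod
    async def main_async(
        args: List[str],
    ) -> None:
        """Asynchronous counterpart of main()."""
        client = Sample.create_client(*_credentials_from_env())
        runtime = util_models.RuntimeOptions()
        resp = await client.describe_emg_vul_item_with_options_async(_build_request(), runtime)
        ConsoleClient.log(UtilClient.to_jsonstring(TeaCore.to_map(resp)))


if __name__ == '__main__':
    Sample.main(sys.argv[1:])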

二、根据特定的应急漏洞执行扫描任务

Lang:zh

Name:emg:SCA:AVD-2022-1243027

UserAgreement:yes

{
  "RequestId": "08744049-2F38-54BF-A7E7-529B5226AC9E"
}

pip install alibabacloud_sas20181203==1.1.13

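# -*- coding: utf-8 -*-
# Submit a Cloud Security Center (SAS) scan for one emergency-vulnerability item.
#
# Based on the SDK's auto-generated sample. create_client now really uses the
# AccessKey pair it is handed (the original ignored both parameters and used
# literal values), and the pair is read from the environment.
import os
import sys

from typing import List, Tuple
from Tea.core import TeaCore

from alibabacloud_sas20181203.client import Client as Sas20181203Client
from alibabacloud_tea_openapi import models as open_api_models
from alibabacloud_sas20181203 import models as sas_20181203_models
from alibabacloud_tea_util import models as util_models
from alibabacloud_tea_console.client import Client as ConsoleClient
from alibabacloud_tea_util.client import Client as UtilClient

# Environment variables carrying the AccessKey pair of the RAM sub-account.
ENV_ACCESS_KEY_ID = 'ACCESS_KEY_ID'
ENV_ACCESS_KEY_SECRET = 'ACCESS_KEY_SECRET'

# Default item: the Name that DescribeEmgVulItem returned for the fastjson <= 1.2.80 item.
DEFAULT_EMG_VUL_NAME = 'emg:SCA:AVD-2022-1243027'


def _credentials_from_env() -> Tuple[str, str]:
    """
    Read the AccessKey pair from the environment.

    @return: (access_key_id, access_key_secret)
    @raise RuntimeError: if either variable is unset, naming the missing one
    """
    try:
        return os.environ[ENV_ACCESS_KEY_ID], os.environ[ENV_ACCESS_KEY_SECRET]
    except KeyError as missing:
        raise RuntimeError(f'environment variable {missing.args[0]} is not set') from None


def _build_request(name: str) -> sas_20181203_models.ModifyEmgVulSubmitRequest:
    """Build the ModifyEmgVulSubmit request for *name*, shared by both entry points."""
    return sas_20181203_models.ModifyEmgVulSubmitRequest(
        lang='zh',
        name=name,
        user_agreement='yes',
    )


def _vul_name(args: List[str]) -> str:
    """First command-line argument if given, else the article's default item."""
    return args[0] if args else DEFAULT_EMG_VUL_NAME


class Sample:
    def __init__(self):
        pass

    @staticmethod
    def create_client(
        access_key_id: str,
        access_key_secret: str,
    ) -> Sas20181203Client:
        """
        使用AK&SK初始化账号Client
        @param access_key_id: AccessKey ID of the RAM user
        @param access_key_secret: matching AccessKey Secret
        @return: Client
        @throws Exception
        """
        config = open_api_models.Config(
            access_key_id=access_key_id,
            access_key_secret=access_key_secret,
        )
        # Cloud Security Center endpoint used throughout the article.
        config.endpoint = 'tds.aliyuncs.com'
        return Sas20181203Client(config)

    @staticmethod
    def main(
        args: List[str],
    ) -> None:
        """Submit the scan synchronously and print the response as JSON."""
        client = Sample.create_client(*_credentials_from_env())
        runtime = util_models.RuntimeOptions()
        resp = client.modify_emg_vul_submit_with_options(_build_request(_vul_name(args)), runtime)
        ConsoleClient.log(UtilClient.to_jsonstring(TeaCore.to_map(resp)))

    @staticmethod
    async def main_async(
        args: List[str],
    ) -> None:
        """Asynchronous counterpart of main()."""
        client = Sample.create_client(*_credentials_from_env())
        runtime = util_models.RuntimeOptions()
        resp = await client.modify_emg_vul_submit_with_options_async(_build_request(_vul_name(args)), runtime)
        ConsoleClient.log(UtilClient.to_jsonstring(TeaCore.to_map(resp)))


if __name__ == '__main__':
    Sample.main(sys.argv[1:])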

执行脚本后,可在阿里云云安全中心看到应急漏洞"fastjson <= 1.2.80 反序列化任意代码执行漏洞"开始执行扫描任务。

三、应急漏洞全部扫描

Types:"emg"

Uuids:

cve:Linux软件漏洞
sys:Windows系统漏洞
cms:Web-CMS漏洞
app:应用漏洞
emg:应急漏洞
image:容器镜像漏洞

pip install alibabacloud_sas20181203==1.1.13

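# -*- coding: utf-8 -*-
# Start a Cloud Security Center (SAS) scan for a whole vulnerability category.
#
# Based on the SDK's auto-generated sample. create_client now really uses the
# AccessKey pair it is handed (the original ignored both parameters and used
# literal values), and the pair is read from the environment.
import os
import sys

from typing import List, Tuple
from Tea.core import TeaCore

from alibabacloud_sas20181203.client import Client as Sas20181203Client
from alibabacloud_tea_openapi import models as open_api_models
from alibabacloud_sas20181203 import models as sas_20181203_models
from alibabacloud_tea_util import models as util_models
from alibabacloud_tea_console.client import Client as ConsoleClient
from alibabacloud_tea_util.client import Client as UtilClient

# Environment variables carrying the AccessKey pair of the RAM sub-account.
ENV_ACCESS_KEY_ID = 'ACCESS_KEY_ID'
ENV_ACCESS_KEY_SECRET = 'ACCESS_KEY_SECRET'

# Category to scan (ModifyStartVulScan.Types); "emg" = emergency vulnerabilities.
# NOTE(review): the value is passed with the embedded double quotes exactly as the
# article shows it — confirm against the API reference whether a bare emg is expected.
VUL_TYPES = '"emg"'


def _credentials_from_env() -> Tuple[str, str]:
    """
    Read the AccessKey pair from the environment.

    @return: (access_key_id, access_key_secret)
    @raise RuntimeError: if either variable is unset, naming the missing one
    """
    try:
        return os.environ[ENV_ACCESS_KEY_ID], os.environ[ENV_ACCESS_KEY_SECRET]
    except KeyError as missing:
        raise RuntimeError(f'environment variable {missing.args[0]} is not set') from None


def _build_request() -> sas_20181203_models.ModifyStartVulScanRequest:
    """Build the ModifyStartVulScan request shared by both entry points."""
    return sas_20181203_models.ModifyStartVulScanRequest(
        types=VUL_TYPES,
    )


class Sample:
    def __init__(self):
        pass

    @staticmethod
    def create_client(
        access_key_id: str,
        access_key_secret: str,
    ) -> Sas20181203Client:
        """
        使用AK&SK初始化账号Client
        @param access_key_id: AccessKey ID of the RAM user
        @param access_key_secret: matching AccessKey Secret
        @return: Client
        @throws Exception
        """
        config = open_api_models.Config(
            access_key_id=access_key_id,
            access_key_secret=access_key_secret,
        )
        # Cloud Security Center endpoint used throughout the article.
        config.endpoint = 'tds.aliyuncs.com'
        return Sas20181203Client(config)

    @staticmethod
    def main(
        args: List[str],
    ) -> None:
        """Start the scan synchronously and print the response as JSON."""
        client = Sample.create_client(*_credentials_from_env())
        runtime = util_models.RuntimeOptions()
        resp = client.modify_start_vul_scan_with_options(_build_request(), runtime)
        ConsoleClient.log(UtilClient.to_jsonstring(TeaCore.to_map(resp)))

    @staticmethod
    async def main_async(
        args: List[str],
    ) -> None:
        """Asynchronous counterpart of main()."""
        client = Sample.create_client(*_credentials_from_env())
        runtime = util_models.RuntimeOptions()
        resp = await client.modify_start_vul_scan_with_options_async(_build_request(), runtime)
        ConsoleClient.log(UtilClient.to_jsonstring(TeaCore.to_map(resp)))


if __name__ == '__main__':
    Sample.main(sys.argv[1:])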

执行完脚本后应急漏洞服务全部开始扫描计划任务

四、导出应急漏洞列表信息

API文档信息 ExportVul - 导出漏洞列表 (aliyun.com)

Lang:zh

Type:emg

Uuids:

AliasName:fastjson <= 1.2.80 反序列化任意代码执行漏洞

Necessity:asap

Dealed:n

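# -*- coding: utf-8 -*-
# Create a Cloud Security Center (SAS) export of the findings for one emergency item.
#
# Based on the SDK's auto-generated sample. create_client now really uses the
# AccessKey pair it is handed — the original ignored both parameters and used
# literal values, so the EnvClient lookups in main() had no effect.
import sys

from typing import List, Tuple
from Tea.core import TeaCore

from alibabacloud_sas20181203.client import Client as SasClient
from alibabacloud_tea_openapi import models as open_api_models
from alibabacloud_darabonba_env.client import Client as EnvClient
from alibabacloud_sas20181203 import models as sas_models
from alibabacloud_tea_console.client import Client as ConsoleClient
from alibabacloud_tea_util.client import Client as UtilClient

# Environment variables carrying the AccessKey pair of the RAM sub-account.
ENV_ACCESS_KEY_ID = 'ACCESS_KEY_ID'
ENV_ACCESS_KEY_SECRET = 'ACCESS_KEY_SECRET'

# Item whose findings are exported (ExportVul.AliasName).
EMG_VUL_ALIAS = 'fastjson <= 1.2.80 反序列化任意代码执行漏洞'


def _credentials_from_env() -> Tuple[str, str]:
    """
    Read the AccessKey pair from the environment via EnvClient.

    Refuses to continue on an empty value so a misconfigured host fails here
    rather than with an opaque authentication error from the API.
    """
    access_key_id = EnvClient.get_env(ENV_ACCESS_KEY_ID)
    access_key_secret = EnvClient.get_env(ENV_ACCESS_KEY_SECRET)
    if not access_key_id or not access_key_secret:
        raise RuntimeError(f'{ENV_ACCESS_KEY_ID} and {ENV_ACCESS_KEY_SECRET} must both be set')
    return access_key_id, access_key_secret


def _build_request() -> sas_models.ExportVulRequest:
    """Build the ExportVul request shared by both entry points."""
    return sas_models.ExportVulRequest(
        lang='zh',
        type='emg',
        alias_name=EMG_VUL_ALIAS,
        # Parameter values as given in the article's parameter list.
        necessity='asap',
        dealed='n',
    )


class Sample:
    def __init__(self):
        pass

    @staticmethod
    def create_client(
        access_key_id: str,
        access_key_secret: str,
    ) -> SasClient:
        """
        使用AK&SK初始化账号Client
        @param access_key_id: AccessKey ID of the RAM user
        @param access_key_secret: matching AccessKey Secret
        @return: Client
        """
        config = open_api_models.Config()
        config.access_key_id = access_key_id
        config.access_key_secret = access_key_secret
        # Cloud Security Center endpoint used throughout the article.
        config.endpoint = 'tds.aliyuncs.com'
        return SasClient(config)

    @staticmethod
    def main(
        args: List[str],
    ) -> None:
        """Create the export synchronously and print the response body (FileName, Id, RequestId) as JSON."""
        client = Sample.create_client(*_credentials_from_env())
        export_response = client.export_vul(_build_request())
        ConsoleClient.log(f'response is {UtilClient.to_jsonstring(TeaCore.to_map(export_response.body))}')

    @staticmethod
    async def main_async(
        args: List[str],
    ) -> None:
        """Asynchronous counterpart of main()."""
        client = Sample.create_client(*_credentials_from_env())
        export_response = await client.export_vul_async(_build_request())
        ConsoleClient.log(f'response is {UtilClient.to_jsonstring(TeaCore.to_map(export_response.body))}')


if __name__ == '__main__':
    Sample.main(sys.argv[1:])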

得到值为

[LOG] response is { "FileName": "emg_20220526", "Id": 102889, "RequestId": "A15E37DA-10C8-542D-8D59-CCCB5E6837E4"}

在执行脚本的时候可以通过过滤id号得到漏洞导出任务的ID信息,最后得到值为102889

python3 exportall.py | grep \"Id\" | awk -F\: '{print $3}' | awk -F\, '{print $1}'

通过ExportId的102889获取文件下载

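# -*- coding: utf-8 -*-
# Fetch the details (download link) of a Cloud Security Center (SAS) vulnerability export.
#
# Based on the SDK's auto-generated sample. Two defects are fixed: create_client
# now really uses the AccessKey pair it is handed (the original ignored both
# parameters and used literal values), and the export id actually returned by
# ExportVul is used instead of the stale literal 102889 that was queried
# while `export_info_id` went unused.
import sys

from typing import List, Tuple
from Tea.core import TeaCore

from alibabacloud_sas20181203.client import Client as SasClient
from alibabacloud_tea_openapi import models as open_api_models
from alibabacloud_darabonba_env.client import Client as EnvClient
from alibabacloud_sas20181203 import models as sas_models
from alibabacloud_tea_console.client import Client as ConsoleClient
from alibabacloud_tea_util.client import Client as UtilClient

# Environment variables carrying the AccessKey pair of the RAM sub-account.
ENV_ACCESS_KEY_ID = 'ACCESS_KEY_ID'
ENV_ACCESS_KEY_SECRET = 'ACCESS_KEY_SECRET'

# Vulnerability type exported when no export id is supplied (as in the original sample).
DEFAULT_EXPORT_TYPE = 'cve'


def _credentials_from_env() -> Tuple[str, str]:
    """
    Read the AccessKey pair from the environment via EnvClient.

    Refuses to continue on an empty value so a misconfigured host fails here
    rather than with an opaque authentication error from the API.
    """
    access_key_id = EnvClient.get_env(ENV_ACCESS_KEY_ID)
    access_key_secret = EnvClient.get_env(ENV_ACCESS_KEY_SECRET)
    if not access_key_id or not access_key_secret:
        raise RuntimeError(f'{ENV_ACCESS_KEY_ID} and {ENV_ACCESS_KEY_SECRET} must both be set')
    return access_key_id, access_key_secret


def _build_export_request() -> sas_models.ExportVulRequest:
    """Build the ExportVul request used when a fresh export has to be created."""
    return sas_models.ExportVulRequest(
        type=DEFAULT_EXPORT_TYPE,
    )


def _build_info_request(export_id: int) -> sas_models.DescribeVulExportInfoRequest:
    """Build the DescribeVulExportInfo request for *export_id*."""
    return sas_models.DescribeVulExportInfoRequest(
        export_id=export_id,
    )


def _export_id_from_args(args: List[str]):
    """Return the export id given on the command line, or None when there is none."""
    return int(args[0]) if args else None


class Sample:
    def __init__(self):
        pass

    @staticmethod
    def create_client(
        access_key_id: str,
        access_key_secret: str,
    ) -> SasClient:
        """
        使用AK&SK初始化账号Client
        @param access_key_id: AccessKey ID of the RAM user
        @param access_key_secret: matching AccessKey Secret
        @return: Client
        """
        config = open_api_models.Config()
        config.access_key_id = access_key_id
        config.access_key_secret = access_key_secret
        # Cloud Security Center endpoint used throughout the article.
        config.endpoint = 'tds.aliyuncs.com'
        return SasClient(config)

    @staticmethod
    def main(
        args: List[str],
    ) -> None:
        """
        Print the export task's details as JSON.

        With an export id on the command line (e.g. the 102889 obtained in the
        previous step) that task is queried directly; otherwise a new export is
        created first and the id from its response is queried.
        """
        client = Sample.create_client(*_credentials_from_env())
        export_id = _export_id_from_args(args)
        if export_id is None:
            export_response = client.export_vul(_build_export_request())
            export_id = export_response.body.id
        # NOTE(review): a freshly created export may still be in progress; check the
        # returned task details for completion before using the link — confirm against the API reference.
        info_detail_response = client.describe_vul_export_info(_build_info_request(export_id))
        ConsoleClient.log(f'response is {UtilClient.to_jsonstring(TeaCore.to_map(info_detail_response.body))}')

    @staticmethod
    async def main_async(
        args: List[str],
    ) -> None:
        """Asynchronous counterpart of main()."""
        client = Sample.create_client(*_credentials_from_env())
        export_id = _export_id_from_args(args)
        if export_id is None:
            export_response = await client.export_vul_async(_build_export_request())
            export_id = export_response.body.id
        info_detail_response = await client.describe_vul_export_info_async(_build_info_request(export_id))
        ConsoleClient.log(f'response is {UtilClient.to_jsonstring(TeaCore.to_map(info_detail_response.body))}')


if __name__ == '__main__':
    Sample.main(sys.argv[1:])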

执行脚本得到附件的下载链接

python exportfile.py | awk -F\"Link\": '{print $2}' | awk -F\, '{print $1}' | xargs wget -O "emg_$(date +%Y%m%d).zip"

可以把zip文件解压后上传到oss存储中,通过脚本钉钉推送到指定群通知或者邮件推送指定的人

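# One-off setup: fetch ossutil and configure it.
wget https://gosspublic.alicdn.com/ossutil/1.7.9/ossutil64
chmod 755 ossutil64

./ossutil64 config
./ossutil64 ls oss://examplebucket -c /home/config

# ---- vulnerabilityDingtack.sh (vim vulnerabilityDingtack.sh) ----
#!/bin/bash
# Upload the day's emergency-vulnerability report (emg_YYYYMMDD.xlsx) to OSS and
# then announce it in a DingTalk group.
#
# Secrets come from the environment; nothing sensitive is stored in this file:
#   ALI_OSS_AK / ALI_OSS_SK   AccessKey pair of a RAM user limited to the target bucket
#   DINGTALK_ACCESS_TOKEN     webhook token of the group robot (it alone authorises posting)
set -euo pipefail

UPLOAD_TIME=$(date "+%Y%m%d")
REPORT="emg_${UPLOAD_TIME}.xlsx"

ALI_OSS_ENDPOINT="oss-cn-shanghai.aliyuncs.com"
ALI_OSS_AK="${ALI_OSS_AK:?ALI_OSS_AK is not set}"
ALI_OSS_SK="${ALI_OSS_SK:?ALI_OSS_SK is not set}"
DINGTALK_ACCESS_TOKEN="${DINGTALK_ACCESS_TOKEN:?DINGTALK_ACCESS_TOKEN is not set}"
WORKSPACE=/opt/kingen

# Upload target and notification link are derived from the same bucket/prefix so they
# cannot drift apart: the original copied to oss://backups/vulnerability/ but linked to
# the "vulnerability" bucket.
OSS_BUCKET="backups"
OSS_PREFIX="vulnerability"
REPORT_URL="https://${OSS_BUCKET}.${ALI_OSS_ENDPOINT}/${OSS_PREFIX}/${REPORT}"

echo "---------上传到OSS--------------------"
# Work in the directory that holds ossutil64 and the downloaded zip.
cd "${WORKSPACE}/"
./ossutil64 config -e "${ALI_OSS_ENDPOINT}" -i "${ALI_OSS_AK}" -k "${ALI_OSS_SK}"
unzip "emg_${UPLOAD_TIME}.zip"
# Upload the report (xlsx) to OSS.
./ossutil64 cp "./${REPORT}" "oss://${OSS_BUCKET}/${OSS_PREFIX}/"

# Notify only after the upload succeeded (set -e stops the script before this point
# otherwise), so the link in the message always resolves. The original sent the
# message first and uploaded afterwards.
# NOTE(review): the link is only reachable if the object is publicly readable; for a
# vulnerability report a pre-signed URL (e.g. ossutil64 sign) is the safer choice.
curl "https://oapi.dingtalk.com/robot/send?access_token=${DINGTALK_ACCESS_TOKEN}" \
  -H 'Content-Type: application/json' \
  -d '{
    "msgtype": "link",
    "link": {
      "text": "应急安全漏洞 \n",
      "title": "应急安全漏洞报告",
      "picUrl": "https://vulnerability.oss-cn-shanghai.aliyuncs.com/vulnerability/vulnerability.png",
      "messageUrl": "'"${REPORT_URL}"'"
    }
  }'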

来个开胃小菜

阿里云CDN刷新目录脚本(刷新之前更换AKSK密钥,并将object_path替换为需要刷新的网站URL地址)

pip install alibabacloud_cdn20180510==1.0.11

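# -*- coding: utf-8 -*-
# Refresh (purge) a directory in Alibaba Cloud CDN.
#
# Based on the SDK's auto-generated sample. The AccessKey pair is read from the
# environment instead of the placeholder literals passed in the original, and
# both entry points now refresh the same path (the original's sync and async
# variants carried two different hard-coded hosts).
import os
import sys

from typing import List, Tuple
from Tea.core import TeaCore

from alibabacloud_cdn20180510.client import Client as Cdn20180510Client
from alibabacloud_tea_openapi import models as open_api_models
from alibabacloud_cdn20180510 import models as cdn_20180510_models
from alibabacloud_tea_util import models as util_models
from alibabacloud_tea_console.client import Client as ConsoleClient
from alibabacloud_tea_util.client import Client as UtilClient

# Environment variables carrying the AccessKey pair of the RAM sub-account.
ENV_ACCESS_KEY_ID = 'ACCESS_KEY_ID'
ENV_ACCESS_KEY_SECRET = 'ACCESS_KEY_SECRET'

# Directory refreshed when none is given on the command line.
DEFAULT_OBJECT_PATH = 'https://uat.abc.com/'


def _credentials_from_env() -> Tuple[str, str]:
    """
    Read the AccessKey pair from the environment.

    @return: (access_key_id, access_key_secret)
    @raise RuntimeError: if either variable is unset, naming the missing one
    """
    try:
        return os.environ[ENV_ACCESS_KEY_ID], os.environ[ENV_ACCESS_KEY_SECRET]
    except KeyError as missing:
        raise RuntimeError(f'environment variable {missing.args[0]} is not set') from None


def _object_path(args: List[str]) -> str:
    """First command-line argument if given, else DEFAULT_OBJECT_PATH."""
    return args[0] if args else DEFAULT_OBJECT_PATH


def _build_request(object_path: str) -> cdn_20180510_models.RefreshObjectCachesRequest:
    """Build a directory-refresh request for *object_path*, shared by both entry points."""
    return cdn_20180510_models.RefreshObjectCachesRequest(
        object_path=object_path,
        object_type='Directory',
    )


class Sample:
    def __init__(self):
        pass

    @staticmethod
    def create_client(
        access_key_id: str,
        access_key_secret: str,
    ) -> Cdn20180510Client:
        """
        使用AK&SK初始化账号Client
        @param access_key_id: AccessKey ID of the RAM user
        @param access_key_secret: matching AccessKey Secret
        @return: Client
        @throws Exception
        """
        config = open_api_models.Config(
            access_key_id=access_key_id,
            access_key_secret=access_key_secret,
        )
        # CDN API endpoint.
        config.endpoint = 'cdn.aliyuncs.com'
        return Cdn20180510Client(config)

    @staticmethod
    def main(
        args: List[str],
    ) -> None:
        """Refresh the directory synchronously and print the response as JSON."""
        client = Sample.create_client(*_credentials_from_env())
        runtime = util_models.RuntimeOptions()
        resp = client.refresh_object_caches_with_options(_build_request(_object_path(args)), runtime)
        ConsoleClient.log(UtilClient.to_jsonstring(TeaCore.to_map(resp)))

    @staticmethod
    async def main_async(
        args: List[str],
    ) -> None:
        """Asynchronous counterpart of main()."""
        client = Sample.create_client(*_credentials_from_env())
        runtime = util_models.RuntimeOptions()
        resp = await client.refresh_object_caches_with_options_async(_build_request(_object_path(args)), runtime)
        ConsoleClient.log(UtilClient.to_jsonstring(TeaCore.to_map(resp)))


if __name__ == '__main__':
    Sample.main(sys.argv[1:])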

成功给https://uat.abc.com网站目录刷新。

