云安全中心 API 应急漏洞扫描实战指南

云安全中心应急漏洞扫描

云安全中心是一个实时识别、分析、预警安全威胁的统一安全管理系统，通过防勒索、防病毒、防篡改、合规检查等安全能力，实现威胁检测、告警响应、攻击溯源的自动化安全运营闭环，保护云上资产和本地服务器安全，并满足监管合规要求。

前提条件配置

①子账户生成阿里云的AKSK信息，授权云安全中心权限

②python环境配置

1安装依赖 2yum -y install zlib-devel bzip2-devel openssl-devel ncurses-devel gdbm-devel sqlite-devel readline-devel tk-devel gcc make libffi-devel gcc-c++ libffi zlib zlib-dev libssl-dev db4-devel libpcap-devel xz-devel 3 4 5下载python3.10.4 6wget -c https://www.python.org/ftp/python/3.10.4/Python-3.10.4.tgz 7 8解压python3.10.4 9tar -zxvf Python-3.10.4.tgz1011cd Python-3.10.4/12./configure --with-ssl13make && make install1415备份python文件16mv /usr/bin/python /usr/bin/python.bak1718#建立python3的软链接19ln -s /usr/local/bin/python3 /usr/bin/python2021which pip322#yum执行异常解决23vi /usr/libexec/urlgrabber-ext-down24#! /usr/bin/python22526vi /usr/bin/yum27#!/usr/bin/python2282930安装模块31pip3 install --upgrade pip32pip3 install alibabacloud_sas20181203==1.1.1333pip install alibabacloud_tea_console3435如果在import ssl调式报错ImportError: cannot import name 'OPENSSL_VERSION_NUMBER' from '_ssl' (unknown location)解决办法如下3637#下载安装openssl38wget -c https://www.openssl.org/source/openssl-1.1.1n.tar.gz39tar -zxvf openssl-1.1.1n.tar.gz40cd openssl-1.1.1n41./config --prefix=/usr/local/openssl 42make && make instal43mv /usr/bin/openssl /usr/bin/openssl.bak44ln -sf /usr/local/openssl/bin/openssl /usr/bin/openssl45echo "/usr/local/openssl/lib" >> /etc/ld.so.conf4647ldconfig -v4849#查询openssl版本50openssl version5152vim /root/Python-3.10.4/Modules/Setup53211 OPENSSL=/usr/local/openssl54212 _ssl _ssl.c \55213 -I$(OPENSSL)/include -L$(OPENSSL)/lib \56214 -lssl -lcrypto575859最后在执行下python3.10.4安装60cd Python-3.10.4/61./configure 62make && make install

一、扫描获取特定应急漏洞的名称信息

如扫描fastjson <= 1.2.80 反序列化任意代码执行漏洞

API文档 https://help.aliyun.com/document_detail/421691.html

Lang:zh

RiskStatus:y

ScanType:python

CheckType:fastjson <= 1.2.80 反序列化任意代码执行漏洞

VulName:

1{ 2 "TotalCount": 1, 3 "RequestId": "A79C0E69-CE10-5688-8D01-7322BD3715C8", 4 "PageSize": 5, 5 "CurrentPage": 1, 6 "GroupedVulItems": [ 7 { 8 "Status": 30, 9 "PendingCount": 116,10 "Type": "python",11 "Description": "fastjson已使用黑白名单用于防御反序列化漏洞，经研究该利用在特定条件下可绕过默认autoType关闭限制，攻击远程服务器，风险影响较大。建议fastjson用户尽快采取安全措施保障系统安全。\n\n特定依赖存在下影响 ≤1.2.80。",12 "CheckType": 1,13 "AliasName": "fastjson <= 1.2.80 反序列化任意代码执行漏洞【原理扫描】",14 "GmtLastCheck": 1653471386000,15 "GmtPublish": 1653273837000,16 "Name": "emg:SCA:AVD-2022-1243027"17 }18 ]19}

得到特定应急漏洞名称信息为emg:SCA:AVD-2022-1243027

pip install alibabacloud_sas20181203==1.1.13

pip install alibabacloud_tea_console

1# -*- coding: utf-8 -*- 2# This file is auto-generated, don't edit it. Thanks. 3import sys 4 5from typing import List 6from Tea.core import TeaCore 7 8from alibabacloud_sas20181203.client import Client as Sas20181203Client 9from alibabacloud_tea_openapi import models as open_api_models10from alibabacloud_sas20181203 import models as sas_20181203_models11from alibabacloud_tea_util import models as util_models12from alibabacloud_tea_console.client import Client as ConsoleClient13from alibabacloud_tea_util.client import Client as UtilClient141516class Sample:17 def __init__(self):18 pass1920 @staticmethod21 def create_client(22 access_key_id: str,23 access_key_secret: str,24 ) -> Sas20181203Client:25 """26 使用AK&SK初始化账号Client27 @param access_key_id:28 @param access_key_secret:29 @return: Client30 @throws Exception31 """32 config = open_api_models.Config(33 # 您的AccessKey ID,34 access_key_id='LTAI5t',35 # 您的AccessKey Secret,36 access_key_secret='dSr'37 )38 # 访问的域名39 config.endpoint = f'tds.aliyuncs.com'40 return Sas20181203Client(config)4142 @staticmethod43 def main(44 args: List[str],45 ) -> None:46 client = Sample.create_client('ACCESS_KEY_ID', 'ACCESS_KEY_SECRET')47 describe_emg_vul_item_request = sas_20181203_models.DescribeEmgVulItemRequest(48 lang='zh',49 risk_status='y',50 scan_type='python',51 vul_name='fastjson <= 1.2.80 反序列化任意代码执行漏洞'52 )53 runtime = util_models.RuntimeOptions()54 resp = client.describe_emg_vul_item_with_options(describe_emg_vul_item_request, runtime)55 ConsoleClient.log(UtilClient.to_jsonstring(TeaCore.to_map(resp)))5657 @staticmethod58 async def main_async(59 args: List[str],60 ) -> None:61 client = Sample.create_client('ACCESS_KEY_ID', 'ACCESS_KEY_SECRET')62 describe_emg_vul_item_request = sas_20181203_models.DescribeEmgVulItemRequest(63 lang='zh',64 risk_status='y',65 scan_type='python',66 vul_name='fastjson <= 1.2.80 反序列化任意代码执行漏洞'67 )68 runtime = util_models.RuntimeOptions()69 resp = await client.describe_emg_vul_item_with_options_async(describe_emg_vul_item_request, runtime)70 ConsoleClient.log(UtilClient.to_jsonstring(TeaCore.to_map(resp)))717273if __name__ == '__main__':74 Sample.main(sys.argv[1:])

二、根据特定的应急漏洞执行扫描任务

Lang:zh

Name:emg:SCA:AVD-2022-1243027

UserAgreement:yes

1{2 "RequestId": "08744049-2F38-54BF-A7E7-529B5226AC9E"3}

pip install alibabacloud_sas20181203==1.1.13

1# -*- coding: utf-8 -*- 2# This file is auto-generated, don't edit it. Thanks. 3import sys 4 5from typing import List 6from Tea.core import TeaCore 7 8from alibabacloud_sas20181203.client import Client as Sas20181203Client 9from alibabacloud_tea_openapi import models as open_api_models10from alibabacloud_sas20181203 import models as sas_20181203_models11from alibabacloud_tea_util import models as util_models12from alibabacloud_tea_console.client import Client as ConsoleClient13from alibabacloud_tea_util.client import Client as UtilClient141516class Sample:17 def __init__(self):18 pass1920 @staticmethod21 def create_client(22 access_key_id: str,23 access_key_secret: str,24 ) -> Sas20181203Client:25 """26 使用AK&SK初始化账号Client27 @param access_key_id:28 @param access_key_secret:29 @return: Client30 @throws Exception31 """32 config = open_api_models.Config(33 # 您的AccessKey ID,34 access_key_id='LTAI5t',35 # 您的AccessKey Secret,36 access_key_secret='dS'37 )38 # 访问的域名39 config.endpoint = f'tds.aliyuncs.com'40 return Sas20181203Client(config)4142 @staticmethod43 def main(44 args: List[str],45 ) -> None:46 client = Sample.create_client('ACCESS_KEY_ID', 'ACCESS_KEY_SECRET')47 modify_emg_vul_submit_request = sas_20181203_models.ModifyEmgVulSubmitRequest(48 lang='zh',49 name='emg:SCA:AVD-2022-1243027',50 user_agreement='yes'51 )52 runtime = util_models.RuntimeOptions()53 resp = client.modify_emg_vul_submit_with_options(modify_emg_vul_submit_request, runtime)54 ConsoleClient.log(UtilClient.to_jsonstring(TeaCore.to_map(resp)))5556 @staticmethod57 async def main_async(58 args: List[str],59 ) -> None:60 client = Sample.create_client('ACCESS_KEY_ID', 'ACCESS_KEY_SECRET')61 modify_emg_vul_submit_request = sas_20181203_models.ModifyEmgVulSubmitRequest(62 lang='zh',63 name='emg:SCA:AVD-2022-1243027',64 user_agreement='yes'65 )66 runtime = util_models.RuntimeOptions()67 resp = await client.modify_emg_vul_submit_with_options_async(modify_emg_vul_submit_request, runtime)68 ConsoleClient.log(UtilClient.to_jsonstring(TeaCore.to_map(resp)))697071if __name__ == '__main__':72 Sample.main(sys.argv[1:])

执行脚本发现阿里云的云安全中心应急漏洞fastjson <= 1.2.80 反序列化任意代码执行漏洞开始执行扫描任务计划

三、应急漏洞全部扫描

Types:"emg"

Uuids:

1cve：Linux软件漏洞2sys：Windows系统漏洞3cms：Web-CMS漏洞4app：应用漏洞5emg：应急漏洞6image：容器镜像漏洞

pip install alibabacloud_sas20181203==1.1.13

1# -*- coding: utf-8 -*- 2# This file is auto-generated, don't edit it. Thanks. 3import sys 4 5from typing import List 6from Tea.core import TeaCore 7 8from alibabacloud_sas20181203.client import Client as Sas20181203Client 9from alibabacloud_tea_openapi import models as open_api_models10from alibabacloud_sas20181203 import models as sas_20181203_models11from alibabacloud_tea_util import models as util_models12from alibabacloud_tea_console.client import Client as ConsoleClient13from alibabacloud_tea_util.client import Client as UtilClient141516class Sample:17 def __init__(self):18 pass1920 @staticmethod21 def create_client(22 access_key_id: str,23 access_key_secret: str,24 ) -> Sas20181203Client:25 """26 使用AK&SK初始化账号Client27 @param access_key_id:28 @param access_key_secret:29 @return: Client30 @throws Exception31 """32 config = open_api_models.Config(33 # 您的AccessKey ID,34 access_key_id='LTAI5t',35 # 您的AccessKey Secret,36 access_key_secret='dSr'37 )38 # 访问的域名39 config.endpoint = f'tds.aliyuncs.com'40 return Sas20181203Client(config)4142 @staticmethod43 def main(44 args: List[str],45 ) -> None:46 client = Sample.create_client('ACCESS_KEY_ID', 'ACCESS_KEY_SECRET')47 modify_start_vul_scan_request = sas_20181203_models.ModifyStartVulScanRequest(48 types='"emg"'49 )50 runtime = util_models.RuntimeOptions()51 resp = client.modify_start_vul_scan_with_options(modify_start_vul_scan_request, runtime)52 ConsoleClient.log(UtilClient.to_jsonstring(TeaCore.to_map(resp)))5354 @staticmethod55 async def main_async(56 args: List[str],57 ) -> None:58 client = Sample.create_client('ACCESS_KEY_ID', 'ACCESS_KEY_SECRET')59 modify_start_vul_scan_request = sas_20181203_models.ModifyStartVulScanRequest(60 types='"emg"'61 )62 runtime = util_models.RuntimeOptions()63 resp = await client.modify_start_vul_scan_with_options_async(modify_start_vul_scan_request, runtime)64 ConsoleClient.log(UtilClient.to_jsonstring(TeaCore.to_map(resp)))656667if __name__ == '__main__':68 Sample.main(sys.argv[1:])

执行完脚本后应急漏洞服务全部开始扫描计划任务

四、导出应急漏洞列表信息

API文档信息 ExportVul - 导出漏洞列表 (aliyun.com)

Lang:zh

Type:emg

Uuids:

AliasName:fastjson <= 1.2.80 反序列化任意代码执行漏洞

Necessity:asap

Dealed:n

1# -*- coding: utf-8 -*- 2# This file is auto-generated, don't edit it. Thanks. 3import sys 4 5from typing import List 6from Tea.core import TeaCore 7 8from alibabacloud_sas20181203.client import Client as SasClient 9from alibabacloud_tea_openapi import models as open_api_models10from alibabacloud_darabonba_env.client import Client as EnvClient11from alibabacloud_sas20181203 import models as sas_models12from alibabacloud_tea_console.client import Client as ConsoleClient13from alibabacloud_tea_util.client import Client as UtilClient141516class Sample:17 def __init__(self):18 pass1920 @staticmethod21 def create_client(22 access_key_id: str,23 access_key_secret: str,24 ) -> SasClient:25 """26 使用AK&SK初始化账号Client27 """28 config = open_api_models.Config()29 # 您的AccessKey ID30 config.access_key_id = 'LTAI5t'31 # 您的AccessKey Secret32 config.access_key_secret = 'dSrH3z'33 config.endpoint = 'tds.aliyuncs.com'34 return SasClient(config)3536 @staticmethod37 def main(38 args: List[str],39 ) -> None:40 client = Sample.create_client(EnvClient.get_env('ACCESS_KEY_ID'), EnvClient.get_env('ACCESS_KEY_SECRET'))41 export_request = sas_models.ExportVulRequest(42 lang='zh',43 type='emg',44 alias_name='fastjson <= 1.2.80 反序列化任意代码执行漏洞',45 necessity='asap',46 dealed='n'47 )48 export_response = client.export_vul(export_request)49 ConsoleClient.log(f'response is {UtilClient.to_jsonstring(TeaCore.to_map(export_response.body))}')5051 @staticmethod52 async def main_async(53 args: List[str],54 ) -> None:55 client = Sample.create_client(EnvClient.get_env('ACCESS_KEY_ID'), EnvClient.get_env('ACCESS_KEY_SECRET'))56 export_request = sas_models.ExportVulRequest(57 lang='zh',58 type='emg',59 alias_name='fastjson <= 1.2.80 反序列化任意代码执行漏洞',60 necessity='asap',61 dealed='n'62 )63 export_response = await client.export_vul_async(export_request)64 ConsoleClient.log(f'response is {UtilClient.to_jsonstring(TeaCore.to_map(export_response.body))}')656667if __name__ == '__main__':68 Sample.main(sys.argv[1:])

得到值为

1[LOG] response is {"FileName": "emg_20220526", "Id": 102889, "RequestId": "A15E37DA-10C8-542D-8D59-CCCB5E6837E4"}

1在执行脚本的时候可以通过过滤id号得到漏洞导出任务的ID信息，最后得到值为10288923python3 exportall.py | grep \"Id\" | awk -F\: '{print $3}' | awk -F\, '{print $1}'4

通过ExportId的102889获取文件下载

1# -*- coding: utf-8 -*- 2# This file is auto-generated, don't edit it. Thanks. 3import sys 4 5from typing import List 6from Tea.core import TeaCore 7 8from alibabacloud_sas20181203.client import Client as SasClient 9from alibabacloud_tea_openapi import models as open_api_models10from alibabacloud_darabonba_env.client import Client as EnvClient11from alibabacloud_sas20181203 import models as sas_models12from alibabacloud_tea_console.client import Client as ConsoleClient13from alibabacloud_tea_util.client import Client as UtilClient141516class Sample:17 def __init__(self):18 pass1920 @staticmethod21 def create_client(22 access_key_id: str,23 access_key_secret: str,24 ) -> SasClient:25 """26 使用AK&SK初始化账号Client27 """28 config = open_api_models.Config()29 # 您的AccessKey ID30 config.access_key_id = 'LTAI'31 # 您的AccessKey Secret32 config.access_key_secret = 'dSrH'33 config.endpoint = 'tds.aliyuncs.com'34 return SasClient(config)3536 @staticmethod37 def main(38 args: List[str],39 ) -> None:40 client = Sample.create_client(EnvClient.get_env('ACCESS_KEY_ID'), EnvClient.get_env('ACCESS_KEY_SECRET'))41 export_request = sas_models.ExportVulRequest(42 type='cve'43 )44 export_response = client.export_vul(export_request)45 body = export_response.body46 export_info_id = body.id47 vul_export_info_request = sas_models.DescribeVulExportInfoRequest(48 export_id=10288949 )50 info_detail_response = client.describe_vul_export_info(vul_export_info_request)51 ConsoleClient.log(f'response is {UtilClient.to_jsonstring(TeaCore.to_map(info_detail_response.body))}')5253 @staticmethod54 async def main_async(55 args: List[str],56 ) -> None:57 client = Sample.create_client(EnvClient.get_env('ACCESS_KEY_ID'), EnvClient.get_env('ACCESS_KEY_SECRET'))58 export_request = sas_models.ExportVulRequest(59 type='cve'60 )61 export_response = await client.export_vul_async(export_request)62 body = export_response.body63 export_info_id = body.id64 vul_export_info_request = sas_models.DescribeVulExportInfoRequest(65 export_id=10288966 )67 info_detail_response = await client.describe_vul_export_info_async(vul_export_info_request)68 ConsoleClient.log(f'response is {UtilClient.to_jsonstring(TeaCore.to_map(info_detail_response.body))}')697071if __name__ == '__main__':72 Sample.main(sys.argv[1:])

1执行脚本得到附件的下载链接2python exportfile.py | awk -F\"Link\": '{print $2}' | awk -F\, '{print $1}' | xargs wget -O "emg_$(date +%Y%m%d).zip" 3

可以把zip文件解压后上传到oss存储中，通过脚本钉钉推送到指定群通知或者邮件推送指定的人

来个开胃小菜

阿里云CDN刷新目录脚本(刷新之前更换AKSK秘钥,替换object_path刷新的网站URL地址)

pip install alibabacloud_cdn20180510==1.0.11

1# -*- coding: utf-8 -*- 2# This file is auto-generated, don't edit it. Thanks. 3import sys 4 5from typing import List 6from Tea.core import TeaCore 7 8from alibabacloud_cdn20180510.client import Client as Cdn20180510Client 9from alibabacloud_tea_openapi import models as open_api_models10from alibabacloud_cdn20180510 import models as cdn_20180510_models11from alibabacloud_tea_util import models as util_models12from alibabacloud_tea_console.client import Client as ConsoleClient13from alibabacloud_tea_util.client import Client as UtilClient141516class Sample:17 def __init__(self):18 pass1920 @staticmethod21 def create_client(22 access_key_id: str,23 access_key_secret: str,24 ) -> Cdn20180510Client:25 """26 使用AK&SK初始化账号Client27 @param access_key_id:28 @param access_key_secret:29 @return: Client30 @throws Exception31 """32 config = open_api_models.Config(33 # 您的AccessKey ID,34 access_key_id=access_key_id,35 # 您的AccessKey Secret,36 access_key_secret=access_key_secret37 )38 # 访问的域名39 config.endpoint = f'cdn.aliyuncs.com'40 return Cdn20180510Client(config)4142 @staticmethod43 def main(44 args: List[str],45 ) -> None:46 client = Sample.create_client('ACCESS_KEY_ID', 'ACCESS_KEY_SECRET')47 refresh_object_caches_request = cdn_20180510_models.RefreshObjectCachesRequest(48 object_path='https://uat.abc.com/',49 object_type='Directory'50 )51 runtime = util_models.RuntimeOptions()52 resp = client.refresh_object_caches_with_options(refresh_object_caches_request, runtime)53 ConsoleClient.log(UtilClient.to_jsonstring(TeaCore.to_map(resp)))5455 @staticmethod56 async def main_async(57 args: List[str],58 ) -> None:59 client = Sample.create_client('ACCESS_KEY_ID', 'ACCESS_KEY_SECRET')60 refresh_object_caches_request = cdn_20180510_models.RefreshObjectCachesRequest(61 object_path='https://club-admin-7788-uat.apta.com.hk/',62 object_type='Directory'63 )64 runtime = util_models.RuntimeOptions()65 resp = await client.refresh_object_caches_with_options_async(refresh_object_caches_request, runtime)66 ConsoleClient.log(UtilClient.to_jsonstring(TeaCore.to_map(resp)))676869if __name__ == '__main__':70 Sample.main(sys.argv[1:])

成功给https://uat.abc.com网站目录刷新。