Research on Vulnerability-to-Exploit-Code Matching Methods Based on Ports and Vulnerability IDs

Journal: 《信息网络安全》

         

Abstract

Penetration testing is an effective security testing method. One of the key problems in automated penetration testing is matching discovered system vulnerabilities with known exploit code. This paper proposes two matching methods, one based on open ports and one based on vulnerability reference identifiers. The first compares the port numbers of system vulnerabilities with the port numbers described in exploit code. The second compares the reference identifiers of vulnerabilities with those in exploit code. Experimental results show that the recall of the two methods reaches 96.8% and 90.3%, respectively, so both are effective for matching. The methods can be applied in practice to automated penetration testing.
