
How to understand PoC Framework Pocsuite3

2025-03-01 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains in detail how to understand the PoC framework Pocsuite3. The editor shares it here as a reference, in the hope that you will have a grasp of the relevant knowledge after reading it.

Brief introduction

Pocsuite is an open source remote vulnerability testing framework created by Knownsec 404 Lab. It is the cornerstone of the Knownsec security research team's development work and a project the team still maintains today, which keeps our Web security research capability at the forefront.

You can use Pocsuite directly for vulnerability verification and exploitation; you can also develop PoC/Exp on top of Pocsuite, because it is also a PoC development framework; and you can integrate Pocsuite directly into your own vulnerability testing tool, since it also provides standard calling classes.

Pocsuite3 is written entirely in Python3 and supports Windows/Linux/Mac OSX and other systems. It is a rewrite and upgrade of the original Pocsuite, which makes the whole framework more operable and flexible.

Standing on the shoulders of giants

Pocsuite3 was written with reference to many open source frameworks and popular mature frameworks on the market: Sqlmap in the code engineering structure, and routersploit and metasploit for the Pocsuite console pattern. The PoC code format is therefore somewhat different from before (though we tried to avoid major changes). Pocsuite3 also provides very simple interface calls so that it can be integrated into other security tools.

Download and installation: pip

There are two ways to install: via pip, or by running the source code directly.

    pip install -U pocsuite3 --no-cache-dir

This installs the latest version of Pocsuite3.

Then execute:

    pocsuite -h

to verify that the installation works.

Source code installation

If you are comfortable working with the source, you can download the source code and use it directly. This is also our recommended way, because pip releases may lag behind github.

    wget https://github.com/knownsec/pocsuite3/archive/master.zip
    unzip master.zip

Two dependencies need to be installed as well:

    pip install requests requests-toolbelt

If you are on Windows, one more package is needed in addition to the above dependencies:

    pip install pyreadline    # only for console mode on Windows; not needed if you don't use it

Finally:

    python cli.py -h

to verify that the installation works.

Note that only one of the two installation methods should be used, not both at the same time. We recommend the source code installation.

General use help

In most cases, -h is enough to understand the features Pocsuite supports.

A simple test:

    python3 cli.py -r pocs/ecshop_rce.py --dork ecshop --threads 5

ZoomEye is searched with the dork ecshop, the resulting targets are tested with the ecshop_rce.py PoC, and the thread count is set to 5.

Pocsuite's default operation mode is verify, which has the least impact on the target. There are also attack and shell modes, which carry out the corresponding attack or shell callback against the target (provided the PoC supports it: Pocsuite's PoC format reserves interfaces for these three modes, and many built-in APIs help implement them).

Shell mode

Pocsuite3 adds a new shell mode. When it is selected, Pocsuite3 listens on a port and waits for the target to connect back. We provide reverse-connection payloads in a variety of languages, as well as generation of shellcode that runs on Windows/Linux.

Run from the configuration file

Sometimes the command line gets too long and some parameters are highly reusable, so Pocsuite also provides a way to run from a configuration file.

Let's take the redis unauthorized access vulnerability as an example and edit the file pocsuite.ini.

Adjust the threads too, then run:

    python3 cli.py -c ../pocsuite.ini

With the comparison parameter enabled, we can see more information:

If you are also a ZoomEye VIP, you can identify honeypots while collecting targets. At present only data obtained through the ZoomEye interface carries the honeypot flag; Shodan and Censys do not expose a corresponding API.

Plug-in system

Pocsuite supports a plug-in system with three types of plug-ins, according to what they do: load targets (targets), load PoCs (pocs), and process results (results).

Targets plug-in

In addition to loading local targets with -u and -f, you can write a targets plug-in to load targets from anywhere you like (e.g. ZoomEye, Shodan), or even from a web page or redis. Pocsuite3 has four built-in target-loading plug-ins.

As shown above, if you search with a dork (--dork, --dork_zoomeye, --dork_shodan, --dork_censys), the relevant plug-in is loaded automatically without being specified manually.

Pocs plug-in

Originally PoCs could only be fetched from Seebug; this has now been extracted into plug-ins, so PoCs can be loaded from anywhere you can reach, and you could even write a plug-in that loads from a repository you maintain on github.

Demo:

https://github.com/knownsec/pocsuite3/blob/master/pocsuite3/plugins/poc_from_redis.py
https://github.com/knownsec/pocsuite3/blob/master/pocsuite3/plugins/poc_from_seebug.py

Results plug-in

The Results plug-in lets you process the scan results. Refer to the two built-in plug-ins, which save results as html and as txt. Results are delivered to the plug-in in real time, depending on how plugins/file_record.py is implemented.

https://github.com/knownsec/pocsuite3/blob/master/pocsuite3/plugins/html_report.py
https://github.com/knownsec/pocsuite3/blob/master/pocsuite3/plugins/file_record.py

Calling plug-ins

Several plug-ins can be used at once by listing their names after --plugins, separated by commas. For example --plugins html_report generates a report in HTML format.

Built-in API

Based on our accumulated experience with vulnerability emergencies, Pocsuite's built-in API covers essentially everything a PoC needs. We will cover many of these API interfaces in the next chapter; here are two interesting cases.

Shellcode generation support

In some restricted Linux and Windows environments it is hard to meet the conditions for a reverse shell. For this reason we prepared reverse-shell shellcode for Windows/Linux x86 and x64 and exposed it through an interface, so that with only command-execution permission on the target you can automatically write the shellcode there and run the reverse-shell command.

Demo PoC: https://github.com/knownsec/pocsuite3/blob/master/pocsuite3/pocs/thinkphp_rce2.py

HTTP service built-in

If you still remember Hacking Jenkins Part 2 - Abusing Meta Programming for Unauthenticated RCE!: what a perfect vulnerability, yet we ran into difficulties writing a PoC for it. Verify mode is easy to detect with Ceye, but for attack mode and shell mode we had to build our own Jar and host it on a server.

For this reason we built an API for packaging Jar files and an HTTP service API; these prove very useful for PoC writing, which is becoming harder and harder to automate.

A demo video of Jenkins Abusing Meta Programming for Unauthenticated RCE (CVE-2019-1003000) with Pocsuite3 is attached:

https://www.youtube.com/watch?v=5P7WWlqYt4U

Custom parameter passing

As programmers become more security-aware, you will find that the days of getting RCE with a single link are over. More and more vulnerabilities require certain "permissions" to trigger. For this, we needed to reserve a parameter interface in Pocsuite3.

While keeping the original PoC format as far as possible, we added an _options method to declare the parameters passed in by the user.

Demo PoC: https://github.com/knownsec/pocsuite3/blob/master/tests/login_demo.py

In this PoC we declare that two parameters, username and password, must be passed. For convenience, you can supply them directly on the command line:

    python3 cli.py -u http://localhost -r tests/login_demo.py --username "404team" --password "password"

Yes, it's that simple. You may ask what happens if a parameter defined in the PoC conflicts with a parameter name that Pocsuite already uses. Our solution is simply not to allow conflicting names: Pocsuite checks at startup, and if a conflict is found you are prompted to rename the custom parameter in the PoC.
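The mechanism described above, modelled as a stand-alone example (added here; it is not Pocsuite3's own code and does not import it): a PoC declares its user parameters in _options, and a loader fills them from the command line, refuses names that clash with the framework's own options, and rejects missing required values. FRAMEWORK_OPTIONS, OptString and the PoC classes are constructed for this illustration; no network activity takes place.

```python
from collections import OrderedDict

# Option names the framework reserves (constructed subset for this illustration;
# real Pocsuite3 derives the list from its command-line parser).
FRAMEWORK_OPTIONS = {"url", "poc", "mode", "threads", "verbose", "dork", "plugins"}

class OptString:
    """Minimal stand-in for a string option: default value, description, required flag."""
    def __init__(self, default="", description="", require=False):
        self.default, self.description, self.require = default, description, require

class LoginDemoPOC:
    """PoC skeleton modelled on the login_demo.py layout: _options declares user parameters."""
    name = "login demo (illustrative)"

    def _options(self):
        o = OrderedDict()
        o["username"] = OptString("", "account used to log in before triggering", require=True)
        o["password"] = OptString("", "password for that account", require=True)
        return o

    def run(self, mode, options):
        # Each mode only reports what it received; a real PoC would implement _verify/_attack.
        return {"mode": mode, "user": options["username"], "has_password": options["password"] != ""}

class ClashingPOC(LoginDemoPOC):
    """Declares 'threads', which the framework already owns; load_options must refuse it."""
    def _options(self):
        o = super()._options()
        o["threads"] = OptString("5", "would shadow the framework's --threads")
        return o

def load_options(poc, cli_args):
    """Startup check: reject names that clash with framework options, then fill in values."""
    declared = poc._options()
    clashes = sorted(set(declared) & FRAMEWORK_OPTIONS)
    if clashes:
        raise ValueError(f"PoC option(s) {clashes} conflict with built-in parameters; rename them")
    merged = {}
    for name, opt in declared.items():
        value = cli_args.get(name, opt.default)
        if opt.require and value == "":
            raise ValueError(f"required PoC option --{name} was not supplied")
        merged[name] = value
    return merged

def run_poc(poc, cli_args, mode="verify"):
    """Equivalent of the CLI call: resolve the PoC's options, then run it in the given mode."""
    return poc.run(mode, load_options(poc, cli_args))
```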

Console mode

In some scenarios we also cater for an interactive command mode (the hacker's sense of ritual). It is fully compatible with PoCs written for command-line mode, and on Linux or Mac you get a better experience.

API Universal Integration

We encourage and support using Pocsuite3 as part of a security product. Just import Pocsuite3 into your project as a module and it is easy to use. We will also explain in detail later how Pocsuite3 does this.

pocsuite3.api exposes all of Pocsuite's interfaces; whether you are writing a PoC or integrating into your own environment, that is all you need. A simple calling demo:

    from pocsuite3.api import init_pocsuite
    from pocsuite3.api import start_pocsuite
    from pocsuite3.api import get_results
    from pocsuite3.api import paths
    import os

    # The config dictionary takes the same keys as the cli command-line parameters
    config = {
        'url': 'https://www.baidu.com/',
        'poc': os.path.join(paths.POCSUITE_ROOT_PATH, "../tests/login_demo.py"),
        'username': "asd",
        'password': 'asdss',
        'verbose': 0,
    }
    init_pocsuite(config)
    start_pocsuite()
    result = get_results().pop()
    print(result)

A fully functional framework is not just an engine that batch-processes tasks; much of it is accumulated in real-world use and implemented in the best way found (commonly known as stepping on pits). When building your own PoC framework, be clear about what you need and how to solve it gracefully.

That is all on how to understand the PoC framework Pocsuite3. I hope the above content is of some help and that you can learn more from it. If you found the article good, share it for more people to see.
