
PoC Specification

PoC Number

The PoC number is the same as the vulnerability ID. For example, vulnerabilities in Seebug are numbered SSV-xxx, so the PoC number is xxx.

PoC Naming Convention

PoC naming: _<PoC number>_<Component>_<Affected version>_<Vulnerability type>, for example:

_1847_seeyon_3_1_login_info_disclosure.py

PoC Third-party Module Dependency

When writing a PoC, try not to use third-party modules. If one is necessary, add the install_requires field to the basic information part of the PoC and list the dependent modules in the following format:

install_requires = [str_item, str_item, ...]  # The value of the whole field is a list; each item is one dependent module.

str_item format: module name[><=]version number, where the module name is the name used for pip install (not the name used in import).

If the name used for installation differs from the name used when importing, separate the two with a colon. For example, the common cryptography library is installed as pycryptodome but imported as from Crypto.Cipher import AES, so the item must be written as:

install_requires = ['pycryptodome>=3.12.0:Crypto']

TIP

The install_requires field exists to manage dependencies. When loading the PoC, if the framework detects that a listed module is not installed, it prompts the user to install it before continuing. The field does not import the module itself; the PoC still needs its own import statements.
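The dependency check described above, as an added example that is not pocsuite3's own loader code: it parses each install_requires item into the pip name, the version constraint and the import name (falling back to the pip name when no colon part is given), then reports whether the module can be imported and whether the installed distribution satisfies the constraint. The sample list below is constructed for illustration; the version comparison is a plain numeric dotted-version compare (an assumption, since the page does not define one).

```python
import importlib.util
import re
from importlib import metadata

# Constructed sample in the page's format; not taken from any real PoC.
INSTALL_REQUIRES = ['pycryptodome>=3.12.0:Crypto', 'requests>=2.20', 'lxml']

# <pip name>[<op><version>][:<import name>]
_ITEM_RE = re.compile(
    r'^([A-Za-z0-9_.\-]+)(?:(>=|<=|==|=|>|<)([0-9][0-9A-Za-z.]*))?(?::([A-Za-z0-9_.]+))?$')


def parse_requirement(item):
    """Split one install_requires item into (pip_name, op, version, import_name)."""
    m = _ITEM_RE.match(item.strip())
    if not m:
        raise ValueError('malformed install_requires item: %r' % item)
    pip_name, op, version, import_name = m.groups()
    if op == '=':            # accept a bare '=' as '==' (assumption)
        op = '=='
    return pip_name, op, version, import_name or pip_name


def _version_list(v):
    # Keep the leading numeric components only; '3.12.0rc1' -> [3, 12, 0] (assumption).
    parts = []
    for piece in v.split('.'):
        digits = re.match(r'\d+', piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return parts


def version_satisfies(installed, op, wanted):
    """Compare two dotted versions; shorter lists are zero-padded so 3.12 == 3.12.0."""
    if op is None:
        return True
    a, b = _version_list(installed), _version_list(wanted)
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return {'>=': a >= b, '<=': a <= b, '==': a == b, '>': a > b, '<': a < b}[op]


def check_requirement(item):
    """Return (ok, message) for one item, the check a loader does before running the PoC."""
    pip_name, op, wanted, import_name = parse_requirement(item)
    if importlib.util.find_spec(import_name) is None:
        return False, 'module %s not importable; install with: pip install "%s"' % (
            import_name, item.split(':')[0])
    if op is None:
        return True, '%s is importable' % import_name
    try:
        installed = metadata.version(pip_name)
    except metadata.PackageNotFoundError:
        return False, '%s importable but distribution %s not found; version unverified' % (
            import_name, pip_name)
    if not version_satisfies(installed, op, wanted):
        return False, '%s %s installed, %s%s required' % (pip_name, installed, op, wanted)
    return True, '%s %s satisfies %s%s' % (pip_name, installed, op, wanted)


def check_all(items):
    """Check every item; returns a list of (item, ok, message)."""
    return [(item,) + check_requirement(item) for item in items]


if __name__ == '__main__':
    for item, ok, msg in check_all(INSTALL_REQUIRES):
        print('%-32s %s  %s' % (item, 'OK ' if ok else 'MISSING', msg))
```

Because the loader only needs the import name to test presence and the pip name to read the installed version, keeping both in one item (as the page's pycryptodome:Crypto example does) is enough to give the user an exact install command.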

PoC Result Convention

result is the data returned by a PoC. Each item placed in result must be complete. Anything that does not fit one of the general result fields goes in the extra field. The returned information must let the operator reproduce or understand the vulnerability as far as possible; if the steps are complicated, describe them in the forensic (evidence) information. For example:

# Return the database administrator password
result['DBInfo'] = {}
result['DBInfo']['Password'] = 'xxxxx'
# Return the webshell address
result['ShellInfo'] = {}
result['ShellInfo']['URL'] = 'xxxxx'
# Return the webmaster username
result['AdminInfo'] = {}
result['AdminInfo']['Username'] = 'xxxxx'

extra field description

The extra field supplements the general result fields. If the content to be returned does not belong to any general result field, assign it under extra. The extra field is a dict and accepts custom keys, for example:

result['extra'] = {}
result['extra']['field'] = 'aa'

Special Fields

evidence: forensic information returned in the result must use the field name evidence and may only be stored in the extra field, that is:

result['extra'] = {}
result['extra']['evidence'] = 'aa'

General Field Description (this only illustrates the meaning of each field; it is not a standard JSON document)

result: [
    { name: 'DBInfo', value: 'Database content' },
        { name: 'Username', value: 'Admin username'},
        { name: 'Password', value: 'Admin password' },
        { name: 'Salt', value: 'Salt value'},
        { name: 'Uid', value: 'User ID'},
        { name: 'Groupid', value: 'User group ID'},


    { name: 'ShellInfo', value: 'Webshell info'},
        { name: 'URL', value: 'Webshell address'},
        { name: 'Content', value: 'Webshell content'},


    { name: 'FileInfo', value: 'File Info'},
        { name: 'Filename', value: 'Filename'},
        { name: 'Content', value: 'file content'},


    { name: 'XSSInfo', value: 'Cross-site scripting information'},
        { name: 'URL', value: 'Authentication URL'},
        { name: 'Payload', value: 'Authentication Payload'},


    { name: 'AdminInfo', value: 'Admin Info'},
        { name: 'Uid', value: 'Admin ID'},
        { name: 'Username', value: 'Admin username'},
        { name: 'Password', value: 'Admin password'},


    { name: 'Database', value: 'Database information' },
        { name: 'Hostname', value: 'Database hostname'},
        { name: 'Username', value: 'Database username' },
        { name: 'Password', value: 'Database password'},
        { name: 'DBname', value: 'DBname'},


    { name: 'VerifyInfo', value: 'Verify Info'},
        { name: 'Target', value: 'Authentication host:port'},
        { name: 'URL', value: 'Authentication URL'},
        { name: 'Postdata', value: 'Verify POST data'},
        { name: 'Path', value: 'Website absolute path'},


    { name: 'SiteAttr', value: 'Website server information'},
    { name: 'Process', value: 'Server Process'}

]
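A self-check for the result convention and the general field list above, as an added example that is not pocsuite3's own code: it takes the result dict a PoC built and lists every way it departs from the convention (unknown top-level field, unknown sub-field, empty group, evidence outside extra, extra not a dict). The GENERAL_FIELDS mapping is transcribed from the list above; the page prints Process at the same level as SiteAttr, and treating it as SiteAttr's sub-field is an assumption. The two sample results are constructed.

```python
# Group -> allowed sub-fields, transcribed from the general field description.
# 'Process' under 'SiteAttr' is an assumption about the page's layout.
GENERAL_FIELDS = {
    'DBInfo':     {'Username', 'Password', 'Salt', 'Uid', 'Groupid'},
    'ShellInfo':  {'URL', 'Content'},
    'FileInfo':   {'Filename', 'Content'},
    'XSSInfo':    {'URL', 'Payload'},
    'AdminInfo':  {'Uid', 'Username', 'Password'},
    'Database':   {'Hostname', 'Username', 'Password', 'DBname'},
    'VerifyInfo': {'Target', 'URL', 'Postdata', 'Path'},
    'SiteAttr':   {'Process'},
}


def validate_result(result):
    """Return a list of convention violations; empty when the result dict is acceptable."""
    if not isinstance(result, dict):
        return ['result must be a dict, got %s' % type(result).__name__]
    problems = []
    for group, value in result.items():
        if group == 'extra':
            if not isinstance(value, dict):
                problems.append("result['extra'] must be a dict")
            continue
        if group not in GENERAL_FIELDS:
            problems.append("unknown top-level field %r; custom data belongs in result['extra']" % group)
            continue
        if not isinstance(value, dict):
            problems.append('%s must be a dict of sub-fields' % group)
            continue
        if not value:
            problems.append('%s is present but contains no sub-fields' % group)
            continue
        for key in value:
            if key == 'evidence':
                problems.append("evidence is only allowed in result['extra'], not under %s" % group)
            elif key not in GENERAL_FIELDS[group]:
                problems.append("%s.%s is not a general sub-field; put it in result['extra']" % (group, key))
    return problems


# Constructed sample built the way the page's examples build a result.
SAMPLE_RESULT = {}
SAMPLE_RESULT['DBInfo'] = {'Password': 'xxxxx'}
SAMPLE_RESULT['ShellInfo'] = {'URL': 'http://example.invalid/shell.php'}
SAMPLE_RESULT['extra'] = {'field': 'aa', 'evidence': 'aa'}

# Constructed sample that breaks the convention in several ways.
BAD_RESULT = {
    'DBInfo': {'evidence': 'x', 'Port': 3306},   # evidence misplaced; Port is not a sub-field
    'Unknown': {'a': 1},                          # not a general field
    'ShellInfo': {},                              # incomplete item
    'extra': 'aa',                                # must be a dict
}

if __name__ == '__main__':
    print('sample:', validate_result(SAMPLE_RESULT) or 'ok')
    for problem in validate_result(BAD_RESULT):
        print('bad:', problem)
```

Run it over the result just before it is handed to the framework's output object; anything it reports is data an operator would otherwise have to guess how to read.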

Vulnerability Type Specification

Name (English) | Name (Chinese) | Abbreviation
Cross Site Scripting | 跨站脚本 | xss
Cross Site Request Forgery | 跨站请求伪造 | csrf
SQL Injection | Sql注入 | sql-inj
LDAP Injection | ldap注入 | ldap-inj
Mail Command Injection | 邮件命令注入 | smtp-inj
Null Byte Injection | 空字节注入 | null-byte-inj
CRLF Injection | CRLF注入 | crlf-inj
SSI Injection | Ssi注入 | ssi-inj
XPath Injection | Xpath注入 | xpath-inj
XML Injection | Xml注入 | xml-inj
XQuery Injection | Xquery 注入 | xquery-inj
Command Execution | 命令执行 | cmd-exec
Code Execution | 代码执行 | code-exec
Remote File Inclusion | 远程文件包含 | rfi
Local File Inclusion | 本地文件包含 | lfi
Abuse of Functionality | 功能函数滥用 | func-abuse
Brute Force | 暴力破解 | brute-force
Buffer Overflow | 缓冲区溢出 | buffer-overflow
Content Spoofing | 内容欺骗 | spoofing
Credential Prediction | 证书预测 | credential-prediction
Session Prediction | 会话预测 | session-prediction
Denial of Service | 拒绝服务 | dos
Fingerprinting | 指纹识别 | finger
Format String | 格式化字符串 | format-string
HTTP Response Smuggling | http响应伪造 | http-response-smuggling
HTTP Response Splitting | http响应拆分 | http-response-splitting
HTTP Request Splitting | http请求拆分 | http-request-splitting
HTTP Request Smuggling | http请求伪造 | http-request-smuggling
HTTP Parameter Pollution | http参数污染 | hpp
Integer Overflows | 整数溢出 | int-overflow
Predictable Resource Location | 可预测资源定位 | res-location
Session Fixation | 会话固定 | session-fixation
URL Redirector Abuse | url重定向 | redirect
Privilege Escalation | 权限提升 | privilege-escalation
Resolve Error | 解析错误 | resolve-error
Arbitrary File Creation | 任意文件创建 | file-creation
Arbitrary File Download | 任意文件下载 | file-download
Arbitrary File Deletion | 任意文件删除 | file-deletion
Arbitrary File Read | 任意文件读取 | file-read
Backup File Found | 备份文件发现 | bak-file-found
Database Found | 数据库发现 | db-found
Directory Listing | 目录遍历 | dir-listing
Directory Traversal | 目录穿越 | dir-traversal
File Upload | 文件上传 | file-upload
Login Bypass | 登录绕过 | login-bypass
Weak Password | 弱密码 | weak-pass
Remote Password Change | 远程密码修改 | remote-pass-change
Code Disclosure | 代码泄漏 | code-disclosure
Path Disclosure | 路径泄漏 | path-disclosure
Information Disclosure | 信息泄漏 | info-disclosure
Security Mode Bypass | 安全模式绕过 | sec-bypass
Malware | 挂马 | mal
Black Link | 暗链 | black-link
Backdoor | 后门 | backdoor
Insecure Cookie Handling | 不安全的Cookie | insecure-cookie-handling
Shellcode | Shellcode | shellcode
Variable Coverage | 变量覆盖 | variable-coverage
Injecting Malware Codes | 恶意代码注入 | injecting-malware-codes
Upload Files | 文件上传 | upload-files
Local Overflow | 本地溢出 | local-overflow
Path Traversal | 目录穿越 | path-traversal
Unauthorized Access | 未授权访问 | unauth-access
Remote Overflow | 远程溢出 | remote-overflow
Man-in-the-middle | 中间人攻击 | mitm
Out of Memory | 内存溢出 | out-of-memory
Buffer Over-read | 缓冲区越界读 | buffer-over-read
Backup File Found | 备份文件泄漏 | backup-file-found
Use After Free | 释放后使用 | uaf
DNS Hijacking | DNS劫持 | dns-hijacking
Improper Input Validation | 不正确的输入校验 | improper-input-validation
Universal Cross-site Scripting | 通用型XSS | uxss
Server-Side Request Forgery | 服务器端请求伪造 | ssrf
Other | 其他 | other

See also Seebug Vulnerability Type Specification.
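A parser for the PoC naming convention given at the top of this page, checked against the abbreviation table above, as an added example that is not pocsuite3's own code. It splits _<PoC number>_<Component>_<Affected version>_<Vulnerability type>.py into its parts; because every part is joined by underscores, it recognises the type by matching the longest table abbreviation (hyphens written as underscores, an assumption) at the end of the name, then takes the run of numeric tokens as the version and everything before it as the component. The page's own example, _1847_seeyon_3_1_login_info_disclosure.py, carries an extra word between the version and the type, so the parser keeps such words as a descriptor rather than rejecting the name. The abbreviation list is transcribed from the table; the other filenames in the test are constructed.

```python
import re

# Abbreviations transcribed from the vulnerability type table on this page.
VULN_TYPES = set("""
xss csrf sql-inj ldap-inj smtp-inj null-byte-inj crlf-inj ssi-inj xpath-inj xml-inj
xquery-inj cmd-exec code-exec rfi lfi func-abuse brute-force buffer-overflow spoofing
credential-prediction session-prediction dos finger format-string http-response-smuggling
http-response-splitting http-request-splitting http-request-smuggling hpp int-overflow
res-location session-fixation redirect privilege-escalation resolve-error file-creation
file-download file-deletion file-read bak-file-found db-found dir-listing dir-traversal
file-upload login-bypass weak-pass remote-pass-change code-disclosure path-disclosure
info-disclosure sec-bypass mal black-link backdoor insecure-cookie-handling shellcode
variable-coverage injecting-malware-codes upload-files local-overflow path-traversal
unauth-access remote-overflow mitm out-of-memory buffer-over-read backup-file-found uaf
dns-hijacking improper-input-validation uxss ssrf other
""".split())


def parse_poc_filename(filename):
    """Return a dict with number, component, version, descriptor and vultype,
    or None when the name lacks the _<number>_ prefix, the .py suffix, or a
    vulnerability type from the table."""
    m = re.match(r'^_(\d+)_(.+)\.py$', filename)
    if not m:
        return None
    number, rest = int(m.group(1)), m.group(2)

    # Longest abbreviation first, so a longer type is never read as a shorter suffix.
    # Hyphens in abbreviations are assumed to become underscores inside a filename.
    vultype = cand = None
    for abbr in sorted(VULN_TYPES, key=len, reverse=True):
        cand = abbr.replace('-', '_')
        if rest == cand or rest.endswith('_' + cand):
            vultype = abbr
            break
    if vultype is None:
        return None

    middle = rest[:len(rest) - len(cand)].rstrip('_')
    tokens = [t for t in middle.split('_') if t]

    # component = tokens before the first numeric token; version = the numeric run;
    # anything left between version and type is kept as a free-form descriptor.
    i = 0
    while i < len(tokens) and not tokens[i].isdigit():
        i += 1
    j = i
    while j < len(tokens) and tokens[j].isdigit():
        j += 1
    return {
        'number': number,
        'component': '_'.join(tokens[:i]),
        'version': '.'.join(tokens[i:j]),
        'descriptor': '_'.join(tokens[j:]),
        'vultype': vultype,
    }


if __name__ == '__main__':
    print(parse_poc_filename('_1847_seeyon_3_1_login_info_disclosure.py'))
```

A repository hook can run this over every new PoC file and reject names whose type is not in the table, which keeps the abbreviation column usable for filtering PoCs by vulnerability class.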

Released under the GPLv2 License.