PoC Specification
PoC Number
The PoC number is the same as the vulnerability ID. For example, vulnerabilities in Seebug are numbered SSV-xxx, and the corresponding PoC number is xxx.
PoC Naming Convention
PoC naming: _<PoC number>_<Component>_<Affected version>_<Vulnerability type>
The vulnerability type is the abbreviation from the Vulnerability Type Specification below, so a file name looks like this:
_1847_seeyon_3_1_login_info_disclosure.py
PoC Third-party Module Dependency
When writing a PoC, try not to use third-party modules. If they are necessary, add the install_requires field to the basic information part of the PoC and list the dependent modules in the following format:
install_requires = [str_item, str_item, ...] # The value of the whole field is a list; each item is one dependent module.
str_item format: module name[><=]version number
The module name is the name used with pip install (do not use the name used in import). If the install name and the import name differ, separate them with a colon. For example, the common cryptography library is installed as pycryptodome but used as from Crypto.Cipher import AES, so the entry must be:
install_requires = ['pycryptodome>=3.12.0:Crypto']
TIP
The install_requires field is only for managing dependencies. When the PoC is loaded, if the framework detects that the user has not installed a dependent module, it prompts the user to install it before continuing to run. The field does not import anything; the PoC still needs its own import statements.
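The following is an added illustration, not pocsuite3's own loader code, of how a framework could parse the str_item grammar above and decide which entries to prompt for. The pip name is looked up with importlib.metadata, the import name with importlib.util.find_spec (which locates a module without importing it); the numeric-only version comparison and acceptance of a bare module name without a version are assumptions of this example.

```python
import importlib.metadata
import importlib.util
import re

# Grammar of one install_requires item as given in the specification:
#   <pip name>[><=]<version>[:<import name>]
# Operator/version are optional here so a bare name is accepted too
# (an assumption of this example, not something the specification states).
_ITEM_RE = re.compile(
    r"^(?P<pip_name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"(?:(?P<op>>=|<=|==|>|<)(?P<version>[0-9][0-9A-Za-z.]*))?"
    r"(?::(?P<import_name>[A-Za-z_][A-Za-z0-9_.]*))?$"
)


def parse_requirement(item):
    """Split one str_item into pip name, operator, version and import name."""
    m = _ITEM_RE.match(item.strip())
    if not m:
        raise ValueError("malformed install_requires item: %r" % item)
    req = m.groupdict()
    if req["import_name"] is None:
        # No ':' part: pip name and import name coincide (e.g. 'requests').
        # Dashes in distribution names become underscores when imported.
        req["import_name"] = req["pip_name"].replace("-", "_")
    return req


def _version_tuple(version):
    # Numeric-only comparison; suffixes such as 'rc1' are ignored (assumption).
    return tuple(int(x) for x in re.findall(r"\d+", version))


def version_satisfies(installed, op, wanted):
    a, b = _version_tuple(installed), _version_tuple(wanted)
    return {">=": a >= b, "<=": a <= b, "==": a == b, ">": a > b, "<": a < b}[op]


def missing_dependencies(install_requires):
    """Return the items the framework should ask the user to install.

    Nothing is imported: find_spec only locates the top-level package, which
    matches the 'check but do not import' role of the field.
    """
    missing = []
    for item in install_requires:
        req = parse_requirement(item)
        top_level = req["import_name"].split(".")[0]
        if importlib.util.find_spec(top_level) is None:
            missing.append(item)
            continue
        if req["op"]:
            try:
                installed = importlib.metadata.version(req["pip_name"])
            except importlib.metadata.PackageNotFoundError:
                # Importable but not installed via pip: cannot verify version.
                missing.append(item)
                continue
            if not version_satisfies(installed, req["op"], req["version"]):
                missing.append(item)
    return missing


if __name__ == "__main__":
    print(parse_requirement("pycryptodome>=3.12.0:Crypto"))
    print(missing_dependencies(["pycryptodome>=3.12.0:Crypto", "requests"]))
```

Run it in an environment without pycryptodome and the first entry is reported as missing, which is the point at which a loader would stop and prompt for pip install pycryptodome rather than letting the PoC fail on an ImportError later.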
PoC Result Convention
result is the data returned by the PoC. The return value must be a complete item. Content that does not fit any of the general result fields is placed in the extra field. The returned information must let the operator reproduce and understand the vulnerability as far as possible; if the steps are complicated, describe them in the forensic information (evidence). E.g.:
# Return the database administrator password
result['DBInfo'] = {}
result['DBInfo']['Password'] = 'xxxxx'
# Return the webshell address
result['ShellInfo'] = {}
result['ShellInfo']['URL'] = 'xxxxx'
# Return the webmaster username
result['AdminInfo'] = {}
result['AdminInfo']['Username'] = 'xxxxx'
extra field description
The extra field supplements the general result fields. If the content to be returned does not belong to any general result field, assign it under extra. extra is a dict and may hold custom keys, for example:
result['extra'] = {}
result['extra']['field'] = 'aa'
Special Fields
evidence: the forensic information returned in the result must use the field name evidence, and it may only be stored in the extra field, that is:
result['extra'] = {}
result['extra']['evidence'] = 'aa'
General Field Description (an illustration of the field meanings only, not standard JSON; each indented entry is a sub-field of the group above it, as in result['DBInfo']['Password'])
result: [
    { name: 'DBInfo', value: 'Database content' },
        { name: 'Username', value: 'Admin username' },
        { name: 'Password', value: 'Admin password' },
        { name: 'Salt', value: 'Salt value' },
        { name: 'Uid', value: 'User ID' },
        { name: 'Groupid', value: 'User group ID' },
    { name: 'ShellInfo', value: 'Webshell info' },
        { name: 'URL', value: 'Webshell address' },
        { name: 'Content', value: 'Webshell content' },
    { name: 'FileInfo', value: 'File info' },
        { name: 'Filename', value: 'Filename' },
        { name: 'Content', value: 'File content' },
    { name: 'XSSInfo', value: 'Cross-site scripting information' },
        { name: 'URL', value: 'Verification URL' },
        { name: 'Payload', value: 'Verification payload' },
    { name: 'AdminInfo', value: 'Admin info' },
        { name: 'Uid', value: 'Admin ID' },
        { name: 'Username', value: 'Admin username' },
        { name: 'Password', value: 'Admin password' },
    { name: 'Database', value: 'Database information' },
        { name: 'Hostname', value: 'Database hostname' },
        { name: 'Username', value: 'Database username' },
        { name: 'Password', value: 'Database password' },
        { name: 'DBname', value: 'Database name' },
    { name: 'VerifyInfo', value: 'Verification info' },
        { name: 'Target', value: 'Verification host:port' },
        { name: 'URL', value: 'Verification URL' },
        { name: 'Postdata', value: 'Verification POST data' },
        { name: 'Path', value: 'Website absolute path' },
    { name: 'SiteAttr', value: 'Website server information' },
        { name: 'Process', value: 'Server process' }
]
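As an added example for the Result Convention, extra and evidence rules above (written for this page, not code from pocsuite3), the checker below encodes the general fields as a group-to-sub-field table and reports every violation: an unknown top-level key, a non-dict group, an unknown sub-field, or evidence stored anywhere other than extra. build_result shows the shape a verified finding should take; the target, URL and evidence strings in the usage call are constructed sample values.

```python
# General result fields from the specification: group -> allowed sub-fields.
GENERAL_FIELDS = {
    "DBInfo": {"Username", "Password", "Salt", "Uid", "Groupid"},
    "ShellInfo": {"URL", "Content"},
    "FileInfo": {"Filename", "Content"},
    "XSSInfo": {"URL", "Payload"},
    "AdminInfo": {"Uid", "Username", "Password"},
    "Database": {"Hostname", "Username", "Password", "DBname"},
    "VerifyInfo": {"Target", "URL", "Postdata", "Path"},
    "SiteAttr": {"Process"},
}


def check_result(result):
    """Return a list of convention violations; an empty list means compliant."""
    if not isinstance(result, dict):
        return ["result must be a dict"]
    problems = []
    if not result:
        problems.append("result is empty; return a complete item")
    for group, value in result.items():
        if group == "extra":
            if not isinstance(value, dict):
                problems.append("extra must be a dict")
            continue
        if group == "evidence":
            problems.append("evidence is only allowed under extra")
            continue
        if group not in GENERAL_FIELDS:
            problems.append("unknown top-level field %r; put it under extra" % group)
            continue
        if not isinstance(value, dict):
            problems.append("%s must be a dict of sub-fields" % group)
            continue
        for sub in value:
            if sub == "evidence":
                problems.append("evidence is only allowed under extra, not %s" % group)
            elif sub not in GENERAL_FIELDS[group]:
                problems.append("unknown sub-field %s.%s; use extra" % (group, sub))
    return problems


def build_result(target, url, postdata=None, evidence=None, **custom):
    """Assemble the result for a verified finding the way the convention wants.

    Anything not covered by a general field (the **custom keys) and the
    forensic evidence both go under extra; nothing else is placed there.
    """
    result = {"VerifyInfo": {"Target": target, "URL": url}}
    if postdata is not None:
        result["VerifyInfo"]["Postdata"] = postdata
    if evidence is not None or custom:
        result["extra"] = dict(custom)
        if evidence is not None:
            result["extra"]["evidence"] = evidence
    return result


if __name__ == "__main__":
    # Constructed sample values; no real host is contacted.
    ok = build_result(
        "192.0.2.10:8080",
        "http://192.0.2.10:8080/login",
        postdata="user=admin",
        evidence="HTTP 200 and admin session cookie in response (constructed)",
    )
    print(check_result(ok))                      # []
    print(check_result({"evidence": "x"}))       # evidence outside extra
    print(check_result({"Foo": {"bar": 1}}))     # unknown group
```

A check like this is cheap to run on every PoC before it is merged: the most common mistakes, a custom key at the top level instead of under extra and evidence dropped into VerifyInfo, are exactly the ones that break downstream consumers expecting the general field layout.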
Vulnerability Type Specification
| Name (English) | Name (Chinese) | Abbreviation |
|---|---|---|
| Cross Site Scripting | 跨站脚本 | xss |
| Cross Site Request Forgery | 跨站请求伪造 | csrf |
| SQL Injection | Sql注入 | sql-inj |
| LDAP Injection | ldap注入 | ldap-inj |
| Mail Command Injection | 邮件命令注入 | smtp-inj |
| Null Byte Injection | 空字节注入 | null-byte-inj |
| CRLF Injection | CRLF注入 | crlf-inj |
| SSI Injection | Ssi注入 | ssi-inj |
| XPath Injection | Xpath注入 | xpath-inj |
| XML Injection | Xml注入 | xml-inj |
| XQuery Injection | Xquery 注入 | xquery-inj |
| Command Execution | 命令执行 | cmd-exec |
| Code Execution | 代码执行 | code-exec |
| Remote File Inclusion | 远程文件包含 | rfi |
| Local File Inclusion | 本地文件包含 | lfi |
| Abuse of Functionality | 功能函数滥用 | func-abuse |
| Brute Force | 暴力破解 | brute-force |
| Buffer Overflow | 缓冲区溢出 | buffer-overflow |
| Content Spoofing | 内容欺骗 | spoofing |
| Credential Prediction | 证书预测 | credential-prediction |
| Session Prediction | 会话预测 | session-prediction |
| Denial of Service | 拒绝服务 | dos |
| Fingerprinting | 指纹识别 | finger |
| Format String | 格式化字符串 | format-string |
| HTTP Response Smuggling | http响应伪造 | http-response-smuggling |
| HTTP Response Splitting | http响应拆分 | http-response-splitting |
| HTTP Request Splitting | http请求拆分 | http-request-splitting |
| HTTP Request Smuggling | http请求伪造 | http-request-smuggling |
| HTTP Parameter Pollution | http参数污染 | hpp |
| Integer Overflows | 整数溢出 | int-overflow |
| Predictable Resource Location | 可预测资源定位 | res-location |
| Session Fixation | 会话固定 | session-fixation |
| URL Redirector Abuse | url重定向 | redirect |
| Privilege Escalation | 权限提升 | privilege-escalation |
| Resolve Error | 解析错误 | resolve-error |
| Arbitrary File Creation | 任意文件创建 | file-creation |
| Arbitrary File Download | 任意文件下载 | file-download |
| Arbitrary File Deletion | 任意文件删除 | file-deletion |
| Arbitrary File Read | 任意文件读取 | file-read |
| Backup File Found | 备份文件发现 | bak-file-found |
| Database Found | 数据库发现 | db-found |
| Directory Listing | 目录遍历 | dir-listing |
| Directory Traversal | 目录穿越 | dir-traversal |
| File Upload | 文件上传 | file-upload |
| Login Bypass | 登录绕过 | login-bypass |
| Weak Password | 弱密码 | weak-pass |
| Remote Password Change | 远程密码修改 | remote-pass-change |
| Code Disclosure | 代码泄漏 | code-disclosure |
| Path Disclosure | 路径泄漏 | path-disclosure |
| Information Disclosure | 信息泄漏 | info-disclosure |
| Security Mode Bypass | 安全模式绕过 | sec-bypass |
| Malware | 挂马 | mal |
| Black Link | 暗链 | black-link |
| Backdoor | 后门 | backdoor |
| Insecure Cookie Handling | 不安全的Cookie | insecure-cookie-handling |
| Shellcode | Shellcode | shellcode |
| Variable Coverage | 变量覆盖 | variable-coverage |
| Injecting Malware Codes | 恶意代码注入 | injecting-malware-codes |
| Upload Files | 文件上传 | upload-files |
| Local Overflow | 本地溢出 | local-overflow |
| Path Traversal | 目录穿越 | path-traversal |
| Unauthorized Access | 未授权访问 | unauth-access |
| Remote Overflow | 远程溢出 | remote-overflow |
| Man-in-the-middle | 中间人攻击 | mitm |
| Out of Memory | 内存溢出 | out-of-memory |
| Buffer Over-read | 缓冲区越界读 | buffer-over-read |
| Backup File Found | 备份文件泄漏 | backup-file-found |
| Use After Free | 释放后使用 | uaf |
| DNS Hijacking | DNS劫持 | dns-hijacking |
| Improper Input Validation | 不正确的输入校验 | improper-input-validation |
| Universal Cross-site Scripting | 通用型XSS | uxss |
| Server-Side Request Forgery | 服务器端请求伪造 | ssrf |
| Other | 其他 | other |
See also Seebug Vulnerability Type Specification.