PoC Writing Notice
- When writing a PoC, try not to use third-party modules. If one is unavoidable, fill in the install_requires field carefully; for the format, refer to "PoC Third-party Module Dependency".
- When writing a PoC, prefer the methods that the Pocsuite3 API already encapsulates, so that you do not reinvent the wheel. General-purpose methods can be added to the API itself. For details, refer to "General API List".
- If the PoC needs to include remote files, use Pocsuite3 remote files. For details, refer to "Pocsuite3 Remote File". If the file you need is missing, submit a PR on GitHub.
- When writing a PoC, avoid requiring input parameters wherever possible. A PoC that needs per-target customization cannot be scheduled and executed in batch.
- For the convenience of PoC management, fill in the PoC information fields carefully.
- To prevent false positives, and to keep fixed keywords from being matched by a WAF, the value you check for when judging the verification result must be derived from a random string (call the
random_str
method in the API) instead of a constant string. A constant marker can already be present in a page, or can be cached, for reasons unrelated to the vulnerability; a fresh token cannot.
for example:
When detecting SQL injection:
    import hashlib
    from pocsuite3.api import random_str

    token = random_str()
    # the token must be a quoted string literal, otherwise the DBMS parses it as a column name
    payload = "select md5('%s')" % token
    ...
    # random_str() returns str; hashlib needs bytes
    if hashlib.new('md5', token.encode()).hexdigest() in content:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = self.url
When detecting XSS vulnerabilities:
    # Refer to https://paper.seebug.org/1119/
    token = random_str()
    payload = 'alert("%s")' % token
    ...
    # a reflection that was HTML-escaped no longer contains the payload verbatim, so it is not a hit
    if payload in content:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = self.url
Check if PHP file upload was successful:
    token = random_str()
    # the uploaded script prints the token hash and then removes itself
    payload = '<?php echo md5("%s");unlink(__FILE__);?>' % token
    ...
    if hashlib.new('md5', token.encode()).hexdigest() in content:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = self.url
- For an arbitrary file read vulnerability, if you do not know a file path to read, read a well-known system file for verification. Check both a Linux and a Windows file, because the target's operating system is not known in advance. example:
    result = {}
    for path in ['/etc/passwd', '/windows/win.ini']:
        res = self._arbitrary_file_read(path)
        # marker strings that reliably appear in the respective file
        if b':/bin' in res or b'[fonts]' in res:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            result['VerifyInfo'][path] = res.decode()
            break
    return self.parse_output(result)
- In verify mode, every file the PoC uploads must be deleted again (the PHP example above removes itself with unlink(__FILE__)).
- After the PoC is written, be sure to test it. The test rule is: run it against 5 websites that are not affected by the vulnerability and confirm that verification fails on all of them, and against 5 websites that are affected and confirm that verification succeeds on all of them.
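The token-based checks from this notice, collected into one small runnable module as an added example; this is not Pocsuite3's own code. random_str here is a local stand-in for pocsuite3.api.random_str so the block runs without pocsuite3 installed, read_file is a hypothetical callable standing in for the PoC's own _arbitrary_file_read helper, and the HTTP responses in the demo are constructed inline.

```python
import hashlib
import random
import string


# Stand-in for pocsuite3.api.random_str so the example runs offline
# (assumption: same alphanumeric alphabet and 10-character default length).
def random_str(length=10, chars=string.ascii_letters + string.digits):
    return ''.join(random.choice(chars) for _ in range(length))


def md5_hex(text):
    """hashlib wants bytes; the token from random_str is str."""
    return hashlib.md5(text.encode()).hexdigest()


def sqli_probe(token):
    """Token must be a quoted string literal or the DBMS treats it as a column."""
    return "select md5('%s')" % token


def xss_probe(token):
    return 'alert("%s")' % token


def php_upload_probe(token):
    """Prints a token-derived value, then removes itself (verify-mode rule)."""
    return '<?php echo md5("%s");unlink(__FILE__);?>' % token


def verify_sqli(token, content):
    # Only a target that really evaluated the probe can return the hash;
    # a page that merely reflects the payload text is not a hit.
    return md5_hex(token) in content


def verify_xss(token, content):
    # An HTML-escaped reflection no longer contains the payload verbatim.
    return xss_probe(token) in content


def verify_php_upload(token, content):
    return md5_hex(token) in content


# Linux and Windows fallback files with a marker each one reliably contains.
FILE_READ_MARKERS = {
    '/etc/passwd': b':/bin',
    '/windows/win.ini': b'[fonts]',
}


def verify_file_read(read_file, url):
    """read_file(path) -> bytes stands in for the PoC's _arbitrary_file_read.
    Returns the VerifyInfo dict on a hit, or None if neither file matched."""
    for path, marker in FILE_READ_MARKERS.items():
        res = read_file(path)
        if marker in res:
            return {'URL': url, path: res.decode(errors='replace')}
    return None


if __name__ == '__main__':
    token = random_str()
    # Constructed responses: one target evaluated the probe, one only echoed it.
    evaluated = '<td>%s</td>' % md5_hex(token)
    reflected = 'SQL error near: %s' % sqli_probe(token)
    print('evaluated ->', verify_sqli(token, evaluated))   # True
    print('reflected ->', verify_sqli(token, reflected))   # False

    # Constructed file-read target that only serves the Linux file.
    def fake_reader(path):
        return b'root:x:0:0:root:/root:/bin/bash\n' if path == '/etc/passwd' else b''

    print(verify_file_read(fake_reader, 'http://target.example'))
```

The negative cases are the point of the rule: a response that reflects `select md5('...')` as text, or an escaped `alert(&quot;...&quot;)`, does not satisfy the check, whereas a fixed marker such as `alert(1)` could be matched by unrelated page content or blocked by a WAF signature.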