Merge branch 'master' of https://github.com/knownsec/pocsuite3
boy-hack committed Apr 4, 2019
2 parents 4a7b5f2 + c8ddb77 commit 5fc2d93
Showing 8 changed files with 725 additions and 60 deletions.
107 changes: 106 additions & 1 deletion docs/CODING.md
Expand Up @@ -394,10 +394,10 @@ from pocsuite3.api import OptString,OptDict,OptIP,OptPort,OptBool,OptInteger,Opt
|from pocsuite3.api import ZoomEye|ZoomEye api 调用|
|from pocsuite3.api import CEye|Ceye api 调用|
|from pocsuite3.api import crawl|简单爬虫功能|
|from pocsuite3.api import PHTTPServer|Http服务功能|
|from pocsuite3.api import REVERSE_PAYLOAD|反向连接shell payload|
|from pocsuite3.api import get_results|获取结果|


**参数调用**<div id="api_params"></div>

* self.headers 用来获取 http 请求头, 可以通过 --cookie, --referer, --user-agent, --headers 来修改和增加需要的部分
Expand All @@ -411,6 +411,7 @@ from pocsuite3.api import OptString,OptDict,OptIP,OptPort,OptBool,OptInteger,Opt
##### PoC Python 代码示例<div id="pyexample"></div>

[Ecshop 2.x/3.x Remote Code Execution](http://www.seebug.org/vuldb/ssvid-97343) PoC:

```
import base64
from urllib.parse import urljoin
Expand Down Expand Up @@ -510,7 +511,111 @@ class DemoPOC(POCBase):
register_poc(DemoPOC)
```


HttpServer Demo:

```python
"""
If you have issues about development, please read:
https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md
for more about information, plz visit http://pocsuite.org
"""
from http.server import SimpleHTTPRequestHandler

from pocsuite3.api import Output, POCBase, register_poc
from pocsuite3.api import PHTTPServer


class MyRequestHandler(SimpleHTTPRequestHandler):
def do_GET(self):
path = self.path
status = 404
count = 0

xxe_dtd = '''xxx'''
if path == "/xxe_dtd":
count = len(xxe_dtd)
status = 200
self.send_response(status)
self.send_header('Content-Type', 'text/html')
self.send_header('Content-Length', '{}'.format(count))
self.end_headers()
self.wfile.write(xxe_dtd.encode())
return
self.send_response(status)
self.send_header('Content-Type', 'text/html')
self.send_header("Content-Length", "{}".format(count))
self.end_headers()

def do_HEAD(self):
status = 404

if self.path.endswith('jar'):
status = 200
self.send_response(status)
self.send_header("Content-type", "text/html")
self.send_header("Content-Length", "0")
self.end_headers()


class DemoPOC(POCBase):
vulID = '' # ssvid
version = '1.0'
author = ['seebug']
vulDate = '2018-03-08'
createDate = '2018-04-12'
updateDate = '2018-04-13'
references = ['']
name = ''
appPowerLink = ''
appName = ''
appVersion = ''
vulType = ''
desc = '''
'''
samples = []
install_requires = ['']

def _verify(self):
result = {}
'''Simple http server demo
default params:
bind_ip='0.0.0.0'
bind_port=666
is_ipv6=False
use_https=False
certfile=os.path.join(paths.POCSUITE_DATA_PATH, 'cacert.pem')
requestHandler=BaseRequestHandler
You can write your own handler, default list current directory
'''
httpd = PHTTPServer(requestHandler=MyRequestHandler)
httpd.start()

# Write your code
return self.parse_output(result)

def parse_output(self, result):
output = Output(self)
if result:
output.success(result)
else:
output.fail('target is not vulnerable')
return output

_attack = _verify


register_poc(DemoPOC)

```





### pocsuite3 集成调用<div id="pocsuite_import"></div>

pocsuite3 api 提供了集成调用` pocsuite3` 的全部功能函数,可参见测试用例 `tests/test_import_pocsuite_execute.py`。典型的集成调用方法如下:

```python
3 changes: 2 additions & 1 deletion pocsuite3/api/__init__.py
Expand Up @@ -19,6 +19,7 @@
from pocsuite3.modules.zoomeye import ZoomEye
from pocsuite3.modules.shodan import Shodan
from pocsuite3.modules.spider import crawl
from pocsuite3.modules.httpserver import PHTTPServer
from pocsuite3.shellcodes import OSShellcodes, WebShell
from pocsuite3.lib.core.interpreter_option import OptDict, OptIP, OptPort, OptBool, OptInteger, OptFloat, OptString, \
OptItems, OptDict
Expand All @@ -28,7 +29,7 @@
'PLUGIN_TYPE', 'POCBase', 'Output', 'AttribDict', 'POC_CATEGORY',
'register_poc', 'conf', 'kb', 'logger', 'paths', 'DEFAULT_LISTENER_PORT', 'load_file_to_module',
'load_string_to_module', 'single_time_warn_message', 'CEye', 'Seebug',
'ZoomEye', 'Shodan', 'REVERSE_PAYLOAD', 'get_listener_ip', 'get_listener_port',
'ZoomEye', 'Shodan', 'PHTTPServer','REVERSE_PAYLOAD', 'get_listener_ip', 'get_listener_port',
'get_results', 'init_pocsuite', 'start_pocsuite', 'get_poc_options', 'crawl',
'OSShellcodes', 'WebShell','OptDict', 'OptIP', 'OptPort', 'OptBool', 'OptInteger', 'OptFloat', 'OptString', \
'OptItems', 'OptDict')
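Review bot: The new `__all__` entry is written without the space after the comma that every neighbouring entry in this tuple has, `'ZoomEye', 'Shodan', 'PHTTPServer','REVERSE_PAYLOAD',`; the conventional form is `'ZoomEye', 'Shodan', 'PHTTPServer', 'REVERSE_PAYLOAD',`. Purely cosmetic, but a formatter run would otherwise churn this line later. The `__all__` tuple starts above the hunk.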
109 changes: 75 additions & 34 deletions pocsuite3/lib/core/common.py
@@ -1,23 +1,23 @@
import struct
import sys
import time

import hashlib
import inspect
import logging
import os
import re
import select
import shlex
import socket
import struct
import subprocess
import sys
import time
from collections import OrderedDict
from functools import wraps
from ipaddress import ip_address, ip_network
from platform import machine
from subprocess import call, Popen, PIPE

import requests
import chardet
from collections import OrderedDict

import hashlib
import os
import re
import socket
from ipaddress import ip_address, ip_network
import requests

from pocsuite3.lib.core.convert import stdout_encode
from pocsuite3.lib.core.data import conf
Expand All @@ -35,12 +35,13 @@
from pocsuite3.lib.core.settings import IP_ADDRESS_REGEX
from pocsuite3.lib.core.settings import OLD_VERSION_CHARACTER
from pocsuite3.lib.core.settings import POCSUITE_VERSION_CHARACTER
from pocsuite3.lib.core.settings import POC_NAME_REGEX
from pocsuite3.lib.core.settings import POC_REQUIRES_REGEX
from pocsuite3.lib.core.settings import UNICODE_ENCODING
from pocsuite3.lib.core.settings import URL_ADDRESS_REGEX
from pocsuite3.lib.core.settings import POC_REQUIRES_REGEX
from pocsuite3.lib.core.settings import POC_NAME_REGEX
from pocsuite3.thirdparty.termcolor.termcolor import colored
from pocsuite3.thirdparty.colorama.initialise import init as coloramainit
from pocsuite3.thirdparty.ifcfg import ifcfg
from pocsuite3.thirdparty.termcolor.termcolor import colored


def read_binary(filename):
Expand Down Expand Up @@ -887,11 +888,14 @@ def _wrapper(self, *args, **kwargs):

return _outer_wrapper

def check_port(ip, port, is_ipv6=False):
AF_INET = socket.AF_INET6 if is_ipv6 else socket.AF_INET
s = socket.socket(AF_INET, socket.SOCK_STREAM)

def check_port(ip, port):
res = socket.getaddrinfo(ip, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
af, sock_type, proto, canonname, sa = res[0]
s = socket.socket(af, sock_type, proto)

try:
s.connect((ip, port))
s.connect(sa)
s.shutdown(2)
return True
except:
Expand All @@ -900,19 +904,56 @@ def check_port(ip, port, is_ipv6=False):
s.close()


def get_host_ipv6(ipv4):
ip4 = list()
ip6 = list()
def exec_cmd(cmd, raw_data=True):
cmd = shlex.split(cmd)
out_data = b''
try:
for interface in socket.getaddrinfo(socket.gethostname(), None):
ip = interface[4][0]
if interface[0] == socket.AF_INET:
ip4.append(ip.split('%')[0])
else:
ip6.append(ip.split('%')[0])
except Exception:
pass
d = dict()
for ip4, ip6 in zip(ip4, ip6):
d[ip4] = ip6
return d.get(ipv4)
p = subprocess.Popen(
cmd, shell=True, stdout=subprocess.PIPE,
stderr=subprocess.STDOUT)
while p.poll() is None:
line = p.stdout.read()
out_data += line
except Exception as ex:
print("Execute cmd error {}".format(str(ex)))

encoding = chardet.detect(out_data).get('encoding')
encoding = encoding if encoding else 'utf-8'
if IS_WIN:
out_data = out_data.split(b'\r\n\r\n')
else:
out_data = out_data.split(b'\n\n')
if not raw_data:
for i, data in enumerate(out_data):
out_data[i] = data.decode(encoding, errors='ignore')

return out_data


def get_all_nic_info():
nic_info = dict()
for name, info in ifcfg.interfaces().items():
nic_info[name] = info
return nic_info


def get_host_ipv6(with_nic=True):
nic_info = get_all_nic_info()
ipv4 = get_host_ip()
ipv6 = None
for nic, info in nic_info.items():
ip4 = info['inet4']
ip6 = info['inet6']
if not all([ip4, ip6]):
continue
ip4, ip6 = ip4.pop(), ip6.pop()
if ip4 == ipv4:
ipv6 = ip6 if ip6 else None
if ipv6 and '%' not in ipv6:
ipv6 = ipv6 + '%' + nic
break

if ipv6:
if not with_nic:
ipv6 = ipv6.split('%')[0]
return ipv6
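Review bot: In `exec_cmd`, `cmd = shlex.split(cmd)` turns the command into a list but the `subprocess.Popen` call a few lines below still passes `shell=True`; on POSIX a list given with `shell=True` hands only `cmd[0]` to the shell and the remaining tokens become the shell's positional parameters, so every argument of the command is silently dropped. Removing the keyword lets the split list run directly and keeps the arguments from being reinterpreted by a shell: `p = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)`. The `except Exception` branch reports the failure with `print` rather than through logging, which is worth aligning with whatever logger this module has in scope (not visible in the hunk). Earlier in this section, `check_port`'s new `socket.getaddrinfo` call sits before the `try`, so an unresolvable host now raises `socket.gaierror` where the previous implementation returned `False`; moving that lookup inside the `try` (or catching `OSError` around it) restores the old contract for callers such as the httpserver module. `check_port`'s body spans the two hunks of this section.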
11 changes: 8 additions & 3 deletions pocsuite3/modules/httpserver/__init__.py
Expand Up @@ -16,6 +16,7 @@
from pocsuite3.lib.core.common import check_port
from pocsuite3.lib.core.common import get_host_ip, get_host_ipv6
from pocsuite3.lib.core.data import logger, paths
from pocsuite3.lib.core.exception import PocsuiteSystemException


class PHTTPSingleton(type):
Expand Down Expand Up @@ -105,7 +106,11 @@ def __init__(self, bind_ip='0.0.0.0', bind_port=666, is_ipv6=False, use_https=Fa
self.server_started = False # Aviod start server mutl-times
self.requestHandler = requestHandler
if ':' in bind_ip:
self.host_ip = get_host_ipv6(get_host_ip())
ipv6 = get_host_ipv6()
if not ipv6:
logger.error('Your machine may not support ipv6')
raise PocsuiteSystemException
self.host_ip = ipv6
self.httpserver = HTTPServerV6
self.is_ipv6 = True
else:
Expand All @@ -125,7 +130,7 @@ def start(self, daemon=True):
'Httpd serve has been started on {}://{}:{}, '.format(self.scheme, self.bind_ip, self.bind_port))
return

if check_port(self.host_ip, self.bind_port, self.is_ipv6):
if check_port(self.host_ip, self.bind_port):
logger.error('Port {} has been occupied, start Httpd serve failed!'.format(self.bind_port))
return

Expand All @@ -137,7 +142,7 @@ def start(self, daemon=True):
while detect_count:
try:
logger.info('Detect {} server is runing or not...'.format(self.scheme))
if check_port(self.host_ip, self.bind_port, self.is_ipv6):
if check_port(self.host_ip, self.bind_port):
break
except Exception as ex:
logger.error(str(ex))
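Review bot: The IPv6 failure path in `__init__` logs with `logger.error` and then raises a bare `PocsuiteSystemException` with no message, so once the exception leaves this constructor nothing attached to it says why the server could not start. Putting the text on the exception and dropping the separate log line, `raise PocsuiteSystemException('Your machine may not support ipv6')`, keeps a single source of truth for the reason (assuming PocsuiteSystemException takes a message argument like a standard Exception). The enclosing `__init__` starts above the hunk, and `start` continues below it.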
