Commit 6045e0dd authored by Nong Hoang Tu's avatar Nong Hoang Tu

New upstream version 1.8.8

parent 229e1b38
name: Lint
on: [pull_request]
jobs:
lint:
strategy:
matrix:
python-version: ['3.10']
os: [ubuntu-latest]
runs-on: ${{ matrix.os }}
timeout-minutes: 30
steps:
- uses: actions/checkout@v2
- name: Cache for pip
uses: actions/cache@v1
id: cache-pip
with:
path: ~/.cache/pip
key: ${{ matrix.os }}-cache-pip
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v1
with:
python-version: ${{ matrix.python-version }}
- name: Critical lint
run: |
pip install flake8
# https://michaelcurrin.github.io/dev-cheatsheets/cheatsheets/python/linting/flake8.html
flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
- name: Style lint
run: |
flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --ignore=C901,W503,W504 --statistics > current.txt
git fetch origin
git checkout origin/"$GITHUB_BASE_REF"
flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --ignore=C901,W503,W504 --statistics > base.txt
if diff base.txt current.txt | grep "^> ./"; then
false
fi
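Review bot: Every third-party action in this workflow is referenced by a mutable tag (`actions/checkout@v2`, `actions/cache@v1`, `actions/setup-python@v1`), so the code that runs in the job can change without any change to this repository; pinning to a full commit SHA with the tag in a trailing comment (e.g. `uses: actions/checkout@<commit-sha>  # v2`) keeps the workflow reproducible and auditable. The same applies to the PyLint and Test workflows below, and to the unpinned `pip install flake8` / `pip install pylint` steps, which install whatever version is current at run time. `actions/cache@v1` and `actions/setup-python@v1` are also old major versions; moving to the current major would be worth doing at the same time as the pinning.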
name: PyLint
on: [pull_request]
jobs:
pylint:
strategy:
matrix:
python-version: ['3.10']
os: [ubuntu-latest]
runs-on: ${{ matrix.os }}
timeout-minutes: 30
steps:
- uses: actions/checkout@v2
- name: Cache for pip
uses: actions/cache@v1
id: cache-pip
with:
path: ~/.cache/pip
key: ${{ matrix.os }}-cache-pip
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v1
with:
python-version: ${{ matrix.python-version }}
- name: PyLint
run: |
set -x
pip install pylint
pip install --upgrade -r requirements.txt
# TODO: donot ignore serialization.py
pylint --exit-zero --errors-only --ignore=serialization.py pocsuite3 > current.txt
git fetch origin
git checkout origin/"$GITHUB_BASE_REF"
pylint --exit-zero --errors-only --ignore=serialization.py pocsuite3 > base.txt
if diff base.txt current.txt | grep "^> "; then
false
fi
name: Test
on: [pull_request]
jobs:
test:
strategy:
matrix:
python-version: [3.6, '3.10']
os: [ubuntu-latest, macos-latest, windows-latest]
runs-on: ${{ matrix.os }}
timeout-minutes: 30
steps:
- uses: actions/checkout@v2
- name: Cache for pip
uses: actions/cache@v1
id: cache-pip
with:
path: ~/.cache/pip
key: ${{ matrix.os }}-cache-pip
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v1
with:
python-version: ${{ matrix.python-version }}
- name: Install dependencies & Test
run: |
pip install --upgrade -r requirements.txt
python setup.py install
python test.py
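Review bot: The matrix on the `python-version` line mixes an unquoted float (`3.6`) with a quoted string (`'3.10'`); the float happens to stringify correctly, but quoting both (`python-version: ['3.6', '3.10']`) makes the intent explicit and matches the guard the second entry already needs. `python setup.py install` is also deprecated in favour of `pip install .`, which exercises the same packaging metadata that the published distribution uses.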
......@@ -274,6 +274,13 @@ Cross-platform shell code generation
* fix #228
# version 1.8.7
-----------------
* fix bug
* optimize code style & docs
* delete the exe tool for compatibility with dfsg
# version 1.8.8
-----------------
* rewrite multi module
* integrate with interactsh
* support filter poc by keyword
......@@ -30,6 +30,7 @@ It comes with a powerful proof-of-concept engine, many nice features for the ult
* Integrate with [ZoomEye](https://www.zoomeye.org) (for load target from ZoomEye `Dork`)
* Integrate with [Shodan](https://www.shodan.io) (for load target from Shodan `Dork`)
* Integrate with [Ceye](http://ceye.io/) (for verify blind DNS and HTTP request)
* Integrate with [Interactsh](https://github.com/projectdiscovery/interactsh) (for verify blind DNS and HTTP request)
* Integrate with Fofa (for load target from Fofa `Dork`)
* Friendly debug PoC scripts with IDEs
* More ...
......@@ -58,12 +59,40 @@ It comes with a powerful proof-of-concept engine, many nice features for the ult
## Installation
The quick way:
Paste at a terminal prompt:
### Python pip
``` bash
pip3 install pocsuite3
# use other pypi mirror
pip3 install -i https://pypi.tuna.tsinghua.edu.cn/simple pocsuite3
```
### MacOS
``` bash
$ pip3 install pocsuite3
brew update
brew info pocsuite3
brew install pocsuite3
```
### [Debian](https://tracker.debian.org/pkg/pocsuite3), [Ubuntu](https://launchpad.net/ubuntu/+source/pocsuite3), [Kali](http://pkg.kali.org/pkg/pocsuite3)
``` bash
sudo apt update
sudo apt install pocsuite3
```
### ArchLinux
``` bash
yay pocsuite3
```
###
Or click [here](https://github.com/knownsec/pocsuite3/archive/master.zip) to download the latest source zip package and extract
``` bash
......@@ -75,7 +104,7 @@ $ python3 setup.py install
```
The latest version of this software is available at: http://pocsuite.org
The latest version of this software is available at: https://pocsuite.org
## Documentation
......@@ -125,7 +154,7 @@ console mode
* [Change Log](./CHANGELOG.md)
* [Bug tracking](https://github.com/knownsec/pocsuite3/issues)
* [Copyright](./COPYING)
* [Pocsuite](http://pocsuite.org)
* [Pocsuite](https://pocsuite.org)
* [Seebug](https://www.seebug.org)
* [ZoomEye](https://www.zoomeye.org)
* [Knownsec](https://www.knownsec.com)
......@@ -157,7 +157,7 @@ from pocsuite3.lib.utils import random_str
desc = '/api/v2.0/user/remoteserver.saml接口的name参数存在命令注入' # 漏洞简要描述
samples = ['http://192.168.1.1'] # 测试样列,就是用 PoC 测试成功的目标
install_requires = ['BeautifulSoup4:bs4'] # PoC 第三方模块依赖,请尽量不要使用第三方模块,必要时请参考《PoC第三方模块依赖说明》填写
pocDesc = ''' poc的用法描述 '''
pocDesc = ''' poc的用法描述 '''
dork = {'zoomeye': 'deviceState.admin.hostname'} # 搜索 dork,如果运行 PoC 时不提供目标且该字段不为空,将会调用插件从搜索引擎获取目标。
suricata_request = '''http.uri; content: "/api/v2.0/user/remoteserver.saml";''' # 请求流量 suricata 规则
suricata_response = '' # 响应流量 suricata 规则
......@@ -395,7 +395,7 @@ from pocsuite3.api import OptString, OptDict, OptIP, OptPort, OptBool, OptIntege
#### Pocsuite3 远程调用文件列表<div id="inclue_files"></div>
部分 PoC 需要采用包含远程文件的形式,要求基于 Pocsuite3 的 PoC 统一调用统一文件(如需引用未在以下文件列表内文件,请联系 404-team@knownsec.com 或者直接提交 issue)。
统一 URL 调用路径:`http://pocsuite.org/include_files/`,如 `http://pocsuite.org/include_files/xxe_verify.xml`
统一 URL 调用路径:`https://pocsuite.org/include_files/`,如 `https://pocsuite.org/include_files/xxe_verify.xml`
**文件列表**
......@@ -561,7 +561,7 @@ HttpServer Demo:
"""
If you have issues about development, please read:
https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md
for more about information, plz visit http://pocsuite.org
for more about information, plz visit https://pocsuite.org
"""
from http.server import SimpleHTTPRequestHandler
......
......@@ -28,7 +28,8 @@ Target:
Target URL (e.g. "http://www.site.com/vuln.php?id=1")
-f URL_FILE, --file URL_FILE
Scan multiple targets given in a textual file
-r POC [POC ...] Load POC file from local or remote from seebug website
-r POC [POC ...] Load PoC file from local or remote from seebug website
-k POC_KEYWORD Filter PoC by keyword, e.g. ecshop
-c CONFIGFILE Load options from a configuration INI file
Mode:
......@@ -49,7 +50,7 @@ Request:
--proxy-cred PROXY_CRED
Proxy authentication credentials (name:password)
--timeout TIMEOUT Seconds to wait before timeout connection (default 30)
--retry RETRY Time out retrials times.
--retry RETRY Time out retrials times
--delay DELAY Delay between two request of one thread
--headers HEADERS Extra headers (e.g. "key1: value1\nkey2: value2")
......@@ -76,23 +77,23 @@ Account:
Modules:
Modules(Seebug, Zoomeye, CEye, Fofa, Quake, Listener) options
--dork DORK Zoomeye dork used for search.
--dork DORK Zoomeye dork used for search
--dork-zoomeye DORK_ZOOMEYE
Zoomeye dork used for search.
Zoomeye dork used for search
--dork-shodan DORK_SHODAN
Shodan dork used for search.
Shodan dork used for search
--dork-censys DORK_CENSYS
Censys dork used for search.
Censys dork used for search
--dork-fofa DORK_FOFA
Fofa dork used for search.
Fofa dork used for search
--dork-quake DORK_QUAKE
Quake dork used for search.
--max-page MAX_PAGE Max page used in search API.
Quake dork used for search
--max-page MAX_PAGE Max page used in search API
--search-type SEARCH_TYPE
search type used in ZoomEye API, web or host
--vul-keyword VUL_KEYWORD
Seebug keyword used for search.
--ssv-id SSVID Seebug SSVID number for target PoC.
Seebug keyword used for search
--ssv-id SSVID Seebug SSVID number for target PoC
--lhost CONNECT_BACK_HOST
Connect back host for target PoC in shell mode
--lport CONNECT_BACK_PORT
......@@ -108,12 +109,12 @@ Optimization:
--pocs-path POCS_PATH
User defined poc scripts path
--threads THREADS Max number of concurrent network requests (default 1)
--batch BATCH Automatically choose defaut choice without asking.
--batch BATCH Automatically choose defaut choice without asking
--requires Check install_requires
--quiet Activate quiet mode, working without logger.
--quiet Activate quiet mode, working without logger
--ppt Hiden sensitive information when published to the network
--pcap use scapy capture flow
--rule export rules, default export reqeust and response
--rule export suricata rules, default export reqeust and response
--rule-req only export request rule
--rule-filename RULE_FILENAME
Specify the name of the export rule file
......
......@@ -31,7 +31,7 @@ is maintained at:
.I https://github.com/knownsec/pocsuite3/blob/master/docs/USAGE.md
.PP
.SH VERSION
This manual page documents pocsuite3 version 1.8.7
This manual page documents pocsuite3 version 1.8.8
.SH AUTHOR
.br
(c) 2014-2021 by Knownsec 404 Team
......
......@@ -50,6 +50,9 @@ Scan multiple targets given in a textual file
\fB\-r\fR POC [POC ...]
Load POC file from local or remote from seebug website
.TP
\fB\-k\fR POC_KEYWORD
Filter PoC by keyword, e.g. ecshop
.TP
\fB\-c\fR CONFIGFILE
Load options from a configuration INI file
.SS "Mode:"
......@@ -90,7 +93,7 @@ Proxy authentication credentials (name:password)
Seconds to wait before timeout connection (default 30)
.TP
\fB\-\-retry\fR RETRY
Time out retrials times.
Time out retrials times
.TP
\fB\-\-delay\fR DELAY
Delay between two request of one thread
......@@ -116,6 +119,9 @@ fofa user
\fB\-\-fofa\-token\fR FOFA_TOKEN
fofa token
.TP
\fB\-\-quake\-token\fR QUAKE_TOKEN
quake token
.TP
\fB\-\-censys\-uid\fR CENSYS_UID
Censys uid
.TP
......@@ -126,31 +132,31 @@ Censys secret
Modules (Seebug, Zoomeye, CEye, Fofa, Listener) options
.TP
\fB\-\-dork\fR DORK
Zoomeye dork used for search.
Zoomeye dork used for search
.TP
\fB\-\-dork\-zoomeye\fR DORK_ZOOMEYE
Zoomeye dork used for search.
Zoomeye dork used for search
.TP
\fB\-\-dork\-shodan\fR DORK_SHODAN
Shodan dork used for search.
Shodan dork used for search
.TP
\fB\-\-dork\-censys\fR DORK_CENSYS
Censys dork used for search.
Censys dork used for search
.TP
\fB\-\-dork\-fofa\fR DORK_FOFA
Fofa dork used for search.
Fofa dork used for search
.TP
\fB\-\-max\-page\fR MAX_PAGE
Max page used in search API.
Max page used in search API
.TP
\fB\-\-search\-type\fR SEARCH_TYPE
search type used in ZoomEye API, web or host
.TP
\fB\-\-vul\-keyword\fR VUL_KEYWORD
Seebug keyword used for search.
Seebug keyword used for search
.TP
\fB\-\-ssv\-id\fR SSVID
Seebug SSVID number for target PoC.
Seebug SSVID number for target PoC
.TP
\fB\-\-lhost\fR CONNECT_BACK_HOST
Connect back host for target PoC in shell mode
......@@ -180,13 +186,13 @@ User defined poc scripts path
Max number of concurrent network requests (default 1)
.TP
\fB\-\-batch\fR BATCH
Automatically choose defalut choice without asking.
Automatically choose defalut choice without asking
.TP
\fB\-\-requires\fR
Check install_requires
.TP
\fB\-\-quiet\fR
Activate quiet mode, working without logger.
Activate quiet mode, working without logger
.TP
\fB\-\-ppt\fR
Hiden sensitive information when published to the
......@@ -250,7 +256,7 @@ is maintained at:
.I https://github.com/knownsec/pocsuite3/blob/master/docs/USAGE.md
.PP
.SH VERSION
This manual page documents pocsuite3 version 1.8.7
This manual page documents pocsuite3 version 1.8.8
.SH AUTHOR
.br
(c) 2014-2021 by Knownsec 404 Team
......
......@@ -5,6 +5,8 @@ url =
url_file =
; load poc file from local or remote from seebug website
poc = ecshop_rce.py
; filter poc by keyword, e.g. cve-2021-22005
poc_keyword =
[Mode]
; run poc with verify mode
......@@ -27,7 +29,7 @@ proxy =
proxy_cred =
; seconds to wait before timeout connection (default 30)
timeout =
; time out retrials times.
; time out retrials times
retry =
; delay between two request of one thread
delay =
......@@ -53,25 +55,25 @@ censys_uid =
censys_secret =
[Modules]
; zoomeye dork used for search.
; zoomeye dork used for search
dork =
; zoomeye dork used for search.
; zoomeye dork used for search
dork_zoomeye =
; shodan dork used for search.
; shodan dork used for search
dork_shodan =
; censys dork used for search.
; censys dork used for search
dork_censys =
; fofa dork used for search.
; fofa dork used for search
dork_fofa =
; quake dork used for search.
; quake dork used for search
dork_quake =
; max page used in search api.
; max page used in search api
max_page = 1
; search type used in zoomeye api, web or host
search_type = host
; seebug keyword used for search.
; seebug keyword used for search
vul_keyword =
; seebug ssvid number for target poc.
; seebug ssvid number for target poc
ssvid =
; connect back host for target poc in shell mode
connect_back_host =
......@@ -91,11 +93,11 @@ plugins =
pocs_path =
; max number of concurrent network requests (default 1)
threads = 1
; automatically choose defaut choice without asking.
; automatically choose defaut choice without asking
batch =
; check install_requires
check_requires = False
; activate quiet mode, working without logger.
; activate quiet mode, working without logger
quiet = False
; hiden sensitive information when published to the network
ppt = False
......
__title__ = 'pocsuite3'
__version__ = '1.8.7'
__version__ = '1.8.8'
__author__ = 'Knownsec 404 Team'
__author_email__ = '404-team@knownsec.com'
__license__ = 'GPLv2'
......
......@@ -28,6 +28,7 @@ from pocsuite3.modules.seebug import Seebug
from pocsuite3.modules.shodan import Shodan
from pocsuite3.modules.spider import crawl
from pocsuite3.modules.zoomeye import ZoomEye
from pocsuite3.modules.interactsh import Interactsh
from pocsuite3.shellcodes import OSShellcodes, WebShell
__all__ = ('requests', 'PluginBase', 'register_plugin', 'PLUGIN_TYPE',
......@@ -43,7 +44,7 @@ __all__ = ('requests', 'PluginBase', 'register_plugin', 'PLUGIN_TYPE',
'OptFloat', 'OptString', 'OptItems', 'get_middle_text',
'generate_shellcode_list', 'random_str', 'encoder_bash_payload',
'encoder_powershell_payload', 'get_host_ipv6', 'bind_shell',
'bind_tcp_shell', 'bind_telnet_shell')
'bind_tcp_shell', 'bind_telnet_shell', 'Interactsh')
def get_listener_ip():
......
......@@ -9,6 +9,7 @@ logging.addLevelName(CUSTOM_LOGGING.ERROR, "-")
logging.addLevelName(CUSTOM_LOGGING.WARNING, "!")
LOGGER = logging.getLogger("pocsuite")
sys.stdout = open(sys.stdout.fileno(), mode='w', encoding='utf8', buffering=1)
LOGGER_HANDLER = logging.StreamHandler(sys.stdout)
PRIMARY_FMT = (
"%(cyan)s[%(asctime)s] %(log_color)s[%(levelname)s]%(reset)s %(message)s"
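Review bot: The added `sys.stdout = open(sys.stdout.fileno(), mode='w', encoding='utf8', buffering=1)` replaces the interpreter's stdout object as a side effect of importing this logging module, and the original object (still reachable via `sys.__stdout__`) stays open on the same descriptor, so two independently buffered writers now share one fd and ordering between them is not guaranteed. Anything that captured `sys.stdout` before this import (other handlers, test runners) keeps the old object, and the new one uses the default `errors='strict'`, so unencodable output still raises. On Python 3.7+ `sys.stdout.reconfigure(encoding='utf8', line_buffering=True)` achieves the same without a second file object; since the Test workflow in this commit still runs 3.6, a version-guarded call, or at least a comment stating why the reopen is needed (presumably console encoding on Windows — to be confirmed), would help the next reader.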
......
......@@ -4,13 +4,13 @@ import logging
import os
import re
import socket
import socks
import importlib
import prettytable
from termcolor import colored
from queue import Queue
from urllib.parse import urlsplit
import socks
import prettytable
from termcolor import colored
from pocsuite3.lib.core.clear import remove_extra_log_message
from pocsuite3.lib.core.common import boldify_message, check_file, get_file_items, parse_target, \
get_public_type_members, data_to_stdout
......@@ -213,7 +213,8 @@ def _set_multiple_targets():
if conf.dork:
# enable plugin 'target_from_zoomeye' by default
if 'target_from_shodan' not in conf.plugins and 'target_from_fofa' not in conf.plugins and 'target_from_quake' not in conf.plugins:
if ('target_from_shodan' not in conf.plugins and 'target_from_fofa' not in conf.plugins
and 'target_from_quake' not in conf.plugins):
conf.plugins.append('target_from_zoomeye')
if conf.dork_zoomeye:
......@@ -320,44 +321,58 @@ def _set_pocs_modules():
# load poc scripts .pyc file support
if conf.ssvid:
conf.plugins.append('poc_from_seebug')
if not (conf.poc or conf.vul_keyword) and conf.poc_keyword:
conf.poc = [paths.POCSUITE_POCS_PATH]
if conf.poc:
# step1. load system packed poc from pocsuite3/pocs folder
exists_poc_with_ext = list(
filter(lambda x: x not in ['__init__.py', '__init__.pyc'], os.listdir(paths.POCSUITE_POCS_PATH)))
exists_pocs = dict([os.path.splitext(x) for x in exists_poc_with_ext])
for poc in conf.poc:
load_poc_sucess = False
if any([poc in exists_poc_with_ext, poc in exists_pocs]):
poc_name, poc_ext = os.path.splitext(poc)
if poc_ext in ['.py', '.pyc']:
file_path = os.path.join(paths.POCSUITE_POCS_PATH, poc)
else:
file_path = os.path.join(paths.POCSUITE_POCS_PATH, poc + exists_pocs.get(poc))
if file_path:
info_msg = "loading PoC script '{0}'".format(file_path)
logger.info(info_msg)
load_poc_sucess = load_file_to_module(file_path)
# step2. load poc from given file path
# load poc from pocsuite3/pocs folder or other local path
try:
if not load_poc_sucess:
if not poc.startswith('ssvid-') and check_file(poc):
info_msg = "loading PoC script '{0}'".format(poc)
logger.info(info_msg)
load_poc_sucess = load_file_to_module(poc)
_pocs = []
load_poc_sucess = False
if os.path.isfile(poc):
_pocs.append(poc)
elif any([poc in exists_poc_with_ext, poc in exists_pocs]):
poc_name, poc_ext = os.path.splitext(poc)
if poc_ext in ['.py', '.pyc']:
file_path = os.path.join(paths.POCSUITE_POCS_PATH, poc)
else:
file_path = os.path.join(paths.POCSUITE_POCS_PATH, poc + exists_pocs.get(poc))
_pocs.append(file_path)
elif check_path(poc):
for root, _, files in os.walk(poc):
files = filter(lambda x: not x.startswith("__") and x.endswith(".py"), files)
_pocs.extend(map(lambda x: os.path.join(root, x), files))
for p in _pocs:
file_content = open(p, encoding='utf-8').read()
if 'register_poc' not in file_content:
continue
if conf.poc_keyword:
attr_field = re.search(r'vulID.*?def .*?\(', file_content, re.DOTALL)
if attr_field and conf.poc_keyword.lower() not in attr_field.group().lower():
continue
info_msg = "loading PoC script '{0}'".format(p)
logger.info(info_msg)
load_poc_sucess = load_file_to_module(p) or load_poc_sucess
except PocsuiteSystemException:
logger.error('PoC file "{0}" not found'.format(repr(poc)))
continue
# step3. load poc from seebug website using plugin 'poc_from_seebug'
if not load_poc_sucess:
if poc.startswith('ssvid-'):
info_msg = "loading Poc script 'https://www.seebug.org/vuldb/{0}'".format(poc)
logger.info(info_msg)
if "poc_from_seebug" not in conf.plugins:
conf.plugins.append('poc_from_seebug')
# load poc from seebug website using plugin 'poc_from_seebug'
if not load_poc_sucess and poc.startswith('ssvid-'):
info_msg = "loading Poc script 'https://www.seebug.org/vuldb/{0}'".format(poc)
logger.info(info_msg)
if "poc_from_seebug" not in conf.plugins:
conf.plugins.append('poc_from_seebug')
load_keyword_poc_sucess = False
if conf.vul_keyword:
# step4. load poc with vul_keyword search seebug website
info_msg = "loading PoC script from seebug website using search keyword '{0}' ".format(conf.vul_keyword)
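Review bot: `file_content = open(p, encoding='utf-8').read()` leaves the file object to the garbage collector and, because the surrounding `try` only catches `PocsuiteSystemException`, a file in a walked directory that is unreadable or not valid UTF-8 raises out of the loader instead of being skipped; use `with open(p, encoding='utf-8') as fh:` / `file_content = fh.read()` and consider giving `OSError`/`UnicodeDecodeError` for that one file the same `logger.error` treatment. With a directory argument the new `os.walk` branch hands every `.py` under the tree that mentions `register_poc` to `load_file_to_module`, with the `vulID...def` keyword pre-filter as the only narrowing step, so that behaviour is worth stating in the `-r` help text. `check_path` is not visible in the hunk's import context, so confirm it is imported alongside `check_file`. `_set_pocs_modules` starts before and continues after the hunk.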
......@@ -491,6 +506,7 @@ def _set_conf_attributes():
conf.url_file = None
conf.mode = 'verify'
conf.poc = None
conf.poc_keyword = None
conf.cookie = None
conf.host = None
conf.referer = None
......@@ -724,7 +740,9 @@ def init():
update()
_set_multiple_targets()
_set_user_pocs_path()
_set_pocs_modules() # The poc module module must be in front of the plug-in module, and some parameters in the poc option call the plug-in
# The poc module module must be in front of the plug-in module,
# and some parameters in the poc option call the plug-in
_set_pocs_modules()
_set_plugins()
_init_targets_plugins()
_init_pocs_plugins()
......
......@@ -7,6 +7,7 @@ optDict = {
'url': 'string',
'url_file': 'string',
'poc': 'string',
'poc_keyword': 'string',
'configFile': 'string'
},
'Mode': {
......
......@@ -8,7 +8,7 @@ from pocsuite3.lib.core.revision import get_revision_number