Commit 890be363 authored by Nong Hoang Tu

Update upstream source from tag 'upstream/1.8.5'

Update to upstream version '1.8.5'
with Debian dir dfeb6c71f2c47fbccfe09bb0130b6beec681b476
parents 8e0de124 164d4d5d
......@@ -64,4 +64,5 @@ dist/
*.egg-info
.eggs/
pocsuite.ini
pocsuite3/pocs/
\ No newline at end of file
pocsuite3/pocs/
pocsuite3/data/cacert.pem
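Review bot: the new ignore entry `pocsuite3/data/cacert.pem` has no accompanying explanation of where that file comes from; if it is a CA bundle generated or downloaded at build time, say so in a `.gitignore` comment or a CHANGELOG line and make sure the Debian build step actually produces it, otherwise a packaged install could end up without the bundle it expects for TLS verification.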
......@@ -226,4 +226,44 @@ Cross-platform shell code generation
# version 1.7.6
-----------------
* fixes #192
\ No newline at end of file
* fixes #192
# version 1.7.7
-----------------
* 添加--dork自动用poc中的dork字段扫描功能
* 适配Debian源格式需求
# version 1.7.8
-----------------
* add option to display extra parameters of poc
* add more poc attribute to result dict
* allow custom module path in console mode
* fix some compatibility problems
# version 1.8.0
-----------------
* fix the timeout problem in shell mode leads to confusing results
* made some improvements with network address related issues
# version 1.8.1
-----------------
* fix check_requires() can not handle dependent version correctly #208
* update docs
# version 1.8.2
-----------------
* fix finding a python module version gives error
# version 1.8.3
-----------------
* some improvements related to dependent
# version 1.8.4
-----------------
* update docs
* fix typo
# version 1.8.5
-----------------
* support bind shell in shell mode
* fix #221
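Review bot: the two 1.7.7 entries are the only Chinese lines in an otherwise English changelog; suggest English equivalents of what they say, "* add --dork scanning that automatically uses the dork field of the poc" and "* adapt to the Debian source format requirements". Also, the 1.8.5 line "* fix #221" gives no description, unlike "* fix check_requires() can not handle dependent version correctly #208" above; a short summary beside the issue number saves packagers a trip to the tracker.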
......@@ -7,8 +7,8 @@ Usage of pocsuite for attacking targets without prior mutual consent is illegal.
pocsuite is for security testing purposes only
## 法律免责声明
未经事先双方同意,使用pocsuite攻击目标是非法的。
pocsuite仅用于安全测试目的
未经事先双方同意,使用 pocsuite 攻击目标是非法的。
pocsuite 仅用于安全测试目的
## Overview
......@@ -18,8 +18,8 @@ It comes with a powerful proof-of-concept engine, many powerful features for the
## Features
* PoC scripts can running with `attack`,`verify`, `shell` mode in different way
* Plugin ecosystem
* Dynamic loading PoC script from any where (local file, redis , database, Seebug ...)
* Load multi-target from any where (CIDR, local file, redis , database, Zoomeye, Shodan ...)
* Dynamic loading PoC script from any where (local file, redis, database, Seebug ...)
* Load multi-target from any where (CIDR, local file, redis, database, Zoomeye, Shodan ...)
* Results can be easily exported
* Dynamic patch and hook requests
* Both command line tool and python package import to use
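Review bot: this hunk only fixes comma spacing, but the two changed lines still read "from any where" (should be "anywhere"), and the untouched first bullet "PoC scripts can running with `attack`,`verify`, `shell` mode in different way" is ungrammatical; since the list is being edited anyway, suggest "PoC scripts can run in `attack`, `verify` or `shell` mode".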
......@@ -53,7 +53,7 @@ It comes with a powerful proof-of-concept engine, many powerful features for the
## Requirements
- Python 3.4+
- Python 3.6+
- Works on Linux, Windows, Mac OSX, BSD
## Installation
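Review bot: raising the documented minimum from Python 3.4+ to 3.6+ should be mirrored in the package metadata (`python_requires` in setup.py and the Debian control dependencies) so that pip and apt enforce it rather than only the README; no such change is visible in the hunks shown here.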
......@@ -74,30 +74,39 @@ $ pip3 install -r requirements.txt
```
The latest version of this software is available from: http://pocsuite.org
The latest version of this software is available at: http://pocsuite.org
## Documentation
Documentation is available in the [```docs```](./docs) directory.
## 常用命令
## Usage
```
命令行模式下
pocsuite -u http://example.com -r example.py -v 2 # 基础用法 v2开启详细信息
cli mode
# basic usage, use -v to set the log level
pocsuite -u http://example.com -r example.py -v 2
pocsuite -u http://example.com -r example.py -v 2 --shell # shell反连模式,基础用法 v2开启详细信息
# run poc with shell mode
pocsuite -u http://example.com -r example.py -v 2 --shell
pocsuite -r redis.py --dork service:redis --threads 20 # 从zoomeye搜索redis目标批量检测,线程设置为20
# search for the target of redis service from ZoomEye and perform batch detection of vulnerabilities. The thread is set to 20
pocsuite -r redis.py --dork service:redis --threads 20
pocsuite -u http://example.com --plugins poc_from_pocs,html_report # 加载poc目录下所有poc,并将结果保存为html
# load all poc in the poc directory and save the result as html
pocsuite -u http://example.com --plugins poc_from_pocs,html_report
pocsuite -f batch.txt --plugins poc_from_pocs,html_report # 从文件中加载目标,并使用poc目录下poc批量扫描
# load the target from the file, and use the poc under the poc directory to scan
pocsuite -f batch.txt --plugins poc_from_pocs,html_report
pocsuite -u 10.0.0.0/24 -r example.py --plugins target_from_cidr # 加载CIDR目标
# load CIDR target
pocsuite -u 10.0.0.0/24 -r example.py --plugins target_from_cidr
pocsuite -u http://example.com -r ecshop_rce.py --attack --command "whoami" # ecshop poc中实现了自定义命令`command`,可以从外部参数传递。
# the custom parameters `command` is implemented in ecshop poc, which can be set from command line options
pocsuite -u http://example.com -r ecshop_rce.py --attack --command "whoami"
console模式
console mode
poc-console
```
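Review bot: the new usage block puts the prose headings "cli mode" and "console mode" inside the fenced block as bare lines, so a copy-paste of the block fails on them; prefix them with `#` like the other comments. Also "the custom parameters `command` is implemented in ecshop poc" should read "the custom parameter `command`".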
# Usage
- **pocsuite**: a cool and hackable commane line program
- **pocsuite**: a cool and hackable command line program
## pocsuite
Enter into `pocsuite` directory, execute `python cli.py`. It supports double mode:
It supports three modes:
- ```verify```
- ```attack```
- ```shell```
You can also use ```python cli.py -h``` for more details.
You can also use ```pocsuite -h``` for more details.
```
usage: pocsuite [options]
......@@ -67,16 +67,17 @@ Account:
fofa user
--fofa-token FOFA_TOKEN
fofa token
--quake-token QUAKE_TOKEN
quake token
--censys-uid CENSYS_UID
Censys uid
--censys-secret CENSYS_SECRET
Censys secret
Modules:
Modules(Seebug、Zoomeye、CEye、Fofa Listener) options
Modules(Seebug、Zoomeye、CEye、Fofa、Quake Listener) options
--dork DORK Zoomeye dork used for search.
--dork-b64 Whether dork is in base64 format
--dork-zoomeye DORK_ZOOMEYE
Zoomeye dork used for search.
--dork-shodan DORK_SHODAN
......@@ -85,6 +86,8 @@ Modules:
Censys dork used for search.
--dork-fofa DORK_FOFA
Fofa dork used for search.
--dork-quake DORK_QUAKE
Quake dork used for search.
--max-page MAX_PAGE Max page used in ZoomEye API(10 targets/Page).
--search-type SEARCH_TYPE
search type used in ZoomEye API, web or host
......@@ -96,7 +99,7 @@ Modules:
--lport CONNECT_BACK_PORT
Connect back port for target PoC in shell mode
--comparison Compare popular web search engines
--pcap capture package in verify mode
--dork-b64 Whether dork is in base64 format
Optimization:
Optimization options
......@@ -108,14 +111,19 @@ Optimization:
--batch BATCH Automatically choose defaut choice without asking.
--requires Check install_requires
--quiet Activate quiet mode, working without logger.
--rule Export rules, default export reqeust and response.
--rule-req Only export request rule.
--rule-filename Specify the name of the export rule file.
--ppt Hiden sensitive information when published to the
network
--pcap use scapy capture flow
--rule export rules, default export reqeust and response
--rule-req only export request rule
--rule-filename RULE_FILENAME
Specify the name of the export rule file
Poc options:
definition options for PoC
--options Show all definition options
```
**-f, --file URLFILE**
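Review bot: "reqeust" in the `--rule` description is misspelled in both the removed line and the added line; this block looks like pasted argparse output, so fix the help string in the source and regenerate, and while there fix "defaut" in the `--batch` line and "Hiden" in the `--ppt` line. The `--pcap` text changes from "capture package in verify mode" to "use scapy capture flow"; if scapy is now required for that option, the Requirements section should mention it.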
......@@ -123,10 +131,10 @@ Poc options:
Scan multiple targets given in a textual file
```
$ python cli.py -r tests/poc_example.py -f url.txt --verify
$ pocsuite -r pocs/poc_example.py -f url.txt --verify
```
> Attack batch processing mode only need to replace the ```--verify``` as ``` --attack```.
> Attack batch processing mode only need to replace the ```--verify``` to ``` --attack```.
**-r POCFILE**
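Review bot: the changed blockquote still reads awkwardly ("Attack batch processing mode only need to replace the ```--verify``` to ``` --attack```"); suggest "For batch attack mode, replace ```--verify``` with ```--attack```."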
......@@ -134,7 +142,7 @@ POCFILE can be a file or Seebug SSVID. pocsuite plugin can load poc codes from a
```
$ python cli.py -r ssvid-97343 -u http://www.example.com --shell
$ pocsuite -r ssvid-97343 -u http://www.example.com --shell
```
**--verify**
......@@ -142,7 +150,7 @@ $ python cli.py -r ssvid-97343 -u http://www.example.com --shell
Run poc with verify mode. PoC(s) will be only used for a vulnerability scanning.
```
$ python cli.py -r pocs/poc_example.py -u http://www.example.com/ --verify
$ pocsuite -r pocs/poc_example.py -u http://www.example.com/ --verify
```
**--attack**
......@@ -150,7 +158,7 @@ $ python cli.py -r pocs/poc_example.py -u http://www.example.com/ --verify
Run poc with attack mode, PoC(s) will be exploitable, and it may allow hackers/researchers break into labs.
```
$ python cli.py -r pocs/poc_example.py -u http://www.example.com/ --attack
$ pocsuite -r pocs/poc_example.py -u http://www.example.com/ --attack
```
**--shell**
......@@ -158,7 +166,7 @@ $ python cli.py -r pocs/poc_example.py -u http://www.example.com/ --attack
Run poc with shell mode, PoC will be exploitable, when PoC shellcode successfully executed, pocsuite3 will drop into interactive shell.
```
$ python cli.py -r pocs/poc_example.py -u http://www.example.com/ --shell
$ pocsuite -r pocs/poc_example.py -u http://www.example.com/ --shell
```
**--threads THREADS**
......@@ -166,7 +174,7 @@ $ python cli.py -r pocs/poc_example.py -u http://www.example.com/ --shell
Using multiple threads, the default number of threads is 1
```
$ python cli.py -r tests/ -f url.txt --verify --threads 10
$ pocsuite -r pocs/poc_example.py -f url.txt --verify --threads 10
```
**--dork DORK**
......@@ -177,7 +185,7 @@ Search redis server with ```port:6379``` and ```redis``` keyword.
```
$ python cli.py --dork 'port:6379' --vul-keyword 'redis' --max-page 2
$ pocsuite --dork 'port:6379' --vul-keyword 'redis' --max-page 2
```
**--dork-shodan DORK**
......@@ -187,7 +195,7 @@ $ python cli.py --dork 'port:6379' --vul-keyword 'redis' --max-page 2
Search libssh server with `libssh` keyword.
```
python3 cli.py -r pocs/libssh_auth_bypass.py --dork-shodan libssh --thread 10
pocsuite -r pocs/libssh_auth_bypass.py --dork-shodan libssh --thread 10
```
**--dork-fofa DORK**
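Review bot: the example uses `--thread 10`, but the option documented in the help block is `--threads THREADS`; the same applies to the `--dork-fofa` and `--dork-quake` examples below. argparse may accept the shorter spelling as an unambiguous prefix, but the docs should use the real option name, and this hunk only swapped `python3 cli.py` for `pocsuite` without correcting it.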
......@@ -198,7 +206,7 @@ $ python cli.py --dork 'port:6379' --vul-keyword 'redis' --max-page 2
```
$ python3 cli.py -r pocs/check_http_status.py --dork-fofa 'body="thinkphp"' --search-type web --thread 10
$ pocsuite -r pocs/check_http_status.py --dork-fofa 'body="thinkphp"' --search-type web --thread 10
```
**--dork-quake DORK**
......@@ -209,7 +217,7 @@ $ python cli.py --dork 'port:6379' --vul-keyword 'redis' --max-page 2
```
$ python3 cli.py -r pocs/check_http_status.py --dork-quake 'app:"ThinkPHP"' --thread 10
$ pocsuite -r pocs/check_http_status.py --dork-quake 'app:"ThinkPHP"' --thread 10
```
**--dork-b64**
......@@ -218,7 +226,7 @@ $ python cli.py --dork 'port:6379' --vul-keyword 'redis' --max-page 2
```
$ python cli.py --dork cG9ydDo2Mzc5 --vul-keyword 'redis' --max-page 2 --dork-b64
$ pocsuite --dork cG9ydDo2Mzc5 --vul-keyword 'redis' --max-page 2 --dork-b64
```
**--rule**
......@@ -227,29 +235,44 @@ $ python cli.py --dork cG9ydDo2Mzc5 --vul-keyword 'redis' --max-page 2 --dork-b6
Use the --pocs-path parameter to set the directory where the poc needs to be ruled
```
$ python cli.py --rule
$ pocsuite --rule
```
**--rule-req**
In some cases, we may only need the request rule, --rule-req only export request rule.
```
$ python cli.py --rule-req
$ pocsuite --rule-req
```
If you have good ideas, please show them on your way.
## 常用命令
- pocsuite -u http://example.com -r example.py -v 2 # 基础用法 v2开启详细信息
## Example
- pocsuite -u http://example.com -r example.py -v 2 --shell # shell反连模式,基础用法 v2开启详细信息
```
cli mode
- pocsuite -r redis.py --dork service:redis --threads 20 # 从zoomeye搜索redis目标批量检测,线程设置为20
# basic usage, use -v to set the log level
pocsuite -u http://example.com -r example.py -v 2
- pocsuite -u http://example.com --plugins poc_from_pocs,html_report # 加载poc目录下所有poc,并将结果保存为html
# run poc with shell mode
pocsuite -u http://example.com -r example.py -v 2 --shell
- pocsuite -f batch.txt --plugins poc_from_pocs,html_report # 从文件中加载目标,并使用poc目录下poc批量扫描
# search for the target of redis service from ZoomEye and perform batch detection of vulnerabilities. The thread is set to 20
pocsuite -r redis.py --dork service:redis --threads 20
- pocsuite -u 10.0.0.0/24 -r example.py --plugins target_from_cidr # 加载CIDR目标
# load all poc in the poc directory and save the result as html
pocsuite -u http://example.com --plugins poc_from_pocs,html_report
- pocsuite -u http://example.com -r ecshop_rce.py --attack --command "whoami" # ecshop poc中实现了自定义命令`command`,可以从外部参数传递。
# load the target from the file, and use the poc under the poc directory to scan
pocsuite -f batch.txt --plugins poc_from_pocs,html_report
# load CIDR target
pocsuite -u 10.0.0.0/24 -r example.py --plugins target_from_cidr
# the custom parameters `command` is implemented in ecshop poc, which can be set from command line options
pocsuite -u http://example.com -r ecshop_rce.py --attack --command "whoami"
console mode
poc-console
```
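Review bot: the new "## Example" block is a verbatim copy of the Usage block added to README in this same commit; keeping two copies invites drift, so consider linking from one to the other. The same copy-paste issue applies here: "cli mode" and "console mode" are bare lines inside the fence and should be `#` comments. Separately, the `--rule` text "the directory where the poc needs to be ruled" is unclear; suggest "the directory containing the PoCs to export rules for".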
.TH POC-CONSOLE "1" "June 2021" "Manual page for poc-console"
.\"
.\" 22st June 2021
.\" Man page author:
.\" Tian Qiao <abcnsxyz@gmail.com>
.\"
.SH NAME
.I poc-console
\- console mode of
.B pocsuite.
.SH Legal Disclaimer
poc-console is part of pocsuite. Usage of pocsuite for attacking targets without prior mutual consent is illegal.
pocsuite is for security testing purposes only.
.SH SYNOPSIS
.B poc-console
.SH DESCRIPTION
.I poc-console is the console mode of pocsuite.
.I pocsuite
is an open-sourced remote vulnerability testing and proof-of-concept
development framework developed by the Knownsec 404 Team. It comes with a
powerful proof-of-concept engine, many nice features for the ultimate
penetration testers and security researchers.
.SH OPTIONS
poc-console do not have command line options. To see a list of available commands,
enter help at the console prompt.
.SH "SEE ALSO"
The full documentation for
.B pocsuite
is maintained at:
.br
.I https://github.com/knownsec/pocsuite3/blob/master/docs/USAGE.md
.PP
.SH VERSION
This manual page documents pocsuite version 1.8.5
.SH AUTHOR
.br
(c) 2014-2021 by Knownsec 404 Team
.br
<404-team@knownsec.com>
.LP
This program is free software; you may redistribute and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation; Version 2 (or later) with the clarifications and
exceptions described below. This guarantees your right to use, modify, and
redistribute this software under certain conditions. If you wish to embed
pocsuite technology into proprietary software, we sell alternative licenses
(contact 404-team@knownsec.com).
.PP
Manual page started by Tian Qiao
<abcnsxyz@gmail.com>
.PP
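Review bot: the `.SH OPTIONS` sentence "poc-console do not have command line options" should read "does not have", and the header comment date "22st June 2021" should be "22nd". The license paragraph refers to "the clarifications and exceptions described below", but nothing follows it in this page; either add them or drop the phrase. Minor style: man page section names are conventionally uppercase (`.SH "LEGAL DISCLAIMER"`), and `.I poc-console is the console mode of pocsuite.` italicises the whole sentence rather than just the name.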
.TH POCSUITE "1" "June 2021" "Manual page for pocsuite"
.\"
.\" 22st June 2021
.\" Man page author:
.\" Tian Qiao <abcnsxyz@gmail.com>
.\"
.SH NAME
.I pocsuite
\- open-sourced remote vulnerability testing framework.
.SH Legal Disclaimer
Usage of pocsuite for attacking targets without prior mutual consent is illegal.
pocsuite is for security testing purposes only.
.SH SYNOPSIS
.B pocsuite
\-h[elp]
.br
.B pocsuite
[options]
.br
.SH DESCRIPTION
.I pocsuite
is an open-sourced remote vulnerability testing and proof-of-concept
development framework developed by the Knownsec 404 Team. It comes with a
powerful proof-of-concept engine, many nice features for the ultimate
penetration testers and security researchers.
.SH OPTIONS
.SS "optional arguments:"
.TP
\fB\-h\fR, \fB\-\-help\fR
show this help message and exit
.TP
\fB\-\-version\fR
Show program's version number and exit
.TP
\fB\-\-update\fR
Update Pocsuite
.TP
\fB\-v\fR {0,1,2,3,4,5,6}
Verbosity level: 0\-6 (default 1)
.SS "Target:"
.IP
At least one of these options has to be provided to define the target(s)
.TP
\fB\-u\fR URL [URL ...], \fB\-\-url\fR URL [URL ...]
Target URL (e.g. "http://www.site.com/vuln.php?id=1")
.TP
\fB\-f\fR URL_FILE, \fB\-\-file\fR URL_FILE
Scan multiple targets given in a textual file
.TP
\fB\-r\fR POC [POC ...]
Load POC file from local or remote from seebug website
.TP
\fB\-c\fR CONFIGFILE
Load options from a configuration INI file
.SS "Mode:"
.IP
Pocsuite running mode options
.TP
\fB\-\-verify\fR
Run poc with verify mode
.TP
\fB\-\-attack\fR
Run poc with attack mode
.TP
\fB\-\-shell\fR
Run poc with shell mode
.SS "Request:"
.IP
Network request options
.TP
\fB\-\-cookie\fR COOKIE
HTTP Cookie header value
.TP
\fB\-\-host\fR HOST
HTTP Host header value
.TP
\fB\-\-referer\fR REFERER
HTTP Referer header value
.TP
\fB\-\-user\-agent\fR AGENT
HTTP User\-Agent header value
.TP
\fB\-\-random\-agent\fR
Use randomly selected HTTP User\-Agent header value
.TP
\fB\-\-proxy\fR PROXY
Use a proxy to connect to the target URL
.TP
\fB\-\-proxy\-cred\fR PROXY_CRED
Proxy authentication credentials (name:password)
.TP
\fB\-\-timeout\fR TIMEOUT
Seconds to wait before timeout connection (default 30)
.TP
\fB\-\-retry\fR RETRY
Time out retrials times.
.TP
\fB\-\-delay\fR DELAY
Delay between two request of one thread
.TP
\fB\-\-headers\fR HEADERS
Extra headers (e.g. "key1: value1\enkey2: value2")
.SS "Account:"
.IP
Telnet404, Shodan, CEye, Fofa account options
.TP
\fB\-\-login\-user\fR LOGIN_USER
Telnet404 login user
.TP
\fB\-\-login\-pass\fR LOGIN_PASS
Telnet404 login password
.TP
\fB\-\-shodan\-token\fR SHODAN_TOKEN
Shodan token
.TP
\fB\-\-fofa\-user\fR FOFA_USER
fofa user
.TP
\fB\-\-fofa\-token\fR FOFA_TOKEN
fofa token
.TP
\fB\-\-censys\-uid\fR CENSYS_UID
Censys uid
.TP
\fB\-\-censys\-secret\fR CENSYS_SECRET
Censys secret
.SS "Modules:"
.IP
Modules (Seebug, Zoomeye, CEye, Fofa, Listener) options
.TP
\fB\-\-dork\fR DORK
Zoomeye dork used for search.
.TP
\fB\-\-dork\-zoomeye\fR DORK_ZOOMEYE
Zoomeye dork used for search.
.TP
\fB\-\-dork\-shodan\fR DORK_SHODAN
Shodan dork used for search.
.TP
\fB\-\-dork\-censys\fR DORK_CENSYS
Censys dork used for search.
.TP
\fB\-\-dork\-fofa\fR DORK_FOFA
Fofa dork used for search.
.TP
\fB\-\-max\-page\fR MAX_PAGE
Max page used in ZoomEye API(10 targets/Page).
.TP
\fB\-\-search\-type\fR SEARCH_TYPE
search type used in ZoomEye API, web or host
.TP
\fB\-\-vul\-keyword\fR VUL_KEYWORD
Seebug keyword used for search.
.TP
\fB\-\-ssv\-id\fR SSVID
Seebug SSVID number for target PoC.
.TP
\fB\-\-lhost\fR CONNECT_BACK_HOST
Connect back host for target PoC in shell mode
.TP
\fB\-\-lport\fR CONNECT_BACK_PORT
Connect back port for target PoC in shell mode
.TP
\fB\-\-comparison\fR
Compare popular web search engines
.TP
\fB\-\-dork\-b64\fR
Whether dork is in base64 format
.SS "Optimization:"
.IP
Optimization options
.TP
\fB\-\-plugins\fR PLUGINS
Load plugins to execute
.TP
\fB\-\-pocs\-path\fR POCS_PATH
User defined poc scripts path
.TP
\fB\-\-threads\fR THREADS
Max number of concurrent network requests (default 1)
.TP
\fB\-\-batch\fR BATCH
Automatically choose defalut choice without asking.
.TP
\fB\-\-requires\fR
Check install_requires
.TP
\fB\-\-quiet\fR
Activate quiet mode, working without logger.
.TP
\fB\-\-ppt\fR
Hiden sensitive information when published to the
network
.TP
\fB\-\-pcap\fR
use scapy capture flow
.TP
\fB\-\-rule\fR
export rules, default export request and response
.TP
\fB\-\-rule\-req\fR
only export request rule
.TP
\fB\-\-rule\-filename\fR RULE_FILENAME
Specify the name of the export rule file
.SS "Poc options:"
.IP
definition options for PoC
.TP
\fB\-\-options\fR
Show all definition options
.SH EXAMPLES
.PP
.br
Run poc with verify mode, poc will be only used for vulnerability scanning.
.PP
.br
\fI% pocsuite -r poc_example.py -u http://example.com/ --verify\fR
.PP
.br
Run poc with attack mode, and it may allow hackers/researchers break into labs.
.PP
.br
\fI% pocsuite -r poc_example.py -u http://example.com/ --attack\fR
.PP
.br
Run poc with shell mode, if executed successfully, pocsuite will drop into interactive shell.
.PP
.br
\fI% pocsuite -r poc_example.py -u http://example.com/ --shell\fR
.PP
.br
Using multiple threads, the default number of threads is 1.
.PP
.br
\fI% pocsuite -r poc_example.py -u http://example.com/ --verify --threads 20\fR
.PP
.br
Scan multiple targets given in a textual file.
.PP
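Review bot: the option list in this man page is out of step with the USAGE.md hunks in the same commit: `--quake-token` and `--dork-quake` are added to the docs there but are missing from the "Account:" and "Modules:" sections here, and the "Modules:" description omits Quake. Typos carried over from the help text: "defalut" under `--batch`, "Hiden" under `--ppt`, "Time out retrials times." under `--retry` (suggest "Number of retries after a timeout"), plus "22st June 2021" in the header comment. As in the poc-console page, "clarifications and exceptions described below" has nothing below it.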