
Question: communication between PoCs #328

Open
langlixing opened this issue Sep 20, 2022 · 1 comment

Comments

@langlixing

Does the pocsuite3 framework have a mechanism for PoC scripts to communicate with each other? Is there any documentation to refer to?
Goal:
a. A base script 1 detects the web application/framework/version;
b. A vulnerability (non-base) script 2 can obtain the detection result of base script 1 from (a) and decide on that basis whether script 2 should run at all.

@13ph03nix
Contributor

Not supported at the moment. Component fingerprinting has to be implemented by hand inside the PoC script, for example with the built-in `_check` method to test for a dork keyword.

```python
# POCBase._check from pocsuite3.lib.core.poc (indentation restored from the pasted text)
def _check(self, dork='', allow_redirects=False, return_obj=False, is_http=True, honeypot_check=True):
    u = urlparse(self.url)
    # the port closed
    if u.port and not check_port(u.hostname, u.port):
        logger.debug(f'{mosaic(self.url)}, the port is closed.')
        return False

    if is_http is False or self.current_protocol != POC_CATEGORY.PROTOCOL.HTTP:
        return True

    res = None
    corrected = False
    # this only covers most cases
    redirect_https_keyword = [
        # https://www.zoomeye.org/searchResult?q=%22request%20was%20sent%20to%20HTTPS%20port%22
        'request was sent to https port',
        # https://www.zoomeye.org/searchResult?q=%22running%20in%20SSL%20mode.%20Try%22
        'running in ssl mode. try'
    ]
    origin_url = self.url
    netloc = self.url.split('://', 1)[-1]
    urls = OrderedSet()
    urls.add(self.url)
    urls.add(f'http://{netloc}')
    urls.add(f'https://{netloc}')
    for url in urls:
        try:
            time.sleep(0.5)
            res = requests.get(url, allow_redirects=allow_redirects)
            # access ok, the url need to be correct
            for k in redirect_https_keyword:
                if k.lower() in res.text.lower():
                    self.url = f'https://{netloc}'
                    res = requests.get(self.url, allow_redirects=allow_redirects)
                    logger.warn(f'auto correct url: {mosaic(origin_url)} -> {mosaic(self.url)}')
                    corrected = True
                    break
            # another protocol is access ok
            if not corrected and url != self.url:
                self.url = url
                logger.warn(f'auto correct url: {mosaic(origin_url)} -> {mosaic(self.url)}')
            break
        except requests.RequestException:
            pass

    if self.url.split('://')[0] != self.scheme:
        self.scheme = 'https' if self.url.startswith('https') else 'http'
        port = urlparse(self.url).port
        self.rport = port if port else 443 if self.scheme.startswith('https') else 80
        self.netloc = f'{self.rhost}:{self.rport}'

    if return_obj:
        return res

    if res is None:
        return False

    content = str(res.headers).lower() + res.text.lower()
    dork = dork.lower()
    if dork not in content:
        return False

    if not honeypot_check:
        return True

    is_honeypot = False
    # detect honeypot
    # https://www.zoomeye.org/searchResult?q=%22GoAhead-Webs%22%20%2B%22Apache-Coyote%22
    keyword = [
        'goahead-webs',
        'apache-coyote',
        'upnp/',
        'openresty',
        'tomcat'
    ]
    sin = 0
    for k in keyword:
        if k in content:
            sin += 1
    if sin >= 3:
        logger.debug(f'honeypot: sin({sin}) >= 3')
        is_honeypot = True
    # maybe some false positives
    elif len(re.findall('<title>(.*)</title>', content)) > 5:
        logger.debug('honeypot: too many title')
        is_honeypot = True
    elif len(re.findall('basic realm=', content)) > 5:
        logger.debug('honeypot: too many www-auth')
        is_honeypot = True
    elif len(re.findall('server: ', content)) > 5:
        logger.debug('honeypot: too many server')
        is_honeypot = True

    if is_honeypot:
        logger.warn(f'{mosaic(self.url)} is a honeypot.')
    return not is_honeypot
```

PoC writing reference: https://pocsuite.org/guide/poc-demo-cve-2019-15107.html#poc-开发

Once YAML support lands, we will consider implementing fingerprint recognition on top of YAML.
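The gate the contributor describes, as an added example that is not part of this thread or of pocsuite3's own code: the dork and honeypot decision of `_check` pulled out into a standalone function that can be run offline against an already-fetched response. `Response`, `fingerprint`, `honeypot_reason` and the three sample responses are assumptions made for this example (the sample headers and bodies are constructed, not captured from any host); the banner list and thresholds are the ones from `_check` above. Where `_check` only returns a boolean, this version also returns the reason, which is what you want in the log when a PoC silently skips a target.

```python
import re


# Constructed stand-in for requests.Response: only the two fields _check reads.
class Response:
    def __init__(self, headers, text):
        self.headers = headers
        self.text = text


# Same banner list as the framework's _check honeypot heuristic.
HONEYPOT_BANNERS = ['goahead-webs', 'apache-coyote', 'upnp/', 'openresty', 'tomcat']


def honeypot_reason(content):
    """Return why `content` (lower-cased headers + body) looks like a honeypot, or None.

    Thresholds mirror _check: three or more conflicting server banners, or more
    than five titles / auth realms / Server headers in a single response.
    """
    hits = sum(1 for k in HONEYPOT_BANNERS if k in content)
    if hits >= 3:
        return f'{hits} conflicting server banners'
    if len(re.findall('<title>(.*)</title>', content)) > 5:
        return 'too many <title> elements'
    if len(re.findall('basic realm=', content)) > 5:
        return 'too many WWW-Authenticate realms'
    if len(re.findall('server: ', content)) > 5:
        return 'too many Server headers'
    return None


def fingerprint(res, dork, honeypot_check=True):
    """Mirror of _check's dork/honeypot decision for an already-fetched response.

    Returns (matched, reason): matched is True only when the dork is present in
    headers+body and, if honeypot_check is set, nothing looks like a honeypot.
    """
    content = str(res.headers).lower() + res.text.lower()
    if dork.lower() not in content:
        return False, f'dork {dork!r} not found'
    if honeypot_check:
        reason = honeypot_reason(content)
        if reason:
            return False, f'honeypot: {reason}'
    return True, 'fingerprint matched'


# Constructed sample responses (assumptions for this example, not real captures).
WEBMIN_LIKE = Response({'Server': 'MiniServ/1.890'},
                       '<html><head><title>Login to Webmin</title></head></html>')
# A banner-dump honeypot: the dork is present, but so are four unrelated server banners.
BANNER_DUMP = Response({'Server': 'GoAhead-Webs'},
                       'Apache-Coyote/1.1 Tomcat upnp/1.0 MiniServ/1.890')
# A response that repeats <title> six times on separate lines.
TITLE_SPAM = Response({'Server': 'MiniServ/1.890'},
                      '\n'.join(f'<title>page {i}</title>' for i in range(6)))


def demo(dork='MiniServ'):
    """Decide for each sample whether a PoC that needs `dork` should run."""
    results = {}
    for name, res in [('webmin_like', WEBMIN_LIKE), ('banner_dump', BANNER_DUMP), ('title_spam', TITLE_SPAM)]:
        matched, reason = fingerprint(res, dork)
        results[name] = matched
        print(f'{name:12} run PoC? {matched}  ({reason})')
    return results


if __name__ == '__main__':
    demo()
```

Inside a real pocsuite3 PoC the same decision is one line at the top of `_verify`/`_attack`, `if not self._check(dork='MiniServ'): ...`, with the framework doing the fetch; note that `_check` also rewrites `self.url`/`self.scheme`/`self.rport` when it auto-corrects http/https, so call it before building any request URLs from those attributes.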
