Merge pull request #292 from 13ph03nix/master

Some improvements & Bug fixes

Author: 13ph03nix

CHANGELOG.md

@@ -332,3 +332,14 @@ Cross-platform shell code generation
 * support http/https protocol autocorrect { _check() method in POCBase }
 * refactor --update
 * support version check { minimum_version_required() method }
+
+# version 1.9.5
+----------------
+* refactor --ppt, optimize mosaic for url
+* optimize poc template
+* optimize pocsuite command default prompt message
+* adjust the default timeout to 10 seconds
+* adjust the default number of threads to 150
+* target url support cidr, user can use -p provide additional ports
+* support local mode, local mode do not need any targets, e.g. LPE
+* bug fixes

Dockerfile

@@ -31,7 +31,7 @@ RUN sh -c "$(wget -O- https://raw.githubusercontent.com/13ph03nix/zsh-in-docker/
     && sudo apt-get clean -y \
     && sudo rm -rf /var/lib/apt/lists/*
 
-RUN sudo pip3 install --upgrade pip && sudo pip3 install --upgrade pocsuite3==1.9.4
+RUN sudo pip3 install --upgrade pip && sudo pip3 install --upgrade pocsuite3==1.9.5
 
 WORKDIR /home/pocsuite3
 CMD ["zsh"]

docs/USAGE.md

@@ -26,9 +26,11 @@ Target:
   At least one of these options has to be provided to define the target(s)
 
   -u URL [URL ...], --url URL [URL ...]
-                        Target URL (e.g. "http://www.site.com/vuln.php?id=1")
+                        Target URL/CIDR (e.g. "http://www.site.com/vuln.php?id=1")
   -f URL_FILE, --file URL_FILE
-                        Scan multiple targets given in a textual file
+                        Scan multiple targets given in a textual file (one per line)
+  -p PORTS, --ports PORTS
+                        add additional port to each target (e.g. 8080,8443)
   -r POC [POC ...]      Load PoC file from local or remote from seebug website
   -k POC_KEYWORD        Filter PoC by keyword, e.g. ecshop
   -c CONFIGFILE         Load options from a configuration INI file
@@ -50,8 +52,8 @@ Request:
   --proxy PROXY         Use a proxy to connect to the target URL
   --proxy-cred PROXY_CRED
                         Proxy authentication credentials (name:password)
-  --timeout TIMEOUT     Seconds to wait before timeout connection (default 30)
-  --retry RETRY         Time out retrials times
+  --timeout TIMEOUT     Seconds to wait before timeout connection (default 10)
+  --retry RETRY         Time out retrials times (default 0)
   --delay DELAY         Delay between two request of one thread
   --headers HEADERS     Extra headers (e.g. "key1: value1\nkey2: value2")
 
@@ -119,7 +121,7 @@ Optimization:
   --plugins PLUGINS     Load plugins to execute
   --pocs-path POCS_PATH
                         User defined poc scripts path
-  --threads THREADS     Max number of concurrent network requests (default 1)
+  --threads THREADS     Max number of concurrent network requests (default 150)
   --batch BATCH         Automatically choose defaut choice without asking
   --requires            Check install_requires
   --quiet               Activate quiet mode, working without logger
@@ -182,7 +184,7 @@ $ pocsuite -r pocs/poc_example.py -u http://www.example.com/ --shell
 
 **--threads THREADS**
 
-Using multiple threads, the default number of threads is 1
+Using multiple threads, the default number of threads is 150
 
 ```
 $ pocsuite -r pocs/poc_example.py -f url.txt --verify --threads 10

manpages/poc-console.1

@@ -31,7 +31,7 @@ is maintained at:
 .I https://github.com/knownsec/pocsuite3/blob/master/docs/USAGE.md
 .PP
 .SH VERSION
-This manual page documents pocsuite3 version 1.9.4
+This manual page documents pocsuite3 version 1.9.5
 .SH AUTHOR
 .br
 (c) 2014-2022 by Knownsec 404 Team

manpages/pocsuite.1

@@ -45,10 +45,13 @@ Verbosity level: 0\-6 (default 1)
 At least one of these options has to be provided to define the target(s)
 .TP
 \fB\-u\fR URL [URL ...], \fB\-\-url\fR URL [URL ...]
-Target URL (e.g. "http://www.site.com/vuln.php?id=1")
+Target URL/CIDR (e.g. "http://www.site.com/vuln.php?id=1")
 .TP
 \fB\-f\fR URL_FILE, \fB\-\-file\fR URL_FILE
-Scan multiple targets given in a textual file
+Scan multiple targets given in a textual file (one per line)
+.TP
+\fB\-p\fR PORTS, \fB\-\-ports\fR PORTS
+add additional port to each target (e.g. 8080,8443)
 .TP
 \fB\-r\fR POC [POC ...]
 Load POC file from local or remote from seebug website
@@ -93,10 +96,10 @@ Use a proxy to connect to the target URL
 Proxy authentication credentials (name:password)
 .TP
 \fB\-\-timeout\fR TIMEOUT
-Seconds to wait before timeout connection (default 30)
+Seconds to wait before timeout connection (default 10)
 .TP
 \fB\-\-retry\fR RETRY
-Time out retrials times
+Time out retrials times (default 0)
 .TP
 \fB\-\-delay\fR DELAY
 Delay between two request of one thread
@@ -204,7 +207,7 @@ Load plugins to execute
 User defined poc scripts path
 .TP
 \fB\-\-threads\fR THREADS
-Max number of concurrent network requests (default 1)
+Max number of concurrent network requests (default 150)
 .TP
 \fB\-\-batch\fR BATCH
 Automatically choose defalut choice without asking
@@ -257,7 +260,7 @@ Run poc with shell mode, if executed successfully, pocsuite will drop into inter
 \fI% pocsuite -r poc_example.py -u http://example.com/ --shell\fR
 .PP
 .br
-Using multiple threads, the default number of threads is 1.
+Using multiple threads, the default number of threads is 150.
 .PP
 .br
 \fI% pocsuite -r poc_example.py -u http://example.com/ --verify --threads 20\fR
@@ -277,7 +280,7 @@ is maintained at:
 .I https://github.com/knownsec/pocsuite3/blob/master/docs/USAGE.md
 .PP
 .SH VERSION
-This manual page documents pocsuite3 version 1.9.4
+This manual page documents pocsuite3 version 1.9.5
 .SH AUTHOR
 .br
 (c) 2014-2022 by Knownsec 404 Team

pocsuite.ini

@@ -1,8 +1,10 @@
 [Target]
-; target url (e.g. "http://www.site.com/vuln.php?id=1")
+; target url/cidr (e.g. "http://www.site.com/vuln.php?id=1")
 url = https://www.google.com
-; scan multiple targets given in a textual file
+; scan multiple targets given in a textual file (one per line)
 url_file = 
+; add additional port to each target (e.g. 8080,8443)
+ports =
 ; load poc file from local or remote from seebug website
 poc =
 ; filter poc by keyword, e.g. cve-2021-22005
@@ -27,9 +29,9 @@ agent =
 proxy = 
 ; proxy authentication credentials (name:password)
 proxy_cred = 
-; seconds to wait before timeout connection (default 30)
+; seconds to wait before timeout connection (default 10)
 timeout = 
-; time out retrials times
+; time out retrials times (default 0)
 retry =
 ; delay between two request of one thread
 delay = 
@@ -101,8 +103,8 @@ dork_b64 = False
 plugins =
 ; user defined poc scripts path
 pocs_path =
-; max number of concurrent network requests (default 1)
-threads = 1
+; max number of concurrent network requests (default 150)
+threads =
 ; automatically choose defaut choice without asking
 batch = 
 ; check install_requires

pocsuite3/__init__.py

@@ -1,5 +1,5 @@
 __title__ = 'pocsuite3'
-__version__ = '1.9.4'
+__version__ = '1.9.5'
 __author__ = 'Knownsec 404 Team'
 __author_email__ = '[email protected]'
 __license__ = 'GPLv2'

pocsuite3/api/__init__.py

@@ -4,7 +4,7 @@
                                        get_host_ipv6, single_time_warn_message)
 from pocsuite3.lib.core.data import conf, kb, logger, paths
 from pocsuite3.lib.core.datatype import AttribDict
-from pocsuite3.lib.core.common import OrderedSet, OrderedDict, mosaic
+from pocsuite3.lib.core.common import OrderedSet, OrderedDict, mosaic, urlparse
 from pocsuite3.lib.core.enums import PLUGIN_TYPE, POC_CATEGORY, VUL_TYPE
 from pocsuite3.lib.core.interpreter_option import (OptBool, OptDict, OptFloat,
                                                    OptInteger, OptIP, OptItems,
@@ -39,7 +39,7 @@
            'DEFAULT_LISTENER_PORT', 'load_file_to_module', 'OrderedDict', 'OrderedSet',
            'load_string_to_module', 'single_time_warn_message', 'CEye',
            'Seebug', 'ZoomEye', 'Shodan', 'Fofa', 'Quake', 'Hunter', 'Censys',
-           'PHTTPServer', 'REVERSE_PAYLOAD', 'get_listener_ip', 'mosaic',
+           'PHTTPServer', 'REVERSE_PAYLOAD', 'get_listener_ip', 'mosaic', 'urlparse',
            'get_listener_port', 'get_results', 'init_pocsuite',
            'start_pocsuite', 'get_poc_options', 'crawl', 'OSShellcodes',
            'WebShell', 'OptDict', 'OptIP', 'OptPort', 'OptBool', 'OptInteger',

pocsuite3/lib/controller/controller.py

@@ -17,16 +17,17 @@
 
 def runtime_check():
     if not kb.registered_pocs:
-        error_msg = "no PoC loaded, please check your PoC file"
-        logger.error(error_msg)
-        raise PocsuiteSystemException(error_msg)
+        msg = "try 'pocsuite -h' or 'pocsuite --help' for more information"
+        logger.warn(msg)
+        raise PocsuiteSystemException(msg)
 
 
 def start():
     runtime_check()
     tasks_count = kb.task_queue.qsize()
     info_msg = "pocsusite got a total of {0} tasks".format(tasks_count)
     logger.info(info_msg)
+    conf.threads = min(conf.threads, tasks_count)
     logger.debug("pocsuite will open {} threads".format(conf.threads))
 
     try:

pocsuite3/lib/core/common.py

@@ -15,7 +15,7 @@
 import collections
 import chardet
 import requests
-import ipaddress
+import urllib
 from collections import OrderedDict
 from functools import wraps
 from ipaddress import ip_address, ip_network
@@ -51,6 +51,22 @@
     collectionsAbc = collections
 
 
+def urlparse(address):
+    # https://stackoverflow.com/questions/50499273/urlparse-fails-with-simple-url
+    try:
+        ip = ip_address(address)
+        if ip.version == 4:
+            return urllib.parse.urlparse(f'tcp://{address}')
+        elif ip.version == 6:
+            return urllib.parse.urlparse(f'tcp://[{address}]')
+    except ValueError:
+        pass
+
+    if not re.search(r'^[A-Za-z0-9+.\-]+://', address):
+        address = f'tcp://{address}'
+    return urllib.parse.urlparse(address)
+
+
 def read_binary(filename):
     content = ''
     with open(filename, 'rb') as f:
@@ -242,7 +258,8 @@ def parse_target_url(url):
         ret = "[" + ret + "]"
 
     if not re.search("^http[s]*://", ret, re.I) and not re.search("^ws[s]*://", ret, re.I) and '://' not in ret:
-        if re.search(":443[/]*$", ret):
+        port = urlparse(ret).port
+        if port and str(port).endswith('443'):
             ret = "https://" + ret
         else:
             ret = "http://" + ret
@@ -343,11 +360,10 @@ def get_file_items(filename, comment_prefix='#', unicode_=True, lowercase=False,
     try:
         with open(filename, 'r') as f:
             for line in f.readlines():
-                # xreadlines doesn't return unicode strings when codecs.open() is used
-                if comment_prefix and line.find(comment_prefix) != -1:
-                    line = line[:line.find(comment_prefix)]
-
                 line = line.strip()
+                # xreadlines doesn't return unicode strings when codecs.open() is used
+                if comment_prefix and line.startswith(comment_prefix):
+                    continue
 
                 if not unicode_:
                     try:
@@ -376,38 +392,41 @@ def get_file_items(filename, comment_prefix='#', unicode_=True, lowercase=False,
     return ret if not unique else ret.keys()
 
 
-def parse_target(address):
-    target = None
-    if is_domain_format(address) \
-            or is_url_format(address) \
-            or is_ip_address_with_port_format(address):
-        target = address
+def parse_target(address, additional_ports=[]):
+    # parse IPv4/IPv6 CIDR
+    targets = OrderedSet()
+    try:
+        for ip in ip_network(address, strict=False).hosts():
 
-    elif is_ipv6_url_format(address):
-        conf.ipv6 = True
-        target = address
+            if ip.version == 6:
+                conf.ipv6 = True
 
-    elif is_ip_address_format(address):
-        try:
-            ip = ip_address(address)
-            target = ip.exploded
-        except ValueError:
-            pass
-    else:
-        if is_ipv6_address_format(address):
+            targets.add(str(ip))
+
+            for port in additional_ports:
+                targets.add(f'[{ip}]:{port}' if conf.ipv6 else f'{ip}:{port}')
+
+        return targets
+
+    except ValueError:
+        pass
+
+    # URL
+    try:
+        if ip_address(urlparse(address).hostname).version == 6:
             conf.ipv6 = True
-            try:
-                ip = ip_address(address)
-                target = ip.exploded
-            except ValueError:
-                try:
-                    network = ip_network(address, strict=False)
-                    for host in network.hosts():
-                        target = host.exploded
-                except ValueError:
-                    pass
+    except ValueError:
+        pass
 
-    return target
+    targets.add(address)
+    pr = urlparse(address)
+    for port in additional_ports:
+        netloc = f'[{pr.hostname}]:{port}' if conf.ipv6 else f'{pr.hostname}:{port}'
+        t = pr._replace(netloc=netloc).geturl()
+        if t.startswith('tcp://'):
+            t = t.lstrip('tcp://')
+        targets.add(t)
+    return targets
 
 
 def single_time_log_message(message, level=logging.INFO, flag=None):
@@ -510,7 +529,7 @@ def get_host_ip(dst='8.8.8.8', check_private=True):
     finally:
         s.close()
 
-    if check_private and ipaddress.ip_address(ip).is_private:
+    if check_private and ip_address(ip).is_private:
         logger.warn(
             f'your wan ip {mosaic(ip)} is a private ip, '
             'there may be some issues in the next stages of exploitation'