feat: support filter poc by keyword (#248)

* feat: support filter poc by keyword

.github/workflows/lint.yml

@@ -31,10 +31,10 @@ jobs:
 
     - name: Style lint
       run: |
-        flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --ignore=C901 --statistics > current.txt
+        flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --ignore=C901,W503,W504 --statistics > current.txt
         git fetch origin
         git checkout origin/"$GITHUB_BASE_REF"
-        flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --ignore=C901 --statistics > base.txt
+        flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --ignore=C901,W503,W504 --statistics > base.txt
         if diff base.txt current.txt | grep "^> ./"; then
           false
         fi

docs/CODING.md

@@ -157,7 +157,7 @@ from pocsuite3.lib.utils import random_str
     desc = '/api/v2.0/user/remoteserver.saml接口的name参数存在命令注入'  # 漏洞简要描述
     samples = ['http://192.168.1.1']  # 测试样列，就是用 PoC 测试成功的目标
     install_requires = ['BeautifulSoup4:bs4']  # PoC 第三方模块依赖，请尽量不要使用第三方模块，必要时请参考《PoC第三方模块依赖说明》填写
-   	pocDesc = ''' poc的用法描述 '''
+    pocDesc = ''' poc的用法描述 '''
     dork = {'zoomeye': 'deviceState.admin.hostname'}  # 搜索 dork，如果运行 PoC 时不提供目标且该字段不为空，将会调用插件从搜索引擎获取目标。
     suricata_request = '''http.uri; content: "/api/v2.0/user/remoteserver.saml";'''  # 请求流量 suricata 规则
     suricata_response = ''  # 响应流量 suricata 规则

docs/USAGE.md

@@ -28,7 +28,8 @@ Target:
                         Target URL (e.g. "http://www.site.com/vuln.php?id=1")
   -f URL_FILE, --file URL_FILE
                         Scan multiple targets given in a textual file
-  -r POC [POC ...]      Load POC file from local or remote from seebug website
+  -r POC [POC ...]      Load PoC file from local or remote from seebug website
+  -k POC_KEYWORD        Filter PoC by keyword, e.g. ecshop
   -c CONFIGFILE         Load options from a configuration INI file
 
 Mode:
@@ -49,7 +50,7 @@ Request:
   --proxy-cred PROXY_CRED
                         Proxy authentication credentials (name:password)
   --timeout TIMEOUT     Seconds to wait before timeout connection (default 30)
-  --retry RETRY         Time out retrials times.
+  --retry RETRY         Time out retrials times
   --delay DELAY         Delay between two request of one thread
   --headers HEADERS     Extra headers (e.g. "key1: value1\nkey2: value2")
 
@@ -76,23 +77,23 @@ Account:
 Modules:
   Modules(Seebug, Zoomeye, CEye, Fofa, Quake, Listener) options
 
-  --dork DORK           Zoomeye dork used for search.
+  --dork DORK           Zoomeye dork used for search
   --dork-zoomeye DORK_ZOOMEYE
-                        Zoomeye dork used for search.
+                        Zoomeye dork used for search
   --dork-shodan DORK_SHODAN
-                        Shodan dork used for search.
+                        Shodan dork used for search
   --dork-censys DORK_CENSYS
-                        Censys dork used for search.
+                        Censys dork used for search
   --dork-fofa DORK_FOFA
-                        Fofa dork used for search.
+                        Fofa dork used for search
   --dork-quake DORK_QUAKE
-                        Quake dork used for search.
-  --max-page MAX_PAGE   Max page used in search API.
+                        Quake dork used for search
+  --max-page MAX_PAGE   Max page used in search API
   --search-type SEARCH_TYPE
                         search type used in ZoomEye API, web or host
   --vul-keyword VUL_KEYWORD
-                        Seebug keyword used for search.
-  --ssv-id SSVID        Seebug SSVID number for target PoC.
+                        Seebug keyword used for search
+  --ssv-id SSVID        Seebug SSVID number for target PoC
   --lhost CONNECT_BACK_HOST
                         Connect back host for target PoC in shell mode
   --lport CONNECT_BACK_PORT
@@ -108,12 +109,12 @@ Optimization:
   --pocs-path POCS_PATH
                         User defined poc scripts path
   --threads THREADS     Max number of concurrent network requests (default 1)
-  --batch BATCH         Automatically choose defaut choice without asking.
+  --batch BATCH         Automatically choose defaut choice without asking
   --requires            Check install_requires
-  --quiet               Activate quiet mode, working without logger.
+  --quiet               Activate quiet mode, working without logger
   --ppt                 Hiden sensitive information when published to the network
   --pcap                use scapy capture flow
-  --rule                export rules, default export reqeust and response
+  --rule                export suricata rules, default export reqeust and response
   --rule-req            only export request rule
   --rule-filename RULE_FILENAME
                         Specify the name of the export rule file

manpages/pocsuite.1

@@ -50,6 +50,9 @@ Scan multiple targets given in a textual file
 \fB\-r\fR POC [POC ...]
 Load POC file from local or remote from seebug website
 .TP
+\fB\-k\fR POC_KEYWORD
+Filter PoC by keyword, e.g. ecshop
+.TP
 \fB\-c\fR CONFIGFILE
 Load options from a configuration INI file
 .SS "Mode:"
@@ -90,7 +93,7 @@ Proxy authentication credentials (name:password)
 Seconds to wait before timeout connection (default 30)
 .TP
 \fB\-\-retry\fR RETRY
-Time out retrials times.
+Time out retrials times
 .TP
 \fB\-\-delay\fR DELAY
 Delay between two request of one thread
@@ -116,6 +119,9 @@ fofa user
 \fB\-\-fofa\-token\fR FOFA_TOKEN
 fofa token
 .TP
+\fB\-\-quake\-token\fR QUAKE_TOKEN
+quake token
+.TP
 \fB\-\-censys\-uid\fR CENSYS_UID
 Censys uid
 .TP
@@ -126,31 +132,31 @@ Censys secret
 Modules (Seebug, Zoomeye, CEye, Fofa, Listener) options
 .TP
 \fB\-\-dork\fR DORK
-Zoomeye dork used for search.
+Zoomeye dork used for search
 .TP
 \fB\-\-dork\-zoomeye\fR DORK_ZOOMEYE
-Zoomeye dork used for search.
+Zoomeye dork used for search
 .TP
 \fB\-\-dork\-shodan\fR DORK_SHODAN
-Shodan dork used for search.
+Shodan dork used for search
 .TP
 \fB\-\-dork\-censys\fR DORK_CENSYS
-Censys dork used for search.
+Censys dork used for search
 .TP
 \fB\-\-dork\-fofa\fR DORK_FOFA
-Fofa dork used for search.
+Fofa dork used for search
 .TP
 \fB\-\-max\-page\fR MAX_PAGE
-Max page used in search API.
+Max page used in search API
 .TP
 \fB\-\-search\-type\fR SEARCH_TYPE
 search type used in ZoomEye API, web or host
 .TP
 \fB\-\-vul\-keyword\fR VUL_KEYWORD
-Seebug keyword used for search.
+Seebug keyword used for search
 .TP
 \fB\-\-ssv\-id\fR SSVID
-Seebug SSVID number for target PoC.
+Seebug SSVID number for target PoC
 .TP
 \fB\-\-lhost\fR CONNECT_BACK_HOST
 Connect back host for target PoC in shell mode
@@ -180,13 +186,13 @@ User defined poc scripts path
 Max number of concurrent network requests (default 1)
 .TP
 \fB\-\-batch\fR BATCH
-Automatically choose defalut choice without asking.
+Automatically choose defalut choice without asking
 .TP
 \fB\-\-requires\fR
 Check install_requires
 .TP
 \fB\-\-quiet\fR
-Activate quiet mode, working without logger.
+Activate quiet mode, working without logger
 .TP
 \fB\-\-ppt\fR
 Hiden sensitive information when published to the

pocsuite.ini

@@ -5,6 +5,8 @@ url =
 url_file = 
 ; load poc file from local or remote from seebug website
 poc = ecshop_rce.py
+; filter poc by keyword, e.g. cve-2021-22005
+poc_keyword =
 
 [Mode]
 ; run poc with verify mode
@@ -27,7 +29,7 @@ proxy =
 proxy_cred = 
 ; seconds to wait before timeout connection (default 30)
 timeout = 
-; time out retrials times.
+; time out retrials times
 retry =
 ; delay between two request of one thread
 delay = 
@@ -53,25 +55,25 @@ censys_uid =
 censys_secret =
 
 [Modules]
-; zoomeye dork used for search.
+; zoomeye dork used for search
 dork =
-; zoomeye dork used for search.
+; zoomeye dork used for search
 dork_zoomeye =
-; shodan dork used for search.
+; shodan dork used for search
 dork_shodan =
-; censys dork used for search.
+; censys dork used for search
 dork_censys =
-; fofa dork used for search.
+; fofa dork used for search
 dork_fofa =
-; quake dork used for search.
+; quake dork used for search
 dork_quake =
-; max page used in search api.
+; max page used in search api
 max_page = 1
 ; search type used in zoomeye api, web or host
 search_type = host
-; seebug keyword used for search.
+; seebug keyword used for search
 vul_keyword =
-; seebug ssvid number for target poc.
+; seebug ssvid number for target poc
 ssvid =
 ; connect back host for target poc in shell mode
 connect_back_host =
@@ -91,11 +93,11 @@ plugins =
 pocs_path =
 ; max number of concurrent network requests (default 1)
 threads = 1
-; automatically choose defaut choice without asking.
+; automatically choose defaut choice without asking
 batch = 
 ; check install_requires
 check_requires = False
-; activate quiet mode, working without logger.
+; activate quiet mode, working without logger
 quiet = False
 ; hiden sensitive information when published to the network
 ppt = False

pocsuite3/lib/core/option.py

@@ -4,13 +4,13 @@
 import os
 import re
 import socket
-import socks
 import importlib
-import prettytable
-from termcolor import colored
 from queue import Queue
 from urllib.parse import urlsplit
 
+import socks
+import prettytable
+from termcolor import colored
 from pocsuite3.lib.core.clear import remove_extra_log_message
 from pocsuite3.lib.core.common import boldify_message, check_file, get_file_items, parse_target, \
     get_public_type_members, data_to_stdout
@@ -213,7 +213,8 @@ def _set_multiple_targets():
 
     if conf.dork:
         # enable plugin 'target_from_zoomeye' by default
-        if 'target_from_shodan' not in conf.plugins and 'target_from_fofa' not in conf.plugins and 'target_from_quake' not in conf.plugins:
+        if ('target_from_shodan' not in conf.plugins and 'target_from_fofa' not in conf.plugins
+                and 'target_from_quake' not in conf.plugins):
             conf.plugins.append('target_from_zoomeye')
 
     if conf.dork_zoomeye:
@@ -320,44 +321,58 @@ def _set_pocs_modules():
     # load poc scripts .pyc file support
     if conf.ssvid:
         conf.plugins.append('poc_from_seebug')
+
+    if not (conf.poc or conf.vul_keyword) and conf.poc_keyword:
+        conf.poc = [paths.POCSUITE_POCS_PATH]
+
     if conf.poc:
-        # step1. load system packed poc from pocsuite3/pocs folder
         exists_poc_with_ext = list(
             filter(lambda x: x not in ['__init__.py', '__init__.pyc'], os.listdir(paths.POCSUITE_POCS_PATH)))
         exists_pocs = dict([os.path.splitext(x) for x in exists_poc_with_ext])
         for poc in conf.poc:
-            load_poc_sucess = False
-            if any([poc in exists_poc_with_ext, poc in exists_pocs]):
-                poc_name, poc_ext = os.path.splitext(poc)
-                if poc_ext in ['.py', '.pyc']:
-                    file_path = os.path.join(paths.POCSUITE_POCS_PATH, poc)
-                else:
-                    file_path = os.path.join(paths.POCSUITE_POCS_PATH, poc + exists_pocs.get(poc))
-                if file_path:
-                    info_msg = "loading PoC script '{0}'".format(file_path)
-                    logger.info(info_msg)
-                    load_poc_sucess = load_file_to_module(file_path)
-
-            # step2. load poc from given file path
+            # load poc from pocsuite3/pocs folder or other local path
             try:
-                if not load_poc_sucess:
-                    if not poc.startswith('ssvid-') and check_file(poc):
-                        info_msg = "loading PoC script '{0}'".format(poc)
-                        logger.info(info_msg)
-                        load_poc_sucess = load_file_to_module(poc)
+                _pocs = []
+                load_poc_sucess = False
+
+                if os.path.isfile(poc):
+                    _pocs.append(poc)
+
+                elif any([poc in exists_poc_with_ext, poc in exists_pocs]):
+                    poc_name, poc_ext = os.path.splitext(poc)
+                    if poc_ext in ['.py', '.pyc']:
+                        file_path = os.path.join(paths.POCSUITE_POCS_PATH, poc)
+                    else:
+                        file_path = os.path.join(paths.POCSUITE_POCS_PATH, poc + exists_pocs.get(poc))
+                    _pocs.append(file_path)
+
+                elif check_path(poc):
+                    for root, _, files in os.walk(poc):
+                        files = filter(lambda x: not x.startswith("__") and x.endswith(".py"), files)
+                        _pocs.extend(map(lambda x: os.path.join(root, x), files))
+
+                for p in _pocs:
+                    file_content = open(p, encoding='utf-8').read()
+                    if 'register_poc' not in file_content:
+                        continue
+                    if conf.poc_keyword:
+                        attr_field = re.search(r'vulID.*?def .*?\(', file_content, re.DOTALL)
+                        if attr_field and conf.poc_keyword.lower() not in attr_field.group().lower():
+                            continue
+                    info_msg = "loading PoC script '{0}'".format(p)
+                    logger.info(info_msg)
+                    load_poc_sucess = load_file_to_module(p) or load_poc_sucess
             except PocsuiteSystemException:
                 logger.error('PoC file "{0}" not found'.format(repr(poc)))
                 continue
 
-            # step3. load poc from seebug website using plugin 'poc_from_seebug'
-            if not load_poc_sucess:
-                if poc.startswith('ssvid-'):
-                    info_msg = "loading Poc script 'https://www.seebug.org/vuldb/{0}'".format(poc)
-                    logger.info(info_msg)
-                    if "poc_from_seebug" not in conf.plugins:
-                        conf.plugins.append('poc_from_seebug')
+            # load poc from seebug website using plugin 'poc_from_seebug'
+            if not load_poc_sucess and poc.startswith('ssvid-'):
+                info_msg = "loading Poc script 'https://www.seebug.org/vuldb/{0}'".format(poc)
+                logger.info(info_msg)
+                if "poc_from_seebug" not in conf.plugins:
+                    conf.plugins.append('poc_from_seebug')
 
-    load_keyword_poc_sucess = False
     if conf.vul_keyword:
         # step4. load poc with vul_keyword search seebug website
         info_msg = "loading PoC script from seebug website using search keyword '{0}' ".format(conf.vul_keyword)
@@ -491,6 +506,7 @@ def _set_conf_attributes():
     conf.url_file = None
     conf.mode = 'verify'
     conf.poc = None
+    conf.poc_keyword = None
     conf.cookie = None
     conf.host = None
     conf.referer = None
@@ -724,7 +740,9 @@ def init():
     update()
     _set_multiple_targets()
     _set_user_pocs_path()
-    _set_pocs_modules()  # The poc module module must be in front of the plug-in module, and some parameters in the poc option call the plug-in
+    # The poc module module must be in front of the plug-in module,
+    # and some parameters in the poc option call the plug-in
+    _set_pocs_modules()
     _set_plugins()
     _init_targets_plugins()
     _init_pocs_plugins()

pocsuite3/lib/core/optiondict.py

@@ -7,6 +7,7 @@
         'url': 'string',
         'url_file': 'string',
         'poc': 'string',
+        'poc_keyword': 'string',
         'configFile': 'string'
     },
     'Mode': {

pocsuite3/lib/core/settings.py

@@ -114,7 +114,9 @@
     "version",
     "update",
     "url",
+    "url_file",
     "file",
+    "poc_keyword",
     "verify",
     "attack",
     "shell",