The Exploit of Those Things: From Theory to Practice - vulnerability warning - the black bar safety net

ID MYHACK58:62201678282
Type myhack58
Reporter RickGray
Modified 2016-08-23T00:00:00


It has been a long time since I last posted. Recently, on a whim, I decided to talk about “the exploit of those things”. There is a phenomenon now: as soon as a verification PoC or exploit (EXP) for a high-impact vulnerability is released, a large crowd of hungry hats rushes out to mass-scan for it (“brushing holes”); as a passer-by, I am a little envious. XD

Mass scanning aside, the real work still has to be done. From disclosure, to analysis and verification by researchers, to writing the PoC, to large-scale scanning and detection, a vulnerability goes through an interlocking emergency life cycle. In my view the most crucial part consists of PoC preparation and exploitation, in two parts:


  • PoC preparation: reproducing the vulnerable environment and turning the reproduction process into code
  • Vulnerability detection: using the written PoC to verify whether the tested target has the vulnerability. Note that in this process, and when writing the PoC, the code must be safe, effective and harmless, avoiding as far as possible any non-recoverable impact on the target host during scanning

Let's talk about the PoC first. In my opinion, writing PoCs is the most basic daily work of a security researcher or vulnerability analyst: the author describes the vulnerability verification and analysis process in code, writing a PoC appropriate to the type of vulnerability. From my years of accumulated experience in writing PoCs, I personally think a PoC should follow a few guidelines, as follows:

  • Randomness
  • Certainty
  • Versatility

You may think I'm being too abstract? Then let me explain them one by one.

PoC guidelines & examples

i. Randomness

The key variables or data involved in a PoC should be random; do not generate the payload from fixed variable values. Whatever can be generated randomly should be generated randomly, for example: upload file names, webshell passwords, alert strings, MD5 values. Let's look at a few examples (I really am not advertising; most of the examples use the pocsuite PoC framework):


The code shown above is the key part of the verification code for an arbitrary file upload vulnerability caused by a WordPress theme. As you can see, it uses kstest.php as the upload file name in every test. This is clearly a fixed file name, contrary to the randomness guideline mentioned above. One more long-winded sentence here: I am not saying that using fixed variables or data in a PoC is wrong, but using random data wherever randomness is possible reduces some of the risks taken on during scanning and detection; exactly which risks, I leave to your imagination.

Following the randomness guideline, the code can be modified as follows:


After the change, the uploaded file name is a randomly generated 6-character string each time, which in my personal opinion reduces to some extent the possibility of the scan's interaction data being tracked.
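The change described above, written out as an added example (not the page's pocsuite code): a helper that generates a random 6-character upload name and a random marker, and verifies by the marker rather than by a fixed name. The file extension, the marker length and the marker-only file body are assumptions of this example.

```python
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits


def random_name(length=6, ext="php"):
    """Random upload file name such as 'k3x9qa.php'.

    secrets (not random) is used so the name is unpredictable to anyone
    watching the interaction data; the extension is an assumption here.
    """
    name = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return "%s.%s" % (name, ext)


def build_upload_probe():
    """Pieces of an upload test: a random file name, a random marker and a
    file body that consists of the marker only (no executable content).

    Returns (filename, marker, body).
    """
    marker = secrets.token_hex(8)          # 16 hex chars, new on every run
    return random_name(), marker, marker


def verify_upload(fetched_body, marker):
    """The target counts as vulnerable only if fetching the uploaded file
    back returns exactly the random marker we sent, not a fixed string."""
    return fetched_body.strip() == marker
```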

ii. Certainty

A PoC can only claim that a vulnerability exists if it finds a definite identifier in the content returned by the test, and this identifier must be specific; do not judge by conditions that are too vague, such as the HTTP response status code or fixed page content that can be controlled. Again, an example illustrates this:


The code shown in the figure is the verification code for a UNION-type SQL injection vulnerability in a web application. It injects directly by concatenating -1' union select 1,md5(1)-- ; because the vulnerable data is echoed back to the page, if the injection succeeds the page prints the value of md5(1), c4ca4238a0b923820dcc509a6f75849b. This PoC looks fine, but combined with the first guideline, randomness, I think it would be better to use md5(rand_num) as the identifier, because randomization makes the detection more accurate:


Isn't this a trap? In the unlikely event that a site has no vulnerability but its page happens to contain c4ca4238a0b923820dcc509a6f75849b, what do you think happens?

Here let me mention a problem that users of the Python requests library may overlook. Sometimes, after getting the response object of a request, we do a preliminary check like the following code:


Some may say that in Python a non-empty object is truthy, but is it really handled that way here? No. After running into this pit in practice, I later tested and found that the truthiness of the Response object is determined by the HTTP status code: when the status code is in the range [400, 600], the condition evaluates to False. (If you don't believe it, test it yourself.)

Why do I mention this? Because sometimes when we send the test exploit or payload, the target may return 500 due to an error in its back-end processing logic, while the page already contains the identifier that shows the vulnerability exists. If you pre-check the Response object in the way just described, this produces a false negative. So, you know what to do?
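The md5(rand_num) identifier and the Response truthiness pitfall, as an added example (not code from the page or from pocsuite): the marker is random per scan, and the body is inspected even when the status is 500. fake_response builds a constructed offline requests.Response in place of a real reply; the query shape follows the page's example and the 9-digit range is an assumption.

```python
import hashlib
import secrets

import requests  # the library whose Response truthiness the text discusses


def marker_for(n):
    """Hex md5 of the decimal number n, i.e. what md5(n) prints in MySQL."""
    return hashlib.md5(str(n).encode()).hexdigest()


def make_marker():
    """Random 9-digit number and its md5: a different identifier per scan,
    so a page that merely happens to contain md5(1) is not a false positive."""
    n = secrets.randbelow(10 ** 8) + 10 ** 8
    return n, marker_for(n)


def build_payload(n):
    """Same injection shape as the page's example, with the random number."""
    return "-1' union select 1,md5(%d)-- " % n


def response_has_marker(resp, expected_md5):
    """Inspect the body regardless of status code.

    `if resp:` is False for status >= 400 (Response.__bool__ returns
    Response.ok), so an injection that made the backend answer 500 while
    still echoing the marker would be missed. Only None is rejected.
    """
    if resp is None:
        return False
    return expected_md5 in resp.text


def fake_response(status_code, body):
    """Constructed offline Response standing in for a real HTTP reply."""
    r = requests.Response()
    r.status_code = status_code
    r._content = body.encode("utf-8")
    r.encoding = "utf-8"
    return r
```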

iii. Versatility

The payload used in a PoC, or the detection code it includes, should take the individual environments or platforms into account and construct a generic payload where possible. Do not use detection code that only works against a single target, and do not consider only the environment in which the vulnerability was reproduced, for example: the form of the path in a file inclusion, or the command run in a command execution. The following figure shows an arbitrary file download vulnerability caused by a WordPress plug-in:

