Skip to content

proof-of-concept.md

Latest commit

 

History

History
307 lines (233 loc) · 6.89 KB

proof-of-concept.md

File metadata and controls

307 lines (233 loc) · 6.89 KB

💣 Proof of Concept (PoC)

Overview

Vulnerability confirmed → Now achieve highest possible exploitation impact and automate it.

PoC Phases

Full Chain Exploitation
         ↓
  Exploit Development
         ↓
 Test on Real Target

Phase 1: Full Chain Exploitation

Goal

Document working exploitation process step-by-step.

What to Document

Element Description
Initial target location Entry point URL/endpoint
Client-side payload First payload sent
Additional payloads For chained vulnerabilities
Bypasses WAF, filter, encoding bypasses

Process

1. Start from client-side input
         ↓
2. Document each payload needed
         ↓
3. If chaining vulns, document each step
         ↓
4. If blocked, work on bypass
         ↓
5. Proceed to next step
         ↓
6. Repeat until full exploitation

Chained Vulnerability Example

Step 1: SQLi to bypass authentication
   Payload: admin' OR '1'='1
   Result: Logged in as admin
         ↓
Step 2: File upload as admin
   Payload: shell.php.jpg with PHP content
   Bypass: Double extension
   Result: Shell uploaded
         ↓
Step 3: RCE via uploaded shell
   Location: /uploads/shell.php.jpg
   Payload: ?cmd=whoami
   Result: Command execution

Handling Blocks

Block Action
WAF blocks payload Research bypasses, encoding
Filter removes chars Find alternative chars/encoding
Blind exploitation Develop OOB or time-based
Rate limiting Add delays, use multiple sessions

If Full Exploitation Fails

  • Still report vulnerability
  • Severity may be reduced
  • Document what was achieved
  • Note what prevented full exploitation

Tip: Persist! If you can't achieve full exploitation, someone else will with better bypasses or chained vulns.

Phase 2: Exploit Development

Goal

Write script that automatically reproduces exploitation steps.

Language Selection

Use Case Language Reason
Network/Web applications Python Cross-platform, good libraries
Client-side (CSRF, etc.) JavaScript Only executes in browsers
Web + client-side chain Python + JavaScript JS for client, Python for backend
Binary exploitation Python Good debugging libraries (pwntools)
OS targeting Bash/PowerShell Pre-installed on target OS
Thick client/advanced Application's language Reuse code/functions

Python Exploit Structure

#!/usr/bin/env python3
import requests
import sys

class Exploit:
    def __init__(self, target, port):
        self.target = target
        self.port = port
        self.session = requests.Session()
    
    def check_vuln(self):
        """Verify target is vulnerable"""
        pass
    
    def stage1_auth_bypass(self):
        """First stage: bypass authentication"""
        pass
    
    def stage2_upload_shell(self):
        """Second stage: upload web shell"""
        pass
    
    def stage3_rce(self, cmd):
        """Third stage: execute commands"""
        pass
    
    def cleanup(self):
        """Remove traces of exploitation"""
        pass
    
    def run(self):
        """Main exploitation flow"""
        try:
            if not self.check_vuln():
                print("[-] Target not vulnerable")
                return False
            
            self.stage1_auth_bypass()
            self.stage2_upload_shell()
            self.stage3_rce("whoami")
            return True
        except Exception as e:
            print(f"[-] Error: {e}")
            self.cleanup()
            return False
        finally:
            self.cleanup()

if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(f"Usage: {sys.argv[0]} <target> <port>")
        sys.exit(1)
    
    exploit = Exploit(sys.argv[1], int(sys.argv[2]))
    exploit.run()

Key Exploit Features

Feature Purpose
Error handling Graceful failure, cleanup on error
Cleanup function Remove traces
Modular stages Easy to debug/modify
Verification Confirm target is vulnerable first
Configurability Easy to change target

Phase 3: Test on Real Target

Before Testing on Production

  • Thoroughly tested on test environment
  • All security mechanisms enabled during tests
  • Works fully automatically
  • Safe to run (no data loss/downtime)

Modifications for Production

# Change target details
TARGET = "production.target.com"  # Was: "test.local"
PORT = 443                        # Was: 8080
USE_HTTPS = True                  # Was: False

Safety Requirements

Requirement Implementation
Revertible Can undo all changes
Clean traces Remove created files/accounts
Handle errors Cleanup even on failure
Non-destructive Never modify critical data
No downtime Operations don't crash services

What to Clean Up

Action Taken Cleanup Required
Created account Delete account
Modified data Reset to original
Uploaded files Delete files
Changed configs Restore configs
Created DB entries Remove entries

Error Handling Pattern

def exploit(self):
    created_user = None
    uploaded_file = None
    
    try:
        # Stage 1
        created_user = self.create_user()
        
        # Stage 2
        uploaded_file = self.upload_shell()
        
        # Stage 3
        result = self.execute_command()
        
        return result
        
    except Exception as e:
        print(f"[-] Exploit failed: {e}")
        raise
        
    finally:
        # Always cleanup
        if uploaded_file:
            self.delete_file(uploaded_file)
        if created_user:
            self.delete_user(created_user)

PoC Documentation Template

# Vulnerability: [Name]

## Summary
Brief description of the vulnerability.

## Affected Version
- Application: v1.2.3
- Component: /api/upload

## Prerequisites
- Valid user account
- Network access to target

## Exploitation Steps

### Step 1: Authentication Bypass
Payload: `admin' OR '1'='1`
Endpoint: POST /login

### Step 2: Shell Upload
Payload: [shell.php content]
Bypass: Double extension
Endpoint: POST /upload

### Step 3: RCE
Command: `whoami`
Endpoint: GET /uploads/shell.php.jpg?cmd=whoami

## Proof
[Screenshot or output]

## Remediation
[Recommended fix]

Checklist

Full Chain Exploitation

  • All steps documented
  • All payloads recorded
  • Bypasses identified and tested
  • Can reproduce manually

Exploit Development

  • Script automates all steps
  • Error handling implemented
  • Cleanup function works
  • Tested on test environment

Production Testing

  • Target details configured
  • Safe to run verified
  • Cleanup confirmed working
  • Successful execution documented