## https://sploitus.com/exploit?id=48CB0B24-8B26-5239-AC5C-FDFA59633797
# create-poc-template
[Chinese](README_CN.md)
A skill for AI coding agents, containing the full development reference for Pocsuite3 and Nuclei, so agents stop hallucinating API calls when writing PoC and exploit scripts.
## Why
After watching various AI coding tools write dozens of PoCs, a pattern emerged: the agent understands vulnerability logic, constructs payloads, and structures code just fine. Then it calls `self.options.get()` instead of `self.get_option()`, misspells `condition` in a Nuclei matcher, or invents POCBase attributes that don't exist.
This isn't a capability problem. It's a reference problem. The agent has no accurate docs at hand, and whatever blog posts search engines return are usually outdated or wrong.
The fix: tear apart the framework source and official docs into small, precisely searchable pieces the agent can load on demand.
## Contents
### Pocsuite3 (verified against v2.1.0 source, 10 files)
Cross-referenced against `api/__init__.py`, `lib/core/poc.py`, `lib/core/enums.py`, and `lib/utils/__init__.py` from the `knownsec/pocsuite3` repo:
- **POCBase class**: all 22 declarable attributes, 13 runtime-injected attributes, every method with signatures
- **Output class**: 6 methods, full attribute list
- **Parameter system**: `_options()` pattern, all 8 Opt* types (including CLI limitations), 3 categories of auto-injected options, get/set methods
- **59 VUL_TYPE values**: from CODE_EXECUTION to OTHER, grouped by category
- **24 POC_CATEGORY entries**: EXPLOITS(4) + TOOLS(1) + PROTOCOL(19, with port mappings)
- **Shell & shellcode**: REVERSE_PAYLOAD, BIND_PAYLOAD, bind_shell variants, generate_shellcode_list, OSShellcodes, WebShell, bash/powershell encoders
- **Search engines**: ZoomEye, Seebug, Shodan, Fofa, Quake, Hunter, Censys
- **DNSLog**: CEye and Interactsh
- **Programmatic API & tools**: init_pocsuite/start_pocsuite, PHTTPServer, Nuclei template loader, remote files, plugin system
- **3 complete examples**: Webmin RCE (CVE-2019-15107), Flask SSTI RCE, Redis unauth, plus CLI usage and best practices
### Nuclei (verified against official docs, 17 files)
Pulled from every relevant page under `docs.projectdiscovery.io/templates/`:
- **Template structure**: id, info block, variables
- **HTTP split three ways**:
  - Basic: path variable table, headers/body, cookies, raw requests, unsafe, multi-request conditions
  - Payloads: batteringram/pitchfork/clusterbomb, Fuzzing (pre-condition/part/type/mode/keys/analyzer/time_delay)
  - Advanced: Race conditions, HTTP pipelining, connection pooling
- **DNS**: all record types, available part values
- **Code**: engine list, args/pattern, output references
- **Headless**: 20+ action quick-reference, selector syntax, waitdialog, login detection example
- **Network (TCP)**: hex input, read-size, TLS, multi-port
- **File**: extension filtering, denylist, default exclusions
- **Flow**: conditional short-circuit, JS orchestration (iterate/set/template/log), vhost enum example, internal matchers, Dedupe
- **Multi-Protocol**: protocol prefix variable table, DNS+HTTP+SSL example, comparison with Workflows
- **JavaScript protocol**: code/pre-condition/init nodes, 20 nuclei/* modules, SSH fingerprint/SSH bruteforce/init preload examples
- **Matchers**: 7 types + AND/OR/Negative/Internal/Global conditions + DSL response variables
- **Extractors**: 5 types + dynamic extractors (cross-request value sharing)
- **OOB**: Preprocessors (randstr) + OOB testing (interactsh, 3 match parts)
- **Helper Functions**: 70 DSL functions (encoding, hashing, string ops, random, datetime, JWT, DNS, deserialization)
- **Workflows**: generic, conditional, matcher-branched, nested chaining, shared context
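To make the matcher and extractor syntax listed above concrete, here is a detection-only template added for this README. It is not taken from the Nuclei docs or from the skill's reference files; the `/build-info.json` and `/about` paths, the `build_commit` variable name and the author field are made up. It shows the keys an agent most often gets wrong: `matchers-condition` at request level, `condition` and `negative` inside a matcher, `part` selection, and a dynamic extractor (`name` + `internal: true`) whose value is reused in a later request.

```yaml
id: example-build-info-exposure

info:
  name: Example - Build Metadata Exposed (detection only)
  author: example-author
  severity: low
  description: |
    Added example for this README; the /build-info.json and /about paths are
    made up. Request 1 reads a hypothetical build-metadata file and stores the
    commit hash in a dynamic variable; request 2 only matches if a public page
    echoes that same hash, so one piece of evidence alone never reports.
  tags: misconfig,exposure

http:
  # Request 1: fetch the metadata file. No matchers here on purpose: a block
  # with matchers reports on its own, and we want both requests as evidence.
  - raw:
      - |
        GET /build-info.json HTTP/1.1
        Host: {{Hostname}}

    extractors:
      # "name" + "internal: true" makes this a dynamic extractor: the value is
      # kept out of the output and becomes {{build_commit}} for later requests.
      - type: regex
        name: build_commit
        internal: true
        part: body
        group: 1
        regex:
          - '"commit"\s*:\s*"([0-9a-f]{7,40})"'

  # Request 2: the extracted value is referenced like any template variable.
  - raw:
      - |
        GET /about HTTP/1.1
        Host: {{Hostname}}

    # Request-level key: how the matchers below are combined.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      # "words" is the list key; "condition" combines the list entries.
      - type: word
        part: body
        words:
          - "{{build_commit}}"
        condition: and

      # A negative matcher rejects an error page that still returns 200.
      - type: word
        part: body
        words:
          - "Not Found"
        negative: true

      # DSL matchers see the response variables (status_code, all_headers,
      # body, content_length) directly.
      - type: dsl
        dsl:
          - 'content_length > 0 && contains(tolower(all_headers), "text/html")'

    extractors:
      # A non-internal extractor is printed with the finding.
      - type: kval
        part: header
        kval:
          - server
```

Two things worth knowing when reading the result: if request 1 extracts nothing, `{{build_commit}}` is left unreplaced and the word matcher in request 2 will not match, which is the intended fail-closed behaviour; and the `kval` extractor reports the `Server` header only on a successful match, so it adds context without widening what the template flags.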
## Why 28 files
The skill system's `references/` directory doesn't auto-load into context. The agent reads files only when it needs them. Writing an HTTP template means loading roughly 3 files and 200 lines, not swallowing 1200 lines of nuclei docs whole.
Most files are under 100 lines. The longest is the examples file at 277.
```
poc-dev/
├── SKILL.md                    Entry point: framework selection + doc index
└── references/
    ├── pocsuite3/              10 files
    │   ├── pocbase.md          POCBase class reference
    │   ├── output.md           Output class
    │   ├── options.md          Parameter system
    │   ├── enum-vul.md         59 vulnerability types
    │   ├── enum-category.md    POC_CATEGORY + PLUGIN_TYPE
    │   ├── shell.md            Shell/shellcode/webshell
    │   ├── search.md           7 search engines
    │   ├── dnslog.md           CEye + Interactsh
    │   ├── api.md              Programmatic API, remote files, tools
    │   └── examples.md         3 PoCs + CLI + best practices
    └── nuclei/                 17 files
        ├── structure.md        Template skeleton
        ├── http-basic.md       GET/POST, raw, unsafe, cookies, multi-request
        ├── http-payloads.md    Payloads (3 attack modes) + Fuzzing
        ├── http-advanced.md    Race conditions, pipelining, pooling
        ├── dns.md              DNS protocol
        ├── code.md             Code protocol
        ├── headless.md         Browser automation
        ├── network.md          TCP raw bytes
        ├── file.md             Local file scanning
        ├── flow.md             Conditional flow + JS orchestration
        ├── multi-protocol.md   Cross-protocol variable sharing
        ├── javascript.md       JS runtime + 20 modules
        ├── matchers.md         7 matcher types
        ├── extractors.md       5 extractor types
        ├── oob.md              Preprocessors + OOB testing
        ├── functions.md        70 DSL functions
        └── workflows.md        Workflow orchestration
```
## Usage
This skill works with any AI coding tool that supports the skill format (Claude Code, Codex, and others).
It picks the framework based on context: simple HTTP detection → Nuclei YAML; complex Python logic or exploitation → Pocsuite3; browser automation → Nuclei Headless; non-standard protocols → Nuclei JavaScript.
## Known gaps
- **Non-HTTP protocol PoC examples are sparse**: Redis unauth is covered, but SMB/SSH/FTP have only API references, no full examples
- **Only SSH has examples for JavaScript protocol modules**: the other 19 modules are listed by name only; the official docs themselves are thin here
- **Version drift**: Pocsuite3 docs target v2.1.0 from GitHub source. Nuclei docs were pulled from the docs site and may be ahead of or behind your installed version
## License
MIT. See [LICENSE](LICENSE).