Commit
commit c616163 (0 parents): showing 34 changed files with 1,834 additions and 0 deletions.
@@ -0,0 +1,60 @@ | ||
# 用友NC系列漏洞检测利用工具 | ||
|
||
<a href="https://github.com/wgpsec/YongYouNcTool"><img alt="Release" src="https://img.shields.io/badge/YongYouNcTool-1.0-ff69b4"></a> | ||
<a href="https://github.com/wgpsec/YongYouNcTool"><img alt="Release" src="https://img.shields.io/badge/LICENSE-GPL-important"></a> | ||
![GitHub Repo stars](https://img.shields.io/github/stars/wgpsec/YongYouNcTool?color=success) | ||
![GitHub forks](https://img.shields.io/github/forks/wgpsec/YongYouNcTool) | ||
![GitHub all release](https://img.shields.io/github/downloads/wgpsec/YongYouNcTool/total?color=blueviolet) | ||
|
||
用友NC系列漏洞检测利用工具,支持一键检测、命令执行回显、文件落地、一键打入内存马、文件读取等 | ||
|
||
> 免责声明:此工具仅限于安全研究,用户承担因使用此工具而导致的所有法律和相关责任!作者不承担任何法律责任! | ||
## 🕳️ 目前已集成 | ||
* BshServlet rce | ||
* jsInvoke rce | ||
* DeleteServlet cc6 反序列化 | ||
* DownloadServlet cc6 反序列化 | ||
* FileReceiveServlet cc6 反序列化 | ||
* fsDownloadServlet cc6 反序列化 | ||
* MonitorServlet cc6 反序列化 | ||
* MxServlet cc6 反序列化 | ||
* monitorservlet cc6 反序列化 | ||
* UploadServlet cc6 反序列化 | ||
* NCMessageServlet cc7 反序列化 | ||
* NCFindWeb 文件读取/列目录 | ||
|
||
## ✨ 功能 | ||
### 一键检测 | ||
![](assets/16924375083496.jpg) | ||
|
||
### 命令执行回显 | ||
![](assets/16924376039908.jpg) | ||
|
||
### 文件落地 | ||
![](assets/16924377312020.jpg) | ||
|
||
### 一键打入内存马 | ||
![](assets/16924377580193.jpg) | ||
|
||
|
||
### 文件读取/目录浏览 | ||
![](assets/16924379583511.jpg) | ||
|
||
### http/socks5代理 | ||
![](assets/16924380582585.jpg) | ||
|
||
## ⚠️说明 | ||
* 不同类型的漏洞能够利用的方式也不同,比如有的能打内存而有的不能(也有的是暂未实现进去) | ||
* 不同的实战环境可能存在差异,请理性看待。 | ||
* jsInvoke rce命令执行模块建议打了一次后抓包出来手动执行,目前的方案是执行一次就写入一个文件,很不优雅。另外就是为了兼容windows和linux,工具内置了两种命令格式,但由于目标环境原因命令实际上会被执行两次,所以还是建议抓包出来手动执行后续命令。 | ||
|
||
## 共建 | ||
很多点还需要完善,欢迎各位提issues、pull | ||
* suo5一键打内存马,通过cc链直接打一直没测试成功 | ||
* 还有部分已知nday还没集成进去 | ||
|
||
## 交流 | ||
![](assets/16924384593877.jpg) | ||
![](assets/16924384697485.jpg) | ||
|
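Review bot: the integration list carries both `MonitorServlet cc6 反序列化` and `monitorservlet cc6 反序列化`, two entries that differ only in letter case; if these are two distinct servlet paths the README should say which is which, otherwise the second is a duplicate and should be dropped. The 说明 (notes) section admits that the jsInvoke rce module writes a file on the target for every command and that each command is actually executed twice because both a Windows and a Linux command form are sent; that caveat belongs next to the `jsInvoke rce` entry in the feature list, stated plainly as "every command runs twice on the target, so do not use it for non-idempotent actions", not only at the bottom of the page. The badge declares the license as `GPL`, which is ambiguous between v2 and v3; the badge and the repository's LICENSE file should name the exact version.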
@@ -0,0 +1,32 @@ | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<project xmlns="http://maven.apache.org/POM/4.0.0" | ||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> | ||
<modelVersion>4.0.0</modelVersion> | ||
|
||
<groupId>org.example</groupId> | ||
<artifactId>YongYouNc</artifactId> | ||
<version>1.0-SNAPSHOT</version> | ||
|
||
<properties> | ||
<maven.compiler.source>8</maven.compiler.source> | ||
<maven.compiler.target>8</maven.compiler.target> | ||
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> | ||
</properties> | ||
|
||
<dependencies> | ||
<!-- OkHttp Dependency --> | ||
<dependency> | ||
<groupId>com.squareup.okhttp3</groupId> | ||
<artifactId>okhttp</artifactId> | ||
<version>5.0.0-alpha.11</version> | ||
</dependency> | ||
<dependency> | ||
<groupId>com.formdev</groupId> | ||
<artifactId>flatlaf</artifactId> | ||
<version>3.2</version> | ||
</dependency> | ||
|
||
|
||
</dependencies> | ||
</project> |
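Review bot: `com.squareup.okhttp3:okhttp` is pinned to `5.0.0-alpha.11`, a pre-release of the 5.x line, while the README badges advertise a 1.0 release; the `HttpUtil` class in this commit only uses `OkHttpClient.Builder`, `Request`, `RequestBody`, `Authenticator`, `Credentials` and `Route`, all of which exist in the stable 4.x releases, so pin a stable version unless an alpha-only feature is needed, and document the choice if it is. The POM also has no `<build>` section, so `mvn package` produces a jar without the OkHttp and FlatLaf classes and without a `Main-Class` manifest entry; add `maven-shade-plugin` (or `maven-assembly-plugin`) configured with the entry class so the artifact the download badge points at runs with `java -jar`. The `groupId` is still the IDE placeholder `org.example`.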
@@ -0,0 +1,170 @@ | ||
package Util; | ||
|
||
|
||
import javax.net.ssl.SSLContext; | ||
import javax.net.ssl.TrustManager; | ||
import javax.net.ssl.X509TrustManager; | ||
import okhttp3.Authenticator; | ||
import okhttp3.Credentials; | ||
import okhttp3.MediaType; | ||
import okhttp3.OkHttpClient; | ||
import okhttp3.Request; | ||
import okhttp3.RequestBody; | ||
import okhttp3.Response; | ||
import okhttp3.Route; | ||
import okio.BufferedSink; | ||
|
||
import java.io.IOException; | ||
import java.io.InputStream; | ||
import java.net.InetSocketAddress; | ||
import java.net.Proxy; | ||
import java.util.Map; | ||
|
||
public class HttpUtil { | ||
|
||
|
||
private static final OkHttpClient client = getInsecureOkHttpClient(); | ||
|
||
private static OkHttpClient getInsecureOkHttpClient() { | ||
try { | ||
final TrustManager[] trustAllCerts = new TrustManager[]{ | ||
new X509TrustManager() { | ||
@Override | ||
public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) throws java.security.cert.CertificateException { | ||
} | ||
|
||
@Override | ||
public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws java.security.cert.CertificateException { | ||
} | ||
|
||
@Override | ||
public java.security.cert.X509Certificate[] getAcceptedIssuers() { | ||
return new java.security.cert.X509Certificate[]{}; | ||
} | ||
} | ||
}; | ||
|
||
SSLContext sslContext = SSLContext.getInstance("SSL"); | ||
sslContext.init(null, trustAllCerts, new java.security.SecureRandom()); | ||
OkHttpClient.Builder builder = new OkHttpClient.Builder(); | ||
builder.sslSocketFactory(sslContext.getSocketFactory(), (X509TrustManager) trustAllCerts[0]); | ||
builder.hostnameVerifier((hostname, session) -> true); | ||
|
||
return builder.build(); | ||
} catch (Exception e) { | ||
throw new RuntimeException(e); | ||
} | ||
} | ||
|
||
|
||
public static Response get(String url, Map<String, String> headers, ProxyConfig proxyConfig) throws IOException { | ||
Request.Builder requestBuilder = new Request.Builder().url(url); | ||
|
||
// 添加请求头 | ||
if (headers != null) { | ||
for (Map.Entry<String, String> header : headers.entrySet()) { | ||
requestBuilder.addHeader(header.getKey(), header.getValue()); | ||
} | ||
} | ||
|
||
Request request = requestBuilder.build(); | ||
OkHttpClient.Builder clientBuilder = client.newBuilder(); | ||
|
||
// 如果设置了代理 | ||
if (proxyConfig != null) { | ||
clientBuilder.proxy(proxyConfig.getProxy()); | ||
if (proxyConfig.getUsername() != null && proxyConfig.getPassword() != null) { | ||
clientBuilder.proxyAuthenticator(proxyConfig.getAuthenticator()); | ||
} | ||
} | ||
|
||
return clientBuilder.build().newCall(request).execute(); | ||
} | ||
|
||
public static Response post(String url, Map<String, String> headers, RequestBody body, ProxyConfig proxyConfig) throws IOException { | ||
Request.Builder requestBuilder = new Request.Builder().url(url).post(body); | ||
|
||
// 添加请求头 | ||
if (headers != null) { | ||
for (Map.Entry<String, String> header : headers.entrySet()) { | ||
requestBuilder.addHeader(header.getKey(), header.getValue()); | ||
} | ||
} | ||
|
||
Request request = requestBuilder.build(); | ||
OkHttpClient.Builder clientBuilder = client.newBuilder(); | ||
|
||
// 如果设置了代理 | ||
if (proxyConfig != null) { | ||
clientBuilder.proxy(proxyConfig.getProxy()); | ||
if (proxyConfig.getUsername() != null && proxyConfig.getPassword() != null) { | ||
clientBuilder.proxyAuthenticator(proxyConfig.getAuthenticator()); | ||
} | ||
} | ||
|
||
return clientBuilder.build().newCall(request).execute(); | ||
} | ||
|
||
public static Response post(String url, Map<String, String> headers, InputStream inputStream, MediaType mediaType, ProxyConfig proxyConfig) throws IOException { | ||
RequestBody requestBody = createRequestBodyFromStream(inputStream, mediaType); | ||
return post(url, headers, requestBody, proxyConfig); | ||
} | ||
|
||
public static RequestBody createRequestBodyFromStream(final InputStream inputStream, final MediaType mediaType) { | ||
return new RequestBody() { | ||
@Override | ||
public MediaType contentType() { | ||
return mediaType; | ||
} | ||
|
||
@Override | ||
public long contentLength() { | ||
try { | ||
return inputStream.available(); | ||
} catch (IOException e) { | ||
return 0; | ||
} | ||
} | ||
|
||
@Override | ||
public void writeTo(BufferedSink sink) throws IOException { | ||
sink.writeAll(okio.Okio.source(inputStream)); | ||
} | ||
}; | ||
} | ||
|
||
// 代理配置类 | ||
public static class ProxyConfig { | ||
private final Proxy proxy; | ||
private final String username; | ||
private final String password; | ||
|
||
public ProxyConfig(Proxy.Type type, String hostname, int port, String username, String password) { | ||
this.proxy = new Proxy(type, new InetSocketAddress(hostname, port)); | ||
this.username = username; | ||
this.password = password; | ||
} | ||
|
||
public Proxy getProxy() { | ||
return proxy; | ||
} | ||
|
||
public String getUsername() { | ||
return username; | ||
} | ||
|
||
public String getPassword() { | ||
return password; | ||
} | ||
|
||
public Authenticator getAuthenticator() { | ||
return new Authenticator() { | ||
@Override | ||
public Request authenticate(Route route, Response response) throws IOException { | ||
String credential = Credentials.basic(username, password); | ||
return response.request().newBuilder().header("Proxy-Authorization", credential).build(); | ||
} | ||
}; | ||
} | ||
} | ||
} |
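Review bot: `createRequestBodyFromStream` reports `inputStream.available()` as `contentLength()`, but `available()` is only an estimate of the bytes readable without blocking (often 0, never a guarantee of the total length), so the `Content-Length` that OkHttp emits can disagree with what `writeTo` actually streams and the request then fails or truncates the payload; return `-1` (unknown length, chunked transfer) or read the stream into a byte array and build the body with `RequestBody.create`. Two proxy problems in `ProxyConfig`: `proxyAuthenticator` only answers HTTP 407 challenges from an HTTP proxy, so for `Proxy.Type.SOCKS` (the socks5 mode the README advertises) the username and password are silently ignored, and an authenticating SOCKS5 proxy has to be served through `java.net.Authenticator.setDefault(...)` instead; and `getAuthenticator()` should return `null` when `response.request().header("Proxy-Authorization")` is already present, otherwise a wrong password is resent until OkHttp's follow-up limit is hit. Minor points: prefer `SSLContext.getInstance("TLS")` over `"SSL"`; set explicit connect, read and write timeouts on the shared client, since the default of 10 s per stage is long for a one-click scan against many unresponsive hosts; and add a comment stating that the trust-all `X509TrustManager` and the `(hostname, session) -> true` verifier are deliberate for self-signed targets, so the snippet is not copied into code where certificate validation matters. `get` and `post` hand back open `Response` objects, which every caller must close.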
@@ -0,0 +1,31 @@ | ||
package Util; | ||
|
||
import java.util.Random; | ||
|
||
public class RandomStringGenerator { | ||
|
||
private static final String CHAR_SET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; | ||
private static final String LETTER_SET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; | ||
private static final Random random = new Random(); | ||
|
||
public static String generateRandomString(int length) { | ||
if (length <= 0) { | ||
return ""; | ||
} | ||
|
||
StringBuilder result = new StringBuilder(length); | ||
|
||
// 为第一个字符选择一个字母 | ||
int randomIndex = random.nextInt(LETTER_SET.length()); | ||
result.append(LETTER_SET.charAt(randomIndex)); | ||
|
||
// 为剩余的字符选择随机字符 | ||
for (int i = 1; i < length; i++) { | ||
randomIndex = random.nextInt(CHAR_SET.length()); | ||
result.append(CHAR_SET.charAt(randomIndex)); | ||
} | ||
|
||
return result.toString(); | ||
} | ||
|
||
} |
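Review bot: `generateRandomString` uses `java.util.Random`, which is seeded from the clock and whose 48-bit state is recoverable from a couple of outputs; that is acceptable if the strings only name dropped files or injected classes (the rule that the first character must come from `LETTER_SET` suggests they are used as Java identifiers, which a comment should say), but if any output serves as a secret such as a memory-shell password or trigger value, switch to `java.security.SecureRandom`, a drop-in replacement here because it extends `Random`.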
@@ -0,0 +1,33 @@ | ||
package Util; | ||
|
||
|
||
import javax.swing.*; | ||
import java.awt.*; | ||
import java.awt.event.FocusAdapter; | ||
import java.awt.event.FocusEvent; | ||
|
||
public class TextFieldPlaceholderHelper { | ||
|
||
public static void setPlaceholder(JTextField textField, String placeholder) { | ||
textField.setText(placeholder); | ||
textField.setForeground(Color.GRAY); | ||
|
||
textField.addFocusListener(new FocusAdapter() { | ||
@Override | ||
public void focusGained(FocusEvent e) { | ||
if (textField.getText().equals(placeholder)) { | ||
textField.setText(""); | ||
textField.setForeground(Color.BLACK); | ||
} | ||
} | ||
|
||
@Override | ||
public void focusLost(FocusEvent e) { | ||
if (textField.getText().isEmpty()) { | ||
textField.setText(placeholder); | ||
textField.setForeground(Color.GRAY); | ||
} | ||
} | ||
}); | ||
} | ||
} |
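Review bot: while the placeholder is displayed, `textField.getText()` returns the placeholder string itself, so any caller that reads the field (a target URL, a command, a proxy host) receives the hint text as though the user had typed it; store the placeholder on the component with `putClientProperty` and add a helper that returns `""` when the current text equals it, or use FlatLaf's `JTextField.placeholderText` client property, which the `flatlaf` dependency in this commit already provides and which never leaks into `getText()`. The hard-coded `Color.BLACK` on focus also ignores the look-and-feel foreground and is unreadable on a dark FlatLaf theme; use `UIManager.getColor("TextField.foreground")` instead.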