1

README.md

@@ -0,0 +1,60 @@
+# 用友NC系列漏洞检测利用工具
+
+<a href="https://github.com/wgpsec/YongYouNcTool"><img alt="Release" src="https://img.shields.io/badge/YongYouNcTool-1.0-ff69b4"></a>
+<a href="https://github.com/wgpsec/YongYouNcTool"><img alt="Release" src="https://img.shields.io/badge/LICENSE-GPL-important"></a>
+![GitHub Repo stars](https://img.shields.io/github/stars/wgpsec/YongYouNcTool?color=success)
+![GitHub forks](https://img.shields.io/github/forks/wgpsec/YongYouNcTool)
+![GitHub all release](https://img.shields.io/github/downloads/wgpsec/YongYouNcTool/total?color=blueviolet)  
+
+用友NC系列漏洞检测利用工具，支持一键检测、命令执行回显、文件落地、一键打入内存马、文件读取等
+
+> 免责声明：此工具仅限于安全研究，用户承担因使用此工具而导致的所有法律和相关责任！作者不承担任何法律责任！
+
+## 🕳️ 目前已集成
+* BshServlet rce
+* jsInvoke rce
+* DeleteServlet cc6 反序列化
+* DownloadServlet cc6 反序列化
+* FileReceiveServlet cc6 反序列化
+* fsDownloadServlet cc6 反序列化
+* MonitorServlet cc6 反序列化
+* MxServlet cc6 反序列化
+* monitorservlet cc6 反序列化
+* UploadServlet cc6 反序列化
+* NCMessageServlet cc7 反序列化
+* NCFindWeb 文件读取/列目录
+
+## ✨ 功能
+###  一键检测
+![](assets/16924375083496.jpg)
+
+###  命令执行回显
+![](assets/16924376039908.jpg)
+
+###  文件落地
+![](assets/16924377312020.jpg)
+
+###  一键打入内存马
+![](assets/16924377580193.jpg)
+
+
+###  文件读取/目录浏览
+![](assets/16924379583511.jpg)
+
+###  http/socks5代理
+![](assets/16924380582585.jpg)
+
+## ⚠️说明
+* 不同类型的漏洞能够利用的方式也不同，比如有的能打内存而有的不能(也有的是暂未实现进去)
+* 不同的实战环境可能存在差异，请理性看待。
+* jsInvoke rce命令执行模块建议打了一次后抓包出来手动执行，目前的方案是执行一次就写入一个文件，很不优雅。另外就是为了兼容windows和linux，工具内置了两种命令格式，但由于目标环境原因命令实际上会被执行两次，所以还是建议抓包出来手动执行后续命令。
+
+## 共建
+很多点还需要完善，欢迎各位提issues、pull
+* suo5一键打内存马，通过cc链直接打一直没测试成功
+* 还有部分已知nday还没集成进去
+
+## 交流
+![](assets/16924384593877.jpg)
+![](assets/16924384697485.jpg)
+

pom.xml

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>org.example</groupId>
+    <artifactId>YongYouNc</artifactId>
+    <version>1.0-SNAPSHOT</version>
+
+    <properties>
+        <maven.compiler.source>8</maven.compiler.source>
+        <maven.compiler.target>8</maven.compiler.target>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+
+    <dependencies>
+        <!-- OkHttp Dependency -->
+        <dependency>
+            <groupId>com.squareup.okhttp3</groupId>
+            <artifactId>okhttp</artifactId>
+            <version>5.0.0-alpha.11</version>
+        </dependency>
+        <dependency>
+            <groupId>com.formdev</groupId>
+            <artifactId>flatlaf</artifactId>
+            <version>3.2</version>
+        </dependency>
+
+
+    </dependencies>
+</project>

src/main/java/Util/HttpUtil.java

@@ -0,0 +1,170 @@
+package Util;
+
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+import okhttp3.Authenticator;
+import okhttp3.Credentials;
+import okhttp3.MediaType;
+import okhttp3.OkHttpClient;
+import okhttp3.Request;
+import okhttp3.RequestBody;
+import okhttp3.Response;
+import okhttp3.Route;
+import okio.BufferedSink;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.InetSocketAddress;
+import java.net.Proxy;
+import java.util.Map;
+
+public class HttpUtil {
+
+
+    private static final OkHttpClient client = getInsecureOkHttpClient();
+
+    private static OkHttpClient getInsecureOkHttpClient() {
+        try {
+            final TrustManager[] trustAllCerts = new TrustManager[]{
+                    new X509TrustManager() {
+                        @Override
+                        public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) throws java.security.cert.CertificateException {
+                        }
+
+                        @Override
+                        public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws java.security.cert.CertificateException {
+                        }
+
+                        @Override
+                        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
+                            return new java.security.cert.X509Certificate[]{};
+                        }
+                    }
+            };
+
+            SSLContext sslContext = SSLContext.getInstance("SSL");
+            sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
+            OkHttpClient.Builder builder = new OkHttpClient.Builder();
+            builder.sslSocketFactory(sslContext.getSocketFactory(), (X509TrustManager) trustAllCerts[0]);
+            builder.hostnameVerifier((hostname, session) -> true);
+
+            return builder.build();
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+
+    public static Response get(String url, Map<String, String> headers, ProxyConfig proxyConfig) throws IOException {
+        Request.Builder requestBuilder = new Request.Builder().url(url);
+
+        // 添加请求头
+        if (headers != null) {
+            for (Map.Entry<String, String> header : headers.entrySet()) {
+                requestBuilder.addHeader(header.getKey(), header.getValue());
+            }
+        }
+
+        Request request = requestBuilder.build();
+        OkHttpClient.Builder clientBuilder = client.newBuilder();
+
+        // 如果设置了代理
+        if (proxyConfig != null) {
+            clientBuilder.proxy(proxyConfig.getProxy());
+            if (proxyConfig.getUsername() != null && proxyConfig.getPassword() != null) {
+                clientBuilder.proxyAuthenticator(proxyConfig.getAuthenticator());
+            }
+        }
+
+        return clientBuilder.build().newCall(request).execute();
+    }
+
+    public static Response post(String url, Map<String, String> headers, RequestBody body, ProxyConfig proxyConfig) throws IOException {
+        Request.Builder requestBuilder = new Request.Builder().url(url).post(body);
+
+        // 添加请求头
+        if (headers != null) {
+            for (Map.Entry<String, String> header : headers.entrySet()) {
+                requestBuilder.addHeader(header.getKey(), header.getValue());
+            }
+        }
+
+        Request request = requestBuilder.build();
+        OkHttpClient.Builder clientBuilder = client.newBuilder();
+
+        // 如果设置了代理
+        if (proxyConfig != null) {
+            clientBuilder.proxy(proxyConfig.getProxy());
+            if (proxyConfig.getUsername() != null && proxyConfig.getPassword() != null) {
+                clientBuilder.proxyAuthenticator(proxyConfig.getAuthenticator());
+            }
+        }
+
+        return clientBuilder.build().newCall(request).execute();
+    }
+
+    public static Response post(String url, Map<String, String> headers, InputStream inputStream, MediaType mediaType, ProxyConfig proxyConfig) throws IOException {
+        RequestBody requestBody = createRequestBodyFromStream(inputStream, mediaType);
+        return post(url, headers, requestBody, proxyConfig);
+    }
+
+    public static RequestBody createRequestBodyFromStream(final InputStream inputStream, final MediaType mediaType) {
+        return new RequestBody() {
+            @Override
+            public MediaType contentType() {
+                return mediaType;
+            }
+
+            @Override
+            public long contentLength() {
+                try {
+                    return inputStream.available();
+                } catch (IOException e) {
+                    return 0;
+                }
+            }
+
+            @Override
+            public void writeTo(BufferedSink sink) throws IOException {
+                sink.writeAll(okio.Okio.source(inputStream));
+            }
+        };
+    }
+
+    // 代理配置类
+    public static class ProxyConfig {
+        private final Proxy proxy;
+        private final String username;
+        private final String password;
+
+        public ProxyConfig(Proxy.Type type, String hostname, int port, String username, String password) {
+            this.proxy = new Proxy(type, new InetSocketAddress(hostname, port));
+            this.username = username;
+            this.password = password;
+        }
+
+        public Proxy getProxy() {
+            return proxy;
+        }
+
+        public String getUsername() {
+            return username;
+        }
+
+        public String getPassword() {
+            return password;
+        }
+
+        public Authenticator getAuthenticator() {
+            return new Authenticator() {
+                @Override
+                public Request authenticate(Route route, Response response) throws IOException {
+                    String credential = Credentials.basic(username, password);
+                    return response.request().newBuilder().header("Proxy-Authorization", credential).build();
+                }
+            };
+        }
+    }
+}

src/main/java/Util/RandomStringGenerator.java

@@ -0,0 +1,31 @@
+package Util;
+
+import java.util.Random;
+
+public class RandomStringGenerator {
+
+    private static final String CHAR_SET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+    private static final String LETTER_SET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+    private static final Random random = new Random();
+
+    public static String generateRandomString(int length) {
+        if (length <= 0) {
+            return "";
+        }
+
+        StringBuilder result = new StringBuilder(length);
+
+        // 为第一个字符选择一个字母
+        int randomIndex = random.nextInt(LETTER_SET.length());
+        result.append(LETTER_SET.charAt(randomIndex));
+
+        // 为剩余的字符选择随机字符
+        for (int i = 1; i < length; i++) {
+            randomIndex = random.nextInt(CHAR_SET.length());
+            result.append(CHAR_SET.charAt(randomIndex));
+        }
+
+        return result.toString();
+    }
+
+}

src/main/java/Util/TextFieldPlaceholderHelper.java

@@ -0,0 +1,33 @@
+package Util;
+
+
+import javax.swing.*;
+import java.awt.*;
+import java.awt.event.FocusAdapter;
+import java.awt.event.FocusEvent;
+
+public class TextFieldPlaceholderHelper {
+
+    public static void setPlaceholder(JTextField textField, String placeholder) {
+        textField.setText(placeholder);
+        textField.setForeground(Color.GRAY);
+
+        textField.addFocusListener(new FocusAdapter() {
+            @Override
+            public void focusGained(FocusEvent e) {
+                if (textField.getText().equals(placeholder)) {
+                    textField.setText("");
+                    textField.setForeground(Color.BLACK);
+                }
+            }
+
+            @Override
+            public void focusLost(FocusEvent e) {
+                if (textField.getText().isEmpty()) {
+                    textField.setText(placeholder);
+                    textField.setForeground(Color.GRAY);
+                }
+            }
+        });
+    }
+}