中文 | English
The Web-Chains project, also known as the Java-Chains project, stands on the shoulders of giants and is committed to
building the Swiss Army knife of the strongest Java security research
'Web-Chains' consists of six modules:
Generate: Generate modulesJavadeserialization native 'Payload' generationHessian1/2deserializes 'Payload' generationHessian1supports generating deserialized data inHessianServletformatShirodata generation (custom 'KEY', use 'GCM' to obfuscate characters, etc.)AMF3data generation (multiple advanced combinations based on native data)XStreamdata generation (multiple advanced combinations based on native data)BCELbytecode generation (direct command execution, memory horse generation, echo generation, probe bytecode, read and write files)Classbytecode generation (direct command execution, memory horse generation, echo generation, probe bytecode, read and write files)- Multiple databases JDBC Payload are generated(
Derby|H2|PostgreSql|Sqlite) SnakeYAML/SpringBeanXML/Velocity/OGNL/MVEL/SPEL/JS/GROOVY- Java deserialization and Hessian deserialization support the following obfuscation methods:
- Random set obfuscation
- Garbage class insertion
- Removed bytecode symbol information
TC_RESETpadding, which is only available for Java deserializationUTF-8 Overlong Encodingobfuscation
- Some advanced options:
- Customize the class name/define the bytecode version. Support bytecode obfuscation using Class-Obf
- Select multiple
comparatortypes for theCommons Beanutilschain - Support for generating
TemplatesImplformat - Support for generating
SnakeYaml Jarformat - Support for generating
Fastjson Groovyformat - Support for generating
JavaWrapperformat - Support for generating
charsets.jarformat - Support enhanced magic modification
JMG/JEGformat (java echo generator, java memshell generator)
JNDI: JNDI Injection Utilization ModuleJndiBasicPayload: LDAP remotely loads bytecodeJndiDeserializationPayload: Exploit posture for deserialization based on the javaSerializedData field in LDAPJndiResourceRefPayload: LDAP is based on BeanFactory's Tomcat EL, Groovy, etc. utilizationJndiReferencePayload: LDAP is based on other ObjectFactory Reference exploits, such as various DataSource JDBC exploitsJndiRMIDeserializePayload: Later versions of the JDK bypass RMI deserializationJndiRefBypassPayload: LDAP later version JDK bypassesJndiShowHandPayload: JNDI show hand chain, one-click test routine utilization chain, improve testing efficiency
Fake MySQLFakeMysqlPayload: Classic MySQL JDBC deserialization leverages posesFakeMysqlShowHandPayload: FakeMySQL show hand chain, one-click test of conventional deserialization chain, improve testing efficiency
JRMPListener- It can be used with the JRMPClient deserialization chain
TCP Server- A simple TCP server that can mount the generated Payload file to the TCP port service
- It is suitable for
derbydeserialization RCE scenarios, and can obtain deserialized data directly through the tcp port
HTTP Server- A simple HTTP server that mounts the generated Payload file to the HTTP port service
- It is suitable for scenarios such as remote loading of SpringBeanXML files by postgresql
Note: We only protect port 8011, you need to log in to access, other ports may be at risk of being countered, please pay attention to yourself
You can start the web-chains project with a docker command (this is also recommended)
docker run -d \
--name web-chains \
--restart=always \
-p 8011:8011 \
-p 58080:58080 \
-p 50389:50389 \
-p 50388:50388 \
-p 13999:13999 \
-p 3308:3308 \
-p 11527:11527 \
-p 50000:50000 \
-e CHAINS_AUTH=true \
-e CHAINS_PASS= \
javachains/webchains:1.2.4Authentication and password can be configured via environment variables:
CHAINS_AUTH: Set to true to enable authentication, false to disable it. Authentication is enabled by default.
CHAINS_PASS: Specifies the web password. If this variable is empty, a password will be generated randomly. By default, a password is generated randomly.
docker logs $(docker ps | grep javachains/webchains | awk '{print $1}') | grep -E 'password'Sample output
11-12 06:59:53.301 INFO [main] c.a.c.w.c.SecurityConfig | | password: XSsWerJFGcCjB8FU
Just visit http://your-ip:8011 (log in with your username and password here)
You can start it by using java -jar web-chains.jar. After each startup, a randomly generated password will be printed.
It listens on 0.0.0.0 by default. You can access it by visiting http://your-ip:8011 (use the username and password printed earlier to log in).
You can set the web login password via environment variables, for example:
Linux:
export CHAINS_PASS=[your_password] && java -jar web-chains.jarWindows:
set CHAINS_PASS=[your_password] && java -jar web-chains.jarDetailed Documentation: https://www.yuque.com/shenjingwa-leuvd/wpqdhf/war0zkzgzg3c4bzg
It only supports personal research and learning, and should never be used for illegal and criminal activities.
The developers, providers and maintainers of the project are not responsible for the actions and consequences of the user's use of the tool, and the user of the tool shall do so at their own risk.
Acknowledgments:
- https://github.com/wh1t3p1g/ysomap
- https://github.com/qi4L/JYso
- https://github.com/X1r0z/JNDIMap
- https://github.com/Whoopsunix/PPPYSO
- https://github.com/jar-analyzer/class-obf
- https://github.com/4ra1n/mysql-fake-server
- https://github.com/mbechler/marshalsec
- https://github.com/frohoff/ysoserial
- https://github.com/H4cking2theGate/ysogate
- https://github.com/Bl0omZ/JNDIEXP
- https://github.com/kezibei/Urldns
- https://github.com/rebeyond/JNDInjector
- https://github.dev/LxxxSec/CTF-Java-Gadget
- https://github.com/pen4uin/java-memshell-generator
- https://github.com/pen4uin/java-echo-generator
- https://xz.aliyun.com/t/5381
- http://rui0.cn/archives/1408
If you have any questions, please feel free to send issus