Showing 9 changed files with 156 additions and 29 deletions.
@@ -0,0 +1,41 @@ | ||
## 1.1.0 | ||
|
||
更新内容: | ||
|
||
- [重要] 前端大重构和优化 @Ar3h | ||
- [重要] 提供 `docker` 一键启动命令 @Ar3h @4ra1n | ||
- [重要] 提供了从 `jar` 文件加载的简易插件系统 @Ar3h | ||
- [重要] 新增 `h2 without js` 全版本通杀链 @unam4 | ||
- [功能] 基于 `spring security` 的登录功能 @springkill @4ra1n | ||
- [功能] 新增两种 `equals` 和 `c3p0 jndi/jdbc` 链 @unam4 | ||
- [功能] `hessian` 新增 `groovy` 利用链 @Ar3h | ||
- [功能] 字节码可添加 `main` 静态入口函数 @Ar3h | ||
- [BUG] 无法正确显示 `favicon.ico` 图标问题 @xcxmiku | ||
- [优化] `server` 探测新增 `netty` 框架探测 @Ar3h | ||
- [优化] 高版本 `Oralce JDK` 可以使用 `BCEL` 相关 @4ra1n | ||
- [优化] 优化某些仅 `unix` 类型的 `gadget` 提示信息 @4ra1n | ||
- [优化] 格式化输出日志,为日志附加颜色 @springkill | ||
- [优化] 启动时检测 `java` 版本给出警告 @4ra1n | ||
- [优化] 优化拦截器逻辑 @ssrsec | ||
- [优化] 优化 `base64` 通用性 @ssrsec | ||
- [文档] 编写新版本使用文档 @ssrsec | ||
|
||
感谢以下用户的贡献: | ||
|
||
- Ar3h (https://github.com/Ar3h) | ||
- 某匿名安全研究师傅 | ||
- unam4 (https://github.com/unam4) | ||
- 小晨曦 (https://github.com/xcxmiku) | ||
- 4ra1n (https://github.com/4ra1n) | ||
- springkill (https://github.com/springkill) | ||
- 说书人 (https://github.com/ssrsec) | ||
|
||
使用 `java -jar java-chains.jar` 即可启动(仅支持 `java 8` 环境) | ||
|
||
推荐使用 `docker` 一键启动(请参考 `README` 页面) | ||
|
||
其中 `chains-config.zip` 是补充插件,解压后放在 `jar` 同级目录即可 | ||
|
||
## 1.0.0 | ||
|
||
初始开源版本 |
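Review bot: the startup line near the end of the `1.1.0` entry names the artifact `java-chains.jar` (`java -jar java-chains.jar`), while the README in this same commit tells users to run `java -jar web-chains.jar`; pick one artifact name and use it in both places. The same entry says the jar "仅支持 `java 8` 环境" (only supports a Java 8 runtime) but also lists "启动时检测 `java` 版本给出警告" (a startup Java-version warning) and BCEL support on newer Oracle JDKs, so state plainly whether running on a newer JDK is unsupported or merely warned about. Also fix the typo `Oralce JDK` → `Oracle JDK`, and since this release adds a plugin system that loads from jar files and tells users to unpack `chains-config.zip` into the directory beside the jar, say which directory the plugin loader scans so users know what code gets picked up at startup.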
@@ -1,54 +1,137 @@ | ||
# Web-Chains | ||
# web-chains | ||
|
||
详细食用文档:https://www.yuque.com/shenjingwa-leuvd/wpqdhf/eekyvau9fcblzzt0?singleDoc# | ||
![](https://img.shields.io/github/downloads/java-chains/web-chains/total) | ||
![](https://img.shields.io/github/v/release/java-chains/web-chains) | ||
|
||
`web-chains` 项目,又名 `java-chains` 项目,由 `Ar3h` 师傅主导开发,漏洞百出和代码审计星球支持 | ||
|
||
<center><img src="/img/000.png" alt=""></center> | ||
|
||
## 简介 | ||
我们站在巨人肩膀上,致力于打造最强的 `Java` 安全研究领域的瑞士军刀 | ||
|
||
web-chains 包含但不限于以下功能: | ||
![](img/001.png) | ||
|
||
- Java 反序列化Payload生成 | ||
- 支持的混淆:随机集合混淆、垃圾类插入、TC_RESET 填充、utf8 overlong encoding 混淆 | ||
- Hessian 1/2 反序列化Payload生成 | ||
## 介绍 | ||
|
||
- Hessian1 支持生成 HessianServlet 格式反序列化数据 | ||
`web-chains` 包含但不限于以下功能: | ||
|
||
- 支持的混淆:随机集合混淆、垃圾类插入、utf8 overlong encoding 混淆 | ||
- 字节码生成 | ||
- `Java` 反序列化原生 `Payload` 生成 | ||
- `Hessian` 1/2 反序列化 `Payload` 生成 | ||
- `Hessian1` 支持生成 `HessianServlet` 格式反序列化数据 | ||
- `Shiro` 数据生成(自定义 `KEY` 使用 `GCM` 混淆字符等) | ||
- `AMF3` 数据生成(基于原生数据多种进阶组合) | ||
- `XStream` 数据生成(基于原生数据多种进阶组合) | ||
- `BCEL` 字节码生成(直接执行命令,内存马生成,回显生成,探测字节码,读写文件) | ||
- `Class` 字节码生成(直接执行命令,内存马生成,回显生成,探测字节码,读写文件) | ||
- 多种数据库 `Payload` 生成(`Derby` | `H2` | `PostgreSql` | `Sqlite`) | ||
- `Fastjson/SnakeYAML/SpringBeanXML/Velocity/OGNL/MVEL/SPEL/JS/GROOVY` | ||
|
||
- 支持自定义类名 | ||
一些混淆方式: | ||
|
||
- 支持自定义字节码版本 | ||
- 随机集合混淆 | ||
- 垃圾类插入 | ||
- 去除字节码符号信息 | ||
- `TC_RESET` 填充 | ||
- `UTF-8 Overlong Encoding` 混淆 | ||
|
||
- 支持生成TemplatesImpl格式 Payload:实现 AbstractTranslet 接口 | ||
一些高级选项: | ||
|
||
- 支持生成SnakeYaml Jar 格式 Payload:实现 javax.script.ScriptEngineFactory 接口 | ||
- 自定义类名/定义字节码版本 | ||
- 选择 `Commons Beanutils` 链的多种 `comparator` 类型 | ||
- 支持生成 `TemplatesImpl` 格式 | ||
- 支持生成 `SnakeYaml Jar` 格式 | ||
- 支持生成 `Fastjson Groovy` 格式 | ||
- 支持生成 `JavaWrapper` 格式 | ||
- 支持生成 `charsets.jar` 格式 | ||
- 支持增强魔改版 `JMG/JEG` 格式 (java echo generator, java memshell generator) | ||
|
||
- 支持生成Fastjson Groovy 格式 Payload:实现 ASTTransformation 接口 | ||
- 支持生成 JavaWrapper 格式 Payload:添加 `public static void _main(String[] argv) {}` 方法 | ||
- 支持生成 charsets.jar 格式 Payload | ||
Exploit 模块: | ||
|
||
- 内置 java echo generator(Jeg)、java memshell generator(Jmg),并根据实战进行魔改 | ||
- JNDI (远程加载字节码,高版本反序列化绕过,高版本 `ref` 绕过,) | ||
- Fake Mysql Server (经典 `JDBC` 攻击必备,基于生成模块多种进阶组合) | ||
- JRMPListener / TCP Server(Derby RCE)/ HTTP Server | ||
|
||
- ... | ||
- Exploit 模块 | ||
- JNDI Exploit | ||
- Fake Mysql | ||
- JRMPListener | ||
- Tcp Server(Derby RCE) | ||
- HTTP Server | ||
使用 `Fake Mysql Server` 进行测试 | ||
|
||
![](img/002.png) | ||
|
||
正在开发中: | ||
|
||
- 一个完善的插件系统 | ||
- 更多的可用的 `gadget` 和 `payload` 生成 | ||
- 字节码混淆(方法名/隐藏方法/花指令/异或混淆等) | ||
- 多种多样的可能的输出类型指定 | ||
- 覆盖更全面的测试和报告 | ||
- 多种 `gadget` 排序方式可选 | ||
- 用户自定义偏好 `gadget` 和 `payload` 展示 | ||
- 更多功能... | ||
|
||
![image-20241102185320189](./assets/image-20241102185320189.png) | ||
## 快速开始 | ||
|
||
你可以通过 `docker` 一条命令启动 `web-chains` 项目(这也是推荐做法) | ||
|
||
```shell | ||
docker run -d \ | ||
--name web-chains \ | ||
--restart=always \ | ||
-p 8011:8011 \ | ||
-p 58080:58080 \ | ||
-p 50389:50389 \ | ||
-p 13999:13999 \ | ||
-p 3308:3308 \ | ||
-p 11527:11527 \ | ||
-p 50000:50000 \ | ||
javachains/webchains:1.1.0 | ||
``` | ||
|
||
## 更多 | ||
生成功能仅使用 `8011` 端口即可,其他端口为 `exploit` 模块使用 | ||
|
||
[![Star History Chart](https://api.star-history.com/svg?repos=Ar3h/web-chains&type=Date)](https://star-history.com/#Ar3h/web-chains&Date) | ||
请使用以下命令获得随机的强用户名密码 | ||
|
||
```shell | ||
docker logs $(docker ps | grep javachains/webchains | awk '{print $1}') | grep -E 'username|password' | ||
``` | ||
|
||
输出示例 | ||
|
||
```text | ||
11-12 06:59:53.301 INFO [main] c.a.c.w.c.SecurityConfig | | generated random username: fBTWDfwlapmq | ||
11-12 06:59:53.301 INFO [main] c.a.c.w.c.SecurityConfig | | generated random password: XSsWerJFGcCjB8FU | ||
``` | ||
|
||
访问 `http://your-ip:8011` 即可(使用这里的用户名密码登录) | ||
|
||
你也可以直接使用 `jar` 版本,使用 `java -jar web-chains.jar` 即可启动(推荐使用 `docker` 方式) | ||
|
||
**特别注意:我们只对 8011 端口进行了保护,需要登陆后访问,其他端口可能存在被反制的风险,请自行注意** | ||
|
||
## 参考和致谢 | ||
|
||
仅支持个人研究学习,切勿用于非法犯罪活动。 | ||
|
||
本项目的开发者、提供者和维护者不对使用者使用工具的行为和后果负责,工具的使用者应自行承担风险。 | ||
|
||
[更新日志 | CHANGELOG](CHANGELOG.md) | ||
|
||
一些参考文档:https://java-chains.yuque.com/org-wiki-java-chains-woznyq/evwydq/tu2n6ycvlasvcw19 | ||
|
||
参考致谢: | ||
|
||
- https://github.com/wh1t3p1g/ysomap | ||
- https://github.com/qi4L/JYso | ||
- https://github.com/X1r0z/JNDIMap | ||
- https://github.com/Whoopsunix/PPPYSO | ||
- https://github.com/4ra1n/mysql-fake-server | ||
- https://github.com/mbechler/marshalsec | ||
- https://github.com/frohoff/ysoserial | ||
- https://github.com/H4cking2theGate/ysogate | ||
- https://github.com/Bl0omZ/JNDIEXP | ||
- https://github.com/kezibei/Urldns | ||
- https://github.com/rebeyond/JNDInjector | ||
- https://github.dev/LxxxSec/CTF-Java-Gadget | ||
- https://xz.aliyun.com/t/5381 | ||
- http://rui0.cn/archives/1408 | ||
|
||
## Star History | ||
|
||
[![Star History Chart](https://api.star-history.com/svg?repos=java-chains/web-chains&type=Date)](https://star-history.com/#java-chains/web-chains&Date) |
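Review bot: the recommended `docker run` command publishes all seven ports, including the exploit-module listeners (`58080`, `50389`, `13999`, `3308`, `11527`, `50000`), on every host interface, while the warning further down says only `8011` is login-protected and the other ports "可能存在被反制的风险" (may be counter-exploited by the target); bind those listeners to localhost by default, e.g. `-p 127.0.0.1:50389:50389`, or drop them from the quick-start and tell users to publish them only while a test is running, and reconsider `--restart=always` for listeners that are meant to be short-lived. The credential lookup `docker logs $(docker ps | grep javachains/webchains | awk '{print $1}') | grep -E 'username|password'` is fragile (it breaks with more than one container from that image and with `docker ps` column changes); since the container is started with `--name web-chains`, `docker logs web-chains 2>&1 | grep -E 'username|password'` does the same job. Minor: the JNDI bullet ends with a stray comma before the closing parenthesis (`高版本 \`ref\` 绕过,)`).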
File renamed without changes.
@@ -0,0 +1,3 @@ | ||
## README | ||
|
||
历史的一些脚本,弃用,但保留备份 |
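Review bot: name the scripts this directory keeps and what superseded them (the new `docker` launch or the jar?); "历史的一些脚本,弃用,但保留备份" (old scripts, deprecated, kept as backup) gives the next reader no way to decide whether the backups are still needed or safe to delete.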
@@ -3,7 +3,7 @@ version: '3' | |
|
||
services: | ||
web-chains: | ||
build: . | ||
build: .. | ||
ports: | ||
- "8011:8011" | ||
volumes: | ||
|
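Review bot: `build: .` → `build: ..` means this compose file now lives one directory below the Dockerfile and must be run from that subdirectory (or via `-f`); say so in the README, which only documents the `docker run` path. The compose service also publishes only `8011:8011`, whereas the README's `docker run` publishes the six exploit-module ports as well; the compose form is the safer default given the README's own note that only `8011` is login-protected, but the two launch paths should be documented as intentionally different rather than left to drift.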