feat: support BigInteger packer

Wans · ReaJason · commit df47f2ed023e · 2025-08-25T19:25:54.000+08:00
diff --git a/integration-test/src/test/java/com/reajason/javaweb/integration/ShellAssertion.java b/integration-test/src/test/java/com/reajason/javaweb/integration/ShellAssertion.java
@@ -355,6 +355,7 @@ public static void injectIsOk(String url, String shellType, ShellTool shellTool,
             case Hessian2Deserialize -> VulTool.postIsOk(url + "/hessian2", content);
             case XMLDecoderScriptEngine, XMLDecoderDefineClass -> VulTool.postIsOk(url + "/xmlDecoder", content);
             case Base64 -> VulTool.postIsOk(url + "/b64", content);
+            case BigInteger -> VulTool.postIsOk(url + "/biginteger", content);
             case XxlJob -> VulTool.xxlJobExecutor(url + "/run", content);
             case H2, H2JS, H2Javac -> VulTool.postIsOk(url + "/jdbc", content);
             default -> throw new IllegalStateException("Unexpected value: " + packer);
diff --git a/integration-test/src/test/java/com/reajason/javaweb/integration/memshell/tomcat/Tomcat10ContainerTest.java b/integration-test/src/test/java/com/reajason/javaweb/integration/memshell/tomcat/Tomcat10ContainerTest.java
@@ -60,7 +60,7 @@ static Stream<Arguments> casesProvider() {
                 ShellType.AGENT_FILTER_CHAIN,
                 ShellType.CATALINA_AGENT_CONTEXT_VALVE
         );
-        List<Packers> testPackers = List.of(Packers.JSP, Packers.JSPX, Packers.JavaDeserialize, Packers.AgentJarWithJREAttacher);
+        List<Packers> testPackers = List.of(Packers.JSP, Packers.JSPX, Packers.JavaDeserialize, Packers.AgentJarWithJREAttacher, Packers.BigInteger);
         return TestCasesProvider.getTestCases(imageName, server, supportedShellTypes, testPackers, null, List.of(ShellTool.AntSword));
     }
 
diff --git a/integration-test/src/test/java/com/reajason/javaweb/integration/memshell/tomcat/Tomcat11ContainerTest.java b/integration-test/src/test/java/com/reajason/javaweb/integration/memshell/tomcat/Tomcat11ContainerTest.java
@@ -61,7 +61,7 @@ static Stream<Arguments> casesProvider() {
                 ShellType.AGENT_FILTER_CHAIN,
                 ShellType.CATALINA_AGENT_CONTEXT_VALVE
         );
-        List<Packers> testPackers = List.of(Packers.JSP, Packers.DefineClassJSP, Packers.JSPX, Packers.AgentJarWithJREAttacher);
+        List<Packers> testPackers = List.of(Packers.JSP, Packers.DefineClassJSP, Packers.JSPX, Packers.AgentJarWithJREAttacher, Packers.BigInteger);
         return TestCasesProvider.getTestCases(imageName, server, supportedShellTypes, testPackers, null, List.of(ShellTool.AntSword));
     }
 
diff --git a/integration-test/src/test/java/com/reajason/javaweb/integration/memshell/tomcat/Tomcat11JRE21ContainerTest.java b/integration-test/src/test/java/com/reajason/javaweb/integration/memshell/tomcat/Tomcat11JRE21ContainerTest.java
@@ -62,7 +62,7 @@ static Stream<Arguments> casesProvider() {
                 ShellType.AGENT_FILTER_CHAIN,
                 ShellType.CATALINA_AGENT_CONTEXT_VALVE
         );
-        List<Packers> testPackers = List.of(Packers.JSP, Packers.JSPX, Packers.AgentJarWithJREAttacher);
+        List<Packers> testPackers = List.of(Packers.JSP, Packers.JSPX, Packers.AgentJarWithJREAttacher, Packers.BigInteger);
         return TestCasesProvider.getTestCases(imageName, server, supportedShellTypes, testPackers, null, List.of(ShellTool.AntSword));
     }
 
diff --git a/integration-test/src/test/java/com/reajason/javaweb/integration/memshell/tomcat/Tomcat5ContainerTest.java b/integration-test/src/test/java/com/reajason/javaweb/integration/memshell/tomcat/Tomcat5ContainerTest.java
@@ -61,7 +61,7 @@ static Stream<Arguments> casesProvider() {
                 ShellType.AGENT_FILTER_CHAIN,
                 ShellType.CATALINA_AGENT_CONTEXT_VALVE
         );
-        List<Packers> testPackers = List.of(Packers.JSP, Packers.DefineClassJSP, Packers.JavaDeserialize, Packers.AgentJarWithJDKAttacher);
+        List<Packers> testPackers = List.of(Packers.JSP, Packers.DefineClassJSP, Packers.JavaDeserialize, Packers.AgentJarWithJDKAttacher, Packers.BigInteger);
         return TestCasesProvider.getTestCases(imageName, server, supportedShellTypes, testPackers);
     }
 
diff --git a/integration-test/src/test/java/com/reajason/javaweb/integration/memshell/tomcat/Tomcat6ContainerTest.java b/integration-test/src/test/java/com/reajason/javaweb/integration/memshell/tomcat/Tomcat6ContainerTest.java
@@ -59,7 +59,7 @@ static Stream<Arguments> casesProvider() {
                 ShellType.AGENT_FILTER_CHAIN,
                 ShellType.CATALINA_AGENT_CONTEXT_VALVE
         );
-        List<Packers> testPackers = List.of(Packers.JSP, Packers.JSPX, Packers.JavaDeserialize, Packers.AgentJarWithJDKAttacher);
+        List<Packers> testPackers = List.of(Packers.JSP, Packers.JSPX, Packers.JavaDeserialize, Packers.AgentJarWithJDKAttacher, Packers.BigInteger);
         return TestCasesProvider.getTestCases(imageName, server, supportedShellTypes, testPackers);
     }
 
diff --git a/integration-test/src/test/java/com/reajason/javaweb/integration/memshell/tomcat/Tomcat7ContainerTest.java b/integration-test/src/test/java/com/reajason/javaweb/integration/memshell/tomcat/Tomcat7ContainerTest.java
@@ -60,7 +60,7 @@ static Stream<Arguments> casesProvider() {
                 ShellType.AGENT_FILTER_CHAIN,
                 ShellType.CATALINA_AGENT_CONTEXT_VALVE
         );
-        List<Packers> testPackers = List.of(Packers.JSP, Packers.JSPX, Packers.JavaDeserialize, Packers.AgentJarWithJREAttacher);
+        List<Packers> testPackers = List.of(Packers.JSP, Packers.JSPX, Packers.JavaDeserialize, Packers.AgentJarWithJREAttacher, Packers.BigInteger);
         return TestCasesProvider.getTestCases(imageName, server, supportedShellTypes, testPackers);
     }
 
diff --git a/integration-test/src/test/java/com/reajason/javaweb/integration/memshell/tomcat/Tomcat8ContainerTest.java b/integration-test/src/test/java/com/reajason/javaweb/integration/memshell/tomcat/Tomcat8ContainerTest.java
@@ -62,7 +62,7 @@ static Stream<Arguments> casesProvider() {
                 ShellType.WEBSOCKET,
                 ShellType.AGENT_FILTER_CHAIN,
                 ShellType.CATALINA_AGENT_CONTEXT_VALVE);
-        List<Packers> testPackers = List.of(Packers.ClassLoaderJSP, Packers.DefineClassJSP, Packers.JSPX, Packers.JavaDeserialize, Packers.AgentJarWithJREAttacher);
+        List<Packers> testPackers = List.of(Packers.ClassLoaderJSP, Packers.DefineClassJSP, Packers.JSPX, Packers.JavaDeserialize, Packers.AgentJarWithJREAttacher, Packers.BigInteger);
         return TestCasesProvider.getTestCases(imageName, server, supportedShellTypes, testPackers);
     }
 
diff --git a/integration-test/src/test/java/com/reajason/javaweb/integration/memshell/tomcat/Tomcat9ContainerTest.java b/integration-test/src/test/java/com/reajason/javaweb/integration/memshell/tomcat/Tomcat9ContainerTest.java
@@ -60,7 +60,7 @@ static Stream<Arguments> casesProvider() {
                 ShellType.AGENT_FILTER_CHAIN,
                 ShellType.CATALINA_AGENT_CONTEXT_VALVE
         );
-        List<Packers> testPackers = List.of(Packers.JSP, Packers.JSPX, Packers.JavaDeserialize, Packers.AgentJarWithJREAttacher);
+        List<Packers> testPackers = List.of(Packers.JSP, Packers.JSPX, Packers.JavaDeserialize, Packers.AgentJarWithJREAttacher, Packers.BigInteger);
         return TestCasesProvider.getTestCases(imageName, server, supportedShellTypes, testPackers);
     }
 
diff --git a/packer/src/main/java/com/reajason/javaweb/packer/BigIntegerPacker.java b/packer/src/main/java/com/reajason/javaweb/packer/BigIntegerPacker.java
@@ -0,0 +1,13 @@
+package com.reajason.javaweb.packer;
+
+import lombok.SneakyThrows;
+
+import java.math.BigInteger;
+
+public class BigIntegerPacker implements Packer {
+    @Override
+    @SneakyThrows
+    public String pack(ClassPackerConfig config) {
+        return new BigInteger(config.getClassBytes()).toString(36);
+    }
+}
diff --git a/packer/src/main/java/com/reajason/javaweb/packer/Packers.java b/packer/src/main/java/com/reajason/javaweb/packer/Packers.java
@@ -65,6 +65,11 @@ public enum Packers {
 
     Jar(new DefaultJarPacker()),
 
+    /**
+     * BigInteger
+     */
+    BigInteger(new BigIntegerPacker()),
+
     /**
      * BCEL
      */
diff --git a/vul/vul-webapp-jakarta/src/main/java/jakarta/BigIntegerClassLaoderServlet.java b/vul/vul-webapp-jakarta/src/main/java/jakarta/BigIntegerClassLaoderServlet.java
@@ -0,0 +1,51 @@
+package jakarta;
+
+import jakarta.servlet.*;
+
+import java.io.IOException;
+
+/**
+ * @author Wans
+ * @since 2025/08/25
+ */
+public class BigIntegerClassLaoderServlet extends ClassLoader implements Servlet {
+
+    @Override
+    public void init(ServletConfig config) throws ServletException {
+
+    }
+
+    @Override
+    public ServletConfig getServletConfig() {
+        return null;
+    }
+
+    @Override
+    public void service(ServletRequest req, ServletResponse res) throws ServletException, IOException {
+        String data = req.getParameter("data");
+        try {
+            byte[] bytes = decodeBigInteger(data);
+            Object obj = defineClass(null, bytes, 0, bytes.length).newInstance();
+            res.getWriter().print(obj);
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    static byte[] decodeBigInteger(String bigIntegerStr) throws Exception {
+        Class<?> decoderClass = Class.forName("java.math.BigInteger");
+        java.lang.reflect.Constructor<?> ctor = decoderClass.getConstructor(String.class, int.class);
+        Object bigInt = ctor.newInstance(bigIntegerStr, 36);
+        return (byte[]) decoderClass.getMethod("toByteArray").invoke(bigInt);
+    }
+
+    @Override
+    public String getServletInfo() {
+        return "";
+    }
+
+    @Override
+    public void destroy() {
+
+    }
+}
diff --git a/vul/vul-webapp-jakarta/src/main/webapp/WEB-INF/web.xml b/vul/vul-webapp-jakarta/src/main/webapp/WEB-INF/web.xml
@@ -45,6 +45,15 @@
         <url-pattern>/b64</url-pattern>
     </servlet-mapping>
 
+    <servlet>
+        <servlet-name>biginteger</servlet-name>
+        <servlet-class>jakarta.BigIntegerClassLaoderServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>biginteger</servlet-name>
+        <url-pattern>/biginteger</url-pattern>
+    </servlet-mapping>
+
     <servlet>
         <servlet-name>js</servlet-name>
         <servlet-class>jakarta.ScriptEngineServlet</servlet-class>
diff --git a/vul/vul-webapp/src/main/java/BigIntegerClassLaoderServlet.java b/vul/vul-webapp/src/main/java/BigIntegerClassLaoderServlet.java
@@ -0,0 +1,48 @@
+import javax.servlet.*;
+import java.io.IOException;
+
+/**
+ * @author Wans
+ * @since 2025/08/25
+ */
+public class BigIntegerClassLaoderServlet extends ClassLoader implements Servlet {
+
+    @Override
+    public void init(ServletConfig config) throws ServletException {
+
+    }
+
+    @Override
+    public ServletConfig getServletConfig() {
+        return null;
+    }
+
+    @Override
+    public void service(ServletRequest req, ServletResponse res) throws ServletException, IOException {
+        String data = req.getParameter("data");
+        try {
+            byte[] bytes = decodeBigInteger(data);
+            Object obj = defineClass(null, bytes, 0, bytes.length).newInstance();
+            res.getWriter().print(obj);
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    static byte[] decodeBigInteger(String bigIntegerStr) throws Exception {
+        Class<?> decoderClass = Class.forName("java.math.BigInteger");
+        java.lang.reflect.Constructor<?> ctor = decoderClass.getConstructor(String.class, int.class);
+        Object bigInt = ctor.newInstance(bigIntegerStr, 36);
+        return (byte[]) decoderClass.getMethod("toByteArray").invoke(bigInt);
+    }
+
+    @Override
+    public String getServletInfo() {
+        return "";
+    }
+
+    @Override
+    public void destroy() {
+
+    }
+}
diff --git a/vul/vul-webapp/src/main/webapp/WEB-INF/web.xml b/vul/vul-webapp/src/main/webapp/WEB-INF/web.xml
@@ -55,6 +55,16 @@
         <url-pattern>/b64</url-pattern>
     </servlet-mapping>
 
+    <!-- 用于测试 Java 反序列化 -->
+    <servlet>
+        <servlet-name>biginteger</servlet-name>
+        <servlet-class>BigIntegerClassLaoderServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>biginteger</servlet-name>
+        <url-pattern>/biginteger</url-pattern>
+    </servlet-mapping>
+
     <filter>
         <filter-name>godzilla</filter-name>
         <filter-class>EmptyFilter</filter-class>

Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,7 @@ static Stream<Arguments> casesProvider() {`
`60`	`60`	`ShellType.AGENT_FILTER_CHAIN,`
`61`	`61`	`ShellType.CATALINA_AGENT_CONTEXT_VALVE`
`62`	`62`	`);`
`63`		`- List<Packers> testPackers = List.of(Packers.JSP, Packers.JSPX, Packers.JavaDeserialize, Packers.AgentJarWithJREAttacher);`
	`63`	`+ List<Packers> testPackers = List.of(Packers.JSP, Packers.JSPX, Packers.JavaDeserialize, Packers.AgentJarWithJREAttacher, Packers.BigInteger);`
`64`	`64`	`return TestCasesProvider.getTestCases(imageName, server, supportedShellTypes, testPackers, null, List.of(ShellTool.AntSword));`
`65`	`65`	`}`
`66`	`66`
Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ static Stream<Arguments> casesProvider() {`
`61`	`61`	`ShellType.AGENT_FILTER_CHAIN,`
`62`	`62`	`ShellType.CATALINA_AGENT_CONTEXT_VALVE`
`63`	`63`	`);`
`64`		`- List<Packers> testPackers = List.of(Packers.JSP, Packers.DefineClassJSP, Packers.JSPX, Packers.AgentJarWithJREAttacher);`
	`64`	`+ List<Packers> testPackers = List.of(Packers.JSP, Packers.DefineClassJSP, Packers.JSPX, Packers.AgentJarWithJREAttacher, Packers.BigInteger);`
`65`	`65`	`return TestCasesProvider.getTestCases(imageName, server, supportedShellTypes, testPackers, null, List.of(ShellTool.AntSword));`
`66`	`66`	`}`
`67`	`67`
Original file line number	Diff line number	Diff line change
`@@ -62,7 +62,7 @@ static Stream<Arguments> casesProvider() {`
`62`	`62`	`ShellType.AGENT_FILTER_CHAIN,`
`63`	`63`	`ShellType.CATALINA_AGENT_CONTEXT_VALVE`
`64`	`64`	`);`
`65`		`- List<Packers> testPackers = List.of(Packers.JSP, Packers.JSPX, Packers.AgentJarWithJREAttacher);`
	`65`	`+ List<Packers> testPackers = List.of(Packers.JSP, Packers.JSPX, Packers.AgentJarWithJREAttacher, Packers.BigInteger);`
`66`	`66`	`return TestCasesProvider.getTestCases(imageName, server, supportedShellTypes, testPackers, null, List.of(ShellTool.AntSword));`
`67`	`67`	`}`
`68`	`68`
Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,7 @@ static Stream<Arguments> casesProvider() {`
`59`	`59`	`ShellType.AGENT_FILTER_CHAIN,`
`60`	`60`	`ShellType.CATALINA_AGENT_CONTEXT_VALVE`
`61`	`61`	`);`
`62`		`- List<Packers> testPackers = List.of(Packers.JSP, Packers.JSPX, Packers.JavaDeserialize, Packers.AgentJarWithJDKAttacher);`
	`62`	`+ List<Packers> testPackers = List.of(Packers.JSP, Packers.JSPX, Packers.JavaDeserialize, Packers.AgentJarWithJDKAttacher, Packers.BigInteger);`
`63`	`63`	`return TestCasesProvider.getTestCases(imageName, server, supportedShellTypes, testPackers);`
`64`	`64`	`}`
`65`	`65`