yso

package
v1.2.1-sp4 Latest Latest
Warning

This package is not in the latest version of its module.

Published: May 25, 2023 License: AGPL-3.0 Imports: 15 Imported by: 1

Documentation


Constants

// Class-template identifiers. Each value names one kind of generated Java
// class; presumably these are the values stored in ClassConfig.ClassType and
// the keys of the map returned by GetAllClassGenerator (confirm against the
// implementation).
//
// NOTE(review): only RuntimeExecClass is declared with the ClassType type.
// Every other name has its own expression and no type, so it is an untyped
// string constant rather than a ClassType. They still convert implicitly
// where a ClassType is expected, but they are also accepted anywhere a plain
// string is, which weakens the type check. Typing them all would be stricter
// but may break callers that use them as strings; confirm before changing.
const (
	RuntimeExecClass               ClassType = "RuntimeExecClass"
	ProcessBuilderExecClass                  = "ProcessBuilderExecClass"
	ProcessImplExecClass                     = "ProcessImplExecClass"
	DnslogClass                              = "DnslogClass"
	SpringEchoClass                          = "SpringEchoClass"
	ModifyTomcatMaxHeaderSizeClass           = "ModifyTomcatMaxHeaderSizeClass"
	EmptyClassInTemplate                     = "EmptyClassInTemplate"
	TcpReverseClass                          = "TcpReverseClass"
	TcpReverseShellClass                     = "TcpReverseShellClass"
	TomcatEchoClass                          = "TomcatEchoClass"
	BytesClass                               = "BytesClass"
	MultiEchoClass                           = "MultiEchoClass"
)
// Fully-qualified Java class names used as version markers. Per the comments
// on each group, the presence of a class is taken to indicate a library or
// JDK version range. Presumably this is the data behind GetGadgetChecklist
// and the FindGadgetByDNS probe (confirm against the implementation).
//
// NOTE(review): for defenders the same list is a set of indicators. Serialized
// input from an untrusted source that references these class names is likely a
// classpath fingerprinting attempt.
const (
	// CommonsCollections1/3/5/6/7 chains; require version <= 3.2.1.
	CC31Or321 = "org.apache.commons.collections.functors.ChainedTransformer"
	CC322     = "org.apache.commons.collections.ExtendedProperties$1"
	CC40      = "org.apache.commons.collections4.functors.ChainedTransformer"
	CC41      = "org.apache.commons.collections4.FluentIterable"
	// CommonsBeanutils2 chain; serialVersionUID differs by version:
	// 1.7x-1.8x is -3490850999041592962, 1.9x is -2044202215314119608.
	CB17  = "org.apache.commons.beanutils.MappedPropertyDescriptor$1"
	CB18x = "org.apache.commons.beanutils.DynaBeanMapDecorator$MapEntry"
	CB19x = "org.apache.commons.beanutils.BeanIntrospectionData"
	// c3p0; serialVersionUID differs by version: 0.9.2pre2-0.9.5pre8 is
	// 7387108436934414104, 0.9.5pre9-0.9.5.5 is 7387108436934414104.
	// NOTE(review): the two values as written are identical, which contradicts
	// "differs"; one of them is presumably a copy-paste slip. Confirm against
	// the library before relying on this comment.
	C3p092x = "com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase"
	C3p095x = "com.mchange.v2.c3p0.test.AlwaysFailDataSource"
	// AspectJWeaver; requires cc31.
	Ajw = "org.aspectj.weaver.tools.cache.SimpleCache"
	// bsh; serialVersionUID differs by version: 2.0b4 is 4949939576606791809,
	// 2.0b5 is 4041428789013517368; 2.0.b6 cannot be deserialized.
	Bsh20b4 = "bsh.CollectionManager$1"
	Bsh20b5 = "bsh.engine.BshScriptEngine"
	Bsh20b6 = "bsh.collection.CollectionIterator$1"
	// Groovy 1.7.0-2.4.3; serialVersionUID differs by version:
	// 2.4.x is -8137949907733646644, 2.3.x is 1228988487386910280.
	Groovy1702311 = "org.codehaus.groovy.reflection.ClassInfo$ClassInfoSet"
	Groovy24x     = "groovy.lang.Tuple2"
	Groovy244     = "org.codehaus.groovy.runtime.dgm$1170"
	// BCEL class loader (spelled "Becl" in the identifier); JDK < 8u251.
	Becl    = "com.sun.org.apache.bcel.internal.util.ClassLoader"
	Jdk7u21 = "com.sun.corba.se.impl.orbutil.ORBClassLoader"
	// JRE8u20: 7u25 <= JDK <= 8u20. Despite the name, JDK 8u20 matches as
	// well. The check is imperfect: 8u25 and JDK <= 7u21 give false positives,
	// so read it together with the Jdk7u21 result.
	JRE8u20   = "javax.swing.plaf.metal.MetalFileChooserUI$DirectoryComboBoxModel$1"
	LinuxOS   = "sun.awt.X11.AwtGraphicsConfigData"
	WindowsOS = "sun.awt.windows.WButtonPeer"
)
// Gadget chain names. They are the keys of GadgetInfoMap and the Name values
// of its entries.
//
// NOTE(review): the last three names (URLDNS, FindGadgetByDNS,
// FindClassByBomb) do not carry the GadgetName suffix the others use, and
// FindClassByBomb has no GadgetInfoMap entry.
const (
	BeanShell1GadgetName              = "BeanShell1"
	CommonsCollections1GadgetName     = "CommonsCollections1"
	CommonsCollections5GadgetName     = "CommonsCollections5"
	CommonsCollections6GadgetName     = "CommonsCollections6"
	CommonsCollections7GadgetName     = "CommonsCollections7"
	CommonsCollectionsK3GadgetName    = "CommonsCollectionsK3"
	CommonsCollectionsK4GadgetName    = "CommonsCollectionsK4"
	Groovy1GadgetName                 = "Groovy1"
	Click1GadgetName                  = "Click1"
	CommonsBeanutils1GadgetName       = "CommonsBeanutils1"
	CommonsBeanutils183NOCCGadgetName = "CommonsBeanutils183NOCC"
	CommonsBeanutils192NOCCGadgetName = "CommonsBeanutils192NOCC"
	CommonsCollections2GadgetName     = "CommonsCollections2"
	CommonsCollections3GadgetName     = "CommonsCollections3"
	CommonsCollections4GadgetName     = "CommonsCollections4"
	CommonsCollections8GadgetName     = "CommonsCollections8"
	CommonsCollectionsK1GadgetName    = "CommonsCollectionsK1"
	CommonsCollectionsK2GadgetName    = "CommonsCollectionsK2"
	JBossInterceptors1GadgetName      = "JBossInterceptors1"
	JSON1GadgetName                   = "JSON1"
	JavassistWeld1GadgetName          = "JavassistWeld1"
	Jdk7u21GadgetName                 = "Jdk7u21"
	Jdk8u20GadgetName                 = "Jdk8u20"
	URLDNS                            = "URLDNS"
	FindGadgetByDNS                   = "FindGadgetByDNS"
	FindClassByBomb                   = "FindClassByBomb"
)

Variables

// Exports is the name-to-function table this package publishes, presumably
// to an embedding script runtime (confirm with the consumer). Keys are the
// externally visible names; several differ from the Go identifier they map to
// (for example "dump" -> Dump, "GenerateDNSlogEvilClassObject" ->
// GenDnslogClassObject, "command" -> SetExecCommand).
//
// NOTE(review): the table includes generators for command-execution and
// reverse-connection classes. Any runtime that can reach Exports can reach
// those generators, so access to that runtime should be restricted
// accordingly.
var Exports = map[string]interface{}{

	// Conversion and dump helpers; each takes an interface{} value.
	"ToBytes": ToBytes,
	"ToBcel":  ToBcel,
	"ToJson":  ToJson,
	"dump":    Dump,

	// Gadget constructors; each returns (*JavaObject, error).
	"GetJavaObjectFromBytes":  GetJavaObjectFromBytes,
	"GetBeanShell1JavaObject": GetBeanShell1JavaObject,
	"GetClick1JavaObject":     GetClick1JavaObject,

	"GetCommonsBeanutils1JavaObject":       GetCommonsBeanutils1JavaObject,
	"GetCommonsBeanutils183NOCCJavaObject": GetCommonsBeanutils183NOCCJavaObject,
	"GetCommonsBeanutils192NOCCJavaObject": GetCommonsBeanutils192NOCCJavaObject,
	"GetCommonsCollections1JavaObject":     GetCommonsCollections1JavaObject,
	"GetCommonsCollections2JavaObject":     GetCommonsCollections2JavaObject,
	"GetCommonsCollections3JavaObject":     GetCommonsCollections3JavaObject,
	"GetCommonsCollections4JavaObject":     GetCommonsCollections4JavaObject,
	"GetCommonsCollections5JavaObject":     GetCommonsCollections5JavaObject,
	"GetCommonsCollections6JavaObject":     GetCommonsCollections6JavaObject,
	"GetCommonsCollections7JavaObject":     GetCommonsCollections7JavaObject,
	"GetCommonsCollections8JavaObject":     GetCommonsCollections8JavaObject,
	"GetCommonsCollectionsK1JavaObject":    GetCommonsCollectionsK1JavaObject,
	"GetCommonsCollectionsK2JavaObject":    GetCommonsCollectionsK2JavaObject,
	"GetCommonsCollectionsK3JavaObject":    GetCommonsCollectionsK3JavaObject,
	"GetCommonsCollectionsK4JavaObject":    GetCommonsCollectionsK4JavaObject,
	"GetGroovy1JavaObject":                 GetGroovy1JavaObject,
	"GetJBossInterceptors1JavaObject":      GetJBossInterceptors1JavaObject,
	"GetURLDNSJavaObject":                  GetURLDNSJavaObject,
	"GetFindGadgetByDNSJavaObject":         GetFindGadgetByDNSJavaObject,

	"GetJSON1JavaObject":          GetJSON1JavaObject,
	"GetJavassistWeld1JavaObject": GetJavassistWeld1JavaObject,
	"GetJdk7u21JavaObject":        GetJdk7u21JavaObject,
	"GetJdk8u20JavaObject":        GetJdk8u20JavaObject,

	// Enumeration helpers for the gadget constructors.
	"GetAllGadget":            GetAllGadget,
	"GetAllTemplatesGadget":   GetAllTemplatesGadget,
	"GetAllRuntimeExecGadget": GetAllRuntimeExecGadget,

	"GetGadgetNameByFun": GetGadgetNameByFun,

	"GetSimplePrincipalCollectionJavaObject": GetSimplePrincipalCollectionJavaObject,

	// Class generators; each returns (*javaclassparser.ClassObject, error).
	// Some keys use the "Generate...Evil..." spelling while the Go function
	// is named Gen...ClassObject.
	"GenerateClassObjectFromBytes":                     GenerateClassObjectFromBytes,
	"GenerateRuntimeExecEvilClassObject":               GenerateRuntimeExecEvilClassObject,
	"GenerateProcessBuilderExecEvilClassObject":        GenerateProcessBuilderExecEvilClassObject,
	"GenerateProcessImplExecEvilClassObject":           GenerateProcessImplExecEvilClassObject,
	"GenerateDNSlogEvilClassObject":                    GenDnslogClassObject,
	"GenerateSpringEchoEvilClassObject":                GenerateSpringEchoEvilClassObject,
	"GenerateModifyTomcatMaxHeaderSizeEvilClassObject": GenerateModifyTomcatMaxHeaderSizeEvilClassObject,
	"GenerateTcpReverseEvilClassObject":                GenTcpReverseClassObject,
	"GenerateTcpReverseShellEvilClassObject":           GenTcpReverseShellClassObject,
	"GenerateTomcatEchoClassObject":                    GenTomcatEchoClassObject,
	"GenerateMultiEchoClassObject":                     GenMultiEchoClassObject,

	// Everything below maps to a function returning a GenClassOptionFun,
	// i.e. an option applied to a *ClassConfig.
	"useBytesEvilClass":         SetBytesEvilClass,
	"useBytesClass":             SetClassBytes,
	"useBase64BytesClass":       SetClassBase64Bytes,
	"useTomcatEchoEvilClass":    SetTomcatEchoEvilClass,
	"useTomcatEchoTemplate":     SetClassTomcatEchoTemplate,
	"useMultiEchoEvilClass":     SetMultiEchoEvilClass,
	"useClassMultiEchoTemplate": SetClassMultiEchoTemplate,

	"useModifyTomcatMaxHeaderSizeTemplate": SetClassModifyTomcatMaxHeaderSizeTemplate,

	"useSpringEchoTemplate":   SetClassSpringEchoTemplate,
	"springHeader":            SetHeader,
	"springParam":             SetParam,
	"springRuntimeExecAction": SetExecAction,
	"springEchoBody":          SetEchoBody,

	"useDNSlogTemplate":  SetClassDnslogTemplate,
	"dnslogDomain":       SetDnslog,
	"useDNSLogEvilClass": SetDnslogEvilClass,

	"useRuntimeExecTemplate":  SetClassRuntimeExecTemplate,
	"command":                 SetExecCommand,
	"useRuntimeExecEvilClass": SetRuntimeExecEvilClass,

	"useProcessBuilderExecTemplate":  SetClassProcessBuilderExecTemplate,
	"useProcessBuilderExecEvilClass": SetProcessBuilderExecEvilClass,

	"useProcessImplExecTemplate":  SetClassProcessImplExecTemplate,
	"useProcessImplExecEvilClass": SetProcessImplExecEvilClass,

	"useTcpReverseTemplate":  SetClassTcpReverseTemplate,
	"tcpReverseHost":         SetTcpReverseHost,
	"tcpReversePort":         SetTcpReversePort,
	"tcpReverseToken":        SetTcpReverseToken,
	"useTcpReverseEvilClass": SetTcpReverseEvilClass,

	"useTcpReverseShellTemplate":  SetClassTcpReverseShellTemplate,
	"useTcpReverseShellEvilClass": SetTcpReverseShellEvilClass,

	"useConstructorExecutor":       SetConstruct,
	"evilClassName":                SetClassName,
	"obfuscationClassConstantPool": SetObfuscation,
}
// GadgetInfoMap holds the descriptive metadata for each gadget, keyed by the
// gadget name constant.
//
// SupportTemplate lines up with the constructor signatures in this package:
// entries marked true have a Get<Name>JavaObject that takes
// ...GenClassOptionFun, entries marked false have one that takes a single
// string argument.
//
// Help is empty for most entries. The non-empty Help strings are in Chinese;
// in English they read:
//   - CommonsBeanutils183NOCC / CommonsBeanutils192NOCC: uses
//     String.CASE_INSENSITIVE_ORDER as the comparator, which removes the
//     dependency on the cc chain.
//   - URLDNS: triggers a dnslog lookup through a URL object.
//   - FindGadgetByDNS: probes for classes through the URLDNS gadget and uses
//     the result to infer which gadgets apply.
//
// NOTE(review): FindClassByBomb is declared as a gadget name constant but has
// no entry here, so a lookup with that key yields a nil *GadgetInfo. Callers
// need a nil check.
var GadgetInfoMap = map[string]*GadgetInfo{
	BeanShell1GadgetName:              {Name: BeanShell1GadgetName, NameVerbose: "BeanShell1", Help: "", SupportTemplate: false},
	Click1GadgetName:                  {Name: Click1GadgetName, NameVerbose: "Click1", Help: "", SupportTemplate: true},
	CommonsBeanutils1GadgetName:       {Name: CommonsBeanutils1GadgetName, NameVerbose: "CommonsBeanutils1", Help: "", SupportTemplate: true},
	CommonsBeanutils183NOCCGadgetName: {Name: CommonsBeanutils183NOCCGadgetName, NameVerbose: "CommonsBeanutils183NOCC", Help: "使用String.CASE_INSENSITIVE_ORDER作为comparator,去除了cc链的依赖", SupportTemplate: true},
	CommonsBeanutils192NOCCGadgetName: {Name: CommonsBeanutils192NOCCGadgetName, NameVerbose: "CommonsBeanutils192NOCC", Help: "使用String.CASE_INSENSITIVE_ORDER作为comparator,去除了cc链的依赖", SupportTemplate: true},
	CommonsCollections1GadgetName:     {Name: CommonsCollections1GadgetName, NameVerbose: "CommonsCollections1", Help: "", SupportTemplate: false},
	CommonsCollections2GadgetName:     {Name: CommonsCollections2GadgetName, NameVerbose: "CommonsCollections2", Help: "", SupportTemplate: true},
	CommonsCollections3GadgetName:     {Name: CommonsCollections3GadgetName, NameVerbose: "CommonsCollections3", Help: "", SupportTemplate: true},
	CommonsCollections4GadgetName:     {Name: CommonsCollections4GadgetName, NameVerbose: "CommonsCollections4", Help: "", SupportTemplate: true},
	CommonsCollections5GadgetName:     {Name: CommonsCollections5GadgetName, NameVerbose: "CommonsCollections5", Help: "", SupportTemplate: false},
	CommonsCollections6GadgetName:     {Name: CommonsCollections6GadgetName, NameVerbose: "CommonsCollections6", Help: "", SupportTemplate: false},
	CommonsCollections7GadgetName:     {Name: CommonsCollections7GadgetName, NameVerbose: "CommonsCollections7", Help: "", SupportTemplate: false},
	CommonsCollections8GadgetName:     {Name: CommonsCollections8GadgetName, NameVerbose: "CommonsCollections8", Help: "", SupportTemplate: true},
	CommonsCollectionsK1GadgetName:    {Name: CommonsCollectionsK1GadgetName, NameVerbose: "CommonsCollectionsK1", Help: "", SupportTemplate: true},
	CommonsCollectionsK2GadgetName:    {Name: CommonsCollectionsK2GadgetName, NameVerbose: "CommonsCollectionsK2", Help: "", SupportTemplate: true},
	CommonsCollectionsK3GadgetName:    {Name: CommonsCollectionsK3GadgetName, NameVerbose: "CommonsCollectionsK3", Help: "", SupportTemplate: false},
	CommonsCollectionsK4GadgetName:    {Name: CommonsCollectionsK4GadgetName, NameVerbose: "CommonsCollectionsK4", Help: "", SupportTemplate: false},
	Groovy1GadgetName:                 {Name: Groovy1GadgetName, NameVerbose: "Groovy1", Help: "", SupportTemplate: false},
	JBossInterceptors1GadgetName:      {Name: JBossInterceptors1GadgetName, NameVerbose: "JBossInterceptors1", Help: "", SupportTemplate: true},
	JSON1GadgetName:                   {Name: JSON1GadgetName, NameVerbose: "JSON1", Help: "", SupportTemplate: true},
	JavassistWeld1GadgetName:          {Name: JavassistWeld1GadgetName, NameVerbose: "JavassistWeld1", Help: "", SupportTemplate: true},
	Jdk7u21GadgetName:                 {Name: Jdk7u21GadgetName, NameVerbose: "Jdk7u21", Help: "", SupportTemplate: true},
	Jdk8u20GadgetName:                 {Name: Jdk8u20GadgetName, NameVerbose: "Jdk8u20", Help: "", SupportTemplate: true},
	URLDNS:                            {Name: URLDNS, NameVerbose: URLDNS, Help: "通过URL对象触发dnslog", SupportTemplate: false},
	FindGadgetByDNS:                   {Name: FindGadgetByDNS, NameVerbose: FindGadgetByDNS, Help: "通过URLDNS这个gadget探测class,进而判断gadget", SupportTemplate: false},
}
// LDAPExports is a second name-to-function table, publishing the two LDAP
// server constructors from the ldapserver package.
//
// NOTE(review): these presumably start a network listener. The bind address
// and default port are defined in ldapserver and are not visible here;
// confirm them before exposing this table to a less-trusted runtime.
var LDAPExports = map[string]interface{}{
	"NewLdapServer":         ldapserver.NewLdapServer,
	"NewLdapServerWithPort": ldapserver.NewLdapServerWithPort,
}

Functions

func AllCmdWrapper

func AllCmdWrapper(cmd string) []string

func BashCmdWrapper

func BashCmdWrapper(cmd string) string

func ClojureCmdWrapper

func ClojureCmdWrapper(cmd string) string

func CreateTemplateByClassObject

func CreateTemplateByClassObject(class *javaclassparser.ClassObject) *yserx.JavaObject

func Dump

func Dump(i interface{}) (string, error)

func GenDnslogClassObject

func GenDnslogClassObject(domain string, options ...GenClassOptionFun) (*javaclassparser.ClassObject, error)

dnslog生成

func GenEmptyClassInTemplateClassObject

func GenEmptyClassInTemplateClassObject(options ...GenClassOptionFun) (*javaclassparser.ClassObject, error)

空类生成(用于template)

func GenMultiEchoClassObject

func GenMultiEchoClassObject(options ...GenClassOptionFun) (*javaclassparser.ClassObject, error)

func GenTcpReverseClassObject

func GenTcpReverseClassObject(host string, port int, options ...GenClassOptionFun) (*javaclassparser.ClassObject, error)

func GenTcpReverseShellClassObject

func GenTcpReverseShellClassObject(host string, port int, options ...GenClassOptionFun) (*javaclassparser.ClassObject, error)

func GenTomcatEchoClassObject

func GenTomcatEchoClassObject(options ...GenClassOptionFun) (*javaclassparser.ClassObject, error)

func GenerateClassObjectFromBytes

func GenerateClassObjectFromBytes(bytes []byte, options ...GenClassOptionFun) (*javaclassparser.ClassObject, error)

func GenerateModifyTomcatMaxHeaderSizeEvilClassObject

func GenerateModifyTomcatMaxHeaderSizeEvilClassObject(options ...GenClassOptionFun) (*javaclassparser.ClassObject, error)

func GenerateProcessBuilderExecEvilClassObject

func GenerateProcessBuilderExecEvilClassObject(cmd string, options ...GenClassOptionFun) (*javaclassparser.ClassObject, error)

func GenerateProcessImplExecEvilClassObject

func GenerateProcessImplExecEvilClassObject(cmd string, options ...GenClassOptionFun) (*javaclassparser.ClassObject, error)

func GenerateRuntimeExecEvilClassObject

func GenerateRuntimeExecEvilClassObject(cmd string, options ...GenClassOptionFun) (*javaclassparser.ClassObject, error)

func GenerateSpringEchoEvilClassObject

func GenerateSpringEchoEvilClassObject(options ...GenClassOptionFun) (*javaclassparser.ClassObject, error)

spring生成

func GenerateTemplates

func GenerateTemplates(cmd string) []*yserx.JavaObject

func GetAllClassGenerator

func GetAllClassGenerator() map[ClassType]*ClassPayload

func GetAllGadget

func GetAllGadget() []interface{}

func GetGadgetChecklist

func GetGadgetChecklist() map[string]string

func GetGadgetNameByFun

func GetGadgetNameByFun(i interface{}) (string, error)

func IndexFromBytes

func IndexFromBytes(byt []byte, sub interface{}) int

func JavaSerializableObjectDumper

func JavaSerializableObjectDumper(javaObject *JavaObject) (string, error)

func PerlCmdWrapper

func PerlCmdWrapper(cmd string) string

func PowerShellCmdWrapper

func PowerShellCmdWrapper(cmd string) string

func PythonCmdWrapper

func PythonCmdWrapper(cmd string) string

func RepClassName

func RepClassName(echoTmplClass []byte, oldN string, newN string) []byte

func RepCmd

func RepCmd(echoTmplClass []byte, zw string, cmd string) []byte

func ReplaceClassNameInJavaSerilizable

func ReplaceClassNameInJavaSerilizable(objSer yserx.JavaSerializable, old string, new string, times int) error

ReplaceClassNameInJavaSerilizable 这个 ClassName 指的是要探测的目标 jar 包里是否存在该 ClassName

func ReplaceStringInJavaSerilizable

func ReplaceStringInJavaSerilizable(objSer yserx.JavaSerializable, old string, new string, times int) error

func SetJavaObjectClass

func SetJavaObjectClass(object yserx.JavaSerializable, classObject *javaclassparser.ClassObject) error

func SetTemplateObjectClass

func SetTemplateObjectClass(object *yserx.JavaObject, classBytes []byte) error

func ToBcel

func ToBcel(i interface{}) (string, error)

func ToBytes

func ToBytes(i interface{}) ([]byte, error)

func ToJson

func ToJson(i interface{}) (string, error)

Types

type ClassConfig

// ClassConfig collects the settings for one generated class. A
// GenClassOptionFun receives a *ClassConfig, NewClassConfig builds one from a
// list of such options, and GenerateClassObject is the method that turns the
// config into a class object (method bodies are not shown on this page).
//
// NOTE(review): every parameter below is a plain caller-supplied value. The
// struct performs no validation itself; whether Command, Domain, Host, Port
// or Token are checked before use cannot be seen here. Confirm in the
// generator code.
type ClassConfig struct {
	Errors     []error
	ClassType  ClassType
	ClassBytes []byte
	//ClassTemplate *javaclassparser.ClassObject
	// Common parameters.
	ClassName     string
	IsObfuscation bool
	IsConstruct   bool
	// exec parameters.
	Command string
	// dnslog parameters.
	Domain string
	// Spring parameters.
	HeaderKey    string
	HeaderVal    string
	HeaderKeyAu  string
	HeaderValAu  string
	Param        string
	IsEchoBody   bool
	IsExecAction bool
	// Reverse (TCP reverse connection) parameters.
	Host  string
	Port  int
	Token string
}

func NewClassConfig

func NewClassConfig(options ...GenClassOptionFun) *ClassConfig

func (*ClassConfig) AddError

func (cf *ClassConfig) AddError(err error)

func (*ClassConfig) ConfigCommonOptions

func (cf *ClassConfig) ConfigCommonOptions(obj *javaclassparser.ClassObject) error

func (*ClassConfig) GenerateClassObject

func (cf *ClassConfig) GenerateClassObject() (obj *javaclassparser.ClassObject, err error)

type ClassPayload

// ClassPayload describes one class generator: a class name, a help text and
// the function that builds a class object from a ClassConfig.
// GetAllClassGenerator returns these keyed by ClassType.
type ClassPayload struct {
	ClassName string
	Help      string
	// Generator builds the class object from the supplied configuration.
	Generator func(*ClassConfig) (*javaclassparser.ClassObject, error)
}

type ClassType

// ClassType is the string type used for class-template identifiers such as
// RuntimeExecClass.
type ClassType string

type GadgetFunc

// GadgetFunc builds a serializable Java object from a single string argument
// named cmd. GetEchoCommonsCollections2 returns a value of this type.
type GadgetFunc func(cmd string) (yserx.JavaSerializable, error)

func GetEchoCommonsCollections2

func GetEchoCommonsCollections2() GadgetFunc

type GadgetInfo

// GadgetInfo is the descriptive metadata for one gadget, as stored in
// GadgetInfoMap and returned by (*JavaObject).Verbose.
type GadgetInfo struct {
	Name            string
	NameVerbose     string
	Help            string
	// SupportTemplate is true in GadgetInfoMap for the gadgets whose
	// constructor takes ...GenClassOptionFun rather than a single string.
	SupportTemplate bool
}

func (*GadgetInfo) GetHelp

func (g *GadgetInfo) GetHelp() string

func (*GadgetInfo) GetName

func (g *GadgetInfo) GetName() string

func (*GadgetInfo) GetNameVerbose

func (g *GadgetInfo) GetNameVerbose() string

func (*GadgetInfo) IsSupportTemplate

func (g *GadgetInfo) IsSupportTemplate() bool

type GenClassOptionFun

// GenClassOptionFun is a functional option: it receives the *ClassConfig
// being assembled. The Set* functions in this package return values of this
// type.
type GenClassOptionFun func(config *ClassConfig)

func SetBytesEvilClass

func SetBytesEvilClass(data []byte) GenClassOptionFun

生成自定义Class

func SetClassBase64Bytes

func SetClassBase64Bytes(base64 string) GenClassOptionFun

func SetClassBytes

func SetClassBytes(data []byte) GenClassOptionFun

func SetClassDnslogTemplate

func SetClassDnslogTemplate() GenClassOptionFun

dnslog参数

func SetClassModifyTomcatMaxHeaderSizeTemplate

func SetClassModifyTomcatMaxHeaderSizeTemplate() GenClassOptionFun

ModifyTomcatMaxHeaderSize

func SetClassMultiEchoTemplate

func SetClassMultiEchoTemplate() GenClassOptionFun

MultiEcho

func SetClassName

func SetClassName(className string) GenClassOptionFun

公共参数

func SetClassProcessBuilderExecTemplate

func SetClassProcessBuilderExecTemplate() GenClassOptionFun

ProcessBuilderExec 参数

func SetClassProcessImplExecTemplate

func SetClassProcessImplExecTemplate() GenClassOptionFun

ProcessImplExec 参数

func SetClassRuntimeExecTemplate

func SetClassRuntimeExecTemplate() GenClassOptionFun

RuntimeExec 参数

func SetClassSpringEchoTemplate

func SetClassSpringEchoTemplate() GenClassOptionFun

spring参数

func SetClassTcpReverseShellTemplate

func SetClassTcpReverseShellTemplate() GenClassOptionFun

生成tcp反弹shell

func SetClassTcpReverseTemplate

func SetClassTcpReverseTemplate() GenClassOptionFun

生成tcp反连

func SetClassTomcatEchoTemplate

func SetClassTomcatEchoTemplate() GenClassOptionFun

Tomcat回显

func SetConstruct

func SetConstruct() GenClassOptionFun

func SetDnslog

func SetDnslog(addr string) GenClassOptionFun

func SetDnslogEvilClass

func SetDnslogEvilClass(addr string) GenClassOptionFun

func SetEchoBody

func SetEchoBody() GenClassOptionFun

func SetExecAction

func SetExecAction() GenClassOptionFun

func SetExecCommand

func SetExecCommand(cmd string) GenClassOptionFun

func SetHeader

func SetHeader(key string, val string) GenClassOptionFun

func SetMultiEchoEvilClass

func SetMultiEchoEvilClass() GenClassOptionFun

func SetObfuscation

func SetObfuscation() GenClassOptionFun

func SetParam

func SetParam(val string) GenClassOptionFun

func SetProcessBuilderExecEvilClass

func SetProcessBuilderExecEvilClass(cmd string) GenClassOptionFun

func SetProcessImplExecEvilClass

func SetProcessImplExecEvilClass(cmd string) GenClassOptionFun

func SetRuntimeExecEvilClass

func SetRuntimeExecEvilClass(cmd string) GenClassOptionFun

func SetTcpReverseEvilClass

func SetTcpReverseEvilClass(host string, port int) GenClassOptionFun

func SetTcpReverseHost

func SetTcpReverseHost(host string) GenClassOptionFun

func SetTcpReversePort

func SetTcpReversePort(port int) GenClassOptionFun

func SetTcpReverseShellEvilClass

func SetTcpReverseShellEvilClass(host string, port int) GenClassOptionFun

func SetTcpReverseToken

func SetTcpReverseToken(token string) GenClassOptionFun

func SetTomcatEchoEvilClass

func SetTomcatEchoEvilClass() GenClassOptionFun

type JavaObject

// JavaObject wraps a yserx.JavaSerializable by embedding it. It is the return
// type of the Get*JavaObject constructors and has a Verbose method that
// returns a *GadgetInfo.
type JavaObject struct {
	yserx.JavaSerializable
	// contains filtered or unexported fields
}

func ConfigJavaObject

func ConfigJavaObject(templ []byte, name string, options ...GenClassOptionFun) (*JavaObject, error)

func GetBeanShell1JavaObject

func GetBeanShell1JavaObject(cmd string) (*JavaObject, error)

func GetClick1JavaObject

func GetClick1JavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetCommonsBeanutils183NOCCJavaObject

func GetCommonsBeanutils183NOCCJavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetCommonsBeanutils192NOCCJavaObject

func GetCommonsBeanutils192NOCCJavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetCommonsBeanutils1JavaObject

func GetCommonsBeanutils1JavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetCommonsCollections1JavaObject

func GetCommonsCollections1JavaObject(cmd string) (*JavaObject, error)

func GetCommonsCollections2JavaObject

func GetCommonsCollections2JavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetCommonsCollections3JavaObject

func GetCommonsCollections3JavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetCommonsCollections4JavaObject

func GetCommonsCollections4JavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetCommonsCollections5JavaObject

func GetCommonsCollections5JavaObject(cmd string) (*JavaObject, error)

func GetCommonsCollections6JavaObject

func GetCommonsCollections6JavaObject(cmd string) (*JavaObject, error)

func GetCommonsCollections7JavaObject

func GetCommonsCollections7JavaObject(cmd string) (*JavaObject, error)

func GetCommonsCollections8JavaObject

func GetCommonsCollections8JavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetCommonsCollectionsK1JavaObject

func GetCommonsCollectionsK1JavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetCommonsCollectionsK2JavaObject

func GetCommonsCollectionsK2JavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetCommonsCollectionsK3JavaObject

func GetCommonsCollectionsK3JavaObject(cmd string) (*JavaObject, error)

func GetCommonsCollectionsK4JavaObject

func GetCommonsCollectionsK4JavaObject(cmd string) (*JavaObject, error)

func GetFindClassByBombJavaObject

func GetFindClassByBombJavaObject(className string) (*JavaObject, error)

GetFindClassByBombJavaObject 扫描目标存在指定的 className 时,将会耗部分服务器性能达到间接延时的目的

func GetFindGadgetByDNSJavaObject

func GetFindGadgetByDNSJavaObject(url string) (*JavaObject, error)

func GetGroovy1JavaObject

func GetGroovy1JavaObject(cmd string) (*JavaObject, error)

func GetJBossInterceptors1JavaObject

func GetJBossInterceptors1JavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetJSON1JavaObject

func GetJSON1JavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetJavaObjectFromBytes

func GetJavaObjectFromBytes(byt []byte) (*JavaObject, error)

func GetJavassistWeld1JavaObject

func GetJavassistWeld1JavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetJdk7u21JavaObject

func GetJdk7u21JavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetJdk8u20JavaObject

func GetJdk8u20JavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetSimplePrincipalCollectionJavaObject

func GetSimplePrincipalCollectionJavaObject() (*JavaObject, error)

func GetURLDNSJavaObject

func GetURLDNSJavaObject(url string) (*JavaObject, error)

func (*JavaObject) Verbose

func (a *JavaObject) Verbose() *GadgetInfo

type JavaStruct

// JavaStruct is the tree node type returned by WalkJavaSerializableObject.
// Fields and BlockData hold child nodes of the same type.
type JavaStruct struct {
	Name        string
	Value       interface{}
	IsBytes     bool // presumably marks Value as raw bytes; confirm in the walker
	ClassName   string
	Type        byte
	TypeVerbose string // presumably a readable form of Type; confirm
	Fields      []*JavaStruct
	BlockData   []*JavaStruct
}

func WalkJavaSerializableObject

func WalkJavaSerializableObject(objSer yserx.JavaSerializable, handle WalkJavaSerializableObjectHandle) *JavaStruct

type RuntimeExecGadget

// RuntimeExecGadget is the signature of the gadget constructors that take a
// single string argument named cmd. GetAllRuntimeExecGadget returns a slice
// of them.
type RuntimeExecGadget func(cmd string) (*JavaObject, error)

func GetAllRuntimeExecGadget

func GetAllRuntimeExecGadget() []RuntimeExecGadget

type Temper

// Temper is a string-to-string function over a cmd argument. It has the same
// shape as the *CmdWrapper functions in this package and is presumably their
// common type (confirm at the use sites).
type Temper func(cmd string) string

type TemplatesGadget

// TemplatesGadget is the signature of the gadget constructors that are
// configured through GenClassOptionFun options. GetAllTemplatesGadget returns
// a slice of them.
type TemplatesGadget func(options ...GenClassOptionFun) (*JavaObject, error)

func GetAllTemplatesGadget

func GetAllTemplatesGadget() []TemplatesGadget

type WalkJavaSerializableObjectHandle

// WalkJavaSerializableObjectHandle is the callback type accepted by
// WalkJavaSerializableObject. It receives a class descriptor and a
// serializable object.
type WalkJavaSerializableObjectHandle func(desc *yserx.JavaClassDesc, objSer yserx.JavaSerializable)
