yso

package
v1.2.2-sp2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 28, 2023 License: AGPL-3.0 Imports: 15 Imported by: 1

Documentation

Index

Constants

View Source 
const (
	RuntimeExecClass               ClassType = "RuntimeExecClass"
	ProcessBuilderExecClass                  = "ProcessBuilderExecClass"
	ProcessImplExecClass                     = "ProcessImplExecClass"
	DnslogClass                              = "DnslogClass"
	SpringEchoClass                          = "SpringEchoClass"
	ModifyTomcatMaxHeaderSizeClass           = "ModifyTomcatMaxHeaderSizeClass"
	EmptyClassInTemplate                     = "EmptyClassInTemplate"
	TcpReverseClass                          = "TcpReverseClass"
	TcpReverseShellClass                     = "TcpReverseShellClass"
	TomcatEchoClass                          = "TomcatEchoClass"
	BytesClass                               = "BytesClass"
	MultiEchoClass                           = "MultiEchoClass"
)
View Source 
const (
	// CommonsCollections1/3/5/6/7链,需要<=3.2.1版本
	CC31Or321 = "org.apache.commons.collections.functors.ChainedTransformer"
	CC322     = "org.apache.commons.collections.ExtendedProperties$1"
	CC40      = "org.apache.commons.collections4.functors.ChainedTransformer"
	CC41      = "org.apache.commons.collections4.FluentIterable"
	// CommonsBeanutils2链,serialVersionUID不同,1.7x-1.8x为-3490850999041592962,1.9x为-2044202215314119608
	CB17  = "org.apache.commons.beanutils.MappedPropertyDescriptor$1"
	CB18x = "org.apache.commons.beanutils.DynaBeanMapDecorator$MapEntry"
	CB19x = "org.apache.commons.beanutils.BeanIntrospectionData"
	//c3p0 serialVersionUID不同,0.9.2pre2-0.9.5pre8为7387108436934414104,0.9.5pre9-0.9.5.5为7387108436934414104
	C3p092x = "com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase"
	C3p095x = "com.mchange.v2.c3p0.test.AlwaysFailDataSource"
	// AspectJWeaver 需要cc31
	Ajw = "org.aspectj.weaver.tools.cache.SimpleCache"
	// bsh serialVersionUID不同,2.0b4为4949939576606791809,2.0b5为4041428789013517368,2.0.b6无法反序列化
	Bsh20b4 = "bsh.CollectionManager$1"
	Bsh20b5 = "bsh.engine.BshScriptEngine"
	Bsh20b6 = "bsh.collection.CollectionIterator$1"
	// Groovy 1.7.0-2.4.3,serialVersionUID不同,2.4.x为-8137949907733646644,2.3.x为1228988487386910280
	Groovy1702311 = "org.codehaus.groovy.reflection.ClassInfo$ClassInfoSet"
	Groovy24x     = "groovy.lang.Tuple2"
	Groovy244     = "org.codehaus.groovy.runtime.dgm$1170"
	// Becl JDK<8u251
	Becl    = "com.sun.org.apache.bcel.internal.util.ClassLoader"
	Jdk7u21 = "com.sun.corba.se.impl.orbutil.ORBClassLoader"
	// JRE8u20 7u25<=JDK<=8u20,虽然叫JRE8u20其实JDK8u20也可以,这个检测不完美,8u25版本以及JDK<=7u21会误报,可综合Jdk7u21来看
	JRE8u20   = "javax.swing.plaf.metal.MetalFileChooserUI$DirectoryComboBoxModel$1"
	LinuxOS   = "sun.awt.X11.AwtGraphicsConfigData"
	WindowsOS = "sun.awt.windows.WButtonPeer"
)
View Source 
const (
	BeanShell1GadgetName              = "BeanShell1"
	CommonsCollections1GadgetName     = "CommonsCollections1"
	CommonsCollections5GadgetName     = "CommonsCollections5"
	CommonsCollections6GadgetName     = "CommonsCollections6"
	CommonsCollections7GadgetName     = "CommonsCollections7"
	CommonsCollectionsK3GadgetName    = "CommonsCollectionsK3"
	CommonsCollectionsK4GadgetName    = "CommonsCollectionsK4"
	Groovy1GadgetName                 = "Groovy1"
	Click1GadgetName                  = "Click1"
	CommonsBeanutils1GadgetName       = "CommonsBeanutils1"
	CommonsBeanutils183NOCCGadgetName = "CommonsBeanutils183NOCC"
	CommonsBeanutils192NOCCGadgetName = "CommonsBeanutils192NOCC"
	CommonsCollections2GadgetName     = "CommonsCollections2"
	CommonsCollections3GadgetName     = "CommonsCollections3"
	CommonsCollections4GadgetName     = "CommonsCollections4"
	CommonsCollections8GadgetName     = "CommonsCollections8"
	CommonsCollectionsK1GadgetName    = "CommonsCollectionsK1"
	CommonsCollectionsK2GadgetName    = "CommonsCollectionsK2"
	JBossInterceptors1GadgetName      = "JBossInterceptors1"
	JSON1GadgetName                   = "JSON1"
	JavassistWeld1GadgetName          = "JavassistWeld1"
	Jdk7u21GadgetName                 = "Jdk7u21"
	Jdk8u20GadgetName                 = "Jdk8u20"
	URLDNS                            = "URLDNS"
	FindGadgetByDNS                   = "FindGadgetByDNS"
	FindClassByBomb                   = "FindClassByBomb"
)

Variables

View Source 
var Exports = map[string]interface{}{

	"ToBytes": ToBytes,
	"ToBcel":  ToBcel,
	"ToJson":  ToJson,
	"dump":    Dump,

	"GetJavaObjectFromBytes":  GetJavaObjectFromBytes,
	"GetBeanShell1JavaObject": GetBeanShell1JavaObject,
	"GetClick1JavaObject":     GetClick1JavaObject,

	"GetCommonsBeanutils1JavaObject":       GetCommonsBeanutils1JavaObject,
	"GetCommonsBeanutils183NOCCJavaObject": GetCommonsBeanutils183NOCCJavaObject,
	"GetCommonsBeanutils192NOCCJavaObject": GetCommonsBeanutils192NOCCJavaObject,
	"GetCommonsCollections1JavaObject":     GetCommonsCollections1JavaObject,
	"GetCommonsCollections2JavaObject":     GetCommonsCollections2JavaObject,
	"GetCommonsCollections3JavaObject":     GetCommonsCollections3JavaObject,
	"GetCommonsCollections4JavaObject":     GetCommonsCollections4JavaObject,
	"GetCommonsCollections5JavaObject":     GetCommonsCollections5JavaObject,
	"GetCommonsCollections6JavaObject":     GetCommonsCollections6JavaObject,
	"GetCommonsCollections7JavaObject":     GetCommonsCollections7JavaObject,
	"GetCommonsCollections8JavaObject":     GetCommonsCollections8JavaObject,
	"GetCommonsCollectionsK1JavaObject":    GetCommonsCollectionsK1JavaObject,
	"GetCommonsCollectionsK2JavaObject":    GetCommonsCollectionsK2JavaObject,
	"GetCommonsCollectionsK3JavaObject":    GetCommonsCollectionsK3JavaObject,
	"GetCommonsCollectionsK4JavaObject":    GetCommonsCollectionsK4JavaObject,
	"GetGroovy1JavaObject":                 GetGroovy1JavaObject,
	"GetJBossInterceptors1JavaObject":      GetJBossInterceptors1JavaObject,
	"GetURLDNSJavaObject":                  GetURLDNSJavaObject,
	"GetFindGadgetByDNSJavaObject":         GetFindGadgetByDNSJavaObject,

	"GetJSON1JavaObject":          GetJSON1JavaObject,
	"GetJavassistWeld1JavaObject": GetJavassistWeld1JavaObject,
	"GetJdk7u21JavaObject":        GetJdk7u21JavaObject,
	"GetJdk8u20JavaObject":        GetJdk8u20JavaObject,

	"GetAllGadget":            GetAllGadget,
	"GetAllTemplatesGadget":   GetAllTemplatesGadget,
	"GetAllRuntimeExecGadget": GetAllRuntimeExecGadget,

	"GetGadgetNameByFun": GetGadgetNameByFun,

	"GetSimplePrincipalCollectionJavaObject": GetSimplePrincipalCollectionJavaObject,

	"LoadClassFromBytes":  LoadClassFromBytes,
	"LoadClassFromBase64": LoadClassFromBase64,
	"LoadClassFromBCEL":   LoadClassFromBCEL,

	"GenerateClassObjectFromBytes":                     GenerateClassObjectFromBytes,
	"GenerateRuntimeExecEvilClassObject":               GenerateRuntimeExecEvilClassObject,
	"GenerateProcessBuilderExecEvilClassObject":        GenerateProcessBuilderExecEvilClassObject,
	"GenerateProcessImplExecEvilClassObject":           GenerateProcessImplExecEvilClassObject,
	"GenerateDNSlogEvilClassObject":                    GenDnslogClassObject,
	"GenerateSpringEchoEvilClassObject":                GenerateSpringEchoEvilClassObject,
	"GenerateModifyTomcatMaxHeaderSizeEvilClassObject": GenerateModifyTomcatMaxHeaderSizeEvilClassObject,
	"GenerateTcpReverseEvilClassObject":                GenTcpReverseClassObject,
	"GenerateTcpReverseShellEvilClassObject":           GenTcpReverseShellClassObject,
	"GenerateTomcatEchoClassObject":                    GenTomcatEchoClassObject,
	"GenerateMultiEchoClassObject":                     GenMultiEchoClassObject,

	"useBytesEvilClass":         SetBytesEvilClass,
	"useBytesClass":             SetClassBytes,
	"useBase64BytesClass":       SetClassBase64Bytes,
	"useTomcatEchoEvilClass":    SetTomcatEchoEvilClass,
	"useTomcatEchoTemplate":     SetClassTomcatEchoTemplate,
	"useMultiEchoEvilClass":     SetMultiEchoEvilClass,
	"useClassMultiEchoTemplate": SetClassMultiEchoTemplate,

	"useModifyTomcatMaxHeaderSizeTemplate": SetClassModifyTomcatMaxHeaderSizeTemplate,

	"useSpringEchoTemplate":   SetClassSpringEchoTemplate,
	"springHeader":            SetHeader,
	"springParam":             SetParam,
	"springRuntimeExecAction": SetExecAction,
	"springEchoBody":          SetEchoBody,

	"useDNSlogTemplate":  SetClassDnslogTemplate,
	"dnslogDomain":       SetDnslog,
	"useDNSLogEvilClass": SetDnslogEvilClass,

	"useRuntimeExecTemplate":  SetClassRuntimeExecTemplate,
	"command":                 SetExecCommand,
	"useRuntimeExecEvilClass": SetRuntimeExecEvilClass,

	"useProcessBuilderExecTemplate":  SetClassProcessBuilderExecTemplate,
	"useProcessBuilderExecEvilClass": SetProcessBuilderExecEvilClass,

	"useProcessImplExecTemplate":  SetClassProcessImplExecTemplate,
	"useProcessImplExecEvilClass": SetProcessImplExecEvilClass,

	"useTcpReverseTemplate":  SetClassTcpReverseTemplate,
	"tcpReverseHost":         SetTcpReverseHost,
	"tcpReversePort":         SetTcpReversePort,
	"tcpReverseToken":        SetTcpReverseToken,
	"useTcpReverseEvilClass": SetTcpReverseEvilClass,

	"useTcpReverseShellTemplate":  SetClassTcpReverseShellTemplate,
	"useTcpReverseShellEvilClass": SetTcpReverseShellEvilClass,

	"useConstructorExecutor":       SetConstruct,
	"evilClassName":                SetClassName,
	"obfuscationClassConstantPool": SetObfuscation,
}
View Source 
var GadgetInfoMap = map[string]*GadgetInfo{
	BeanShell1GadgetName:              {Name: BeanShell1GadgetName, NameVerbose: "BeanShell1", Help: "", SupportTemplate: false},
	Click1GadgetName:                  {Name: Click1GadgetName, NameVerbose: "Click1", Help: "", SupportTemplate: true},
	CommonsBeanutils1GadgetName:       {Name: CommonsBeanutils1GadgetName, NameVerbose: "CommonsBeanutils1", Help: "", SupportTemplate: true},
	CommonsBeanutils183NOCCGadgetName: {Name: CommonsBeanutils183NOCCGadgetName, NameVerbose: "CommonsBeanutils183NOCC", Help: "使用String.CASE_INSENSITIVE_ORDER作为comparator,去除了cc链的依赖", SupportTemplate: true},
	CommonsBeanutils192NOCCGadgetName: {Name: CommonsBeanutils192NOCCGadgetName, NameVerbose: "CommonsBeanutils192NOCC", Help: "使用String.CASE_INSENSITIVE_ORDER作为comparator,去除了cc链的依赖", SupportTemplate: true},
	CommonsCollections1GadgetName:     {Name: CommonsCollections1GadgetName, NameVerbose: "CommonsCollections1", Help: "", SupportTemplate: false},
	CommonsCollections2GadgetName:     {Name: CommonsCollections2GadgetName, NameVerbose: "CommonsCollections2", Help: "", SupportTemplate: true},
	CommonsCollections3GadgetName:     {Name: CommonsCollections3GadgetName, NameVerbose: "CommonsCollections3", Help: "", SupportTemplate: true},
	CommonsCollections4GadgetName:     {Name: CommonsCollections4GadgetName, NameVerbose: "CommonsCollections4", Help: "", SupportTemplate: true},
	CommonsCollections5GadgetName:     {Name: CommonsCollections5GadgetName, NameVerbose: "CommonsCollections5", Help: "", SupportTemplate: false},
	CommonsCollections6GadgetName:     {Name: CommonsCollections6GadgetName, NameVerbose: "CommonsCollections6", Help: "", SupportTemplate: false},
	CommonsCollections7GadgetName:     {Name: CommonsCollections7GadgetName, NameVerbose: "CommonsCollections7", Help: "", SupportTemplate: false},
	CommonsCollections8GadgetName:     {Name: CommonsCollections8GadgetName, NameVerbose: "CommonsCollections8", Help: "", SupportTemplate: true},
	CommonsCollectionsK1GadgetName:    {Name: CommonsCollectionsK1GadgetName, NameVerbose: "CommonsCollectionsK1", Help: "", SupportTemplate: true},
	CommonsCollectionsK2GadgetName:    {Name: CommonsCollectionsK2GadgetName, NameVerbose: "CommonsCollectionsK2", Help: "", SupportTemplate: true},
	CommonsCollectionsK3GadgetName:    {Name: CommonsCollectionsK3GadgetName, NameVerbose: "CommonsCollectionsK3", Help: "", SupportTemplate: false},
	CommonsCollectionsK4GadgetName:    {Name: CommonsCollectionsK4GadgetName, NameVerbose: "CommonsCollectionsK4", Help: "", SupportTemplate: false},
	Groovy1GadgetName:                 {Name: Groovy1GadgetName, NameVerbose: "Groovy1", Help: "", SupportTemplate: false},
	JBossInterceptors1GadgetName:      {Name: JBossInterceptors1GadgetName, NameVerbose: "JBossInterceptors1", Help: "", SupportTemplate: true},
	JSON1GadgetName:                   {Name: JSON1GadgetName, NameVerbose: "JSON1", Help: "", SupportTemplate: true},
	JavassistWeld1GadgetName:          {Name: JavassistWeld1GadgetName, NameVerbose: "JavassistWeld1", Help: "", SupportTemplate: true},
	Jdk7u21GadgetName:                 {Name: Jdk7u21GadgetName, NameVerbose: "Jdk7u21", Help: "", SupportTemplate: true},
	Jdk8u20GadgetName:                 {Name: Jdk8u20GadgetName, NameVerbose: "Jdk8u20", Help: "", SupportTemplate: true},
	URLDNS:                            {Name: URLDNS, NameVerbose: URLDNS, Help: "通过URL对象触发dnslog", SupportTemplate: false},
	FindGadgetByDNS:                   {Name: FindGadgetByDNS, NameVerbose: FindGadgetByDNS, Help: "通过URLDNS这个gadget探测class,进而判断gadget", SupportTemplate: false},
}
View Source 
var LDAPExports = map[string]interface{}{
	"NewLdapServer":         ldapserver.NewLdapServer,
	"NewLdapServerWithPort": ldapserver.NewLdapServerWithPort,
}

Functions

func AllCmdWrapper 

func AllCmdWrapper(cmd string) []string

func BashCmdWrapper 

func BashCmdWrapper(cmd string) string

func ClojureCmdWrapper 

func ClojureCmdWrapper(cmd string) string

func CreateTemplateByClassObject 

func CreateTemplateByClassObject(class *javaclassparser.ClassObject) *yserx.JavaObject

func Dump 

func Dump(i interface{}) (string, error)

func GenDnslogClassObject 

func GenDnslogClassObject(domain string, options ...GenClassOptionFun) (*javaclassparser.ClassObject, error)

dnslog生成

func GenEmptyClassInTemplateClassObject 

func GenEmptyClassInTemplateClassObject(options ...GenClassOptionFun) (*javaclassparser.ClassObject, error)

空类生成(用于template)

func GenMultiEchoClassObject 

func GenMultiEchoClassObject(options ...GenClassOptionFun) (*javaclassparser.ClassObject, error)

func GenTcpReverseClassObject 

func GenTcpReverseClassObject(host string, port int, options ...GenClassOptionFun) (*javaclassparser.ClassObject, error)

func GenTcpReverseShellClassObject 

func GenTcpReverseShellClassObject(host string, port int, options ...GenClassOptionFun) (*javaclassparser.ClassObject, error)

func GenTomcatEchoClassObject 

func GenTomcatEchoClassObject(options ...GenClassOptionFun) (*javaclassparser.ClassObject, error)

func GenerateClassObjectFromBytes 

func GenerateClassObjectFromBytes(bytes []byte, options ...GenClassOptionFun) (*javaclassparser.ClassObject, error)

func GenerateModifyTomcatMaxHeaderSizeEvilClassObject 

func GenerateModifyTomcatMaxHeaderSizeEvilClassObject(options ...GenClassOptionFun) (*javaclassparser.ClassObject, error)

func GenerateProcessBuilderExecEvilClassObject 

func GenerateProcessBuilderExecEvilClassObject(cmd string, options ...GenClassOptionFun) (*javaclassparser.ClassObject, error)

func GenerateProcessImplExecEvilClassObject 

func GenerateProcessImplExecEvilClassObject(cmd string, options ...GenClassOptionFun) (*javaclassparser.ClassObject, error)

func GenerateRuntimeExecEvilClassObject 

func GenerateRuntimeExecEvilClassObject(cmd string, options ...GenClassOptionFun) (*javaclassparser.ClassObject, error)

func GenerateSpringEchoEvilClassObject 

func GenerateSpringEchoEvilClassObject(options ...GenClassOptionFun) (*javaclassparser.ClassObject, error)

spring生成

func GenerateTemplates 

func GenerateTemplates(cmd string) []*yserx.JavaObject

func GetAllClassGenerator 

func GetAllClassGenerator() map[ClassType]*ClassPayload

func GetAllGadget 

func GetAllGadget() []interface{}

func GetGadgetChecklist 

func GetGadgetChecklist() map[string]string

func GetGadgetNameByFun 

func GetGadgetNameByFun(i interface{}) (string, error)

func IndexFromBytes 

func IndexFromBytes(byt []byte, sub interface{}) int

func JavaSerializableObjectDumper 

func JavaSerializableObjectDumper(javaObject *JavaObject) (string, error)

func LoadClassFromBCEL added in v1.2.3 

func LoadClassFromBCEL(data string, options ...GenClassOptionFun) (*javaclassparser.ClassObject, error)

func LoadClassFromBase64 added in v1.2.3 

func LoadClassFromBase64(base64 string, options ...GenClassOptionFun) (*javaclassparser.ClassObject, error)

func LoadClassFromBytes added in v1.2.3 

func LoadClassFromBytes(bytes []byte, options ...GenClassOptionFun) (*javaclassparser.ClassObject, error)

func LoadClassFromJson added in v1.2.3 

func LoadClassFromJson(jsonData string, options ...GenClassOptionFun) (*javaclassparser.ClassObject, error)

func PerlCmdWrapper 

func PerlCmdWrapper(cmd string) string

func PowerShellCmdWrapper 

func PowerShellCmdWrapper(cmd string) string

func PythonCmdWrapper 

func PythonCmdWrapper(cmd string) string

func RepClassName 

func RepClassName(echoTmplClass []byte, oldN string, newN string) []byte

func RepCmd 

func RepCmd(echoTmplClass []byte, zw string, cmd string) []byte

func ReplaceClassNameInJavaSerilizable 

func ReplaceClassNameInJavaSerilizable(objSer yserx.JavaSerializable, old string, new string, times int) error

ReplaceClassNameInJavaSerilizable 这个 ClassName 指的是要探测的目标 jar 包里是否存在该 ClassName

func ReplaceStringInJavaSerilizable 

func ReplaceStringInJavaSerilizable(objSer yserx.JavaSerializable, old string, new string, times int) error

func SetJavaObjectClass 

func SetJavaObjectClass(object yserx.JavaSerializable, classObject *javaclassparser.ClassObject) error

func SetTemplateObjectClass 

func SetTemplateObjectClass(object *yserx.JavaObject, classBytes []byte) error

func ToBcel 

func ToBcel(i interface{}) (string, error)

func ToBytes 

func ToBytes(i interface{}) ([]byte, error)

func ToJson 

func ToJson(i interface{}) (string, error)

Types

type ClassConfig 

type ClassConfig struct {
	Errors     []error
	ClassType  ClassType
	ClassBytes []byte
	//ClassTemplate *javaclassparser.ClassObject
	//公共参数
	ClassName     string
	IsObfuscation bool
	IsConstruct   bool
	//exec参数
	Command string
	//dnslog参数
	Domain string
	//spring参数
	HeaderKey    string
	HeaderVal    string
	HeaderKeyAu  string
	HeaderValAu  string
	Param        string
	IsEchoBody   bool
	IsExecAction bool
	//Reverse参数
	Host  string
	Port  int
	Token string
}

func NewClassConfig 

func NewClassConfig(options ...GenClassOptionFun) *ClassConfig

func (*ClassConfig) AddError 

func (cf *ClassConfig) AddError(err error)

func (*ClassConfig) ConfigCommonOptions 

func (cf *ClassConfig) ConfigCommonOptions(obj *javaclassparser.ClassObject) error

func (*ClassConfig) GenerateClassObject 

func (cf *ClassConfig) GenerateClassObject() (obj *javaclassparser.ClassObject, err error)

type ClassPayload 

type ClassPayload struct {
	ClassName string
	Help      string
	Generator func(*ClassConfig) (*javaclassparser.ClassObject, error)
}

type ClassType 

type ClassType string

type GadgetFunc 

type GadgetFunc func(cmd string) (yserx.JavaSerializable, error)

func GetEchoCommonsCollections2 

func GetEchoCommonsCollections2() GadgetFunc

type GadgetInfo 

type GadgetInfo struct {
	Name            string
	NameVerbose     string
	Help            string
	SupportTemplate bool
}

func (*GadgetInfo) GetHelp 

func (g *GadgetInfo) GetHelp() string

func (*GadgetInfo) GetName 

func (g *GadgetInfo) GetName() string

func (*GadgetInfo) GetNameVerbose 

func (g *GadgetInfo) GetNameVerbose() string

func (*GadgetInfo) IsSupportTemplate 

func (g *GadgetInfo) IsSupportTemplate() bool

type GenClassOptionFun 

type GenClassOptionFun func(config *ClassConfig)

func SetBytesEvilClass 

func SetBytesEvilClass(data []byte) GenClassOptionFun

生成自定义Class

func SetClassBase64Bytes 

func SetClassBase64Bytes(base64 string) GenClassOptionFun

func SetClassBytes 

func SetClassBytes(data []byte) GenClassOptionFun

func SetClassDnslogTemplate 

func SetClassDnslogTemplate() GenClassOptionFun

dnslog参数

func SetClassModifyTomcatMaxHeaderSizeTemplate 

func SetClassModifyTomcatMaxHeaderSizeTemplate() GenClassOptionFun

ModifyTomcatMaxHeaderSize

func SetClassMultiEchoTemplate 

func SetClassMultiEchoTemplate() GenClassOptionFun

MultiEcho

func SetClassName 

func SetClassName(className string) GenClassOptionFun

公共参数

func SetClassProcessBuilderExecTemplate 

func SetClassProcessBuilderExecTemplate() GenClassOptionFun

ProcessBuilderExec 参数

func SetClassProcessImplExecTemplate 

func SetClassProcessImplExecTemplate() GenClassOptionFun

ProcessImplExec 参数

func SetClassRuntimeExecTemplate 

func SetClassRuntimeExecTemplate() GenClassOptionFun

RuntimeExec 参数

func SetClassSpringEchoTemplate 

func SetClassSpringEchoTemplate() GenClassOptionFun

spring参数

func SetClassTcpReverseShellTemplate 

func SetClassTcpReverseShellTemplate() GenClassOptionFun

生成tcp反弹shell

func SetClassTcpReverseTemplate 

func SetClassTcpReverseTemplate() GenClassOptionFun

生成tcp反连

func SetClassTomcatEchoTemplate 

func SetClassTomcatEchoTemplate() GenClassOptionFun

Tomcat回显

func SetConstruct 

func SetConstruct() GenClassOptionFun

func SetDnslog 

func SetDnslog(addr string) GenClassOptionFun

func SetDnslogEvilClass 

func SetDnslogEvilClass(addr string) GenClassOptionFun

func SetEchoBody 

func SetEchoBody() GenClassOptionFun

func SetExecAction 

func SetExecAction() GenClassOptionFun

func SetExecCommand 

func SetExecCommand(cmd string) GenClassOptionFun

func SetHeader 

func SetHeader(key string, val string) GenClassOptionFun

func SetMultiEchoEvilClass 

func SetMultiEchoEvilClass() GenClassOptionFun

func SetObfuscation 

func SetObfuscation() GenClassOptionFun

func SetParam 

func SetParam(val string) GenClassOptionFun

func SetProcessBuilderExecEvilClass 

func SetProcessBuilderExecEvilClass(cmd string) GenClassOptionFun

func SetProcessImplExecEvilClass 

func SetProcessImplExecEvilClass(cmd string) GenClassOptionFun

func SetRuntimeExecEvilClass 

func SetRuntimeExecEvilClass(cmd string) GenClassOptionFun

func SetTcpReverseEvilClass 

func SetTcpReverseEvilClass(host string, port int) GenClassOptionFun

func SetTcpReverseHost 

func SetTcpReverseHost(host string) GenClassOptionFun

func SetTcpReversePort 

func SetTcpReversePort(port int) GenClassOptionFun

func SetTcpReverseShellEvilClass 

func SetTcpReverseShellEvilClass(host string, port int) GenClassOptionFun

func SetTcpReverseToken 

func SetTcpReverseToken(token string) GenClassOptionFun

func SetTomcatEchoEvilClass 

func SetTomcatEchoEvilClass() GenClassOptionFun

type JavaObject 

type JavaObject struct {
	yserx.JavaSerializable
	// contains filtered or unexported fields
}

func ConfigJavaObject 

func ConfigJavaObject(templ []byte, name string, options ...GenClassOptionFun) (*JavaObject, error)

func GetBeanShell1JavaObject 

func GetBeanShell1JavaObject(cmd string) (*JavaObject, error)

func GetClick1JavaObject 

func GetClick1JavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetCommonsBeanutils183NOCCJavaObject 

func GetCommonsBeanutils183NOCCJavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetCommonsBeanutils192NOCCJavaObject 

func GetCommonsBeanutils192NOCCJavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetCommonsBeanutils1JavaObject 

func GetCommonsBeanutils1JavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetCommonsCollections1JavaObject 

func GetCommonsCollections1JavaObject(cmd string) (*JavaObject, error)

func GetCommonsCollections2JavaObject 

func GetCommonsCollections2JavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetCommonsCollections3JavaObject 

func GetCommonsCollections3JavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetCommonsCollections4JavaObject 

func GetCommonsCollections4JavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetCommonsCollections5JavaObject 

func GetCommonsCollections5JavaObject(cmd string) (*JavaObject, error)

func GetCommonsCollections6JavaObject 

func GetCommonsCollections6JavaObject(cmd string) (*JavaObject, error)

func GetCommonsCollections7JavaObject 

func GetCommonsCollections7JavaObject(cmd string) (*JavaObject, error)

func GetCommonsCollections8JavaObject 

func GetCommonsCollections8JavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetCommonsCollectionsK1JavaObject 

func GetCommonsCollectionsK1JavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetCommonsCollectionsK2JavaObject 

func GetCommonsCollectionsK2JavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetCommonsCollectionsK3JavaObject 

func GetCommonsCollectionsK3JavaObject(cmd string) (*JavaObject, error)

func GetCommonsCollectionsK4JavaObject 

func GetCommonsCollectionsK4JavaObject(cmd string) (*JavaObject, error)

func GetFindClassByBombJavaObject 

func GetFindClassByBombJavaObject(className string) (*JavaObject, error)

GetFindClassByBombJavaObject 扫描目标存在指定的 className 时,将会耗部分服务器性能达到间接延时的目的

func GetFindGadgetByDNSJavaObject 

func GetFindGadgetByDNSJavaObject(url string) (*JavaObject, error)

func GetGroovy1JavaObject 

func GetGroovy1JavaObject(cmd string) (*JavaObject, error)

func GetJBossInterceptors1JavaObject 

func GetJBossInterceptors1JavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetJSON1JavaObject 

func GetJSON1JavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetJavaObjectFromBytes 

func GetJavaObjectFromBytes(byt []byte) (*JavaObject, error)

func GetJavassistWeld1JavaObject 

func GetJavassistWeld1JavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetJdk7u21JavaObject 

func GetJdk7u21JavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetJdk8u20JavaObject 

func GetJdk8u20JavaObject(options ...GenClassOptionFun) (*JavaObject, error)

func GetSimplePrincipalCollectionJavaObject 

func GetSimplePrincipalCollectionJavaObject() (*JavaObject, error)

func GetURLDNSJavaObject 

func GetURLDNSJavaObject(url string) (*JavaObject, error)

func (*JavaObject) Verbose 

func (a *JavaObject) Verbose() *GadgetInfo

type JavaStruct 

type JavaStruct struct {
	Name        string
	Value       interface{}
	IsBytes     bool
	ClassName   string
	Type        byte
	TypeVerbose string
	Fields      []*JavaStruct
	BlockData   []*JavaStruct
}

func WalkJavaSerializableObject 

func WalkJavaSerializableObject(objSer yserx.JavaSerializable, handle WalkJavaSerializableObjectHandle) *JavaStruct

type RuntimeExecGadget 

type RuntimeExecGadget func(cmd string) (*JavaObject, error)

func GetAllRuntimeExecGadget 

func GetAllRuntimeExecGadget() []RuntimeExecGadget

type Temper 

type Temper func(cmd string) string

type TemplatesGadget 

type TemplatesGadget func(options ...GenClassOptionFun) (*JavaObject, error)

func GetAllTemplatesGadget 

func GetAllTemplatesGadget() []TemplatesGadget

type WalkJavaSerializableObjectHandle 

type WalkJavaSerializableObjectHandle func(desc *yserx.JavaClassDesc, objSer yserx.JavaSerializable)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.