Based on JNDIExploit or ysoserial.

<p align="center">
<img src="docs/img/logo.png" width="120">
</p>
<h1 align="center"> JYso </h1>
<p align="center">
<img src="https://img.shields.io/badge/JDK-1.8+-orange" />
<img src="https://img.shields.io/badge/gradle-8.7-blue" />
<img src="https://img.shields.io/badge/SDL-Groovy-green" />
</p>
<p align="center"> A tool that can be used both as ysoserial and as JNDIExploit, with multiple bypass capabilities for high-version JNDI, WAF and RASP. </p>
<p align="center"> Chinese documentation | <a href="README.en.md">English</a> </p>
## 🚀 Getting Started
📢 Please take a moment to read this document; it will help you get familiar with JYso quickly!
🧐 Usage documentation: [Wiki](https://github.com/qi4L/JYso/wiki).
✔ Download the latest version from [Releases](https://github.com/qi4L/JYso/releases).
## 👍 Features
+ JNDI service startup with username/password authentication
+ JNDI routes hidden or encrypted
+ JNDI bypass for high JDK versions
+ Customizable memory-shell path, password, and the HTTP header name and value used for verification
+ Memory shells support [fileless Agent injection](https://xz.aliyun.com/t/10075?time__1311=mq%2BxBD9QDQe4yDBkPoN%2BuDAO%3DnB5x&alichlgref=https%3A%2F%2Fxz.aliyun.com%2Fsearch%3Fkeyword%3Drebeyond)
+ Memory shell written into the JRE or into environment variables to hide it
+ Dirty data added to serialized data
+ [Serialized data re-encoded with 3-byte UTF-8 forms](https://whoopsunix.com/docs/PPPYSO/advance/UTFMIX/)
+ TemplatesImpl `_bytecodes` signature removed and its size reduced
+ SignedObject secondary deserialization, usable to bypass e.g. a TemplatesImpl blacklist, or the "CC without arrays plus blacklist" setups that often appear in CTF
+ Works around the Shiro header being too long: the class is loaded from the value of a specified request parameter
+ Dynamically generated obfuscated class names
+ MSF/CS callback sessions
+ Code execution via JDBC
If you have other great ideas, please let me know! 😎
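The overlong-UTF-8 feature in the list above relies on Java's `DataInputStream.readUTF` accepting 2- and 3-byte encodings for characters that should use the shortest form, so a class name in a serialized stream no longer matches byte-for-byte against a signature. The following is an added defensive example, not JYso's code and not part of this README: it decodes modified UTF-8 the lenient way Java does, records which sequences were overlong, and compares the canonical class name against a denylist. Python is used because this is a scanner a defender runs over captured payloads rather than tool code. It assumes only the documented `TC_CLASSDESC` (0x72) record layout (a 2-byte big-endian length followed by the modified-UTF-8 class name); the stream and the class name `com.example.Gadget` are constructed sample input.

```python
# Added example (not JYso code): normalize Java modified-UTF-8 strings that use
# overlong 2- or 3-byte forms so that class-name checks see the canonical text.
# Assumes the lenient readUTF decoding (non-shortest forms are accepted).

TC_CLASSDESC = 0x72  # java.io.ObjectStreamConstants.TC_CLASSDESC


def decode_modified_utf8(data: bytes):
    """Decode like DataInputStream.readUTF; return (text, overlong_offsets).

    Modified UTF-8 legitimately encodes U+0000 as C0 80, so that pair is not
    counted as overlong. Any other 2-byte form yielding a code point below
    U+0080, or 3-byte form yielding one below U+0800, is flagged.
    """
    out, overlong, i, n = [], [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:  # 1-byte form
            out.append(chr(b))
            i += 1
        elif (b >> 5) == 0b110:  # 2-byte form: 110xxxxx 10xxxxxx
            if i + 1 >= n or (data[i + 1] >> 6) != 0b10:
                raise ValueError(f"malformed 2-byte sequence at {i}")
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80 and cp != 0:
                overlong.append(i)
            out.append(chr(cp))
            i += 2
        elif (b >> 4) == 0b1110:  # 3-byte form: 1110xxxx 10xxxxxx 10xxxxxx
            if i + 2 >= n or (data[i + 1] >> 6) != 0b10 or (data[i + 2] >> 6) != 0b10:
                raise ValueError(f"malformed 3-byte sequence at {i}")
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            if cp < 0x800:
                overlong.append(i)
            out.append(chr(cp))
            i += 3
        else:
            raise ValueError(f"invalid lead byte {b:#x} at {i}")
    return "".join(out), overlong


def class_names(stream: bytes):
    """Heuristically extract (name, used_overlong) from TC_CLASSDESC records.

    Each record carries the class name as writeUTF output: a 2-byte big-endian
    length followed by that many bytes of modified UTF-8. This scan does not walk
    the full serialization grammar; a stray 0x72 byte is skipped only when its
    length prefix runs past the end or the bytes do not decode.
    """
    found = []
    for i, b in enumerate(stream):
        if b != TC_CLASSDESC or i + 3 > len(stream):
            continue
        length = int.from_bytes(stream[i + 1:i + 3], "big")
        raw = stream[i + 3:i + 3 + length]
        if len(raw) != length:
            continue
        try:
            name, overlong = decode_modified_utf8(raw)
        except ValueError:
            continue
        found.append((name, bool(overlong)))
    return found


def find_denylisted(stream: bytes, denylist):
    """Match canonical (decoded) class names against a denylist."""
    return [(name, ov) for name, ov in class_names(stream) if name in denylist]


# Constructed sample: a TC_CLASSDESC for the made-up class "com.example.Gadget"
# where some ASCII letters use overlong forms: 'a' -> C1 A1 (2-byte),
# 'e' -> E0 81 A5 (3-byte). A byte-level search for b"com.example.Gadget" fails.
NAME_BYTES = (b"com." + b"\xe0\x81\xa5" + b"x" + b"\xc1\xa1"
              + b"mple.G" + b"\xc1\xa1" + b"dget")
SAMPLE_STREAM = (b"\xac\xed\x00\x05"                 # stream magic + version
                 + bytes([TC_CLASSDESC])
                 + len(NAME_BYTES).to_bytes(2, "big") + NAME_BYTES
                 + b"\x00" * 8 + b"\x02")            # serialVersionUID, flags

if __name__ == "__main__":
    print("naive byte match:", b"com.example.Gadget" in SAMPLE_STREAM)
    print("decoded:", find_denylisted(SAMPLE_STREAM, {"com.example.Gadget"}))
```

Byte-pattern matching is only a detection aid; the robust mitigation is an allowlist enforced at deserialization time (an `ObjectInputFilter` from JEP 290, or a `resolveClass` override), which sees the class name after Java has already decoded it.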
## 🐯 Build
Download gradle 8.7+ and add it to the global environment variables, then run the following in the project root directory:
```shell
./gradlew shadowJar
```
## 🌲 Directory Structure
For more information, see the [directory structure description](docs/directory_structure.md).
## ✨ CTStack
<img src="https://ctstack-oss.oss-cn-beijing.aliyuncs.com/CT%20Stack-2.png" width="30%" />
JYso has joined the [CTStack](https://stack.chaitin.com/tool/detail/1303) community.
## ✨ 404StarLink 2.0 - Galaxy
JYso is part of 404Team's [404StarLink 2.0](https://github.com/knownsec/404StarLink). If you have questions about JYso or want to find people to exchange ideas with, see the StarLink project for how to join the community group.
+ https://github.com/knownsec/404StarLink2.0-Galaxy#community
1. [Selected for the 2024 KCon Arsenal](https://kcon.knownsec.com/index.php?s=bqp&c=category&id=3)
## 📷 References
- https://github.com/veracode-research/rogue-jndi
- https://github.com/welk1n/JNDI-Injection-Exploit
- https://github.com/welk1n/JNDI-Injection-Bypass
- https://github.com/WhiteHSBG/JNDIExploit
- https://github.com/su18/ysoserial
- https://github.com/rebeyond/Behinder
- https://github.com/Whoopsunix/utf-8-overlong-encoding
- https://github.com/mbechler/marshalsec
- https://t.zsxq.com/17LkqCzk8
- https://mp.weixin.qq.com/s/fcuKNfLXiFxWrIYQPq7OCg
- https://xz.aliyun.com/t/11640?time__1311=mqmx0DBDuDnQ340vo4%2BxCwg%3DQai%3DYzaq4D&alichlgref=https%3A%2F%2Fxz.aliyun.com%2Fu%2F8697
- https://archive.conference.hitb.org/hitbsecconf2021sin/sessions/make-jdbc-attacks-brilliant-again/
- https://tttang.com/archive/1405/#toc_0x03-jdbc-rce
- https://xz.aliyun.com/t/10656?time__1311=mq%2BxBDy7G%3DLOD%2FD0DoYg0%3DDR0HG8KeD&alichlgref=https%3A%2F%2Ftttang.com%2F#toc-7
- https://whoopsunix.com/docs/PPPYSO/advance/UTFMIX/
- https://tttang.com/archive/1405/#toc_groovyclassloader
- https://xz.aliyun.com/t/10656?time__1311=mq%2BxBDy7G%3DLOD%2FD0DoY4AKqiKD%3DOQjqx&alichlgref=https%3A%2F%2Ftttang.com%2F
- https://www.leavesongs.com/PENETRATION/use-tls-proxy-to-exploit-ldaps.html
- https://tttang.com/archive/1405/#toc_druid