diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml
new file mode 100644
index 0000000..0a5d792
--- /dev/null
+++ b/.github/release-drafter.yml
@@ -0,0 +1,4 @@
+template: |
+ ## What’s Changed
+
+ $CHANGES
\ No newline at end of file
diff --git a/.github/workflows/build-and-release.yml b/.github/workflows/build-and-release.yml
new file mode 100644
index 0000000..9e54438
--- /dev/null
+++ b/.github/workflows/build-and-release.yml
@@ -0,0 +1,173 @@
+name: Build and Release
+
+on:
+ workflow_dispatch:
+ inputs:
+ version:
+ description: "Release version (e.g. 1.3.1)"
+ required: true
+ type: string
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ env:
+ JAVA_VERSION: '8'
+ NODE_VERSION: '23.2.0'
+ PNPM_VERSION: '9.13.2'
+
+ steps:
+ - name: Checkout Backend Code
+ uses: actions/checkout@v3
+ with:
+ repository: Java-Chains/chains
+ token: ${{ secrets.DEPENDENCY_REPO_TOKEN }}
+ fetch-depth: 0 # Required to fetch all history for tag detection
+
+ - name: Set up Temurin JDK ${{ env.JAVA_VERSION }}
+ uses: actions/setup-java@v4
+ with:
+ distribution: 'temurin'
+ java-version: ${{ env.JAVA_VERSION }}
+ cache: 'maven'
+
+ - name: Set up Maven
+ uses: stCarolas/setup-maven@v5
+ with:
+ maven-version: 3.9.6
+
+ - name: Cache Maven dependencies
+ uses: actions/cache@v3
+ with:
+ path: ~/.m2/repository
+ key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+ restore-keys: |
+ ${{ runner.os }}-maven-
+
+ - name: Clone and Install Dev Jars
+ run: |
+ git clone https://${{ secrets.DEPENDENCY_REPO_TOKEN }}@github.com/Java-Chains/chains-dev-jars.git chains-dev-jars
+ cd chains-dev-jars
+ bash mvn_install.sh
+ cd ..
+
+ - name: Build and Install java-echo-generator
+ run: |
+ git clone https://${{ secrets.DEPENDENCY_REPO_TOKEN }}@github.com/Java-Chains/java-echo-generator.git java-echo-generator
+ cd java-echo-generator
+ mvn clean install -DskipTests
+ cd ..
+
+ - name: Build and Install java-memshell-generator
+ run: |
+ git clone https://${{ secrets.DEPENDENCY_REPO_TOKEN }}@github.com/Java-Chains/java-memshell-generator.git java-memshell-generator
+ cd java-memshell-generator
+ mvn clean install -DskipTests
+ cd ..
+
+ # 前端
+ - name: Set up Node.js ${{ env.NODE_VERSION }}
+ uses: actions/setup-node@v3
+ with:
+ node-version: ${{ env.NODE_VERSION }}
+
+ - name: Setup pnpm
+ uses: pnpm/action-setup@v2
+ with:
+ version: ${{ env.PNPM_VERSION }}
+
+ - name: Build Frontend
+ run: |
+ git clone https://${{ secrets.DEPENDENCY_REPO_TOKEN }}@github.com/Java-chains/java-chains-front.git java-chains-front
+ cd java-chains-front
+ pnpm install
+ pnpm build:prod
+ cd ..
+
+ - name: Copy Frontend Assets to Backend
+ run: |
+ mkdir -p java-chains/src/main/resources/static
+ rm -rf java-chains/src/main/resources/static/*
+ cp -r java-chains-front/dist/* java-chains/src/main/resources/static/
+
+ - name: Build Backend
+ run: mvn clean package -DskipTests
+
+ - name: Create Release Directory
+ run: mkdir release
+
+ - name: Copy Java-Chains JAR to Release
+ run: cp java-chains-*.jar release/java-chains.jar
+
+ - name: Copy Chain-All JAR to Release
+ run: cp chains-all-*.jar release/chains-all.jar
+
+ - name: Upload Release Artifact (for non-tag pushes)
+ uses: actions/upload-artifact@v4
+ with:
+ name: release-${{ inputs.version }}
+ path: release/
+
+
+ release_draft:
+ needs: build
+ permissions: write-all
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Download Artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: release-${{ inputs.version }}
+ path: release/
+
+ - name: Create Release
+ id: create_release
+ uses: actions/create-release@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.JAVA_CHAINS_RELEASE_TOKEN }}
+ with:
+ tag_name: ${{ inputs.version }}
+ release_name: Release ${{ inputs.version }}
+ draft: true
+
+ - name: Upload Java-Chains Release Asset
+ id: upload-java-chains-release-asset
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.JAVA_CHAINS_RELEASE_TOKEN }}
+ with:
+ upload_url: ${{ steps.create_release.outputs.upload_url }}
+ asset_path: release/java-chains.jar
+ asset_name: java-chains-${{ inputs.version }}.jar
+ asset_content_type: application/java-archive
+
+ - name: Upload Chains-All Release Asset
+ id: upload-chains-all-release-asset
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.JAVA_CHAINS_RELEASE_TOKEN }}
+ with:
+ upload_url: ${{ steps.create_release.outputs.upload_url }}
+ asset_path: release/chains-all.jar
+ asset_name: chains-all-${{ inputs.version }}.jar
+ asset_content_type: application/java-archive
+
+ - name: Clone chains-config And Create Distribution Archive
+ run: |
+ cd release
+ git clone https://${{ secrets.DEPENDENCY_REPO_TOKEN }}@github.com/Java-Chains/chains-config.git chains-config
+ rm -rf chains-config/.git
+ tar -czvf java-chains-all.tar.gz java-chains.jar chains-config
+ cd ..
+
+ - name: Upload Release Asset (Tarball)
+ id: upload-release-asset-tar
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.JAVA_CHAINS_RELEASE_TOKEN }}
+ with:
+ upload_url: ${{ steps.create_release.outputs.upload_url }}
+ asset_path: release/java-chains-all.tar.gz
+ asset_name: java-chains-${{ inputs.version }}-all.tar.gz
+ asset_content_type: application/gzip
\ No newline at end of file
diff --git a/.github/workflows/release-docker.yml b/.github/workflows/release-docker.yml
new file mode 100644
index 0000000..0e3eb1f
--- /dev/null
+++ b/.github/workflows/release-docker.yml
@@ -0,0 +1,54 @@
+name: Release to Docker
+
+on:
+ workflow_dispatch:
+ inputs:
+ version:
+ description: "Release version tag (e.g. 1.3.1)"
+ required: true
+ type: string
+
+jobs:
+ build-and-push:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout This Repository
+ uses: actions/checkout@v4
+
+ - name: Download And Extract Release Artifact
+ uses: robinraju/release-downloader@v1
+ with:
+ token: ${{ secrets.JAVA_CHAINS_RELEASE_TOKEN }}
+ repository: vulhub/java-chains
+ tag: ${{ inputs.version }}
+ out-file-path: ./ # 下载到当前目录下
+ fileName: java-chains-${{ inputs.version }}-all.tar.gz
+ extract: true # 解压缩
+
+ - name: Show Files
+ run: |
+ pwd
+ ls -lah
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Log in to the Docker hub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKER_HUB_USERNAME }}
+ password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+ - name: Build and push image to Docker Hub
+ uses: docker/build-push-action@v6
+ with:
+ file: Dockerfile
+ context: .
+ platforms: linux/amd64,linux/arm64
+ push: true
+ tags: |
+ javachains/javachains:${{ inputs.version }}
+ javachains/javachains:latest
\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2178617..1e82093 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,120 +1,122 @@
-## 1.2.3
+## 1.4.1
+
+**Added**
+
+1. Added partial fastjson payload generation capabilities and a Unicode-based WAF bypass technique by
+ @xcxmiku. [Reference article](https://mp.weixin.qq.com/s?__biz=Mzg3NzczOTA3OQ==&mid=2247486066&idx=1&sn=25021413b4ca3be4037ea3819ff12bdc&chksm=cec076c7d99fce55e8eebc531a6c5e6363182ba166120fc676a4c161788ed43a5863efe57fff&mpshare=1&scene=1&srcid=0319gACpuJIZjaROthkFVH3Y&sharer_shareinfo=78b3da8cba5f6492f886dc1da02f001a&sharer_shareinfo_first=78b3da8cba5f6492f886dc1da02f001a#rd)
+2. Display the User-Agent value of incoming HTTPServer requests.
+3. Introduced a file upload parameter type to facilitate the customization of binary bytecode files. Refer to the
+ corresponding Gadget: BytecodeFromUploadFile.
+4. Introduced JmgCustomShellGadget, enabling the injection of custom memory shells.
+5. Added support for specifying the listening address through environment variables.
+
+**Changed**
+
+1. Removed the `comparatorType` option from the CB chain.
+2. Parameter values in log outputs are now displayed with a maximum length of 200 characters.
+3. Fixed a concatenation error (#9).
+4. Improved the frontend display of "Choice" selection parameters.
+5. Fixed an exception related to custom bytecode.
+6. Improved the frontend display of preset chains.
+7. In download/save mode, the output format is automatically switched to Raw.
+
+## 1.4.0
+
+**Added**
+
+- Integrated some FastjsonPayload @iSafeBlue
+- Added the following Expression Injection Payloads:
+ - FreeMarker
+ - JXPath @unam4
+ - Thymeleaf @unam4
+ - Aviator @ReaJason
+ - JINJava @ReaJason
+ - Velocity @ReaJason
+- When exploit modules are generated, they automatically check if the service port is open, and if not, automatically
+ start it.
+
+**Changed**
+
+- java-chains migrated to the vulhub project.
+- Project renamed from web-chains to java-chains.
+- [class-obf](https://github.com/jar-analyzer/class-obf) obfuscation project updated from v1.4.0 to v1.5.0.
+- Removed WriteFile bytecode.
+- Removed the "delete" option from DownloadExec and WriteFileExec bytecode gadgets.
+- Gadget IP parameter now defaults to 127.0.0.1.
+
+## 1.3.1
+
+**Added**
+
+- SpringAopAspectjweaver Chain
+
+**Bugfix**
+
+- Fixed issue where Payload parameters were ineffective in version 1.3.0
+- Fixed parameter setting errors for some Gadgets
+
+**Optimization**
+
+- Improved generation speed for large packets of overlong UTF8 dirty data
+- Added support for obfuscation in secondary deserialization
+- Improved descriptions for some chains
+- Added extra information to the Context output box
+- Frontend display improvements
+- i18n
+
+## 1.3.0
+
+- [Feature] Added [SerializationDumper](https://github.com/NickstaDB/SerializationDumper) for parsing Java serialized
+ data, enabling custom modification of class SUIDs, etc.
+- [Feature] Enabled Chains plugin development. See: https://github.com/Java-Chains/chains-plugin-demo. The frontend
+ supports plugin reloading.
+- [Feature] Added Hessian2ToStringPayload; a toString chain can be triggered via `except`.
+- [Feature] The frontend now displays basic information for all Payloads and Gadgets.
+- [Feature] Added CommonsBeanutils5 Gadget, suitable for cb version 1.10.
+- [Feature] Added FakeMySQLReadPayload for file reading exploitation, compatible with `fileread_/etc/passwd` format.
+ See https://github.com/4ra1n/mysql-fake-server.
+- [Feature] The Generate module now offers a URL Encoding option.
+- [Feature] Added the `preTags` field in gadget annotations, which can be used to specify preceding chains.
+- [Feature] Synchronously updated [Class-Obf](https://github.com/jar-analyzer/class-obf) to version v1.4.0.
+- [Improvement] JNDI, JRMP, etc. modules will now provide a warning if the port is not open.
+- [Improvement] Improved frontend icon display.
+- [Improvement] Refactored backend code.
+- [Bugfix] Fixed the Groovy Jar generation issue. Fastjson Groovy Jars can now be generated through OtherPayload ->
+ GroovyJarConvert.
+
+## 1.2.4
+
+- [Feature] Synchronized update to Class-Obf v1.3.1 (https://github.com/jar-analyzer/class-obf) @4ra1n
+- [Feature] Synchronously update java-memshell-generator to version v1.0.9
+- [Feature] Added XmlDeSerPayload @unam4
+- [Feature] Added OpengaussJdbc chain @guchangan1
+- [Feature] Customize web login password, customize whether to disable authentication.
+- [Optimization] java-memshell-generator (Jmg) optimizes error message prompts; supports automatically generating random
+ string parameters to reduce signatures.
-- [功能] 支持字节码混淆,集成 Class-Obf(https://github.com/jar-analyzer/class-obf)项目 @4ra1n
-- [功能] 新增 ExpressionPayload、JDBCPayload,方便生成表达式相关Payload以及JDBC URL相关Payload @Ar3h
-- [优化] FakeMySQL日志更详细的输出 @Ar3h
-- [BUG] 修复前端展开BUG @Ar3h
+## 1.2.3
+- [Feature] Support for bytecode obfuscation, integrated with the Class-Obf project by @4ra1n
+- [Feature] Added ExpressionPayload and JDBCPayload for easier generation of expression-related Payloads and JDBC
+ URL-related Payloads by @Ar3h
+- [Improvement] Enhanced FakeMySQL logging with more detailed output by @Ar3h
+- [Bugfix] Fixed front-end expansion issue by @Ar3h
## 1.2.2
-更新内容:
-
-- [功能] 支持国际化,页面支持英文切换,登陆页面后右上角可进行切换语言 @Ar3h
-- [功能] 新增 `OneForAllEcho` Gadget,属于字节码类型,可实现Tomcat、WebLogic、Jetty、Spring环境下的一键回显 @4ra1n
-- [功能] 新增 `XMLDecoder` Payload 生成 @4ra1n
-- [新链] 新增 HutoolJndiDSFactory、hutoolSimpleDSFactory、hutoolPooledDSFactory 三条hutools相关Getter链 @unam4
-- [优化] Java反序列化支持完全 UTF8 Overlong(参考 PPPYSO 项目) @Ar3h
-- [优化] 优化前端Gadget选项提示,前端使用青色提醒Gadget存在一些不适用的情况,需要阅读详细说明后自行判断 @Ar3h
-- [优化] 拆分出 DNSLogWithInfo 链,专门用于通过DNSLog回显gadget链信息,方便在梭哈链中进行判断可用链 @Ar3h
-- [优化] 前端添加缓存,减少请求量,提高速度 @Ar3h
-- [BUG] 修复 DNSLog、DNSLogAndHttp 无法正常使用的严重BUG
-
-感谢以下用户的贡献:
-
-- Ar3h (https://github.com/Ar3h)
-- 4ra1n (https://github.com/4ra1n)
-- unam4 (https://github.com/unam4)
-
-推荐使用 Docker 一键启动
-
-## 1.2.1
-
-更新内容:
-
-- [功能] 新增 `Hessian LazyValueWithSleep` 链 @unam4
-- [功能] 新增 `TomcatEcho` 回显 (可在 `Jeg` 无法使用时使用) @匿名
-- [优化] 优化预设链的描述 @Ar3h
-- [优化] 优化 `JNDI` 相关以及部分 `Gadget` 的描述 @Ar3h
-
-感谢以下用户的贡献:
-
-- Ar3h (https://github.com/Ar3h)
-- unam4 (https://github.com/unam4)
-- 某匿名安全研究师傅
-
-使用 `java -jar java-chains.jar` 即可启动
-
-推荐使用 `docker` 一键启动
-
-## 1.2.0
-
-更新内容:
-
-- [重要] 新增预设链功能,常用链可实现一键勾选 @Ar3h
-- [重要] 所有选项和配置添加详细的描述提示信息 @Ar3h
-- [功能] 支持下载 `payload` 为文件功能 @Ar3h
-- [功能] `OtherPayload` 新增 `JMG` 格式的 `JSP` @Ar3h
-- [功能] `OtherPayload` 新增 `Java` 两种命令处理 @4ra1n
-- [BUG] 修复前端 `gadget` 参数描述信息显示异常问题 @Ar3h
-- [BUG] 修复前端部分 `payload` 传参错误搭导致无效生成 @Ar3h
-- [BUG] 修复 `JSP` 模板无法正常使用的 `BUG` @Ar3h
-- [BUG] 没有导入 `aspectj` 依赖导致部分 `gadget` 错误 @Ar3h
-- [优化] 优化部分 `gadget` 的优先级排序 @Ar3h
-- [优化] 支持展示 `jmg` 的提示输出信息 @Ar3h
-- [优化] 登录用户名固定 `admin` 仅随机登陆密码 @4ra1n
-- [优化] 安全方面删除 `security path` 功能 @4ra1n @ssrsec
-- [优化] 前端默认使用更好看的黑色主题 @Ar3h
-- [优化] 前端界面 `run` 和 `copy` 按钮位置优化 @Ar3h
-
-感谢以下用户的贡献:
-
-- Ar3h (https://github.com/Ar3h)
-- 4ra1n (https://github.com/4ra1n)
-- 说书人 (https://github.com/ssrsec)
-
-使用 `java -jar java-chains.jar` 即可启动
-
-推荐使用 `docker` 一键启动
-
-## 1.1.0
-
-更新内容:
-
-- [重要] 前端大重构和优化 @Ar3h
-- [重要] 提供 `docker` 一键启动命令 @Ar3h @4ra1n
-- [重要] 提供了从 `jar` 文件加载的简易插件系统 @Ar3h
-- [重要] 新增 `h2 without js` 全版本通杀链 @unam4
-- [功能] 基于 `spring security` 的登录功能 @springkill @4ra1n
-- [功能] 新增两种 `equals` 和 `c3p0 jndi/jdbc` 链 @unam4
-- [功能] `hessian` 新增 `groovy` 利用链 @Ar3h
-- [功能] 字节码可添加 `main` 静态入口函数 @Ar3h
-- [BUG] 无法正确显示 `favicon.ico` 图标问题 @xcxmiku
-- [优化] `server` 探测新增 `netty` 框架探测 @Ar3h
-- [优化] 高版本 `Oralce JDK` 可以使用 `BCEL` 相关 @4ra1n
-- [优化] 优化某些仅 `unix` 类型的 `gadget` 提示信息 @4ra1n
-- [优化] 格式化输出日志,为日志附加颜色 @springkill
-- [优化] 启动时检测 `java` 版本给出警告 @4ra1n
-- [优化] 优化拦截器逻辑 @ssrsec
-- [优化] 优化 `base64` 通用性 @ssrsec
-- [文档] 编写新版本使用文档 @ssrsec
-
-感谢以下用户的贡献:
-
-- Ar3h (https://github.com/Ar3h)
-- 某匿名安全研究师傅
-- unam4 (https://github.com/unam4)
-- 小晨曦 (https://github.com/xcxmiku)
-- 4ra1n (https://github.com/4ra1n)
-- springkill (https://github.com/springkill)
-- 说书人 (https://github.com/ssrsec)
-
-使用 `java -jar java-chains.jar` 即可启动(仅支持 `java 8` 环境)
-
-推荐使用 `docker` 一键启动(请参考 `README` 页面)
-
-其中 `chains-config.zip` 是补充插件,解压后放在 `jar` 同级目录即可
-
-## 1.0.0
+What's new:
+
+- [Feature] Support internationalization, the page supports English switching, and the language can be switched in the
+ upper right corner after landing on the page @Ar3h
+- [Feature] Added 'OneForAllEcho' Gadget, which is a bytecode type, which can realize one-click echo in Tomcat,
+ WebLogic, Jetty, and Spring environments @4ra1n
+- [Feature] Added 'XMLDecoder' Payload generation @4ra1n
+- [New Chain] Added three Getter chains: HutoolJndiDSFactory、hutoolSimpleDSFactory、hutoolPooledDSFactory @unam4
+- [Improve] Java deserialization support for full UTF8 overlong (see PPPYSO project) @Ar3h
+- [Optimization] Optimized the prompt of the front-end Gadget option, the front-end uses cyan to remind that Gadget is
+ not applicable to some situations, and you need to read the detailed description and make your own judgment @Ar3h
+- [Improve] Split out the DNSLogWithInfo chain, which is specially used to echo the gadget chain information through
+ DNSLog, which is convenient for judging the available chain in the stud chain @Ar3h
+- [Improve] Add cache to the front-end to reduce the number of requests and improve the speed @Ar3h
+- [BUG] Fixed the serious bug that DNSLog and DNSLogAndHttp could not be used normally
-初始开源版本
\ No newline at end of file
diff --git a/CHANGELOG.zh-cn.md b/CHANGELOG.zh-cn.md
new file mode 100644
index 0000000..4efd2bf
--- /dev/null
+++ b/CHANGELOG.zh-cn.md
@@ -0,0 +1,208 @@
+## 1.4.1
+
+**Added**
+
+1. 新增部分 fastjson payload 生成,以及 unicode 绕 waf 方案
+ @xcxmiku [参考文章](https://mp.weixin.qq.com/s?__biz=Mzg3NzczOTA3OQ==&mid=2247486066&idx=1&sn=25021413b4ca3be4037ea3819ff12bdc&chksm=cec076c7d99fce55e8eebc531a6c5e6363182ba166120fc676a4c161788ed43a5863efe57fff&mpshare=1&scene=1&srcid=0319gACpuJIZjaROthkFVH3Y&sharer_shareinfo=78b3da8cba5f6492f886dc1da02f001a&sharer_shareinfo_first=78b3da8cba5f6492f886dc1da02f001a#rd)
+2. 展示 HTTPServer 请求来源 User-Agent 值
+3. 新增文件上传参数类型,方便自定义二进制字节码文件,参考对应 Gadget: BytecodeFromUploadFile
+4. 新增 JmgCustomShellGadget,可实现注入自定义内存马
+5. 支持通过环境变量指定监听的 address
+
+**Changed**
+
+1. 移除了 CB 链中的 comparatorType 选项
+2. 日志输出参数值最多展示 200 个字符
+3. 修复拼接错误 #9
+4. 优化 Choice 选择参数的前端显示
+5. 修复自定义字节码导致的异常
+6. 优化前端预设链的显示
+7. 在下载/保存模式下,输出格式将自动切换为 Raw 格式
+
+## 1.4.0
+
+**Added**
+
+- 集成部分 FastjsonPayload @iSafeBlue
+- 添加以下表达式注入 Payload
+ - FreeMarker
+ - JXPath @unam4
+ - Thymeleaf @unam4
+ - Aviator @ReaJason
+ - JINJava @ReaJason
+ - Velocity @ReaJason
+- Exploit 模块生成时自动判断服务端口是否开放,若未开放则自动启动
+
+**Changed**
+
+- java-chains 迁移至 vulhub 项目下
+- 项目从 web-chains 更名 java-chains
+- [class-obf](https://github.com/jar-analyzer/class-obf) 混淆项目 从 v1.4.0 更新至 v1.5.0
+- 删除 WriteFile 字节码
+
+## 1.3.1
+
+**新增**
+
+- SpringAopAspectjweaver 链
+
+**Bug修复**
+
+- 修复在 1.3.0 版本中 Payload 参数不生效问题
+- 修复一些 Gadget 参数设置报错问题
+
+**优化**
+
+- 提高脏数据 overlong utf8 大包生成速度
+- 在二次反序列化中支持混淆
+- 部分链的描述
+- Context 输出框新增额外信息
+- 前端UI显示
+- i18n
+
+## 1.3.0
+
+- [功能] 新增 [SerializationDumper](https://github.com/NickstaDB/SerializationDumper) 解析Java序列化数据,并自定义修改任意类
+ SUID 等功能
+- [功能] 开放 Chains 插件编写,参考:https://github.com/Java-Chains/chains-plugin-demo ,前端支持reload重加载插件
+- [功能] 新增 Hessian2ToStringPayload,通过 except 可触发toString链
+- [功能] 前端提供展示所有 Payload、Gadget 基础信息
+- [功能] 新增 CommonsBeanutils5 Gadget,适用于 cb 1.10 版本
+- [功能] 新增 FakeMySQLReadPayload 读文件利用,同时兼容 fileread_/etc/passwd 格式
+ ,参考 https://github.com/4ra1n/mysql-fake-server
+- [功能] Generate 生成模块提供 URL Encoding 编码选项
+- [功能] gadget 注解中新增 preTags 字段,可用于指定前面的链
+- [功能] 同步更新 [Class-Obf](https://github.com/jar-analyzer/class-obf) v1.4.0 版本
+- [优化] JNDI、JRMP 等模块若端口未开放则会进行提醒
+- [优化] 前端图标展示
+- [优化] 整理后端代码
+- [Bugfix] 修复Groovy生成Jar的问题。现在可以通过 OtherPayload -> GroovyJarConvert 中生成 Fastjson Groovy Jar
+
+## 1.2.4
+
+- [功能] 同步更新 Class-Obf v1.3.1 版本 (https://github.com/jar-analyzer/class-obf) @4ra1n
+- [功能] 同步更新 java-memshell-generator(Jmg) v1.0.9 版本
+- [功能] 新增 XmlDeSerPayload @unam4
+- [功能] 新增 OpengaussJdbc 链 @guchangan1
+- [功能] 自定义web登录密码,自定义是否关闭鉴权
+- [优化] java-memshell-generator(Jmg) 优化报错提示;支持自动生成随机字符串参数,用于减少特征
+
+## 1.2.3
+
+- [功能] 支持字节码混淆,集成 Class-Obf(https://github.com/jar-analyzer/class-obf)项目 @4ra1n
+- [功能] 新增 ExpressionPayload、JDBCPayload,方便生成表达式相关Payload以及JDBC URL相关Payload @Ar3h
+- [优化] FakeMySQL日志更详细的输出 @Ar3h
+- [BUG] 修复前端展开BUG @Ar3h
+
+## 1.2.2
+
+更新内容:
+
+- [功能] 支持国际化,页面支持英文切换,登陆页面后右上角可进行切换语言 @Ar3h
+- [功能] 新增 `OneForAllEcho` Gadget,属于字节码类型,可实现Tomcat、WebLogic、Jetty、Spring环境下的一键回显 @4ra1n
+- [功能] 新增 `XMLDecoder` Payload 生成 @4ra1n
+- [新链] 新增 HutoolJndiDSFactory、hutoolSimpleDSFactory、hutoolPooledDSFactory 三条hutools相关Getter链 @unam4
+- [优化] Java反序列化支持完全 UTF8 Overlong(参考 PPPYSO 项目) @Ar3h
+- [优化] 优化前端Gadget选项提示,前端使用青色提醒Gadget存在一些不适用的情况,需要阅读详细说明后自行判断 @Ar3h
+- [优化] 拆分出 DNSLogWithInfo 链,专门用于通过DNSLog回显gadget链信息,方便在梭哈链中进行判断可用链 @Ar3h
+- [优化] 前端添加缓存,减少请求量,提高速度 @Ar3h
+- [BUG] 修复 DNSLog、DNSLogAndHttp 无法正常使用的严重BUG
+
+感谢以下用户的贡献:
+
+- Ar3h (https://github.com/Ar3h)
+- 4ra1n (https://github.com/4ra1n)
+- unam4 (https://github.com/unam4)
+
+推荐使用 Docker 一键启动
+
+## 1.2.1
+
+更新内容:
+
+- [功能] 新增 `Hessian LazyValueWithSleep` 链 @unam4
+- [功能] 新增 `TomcatEcho` 回显 (可在 `Jeg` 无法使用时使用) @匿名
+- [优化] 优化预设链的描述 @Ar3h
+- [优化] 优化 `JNDI` 相关以及部分 `Gadget` 的描述 @Ar3h
+
+感谢以下用户的贡献:
+
+- Ar3h (https://github.com/Ar3h)
+- unam4 (https://github.com/unam4)
+- 某匿名安全研究师傅
+
+使用 `java -jar java-chains.jar` 即可启动
+
+推荐使用 `docker` 一键启动
+
+## 1.2.0
+
+更新内容:
+
+- [重要] 新增预设链功能,常用链可实现一键勾选 @Ar3h
+- [重要] 所有选项和配置添加详细的描述提示信息 @Ar3h
+- [功能] 支持下载 `payload` 为文件功能 @Ar3h
+- [功能] `OtherPayload` 新增 `JMG` 格式的 `JSP` @Ar3h
+- [功能] `OtherPayload` 新增 `Java` 两种命令处理 @4ra1n
+- [BUG] 修复前端 `gadget` 参数描述信息显示异常问题 @Ar3h
+- [BUG] 修复前端部分 `payload` 传参错误搭导致无效生成 @Ar3h
+- [BUG] 修复 `JSP` 模板无法正常使用的 `BUG` @Ar3h
+- [BUG] 没有导入 `aspectj` 依赖导致部分 `gadget` 错误 @Ar3h
+- [优化] 优化部分 `gadget` 的优先级排序 @Ar3h
+- [优化] 支持展示 `jmg` 的提示输出信息 @Ar3h
+- [优化] 登录用户名固定 `admin` 仅随机登陆密码 @4ra1n
+- [优化] 安全方面删除 `security path` 功能 @4ra1n @ssrsec
+- [优化] 前端默认使用更好看的黑色主题 @Ar3h
+- [优化] 前端界面 `run` 和 `copy` 按钮位置优化 @Ar3h
+
+感谢以下用户的贡献:
+
+- Ar3h (https://github.com/Ar3h)
+- 4ra1n (https://github.com/4ra1n)
+- 说书人 (https://github.com/ssrsec)
+
+使用 `java -jar java-chains.jar` 即可启动
+
+推荐使用 `docker` 一键启动
+
+## 1.1.0
+
+更新内容:
+
+- [重要] 前端大重构和优化 @Ar3h
+- [重要] 提供 `docker` 一键启动命令 @Ar3h @4ra1n
+- [重要] 提供了从 `jar` 文件加载的简易插件系统 @Ar3h
+- [重要] 新增 `h2 without js` 全版本通杀链 @unam4
+- [功能] 基于 `spring security` 的登录功能 @springkill @4ra1n
+- [功能] 新增两种 `equals` 和 `c3p0 jndi/jdbc` 链 @unam4
+- [功能] `hessian` 新增 `groovy` 利用链 @Ar3h
+- [功能] 字节码可添加 `main` 静态入口函数 @Ar3h
+- [BUG] 无法正确显示 `favicon.ico` 图标问题 @xcxmiku
+- [优化] `server` 探测新增 `netty` 框架探测 @Ar3h
+- [优化] 高版本 `Oralce JDK` 可以使用 `BCEL` 相关 @4ra1n
+- [优化] 优化某些仅 `unix` 类型的 `gadget` 提示信息 @4ra1n
+- [优化] 格式化输出日志,为日志附加颜色 @springkill
+- [优化] 启动时检测 `java` 版本给出警告 @4ra1n
+- [优化] 优化拦截器逻辑 @ssrsec
+- [优化] 优化 `base64` 通用性 @ssrsec
+- [文档] 编写新版本使用文档 @ssrsec
+
+感谢以下用户的贡献:
+
+- Ar3h (https://github.com/Ar3h)
+- 某匿名安全研究师傅
+- unam4 (https://github.com/unam4)
+- 小晨曦 (https://github.com/xcxmiku)
+- 4ra1n (https://github.com/4ra1n)
+- springkill (https://github.com/springkill)
+- 说书人 (https://github.com/ssrsec)
+
+使用 `java -jar java-chains.jar` 即可启动(仅支持 `java 8` 环境)
+
+推荐使用 `docker` 一键启动(请参考 `README` 页面)
+
+其中 `chains-config.zip` 是补充插件,解压后放在 `jar` 同级目录即可
+
+## 1.0.0
+
+初始开源版本
\ No newline at end of file
diff --git a/CHANGELOG_EN.md b/CHANGELOG_EN.md
deleted file mode 100644
index cee00c5..0000000
--- a/CHANGELOG_EN.md
+++ /dev/null
@@ -1,25 +0,0 @@
-## 1.2.3
-
-- [Feature] Support for bytecode obfuscation, integrated with the Class-Obf project by @4ra1n
-- [Feature] Added ExpressionPayload and JDBCPayload for easier generation of expression-related Payloads and JDBC URL-related Payloads by @Ar3h
-- [Improvement] Enhanced FakeMySQL logging with more detailed output by @Ar3h
-- [Bugfix] Fixed front-end expansion issue by @Ar3h
-
-## 1.2.2
-
-What's new:
-
-- [Feature] Support internationalization, the page supports English switching, and the language can be switched in the
- upper right corner after landing on the page @Ar3h
-- [Feature] Added 'OneForAllEcho' Gadget, which is a bytecode type, which can realize one-click echo in Tomcat,
- WebLogic, Jetty, and Spring environments @4ra1n
-- [Feature] Added 'XMLDecoder' Payload generation @4ra1n
-- [New Chain] Added three Getter chains: HutoolJndiDSFactory、hutoolSimpleDSFactory、hutoolPooledDSFactory @unam4
-- [Improve] Java deserialization support for full UTF8 overlong (see PPPYSO project) @Ar3h
-- [Optimization] Optimized the prompt of the front-end Gadget option, the front-end uses cyan to remind that Gadget is
- not applicable to some situations, and you need to read the detailed description and make your own judgment @Ar3h
-- [Improve] Split out the DNSLogWithInfo chain, which is specially used to echo the gadget chain information through
- DNSLog, which is convenient for judging the available chain in the stud chain @Ar3h
-- [Improve] Add cache to the front-end to reduce the number of requests and improve the speed @Ar3h
-- [BUG] Fixed the serious bug that DNSLog and DNSLogAndHttp could not be used normally
-
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..e95b181
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,12 @@
+FROM eclipse-temurin:8u432-b06-jdk-jammy
+
+RUN addgroup --system appgroup && adduser --system appuser --ingroup appgroup
+
+WORKDIR /chains
+
+COPY --chown=appuser:appgroup java-chains.jar /chains/java-chains.jar
+COPY --chown=appuser:appgroup chains-config/ /chains/chains-config/
+
+USER appuser
+
+CMD ["java","-jar","-Xms512m","-Xmx2g","-XX:+UseG1GC","/chains/java-chains.jar"]
\ No newline at end of file
diff --git a/README.md b/README.md
index 52ebcb6..a23bf02 100644
--- a/README.md
+++ b/README.md
@@ -1,128 +1,44 @@
-
-Web Chains
+English | 简体中文
+Java Chains
-`Web-Chains` 项目,又名 `Java-Chains` 项目,我们站在巨人肩膀上,致力于打造最强的 `Java` 安全研究领域的瑞士军刀
+`Java-Chains` is a Java Payload generation and vulnerability exploitation web platform, designed to facilitate security
+researchers in quickly generating Java Payloads and conveniently and rapidly testing vulnerabilities such as JNDI
+injection, MySQL JDBC deserialization, and JRMP deserialization. It aims to improve testing efficiency to a certain
+extent.
+
+> Standing on the shoulders of giants
-## 介绍
-
-`Web-Chains` 含有六大模块:
-
-1. `Generate`: 生成模块
- - `Java` 反序列化原生 `Payload` 生成
- - `Hessian1/2` 反序列化 `Payload` 生成
- - `Hessian1` 支持生成 `HessianServlet` 格式反序列化数据
- - `Shiro` 数据生成(自定义 `KEY` 使用 `GCM` 混淆字符等)
- - `AMF3` 数据生成(基于原生数据多种进阶组合)
- - `XStream` 数据生成(基于原生数据多种进阶组合)
- - `BCEL` 字节码生成(直接执行命令,内存马生成,回显生成,探测字节码,读写文件)
- - `Class` 字节码生成(直接执行命令,内存马生成,回显生成,探测字节码,读写文件)
- - 多种数据库 JDBC Payload 生成(`Derby` | `H2` | `PostgreSql` | `Sqlite`)
- - `SnakeYAML/SpringBeanXML/Velocity/OGNL/MVEL/SPEL/JS/GROOVY`
- - Java反序列化、Hessian反序列化支持以下混淆方式:
- - 随机集合混淆
- - 垃圾类插入
- - 去除字节码符号信息
- - `TC_RESET` 填充,仅适用于Java反序列化
- - `UTF-8 Overlong Encoding` 混淆
- - 一些高级选项:
- - 自定义类名/定义字节码版本,支持使用 Class-Obf 进行字节码混淆
- - 选择 `Commons Beanutils` 链的多种 `comparator` 类型
- - 支持生成 `TemplatesImpl` 格式
- - 支持生成 `SnakeYaml Jar` 格式
- - 支持生成 `Fastjson Groovy` 格式
- - 支持生成 `JavaWrapper` 格式
- - 支持生成 `charsets.jar` 格式
- - 支持增强魔改版 `JMG/JEG` 格式 (java echo generator, java memshell generator)
-2. JNDI: JNDI 注入利用模块
- - `JndiBasicPayload`: LDAP 远程加载字节码
- - `JndiDeserializationPayload`: LDAP 中基于 javaSerializedData 字段实现的反序列化
- - `JndiResourceRefPayload`: LDAP 基于 BeanFactory 的 Tomcat EL、Groovy等利用
- - `JndiReferencePayload`: LDAP 基于其他 ObjectFactory 的Reference利用,例如各种DataSource JDBC利用
- - `JndiRMIDeserializePayload`: LDAP 高版本 JDK 绕过之RMI反序列化
- - `JndiRefBypassPayload`: LDAP 高版本 JDK 绕过之ReferenceBypass
- - `JndiShowHandPayload`: JNDI梭哈链,一键测试常规利用链,提高测试效率
-3. `Fake MySQL`
- - `FakeMysqlPayload`: 经典 MySQL JDBC 反序列化利用姿势
- - `FakeMysqlShowHandPayload`: FakeMySQL梭哈链,一键测试常规反序列化链,提高测试效率
-4. `JRMPListener`
- - 可配合 JRMPClient 反序列化链实现RMI低版本的绕过
-5. `TCP Server`
- - 一个简易的 TCP Server,可以将生成的Payload文件挂载到TCP端口服务上
- - 适用于 Derby 反序列化 RCE 场景,可直接通过tcp端口获取反序列化数据
-6. `HTTP Server`
- - 一个简易的HTTP服务器,将生成的Payload文件挂载到HTTP端口服务上
- - 适用于 postgresql 远程加载 SpringBeanXML 文件等场景
-
-## 快速开始
-
-**特别注意:我们只对 8011 端口进行了保护,需要登陆后访问,其他端口可能存在被反制的风险,请自行注意**
-
-### 方式一:Docker
-
-你可以通过 `docker` 一条命令启动 `web-chains` 项目(这也是推荐做法)
-
-```shell
-docker run -d \
- --name web-chains \
- --restart=always \
- -p 8011:8011 \
- -p 58080:58080 \
- -p 50389:50389 \
- -p 50388:50388 \
- -p 13999:13999 \
- -p 3308:3308 \
- -p 11527:11527 \
- -p 50000:50000 \
- javachains/webchains:1.2.3
-```
-
-生成功能仅使用 `8011` 端口即可,其他端口为 `exploit` 模块使用
-
-请使用以下命令获得随机生成的强密码
-
-```shell
-docker logs $(docker ps | grep javachains/webchains | awk '{print $1}') | grep -E 'password'
-```
-
-输出示例
-
-```text
-11-12 06:59:53.301 INFO [main] c.a.c.w.c.SecurityConfig | | password: XSsWerJFGcCjB8FU
-```
-
-访问 `http://your-ip:8011` 即可(使用这里的用户名密码登录)
-
-### 方式二:Jar包启动
-
-使用 `java -jar web-chains-v1.2.3.jar` 即可启动
-
-## 详细使用
-
-详细使用文档:https://www.yuque.com/shenjingwa-leuvd/wpqdhf/eekyvau9fcblzzt0
-
-## 更新内容
+## Get started quickly
+
+https://java-chains.vulhub.org/docs/guide
+
+## Updated content
[CHANGELOG.md](./CHANGELOG.md)
-## 参考和致谢
+## References and acknowledgments
-仅支持个人研究学习,切勿用于非法犯罪活动。
+It only supports personal research and learning, and should never be used for illegal and criminal activities.
-本项目的开发者、提供者和维护者不对使用者使用工具的行为和后果负责,工具的使用者应自行承担风险。
+The developers, providers and maintainers of the project are not responsible for the actions and consequences of the
+user's use of the tool, and the user of the tool shall do so at their own risk.
-参考致谢:
+Acknowledgments:
- https://github.com/wh1t3p1g/ysomap
- https://github.com/qi4L/JYso
@@ -139,17 +55,14 @@ docker logs $(docker ps | grep javachains/webchains | awk '{print $1}') | grep -
- https://github.dev/LxxxSec/CTF-Java-Gadget
- https://github.com/pen4uin/java-memshell-generator
- https://github.com/pen4uin/java-echo-generator
+- https://github.com/NickstaDB/SerializationDumper
- https://xz.aliyun.com/t/5381
- http://rui0.cn/archives/1408
-## 交流
+## Communication
-交流群请扫码
-
-
- 
-
+If you have any questions, please feel free to send issus
## Star History
-[](https://star-history.com/#java-chains/web-chains&Date)
+[](https://star-history.com/#vulhub/java-chains&Date)
diff --git a/README.zh-cn.md b/README.zh-cn.md
new file mode 100644
index 0000000..9049f67
--- /dev/null
+++ b/README.zh-cn.md
@@ -0,0 +1,62 @@
+
+Java Chains
+
+
+`Java-Chains` 是一个 Java Payload 生成与漏洞利用 Web 平台,便于广大安全研究员快速生成 Java Payload,以及对
+JNDI 注入、MySQL JDBC 反序列化、JRMP 反序列化等漏洞进行方便快速测试,能够在一定程度上提高测试效率。
+
+> 站在巨人肩膀上
+
+
+ 
+
+
+## 快速开始
+
+https://java-chains.vulhub.org/zh/docs/guide
+
+## 更新内容
+
+[CHANGELOG.zh-cn.md](./CHANGELOG.zh-cn.md)
+
+## 参考和致谢
+
+仅支持个人研究学习,切勿用于非法犯罪活动。
+
+本项目的开发者、提供者和维护者不对使用者使用工具的行为和后果负责,工具的使用者应自行承担风险。
+
+参考致谢:
+
+- https://github.com/wh1t3p1g/ysomap
+- https://github.com/qi4L/JYso
+- https://github.com/X1r0z/JNDIMap
+- https://github.com/Whoopsunix/PPPYSO
+- https://github.com/jar-analyzer/class-obf
+- https://github.com/4ra1n/mysql-fake-server
+- https://github.com/jar-analyzer/class-obf
+- https://github.com/mbechler/marshalsec
+- https://github.com/frohoff/ysoserial
+- https://github.com/H4cking2theGate/ysogate
+- https://github.com/Bl0omZ/JNDIEXP
+- https://github.com/kezibei/Urldns
+- https://github.com/rebeyond/JNDInjector
+- https://github.dev/LxxxSec/CTF-Java-Gadget
+- https://github.com/pen4uin/java-memshell-generator
+- https://github.com/pen4uin/java-echo-generator
+- https://github.com/NickstaDB/SerializationDumper
+- https://xz.aliyun.com/t/5381
+- http://rui0.cn/archives/1408
+
+## Star History
+
+[](https://star-history.com/#vulhub/java-chains&Date)
diff --git a/README_EN.md b/README_EN.md
deleted file mode 100644
index 674a998..0000000
--- a/README_EN.md
+++ /dev/null
@@ -1,154 +0,0 @@
-中文 | English
-Web Chains
-
-
-The `Web-Chains` project, also known as the `Java-Chains` project, stands on the shoulders of giants and is committed to
-building the Swiss Army knife of the strongest `Java` security research
-
-
- 
-
-
-## 介绍
-
-'Web-Chains' consists of six modules:
-
-1. `Generate`: Generate modules
- - `Java` deserialization native 'Payload' generation
- - `Hessian1/2` deserializes 'Payload' generation
- - `Hessian1` supports generating deserialized data in `HessianServlet` format
- - `Shiro` data generation (custom 'KEY', use 'GCM' to obfuscate characters, etc.)
- - `AMF3` data generation (multiple advanced combinations based on native data)
- - `XStream` data generation (multiple advanced combinations based on native data)
- - `BCEL` bytecode generation (direct command execution, memory horse generation, echo generation, probe bytecode,
- read and write files)
- - `Class` bytecode generation (direct command execution, memory horse generation, echo generation, probe bytecode,
- read and write files)
- - Multiple databases JDBC Payload are generated(`Derby` | `H2` | `PostgreSql` | `Sqlite`)
- - `SnakeYAML/SpringBeanXML/Velocity/OGNL/MVEL/SPEL/JS/GROOVY`
- - Java deserialization and Hessian deserialization support the following obfuscation methods:
- - Random set obfuscation
- - Garbage class insertion
- - Removed bytecode symbol information
- - `TC_RESET` padding, which is only available for Java deserialization
- - `UTF-8 Overlong Encoding` obfuscation
- - Some advanced options:
- - Customize the class name/define the bytecode version. Support bytecode obfuscation using Class-Obf
- - Select multiple `comparator` types for the `Commons Beanutils` chain
- - Support for generating `TemplatesImpl` format
- - Support for generating `SnakeYaml Jar` format
- - Support for generating `Fastjson Groovy` format
- - Support for generating `JavaWrapper` format
- - Support for generating `charsets.jar` format
- - Support enhanced magic modification `JMG/JEG` format (java echo generator, java memshell generator)
-2. `JNDI`: JNDI Injection Utilization Module
- - `JndiBasicPayload`: LDAP remotely loads bytecode
- - `JndiDeserializationPayload`: Exploit posture for deserialization based on the javaSerializedData field in LDAP
- - `JndiResourceRefPayload`: LDAP is based on BeanFactory's Tomcat EL, Groovy, etc. utilization
- - `JndiReferencePayload`: LDAP is based on other ObjectFactory Reference exploits, such as various DataSource JDBC exploits
- - `JndiRMIDeserializePayload`: Later versions of the JDK bypass RMI deserialization
- - `JndiRefBypassPayload`: LDAP later version JDK bypasses
- - `JndiShowHandPayload`: JNDI show hand chain, one-click test routine utilization chain, improve testing efficiency
-3. `Fake MySQL`
- - `FakeMysqlPayload`: Classic MySQL JDBC deserialization leverages poses
- - `FakeMysqlShowHandPayload`: FakeMySQL show hand chain, one-click test of conventional deserialization chain, improve testing efficiency
-4. `JRMPListener`
- - It can be used with the JRMPClient deserialization chain
-5. `TCP Server`
- - A simple TCP server that can mount the generated Payload file to the TCP port service
- - It is suitable for `derby` deserialization RCE scenarios, and can obtain deserialized data directly through the tcp port
-6. `HTTP Server`
- - A simple HTTP server that mounts the generated Payload file to the HTTP port service
- - It is suitable for scenarios such as remote loading of SpringBeanXML files by postgresql
-
-## Get Started Quickly
-
-**Note: We only protect port 8011, you need to log in to access, other ports may be at risk of being countered, please pay attention to yourself**
-
-### Method 1: Docker
-
-You can start the web-chains project with a docker command (this is also recommended)
-
-```shell
-docker run -d \
- --name web-chains \
- --restart=always \
- -p 8011:8011 \
- -p 58080:58080 \
- -p 50389:50389 \
- -p 50388:50388 \
- -p 13999:13999 \
- -p 3308:3308 \
- -p 11527:11527 \
- -p 50000:50000 \
- javachains/webchains:1.2.3
-```
-
-The build function only uses the `8011` port, and the other ports are used by the `exploit` module
-
-Please use the following command to get a randomly generated strong password
-
-```shell
-docker logs $(docker ps | grep javachains/webchains | awk '{print $1}') | grep -E 'password'
-```
-
-Sample output
-
-```text
-11-12 06:59:53.301 INFO [main] c.a.c.w.c.SecurityConfig | | password: XSsWerJFGcCjB8FU
-```
-
-Just visit `http://your-ip:8011` (log in with your username and password here)
-
-### Method 2: Start the JAR package
-
-Use `java -jar web-chains-v1.2.3.jar` to get started
-
-## Detailed use
-
-Detailed Documentation: https://www.yuque.com/shenjingwa-leuvd/wpqdhf/war0zkzgzg3c4bzg
-
-## Updated content
-
-[CHANGELOG_EN.md](./CHANGELOG_EN.md)
-
-## References and acknowledgments
-
-It only supports personal research and learning, and should never be used for illegal and criminal activities.
-
-The developers, providers and maintainers of the project are not responsible for the actions and consequences of the user's use of the tool, and the user of the tool shall do so at their own risk.
-
-Acknowledgments:
-
-- https://github.com/wh1t3p1g/ysomap
-- https://github.com/qi4L/JYso
-- https://github.com/X1r0z/JNDIMap
-- https://github.com/Whoopsunix/PPPYSO
-- https://github.com/jar-analyzer/class-obf
-- https://github.com/4ra1n/mysql-fake-server
-- https://github.com/mbechler/marshalsec
-- https://github.com/frohoff/ysoserial
-- https://github.com/H4cking2theGate/ysogate
-- https://github.com/Bl0omZ/JNDIEXP
-- https://github.com/kezibei/Urldns
-- https://github.com/rebeyond/JNDInjector
-- https://github.dev/LxxxSec/CTF-Java-Gadget
-- https://github.com/pen4uin/java-memshell-generator
-- https://github.com/pen4uin/java-echo-generator
-- https://xz.aliyun.com/t/5381
-- http://rui0.cn/archives/1408
-
-## Communication
-
-If you have any questions, please feel free to send issus
-
-## Star History
-
-[](https://star-history.com/#java-chains/web-chains&Date)
diff --git a/img/group.png b/img/group.png
deleted file mode 100644
index 056a758..0000000
Binary files a/img/group.png and /dev/null differ
diff --git a/img/main.png b/img/main.png
index 501a6c7..32ca9a0 100644
Binary files a/img/main.png and b/img/main.png differ
diff --git a/img/main.zh-cn.png b/img/main.zh-cn.png
new file mode 100644
index 0000000..ee2ceb8
Binary files /dev/null and b/img/main.zh-cn.png differ
diff --git a/img/main_EN.png b/img/main_EN.png
deleted file mode 100644
index c871ead..0000000
Binary files a/img/main_EN.png and /dev/null differ
diff --git a/img/zanShang.jpg b/img/zanShang.jpg
deleted file mode 100644
index bbd7a9c..0000000
Binary files a/img/zanShang.jpg and /dev/null differ
diff --git a/old/Dockerfile b/old/Dockerfile
deleted file mode 100644
index b5a263d..0000000
--- a/old/Dockerfile
+++ /dev/null
@@ -1,46 +0,0 @@
-# 使用 Ubuntu 20.04 基础镜像
-FROM ubuntu:20.04
-
-# 设置环境变量以避免交互式安装提示
-ENV DEBIAN_FRONTEND=noninteractive
-
-# 清除所有代理环境变量并设置 apt 配置禁用代理
-RUN unset http_proxy https_proxy ftp_proxy HTTP_PROXY HTTPS_PROXY FTP_PROXY && \
- echo 'Acquire::http::Proxy "false";' > /etc/apt/apt.conf.d/00proxy && \
- echo 'Acquire::https::Proxy "false";' >> /etc/apt/apt.conf.d/00proxy
-
-# 更新系统并安装必要的依赖,包括 libc6、wget
-RUN apt-get update && \
- apt-get install -y libc6 wget && \
- rm -rf /var/lib/apt/lists/*
-
-# 下载、解压 Java 安装目录
-RUN wget https://download.java.net/openjdk/jdk8u44/ri/openjdk-8u44-linux-x64.tar.gz && \
- tar -zxvf openjdk-8u44-linux-x64.tar.gz
-
-# 创建应用目录
-RUN mkdir /app && \
- mkdir /opt/java
-
-RUN mv java-se-8u44-ri /opt/java/
-
-# 设置 JAVA_HOME 环境变量
-ENV JAVA_HOME=/opt/java/java-se-8u44-ri
-ENV PATH=$JAVA_HOME/bin:$PATH
-
-
-# 设置工作目录
-WORKDIR /app
-
-# 复制 JAR 文件到容器中的 /app 目录
-COPY web-chains-1.0.0-SNAPSHOT.jar /app/
-
-# 复制配置文件目录
-COPY chains-config /app/chains-config
-
-# 暴露应用端口
-EXPOSE 8011
-
-# 启动命令,后台运行 Java 应用并输出日志
-CMD nohup java -jar /app/web-chains-1.0.0-SNAPSHOT.jar > output.log 2>&1 & \
- tail -f output.log
diff --git a/old/README.md b/old/README.md
deleted file mode 100644
index 77ee58f..0000000
--- a/old/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-## README
-
-历史的一些脚本,弃用,但保留备份
\ No newline at end of file
diff --git a/old/docker-compose.yml b/old/docker-compose.yml
deleted file mode 100644
index 41e9685..0000000
--- a/old/docker-compose.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-# docker-compose.yml
-version: '3'
-
-services:
- web-chains:
- build: ..
- ports:
- - "8011:8011"
- volumes:
- - ./chains-config:/app/chains-config
- - ./web-chains-1.0.0-SNAPSHOT.jar:/app/web-chains-1.0.0-SNAPSHOT.jar
\ No newline at end of file
-
-
+
+
+
+ 
+
+
+ 