|
1 | 1 | ## 1.3.0 |
2 | 2 |
|
3 | | -- [功能] 新增 [SerializationDumper](https://github.com/NickstaDB/SerializationDumper) 解析Java序列化数据,并自定义修改任意类 |
4 | | - SUID 等功能 |
5 | | -- [功能] 开放 Chains 插件编写,参考:https://github.com/Java-Chains/chains-plugin-demo ,前端支持reload重加载插件 |
6 | | -- [功能] 新增 Hessian2ToStringPayload,通过 except 可触发toString链 |
7 | | -- [功能] 前端提供展示所有 Payload、Gadget 基础信息 |
8 | | -- [功能] 新增 CommonsBeanutils5 Gadget,适用于 cb 1.10 版本 |
9 | | -- [功能] 新增 FakeMySQLReadPayload 读文件利用,同时兼容 fileread_/etc/passwd 格式 ,参考 https://github.com/4ra1n/mysql-fake-server |
10 | | -- [功能] Generate 生成模块提供 URL Encoding 编码选项 |
11 | | -- [功能] gadget 注解中新增 preTags 字段,可用于指定前面的链 |
12 | | -- [功能] 同步更新 [Class-Obf](https://github.com/jar-analyzer/class-obf) v1.4.0 版本 |
13 | | -- [优化] JNDI、JRMP 等模块若端口未开放则会进行提醒 |
14 | | -- [优化] 前端图标展示 |
15 | | -- [优化] 整理后端代码 |
16 | | -- [Bugfix] 修复Groovy生成Jar的问题。现在可以通过 OtherPayload -> GroovyJarConvert 中生成 Fastjson Groovy Jar |
| 3 | +- [Feature] Added [SerializationDumper](https://github.com/NickstaDB/SerializationDumper) for parsing Java serialized |
| 4 | + data, enabling custom modification of class SUIDs, etc. |
| 5 | +- [Feature] Enabled Chains plugin development. See: https://github.com/Java-Chains/chains-plugin-demo. The frontend |
| 6 | + supports plugin reloading. |
| 7 | +- [Feature] Added Hessian2ToStringPayload; a toString chain can be triggered via `except`. |
| 8 | +- [Feature] The frontend now displays basic information for all Payloads and Gadgets. |
| 9 | +- [Feature] Added CommonsBeanutils5 Gadget, suitable for cb version 1.10. |
| 10 | +- [Feature] Added FakeMySQLReadPayload for file reading exploitation, compatible with `fileread_/etc/passwd` format. |
| 11 | + See https://github.com/4ra1n/mysql-fake-server. |
| 12 | +- [Feature] The Generate module now offers a URL Encoding option. |
| 13 | +- [Feature] Added the `preTags` field in gadget annotations, which can be used to specify preceding chains. |
| 14 | +- [Feature] Synchronously updated [Class-Obf](https://github.com/jar-analyzer/class-obf) to version v1.4.0. |
| 15 | +- [Improvement] JNDI, JRMP, etc. modules will now provide a warning if the port is not open. |
| 16 | +- [Improvement] Improved frontend icon display. |
| 17 | +- [Improvement] Refactored backend code. |
| 18 | +- [Bugfix] Fixed the Groovy Jar generation issue. Fastjson Groovy Jars can now be generated through OtherPayload -> |
| 19 | + GroovyJarConvert. |
17 | 20 |
|
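Review bot: the continuation lines in this hunk (` data, enabling custom modification of class SUIDs, etc.`, ` supports plugin reloading.`, ` See https://github.com/4ra1n/mysql-fake-server.`) are indented by a single space, which Markdown only tolerates as lazy continuation; the removed `- SUID 等功能` line shows exactly how such a wrap degrades into a stray bullet once the indent is lost, so keep each entry on one line or indent continuations by two spaces under the bullet. `Synchronously updated [Class-Obf] to version v1.4.0` doubles the version marker; `Updated the bundled Class-Obf to v1.4.0` is clearer. The Hessian2ToStringPayload entry says a toString chain "can be triggered via `except`" without saying what `except` is (a payload option? a class name?); name it as the option it refers to so the reader can find it in the UI.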
18 | 21 | ## 1.2.4 |
19 | 22 |
|
20 | | -- [功能] 同步更新 Class-Obf v1.3.1 版本 (https://github.com/jar-analyzer/class-obf) @4ra1n |
21 | | -- [功能] 同步更新 java-memshell-generator(Jmg) v1.0.9 版本 |
22 | | -- [功能] 新增 XmlDeSerPayload @unam4 |
23 | | -- [功能] 新增 OpengaussJdbc 链 @guchangan1 |
24 | | -- [功能] 自定义web登录密码,自定义是否关闭鉴权 |
25 | | -- [优化] java-memshell-generator(Jmg) 优化报错提示;支持自动生成随机字符串参数,用于减少特征 |
| 23 | +- [Feature] Synchronized update to Class-Obf v1.3.1 (https://github.com/jar-analyzer/class-obf) @4ra1n |
| 24 | +- [Feature] Synchronously update java-memshell-generator to version v1.0.9 |
| 25 | +- [Feature] Added XmlDeSerPayload @unam4 |
| 26 | +- [Feature] Added OpengaussJdbc chain @guchangan1 |
| 27 | +- [Feature] Customize web login password, customize whether to disable authentication. |
| 28 | +- [Optimization] java-memshell-generator (Jmg) optimizes error message prompts; supports automatically generating random |
| 29 | + string parameters to reduce signatures. |
26 | 30 |
|
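Review bot: the tag `[Optimization]` on the java-memshell-generator line conflicts with `[Improvement]` used for the same category in the 1.3.0 section of this same diff; pick one label for the whole file. The two update lines also mix tense and drop the alias: `Synchronized update to Class-Obf v1.3.1` versus `Synchronously update java-memshell-generator to version v1.0.9`, while the removed line carried `java-memshell-generator(Jmg)` and the `(Jmg)` alias is then used unexplained two lines later. The entry `Customize web login password, customize whether to disable authentication.` states neither the default (authentication on or off) nor the setting that controls it; since the tool serves a payload-generation UI, the changelog should say that authentication stays enabled unless explicitly turned off and name the option.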
27 | 31 | ## 1.2.3 |
28 | 32 |
|
29 | | -- [功能] 支持字节码混淆,集成 Class-Obf(https://github.com/jar-analyzer/class-obf)项目 @4ra1n |
30 | | -- [功能] 新增 ExpressionPayload、JDBCPayload,方便生成表达式相关Payload以及JDBC URL相关Payload @Ar3h |
31 | | -- [优化] FakeMySQL日志更详细的输出 @Ar3h |
32 | | -- [BUG] 修复前端展开BUG @Ar3h |
33 | | - |
| 33 | +- [Feature] Support for bytecode obfuscation, integrated with the Class-Obf project by @4ra1n |
| 34 | +- [Feature] Added ExpressionPayload and JDBCPayload for easier generation of expression-related Payloads and JDBC |
| 35 | + URL-related Payloads by @Ar3h |
| 36 | +- [Improvement] Enhanced FakeMySQL logging with more detailed output by @Ar3h |
| 37 | +- [Bugfix] Fixed front-end expansion issue by @Ar3h |
34 | 38 |
|
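Review bot: the translated line `[Feature] Support for bytecode obfuscation, integrated with the Class-Obf project by @4ra1n` drops the URL `https://github.com/jar-analyzer/class-obf` that the removed Chinese line carried; keep the link, as the other sections do. Attribution style also differs here (`by @Ar3h`) from the bare `@Ar3h` used in the surrounding sections.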
35 | 39 | ## 1.2.2 |
36 | 40 |
|
37 | | -更新内容: |
38 | | - |
39 | | -- [功能] 支持国际化,页面支持英文切换,登陆页面后右上角可进行切换语言 @Ar3h |
40 | | -- [功能] 新增 `OneForAllEcho` Gadget,属于字节码类型,可实现Tomcat、WebLogic、Jetty、Spring环境下的一键回显 @4ra1n |
41 | | -- [功能] 新增 `XMLDecoder` Payload 生成 @4ra1n |
42 | | -- [新链] 新增 HutoolJndiDSFactory、hutoolSimpleDSFactory、hutoolPooledDSFactory 三条hutools相关Getter链 @unam4 |
43 | | -- [优化] Java反序列化支持完全 UTF8 Overlong(参考 PPPYSO 项目) @Ar3h |
44 | | -- [优化] 优化前端Gadget选项提示,前端使用青色提醒Gadget存在一些不适用的情况,需要阅读详细说明后自行判断 @Ar3h |
45 | | -- [优化] 拆分出 DNSLogWithInfo 链,专门用于通过DNSLog回显gadget链信息,方便在梭哈链中进行判断可用链 @Ar3h |
46 | | -- [优化] 前端添加缓存,减少请求量,提高速度 @Ar3h |
47 | | -- [BUG] 修复 DNSLog、DNSLogAndHttp 无法正常使用的严重BUG |
48 | | - |
49 | | -感谢以下用户的贡献: |
50 | | - |
51 | | -- Ar3h (https://github.com/Ar3h) |
52 | | -- 4ra1n (https://github.com/4ra1n) |
53 | | -- unam4 (https://github.com/unam4) |
54 | | - |
55 | | -推荐使用 Docker 一键启动 |
56 | | - |
57 | | -## 1.2.1 |
58 | | - |
59 | | -更新内容: |
60 | | - |
61 | | -- [功能] 新增 `Hessian LazyValueWithSleep` 链 @unam4 |
62 | | -- [功能] 新增 `TomcatEcho` 回显 (可在 `Jeg` 无法使用时使用) @匿名 |
63 | | -- [优化] 优化预设链的描述 @Ar3h |
64 | | -- [优化] 优化 `JNDI` 相关以及部分 `Gadget` 的描述 @Ar3h |
65 | | - |
66 | | -感谢以下用户的贡献: |
67 | | - |
68 | | -- Ar3h (https://github.com/Ar3h) |
69 | | -- unam4 (https://github.com/unam4) |
70 | | -- 某匿名安全研究师傅 |
71 | | - |
72 | | -使用 `java -jar java-chains.jar` 即可启动 |
73 | | - |
74 | | -推荐使用 `docker` 一键启动 |
75 | | - |
76 | | -## 1.2.0 |
77 | | - |
78 | | -更新内容: |
79 | | - |
80 | | -- [重要] 新增预设链功能,常用链可实现一键勾选 @Ar3h |
81 | | -- [重要] 所有选项和配置添加详细的描述提示信息 @Ar3h |
82 | | -- [功能] 支持下载 `payload` 为文件功能 @Ar3h |
83 | | -- [功能] `OtherPayload` 新增 `JMG` 格式的 `JSP` @Ar3h |
84 | | -- [功能] `OtherPayload` 新增 `Java` 两种命令处理 @4ra1n |
85 | | -- [BUG] 修复前端 `gadget` 参数描述信息显示异常问题 @Ar3h |
86 | | -- [BUG] 修复前端部分 `payload` 传参错误搭导致无效生成 @Ar3h |
87 | | -- [BUG] 修复 `JSP` 模板无法正常使用的 `BUG` @Ar3h |
88 | | -- [BUG] 没有导入 `aspectj` 依赖导致部分 `gadget` 错误 @Ar3h |
89 | | -- [优化] 优化部分 `gadget` 的优先级排序 @Ar3h |
90 | | -- [优化] 支持展示 `jmg` 的提示输出信息 @Ar3h |
91 | | -- [优化] 登录用户名固定 `admin` 仅随机登陆密码 @4ra1n |
92 | | -- [优化] 安全方面删除 `security path` 功能 @4ra1n @ssrsec |
93 | | -- [优化] 前端默认使用更好看的黑色主题 @Ar3h |
94 | | -- [优化] 前端界面 `run` 和 `copy` 按钮位置优化 @Ar3h |
95 | | - |
96 | | -感谢以下用户的贡献: |
97 | | - |
98 | | -- Ar3h (https://github.com/Ar3h) |
99 | | -- 4ra1n (https://github.com/4ra1n) |
100 | | -- 说书人 (https://github.com/ssrsec) |
101 | | - |
102 | | -使用 `java -jar java-chains.jar` 即可启动 |
103 | | - |
104 | | -推荐使用 `docker` 一键启动 |
105 | | - |
106 | | -## 1.1.0 |
107 | | - |
108 | | -更新内容: |
109 | | - |
110 | | -- [重要] 前端大重构和优化 @Ar3h |
111 | | -- [重要] 提供 `docker` 一键启动命令 @Ar3h @4ra1n |
112 | | -- [重要] 提供了从 `jar` 文件加载的简易插件系统 @Ar3h |
113 | | -- [重要] 新增 `h2 without js` 全版本通杀链 @unam4 |
114 | | -- [功能] 基于 `spring security` 的登录功能 @springkill @4ra1n |
115 | | -- [功能] 新增两种 `equals` 和 `c3p0 jndi/jdbc` 链 @unam4 |
116 | | -- [功能] `hessian` 新增 `groovy` 利用链 @Ar3h |
117 | | -- [功能] 字节码可添加 `main` 静态入口函数 @Ar3h |
118 | | -- [BUG] 无法正确显示 `favicon.ico` 图标问题 @xcxmiku |
119 | | -- [优化] `server` 探测新增 `netty` 框架探测 @Ar3h |
120 | | -- [优化] 高版本 `Oralce JDK` 可以使用 `BCEL` 相关 @4ra1n |
121 | | -- [优化] 优化某些仅 `unix` 类型的 `gadget` 提示信息 @4ra1n |
122 | | -- [优化] 格式化输出日志,为日志附加颜色 @springkill |
123 | | -- [优化] 启动时检测 `java` 版本给出警告 @4ra1n |
124 | | -- [优化] 优化拦截器逻辑 @ssrsec |
125 | | -- [优化] 优化 `base64` 通用性 @ssrsec |
126 | | -- [文档] 编写新版本使用文档 @ssrsec |
127 | | - |
128 | | -感谢以下用户的贡献: |
129 | | - |
130 | | -- Ar3h (https://github.com/Ar3h) |
131 | | -- 某匿名安全研究师傅 |
132 | | -- unam4 (https://github.com/unam4) |
133 | | -- 小晨曦 (https://github.com/xcxmiku) |
134 | | -- 4ra1n (https://github.com/4ra1n) |
135 | | -- springkill (https://github.com/springkill) |
136 | | -- 说书人 (https://github.com/ssrsec) |
137 | | - |
138 | | -使用 `java -jar java-chains.jar` 即可启动(仅支持 `java 8` 环境) |
139 | | - |
140 | | -推荐使用 `docker` 一键启动(请参考 `README` 页面) |
141 | | - |
142 | | -其中 `chains-config.zip` 是补充插件,解压后放在 `jar` 同级目录即可 |
143 | | - |
144 | | -## 1.0.0 |
| 41 | +What's new: |
| 42 | + |
| 43 | +- [Feature] Support internationalization, the page supports English switching, and the language can be switched in the |
| 44 | + upper right corner after landing on the page @Ar3h |
| 45 | +- [Feature] Added 'OneForAllEcho' Gadget, which is a bytecode type, which can realize one-click echo in Tomcat, |
| 46 | + WebLogic, Jetty, and Spring environments @4ra1n |
| 47 | +- [Feature] Added 'XMLDecoder' Payload generation @4ra1n |
| 48 | +- [New Chain] Added three Getter chains: HutoolJndiDSFactory、hutoolSimpleDSFactory、hutoolPooledDSFactory @unam4 |
| 49 | +- [Improve] Java deserialization support for full UTF8 overlong (see PPPYSO project) @Ar3h |
| 50 | +- [Optimization] Optimized the prompt of the front-end Gadget option, the front-end uses cyan to remind that Gadget is |
| 51 | + not applicable to some situations, and you need to read the detailed description and make your own judgment @Ar3h |
| 52 | +- [Improve] Split out the DNSLogWithInfo chain, which is specially used to echo the gadget chain information through |
| 53 | + DNSLog, which is convenient for judging the available chain in the stud chain @Ar3h |
| 54 | +- [Improve] Add cache to the front-end to reduce the number of requests and improve the speed @Ar3h |
| 55 | +- [BUG] Fixed the serious bug that DNSLog and DNSLogAndHttp could not be used normally |
145 | 56 |
|
146 | | -初始开源版本 |
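Review bot: this hunk deletes the 1.2.1, 1.2.0, 1.1.0 and 1.0.0 sections (from `-## 1.2.1` through `-初始开源版本`) and the 1.2.2 contributor credits and Docker note without any `+` counterpart, so the translation silently loses release history; either translate those sections or leave them in place untranslated. Within the 1.2.2 entries that were translated: the Chinese enumeration comma survives in `HutoolJndiDSFactory、hutoolSimpleDSFactory、hutoolPooledDSFactory`; `'OneForAllEcho'` and `'XMLDecoder'` use single quotes where the removed lines used backticks; `stud chain` is a mistranslation of 梭哈链 (the all-in preset that selects every chain, as used for `DNSLogWithInfo`); `after landing on the page` should read `after logging in` (登陆页面后); and the tags `[Improve]`, `[Optimization]` and `[BUG]` should be normalized to the labels used in the 1.3.0 section. The `What's new:` header is kept only for this section, so either add it to the others or drop it here.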