中文 | English
Web-Chains is a Java Payload generation and vulnerability exploitation web platform, designed to facilitate security
researchers in quickly generating Java Payloads and conveniently and rapidly testing vulnerabilities such as JNDI
injection, MySQL JDBC deserialization, and JRMP deserialization. It aims to improve testing efficiency to a certain
extent.
Web-Chains comprises the following six major modules:
JavaNativePayload: Java Native Deserialization Payload Generation
HessianPayload: Hessian1 Deserialization Payload Generation, supporting HessianServlet format deserialized data
Hessian2Payload: Hessian2 Deserialization Payload Generation
ShiroPayload: Shiro Payload Generation, facilitating manual generation and testing in specific environments
- Supports custom AES KEY
- Supports AES GCM mode
- Supports inserting Base64 obfuscation characters
OtherPayload
-
CharsetJarConvet: Generates charsets.jar package, suitable for file upload RCE scenarios under SpringBoot -
GroovyJarConvert: Generates fastjson-groovy.jar package, suitable for achieving RCE in high versions of Fastjson by loading specific format Jar packages via Groovy chains. -
SnakeyamlJarConvert: Generates snakeyaml.jar package, suitable for achieving RCE in SnakeYaml by loading specific format Jar packages via SPI. -
JDBCPayload: JDBC Payload Generation- H2 JDBC
- PostgresSQL
- ...
ExpressionPayload: Expression Payload Generation, essentially replacing the bytecode part in the bytecode template
with the expression. Manual implementation is recommended.
BcelConvert: BCEL format bytecode generationJsConvert: Oracle Nashorn JS expression loading bytecodeVelocityConvert: Velocity loading bytecode via bcel- ...
BytecodePayload: Bytecode Generation
- For example, can generate bytecode for command execution, Sleep, DNSLog, in-memory webshell injection, echo, middleware detection, file writing, and file downloading.
- Supports custom bytecode version
- Supports custom bytecode class name
- Supports generating TemplatesImpl bytecode format - implementing the AbstractTranslet interface
- Supports bytecode obfuscation using Class-Obf
XStreamPayload: XStream data generation, not fully tested yet, some Payloads may not be usable.
The Payloads generated by this platform support the following obfuscation scenarios:
| JavaNativePayload | HessianPayload | Hessian2Payload | |
|---|---|---|---|
| Random Collection Dirty Data Padding | ✅ | ✅ | ✅ |
| Garbage Class Padding | ✅ | ✅ | ✅ |
| UTF-8 Overlong Encoding | ✅ | ✅ | ✅ |
| TC_RESET Padding | ✅ | ❌ | ❌ |
Note: If you want to use UserCustomByteArrayFromXXX to provide custom Java serialized byte stream data for
obfuscation, currently it does not support random collection and garbage class insertion obfuscation. This is related to
the implementation of obfuscation. The specific support is as follows:
| JavaNativePayload (Custom Serialization Scenario) | |
|---|---|
| Random Collection Obfuscation | ❌ |
| Garbage Class Insertion | ❌ |
| UTF-8 Overlong Encoding | ✅ |
| TC_RESET Padding | ✅ |
Supports six exploitation techniques, plus a ShowHand chain for easy one-click testing of common chains.
JndiBasicPayload: LDAP remote bytecode loading
JndiDeserializationPayload: Deserialization based on the javaSerializedData field in LDAP
JndiResourceRefPayload: LDAP exploitation based on BeanFactory Tomcat EL, Groovy, etc.
JndiReferencePayload: LDAP Reference exploitation based on other ObjectFactories, such as various DataSource JDBC
exploits.
JndiRMIDeserializePayload: RMI deserialization to bypass high version JDK in LDAP
JndiRefBypassPayload: ReferenceBypass to bypass high version JDK in LDAP
JndiShowHandPayload: JNDI ShowHand Chain, one-click testing of common exploitation chains to improve testing
efficiency.
FakeMySQLPayload: MySQL JDBC deserialization exploitation technique
FakeMySQLReadPayload: MySQL JDBC client file read exploitation technique
FakeMySQLSHPayload: FakeMySQL deserialization ShowHand Chain, one-click testing of common deserialization chains to
improve testing efficiency.
Can be used with JRMPClient deserialization chain to bypass low versions of RMI.
A simple TCP Server that can mount generated Payload files to a TCP port. Accessing this port will return the specified content.
Suitable for Derby deserialization RCE scenarios, can directly obtain deserialization data through the TCP port.
A simple HTTP server that mounts generated Payload files to an HTTP port. Accessing the specified port will return the specified content.
Suitable for scenarios such as PostgreSQL remote loading of SpringBeanXML files.
Underlyingly calls SerializationDumper, which can parse serialized data and manually modify the serialVersionUID field of classes.
Special Note: We only provide random password login protection for port 8011 by default. Other ports may have the risk of being counter-exploited. Please remember to close the corresponding ports after using the relevant functions.
You can start the web-chains project with a single docker command (recommended approach).
docker run -d \
--name web-chains \
--restart=always \
-p 8011:8011 \
-p 58080:58080 \
-p 50389:50389 \
-p 50388:50388 \
-p 13999:13999 \
-p 3308:3308 \
-p 11527:11527 \
-p 50000:50000 \
-e CHAINS_AUTH=true \
-e CHAINS_PASS= \
javachains/webchains:1.3.0Authentication or password can be configured through environment variables;
CHAINS_AUTH: true to enable authentication, false to disable authentication. Authentication is enabled by
default.
CHAINS_PASS: Specify the web password. If this variable is empty, a random password will be generated. Random password generation is the default.
Note: Only port 8011 is required for the generation function. Other ports are used by the exploit module.
Use the following command to retrieve the randomly generated strong password from Docker:
docker logs $(docker ps | grep javachains/webchains | awk '{print $1}') | grep -E 'password'Output example:
11-12 06:59:53.301 INFO [main] c.a.c.w.c.SecurityConfig | | password: XSsWerJFGcCjB8FU
Login page: http://your-ip:8011
Use java -jar web-chains.jar to start. A randomly generated password will be printed after each startup.
Default listening address is 0.0.0.0. Login page: http://your-ip:8011 (Use the username and password here to log in).
You can set the web login password through environment variables, for example:
Linux:
export CHAINS_PASS=[your_password] && java -jar web-chains.jarWindows:
set CHAINS_PASS=[your_password] && java -jar web-chains.jarDetailed Documentation: https://www.yuque.com/shenjingwa-leuvd/wpqdhf/war0zkzgzg3c4bzg
Advantages of this tool:
- Compared to command-line tools, web interface operations are simpler and easier to use, making it convenient to generate JNDI injection, MySQL JDBC, and other test Payloads.
- Decouples and reuses various Payloads, with dynamically rendered parameter input boxes on the frontend, facilitating expansion and maintenance.
- Collects and organizes a comprehensive range of Java, Hessian, and other deserialization Payloads, integrating various tricks and obfuscation techniques.
Disadvantages (also points to be improved):
- Some less common Payload combinations may not work properly. Due to decoupling, the complexity of combinations increases, and it is currently impossible to cover and test all Payload combinations. To mitigate this, the platform provides a [Preset Chain] dropdown option above the Payload output box, offering tested chain combinations for reference. It is recommended to test less common Payload combinations in advance. If you find Payloads that do not run properly, you can submit Issues for feedback.
- Due to the need for various dependencies to generate Payloads, the project's jar package is relatively large ( 200+MB).
- Less common Payloads and Payloads with low practical value are not yet integrated.
Common questions:
Q: Why use Web instead of Java GUI?
A: Both have advantages, but I believe Web has a wider range of application scenarios. The main reason is that it is very convenient to operate on the server to generate JNDI injection and other Payloads.
It only supports personal research and learning, and should never be used for illegal and criminal activities.
The developers, providers and maintainers of the project are not responsible for the actions and consequences of the user's use of the tool, and the user of the tool shall do so at their own risk.
Acknowledgments:
- https://github.com/wh1t3p1g/ysomap
- https://github.com/qi4L/JYso
- https://github.com/X1r0z/JNDIMap
- https://github.com/Whoopsunix/PPPYSO
- https://github.com/jar-analyzer/class-obf
- https://github.com/4ra1n/mysql-fake-server
- https://github.com/mbechler/marshalsec
- https://github.com/frohoff/ysoserial
- https://github.com/H4cking2theGate/ysogate
- https://github.com/Bl0omZ/JNDIEXP
- https://github.com/kezibei/Urldns
- https://github.com/rebeyond/JNDInjector
- https://github.dev/LxxxSec/CTF-Java-Gadget
- https://github.com/pen4uin/java-memshell-generator
- https://github.com/pen4uin/java-echo-generator
- https://github.com/NickstaDB/SerializationDumper
- https://xz.aliyun.com/t/5381
- http://rui0.cn/archives/1408
If you have any questions, please feel free to send issus