
Releases: vulhub/java-chains

Release 1.4.3

30 Nov 06:47

Changelog

🚀 New Features

  • New CLI Tool: Introduced the cli-chains command-line tool.
  • CMD Color Support: Added multi-color output support for Windows CMD (@xcxmiku).

⬆️ Improvements

  • Dependency Upgrade: Upgraded class-obf to v1.9.1, which supports custom configuration file parsing (@4ra1n).
  • Optimization: Improved the Hessian Payload descriptions.
  • Version Correction: Fixed the project version number.

🐛 Bug Fixes

  • JRMP Fix: Fixed the bug that made the JRMP module unusable in v1.4.2 (#26, @unam4).
  • Bytecode Fix: Fixed the Docbase bytecode output issue (#25).

❤️ Acknowledgements

Docker:

docker run -d \
  --name java-chains \
  --restart=always \
  -p 8011:8011 \
  -p 58080:58080 \
  -p 50389:50389 \
  -p 50388:50388 \
  -p 3308:3308 \
  -p 13999:13999 \
  -p 50000:50000 \
  -p 11527:11527 \
  -e CHAINS_AUTH=true \
  -e CHAINS_PASS= \
  javachains/javachains:1.4.3
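The Docker command above enables authentication (CHAINS_AUTH=true) but leaves CHAINS_PASS empty and publishes every port on all interfaces (Docker's default for `-p port:port`). The POSIX shell launcher below is an added example, not code from the java-chains project: it assembles the same command but refuses an empty password and publishes each port on a single bind address (127.0.0.1 by default). It assumes CHAINS_AUTH and CHAINS_PASS behave as the release notes describe; the image tag and port list are copied from the Docker section, and validate_pass, gen_pass and build_cmd are names chosen here.

```shell
#!/bin/sh
# Added example, not part of the java-chains project: a launcher that builds the
# docker run command from the release notes but refuses the empty CHAINS_PASS
# shown there and publishes every port on one bind address (127.0.0.1 by default)
# instead of on all interfaces. Assumptions: CHAINS_AUTH=true / CHAINS_PASS are
# consumed by the image as the release notes describe; image tag and port list
# are copied from the 1.4.3 Docker section.

CHAINS_IMAGE="javachains/javachains:1.4.3"
CHAINS_PORTS="8011 58080 50389 50388 3308 13999 50000 11527"

# Accept a password only if it is non-empty and at least 16 characters long.
validate_pass() {
  pass="$1"
  [ -n "$pass" ] || return 1
  [ "${#pass}" -ge 16 ] || return 1
  return 0
}

# Produce a random 32-hex-character password when the caller has none.
gen_pass() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 16
  else
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
  fi
}

# Print the full docker run command line. Arguments: bind address, password.
# Returns 1 without printing anything if the password fails validation.
build_cmd() {
  bind="${1:-127.0.0.1}"
  pass="$2"
  validate_pass "$pass" || return 1
  cmd="docker run -d --name java-chains --restart=always"
  for p in $CHAINS_PORTS; do
    # host-ip:host-port:container-port keeps the service off external interfaces
    cmd="$cmd -p ${bind}:${p}:${p}"
  done
  cmd="$cmd -e CHAINS_AUTH=true -e CHAINS_PASS=${pass} ${CHAINS_IMAGE}"
  printf '%s\n' "$cmd"
}

# Usage (commented out so the file can be sourced without side effects):
# PASS="$(gen_pass)"
# echo "Login password: $PASS"
# eval "$(build_cmd 127.0.0.1 "$PASS")"
```

The password is handed to the container through its environment, so it is visible to anyone who can run `docker inspect` on the host; treat the printed value like any other credential, and pass a different bind address as the first argument to build_cmd only when the UI genuinely has to be reachable from another machine.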

Release 1.4.2

28 Nov 14:05

Release Notes

🚀 New Features

  • New Echo Modules: Added multiple Echo chains/gadgets. Contributed by @ReaJason.
  • High JDK Support: Added multiple gadgets compatible with JDK 17+ (gadget names carry a HighJDK or HighVersion suffix). Contributed by @n1ght (https://www.n1ght.cn/).
  • Embedded JDK: The release package can bundle a JDK, allowing out-of-the-box usage.
  • Payload Generation:
    • Added FakeMySQLPipeFile generation. Contributed by @unam4.
    • Added JSF encrypted Payload generation. Contributed by @B0T1eR.
    • Added the FileUpload1 gadget. Contributed by @B0T1eR.
    • Added the Hutool MapProxy secondary deserialization gadget. Contributed by @unam4.
    • Added the FastjsonPostgreSQLJdbc gadget. Contributed by @xcxmiku.
    • Added support for generating the bytecode required for Tomcat-DocBase (triggerable via Fastjson). Contributed by @xcxmiku.
    • Added XsltOnlyJdk2 (wraps SwingLazyValue in a HashMap to fit JNDI2Hessian OnlyJDK bytecode loading). Contributed by @unam4.
  • Environment Detection: Added detection for javax_servlet and jakarta_servlet. Contributed by @B0T1eR.
  • SpringBeanXmlClassLoader: Added multiple Base64 decoding options. Contributed by @xcxmiku.

🛠 Improvements

  • JRMPListener Hardening: Improved the JRMP listener so it no longer leaks local library information. Contributed by @unam4.
  • Dependency Clarification: Clearly distinguished MchangeC3p0Reference (com.mchange:c3p0) from C3p0_C3p0Reference (c3p0:c3p0) to avoid confusion.
  • UI Update: Improved the frontend login interface.
  • OS Detection Update: Switched to java.io.UnixFileSystem / java.io.WinNTFileSystem, which are unaffected by JDK modularization. Contributed by @xcxmiku.
  • FakeMySQLPipeFile Update: Added support for custom connection usernames. Contributed by @unam4.
  • Hessian Support:
    • Added the Hessian protocol header when using HessianServlet. Contributed by @unam4.
    • Added compatibility for JNDI -> Hessian protocol headers, and payload generation for the Hessian forced-error trigger (via toString). Contributed by @unam4.
  • Class Loading Fix: Removed the deprecated status of LazyValueWithUrIClassLoader to resolve JAR loading failures caused by MethodInvokingFactoryBean being unavailable in certain Hessian versions. Contributed by @unam4.

🐛 Bug Fixes

  • Fixed an issue where a port conflict prevented the service from starting.
  • Fixed a Security Manager exception triggered in Windows environments.
  • Fixed the Hessian Utf8OverlongEncoding error. Contributed by @xcxmiku.
  • Fixed the protocol header conflict between HessianServlet and JNDI2Hessian. Contributed by @unam4.

❤️ Acknowledgments

Special thanks to the following users for reporting bugs and helping improve the project:
@Catherines77 @1diot9 @yuxianzi @Skay @jlkl @Ckmount @4ra1n @springkill

1.4.1

05 Apr 09:50
1a3c38f

ChangeLog

Added

  1. Added partial fastjson payload generation capabilities and a Unicode-based WAF bypass technique by @xcxmiku. Reference article
  2. Display the User-Agent value of incoming HTTPServer requests.
  3. Introduced a file upload parameter type to facilitate the customization of binary bytecode files. Refer to the corresponding Gadget: BytecodeFromUploadFile.
  4. Introduced JmgCustomShellGadget, enabling the injection of custom memory shells.
  5. Added support for specifying the listening address through environment variables.

Changed

  1. Removed the comparatorType option from the CB chain.
  2. Parameter values in log outputs are now displayed with a maximum length of 200 characters.
  3. Fixed a concatenation error (#9).
  4. Improved the frontend display of "Choice" selection parameters.
  5. Fixed an exception related to custom bytecode.
  6. Improved the frontend display of preset chains.
  7. In download/save mode, the output format is automatically switched to Raw.

Chinese CHANGELOG

https://github.com/vulhub/java-chains/blob/main/CHANGELOG.zh-cn.md

Start

Docker

docker run -d \
  --name java-chains \
  --restart=always \
  -p 8011:8011 \
  -p 58080:58080 \
  -p 50389:50389 \
  -p 50388:50388 \
  -p 3308:3308 \
  -p 13999:13999 \
  -p 50000:50000 \
  -p 11527:11527 \
  -e CHAINS_AUTH=true \
  -e CHAINS_PASS= \
  javachains/javachains:1.4.1

Jar

Only JDK 8 is supported.

java -jar java-chains-1.4.1.jar

1.4.0

05 Mar 17:13

Added

  • Integrated some FastjsonPayload @iSafeBlue
  • Added the following Expression Injection Payloads:
  • When exploit modules are generated, they automatically check whether the service port is open and, if not, start it automatically.

Changed

  • java-chains migrated to the vulhub project.
  • Project renamed from web-chains to java-chains.
  • class-obf obfuscation project updated from v1.4.0 to v1.5.0.
  • Removed WriteFile bytecode.
  • Removed the "delete" option from DownloadExec and WriteFileExec bytecode gadgets.
  • Gadget IP parameter now defaults to 127.0.0.1.

Chinese CHANGELOG

https://github.com/vulhub/java-chains/blob/main/CHANGELOG.zh-cn.md

1.3.1

18 Feb 12:20

Added

  • SpringAopAspectjweaver Chain

Bugfix

  • Fixed issue where Payload parameters were ineffective in version 1.3.0
  • Fixed parameter setting errors for some Gadgets

Optimization

  • Improved generation speed for large packets of overlong UTF8 dirty data
  • Added support for obfuscation in secondary deserialization
  • Improved descriptions for some chains
  • Added extra information to the Context output box
  • Frontend display improvements
  • i18n

Simplified Chinese: https://github.com/Java-Chains/web-chains/blob/main/CHANGELOG.zh-cn.md

v1.3.0

04 Feb 17:00

1k stars reached, thanks everyone for the support.

What's new:

  • [Feature] Added SerializationDumper for parsing Java serialized data, enabling custom modification of any class's SUID and more.
  • [Feature] Opened up Chains plugin development. See: https://github.com/Java-Chains/chains-plugin-demo. The frontend supports reloading plugins.
  • [Feature] Added Hessian2ToStringPayload; a toString chain can be triggered via except.
  • [Feature] The frontend now displays basic information for all Payloads and Gadgets.
  • [Feature] Added the CommonsBeanutils5 Gadget, suitable for cb version 1.10.
  • [Feature] Added FakeMySQLReadPayload for file reading, also compatible with the fileread_/etc/passwd format. See https://github.com/4ra1n/mysql-fake-server.
  • [Feature] The Generate module now offers a URL Encoding option.
  • [Feature] Added the preTags field to gadget annotations, which can be used to specify preceding chains.
  • [Feature] Updated Class-Obf to v1.4.0 in sync.
  • [Improvement] The JNDI, JRMP and similar modules now warn if their port is not open.
  • [Improvement] Improved frontend icon display.
  • [Improvement] Tidied up the backend code.
  • [Bugfix] Fixed the Groovy Jar generation issue. Fastjson Groovy Jars can now be generated via OtherPayload -> GroovyJarConvert.

v1.2.4

04 Jan 12:03

What's new:

  • [Feature] Updated Class-Obf to v1.3.1 in sync (https://github.com/jar-analyzer/class-obf) @4ra1n
  • [Feature] Updated java-memshell-generator (Jmg) to v1.0.9 in sync
  • [Feature] Added XmlDeSerPayload @unam4
  • [Feature] Added the OpengaussJdbc chain @guchangan1
  • [Feature] Added support for a custom web login password and for turning authentication off
  • [Optimization] java-memshell-generator (Jmg): improved error messages; supports automatically generated random string parameters to reduce signatures

v1.2.3

11 Dec 14:32

What's new:

  • [Feature] Support for bytecode obfuscation, integrating the https://github.com/jar-analyzer/class-obf project @4ra1n
  • [Feature] Added ExpressionPayload and JDBCPayload for easier generation of expression-related Payloads and JDBC URL-related Payloads
  • [Improvement] More detailed FakeMySQL log output
  • [Bugfix] Fixed a front-end expansion bug

v1.2.2

07 Dec 08:13

What's new:

  • [Feature] Added internationalization: the UI can be switched to English from the upper-right corner after logging in @Ar3h
  • [Feature] Added the OneForAllEcho Gadget (bytecode type), which provides one-click echo in Tomcat, WebLogic, Jetty and Spring environments @4ra1n
  • [Feature] Added XMLDecoder Payload generation @4ra1n
  • [New Chain] Added three Hutool-related Getter chains: HutoolJndiDSFactory, hutoolSimpleDSFactory, hutoolPooledDSFactory @unam4
  • [Improvement] Java deserialization now supports full UTF8 Overlong encoding (see the PPPYSO project) @Ar3h
  • [Improvement] Improved the front-end Gadget option hints: gadgets that do not apply in some situations are highlighted in cyan; read the detailed description before deciding whether to use them @Ar3h
  • [Improvement] Split out the DNSLogWithInfo chain, dedicated to reporting gadget chain information via DNSLog, which makes it easier to tell which chains are usable when running the all-in-one chain @Ar3h
  • [Improvement] Added front-end caching to reduce the number of requests and improve speed @Ar3h
  • [Bugfix] Fixed a serious bug where DNSLog and DNSLogAndHttp could not be used

Thanks to the following users for their contributions:

v1.2.1

24 Nov 15:09

What's new:

  • [Feature] Added Hessian LazyValueWithSleep @unam4
  • [Feature] Added TomcatEcho echo (usable when Jeg cannot be used) @anonymous
  • [Improvement] Improved the descriptions of the preset chains @Ar3h
  • [Improvement] Improved the descriptions of JNDI-related and some other Gadgets @Ar3h

Thanks to the following users for their contributions:

Start with java -jar java-chains.jar

Starting with Docker in a single command is recommended.