1.4.1

ChangeLog

Added

1. Added partial fastjson payload generation capabilities and a Unicode-based WAF bypass technique by
   @xcxmiku. Reference article
2. Display the User-Agent value of incoming HTTPServer requests.
3. Introduced a file upload parameter type to facilitate the customization of binary bytecode files. Refer to the
   corresponding Gadget: BytecodeFromUploadFile.
4. Introduced JmgCustomShellGadget, enabling the injection of custom memory shells.
5. Added support for specifying the listening address through environment variables.

Changed

1. Removed the comparatorType option from the CB chain.
2. Parameter values in log outputs are now displayed with a maximum length of 200 characters.
3. Fixed a concatenation error (#9).
4. Improved the frontend display of "Choice" selection parameters.
5. Fixed an exception related to custom bytecode.
6. Improved the frontend display of preset chains.
7. In download/save mode, the output format is automatically switched to Raw.

中文 CHANGELOG

https://github.com/vulhub/java-chains/blob/main/CHANGELOG.zh-cn.md

Start

Docker

docker run -d \
  --name java-chains \
  --restart=always \
  -p 8011:8011 \
  -p 58080:58080 \
  -p 50389:50389 \
  -p 50388:50388 \
  -p 3308:3308 \
  -p 13999:13999 \
  -p 50000:50000 \
  -p 11527:11527 \
  -e CHAINS_AUTH=true \
  -e CHAINS_PASS= \
  javachains/javachains:1.4.1

Jar

only support JDK8

java -jar java-chains-1.4.1.jar

1.4.0

Added

• Integrated some FastjsonPayload @iSafeBlue
• Added the following Expression Injection Payloads:
  • FreeMarker
  • JXPath @unam4
  • Thymeleaf @unam4
  • Aviator @ReaJason
  • JINJava @ReaJason
  • Velocity @ReaJason
• When exploit modules are generated, they automatically check if the service port is open, and if not, automatically
  start it.

Changed

• java-chains migrated to the vulhub project.
• Project renamed from web-chains to java-chains.
• class-obf obfuscation project updated from v1.4.0 to v1.5.0.
• Removed WriteFile bytecode.
• Removed the "delete" option from DownloadExec and WriteFileExec bytecode gadgets.
• Gadget IP parameter now defaults to 127.0.0.1.

中文 CHANGELOG

https://github.com/vulhub/java-chains/blob/main/CHANGELOG.zh-cn.md

1.3.1

Added

• SpringAopAspectjweaver Chain

Bugfix

• Fixed issue where Payload parameters were ineffective in version 1.3.0
• Fixed parameter setting errors for some Gadgets

Optimization

• Improved generation speed for large packets of overlong UTF8 dirty data
• Added support for obfuscation in secondary deserialization
• Improved descriptions for some chains
• Added extra information to the Context output box
• Frontend display improvements
• i18n

简体中文: https://github.com/Java-Chains/web-chains/blob/main/CHANGELOG.zh-cn.md

v1.3.0

1k Star 达成，感谢大哥们的支持
更新内容：

• [功能] 新增 SerializationDumper 解析Java序列化数据，并自定义修改任意类
  SUID 等功能
• [功能] 开放 Chains 插件编写，参考：https://github.com/Java-Chains/chains-plugin-demo ，前端支持reload重加载插件
• [功能] 新增 Hessian2ToStringPayload，通过 except 可触发toString链
• [功能] 前端提供展示所有 Payload、Gadget 基础信息
• [功能] 新增 CommonsBeanutils5 Gadget，适用于 cb 1.10 版本
• [功能] 新增 FakeMySQLReadPayload 读文件利用，同时兼容 fileread_/etc/passwd 格式 ，参考 https://github.com/4ra1n/mysql-fake-server
• [功能] Generate 生成模块提供 URL Encoding 编码选项
• [功能] gadget 注解中新增 preTags 字段，可用于指定前面的链
• [功能] 同步更新 Class-Obf v1.4.0 版本
• [优化] JNDI、JRMP 等模块若端口未开放则会进行提醒
• [优化] 前端图标展示
• [优化] 整理后端代码
• [Bugfix] 修复Groovy生成Jar的问题。现在可以通过 OtherPayload -> GroovyJarConvert 中生成 Fastjson Groovy Jar

What's new:

• [Feature] Added SerializationDumper for parsing Java serialized data, enabling custom modification of class SUIDs, etc.
• [Feature] Enabled Chains plugin development. See: https://github.com/Java-Chains/chains-plugin-demo. The frontend supports plugin reloading.
• [Feature] Added Hessian2ToStringPayload; a toString chain can be triggered via except.
• [Feature] The frontend now displays basic information for all Payloads and Gadgets.
• [Feature] Added CommonsBeanutils5 Gadget, suitable for cb version 1.10.
• [Feature] Added FakeMySQLReadPayload for file reading exploitation, compatible with fileread_/etc/passwd format. See https://github.com/4ra1n/mysql-fake-server.
• [Feature] The Generate module now offers a URL Encoding option.
• [Feature] Added the preTags field in gadget annotations, which can be used to specify preceding chains.
• [Feature] Synchronously updated Class-Obf to version v1.4.0.
• [Improvement] JNDI, JRMP, etc. modules will now provide a warning if the port is not open.
• [Improvement] Improved frontend icon display.
• [Improvement] Refactored backend code.
• [Bugfix] Fixed the Groovy Jar generation issue. Fastjson Groovy Jars can now be generated through OtherPayload -> GroovyJarConvert.

v1.2.4

更新内容：

• [功能] 同步更新 Class-Obf v1.3.1 版本 (https://github.com/jar-analyzer/class-obf) @4ra1n
• [功能] 同步更新 java-memshell-generator(Jmg) v1.0.9 版本
• [功能] 新增 XmlDeSerPayload @unam4
• [功能] 新增 OpengaussJdbc 链 @guchangan1
• [功能] 支持自定义web登录密码，以及是否关闭鉴权
• [优化] java-memshell-generator(Jmg) 优化报错提示；支持自动生成随机字符串参数，用于减少特征

What's new:

• [Feature] Synchronized update to Class-Obf v1.3.1 (https://github.com/jar-analyzer/class-obf) @4ra1n
• [Feature] Synchronously update java-memshell-generator to version v1.0.9
• [Feature] Added XmlDeSerPayload @unam4
• [Feature] Added OpengaussJdbc chain @guchangan1
• [Feature] Customize web login password, customize whether to disable authentication.
• [Optimization] java-memshell-generator (Jmg) optimizes error message prompts; supports automatically generating random string parameters to reduce signatures.

v1.2.3

更新内容：

• [功能] 支持字节码混淆，集成 https://github.com/jar-analyzer/class-obf 项目 @4ra1n
• [功能] 新增 ExpressionPayload、JDBCPayload，方便生成表达式相关Payload以及JDBC URL相关Payload
• [优化] FakeMySQL日志更详细的输出
• [BUG] 修复前端展开BUG

What's new:

• [Feature] Support for bytecode obfuscation, integrated with the Class-Obf project by @4ra1n
• [Feature] Added ExpressionPayload and JDBCPayload for easier generation of expression-related Payloads and JDBC URL-related Payloads
• [Improvement] Enhanced FakeMySQL logging with more detailed output
• [Bugfix] Fixed front-end expansion issue

v1.2.2

更新内容：

• [功能] 支持国际化，页面支持英文切换，登陆页面后右上角可进行切换语言 @Ar3h
• [功能] 新增 OneForAllEcho Gadget，属于字节码类型，可实现Tomcat、WebLogic、Jetty、Spring环境下的一键回显 @4ra1n
• [功能] 新增 XMLDecoder Payload 生成 @4ra1n
• [新链] 新增 HutoolJndiDSFactory、hutoolSimpleDSFactory、hutoolPooledDSFactory 三条hutools相关Getter链 @unam4
• [优化] Java反序列化支持完全 UTF8 Overlong（参考 PPPYSO 项目） @Ar3h
• [优化] 优化前端Gadget选项提示，前端使用青色提醒Gadget存在一些不适用的情况，需要阅读详细说明后自行判断 @Ar3h
• [优化] 拆分出 DNSLogWithInfo 链，专门用于通过DNSLog回显gadget链信息，方便在梭哈链中进行判断可用链 @Ar3h
• [优化] 前端添加缓存，减少请求量，提高速度 @Ar3h
• [BUG] 修复 DNSLog、DNSLogAndHttp 无法正常使用的严重BUG

What's new:

• [Feature] Support internationalization, the page supports English switching, and the language can be switched in the upper right corner after landing on the page @Ar3h
• [Feature] Added 'OneForAllEcho' Gadget, which is a bytecode type, which can realize one-click echo in Tomcat, WebLogic, Jetty, and Spring environments @4ra1n
• [Feature] Added 'XMLDecoder' Payload generation @4ra1n
• [New Chain] Added three Getter chains: HutoolJndiDSFactory、hutoolSimpleDSFactory、hutoolPooledDSFactory @unam4
• [Improve] Java deserialization support for full UTF8 overlong (see PPPYSO project) @Ar3h
• [Optimization] Optimized the prompt of the front-end Gadget option, the front-end uses cyan to remind that Gadget is not applicable to some situations, and you need to read the detailed description and make your own judgment @Ar3h
• [Improve] Split out the DNSLogWithInfo chain, which is specially used to echo the gadget chain information through DNSLog, which is convenient for judging the available chain in the stud chain @Ar3h
• [Improve] Add cache to the front-end to reduce the number of requests and improve the speed @Ar3h
• [BUG] Fixed the serious bug that DNSLog and DNSLogAndHttp could not be used normally

感谢以下用户的贡献:
Thanks to the following users for their contributions:

• Ar3h (https://github.com/Ar3h)
• 4ra1n (https://github.com/4ra1n)
• unam4 (https://github.com/unam4)

v1.2.1

1.2.1

更新内容：

• [功能] 新增 Hessian LazyValueWithSleep 链 @unam4
• [功能] 新增 TomcatEcho 回显 (可在 Jeg 无法使用时使用) @匿名
• [优化] 优化预设链的描述 @Ar3h
• [优化] 优化 JNDI 相关以及部分 Gadget 的描述 @Ar3h

感谢以下用户的贡献:

• Ar3h (https://github.com/Ar3h)
• unam4 (https://github.com/unam4)
• 某匿名安全研究师傅

使用 java -jar java-chains.jar 即可启动

推荐使用 docker 一键启动

v1.2.0

1.2.0

更新内容：

• [重要] 新增预设链功能，常用链可实现一键勾选 @Ar3h
• [重要] 所有选项和配置添加详细的描述提示信息 @Ar3h
• [功能] 支持下载 payload 为文件功能 @Ar3h
• [功能] OtherPayload 新增 JMG 格式的 JSP @Ar3h
• [功能] OtherPayload 新增 Java 两种命令处理 @4ra1n
• [BUG] 修复前端 gadget 参数描述信息显示异常问题 @Ar3h
• [BUG] 修复前端部分 payload 传参错误搭导致无效生成 @Ar3h
• [BUG] 修复 JSP 模板无法正常使用的 BUG @Ar3h
• [BUG] 没有导入 aspectj 依赖导致部分 gadget 错误 @Ar3h
• [优化] 优化部分 gadget 的优先级排序 @Ar3h
• [优化] 支持展示 jmg 的提示输出信息 @Ar3h
• [优化] 登录用户名固定 admin 仅随机登陆密码 @4ra1n
• [优化] 安全方面删除 security path 功能 @4ra1n @ssrsec
• [优化] 前端默认使用更好看的黑色主题 @Ar3h
• [优化] 前端界面 run 和 copy 按钮位置优化 @Ar3h

感谢以下用户的贡献:

• Ar3h (https://github.com/Ar3h)
• 4ra1n (https://github.com/4ra1n)
• 说书人 (https://github.com/ssrsec)

使用 java -jar java-chains.jar 即可启动

推荐使用 docker 一键启动

v1.1.0

v1.1.0

更新内容：

• [重要] 前端大重构和优化 @Ar3h
• [重要] 提供 docker 一键启动命令 @Ar3h @4ra1n
• [重要] 提供了从 jar 文件加载的简易插件系统 @Ar3h
• [重要] 新增 h2 without js 全版本通杀链 @unam4
• [功能] 基于 spring security 的登录功能 @springkill @4ra1n
• [功能] 新增两种 equals 和 c3p0 jndi/jdbc 链 @unam4
• [功能] hessian 新增 groovy 利用链 @Ar3h
• [功能] 字节码可添加 main 静态入口函数 @Ar3h
• [BUG] 无法正确显示 favicon.ico 图标问题 @xcxmiku
• [优化] server 探测新增 netty 框架探测 @Ar3h
• [优化] 高版本 Oralce JDK 可以使用 BCEL 相关 @4ra1n
• [优化] 优化某些仅 unix 类型的 gadget 提示信息 @4ra1n
• [优化] 格式化输出日志，为日志附加颜色 @springkill
• [优化] 启动时检测 java 版本给出警告 @4ra1n
• [优化] 优化拦截器逻辑 @ssrsec
• [优化] 优化 base64 通用性 @ssrsec
• [文档] 编写新版本使用文档 @ssrsec

感谢以下用户的贡献:

• Ar3h (https://github.com/Ar3h)
• 某匿名安全研究师傅
• unam4 (https://github.com/unam4)
• 小晨曦 (https://github.com/xcxmiku)
• 4ra1n (https://github.com/4ra1n)
• springkill (https://github.com/springkill)
• 说书人 (https://github.com/ssrsec)

使用 java -jar web-chains.jar 即可启动（仅支持 java 8 环境）

推荐使用 docker 一键启动（请参考 README 页面）

其中 chains-config.zip 是补充插件，解压后放在 jar 同级目录即可