Msmap
Msmap is a Memory WebShell Generator.
Install / Use
/learn @hosch3n/MsmapREADME
MSMAP
Msmap is a Memory WebShell Generator. Compatible with various Containers, Components, Encoder, WebShell / Proxy / Killer and Management Clients. 简体中文
The idea behind I, The idea behind II, The idea behind III
Function
- [x] Dynamic Menu
- [x] Automatic Compilation
- [x] Generate Script
- [ ] Lite Mode
- [ ] Graphical Interface
Container
- Java
- [x] Tomcat7
- [x] Tomcat8
- [x] Tomcat9
- [x] Tomcat10
- [x] Resin3
- [x] Resin4
- [ ] WebSphere
- [ ] GlassFish
- [x] WebLogic
- [ ] JBoss
- [x] Spring*
- [ ] Jetty
- [ ] Netty
- [x] JVM*
- .NET
- [ ] IIS
- PHP
- Python
*: SpringHandler only support for JDK8+
*: JVM Default support for Linux Tomcat 8/9, more versions can be adapted according to the advanced guide.
WebShell / Proxy / Killer
-
WebShell
- [x] CMD / SH
- [x] AntSword
- [x] JSPJS
- [x] Behinder
- [x] Godzilla
-
No need for modularity
~~Proxy: Neo-reGeorg, wsproxy~~
~~Killer: java-memshell-scanner, ASP.NET-Memshell-Scanner~~
Decoder / Decryptor / Hasher
- Decoder
- [x] Base64
- [ ] Hex
- Decryptor
- [x] XOR
- [x] RC4
- [x] AES128
- [x] AES256
- [ ] RSA
- Hasher
- [x] MD5
- [x] SHA128
- [x] SHA256
Usage
git clone git@github.com:hosch3n/msmap.git
cd msmap
python generator.py
[Warning] MUST set a unique password, Options are case sensitive.
Advanced
Edit config/environment.py
# Auto Compile
auto_build = True
# Base64 Encode Class File
b64_class = True
# Generate Script File
generate_script = True
# Compiler Absolute Path
java_compiler_path = r"~/jdk1.6.0_04/bin/javac"
dotnet_compiler_path = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
Edit gist/java/container/tomcat/servlet.py
// Servlet Path Pattern
private static String pattern = "*.xml";
If an encryption encoder is used in WsFilter, the password needs to be the same as the path (eg /passwd)
gist/java/container/jdk/javax.py with lib/servlet-api.jar can be replaced depending on the target container.
pip3 install pyperclip to support automatic copying to clipboard.
Example
<details> <summary>CMD / SH</summary>Command with Base64 Encoder | Inject Tomcat Valve
python generator.py Java Tomcat Valve Base64 CMD passwd
Type JSP with default Encoder | Inject Tomcat Valve
python generator.py Java Tomcat Valve RAW AntSword passwd
Type JSP with aes_128_ecb_pkcs7_padding_md5 Encoder | Inject Tomcat Listener
python generator.py Java Tomcat Listener AES128 AntSword passwd
Type JSP with rc_4_sha256 Encoder | Inject Tomcat Servlet
python generator.py Java Tomcat Servlet RC4 AntSword passwd
Type JSP with xor_md5 Encoder | AgentFiless Inject HttpServlet
python generator.py Java JDK JavaX XOR AntSword passwd
Type JSPJS with aes_128_ecb_pkcs7_padding_md5 Encoder | Inject Tomcat WsFilter
python generator.py Java Tomcat WsFilter AES128 JSPJS passwd
Type JSPJS with xor_md5 Encoder | Inject Spring Handler
python generator.py Java Spring Handler XOR JSPJS passwd
Type default_aes | Inject Tomcat Valve
python generator.py Java Tomcat Valve AES128 Behinder rebeyond
Type default_xor_base64 | Inject Spring Interceptor
python generator.py Java Spring Interceptor XOR Behinder rebeyond
Type JAVA_AES_BASE64 | Inject Tomcat Valve
python generator.py Java Tomcat Valve AES128 Godzilla superidol
Type JAVA_AES_BASE64 | AgentFiless Inject HttpServlet
python generator.py Java JDK JavaX AES128 Godzilla superidol
Type JAVA_AES_BASE64 | Inject Spring Handler
python generator.py Java Spring Handler AES128 Godzilla superidol
</details>
Reference
Behinder | wsMemShell | ysomap
<details> <summary>Extended Reading</summary>利用 intercetor 注入 spring 内存 webshell
基于全局储存的新思路 | Tomcat的一种通用回显方法研究
Java内存马:一种Tomcat全版本获取StandardContext的新方法
</details>