v1.2.4

Java-Chains · Jan 4, 2025 · 2b6811b · 2b6811b
1 parent 544b09c
commit 2b6811b
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 17 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,12 @@
+## 1.2.4
+
+- [功能] 同步更新 Class-Obf v1.3.1 版本 (https://github.com/jar-analyzer/class-obf) @4ra1n
+- [功能] 同步更新 java-memshell-generator(Jmg) v1.0.9 版本
+- [功能] 新增 XmlDeSerPayload @unam4
+- [功能] 新增 OpengaussJdbc 链 @guchangan1
+- [功能] 自定义web登录密码，自定义是否关闭鉴权
+- [优化] java-memshell-generator(Jmg) 优化报错提示；支持自动生成随机字符串参数，用于减少特征
+
 ## 1.2.3
 
 - [功能] 支持字节码混淆，集成 Class-Obf(https://github.com/jar-analyzer/class-obf)项目 @4ra1n

diff --git a/CHANGELOG_EN.md b/CHANGELOG_EN.md
@@ -1,3 +1,13 @@
+## 1.2.4
+
+- [Feature] Synchronized update to Class-Obf v1.3.1 (https://github.com/jar-analyzer/class-obf) @4ra1n
+- [Feature] Synchronously update java-memshell-generator to version v1.0.9
+- [Feature] Added XmlDeSerPayload @unam4
+- [Feature] Added OpengaussJdbc chain @guchangan1
+- [Feature] Customize web login password, customize whether to disable authentication.
+- [Optimization] java-memshell-generator (Jmg) optimizes error message prompts; supports automatically generating random string parameters to reduce signatures.
+
+
 ## 1.2.3
 
 - [Feature] Support for bytecode obfuscation, integrated with the Class-Obf project by @4ra1n

diff --git a/README.md b/README.md
@@ -45,7 +45,7 @@
         - 支持生成 `JavaWrapper` 格式
         - 支持生成 `charsets.jar` 格式
         - 支持增强魔改版 `JMG/JEG` 格式 （java echo generator, java memshell generator)
-2. JNDI: JNDI 注入利用模块
+2. `JNDI`: JNDI 注入利用模块
     - `JndiBasicPayload`: LDAP 远程加载字节码
     - `JndiDeserializationPayload`: LDAP 中基于 javaSerializedData 字段实现的反序列化
     - `JndiResourceRefPayload`: LDAP 基于 BeanFactory 的 Tomcat EL、Groovy等利用
@@ -85,12 +85,18 @@ docker run -d \
   -p 3308:3308 \
   -p 11527:11527 \
   -p 50000:50000 \
-  javachains/webchains:1.2.3
+  -e CHAINS_AUTH=true \
+  -e CHAINS_PASS= \
+  javachains/webchains:1.2.4
 ```
 
-生成功能仅使用 `8011` 端口即可，其他端口为 `exploit` 模块使用
+可通过环境变量配置鉴权或密码；
+**CHAINS_AUTH**: true为开启鉴权，false为关闭鉴权，默认开启鉴权
+**CHAINS_PASS**: 指定web密码，若该变量为空则随机生成密码，默认随机生成密码
 
-请使用以下命令获得随机生成的强密码
+备注：生成功能仅使用 `8011` 端口即可，其他端口为 `exploit` 模块使用
+
+使用以下命令从docker中获取随机生成的强密码
 
 ```shell
 docker logs $(docker ps | grep javachains/webchains | awk '{print $1}') | grep -E 'password'
@@ -104,9 +110,24 @@ docker logs $(docker ps | grep javachains/webchains | awk '{print $1}') | grep -
 
 访问 `http://your-ip:8011` 即可（使用这里的用户名密码登录）
 
+
 ### 方式二：Jar包启动
 
-使用 `java -jar web-chains-v1.2.3.jar` 即可启动
+使用 `java -jar web-chains.jar` 即可启动，每次启动后会打印出随机生成的密码
+
+默认监听 0.0.0.0 ，访问 `http://your-ip:8011` 即可（使用这里的用户名密码登录）
+
+可通过环境变量设置web登录密码，例如：
+
+Linux：
+```bash
+export CHAINS_PASS=[your_password] && java -jar web-chains.jar
+```
+
+Windows：
+```cmd
+set CHAINS_PASS=[your_password] && java -jar web-chains.jar
+```
 
 ## 详细使用
 
@@ -130,6 +151,7 @@ docker logs $(docker ps | grep javachains/webchains | awk '{print $1}') | grep -
 - https://github.com/Whoopsunix/PPPYSO
 - https://github.com/jar-analyzer/class-obf
 - https://github.com/4ra1n/mysql-fake-server
+- https://github.com/jar-analyzer/class-obf
 - https://github.com/mbechler/marshalsec
 - https://github.com/frohoff/ysoserial
 - https://github.com/H4cking2theGate/ysogate
@@ -142,14 +164,6 @@ docker logs $(docker ps | grep javachains/webchains | awk '{print $1}') | grep -
 - https://xz.aliyun.com/t/5381
 - http://rui0.cn/archives/1408
 
-## 交流
-
-交流群请扫码
-
-<p align="center">
-  <img src="img/group.png" width="300px">
-</p>
-
 ## Star History
 
 [![Star History Chart](https://api.star-history.com/svg?repos=java-chains/web-chains&type=Date)](https://star-history.com/#java-chains/web-chains&Date)
diff --git a/README_EN.md b/README_EN.md
@@ -88,12 +88,15 @@ docker run -d \
   -p 3308:3308 \
   -p 11527:11527 \
   -p 50000:50000 \
-  javachains/webchains:1.2.3
+  -e CHAINS_AUTH=true \
+  -e CHAINS_PASS= \
+  javachains/webchains:1.2.4
 ```
 
-The build function only uses the `8011` port, and the other ports are used by the `exploit` module
+Authentication and password can be configured via environment variables:
 
-Please use the following command to get a randomly generated strong password
+**CHAINS_AUTH**: Set to true to enable authentication, false to disable it. Authentication is enabled by default.
+**CHAINS_PASS**: Specifies the web password. If this variable is empty, a password will be generated randomly. By default, a password is generated randomly.
 
 ```shell
 docker logs $(docker ps | grep javachains/webchains | awk '{print $1}') | grep -E 'password'
@@ -109,7 +112,21 @@ Just visit `http://your-ip:8011` (log in with your username and password here)
 
 ### Method 2: Start the JAR package
 
-Use `java -jar web-chains-v1.2.3.jar` to get started
+You can start it by using java -jar web-chains.jar. After each startup, a randomly generated password will be printed.
+
+It listens on 0.0.0.0 by default. You can access it by visiting http://your-ip:8011 (use the username and password printed earlier to log in).
+
+You can set the web login password via environment variables, for example:
+
+Linux:
+```bash
+export CHAINS_PASS=[your_password] && java -jar web-chains.jar
+```
+
+Windows:
+```cmd
+set CHAINS_PASS=[your_password] && java -jar web-chains.jar
+```
 
 ## Detailed use