{"id":13577974,"url":"https://github.com/hosch3n/msmap","last_synced_at":"2025-04-05T15:32:02.805Z","repository":{"id":54527070,"uuid":"522375453","full_name":"hosch3n/msmap","owner":"hosch3n","description":"Msmap is a Memory WebShell Generator.","archived":false,"fork":false,"pushed_at":"2023-04-22T13:26:31.000Z","size":5115,"stargazers_count":557,"open_issues_count":0,"forks_count":88,"subscribers_count":13,"default_branch":"main","last_synced_at":"2024-11-05T15:48:32.255Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hosch3n.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2022-08-08T02:06:40.000Z","updated_at":"2024-11-05T14:44:16.000Z","dependencies_parsed_at":"2024-01-16T20:28:52.089Z","dependency_job_id":"a80d4429-7f11-4521-aaa4-24596267f60f","html_url":"https://github.com/hosch3n/msmap","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hosch3n%2Fmsmap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hosch3n%2Fmsmap/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hosch3n%2Fmsmap/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hosch3n%2Fmsmap/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hosch3n","download_url":"https://codeload.github.com/hosch3n/msmap/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247359078,"owners_count":20926357,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T15:01:25.898Z","updated_at":"2025-04-05T15:31:57.787Z","avatar_url":"https://github.com/hosch3n.png","language":"Python","funding_links":[],"categories":["Python","web shell、shellcode"],"sub_categories":["网络服务_其他"],"readme":"# MSMAP\n\nMsmap is a Memory WebShell Generator. Compatible with various Containers, Components, Encoder, *WebShell / Proxy / Killer* and Management Clients. [简体中文](README_CN.md)\n\n[The idea behind I](https://hosch3n.github.io/2022/08/08/Msmap%E5%86%85%E5%AD%98%E9%A9%AC%E7%94%9F%E6%88%90%E6%A1%86%E6%9E%B6%EF%BC%88%E4%B8%80%EF%BC%89/), [The idea behind II](https://hosch3n.github.io/2022/08/09/Msmap%E5%86%85%E5%AD%98%E9%A9%AC%E7%94%9F%E6%88%90%E6%A1%86%E6%9E%B6%EF%BC%88%E4%BA%8C%EF%BC%89/), [The idea behind III](https://hosch3n.github.io/2022/10/29/Msmap%E5%86%85%E5%AD%98%E9%A9%AC%E7%94%9F%E6%88%90%E6%A1%86%E6%9E%B6%EF%BC%88%E4%B8%89%EF%BC%89/)\n\n![](img/a.png)\n\n![](img/b.png)\n\n![](img/c.png)\n\n\u003cdetails\u003e\n\u003csummary\u003eFeature [WIP]\u003c/summary\u003e\n\n### Function\n\n- [x] Dynamic Menu\n- [x] Automatic Compilation\n- [x] Generate Script\n- [ ] Lite Mode\n- [ ] Graphical Interface\n\n### Container\n\n- Java\n  - [x] Tomcat7\n  - [x] Tomcat8\n  - [x] Tomcat9\n  - [x] Tomcat10\n  - [x] Resin3\n  - [x] Resin4\n  - [ ] WebSphere\n  - [ ] GlassFish\n  - [x] WebLogic\n  - [ ] JBoss\n  - [x] Spring*\n  - [ ] Jetty\n  - [ ] Netty\n  - [x] JVM*\n- .NET\n  - [ ] IIS\n- PHP\n- Python\n\n*: SpringHandler only support for JDK8+\n\n*: JVM Default support for `Linux Tomcat 8/9`, more versions can be adapted according to the advanced guide.\n\n### WebShell / Proxy / Killer\n\n- WebShell\n  - [x] CMD / SH\n  - [x] AntSword\n  - [x] JSPJS\n  - [x] Behinder\n  - [x] Godzilla\n\n- No need for modularity\n\n~~Proxy: Neo-reGeorg, wsproxy~~\n\n~~Killer: java-memshell-scanner, ASP.NET-Memshell-Scanner~~\n\n### Decoder / Decryptor / Hasher\n\n- Decoder\n  - [x] Base64\n  - [ ] Hex\n- Decryptor\n  - [x] XOR\n  - [x] RC4\n  - [x] AES128\n  - [x] AES256\n  - [ ] RSA\n- Hasher\n  - [x] MD5\n  - [x] SHA128\n  - [x] SHA256\n\n\u003c/details\u003e\n\n## Usage\n\n``` bash\ngit clone git@github.com:hosch3n/msmap.git\ncd msmap\npython generator.py\n```\n\n\u003e [Warning] MUST set a unique password, Options are case sensitive.\n\n### Advanced\n\nEdit `config/environment.py`\n\n``` python\n# Auto Compile\nauto_build = True\n\n# Base64 Encode Class File\nb64_class = True\n\n# Generate Script File\ngenerate_script = True\n\n# Compiler Absolute Path\njava_compiler_path = r\"~/jdk1.6.0_04/bin/javac\"\ndotnet_compiler_path = r\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\csc.exe\"\n```\n\nEdit `gist/java/container/tomcat/servlet.py`\n\n``` java\n// Servlet Path Pattern\nprivate static String pattern = \"*.xml\";\n```\n\nIf an encryption encoder is used in WsFilter, the password needs to be the same as the path (eg `/passwd`)\n\n`gist/java/container/jdk/javax.py` with `lib/servlet-api.jar` can be replaced depending on the target container.\n\n`pip3 install pyperclip` to support automatic copying to clipboard.\n\n## Example\n\n\u003cdetails\u003e\n\u003csummary\u003eCMD / SH\u003c/summary\u003e\n\n**Command** with **Base64** Encoder | Inject Tomcat Valve\n\n`python generator.py Java Tomcat Valve Base64 CMD passwd`\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eAntSword\u003c/summary\u003e\n\nType **JSP** with **default** Encoder | Inject Tomcat Valve\n\n`python generator.py Java Tomcat Valve RAW AntSword passwd`\n\nType **JSP** with **[aes_128_ecb_pkcs7_padding_md5](extend/AntSword/encoder/aes_128_ecb_pkcs7_padding_md5.js)** Encoder | Inject Tomcat Listener\n\n`python generator.py Java Tomcat Listener AES128 AntSword passwd`\n\nType **JSP** with **[rc_4_sha256](extend/AntSword/encoder/rc_4_sha256.js)** Encoder | Inject Tomcat Servlet\n\n`python generator.py Java Tomcat Servlet RC4 AntSword passwd`\n\nType **JSP**  with **[xor_md5](extend/AntSword/encoder/xor_md5.js)** Encoder | AgentFiless Inject HttpServlet\n\n`python generator.py Java JDK JavaX XOR AntSword passwd`\n\nType **JSPJS** with **[aes_128_ecb_pkcs7_padding_md5](extend/AntSword/encoder/aes_128_ecb_pkcs7_padding_md5.js)** Encoder | Inject Tomcat WsFilter\n\n`python generator.py Java Tomcat WsFilter AES128 JSPJS passwd`\n\nType **JSPJS** with **[xor_md5](extend/AntSword/encoder/xor_md5.js)** Encoder | Inject Spring Handler\n\n`python generator.py Java Spring Handler XOR JSPJS passwd`\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eBehinder\u003c/summary\u003e\n\nType **default_aes** | Inject Tomcat Valve\n\n`python generator.py Java Tomcat Valve AES128 Behinder rebeyond`\n\nType **default_xor_base64** | Inject Spring Interceptor\n\n`python generator.py Java Spring Interceptor XOR Behinder rebeyond`\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eGodzilla\u003c/summary\u003e\n\nType **JAVA_AES_BASE64** | Inject Tomcat Valve\n\n`python generator.py Java Tomcat Valve AES128 Godzilla superidol`\n\nType **JAVA_AES_BASE64** | AgentFiless Inject HttpServlet\n\n`python generator.py Java JDK JavaX AES128 Godzilla superidol`\n\nType **JAVA_AES_BASE64** | Inject Spring Handler\n\n`python generator.py Java Spring Handler AES128 Godzilla superidol`\n\n\u003e [Known issue](https://github.com/BeichenDream/Godzilla/issues/76)\n\n\u003c/details\u003e\n\n## Reference\n\n[GodzillaMemoryShellProject](https://github.com/BeichenDream/GodzillaMemoryShellProject)\n\n[AntSword-JSP-Template](https://github.com/AntSwordProject/AntSword-JSP-Template)\n\n[As-Exploits memshell_manage](https://github.com/yzddmr6/As-Exploits/tree/master/core/memshell_manage)\n\n[Behinder](https://github.com/rebeyond/Behinder) | [wsMemShell](https://github.com/veo/wsMemShell) | [ysomap](https://github.com/wh1t3p1g/ysomap)\n\n\u003cdetails\u003e\n\u003csummary\u003eExtended Reading\u003c/summary\u003e\n\n[利用“进程注入”实现无文件复活 WebShell](https://www.freebuf.com/articles/web/172753.html)\n\n[基于内存 Webshell 的无文件攻击技术研究](https://landgrey.me/blog/12/)\n\n[利用 intercetor 注入 spring 内存 webshell](https://landgrey.me/blog/19/)\n\n[linux下java反序列化通杀回显方法的低配版实现](https://xz.aliyun.com/t/7307)\n\n[Tomcat中一种半通用回显方法](https://xz.aliyun.com/t/7348)\n\n[基于tomcat的内存 Webshell 无文件攻击技术](https://xz.aliyun.com/t/7388)\n\n[基于全局储存的新思路 | Tomcat的一种通用回显方法研究](https://mp.weixin.qq.com/s?__biz=MzIwNDA2NDk5OQ==\u0026amp;mid=2651374294\u0026amp;idx=3\u0026amp;sn=82d050ca7268bdb7bcf7ff7ff293d7b3)\n\n[tomcat不出网回显连续剧第六集](https://xz.aliyun.com/t/7535)\n\n[中间件内存马注入\u0026冰蝎连接](https://paper.seebug.org/1441/#2mbeancontext)\n\n[Java内存马：一种Tomcat全版本获取StandardContext的新方法](https://xz.aliyun.com/t/9914)\n\n[Java内存攻击技术漫谈](https://xz.aliyun.com/t/10075)\n\n[Linux下内存马进阶植入技术](https://xz.aliyun.com/t/10186)\n\n[Spring cloud gateway通过SPEL注入内存马](https://gv7.me/articles/2022/the-spring-cloud-gateway-inject-memshell-through-spel-expressions/)\n\n[CVE-2022-22947 注入哥斯拉内存马](https://blog.wanghw.cn/tech-share/cve-2022-22947-inject-godzilla-memshell.html)\n\n[Linux下无文件Java agent探究](https://tttang.com/archive/1525/)\n\n[论如何优雅的注入Java Agent内存马](https://xz.aliyun.com/t/11640)\n\n\u003c/details\u003e","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhosch3n%2Fmsmap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhosch3n%2Fmsmap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhosch3n%2Fmsmap/lists"}