ysoserial

A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.

Results 56 ysoserial issues

1. Implements #182 by overwriting final payload bytes. Attempts to implement a cleaner override using Unsafe or Reflection failed on Object with undefined serial. Usage `-s org.apache.commons.beanutils.BeanComparator=-3490850999041592962` 2. Adding feature...

The PoolBackedDataSource class within this payload is not necessary, and it does not declare a static serialVersionUID, so it may get different serialVersionUIDs from various versions of C3P0. But the PoolBackedDataSourceBase...

https://i.blackhat.com/eu-19/Thursday/eu-19-Zhang-New-Exploit-Technique-In-Java-Deserialization-Attack.pdf

enhancement
help wanted

Docs with common troubleshooting steps.

https://afinepl.medium.com/testing-and-exploiting-java-deserialization-in-2021-e762f3e43ca2

https://rhinosecuritylabs.com/research/java-deserializationusing-ysoserial/

Topics:
- Encoding issues
- JDK version issues
- Dependency version mismatch issues
- ObjectInputFilter issues
- Command tokenization issues
- Exceptions on...

enhancement

Provide CLI parameters to allow override of serialVersionUID on a per-class basis. `java -jar ysoserial.jar -s BeanComparator=-3490850999041592962 ...` Probably fairly easy to implement by extending `ObjectOutputStream` and `ObjectStreamClass`.

enhancement

A new chain has been added to the original project

new_gadget

Use java.rmi.MarshalledObject to replace com.sun.org.apache.xalan to bypass the WebLogic blacklist

new_gadget

I found a new gadget in Wildfly, it's in the wildfly-connector component. The gadget is really simple, it performs a JNDI connection: ``` File: WildFlyDataSource.java 113: private void readObject(java.io.ObjectInputStream in)...

When running ysoserial in docker the option --tty=false should be used to avoid \0d being added before any \0a in the payload.

While I'm catching up on old additions, adding in some jython gadget chains that have been sitting around in my repo.

new_gadget