grrrdog / java-deserialization-cheat-sheet Goto Github PK

Jexboss makes automated exploitation of various deserialization problems, including: JMXInvokerServlet (since 2013), javax.faces.ViewState (and any HTTP POST parameters), RMI, Jenkins, etc.

Link: https://github.com/joaomatosf/jexboss

Videos:
Exploiting Java Deserialization Vulnerabilities (RCE) on JSF/Seam Applications with JexBoss
https://www.youtube.com/watch?v=VaLSYzEWgVE
Exploiting JBOSS with JexBoss
https://www.youtube.com/watch?v=yI54sRqFOyI

Can you consider including it in cheat-Sheet?

Thanks

If you're interested, I've published a preso focused on defense techniques for identifying and fixing Java deserialization bugs

http://blog.nibblesec.org/2016/10/defending-against-java-deserialization.html

Also, there's an example (with exploit - https://www.ikkisoft.com/stuff/SJWC_DoS.java) for JSF ViewState

Add WLT3Serial tool under Exploits->"T3 of Oracle Weblogic" section

https://github.com/Bort-Millipede/WLT3Serial

Hi, I am an information security professional from China and are following the Java tutorial to learn Java deserialization vulnerabilities. First of all thank you for your summary of this cheat sheet. This is a good work, but unfortunately only a few people noticed it. So I'd like to translate it briefly and add comments that I deem necessary, then post it on my blog so that more Chinese security researchers can see it. I will declare the original address in the article. Of course, all this needs your approval. Thanks, look forward to your response

Here's a tool to exploit java unserialize on t3 that you can reference (tested on 11g and 12c) https://github.com/metalnas/loubia

I have read through all the README. There are two parts where contain CVEs for java deserialization - Exploits and Vulnerable apps.
Why do you separate them info two parts? I think we can combine them into one part which is based on CVE, or vulnerable app name. It may be a long list with more 30 items, but it is more clear.
Additionally, how do you collect all those vulnerabilities in the README? It is a heavy but meaningful work. I think it's best if we can collect all the CVEs about java deserialization.

I recently compiled a very large list of Java Deserialization CVEs (which are located at this repo https://github.com/PalindromeLabs/Java-Deserialization-CVEs) and I thought you might be interested in incorporating the list or parts of the list into this cheat sheet. Maybe you would prefer to keep the cheat list as it is, maybe you want to just add a link to this list if anyone wants a more comprehensive CVE list, or maybe you would prefer the notable/important CVEs be added individually to this cheat sheet with descriptions. If you have a preference for one of these options, let me know if I can help incorporate this CVE info into this excellent cheat sheet repo.