Git Product home page Git Product logo

serializekiller's Introduction

#SerializeKiller After the article published about the deserilization vulnerability we needed to scan all of our servers to verify if it's vulnerable. So we wrote this script, and decided to share it. This script enables you to scan a lot of servers in a short time for the infamous Java deserialization vulnerability. It currently detects WebLogic, WebSphere, JBOSS and Jenkins.

##What is the vulnerability? It is bad. The bug enables attackers to take over the the server, even without credentials. If you use Websphere, Weblogic, JBoss, Jenkins or OpenNMS you are probably vulnerable.

You can read more about the bug here: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

##How do I use it? You need to install Python 2, Curl and NMAP first. Also Python needs the requests library. With that installed it's pretty ease, just: ./serializekiller.py targets.txt or ./serializekiller.py --url example.com

In the scanfile you can put IP adresses and hosts. It's also possible to scan specific ports. Please see the scanfile.

Note: on my Mac I had to call the script with: python2.7 serializekiller.py targets.txt. It might be specific for my installation. On Linux we experienced no problems.

##Is it dangerous to use?

No, it shouldn't do any damage, no exploit code is used. If you have doubts, keep in mind that being vulnerable is much worse ;)

##How fast is it?

We scanned over a 1000 servers in less than 2 minutes. Edit: We noticed that in some cases it can be slower.

##Help, we are vulnerable! My colleague hacker Sijmen Ruwhof made a nice write-up what to do next. You can find it here

##Pfeew! We are not vulnerable! Congratz! But keep in mind that this script only scans some default ports. E.g. If you have a vulnerable Jenkins server on port 80, the SerializeKiller won't find it. If you want to scan non-default ports, you can specify those ports in the targets file.

##I want to contribute Please send your pull request.

serializekiller's People

Contributors

johndekroon avatar schinkelg avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.