A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
@matthiaskaiser thanks for the suggestion. I am able to invoke getMBeansFromURL(String), but I get a java.lang.IllegalStateException: "This MLet MBean is not registered with an MBeanServer." I see that the first line of the getMBeansFromURL function has the following check:

    if (server == null) {
        throw new IllegalStateException("This MLet MBean is not registered with an MBeanServer.");
    }

I am unable to bypass this check without calling preRegister(MBeanServer server, ObjectName name) first, which I am unable to do with my current limitations. I would really appreciate any other ideas.
ysoserial.exploit.JRMPListener. URLDNS.
URLDNS works and triggers a Burp Collaborator lookup.
mvn package -DskipTests failed with an error:
...
[INFO] --- maven-compiler-plugin:3.5.1:compile (default-compile) @ ysoserial ---
[INFO] Changes detected - recompiling the module!
[INFO] Compiling 59 source files to /root/ysoserial/target/classes
[WARNING] Unable to autodetect 'javac' path, using 'javac' from the environment.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 7.846 s
[INFO] Finished at: 2019-10-30T02:03:39-04:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.5.1:compile (default-compile) on project ysoserial: Compilation failure -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
Hi guys, I would like to ask some questions. In some clients, I always find flaws in the Java deserialization, but sometimes the environment is very restricted: the client has no DNS, ICMP, or HTTP egress. What I like to do to explore not-so-restricted environments is to send a list of payloads [1], with the command nslookup or ping to my domain. In some cases, it works very well. But recently I found two cases in particular:
1. When sending the list of payloads to the destination, it returned only the GadgetChain (JRMPClient). How could RCE have been obtained from that?
2. In this case, it is more restricted: I sent all the payloads and got absolutely nothing back, as the client had no egress for ICMP, DNS, or HTTP. How can I explore this second case?
[1] I use the script shown in Petre's article (https://securitycafe.ro/2017/11/03/tricking-java-serialization-for-a-treat/)