exploiting tab will not generate the payload

[ecrsecurity]

entering the command Hibernate1 "sleep 5" in the exploiting tab results in ERROR IN YSOSERIAL COMMAND. Entering the same command directly to ysoserial "java -jar /usr/share/java/ysoserial-v0.0.5.jar Hibernate1 "sleep 5" " works perfectly.

[phra]

+1

ERROR
Error while generating or serializing payload
java.lang.ClassNotFoundException: org.hibernate.property.access.spi.Getter
    at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:582)
    at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:190)
    at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:499)
    at java.base/java.lang.Class.forName0(Native Method)
    at java.base/java.lang.Class.forName(Class.java:291)
    at ysoserial.payloads.Hibernate1.makeHibernate5Getter(Hibernate1.java:92)
    at ysoserial.payloads.Hibernate1.makeGetter(Hibernate1.java:64)
    at ysoserial.payloads.Hibernate2.getObject(Hibernate2.java:55)
    at ysoserial.GeneratePayload.main(GeneratePayload.java:34)

[mcgyver5]

I got this same error until I compiled ysoserial myself with this command: mvn clean package -DskipTests -Dhibernate5

[phra]

@ecrsecurity @mcgyver5 see https://medium.com/abn-amro-red-team/java-deserialization-from-discovery-to-reverse-shell-on-limited-environments-2e7b4e14fbef

[federicodotta]

In the new version of the plugin I added a flag to add/remove hibernate5 flag to the ysoserial command in the exploitation tab. Remember that you have to compile ysoserial with -Dhibernate5 option.

[MarioVilas]

Same error, with extension installed from BApp, no manual compilation of any kind.

[Splint3r7]

Working with jdk-11

openjdk 11.0.9 2020-10-20
OpenJDK Runtime Environment (build 11.0.9+11-post-Debian-1)
OpenJDK 64-Bit Server VM (build 11.0.9+11-post-Debian-1, mixed mode, sharing)