frohoff / ysoserial

A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
http://frohoff.github.io/appseccali-marshalling-pickles/
MIT License

ysoserial doesn't work with Java 18 #195

Closed noraj closed 1 year ago

noraj commented 1 year ago

With both ysoserial v0.0.5 and v0.0.6 I have this issue if using Java 18 that I don't have with Java 11.

Working environment

ysoserial v0.0.5 and v0.0.6

$ java --version
openjdk 11.0.16.1 2022-08-12
OpenJDK Runtime Environment (build 11.0.16.1+1)
OpenJDK 64-Bit Server VM (build 11.0.16.1+1, mixed mode)

Broken environment

$ java --version
openjdk 18.0.2 2022-07-19
OpenJDK Runtime Environment (build 18.0.2+0)
OpenJDK 64-Bit Server VM (build 18.0.2+0, mixed mode)
$ java -jar ysoserial-v0.0.6.jar Spring1 'id'
Error while generating or serializing payload
java.lang.IllegalAccessError: class ysoserial.payloads.util.Gadgets (in unnamed module @0x27082746) cannot access class com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl (in module java.xml) because module java.xml does not export com.sun.org.apache.xalan.internal.xsltc.trax to unnamed module @0x27082746
        at ysoserial.payloads.util.Gadgets.createTemplatesImpl(Gadgets.java:102)
        at ysoserial.payloads.Spring1.getObject(Spring1.java:57)
        at ysoserial.GeneratePayload.main(GeneratePayload.java:34)

frohoff commented 1 year ago

This is a duplicate of #176 and is a known issue caused by the Java module system.