search

qi4L / JYso

JNDIExploit or a ysoserial.
GNU General Public License v3.0
1.57k stars 188 forks source link

大哥你好,使用反序列化链的时候报错了,请问怎么解决,感谢 #6

Closed homelanmder closed 1 year ago

homelanmder commented 1 year ago

image

homelanmder commented 1 year ago

大哥,麻烦你回复后不要删的那么快,感谢

homelanmder commented 1 year ago

image za在使用这个链的时候,ldap服务也会报错

homelanmder commented 1 year ago

还有jackson链 image CommonsBeanutilsObjectToStringComparator183链 image CommonsBeanutilsAttrCompare183链 image C3P04链 image AspectJWeaver2链 image AspectJWeaver链

qi4L commented 1 year ago

OK,在修了

homelanmder commented 1 year ago

谢谢大佬

qi4L commented 1 year ago

C3P0没问题,你看下我写的使用说明。

homelanmder commented 1 year ago

不好意思,看到了,那个是用来加载jar包的

homelanmder commented 1 year ago

大佬,使用urlDNs all探测的时候回显如下 image 但是使用这两个链去打的时候,也报错了 image image

qi4L commented 1 year ago

因为我没写,要的话,等我修好BUG一起加上去吧

homelanmder commented 1 year ago

哈哈哈,感谢大佬

qi4L commented 1 year ago

CommonsBeanutilsAttrCompare183 CommonsBeanutilsObjectToStringComparator183 这两条应该是没问题的,可能套娃了,第二次加载报错,不影响成功

qi4L commented 1 year ago

jackson应该也是这个情况,测试好几遍了

qi4L commented 1 year ago

BCEL可以看说明文档,关键词:BC :BCEL Classloader - 通过 ..bcel...ClassLoader.loadClass().newInstan 没有定义winlinux和bcel的类

homelanmder commented 1 year ago

好的大佬,我看看

homelanmder commented 1 year ago

这个BC-$BCEL$xxx 中,xxx是以16进制的形式吗

qi4L commented 1 year ago

BCEL字节码

homelanmder commented 1 year ago

谢谢

qi4L commented 1 year ago

那窗口我关了

homelanmder commented 1 year ago

嗯嗯