开源软件名称：

开源软件地址：

开源编程语言：

开源软件介绍：

Java-Deserialization-Cheat-Sheet

A cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization libraries.

Please, use #javadeser hash tag for tweets.

Table of content

• Java Native Serialization (binary)
  • Overview
  • Main talks & presentations & docs
  • Payload generators
  • Exploits
  • Detect
  • Vulnerable apps (without public sploits/need more info)
  • Protection
  • For Android
• XMLEncoder (XML)
• XStream (XML/JSON/various)
• Kryo (binary)
• Hessian/Burlap (binary/XML)
• Castor (XML)
• json-io (JSON)
• Jackson (JSON)
• Fastjson (JSON)
• Genson (JSON)
• Flexjson (JSON)
• Jodd (JSON)
• Red5 IO AMF (AMF)
• Apache Flex BlazeDS (AMF)
• Flamingo AMF (AMF)
• GraniteDS (AMF)
• WebORB for Java (AMF)
• SnakeYAML (YAML)
• jYAML (YAML)
• YamlBeans (YAML)
• "Safe" deserialization

Java Native Serialization (binary)

Overview

• Java Deserialization Security FAQ
• From Foxgloves Security

Main talks & presentations & docs

Marshalling Pickles

by @frohoff & @gebl

• Video
• Slides
• Other stuff

Exploiting Deserialization Vulnerabilities in Java

by @matthias_kaiser

• Video

Serial Killer: Silently Pwning Your Java Endpoints

by @pwntester & @cschneider4711

• Slides
• White Paper
• Bypass Gadget Collection

Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

by @frohoff & @gebl

• Slides

Surviving the Java serialization apocalypse

by @cschneider4711 & @pwntester

• Slides
• Video
• PoC for Scala, Grovy

Java Deserialization Vulnerabilities - The Forgotten Bug Class

by @matthias_kaiser

• Slides

Pwning Your Java Messaging With Deserialization Vulnerabilities

by @matthias_kaiser

• Slides
• White Paper
• Tool for jms hacking

Defending against Java Deserialization Vulnerabilities

by @lucacarettoni

• Slides

A Journey From JNDI/LDAP Manipulation To Remote Code Execution Dream Land

by @pwntester and O. Mirosh

• Slides
• White Paper

Fixing the Java Serialization mess

by @e_rnst

• Slides+Source

Blind Java Deserialization

by deadcode.me

• Part I - Commons Gadgets
• Part II - exploitation rev 2

An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (JVM)

by @joaomatosf

• Slides
• Examples

Automated Discovery of Deserialization Gadget Chains

by @ianhaken

• Video
• Slides
• Tool

An Far Sides Of Java Remote Protocols

by @_tint0

• Slides

Payload generators

ysoserial

https://github.com/frohoff/ysoserial

ysoserial 0.6 payloads:

Plugins for Burp Suite (detection, ysoserial integration ):

• Freddy
• JavaSerialKiller
• Java Deserialization Scanner
• Burp-ysoserial
• SuperSerial
• SuperSerial-Active

Full shell (pipes, redirects and other stuff):

• $@|sh – Or: Getting a shell environment from Runtime.exec
• Set String[] for Runtime.exec (patch ysoserial's payloads)
• Shell Commands Converter

How it works:

• https://blog.srcclr.com/commons-collections-deserialization-vulnerability-research-findings/
• http://gursevkalra.blogspot.ro/2016/01/ysoserial-commonscollections1-exploit.html

ysoserial fork with additional payloads

https://github.com/wh1t3p1g/ysoserial

• CommonsCollection8,9,10
• RMIRegistryExploit2,3
• RMIRefListener,RMIRefListener2
• PayloadHTTPServer
• Spring3

JRE8u20_RCE_Gadget

https://github.com/pwntester/JRE8u20_RCE_Gadget

Pure JRE 8 RCE Deserialization gadget

ACEDcup

https://github.com/GrrrDog/ACEDcup

File uploading via:

• Apache Commons FileUpload <= 1.3 (CVE-2013-2186) and Oracle JDK < 7u40

Universal billion-laughs DoS

https://gist.github.com/coekie/a27cc406fc9f3dc7a70d

Won't fix DoS via default Java classes (JRE)

Universal Heap overflows DoS using Arrays and HashMaps

https://github.com/topolik/ois-dos/

How it works:

• Java Deserialization DoS - payloads

Won't fix DoS using default Java classes (JRE)

DoS against Serialization Filtering (JEP-290)

• CVE-2018-2677

Tool to search gadgets in source

• Gadget Inspector
• Article about Gadget Inspector

Additional tools to test RMI:

• BaRMIe
• Barmitza
• RMIScout
• attackRmi
• [Remote Method Guesser][https://github.com/qtc-de/remote-method-guesser]

Remote class detection:

• GadgetProbe: Exploiting Deserialization to Brute-Force the Remote Classpath

• GadgetProbe

• Remote Java classpath enumeration with EnumJavaLibs

• EnumJavaLibs

Exploits

no spec tool - You don't need a special tool (just Burp/ZAP + payload)

RMI

• Protocol
• Default - 1099/tcp for rmiregistry
• partially patched in JRE with JEP290 (JDK 8u121, JDK 7u131, JDK 6u141)
• Attacking Java RMI services after JEP 290
• An Trinhs RMI Registry Bypass
• RMIScout

ysoserial

Additional tools

JMX

• JMX on RMI
• • CVE-2016-3427
• partially patched in JRE with JEP290 (JDK 8u121, JDK 7u131, JDK 6u141)
• Attacking RMI based JMX services (after JEP 290)

ysoserial

mjet

JexBoss

JMXMP

• Special JMX protocol
• The Curse of Old Java Libraries

JNDI/LDAP

• When we control an address for lookup of JNDI (context.lookup(address) and can have backconnect from a server
• Full info
• JNDI remote code injection
• Exploiting JNDI Injections in Java

https://github.com/zerothoughts/jndipoc

https://github.com/welk1n/JNDI-Injection-Exploit

JMS

• Full info

JMET

JSF ViewState

• if no encryption or good mac

no spec tool

JexBoss

vjdbc

• JDBC via HTTP library
• all version are vulnerable
• Details

no spec tool

T3 of Oracle Weblogic

• Protocol
• Default - 7001/tcp on localhost interface
• CVE-2015-4852
• Blacklist bypass - CVE-2017-3248
• Blacklist bypass - CVE-2017-3248 PoC
• Blacklist bypass - CVE-2018-2628
• Blacklist bypass - cve-2018-2893
• Blacklist bypass - CVE-2018-3245
• Blacklist bypass - CVE-2018-3191
• CVE-2019-2725
• CVE-2020-2555
• CVE-2020-2883
• CVE-2020-2963
• CVE-2020-14625
• CVE-2020-14644
• CVE-2020-14645
• CVE-2020-14756
• CVE-2020-14825
• CVE-2020-14841

loubia (tested on 11g and 12c, supports t3s)

JavaUnserializeExploits (doesn't work for all Weblogic versions)

WLT3Serial

CVE-2018-2628 sploit

IIOP of Oracle Weblogic

• Protocol

• Default - 7001/tcp on localhost interface

• CVE-2020-2551

• Details

CVE-2020-2551 sploit

Oracle Weblogic (1)

• auth required
• How it works
• CVE-2018-3252

Oracle Weblogic (2)

• auth required
• CVE-2021-2109

Exploit

IBM Websphere (1)

• wsadmin
• Default port - 8880/tcp
• CVE-2015-7450

JavaUnserializeExploits

serialator

CoalfireLabs/java_deserialization_exploits

IBM Websphere (2)

• When using custom form authentication
• WASPostParam cookie
• Full info

no spec tool

IBM Websphere (3)

• IBM WAS DMGR
• special port
• CVE-2019-4279
• ibm10883628
• Exploit

Metasploit

IIOP of IBM Websphere

• Protocol
• 2809, 9100, 9402, 9403
• CVE-2020-4450
• CVE-2020-4449
• Abusing Java Remote Protocols in IBM WebSphere
• Vuln Details

Red Hat JBoss (1)

• http://jboss_server/invoker/JMXInvokerServlet
• Default port - 8080/tcp
• CVE-2015-7501

JavaUnserializeExploits

https://github.com/njfox/Java-Deserialization-Exploit

serialator

JexBoss

Red Hat JBoss 6.X

• http://jboss_server/invoker/readonly
• Default port - 8080/tcp
• CVE-2017-12149
• JBoss 6.X and EAP 5.X
• Details

no spec tool

Red Hat JBoss 4.x

• http://jboss_server/jbossmq-httpil/HTTPServerILServlet/
• <= 4.x
• CVE-2017-7504

no spec tool

Jenkins (1)

• Jenkins CLI
• Default port - High number/tcp
• CVE-2015-8103
• CVE-2015-3253

JavaUnserializeExploits

JexBoss

Jenkins (2)

• patch "bypass" for Jenkins
• CVE-2016-0788
• Details of exploit

ysoserial

Jenkins (s)

• Jenkins CLI LDAP
• *Default port - High number/tcp
• <= 2.32
• <= 2.19.3 (LTS)
• CVE-2016-9299

CloudBees Jenkins

• <= 2.32.1
• CVE-2017-1000353
• Details

Sploit

JetBrains TeamCity

• RMI

ysoserial

Restlet

• <= 2.1.2
• When Rest API accepts serialized objects (uses ObjectRepresentation)

no spec tool

RESTEasy

• *When Rest API accepts serialized objects (uses @Consumes({"*/*"}) or "application/*" )