Mirrors/PayloadsAllTheThings
2
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-13 14:52:53 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #311 from lanjelot/deser

Browse source 
Add tool gadgetprobe
This commit is contained in:
Swissky 2020-12-18 15:25:26 +01:00 committed by GitHub
commit 66a0fd1cbe
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
Insecure Deserialization/Java.md
View file

@ -50,7 +50,7 @@ Spring2 |@mbechler |spring-core:4.1.4.RELEASE, spr
URLDNS |@gebl| | jre only vuln detect URLDNS |@gebl| | jre only vuln detect
Wicket1 |@jacob-baines |wicket-util:6.23.0, slf4j-api:1.6.4 Wicket1 |@jacob-baines |wicket-util:6.23.0, slf4j-api:1.6.4
Additional tools (integration ysoserial with Burp Suite): ## Burp extensions using ysoserial
- [JavaSerialKiller](https://github.com/NetSPI/JavaSerialKiller) - [JavaSerialKiller](https://github.com/NetSPI/JavaSerialKiller)
- [Java Deserialization Scanner](https://github.com/federicodotta/Java-Deserialization-Scanner) - [Java Deserialization Scanner](https://github.com/federicodotta/Java-Deserialization-Scanner)
@ -58,14 +58,13 @@ Additional tools (integration ysoserial with Burp Suite):
- [SuperSerial](https://github.com/DirectDefense/SuperSerial) - [SuperSerial](https://github.com/DirectDefense/SuperSerial)
- [SuperSerial-Active](https://github.com/DirectDefense/SuperSerial-Active) - [SuperSerial-Active](https://github.com/DirectDefense/SuperSerial-Active)
JRE8u20_RCE_Gadget ## Other tools
[https://github.com/pwntester/JRE8u20_RCE_Gadget](https://github.com/pwntester/JRE8u20_RCE_Gadget)
JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool, [https://github.com/joaomatosf/jexboss](https://github.com/joaomatosf/jexboss) - [JRE8u20_RCE_Gadget](https://github.com/pwntester/JRE8u20_RCE_Gadget)
- [JexBoss](https://github.com/joaomatosf/jexboss) - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool
ysoserial-modified [https://github.com/pimps/ysoserial-modified](https://github.com/pimps/ysoserial-modified) - [ysoserial-modified](https://github.com/pimps/ysoserial-modified)
- [gadgetprobe](https://labs.bishopfox.com/gadgetprobe)
Java Unmarshaller Security: Turning your data into code execution - [https://github.com/mbechler/marshalsec](https://github.com/mbechler/marshalsec) - [marshalsec](https://github.com/mbechler/marshalsec) - Turning your data into code execution
```java ```java
java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.<Marshaller> [-a] [-v] [-t] [<gadget_type> [<arguments...>]] java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.<Marshaller> [-a] [-v] [-t] [<gadget_type> [<arguments...>]]