wh1t3p1g / Ysomap

Licence: apache-2.0
A helpful Java Deserialization exploit framework based on ysoserial

Programming Languages

java
68154 projects - #9 most used programming language

Projects that are alternatives of or similar to Ysomap

Brutus
A Python-powered exploitation framework and botnet.
Stars: ✭ 17 (-94.59%)
Mutual labels:  exploitation-framework
Arissploit
Arissploit Framework is a simple framework designed to master penetration testing tools. Arissploit Framework offers simple structure, basic CLI, and useful features for learning and developing penetration testing tools.
Stars: ✭ 114 (-63.69%)
Mutual labels:  exploitation-framework
lasercrack
Lasercrack - an extensible Ruby brute-force framework
Stars: ✭ 45 (-85.67%)
Mutual labels:  exploitation-framework
Ghost
Ghost Framework is an Android post-exploitation framework that exploits the Android Debug Bridge to remotely access an Android device. Ghost Framework gives you the power and convenience of remote Android device administration.
Stars: ✭ 992 (+215.92%)
Mutual labels:  exploitation-framework
Beef Over Wan
Browser Exploitation Framework is an open-source penetration testing tool that focuses on browser-based vulnerabilities. This Python script makes the changes required to make hooked links accessible over WAN, so anyone can use this framework and attack over WAN without port forwarding [NGROK or any localhost-to-webhost service required].
Stars: ✭ 82 (-73.89%)
Mutual labels:  exploitation-framework
Proton
Proton Framework is a Windows post-exploitation framework similar to other Windows post-exploitation frameworks. The major difference is that the Proton Framework does most of its operations using Windows Script Host, with compatibility in the core to support a default installation of Windows 2000 with no service packs all the way through Windows 10.
Stars: ✭ 142 (-54.78%)
Mutual labels:  exploitation-framework
Vulscan
vulscan scanning system: the latest PoC & exploit vulnerability scans, covering unauthenticated Redis access, sensitive files, Java deserialization, Tomcat command execution and various other unauthenticated-access scans...
Stars: ✭ 486 (+54.78%)
Mutual labels:  exploitation-framework
pwnscripts
Very simple script(s) to hasten binary exploit creation
Stars: ✭ 66 (-78.98%)
Mutual labels:  exploitation-framework
Cmseek
CMS Detection and Exploitation suite - Scan WordPress, Joomla, Drupal and over 180 other CMSs
Stars: ✭ 1,296 (+312.74%)
Mutual labels:  exploitation-framework
Tigershark
Bilingual PhishingKit. TigerShark integrates a vast array of phishing tools and frameworks, from C2 servers and backdoors to delivery methods in multiple scripting languages, in order to suit whatever your deployment needs may be.
Stars: ✭ 212 (-32.48%)
Mutual labels:  exploitation-framework
Pentest Tools Framework
Pentest Tools Framework is a database of exploits, scanners and tools for penetration testing. Pentest is a powerful framework that includes a lot of tools for beginners. You can explore kernel vulnerabilities, network vulnerabilities
Stars: ✭ 48 (-84.71%)
Mutual labels:  exploitation-framework
Prismatica
Responsive Command and Control System
Stars: ✭ 81 (-74.2%)
Mutual labels:  exploitation-framework
Webpocket
Exploit management framework
Stars: ✭ 142 (-54.78%)
Mutual labels:  exploitation-framework
Featherduster
An automated, modular cryptanalysis tool; i.e., a Weapon of Math Destruction
Stars: ✭ 876 (+178.98%)
Mutual labels:  exploitation-framework
Ghost
Ghost Framework is an Android post-exploitation framework that exploits the Android Debug Bridge to remotely access an Android device.
Stars: ✭ 1,934 (+515.92%)
Mutual labels:  exploitation-framework
Exploitpack
Exploit Pack - The next-generation exploit framework
Stars: ✭ 728 (+131.85%)
Mutual labels:  exploitation-framework
Metasploit Cheat Sheet
Metasploit Cheat Sheet 💣
Stars: ✭ 139 (-55.73%)
Mutual labels:  exploitation-framework
Zerooo-Exploitation-Framework
Asynchronous exploitation framework
Stars: ✭ 22 (-92.99%)
Mutual labels:  exploitation-framework
ronin-exploits
A Ruby micro-framework for writing and running exploits
Stars: ✭ 36 (-88.54%)
Mutual labels:  exploitation-framework
Mouse
Mouse Framework is an iOS and macOS post-exploitation framework that gives you a command line session with extra functionality between you and a target machine using only a simple Mouse payload. Mouse gives you the power and convenience of uploading and downloading files, tab completion, taking pictures, location tracking, shell command execution, escalating privileges, password retrieval, and much more.
Stars: ✭ 186 (-40.76%)
Mutual labels:  exploitation-framework

YSOMAP


Ysomap is a helpful Java deserialization exploit framework based on ysoserial.

#1 Motivation

When analysing the gadget chains in ysoserial in practice, the framework sometimes feels too rigid, with the following drawbacks:

  1. If you want to change the final effect of a chain, for example from command execution to code execution, you have to rewrite that chain or add a new one. Yet the leading part of the chain stays the same; only the final effect changes.
  2. ysoserial only implements conventional (native Java) serialization chains. Extending the current framework to JSON-style serialization chains is cumbersome.

This gave rise to the idea of a more flexible framework for extending deserialization gadget chains, which is the present experimental project, ysomap.

PS: the YSOMAP project is a sub-project of another project, which will be open-sourced later; stay tuned......

#2 Principle

I split a gadget chain into two parts, payload and bullet:

  1. payload: the leading part of the gadget chain
  2. bullet: the effect the chain ultimately achieves

Case study

Comparing CommonsCollections1 and 3, the actual difference is that 1 uses InvokerTransformer while 3 uses the TemplatesImpl approach. If we extract the common leading payload part, we only need to write two different bullets, and those two bullets can equally be used with other payloads.

Likewise, when I wrote RMIRegistryExploit there were invariant parts that could be reused in the same way, with no need for variants numbered 2, 3 and so on.

#3 Usage

Build

Run mvn clean package -DskipTests

The generated jar is located at cli/target/ysomap-cli-0.0.1-SNAPSHOT-all.jar

Run it with java -jar ysomap-0.0.1-SNAPSHOT-all.jar

Basic usage

See the YSOMAP usage guide

#4 Currently available

DONE

  • [x] Support for the CommonsCollections series of payloads
  • [x] Support for effect bullets: remote jar loading, command execution, code execution, triggering a JNDI lookup, Tomcat in-memory shell, time-delay check, file writing
  • [x] Support for the existing RMI series of attack packages (principle 1, principle 2, principle 3)
  • [x] Support for the existing LDAP series of attack packages (principle)
  • [x] Support for an HTTP server that dynamically hosts malicious class or jar files
  • [x] Support for URLDNS
  • [x] Support for the existing JMX series of attack packages (principle)
  • [x] Support for the fastjson JdbcRowSetImpl and TemplatesImpl gadgets (principle)
  • [x] Support for the existing XStream series of payload packages (principle)

TODO

  • [ ] Support for the WebLogic series of attack packages
  • [ ] Support for the WebSphere series of attack packages

#5 Disclaimer

Using YSOMAP against a target without authorization is illegal. This program should be used only for authorized security testing and research purposes.

#6 Acknowledgements

@ysoserial https://github.com/frohoff/ysoserial
