phith0n / zkar

Licence: MIT license
ZKar is a Java serialization protocol analysis tool implemented in Go.

ZKar

ZKar is a Java serialization protocol analysis tool implemented in Go. The tool is still a work in progress, so there is no complete API documentation or contribution guide yet.

ZKar provides:

  • A parser and viewer for Java serialization payloads in pure Go; no CGO or JDK is required
  • Conversion from the Java serialization protocol to Go structs
  • A Go library that can manipulate Java serialization data
  • WIP: A ysoserial implementation in Go
  • WIP: A parser, viewer and manipulation library for Java class bytecode
  • WIP: An implementation of RMI/LDAP in Go

📦 Installing

Using ZKar is easy. Use go get to install ZKar along with the library and its dependencies:

go get -u github.com/phith0n/zkar

Next, use github.com/phith0n/zkar/* in your application:

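package main

import (
	"fmt"
	"log"
	"os"

	"github.com/phith0n/zkar/serz"
)

func main() {
	// Read a serialized payload from the repository's test cases.
	data, err := os.ReadFile("./testcases/ysoserial/CommonsCollections6.ser")
	if err != nil {
		log.Fatalf("read error: %v", err)
	}

	// Parse the raw bytes into ZKar's Go representation of the stream.
	serialization, err := serz.FromBytes(data)
	if err != nil {
		log.Fatalf("parse error: %v", err)
	}

	// Print the parsed structure in human-readable form.
	fmt.Println(serialization.ToString())
}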

💻 Command line utility tool

ZKar also provides a command line utility that you can use directly:

$ go run main.go
NAME:
   zkar - A Java serz tool

USAGE:
   main [global options] command [command options] [arguments...]

COMMANDS:
   generate  generate Java serz attack payloads
   dump      parse the Java serz streams and dump the struct
   help, h   Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --help, -h  show help (default: false)

For example, you can dump the CommonsBeanutils3 payload from ysoserial like this:

$ go run main.go dump -f "$(pwd)/testcases/ysoserial/CommonsBeanutils3.ser"
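
To show what sits at the start of such a stream, the following added example (not ZKar's code and not using its API) decodes the stream header and the first class descriptor into a Go struct using only the standard library. The names ClassDesc and Describe and the sample bytes are constructed for illustration; only streams that begin with TC_OBJECT followed by TC_CLASSDESC are handled.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ClassDesc is the Go view of the first class descriptor in a stream.
type ClassDesc struct {
	Name   string
	SUID   uint64   // serialVersionUID
	Flags  byte     // 0x02 = SC_SERIALIZABLE
	Fields []string // "<type code> <name> [<type signature>]"
}

var errStream = errors.New("truncated stream or unsupported record")

// sample is constructed: class Demo { int n = 42; String s = null; }.
var sample = []byte("\xac\xed\x00\x05sr\x00\x04Demo\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x02" +
	"I\x00\x01nL\x00\x01st\x00\x12Ljava/lang/String;xp\x00\x00\x00\x2ap")

// Describe only slices bytes; it never loads or instantiates a Java class.
func Describe(d []byte) (c *ClassDesc, err error) {
	defer func() { // a read past the end of d panics on d[n:]
		if recover() != nil {
			c, err = nil, errStream
		}
	}()
	next := func(n int) (b []byte) { b, d = d[:n], d[n:]; return }
	utf := func() string { return string(next(int(binary.BigEndian.Uint16(next(2))))) }
	if string(next(6)) != "\xac\xed\x00\x05sr" { // magic, version 5, TC_OBJECT, TC_CLASSDESC
		return nil, errStream
	}
	c = &ClassDesc{Name: utf(), SUID: binary.BigEndian.Uint64(next(8)), Flags: next(1)[0]}
	for n := binary.BigEndian.Uint16(next(2)); n > 0; n-- {
		f := string(next(1)) + " " + utf() // JVM type code, then field name
		if f[0] == 'L' || f[0] == '[' { // object or array: a type signature follows
			if next(1)[0] != 't' { // only TC_STRING is handled, not TC_REFERENCE
				return nil, errStream
			}
			f += " " + utf()
		}
		c.Fields = append(c.Fields, f)
	}
	return c, nil
}

func main() { fmt.Println(Describe(sample)) }
```

Class annotations, superclass descriptors and field values follow the field list in the stream and are left unread here.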

🛠 Tests

ZKar is well tested: it passes the parsing and rebuilding tests for all gadgets generated by ysoserial. This means that a gadget generated by ysoserial can be parsed by ZKar, and the parsed structs can be converted back into a byte string that is equal to the original one.

Gadget Package Parse Rebuild Parse Time
AspectJWeaver ysoserial 80.334µs
BeanShell1 ysoserial 782.613µs
C3P0 ysoserial 98.321µs
Click1 ysoserial 573.298µs
Clojure ysoserial 72.415µs
CommonsBeanutils1 ysoserial 461.15µs
CommonsCollections1 ysoserial 64.484µs
CommonsCollections2 ysoserial 508.918µs
CommonsCollections3 ysoserial 564.071µs
CommonsCollections4 ysoserial 535.449µs
CommonsCollections5 ysoserial 137.609µs
CommonsCollections6 ysoserial 68.753µs
CommonsCollections7 ysoserial 178.549µs
FileUpload1 ysoserial 35.39µs
Groovy1 ysoserial 150.991µs
Hibernate1 ysoserial 789.674µs
Hibernate2 ysoserial 168.624µs
JBossInterceptors1 ysoserial 632.581µs
JRMPClient ysoserial 32.967µs
JRMPListener ysoserial 38.263µs
JSON1 ysoserial 2.157225ms
JavassistWeld1 ysoserial 468.596µs
Jdk7u21 ysoserial 355.01µs
Jython1 ysoserial 216.862µs
MozillaRhino1 ysoserial 1.775193ms
MozillaRhino2 ysoserial 409.124µs
Myfaces1 ysoserial 22.997µs
Myfaces2 ysoserial 38.131µs
ROME ysoserial 485.804µs
Spring1 ysoserial 797.469µs
Spring2 ysoserial 358.041µs
URLDNS ysoserial 21.502µs
Vaadin1 ysoserial 438.729µs
Wicket1 ysoserial 23.509µs
JDK8u20* pwntester 529.3µs

Note: To parse the JDK8u20 payload, add the --jdk8u20 flag to the dump command. Because the payload is not a valid serialized data stream, this flag is needed to tell ZKar to patch the data.

📝 TODO

  • Java bytecodes parser and generator
  • JDK/JRE 8u20 gadget support
  • Serialization payloads generator
  • An implementation of RMI/LDAP in Go

⚖️ License

ZKar is released under the MIT license. See LICENSE

👀 See Also

  • SerializationDumper: A tool to dump and rebuild Java serialization streams and Java RMI packet contents in a more human readable form.
  • ysoserial: A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
  • Java-Deserialization-Cheat-Sheet: The cheat sheet about Java Deserialization vulnerabilities