ysoserial | concept tool for generating payloads | Hacking library

by frohoff Java Version: v0.0.6 License: MIT

X-Ray Key Features Code Snippets Community Discussions(1)Vulnerabilities Install Support

kandi X-RAY | ysoserial Summary

ysoserial is a Java library typically used in Security, Hacking applications. ysoserial has no bugs, it has no vulnerabilities, it has build file available, it has a Permissive License and it has medium support. You can download it from GitHub.

Originally released as part of AppSecCali 2015 Talk "Marshalling Pickles: how deserializing objects will ruin your day" with gadget chains for Apache Commons Collections (3.x and 4.x), Spring Beans/Core (4.x), and Groovy (2.3.x). Later updated to include additional gadget chains for JRE <= 1.7u21 and several other libraries. ysoserial is a collection of utilities and property-oriented programming "gadget chains" discovered in common java libraries that can, under the right conditions, exploit Java applications performing unsafe deserialization of objects. The main driver program takes a user-specified command and wraps it in the user-specified gadget chain, then serializes these objects to stdout. When an application with the required gadgets on the classpath unsafely deserializes this data, the chain will automatically be invoked and cause the command to be executed on the application host. It should be noted that the vulnerability lies in the application performing unsafe deserialization and NOT in having gadgets on the classpath.

Support

Quality

Security

License

Reuse

Support

ysoserial has a medium active ecosystem.

It has 6393 star(s) with 1641 fork(s). There are 218 watchers for this library.

It had no major release in the last 12 months.

There are 22 open issues and 69 have been closed. On average issues are closed in 204 days. There are 25 open pull requests and 0 closed requests.

It has a neutral sentiment in the developer community.

The latest version of ysoserial is v0.0.6

Quality

ysoserial has 0 bugs and 0 code smells.

Security

ysoserial has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.

ysoserial code analysis shows 0 unresolved vulnerabilities.

There are 0 security hotspots that need review.

License

ysoserial is licensed under the MIT License. This license is Permissive.

Permissive licenses have the least restrictions, and you can use them in most projects.

Reuse

ysoserial releases are available to install and integrate.

Build file is available. You can build the component from source.

Installation instructions, examples and code snippets are available.

ysoserial saves you 2237 person hours of effort in developing the same functionality from scratch.

It has 4905 lines of code, 358 functions and 82 files.

It has low code complexity. Code complexity directly impacts maintainability of the code.

Top functions reviewed by kandi - BETA

kandi has reviewed ysoserial and discovered the below as its top functions. This is intended to give you an instant insight into ysoserial implemented functionality, and help decide if they suit your requirements.

Entry point for the command
Prints the usage
Formats a list of strings to a list of strings
Main entry point
Get a RemoteObject object from a remote object
Waits for a connection
Create an object
Creates a proxy for the given interface
Execute an object
Joins the given strings with the given prefix
Execute a command on an object
Create the object for the command
Gets the object associated with the given command
Create a queue of objects
Gets the commands for the command
Construct an object from a command string
Main method
Converts a command into an object
Returns a priority queue
Retrieves a queue of templates
Get a priority queue
Executes the interaction model
Main entry point for the view
Executes a command and returns the object
Gets the idScriptable object
Executes a command on the console

Get all kandi verified functions for this library.

ysoserial Key Features

No Key Features are available at this moment for ysoserial.

ysoserial Examples and Code Snippets

No Code Snippets are available at this moment for ysoserial.

Community Discussions

Trending Discussions on ysoserial

Java Deserialization gadget - Why is this ysoserial payload using reflection to set the TiedMapEntry?

QUESTION

Java Deserialization gadget - Why is this ysoserial payload using reflection to set the TiedMapEntry?

Asked 2021-Jun-22 at 08:33

I started studying Java deserialization gadgets. I started with the famous Apache Common Collections gadget and was looking at @matthias_kaiser's gadget chain.

https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections6.java#L65-L100

Could someone please explain the following?

Why is the TiedMapEntry set via Java reflection vs just using the HashSet#add() method? For example,
...

ANSWER

Answered 2021-Jun-22 at 08:33

If you add a TiedMapEntry to a HashSet, hashCode() is called which triggers TiedMapEntry.getValue() which calls get() on the LazyMap. This will trigger the Transformers to execute which is not something you want at that point.
Side-effect of 1)
Use a debugger and set a breakpoint on method org.apache.commons.collections.map.LazyMap.get(Object)
By reading the implementation code and debugging with a proper IDE (IDEA, Eclipse)

Source https://stackoverflow.com/questions/68052529

Community Discussions, Code Snippets contain sources that include Stack Exchange Network

Vulnerabilities

No vulnerabilities reported

Install ysoserial

Note that GitHub-hosted releases were removed in compliance with the GitHub Community Guidelines.
Download the latest jar from JitPack

Support

Fork itCreate your feature branch (git checkout -b my-new-feature)Commit your changes (git commit -am 'Add some feature')Push to the branch (git push origin my-new-feature)Create new Pull Request

Find more information at: