Java-Deserialization-Cheat-Sheet

A cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization libraries.

Please use the #javadeser hashtag for tweets.

Table of contents

Java Native Serialization (binary)

Overview

Main talks & presentations & docs

Marshalling Pickles

by @frohoff & @gebl

Exploiting Deserialization Vulnerabilities in Java

by @matthias_kaiser

Serial Killer: Silently Pwning Your Java Endpoints

by @pwntester & @cschneider4711

Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

by @frohoff & @gebl

Surviving the Java serialization apocalypse

by @cschneider4711 & @pwntester

Java Deserialization Vulnerabilities - The Forgotten Bug Class

by @matthias_kaiser

Pwning Your Java Messaging With Deserialization Vulnerabilities

by @matthias_kaiser

Defending against Java Deserialization Vulnerabilities

by @lucacarettoni

A Journey From JNDI/LDAP Manipulation To Remote Code Execution Dream Land

by @pwntester and O. Mirosh

Fixing the Java Serialization mess

by @e_rnst

Blind Java Deserialization

by deadcode.me

An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (JVM)

by @joaomatosf

Automated Discovery of Deserialization Gadget Chains

by @ianhaken

An Far Sides Of Java Remote Protocols

by @_tint0

Payload generators

ysoserial

https://github.com/frohoff/ysoserial

ysoserial 0.6 payloads:

| payload | author | dependencies | impact (if not RCE) |
|---|---|---|---|
| AspectJWeaver | @Jang | aspectjweaver:1.9.2, commons-collections:3.2.2 | |
| BeanShell1 | @pwntester, @cschneider4711 | bsh:2.0b5 | |
| C3P0 | @mbechler | c3p0:0.9.5.2, mchange-commons-java:0.2.11 | |
| Click1 | @artsploit | click-nodeps:2.3.0, javax.servlet-api:3.1.0 | |
| Clojure | @JackOfMostTrades | clojure:1.8.0 | |
| CommonsBeanutils1 | @frohoff | commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2 | |
| CommonsCollections1 | @frohoff | commons-collections:3.1 | |
| CommonsCollections2 | @frohoff | commons-collections4:4.0 | |
| CommonsCollections3 | @frohoff | commons-collections:3.1 | |
| CommonsCollections4 | @frohoff | commons-collections4:4.0 | |
| CommonsCollections5 | @matthias_kaiser, @jasinner | commons-collections:3.1 | |
| CommonsCollections6 | @matthias_kaiser | commons-collections:3.1 | |
| CommonsCollections7 | @scristalli, @hanyrax, @EdoardoVignati | commons-collections:3.1 | |
| FileUpload1 | @mbechler | commons-fileupload:1.3.1, commons-io:2.4 | file uploading |
| Groovy1 | @frohoff | groovy:2.3.9 | |
| Hibernate1 | @mbechler | | |
| Hibernate2 | @mbechler | | |
| JBossInterceptors1 | @matthias_kaiser | javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 | |
| JRMPClient | @mbechler | | |
| JRMPListener | @mbechler | | |
| JSON1 | @mbechler | json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1 | |
| JavassistWeld1 | @matthias_kaiser | javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 | |
| Jdk7u21 | @frohoff | | |
| Jython1 | @pwntester, @cschneider4711 | jython-standalone:2.5.2 | |
| MozillaRhino1 | @matthias_kaiser | js:1.7R2 | |
| MozillaRhino2 | @_tint0 | js:1.7R2 | |
| Myfaces1 | @mbechler | | |
| Myfaces2 | @mbechler | | |
| ROME | @mbechler | rome:1.0 | |
| Spring1 | @frohoff | spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE | |
| Spring2 | @mbechler | spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2 | |
| URLDNS | @gebl | jre only | vuln detect |
| Vaadin1 | @kai_ullrich | vaadin-server:7.7.14, vaadin-shared:7.7.14 | |
| Wicket1 | @jacob-baines | wicket-util:6.23.0, slf4j-api:1.6.4 | |

Plugins for Burp Suite (detection, ysoserial integration):

Full shell (pipes, redirects and other stuff):

How it works:

ysoserial fork with additional payloads

https://github.com/wh1t3p1g/ysoserial

JRE8u20_RCE_Gadget

https://github.com/pwntester/JRE8u20_RCE_Gadget

Pure JRE 8 RCE Deserialization gadget

ACEDcup

https://github.com/GrrrDog/ACEDcup

File uploading via:

Universal billion-laughs DoS

https://gist.github.com/coekie/a27cc406fc9f3dc7a70d

Won't fix DoS via default Java classes (JRE)

Universal Heap overflows DoS using Arrays and HashMaps

https://github.com/topolik/ois-dos/

How it works:

Won't fix DoS using default Java classes (JRE)

DoS against Serialization Filtering (JEP-290)
Tool to search gadgets in source
Additional tools to test RMI:
Remote class detection:
Library for creating Java serialization data

Exploits

no spec tool - you don't need a special tool (just Burp/ZAP + payload)

RMI

ysoserial

Additional tools

JMX

ysoserial

mjet

JexBoss

JMXMP
JNDI/LDAP

https://github.com/zerothoughts/jndipoc

https://github.com/welk1n/JNDI-Injection-Exploit

JMS

JMET

JSF ViewState

no spec tool

JexBoss

vjdbc

no spec tool

T3 of Oracle Weblogic

loubia (tested on 11g and 12c, supports t3s)

JavaUnserializeExploits (doesn't work for all Weblogic versions)

WLT3Serial

CVE-2018-2628 sploit

IIOP of Oracle Weblogic

CVE-2020-2551 sploit

Oracle Weblogic (1)
Oracle Weblogic (2)

Exploit

Oracle Access Manager (1)
Oracle ADF Faces

no spec tool

IBM Websphere (1)

JavaUnserializeExploits

serialator

CoalfireLabs/java_deserialization_exploits

IBM Websphere (2)

no spec tool

IBM Websphere (3)

Metasploit

IIOP of IBM Websphere
Red Hat JBoss (1)

JavaUnserializeExploits

https://github.com/njfox/Java-Deserialization-Exploit

serialator

JexBoss

Red Hat JBoss 6.X

no spec tool

Red Hat JBoss 4.x

no spec tool

Jenkins (1)

JavaUnserializeExploits

JexBoss

Jenkins (2)

ysoserial

Jenkins (s)
CloudBees Jenkins

Sploit

JetBrains TeamCity

ysoserial

Restlet

no spec tool

RESTEasy

no spec tool

OpenNMS (1)

ysoserial

OpenNMS (2)

JMET

Progress OpenEdge RDBMS

ysoserial

Commvault Edge Server

no spec tool

Symantec Endpoint Protection Manager

serialator

Oracle MySQL Enterprise Monitor

no spec tool

serialator

PowerFolder Business Enterprise Suite

powerfolder-exploit-poc

Solarwinds Virtualization Manager

ysoserial

Cisco Prime Infrastructure

CoalfireLabs/java_deserialization_exploits

Cisco ACS

ysoserial

Cisco Unity Express

ysoserial

Cisco Unified CVP

ysoserial

NASDAQ BWISE

ysoserial

NICE ENGAGE PLATFORM
Apache Cassandra
Cloudera Zookeeper
Apache Olingo

no spec tool

Apache Dubbo

no spec tool

Apache XML-RPC

no spec tool

Apache Archiva

no spec tool

SAP NetWeaver

PoC

SAP Hybris

no spec tool

Sun Java Web Console

no spec tool

Apache MyFaces Trinidad

no spec tool

JBoss Richfaces
Apache Tomcat JMX

JexBoss

OpenText Documentum D2

exploit

Liferay

no spec tool

ScrumWorks Pro

PoC

ManageEngine Applications Manager

ysoserial

ManageEngine OpManager
ManageEngine Desktop Central

MSF exploit

Apache Shiro
HP IMC (Intelligent Management Center)

Metasploit module

HP IMC (Intelligent Management Center)

ysoserial

Apache Brooklyn
Elassandra
Micro Focus

Metasploit Exploit

IBM Qradar (1)
IBM Qradar (2)

Exploit

IBM InfoSphere JReport
Apache Kafka
Zoho ManageEngine ADSelfService Plus
Apache ActiveMQ - Client lib

JMET

Redhat/Apache HornetQ - Client lib

JMET

Oracle OpenMQ - Client lib

JMET

IBM WebSphereMQ - Client lib

JMET

Oracle Weblogic - Client lib

JMET

Pivotal RabbitMQ - Client lib

JMET

IBM MessageSight - Client lib

JMET

IIT Software SwiftMQ - Client lib

JMET

Apache ActiveMQ Artemis - Client lib

JMET

Apache QPID JMS - Client lib

JMET

Apache QPID - Client lib

JMET

Amazon SQS Java Messaging - Client lib

JMET

Axis/Axis2 SOAPMonitor

java -jar ysoserial-*-all.jar CommonsCollections1 'COMMAND_HERE' | nc TARGET_SERVER 5001

ysoserial

Apache Synapse

ysoserial

Apache Jmeter

ysoserial

Jolokia
RichFaces
Apache James

ysoserial

Oracle DB
Zimbra Collaboration
Adobe ColdFusion (1)
Adobe ColdFusion (2)
Adobe ColdFusion (3) / JNBridge
Apache SOLR (1)
Apache SOLR (2)
Adobe Experience Manager AEM
MySQL Connector/J
Pitney Bowes Spectrum
SmartBear ReadyAPI
NEC ESMPRO Manager
Apache OFBiz
NetMotion Mobility

ysoserial

Metasploit Exploit: exploit/windows/http/netmotion_mobility_mvcutil_deserialization

Bonita

ysoserial

Neo4j
Bitbucket Data Center
Jira Data Center / Jira Service Management Data Center
Nomulus

Detect

Code review
Traffic
Network
Burp plugins

Vulnerable apps (without public sploits/need more info)

Spring Service Invokers (HTTP, JMS, RMI...)
SAP P4
Apache ActiveMQ (2)
Atlassian Bamboo (1)
Atlassian Bamboo (2)
Atlassian Jira
Akka
Spring AMQP
Apache Tika
Apache HBase
Apache Camel
Apache Dubbo
Apache Spark
Apache Log4j (1)
Apache Log4j (2)
Apache Geode
Apache Ignite
Infinispan
Hazelcast
Gradle (gui)
Oracle Hyperion
Oracle Application Testing Suite
Red Hat JBoss BPM Suite
Red Hat Wildfly
VMWare vRealize Operations
VMWare vCenter/vRealize (various)
Cisco (various)
Cisco Security Manager
Lexmark Markvision Enterprise
McAfee ePolicy Orchestrator
HP IMC PLAT
HP iMC
HP Operations Orchestration
HP Asset Manager
HP Service Manager
HP Operations Manager
HP Release Control
HP Continuous Delivery Automation
HP P9000, XP7 Command View Advanced Edition (CVAE) Suite
HP Network Automation
Adobe Experience Manager
Unify OpenScape (various)
Apache OFBiz (1)
Apache OFBiz (2)
Apache Tomcat (1)
Apache Tomcat (2)
Apache TomEE
IBM Cognos BI
IBM Maximo Asset Management
Novell NetIQ Sentinel
ForgeRock OpenAM
F5 (various)
Hitachi (various)
NetApp (various)
Citrix XenMobile Server
IBM WebSphere (1)
IBM WebSphere (2)
IBM WebSphere (3)
IBM WebSphere (4)
IBM WebSphere (5)
IBM WebSphere (6)
IBM WebSphere (7)
Code42 CrashPlan
Apache OpenJPA
Dell EMC VNX Monitoring and Reporting
Taoensso Nippy
CAS
SolarWinds Network Performance Monitor
Apache Batchee
Apache JCS
Apache OpenWebBeans

Protection

For Android

Main talks & presentations & examples

Tools

XMLEncoder (XML)

How it works:

Detect

Code review
Burp plugins

Exploits

Oracle Weblogic

Exploit

Oracle RDBMS

XStream (XML/JSON/various)

How it works:

Payload generators

Exploits

Apache Struts (S2-052)

Exploit

Detect

Code review
Burp plugins

Vulnerable apps (without public sploits/need more info):

Atlassian Bamboo
Jenkins

Kryo (binary)

How it works:

Payload generators

Detect

Code review
Burp plugins

Hessian/Burlap (binary/XML)

How it works:

Payload generators

Detect

Code review
Burp plugins

Vulnerable apps (without public sploits/need more info):

Apache Camel
MobileIron MDM
Apache Dubbo

Castor (XML)

How it works:

Payload generators

Detect

Code review
Burp plugins

Vulnerable apps (without public sploits/need more info):

OpenNMS
Apache Camel

json-io (JSON)

How it works:

Exploitation examples:

Payload generators

Detect

Code review
Burp plugins

Jackson (JSON)

vulnerable in specific configuration

How it works:

Payload generators / gadget chains

Detect

Code review
Burp plugins

Exploits

FasterXML
Liferay

Vulnerable apps (without public sploits/need more info):

Apache Camel

Fastjson (JSON)

How it works:

Detect

Code review
Burp plugins

Payload generators

Genson (JSON)

How it works:

Detect

Code review
Burp plugins

Flexjson (JSON)

How it works:

Payload generators / gadget chains

Detect

Code review

Exploits

Liferay

Jodd (JSON)

vulnerable in a non-default configuration when setClassMetadataName() is set

Payload generators / gadget chains

Detect

Code review

Red5 IO AMF (AMF)

How it works:

Payload generators

Detect

Code review
Burp plugins

Vulnerable apps (without public sploits/need more info):

Apache OpenMeetings

Apache Flex BlazeDS (AMF)

How it works:

Payload generators

Detect

Code review
Burp plugins

Vulnerable apps:

Oracle Business Intelligence
Adobe ColdFusion
Draytek VigorACS
Apache BlazeDS
VMWare VCenter
HP Systems Insight Manager
TIBCO Data Virtualization

Flamingo AMF (AMF)

How it works:

Detect

Burp plugins

GraniteDS (AMF)

How it works:

Detect

Burp plugins

WebORB for Java (AMF)

How it works:

Detect

Burp plugins

SnakeYAML (YAML)

How it works:

Payload generators

Detect

Code review
Burp plugins

Vulnerable apps (without public sploits/need more info):

Resteasy
Apache Camel
Apache Brooklyn
Apache ShardingSphere

jYAML (YAML)

How it works:

Payload generators

Detect

Burp plugins

YamlBeans (YAML)

How it works:

Payload generators

Detect

Burp plugins

"Safe" deserialization

Some serialization libs are safe (or almost safe): https://github.com/mbechler/marshalsec

However, this is not a recommendation, just a list of other libs that have been researched by someone: