search

(De)serialization

marshalsecarrow-up-right: Java Unmarshaller Security - Turning your data into code execution.

java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.<Marshaller> [-a] [-v] [-t] [<gadget_type> [<arguments...>]]

ysoserial: A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.

ysoserial.netarrow-up-right: Deserialization payload generator for a variety of .NET formatters.

rmiscoutarrow-up-right: RMIScout enables wordlist and bruteforce attacks against exposed Java RMI interfaces to safely guess method signatures without invocation. It supports multiple Java RMI protocols, method invocation, and exploitation.

JNDI-Injection-Exploitarrow-up-right: JNDI-Injection-Exploit is a tool for generating workable JNDI links and provide background services by starting RMI server,LDAP server and HTTP server. RMI server and LDAP server are based on marshalsarrow-up-right and modified further to link with HTTP server.

beanshooterarrow-up-right: Beanshooter is a command line tool written in Java, which helps to identify common vulnerabilities on JMX endpoints.

mjetarrow-up-right: MJET allows easy exploitation of insecure configured JMX services. Additional background information can be found herearrow-up-right and herearrow-up-right.

PreviousCommand and Control (C&C)NextLateral Movement

Last updated