Skip to content

自学时写的适合Java安全小白用来学习Java反序列化漏洞的文章和Demo。(随懒狗的学习进度持续更新🐶)。Some articles and demos written during self-study which are suitable for Java Security beginner to learn the Insecure Deserialization.

License

Notifications You must be signed in to change notification settings

chenlvtang/JavaUnserialization

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

33 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Language : English | 简中

0x00 Notes


Article-Link: The Demo Files

PS: The Articles only have Chinese Version. But u can still learn from the demo. QAQ

Reflection_RCE&&Serialization

Java反序列化の初见(The first time to use Reflection and Serializtion with Java):

  • Java-Reflection_RCE-Example
  • Java-Serialization-Example

URLDNS-Gadget

Java反序列化之URLDNS(Analyse and learn the URLDNS-Gadget):

  • URLDNS-Gadget

CC1-Gadget

Java反序列化之CC1其一(Analyse and learn the CC1-Gadget of TransformedMap):

  • CommonsCollections1-Gadget

Java反序列化之CC1其二(Analyse and learn the CC1-Gadget of LazyMap):

  • CommonsCollections1-Gadget

CC2-Gadget

Java反序列化之CC2(Analyse and learn the CC2-Gadget):

  • CommonsCollections2-Gadget

CC3-Gadget

Java反序列化之CC3(Analyse and learn the CC3-Gadget):

  • CommonsCollections3-Gadget

CC4-Gadget

Java反序列化之CC4(Analyse and learn the CC4-Gadget):

  • CommonsCollections4-Gadget

CC5&&CC6-Gadget

Java反序列化之CC5与CC6(Analyse and learn the CC5,CC6-Gadget):

  • CommonsCollections5-Gadget
  • CommonsCollections6-Gadget

RMI

关于Java中RMI的个人拙见(The frist time to use RMI):

  • RMI-Example

RMI的利用 (Hack with RMI and CC3-Gadget):

  • RMI-Exp_CC3 (The used payload only suit for JDK7)

JNDI

JNDI注入の个人拙见(What is JNDI && Hack with JNDI):

  • JNDI-Example
  • JNDI-Exp_RMI (No demo for LDAP,but Article has a example)

JDK8u191+等高版本下的JNDI注入(How to hack with JNDI in later verison):

  • JNDI-Exp_BeanFactory

  • JNDI-Exp_LDAPHacker_CC3(Please Use JDK8+,because I used Base64 module in it QAQ)

  • JNDI-Exp_LDAPClient_CC3(Please Use JDK7,because the CC3 payload I used in Server only suit for JDK7. ORZ)

About

自学时写的适合Java安全小白用来学习Java反序列化漏洞的文章和Demo。(随懒狗的学习进度持续更新🐶)。Some articles and demos written during self-study which are suitable for Java Security beginner to learn the Insecure Deserialization.

Topics

Resources

License

Code of conduct

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages