{"id":13495060,"url":"https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet","last_synced_at":"2025-03-28T16:31:16.844Z","repository":{"id":38336439,"uuid":"52396258","full_name":"GrrrDog/Java-Deserialization-Cheat-Sheet","owner":"GrrrDog","description":"The cheat sheet about Java Deserialization vulnerabilities","archived":false,"fork":false,"pushed_at":"2023-05-26T15:18:01.000Z","size":211,"stargazers_count":3023,"open_issues_count":2,"forks_count":596,"subscribers_count":138,"default_branch":"master","last_synced_at":"2024-10-15T11:03:29.949Z","etag":null,"topics":["java-deserialization","javadeser","pentesting"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/GrrrDog.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2016-02-23T22:28:57.000Z","updated_at":"2024-10-14T05:46:21.000Z","dependencies_parsed_at":"2022-07-13T18:21:06.254Z","dependency_job_id":"52128a9a-d4b4-4560-b6f9-e4f98d2b0a51","html_url":"https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GrrrDog%2FJava-Deserialization-Cheat-Sheet","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GrrrDog%2FJava-Deserialization-Cheat-Sheet/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GrrrDog%2FJava-Deserialization-Cheat-Sheet/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GrrrDog%2FJava-Deserialization-Cheat-Sheet/manifests",
"owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/GrrrDog","download_url":"https://codeload.github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":222395633,"owners_count":16977595,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["java-deserialization","javadeser","pentesting"],"created_at":"2024-07-31T19:01:30.824Z","updated_at":"2024-10-31T10:30:16.517Z","avatar_url":"https://github.com/GrrrDog.png","language":null,"readme":"# Java-Deserialization-Cheat-Sheet\nA cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization libraries.\n\nPlease, use **#javadeser** hash tag for tweets.\n\n##  Table of content\n- [Java Native Serialization (binary)](#java-native-serialization-binary)\n\t- [Overview](#overview)\n\t- [Main talks \u0026 presentations \u0026 docs](#main-talks--presentations--docs)\n\t- [Payload generators](#payload-generators)\n\t- [Exploits](#exploits)\n\t- [Detect](#detect)\n\t- [Vulnerable apps (without public sploits/need more info)](#vulnerable-apps-without-public-sploitsneed-more-info)\n\t- [Protection](#protection)\n\t- [For Android](#for-android)\n- [XMLEncoder (XML)](#xmlencoder-xml)\n- [XStream (XML/JSON/various)](#xstream-xmljsonvarious)\n- [Kryo (binary)](#kryo-binary)\n- [Hessian/Burlap (binary/XML)](#hessianburlap-binaryxml)\n- [Castor (XML)](#castor-xml)\n- [json-io (JSON)](#json-io-json)\n- [Jackson (JSON)](#jackson-json)\n- [Fastjson (JSON)](#fastjson-json)\n- [Genson 
(JSON)](#genson-json)\n- [Flexjson (JSON)](#flexjson-json)\n- [Jodd (JSON)](#jodd-json)\n- [Red5 IO AMF (AMF)](#red5-io-amf-amf)\n- [Apache Flex BlazeDS (AMF)](#apache-flex-blazeds-amf)\n- [Flamingo AMF  (AMF)](#flamingo-amf--amf)\n- [GraniteDS  (AMF)](#graniteds--amf)\n- [WebORB for Java  (AMF)](#weborb-for-java--amf)\n- [SnakeYAML (YAML)](#snakeyaml-yaml)\n- [jYAML (YAML)](#jyaml-yaml)\n- [YamlBeans (YAML)](#yamlbeans-yaml)\n- [\"Safe\" deserialization](#safe-deserialization)\n\n## Java Native Serialization (binary)\n\n### Overview\n- [Java Deserialization Security FAQ](https://christian-schneider.net/JavaDeserializationSecurityFAQ.html)\n- [From Foxgloves Security](https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n\n### Main talks \u0026 presentations \u0026 docs\n##### Marshalling Pickles\nby [@frohoff](https://twitter.com/frohoff) \u0026 [@gebl](https://twitter.com/gebl)\n\n- [Video](https://www.youtube.com/watch?v=KSA7vUkXGSg)\n- [Slides](https://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles)\n- [Other stuff](https://frohoff.github.io/appseccali-marshalling-pickles/ )\n\n##### Exploiting Deserialization Vulnerabilities in Java\nby [@matthias_kaiser](https://twitter.com/matthias_kaiser)\n\n- [Video](https://www.youtube.com/watch?v=VviY3O-euVQ)\n\n##### Serial Killer: Silently Pwning Your Java Endpoints\nby [@pwntester](https://twitter.com/pwntester) \u0026 [@cschneider4711](https://twitter.com/cschneider4711)\n\n- [Slides](https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf)\n- [White Paper](https://community.hpe.com/hpeb/attachments/hpeb/off-by-on-software-security-blog/722/1/HPE-SR%20whitepaper%20java%20deserialization%20RSA2016.pdf)\n- [Bypass Gadget Collection](https://github.com/pwntester/SerialKillerBypassGadgetCollection)\n\n##### Deserialize My Shorts: Or How I 
Learned To Start Worrying and Hate Java Object Deserialization\nby [@frohoff](https://twitter.com/frohoff) \u0026 [@gebl](https://twitter.com/gebl)\n\n- [Slides](https://www.slideshare.net/frohoff1/deserialize-my-shorts-or-how-i-learned-to-start-worrying-and-hate-java-object-deserialization)\n\n##### Surviving the Java serialization apocalypse\nby [@cschneider4711](https://twitter.com/cschneider4711) \u0026 [@pwntester](https://twitter.com/pwntester)\n\n- [Slides](https://www.slideshare.net/cschneider4711/surviving-the-java-deserialization-apocalypse-owasp-appseceu-2016)\n- [Video](https://www.youtube.com/watch?v=m1sH240pEfw)\n- [PoC for Scala, Grovy](https://github.com/pwntester/JVMDeserialization)\n\n##### Java Deserialization Vulnerabilities - The Forgotten Bug Class\nby [@matthias_kaiser](https://twitter.com/matthias_kaiser)\n\n- [Slides](https://www.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class)\n\n##### Pwning Your Java Messaging With Deserialization Vulnerabilities\nby [@matthias_kaiser](https://twitter.com/matthias_kaiser)\n\n- [Slides](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf)\n- [White Paper](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf)\n- [Tool for jms hacking](https://github.com/matthiaskaiser/jmet)\n\n##### Defending against Java Deserialization Vulnerabilities\nby [@lucacarettoni](https://twitter.com/lucacarettoni)\n\n- [Slides](https://www.slideshare.net/ikkisoft/defending-against-java-deserialization-vulnerabilities)\n\n##### A Journey From JNDI/LDAP Manipulation To Remote Code Execution Dream Land\nby [@pwntester](https://twitter.com/pwntester) and O. 
Mirosh\n\n- [Slides](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf)\n- [White Paper](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf)\n\n##### Fixing the Java Serialization mess\nby [@e_rnst](https://twitter.com/e_rnst)\n\n- [Slides+Source](https://t.co/zsDnQBgw0Y)\n\n##### Blind Java Deserialization\nby deadcode.me\n\n- [Part I - Commons Gadgets](https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html)\n- [Part II - exploitation rev 2](https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html)\n\n##### An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (JVM)\nby [@joaomatosf](https://twitter.com/joaomatosf)\n\n- [Slides](https://www.slideshare.net/joaomatosf_/an-overview-of-deserialization-vulnerabilities-in-the-java-virtual-machine-jvm-h2hc-2017)\n- [Examples](https://github.com/joaomatosf/JavaDeserH2HC)\n\n##### Automated Discovery of Deserialization Gadget Chains\nby [@ianhaken](https://twitter.com/ianhaken)\n\n- [Video](https://youtube.com/watch?v=wPbW6zQ52w8)\n- [Slides](https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/DEFCON-26-Ian-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains.pdf)\n- [Tool](https://github.com/JackOfMostTrades/gadgetinspector)\n\n##### An Far Sides Of Java Remote Protocols\nby [@_tint0](https://twitter.com/_tint0)\n\n- [Slides](https://i.blackhat.com/eu-19/Wednesday/eu-19-An-Far-Sides-Of-Java-Remote-Protocols.pdf)\n\n### Payload generators\n##### ysoserial\n[https://github.com/frohoff/ysoserial](https://github.com/frohoff/ysoserial)\n\nysoserial 0.6 payloads:\n\npayload | author | dependencies | impact (if not RCE)\n------|--------|------ |------\nAspectJWeaver       |@Jang                       |aspectjweaver:1.9.2, commons-collections:3.2.2\nBeanShell1          |@pwntester, @cschneider4711 |bsh:2.0b5\nC3P0           
     |@mbechler                   |c3p0:0.9.5.2, mchange-commons-java:0.2.11\nClick1              |@artsploit                  |click-nodeps:2.3.0, javax.servlet-api:3.1.0\nClojure             |@JackOfMostTrades           |clojure:1.8.0\nCommonsBeanutils1   |@frohoff                    |commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2\nCommonsCollections1 |@frohoff                    |commons-collections:3.1\nCommonsCollections2 |@frohoff                    |commons-collections4:4.0\nCommonsCollections3 |@frohoff                    |commons-collections:3.1\nCommonsCollections4 |@frohoff                    |commons-collections4:4.0\nCommonsCollections5 |@matthias_kaiser, @jasinner |commons-collections:3.1\nCommonsCollections6 |@matthias_kaiser            |commons-collections:3.1\nCommonsCollections7 |@scristalli, @hanyrax, @EdoardoVignati |commons-collections:3.1\nFileUpload1         |@mbechler                   |commons-fileupload:1.3.1, commons-io:2.4 | file uploading\nGroovy1             |@frohoff                    |groovy:2.3.9\nHibernate1          |@mbechler|\nHibernate2          |@mbechler|\nJBossInterceptors1  |@matthias_kaiser            |javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21\nJRMPClient          |@mbechler|\nJRMPListener        |@mbechler|\nJSON1               |@mbechler                   |json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1\nJavassistWeld1      |@matthias_kaiser            |javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21\nJdk7u21             |@frohoff|\nJython1             |@pwntester, @cschneider4711 |jython-standalone:2.5.2\nMozillaRhino1       |@matthias_kaiser          
  |js:1.7R2\nMozillaRhino2       |@_tint0                     |js:1.7R2\nMyfaces1            |@mbechler|\nMyfaces2            |@mbechler|\nROME                |@mbechler                   |rome:1.0\nSpring1             |@frohoff                    |spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE\nSpring2             |@mbechler                   |spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2\nURLDNS              |@gebl|\t\t\t\t\t\t |jre only vuln detect\nVaadin1             |@kai_ullrich                |vaadin-server:7.7.14, vaadin-shared:7.7.14  \nWicket1             |@jacob-baines               |wicket-util:6.23.0, slf4j-api:1.6.4\n\nPlugins for Burp Suite (detection, ysoserial integration ):\n- [Freddy](https://github.com/nccgroup/freddy)\n- [JavaSerialKiller](https://github.com/NetSPI/JavaSerialKiller)\n- [Java Deserialization Scanner](https://github.com/federicodotta/Java-Deserialization-Scanner)\n- [Burp-ysoserial](https://github.com/summitt/burp-ysoserial)\n- [SuperSerial](https://github.com/DirectDefense/SuperSerial)\n- [SuperSerial-Active](https://github.com/DirectDefense/SuperSerial-Active)\n\nFull shell (pipes, redirects and other stuff):\n- [$@|sh – Or: Getting a shell environment from Runtime.exec](http://codewhitesec.blogspot.ru/2015/03/sh-or-getting-shell-environment-from.html)\n- Set String[] for Runtime.exec (patch ysoserial's payloads)\n- [Shell Commands Converter](https://ares-x.com/tools/runtime-exec/)\n\nHow it works:\n- [https://blog.srcclr.com/commons-collections-deserialization-vulnerability-research-findings/](https://blog.srcclr.com/commons-collections-deserialization-vulnerability-research-findings/)\n- [http://gursevkalra.blogspot.ro/2016/01/ysoserial-commonscollections1-exploit.html](http://gursevkalra.blogspot.ro/2016/01/ysoserial-commonscollections1-exploit.html)\n\n##### ysoserial fork with additional 
payloads\n[https://github.com/wh1t3p1g/ysoserial](https://github.com/wh1t3p1g/ysoserial)\n\n- CommonsCollection8,9,10\n- RMIRegistryExploit2,3\n- RMIRefListener,RMIRefListener2\n- PayloadHTTPServer\n- Spring3\n\n\n##### JRE8u20_RCE_Gadget\n[https://github.com/pwntester/JRE8u20_RCE_Gadget](https://github.com/pwntester/JRE8u20_RCE_Gadget)\n\nPure JRE 8 RCE Deserialization gadget\n\n##### ACEDcup\n[https://github.com/GrrrDog/ACEDcup](https://github.com/GrrrDog/ACEDcup)\n\nFile uploading via:\n- Apache Commons FileUpload \u003c= 1.3 (CVE-2013-2186) and Oracle JDK \u003c 7u40\n\n##### Universal billion-laughs DoS\n[https://gist.github.com/coekie/a27cc406fc9f3dc7a70d](https://gist.github.com/coekie/a27cc406fc9f3dc7a70d)\n\nWon't fix DoS via default Java classes (JRE)\n\n##### Universal Heap overflows DoS using Arrays and HashMaps\n[https://github.com/topolik/ois-dos/](https://github.com/topolik/ois-dos/)\n\nHow it works:\n- [Java Deserialization DoS - payloads](http://topolik-at-work.blogspot.ru/2016/04/java-deserialization-dos-payloads.html)\n\nWon't fix DoS using default Java classes (JRE)\n\n##### DoS against Serialization Filtering (JEP-290)\n- [CVE-2018-2677](https://www.waratek.com/waratek-identifies-two-new-deserialization-vulnerabilities-cve-2018-2677/)\n\n##### Tool to search gadgets in source\n- [Gadget Inspector](https://github.com/JackOfMostTrades/gadgetinspector)\n- [Article about Gadget Inspector](https://paper.seebug.org/1034/)\n\n##### Additional tools to test RMI:\n- [BaRMIe](https://github.com/NickstaDB/BaRMIe)\n- [Barmitza](https://github.com/mogwailabs/rmi-deserialization/blob/master/barmitzwa.groovy)\n- [RMIScout](https://labs.bishopfox.com/tech-blog/rmiscout)\n- [attackRmi](https://github.com/waderwu/attackRmi)\n- [Remote Method Guesser](https://github.com/qtc-de/remote-method-guesser)\n\n##### Remote class detection:\n- [GadgetProbe: Exploiting Deserialization to Brute-Force the Remote Classpath](https://know.bishopfox.com/research/gadgetprobe)\n- 
[GadgetProbe](https://github.com/BishopFox/GadgetProbe)\n\n- [Remote Java classpath enumeration with EnumJavaLibs](https://www.redtimmy.com/web-application-hacking/remote-java-classpath-enumeration-with-enumjavalibs/)\n- [EnumJavaLibs](https://github.com/redtimmy/EnumJavaLibs)\n\n##### Library for creating Java serialization data\n- [serial-builder](https://github.com/Marcono1234/serial-builder)\n\n### Exploits\n\nno spec tool - You don't need a special tool (just Burp/ZAP + payload)\n\n##### RMI\n- *Protocol*\n- *Default - 1099/tcp for rmiregistry*\n- partially patched in JRE with JEP290 (JDK 8u121, JDK 7u131, JDK 6u141)\n- [Attacking Java RMI services after JEP 290](https://mogwailabs.de/en/blog/2019/03/attacking-java-rmi-services-after-jep-290/)\n- [An Trinh's RMI Registry Bypass](https://mogwailabs.de/blog/2020/02/an-trinhs-rmi-registry-bypass/)\n- [RMIScout](https://labs.bishopfox.com/tech-blog/rmiscout)\n\n[ysoserial](#ysoserial)\n\n[Additional tools](#additional-tools-to-test-rmi)\n\n##### JMX\n- *JMX on RMI*\n- + [CVE-2016-3427](http://engineering.pivotal.io/post/java-deserialization-jmx/)\n- partially patched in JRE with JEP290 (JDK 8u121, JDK 7u131, JDK 6u141)\n- [Attacking RMI based JMX services (after JEP 290)](https://mogwailabs.de/blog/2019/04/attacking-rmi-based-jmx-services/)\n\n[ysoserial](#ysoserial)\n\n[mjet](https://github.com/mogwailabs/mjet)\n\n[JexBoss](https://github.com/joaomatosf/jexboss)\n\n##### JMXMP\n- *Special JMX protocol*\n- [The Curse of Old Java Libraries](https://www.acunetix.com/blog/web-security-zone/old-java-libraries/)\n\n##### JNDI/LDAP\n- When we control an address for lookup of JNDI (context.lookup(address)) and can have backconnect from a server\n- [Full info](#a-journey-from-jndildap-manipulation-to-remote-code-execution-dream-land)\n- [JNDI remote code injection](http://zerothoughts.tumblr.com/post/137769010389/fun-with-jndi-remote-code-injection)\n- [Exploiting JNDI Injections in 
Java](https://www.veracode.com/blog/research/exploiting-jndi-injections-java)\n\n[https://github.com/zerothoughts/jndipoc](https://github.com/zerothoughts/jndipoc)\n\n[https://github.com/welk1n/JNDI-Injection-Exploit](https://github.com/welk1n/JNDI-Injection-Exploit)\n\n##### JMS\n- [Full info](#pwning-your-java-messaging-with-deserialization-vulnerabilities)\n\n[JMET](https://github.com/matthiaskaiser/jmet)\n\n##### JSF ViewState\n- if no encryption or good MAC\n\nno spec tool\n\n[JexBoss](https://github.com/joaomatosf/jexboss)\n\n##### vjdbc\n- JDBC via HTTP library\n- all versions are vulnerable\n- [Details](https://www.acunetix.com/blog/web-security-zone/old-java-libraries/)\n\nno spec tool\n\n##### T3 of Oracle Weblogic\n- *Protocol*\n- *Default - 7001/tcp on localhost interface*\n- [CVE-2015-4852](https://www.vulners.com/search?query=CVE-2015-4852)\n- [Blacklist bypass - CVE-2017-3248](https://www.tenable.com/security/research/tra-2017-07)\n- [Blacklist bypass - CVE-2017-3248 PoC](https://github.com/quentinhardy/scriptsAndExploits/blob/master/exploits/weblogic/exploit-CVE-2017-3248-bobsecq.py)\n- [Blacklist bypass - CVE-2018-2628](https://github.com/brianwrf/CVE-2018-2628)\n- [Blacklist bypass - CVE-2018-2893](https://github.com/pyn3rd/CVE-2018-2893)\n- [Blacklist bypass - CVE-2018-3245](https://blogs.projectmoon.pw/2018/10/19/Oracle-WebLogic-Two-RCE-Deserialization-Vulnerabilities/)\n- [Blacklist bypass - CVE-2018-3191](https://mp.weixin.qq.com/s/ebKHjpbQcszAy_vPocW0Sg)\n- [CVE-2019-2725](https://paper.seebug.org/910/)\n- [CVE-2020-2555](https://www.thezdi.com/blog/2020/3/5/cve-2020-2555-rce-through-a-deserialization-bug-in-oracles-weblogic-server)\n- [CVE-2020-2883](https://github.com/Y4er/CVE-2020-2883)\n- [CVE-2020-2963](https://nvd.nist.gov/vuln/detail/CVE-2020-2963)\n- [CVE-2020-14625](https://www.zerodayinitiative.com/advisories/ZDI-20-885/)\n- [CVE-2020-14644](https://github.com/rufherg/WebLogic_Basic_Poc/tree/master/poc)\n- 
[CVE-2020-14645](https://github.com/rufherg/WebLogic_Basic_Poc/tree/master/poc)\n- [CVE-2020-14756](https://github.com/Y4er/CVE-2020-14756)\n- [CVE-2020-14825](https://github.com/rufherg/WebLogic_Basic_Poc/tree/master/poc)\n- [CVE-2020-14841](https://www.vulners.com/search?query=CVE-2020-14841)\n- [CVE-2021-2394](https://github.com/BabyTeam1024/CVE-2021-2394)\n- [SSRF JDBC](https://pyn3rd.github.io/2022/06/18/Weblogic-SSRF-Involving-Deserialized-JDBC-Connection/)\n- [CVE-2023-21931](https://github.com/gobysec/Weblogic/blob/main/WebLogic_CVE-2023-21931_en_US.md)\n\n[loubia](https://github.com/metalnas/loubia) (tested on 11g and 12c, supports t3s)\n\n[JavaUnserializeExploits](https://github.com/foxglovesec/JavaUnserializeExploits) (doesn't work for all Weblogic versions)\n\n[WLT3Serial](https://github.com/Bort-Millipede/WLT3Serial) \n\n[CVE-2018-2628 sploit](https://github.com/brianwrf/CVE-2018-2628)\n\n##### IIOP of Oracle Weblogic\n- *Protocol*\n- *Default - 7001/tcp on localhost interface*\n\n- [CVE-2020-2551](https://www.vulners.com/search?query=CVE-2020-2551)\n- [Details](https://paper.seebug.org/1130/)\n\n[CVE-2020-2551 sploit](https://github.com/Y4er/CVE-2020-2551)\n\n##### Oracle Weblogic (1)\n- auth required\n- [How it works](https://blogs.projectmoon.pw/2018/10/19/Oracle-WebLogic-Two-RCE-Deserialization-Vulnerabilities/)\n- [CVE-2018-3252](https://www.vulners.com/search?query=CVE-2018-3252)\n\n##### Oracle Weblogic (2)\n- auth required\n- [CVE-2021-2109](https://www.vulners.com/search?query=CVE-2021-2109)\n\n[Exploit](https://packetstormsecurity.com/files/161053/Oracle-WebLogic-Server-14.1.1.0-Remote-Code-Execution.html)\n\n##### Oracle Access Manager (1)\n- [CVE-2021-35587](https://testbnull.medium.com/oracle-access-manager-pre-auth-rce-cve-2021-35587-analysis-1302a4542316)\n\n##### Oracle ADF Faces\n- [CVE-2022–21445](https://peterjson.medium.com/miracle-one-vulnerability-to-rule-them-all-c3aed9edeea2)\n- /appcontext/afr/test/remote/payload/\n\nno spec 
tool\n\n##### IBM Websphere (1)\n- *wsadmin*\n- *Default port - 8880/tcp*\n- [CVE-2015-7450](https://www.vulners.com/search?query=CVE-2015-7450)\n\n[JavaUnserializeExploits](https://github.com/foxglovesec/JavaUnserializeExploits)\n\n[serialator](https://github.com/roo7break/serialator)\n\n[CoalfireLabs/java_deserialization_exploits](https://github.com/Coalfire-Research/java-deserialization-exploits/tree/master/WebSphere)\n\n##### IBM Websphere (2)\n- When using custom form authentication\n- WASPostParam cookie\n- [Full info](https://lab.mediaservice.net/advisory/2016-02-websphere.txt)\n\nno spec tool\n\n##### IBM Websphere (3)\n- IBM WAS DMGR\n- special port \n- [CVE-2019-4279](https://www.vulners.com/search?query=CVE-2019-4279)\n- [ibm10883628](https://www-01.ibm.com/support/docview.wss?uid=ibm10883628)\n- [Exploit](https://vulners.com/exploitdb/EDB-ID:46969?)\n\nMetasploit\n\n##### IIOP of IBM Websphere \n- *Protocol*\n- 2809, 9100, 9402, 9403\n- [CVE-2020-4450](https://www.vulners.com/search?query=CVE-2020-4450)\n- [CVE-2020-4449](https://www.vulners.com/search?query=CVE-2020-4449)\n- [Abusing Java Remote Protocols in IBM WebSphere](https://www.thezdi.com/blog/2020/7/20/abusing-java-remote-protocols-in-ibm-websphere)\n- [Vuln Details](https://www.freebuf.com/vuls/246928.html)\n\n##### Red Hat JBoss (1)\n- *http://jboss_server/invoker/JMXInvokerServlet*\n- *Default port - 8080/tcp*\n- [CVE-2015-7501](https://www.vulners.com/search?query=CVE-2015-7501)\n\n[JavaUnserializeExploits](https://github.com/foxglovesec/JavaUnserializeExploits)\n\n[https://github.com/njfox/Java-Deserialization-Exploit](https://github.com/njfox/Java-Deserialization-Exploit)\n\n[serialator](https://github.com/roo7break/serialator)\n\n[JexBoss](https://github.com/joaomatosf/jexboss)\n\n##### Red Hat JBoss 6.X\n- *http://jboss_server/invoker/readonly*\n- *Default port - 8080/tcp*\n- [CVE-2017-12149](https://www.vulners.com/search?query=CVE-2017-12149)\n- JBoss 6.X and EAP 5.X \n- 
[Details](https://github.com/joaomatosf/JavaDeserH2HC)\n\nno spec tool\n\n##### Red Hat JBoss 4.x\n- *http://jboss_server/jbossmq-httpil/HTTPServerILServlet/*\n- \u003c= 4.x\n- [CVE-2017-7504](https://www.vulners.com/search?query=CVE-2017-7504)\n\nno spec tool\n\n##### Jenkins (1)\n- *Jenkins CLI*\n- *Default port - High number/tcp*\n- [CVE-2015-8103](https://www.vulners.com/search?query=CVE-2015-8103)\n- [CVE-2015-3253](https://www.vulners.com/search?query=CVE-2015-3253)\n\n[JavaUnserializeExploits](https://github.com/foxglovesec/JavaUnserializeExploits)\n\n[JexBoss](https://github.com/joaomatosf/jexboss)\n\n##### Jenkins (2)\n- patch \"bypass\" for [Jenkins (1)](#jenkins-1)\n- [CVE-2016-0788](https://www.vulners.com/search?query=CVE-2016-0788)\n- [Details of exploit](https://www.insinuator.net/2016/07/jenkins-remoting-rce-ii-the-return-of-the-ysoserial/)\n\n[ysoserial](#ysoserial)\n\n##### Jenkins (3)\n- *Jenkins CLI LDAP*\n- *Default port - High number/tcp*\n- \u003c= 2.32\n- \u003c= 2.19.3 (LTS)\n- [CVE-2016-9299](https://www.vulners.com/search?query=CVE-2016-9299)\n\n##### CloudBees Jenkins\n- \u003c= 2.32.1\n- [CVE-2017-1000353](https://www.vulners.com/search?query=CVE-2017-1000353)\n- [Details](https://blogs.securiteam.com/index.php/archives/3171)\n\n[Sploit](https://blogs.securiteam.com/index.php/archives/3171)\n\n##### JetBrains TeamCity\n- RMI\n\n[ysoserial](#ysoserial)\n\n##### Restlet\n- *\u003c= 2.1.2*\n- *When Rest API accepts serialized objects (uses ObjectRepresentation)*\n\nno spec tool\n\n##### RESTEasy\n- *When Rest API accepts serialized objects (uses @Consumes({\"\\*/\\*\"}) or \"application/\\*\" )*\n- [Details and examples](https://0ang3el.blogspot.ru/2016/06/note-about-security-of-resteasy-services.html)\n\nno spec tool\n\n##### OpenNMS (1)\n- RMI\n\n[ysoserial](#ysoserial)\n\n##### OpenNMS (2)\n- [CVE-2020-12760/NMS-12673](https://issues.opennms.org/browse/NMS-12673)\n- [JMS](#jms)\n\n[JMET](https://github.com/matthiaskaiser/jmet)\n\n##### Progress 
OpenEdge RDBMS\n- all versions\n- RMI\n\n[ysoserial](#ysoserial)\n\n#####  Commvault Edge Server\n- [CVE-2015-7253](https://www.vulners.com/search?query=CVE-2015-7253)\n- Serialized object in cookie\n\nno spec tool\n\n##### Symantec Endpoint Protection Manager\n- */servlet/ConsoleServlet?ActionType=SendStatPing*\n- [CVE-2015-6555](https://www.vulners.com/search?query=CVE-2015-6555)\n\n[serialator](https://github.com/roo7break/serialator)\n\n##### Oracle MySQL Enterprise Monitor\n- *https://[target]:18443/v3/dataflow/0/0*\n- [CVE-2016-3461](http://www.tenable.com/security/research/tra-2016-11)\n\nno spec tool\n\n[serialator](https://github.com/roo7break/serialator)\n\n##### PowerFolder Business Enterprise Suite\n- custom(?) protocol (1337/tcp)\n- [MSA-2016-01](http://lab.mogwaisecurity.de/advisories/MSA-2016-01/)\n\n[powerfolder-exploit-poc](https://github.com/h0ng10/powerfolder-exploit-poc)\n\n##### Solarwinds Virtualization Manager\n- \u003c= 6.3.1\n- RMI\n- [CVE-2016-3642](https://www.vulners.com/search?query=CVE-2016-3642)\n\n[ysoserial](#ysoserial)\n\n##### Cisco Prime Infrastructure\n- *https://[target]/xmp_data_handler_service/xmpDataOperationRequestServlet*\n- \u003c= 2.2.3 Update 4\n- \u003c= 3.0.2\n- [CVE-2016-1291](https://www.vulners.com/search?query=CVE-2016-1291)\n\n[CoalfireLabs/java_deserialization_exploits](https://github.com/Coalfire-Research/java-deserialization-exploits/tree/master/CiscoPrime)\n\n##### Cisco ACS\n- \u003c= 5.8.0.32.2\n- RMI (2020 tcp)\n- [CSCux34781](https://quickview.cloudapps.cisco.com/quickview/bug/CSCux34781)\n\n[ysoserial](#ysoserial)\n\n##### Cisco Unity Express\n- RMI (port 1099 tcp)\n- version \u003c 9.0.6\n- [CVE-2018-15381](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-cue)\n\n[ysoserial](#ysoserial)\n\n##### Cisco Unified CVP\n- RMI (2098 and 2099)\n- [Details](https://www.redtimmy.com/java-hacking/jmx-rmi-multiple-applications-rce/)\n\n[ysoserial](#ysoserial)\n\n##### NASDAQ 
BWISE\n- RMI (port 81 tcp)\n- [Details](https://www.redtimmy.com/java-hacking/jmx-rmi-multiple-applications-rce/)\n- [CVE-2018-11247](https://www.vulners.com/search?query=CVE-2018-11247)\n\n[ysoserial](#ysoserial)\n\n##### NICE ENGAGE PLATFORM\n- JMX (port 6338 tcp)\n- [Details](https://www.redtimmy.com/java-hacking/jmx-rmi-multiple-applications-rce/)\n- [CVE-2019-7727](https://www.vulners.com/search?query=CVE-2019-7727)\n\n##### Apache Cassandra\n- JMX (port 7199 tcp)\n- [Details](https://www.redtimmy.com/java-hacking/jmx-rmi-multiple-applications-rce/)\n- [CVE-2018-8016](https://www.vulners.com/search?query=CVE-2018-8016)\n\n##### Cloudera Zookeeper\n- JMX (port 9010 tcp)\n- [Details](https://www.redtimmy.com/java-hacking/jmx-rmi-multiple-applications-rce/)\n\n##### Apache Olingo\n- version \u003c 4.7.0\n- [CVE-2019-17556](https://www.vulners.com/search?query=CVE-2019-17556)\n- [Details and examples](https://blog.gypsyengineer.com/en/security/cve-2019-17556-unsafe-deserialization-in-apache-olingo.html)\n\nno spec tool\n\n##### Apache Dubbo\n- [CVE-2019-17564](https://www.vulners.com/search?query=CVE-2019-17564)\n- [Details and examples](https://www.checkmarx.com/blog/apache-dubbo-unauthenticated-remote-code-execution-vulnerability)\n\nno spec tool\n\n##### Apache XML-RPC\n- all versions, no fix (the project is not supported)\n- POST XML request with \u003cex:serializable\u003e element\n- [Details and examples](https://0ang3el.blogspot.ru/2016/07/beware-of-ws-xmlrpc-library-in-your.html)\n\nno spec tool\n\n##### Apache Archiva\n- because it uses [Apache XML-RPC](#apache-xml-rpc)\n- [CVE-2016-5004](https://www.vulners.com/search?query=CVE-2016-5004)\n- [Details and examples](https://0ang3el.blogspot.ru/2016/07/beware-of-ws-xmlrpc-library-in-your.html)\n\nno spec tool\n\n##### SAP NetWeaver\n- *https://[target]/developmentserver/metadatauploader*\n- 
[CVE-2017-9844](https://erpscan.com/advisories/erpscan-17-014-sap-netweaver-java-deserialization-untrusted-user-value-metadatauploader/)\n\n[PoC](https://github.com/vah13/SAP_vulnerabilities/tree/5995daf7bac2e01a63dc57dcf5bbab70489bf6bb/CVE-2017-9844)\n\n##### SAP Hybris \n- */virtualjdbc/*\n- [CVE-2019-0344](https://www.vulners.com/search?query=CVE-2019-0344)\n\nno spec tool\n\n#####  Sun Java Web Console\n- admin panel for Solaris\n- \u003c v3.1.\n- [old DoS sploit](https://www.ikkisoft.com/stuff/SJWC_DoS.java)\n\nno spec tool\n\n##### Apache MyFaces Trinidad\n- 1.0.0 \u003c= version \u003c 1.0.13\n- 1.2.1 \u003c= version \u003c 1.2.14\n- 2.0.0 \u003c= version \u003c 2.0.1\n- 2.1.0 \u003c= version \u003c 2.1.1\n- it does not check MAC\n- [CVE-2016-5019](https://www.vulners.com/search?query=CVE-2016-5019)\n\nno spec tool\n\n##### JBoss Richfaces\n- Variation of exploitation CVE-2018-12532\n- [When EL Injection meets Java Deserialization](https://blog.tint0.com/2019/03/when-el-injection-meets-java-deserialization.html)\n\n##### Apache Tomcat JMX\n- JMX\n- [Patch bypass](http://seclists.org/oss-sec/2016/q4/502)\n- [CVE-2016-8735](https://www.vulners.com/search?query=CVE-2016-8735)\n\n[JexBoss](https://github.com/joaomatosf/jexboss)\n\n##### OpenText Documentum D2\n- *version 4.x*\n- [CVE-2017-5586](https://www.vulners.com/search?query=CVE-2017-5586)\n\n[exploit](https://www.exploit-db.com/exploits/41366/)\n\n##### Liferay\n- */api/spring*\n- */api/liferay*\n- \u003c= 7.0-ga3\n- if IP check works incorrectly\n- [Details](https://www.tenable.com/security/research/tra-2017-01)\n\nno spec tool\n\n##### ScrumWorks Pro\n- */UFC*\n- \u003c= 6.7.0\n- [Details](https://blogs.securiteam.com/index.php/archives/3387)\n\n[PoC](https://blogs.securiteam.com/index.php/archives/3387)\n\n##### ManageEngine Applications Manager\n- version \n- RMI\n- [CVE-2016-9498](https://www.vulners.com/search?query=CVE-2016-9498)\n\n[ysoserial](#ysoserial)\n\n##### ManageEngine OpManager\n- version 
\u003c 12.5.329\n- [Details with exploit CVE-2020-28653/CVE-2021-3287](https://haxolot.com/posts/2021/manageengine_opmanager_pre_auth_rce/)\n\n##### ManageEngine Desktop Central\n- version \u003c 10.0.474\n- [CVE-2020-10189](https://www.vulners.com/search?query=CVE-2020-10189)\n\n[MSF exploit](https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/HTTP/DESKTOPCENTRAL_DESERIALIZATION)\n\n##### Apache Shiro\n- [SHIRO-550](https://issues.apache.org/jira/browse/SHIRO-550)\n- encrypted cookie (with the hardcoded key)\n- [Exploitation (in Chinese)](http://blog.knownsec.com/2016/08/apache-shiro-java/)\n\n##### HP IMC (Intelligent Management Center) (1)\n- WebDMDebugServlet\n- \u003c= 7.3 E0504P2\n- [CVE-2017-12557](https://www.vulners.com/search?query=CVE-2017-12557)\n\n[Metasploit module](https://www.exploit-db.com/exploits/45952)\n\n##### HP IMC (Intelligent Management Center) (2)\n- RMI\n- \u003c= 7.3 E0504P2\n- [CVE-2017-5792](https://www.vulners.com/search?query=CVE-2017-5792)\n\n[ysoserial](#ysoserial)\n\n##### Apache Brooklyn\n- Non-default config\n- [JMXMP](#jmxmp)\n\n##### Elassandra\n- Non-default config\n- [JMXMP](#jmxmp)\n\n##### Micro Focus\n- [CVE-2020-11853](https://www.vulners.com/search?query=CVE-2020-11853)\n- [Vulnerability analysis](https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBM.md)\n\nAffected products:\n- Operations Bridge Manager versions: 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, versions 10.6x and 10.1x and older versions\n- Application Performance Management versions: 9.51, 9.50 and 9.40 with uCMDB 10.33 CUP 3\n- Data Center Automation version 2019.11\n- Operations Bridge (containerized) versions: 2019.11, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05, 2018.02, 2017.11\n- Universal CMDB versions: 2020.05, 2019.11, 2019.05, 2019.02, 2018.11, 2018.08, 2018.05, 11, 10.33, 10.32, 10.31, 10.30\n- Hybrid Cloud Management version 2020.05\n- Service Management Automation versions 2020.5 and 2020.02\n\n[Metasploit 
Exploit](https://github.com/rapid7/metasploit-framework/pull/14671)\n\n##### IBM QRadar (1)\n- [CVE-2020-4280](https://www.vulners.com/search?query=CVE-2020-4280)\n- [Exploitation](https://www.securify.nl/advisory/java-deserialization-vulnerability-in-qradar-remotejavascript-servlet)\n\n##### IBM QRadar (2)\n- */console/remoteJavaScript*\n- [CVE-2020-4888](https://www.vulners.com/search?query=CVE-2020-4888)\n\n[Exploit](https://gist.github.com/testanull/e9ba06d0c0c403402f6941fe2dbb868a)\n\n##### IBM InfoSphere JReport\n- RMI\n- port 58611\n- \u003c= 8.5.0.0 (all)\n- [Exploitation details](https://n4nj0.github.io/advisories/ibm-infosphere-java-deserialization/)\n\n##### Apache Kafka\n- connect-api\n- [Vulnerability analysis](https://www.programmersought.com/article/76446714621/)\n\n##### Zoho ManageEngine ADSelfService Plus\n- [CVE-2020-11518](https://www.vulners.com/search?query=CVE-2020-11518)\n- [Exploitation](https://honoki.net/2020/08/10/cve-2020-11518-how-i-bruteforced-my-way-into-your-active-directory/)\n\n##### Apache ActiveMQ - Client lib\n- [JMS](#jms)\n\n[JMET](https://github.com/matthiaskaiser/jmet)\n\n##### Red Hat/Apache HornetQ - Client lib\n- [JMS](#jms)\n\n[JMET](https://github.com/matthiaskaiser/jmet)\n\n##### Oracle OpenMQ - Client lib\n- [JMS](#jms)\n\n[JMET](https://github.com/matthiaskaiser/jmet)\n\n##### IBM WebSphere MQ - Client lib\n- [JMS](#jms)\n\n[JMET](https://github.com/matthiaskaiser/jmet)\n\n##### Oracle Weblogic - Client lib\n- [JMS](#jms)\n\n[JMET](https://github.com/matthiaskaiser/jmet)\n\n##### Pivotal RabbitMQ - Client lib\n- [JMS](#jms)\n\n[JMET](https://github.com/matthiaskaiser/jmet)\n\n##### IBM MessageSight - Client lib\n- [JMS](#jms)\n\n[JMET](https://github.com/matthiaskaiser/jmet)\n\n##### IIT Software SwiftMQ - Client lib\n- [JMS](#jms)\n\n[JMET](https://github.com/matthiaskaiser/jmet)\n\n##### Apache ActiveMQ Artemis - Client lib\n- [JMS](#jms)\n\n[JMET](https://github.com/matthiaskaiser/jmet)\n\n##### Apache QPID JMS - 
Client lib\n- [JMS](#jms)\n\n[JMET](https://github.com/matthiaskaiser/jmet)\n\n##### Apache QPID - Client lib\n- [JMS](#jms)\n\n[JMET](https://github.com/matthiaskaiser/jmet)\n\n##### Amazon SQS Java Messaging - Client lib\n- [JMS](#jms)\n\n[JMET](https://github.com/matthiaskaiser/jmet)\n\n##### Axis/Axis2 SOAPMonitor\n- all versions (deemed by design by the project maintainers)\n- binary protocol\n- default port: 5001\n- Info: https://axis.apache.org/axis2/java/core/docs/soapmonitor-module.html\n\n\u003e java -jar ysoserial-*-all.jar CommonsCollections1 'COMMAND_HERE' | nc TARGET_SERVER 5001\n\n[ysoserial](#ysoserial)\n\n##### Apache Synapse\n- \u003c= 3.0.1\n- RMI\n- [Exploit](https://github.com/iBearcat/CVE-2017-15708)\n\n[ysoserial](#ysoserial)\n\n##### Apache JMeter\n- 2.x and 3.x (fixed in 4.0)\n- RMI\n- only when Distributed Testing is used\n- [Exploit](https://github.com/iBearcat/CVE-2018-1297)\n\n[ysoserial](#ysoserial)\n\n##### Jolokia\n- \u003c= 1.4.0\n- JNDI injection\n- /jolokia/\n- [Exploit](https://blog.gdssecurity.com/labs/2018/4/18/jolokia-vulnerabilities-rce-xss.html)\n\n##### RichFaces\n- all versions\n- [Poor RichFaces](https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html)\n- [When EL Injection meets Java Deserialization](https://tint0.com/when-el-injection-meets-java-deserialization/)\n\n##### Apache James\n- \u003c 3.0.1\n- [Analysis of CVE-2017-12628](https://nickbloor.co.uk/2017/10/22/analysis-of-cve-2017-12628/)\n\n[ysoserial](#ysoserial)\n\n##### Oracle DB\n- \u003c= Oracle 12C\n- [CVE-2018-3004 - Oracle Privilege Escalation via Deserialization](http://obtruse.syfrtext.com/2018/07/oracle-privilege-escalation-via.html)\n\n##### Zimbra Collaboration\n- \u003c 8.7.0\n- [CVE-2016-3415](https://www.vulners.com/search?query=CVE-2016-3415)\n- \u003c= 8.8.11\n- [A Saga of Code Executions on Zimbra](https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html)\n\n##### Adobe ColdFusion (1)\n- \u003c= 2016 Update 4\n- \u003c= 11 update 
12\n- [CVE-2017-11283](https://www.vulners.com/search?query=CVE-2017-11283)\n- [CVE-2017-11284](https://www.vulners.com/search?query=CVE-2017-11284)\n\n##### Adobe ColdFusion (2)\n- RMI\n- \u003c= 2016 Update 5\n- \u003c= 11 update 13\n- [Another ColdFusion RCE – CVE-2018-4939](https://nickbloor.co.uk/2018/06/18/another-coldfusion-rce-cve-2018-4939/)\n- [CVE-2018-4939](https://www.vulners.com/search?query=CVE-2018-4939)\n\n##### Adobe ColdFusion (3) / JNBridge\n- custom protocol in JNBridge\n- port 6093 or 6095\n- \u003c= 2016 Update ?\n- \u003c= 2018 Update ?\n- [APSB19-27](https://helpx.adobe.com/security/products/coldfusion/apsb19-27.html)\n- [CVE-2019-7839: ColdFusion Code Execution Through JNBridge](https://www.zerodayinitiative.com/blog/2019/7/25/cve-2019-7839-coldfusion-code-execution-through-jnbridge)\n\n##### Apache SOLR (1)\n- [SOLR-8262](https://issues.apache.org/jira/browse/SOLR-8262)\n- 5.1 \u003c= version \u003c= 5.4\n- the /stream handler uses Java serialization for RPC\n\n##### Apache SOLR (2)\n- [SOLR-13301](https://issues.apache.org/jira/browse/SOLR-13301)\n- [CVE-2019-0192](https://www.vulners.com/search?query=CVE-2019-0192)\n- version: 5.0.0 to 5.5.5\n- version: 6.0.0 to 6.6.5\n- attack via jmx.serviceUrl (Config API pointing JMX at an attacker-controlled RMI server)\n- [Exploit](https://github.com/mpgn/CVE-2019-0192)\n\n##### Adobe Experience Manager AEM\n- 5.5 - 6.1 (?)\n- /lib/dam/cloud/proxy.json parameter `file`\n- [ExternalJobPostServlet](https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps?slide=102)\n\n##### MySQL Connector/J\n- version \u003c 5.1.41\n- when the `autoDeserialize` connection property is enabled (a malicious MySQL server attacks the client)\n- [CVE-2017-3523](https://www.computest.nl/advisories/CT-2017-0425_MySQL-Connector-J.txt)\n\n##### Pitney Bowes Spectrum\n- RMI\n- [Java RMI Server Insecure Default Configuration](https://support.pitneybowes.com/VFP06_KnowledgeWithSidebarTroubleshoot?id=kA280000000PEmXCAW\u0026popup=false\u0026lang=en_US)\n\n##### SmartBear ReadyAPI\n- RMI\n- 
[SYSS-2019-039](https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-039.txt)\n\n##### NEC ESMPRO Manager\n- RMI\n- [CVE-2020-10917](https://www.vulners.com/search?query=CVE-2020-10917)\n- [ZDI-20-684](https://www.zerodayinitiative.com/advisories/ZDI-20-684/)\n\n##### Apache OFBiz\n- RMI\n- [cve-2021-26295](https://www.vulners.com/search?query=cve-2021-26295)\n- [Exploit](https://github.com/zhzyker/exphub/tree/master/ofbiz)\n\n##### NetMotion Mobility \n- \u003c 11.73 \n- \u003c 12.02\n- [NetMotion Mobility Server Multiple Deserialization of Untrusted Data Lead to RCE](https://www.vulners.com/search?query=CVE-2021-26914)\n- [CVE-2021-26914](https://ssd-disclosure.com/ssd-advisory-netmotion-mobility-server-multiple-deserialization-of-untrusted-data-lead-to-rce/)\n\n[ysoserial](#ysoserial)\nMetasploit Exploit: exploit/windows/http/netmotion_mobility_mvcutil_deserialization\n\n##### Bonita\n- [Bonita serverAPI](http://mp.weixin.qq.com/s?__biz=Mzg3MTU0MjkwNw==\u0026mid=2247490269\u0026idx=1\u0026sn=78357c8687101d66f11b98e91afac184\u0026chksm=cefda3c9f98a2adfee40ec062470bacd46d6b42ea2069d62f93a3022eb197713668d2580e1bb\u0026mpshare=1\u0026scene=23\u0026srcid=0530bEaTknyeozALkFfAbvgH\u0026sharer_sharetime=1653965254260\u0026sharer_shareid=4ab8b98c0a9c5866b3e90483ff7445f3#rd)\n- /bonita/serverAPI/\n\n[ysoserial](#ysoserial)\n\n##### Neo4j \n- \u003c= 3.4.18 (with the shell server enabled)\n- RMI\n- [Exploit for CVE-2021-34371](https://www.exploit-db.com/exploits/50170)\n\n##### Bitbucket Data Center \n- port 5701 (Hazelcast)\n- similar to CVE-2016-10750\n- [Exploit for CVE-2022-26133](https://github.com/snowyyowl/writeups/tree/main/CVE-2022-26133)\n\n##### Jira Data Center / Jira Service Management Data Center \n- RMI of Ehcache \n- [CVE-2020-36239](https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html)\n\n##### Nomulus \n- patched\n- [Details of 
exploitation](https://irsl.medium.com/the-nomulus-rift-935a3c4d9300)\n\n### Detect\n##### Code review\n- *ObjectInputStream.readObject*\n- *ObjectInputStream.readUnshared*\n- Tool: [Find Security Bugs](http://find-sec-bugs.github.io/)\n- Tool: [Serianalyzer](https://github.com/mbechler/serianalyzer)\n\n##### Traffic\n- *magic bytes `ac ed 00 05` at the start of a raw stream (`aced0005` when hex-encoded)*\n- *`rO0AB` prefix when the stream is Base64-encoded (`rO0` is enough to grep for)*\n- *`application/x-java-serialized-object` in the Content-Type header*\n- these markers only identify native Java serialization; the XML/JSON/AMF formats in the sections below need their own signatures\n\n##### Network\n- Nmap \u003e= 7.10 has more Java-related service probes\n- use `nmap -sV --version-all` to find JMX/RMI on non-standard ports\n\n##### Burp plugins\n- [JavaSerialKiller](https://github.com/NetSPI/JavaSerialKiller)\n- [Java Deserialization Scanner](https://github.com/federicodotta/Java-Deserialization-Scanner)\n- [Burp-ysoserial](https://github.com/summitt/burp-ysoserial)\n- [SuperSerial](https://github.com/DirectDefense/SuperSerial)\n- [SuperSerial-Active](https://github.com/DirectDefense/SuperSerial-Active)\n- [Freddy](https://github.com/nccgroup/freddy)\n\n### Vulnerable apps (without public sploits/need more info)\n\n##### Spring Service Invokers (HTTP, JMS, RMI...)\n- [Details](https://www.tenable.com/security/research/tra-2016-20)\n\n##### SAP P4\n- [info from slides](#java-deserialization-vulnerabilities---the-forgotten-bug-class)\n\n##### Apache ActiveMQ (2)\n- [*CVE-2015-5254*](http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt)\n- *\u003c= 5.12.1*\n- [*Explanation of the vuln*](https://srcclr.com/security/deserialization-untrusted-data/java/s-1893)\n- [CVE-2015-7253](https://www.vulners.com/search?query=CVE-2015-7253)\n\n##### Atlassian Bamboo (1)\n- [CVE-2015-6576](https://confluence.atlassian.com/x/Hw7RLg)\n- *2.2 \u003c= version \u003c 5.8.5*\n- *5.9.0 \u003c= version \u003c 5.9.7*\n\n##### Atlassian Bamboo (2)\n- [*CVE-2015-8360*](https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html)\n- *2.3.1 \u003c= version \u003c 5.9.9*\n- Bamboo JMS port 
(port 54663 by default)\n\n##### Atlassian Jira\n- only Jira with a Data Center license\n- RMI (port 40001 by default)\n- [*JRA-46203*](https://jira.atlassian.com/browse/JRA-46203)\n\n##### Akka\n- *version \u003c 2.4.17*\n- \"an ActorSystem exposed via Akka Remote over TCP\"\n- [Official description](http://doc.akka.io/docs/akka/2.4/security/2017-02-10-java-serialization.html)\n\n##### Spring AMQP\n- [CVE-2016-2173](http://pivotal.io/security/cve-2016-2173)\n- *1.0.0 \u003c= version \u003c 1.5.5*\n\n##### Apache Tika\n- [CVE-2016-6809](https://lists.apache.org/thread.html/93618b15cdf3b38fa1f0bfc0c8c7cf384607e552935bd3db2e322e07@%3Cdev.tika.apache.org%3E)\n- *1.6 \u003c= version \u003c 1.14*\n- Apache Tika’s MATLAB parser\n\n##### Apache HBase\n- [HBASE-14799](https://issues.apache.org/jira/browse/HBASE-14799)\n\n##### Apache Camel\n- [CVE-2015-5348](https://www.vulners.com/search?query=CVE-2015-5348)\n\n##### Apache Dubbo\n- [CVE-2020-1948](https://www.vulners.com/search?query=CVE-2020-1948)\n- [\u003c= 2.7.7](https://lists.apache.org/thread.html/rd4931b5ffc9a2b876431e19a1bffa2b4c14367260a08386a4d461955%40%3Cdev.dubbo.apache.org%3E)\n\n##### Apache Spark (1)\n- [SPARK-20922: Unsafe deserialization in Spark LauncherConnection](https://issues.apache.org/jira/browse/SPARK-20922)\n\n##### Apache Spark (2)\n- [SPARK-11652: Remote code execution with InvokerTransformer](https://issues.apache.org/jira/browse/SPARK-11652)\n\n##### Apache Log4j (1)\n- 2.x \u003c 2.8.2, when the TCP/UDP SocketServer is used to receive serialized log events\n- [CVE-2017-5645](https://vulners.com/search?query=CVE-2017-5645)\n\n##### Apache Log4j (2)\n- *\u003c= 1.2.17* (1.x SocketServer)\n- [CVE-2019-17571](https://vulners.com/search?query=CVE-2019-17571)\n\n##### Apache Geode\n- [CVE-2017-15692](https://vulners.com/search?query=CVE-2017-15692)\n- [CVE-2017-15693](https://vulners.com/search?query=CVE-2017-15693)\n- [Details](https://securitylab.github.com/research/in-memory-data-grid-vulnerabilities)\n\n##### Apache Ignite\n- [CVE-2018-1295](https://vulners.com/search?query=CVE-2018-1295)\n- 
[CVE-2018-8018](https://vulners.com/search?query=CVE-2018-8018)\n- [Details](https://securitylab.github.com/research/in-memory-data-grid-vulnerabilities)\n\n##### Infinispan \n- [CVE-2017-15089](https://vulners.com/search?query=CVE-2017-15089)\n- [Details](https://securitylab.github.com/research/in-memory-data-grid-vulnerabilities)\n\n##### Hazelcast \n- [CVE-2016-10750](https://vulners.com/search?query=CVE-2016-10750)\n- [Details](https://securitylab.github.com/research/in-memory-data-grid-vulnerabilities)\n\n##### Gradle (gui)\n- custom(?) protocol(60024/tcp)\n- [article](http://philwantsfish.github.io/security/java-deserialization-github)\n\n##### Oracle Hyperion\n- [from slides](#java-deserialization-vulnerabilities---the-forgotten-bug-class)\n\n##### Oracle Application Testing Suite\n- [CVE-2015-7501](http://www.tenable.com/plugins/index.php?view=single\u0026id=90859)\n\n##### Red Hat JBoss BPM Suite\n- [RHSA-2016-0539](http://rhn.redhat.com/errata/RHSA-2016-0539.html)\n- [CVE-2016-2510](https://www.vulners.com/search?query=CVE-2016-2510)\n\n##### Red Hat Wildfly\n- [CVE-2020-10740](https://www.vulners.com/search?query=CVE-2020-10740)\n\n##### VMWare vRealize Operations\n- 6.0 \u003c= version \u003c 6.4.0\n- REST API\n- [VMSA-2016-0020](http://www.vmware.com/security/advisories/VMSA-2016-0020.html)\n- [CVE-2016-7462](https://www.vulners.com/search?query=CVE-2016-7462)\n\n##### VMWare vCenter/vRealize (various)\n- [CVE-2015-6934](https://www.vulners.com/search?query=CVE-2015-6934)\n- [VMSA-2016-0005](http://www.vmware.com/security/advisories/VMSA-2016-0005.html)\n- JMX\n\n##### Cisco (various)\n- [List of vulnerable products](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization)\n- [CVE-2015-6420](https://www.vulners.com/search?query=CVE-2015-6420)\n\n##### Cisco Security Manager\n- [CVE-2020-27131](https://www.vulners.com/search?query=CVE-2020-27131)\n\n##### Lexmark Markvision Enterprise\n- 
[CVE-2016-1487](http://support.lexmark.com/index?page=content\u0026id=TE747\u0026locale=en\u0026userlocale=EN_US)\n\n#####  McAfee ePolicy Orchestrator\n- [CVE-2015-8765](https://www.vulners.com/search?query=CVE-2015-8765)\n\n#####  HP IMC PLAT\n- version 7.3 E0506P09 and earlier\n- [several CVE-2019-x](https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03930en_us\u0026withFrame)\n\n#####  HP iMC\n- [CVE-2016-4372](https://www.vulners.com/search?query=CVE-2016-4372)\n\n#####  HP Operations Orchestration\n- [CVE-2016-1997](https://www.vulners.com/search?query=CVE-2016-1997)\n\n#####  HP Asset Manager\n- [CVE-2016-2000](https://www.vulners.com/search?query=CVE-2016-2000)\n\n##### HP Service Manager\n- [CVE-2016-1998](https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05054565)\n\n##### HP Operations Manager\n- [CVE-2016-1985](https://h20565.www2.hpe.com/hpsc/doc/public/display?calledBy=Search_Result\u0026docId=emr_na-c04953244\u0026docLocale=en_US)\n\n##### HP Release Control\n- [CVE-2016-1999](https://h20565.www2.hpe.com/hpsc/doc/public/display?calledBy=Search_Result\u0026docId=emr_na-c05063986\u0026docLocale=en_US)\n\n##### HP Continuous Delivery Automation\n- [CVE-2016-1986](https://h20565.www2.hpe.com/hpsc/doc/public/display?calledBy=Search_Result\u0026docId=emr_na-c04958567\u0026docLocale=en_US)\n\n##### HP P9000, XP7 Command View Advanced Edition (CVAE) Suite\n- [CVE-2016-2003](https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05085438)\n\n##### HP Network Automation\n- [CVE-2016-4385](https://www.vulners.com/search?query=CVE-2016-4385)\n\n##### Adobe Experience Manager\n- [CVE-2016-0958](https://www.vulners.com/search?query=CVE-2016-0958)\n\n#####  Unify OpenScape (various)\n- [CVE-2015-8237](https://www.vulners.com/search?query=CVE-2015-8237) (CVE ID changed?)\n- RMI (30xx/tcp)\n- [CVE-2015-8238](https://www.vulners.com/search?query=CVE-2015-8238) (CVE ID changed?)\n- js-soc protocol 
(4711/tcp)\n- [Details](https://networks.unify.com/security/advisories/OBSO-1511-01.pdf)\n\n##### Apache OFBiz (1)\n- [CVE-2016-2170](https://blogs.apache.org/ofbiz/date/20160405)\n\n##### Apache OFBiz (2)\n- [CVE-2020-9496](https://www.vulners.com/search?query=CVE-2020-9496)\n\n##### Apache Tomcat (1)\n- requires local access\n- [CVE-2016-0714](https://www.vulners.com/search?query=CVE-2016-0714)\n- [Article](http://engineering.pivotal.io/post/java-deserialization-jmx/)\n\n##### Apache Tomcat (2)\n- many preconditions: PersistenceManager with a FileStore, a lax sessionAttributeValueClassNameFilter and an attacker-controlled file at a known path\n- [Apache Tomcat Remote Code Execution via session persistence](https://seclists.org/oss-sec/2020/q2/136)\n- [CVE-2020-9484](https://www.vulners.com/search?query=CVE-2020-9484)\n\n##### Apache TomEE\n- [CVE-2016-0779](https://www.vulners.com/search?query=CVE-2016-0779)\n\n##### IBM Cognos BI\n- [CVE-2012-4858](https://www.vulners.com/search?query=CVE-2012-4858)\n\n##### IBM Maximo Asset Management\n- [CVE-2020-4521](https://www.ibm.com/support/pages/node/6332587)\n\n##### Novell NetIQ Sentinel\n- [CVE-2016-1000031](https://www.zerodayinitiative.com/advisories/ZDI-16-570/)\n\n##### ForgeRock OpenAM\n- *9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0*\n- [201505-01](https://forgerock.org/2015/07/openam-security-advisory-201505/)\n\n##### F5 (various)\n- [sol30518307](https://support.f5.com/kb/en-us/solutions/public/k/30/sol30518307.html)\n\n##### Hitachi (various)\n- [HS16-010](http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS16-010/index.html)\n- [0328_acc](http://www.hitachi.co.jp/products/it/storage-solutions/global/sec_info/2016/0328_acc.html)\n\n##### NetApp (various)\n- [CVE-2015-8545](https://security.netapp.com/advisory/ntap-20151123-0001/) (CVE ID changed?)\n\n##### Citrix XenMobile Server\n- port 45000\n- when Clustering is enabled\n- Won't Fix (?)\n- 10.7 and 10.8\n- [Citrix advisory](https://support.citrix.com/article/CTX234879)\n- 
[CVE-2018-10654](https://www.vulners.com/search?query=CVE-2018-10654)\n\n##### IBM WebSphere (1)\n- SOAP connector\n- \u003c= 9.0.0.9\n- \u003c= 8.5.5.14\n- \u003c= 8.0.0.15\n- \u003c= 7.0.0.45\n- [CVE-2018-1567](https://www.vulners.com/search?query=CVE-2018-1567)\n\n##### IBM WebSphere (2)\n- [CVE-2015-1920](https://nvd.nist.gov/vuln/detail/CVE-2015-1920)\n\n##### IBM WebSphere (3)\n- TCP port 11006\n- [CVE-2020-4448](https://www.vulners.com/search?query=CVE-2020-4448)\n- [Vulnerability details](https://www.thezdi.com/blog/2020/9/29/exploiting-other-remote-protocols-in-ibm-websphere)\n\n##### IBM WebSphere (4)\n- SOAP connector\n- [CVE-2020-4464](https://www.vulners.com/search?query=CVE-2020-4464)\n- [Vulnerability details](https://www.thezdi.com/blog/2020/9/29/exploiting-other-remote-protocols-in-ibm-websphere)\n\n##### IBM WebSphere (5)\n- [CVE-2021-20353](https://www.zerodayinitiative.com/advisories/ZDI-21-174/)\n\n##### IBM WebSphere (6)\n- [CVE-2020-4576](https://nvd.nist.gov/vuln/detail/CVE-2020-4576)\n\n##### IBM WebSphere (7)\n- [CVE-2020-4589](https://nvd.nist.gov/vuln/detail/CVE-2020-4589)\n\n##### Code42 CrashPlan\n- *TCP port 4282*\n- RMI (?)\n- 5.4.x\n- [CVE-2017-9830](https://www.vulners.com/search?query=CVE-2017-9830)\n- [Details](https://blog.radicallyopensecurity.com/CVE-2017-9830.html)\n\n##### Apache OpenJPA\n- [CVE-2013-1768](http://seclists.org/fulldisclosure/2013/Jun/98)\n\n##### Dell EMC VNX Monitoring and Reporting\n- [CVE-2017-8012](https://www.zerodayinitiative.com/advisories/ZDI-17-826/)\n\n##### Taoensso Nippy\n- \u003c 2.14.2\n- [CVE-2020-24164](https://github.com/ptaoussanis/nippy/issues/130)\n\n##### CAS\n- v4.1.x\n- v4.2.x\n- [CAS Vulnerability Disclosure from Apereo](https://apereo.github.io/2016/04/08/commonsvulndisc/)\n\n##### SolarWinds Network Performance Monitor\n- [CVE-2021-31474](https://www.vulners.com/search?query=CVE-2021-31474)\n- [Video](https://twitter.com/testanull/status/1397138757673906182)\n\n##### Apache Batchee\n##### Apache 
JCS\n##### Apache OpenWebBeans\n\n\n### Protection\n- [Look-ahead Java deserialization](http://www.ibm.com/developerworks/library/se-lookahead/ )\n- [NotSoSerial](https://github.com/kantega/notsoserial)\n- [SerialKiller](https://github.com/ikkisoft/SerialKiller)\n- [ValidatingObjectInputStream](https://issues.apache.org/jira/browse/IO-487)\n- [Name Space Layout Randomization](http://www.waratek.com/warateks-name-space-layout-randomization-nslr/)\n- [Some protection bypasses](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md#serial-killer-silently-pwning-your-java-endpoints)\n- Tool: [Serial Whitelist Application Trainer](https://github.com/cschneider4711/SWAT)\n- [JEP 290: Filter Incoming Serialization Data](http://openjdk.java.net/jeps/290) in JDK 6u141, 7u131, 8u121\n  - [A First Look Into Java's New Serialization Filtering](https://dzone.com/articles/a-first-look-into-javas-new-serialization-filterin)\n- [AtomicSerial](https://github.com/pfirmstone/JGDMS/wiki)\n\n### For Android\n#### Main talks \u0026 presentations \u0026 examples\n- [One Class to Rule Them All: 0-Day Deserialization Vulnerabilities in Android](https://www.usenix.org/conference/woot15/workshop-program/presentation/peles)\n- [Android Serialization Vulnerabilities Revisited](https://www.rsaconference.com/events/us16/agenda/sessions/2455/android-serialization-vulnerabilities-revisited)\n- [A brief history of Android deserialization vulnerabilities](https://lgtm.com/blog/android_deserialization)\n- [Exploiting Android trough an Intent with Reflection](https://www.areizen.fr/post/exploiting_android_application_trough_serialized_intent/)\n\n#### Tools\n- [Android Java Deserialization Vulnerability Tester](https://github.com/modzero/modjoda)\n\n## XMLEncoder (XML)\nHow it works:\n\n- 
[https://web.archive.org/web/20191007233559/http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html](https://web.archive.org/web/20191007233559/http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html)\n- [Java Unmarshaller Security](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf)\n\n### Detect\n##### Code review\n- java.beans.XMLDecoder\n- readObject\n \n##### Burp plugins\n- [Freddy](https://github.com/nccgroup/freddy)\n\n### Exploits\n##### Oracle Weblogic\n- \u003c= 10.3.6.0.0\n- \u003c= 12.1.3.0.0\n- \u003c= 12.2.1.2.0\n- \u003c= 12.2.1.1.0\n- *http://weblogic_server/wls-wsat/CoordinatorPortType*\n- [CVE-2017-3506](https://www.vulners.com/search?query=CVE-2017-3506)\n- [CVE-2017-10271](https://www.vulners.com/search?query=CVE-2017-10271)\n- [Details](https://blog.nsfocusglobal.com/threats/vulnerability-analysis/technical-analysis-and-solution-of-weblogic-server-wls-component-vulnerability/)\n- [CVE-2019-2729 Details](https://www.buaq.net/go-20897.html)\n\n[Exploit](https://github.com/1337g/CVE-2017-10271/blob/master/CVE-2017-10271.py)\n\n##### Oracle RDBMS\n- priv escalation\n- [Oracle Privilege Escalation via Deserialization](http://obtruse.syfrtext.com/2018/07/oracle-privilege-escalation-via.html)\n\n## XStream (XML/JSON/various)\nHow it works:\n\n- [http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/](http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/)\n- [http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html](http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html)\n- [https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream](https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream)\n- [Java Unmarshaller Security](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf)\n\n\n### Payload generators\n\n- 
[https://github.com/mbechler/marshalsec](https://github.com/mbechler/marshalsec)\n- [https://github.com/chudyPB/XStream-Gadgets](https://github.com/chudyPB/XStream-Gadgets)\n- [CVE-2020-26217](https://github.com/mai-lang-chai/Middleware-Vulnerability-detection/tree/master/XStream) \n- [CVE-2020-26258 - SSRF](http://x-stream.github.io/CVE-2020-26258.html) \n- [CVE-2021-29505](https://github.com/MyBlackManba/CVE-2021-29505) \n- [CVE-2021-39144](https://x-stream.github.io/CVE-2021-39144.html) \n\n### Exploits\n##### Apache Struts (S2-052)\n- \u003c= 2.3.34\n- \u003c= 2.5.13\n- REST plugin\n- [CVE-2017-9805](https://www.vulners.com/search?query=CVE-2017-9805)\n\n[Exploit](https://www.exploit-db.com/exploits/42627/)\n\n### Detect\n##### Code review\n- com.thoughtworks.xstream.XStream\n- xs.fromXML(data)\n\n##### Burp plugins\n- [Freddy](https://github.com/nccgroup/freddy)\n\n### Vulnerable apps (without public sploits/need more info):\n##### Atlassian Bamboo\n- [CVE-2016-5229](https://www.vulners.com/search?query=CVE-2016-5229)\n\n##### Jenkins\n- [CVE-2017-2608](https://www.vulners.com/search?query=CVE-2017-2608)\n\n## Kryo (binary)\n\nHow it works:\n\n- [https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-1-kryo](https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-1-kryo)\n- [Java Unmarshaller Security](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf)\n\n### Payload generators\n\n- [https://github.com/mbechler/marshalsec](https://github.com/mbechler/marshalsec)\n\n### Detect\n##### Code review\n- com.esotericsoftware.kryo.io.Input\n- SomeClass object = (SomeClass)kryo.readClassAndObject(input);\n- SomeClass someObject = kryo.readObjectOrNull(input, SomeClass.class);\n- SomeClass someObject = kryo.readObject(input, SomeClass.class);\n\n##### Burp plugins\n- [Freddy](https://github.com/nccgroup/freddy)\n\n## Hessian/Burlap (binary/XML)\nHow it works:\n\n- [Java Unmarshaller 
Security](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf)\n- [Castor and Hessian java deserialization vulnerabilities](https://blog.semmle.com/hessian-java-deserialization-castor-vulnerabilities/)\n- [Recurrence and Analysis of Hessian Deserialization RCE Vulnerability](https://www.freebuf.com/vuls/224280.html)\n\n### Payload generators\n\n- [https://github.com/mbechler/marshalsec](https://github.com/mbechler/marshalsec)\n\n### Detect\n##### Code review\n- com.caucho.hessian.io\n- AbstractHessianInput\n- com.caucho.burlap.io.BurlapInput;\n- com.caucho.burlap.io.BurlapOutput;\n- BurlapInput in = new BurlapInput(is);\n- Person2 p1 = (Person2) in.readObject();\n\n##### Burp plugins\n- [Freddy](https://github.com/nccgroup/freddy)\n\n### Vulnerable apps (without public sploits/need more info):\n\n##### Apache Camel\n- [CVE-2017-12634](https://blog.semmle.com/hessian-java-deserialization-castor-vulnerabilities/)\n\n##### MobileIron MDM\n- [CVE-2020-15505](https://www.vulners.com/search?query=2020-15505)\n- [Metasploit Exploit](https://vulners.com/metasploit/MSF:EXPLOIT/LINUX/HTTP/MOBILEIRON_MDM_HESSIAN_RCE/)\n\n##### Apache Dubbo\n- [Details and examples](https://checkmarx.com/blog/the-0xdabb-of-doom-cve-2021-25641/)\n\n## Castor (XML)\nHow it works:\n\n- [Java Unmarshaller Security](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf)\n- [Castor and Hessian java deserialization vulnerabilities](https://blog.semmle.com/hessian-java-deserialization-castor-vulnerabilities/)\n\n### Payload generators\n\n- [https://github.com/mbechler/marshalsec](https://github.com/mbechler/marshalsec)\n\n### Detect\n##### Code review\n- org.codehaus.castor\n- org.exolab.castor.xml.Unmarshaller \n- org.springframework.oxm.Unmarshaller\n- Unmarshaller.unmarshal(Person.class, reader)\n- unmarshaller = context.createUnmarshaller();\n- unmarshaller.unmarshal(new StringReader(data));\n\n##### Burp plugins\n- 
[Freddy](https://github.com/nccgroup/freddy)\n\n### Vulnerable apps (without public sploits/need more info):\n\n##### OpenNMS\n- [NMS-9100](https://issues.opennms.org/browse/NMS-9100)\n\n##### Apache Camel\n- [CVE-2017-12633](https://blog.semmle.com/hessian-java-deserialization-castor-vulnerabilities/)\n\n## json-io (JSON)\nHow it works:\n\n- [Java Unmarshaller Security](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf)\n\nExploitation examples:\n\n- [Experiments with JSON-IO, Serialization, Mass Assignment, and General Java Object Wizardry](https://versprite.com/blog/application-security/experiments-with-json-io-serialization-mass-assignment-and-general-java-object-wizardry/)\n- [JSON Deserialization Memory Corruption Vulnerabilities on Android](https://versprite.com/blog/json-deserialization-memory-corruption-vulnerabilities/)\n\n### Payload generators\n\n- [https://github.com/mbechler/marshalsec](https://github.com/mbechler/marshalsec)\n\n### Detect\n##### Code review\n- com.cedarsoftware.util.io.JsonReader\n- JsonReader.jsonToJava\n\n##### Burp plugins\n- [Freddy](https://github.com/nccgroup/freddy)\n\n## Jackson (JSON)\n*vulnerable in specific configuration*\n\nHow it works:\n\n- [Java Unmarshaller Security](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf)\n- [On Jackson CVEs: Don’t Panic — Here is what you need to know](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [Jackson Deserialization Vulnerabilities](https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n- [The End of the Blacklist](https://blog.sonatype.com/jackson-databind-the-end-of-the-blacklist)\n\n### Payload generators / gadget chains\n\n- [https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/](https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/)\n- 
[https://github.com/mbechler/marshalsec](https://github.com/mbechler/marshalsec)\n- [blacklist bypass - CVE-2017-17485](https://github.com/irsl/jackson-rce-via-spel)\n- [blacklist bypass - CVE-2017-15095](https://github.com/SecureSkyTechnology/study-struts2-s2-054_055-jackson-cve-2017-7525_cve-2017-15095)\n- [CVE-2019-14540](https://github.com/LeadroyaL/cve-2019-14540-exploit/)\n- [Jackson gadgets - Anatomy of a vulnerability](https://blog.doyensec.com/2019/07/22/jackson-gadgets.html)\n- [JNDI Injection using Getter Based Deserialization Gadgets](https://srcincite.io/blog/2019/08/07/attacking-unmarshallers-jndi-injection-using-getter-based-deserialization.html)\n- [blacklist bypass - CVE-2020-8840](https://github.com/jas502n/CVE-2020-8840)\n- [blacklist bypass - CVE-2020-10673](https://github.com/0nise/CVE-2020-10673/)\n\n### Detect\n##### Code review\n- com.fasterxml.jackson.databind.ObjectMapper\n- ObjectMapper mapper = new ObjectMapper();  \n- objectMapper.enableDefaultTyping();\n- @JsonTypeInfo(use=JsonTypeInfo.Id.CLASS, include=JsonTypeInfo.As.PROPERTY, property=\"@class\") \n- public Object message; \n- mapper.readValue(data, Object.class); \n\n##### Burp plugins\n- [Freddy](https://github.com/nccgroup/freddy)\n\n### Exploits\n##### FasterXML\n- [CVE-2019-12384](https://github.com/jas502n/CVE-2019-12384)\n\n##### Liferay \n- [CVE-2019-16891](https://sec.vnpt.vn/2019/09/liferay-deserialization-json-deserialization-part-4/)\n\n### Vulnerable apps (without public sploits/need more info):\n##### Apache Camel\n- [CVE-2016-8749](https://www.vulners.com/search?query=CVE-2016-8749)\n\n## Fastjson (JSON)\n\nHow it works:\n\n- [https://www.secfree.com/article-590.html](https://www.secfree.com/article-590.html) \n- [Official advisory](https://github.com/alibaba/fastjson/wiki/security_update_20170315)\n- [Fastjson process analysis and RCE analysis](https://paper.seebug.org/994/)\n- [Fastjson Deserialization Vulnerability History](https://paper.seebug.org/1193/)\n- [Hao 
Xing Zekai Wu - How I use a JSON Deserialization 0day to Steal Your Money On The Blockchain.pdf](https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Hao%20Xing%20Zekai%20Wu%20-%20How%20I%20use%20a%20JSON%20Deserialization%200day%20to%20Steal%20Your%20Money%20On%20The%20Blockchain.pdf)\n\n### Detect\n##### Code review\n- com.alibaba.fastjson.JSON\n- JSON.parseObject / JSON.parse (the `@type` key in the input selects the class; check whether autotype is enabled in ParserConfig)\n\n##### Burp plugins\n- [Freddy](https://github.com/nccgroup/freddy)\n\n### Payload generators\n\n- [fastjson \u003c= 1.2.24](https://github.com/iBearcat/Fastjson-Payload)\n- [fastjson \u003c= 1.2.47](https://github.com/jas502n/fastjson-RCE)\n- [fastjson \u003c= 1.2.66](https://github.com/0nise/CVE-2020-10673/)\n- [blacklisted gadgets](https://github.com/LeadroyaL/fastjson-blacklist)\n- [Fastjson: exceptional deserialization vulnerabilities](https://www.alphabot.com/security/blog/2020/java/Fastjson-exceptional-deserialization-vulnerabilities.html)\n- [Hao Xing Zekai Wu - How I use a JSON Deserialization 0day to Steal Your Money On The Blockchain.pdf](https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Hao%20Xing%20Zekai%20Wu%20-%20How%20I%20use%20a%20JSON%20Deserialization%200day%20to%20Steal%20Your%20Money%20On%20The%20Blockchain.pdf)\n\n## Genson (JSON)\n\nHow it works:\n\n- [Friday the 13th JSON Attacks](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf)\n\n### Detect\n##### Code review\n- com.owlike.genson.Genson\n- useRuntimeType\n- genson.deserialize\n\n##### Burp plugins\n- [Freddy](https://github.com/nccgroup/freddy)\n\n## Flexjson (JSON)\n\nHow it works:\n\n- [Friday the 13th JSON Attacks](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf)\n\n### Payload generators / gadget chains\n\n- [PoC](https://github.com/GrrrDog/Sploits)\n\n### Detect\n##### Code review\n- import flexjson.JSONDeserializer\n- JSONDeserializer 
jsonDeserializer = new JSONDeserializer()\n- jsonDeserializer.deserialize(jsonString);\n\n### Exploits\n##### Liferay \n- [Liferay Portal JSON Web Service RCE Vulnerabilities](https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html)\n- [CST-7111](https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/113765197)\n\n\n## Jodd (JSON)\n*vulnerable in a non-default configuration when setClassMetadataName() is set*\n\n- [issues/628](https://github.com/oblac/jodd/issues/628)\n\n### Payload generators / gadget chains\n- [PoC](https://github.com/GrrrDog/Sploits)\n\n### Detect\n##### Code review\n- jodd.json.JsonParser\n- JsonParser jsonParser = new JsonParser()\n- jsonParser.setClassMetadataName(\"class\").parse(jsonString, ClassName.class);\n\n## Red5 IO AMF (AMF)\nHow it works:\n\n- [Java Unmarshaller Security](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf)\n\n### Payload generators\n\n- [https://github.com/mbechler/marshalsec](https://github.com/mbechler/marshalsec)\n\n### Detect\n##### Code review\n- org.red5.io\n- Deserializer.deserialize(i, Object.class);\n\n##### Burp plugins\n- [Freddy](https://github.com/nccgroup/freddy)\n\n### Vulnerable apps (without public sploits/need more info):\n##### Apache OpenMeetings\n- [CVE-2017-5878](https://www.vulners.com/search?query=CVE-2017-5878)\n\n## Apache Flex BlazeDS (AMF)\nHow it works:\n\n- [AMF – Another Malicious Format](http://codewhitesec.blogspot.ru/2017/04/amf.html)\n- [Java Unmarshaller Security](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf)\n\n### Payload generators\n\n- [https://github.com/mbechler/marshalsec](https://github.com/mbechler/marshalsec)\n\n### Detect\n##### Code review\n\n##### Burp plugins\n- [Freddy](https://github.com/nccgroup/freddy)\n\n### Vulnerable apps:\n\n##### Oracle Business Intelligence\n- *BIRemotingServlet*\n- no auth\n- 
[CVE-2020-2950](https://www.zerodayinitiative.com/advisories/ZDI-20-505/)\n- [Details on the Oracle WebLogic Vulnerability Being Exploited in the Wild](https://www.thezdi.com/blog/2020/5/8/details-on-the-oracle-weblogic-vulnerability-being-exploited-in-the-wild)\n- [CVE-2020–2950 — Turning AMF Deserialize bug to Java Deserialize bug](https://peterjson.medium.com/cve-2020-2950-turning-amf-deserialize-bug-to-java-deserialize-bug-2984a8542b6f)\n\n##### Adobe ColdFusion\n- [CVE-2017-3066](https://www.vulners.com/search?query=CVE-2017-3066)\n- *\u003c= 2016 Update 3*\n- *\u003c= 11 update 11*\n- *\u003c= 10 Update 22*\n\n- [Exploiting Adobe ColdFusion before CVE-2017-3066](http://codewhitesec.blogspot.ru/2018/03/exploiting-adobe-coldfusion.html)\n- [PoC](https://github.com/depthsecurity/coldfusion_blazeds_des)\n\n##### Draytek VigorACS \n- */ACSServer/messagebroker/amf*\n- at least 2.2.1\n- based on [CVE-2017-5641](https://www.vulners.com/search?query=CVE-2017-5641)\n\n- [PoC](https://github.com/pedrib/PoC/blob/master/exploits/acsPwn/acsPwn.rb)\n\n##### Apache BlazeDS\n- [CVE-2017-5641](https://www.vulners.com/search?query=CVE-2017-5641)\n\n##### VMWare VCenter\n- based on [CVE-2017-5641](https://www.vulners.com/search?query=CVE-2017-5641)\n\n##### HP Systems Insight Manager\n- */simsearch/messagebroker/amfsecure*\n- 7.6.x\n- [CVE-2020-7200](https://www.vulners.com/search?query=CVE-2020-7200)\n- [Metasploit Exploit](https://github.com/rapid7/metasploit-framework/pull/14846)\n\n##### TIBCO Data Virtualization\n- \u003c  8.3\n- */monitor/messagebroker/amf*\n- [Details](https://github.com/pedrib/PoC/blob/master/advisories/TIBCO/tibco_tdv_rce.md)\n\n## Flamingo AMF  (AMF)\nHow it works:\n\n- [AMF – Another Malicious Format](http://codewhitesec.blogspot.ru/2017/04/amf.html)\n\n### Detect\n##### Burp plugins\n- [Freddy](https://github.com/nccgroup/freddy)\n\n## GraniteDS  (AMF)\nHow it works:\n\n- [AMF – Another Malicious 
Format](http://codewhitesec.blogspot.ru/2017/04/amf.html)\n\n### Detect\n##### Burp plugins\n- [Freddy](https://github.com/nccgroup/freddy)\n\n## WebORB for Java  (AMF)\nHow it works:\n\n- [AMF – Another Malicious Format](http://codewhitesec.blogspot.ru/2017/04/amf.html)\n\n### Detect\n##### Burp plugins\n- [Freddy](https://github.com/nccgroup/freddy)\n\n## SnakeYAML (YAML)\nHow it works:\n\n- [Java Unmarshaller Security](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf)\n\n### Payload generators\n\n- [https://github.com/mbechler/marshalsec](https://github.com/mbechler/marshalsec)\n- [Payload Generator for the SnakeYAML deserialization gadget](https://github.com/artsploit/yaml-payload)\n\n### Detect\n##### Code review\n- org.yaml.snakeyaml.Yaml\n- yaml.load\n\n##### Burp plugins\n- [Freddy](https://github.com/nccgroup/freddy)\n\n### Vulnerable apps (without public sploits/need more info):\n##### Resteasy\n- [CVE-2016-9606](https://www.vulners.com/search?query=CVE-2016-9606)\n\n##### Apache Camel\n- [CVE-2017-3159](https://www.vulners.com/search?query=CVE-2017-3159)\n\n##### Apache Brooklyn\n- [CVE-2016-8744](https://www.vulners.com/search?query=CVE-2016-8744)\n\n##### Apache ShardingSphere\n- [CVE-2020-1947](https://www.vulners.com/search?query=CVE-2020-1947)\n\n## jYAML (YAML)\nHow it works:\n\n- [Java Unmarshaller Security](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf)\n\n### Payload generators\n\n- [https://github.com/mbechler/marshalsec](https://github.com/mbechler/marshalsec)\n\n### Detect\n##### Code review\n- org.ho.yaml.Yaml\n- Yaml.loadType(data, Object.class);\n\n##### Burp plugins\n- [Freddy](https://github.com/nccgroup/freddy)\n\n## YamlBeans (YAML)\nHow it works:\n\n- [Java Unmarshaller Security](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf)\n\n### Payload generators\n\n- [https://github.com/mbechler/marshalsec](https://github.com/mbechler/marshalsec)\n\n### Detect\n##### Code review\n- com.esotericsoftware.yamlbeans\n- 
YamlReader r = new YamlReader(data, yc);\n\n##### Burp plugins\n- [Freddy](https://github.com/nccgroup/freddy)\n\n## \"Safe\" deserialization\n\nSome serialization libs are safe (or almost safe) [https://github.com/mbechler/marshalsec](https://github.com/mbechler/marshalsec)\n\nHowever, this is not a recommendation, just a list of other libs that have been researched by someone:\n\n- JAXB\n- XmlBeans\n- Jibx\n- Protobuf\n- GSON\n- GWT-RPC\n","funding_links":[],"categories":["Others","Exploitation","Others (1002)","Pentest Methodology"],"sub_categories":["Exploitation"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FGrrrDog%2FJava-Deserialization-Cheat-Sheet","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FGrrrDog%2FJava-Deserialization-Cheat-Sheet","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FGrrrDog%2FJava-Deserialization-Cheat-Sheet/lists"}