Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/BishopFox/GadgetProbe
Probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths.
https://github.com/BishopFox/GadgetProbe
burp-extensions java java-deserialization javassist pentest-tools pentesting security-tools
Last synced: about 1 month ago
JSON representation
Probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths.
- Host: GitHub
- URL: https://github.com/BishopFox/GadgetProbe
- Owner: BishopFox
- License: mit
- Created: 2020-01-21T19:45:18.000Z (almost 5 years ago)
- Default Branch: master
- Last Pushed: 2021-03-04T21:32:45.000Z (almost 4 years ago)
- Last Synced: 2024-08-01T10:16:56.733Z (4 months ago)
- Topics: burp-extensions, java, java-deserialization, javassist, pentest-tools, pentesting, security-tools
- Language: Java
- Homepage: https://labs.bishopfox.com/tech-blog/gadgetprobe
- Size: 1.97 MB
- Stars: 578
- Watchers: 17
- Forks: 94
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-bugbounty-tools - GadgetProbe - Probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths. (Exploitation / Insecure Deserialization)
- WebHackersWeapons - GadgetProbe
- awesome-burp-extensions - GadgetProbe - This extension augments Intruder to probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths. (Vulnerability Specific Extensions / Deserialization)
- awesome-hacking-lists - BishopFox/GadgetProbe - Probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths. (Java)
README
#
## Description
You just found a Java deserialization bug, you ran all your ysoserial payloads, and.... you got nothing. What now? How can you debug or build a gadget chain if you're totally blind?
Introducing GadgetProbe, a tool that shines a light on remote classpaths and raises bug severity for all!
GadgetProbe takes a wordlist of Java classes, outputs serialized DNS callback objects, and reports what's lurking in the remote classpath.
### Burp Extension Usage
The Burp extension automatically integrates with Burp Collaborator to handle DNS callbacks. The extension also includes signatures and an analyzer to identify library versions of popular sources for gadgets.
Download the [release](https://github.com/BishopFox/GadgetProbe/releases/) or follow the [build instructions](#building-from-source) below.
After loading the Burp extension:
1. Send the vulnerable request to intruder, highlighting the vulnerable parameter.
2\. Add a list of Java classes (see included wordlists)
3\. Add the GadgetProbe payload processor, and any other required processors in your chain (e.g., Base64 encode).
4\. Run the intruder attack and watch the results come back in the GadgetProbe Burp Tab.
### GadgetProbe Java Library Usage
GadgetProbe can also be used as a Java library or CLI for specialized attacks.
```java
import com.bishopfox.gadgetprobe.GadgetProbe
...
// Call the GadgetProbe constructor with your authoritative nameserver (or use Burp collaborator).
GadgetProbe gp = new GadgetProbe("dnscallback.burpcollaborator.net");
// The crafted object "obj" is now ready to be sent using any custom implementation :)
Object obj = gp.getObject("org.apache.commons.collections.functors.invokertransformer");
```
### Building from Source
```bash
# Build JAR (run first)
./gradlew shadowJar
# Build wordlists
./generate_wordlists.sh
```
### How it works
See my [write-up](https://labs.bishopfox.com/tech-blog/gadgetprobe) on the Bishop Fox blog.
### Author
Twitter: [@theBumbleSec](https://twitter.com/theBumbleSec)
GitHub: [the-bumble](https://github.com/the-bumble/)