https://github.com/malectricasoftware/balsamic
Insecure deserialization library
https://github.com/malectricasoftware/balsamic
deserialization-library deserialization-vulnerability pickle python security serialization
Last synced: 5 months ago
JSON representation
Insecure deserialization library
- Host: GitHub
- URL: https://github.com/malectricasoftware/balsamic
- Owner: malectricasoftware
- Created: 2024-05-16T20:38:08.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2024-05-29T02:36:44.000Z (about 2 years ago)
- Last Synced: 2026-01-02T21:48:11.994Z (5 months ago)
- Topics: deserialization-library, deserialization-vulnerability, pickle, python, security, serialization
- Language: Python
- Homepage:
- Size: 70.3 KB
- Stars: 1
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# Balsamic
balsamic is a library for sending malicious pickles to a vunlerable application, via web requests, or a malicious server or client
we will add more payloads but for now we just execute shell commands. via the oscmd payload.
## useage (standalone)
web request mode
```
usage: balsamic.py webreq [-h] [-m METHOD] -u URL [-p PARAMETER] [-co COOKIE] -P PAYLOAD
[-c COMMAND] [-H HEADERS]
options:
-h, --help show this help message and exit
-m METHOD, --method METHOD
-u URL, --url URL
-p PARAMETER, --parameter PARAMETER
-co COOKIE, --cookie COOKIE
-P PAYLOAD, --payload PAYLOAD
-c COMMAND, --command COMMAND
-H HEADERS, --headers HEADERS
```
socksend mode
```
usage: balsamic.py socksend [-h] -rh RHOST -rp RPORT -P PAYLOAD [-c COMMAND] [-s STEPS] [-e]
[--ipv6]
options:
-h, --help show this help message and exit
-rh RHOST, --rhost RHOST
-rp RPORT, --rport RPORT
-P PAYLOAD, --payload PAYLOAD
-c COMMAND, --command COMMAND
-s STEPS, --steps STEPS
-e, --encode
--ipv6 Use IPv6
```
socklisten mode
```
usage: balsamic.py socklisten [-h] -lp LPORT -P PAYLOAD [-c COMMAND] [-s STEPS] [-e] [--ipv6]
options:
-h, --help show this help message and exit
-lp LPORT, --lport LPORT
-P PAYLOAD, --payload PAYLOAD
-c COMMAND, --command COMMAND
-s STEPS, --steps STEPS
-e, --encode
--ipv6 Use IPv6
```
## useage (library)
```
from balsamic import balsamic
balsamic.utility.command="command"
balsamic.webreq("method", "url", "payload", "param", "cookie", custom_headers)
balsamic.socksend("rhost", rport, "payload", enc, steps, use_ipv6)
balsamic.socklisten(lport, "payload", enc, steps, use_ipv6)
```