From 4dc5777c3329cb9d025bcbbb6c6637cd9569c9d3 Mon Sep 17 00:00:00 2001 From: lanjelot Date: Fri, 18 Dec 2020 23:03:25 +1100 Subject: [PATCH] Add gadgetprobe tool --- Insecure Deserialization/Java.md | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/Insecure Deserialization/Java.md b/Insecure Deserialization/Java.md index 8a0b39c..0f029e1 100644 --- a/Insecure Deserialization/Java.md +++ b/Insecure Deserialization/Java.md @@ -50,7 +50,7 @@ Spring2 |@mbechler |spring-core:4.1.4.RELEASE, spr URLDNS |@gebl| | jre only vuln detect Wicket1 |@jacob-baines |wicket-util:6.23.0, slf4j-api:1.6.4 -Additional tools (integration ysoserial with Burp Suite): +## Burp extensions using ysoserial - [JavaSerialKiller](https://github.com/NetSPI/JavaSerialKiller) - [Java Deserialization Scanner](https://github.com/federicodotta/Java-Deserialization-Scanner) 
@@ -58,14 +58,13 @@ Additional tools (integration ysoserial with Burp Suite): - [SuperSerial](https://github.com/DirectDefense/SuperSerial) - [SuperSerial-Active](https://github.com/DirectDefense/SuperSerial-Active) -JRE8u20_RCE_Gadget -[https://github.com/pwntester/JRE8u20_RCE_Gadget](https://github.com/pwntester/JRE8u20_RCE_Gadget) +## Other tools -JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool, [https://github.com/joaomatosf/jexboss](https://github.com/joaomatosf/jexboss) - -ysoserial-modified [https://github.com/pimps/ysoserial-modified](https://github.com/pimps/ysoserial-modified) - -Java Unmarshaller Security: Turning your data into code execution - [https://github.com/mbechler/marshalsec](https://github.com/mbechler/marshalsec) +- [JRE8u20_RCE_Gadget](https://github.com/pwntester/JRE8u20_RCE_Gadget) +- [JexBoss](https://github.com/joaomatosf/jexboss) - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool +- [ysoserial-modified](https://github.com/pimps/ysoserial-modified) +- [gadgetprobe](https://labs.bishopfox.com/gadgetprobe) +- [marshalsec](https://github.com/mbechler/marshalsec) - Turning your data into code execution ```java java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec. [-a] [-v] [-t] [ []]
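Review bot: In the first hunk (@@ -50,7 +50,7 @@), turning "Additional tools (integration ysoserial with Burp Suite):" into the heading "## Burp extensions using ysoserial" is a restructuring that the subject line "Add gadgetprobe tool" does not mention. Either note the heading and list cleanup in the commit message or split it into its own commit, so the single-line tool addition is easy to find in history and to revert on its own.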
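Review bot: In the second hunk (@@ -58,14 +58,13 @@), the new "- [gadgetprobe](https://labs.bishopfox.com/gadgetprobe)" item is the only entry under "## Other tools" that points to a vendor page instead of a github.com repository, and it carries no description. Suggest linking the source repository if one exists and adding a short phrase on what the tool is for, as the JexBoss and marshalsec items have. The marshalsec item also loses the "Java Unmarshaller Security" part of its previous description; restore it unless the shortening is intended. Since the usage block that follows the list belongs to marshalsec, it only reads correctly while marshalsec stays the last item, so consider indenting that block under the item.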