4 Repos
Exploits that trigger arbitrary code execution by manipulating serialized data objects during reconstruction.
Distinct from Code Execution Engines: Focuses on offensive deserialization attacks rather than secure sandboxes or general execution runtimes.
Explore 4 awesome GitHub repositories matching security & cryptography · Deserialization Exploits. Refine with filters or upvote what's useful.
Exphub ist eine Bibliothek für CVE-Exploit-Skripte und eine Suite für Unternehmenssoftware-Schwachstellen, die darauf ausgelegt ist, bekannte Sicherheitslücken in Serverumgebungen wie WebLogic, Struts2, Tomcat und JBoss zu verifizieren und auszunutzen. Es fungiert als Toolkit für Remote Code Execution und als Framework für die Bereitstellung von Web-Shells, um unbefugte Befehlsausführungen auszulösen und persistenten Zugriff auf entfernte Systeme zu etablieren. Das Projekt enthält spezialisierte Dienstprogramme für interne Netzwerkaufklärung, insbesondere durch Server-Side Request Forgery, um offene Ports und Dienste zu scannen. Zudem bietet es Mechanismen zur Umgehung von Zugriffskontrollen sowie für unbefugte Dateizugriffe und Uploads. Die Suite deckt breite Einsatzbereiche ab, darunter Schwachstellenanalyse, Penetrationstests und die Ausführung von Proof-of-Concept-Skripten zur Bestätigung von Sicherheitslücken.
Implements attacks that execute arbitrary commands via serialized object reconstruction in server environments.
phpggc is a security assessment utility and command-line tool designed for the automated generation, obfuscation, and wrapping of serialized object chains. It functions as a gadget chain framework used to identify and verify remote code execution vectors by testing for PHP object injection vulnerabilities. The project provides a modular system for constructing complex serialized object sequences and includes a dedicated payload obfuscator to transform byte streams for bypassing web application firewalls and security filters. It also features a generator for wrapping serialized data into archi
Functions as a command-line tool for generating serialized object gadget chains to exploit PHP deserialization flaws.
ysoserial.net is a payload generator for .NET deserialization, designed to create malicious serialized objects and structured gadget chains. It serves as a tool for generating command execution strings and security testing suites used to assess vulnerabilities in .NET formatters. The tool enables the creation of sequences of object calls that trigger remote code execution during the reconstruction of serialized data. It produces specialized payloads for executing system commands, loading remote libraries, and accessing local file systems. The project includes capabilities for optimizing payl
Provides a tool for creating malicious serialized objects to exploit unsafe deserialization in .NET applications.
Marshalsec is a toolkit designed for generating malicious serialized Java objects to achieve remote code execution during the unmarshalling process. It functions as a Java deserialization exploit tool and a framework for triggering Java Naming and Directory Interface lookups to remote servers. The project provides a JNDI redirector service that intercepts lookups and points targets toward a remote codebase. It includes utilities for crafting payloads that force Java applications to download and execute arbitrary classes from a remote URL. The toolset covers security analysis activities inclu
Provides a toolkit for generating exploits that trigger arbitrary code execution via manipulated serialized data objects.