Dubbo study demo; it was deleted earlier and has been re-uploaded.

This tool is intended only for security research and internal self-assessment; using it to launch illegal attacks is prohibited, and the user bears responsibility for any consequences.

Dubbo deserialization testing tool

0. Compile & build

    mvn assembly:single

1. Usage

    usage: java -jar expjar [OPTION]

- -h, --help   show help information
- -l, --list   list all available gadgets
Each Apache Dubbo server sets a serialization id to tell its clients which serialization protocol it uses. In Dubbo versions prior to 2.7.8 or 2.6.9, however, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, i.e. by ignoring the server's instruction. This means that if a weak deserializer such as Kryo or FST is somehow in code scope (e.g. because Kryo is pulled in transitively by a dependency), a remote unauthenticated attacker can tell the Provider to use that weak deserializer and then proceed to exploit it.
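The tampering described above lives in the low five bits of the third byte of the 16-byte Dubbo frame header. The following Python is an added example, not code from this tool or from Dubbo itself: it decodes the header and applies the kind of provider-side check the fixed versions perform, rejecting a request whose serialization id differs from the one the provider is configured with. The serialization-id table and the sample header builder are assumptions based on Dubbo's published constants, not values taken from this page.

```python
import struct

DUBBO_MAGIC = 0xDABB          # first two bytes of every Dubbo frame
FLAG_REQUEST = 0x80           # bit 7: request (1) or response (0)
FLAG_TWOWAY = 0x40            # bit 6: caller expects a response
FLAG_EVENT = 0x20             # bit 5: heartbeat / event frame
SERIALIZATION_MASK = 0x1F     # bits 0-4: serialization id chosen by the sender

# Assumed mapping of ids to serializer names (from Dubbo's constants);
# hessian2 is the default, kryo and fst are the weak ones named above.
SERIALIZATION_NAMES = {
    2: "hessian2", 3: "java", 4: "compactedjava",
    6: "fastjson", 7: "nativejava", 8: "kryo", 9: "fst",
}


def parse_header(header: bytes) -> dict:
    """Decode the fixed 16-byte Dubbo header: magic(2) flag(1) status(1)
    request_id(8) body_len(4), all big-endian."""
    if len(header) < 16:
        raise ValueError("header too short: %d bytes" % len(header))
    magic, flag, status, request_id, body_len = struct.unpack(">HBBQI", header[:16])
    if magic != DUBBO_MAGIC:
        raise ValueError("bad magic 0x%04x" % magic)
    return {
        "request": bool(flag & FLAG_REQUEST),
        "twoway": bool(flag & FLAG_TWOWAY),
        "event": bool(flag & FLAG_EVENT),
        "serialization_id": flag & SERIALIZATION_MASK,
        "status": status,
        "request_id": request_id,
        "body_len": body_len,
    }


def check_serialization(header: bytes, configured_id: int) -> tuple:
    """Provider-side guard: accept the frame only if the id the client put
    in the flag byte equals the id the provider is configured to use."""
    sid = parse_header(header)["serialization_id"]
    name = SERIALIZATION_NAMES.get(sid, "unknown(%d)" % sid)
    want = SERIALIZATION_NAMES.get(configured_id, str(configured_id))
    if sid != configured_id:
        return False, "rejected: client asked for %s, provider uses %s" % (name, want)
    return True, "accepted (%s)" % name


def sample_request_header(serialization_id: int, request_id: int = 1) -> bytes:
    """Constructed test fixture: a two-way request header with no body."""
    flag = FLAG_REQUEST | FLAG_TWOWAY | (serialization_id & SERIALIZATION_MASK)
    return struct.pack(">HBBQI", DUBBO_MAGIC, flag, 0, request_id, 0)
```

A provider configured for hessian2 (id 2) accepts a frame carrying id 2 and rejects one whose flag byte names kryo (id 8), which is exactly the mismatch the vulnerable versions silently honoured.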
Vulnerable product: Apache Dubbo