ZKar – A Java Serialization Protocol Analysis Tool Implemented in Go
Tests
ZKar is a well-tested tool that has passed parsing and rebuilding tests for all ysoserial-generated gadgets. This means that gadgets generated by ysoserial can be parsed by ZKar, and the parsed structs can be converted back into a byte string that is equal to the original one.
Gadget | Package | Parse | Rebuild | Parse Time |
---|---|---|---|---|
AspectJWeaver | ysoserial | ✅ | ✅ | 80.334µs |
BeanShell1 | ysoserial | ✅ | ✅ | 782.613µs |
C3P0 | ysoserial | ✅ | ✅ | 98.321µs |
Click1 | ysoserial | ✅ | ✅ | 573.298µs |
Clojure | ysoserial | ✅ | ✅ | 72.415µs |
CommonsBeanutils1 | ysoserial | ✅ | ✅ | 461.15µs |
CommonsCollections1 | ysoserial | ✅ | ✅ | 64.484µs |
CommonsCollections2 | ysoserial | ✅ | ✅ | 508.918µs |
CommonsCollections3 | ysoserial | ✅ | ✅ | 564.071µs |
CommonsCollections4 | ysoserial | ✅ | ✅ | 535.449µs |
CommonsCollections5 | ysoserial | ✅ | ✅ | 137.609µs |
CommonsCollections6 | ysoserial | ✅ | ✅ | 68.753µs |
CommonsCollections7 | ysoserial | ✅ | ✅ | 178.549µs |
FileUpload1 | ysoserial | ✅ | ✅ | 35.39µs |
Groovy1 | ysoserial | ✅ | ✅ | 150.991µs |
Hibernate1 | ysoserial | ✅ | ✅ | 789.674µs |
Hibernate2 | ysoserial | ✅ | ✅ | 168.624µs |
JBossInterceptors1 | ysoserial | ✅ | ✅ | 632.581µs |
JRMPClient | ysoserial | ✅ | ✅ | 32.967µs |
JRMPListener | ysoserial | ✅ | ✅ | 38.263µs |
JSON1 | ysoserial | ✅ | ✅ | 2.157225ms |
JavassistWeld1 | ysoserial | ✅ | ✅ | 468.596µs |
Jdk7u21 | ysoserial | ✅ | ✅ | 355.01µs |
Jython1 | ysoserial | ✅ | ✅ | 216.862µs |
MozillaRhino1 | ysoserial | ✅ | ✅ | 1.775193ms |
MozillaRhino2 | ysoserial | ✅ | ✅ | 409.124µs |
Myfaces1 | ysoserial | ✅ | ✅ | 22.997µs |
Myfaces2 | ysoserial | ✅ | ✅ | 38.131µs |
ROME | ysoserial | ✅ | ✅ | 485.804µs |
Spring1 | ysoserial | ✅ | ✅ | 797.469µs |
Spring2 | ysoserial | ✅ | ✅ | 358.041µs |
URLDNS | ysoserial | ✅ | ✅ | 21.502µs |
Vaadin1 | ysoserial | ✅ | ✅ | 438.729µs |
Wicket1 | ysoserial | ✅ | ✅ | 23.509µs |
Jdk8u20 | pwntester | ❌ | ❌ | 312.882µs |
The JDK/JRE 8u20 gadget is not supported yet; I am currently working on it.
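The parse-and-rebuild check described under Tests (parse a stream, re-encode it, compare with the original bytes), as an added example that is not ZKar's code or API. It covers only the stream header and three element types (TC_NULL, TC_STRING, TC_BLOCKDATA); the names Element, Parse, Rebuild and Sample are assumptions made for this example, and Sample is a constructed stream.

```go
package main

import "fmt"

type Element struct {
	Tag     byte   // TC_* type code
	Payload []byte // bytes that follow the length field
}

const header = "\xac\xed\x00\x05"                      // STREAM_MAGIC, STREAM_VERSION
var lenWidth = map[byte]int{0x70: 0, 0x74: 2, 0x77: 1} // length-field size: TC_NULL, TC_STRING, TC_BLOCKDATA
var Sample = []byte(header + "\x77\x04\x00\x00\x00\x2a" + "\x74\x00\x02hi" + "\x70") // constructed

// Parse splits a stream into elements and rejects anything outside the subset.
func Parse(data []byte) (out []Element, err error) {
	if len(data) < 4 || string(data[:4]) != header {
		return nil, fmt.Errorf("bad stream header")
	}
	for p := data[4:]; len(p) > 0; {
		w, ok := lenWidth[p[0]]
		n := 0
		for i := 1; ok && i <= w && i < len(p); i++ { // big-endian length field
			n = n<<8 | int(p[i])
		}
		if !ok || len(p) < 1+w+n { // unknown tag, or length field/payload cut short
			return nil, fmt.Errorf("unsupported or truncated tag 0x%02x", p[0])
		}
		out = append(out, Element{p[0], p[1+w : 1+w+n]})
		p = p[1+w+n:]
	}
	return out, nil
}

// Rebuild re-encodes the elements; a faithful parser yields the input bytes.
func Rebuild(els []Element) []byte {
	buf := []byte(header)
	for _, e := range els {
		buf = append(buf, e.Tag)
		for i := lenWidth[e.Tag] - 1; i >= 0; i-- {
			buf = append(buf, byte(len(e.Payload)>>(8*i)))
		}
		buf = append(buf, e.Payload...)
	}
	return buf
}

func main() {
	els, err := Parse(Sample)
	fmt.Println(err, string(Rebuild(els)) == string(Sample))
}
```

Rebuild recomputes each length field from the payload instead of copying the original bytes, so byte equality only holds when the parser attributed every byte to the right field.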
TODO
- Java bytecodes parser and generator
- JDK/JRE 8u20 gadget support
- Serialization payloads generator
- An implementation of RMI/LDAP in Go
License
ZKar is released under the MIT license. See LICENSE
See Also
- SerializationDumper: A tool to dump and rebuild Java serialization streams and Java RMI packet contents in a more human readable form.
- ysoserial: A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
- Java-Deserialization-Cheat-Sheet: The cheat sheet about Java Deserialization vulnerabilities