Java Deserialization Overview
Author: Internet
0x01 Java Deserialization Overview
https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
No. | Type | Format | Notes |
--- | --- | --- | --- |
01 | Java Native Serialization | Binary | Generic exploitation of the JDK's built-in serialization; ysoserial is the tool that generates the gadget-chain payloads |
02 | XMLEncoder | XML | |
03 | XStream | XML/JSON/various | |
04 | Kryo | Binary | |
05 | Hessian/Burlap | Binary/XML | |
06 | Castor | XML | |
07 | json-io | JSON | |
08 | Jackson | JSON | |
09 | Fastjson | JSON | |
10 | Genson | JSON | |
11 | Flexjson | JSON | |
12 | Jodd | JSON | |
13 | Red5 IO AMF | AMF | |
14 | Apache Flex BlazeDS | AMF | |
15 | Flamingo AMF | AMF | |
16 | GraniteDS | AMF | |
17 | WebORB for Java | AMF | |
18 | SnakeYAML | YAML | |
19 | jYAML | YAML | |
20 | YamlBeans | YAML | |
21 | "Safe" deserialization | (various) | JAXB, XmlBeans, Jibx, Protobuf, GSON, GWT-RPC |
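Row 01 is the only entry the table marks as generically exploitable, and the quotation marks on row 21 raise the question of what makes deserialization safe. The Java program below is an added illustration, not code from either GitHub repository linked on this page: it shows the unfiltered `ObjectInputStream.readObject()` call that ysoserial payloads target next to the same call hardened with a JEP 290 `ObjectInputFilter` allow-list (Java 9+). The `Greeting` class, the contents of the allow-list and the `HashMap` used as a stand-in payload are assumptions made for the demo; `HashMap` is not a gadget, it simply falls outside the allow-list.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

// Added demo (not from the cheat sheet): unfiltered readObject() beside a
// JEP 290 allow-list filter. Requires Java 9 or newer.
public class DeserializationFilterDemo {

    // Hypothetical application type that the service legitimately expects.
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: any Serializable class on the classpath can be
    // instantiated, so a ysoserial gadget chain runs before the cast is reached.
    static Greeting unsafeDeserialize(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return (Greeting) ois.readObject();
        }
    }

    // Hardened pattern: allow-list filter that rejects every class the service
    // does not expect and bounds nesting depth. The filter runs while classes are
    // resolved, before any readObject() from the stream can execute.
    static final Set<Class<?>> ALLOWED = Set.of(Greeting.class, String.class);

    static final ObjectInputFilter ALLOW_LIST = info -> {
        if (info.depth() > 4) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> c = info.serialClass();
        if (c == null) {
            // Limit-only callback (no class to judge yet): leave undecided.
            return ObjectInputFilter.Status.UNDECIDED;
        }
        return ALLOWED.contains(c)
            ? ObjectInputFilter.Status.ALLOWED
            : ObjectInputFilter.Status.REJECTED;
    };

    static Greeting safeDeserialize(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            ois.setObjectInputFilter(ALLOW_LIST); // must be set before readObject()
            return (Greeting) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Greeting("hello"));
        // Constructed stand-in for a payload carrying a class the service never
        // asked for; HashMap is not a gadget, it just lies outside the allow-list.
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("unsafe accepts expected: " + unsafeDeserialize(expected).text);
        try {
            unsafeDeserialize(unexpected);
        } catch (ClassCastException e) {
            // Too late: the object was fully built before the cast failed.
            System.out.println("unsafe: object constructed, cast failed afterwards");
        }

        System.out.println("safe accepts expected:   " + safeDeserialize(expected).text);
        try {
            safeDeserialize(unexpected);
        } catch (InvalidClassException e) {
            // Rejected at class resolution; nothing from the stream was instantiated.
            System.out.println("safe rejected: " + e.getMessage());
        }
    }
}
```

The distinction that matters is where the failure happens: in `unsafeDeserialize` the unexpected object is constructed and all of its stream-driven code has already run before the cast throws, whereas the filter in `safeDeserialize` rejects the class descriptor before any instance exists. Since Java 9 the same allow-list can be expressed as a pattern string via `ObjectInputFilter.Config.createFilter` or set process-wide with the `jdk.serialFilter` system property.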
0x02 CVE Summary
https://github.com/PalindromeLabs/Java-Deserialization-CVEs
0xA0 References
Java-Deserialization-Cheat-Sheet: https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
Java-Deserialization-CVEs: https://github.com/PalindromeLabs/Java-Deserialization-CVEs
Source: https://blog.csdn.net/zirandu/article/details/120147585