Java Insecure Deserialization II

This one is attacking a Jenkins application.

Used ysoserial to generate a payload. The ping payload is to check if command execution is possible.

java -jar Desktop/tools/ysoserial/ysoserial-master-SNAPSHOT.jar CommonsCollections3 "ping 192.179.75.2 -c 3" > pewpew

Once the payload has been generated, use this tool to send the exploit.

JavaUnserializeExploits/jenkins.py at master · foxglovesec/JavaUnserializeExploitsGitHub

Now that the command execution has been verifired. Generate a reverse shell payload. I used this website to generate a base54 encoded reverse shell.

Runtime.exec Payload GeneraterAresX's Blog

Create a new exploit file and then send the exploit.