RCEvil.NET - BSidesIowa 2019
At a BSidesIowa 2019 talk, Illuminopi members NoppyByNature and Msnyo shared how to abuse a .NET deserialziation ‘feature’ to gain remote code execution in Microsoft IIS. Check out the slide deck from the talk “RCEvil.NET - A Super Serial Story”. You can also check out the accompanying C# project released during the conference.
https://illuminopi.com/talks/2019/04/20/rcevil-first-post.html
#dotnet #iis #deserialization
At a BSidesIowa 2019 talk, Illuminopi members NoppyByNature and Msnyo shared how to abuse a .NET deserialziation ‘feature’ to gain remote code execution in Microsoft IIS. Check out the slide deck from the talk “RCEvil.NET - A Super Serial Story”. You can also check out the accompanying C# project released during the conference.
https://illuminopi.com/talks/2019/04/20/rcevil-first-post.html
#dotnet #iis #deserialization
Illuminopi
RCEvil.NET - BSidesIowa 2019
At a BSidesIowa 2019 talk, Illuminopi members NoppyByNature and Msnyo shared how to abuse a .NET deserialziation ‘feature’ to gain remote code execution in Microsoft IIS. Check out the slide deck from the talk “RCEvil.NET - A Super Serial Story”. You can…
Blind Java Deserialization Vulnerability - Commons Gadgets
TL;DR: Exploitation of Java Deserialization vulnerability in restricted environments (firewalled system, updated Java). Technique similar to blind SQL injection enables to extract data from the target system (read files, properties, env vars).
https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html
#java #deserialization
TL;DR: Exploitation of Java Deserialization vulnerability in restricted environments (firewalled system, updated Java). Technique similar to blind SQL injection enables to extract data from the target system (read files, properties, env vars).
https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html
#java #deserialization