johndekroon / serializekiller Goto Github PK

Hi johndekroon!

I would like to let you know that this is the best tool I've found so far for testing multiple java deserialization bugs :) Since the tool is getting a little old, do you plan to add new features? I have some ideas of other java bugs like JSF/Seam Applications via javax.faces.ViewState.

Thanks,

syrius01

At line 103, of serializekiller.py, it has "t3://us-l-breens:7001" as a substring of the header. I'm thinking that "us-l-breens" substring is a copy / paste error from Stephen Breens' script and that it should be either the host name or IP address that is being scanned for WebLogic Server.

Have managed to patch few weblogics both 11g and 12c and the script still report them as vulnerable. Can you guys confirm if the detection logic is reliable?

It will be funny if the script could run random ips

is this ok?

I applied the security patch for this vulnerability.
When I checked the script - weblogic part, the script is just checking the t3 port and getting a response. How does it mean the server is vulnerable?

Hi,

I know it's a known issue that some SSL libs gets the following error msg;

! WARNING: Your SSL lib isn't supported. Results might be incomplete.

The question would be how to fix our SSL libs to work 100% with serializekiller ?

Thanks for your time,

syrius01