Add configurable Java path in the Exploitation pane beacuse recent Java major versions do not allow to run ysoserial properly

Author: federicodotta

README.md

@@ -1,5 +1,5 @@
 # Java Deserialization Scanner
-Java Deserialization Scanner is a Burp Suite plugin aimed at detect and exploit Java deserialization vulnerabilities. It was written by Federico Dotta, a Security Advisor at @ Mediaservice.net. 
+Java Deserialization Scanner is a Burp Suite plugin aimed at detect and exploit Java deserialization vulnerabilities. It was written by Federico Dotta, Principal Security Analyst at HN Security.
 
 The plugin is made up of three different components:
 
@@ -8,15 +8,15 @@ The plugin is made up of three different components:
 3.	Exploiter, that allow to actively exploit Java deserialization vulnerabilies, using frohoff ysoserial (https://github.com/frohoff/ysoserial)
 
 # Author
-- Federico Dotta, Security Advisor at @ Mediaservice.net
+- Federico Dotta, Principal Security Analyst at HN Security
 
 # Contributors
 - Jeremy Goldstein
 - Andras Veres-Szentkiralyi
 
 # Mini walkthrough (24/05/17)
 A brief article containing a mini walkthrough on how to use the various components of the plugin can be found at the following URL:
-https://techblog.mediaservice.net/2017/05/reliable-discovery-and-exploitation-of-java-deserialization-vulnerabilities/
+https://web.archive.org/web/20201130104913/https://techblog.mediaservice.net/2017/05/reliable-discovery-and-exploitation-of-java-deserialization-vulnerabilities/
 
 # Integration with Burp Suite active and passive scanner
 Java Deserialization Scanner uses custom payloads generated with a modified version of "ysoserial", tool created by frohoff and gebl, to detect Java deserialization vulnerabilities. The original tool (https://github.com/frohoff/ysoserial) generate payloads for the execution of commands on the system, using the Runtime.exec function. Usually, however, it is not possible to see the output of the command and consequently it is not simple to write a scanner based on this kind of function. For this reason, a modified version of ysoserial is used to generate different types of payloads, usefull for the detection of the issue instead of the exploitation:
@@ -40,7 +40,7 @@ Currently, the passive checks of the Java Deserialiation Scanner reported the pr
 12.	Mozilla Rhino (two different chains)
 13.	Vaadin
 
-Furthermore, **URLSNDS payload has been introduced** to actively **detect Java deserialization without any vulnerable libraris**. If the plugin find only the URLDNS issue (and no vulnerable libraries), the attacker probably can execute DoS attacks but to achieve Remote Code Execution it is necessary more effort. Refer to [this link](https://techblog.mediaservice.net/2020/04/java-deserialization-scanner-0-6-is-out/) for more details.
+Furthermore, **URLSNDS payload has been introduced** to actively **detect Java deserialization without any vulnerable libraris**. If the plugin find only the URLDNS issue (and no vulnerable libraries), the attacker probably can execute DoS attacks but to achieve Remote Code Execution it is necessary more effort. Refer to [this link](https://web.archive.org/web/20210312114921/https://techblog.mediaservice.net/2020/04/java-deserialization-scanner-0-6-is-out/) for more details.
 
 All the components of the plugin supports the following encodings:
 

pom.xml

@@ -4,16 +4,18 @@
 
   <groupId>org.fd</groupId>
   <artifactId>JavaDeserializationScanner</artifactId>
-  <version>0.6</version>
+  <version>0.7</version>
   <packaging>jar</packaging>
 
   <name>JavaDeserializationScanner</name>
   <url>http://maven.apache.org</url>
 
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <maven.compiler.source>1.8</maven.compiler.source>
+     <maven.compiler.target>1.8</maven.compiler.target>
   </properties>
-
+  
   <build>
 	<plugins>
 		<plugin>
@@ -77,13 +79,6 @@
 	    <artifactId>commons-codec</artifactId>
 	    <version>1.14</version>
 	</dependency>	
-	  
-    <dependency>
-      <groupId>junit</groupId>
-      <artifactId>junit</artifactId>
-      <version>3.8.1</version>
-      <scope>test</scope>
-    </dependency>
 
   </dependencies>
 </project>

src/main/java/burp/BurpExtender.java

@@ -149,8 +149,9 @@ public class BurpExtender implements IBurpExtender, IScannerCheck, ITab, ActionL
 
     private JTabbedPane mainPanel;
 
+    private JTextField javaPath;
     private JTextField ysoserialPath;
-    
+        
     private String dialogTitle;
     private String dialogMessage;
     private String[] dialogButtonsMessages;
@@ -390,7 +391,7 @@ public void registerExtenderCallbacks(final IBurpExtenderCallbacks callbacks)
 
         urlBodyAlreadyScanned = new ArrayList<String>();
 
-        stdout.println("Java Deserialization Scanner v0.5 - The all-in-one plugin for the detection and the exploitation of Java deserialization vulnerabilities");
+        stdout.println("Java Deserialization Scanner v0.7 - The all-in-one plugin for the detection and the exploitation of Java deserialization vulnerabilities");
         stdout.println("Created by: Federico Dotta");
         stdout.println("Contributors: Jeremy Goldstein, Andras Veres-Szentkiralyi");
         stdout.println("");
@@ -802,12 +803,22 @@ public void run()
                 configurationTitleExploiting.setFont(new Font("Nimbus", Font.BOLD, 16));
                 configurationTitleExploiting.setAlignmentX(Component.LEFT_ALIGNMENT); 
 
+                JPanel javaPathJPanel = new JPanel();
+                javaPathJPanel.setLayout(new BoxLayout(javaPathJPanel, BoxLayout.X_AXIS));
+                javaPathJPanel.setAlignmentX(Component.LEFT_ALIGNMENT); 
+                JLabel labelJavaPath = new JLabel("Java path (recent Java major versions do not allow to run ysoserial properly): ");
+                javaPath = new JTextField(200);                
+                javaPath.setText("java");
+                javaPath.setMaximumSize( javaPath.getPreferredSize() );
+                javaPathJPanel.add(labelJavaPath);
+                javaPathJPanel.add(javaPath);
+                
                 JPanel configurationPaneButtonJPanel = new JPanel();
                 configurationPaneButtonJPanel.setLayout(new BoxLayout(configurationPaneButtonJPanel, BoxLayout.X_AXIS));
                 configurationPaneButtonJPanel.setAlignmentX(Component.LEFT_ALIGNMENT); 
                 JLabel labelConfigurationPaneYsoserialPath = new JLabel("Ysoserial path: ");
                 ysoserialPath = new JTextField(200);                
-                ysoserialPath.setText("ysoserial-0.0.4-all.jar");
+                ysoserialPath.setText("ysoserial.jar");
                 ysoserialPath.setMaximumSize( ysoserialPath.getPreferredSize() );
                 configurationPaneButtonJPanel.add(labelConfigurationPaneYsoserialPath);
                 configurationPaneButtonJPanel.add(ysoserialPath);
@@ -828,7 +839,8 @@ public void run()
                 mainPanelConfiguration.add(addManualIssueToScannerResultManualTesting);                
                 mainPanelConfiguration.add(verboseModeManualTesting);
                 mainPanelConfiguration.add(separatorConfigurationManualTesting);
-                mainPanelConfiguration.add(configurationTitleExploiting);    
+                mainPanelConfiguration.add(configurationTitleExploiting);  
+                mainPanelConfiguration.add(javaPathJPanel);                
                 mainPanelConfiguration.add(configurationPaneButtonJPanel);
                 mainPanelConfiguration.add(enableExploitationHibernate5);   
 
@@ -1837,6 +1849,7 @@ public void insertInjectionCharacters(JTextArea requestArea) {
 
 	public byte[] generateYsoserialPayload() {
 
+		String pathJava = javaPath.getText().trim();
 		String pathYsoserial = ysoserialPath.getText().trim();
 
 		try {
@@ -1847,10 +1860,10 @@ public byte[] generateYsoserialPayload() {
 
 			String[] commands;
 			if(enableExploitationHibernate5.isSelected()) {
-				String[] temp = {"java","-Dhibernate5","-jar",pathYsoserial};
+				String[] temp = {pathJava,"-Dhibernate5","-jar",pathYsoserial};
 				commands = temp;
 			} else {
-				String[] temp = {"java","-jar",pathYsoserial};
+				String[] temp = {pathJava,"-jar",pathYsoserial};
 				commands = temp;
 			}
 			String[] fullCommands = ArrayUtils.addAll(commands, commandParts);