MCPcopy Index your code
hub / github.com/BishopFox/GadgetProbe

github.com/BishopFox/GadgetProbe @v1.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release v1.0 ↗ · + Follow
112 symbols 181 edges 16 files 3 documented · 3% updated 5y agov1.0 · 2020-01-21★ 619
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

License Python version

Description

You just found a Java deserialization bug, you ran all your ysoserial payloads, and.... you got nothing. What now? How can you debug or build a gadget chain if you're totally blind?

Introducing GadgetProbe, a tool that shines a light on remote classpaths and raises bug severity for all!

GadgetProbe takes a wordlist of Java classes, outputs serialized DNS callback objects, and reports what's lurking in the remote classpath.

Burp Extension Usage

The Burp extension automatically integrates with Burp Collaborator to handle DNS callbacks. The extension also includes signatures and an analyzer to identify library versions of popular sources for gadgets.

Download the release or follow the build instructions below.

After loading the Burp extension:

  1. Send the vulnerable request to intruder, highlighting the vulnerable parameter.

gif

2. Add a list of Java classes (see included wordlists)

gif

3. Add the GadgetProbe payload processor, and any other required processors in your chain (e.g., Base64 encode).

gif

4. Run the intruder attack and watch the results come back in the GadgetProbe Burp Tab.

gif

GadgetProbe Java Library Usage

GadgetProbe can also be used as a Java library or CLI for specialized attacks.

import com.bishopfox.gadgetprobe.GadgetProbe
...
// Call the GadgetProbe constructor with your authoritative nameserver (or use Burp collaborator).
GadgetProbe gp = new GadgetProbe("dnscallback.burpcollaborator.net");
// The crafted object "obj" is now ready to be sent using any custom implementation :)
Object obj = gp.getObject("org.apache.commons.collections.functors.invokertransformer");

Building from Source

# Build JAR (run first)
./gradlew shadowJar

# Build wordlists
./generate_wordlists.sh

How it works

See my write-up on the Bishop Fox blog.

Author

Twitter: @BumbleSec

GitHub: the-bumble

Core symbols most depended-on inside this repo

equals
called by 15
src/main/java/burp/Signatures/Signature.java
consolePrintln
called by 6
src/main/java/burp/BurpGui.java
getName
called by 5
src/main/java/burp/Signatures/Signature.java
reset
called by 3
src/main/java/burp/BurpGui.java
getVersion
called by 3
src/main/java/burp/Signatures/Signature.java
greaterThan
called by 3
src/main/java/burp/Signatures/Signature.java
lessThan
called by 3
src/main/java/burp/Signatures/Signature.java
initializeCurrentCollaboratorVariables
called by 2
src/main/java/burp/BurpExtender.java

Shape

Method 92
Class 20

Languages

Java100%

Modules by API surface

src/main/java/burp/BurpGui.java27 symbols
src/main/java/burp/BurpExtender.java13 symbols
src/main/java/burp/InteractionServer.java11 symbols
src/main/java/burp/Signatures/Signature.java10 symbols
src/main/java/com/bishopfox/gadgetprobe/GadgetProbe.java8 symbols
src/main/java/burp/Signatures/SpringCore.java4 symbols
src/main/java/burp/Signatures/Javassist.java4 symbols
src/main/java/burp/Signatures/HibernateCore.java4 symbols
src/main/java/burp/Signatures/Groovy239.java4 symbols
src/main/java/burp/Signatures/CommonsIO2.java4 symbols
src/main/java/burp/Signatures/CommonsCollections4.java4 symbols
src/main/java/burp/Signatures/CommonsCollections3.java4 symbols

For agents

$ claude mcp add GadgetProbe \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page