Any class that implements the interface java.io.Serializable can be serialized and deserialized. If you have source code access, take note of any code that uses the readObject() method, which is used to read and deserialize data from an InputStream.
The native methods for PHP serialization are serialize() and unserialize(). If you have source code access, you should start by looking for unserialize().
Basic Serialization - look for cookies with base64 encoded or some kind of searialzed you can update the admin;b:0 to admin;B:1 --> which makes us admin
PHP - Exploiting Data Types - Look for cookies and any other serialized values - Update the user value or the username to any user - if required update the access token, serialize it and try to access unauthorized data Example Update the data from O:4:"User":2:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"msai659yp7cfu0magd7vm3siq9ls2cld";} to O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;} - Always try to update the content in the serialized object Update the object from O:4:"User":3:{s:8:"username";s:5:"gregg";s:12:"access_token";s:32:"favhu4mwxv64b6mz5x6ga79wxs5k95op";s:11:"avatar_link";s:18:"users/gregg/avatar"; TO O:4:"User":3:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"zp46h5h7j8dbk07k04e57dgu67ayxsy7";s:11:"avatar_link";s:23:"/home/carlos/morale.txt";}
Magic Methods Magic methods are a special subset of methods that you do not have to explicitly invoke. Instead, they are invoked automatically whenever a particular event or scenario occurs __construct(), which is invoked whenever an object of the class is instantiated, similar to Python's __init__. some languages have magic methods that are invoked automatically during the deserialization process. For example, PHP's unserialize() method looks for and invokes an object's __wakeup() magic method. In Java deserialization, the same applies to the ObjectInputStream.readObject() method, which is used to read data from the initial byte stream and essentially acts like a constructor for "re-initializing" a serialized object. However, Serializable classes can also declare their own readObject() method as follows: private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException { // implementation } A readObject() method declared in exactly this way acts as a magic method that is invoked during deserialization. This allows the class to control the deserialization of its own fields more closely. You should pay close attention to any classes that contain these types of magic methods. They allow you to pass data from a serialized object into the website's code before the object is fully deserialized. This is the starting point for creating more advanced exploits.
Comments
Post a Comment