`__sleep` is called when an object is serialized and must return an array.
`__wakeup` is called when an object is deserialized.
`__destruct` is called when the PHP script ends and the object is destroyed.
`__toString` uses the object as a string, but it can also be used to read a file or do more than that, depending on the function calls inside it.
`__destruct` is also called when the object is deserialized. Note that in several tutorials you will find that the
`__toString` function is called when trying to print some attribute, but apparently that's not happening anymore.
`phpinfo()` of the server and search on the internet (and even in the PHPGGC gadgets) for some possible gadget you could abuse.
`_$ND_FUNC$_` flag is appended to the serialized object.
`node-serialize/lib/serialize.js` you can find the same flag and how the code is using it.
`eval` is used to deserialize the function, so basically user input is being used inside the
`y.rce` in our example and that's highly unlikely. Anyway, you could just modify the serialised object, adding some parentheses in order to auto-execute the serialized function when the object is deserialized. In the next chunk of code notice the last parentheses and how the
`unserialize` function will automatically execute the code:
`_$ND_FUNC$_` and will execute it using
`eval`. Therefore, in order to auto-execute code you can delete the function creation part and the last parentheses and just execute a JS one-liner like in the following example:
`require(something)`, Node returns an exception like
`"ReferenceError: console is not defined"`.
`eval` directly. This is the official deserialisation example:
`Serializable`, the use of
`XMLdecoder` with external user-defined parameters
`fromXML` method (XStream version <= v1.46 is vulnerable to the serialization issue)
`AC ED 00 05` in hex
`Content-type` header of an HTTP response set to
`1F 8B 08 00` in hex, previously compressed
`H4sIA` in Base64, previously compressed
`ObjectInputStream`-related vulnerabilities but also vulns from JSON and YAML deserialization libraries. In active mode, it will try to confirm them using sleep or DNS payloads. You can find more information about Freddy here.
`ObjectInputStream`. I would start using the "URLDNS" payload before an RCE payload to test if the injection is possible. Anyway, note that maybe the "URLDNS" payload is not working but another RCE payload is.
`echo -n "hello world"` but you can't do
`python2 -c 'print "Hello world"'`). In order to encode the payload correctly you could use this webpage.
`Serializable` can declare as
`transient` any field inside the class that shouldn't be serialized. For example:
`Serializable` due to their hierarchy. To guarantee that your application objects can't be deserialized, a
`readObject()` method should be declared (with a
`final` modifier) which always throws an exception:
`java.io.ObjectInputStream` class is used to deserialize objects. It's possible to harden its behavior by subclassing it. This is the best solution if:
`readObject()` is called, you can be sure that no deserialization activity will occur unless the type is one that you wish to allow.
`LookAheadObjectInputStream` class is guaranteed not to deserialize any other type besides the
`java.io.ObjectInputStream` is the best solution. Using this approach you can only blacklist known malicious types and not whitelist them, as you don't know which objects are being serialized.
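As an added example (not the page's own code; every class name in it is constructed for the demo), the following program puts the two hardening measures described above together: a `final` `readObject()` that always throws, so an object in a `Serializable` hierarchy can never be reconstructed from a stream, and a look-ahead `ObjectInputStream` subclass whose `resolveClass` rejects any class that is not on an explicit allow list before a single field is read.

```java
import java.io.*;
import java.util.*;

// Added example, not code from the original page. All class names are
// constructed for this demo; only java.io / java.util APIs are used.
public class SafeDeserializationDemo {

    // A harmless value type we DO want to exchange over serialization.
    public static class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String text;
        public Greeting(String text) { this.text = text; }
        public String getText() { return text; }
    }

    // Inherits Serializable through Greeting, but must never be rebuilt from
    // untrusted bytes: a final readObject() that always throws guarantees it.
    public static final class NeverDeserialize extends Greeting {
        private static final long serialVersionUID = 1L;
        public NeverDeserialize() { super("never"); }
        private final void readObject(ObjectInputStream in) throws IOException {
            throw new InvalidObjectException("Deserialization of NeverDeserialize is forbidden");
        }
    }

    // Look-ahead stream: resolveClass() runs before any object data is read,
    // so an unlisted class is rejected before it can do anything.
    public static final class LookAheadObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        public LookAheadObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object safeDeserialize(byte[] data, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (LookAheadObjectInputStream in =
                     new LookAheadObjectInputStream(new ByteArrayInputStream(data), allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of(Greeting.class.getName());

        // 1) Allow-listed type round-trips normally.
        Greeting g = (Greeting) safeDeserialize(serialize(new Greeting("hello")), allowed);
        System.out.println("allowed: " + g.getText());

        // 2) java.util.Date is an ordinary class, but it is not on the list,
        //    so resolveClass() rejects it before any of its data is read.
        try {
            safeDeserialize(serialize(new Date()), allowed);
        } catch (InvalidClassException e) {
            System.out.println("blocked by allow list: " + e.getMessage());
        }

        // 3) Even when explicitly allow-listed (both it and its superclass
        //    appear in the stream), NeverDeserialize refuses to be rebuilt.
        Set<String> permissive = Set.of(Greeting.class.getName(), NeverDeserialize.class.getName());
        try {
            safeDeserialize(serialize(new NeverDeserialize()), permissive);
        } catch (InvalidObjectException e) {
            System.out.println("refused by readObject(): " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SafeDeserializationDemo.java && java SafeDeserializationDemo` (Java 9 or later for `Set.of`). Note that the allow list has to name every class whose descriptor appears in the stream, superclasses included, which is exactly why it is safer than a blacklist: anything you forgot to list fails closed instead of being resolved.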
The Java Message Service (JMS) API is a Java message-oriented middleware API for sending messages between two or more clients. It is an implementation to handle the producer–consumer problem. JMS is a part of the Java Platform, Enterprise Edition (Java EE), and was defined by a specification developed at Sun Microsystems, but which has since been guided by the Java Community Process. It is a messaging standard that allows application components based on Java EE to create, send, receive, and read messages. It allows the communication between different components of a distributed application to be loosely coupled, reliable, and asynchronous. (From Wikipedia).
`--gadget` used to indicate the gadget to abuse (indicate the class/function that will be abused during deserialization to execute commands).
`--formatter`, used to indicate the method to serialize the exploit (you need to know which library the back-end is using to deserialize the payload and use the same one to serialize it).
`--output` used to indicate if you want the exploit raw or base64 encoded. Note that ysoserial.net will encode the payload using UTF-16LE (the default encoding on Windows), so if you take the raw output and just encode it from a Linux console you might have encoding compatibility problems that prevent the exploit from working properly (in the HTB JSON box the payload worked in both UTF-16LE and ASCII, but this doesn't mean it will always work).
`--plugin` ysoserial.net supports plugins to craft exploits for specific frameworks like ViewState.
`--minify` will provide a smaller payload (if possible).
`--raf -f Json.Net -c "anything"` This will list all the gadgets that can be used with a provided formatter (
`Json.Net` in this case).
`--sf xml` you can indicate a gadget (
`-g`) and ysoserial.net will search for formatters containing "xml" (case insensitive).
`--test` If you indicate this parameter ysoserial.net will try the exploit locally, so you can test if your payload will work correctly. This parameter is helpful because if you review the code you will find chunks of code like the following one (from ObjectDataProviderGenerator.cs):
`--test` parameter allows us to understand which chunks of code are vulnerable to the deserialization exploit that ysoserial.net can create.
`XmlSerializer` if at all possible.
`JSON.Net` is being used make sure the
`TypeNameHandling` is only set to
`FileInfo` objects that reference files actually on the server can, when deserialized, change the properties of those files, e.g. to read-only, creating a potential denial of service attack.
`System.ComponentModel.DataAnnotations.ValidationException`, for example, has a property
`Value` of type `Object`. If this type is the type allowed for deserialization then an attacker can set the
`Value` property to any object type they choose.
`XmlSerializer` can be subverted, e.g.
`JSON.Net` it is possible to create a safer form of white list control using a custom
`System.Windows.Data.ObjectDataProvider` used in WPF applications is a known gadget that allows arbitrary method invocation. It would be risky to have a reference to this assembly in a REST service project that deserializes untrusted data.