Insecure Deserialization
** Note: serialize()'d PHP objects contain NUL bytes (\0) as delimiters around protected and private property names ("\0*\0name", "\0Class\0name"), so a payload is normally base64-encoded before it is placed in a cookie or parameter; base64 also avoids URL-encoding problems with the raw bytes.
PHP
- Anatomy of a serialize()'ed value:
  O:<name-length>:"<classname>":<property-count>:{s:<len>:"<property>";s:<len>:"<value>";s:<len>:"<property>";b:1;}
  Type tags: s (string; the length is the byte length), i (integer), d (float), b (bool, 0/1), N (null), a (array), O (object). Every scalar is terminated with ";". Protected properties are named "\0*\0name", private ones "\0Class\0name".
- Methods: serialize(), unserialize(). The bug is unserialize() on attacker-controlled input; the gadget is any loadable class with a usable magic method.
- Loose comparison (==) type juggling, which matters when a deserialized value is compared with an integer:
  0 == "passwordAbcd" -> true in PHP 7: a string is cast to int using only its leading digits, and a string with no leading digits becomes 0. False in PHP 8, where an int compared with a non-numeric string is compared as strings.
  9 == "a9sbv6bk2d9naeeoch2yffy2fp6zfz13" -> false: no leading digit, so the string casts to 0, not 9.
- Magic methods: __construct (never called by unserialize()), __destruct (runs when the object is destroyed, a common sink), __sleep (during serialization), __wakeup (during deserialization), __toString; PHP 7.4+ adds __serialize/__unserialize.
- Gadget chain for Apache Commons Collections (Java, ysoserial): java -jar ysoserial.jar CommonsCollections2 '<command>' | base64 | tr -d "\n"
- Check the stack trace for PHP framework versions: with a signed cookie such as {"token":"<base64 serialize()'d object>","sig_hmac_sha1":"<hmac>"}, a malformed or empty token can trigger an error page whose stack trace names the framework and its version, which decides which gadget chain applies. Because the token is HMAC-signed, a modified token is only accepted if it is re-signed.
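To make the anatomy and the comparison notes above concrete, here is an added Python parser (example code, not from the original page) that walks a serialize()'d value, decodes the NUL-delimited protected/private property names, lists every class the payload would instantiate (each one's __wakeup()/__destruct() may run), and emulates `int == string` under PHP 7 and PHP 8 rules. The User/Role sample payload and the helper names (php_unserialize, class_names, php_loose_int_eq) are constructed for this example; the numeric-string regex simplifies PHP's whitespace handling.

```python
import base64
import re


class PHPUnserializeError(ValueError):
    """Malformed input; PHP's unserialize() would return false and emit a notice."""


class PHPObject:
    """An O:... value: class name plus its properties."""

    def __init__(self, classname, props):
        self.classname = classname
        self.props = props

    def __repr__(self):
        return f"PHPObject({self.classname!r}, {self.props!r})"


def _prop_name(raw: str) -> str:
    # Visibility is encoded in the name: "\0*\0name" = protected, "\0Class\0name" = private.
    if raw.startswith("\x00"):
        scope, _, name = raw[1:].partition("\x00")
        return f"{name} (protected)" if scope == "*" else f"{name} (private to {scope})"
    return raw


def _read_until(data: bytes, pos: int, stop: bytes):
    end = data.index(stop, pos)
    return data[pos:end], end + 1


def _parse_members(data: bytes, pos: int, count: int):
    if data[pos:pos + 1] != b"{":
        raise PHPUnserializeError(f"expected '{{' at offset {pos}")
    pos, out = pos + 1, {}
    for _ in range(count):
        key, pos = _parse(data, pos)
        val, pos = _parse(data, pos)
        out[key] = val
    if data[pos:pos + 1] != b"}":
        raise PHPUnserializeError("member count does not match the declared count")
    return out, pos + 1


def _parse(data: bytes, pos: int):
    tag = data[pos:pos + 1]
    if tag == b"N":                                   # N;
        return None, pos + 2
    if tag in (b"i", b"d", b"b"):                     # i:42;  d:1.5;  b:1;
        raw, pos = _read_until(data, pos + 2, b";")
        return {b"i": int, b"d": float, b"b": lambda r: r == b"1"}[tag](raw), pos
    if tag == b"s":                                   # s:<bytelen>:"<bytes>";
        raw_len, pos = _read_until(data, pos + 2, b":")
        n = int(raw_len)
        if data[pos:pos + 1] != b'"' or data[pos + 1 + n:pos + 3 + n] != b'";':
            raise PHPUnserializeError("string length does not match the declared length")
        return data[pos + 1:pos + 1 + n].decode("latin-1"), pos + 3 + n
    if tag == b"a":                                   # a:<count>:{key;value;...}
        raw_count, pos = _read_until(data, pos + 2, b":")
        return _parse_members(data, pos, int(raw_count))
    if tag == b"O":                                   # O:<len>:"<class>":<count>:{...}
        raw_len, pos = _read_until(data, pos + 2, b":")
        n = int(raw_len)
        if data[pos:pos + 1] != b'"' or data[pos + 1 + n:pos + 3 + n] != b'":':
            raise PHPUnserializeError("class name length does not match the declared length")
        cls = data[pos + 1:pos + 1 + n].decode()
        raw_count, pos = _read_until(data, pos + 3 + n, b":")
        members, pos = _parse_members(data, pos, int(raw_count))
        return PHPObject(cls, {_prop_name(str(k)): v for k, v in members.items()}), pos
    raise PHPUnserializeError(f"unknown type tag {tag!r} at offset {pos}")


def php_unserialize(payload, base64_encoded: bool = False):
    """Parse one serialize()'d value (raw bytes/str, or base64 as found in cookies)."""
    if base64_encoded:
        data = base64.b64decode(payload)
    else:
        data = payload.encode("latin-1") if isinstance(payload, str) else payload
    value, end = _parse(data, 0)
    if end != len(data):
        raise PHPUnserializeError("trailing bytes after the value")
    return value


def class_names(value):
    """Every class the payload instantiates, outermost first."""
    found = []
    if isinstance(value, PHPObject):
        found.append(value.classname)
        value = value.props
    if isinstance(value, dict):
        for v in value.values():
            found.extend(class_names(v))
    return found


_NUMERIC = re.compile(r"^\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$")
_LEADING_NUMERIC = re.compile(r"^\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?")


def php_loose_int_eq(number: int, text: str, php8: bool = False) -> bool:
    """Emulate `int == string`: PHP 7 casts the string (leading digits, else 0);
    PHP 8 compares numerically only for numeric strings, otherwise as strings."""
    if _NUMERIC.match(text):
        return float(text) == number
    if php8:
        return str(number) == text
    m = _LEADING_NUMERIC.match(text)
    return (float(m.group(0)) if m else 0) == number


# Constructed sample (not from a real application): a User with a public string, a
# boolean and a protected, NUL-delimited property holding a nested Role object.
SAMPLE = (b'O:4:"User":3:{s:4:"name";s:5:"admin";s:8:"is_admin";b:1;'
          b's:7:"\x00*\x00role";O:4:"Role":1:{s:5:"level";i:9;}}')
SAMPLE_B64 = base64.b64encode(SAMPLE)   # the form you would meet in a cookie
```

Running `class_names(php_unserialize(SAMPLE_B64, base64_encoded=True))` on the sample gives `['User', 'Role']`: both classes' magic methods are reachable even though only User is named at the top level, which is why the whole object graph, not just the outer class, has to be reviewed for gadgets.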
Java
- A Java serialized stream starts with the bytes AC ED 00 05 (stream magic plus version 5), which becomes "rO0AB" once the object is base64-encoded; look for rO0 in cookies, hidden fields and other opaque blobs.
- Class and methods: java.io.Serializable; a class can define its own writeObject()/readObject(). The "magic method" on the receiving side is ObjectInputStream.readObject(): any Serializable class on the classpath can be instantiated by the stream, and its readObject() runs before the application casts the result.
- Universal detection in any Java version: the ysoserial URLDNS chain triggers a DNS lookup on deserialization and needs no third-party library, so it works as a probe even when no RCE gadget is available.
- If the target JRE is not patched with JEP 290 (serialization filtering), RMI registries can be exploited directly because the registry deserializes attacker-supplied objects: use ysoserial's JRMPClient and JRMPListener.
- The transient keyword in Java is used to avoid serialization. If a field of a data structure is declared transient, it is not written to the stream and is left at its default value after readObject().
- The fully qualified class name, including the package name of the gadget class, is present in cleartext in the binary serialized object, so a hex or strings view of a captured payload reveals the library being targeted.
- PostgreSQL injection through a custom gadget (Java, PortswiggerGenericSD): the application's readObject() builds a query by string formatting, SELECT * FROM products WHERE id = '%s' LIMIT 1 with id taken from the deserialized object, so setting id to "' UNION SELECT '1','2','3',CAST((SELECT concat(username,':',password) from users LIMIT 1) as int),'5','6','7','8' --" makes the CAST to int fail and the database error message echoes the username:password pair.
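The first two points above (the rO0/AC ED 00 05 signature and the cleartext class names in the stream) can be turned into a triage tool. The following is an added Python example, not code from the page or from ysoserial: it recognises a Java serialized stream in raw or base64 form, pulls out the class names in order of first appearance by scanning for TC_CLASSDESC (0x72) records, and applies an allowlist pre-check in the spirit of JEP 290's ObjectInputFilter. The sample stream is constructed here from hand-built class descriptors with no fields; it is a stand-in for a captured payload, not a working gadget chain, and the function names are this example's own.

```python
import base64
import re
import struct

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC + STREAM_VERSION 5 -> "rO0AB" in base64
TC_OBJECT = 0x73                            # new object follows
TC_CLASSDESC = 0x72                         # class descriptor: 2-byte length + class name follow

# Binary names as written in the stream: dotted class names, or array descriptors
# such as "[Ljava.lang.Object;" and "[B".
_CLASS_NAME = re.compile(rb"^(?:\[+[BCDFIJSZ]|\[*L?[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*;?)$")


def to_stream_bytes(blob) -> bytes:
    """Accept raw bytes or the base64 form found in cookies/parameters; return raw bytes."""
    if isinstance(blob, str):
        blob = blob.encode()
    if blob.startswith(b"rO0"):
        return base64.b64decode(blob)
    return blob


def is_java_serialized(blob) -> bool:
    return to_stream_bytes(blob).startswith(JAVA_STREAM_MAGIC)


def class_names(blob) -> list:
    """Class names in order of first appearance.

    Each class is introduced once by TC_CLASSDESC + length + name; later uses are
    TC_REFERENCE back-pointers. TC_PROXYCLASSDESC (dynamic proxies) is not handled.
    """
    data = to_stream_bytes(blob)
    if not data.startswith(JAVA_STREAM_MAGIC):
        return []
    names, i = [], len(JAVA_STREAM_MAGIC)
    while i + 3 <= len(data):
        if data[i] == TC_CLASSDESC:
            (n,) = struct.unpack(">H", data[i + 1:i + 3])
            candidate = data[i + 3:i + 3 + n]
            if n and len(candidate) == n and _CLASS_NAME.match(candidate):
                names.append(candidate.decode())
                i += 3 + n          # skip the name so letters inside it are not re-scanned
                continue
        i += 1
    return names


def _element_type(name: str) -> str:
    base = name.lstrip("[")
    if name.startswith("[") and base.startswith("L") and base.endswith(";"):
        return base[1:-1]
    return base


def precheck(blob, allowlist) -> str:
    """Gateway-style allowlist, an approximation of JEP 290: the real filter runs inside
    ObjectInputStream and also bounds depth, array length and reference count."""
    if not is_java_serialized(blob):
        return "NOT_SERIALIZED"
    for cls in class_names(blob):
        elem = _element_type(cls)
        if elem not in allowlist and not (len(elem) == 1 and elem in "BCDFIJSZ"):
            return f"REJECT:{cls}"
    return "ALLOW"


def _class_desc(name: bytes, serial_version_uid: int) -> bytes:
    # TC_CLASSDESC, name, serialVersionUID, flags (SC_SERIALIZABLE = 0x02), zero fields,
    # TC_ENDBLOCKDATA (end of class annotations), TC_NULL (no superclass descriptor)
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name
            + struct.pack(">q", serial_version_uid) + b"\x02\x00\x00\x78\x70")


# Constructed sample: two field-less objects, the second named after a class from the
# Apache Commons Collections package used by ysoserial's CommonsCollections chains.
SAMPLE_STREAM = (JAVA_STREAM_MAGIC
                 + bytes([TC_OBJECT]) + _class_desc(b"java.util.HashMap", 0x1234)
                 + bytes([TC_OBJECT])
                 + _class_desc(b"org.apache.commons.collections.functors.InvokerTransformer", 0x5678))
SAMPLE_B64 = base64.b64encode(SAMPLE_STREAM).decode()   # starts with "rO0AB"
```

`class_names(SAMPLE_B64)` returns `['java.util.HashMap', 'org.apache.commons.collections.functors.InvokerTransformer']`, which is the same information a `strings` pass over a real payload gives, and `precheck` with an allowlist of only `java.util.HashMap` rejects it by the first disallowed name. A scanner like this is a detection aid, not a replacement for a process-wide `ObjectInputFilter` or for removing the deserialization entry point.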
Python
Ruby
- Ruby on Rails: Rails automatically deserializes incoming requests that contain JSON or XML parameters. It does not do this for YAML, because it would be unsafe. However, the XML parameter parser in older Rails releases interpreted elements of the form <foo type="yaml">...</foo> as YAML documents, which reintroduced the unsafe path (fixed in later releases).
- RoR deserialization (Ruby 2.0 - 2.5), Marshal gadget chain from https://www.elttam.com/blog/ruby-deserialization/#:~:text=GENERATING%20THE%20PAYLOAD
  1. Replace "id" (the command executed) in the payload-generating code from the post with your command.
  2. Run ruby code.rb and copy the base64 output.
  3. echo "<base64 code>" | tr -d "\n"
  4. URL-encode the result (or urlencode_not_plus, so that "+" in the base64 becomes %2B instead of being read as a space by the parameter parser) before placing it in the serialized object / cookie.
- Marshal object # Run the below commands in terminal
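The terminal commands the note above refers to are not reproduced on this page. As an added example (not the page's or elttam's code), the following Python packages steps 3 and 4 of the procedure and shows why the URL-encoding step matters: base64 output contains "+", "/" and "=", and a Rack-style parameter parser turns a bare "+" into a space, so an unencoded payload is corrupted before Marshal.load ever sees it. The input bytes are a constructed stand-in that only carries the Marshal 4.8 header, not a real object graph from the generator, and the function names are this example's own.

```python
import base64
import binascii
import urllib.parse

MARSHAL_HEADER = b"\x04\x08"     # Marshal.dump() on Ruby 2.x writes format version 4.8 first


def package_marshal(raw: bytes) -> str:
    """Steps 3-4 above: single-line base64, then percent-encode every reserved character."""
    if not raw.startswith(MARSHAL_HEADER):
        raise ValueError("input does not start with the Marshal 4.8 header")
    b64 = base64.b64encode(raw).decode()        # no line breaks, unlike the `base64` CLI
    return urllib.parse.quote(b64, safe="")     # '+' -> %2B, '/' -> %2F, '=' -> %3D


def decode_as_rack_param(value: str):
    """What a Rack/Rails parameter parser hands to the app: '+' is a space, %XX is decoded.
    Returns the Marshal bytes, or None when the base64 no longer decodes cleanly."""
    try:
        return base64.b64decode(urllib.parse.unquote_plus(value), validate=True)
    except (binascii.Error, ValueError):
        return None


# Constructed stand-in for the generator's output; its base64 form ("BAj+//4=") happens to
# contain all three characters that bite when the value is sent without URL-encoding.
SAMPLE_MARSHAL = b"\x04\x08\xfe\xff\xfe"
```

`package_marshal(SAMPLE_MARSHAL)` gives `BAj%2B%2F%2F4%3D`, which survives `decode_as_rack_param` unchanged, whereas the bare base64 `BAj+//4=` comes back as `None` because the "+" was decoded to a space and the base64 no longer validates.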