Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2025-02-16 14:08:26 +00:00
Code Issues Projects Releases Packages Wiki Activity

GitBook: [master] 5 pages modified

Browse source
This commit is contained in:
CPol 2020-11-26 13:46:19 +00:00 committed by gitbook-bot
parent bfe7618195
commit a636878e7a
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
4 changed files with 17 additions and 78 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
SUMMARY.md
View file

@ -302,7 +302,7 @@
* [CSRF \(Cross Site Request Forgery\)](pentesting-web/csrf-cross-site-request-forgery.md)
* [Dangling Markup - HTML scriptless injection](pentesting-web/dangling-markup-html-scriptless-injection.md)
* [Deserialization](pentesting-web/deserialization/README.md)
* [NodeJS deserialization \_\_proto\_\_ abuse](pentesting-web/deserialization/nodejs-deserialization-__proto__-abuse.md)
* [NodeJS - \_\_proto\_\_ & prototype Pollution](pentesting-web/deserialization/nodejs-proto-prototype-pollution.md)
* [Java JSF ViewState \(.faces\) Deserialization](pentesting-web/deserialization/java-jsf-viewstate-.faces-deserialization.md)
* [Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner](pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.md)
* [Basic Java Deserialization \(ObjectInputStream, readObject\)](pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md)
@ -447,5 +447,4 @@
* [Phising Documents](phising-documents.md)
* [Reset/Forgoten Password Bypass](reset-password.md)
* [Stealing Sensitive Information Disclosure from a Web](stealing-sensitive-information-disclosure-from-a-web.md)
* [NodeJS - Prototype Pollution](nodejs-prototype-pollution.md)

8
pentesting-web/deserialization/README.md
View file

@ -94,6 +94,12 @@ print(base64.b64encode(cPickle.dumps(P())))
## NodeJS
### `__proto__` and `prototype` pollution
If you want to learn about this technique **take a look to the following tutorial**:
{% page-ref page="nodejs-proto-prototype-pollution.md" %}
### [node-serialize](https://www.npmjs.com/package/node-serialize)
This library allows to serialise functions. Example:
@ -210,7 +216,7 @@ Ive found a nice example [package Cryo](https://www.npmjs.com/package/cry
Here a code for serialization and deserialization of an object:
```javascript
cvar Cryo = require('cryo');
var Cryo = require('cryo');
var obj = {
testFunc : function() {return 1111;}
};

66
pentesting-web/deserialization/nodejs-deserialization-__proto__-abuse.md
View file

@ -1,66 +0,0 @@
# NodeJS deserialization \_\_proto\_\_ abuse
This information was copied from this research: [https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/](https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/)
While I was researching packages, I stumbled upon the idea to look at other approaches of attacks on deserialization, which are used in other languages. To achieve code execution we leverage functions with attackers controlled data which are called automatically during the deserialization process or after when an application interacts with a newly created object. Something similar to “magic methods” in other languages.
Actually, there are a lot of packages which work completely differently, still after some experiments I came to an interesting semi-universal attack. It is based on two facts.
Firstly, many packages use the next approach in the deserialization process. They create an empty object and then set its properties using square brackets notations:
```text
obj[key]=value
```
where **key** and **value** are taken from JSON
Therefore we as attackers are able to control practically any property of a new object. If we look through the list of properties, our attention comes to the [cool \_\_proto\_\_ property ](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/proto). The property is used to access and change a prototype of an object. This means that we can change the objects behavior and add/change its methods.
Secondly, a call of some function leads to the invoking of the function arguments methods. For example, when an object is converted to a string, then methods valueOf, toString of the object are called automatically \(more details [here](http://2ality.com/2012/03/converting-to-string.html)\). So, `console.log(obj)` leads to invocation of `obj.toString()`. Another example, `JSON.stringify(obj)` internally invokes obj.toJSON\(\).
Using both of these features, we can get remote code execution in process of interaction between an application `(node.js)` and an object.
Ive found a nice example [package Cryo](https://www.npmjs.com/package/cryo), which supports both function serialization and square bracket notation for object reconstruction, but which isnt vulnerable to IIFE, because it properly manages object \(without using `eval&co`\).
Here a code for serialization and deserialization of an object:
```text
cvar Cryo = require('cryo');
var obj = {
testFunc : function() {return 1111;}
};
var frozen = Cryo.stringify(obj);
console.log(frozen)
var hydrated = Cryo.parse(frozen);
console.log(hydrated);
```
Serialized JSON looks like that. Pretty tangled:
```text
{"root":"_CRYO_REF_1","references":[{"contents":{},"value":"_CRYO_FUNCTION_function () {return 1111;}"},{"contents":{"testFunc":"_CRYO_REF_0"},"value":"_CRYO_OBJECT_"}]}
```
For our attack we can create a serialized JSON object with a `custom __proto__`. We can create our object with our own methods for the objects prototype, but as a small trick, we can set an incorrect name for `__proto__` \(because we dont want to rewrite a prototype of the object in our application\) and serialize it.
```text
var obj = {
__proto: {
toString: function() {console.log("defconrussia"); return 1111;},
valueOf: function() {console.log("defconrussia"); return 2222;}
}
};
```
So we get serialized object and rename from `__proto` to `__proto__` in it:
```text
{"root":"CRYO_REF_3","references":[{"contents":{},"value":"_CRYO_FUNCTION_function () {console.log(\"defconrussia\"); return 1111;}"},{"contents":{},"value":"_CRYO_FUNCTION_function () {return 2222;}"},{"contents":{"toString":"_CRYO_REF_0","valueOf":"_CRYO_REF_1"},"value":"_CRYO_OBJECT"},{"contents":{"proto":"CRYO_REF_2"},"value":"_CRYO_OBJECT"}]}
```
When we send that JSON payload to an application, the package Cryo deserializes the payload in an object, but also changes the objects prototype to our value. Therefore, if the application interacts with the object somehow, converts it to a sting, for example, then the prototypes method will be called and our code will be executed. So, its RCE.
I tried to find packages with similar issues, but most of them didnt support serialization of function. I didnt find any other way to reconstruct `functions in __proto__`. Nevertheless, as many packages use square bracket notation, we can rewrite `__proto__` for them too and spoil prototypes of newly created objects. What happens when an application calls any prototype method of such objects? It may crash due to an unhandled TypeError exception.
In addition, I should mention that the whole idea potentially works for deserialization from any format \(not only JSON\). Once both features are in place, a package is potentially vulnerable. Another thing is that `JSON.parse` is not “vulnerable” to `__proto__ rewriting`.

18
nodejs-prototype-pollution.md → pentesting-web/deserialization/nodejs-proto-prototype-pollution.md
View file

@ -1,10 +1,10 @@
# NodeJS - Prototype Pollution
# NodeJS - \_\_proto\_\_ & prototype Pollution
## Objects in JavaScript <a id="053a"></a>
First of all, we need to understand `Object`in JavaScript. An object is simply a collection of key and value pairs, often called properties of that object. For example:
![](.gitbook/assets/image%20%28398%29.png)
![](../../.gitbook/assets/image%20%28398%29.png)
In Javascript, `Object`is a basic object, the template for all newly created objects. It is possible to create an empty object by passing `null`to `Object.create`. However, the newly created object will also have a type that corresponds to the passed parameter and inherits all the basic properties.
@ -12,7 +12,7 @@ In Javascript, `Object`is a basic object, the template for all newly created obj
console.log(Object.create(null)); // prints an empty object
```
![](.gitbook/assets/image%20%28393%29.png)
![](../../.gitbook/assets/image%20%28393%29.png)
Previously we learned that an Object in javascript is collection of keys and values, so it makes sense that a `null` object is just an empty dictionary: `{}`
@ -30,25 +30,25 @@ function person(fullName, age) {
}
```
![](.gitbook/assets/image%20%28400%29.png)
![](../../.gitbook/assets/image%20%28400%29.png)
```javascript
var person1 = new person("Satoshi", 70);
```
![](.gitbook/assets/image%20%28397%29.png)
![](../../.gitbook/assets/image%20%28397%29.png)
## Prototypes in JavaScript <a id="3843"></a>
One thing to note is that the prototype attribute can be changed/modified/deleted when executing the code. For example functions to the class can be dynamically added:
![](.gitbook/assets/image%20%28394%29.png)
![](../../.gitbook/assets/image%20%28394%29.png)
Functions of the class can also be modified \(like `toString` or `valueOf` the following cases\):
![](.gitbook/assets/image%20%28399%29.png)
![](../../.gitbook/assets/image%20%28399%29.png)
![](.gitbook/assets/image%20%28396%29.png)
![](../../.gitbook/assets/image%20%28396%29.png)
## Inheritance
@ -56,7 +56,7 @@ In a prototype-based program, objects inherit properties/methods from classes. T
Note that, if you add a property to an object that is used as the prototype for a set of objects \(like the myPersonObj\), the objects for which it is the prototype also get the new property, but that property is not printed unless specifically called on.
![](.gitbook/assets/image%20%28395%29.png)
![](../../.gitbook/assets/image%20%28395%29.png)
## \_\_proto\_\_ pollution <a id="0d0a"></a>