mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-26 06:30:37 +00:00
634ff30a8d
This reverts commit 71795de168
.
125 lines
6.1 KiB
Markdown
125 lines
6.1 KiB
Markdown
|
|
|
|
<details>
|
|
|
|
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
|
|
|
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
|
|
|
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
|
|
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|
|
|
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
|
|
|
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
|
|
|
</details>
|
|
|
|
|
|
# Basic Java Deserialization (ObjectInputStream, readObject)
|
|
|
|
In this POST it's going to be explained an example using java.io.Serializable.
|
|
|
|
## Serializable
|
|
|
|
The Java `Serializable` interface (`java.io.Serializable` is a marker interface your classes must implement if they are to be **serialized** and **deserialized**. Java object serialization (writing) is done with the [ObjectOutputStream](http://tutorials.jenkov.com/java-io/objectoutputstream.html) and deserialization (reading) is done with the [ObjectInputStream](http://tutorials.jenkov.com/java-io/objectinputstream.html).
|
|
|
|
Lets see an example with a **class Person** which is **serializable**. This class **overwrites the readObject** function, so when **any object** of this **class** is **deserialized** this **function** is going to b **executed**.\
|
|
In the example, the **readObject function** of the class Person calls the function `eat()` of his pet and the function `eat()` of a Dog (for some reason) calls a **calc.exe**. **We are going to see how to serialize and deserialize a Person object to execute this calculator:**
|
|
|
|
```java
|
|
import java.io.Serializable;
|
|
import java.io.*;
|
|
|
|
public class TestDeserialization {
|
|
interface Animal {
|
|
public void eat();
|
|
}
|
|
//Class must implements Serializable to be serializable
|
|
public static class Cat implements Animal,Serializable {
|
|
@Override
|
|
public void eat() {
|
|
System.out.println("cat eat fish");
|
|
}
|
|
}
|
|
//Class must implements Serializable to be serializable
|
|
public static class Dog implements Animal,Serializable {
|
|
@Override
|
|
public void eat() {
|
|
try {
|
|
Runtime.getRuntime().exec("calc");
|
|
} catch (IOException e) {
|
|
e.printStackTrace();
|
|
}
|
|
System.out.println("dog eat bone");
|
|
}
|
|
}
|
|
//Class must implements Serializable to be serializable
|
|
public static class Person implements Serializable {
|
|
private Animal pet;
|
|
public Person(Animal pet){
|
|
this.pet = pet;
|
|
}
|
|
//readObject implementation, will call the readObject from ObjectInputStream and then call pet.eat()
|
|
private void readObject(java.io.ObjectInputStream stream)
|
|
throws IOException, ClassNotFoundException {
|
|
pet = (Animal) stream.readObject();
|
|
pet.eat();
|
|
}
|
|
}
|
|
public static void GeneratePayload(Object instance, String file)
|
|
throws Exception {
|
|
//Serialize the constructed payload and write it to the file
|
|
File f = new File(file);
|
|
ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(f));
|
|
out.writeObject(instance);
|
|
out.flush();
|
|
out.close();
|
|
}
|
|
public static void payloadTest(String file) throws Exception {
|
|
//Read the written payload and deserialize it
|
|
ObjectInputStream in = new ObjectInputStream(new FileInputStream(file));
|
|
Object obj = in.readObject();
|
|
System.out.println(obj);
|
|
in.close();
|
|
}
|
|
public static void main(String[] args) throws Exception {
|
|
// Example to call Person with a Dog
|
|
Animal animal = new Dog();
|
|
Person person = new Person(animal);
|
|
GeneratePayload(person,"test.ser");
|
|
payloadTest("test.ser");
|
|
// Example to call Person with a Cat
|
|
//Animal animal = new Cat();
|
|
//Person person = new Person(animal);
|
|
//GeneratePayload(person,"test.ser");
|
|
//payloadTest("test.ser");
|
|
}
|
|
}
|
|
```
|
|
|
|
This example was taken from [https://medium.com/@knownsec404team/java-deserialization-tool-gadgetinspector-first-glimpse-74e99e493649](https://medium.com/@knownsec404team/java-deserialization-tool-gadgetinspector-first-glimpse-74e99e493649)
|
|
|
|
### Conclusion
|
|
|
|
As you can see in this very basic example, the "vulnerability" here appears because the **readObject** function is **calling other vulnerable functions**.
|
|
|
|
|
|
<details>
|
|
|
|
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
|
|
|
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
|
|
|
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
|
|
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|
|
|
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
|
|
|
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
|
|
|
</details>
|
|
|
|
|