Project URL: https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/

Java deserialization cheat sheet. This page collects examples of Java deserialization issues encountered in penetration tests and in a number of Java applications, along with some exploitation tools.


A cheat sheet for pentesters about Java Native Binary Deserialization vulnerabilities

Please, use #javadeser hash tag for tweets.

Table of contents

Overview

Main talks & presentations & docs

Marshalling Pickles

by @frohoff & @gebl

Exploiting Deserialization Vulnerabilities in Java

by @matthias_kaiser

Serial Killer: Silently Pwning Your Java Endpoints

by @pwntester & @cschneider4711

Deserialize My Shorts: Or How I Learned To Start Worrying and Hate Java Object Deserialization

by @frohoff & @gebl

Surviving the Java serialization apocalypse

by @cschneider4711 & @pwntester

Java Deserialization Vulnerabilities - The Forgotten Bug Class

by @matthias_kaiser

Pwning Your Java Messaging With Deserialization Vulnerabilities

by @matthias_kaiser

Defending against Java Deserialization Vulnerabilities

by @lucacarettoni

A Journey From JNDI/LDAP Manipulation To Remote Code Execution Dream Land

by @pwntester and O. Mirosh

Payload generators

ysoserial

https://github.com/frohoff/ysoserial

RCE (or something else) via:

  • Apache Commons Collections <= 3.1
  • Apache Commons Collections <= 4.0
  • Groovy <= 2.3.9
  • Spring Core <= 4.1.4 (?)
  • JDK <=7u21
  • Apache Commons BeanUtils 1.9.2 + Commons Collections <=3.1 + Commons Logging 1.2 (?)
  • BeanShell 2.0
  • Groovy 2.3.9
  • Jython 2.5.2
  • C3P0 0.9.5.2
  • Apache Commons Fileupload <= 1.3.1 (File uploading)
  • ROME 1.0
  • MyFaces
  • JRMPClient/JRMPListener
  • JSON
  • Hibernate

Additional tools (ysoserial integration with Burp Suite):
  • JavaSerialKiller
  • Java Deserialization Scanner
  • Burp-ysoserial

Full shell (pipes, redirects and other stuff):
  • $@|sh – Or: Getting a shell environment from Runtime.exec
  • Set String[] for Runtime.exec (patch ysoserial's payloads)

How it works:
  • https://blog.srcclr.com/commons-collections-deserialization-vulnerability-research-findings/
  • http://gursevkalra.blogspot.ro/2016/01/ysoserial-commonscollections1-exploit.html

ACEDcup

https://github.com/GrrrDog/ACEDcup

File uploading via:
  • Apache Commons FileUpload <= 1.3 (CVE-2013-2186) and Oracle JDK < 7u40

Universal billion-laughs DoS

https://gist.github.com/coekie/a27cc406fc9f3dc7a70d

Won't fix DoS via default Java classes

Universal Heap overflows DoS using Arrays and HashMaps

https://github.com/topolik/ois-dos/

How it works:
  • Java Deserialization DoS - payloads

Won't fix DoS via default Java classes

Exploits

no spec tool - You don't need a special tool (just Burp/ZAP + payload)

RMI
  • Protocol
  • Default - 1099/tcp for rmiregistry

ysoserial (works only against a RMI registry service)

JMX

ysoserial

JNDI/LDAP

https://github.com/zerothoughts/jndipoc

JMS

JMET

JSF ViewState
  • if there is no encryption or no sound MAC on the ViewState
T3 of Oracle Weblogic
  • Protocol
  • Default - 7001/tcp on localhost interface
  • CVE-2015-4852

loubia (tested on 11g and 12c, supports t3s)

JavaUnserializeExploits (doesn't work for all Weblogic versions)

IBM Websphere 1

JavaUnserializeExploits

serialator

IBM Websphere 2
  • When using custom form authentication
  • WASPostParam cookie
  • Full info

no spec tool

JBoss
  • http://jboss_server/invoker/JMXInvokerServlet
  • Default port - 8080/tcp
  • CVE-2015-7501

JavaUnserializeExploits

https://github.com/njfox/Java-Deserialization-Exploit

serialator

Jenkins

JavaUnserializeExploits

Jenkins 2

ysoserial

Restlet
  • <= 2.1.2
  • When Rest API accepts serialized objects (uses ObjectRepresentation)

no spec tool

RESTEasy
  • When the REST API accepts serialized objects (uses @Consumes({"*/*"}) or "application/*")
  • Details and examples

no spec tool

OpenNMS
  • RMI

ysoserial

Progress OpenEdge RDBMS
  • all versions
  • RMI

ysoserial

Commvault Edge Server

no spec tool

Symantec Endpoint Protection Manager

serialator

Oracle MySQL Enterprise Monitor

no spec tool

serialator

PowerFolder Business Enterprise Suite

powerfolder-exploit-poc

Solarwinds Virtualization Manager

ysoserial

Cisco Prime Infrastructure
  • https://[target]/xmp_data_handler_service/xmpDataOperationRequestServlet
  • <= 2.2.3 Update 4
  • <= 3.0.2
  • CVE-2016-1291

CoalfireLabs/java_deserialization_exploits

Apache XML-RPC
  • all versions, no fix (the project is not supported)
  • POST XML request with element
  • Details and examples

no spec tool

Apache Archiva

no spec tool

Sun Java Web Console

no spec tool

Apache ActiveMQ - Client lib

JMET

Redhat/Apache HornetQ - Client lib

JMET

Oracle OpenMQ - Client lib

JMET

IBM WebSphereMQ - Client lib

JMET

Oracle Weblogic - Client lib

JMET

Pivotal RabbitMQ - Client lib

JMET

IBM MessageSight - Client lib

JMET

IIT Software SwiftMQ - Client lib

JMET

Apache ActiveMQ Artemis - Client lib

JMET

Apache QPID JMS - Client lib

JMET

Apache QPID - Client lib

JMET

Amazon SQS Java Messaging - Client lib

JMET

Detect

Code review
Traffic
  • Magic bytes 'ac ed 00 05' at the start of the stream
  • 'rO0' prefix when the stream is Base64-encoded
  • 'application/x-java-serialized-object' in the Content-Type header
Network
  • Nmap >= 7.10 has more Java-related probes
  • use nmap --version-all to find JMX/RMI on non-standard ports
Burp plugins
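The three traffic indicators above are easy to turn into a first-pass detector for proxy logs or captured requests. The following is an added example, not code from the cheat sheet or its repository; it assumes each message is available as a header dict plus a raw body, and the sample bodies in it are constructed. Beyond the raw 'rO0' prefix check, it base64-decodes each candidate token and confirms the decoded bytes really begin with 'ac ed 00 05', which avoids flagging ordinary strings that happen to start with those three characters.

```python
"""Spot Java native serialization streams in captured HTTP traffic.

Added example (not from the cheat sheet's repo). It checks the three traffic
indicators listed under Detect: the stream magic, the Base64 'rO0' prefix and
the serialized-object Content-Type. All sample inputs here are constructed.
"""
import base64
import binascii
import re

# 0xACED is ObjectStreamConstants.STREAM_MAGIC, 0x0005 is STREAM_VERSION
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
# Base64 of the first three magic bytes (ac ed 00) is "rO0A", so any encoded
# stream starts with "rO0"; require a few more Base64 characters to cut noise.
BASE64_CANDIDATE_RE = re.compile(rb"rO0[A-Za-z0-9+/]{5,}={0,2}")
SERIAL_CONTENT_TYPE = "application/x-java-serialized-object"


def _decodes_to_java_stream(token: bytes) -> bool:
    """True if a Base64 token decodes to bytes that start with the stream magic."""
    usable = token[: len(token) // 4 * 4]  # drop a trailing partial quantum
    try:
        decoded = base64.b64decode(usable, validate=True)
    except binascii.Error:
        return False
    return decoded.startswith(JAVA_SERIAL_MAGIC)


def find_java_serial_indicators(headers: dict, body: bytes) -> list:
    """Return the names of the indicators that fire for one HTTP message.

    headers: header name -> value (looked up case-insensitively)
    body:    raw message body
    """
    hits = []
    lowered = {name.lower(): value for name, value in headers.items()}
    if SERIAL_CONTENT_TYPE in lowered.get("content-type", "").lower():
        hits.append("content-type")
    if JAVA_SERIAL_MAGIC in body:
        hits.append("magic-bytes")
    if any(_decodes_to_java_stream(m.group(0))
           for m in BASE64_CANDIDATE_RE.finditer(body)):
        hits.append("base64-stream")
    return hits


if __name__ == "__main__":
    # Constructed samples: a raw stream, a Base64 stream inside a form field,
    # and a JSON body whose value merely starts with "rO0".
    samples = [
        ({"Content-Type": SERIAL_CONTENT_TYPE},
         JAVA_SERIAL_MAGIC + b"sr\x00\x11java.util.HashMap"),
        ({"Content-Type": "application/x-www-form-urlencoded"},
         b"state=rO0ABXNyABRqYXZhLnV0aWwuSGFzaE1hcA%3D%3D"),
        ({"Content-Type": "application/json"}, b'{"id": "rO0Zxyz12"}'),
    ]
    for hdrs, body in samples:
        print(hdrs.get("Content-Type"), "->", find_java_serial_indicators(hdrs, body))
```

A message that fires on any indicator is worth pulling out for code review of the endpoint that consumes it; the Content-Type check alone is not sufficient, because serialized objects are routinely carried in form fields, cookies and custom protocols without that header.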

Vulnerable apps (without public sploits/need more info)

Spring Service Invokers (HTTP, JMS, RMI...)
SAP P4
Apache SOLR
  • SOLR-8262
  • 5.1 <= version <=5.4
  • /stream handler uses Java serialization for RPC
Apache Shiro
  • SHIRO-550
  • encrypted cookie (with the hardcoded key)
Apache ActiveMQ (2)
Atlassian Bamboo (1)
Atlassian Bamboo (2)
  • CVE-2015-8360
  • 2.3.1 <= version < 5.9.9
  • Bamboo JMS port (port 54663 by default)
Spring AMQP
Apache HBase
Apache Camel
Gradle (gui)
  • custom(?) protocol(60024/tcp)
  • article
Oracle Hyperion
Oracle Application Testing Suite
Red Hat JBoss BPM Suite
VMWare vCenter/vRealize (various)
Cisco (various)
Lexmark Markvision Enterprise
McAfee ePolicy Orchestrator
HP Operations Orchestration
HP Asset Manager
HP Service Manager
HP Operations Manager
HP Release Control
HP Continuous Delivery Automation
HP P9000, XP7 Command View Advanced Edition (CVAE) Suite
Adobe Experience Manager
Unify OpenScape (various)
Apache TomEE
IBM Cognos BI
Novell NetIQ Sentinel
ForgeRock OpenAM
  • 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0
  • 201505-01
F5 (various)
Hitachi (various)
Apache OFBiz
NetApp (various)
Apache Tomcat
Apache Batchee
Apache JCS
Apache OpenJPA
Apache OpenWebBeans

Protection

For Android

Other serialization types

XMLEncoder
XStream
Kryo

This article was published by Seebug Paper; please credit the source when reposting. Article URL: https://paper.seebug.org/123/