PentesterLab – Serialize Badge
General writeup notes for Pentesterlab's Serialize badge. This post does not contain any spoilers. This is just information collected by me to understand the exercises better.
TODO
– XMLDecoder
– CVE-2016-0792
– ObjectInputStream
– CVE-2013-0156: Rails Object Injection
– API to Shell
XMLDecoder
Java's XMLDecoder can be used to unserialize data. There are two common methods that can be used to achieve code execution:
* Runtime.exec()
* ProcessBuilder
Steps to reproduce:
1. Submit an expected file and check the output. If the input is XML, check for class=... If it's XMLDecoder, you may be able to utilise the above.
2. Craft an XML file with actions you want the underlying Java runtime to perform.
References:
- https://find-sec-bugs.github.io/bugs.htm#XML_DECODER
- https://www.baeldung.com/run-shell-command-in-java
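Added example (not part of the badge or this writeup): a small Python checker that parses an XMLDecoder document and flags any <object> whose class is one of the two named above, reporting the methods invoked on it and the string arguments beneath it. The class list, the two sample documents and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Classes whose presence in an XMLDecoder document points at OS command
# execution rather than ordinary bean reconstruction. Constructed starting
# point for this example, not an exhaustive list.
COMMAND_EXEC_CLASSES = {
    "java.lang.Runtime",
    "java.lang.ProcessBuilder",
}

# A harmless bean document of the kind XMLDecoder is meant to read
# (constructed sample input).
BENIGN_XML = """<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0" class="java.beans.XMLDecoder">
  <object class="java.util.HashMap">
    <void method="put">
      <string>name</string>
      <string>report</string>
    </void>
  </object>
</java>"""

# A document that instantiates ProcessBuilder and calls start(), i.e. the
# pattern the writeup refers to (constructed sample input; the argument is an
# innocuous command so the sample stays harmless if it were ever decoded).
SUSPICIOUS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0" class="java.beans.XMLDecoder">
  <object class="java.lang.ProcessBuilder">
    <array class="java.lang.String" length="1">
      <void index="0"><string>hostname</string></void>
    </array>
    <void method="start"/>
  </object>
</java>"""


def find_command_exec(xml_text: str) -> list[dict]:
    """Return one finding per <object> whose class is in COMMAND_EXEC_CLASSES.

    Each finding records the class, every method invoked on it (the 'method'
    attribute of the <object> itself, e.g. getRuntime, plus those of its
    <void> descendants) and every <string> argument beneath it, which is what
    an analyst wants to see in an alert. ElementTree's expat parser does not
    resolve external entities, so this will not fetch remote content; entity
    expansion DoS is still possible, so use defusedxml in production.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for obj in root.iter("object"):
        cls = obj.get("class", "")
        if cls not in COMMAND_EXEC_CLASSES:
            continue
        methods = []
        if obj.get("method"):
            methods.append(obj.get("method"))
        methods += [v.get("method") for v in obj.iter("void") if v.get("method")]
        args = [s.text or "" for s in obj.iter("string")]
        findings.append({"class": cls, "methods": methods, "args": args})
    return findings


def is_suspicious(xml_text: str) -> bool:
    """Convenience wrapper for a WAF-style allow/deny decision."""
    try:
        return bool(find_command_exec(xml_text))
    except ET.ParseError:
        # Malformed XML would fail inside XMLDecoder as well; treat it as
        # undecodable rather than as an attack.
        return False


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_XML), ("suspicious", SUSPICIOUS_XML)):
        print(label, find_command_exec(doc))
```

Run it as a script to see the benign document produce no findings and the suspicious one report the ProcessBuilder object with its start method and "hostname" argument. On the application side the real fix is not to feed untrusted input to XMLDecoder at all; the checker is only useful as a detection or triage aid over captured requests.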
CVE-2016-0792
- This exploit relied on libraries within Java applications that handled unexpected data badly and allowed code execution.
- The key here would have been to test requests to servers by throwing in some unexpected data and then observing the error messages. In this case, error messages would have shown that the command being embedded in the XML was being executed before the application errored out.
- Doing a simple ping or curl on a server you controlled would have shown that the exploit worked and could achieve remote communication.