PentesterLab – Serialize Badge

General writeup notes for PentesterLab's Serialize badge. This post does not contain any spoilers. This is just information collected by me to understand the exercises better.

TODO – XMLDecoder – CVE-2016-0792 – ObjectInputStream – CVE-2013-0156: Rails Object Injection – API to Shell

#web #pentesterlab #Serialize

XMLDecoder

Java's XMLDecoder can be used to deserialize data. There are two common methods that can be used to perform code execution:

* Runtime.exec()
* ProcessBuilder

Steps to reproduce:

1. Submit an expected file and check the output. If it is XML, check for class=.... If it's XMLDecoder, you may be able to utilise the above.
2. Craft an XML file with the actions you want the underlying Java runtime to perform.
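A defender-side version of the check in step 1, as an added example that is not part of the original post: it recognises XMLDecoder documents by their `java` root element and reports every class they name that is outside an allow-list. The allow-list, the function names and the sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: the only types this hypothetical application expects to decode.
ALLOWED_CLASSES = {"java.beans.XMLDecoder", "java.util.ArrayList"}

def referenced_classes(xml_bytes):
    """Return (is_xmldecoder_document, set of class names the document names)."""
    if b"<!DOCTYPE" in xml_bytes.upper():
        raise ValueError("DTD not accepted")  # no entity tricks in uploads
    root = ET.fromstring(xml_bytes)
    if root.tag != "java":  # XMLEncoder output always has a <java> root
        return False, set()
    names = set()
    for el in root.iter():
        if "class" in el.attrib:  # <object class=...>, <void class=...>, ...
            names.add(el.attrib["class"].strip())
        if el.tag == "class" and el.text:  # <class>fully.qualified.Name</class>
            names.add(el.text.strip())
    return True, names

def review_upload(xml_bytes, allowed=ALLOWED_CLASSES):
    """Return (verdict, unexpected_classes) for one uploaded file."""
    try:
        is_doc, names = referenced_classes(xml_bytes)
    except (ET.ParseError, ValueError):
        return "block", []  # malformed XML or DTD present
    if not is_doc:
        return "not-xmldecoder", []
    unexpected = sorted(names - allowed)
    return ("block" if unexpected else "allow"), unexpected

# Constructed samples: an expected document, and an inert one that only
# names a process-launching class (no arguments, no method call).
EXPECTED = b"""<java version="1.8.0" class="java.beans.XMLDecoder">
  <object class="java.util.ArrayList">
    <void method="add"><string>report-2024</string></void>
  </object>
</java>"""
SUSPICIOUS = b"""<java version="1.8.0" class="java.beans.XMLDecoder">
  <object class="java.lang.ProcessBuilder"/>
</java>"""

if __name__ == "__main__":
    for label, doc in (("expected", EXPECTED), ("suspicious", SUSPICIOUS)):
        print(label, review_upload(doc))
```

This is triage for logs and upload filters, not a sandbox: method calls inside an allowed object can still reach other classes, so the fix on the application side is to stop passing untrusted input to XMLDecoder.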

References:

CVE-2016-0792