pentesterlab &mdash; drsh0's llog https://drsh0.writeas.com/tag:pentesterlab my learning log; notes on cybersec activities, ctfs, and ill-equipped cyber adventures. Consume responsibly. Sun, 26 Apr 2026 18:10:07 +0000 https://i.snap.as/v7Oo2ci6.png pentesterlab &mdash; drsh0's llog https://drsh0.writeas.com/tag:pentesterlab PentesterLab - Serialize Badge https://drsh0.writeas.com/pentesterlab-serialize-badge?pk_campaign=rss-feed <![CDATA[General writeup notes for Pentesterlab's Serialize badge. This post does not contain any spoilers. This is just information collected by me to understand the exercises better. TODO XMLDecoder CVE-2016-0792 ObjectInputStream CVE-2013-0156: Rails Object Injection API to Shell #web #pentesterlab #Serialize !--more-- XMLDecoder Java's XMLDecoder can be used to unserliaize data. There are two common methods that can be used to perform code exec: Runtime.exec() ProcessBuilder Steps to reproduce: submit an expected file and check output. If XML check for class=.... If it's XMLDecoder you may be able to utilise the above. Craft an XML file with actions you want the underlying Java runtime to perform. References: https://find-sec-bugs.github.io/bugs.htm#XMLDECODER https://www.baeldung.com/run-shell-command-in-java CVE-2016-0792 This exploit relied on libraries within java applications that handled unexpected data badly and allowed code execution. The key here would have been to test requests to servers by throwing in some unexpected data and then observing the error messages. In this case, error messages would have shown that the command being embedded in the XML was_ being executed before the application errored out. Doing a simple ping or curl on a server you controlled would have shown that the exploit worked and could achieve remote communication. ]]> General writeup notes for Pentesterlab's Serialize badge. This post does not contain any spoilers. This is just information collected by me to understand the exercises better.

TODOXMLDecoderCVE-2016-0792 – ObjectInputStream – CVE-2013-0156: Rails Object Injection – API to Shell

#web #pentesterlab #Serialize

XMLDecoder

Java's XMLDecoder can be used to unserliaize data. There are two common methods that can be used to perform code exec: * Runtime.exec() * ProcessBuilder

Steps to reproduce: 1. submit an expected file and check output. If XML check for class=.... If it's XMLDecoder you may be able to utilise the above. 2. Craft an XML file with actions you want the underlying Java runtime to perform.

References:

CVE-2016-0792

  • This exploit relied on libraries within java applications that handled unexpected data badly and allowed code execution.
  • The key here would have been to test requests to servers by throwing in some unexpected data and then observing the error messages. In this case, error messages would have shown that the command being embedded in the XML was being executed before the application errored out.
  • Doing a simple ping or curl on a server you controlled would have shown that the exploit worked and could achieve remote communication.
]]> https://drsh0.writeas.com/pentesterlab-serialize-badge Tue, 02 Feb 2021 09:41:04 +0000