Insecure deserialization audit plugin #16280
Arachni doesn't implement detection for this vulnerability: https://github.com/Arachni/arachni/tree/master/components/checks
These are good sources of inspiration: https://github.com/federicodotta/Java-Deserialization-Scanner Where I can generate my payloads:
I believe the best way to detect these vulnerabilities is to use time delays. The payloads I generate should call the operating system
All payloads should be stored in files, base64 encoded. The commands used to create the payloads should be in README.md files next to the payload files, so that I can re-generate them if needed. Detecting which parameters should be injected is difficult, but I believe these rules could apply:
Also, if the parameter is base64 encoded, send our payload base64 encoded.
Still a lot of work in my TODO list, but the tests PASS and the plugin structure was created
…created a new grep plugin that will detect when the application is sending serialized objects and warn the user to perform manual analysis. This is related to: Insecure deserialization audit plugin #16280 Created grep plugin and unittests. Also moved the base64 functions from the audit.deserialization plugin to utils lib and improved the regular expression it was using.
Asked question to the ysoserial.net guys pwntester/ysoserial.net#10
Since ~95% of .net applications are going to be running on Windows, and that OS doesn't have the
Remember that if I want to sleep for 1 second I have to send 2 to the command.
Add the corresponding
Doesn't make sense in the
Now we're sending a pickled object when the original value matched a java object. We want to only send the right payloads!
The ysoserial output shows the following gadgets and formatters:
@pwntester recommends:
So we have the following potential combinations:
@pwntester also says:
That leaves us with:
So we have the following potential combinations:
In the
When creating the
This issue is breaking the offset detection in the generator script, and even if I fix that, it won't work with the code I already created for creating the payloads. I'm trying to find different ways to get around this, by forcing encodings on the string, writing the delay in byte arrays, etc.
I was unable to make this work. The closer I got was using a char as follows:
When compiled that char showed
The code for the

```csharp
using System;
using System.Text;
using System.Windows.Forms;

namespace ysoserial
{
    class ExploitClass
    {
        public ExploitClass()
        {
            try
            {
                // Payload code to be executed
                // The delay is written as a single char so the generator script can
                // locate it by offset; note that concatenating a char[] to a string
                // yields the text "System.Char[]", not the character itself.
                char[] delay = new char[2];
                delay[0] = '\x3737';
                // FOR /L repeats the ping "delay" times, which is what produces the sleep
                string command = "'/C FOR /L %A in (0,1," + delay + ") DO ping localhost -n 2'";
                MessageBox.Show(command, command, MessageBoxButtons.OK, MessageBoxIcon.Error);
                System.Diagnostics.Process process = new System.Diagnostics.Process();
                //process.StartInfo.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
                process.StartInfo.FileName = "cmd.exe";
                process.StartInfo.Arguments = command;
                process.Start();
            }
            catch (Exception)
            {
            }
        }
    }
}
```

Since I'm only missing one of the payloads, I'll just merge this into develop and come back to this issue when I have time / interest.
Task
Write a plugin to test for insecure serialization issues
Research
Development
These languages don't seem to have generic payloads which we can send and get our code to execute:
For the latter, we need to create a grep plugin that will let the w3af user know that the parameter contains serialized objects and that it might be possible to exploit them.
Time estimate
16h
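The grep plugin described in this thread (flag request parameters that carry serialized objects, raw or base64 encoded, for manual review) in outline, as an added Python example that is not w3af's own plugin code: the signature list, the base64 heuristic, the function names and the sample parameters are all constructed here.

```python
import base64
import binascii
import pickle
import re

# Leading bytes of common serialization formats (a constructed signature list, not w3af's own code).
RAW_SIGNATURES = [
    ("java", re.compile(rb"^\xac\xed\x00\x05")),                                        # STREAM_MAGIC, version 5
    ("dotnet-binaryformatter", re.compile(rb"^\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00")),  # SerializationHeaderRecord
    ("python-pickle", re.compile(rb"^\x80[\x02-\x05]")),                                  # PROTO opcode, protocols 2-5
    ("php", re.compile(rb'^(?:[aO]:\d+:\{?|s:\d+:")')),                                   # a:N:{  O:N:"Class"  s:N:"
]
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

def _match_raw(value):
    return next((fmt for fmt, rx in RAW_SIGNATURES if rx.match(value)), None)

def _try_base64(value):
    # Decode only plausible, padded standard base64 so ordinary words are never decoded.
    if len(value) < 8 or len(value) % 4 or not B64_RE.match(value):
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None

def detect_serialized(value):
    """Return (format, encoding) when the value carries a serialized object, else None."""
    fmt = _match_raw(value)
    if fmt:
        return fmt, "raw"
    decoded = _try_base64(value)
    fmt = _match_raw(decoded) if decoded is not None else None
    return (fmt, "base64") if fmt else None

def scan_parameters(params):
    """Grep every parameter value and list the ones that deserve manual review."""
    return [{"param": name, "format": hit[0], "encoding": hit[1]}
            for name, value in params.items() if (hit := detect_serialized(value))]

# Constructed sample request parameters (not captured from a real application).
SAMPLE_PARAMS = {
    "data": base64.b64encode(b"\xac\xed\x00\x05sr\x00\x0ejava.util.Date"),
    "vs": base64.b64encode(b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00\x0c"),
    "state": pickle.dumps({"user": "alice"}, protocol=4),
    "cart": b'a:1:{s:4:"item";i:3;}',
    "q": b"deadbeef",
}
```

Running `scan_parameters(SAMPLE_PARAMS)` reports the four serialized values and leaves the plain `q` parameter alone; matching on the decoded bytes rather than on base64 prefixes keeps the check independent of where the object sits in the encoded string.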