PentesterLab – Serialize Badge
General writeup notes for Pentesterlab's Serialize badge. This post does not contain any spoilers. This is just information collected by me to understand the exercises better.
– CVE-2013-0156: Rails Object Injection
– API to Shell
Java's XMLDecoder can be used to deserialize data. There are two common methods that can be used to perform code exec:
Steps to reproduce:
1. Submit an expected file and check the output. If it is XML, check for class=.... If it's XMLDecoder you may be able to utilise the above.
2. Craft an XML file with actions you want the underlying Java runtime to perform.
- This exploit relied on libraries within Java applications that handled unexpected data badly and allowed code execution.
- The key here would have been to test requests to servers by throwing in some unexpected data and then observing the error messages. In this case, error messages would have shown that the command being embedded in the XML was being executed before the application errored out.
- Doing a simple ping or curl on a server you controlled would have shown that the exploit worked and could achieve remote communication.
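The notes above boil down to one root cause: an XMLDecoder archive is a list of instructions for the Java runtime, so any class or method name the attacker can put into the document is a class or method the server will use. The defensive counterpart to "check for class=..." is to check it yourself before the document reaches XMLDecoder. The following is an added example (not PentesterLab's code and not from the exercise) of an allowlist validator: it parses a candidate document, ignores anything that is not a <java> archive, and reports every class or method reference that is not on the list the application actually expects. The allowed classes, allowed methods and both sample documents are constructed for this example.

```python
"""Allowlist validator for XMLDecoder-style <java> documents.

Added example, not part of the PentesterLab exercise. The allowlists and the
sample documents below are constructed; adapt them to what your application
really expects. This is defence in depth only: the real fix is to never hand
untrusted input to java.beans.XMLDecoder at all.
"""
import xml.etree.ElementTree as ET

# Classes the hypothetical application legitimately instantiates (constructed).
ALLOWED_CLASSES = {"java.lang.String", "java.lang.Integer", "java.util.ArrayList"}
# Method names the expected documents legitimately invoke (constructed).
ALLOWED_METHODS = {"add"}


def validate_xmldecoder_doc(xml_text, allowed_classes=ALLOWED_CLASSES,
                            allowed_methods=ALLOWED_METHODS):
    """Return a list of findings; an empty list means only expected constructs appear.

    A document that is not a <java> archive yields no findings (it is simply
    not XMLDecoder input). A document that fails to parse yields one finding,
    because a parser error is itself a signal that something unexpected arrived.
    """
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]

    if root.tag != "java":
        return findings  # not an XMLDecoder archive, nothing to check here

    for el in root.iter():
        if el is root:
            # The root carries class="java.beans.XMLDecoder" by convention;
            # it names the decoder, not a class to instantiate.
            continue
        cls = el.get("class")
        if cls is not None and cls not in allowed_classes:
            findings.append(f"unexpected class {cls!r} in <{el.tag}>")
        method = el.get("method")
        if method is not None and method not in allowed_methods:
            findings.append(f"unexpected method call {method!r} in <{el.tag}>")
    return findings


# Constructed sample: the kind of document the application expects.
EXPECTED_DOC = """<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0" class="java.beans.XMLDecoder">
 <object class="java.util.ArrayList">
  <void method="add"><string>alice</string></void>
  <void method="add"><string>bob</string></void>
 </object>
</java>"""

# Constructed sample: same shape, but it names a class and a method the
# application never uses. Both should be reported.
UNEXPECTED_DOC = """<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0" class="java.beans.XMLDecoder">
 <object class="com.example.internal.AdminService">
  <void method="reset"><string>all</string></void>
 </object>
</java>"""


if __name__ == "__main__":
    for name, doc in (("expected", EXPECTED_DOC), ("unexpected", UNEXPECTED_DOC)):
        result = validate_xmldecoder_doc(doc)
        print(f"{name}: {'ok' if not result else result}")
```

Run against the two samples, the expected document produces no findings and the unexpected one produces two (the foreign class and the foreign method). The check is deliberately an allowlist rather than a denylist of known-dangerous classes: a denylist has to be complete to help, whereas an allowlist only has to describe the handful of classes the application itself writes into these files.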