Lab: Developing a custom gadget chain for Java deserialization
This lab uses a serialization-based session mechanism. If you can construct a suitable gadget chain, you can exploit this lab's insecure deserialization to obtain the administrator's password.
To solve the lab, gain access to the source code and use it to construct a gadget chain to obtain the administrator's password. Then, log in as the administrator and delete Carlos's account.
You can log in to your own account using the following credentials:
Note that solving this lab requires basic familiarity with another topic that we've covered on the Web Security Academy.
To save you some of the effort, we've provided a generic Java program for serializing objects. You can adapt this to generate a suitable object for your exploit. If you don't already have a Java environment set up, you can compile and execute the program using a browser-based IDE, such as
Identify the vulnerability
- Log in to your own account and notice that the session cookie contains a serialized Java object.
- From the site map, notice that the website references the file /backup/AccessTokenUser.java. You can successfully request this file in Burp Repeater.
- Navigate upward to the /backup directory and notice that it also contains a
- Notice that the ProductTemplate.readObject() method passes the template's id attribute into a SQL statement.
- Based on the leaked source code, write a small Java program that instantiates a ProductTemplate with an arbitrary ID, serializes it, and then Base64-encodes it.
In case you get stuck, we've also provided a ready-to-use program that you can run instead. If you're using our program, all you need to change is the "your-payload-here" string in the Main.java file. This instantiates and serializes a new object with its id set to whatever payload you enter here. The object is then Base64-encoded and output to the console, ready for you to copy.
- Use your Java program to create an object with its id set to a single apostrophe. Copy the Base64 string and submit it in a request as your session cookie. The error message confirms that the website is vulnerable to Postgres-based SQL injection via this deserialized object.
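The steps above show why the bug exists: ProductTemplate.readObject() runs a query built from a field the client controls, and the resulting error message echoes that field back. As an added example (not the lab's source and not PortSwigger's code), here is a hypothetical hardened version of that pattern for Java 9 or later: readObject() only validates the restored id and never touches the database, the query is parameterised, the rejection message does not reflect the input, and the cookie is deserialized behind an ObjectInputFilter allow-list. The class names, the products table and its name column, and the numeric id format are assumptions.

```java
import java.io.*;
import java.sql.*;
import java.util.Base64;

// Hypothetical hardened counterpart to the pattern the lab describes (not the lab's own source):
// readObject() only restores and validates state, and no SQL runs as a side effect of deserialization.
class ProductTemplate implements Serializable {
    private static final long serialVersionUID = 1L;
    private final String id;

    ProductTemplate(String id) { this.id = id; }

    // Invoked on every deserialization: reject anything that is not a plain numeric id (assumed format).
    // The message deliberately does not echo the value, so nothing injected is reflected back.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        if (id == null || !id.matches("\\d{1,10}")) {
            throw new InvalidObjectException("invalid product id");
        }
    }

    // Database access is explicit and parameterised; the deserialized value is bound, never concatenated.
    public String loadName(Connection conn) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement("SELECT name FROM products WHERE id = ?")) {
            ps.setLong(1, Long.parseLong(id));
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("name") : null;
            }
        }
    }
}

class SessionCodec {
    // Deserialize the Base64 session cookie behind an allow-list: only ProductTemplate may be
    // instantiated, so a stream naming any other class is rejected before its readObject() runs.
    static ProductTemplate decode(String cookie) throws IOException, ClassNotFoundException {
        ObjectInputFilter onlyTemplate = info -> {
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED; // depth/size callbacks, not a class
            return c == ProductTemplate.class ? ObjectInputFilter.Status.ALLOWED
                                              : ObjectInputFilter.Status.REJECTED;
        };
        byte[] raw = Base64.getDecoder().decode(cookie);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(onlyTemplate); // must be set before the first readObject()
            return (ProductTemplate) in.readObject();
        }
    }
}
```

A stream carrying an id of a single apostrophe now fails with InvalidObjectException before any query is built, and a stream naming a different class fails with InvalidClassException from the filter.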
Extract the password
Having identified this vulnerability, you now need to find a way to exploit it to extract the administrator's password. At this point, you have the following options for testing different payloads:
- Make changes in your Java file like you did in the previous step, recompile it, and run it again before pasting the new value into your session cookie. This can be time-consuming as you'll have to repeat all of these steps for each payload you want to test.
- Alternatively, you can use the Hackvertor extension. You can then paste the raw serialized object into Burp Repeater and add tags that will update the offsets and Base64-encode the object automatically. This makes it much quicker to test a large number of payloads, and is even compatible with Burp Intruder.
In case you've not used Hackvertor before, we've provided the following template. Note that this is Base64-encoded here to avoid copy/paste issues:
To use this template:
- Copy and paste it into your session cookie in Burp Repeater.
- Base64-decode it to reveal something that looks like this:
- Replace both occurrences of YOUR-PAYLOAD-HERE with the payload that you want to test. Leave everything else as it is.
- Send the request. If you want to check the output that Hackvertor generated, you can look at the request on the "Logger" tab.
There are several ways to extract the password, but for this solution, we'll perform a simple, error-based
- Enumerate the number of columns in the table (8).
- Determine the data type of the columns and identify that columns 4, 5, and 6 do not expect values of type string. Importantly, notice that the error message reflects the string input that you entered.
- List the contents of the database and identify that there is a table called users with a column called
- Use a suitable SQL injection payload to extract the password from the users table. For example, the following payload will trigger an exception that displays the password in the error message:
' UNION SELECT NULL, NULL, NULL, CAST(password AS numeric), NULL, NULL, NULL, NULL FROM users--
To solve the lab, log in as administrator using the extracted password, open the admin panel, and delete Carlos's account.