Lab: Developing a custom gadget chain for Java deserialization

EXPERT

This lab uses a serialization-based session mechanism. If you can construct a suitable gadget chain, you can exploit this lab's insecure deserialization to obtain the administrator's password.

To solve the lab, gain access to the source code and use it to construct a gadget chain to obtain the administrator's password. Then, log in as the administrator and delete Carlos's account.

You can log in to your own account using the following credentials: wiener:peter

Note that solving this lab requires basic familiarity with another topic that we've covered on the Web Security Academy.

Hint

To save you some of the effort, we've provided a generic Java program for serializing objects. You can adapt this to generate a suitable object for your exploit. If you don't already have a Java environment set up, you can compile and execute the program using a browser-based IDE, such as repl.it.

Access the lab

Solution

Identify the vulnerability

Log in to your own account and notice the session cookie contains a serialized Java object.
From the site map, notice that the website references the file /backup/AccessTokenUser.java. You can successfully request this file in Burp Repeater.
Navigate upward to the /backup directory and notice that it also contains a ProductTemplate.java file.
Notice that the ProductTemplate.readObject() method passes the template's id attribute into a SQL statement.
Based on the leaked source code, write a small Java program that instantiates a ProductTemplate with an arbitrary ID, serializes it, and then Base64-encodes it.

Template

In case you get stuck, we've also provided a ready-to-use program that you can run instead. If you're using our program, all you need to change is the "your-payload-here" string in the Main.java file. This instantiates and serializes a new ProductTemplate with its id set to whatever payload you enter here. The object is then Base64-encoded and output to the console ready for you to copy.
Use your Java program to create a ProductTemplate with the id set to a single apostrophe. Copy the Base64 string and submit it in a request as your session cookie. The error message confirms that the website is vulnerable to Postgres-based SQL injection via this deserialized object.

Extract the password

Having identified this vulnerability, you now need to find a way to exploit it to extract the administrator's password. At this point, you have the following options for testing different payloads:

Make changes in your Java file like you did in the previous step, recompile it, and run it again before pasting the new value into your session cookie. This can be time-consuming as you'll have to repeat all of these steps for each payload you want to test.
Alternatively, you can use the Hackvertor extension. You can then paste the raw serialized object into Burp Repeater and add tags that will update the offsets and Base64-encode the object automatically. This makes it much quicker to test a large number of payloads, and is even compatible with Burp Intruder.

Template

In case you've not used Hackvertor before, we've provided the following template. Note that this is Base64-encoded here to avoid copy/paste issues:

PEBiYXNlNjRfND6s7QAFc3IAI2RhdGEucHJvZHVjdGNhdGFsb2cuUHJvZHVjdFRlbXBsYXRlAAAAAAAAAAECAAFMAAJpZHQAEkxqYXZhL2xhbmcvU3RyaW5nO3hwdAA8QGZyb21fY2hhcmNvZGVfMz48QGdldF9sZW4gLz48QC9mcm9tX2NoYXJjb2RlXzM+WU9VUi1QQVlMT0FELUhFUkU8QHNldF9sZW4+PEBsZW5ndGhfMD5ZT1VSLVBBWUxPQUQtSEVSRTxAL2xlbmd0aF8wPjxAL3NldF9sZW4+PEAvYmFzZTY0XzQ+

To use this template:

Copy and paste it into your session cookie in Burp Repeater.
Base64-decode it to reveal something that looks like this:
<@base64_4>¬ísr#data.productcatalog.ProductTemplateLidtLjava/lang/String;xpt<@from_charcode_3><@get_len /><@/from_charcode_3>YOUR-PAYLOAD-HERE<@set_len><@length_0>YOUR-PAYLOAD-HERE<@/length_0><@/set_len><@/base64_4>
Replace both occurrences of YOUR-PAYLOAD-HERE with the payload that you want to test. Leave everything else as it is.
Send the request. If you want to check the output that Hackvertor generated, you can look at the request on the "Logger" tab.

There are several ways to extract the password, but for this solution, we'll perform a simple, error-based UNION attack.

Enumerate the number of columns in the table (8).
Determine the data type of the columns and identify that columns 4, 5, and 6 do not expect values of the type string. Importantly, notice that the error message reflects the string input that you entered.
List the contents of the database and identify that there is a table called users with a column called password.
Use a suitable SQL injection payload to extract the password from the users table. For example, the following payload will trigger an exception that displays the password in the error message:
' UNION SELECT NULL, NULL, NULL, CAST(password AS numeric), NULL, NULL, NULL, NULL FROM users--
To solve the lab, log in as administrator using the extracted password, open the admin panel, and delete Carlos's account.