PHP Serialization - phpggc

Java Deserialization/README.md

@@ -1,5 +1,12 @@
 # Java Deserialization
 
+## Detection
+
+- "AC ED 00 05" in Hex
+- "rO0" in Base64
+- Content-type = "application/x-java-serialized-object"
+- "H4sIAAAAAAAAAJ" in gzip(base64)
+
 ## Exploit
 
 [ysoserial](https://github.com/frohoff/ysoserial) : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
@@ -54,8 +61,12 @@ Additional tools (integration ysoserial with Burp Suite):
 JRE8u20_RCE_Gadget
 [https://github.com/pwntester/JRE8u20_RCE_Gadget](https://github.com/pwntester/JRE8u20_RCE_Gadget)
 
+JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool, [https://github.com/joaomatosf/jexboss](https://github.com/joaomatosf/jexboss)
+
 ## Thanks to
 
 - [Github - ysoserial](https://github.com/frohoff/ysoserial)
 - [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
 - [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)
+- [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a)
+- [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - 14 Aug 2017, Peter Stöckli](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html)

Methodology and Resources/Reverse Shell Cheatsheet.md

@@ -151,12 +151,19 @@ lua: os.execute('/bin/sh')
 ```
 
 Access shortcuts, su, nano and autocomplete in a partially tty shell
-/!\ OhMyZSH might break this trick
+/!\ OhMyZSH might break this trick, a simple `sh` is recommended
 
 ```powershell
+# in host
 ctrl+z
 stty raw -echo
 fg
+
+# in reverse shell
+reset
+export SHELL=bash
+export TERM=xterm-256color
+stty rows <num> columns <cols>
 ```
 
 (From within vi)

PHP serialization/README.md

@@ -130,8 +130,25 @@ echo urlencode(serialize(new PHPObjectInjection));
 //'O:18:"PHPObjectInjection":1:{s:6:"inject";s:26:"system(\'cat+/etc/passwd\');";}'
 ```
 
+## Finding and using gadgets
+
+[PHPGGC](https://github.com/ambionics/phpggc) is a tool built to generate the payload based on several frameworks:
+
+- Laravel
+- Symfony
+- SwiftMailer
+- Monolog
+- SlimPHP
+- Doctrine
+- Guzzle
+
+```powershell
+phpggc monolog/rce1 'phpinfo();' -s
+```
+
 ## Thanks to
 
-* [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection)
-* [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/)
-* [PHP unserialize](http://php.net/manual/en/function.unserialize.php)
+- [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection)
+- [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/)
+- [PHP unserialize](http://php.net/manual/en/function.unserialize.php)
+- [PHP Generic Gadget - ambionics security](https://www.ambionics.io/blog/php-generic-gadget-chains)