module
AjaxPro Deserialization Remote Code Execution
| Disclosed | Created |
|---|---|
| 2021-12-03 | 2023-11-02 |
Disclosed
2021-12-03
Created
2023-11-02
Description
This module leverages an insecure deserialization of data to get
remote code execution on the target OS in the context of the user
running the website which utilized AjaxPro.
To achieve code execution, the module will construct some JSON data
which will be sent to the target. This data will be deserialized by
the AjaxPro JsonDeserializer and will trigger the execution of the
payload.
All AjaxPro versions prior to 21.10.30.1 are vulnerable to this
issue, and a vulnerable method which can be used to trigger the
deserialization exists in the default AjaxPro namespace.
AjaxPro 21.10.30.1 removed the vulnerable method, but if a custom
method that accepts a parameter of type that is assignable from
`ObjectDataProvider` (e.g. `object`) exists, the vulnerability can
still be exploited.
This module has been tested successfully against official AjaxPro on
version 7.7.31.1 without any modification, and on version 21.10.30.1
with a custom vulnerable method added.
remote code execution on the target OS in the context of the user
running the website which utilized AjaxPro.
To achieve code execution, the module will construct some JSON data
which will be sent to the target. This data will be deserialized by
the AjaxPro JsonDeserializer and will trigger the execution of the
payload.
All AjaxPro versions prior to 21.10.30.1 are vulnerable to this
issue, and a vulnerable method which can be used to trigger the
deserialization exists in the default AjaxPro namespace.
AjaxPro 21.10.30.1 removed the vulnerable method, but if a custom
method that accepts a parameter of type that is assignable from
`ObjectDataProvider` (e.g. `object`) exists, the vulnerability can
still be exploited.
This module has been tested successfully against official AjaxPro on
version 7.7.31.1 without any modification, and on version 21.10.30.1
with a custom vulnerable method added.
Authors
Hans-Martin Münch (MOGWAI LABS)
Jemmy Wang
Jemmy Wang
Platform
Windows
Architectures
cmd, x86, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.