webPromedium

DecisionForge

hackadvisor

Task: Java enterprise app (DecisionForge) using JSF 1.2 with Apache MyFaces 1.1.10 storing unsigned/unencrypted serialized ViewState. Solution: Exploited Java deserialization via CommonsCollections6 gadget chain in ViewState to achieve blind RCE, copied flag to web-accessible uploads directory.

$ ls tags/ techniques/

blind_rce tomcat honeypot_flag jsf java_deserialization viewstate myfaces commons_collections

honeypot_flag_identificationjsf_viewstate_deserializationcommons_collections_gadget_chainblind_rce_via_file_writejava_serialization_analysis

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 364 — PulseRelay — Path Traversal to RCE via Plugin Upload— hackadvisor
[web][Pro]Lab 58 — ReportForge — SSRF via PDF Export Logo URL— hackadvisor
[web][Pro]BillForge— hackadvisor
[web][Pro]SendForge— hackadvisor
[web][Pro]Lab 38 — PipelineForge — XXE in XML Pipeline Import— hackadvisor