Rapid7 Vulnerability & Exploit Database

AjaxPro Deserialization Remote Code Execution

Disclosed
12/03/2021
Created
11/02/2023

Description

This module leverages insecure deserialization of data to achieve remote code execution on the target OS in the context of the user running the website that uses AjaxPro. To achieve code execution, the module constructs JSON data which is sent to the target. This data is deserialized by the AjaxPro JsonDeserializer and triggers execution of the payload. All AjaxPro versions prior to 21.10.30.1 are vulnerable to this issue, and a vulnerable method that can be used to trigger the deserialization exists in the default AjaxPro namespace. AjaxPro 21.10.30.1 removed the vulnerable method, but if a custom method exists that accepts a parameter of a type assignable from `ObjectDataProvider` (e.g. `object`), the vulnerability can still be exploited. This module has been tested successfully against official AjaxPro version 7.7.31.1 without any modification, and against version 21.10.30.1 with a custom vulnerable method added.

Author(s)

  • Hans-Martin Münch (MOGWAI LABS)
  • Jemmy Wang

Platform

Windows

Architectures

cmd, x86, x64

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/http/ajaxpro_deserialization_rce
msf exploit(ajaxpro_deserialization_rce) > show targets
    ...targets...
msf exploit(ajaxpro_deserialization_rce) > set TARGET < target-id >
msf exploit(ajaxpro_deserialization_rce) > show options
    ...show and set options...
msf exploit(ajaxpro_deserialization_rce) > exploit