mirror of
				https://github.com/HackTricks-wiki/hacktricks.git
				synced 2025-10-10 18:36:50 +00:00 
			
		
		
		
	
		
			
				
	
	
		
			123 lines
		
	
	
		
			6.0 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
			
		
		
	
	
			123 lines
		
	
	
		
			6.0 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
| 
 | |
| 
 | |
| {% hint style="success" %}
 | |
| Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
 | |
| Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
 | |
| 
 | |
| <details>
 | |
| 
 | |
| <summary>Support HackTricks</summary>
 | |
| 
 | |
| * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
 | |
| * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
 | |
| * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
 | |
| 
 | |
| </details>
 | |
| {% endhint %}
 | |
| 
 | |
| 
 | |
| In this POST it's going to be explained an example using `java.io.Serializable`.
 | |
| 
 | |
| # Serializable
 | |
| 
 | |
| The Java `Serializable` interface (`java.io.Serializable` is a marker interface your classes must implement if they are to be **serialized** and **deserialized**. Java object serialization (writing) is done with the [ObjectOutputStream](http://tutorials.jenkov.com/java-io/objectoutputstream.html) and deserialization (reading) is done with the [ObjectInputStream](http://tutorials.jenkov.com/java-io/objectinputstream.html).
 | |
| 
 | |
| Lets see an example with a **class Person** which is **serializable**. This class **overwrites the readObject** function, so when **any object** of this **class** is **deserialized** this **function** is going to be **executed**.\
 | |
| In the example, the **readObject function** of the class Person calls the function `eat()` of his pet and the function `eat()` of a Dog (for some reason) calls a **calc.exe**. **We are going to see how to serialize and deserialize a Person object to execute this calculator:**
 | |
| 
 | |
| **The following example is from [https://medium.com/@knownsec404team/java-deserialization-tool-gadgetinspector-first-glimpse-74e99e493649](https://medium.com/@knownsec404team/java-deserialization-tool-gadgetinspector-first-glimpse-74e99e493649)**
 | |
| 
 | |
| ```java
 | |
| import java.io.Serializable;
 | |
| import java.io.*;
 | |
| 
 | |
| public class TestDeserialization {
 | |
|     interface Animal {
 | |
|         public void eat();
 | |
|     }
 | |
|     //Class must implements Serializable to be serializable
 | |
|     public static class Cat implements Animal,Serializable {
 | |
|         @Override
 | |
|         public void eat() {
 | |
|             System.out.println("cat eat fish");
 | |
|         }
 | |
|     }
 | |
|     //Class must implements Serializable to be serializable
 | |
|     public static class Dog implements Animal,Serializable {
 | |
|         @Override
 | |
|         public void eat() {
 | |
|             try {
 | |
|                 Runtime.getRuntime().exec("calc");
 | |
|             } catch (IOException e) {
 | |
|                 e.printStackTrace();
 | |
|             }
 | |
|             System.out.println("dog eat bone");
 | |
|         }
 | |
|     }
 | |
|     //Class must implements Serializable to be serializable
 | |
|     public static class Person implements Serializable {
 | |
|         private Animal pet;
 | |
|         public Person(Animal pet){
 | |
|             this.pet = pet;
 | |
|         }
 | |
|         //readObject implementation, will call the readObject from ObjectInputStream  and then call pet.eat()
 | |
|         private void readObject(java.io.ObjectInputStream stream)
 | |
|                 throws IOException, ClassNotFoundException {
 | |
|             pet = (Animal) stream.readObject();
 | |
|             pet.eat();
 | |
|         }
 | |
|     }
 | |
|     public static void GeneratePayload(Object instance, String file)
 | |
|             throws Exception {
 | |
|         //Serialize the constructed payload and write it to the file
 | |
|         File f = new File(file);
 | |
|         ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(f));
 | |
|         out.writeObject(instance);
 | |
|         out.flush();
 | |
|         out.close();
 | |
|     }
 | |
|     public static void payloadTest(String file) throws Exception {
 | |
|         //Read the written payload and deserialize it
 | |
|         ObjectInputStream in = new ObjectInputStream(new FileInputStream(file));
 | |
|         Object obj = in.readObject();
 | |
|         System.out.println(obj);
 | |
|         in.close();
 | |
|     }
 | |
|     public static void main(String[] args) throws Exception {
 | |
|         // Example to call Person with a Dog
 | |
|         Animal animal = new Dog();
 | |
|         Person person = new Person(animal);
 | |
|         GeneratePayload(person,"test.ser");
 | |
|         payloadTest("test.ser");
 | |
|         // Example to call Person with a Cat
 | |
|         //Animal animal = new Cat();
 | |
|         //Person person = new Person(animal);
 | |
|         //GeneratePayload(person,"test.ser");
 | |
|         //payloadTest("test.ser");
 | |
|     }
 | |
| }
 | |
| ```
 | |
| 
 | |
| ## Conclusion
 | |
| 
 | |
| As you can see in this very basic example, the "vulnerability" here appears because the **readObject** function is **calling other vulnerable functions**.
 | |
| 
 | |
| 
 | |
| {% hint style="success" %}
 | |
| Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
 | |
| Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
 | |
| 
 | |
| <details>
 | |
| 
 | |
| <summary>Support HackTricks</summary>
 | |
| 
 | |
| * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
 | |
| * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
 | |
| * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
 | |
| 
 | |
| </details>
 | |
| {% endhint %}
 | |
| 
 | |
| 
 | |
| 
 |