Basic Java Deserialization (ObjectInputStream, readObject)
This post walks through an example using java.io.Serializable.
The Java Serializable interface (java.io.Serializable) is a marker interface your classes must implement if they are to be serialized and deserialized. Java object serialization (writing) is done with the ObjectOutputStream and deserialization (reading) is done with the ObjectInputStream.
Let's see an example with a serializable class Person. This class overrides the readObject function, so whenever an object of this class is deserialized that function is executed.
In the example, the readObject function of the class Person calls the function eat() of its pet, and the function eat() of a Dog (for some reason) launches calc.exe. We are going to see how to serialize and deserialize a Person object so that this calculator is executed:
The following example is from
As you can see in this very basic example, the "vulnerability" appears because the readObject function calls other functions on an object graph the deserializing side did not build itself, so whoever controls the serialized bytes decides which code runs during deserialization.
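The following is an added, self-contained version of the Person/Dog pattern described above (written for this page, not the original post's code). Dog.eat() only prints a line instead of launching a process, which is enough to show that code runs as a side effect of ObjectInputStream.readObject(). It also shows the standard mitigation: a JEP 290 deserialization allow-list (ObjectInputFilter, Java 9+) that rejects the Dog class before it is ever instantiated, so Person.readObject() never reaches pet.eat(). The class and method names are this example's own.

```java
import java.io.*;

// Added example: a Serializable class whose readObject() hook calls into
// a field object that the serialized stream controls.
public class DeserializationDemo {

    interface Animal extends Serializable {
        void eat();
    }

    static class Dog implements Animal {
        private static final long serialVersionUID = 1L;
        public void eat() {
            // Harmless stand-in for the page's calc.exe: proves the hook ran.
            System.out.println("Dog.eat() executed during deserialization");
        }
    }

    static class Person implements Serializable {
        private static final long serialVersionUID = 1L;
        private String name;
        private Animal pet;

        Person(String name, Animal pet) { this.name = name; this.pet = pet; }

        // Custom deserialization hook; ObjectInputStream calls it automatically.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject(); // restores 'name' and 'pet' from the stream
            pet.eat();              // whatever 'pet' is in the stream decides what runs here
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Unsafe: instantiates whatever classes the byte stream names.
    static Object deserializeUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened: JEP 290 allow-list. 'pattern' lists permitted classes; "!*" rejects the rest.
    static Object deserializeFiltered(byte[] data, String pattern) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] data = serialize(new Person("alice", new Dog()));

        System.out.println("--- unfiltered: Dog.eat() runs ---");
        deserializeUnfiltered(data);

        System.out.println("--- allow-list that includes Dog: still runs ---");
        deserializeFiltered(data,
            "DeserializationDemo$Person;DeserializationDemo$Dog;java.lang.String;!*");

        System.out.println("--- allow-list without Dog: rejected before readObject hook ---");
        try {
            deserializeFiltered(data, "DeserializationDemo$Person;java.lang.String;!*");
        } catch (InvalidClassException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo` on Java 9 or later. The third case is the defensive point: the filter is consulted when the class descriptor for Dog is read inside defaultReadObject(), so the InvalidClassException is thrown before Person.readObject() gets to call pet.eat(). In real code the same filter can be applied process-wide via ObjectInputFilter.Config.setSerialFilter or the jdk.serialFilter system property, and a failed filter check is a useful log line to alert on.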