
deserialize

Insecure-deserialization playbook — fingerprint the language/format (Java serialized, .NET BinaryFormatter, Python pickle, PHP unserialize, Node serialize, YAML/JSON-with-types), then build a working gadget chain with ysoserial / ysoserial.net / phpggc / custom pickle. Use when you see serialized blobs (rO0/AC ED, base64 ViewState, PHP O:) or a parameter/cookie that deserializes user input.
Wulan234/agent · ★ 0 · AI & Automation · score 75
Install: claude install-skill Wulan234/agent
# Insecure deserialization playbook

You suspect a server is deserializing attacker-influenced data. RCE is on the table — but only if you ship the right gadget chain.

Execution rule: use real captured parameters, cookies, keys, and callback hosts before running commands. Never write literal placeholders such as `<KEY>` or `<endpoint>` to files; if key material or a sample blob is missing, ask once.

## 1. Fingerprint the format

| Magic | Format |
|---|---|
| `rO0` (base64 of `\xac\xed`) | **Java serialized** |
| `\xac\xed\x00\x05` (raw) | **Java serialized** |
| `AAEAAAD/////` (base64) or `\x00\x01\x00\x00\x00\xff\xff\xff\xff` | **.NET BinaryFormatter** |
| `__viewstate` / `__VIEWSTATE` cookie or form field | **ASP.NET ViewState** (often `LosFormatter`/`BinaryFormatter` underneath) |
| `gASV` (base64 of `\x80\x05\x95`), `gAR`, `gAP` (`\x80\x04`, `\x80\x03`) | **Python pickle** |
| `O:` (e.g. `O:8:"stdClass":0:{}`) | **PHP serialize** |
| `_$$ND_FUNC$$_` / `IIFE` patterns | **Node `node-serialize`** |
| `!!` tags inside YAML / `!!python/object` | **YAML with type resolution** (PyYAML, SnakeYAML) |
| `BSON` / `BinData` | **MongoDB BSON** — deserialization paths usually safe; check anyway |

Source of the data matters: cookie, form field, file upload, query param, message queue, RPC framing.

## 2. Java

Default gadget toolkit: **ysoserial** (https://github.com/frohoff/ysoserial).

```sh
# Generate a payload using the CommonsCollections1 chain to run `id`
java -jar ysoserial.