XMLDecoder
This exercise covers the exploitation of an application using XMLDecoder.
This course details the exploitation of a Java application that uses XMLDecoder to unserialize arbitrary data, a common vulnerability that can lead to code execution. The exercise is based on a real-world scenario from the NullCon 2016 CTF, where users are allowed to sign and verify documents. By examining the signature generated by the server, you will identify the use of XMLDecoder and craft a malicious XML payload to gain a shell on the server.

You will transform Java code into the appropriate XML format, leveraging Runtime().exec() and ProcessBuilder to achieve remote code execution. The course will guide you through each step, from understanding the vulnerability to creating and injecting the payload, culminating in the successful execution of arbitrary commands on the target server.