This exercise covers the exploitation of an application using XMLDecoder

< 1 Hr.


This course details the exploitation of a Java application that uses `XMLDecoder` to deserialize untrusted data, a common vulnerability that can lead to remote code execution. The exercise is based on a real-world scenario from the NullCon 2016 CTF, where users are allowed to sign and verify documents. By examining the signature generated by the server, you will identify the use of `XMLDecoder` and craft a malicious XML payload to gain a shell on the server.

You will transform Java code into the XML format that `XMLDecoder` expects, leveraging `Runtime.getRuntime().exec()` and `ProcessBuilder` to achieve remote code execution. The course guides you through each step, from understanding the vulnerability to creating and injecting the payload, culminating in the execution of arbitrary commands on the target server.
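The root cause the exercise relies on is that `XMLDecoder` is not an XML parser but a Java object-graph deserializer: every element in its input is turned into a constructor or method call on a class of the input's choosing. The following Java is an added example written for this page, not PentesterLab's or the CTF's code. It shows the code-review pattern to look for (a hypothetical `verifyUnsafe` handing request bytes to `XMLDecoder`) beside a hardened `verifySafe` that reads the same signature blob as plain data with a hardened DOM parser and extracts only the two fields the application needs. The class, method and element names (`SignatureVerifier`, `<signature>`, `<document>`, `<digest>`) are assumptions made for the example.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Hypothetical signature-verification endpoint written for this page to show the
 * vulnerable pattern beside its hardened form. Not the course's or CTF's code.
 */
public class SignatureVerifier {

    /** The only two fields the application actually needs from a signature blob. */
    public record Signature(String document, String digest) {}

    // VULNERABLE: XMLDecoder instantiates whatever classes the input names and
    // invokes whatever methods it lists. Reachable from request input, this is
    // remote code execution, which is exactly what the exercise exploits.
    public static Object verifyUnsafe(String untrustedXml) {
        try (XMLDecoder decoder = new XMLDecoder(
                new ByteArrayInputStream(untrustedXml.getBytes(StandardCharsets.UTF_8)))) {
            return decoder.readObject(); // executes the object graph described by the input
        }
    }

    // HARDENED: never hand untrusted bytes to XMLDecoder. Parse the blob as data
    // with a DOM parser (DTDs and external entities disabled, which also closes
    // XXE), then copy out only the expected elements. No class is instantiated
    // from the input, so no element can be turned into a method call.
    public static Signature verifySafe(String untrustedXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);

        DocumentBuilder builder = dbf.newDocumentBuilder();
        Document doc = builder.parse(
                new ByteArrayInputStream(untrustedXml.getBytes(StandardCharsets.UTF_8)));
        Element root = doc.getDocumentElement();
        if (!"signature".equals(root.getTagName())) {
            throw new IllegalArgumentException("unexpected root element: " + root.getTagName());
        }
        return new Signature(requiredChild(root, "document"), requiredChild(root, "digest"));
    }

    // Reject blobs that omit or duplicate a field instead of silently picking one.
    private static String requiredChild(Element parent, String name) {
        NodeList nodes = parent.getElementsByTagName(name);
        if (nodes.getLength() != 1) {
            throw new IllegalArgumentException("expected exactly one <" + name + "> element");
        }
        return nodes.item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a benign blob in the shape the hardened parser expects.
        String sample = "<signature><document>hello</document>"
                      + "<digest>0123456789abcdef</digest></signature>";
        Signature sig = verifySafe(sample);
        System.out.println("document=" + sig.document() + " digest=" + sig.digest());
    }
}
```

Two things are worth noting for code review. First, there is no safe way to "filter" input for `XMLDecoder`; the fix is to remove it from any path reachable by request data, so a grep for `new XMLDecoder(` is a reliable first check when auditing a Java service. Second, the hardened parser above only copies text out of known elements; if the application later needs richer structure, keep that principle (parse as data, validate shape, copy fields) rather than reintroducing a deserializer. The example uses a `record`, so it needs Java 16 or later.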
