Exploiting Java deserialisation with Apache Commons


This lab uses a serialisation-based session mechanism and loads the Apache Commons Collections library.


  1. Log in with wiener:peter. The session cookie is URL-encoded and base64-encoded and contains a serialised Java object (the decoded stream starts with the bytes ac ed in hex, the Java serialisation magic). Send a request containing the session cookie to Burp Repeater.

  2. Download the Ysoserial tool and, if need be, make the changes necessary to run it on Kali.

  3. Execute the command to generate a Base64-encoded serialised object containing an RCE payload. The application uses the Apache Commons Collections library, so use a CommonsCollections payload:

     $ java -jar ysoserial-all.jar CommonsCollections4 'rm /home/carlos/morale.txt' | base64
     Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true

  4. In Burp Repeater, replace the session cookie with the malicious one just created. Select the entire cookie and then URL-encode it.

  5. Send the request to solve the lab.
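The detail in step 1 (a base64 cookie whose decoded bytes start with ac ed 00 05) is also what a defender looks for when auditing a session mechanism or writing a log check. The following is an added example, not part of the lab or of ysoserial: it undoes the cookie's URL and base64 encoding, checks for the Java stream header, pulls class names out of TC_CLASSDESC records, and flags any from the Apache Commons Collections packages. The denylist, the sample cookies and the `make_sample_cookie` helper are constructed for illustration.

```python
import base64
import struct
from urllib.parse import quote, unquote

# Constants from java.io.ObjectStreamConstants
STREAM_MAGIC = 0xACED
STREAM_VERSION = 0x0005
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72

# Assumed denylist for illustration: package prefix of the gadget library the
# lab loads. A real deployment should prefer an allowlist (ObjectInputFilter).
SUSPICIOUS_PREFIXES = ("org.apache.commons.collections",)

_NAME_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.$_[;")


def decode_session_cookie(cookie_value: str) -> bytes:
    """Undo the URL encoding and then the base64 encoding of the cookie."""
    return base64.b64decode(unquote(cookie_value), validate=True)


def is_java_serialised(data: bytes) -> bool:
    """True if the bytes begin with the Java stream header ac ed 00 05."""
    if len(data) < 4:
        return False
    magic, version = struct.unpack(">HH", data[:4])
    return magic == STREAM_MAGIC and version == STREAM_VERSION


def class_names_in_stream(data: bytes) -> list:
    """Heuristically collect class names from every TC_CLASSDESC record:
    0x72, a 2-byte big-endian length, then that many bytes of class name."""
    names = []
    i = 4  # skip the 4-byte header
    while i + 3 <= len(data):
        if data[i] == TC_CLASSDESC:
            (n,) = struct.unpack(">H", data[i + 1:i + 3])
            raw = data[i + 3:i + 3 + n]
            if 1 <= n <= 300 and len(raw) == n and all(chr(b) in _NAME_CHARS for b in raw):
                names.append(raw.decode("ascii"))
                i += 3 + n
                continue
        i += 1
    return names


def inspect_cookie(cookie_value: str) -> dict:
    """Classify one cookie value for logging or alerting."""
    try:
        data = decode_session_cookie(cookie_value)
    except ValueError:  # binascii.Error is a subclass of ValueError
        data = b""
    serialised = is_java_serialised(data)
    names = class_names_in_stream(data) if serialised else []
    flagged = [n for n in names if n.startswith(SUSPICIOUS_PREFIXES)]
    return {"java_serialised": serialised, "class_names": names, "suspicious": flagged}


def make_sample_cookie(class_name: str) -> str:
    """Constructed sample data (not a real session): a Java stream header followed
    by the start of a class descriptor for class_name, encoded like the lab cookie."""
    name = class_name.encode("ascii")
    stream = struct.pack(">HHBBH", STREAM_MAGIC, STREAM_VERSION,
                         TC_OBJECT, TC_CLASSDESC, len(name)) + name
    return quote(base64.b64encode(stream).decode("ascii"))


if __name__ == "__main__":
    for cookie in (make_sample_cookie("com.example.UserSession"),
                   make_sample_cookie("org.apache.commons.collections4.Example")):
        print(cookie[:12] + "...", inspect_cookie(cookie))
```

Because base64 of ac ed 00 05 is always rO0AB, that five-character prefix in a cookie or parameter is a cheap grep for Java serialisation in proxy logs. The class-name scan is a signal rather than a complete detector: the outermost object of a gadget chain is frequently an ordinary JDK collection class with the library classes nested deeper in the stream, so the durable fix is to stop deserialising untrusted input, or to enforce an allowlist with ObjectInputFilter.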


Screencast PoC: Exploiting Java deserialisation with Apache Commons


Although attackers do not have source code access, they can still exploit this lab using pre-built gadget chains. An attacker will need to log in; use a third-party tool to generate a malicious serialised object containing a remote code execution payload; and pass this object into the website to delete the morale.txt file from Carlos’s home directory.