I'm taking part in a Capture the Flag contest. A question I'm stuck on relates to deserialization of a Java object. I'm interrogating a cookie string which is base64-encoded. When I decode that, I believe it is a Java serialized object, which I want to deserialize in order to alter its values and re-encode in base64.
I know nothing about Java. I've tried to deserialize the base64-decoded bytes, but I think this is the wrong type.
import java.util.Base64;
import java.util.UUID;
import java.io.UnsupportedEncodingException;
import java.io.ObjectInputStream;

public class decode {
    public static void main(String args[]) {
        try {
            // Encode using basic encoder
            String base64encodedString = "mybase64encodedstring==";
            System.out.println("Base64 encoded string :" + base64encodedString);

            // Decode
            byte[] base64decodedBytes = Base64.getDecoder().decode(base64encodedString);
            ObjectInputStream in = new ObjectInputStream(base64decodedBytes);
            System.out.println("Deserialised data: \n" + in.readObject().toString());
            System.out.println("Original String: " + new String(base64decodedBytes, "utf-8"));
        } catch (UnsupportedEncodingException e) {
            System.out.println("Error :" + e.getMessage());
        }
    }
}
The error I get is:
incompatible types: byte[] cannot be converted to InputStream
Any help appreciated!
Use ByteArrayInputStream instead of ObjectInputStream.
So, use this:
InputStream in = new ByteArrayInputStream(base64decodedBytes);
instead of this:
ObjectInputStream in = new ObjectInputStream(base64decodedBytes);
@Hrabosch said to use ByteArrayInputStream instead. Actually, use ByteArrayInputStream as well.
Also, if the data is a bunch of bytes written by an ObjectOutputStream, then it makes no sense to construct a string from those bytes.
Like so:
import java.util.Base64;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;

public class Decode {
    public static void main(String args[]) {
        try {
            // Encode using basic encoder
            // I assume you replace this with actual data...
            String base64encodedString = "mybase64encodedstring==";
            System.out.println("Base64 encoded string :" + base64encodedString);

            // Decode
            byte[] base64decodedBytes = Base64.getDecoder().decode(base64encodedString);
            InputStream in = new ByteArrayInputStream(base64decodedBytes);
            ObjectInputStream obin = new ObjectInputStream(in);
            Object object = obin.readObject();
            System.out.println("Deserialised data: \n" + object.toString());

            // You could also try...
            System.out.println("Object class is " + object.getClass().toString());

            // Don't do this!! The original data was not a string!
            //System.out.println("Original String: " + new String(base64decodedBytes, "utf-8"));
        } catch (ClassNotFoundException | IOException e) {
            System.out.println("Error :" + e.getMessage());
        }
    }
}
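As an added example (not code from the question or either answer), here is the complete round trip the question asks for: serialize a sample object, base64-encode it, decode and read it back through an ObjectInputFilter that accepts only the expected class, change a field, and re-encode. The Session class, its fields and values are constructed for this example; the filter API requires Java 9 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;

public class CookieRoundTrip {
    // Constructed stand-in for whatever the real cookie holds (assumption, not from the page).
    static class Session implements Serializable {
        private static final long serialVersionUID = 1L;
        String user; int visits;
        Session(String user, int visits) { this.user = user; this.visits = visits; }
        @Override public String toString() { return "Session{user=" + user + ", visits=" + visits + "}"; }
    }

    // Serialize with ObjectOutputStream, then base64-encode, the way such a cookie is built.
    static String encode(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    // Base64-decode, confirm the bytes are a Java serialization stream, then read them through a filter.
    static Object decode(String b64) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(b64);
        // Every Java serialization stream starts with STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005.
        if (raw.length < 4 || (raw[0] & 0xff) != 0xAC || (raw[1] & 0xff) != 0xED) {
            throw new IOException("not a Java serialization stream (bad magic)");
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            ois.setObjectInputFilter(info -> {
                Class<?> c = info.serialClass(); // null when the filter is asked about array length or depth
                return (c == null || c == Session.class || c == String.class)
                        ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
            });
            return ois.readObject(); // any other class in the stream fails here with InvalidClassException
        }
    }

    public static void main(String[] args) throws Exception {
        String cookie = encode(new Session("alice", 3));
        Session s = (Session) decode(cookie);
        System.out.println("Decoded " + s.getClass().getName() + ": " + s);
        s.visits++;                              // alter a value, then re-encode
        System.out.println("Re-encoded: " + encode(s));
        System.out.println("Round trip: " + decode(encode(s)));
    }
}
```

The magic check is a cheap way to confirm the decoded cookie really is a serialization stream before handing it to ObjectInputStream, and the filter keeps readObject from instantiating anything other than the class you expect.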