Exserial - Java Untrusted Deserialization Exploits Tools.

Disclaimer: This tool is for learning and research purposes only, not for commercial use. The tool author bears no responsibility for any legal disputes arising from its use.
exserial is a Java untrusted deserialization exploit tool.

Supported OS: Mac OS X, Linux and Windows

Script list:
+ jboss.py Usage: python jboss.py <jboss_host> </path/to/payload>
+ jenkin.py Usage: python jenkin.py <jenkins_url> </path/to/payload>
+ weblogic.py Usage: python weblogic.py <host> <port> </path/to/payload>
+ websphere.py Usage: python websphere.py <websphere_soap_url> </path/to/payload>

Installation and Usage:

2. ClassInject
Makes the target server dynamically load a JAR package that we supply and run the main method of a specified class name. For example, based on a JAR package generated by Metasploit Framework msfvenom with java/meterpreter/reverse_tcp:

Update record:
+ 2015-12-12 Added ClassInject gadget execution chain generation, local classes and a deserialization test class.
+ 2015-12-10 Updated the directory structure and fixed a bug in the websphere.py script.
+ 2015-12-07 Gadget generation program exserial.jar based on CommonsCollections <= 3.2.1 (includes the jboss, jenkins, weblogic and websphere scripts)

Source: https://github.com/RickGray