This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.
This software is a personal project and not related with any companies, including Project owner and contributors employers.
ysoserial.net is a collection of utilities and property-oriented programming “gadget chains” discovered in common .NET libraries that can, under the right conditions, exploit .NET applications performing unsafe deserialization of objects. The main driver program takes a user-specified command and wraps it in the user-specified gadget chain, then serializes these objects to stdout. When an application with the required gadgets on the classpath unsafely deserializes this data, the chain will automatically be invoked and cause the command to be executed on the application host.
It should be noted that the vulnerability lies in the application performing unsafe deserialization and NOT in having gadgets on the classpath.
+ Visual Studio 2017
+ git and Internet Traffic
git clone https://github.com/pwntester/ysoserial.net && cd ysoserial.net
right click ysoserial.sln open with Visual Studio
ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "calc" -t