ysoserial v-0.0.1 released : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.

ysoserial is a collection of utilities and property-oriented programming “gadget chains” discovered in common Java libraries. The main driver program takes a user-specified command, wraps it in the user-specified gadget chain, and serializes the resulting objects to stdout. When an application with the required gadgets on the classpath unsafely deserializes this data, the chain is invoked automatically and the command is executed on the application host.

It should be noted that the vulnerability lies in the application performing unsafe deserialization and NOT in having gadgets on the classpath.
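The distinction above, shown from the application side as an added example (not part of ysoserial or of the original post): an unfiltered `readObject()` next to one guarded by an allow-list `ObjectInputFilter`. It assumes Java 9 or later; the class names `DeserializationFilterDemo` and `Order` are hypothetical, and the `HashMap` is a constructed stand-in for any type the application did not expect.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Set;
public class DeserializationFilterDemo {
    // Hypothetical application type: the only class this endpoint expects.
    static class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        String item = "book";
        int quantity = 2;
    }
    static final Set<String> ALLOWED = Set.of(Order.class.getName());

    // Unsafe: readObject() builds whatever Serializable class the stream names.
    // A cast on the returned value runs only after that object already exists.
    static Object readUnsafe(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened: the filter is consulted for each class before it is instantiated.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(info -> {
                Class<?> c = info.serialClass();
                if (c == null) return ObjectInputFilter.Status.UNDECIDED; // not a class check
                return ALLOWED.contains(c.getName())
                        ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
            });
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Order());
        byte[] unexpected = serialize(new HashMap<String, String>()); // constructed stand-in
        // The unfiltered reader instantiates the unexpected type without complaint.
        System.out.println("unsafe:   " + readUnsafe(unexpected).getClass().getName());
        System.out.println("filtered: " + readFiltered(expected).getClass().getName());
        // The filtered reader refuses it before any instance is created.
        try { readFiltered(unexpected); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The allow-list names only the types the endpoint is meant to receive, so the decision does not depend on which libraries happen to be on the classpath.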

Usage:

Example output:

Disclaimer:

This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.

Download : ysoserial-0.0.1.zip
Or Clone Url here :
Source : https://github.com/frohoff