ysoserial

ysoserial is a proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. It contains a collection of gadget chains for various Java libraries that can be used to execute arbitrary commands when deserialized by a vulnerable application.

How It Works

ysoserial generates serialized Java objects containing gadget chains. When a vulnerable application deserializes these objects, the gadget chain executes, typically resulting in command execution on the server.

Usage Example

# Generate payload using CommonsCollections1 gadget
java -jar ysoserial.jar CommonsCollections1 "whoami" > payload.ser

# Generate base64-encoded payload
java -jar ysoserial.jar CommonsCollections5 "id" | base64

# Common gadget chains:
# - CommonsCollections1-7 (Apache Commons Collections)
# - CommonsBeanutils1
# - Spring1-2
# - Groovy1
# - JRMPClient/JRMPListener

Available Gadget Chains

  • CommonsCollections: Multiple variants for different library versions
  • CommonsBeanutils: Uses BeanComparator class
  • Spring: Spring framework specific chains
  • Hibernate: Hibernate ORM gadgets
  • JDK: Built-in JDK class chains

Detection Indicators

  • Java serialized data (magic bytes: AC ED 00 05)
  • Base64-encoded serialized objects in requests
  • Known gadget class names in traffic
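
The indicators above can be checked mechanically. The scanner below is an added example written for this page, not part of ysoserial: it looks for the AC ED 00 05 stream header in raw, percent-decoded and base64 views of a request body (base64 of that header always starts with the prefix rO0AB) and for a small constructed watch-list of gadget class names (the BeanComparator class named on this page plus the Commons Collections InvokerTransformer). The function name, the sample request and the watch-list are all constructed here.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# Header every Java serialization stream starts with: STREAM_MAGIC 0xACED, STREAM_VERSION 5.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
# Base64 of AC ED 00 05 always begins with these characters, whatever bytes follow.
B64_SERIAL_PREFIX = b"rO0AB"
# Constructed watch-list of class names used by ysoserial gadget chains (not exhaustive).
GADGET_CLASS_MARKERS = (
    b"org.apache.commons.beanutils.BeanComparator",
    b"org.apache.commons.collections.functors.InvokerTransformer",
)
# Candidate base64 runs: standard alphabet, long enough to hold a class descriptor.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def _scan_bytes(view: bytes, prefix: str, hits: set) -> None:
    """Record stream-header and gadget-class indicators found in one view of the data."""
    if JAVA_SERIAL_MAGIC in view:
        hits.add(prefix + "java-serialization-magic")
    for marker in GADGET_CLASS_MARKERS:
        if marker in view:
            hits.add(prefix + "gadget-class:" + marker.decode())


def scan_request_body(data: bytes) -> list[str]:
    """Return sorted indicator labels found in a request body (raw, percent-decoded, base64)."""
    hits: set = set()
    # Inspect the body as received and after percent-decoding (payloads are often form-encoded).
    for view in (data, unquote_to_bytes(data)):
        _scan_bytes(view, "", hits)
        for run in B64_RUN.findall(view):
            if run.startswith(B64_SERIAL_PREFIX):
                hits.add("base64-java-serialization-magic")
            stripped = run.rstrip(b"=")
            try:  # re-pad so runs that lost their '=' in transit still decode
                decoded = base64.b64decode(stripped + b"=" * (-len(stripped) % 4), validate=True)
            except ValueError:
                continue
            _scan_bytes(decoded, "base64:", hits)
    return sorted(hits)


# Constructed sample: stream header, TC_OBJECT/TC_CLASSDESC bytes and a class descriptor
# naming BeanComparator. A hand-built fragment for exercising the scanner, not a real payload.
_CLASS = b"org.apache.commons.beanutils.BeanComparator"
SAMPLE_STREAM = JAVA_SERIAL_MAGIC + b"\x73\x72" + len(_CLASS).to_bytes(2, "big") + _CLASS
SAMPLE_REQUEST = b"POST /api/session HTTP/1.1\r\n\r\nstate=" + base64.b64encode(SAMPLE_STREAM) + b"&x=1"
CLEAN_REQUEST = b"POST /api/session HTTP/1.1\r\n\r\nstate=" + base64.b64encode(b"plain text session data") + b"&x=1"
```

Matching on the header alone will also flag legitimate Java serialization (for example serialized sessions); treat the class-name hits as the higher-confidence signal and tune the watch-list to the libraries actually deployed.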

See Also