## https://sploitus.com/exploit?id=8264B9DA-73CD-529F-97E9-837121535537
This is a proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. The tool, called ysoserial, is a collection of utilities and property-oriented programming "gadget chains" discovered in common Java libraries that can, under the right conditions, exploit Java applications performing unsafe deserialization of objects. The main driver program takes a user-specified command and wraps it in the user-specified gadget chain, then serializes these objects to stdout. When an application with the required gadgets on the classpath unsafely deserializes this data, the chain will automatically be invoked and cause the command to be executed on the application host.
The tool is not intended to be used to attack systems except where explicitly authorized, and the project maintainers are not responsible or liable for misuse of the software. The tool is designed for academic research and development of effective defensive techniques.
The tool can be used to generate payloads for various gadget chains, including Apache Commons Collections (3.x and 4.x), Spring Beans/Core (4.x), and Groovy (2.3.x). The tool can also be used to generate payloads for JRE <= 1.7u21 and several other libraries.
The tool can be used in the following ways:
Using the command