Looking for quick & easy deserialization exploits for Java or .NET? ysoserial is for you!

The main thing to remember with both editions of ysoserial is experimentation. For java if you can identify a likely library based on a previous stacktrace, great! Otherwise, just try some of the different payloads with some form of a basic, observable RCE command, such as curl http://10.10.10.10/rce

Java

Repo: GitHub

The Java edition is pretty straight-forward. There is a list of different payloads to choose from, and you select the payload that aligns with a library on the classpath. If you don’t know, try a few!

Some payloads do have limited command support (e.g. FileUpload1), and if you get an error message check the plugin source code to see what’s supported.

.NET

Repo: GitHub

The .NET edition is slightly more complicated than the Java edition, but it’s not the end of the world.

Start by identifying the formatter that aligns with your use case. Hopefully something in prior enumeration phases provides clues here, or potentially new errors when trying different formatters will help.

Once a formatter is known (or maybe just for each), try the different Gadgets. A quick way to do this is with the --raf flag, which will run all gadgets with the provided formatter.

Each of the plugins are a little more use-case-specific, so don’t forget to look at those and see if they apply to the app you’re trying to crack.