JNDIExploit or a ysoserial.
ZKar is a Java serialization protocol analysis tool implemented in Go.
proof-of-concept for generating Java deserialization payload | Proxy MemShell
Programmatically create hunting rules for deserialization exploitation with multiple keywords, gadget chains, object types, encodings, and rule types
Some code for bypassing the Oracle WebLogic CVE-2018-2628 patch
RmiTaste allows security professionals to detect, enumerate, interact and exploit RMI services by calling remote methods with gadgets from ysoserial.
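Java deserialization / JNDI injection / malicious class generation tool; supports multiple high-version bypasses and extended exploitation such as response echo and memory shells.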
A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
Some PoC (Proof-of-Concept) code for the Java deserialization of untrusted data vulnerability
🌊 Dockerfiles for apps I use. Also take a look at https://github.com/security-dockerfiles
Python-based proof-of-concept tool for generating payloads that utilize unsafe Java object deserialization.