Ysoserial-0.0.4-all.jar Download Page

When a user downloads ysoserial-0.0.4-all.jar within an enterprise:

https://github.com/frohoff/ysoserial/releases/download/v0.0.4/ysoserial-0.0.4-all.jar

Instructions:

wget https://github.com/frohoff/ysoserial/releases/download/v0.0.4/ysoserial-0.0.4-all.jar

Or with curl:

curl -LO https://github.com/frohoff/ysoserial/releases/download/v0.0.4/ysoserial-0.0.4-all.jar

On Windows, you can also download directly via browser by pasting the URL.

Run the tool with no arguments to list all chains:

java -jar ysoserial-0.0.4-all.jar

Popular chains include:

| Gadget Chain | Vulnerable Library |
|--------------|---------------------|
| CommonsCollections1 | Apache Commons Collections 3.1 |
| CommonsCollections2 | Apache Commons Collections 4.0 |
| Groovy1 | Groovy 1.7 - 2.4.3 |
| Spring1 | Spring Core 3.0.5 - 4.1.4 |
| JRMPClient | Java RMI |
| MozillaRhino1 | Rhino JS engine |

Each chain works under specific library versions. Use -h for advanced options like raw payload output or RMI registry binding.
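Because each chain depends on specific library versions, a defender can inventory an application's jars against the table above. The Python sketch below is an added example, not code from ysoserial or from the original page; the jar-name-to-artifact mapping (the usual Maven jar names) and all function names are assumptions, and the version ranges are copied from the table rather than from an authoritative advisory.

```python
import re
from pathlib import Path

# Inclusive version ranges copied from the table above. Artifact names are the
# usual Maven jar names and are an assumption of this example.
RANGES = {
    "commons-collections": ("CommonsCollections1", (3, 1), (3, 1)),
    "commons-collections4": ("CommonsCollections2", (4, 0), (4, 0)),
    "groovy": ("Groovy1", (1, 7), (2, 4, 3)),
    "groovy-all": ("Groovy1", (1, 7), (2, 4, 3)),
    "spring-core": ("Spring1", (3, 0, 5), (4, 1, 4)),
}

# <artifact>-<dotted version>[.QUALIFIER or -qualifier].jar
JAR_RE = re.compile(
    r"^(?P<name>[A-Za-z][\w.-]*?)-(?P<ver>\d+(?:\.\d+)*)(?:[.-][A-Za-z][\w.-]*)?\.jar$"
)

def parse_jar(filename):
    """Return (artifact, version tuple), or None if the name carries no version."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    return m.group("name"), tuple(int(p) for p in m.group("ver").split("."))

def pad(version, width=3):
    """Pad a version tuple with zeros so that 3.1 compares equal to 3.1.0."""
    return tuple(version) + (0,) * (width - len(version))

def check_jar(filename):
    """Return the chain name from the table if the jar falls in a listed range."""
    parsed = parse_jar(filename)
    if parsed is None or parsed[0] not in RANGES:
        return None
    chain, low, high = RANGES[parsed[0]]
    return chain if pad(low) <= pad(parsed[1]) <= pad(high) else None

def scan(root):
    """Walk a directory tree (for example WEB-INF/lib) and list flagged jars."""
    jars = sorted(Path(root).rglob("*.jar"))
    return [(str(j), check_jar(j.name)) for j in jars if check_jar(j.name)]

if __name__ == "__main__":
    # Constructed sample file names, not taken from any real deployment.
    for name in ("commons-collections-3.1.jar", "commons-collections-3.2.2.jar",
                 "spring-core-4.1.4.RELEASE.jar", "groovy-2.4.4.jar"):
        print(f"{name}: {check_jar(name) or 'not in a listed range'}")
```

A match only means a listed library version is present on the classpath; whether the application deserializes untrusted data still has to be established separately.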


Once you've downloaded ysoserial-0.0.4-all.jar, you can use it to generate payloads for various Java deserialization vulnerabilities. A basic usage example:

java -jar ysoserial-0.0.4-all.jar CommonsCollections2 "command"

Replace "command" with the command you wish to execute on the vulnerable system, and adjust the gadget (in this case, CommonsCollections2) according to the target application's dependencies and the vulnerability.

Instructions:

  • Use with local test servers or instrumented VMs to observe behavior.
  • The syntax is straightforward:

    java -jar ysoserial-0.0.4-all.jar [gadget_chain] '[command]'
    

    The 0.0.4 release includes a subset of today’s common gadget chains. Key payloads available in this version:

    | Gadget Chain | Affected Library | Common Use |
    | :--- | :--- | :--- |
    | CommonsCollections1 | Apache Commons Collections 3.1 | RCE on older Java apps (e.g., WebLogic, JBoss) |
    | CommonsCollections2 | Apache Commons Collections 4.0 | Bypass some early sanitization attempts |
    | Groovy1 | Groovy 1.7+ | RCE via MethodClosure |
    | Spring1 / Spring2 | Spring Framework 3.x | RCE in Spring-based Java apps |

  • The build should produce an executable jar (often named ysoserial--all.jar). Building from source lets you inspect the code, remove dangerous gadgets you don’t need, and control the environment.