(De)serialization
marshalsec: Java Unmarshaller Security - Turning your data into code execution.
ysoserial: A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
ysoserial.net: Deserialization payload generator for a variety of .NET formatters.
rmiscout: RMIScout enables wordlist and bruteforce attacks against exposed Java RMI interfaces to safely guess method signatures without invocation. It supports multiple Java RMI protocols, method invocation, and exploitation.
JNDI-Injection-Exploit: JNDI-Injection-Exploit is a tool for generating workable JNDI links and providing background services by starting an RMI server, LDAP server and HTTP server. The RMI server and LDAP server are based on marshalsec and modified further to link with the HTTP server.
beanshooter: Beanshooter is a command line tool written in Java, which helps to identify common vulnerabilities on JMX endpoints.
mjet: MJET allows easy exploitation of insecurely configured JMX services. Additional background information can be found here and here.