ysoserial
Enhancement serialVersionUID + prefix to payload options
- Implements #182 by overwriting final payload bytes.
Attempts to implement a cleaner override using Unsafe or Reflection failed on Object with undefined serial.
Usage
-s org.apache.commons.beanutils.BeanComparator=-3490850999041592962
- Adding feature for prepending arbitrary data to payload.
Example payload generated with
-p writeUTF=foo -p writeBoolean=true
will reach gadget chain deserialization on the following code:
String componentId = ois.readUTF();
boolean cancelAction = ois.readBoolean();
ComponentAction action = (ComponentAction) ois.readObject();
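
In the read sequence above, the cast to ComponentAction happens only after readObject() has already deserialized whatever class the stream names, so the cast does not restrict what gets instantiated. The following is an added example (not part of this pull request or the project's code) of the same read sequence guarded by a Java 9+ ObjectInputFilter allow-list. The ComponentAction definition, the FilteredRead class name and the sample streams are assumptions constructed for illustration.

```java
import java.io.*;
import java.util.ArrayList;

public class FilteredRead {
    // Hypothetical stand-in for the application's ComponentAction type.
    static class ComponentAction implements Serializable {
        private static final long serialVersionUID = 1L;
        final int code;
        ComponentAction(int code) { this.code = code; }
    }

    // Allow-list filter: the only class descriptor accepted is ComponentAction.
    static final ObjectInputFilter ONLY_COMPONENT_ACTION = info -> {
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED; // limit and back-reference checks
        return c == ComponentAction.class
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
    };

    // Constructed sample input: the primitive header the reader expects, then one object.
    static byte[] stream(Object body) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(buf)) {
            oos.writeUTF("foo");
            oos.writeBoolean(true);
            oos.writeObject(body);
        }
        return buf.toByteArray();
    }

    // Same read sequence as in the description, with the filter installed before any read.
    static String read(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ONLY_COMPONENT_ACTION);
            String componentId = ois.readUTF();
            boolean cancelAction = ois.readBoolean();
            ComponentAction action = (ComponentAction) ois.readObject();
            return componentId + "/" + cancelAction + "/" + action.code;
        } catch (InvalidClassException e) {
            return "rejected: " + e.getMessage(); // filter refused the class before instantiation
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(read(stream(new ComponentAction(7))));
        // ArrayList stands in for any class the endpoint never expects to receive.
        System.out.println(read(stream(new ArrayList<String>())));
    }
}
```

The filter runs when the class descriptor is resolved, before any object of that class is instantiated, so primitive fields read ahead of readObject() make no difference to what it rejects.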