This tool may be used for legal purposes only.
Users take full responsibility for any actions performed using this tool.
The author accepts no liability for damage caused by this tool.
If these terms are not acceptable to you, then do not use this tool.
Serial Spray generates a payload for every ysoserial library that has RCE capabilities and passes each payload through the compression/encoding steps specified in the output chain. If the target is vulnerable to a Java deserialization RCE attack through a common ysoserial library, the tool automates building payload lists that can be fuzzed with Burp Suite Intruder.
The program is licensed under the GNU General Public License v3.0.
Start by running the venv and package installation script:
    python3 setup.py venv
Once installed, the venv can be activated from the project root with:
    cd venv/bin; source activate; cd ../..
Example usage:
    python3 serial_spray.py --out_file=/tmp/serial_wordlist.txt ./ysoserial.jar 'dig <collaborator_domain>' 'gzip|base64-url'
Note: --out_file is an optional argument. If it is not used, the default wordlist named "ss_wordlist.txt" is generated in the same directory.
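For the defending side, the following added example (not part of Serial Spray) peels gzip and base64 layers off a request value and reports whether a Java serialized stream header is underneath. It assumes the 'gzip|base64-url' chain applies its steps left to right; the function names and the sample value are hypothetical and constructed for illustration.

```python
import base64
import binascii
import gzip
import zlib

JAVA_MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC + STREAM_VERSION of java.io serialization
MAX_DEPTH = 4                      # encoding layers to peel before giving up
MAX_BYTES = 1 << 20                # cap on inflated size, guards against zip bombs


def _b64(data):
    """Decode standard or URL-safe base64 (padding optional); None if not base64."""
    text = data.strip().replace(b"-", b"+").replace(b"_", b"/")
    text += b"=" * (-len(text) % 4)
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def _gunzip(data):
    """Inflate a gzip member up to MAX_BYTES; None if the input is not gzip."""
    if not data.startswith(b"\x1f\x8b"):
        return None
    try:
        return zlib.decompressobj(31).decompress(data, MAX_BYTES)
    except zlib.error:
        return None


def find_serialized(value, chain=()):
    """Return the decoding steps that expose a Java serialized stream, else None."""
    if value.startswith(JAVA_MAGIC):
        return chain
    if len(chain) >= MAX_DEPTH:
        return None
    for name, decode in (("gzip", _gunzip), ("base64", _b64)):
        decoded = decode(value)
        if decoded:
            hit = find_serialized(decoded, chain + (name,))
            if hit is not None:
                return hit
    return None


# Constructed sample: stream header plus a class-name fragment, not a working payload.
SAMPLE = base64.urlsafe_b64encode(gzip.compress(JAVA_MAGIC + b"sr\x00\x11java.util.HashMap"))

if __name__ == "__main__":
    print(find_serialized(SAMPLE))          # decoding steps for the wrapped sample
    print(find_serialized(b"hello world"))  # ordinary parameter value
```

An empty tuple means the value is a raw serialized stream with no wrapping, so callers should compare the result against None rather than test its truthiness.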
Libraries to potentially add later (https://blog.afine.com/testing-and-exploiting-java-deserialization-in-2021-e762f3e43ca2):
- AspectJWeaver
- C3P0
- Clojure
- FileUpload1
- Jython1
- JRMPClient
- JRMPListener
- MyFaces2
- JSON1
- URLDNS
- Wicket