wr0ld / YsoGUI

A Java deserialization exploitation GUI tool based on Y4er/ysoserial and marshalsec, integrating payload generation, JNDI Reference, LDAP deserialization, and call-graph editing.

100% credibility
Found May 06, 2026 at 10 stars.
Java
AI Summary

A user-friendly desktop tool for generating payloads, viewing gadget chains, and running exploits to test Java deserialization security.

How It Works

1. 🔍 Discover the tool

   You hear about a helpful desktop app for testing Java app security and download it from a trusted source.

2. 🚀 Launch the app

   Double-click to open the friendly window with lists, graphs, and buttons that make everything simple.

3. 🧠 Add the brains

   Point the app to two special files it needs, like giving it the smarts to understand security tricks.

4. 📋 Pick a chain

   Browse the colorful list of ready-made tricks, tap one that fits your test, and see its inner workings in a pretty diagram.

5. Create your test

   Type a simple command or pick a template, choose how to format it, and hit generate to watch it build your custom security probe.

6. Run an exploit

   Switch to test mode, set addresses and commands, and launch a live simulation to see results pour in.

🎉 Get your results

Copy the ready payload, save files, or watch logs light up with success—your Java security test is complete and insights are yours.

AI-Generated Review

What is YsoGUI?

YsoGUI is a Java desktop GUI for generating and delivering ysoserial payloads against Java deserialization vulnerabilities. It wraps Y4er/ysoserial and marshalsec into one tool, letting you scan chains, output payloads in formats like Base64 or Hex, spin up RMI/JNDI/LDAP exploit servers, and edit gadget call graphs visually. Load the required JARs on startup, and you're testing deserialization chains without CLI hassle.

Why is it gaining traction?

Unlike raw ysoserial CLI, this GUI unifies payload generation, exploit runners, and graph editing in a single window—perfect for quick local validation. Standout bits include smart CLASS: memshell support, custom chain imports, and one-click JNDI servers that auto-generate lookup strings. Developers skip scripting exploits or sketching graphs by hand.

Who should use this?

Pentesters probing Java apps like Tomcat or Spring for deserialization flaws during red team engagements. Security researchers chaining ysoserial gadgets for PoCs or debugging why a payload fails. Local vuln hunters validating CVEs without firing up multiple terminals.

Verdict

Grab it to streamline a deserialization testing workflow, especially if you're deep in Java pentesting; the early features deliver real value. With just 10 stars and 1.0% credibility, it's raw and lacks polish (docs are README-only, no tests), so treat it as a personal testing aid, not a production tool.
