hunt-deserialization

Community

Hunt critical deserialization RCE flaws across all stacks.

Authoruphiago
Version1.0.0
Installs0

System Documentation

What problem does it solve?

Insecure deserialization vulnerabilities across Java, PHP, Python, .NET, Ruby, and JNDI/Log4Shell stacks enable unauthenticated remote code execution, which is almost always rated as critical severity and is frequently missed during standard reconnaissance and vulnerability scanning.

Core Features & Use Cases

  • Multi-stack coverage: Includes detection patterns, exploitation workflows, and gadget chain references for 6 major deserialization vectors: Java ysoserial chains, PHP object injection, Python pickle RCE, .NET BinaryFormatter, Ruby Marshal.load, and JNDI/Log4Shell.
  • End-to-end hunting workflow: Provides step-by-step guidance for identifying vulnerable endpoints, generating payloads, confirming RCE via out-of-band callbacks, and mapping post-exploitation chains.
  • Use case: During a penetration test of a Java-based enterprise application, use this skill to detect Apache Shiro rememberMe cookies, generate ysoserial CommonsCollections6 payloads, and confirm critical-severity RCE via DNS callbacks to an out-of-band listener.

Quick Start

Use the hunt-deserialization skill to test a target's User-Agent header for Log4Shell JNDI injection and confirm RCE via an out-of-band DNS callback.

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: hunt-deserialization
Download link: https://github.com/uphiago/recon-skills/archive/main.zip#hunt-deserialization

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
View Source Repository

Agent Skills Search Helper

Install a tiny helper to your Agent, search and equip skill from 537,000+ vetted skills library on demand.