Java Serialized Payloads

This extension generates various Java serialized payloads designed to execute OS commands. There are three ways to use the extension:

• Generate a payload from the Java Serialized Payloads Tab. You can then copy and paste it into other tabs in Burp.
  
  
• Generate a payload from the Java Serialized Payloads Tab. In another tab you can select the text you want to replace and right click. You have three encoding options:
  
  
  • Raw - This will replace your selected text with a raw unencoded version of the payload.
  • B64 - This will replace your selected text with a Base64 encoded version.
  • URLEnc - This will replace your selected text with a URL-encoded and base64 encoded payload.
    
    
• You can use inline commands to replace your text with a payload that contains your command. For example you can enter text in Repeater like:
  
  $(CC1|ping -c1 8.8.8.8)
  
  Select the above text and right click any of the Java Serialized Payload Options and it will replace your command with a payload containing that command.
  
  The first parameter before the pipe in the above statement is the version of the exploit. You can enter any of the following:
  
  
  • CC1 or CollectionCommons1
  • CC2 or CollectionCommons2
  • GV1 or Groovy1
  • SP1 or Spring1
  
  TThe second parameter is the OS command you wish to run.