java-deserialization-methodology
Audited by Socket on Apr 22, 2026
3 alerts found:
Security / Malware (x2): The actual purpose of this skill is to have an AI agent identify and exploit Java deserialization vulnerabilities, not to provide ordinary development assistance. Although no obvious credential theft, covert exfiltration or malicious installation chain was observed, its offensive exploit capability and automated attack paths are themselves high risk; it should be classified as a suspicious, high-risk offensive skill rather than a benign one.
The provided content is a highly actionable, attacker-oriented exploit instruction set for Java deserialization (ysoserial gadget chains), including an out-of-band URLDNS vulnerability check and subsequent remote command execution guidance (e.g., reading '/flag.txt') delivered via HTTP cookies/bodies or WebLogic T3. This is consistent with malicious intent and would be unsafe to include as part of a software supply chain.
This fragment is attacker-oriented exploitation material for multiple high-impact Java/JVM vulnerabilities, explicitly describing RCE and sensitive file read payloads with attacker-controlled LDAP/RMI/HTTP callbacks and version-specific Fastjson/Shiro gadget chains, plus delivery to JBoss/Jenkins/WebLogic endpoints. If included in a software supply chain artifact, it would be consistent with malicious tooling or a compromise playbook rather than benign functionality.