-
更新fastjson、xtream、commons-collections、commons-io等第三方组件; -
业务需要使用反序列化时,尽量避免反序列化数据可被用户控制,如无法避免建议尽量使用白名单或者黑名单的形式进行拦截或者校验; -
常见的反序列化防护组件如:serialkiller,但是该组件已经好多年未更新,拦截原理是没问题的,如果使用,建议及时更新新发现的危险方法到配置文件当中;
| 反序列化危险对象 | 来源 |
| bsh.XThis$ | ysoserial's BeanShell1 payload |
| bsh.Interpreter$ | ysoserial's BeanShell1 payload |
| com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase$ | ysoserial's C3P0 payload |
| com.mchange.v2.c3p0.PoolBackedDataSource$ | ysoserial's C3P0 payload |
| org.apache.commons.beanutils.BeanComparator$ | ysoserial's CommonsBeanutils1 payload |
| org.apache.commons.collections.Transformer$ | ysoserial's CommonsCollections1,3,5,6 payload |
| org.apache.commons.collections.functors.InvokerTransformer$ | ysoserial's CommonsCollections1,3,5,6 payload |
| org.apache.commons.collections.functors.ChainedTransformer$ | ysoserial's CommonsCollections1,3,5,6 payload |
| org.apache.commons.collections.functors.ConstantTransformer$ | ysoserial's CommonsCollections1,3,5,6 payload |
| org.apache.commons.collections.functors.InstantiateTransformer$ | ysoserial's CommonsCollections1,3,5,6 payload |
| org.apache.commons.collections.map.LazyMap$ | ysoserial's CommonsCollections1,3,5,6 payload |
| org.apache.commons.collections.keyvalue.TiedMapEntry$ | ysoserial's CommonsCollections1,3,5,6 payload |
| org.apache.commons.collections4.functors.InvokerTransformer$ | ysoserial's CommonsCollections2,4 payload |
| org.apache.commons.collections4.functors.ChainedTransformer$ | ysoserial's CommonsCollections2,4 payload |
| org.apache.commons.collections4.functors.ConstantTransformer$ | ysoserial's CommonsCollections2,4 payload |
| org.apache.commons.collections4.functors.InstantiateTransformer$ | ysoserial's CommonsCollections2,4 payload |
| org.apache.commons.collections4.comparators.TransformingComparator$ | ysoserial's CommonsCollections2,4 payload |
| org.apache.commons.fileupload.disk.DiskFileItem$ | ysoserial's FileUpload1,Wicket1 payload |
| org.apache.wicket.util.upload.DiskFileItem$ | ysoserial's FileUpload1,Wicket1 payload |
| org.apache.commons.io.output.DeferredFileOutputStream$ | |
| ysoserial's FileUpload1,Wicket1 payload | |
| org.apache.commons.io.output.ThresholdingOutputStream$ | ysoserial's FileUpload1,Wicket1 payload |
| org.codehaus.groovy.runtime.ConvertedClosure$ | ysoserial's Groovy payload |
| org.codehaus.groovy.runtime.MethodClosure$ | ysoserial's Groovy payload |
| org.hibernate.engine.spi.TypedValue$ | ysoserial's Hibernate1,2 payload |
| org.hibernate.tuple.component.AbstractComponentTuplizer$ | ysoserial's Hibernate1,2 payload |
| org.hibernate.tuple.component.PojoComponentTuplizer$ | ysoserial's Hibernate1,2 payload |
| org.hibernate.type.AbstractType$ | ysoserial's Hibernate1,2 payload |
| org.hibernate.type.ComponentType$ | ysoserial's Hibernate1,2 payload |
| org.hibernate.type.Type$ | ysoserial's Hibernate1,2 payload |
| com.sun.rowset.JdbcRowSetImpl$ | ysoserial's Hibernate1,2 payload |
| org.jboss.(weld.)?interceptor.builder.InterceptionModelBuilder$ | ysoserial's JBossInterceptors1, JavassistWeld1 payload |
| org.jboss.(weld.)?interceptor.builder.MethodReference$ | ysoserial's JBossInterceptors1, JavassistWeld1 payload |
| org.jboss.(weld.)?interceptor.proxy.DefaultInvocationContextFactory$ | ysoserial's JBossInterceptors1, JavassistWeld1 payload |
| org.jboss.(weld.)?interceptor.proxy.InterceptorMethodHandler$ | ysoserial's JBossInterceptors1, JavassistWeld1 payload |
| org.jboss.(weld.)?interceptor.reader.ClassMetadataInterceptorReference$ | ysoserial's JBossInterceptors1, JavassistWeld1 payload |
| org.jboss.(weld.)?interceptor.reader.DefaultMethodMetadata$ | ysoserial's JBossInterceptors1, JavassistWeld1 payload |
| org.jboss.(weld.)?interceptor.reader.ReflectiveClassMetadata$ | ysoserial's JBossInterceptors1, JavassistWeld1 payload |
| org.jboss.(weld.)?interceptor.reader.SimpleInterceptorMetadata$ | ysoserial's JBossInterceptors1, JavassistWeld1 payload |
| org.jboss.(weld.)?interceptor.spi.instance.InterceptorInstantiator$ | ysoserial's JBossInterceptors1, JavassistWeld1 payload |
| org.jboss.(weld.)?interceptor.spi.metadata.InterceptorReference$ | ysoserial's JBossInterceptors1, JavassistWeld1 payload |
| org.jboss.(weld.)?interceptor.spi.metadata.MethodMetadata$ | ysoserial's JBossInterceptors1, JavassistWeld1 payload |
| org.jboss.(weld.)?interceptor.spi.model.InterceptionModel$ | ysoserial's JBossInterceptors1, JavassistWeld1 payload |
| org.jboss.(weld.)?interceptor.spi.model.InterceptionType$ | ysoserial's JBossInterceptors1, JavassistWeld1 payload |
| java.rmi.registry.Registry$ | ysoserial's JRMPClient payload |
| java.rmi.server.ObjID$ | ysoserial's JRMPClient payload |
| java.rmi.server.RemoteObjectInvocationHandler$ | ysoserial's JRMPClient payload |
| java.rmi.server.RemoteObject$ | ysoserial's JRMPClient payload |
| java.rmi.server.RemoteRef$ | ysoserial's JRMPClient payload |
| java.rmi.server.UnicastRemoteObject$ | ysoserial's JRMPClient payload |
| net.sf.json.JSONObject$ | ysoserial's JSON1 payload |
| javax.xml.transform.Templates$ | ysoserial's Jdk7u21 payload |
| org.python.core.PyObject$ | ysoserial's Jython1 payload |
| org.python.core.PyBytecode$ | ysoserial's Jython1 payload |
| org.python.core.PyFunction$ | ysoserial's Jython1 payload |
| org.mozilla.javascript..*$ | ysoserial's MozillaRhino1 payload |
| org.apache.myfaces.context.servlet.FacesContextImpl$ | ysoserial's Myfaces1,2 payload |
| org.apache.myfaces.context.servlet.FacesContextImplBase$ | ysoserial's Myfaces1,2 payload |
| org.apache.myfaces.el.CompositeELResolver$ | ysoserial's Myfaces1,2 payload |
| org.apache.myfaces.el.unified.FacesELContext$ | ysoserial's Myfaces1,2 payload |
| org.apache.myfaces.view.facelets.el.ValueExpressionMethodExpression$ | ysoserial's Myfaces1,2 payload |
| com.sun.syndication.feed.impl.ObjectBean$ | ysoserial's ROME payload |
| org.springframework.beans.factory.ObjectFactory$ | ysoserial's Spring1,2 payload |
| org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider$ | ysoserial's Spring1,2 payload |
| org.springframework.aop.framework.AdvisedSupport$ | ysoserial's Spring1,2 payload |
| org.springframework.aop.target.SingletonTargetSource$ | ysoserial's Spring1,2 payload |
| org.springframework.aop.framework.JdkDynamicAopProxy$ | ysoserial's Spring1,2 payload |
| org.springframework.core.SerializableTypeWrapper$TypeProvider$ | ysoserial's Spring1,2 payload |
| java.util.PriorityQueue$ | other trigger gadgets or payloads |
| java.lang.reflect.Proxy$ | other trigger gadgets or payloads |
| javax.management.MBeanServerInvocationHandler$ | other trigger gadgets or payloads |
| javax.management.openmbean.CompositeDataInvocationHandler$ | other trigger gadgets or payloads |
| org.springframework.aop.framework.JdkDynamicAopProxy$ | other trigger gadgets or payloads |
| java.beans.EventHandler$ | other trigger gadgets or payloads |
| java.util.Comparator$ | other trigger gadgets or payloads |
| org.reflections.Reflections$ | other trigger gadgets or payloads |
| clojure.lang.PersistentArrayMap | other trigger gadgets or payloads |
| clojure.inspector.proxy$javax.swing.table.AbstractTableModel$ff19274a | other trigger gadgets or payloads |
| sun.rmi.server.UnicastRef$ | other trigger gadgets or payloads |
| sun.rmi.transport.LiveRef$ | other trigger gadgets or payloads |
| sun.rmi.transport.tcp.TCPEndpoint$ | other trigger gadgets or payloads |
| sun.rmi.server.ActivationGroupImpl$ | other trigger gadgets or payloads |
| sun.rmi.server.UnicastServerRef$ | other trigger gadgets or payloads |
| net.sf.json.JSONObject$ | other trigger gadgets or payloads |
| org.mozilla.javascript.$ | other trigger gadgets or payloads |
| com.sun.syndication.feed.impl.ObjectBean$ | other trigger gadgets or payloads |
| com.vaadin.data.util.NestedMethodProperty$ | other trigger gadgets or payloads |
| com.vaadin.data.util.PropertysetItem$ | other trigger gadgets or payloads |
| org.aspectj.weaver.tools.cache.SimpleCache$StoreableCachingMap | other trigger gadgets or payloads |
参考:
https://github.com/ikkisoft/SerialKiller
https://zhuanlan.zhihu.com/p/597910634
原文始发于微信公众号(代码审计SDL):常见JAVA反序列化危险对象列表
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论