Web Penetration: Java Deserialization Vulnerabilities
xiu
Class inheritance

A quick refresher before the vulnerability itself: a subclass can override a method of its parent, and a call on an object runs the version belonging to the object's runtime class. Deserialization relies on the same idea: the class named in the stream, not the type the caller expects, decides which code runs. Each public class below goes in its own source file.

```java
public class Person {
    public int age;
    public String name;

    public void talk() {
        System.out.println("Person spoke");
    }
}

public class Student extends Person {
    public int score;

    @Override
    public void talk() {
        System.out.println("Student spoke");
    }
}

public class Test {
    public static void main(String[] args) {
        Student stu1 = new Student();
        stu1.talk(); // runs Student.talk(), the override of the runtime class
    }
}
```
The first bytes of the data

Every Java serialization stream starts with the magic number ac ed followed by the stream version 00 05. That header is how you recognize serialized Java objects in traffic or storage:
rO0AB: the same header after base64 encoding (cookies, form fields, JSON strings)
aced: the raw header in hex (files, pcaps, binary protocols)
Serialization: ObjectOutputStream --> writeObject()
Deserialization: ObjectInputStream --> readObject()
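As an added example that is not part of the original post (class and method names are my own), the following program serializes an object with ObjectOutputStream, shows the ac ed 00 05 header and its base64 form, and turns the two fingerprints above into checks you can run over a parameter, cookie or captured payload. The base64 check decodes the prefix and re-verifies the raw header rather than trusting the text alone.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.util.Base64;

public class SerialMagic {
    // Header that every ObjectOutputStream writes first: STREAM_MAGIC 0xACED, then STREAM_VERSION 0x0005.
    static final byte[] MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};

    static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    // Raw form: the first four bytes must be exactly AC ED 00 05.
    static boolean hasRawMagic(byte[] data) {
        if (data == null || data.length < MAGIC.length) return false;
        for (int i = 0; i < MAGIC.length; i++) {
            if (data[i] != MAGIC[i]) return false;
        }
        return true;
    }

    // Base64 form: encoding AC ED 00 05 yields "rO0ABQ", so encoded streams start with "rO0AB".
    // Decode the first 8 characters (6 bytes) and re-run the raw check instead of
    // trusting the text prefix by itself.
    static boolean hasBase64Magic(String text) {
        if (text == null || text.length() < 8 || !text.startsWith("rO0AB")) return false;
        try {
            return hasRawMagic(Base64.getDecoder().decode(text.substring(0, 8)));
        } catch (IllegalArgumentException e) {
            return false; // prefix looked right but the text is not valid base64
        }
    }

    // Hex dump of the first n bytes, for eyeballing the header.
    static String hex(byte[] data, int n) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < Math.min(n, data.length); i++) {
            sb.append(String.format("%02x", data[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: any Serializable object produces the same header.
        byte[] stream = serialize("xiu");
        String b64 = Base64.getEncoder().encodeToString(stream);
        System.out.println("hex header    : " + hex(stream, 4));
        System.out.println("base64 stream : " + b64);
        System.out.println("raw match     : " + hasRawMagic(stream));
        System.out.println("base64 match  : " + hasBase64Magic(b64));
        // Constructed negative case: ordinary base64 text that is not a Java stream.
        System.out.println("plain base64  : " + hasBase64Magic("aGVsbG8gd29ybGQ="));
    }
}
```

The decoded-prefix check also covers the URL-safe base64 alphabet, since the characters of "rO0ABQ" are identical in both; a payload that is additionally URL-encoded or gzip-compressed needs that layer stripped first.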
Deserialization vulnerability

Person

```java
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;

public class Person implements Serializable {
    public int age;
    public String name;

    // ObjectInputStream invokes this automatically while reading a Person from the stream.
    // The command runs before defaultReadObject() restores a single field, so simply
    // deserializing bytes that name this class is enough to execute it.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        Runtime.getRuntime().exec("calc"); // Windows calculator as a visible proof of execution
        in.defaultReadObject();
    }
}
```
Test

```java
import java.io.*;

public class Test {
    public static void main(String[] args) throws IOException, ClassNotFoundException {
        Person p = new Person();
        p.age = 18;
        p.name = "xiu";
        serialize(p, "xiu.bin");
        // readObject() on the file runs Person.readObject(), which launches calc before the fields are restored
        System.out.println("deserialization result: " + deserialize("xiu.bin"));
    }

    public static void serialize(Object obj, String filePath) throws IOException {
        try (FileOutputStream fileOut = new FileOutputStream(filePath);
             ObjectOutputStream objectOut = new ObjectOutputStream(fileOut)) {
            objectOut.writeObject(obj);
        }
    }

    public static Object deserialize(String filePath) throws IOException, ClassNotFoundException {
        try (FileInputStream fileIn = new FileInputStream(filePath);
             ObjectInputStream objectIn = new ObjectInputStream(fileIn)) {
            return objectIn.readObject();
        }
    }
}
```
What is a deserialization vulnerability

PHP deserialization and Java deserialization are two different mechanisms, and serialization itself is not the vulnerability: its purpose is simply to move data between processes completely and efficiently.
A PHP deserialization vulnerability arises when a magic method of a class calls some function, that function calls others, and the chain eventually reaches a dangerous function.
A Java deserialization vulnerability arises in the same way through readObject(): ObjectInputStream instantiates whatever Serializable class the stream names and invokes that class's readObject(), which calls further methods until the chain reaches a dangerous sink, for example the transform() calls of a Commons Collections Transformer chain. The readObject() does not have to be one the application's developer wrote, as in the Person example above; any Serializable class on the classpath, including library classes, can serve as a link in such a chain, which is why deserializing untrusted bytes is dangerous even when the application's own classes are harmless.
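Since ObjectInputStream will instantiate any class the stream names, the fix on the receiving side is to refuse every class you did not expect before its readObject() can run. The program below is an added example, not code from the original post: the class and method names (SafeDeserialize, AllowListObjectInputStream, the nested benign Person, the HashMap used as a stand-in for "a class the receiver never asked for") are my own, and it assumes Java 9 or later for java.io.ObjectInputFilter and Set.of (the same filter exists on 8u121+ as sun.misc.ObjectInputFilter). It shows the two standard mitigations side by side: an ObjectInputStream subclass whose resolveClass() enforces an allow-list, and a JEP 290 filter with a default-deny pattern.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Set;

public class SafeDeserialize {

    // Benign stand-in for the page's Person class (no side effects in readObject). Constructed for this demo.
    static class Person implements Serializable {
        private static final long serialVersionUID = 1L;
        int age;
        String name;
    }

    // Mitigation 1 (works on any Java version): refuse to resolve classes outside an allow-list.
    // resolveClass() runs when the class descriptor is read, before an instance exists,
    // so a gadget class never reaches its readObject().
    static class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on the deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    static Object deserializeWithAllowList(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(
                new ByteArrayInputStream(data), Set.of(Person.class.getName()))) {
            return in.readObject();
        }
    }

    // Mitigation 2 (Java 9+): JEP 290 serialization filter. Patterns are matched in order;
    // the trailing "!*" rejects every class not explicitly listed (default deny).
    static Object deserializeWithFilter(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    Person.class.getName() + ";java.lang.String;!*"));
            return in.readObject();
        }
    }

    static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Person p = new Person();
        p.age = 18;
        p.name = "xiu";
        byte[] expected = serialize(p);
        // Constructed hostile input: a HashMap stands in for any class the receiver did not ask for.
        // Real gadget chains are built from ordinary library classes exactly like this one.
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("allow-list accepted: " + ((Person) deserializeWithAllowList(expected)).name);
        System.out.println("filter accepted    : " + ((Person) deserializeWithFilter(expected)).name);

        try {
            deserializeWithAllowList(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("allow-list rejected: " + e.getMessage());
        }
        try {
            deserializeWithFilter(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filter rejected    : " + e.getMessage());
        }
    }
}
```

Two caveats a reviewer would raise. The allow-list has to name every class that legitimately appears in the stream (field types, collections, arrays), so build it from a real serialized sample rather than from memory; and a deny-list of known gadget classes is not a substitute, because new chains keep being found. The JEP 290 filter additionally supports limits such as maxdepth and maxarray, and can be set process-wide with the jdk.serialFilter system property when you cannot change the code that calls readObject().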