Java 反序列化基础：序列化、反序列化与反射<\/h1>

1. 序列化与反序列化基础概念<\/h2>

1.1 核心定义<\/h3>

Java序列化(Serialization)<\/strong>：将Java对象转换为字节序列的过程<\/p>

用途：对象状态保存到文件\/数据库、网络传输对象、JVM间传递对象<\/li> <\/ul>
反序列化(Deserialization)<\/strong>：将字节序列重新构造成Java对象的逆过程<\/p>
1.2 实现要求<\/h3>

必须实现 Serializable<\/code> 接口<\/li>
序列化使用 ObjectOutputStream<\/code> 和 writeObject()<\/code> 方法<\/li>
反序列化使用 ObjectInputStream<\/code> 和 readObject()<\/code> 方法<\/li> <\/ul> 2. 序列化技术实现<\/h2> 2.1 基础序列化类定义<\/h3> import<\/span> java.io.Serializable;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> User<\/span> implements<\/span> Serializable {<\/span> <\/span><\/span> private<\/span> static<\/span> final<\/span> long<\/span> serialVersionUID =<\/span> 8813939971390125541L<\/span>;<\/span> <\/span><\/span> private<\/span> int<\/span> age;<\/span> <\/span><\/span> private<\/span> String name;<\/span> <\/span><\/span> public<\/span> String nickName;<\/span> <\/span><\/span> <\/span><\/span> \/\/ Getter和Setter方法 <\/span><\/span><\/span><\/span> public<\/span> int<\/span> getAge<\/span>()<\/span> {<\/span> return<\/span> age;<\/span> }<\/span> <\/span><\/span> public<\/span> void<\/span> setAge<\/span>(<\/span>int<\/span> age)<\/span> {<\/span> this<\/span>.<\/span>age<\/span> =<\/span> age;<\/span> }<\/span> <\/span><\/span> public<\/span> String getName<\/span>()<\/span> {<\/span> return<\/span> name;<\/span> }<\/span> <\/span><\/span> public<\/span> void<\/span> setName<\/span>(<\/span>String name)<\/span> {<\/span> this<\/span>.<\/span>name<\/span> =<\/span> name;<\/span> }<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> String toString<\/span>()<\/span> {<\/span> <\/span><\/span> return<\/span> "User{"<\/span> +<\/span> "age="<\/span> +<\/span> age +<\/span> <\/span><\/span> ", name='"<\/span> +<\/span> name +<\/span> '\''<\/span> +<\/span> <\/span><\/span> ", nickName='"<\/span> +<\/span> nickName +<\/span> '\''<\/span> +<\/span> '}'<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>2.2 序列化操作实现<\/h3> import<\/span> java.io.*;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> SerializationExample<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> IOException {<\/span> <\/span><\/span> User user =<\/span> new<\/span> User();<\/span> <\/span><\/span> user.<\/span>setAge<\/span>(<\/span>99<\/span>);<\/span> <\/span><\/span> user.<\/span>nickName<\/span> =<\/span> "嘿"<\/span>;<\/span> <\/span><\/span> user.<\/span>setName<\/span>(<\/span>"Now"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 方式1：文件序列化 <\/span><\/span><\/span><\/span> ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span> <\/span><\/span> new<\/span> FileOutputStream(<\/span>"user.ser"<\/span>));<\/span> <\/span><\/span> oos.<\/span>writeObject<\/span>(<\/span>user);<\/span> <\/span><\/span> oos.<\/span>close<\/span>();<\/span> <\/span><\/span> <\/span><\/span> \/\/ 方式2：字节流序列化（网络传输用） <\/span><\/span><\/span><\/span> ByteArrayOutputStream baos =<\/span> new<\/span> ByteArrayOutputStream();<\/span> <\/span><\/span> ObjectOutputStream oosB =<\/span> new<\/span> ObjectOutputStream(<\/span>baos);<\/span> <\/span><\/span> oosB.<\/span>writeObject<\/span>(<\/span>user);<\/span> <\/span><\/span> byte<\/span>[]<\/span> byteArray =<\/span> baos.<\/span>toByteArray<\/span>();<\/span> <\/span><\/span> <\/span><\/span> \/\/ 输出字节序列 <\/span><\/span><\/span><\/span> for<\/span> (<\/span>byte<\/span> b :<\/span> byteArray)<\/span> {<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>print<\/span>(<\/span>b +<\/span> " "<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>2.3 反序列化操作实现<\/h3> import<\/span> java.io.*;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> DeserializationExample<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> <\/span><\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span> <\/span><\/span> <\/span><\/span> \/\/ 从文件反序列化 <\/span><\/span><\/span><\/span> ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span> <\/span><\/span> new<\/span> FileInputStream(<\/span>"user.ser"<\/span>));<\/span> <\/span><\/span> Object o =<\/span> ois.<\/span>readObject<\/span>();<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"文件反序列化: "<\/span> +<\/span> o.<\/span>toString<\/span>());<\/span> <\/span><\/span> <\/span><\/span> \/\/ 从字节数组反序列化 <\/span><\/span><\/span><\/span> byte<\/span>[]<\/span> bytes =<\/span> {-<\/span>84<\/span>,-<\/span>19<\/span>,<\/span>0<\/span>,<\/span>5<\/span>,<\/span>115<\/span>,<\/span>114<\/span>,<\/span>0<\/span>,<\/span>4<\/span>,<\/span>85<\/span>,<\/span>115<\/span>,<\/span>101<\/span>,<\/span>114<\/span>,<\/span>122<\/span>,<\/span>81<\/span>,<\/span>103<\/span>,-<\/span>76<\/span>,<\/span> <\/span><\/span> -<\/span>86<\/span>,<\/span>83<\/span>,<\/span>53<\/span>,-<\/span>27<\/span>,<\/span>2<\/span>,<\/span>0<\/span>,<\/span>3<\/span>,<\/span>73<\/span>,<\/span>0<\/span>,<\/span>3<\/span>,<\/span>97<\/span>,<\/span>103<\/span>,<\/span>101<\/span>,<\/span>76<\/span>,<\/span>0<\/span>,<\/span>4<\/span>,<\/span>110<\/span>,<\/span>97<\/span>,<\/span>109<\/span>,<\/span> <\/span><\/span> 101<\/span>,<\/span>116<\/span>,<\/span>0<\/span>,<\/span>18<\/span>,<\/span>76<\/span>,<\/span>106<\/span>,<\/span>97<\/span>,<\/span>118<\/span>,<\/span>97<\/span>,<\/span>47<\/span>,<\/span>108<\/span>,<\/span>97<\/span>,<\/span>110<\/span>,<\/span>103<\/span>,<\/span>47<\/span>,<\/span>83<\/span>,<\/span> <\/span><\/span> 116<\/span>,<\/span>114<\/span>,<\/span>105<\/span>,<\/span>110<\/span>,<\/span>103<\/span>,<\/span>59<\/span>,<\/span>76<\/span>,<\/span>0<\/span>,<\/span>8<\/span>,<\/span>110<\/span>,<\/span>105<\/span>,<\/span>99<\/span>,<\/span>107<\/span>,<\/span>78<\/span>,<\/span>97<\/span>,<\/span>109<\/span>,<\/span> <\/span><\/span> 101<\/span>,<\/span>113<\/span>,<\/span>0<\/span>,<\/span>126<\/span>,<\/span>0<\/span>,<\/span>1<\/span>,<\/span>120<\/span>,<\/span>112<\/span>,<\/span>0<\/span>,<\/span>0<\/span>,<\/span>0<\/span>,<\/span>99<\/span>,<\/span>116<\/span>,<\/span>0<\/span>,<\/span>3<\/span>,<\/span>78<\/span>,<\/span>111<\/span>,<\/span>119<\/span>,<\/span> <\/span><\/span> 116<\/span>,<\/span>0<\/span>,<\/span>3<\/span>,-<\/span>27<\/span>,-<\/span>104<\/span>,-<\/span>65<\/span>};<\/span> <\/span><\/span> <\/span><\/span> ObjectInputStream oisByte =<\/span> new<\/span> ObjectInputStream(<\/span> <\/span><\/span> new<\/span> ByteArrayInputStream(<\/span>bytes));<\/span> <\/span><\/span> Object oByte =<\/span> oisByte.<\/span>readObject<\/span>();<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"字节流反序列化: "<\/span> +<\/span> oByte.<\/span>toString<\/span>());<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3. 自定义序列化与安全风险<\/h2> 3.1 重写readObject方法<\/h3> import<\/span> java.io.IOException;<\/span> <\/span><\/span>import<\/span> java.io.ObjectInputStream;<\/span> <\/span><\/span>import<\/span> java.io.Serializable;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> User<\/span> implements<\/span> Serializable {<\/span> <\/span><\/span> \/\/ ... 其他代码同上 ... <\/span><\/span><\/span><\/span> <\/span><\/span> private<\/span> void<\/span> readObject<\/span>(<\/span>ObjectInputStream in)<\/span> <\/span><\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span> <\/span><\/span> in.<\/span>defaultReadObject<\/span>();<\/span> \/\/ 调用默认反序列化 <\/span><\/span><\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"User重写方法调用！"<\/span>);<\/span> <\/span><\/span> \/\/ 这里可能执行危险操作！ <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3.2 安全风险说明<\/h3> 漏洞根源<\/strong>：自定义的 readObject()<\/code> 方法中执行了非预期操作<\/li> 攻击向量<\/strong>：攻击者构造恶意序列化数据，在反序列化时执行危险代码<\/li> 常见场景<\/strong>：执行系统命令、文件操作、网络连接等<\/li> <\/ul> 4. Java反射机制<\/h2> 4.1 反射核心概念<\/h3> 反射允许程序在运行时检查、访问和修改类、方法、字段等元信息<\/p> 4.2 获取Class对象的三种方式<\/h3> \/\/ 方式1：通过类名.class <\/span><\/span><\/span><\/span>Class<?><\/span> clazz1 =<\/span> User.<\/span>class<\/span>;<\/span> <\/span><\/span> <\/span><\/span>\/\/ 方式2：通过对象.getClass() <\/span><\/span><\/span><\/span>User user =<\/span> new<\/span> User();<\/span> <\/span><\/span>Class<?><\/span> clazz2 =<\/span> user.<\/span>getClass<\/span>();<\/span> <\/span><\/span> <\/span><\/span>\/\/ 方式3：通过Class.forName() <\/span><\/span><\/span><\/span>Class<?><\/span> clazz3 =<\/span> Class.<\/span>forName<\/span>(<\/span>"com.example.User"<\/span>);<\/span> <\/span><\/span><\/code><\/pre>4.3 反射核心类（java.lang.reflect包）<\/h3> Class<\/code>：代表类和接口<\/li> Field<\/code>：提供类字段的信息和访问权限<\/li> Method<\/code>：提供类方法的信息和访问权限<\/li> Constructor<\/code>：提供类的构造方法信息<\/li> <\/ul> 4.4 反射操作示例<\/h3> import<\/span> java.lang.reflect.*;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> ReflectionExample<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> \/\/ 获取Class对象 <\/span><\/span><\/span><\/span> Class<?><\/span> userClass =<\/span> Class.<\/span>forName<\/span>(<\/span>"User"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 创建实例 <\/span><\/span><\/span><\/span> Object userInstance =<\/span> userClass.<\/span>newInstance<\/span>();<\/span> <\/span><\/span> <\/span><\/span> \/\/ 获取并调用方法 <\/span><\/span><\/span><\/span> Method setNameMethod =<\/span> userClass.<\/span>getMethod<\/span>(<\/span>"setName"<\/span>,<\/span> String.<\/span>class<\/span>);<\/span> <\/span><\/span> setNameMethod.<\/span>invoke<\/span>(<\/span>userInstance,<\/span> "ReflectionTest"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 访问字段（包括私有字段） <\/span><\/span><\/span><\/span> Field ageField =<\/span> userClass.<\/span>getDeclaredField<\/span>(<\/span>"age"<\/span>);<\/span> <\/span><\/span> ageField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> \/\/ 突破私有限制 <\/span><\/span><\/span><\/span> ageField.<\/span>set<\/span>(<\/span>userInstance,<\/span> 25<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 调用toString查看结果 <\/span><\/span><\/span><\/span> Method toStringMethod =<\/span> userClass.<\/span>getMethod<\/span>(<\/span>"toString"<\/span>);<\/span> <\/span><\/span> String result =<\/span> (<\/span>String)<\/span> toStringMethod.<\/span>invoke<\/span>(<\/span>userInstance);<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>result);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>5. 反序列化漏洞模拟<\/h2> 5.1 漏洞形成机制<\/h3> private<\/span> void<\/span> readObject<\/span>(<\/span>ObjectInputStream in)<\/span> <\/span><\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span> <\/span><\/span> in.<\/span>defaultReadObject<\/span>();<\/span> <\/span><\/span> \/\/ 危险操作：执行系统命令 <\/span><\/span><\/span><\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc.exe"<\/span>);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>5.2 攻击流程<\/h3> 攻击者构造恶意序列化数据<\/li> 数据通过网络或文件传输到目标系统<\/li> 目标系统执行反序列化操作<\/li> 恶意代码在 readObject()<\/code> 方法中执行<\/li> <\/ol> 5.3 防御措施<\/h3> 避免反序列化不可信数据<\/li> 使用白名单验证反序列化对象<\/li> 使用安全框架提供的安全反序列化方法<\/li> 对 readObject()<\/code> 方法进行安全审计<\/li> <\/ul> 6. 关键知识点总结<\/h2> 序列化必要条件<\/strong>：实现 Serializable<\/code> 接口<\/li> 核心类<\/strong>：ObjectOutputStream<\/code> \/ ObjectInputStream<\/code><\/li> 核心方法<\/strong>：writeObject()<\/code> \/ readObject()<\/code><\/li> 安全风险<\/strong>：自定义 readObject()<\/code> 中的恶意代码执行<\/li> 反射机制<\/strong>：运行时动态访问和操作类信息<\/li> 攻击组合<\/strong>：反序列化 + 反射 = 远程代码执行<\/li> <\/ol> 7. 实际应用注意事项<\/h2> 性能考虑<\/strong>：反射操作比直接调用慢，应谨慎使用<\/li> 安全考虑<\/strong>：禁用不必要的序列化功能，验证输入数据<\/li> 版本兼容<\/strong>：使用 serialVersionUID<\/code> 保持序列化版本一致性<\/li> 敏感数据<\/strong>：使用 transient<\/code> 关键字保护敏感字段不被序列化<\/li> <\/ol> 通过深入理解序列化、反序列化和反射机制，以及它们之间的相互作用，能够更好地理解和防御Java反序列化漏洞，提高应用程序的安全性。<\/p>