Java反序列化基础教学文档<\/h1>

一、Java反序列化概念<\/h2>

1. 序列化与反序列化定义<\/h3>

序列化<\/strong>：将对象转换为字节序列的过程

目的：将数据转化成字节流，以便存储在文件中或在网络上传输<\/li> <\/ul> <\/li>
反序列化<\/strong>：把字节序列恢复为对象的过程

目的：打开字节流并重构对象<\/li> <\/ul> <\/li> <\/ul>
2. 为什么需要序列化\/反序列化<\/h3>
当两个Java进程进行通信时，需要实现进程间的对象传输，这时就需要：<\/p>

发送方将对象序列化为字节流<\/li>
通过网络传输字节流<\/li>
接收方将字节流反序列化为对象<\/li> <\/ol>
二、序列化实现基础<\/h2>
1. 可序列化条件<\/h3>

类必须实现java.io.Serializable<\/code>接口 Serializable<\/code>是一个标记接口（空接口，无抽象方法）<\/li> 未实现该接口的类尝试序列化会抛出java.io.NotSerializableException<\/code><\/li> <\/ul> <\/li> <\/ul> 2. 阻止序列化的方法<\/h3> 使用transient<\/code>关键字修饰属性被transient<\/code>修饰的属性不会被序列化<\/li> 反序列化时，transient<\/code>字段会被设为默认值（如String为null，int为0）<\/li> <\/ul> <\/li> <\/ul> 三、代码实现详解<\/h2> 1. 基础类定义（Person.java）<\/h3> import<\/span> java.io.IOException;<\/span> <\/span><\/span>import<\/span> java.io.ObjectInputStream;<\/span> <\/span><\/span>import<\/span> java.io.Serializable;<\/span> <\/span><\/span>import<\/span> java.lang.Runtime;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> Person<\/span> implements<\/span> Serializable {<\/span> <\/span><\/span> private<\/span> String name;<\/span> <\/span><\/span> private<\/span> int<\/span> age;<\/span> <\/span><\/span> <\/span><\/span> public<\/span> Person<\/span>(){}<\/span> <\/span><\/span> <\/span><\/span> \/\/ 构造函数 <\/span><\/span><\/span><\/span> public<\/span> Person<\/span>(<\/span>String name,<\/span> int<\/span> age){<\/span> <\/span><\/span> this<\/span>.<\/span>name<\/span> =<\/span> name;<\/span> <\/span><\/span> this<\/span>.<\/span>age<\/span> =<\/span> age;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> String toString<\/span>(){<\/span> <\/span><\/span> return<\/span> "Person{"<\/span> +<\/span> "name='"<\/span> +<\/span> name +<\/span> "', age="<\/span> +<\/span> age +<\/span> '}'<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>2. 序列化示例（SerializationTest.java）<\/h3> import<\/span> java.io.FileNotFoundException;<\/span> <\/span><\/span>import<\/span> java.io.FileOutputStream;<\/span> <\/span><\/span>import<\/span> java.io.IOException;<\/span> <\/span><\/span>import<\/span> java.io.ObjectOutputStream;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> SerializationTest<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> serialize<\/span>(<\/span>Object obj)<\/span> throws<\/span> IOException {<\/span> <\/span><\/span> ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span> <\/span><\/span> new<\/span> FileOutputStream(<\/span>"ser.bin"<\/span>));<\/span> <\/span><\/span> oos.<\/span>writeObject<\/span>(<\/span>obj);<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>oos);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception{<\/span> <\/span><\/span> Person person =<\/span> new<\/span> Person(<\/span>"aa"<\/span>,<\/span>22<\/span>);<\/span> <\/span><\/span> serialize(<\/span>person);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>关键代码解析：<\/p> ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));<\/code> 创建ObjectOutputStream<\/code>对象，用于将对象序列化成字节流<\/li> 写入名为"ser.bin"的文件（不存在则创建）<\/li> <\/ul> <\/li> oos.writeObject(obj);<\/code> 将传入的对象写入输出流，实现序列化<\/li> <\/ul> <\/li> <\/ul> 3. 反序列化示例（UnserializeTest.java）<\/h3> import<\/span> java.io.FileInputStream;<\/span> <\/span><\/span>import<\/span> java.io.IOException;<\/span> <\/span><\/span>import<\/span> java.io.ObjectInputStream;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> UnserializeTest<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> Object unserialize<\/span>(<\/span>String Filename)<\/span> <\/span><\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span> <\/span><\/span> ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span> <\/span><\/span> new<\/span> FileInputStream(<\/span>Filename));<\/span> <\/span><\/span> Object obj =<\/span> ois.<\/span>readObject<\/span>();<\/span> <\/span><\/span> return<\/span> obj;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception{<\/span> <\/span><\/span> Person person =<\/span> (<\/span>Person)<\/span>unserialize(<\/span>"ser.bin"<\/span>);<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>person);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>关键代码解析：<\/p> ObjectInputStream ois = new ObjectInputStream(new FileInputStream(Filename));<\/code> 创建ObjectInputStream<\/code>对象，用于从文件读取字节流并反序列化<\/li> <\/ul> <\/li> Object obj = ois.readObject();<\/code> 从输入流中读取对象字节流并反序列化为Java对象<\/li> <\/ul> <\/li> <\/ul> 四、安全风险与漏洞原理<\/h2> 1. 漏洞根源<\/h3> Java反序列化漏洞的根本原因与readObject<\/code>方法有关<\/li> 在反序列化过程中，readObject<\/code>方法中的代码会自动执行<\/li> <\/ul> 2. 危险示例<\/h3> private<\/span> void<\/span> readObject<\/span>(<\/span>ObjectInputStream ois)<\/span> <\/span><\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span> <\/span><\/span> ois.<\/span>defaultReadObject<\/span>();<\/span> \/\/ 默认反序列化逻辑 <\/span><\/span><\/span><\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span> \/\/ 恶意代码 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre> 当反序列化包含上述readObject<\/code>方法的对象时：先执行默认反序列化逻辑（defaultReadObject<\/code>）<\/li> 然后执行Runtime.getRuntime().exec("calc")<\/code>，启动计算器<\/li> <\/ol> <\/li> <\/ul> 3. 漏洞利用条件<\/h3> 攻击者能够控制反序列化的数据源<\/li> 目标应用中存在可被利用的类（包含危险方法的类）<\/li> 这些类在应用的classpath中<\/li> <\/ol> 五、防御措施<\/h2> 输入验证<\/strong>：不要反序列化不受信任的数据<\/li> 使用白名单<\/strong>：限制可反序列化的类<\/li> 使用替代方案<\/strong>：使用JSON、XML等更安全的序列化格式<\/li> 使用第三方安全库如SerialKiller<\/li> <\/ul> <\/li> 更新依赖<\/strong>：及时修复已知漏洞的库（如Apache Commons Collections）<\/li> 安全管理器<\/strong>：配置适当的安全策略<\/li> <\/ol> 六、审计要点<\/h2> 查找反序列化入口点<\/strong>：<\/p> ObjectInputStream.readObject()<\/code>调用<\/li> 网络通信、文件读取等可能接收外部输入的地方<\/li> <\/ul> <\/li> 检查可序列化类<\/strong>：<\/p> 检查readObject<\/code>、readResolve<\/code>等方法实现<\/li> 检查是否有危险操作（如命令执行、文件操作等）<\/li> <\/ul> <\/li> 检查依赖库<\/strong>：<\/p> 检查是否使用了已知存在漏洞的库版本<\/li> 如Apache Commons Collections、XStream等<\/li> <\/ul> <\/li> <\/ol> 七、实验验证<\/h2> 验证Serializable<\/code>接口必要性<\/p> 移除implements Serializable<\/code>观察序列化失败<\/li> <\/ul> <\/li> 验证transient<\/code>关键字效果<\/p> 添加transient<\/code>修饰符观察字段不被序列化<\/li> <\/ul> <\/li> 验证恶意readObject<\/code>方法<\/p> 添加命令执行代码观察反序列化时执行<\/li> <\/ul> <\/li> <\/ol> 八、总结<\/h2> Java反序列化漏洞是Java安全中的重要议题，其核心在于：<\/p> 反序列化过程会自动执行readObject<\/code>方法<\/li> 攻击者可通过构造恶意序列化数据触发危险操作<\/li> 防御需要从输入控制、类限制、安全编码等多方面入手<\/li> <\/ul> 理解这些基础知识是进行Java代码审计和漏洞挖掘的重要前提。<\/p>