Java反序列化绕WAF技巧及工具使用指南<\/h1>

一、Java与PHP反序列化差异<\/h2>

序列化流格式差异<\/strong>：<\/p>

Java序列化流格式比PHP复杂，包含大量二进制数据和复杂结构<\/li>
Java序列化性能优于PHP，特别是在传输大数据类型对象时<\/li> <\/ul> <\/li>

漏洞点差异<\/strong>：<\/p>

PHP反序列化漏洞多发生在处理反序列化的方法上（如__wakeup<\/code>绕过、fast destruct）<\/li>
Java反序列化漏洞多由复杂数据结构导致，常通过修改数据流绕过防御机制<\/li> <\/ul> <\/li> <\/ol> 二、Java反序列化绕WAF技巧<\/h2> Trick 1: 插入脏数据绕WAF<\/h3> 原理<\/strong>：利用WAF为性能考虑可能限制检测数据长度的特点，通过增加载荷长度绕过检测<\/p> 1.1 利用可序列化类包裹脏数据和恶意类<\/h4> 实现方式<\/strong>：<\/p> class<\/span> A<\/span> {<\/span> <\/span><\/span> public<\/span> String var1 =<\/span> "aaaaaaaaaaaaaa..."<\/span>;<\/span> \/\/ 垃圾数据 <\/span><\/span><\/span><\/span> public<\/span> Object var2 =<\/span> evil_object;<\/span> \/\/ 恶意对象 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>常用集合类<\/strong>：<\/p> ArrayList<\/li> LinkedList<\/li> HashMap<\/li> LinkedHashMap<\/li> TreeMap<\/li> <\/ul> 示例代码<\/strong>：<\/p> List<<\/span>Object><\/span> arrayList =<\/span> new<\/span> ArrayList<<\/span>Object>();<\/span> <\/span><\/span>arrayList.<\/span>add<\/span>(<\/span>dirtyData);<\/span> <\/span><\/span>arrayList.<\/span>add<\/span>(<\/span>gadget);<\/span> <\/span><\/span>new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"bypass.ser"<\/span>)).<\/span>writeObject<\/span>(<\/span>arrayList);<\/span> <\/span><\/span><\/code><\/pre>优点<\/strong>：可插入任意字符缺点<\/strong>：需要多反序列化两个对象，不够"优雅"<\/p> 1.2 利用序列化流结构-填充TC_RESET<\/h4> 序列化流结构<\/strong>：<\/p> stream: magic version contents contents: content contents content content: object blockdata object: newObject newClass newArray newString newEnum newClassDesc prevObject nullReference exception TC_RESET <\/code><\/pre> TC_RESET<\/strong>：<\/p> 定义为一个byte<\/li> 作用：标识byte，用于反序列化时重置handle表<\/li> handle表存储序列化流中"newHandle"结构<\/li> <\/ul> Java处理逻辑<\/strong>：<\/p> private<\/span> Object readObject0<\/span>(<\/span>boolean<\/span> unshared)<\/span> throws<\/span> IOException {<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> while<\/span> ((<\/span>tc =<\/span> bin.<\/span>peekByte<\/span>())<\/span> ==<\/span> TC_RESET)<\/span> {<\/span> <\/span><\/span> bin.<\/span>readByte<\/span>();<\/span> <\/span><\/span> handleReset();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>工具使用（SerializeJava）<\/strong>：<\/p> 输入序列化流base64编码或文件路径<\/li> 进入"Modify STREAM Data"模块<\/li> 勾选第一个功能，输入要插入的TC_RESET数量<\/li> 点击"change"生成新的序列化流base64编码<\/li> <\/ol> 优点<\/strong>：简单有效缺点<\/strong>：只能插入TC_RESET，可能被针对性防御<\/p> 1.3 利用序列化结构-array包裹<\/h4> 实现原理<\/strong>：<\/p> 读取classDesc中的长度，根据长度读取相应数据作为数组<\/li> 添加TC_ARRAY头，恶意对象放在数组最后，前面填充脏数据<\/li> <\/ul> 优点<\/strong>：插入数据任意，特征性不强工具支持<\/strong>：SerializeJava也支持这种填充方式<\/p> 1.4 其他序列化结构处理<\/h4> 参考文章：Java序列化中的脏数据策略:绕过WAF的战术分析-CSDN博客<\/a><\/p> Trick 2: 反序列化UTF解码导致的OverLong Encoding绕过<\/h3> 前置知识<\/h4> UTF编码<\/strong>：<\/p> UTF是Unicode的编码形式<\/li> Java内部使用UTF-16存储字符<\/li> 序列化\/反序列化使用修改版UTF-8<\/li> <\/ul> <\/li> 修改版UTF-8特点<\/strong>：<\/p> 空字符(U+0000)：标准UTF-8为1字节，修改版为2字节(0xC0 0x80)<\/li> 补充字符(U+10000及以上)：标准UTF-8用4字节，修改版用两个3字节编码(代理对)<\/li> <\/ul> <\/li> <\/ol> Java UTF解码实现<\/h4> private<\/span> long<\/span> readUTFSpan<\/span>(<\/span>StringBuilder sbuf,<\/span> long<\/span> utflen)<\/span> throws<\/span> IOException {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> while<\/span> (<\/span>pos <<\/span> stop)<\/span> {<\/span> <\/span><\/span> int<\/span> b1,<\/span> b2,<\/span> b3;<\/span> <\/span><\/span> b1 =<\/span> buf[<\/span>pos++]<\/span> &<\/span> 0xFF<\/span>;<\/span> <\/span><\/span> switch<\/span> (<\/span>b1 >><\/span> 4<\/span>)<\/span> {<\/span> <\/span><\/span> case<\/span> 0<\/span>:<\/span> case<\/span> 1<\/span>:<\/span> case<\/span> 2<\/span>:<\/span> case<\/span> 3<\/span>:<\/span> case<\/span> 4<\/span>:<\/span> case<\/span> 5<\/span>:<\/span> case<\/span> 6<\/span>:<\/span> case<\/span> 7<\/span>:<\/span> <\/span><\/span> \/\/ 1 byte format: 0xxxxxxx <\/span><\/span><\/span><\/span> cbuf[<\/span>cpos++]<\/span> =<\/span> (<\/span>char<\/span>)<\/span> b1;<\/span> <\/span><\/span> break<\/span>;<\/span> <\/span><\/span> case<\/span> 12<\/span>:<\/span> case<\/span> 13<\/span>:<\/span> <\/span><\/span> \/\/ 2 byte format: 110xxxxx 10xxxxxx <\/span><\/span><\/span><\/span> b2 =<\/span> buf[<\/span>pos++];<\/span> <\/span><\/span> if<\/span> ((<\/span>b2 &<\/span> 0xC0<\/span>)<\/span> !=<\/span> 0x80<\/span>)<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> UTFDataFormatException();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> cbuf[<\/span>cpos++]<\/span> =<\/span> (<\/span>char<\/span>)<\/span> (((<\/span>b1 &<\/span> 0x1F<\/span>)<\/span> <<<\/span> 6<\/span>)<\/span> |<\/span> ((<\/span>b2 &<\/span> 0x3F<\/span>)<\/span> <<<\/span> 0<\/span>));<\/span> <\/span><\/span> break<\/span>;<\/span> <\/span><\/span> case<\/span> 14<\/span>:<\/span> <\/span><\/span> \/\/ 3 byte format: 1110xxxx 10xxxxxx 10xxxxxx <\/span><\/span><\/span><\/span> b3 =<\/span> buf[<\/span>pos +<\/span> 1<\/span>];<\/span> <\/span><\/span> b2 =<\/span> buf[<\/span>pos +<\/span> 0<\/span>];<\/span> <\/span><\/span> pos +=<\/span> 2<\/span>;<\/span> <\/span><\/span> if<\/span> ((<\/span>b2 &<\/span> 0xC0<\/span>)<\/span> !=<\/span> 0x80<\/span> ||<\/span> (<\/span>b3 &<\/span> 0xC0<\/span>)<\/span> !=<\/span> 0x80<\/span>)<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> UTFDataFormatException();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> cbuf[<\/span>cpos++]<\/span> =<\/span> (<\/span>char<\/span>)<\/span> (((<\/span>b1 &<\/span> 0x0F<\/span>)<\/span> <<<\/span> 12<\/span>)<\/span> |<\/span> <\/span><\/span> ((<\/span>b2 &<\/span> 0x3F<\/span>)<\/span> <<<\/span> 6<\/span>)<\/span> |<\/span> <\/span><\/span> ((<\/span>b3 &<\/span> 0x3F<\/span>)<\/span> <<<\/span> 0<\/span>));<\/span> <\/span><\/span> break<\/span>;<\/span> <\/span><\/span> default<\/span>:<\/span> <\/span><\/span> throw<\/span> new<\/span> UTFDataFormatException();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>实现方式<\/h4> 生成字符组合表<\/strong>：<\/li> <\/ol> \/\/ 两个byte组合 <\/span><\/span><\/span><\/span>for<\/span> (<\/span>int<\/span> ch =<\/span> 0x20<\/span>;<\/span> ch <=<\/span> 0x7E<\/span>;<\/span> ch++)<\/span> {<\/span> <\/span><\/span> for<\/span> (<\/span>int<\/span> b1 =<\/span> 0xC0<\/span>;<\/span> b1 <=<\/span> 0xCF<\/span>;<\/span> b1++)<\/span> {<\/span> <\/span><\/span> for<\/span> (<\/span>int<\/span> b2 =<\/span> 0x80<\/span>;<\/span> b2 <=<\/span> 0xFF<\/span>;<\/span> b2++)<\/span> {<\/span> <\/span><\/span> char<\/span> generatedChar =<\/span> (<\/span>char<\/span>)<\/span> (((<\/span>b1 &<\/span> 0x1F<\/span>)<\/span> <<<\/span> 6<\/span>)<\/span> |<\/span> ((<\/span>b2 &<\/span> 0x3F<\/span>)<\/span> <<<\/span> 0<\/span>));<\/span> <\/span><\/span> if<\/span> (<\/span>generatedChar ==<\/span> ch)<\/span> {<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>printf<\/span>(<\/span>"\"%c\": {%#x, %#x},%n"<\/span>,<\/span> ch,<\/span> b1,<\/span> b2);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>\/\/ 三个byte组合 <\/span><\/span><\/span><\/span>for<\/span> (<\/span>int<\/span> ch =<\/span> 0x20<\/span>;<\/span> ch <=<\/span> 0x7E<\/span>;<\/span> ch++)<\/span> {<\/span> <\/span><\/span> for<\/span> (<\/span>int<\/span> b1 =<\/span> 0xE0<\/span>;<\/span> b1 <=<\/span> 0xEF<\/span>;<\/span> b1++)<\/span> {<\/span> <\/span><\/span> for<\/span> (<\/span>int<\/span> b2 =<\/span> 0x80<\/span>;<\/span> b2 <=<\/span> 0xFF<\/span>;<\/span> b2++)<\/span> {<\/span> <\/span><\/span> for<\/span> (<\/span>int<\/span> b3 =<\/span> 0x80<\/span>;<\/span> b3 <=<\/span> 0xFF<\/span>;<\/span> b3++)<\/span> {<\/span> <\/span><\/span> char<\/span> generatedChar =<\/span> (<\/span>char<\/span>)<\/span> (((<\/span>b1 &<\/span> 0x0F<\/span>)<\/span> <<<\/span> 12<\/span>)<\/span> |<\/span> <\/span><\/span> ((<\/span>b2 &<\/span> 0x3F<\/span>)<\/span> <<<\/span> 6<\/span>)<\/span> |<\/span> <\/span><\/span> ((<\/span>b3 &<\/span> 0x3F<\/span>)<\/span> <<<\/span> 0<\/span>));<\/span> <\/span><\/span> if<\/span> (<\/span>generatedChar ==<\/span> ch)<\/span> {<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>printf<\/span>(<\/span>"\"%c\": {%#x, %#x, %#x},%n"<\/span>,<\/span> ch,<\/span> b1,<\/span> b2,<\/span> b3);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre> 工具使用（SerializeJava）<\/strong>：在"UTF OverLong Encoding"模块勾选<\/li> 选择用2字符或3字符OverLong Encoding模式<\/li> 点击"change"生成<\/li> <\/ul> <\/li> <\/ol> 效果<\/strong>：将可读字符转变为不可读的字符流，有效绕过过滤可读字符的WAF<\/p> RFC 3629标准问题<\/strong>：<\/p> 标准中不允许某些byte出现<\/li> Java的2 byte编码以C0或C1开头，不符合标准<\/li> 但即使最新JDK(23.0.1)仍支持2 byte和3 byte的过长编码<\/li> <\/ul> Trick 3: 修改serialVersionUID<\/h3> 原理<\/strong>：<\/p> Java序列化要求类的serialVersionUID一致<\/li> 服务端必须使用同一版本对象的序列化流才能成功反序列化<\/li> <\/ul> 工具使用（SerializeJava）<\/strong>：<\/p> 输入序列化流<\/li> 点击"Change Class SerialVerionUID"的check按钮<\/li> 工具自动解析数据流结构，展示类名及其SerialVerionUID<\/li> 修改值后点击"change"生成新数据流<\/li> <\/ol> 示例<\/strong>：将BeanComparator的serialVersionUID从-3490850999041592962<\/code>改为-2044202215314119608<\/code>，使其兼容commons-beanutils1.9.2<\/p> 三、SerializeJava工具介绍<\/h2> 功能概述<\/h3> 集成展示JAVA序列化流结构<\/strong><\/li> 一键插入脏数据<\/strong><\/li> UTF过长编码绕WAF(Utf OverLoad Encoding)<\/strong><\/li> 修改类SerializeVersionUID功能<\/strong><\/li> <\/ol> 项目信息<\/h3> 项目地址：https:\/\/github.com\/byname66\/SerializeJava<\/a><\/li> 开发语言：Go<\/li> 借鉴项目：P神的Zkar<\/a><\/li> 特点：自写底层代码，增加功能并图形化<\/li> <\/ul> 四、总结<\/h2> 本文总结了Java语言"通用性"的绕WAF技巧<\/li> 针对特定组件、框架、CMS的Trick需要进一步探索<\/li> 工具SerializeJava持续维护，欢迎提出问题和建议<\/li> <\/ol> 注意<\/strong>：这些技术仅用于安全研究和授权测试，未经授权使用可能违反法律。<\/p>