JAVA serialization and deserialization and vulnerability remediation

ID MYHACK58:62201570503
Type myhack58
Reporter Anonymous (佚名)
Modified 2015-12-29T00:00:00


Last week, network security staff were once again caught off guard by the black market: Joomla disclosed a high-risk 0day that can be triggered without any user login. Before Joomla published the upgraded version and the patch, the exploit had already been circulating in various underground black-industry chains for some time, and I am afraid quite a few websites were compromised by it. The entry point for the malicious code is the User-Agent string, which every browser advertises so that a site knows the visitor's technical setup and can serve the best-suited version. This string is stored in the Joomla database, but it was not sanitized to detect malicious content. An attacker able to send a forged User-Agent string, using a special app or script, can easily build a custom string with malicious code attached; the security risk lies in the PHP session being stored in serialized form.

For an analysis of a related PHP remote code execution vulnerability, see: vBulletin5 remote code execution vulnerability analysis

What are Java serialization and deserialization?

In many existing applications some objects need to be serialized so that they can leave memory and be kept on the physical disk for long-term storage; the most common case is the Session object of a web server. Object serialization has two general uses: persisting the object's byte sequence to disk, usually in a designated file, or transmitting the object's byte sequence over the network.

The reverse process, recovering the object from the byte sequence, is called object deserialization. When two processes communicate remotely they can exchange data of many types, but whatever the type, it travels over the network as a binary sequence. The sender has to convert its Java object into a byte sequence for transmission, and the receiver has to take that byte sequence and restore it into a Java object.


In fact, the binary representation of data structures and objects differs from one computer language to another. In a fully object-oriented language like Java, everything the programmer manipulates is an object instantiated from a class.

Examples of Java serialization and deserialization

In Java, the concept closest to a plain data structure is the POJO (Plain Old Java Object, or JavaBean). Since most readers are familiar with Java, it is used here as the example language for serialization and deserialization.


import java.io.*;
import java.text.MessageFormat;

// The POJO being serialized. The class name was lost in the original
// listing; "Person" is assumed here. A class must implement Serializable
// before ObjectOutputStream will write its instances.
class Person implements Serializable {
    private static final long serialVersionUID = 1L;
    private String name;
    private String sex;
    private int age;
    private String hobby;

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
    public String getSex() { return sex; }
    public void setSex(String sex) { this.sex = sex; }
    public int getAge() { return age; }
    public void setAge(int age) { this.age = age; }
    public String getHobby() { return hobby; }
    public void setHobby(String hobby) { this.hobby = hobby; }
}

public class SerializeDemo {

    public static void main(String[] args) throws Exception {
        SerializeObject();                  // serialize the object to disk
        Person o = DeserializeObject();     // restore it from the byte stream
        System.out.println(MessageFormat.format("name={0},sex={1},age={2},hobby={3}",
                o.getName(), o.getSex(), o.getAge(), o.getHobby()));
    }

    /**
     * MethodName: SerializeObject
     * Description: serialize the object
     * @author Haom
     * @throws FileNotFoundException
     * @throws IOException
     */
    private static void SerializeObject() throws FileNotFoundException, IOException {
        Person object = new Person();
        object.setName("haom");
        object.setSex("Female");
        object.setAge(18);
        object.setHobby("Taekwondo");
        // ObjectOutputStream writes the object's byte sequence into the file
        // M:/object.txt; that write is the serialization step.
        ObjectOutputStream oo = new ObjectOutputStream(
                new FileOutputStream(new File("M:/object.txt")));
        oo.writeObject(object);
        System.out.println("Object Serialization success!");
        oo.close();
    }

    /**
     * MethodName: DeserializeObject
     * Description: deserialize the object
     * @author Haom
     * @throws Exception
     */
    private static Person DeserializeObject() throws Exception {
        ObjectInputStream ois = new ObjectInputStream(
                new FileInputStream(new File("M:/object.txt")));
        // readObject() rebuilds whatever class the stream names; the cast
        // only checks the result after the object already exists.
        Person object = (Person) ois.readObject();
        System.out.println("Object deserialization success!");
        ois.close();
        return object;
    }
}
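The DeserializeObject method above, like any plain ObjectInputStream fed bytes from disk or from the network described earlier, reconstructs whatever class the byte stream names before the caller's cast ever runs. The following is an added example, not the article's code (the names SafeDeserializeDemo, Note, Unexpected and AllowListObjectInputStream are assumptions chosen for the demo): an ObjectInputStream subclass that checks every class descriptor against an allow-list in resolveClass(), so a stream naming any other class is rejected before an instance of it is built.

```java
import java.io.*;
import java.util.Set;

// Added example, not from the article. Demonstrates restricting which classes
// ObjectInputStream may reconstruct; all class names here are assumptions.
public class SafeDeserializeDemo {

    // A harmless data holder we are willing to accept from a byte stream.
    static class Note implements Serializable {
        private static final long serialVersionUID = 1L;
        String text;
        Note(String text) { this.text = text; }
    }

    // Stand-in for any class the receiver did NOT intend to accept.
    static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        String payload = "should never be reconstructed";
    }

    // ObjectInputStream calls resolveClass() for each class descriptor it reads,
    // before creating an instance of that class. Vetoing here means an unlisted
    // class never gets its readObject()/readResolve() logic executed.
    static class AllowListObjectInputStream extends ObjectInputStream {
        // java.lang.String fields need no entry: strings are written with their
        // own stream tag and never pass through resolveClass().
        private static final Set<String> ALLOWED = Set.of(Note.class.getName());

        AllowListObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(),
                        "class not on deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    // Serialize any object to a byte array (stands in for a file or a socket).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize through the allow-listing stream.
    static Object deserializeChecked(byte[] bytes)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                     new AllowListObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input 1: an object of the expected type round-trips.
        Note note = (Note) deserializeChecked(serialize(new Note("hello")));
        System.out.println("accepted: " + note.text);

        // Constructed input 2: a stream naming an unlisted class is refused
        // while its class descriptor is read, before any instance exists.
        try {
            deserializeChecked(serialize(new Unexpected()));
            System.out.println("BUG: unlisted class was reconstructed");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SafeDeserializeDemo.java && java SafeDeserializeDemo` (Java 9 or later for Set.of). The key design point is where the check sits: a cast after readObject(), as in the article's DeserializeObject, runs only after the object has been fully constructed, whereas resolveClass() runs while the class descriptor is still being read.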
