Java deserialization vulnerability: an analysis of the principles - vulnerability warning - the black bar safety net

ID MYHACK58:62201890131
Type myhack58
Reporter 佚名 (anonymous)
Modified 2018-05-04T00:00:00


There are three things in the world that are hardest to do: put someone else's money into your own pocket, put your own ideas into someone else's head, and get your own code to run on someone else's server.

Foreword

Java deserialization vulnerabilities have been a focus of attention for some time now. Since the first vulnerability in Apache Commons Collections broke, Java deserialization vulnerability incidents have followed one after another. To understand the causes and principles of Java deserialization vulnerabilities, this article takes the ysoserial project as its basis and explains the principle of this class of vulnerability step by step from the perspective of an ordinary Java engineer. The article involves a lot of source code, so that developers are able to set up an experimental environment and reproduce the vulnerability quickly. Java deserialization vulnerabilities touch on a large amount of Java fundamentals, and the exploitation process is intricate, so many code snippets are pasted in to articulate the principle.

Core elements

Java deserialization and ObjectInputStream

In Java, when an object is read with the readObject method of ObjectInputStream and the target class has overridden readObject, the target class's readObject method is invoked. The following code demonstrates this:

    import java.io.*;

    public class ReadObject implements Serializable {

        // Called by ObjectInputStream while the object is being deserialized
        private void readObject(java.io.ObjectInputStream stream) throws IOException, ClassNotFoundException {
            System.out.println("read object in ReadObject");
        }

        public static void main(String[] args) throws IOException, ClassNotFoundException {
            byte[] serializeData = serialize(new ReadObject());
            deserialize(serializeData);
        }

        // Object -> bytes
        public static byte[] serialize(final Object obj) throws IOException {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            ObjectOutputStream objOut = new ObjectOutputStream(out);
            objOut.writeObject(obj);
            return out.toByteArray();
        }

        // bytes -> Object; this is where the class's own readObject runs
        public static Object deserialize(final byte[] serialized) throws IOException, ClassNotFoundException {
            ByteArrayInputStream in = new ByteArrayInputStream(serialized);
            ObjectInputStream objIn = new ObjectInputStream(in);
            return objIn.readObject();
        }
    }

The above code outputs:

    read object in ReadObject

Evidently, if the target object's readObject performs more complex operations during deserialization, it may well provide an opening for malicious code.

Using Java reflection to execute code

The Java reflection mechanism provides Java developers with a great deal of convenience, but it also brings potential security risks. Reflection lets us step past Java's own static checks and type constraints and, at run time, directly access and modify the target object's properties and state. The four core classes of Java reflection are Class, Constructor, Field and Method, as shown in the following code, where we use reflection to launch the local calculator:

    public static void main(String[] args) throws Exception {
        // Equivalent to Runtime.getRuntime(), expressed entirely through strings
        Object runtime = Class.forName("java.lang.Runtime")
                .getMethod("getRuntime", new Class[]{})
                .invoke(null);
        // Equivalent to runtime.exec("calc.exe")
        Class.forName("java.lang.Runtime")
                .getMethod("exec", String.class)
                .invoke(runtime, "calc.exe");
    }

In the code above, we use reflection to express what the code is meant to do in the form of strings, so that what was supposed to be a string attribute turns into code-execution logic. This mechanism is also the premise for our subsequent exploitation of the vulnerability.

Start from zero

To explain the principle of the Java deserialization vulnerability as clearly as possible, in this chapter we take the perspective of an attacker exploiting the vulnerability and observe how a Java deserialization vulnerability is used.

Environment

To complete the experiment you need to add the following versions of the library dependencies:

    <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-collections4</artifactId>
        <version>4.0</version>
    </dependency>
    <dependency>
        <groupId>commons-collections</groupId>
        <artifactId>commons-collections</artifactId>
        <version>3.1</version>
    </dependency>
    <dependency>
        <groupId>org.javassist</groupId>
        <artifactId>javassist</artifactId>
        <version>3.22.0-GA</version>
    </dependency>

Target

For the attack we need to simulate a target. The target code is as follows; its main function listens on a local port and deserializes the data received on that port. The execute method, which reads the data from the socket and deserializes it, continues beyond this excerpt.

    import java.io.*;
    import java.net.*;

    public static void main(String[] args) throws IOException {
        // Listen on local port 10000 and hand every connection to execute()
        ServerSocket server = new ServerSocket(10000);
        while (true) {
            Socket socket = server.accept();
            execute(socket);
        }
    }
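The readObject and target-server sections above show the property that makes this class of bug dangerous: ObjectInputStream instantiates whatever class the incoming bytes name and runs that class's readObject before the application sees the object. The following is an added example for defenders, not code from the original article or from ysoserial. It overrides resolveClass so that the class name is checked against an explicit allow list before the class is loaded or instantiated. The class name SafeDeserializeDemo, the Greeting and Unexpected types and the entries on the allow list are all constructed for this demonstration.

```java
import java.io.*;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/*
 * Added example (not from the original article): a deserialization entry point
 * that refuses every class not on an explicit allow list.
 * All class names below are assumptions made for this demo.
 */
public class SafeDeserializeDemo {

    // Only these classes may be materialised from untrusted bytes (constructed list).
    static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "SafeDeserializeDemo$Greeting"));

    /** Harmless data carrier that the application actually expects to receive. */
    public static class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        String text;
        Greeting(String text) { this.text = text; }
    }

    /** A class the application does not expect; its readObject runs custom logic during deserialization. */
    public static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("custom readObject ran");
        }
    }

    /** ObjectInputStream that checks the class name BEFORE the class is resolved or instantiated. */
    static class AllowListObjectInputStream extends ObjectInputStream {
        AllowListObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                // Rejecting here means the class's readObject can never run
                throw new InvalidClassException(desc.getName(), "class not on deserialization allow list");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(out)) {
            oos.writeObject(obj);
        }
        return out.toByteArray();
    }

    static Object safeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected type passes the check and is returned normally.
        Greeting g = (Greeting) safeDeserialize(serialize(new Greeting("hello")));
        System.out.println("accepted: " + g.text);

        // Unexpected type is rejected before its readObject() gets a chance to run.
        try {
            safeDeserialize(serialize(new Unexpected()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running the class prints "accepted: hello" followed by a "rejected:" line naming SafeDeserializeDemo$Unexpected; the "custom readObject ran" message never appears because the stream is refused at class-resolution time. The same check can be applied to the target server above by constructing the allow-list stream around the socket's input stream. On Java 9 and later the JDK offers the built-in equivalent from JEP 290: ObjectInputStream.setObjectInputFilter with a filter built by ObjectInputFilter.Config.createFilter (for example the pattern "SafeDeserializeDemo$Greeting;!*"), or the process-wide jdk.serialFilter system property.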
