Java deserialization vulnerabilities and detailed examples

Table of contents

1. Serialization and deserialization

Serialization

Deserialization

Uses

2. Java deserialization vulnerability

Where the data appears

Entry-point functions

Vulnerability discovery

Exploitation

3. Java serialization and deserialization demonstration

4. Shooting range demonstration


1. Serialization and deserialization

Serialization

        The process of converting a Java object into a sequence of bytes (byte stream).

Deserialization

        The process of restoring a sequence of bytes (byte stream) to a Java object.

Uses

  • Permanently saving the object's byte sequence to disk, usually as a file (object persistence).
  • Transferring the object's byte sequence over the network (network transfer of objects).

2. Java deserialization vulnerability

Where the data appears

1. Functional areas:
        Deserialization is commonly used when importing template files, in network communication, data transmission, formatted log storage, object counting,
and business scenarios such as storing data on disk or in a database. A code audit therefore focuses on these functional areas.
2. Data characteristics:
        If a piece of data starts with rO0AB, it is almost certainly Java serialized data encoded in Base64;
        if it starts with ACED, it is the hexadecimal representation of Java serialized data.
3. Specific locations:
        HTTP parameters, cookies and session data, which may be stored as plain Base64 (rO0), gzip-compressed Base64 (H4s), MII and other encodings; Servlets (HTTP), Sockets and session managers; the protocols involved include JMX, RMI, JMS, JNDI, etc. (\xac\xed); XML deserializers such as XStream and XMLDecoder (HTTP body with Content-Type: application/xml); and JSON libraries (Jackson, Fastjson) used on the HTTP request.
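The data characteristics above (the rO0AB Base64 prefix, the ACED hex prefix and the H4s gzip-compressed form) can be checked mechanically, which is useful when triaging parameters, cookies or logs for an audit. The following detector is an added example written for this page, not code from the original post; the sample values it tests against are constructed inline and the class and method names are my own.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.util.Base64;
import java.util.zip.GZIPInputStream;

/** Added example: flags values that carry the Java serialization stream header (AC ED 00 05). */
public final class SerializedDataDetector {

    // STREAM_MAGIC (0xACED) followed by STREAM_VERSION (0x0005)
    private static final byte[] MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};

    public enum Encoding { RAW, BASE64, GZIP_BASE64, HEX, NONE }

    /** Raw bytes, e.g. an HTTP body or a file read from disk. */
    public static Encoding detect(byte[] data) {
        return startsWithMagic(data) ? Encoding.RAW : Encoding.NONE;
    }

    /** Text form, e.g. a cookie or request parameter value. */
    public static Encoding detect(String value) {
        if (value == null) return Encoding.NONE;
        String v = value.trim();
        // Hex form: "ACED0005..." (case-insensitive)
        if (v.length() >= 8 && v.regionMatches(true, 0, "aced0005", 0, 8)) return Encoding.HEX;
        // Plain Base64: the four magic bytes always encode to the prefix "rO0AB"
        if (v.startsWith("rO0AB")) {
            return startsWithMagic(decodeBase64(v)) ? Encoding.BASE64 : Encoding.NONE;
        }
        // Gzip-compressed Base64: the gzip header 1F 8B 08 encodes to "H4sI";
        // inflate only the first four bytes so a hostile input cannot blow up memory
        if (v.startsWith("H4sI")) {
            return startsWithMagic(gunzipPrefix(decodeBase64(v), MAGIC.length))
                    ? Encoding.GZIP_BASE64 : Encoding.NONE;
        }
        return Encoding.NONE;
    }

    static boolean startsWithMagic(byte[] data) {
        if (data == null || data.length < MAGIC.length) return false;
        for (int i = 0; i < MAGIC.length; i++) {
            if (data[i] != MAGIC[i]) return false;
        }
        return true;
    }

    private static byte[] decodeBase64(String s) {
        try {
            return Base64.getDecoder().decode(s);
        } catch (IllegalArgumentException e) {
            return new byte[0]; // not valid Base64, so not a Base64-wrapped stream
        }
    }

    private static byte[] gunzipPrefix(byte[] gz, int n) {
        try (GZIPInputStream in = new GZIPInputStream(new ByteArrayInputStream(gz))) {
            byte[] out = new byte[n];
            int read = in.readNBytes(out, 0, n);
            return read == n ? out : new byte[0];
        } catch (IOException e) {
            return new byte[0];
        }
    }

    public static void main(String[] args) {
        // Constructed sample values for the demo
        byte[] raw = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05, 0x74, 0x00, 0x02, 'h', 'i'};
        String base64 = Base64.getEncoder().encodeToString(raw);   // "rO0ABXQAAmhp"
        String hex = "aced0005740002";
        String plainCookie = "JSESSIONID=abc123";

        System.out.println(detect(raw));          // RAW
        System.out.println(detect(base64));       // BASE64
        System.out.println(detect(hex));          // HEX
        System.out.println(detect(plainCookie));  // NONE
    }
}
```

The check is a prefix match only: it tells you that a value is a Java serialization stream, not whether the stream is dangerous, so it belongs in an audit script or a request-inspection rule that flags values for review rather than in a blocking filter on its own.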

Entry-point functions

1. Java:
        The Serializable and Externalizable interfaces, fastjson, jackson, gson, ObjectInputStream.readObject, ObjectInputStream.readUnshared, XMLDecoder.readObject, Yaml.load, XStream.fromXML, ObjectMapper.readValue, JSON.parseObject, etc.
2. PHP:
        serialize() and unserialize().
3. Python:
        pickle.

Vulnerability discovery

1. Black-box analysis:

        Find where serialized data appears and check it against the data characteristics above.

2. White-box analysis:

        Review component security (vulnerable library versions), search for the entry-point functions listed above, and examine the functional modules that use them.

Exploitation

        ysoserial, distributed as an all-in-one jar, generates the payloads, and dedicated exploitation tools are also available.

3. Java serialization and deserialization demonstration

<Part 1>

1. Show the code that will be used.

2. Run the serialization part of the code; the specified file appears under the specified path and contains the serialized content.

3. Open the serialized content with a viewer; the header bytes are ACED.

4. Run the deserialization part of the code; deserialization succeeds and the original content is returned.

5. From this we can conclude that if the content of the file being deserialized is replaced with malicious data, the deserializing side can be made to carry out malicious actions.
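The two halves of this demonstration, writing an object to a file and reading it back, plus the ACED header check from step 3, are shown below as one runnable program. This is an added example written for this page, not the post's own demo code; the Person class is a constructed sample type and the file names are my own. It also goes one step beyond the post by deserializing through a java.io.ObjectInputFilter allowlist (Java 9+), which is the standard mitigation for the conclusion in step 5: a stream that names any class other than the expected one is rejected before any object is created.

```java
import java.io.InvalidClassException;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Date;

// Constructed sample type for the demo (assumption: not a class from the original post)
class Person implements Serializable {
    private static final long serialVersionUID = 1L;
    final String name;
    final int age;

    Person(String name, int age) { this.name = name; this.age = age; }

    @Override public String toString() { return name + " (" + age + ")"; }
}

public class SerializationDemo {

    // Allowlist filter: only Person and String may be rehydrated, with depth and size
    // limits; "!*" rejects every other class before its constructor-less instantiation.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "Person;java.lang.String;maxdepth=4;maxbytes=4096;!*");

    /** Serialization: Java object -> byte stream on disk. */
    static void serialize(Object obj, Path file) throws IOException {
        try (ObjectOutputStream out = new ObjectOutputStream(Files.newOutputStream(file))) {
            out.writeObject(obj);
        }
    }

    /** The first four bytes of any Java serialization stream: AC ED 00 05. */
    static String headerHex(Path file) throws IOException {
        byte[] b = Files.readAllBytes(file);
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < Math.min(4, b.length); i++) {
            sb.append(String.format("%02X", b[i]));
        }
        return sb.toString();
    }

    /** Deserialization with the allowlist applied: byte stream -> Java object. */
    static Object deserializeFiltered(Path file) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(Files.newInputStream(file))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("serdemo");

        // Steps 2-4: write, inspect the header, read back
        Path personFile = dir.resolve("person.ser");
        serialize(new Person("alice", 30), personFile);
        System.out.println("header: " + headerHex(personFile));          // ACED0005
        System.out.println("restored: " + deserializeFiltered(personFile)); // alice (30)

        // Step 5, mitigated: a stream naming an unexpected class is refused.
        // java.util.Date is harmless; it stands in for whatever an attacker would substitute.
        Path otherFile = dir.resolve("other.ser");
        serialize(new Date(0), otherFile);
        try {
            deserializeFiltered(otherFile);
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

Run it with `java SerializationDemo.java` on Java 11 or later. The filter pattern is deliberately narrow; in a real service the allowlist should name exactly the application's own serializable types, and the same filter can be applied JVM-wide with the `jdk.serialFilter` system property so that no code path is left unfiltered.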

<Part 2>

1. A tool is used here that can generate some payloads.

2. Open the tool.

3. The field after it is empty: no other packages are needed, only Java's native classes.

4. First obtain an address from the following website.

5. Run the following command in the tool.

6. In the target path you can see the generated file and the serialized content inside it.

7. Check it with the viewer; the header bytes are ACED.

8. Place a.txt in the directory used by the deserialization code just shown.

9. Replace the normally deserialized file with the file we just generated using the tool.

10. Execute the serializer.

11. You can see that the request has been received successfully on the website.

12. What happened here?

        We replaced the original object data with data that makes an HTTP request. When the other side deserializes it, it processes our replaced data and the HTTP request is made.

4. Shooting range demonstration

1. Start the shooting range.

2. Enter the shooting range and select the corresponding level.

3. You can see that the given serialized data starts with rO0AB, which is Java serialized data encoded in Base64.

4. Use the tool to generate the payload.

5. The generated file appears in the directory again.

6. The generated content is as follows.

7. Because the source code Base64-decodes the serialized content, we also need to Base64-encode it once; the following code does the encoding.

8. The encoded content is as follows.

9. Paste the content into the range.

10. After clicking Submit, you can see that the command that launches the calculator has been executed successfully.

Source: blog.csdn.net/weixin_62808713/article/details/130042758