Table of contents
1. Serialization and deserialization
2. Java deserialization vulnerability
3. Java serialization and deserialization demonstration
4. Practice range (lab) demonstration
1. Serialization and deserialization
Serialization: the process of converting a Java object into a sequence of bytes (a byte stream).
Deserialization: the process of restoring a sequence of bytes (a byte stream) into a Java object.
Uses
- Persisting the object's byte sequence to disk, usually as a file (object persistence).
- Transferring the object's byte sequence over the network (network transmission of objects).
2. Java deserialization vulnerability
What to look for: where serialized data appears, and which functional interfaces consume it.
Vulnerability discovery
1. Black-box analysis: find where the data appears and observe the data's characteristics.
2. White-box analysis: component security, function search, and functional modules.
Exploitation
Ysoserial provides an integrated jar package that generates payloads, and dedicated exploit tools are also available.
3. Java serialization and deserialization demonstration
<Part 1>
2. Run the serialization part of the code; the specified file is generated at the specified path and contains the serialized content.
3. Inspect the serialized content with a tool; the header bytes are ACED.
4. Run the deserialization part of the code; deserialization succeeds and the original content is returned.
5. From this we can conclude that if the content of the file being deserialized is replaced with malicious code, certain malicious behaviour can be achieved.
<Part 2>
1. A tool that supports generating some payloads is used here.
2. Open the tool.
3. The field after it is left empty: no other packages are needed, only Java's native classes.
4. First go to the following website to obtain an address.
5. Run the following command in the tool.
6. Go to the target path; the generated file and the serialized content in the file can be seen.
7. Inspect it with the tool; the header bytes are ACED.
8. Place a.txt in the directory used for deserialization earlier.
9. Replace the normal deserialized file with the file just generated by the tool.
10. Execute the serializer.
11. The data can be seen to have been received successfully on the website.
12. What happened here?
The original serialized data was replaced with data that makes an HTTP request. When the other side deserializes it, it executes our modified data and the HTTP request is made.
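The round trip from Part 1 and the reason the deserializing side ends up acting on whatever the stream contains, as an added Java example that is not part of the original tutorial. It checks the ACED stream magic and then reads the stream through a Java 9+ ObjectInputFilter, so a stream that does not describe the expected class is rejected before any of it is resolved. The Message class, the filter pattern and the ArrayList stand-in for a replaced file are constructed for this example.

```java
import java.io.*;
import java.util.ArrayList;

public class SerializationDemo {
    // Serialize to a byte array; the tutorial writes the same bytes to a file.
    static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    // Stream magic 0xACED followed by version 0x0005: the "ACED" header seen in the
    // hex viewer, "rO0AB" once base64-encoded. Handy for spotting serialized input.
    static boolean hasJavaSerialMagic(byte[] data) {
        return data.length >= 4 && (data[0] & 0xFF) == 0xAC && (data[1] & 0xFF) == 0xED
            && data[2] == 0x00 && data[3] == 0x05;
    }

    // Hardened deserialization (Java 9+): the ObjectInputFilter allows only Message and
    // "!*" rejects every other class, so a swapped-in stream fails with InvalidClassException.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("Message;!*"));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new Message("hello"));
        System.out.println("magic present: " + hasJavaSerialMagic(good));              // true
        System.out.println("round trip: " + ((Message) deserializeFiltered(good)).text); // hello

        // A stream of some other class (constructed stand-in for a replaced file) is rejected.
        byte[] other = serialize(new ArrayList<String>());
        try {
            deserializeFiltered(other);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}

// Constructed sample class standing in for the object serialized in Part 1.
class Message implements Serializable {
    private static final long serialVersionUID = 1L;
    String text;
    Message(String text) { this.text = text; }
}
```

Run with `java SerializationDemo.java` (Java 11+); an unfiltered ObjectInputStream would have resolved the ArrayList stream without complaint.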
4. Practice range (lab) demonstration
1. Start the practice range.
2. Enter the range and select the corresponding level.
3. The given serialized data starts with rO0AB, which is base64-encoded Java serialized data.
4. Use the tool to generate the payload.
5. The generated file can again be seen in the directory.
6. The generated content is as follows.
7. Because the source code base64-decodes the serialized content, we also need to base64-encode it once; use the following code for the encoding.
8. The encoded content is as follows.
9. Paste the data into the range.
10. After clicking Submit, the command that launches the calculator can be seen to have run successfully.