Weblogic反序列化在各大论坛的讨论一直是轰轰烈烈的,引发本漏洞其实并不能怪java的反序列化机制.
测试漏洞存在,应朋友的要求帮忙做个补救,翻遍网上大牛们的技术贴,有两种临时补救的方法,但是尝试过之后对应用有影响,放弃!
今天找到某牛写的贴子,里面提到可以自己禁止JVM 执行系统命令,经过一番研究,写了个servlet 放在系统里面跑了一下,成功防御,直接贴出代码:
import java.io.FilePermission; import java.io.IOException; import java.io.PrintWriter; import java.security.Permission; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; public class KriSecurityServlet extends HttpServlet { /** * Constructoroftheobject. */ public KriSecurityServlet() { super(); } public void destroy() { super.destroy(); // Justputs"destroy"stringinlog // Putyourcodehere } public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { this.doPost(request, response); } public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.setContentType("text/html"); PrintWriter out = response.getWriter(); out.println("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">"); out.println("<HTML>"); out.println(" <HEAD><TITLE>Errot</TITLE></HEAD>"); out.println(" <BODY>"); out.println("Security denied!!!"); out.println(" </BODY>"); out.println("</HTML>"); out.flush(); out.close(); } public void init() throws ServletException { SecurityManager originalSecurityManager = System.getSecurityManager(); if (originalSecurityManager == null) { // 创建自己SecurityManager SecurityManager sm = new SecurityManager() { private void check(Permission perm) { // 禁止exec if (perm instanceof FilePermission) { String actions = perm.getActions(); if (actions != null && actions.contains("execute")) { System.out.println("警告:>>检测到 weblogic 反序列化***..."); throw new SecurityException("execute denied!"); } } // 禁止设置新的SecurityManager,保护自己 if (perm instanceof java.lang.RuntimePermission) { String name = perm.getName(); if (name != null && name.contains("setSecurityManager")) { System.out.println("警告:<<检测到 weblogic 反序列化***..."); throw new SecurityException("System.setSecurityManager denied!"); } } } public void checkPermission(Permission perm) { check(perm); } public void checkPermission(Permission perm, Object context) { check(perm); } }; System.setSecurityManager(sm); } } }
//web.xml 配置文件中添加如下内容: <servlet> <servlet-name>MySecurityServlet</servlet-name> <servlet-class>MySecurityServlet</servlet-class> <load-on-startup>0</load-on-startup> </servlet> <servlet-mapping> <servlet-name>MySecurityServlet</servlet-name> <url-pattern>/servlet/MySecurityServlet</url-pattern> </servlet-mapping>