Finding serializable classes
To hunt for deserialization vulnerabilities, you first have to find the entry point. A class that can be deserialized must implement the Serializable interface, and it will normally also declare a serialVersionUID field, so the code analysis can start either by looking for that field or by looking for classes that implement Serializable.
- TypeSerializable: the class representing java.io.Serializable, declared in the JDK
- instanceof: type assertion
- fromSource: predicate restricting results to classes from the project's own source, excluding the JDK's built-in classes
- getASupertype: recursion over the parent (super) types
<pre class="prettyprint">import java

/* Find serializable classes: those that implement the Serializable interface */
from Class cl
where
  cl.getASupertype() instanceof TypeSerializable /* a direct supertype is Serializable; getAnAncestor() would also match classes that inherit it indirectly */
  and cl.fromSource() /* restrict to project source */
select cl /* query statement */
</pre>
Clicking a result in the query output shows the corresponding source code.
Finding where the User class is instantiated
Use RefType.hasQualifiedName(string packageName, string className) to identify the class with a given package name and class name; here a class extending RefType is used to make the query more readable. For example, the two QL snippets below are equivalent:
<pre class="prettyprint">import java

from RefType r
where r.hasQualifiedName("com.summersec.shiroctf.bean", "User")
select r</pre>
<pre class="prettyprint">import java

/* Find the places where User is instantiated */
class MyUser extends RefType {
  MyUser() { this.hasQualifiedName("com.summersec.shiroctf.bean", "User") }
}

from ClassInstanceExpr clie
where clie.getType() instanceof MyUser
select clie
</pre>
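The two queries above can be combined into one that does not depend on a hard-coded class name. The following CodeQL query is an added example, not code from the original post: it first collects every project class that is serializable by either route the text mentions (an ancestor type is Serializable, or the class declares a serialVersionUID field), then reports every instantiation of such a class together with the method it sits in. The class name SerializableSourceClass and the predicate getEvidence are assumptions introduced here; the library predicates used (getAnAncestor, fromSource, hasName, isStatic, isFinal, getConstructedType, getSourceDeclaration, getEnclosingCallable) are standard CodeQL Java library predicates.

```ql
import java

/* Added example, not from the original post: generalise the two queries above.
 * A class counts as serializable if any ancestor type is Serializable (getAnAncestor()
 * also catches classes that inherit Serializable through a superclass, which a direct
 * getASupertype() check misses) or, as a weaker indicator worth reviewing, if it
 * declares a static final serialVersionUID field. */
class SerializableSourceClass extends Class {
  SerializableSourceClass() {
    this.fromSource() and
    (
      this.getAnAncestor() instanceof TypeSerializable
      or
      exists(Field f |
        f.getDeclaringType() = this and
        f.hasName("serialVersionUID") and
        f.isStatic() and
        f.isFinal()
      )
    )
  }

  /* How the class was identified, so results can be triaged. */
  string getEvidence() {
    if this.getAnAncestor() instanceof TypeSerializable
    then result = "implements Serializable"
    else result = "declares serialVersionUID only"
  }
}

/* Every `new` of such a class in project code, with the callable it appears in.
 * getSourceDeclaration() maps a parameterised type such as Box<String> back to Box. */
from ClassInstanceExpr clie, SerializableSourceClass cl, Callable caller
where
  clie.getConstructedType().getSourceDeclaration() = cl and
  clie.getEnclosingCallable() = caller and
  clie.getFile().fromSource()
select clie, cl.getQualifiedName(), cl.getEvidence(), caller.getQualifiedName()
```

Run against the same database, this query lists the IndexController instantiation of User alongside any other serializable project class being constructed. Classes that only declare serialVersionUID without a Serializable ancestor are not actually deserializable; they are reported separately so a reviewer can check whether the interface was removed or the field is a leftover.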
This shows that the User class is instantiated at line 59 of the IndexController class.
IndexController :
<pre class="prettyprint hlj