2025-01-16 Update From: SLTechnology News&Howtos > Development
Shulou(Shulou.com)06/03 Report--
This article shares an example analysis of reflection and deserialization vulnerabilities in singleton patterns; the editor considers it practical and presents it here for reference.
Except for the enum-based singleton, the other four singleton implementations discussed under the singleton pattern all have both a reflection vulnerability and a deserialization vulnerability.
```java
package singleton;

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Constructor;

/**
 * crack singleton pattern by reflection and deserialization
 * @author weiyx15
 */
public class SingletonCrack {
    public static void main(String[] args) throws Exception {
        // normally create the singleton object
        SingletonLazy s1 = SingletonLazy.getInstance();
        SingletonLazy s2 = SingletonLazy.getInstance();
        System.out.println(s1);
        System.out.println(s2);

        // crack the singleton with reflection
        Class<SingletonLazy> cls = (Class<SingletonLazy>) Class.forName("singleton.SingletonLazy"); // get the SingletonLazy class
        Constructor<SingletonLazy> cons = cls.getDeclaredConstructor(); // get the private SingletonLazy constructor
        cons.setAccessible(true);                                      // skip the visibility check
        SingletonLazy s3 = cons.newInstance();                         // call the constructor to generate a new object
        SingletonLazy s4 = cons.newInstance();                         // call the constructor to generate another new object
        System.out.println(s3);
        System.out.println(s4);

        // crack the singleton with deserialization
        // (SingletonLazy, from the earlier singleton-pattern article, must implement Serializable for this part)
        FileOutputStream fos = new FileOutputStream("object.out"); // file output stream
        ObjectOutputStream oos = new ObjectOutputStream(fos);      // object output stream
        oos.writeObject(s1);                                       // serialize the object to the file
        oos.close();                                               // close the object output stream
        fos.close();                                               // close the file output stream
        FileInputStream fis = new FileInputStream("object.out");   // file input stream
        ObjectInputStream ois = new ObjectInputStream(fis);        // object input stream
        SingletonLazy s5 = (SingletonLazy) ois.readObject();       // deserialize the object from the file
        ois.close();                                               // close the object input stream
        fis.close();                                               // close the file input stream
        System.out.println(s5);
    }
}
```
Running result:
```text
singleton.SingletonLazy@15db9742 // s1
singleton.SingletonLazy@15db9742 // s2
singleton.SingletonLazy@6d06d69c // s3
singleton.SingletonLazy@7852e922 // s4
singleton.SingletonLazy@3b07d329 // s5
```
As the run results show, the private constructor can be obtained through reflection and used to instantiate two distinct objects, singleton.SingletonLazy@6d06d69c and singleton.SingletonLazy@7852e922. Deserialization likewise yields a new object, singleton.SingletonLazy@3b07d329.
Taking the lazy singleton implementation as an example, the fixes for the reflection and deserialization vulnerabilities are as follows:
```java
package singleton;

import java.io.ObjectStreamException;
import java.io.Serializable;

/**
 * lazy singleton pattern that eliminates reflection and deserialization vulnerabilities
 * @author weiyx15
 */
public class SingletonLazySafe implements Serializable {
    private static SingletonLazySafe instance;

    private SingletonLazySafe() {
        // prevents the reflection vulnerability: if the private constructor is called again
        // after the instance already exists, refuse to create a second one
        if (instance != null) {
            throw new RuntimeException(); // throw runtime exception
        }
    }

    public static synchronized SingletonLazySafe getInstance() {
        if (instance == null) {                  // if not instantiated yet, instantiate first
            instance = new SingletonLazySafe();  // instantiate the object
        }
        return instance;                         // return the instance after calling getInstance
    }

    /**
     * readResolve is called when the object is read from the ObjectInputStream;
     * returning the existing instance directly avoids re-instantiating the object
     * on deserialization
     * @return singleton object
     * @throws ObjectStreamException
     */
    private Object readResolve() throws ObjectStreamException {
        return instance;
    }
}
```
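To check that the two guards above actually hold, here is a self-contained example added by the editor (not code from the original article or its author): it applies both guards to a lazy singleton and then exercises the same reflection and serialization round trip as SingletonCrack, through a byte array instead of a file so it runs offline. The class and method names are the editor's own, and readResolve returns getInstance() rather than the bare field, a small variation on the article's version.

```java
import java.io.*;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
public class SingletonHardeningCheck {
    // Lazy singleton with both guards from the article applied (hypothetical class name).
    static final class HardenedSingleton implements Serializable {
        private static HardenedSingleton instance;
        private HardenedSingleton() {
            // Reflection guard: a second constructor call means getInstance() was bypassed.
            // Note: only effective once getInstance() has run; the enum form needs no guard at all.
            if (instance != null) throw new IllegalStateException("singleton already created");
        }
        static synchronized HardenedSingleton getInstance() {
            if (instance == null) instance = new HardenedSingleton();
            return instance;
        }
        // Deserialization guard: hand back the existing instance instead of the freshly read copy.
        private Object readResolve() throws ObjectStreamException {
            return getInstance();
        }
    }
    // True when the guard rejects a reflective constructor call.
    static boolean reflectionIsBlocked() throws Exception {
        HardenedSingleton.getInstance();
        Constructor<HardenedSingleton> cons = HardenedSingleton.class.getDeclaredConstructor();
        cons.setAccessible(true);
        try {
            cons.newInstance();
            return false;
        } catch (InvocationTargetException e) {
            // Constructor.newInstance wraps the exception thrown inside the constructor
            return e.getCause() instanceof IllegalStateException;
        }
    }
    // True when a serialize/deserialize round trip yields the very same instance.
    static boolean deserializationKeepsIdentity() throws Exception {
        HardenedSingleton original = HardenedSingleton.getInstance();
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bytes)) {
            oos.writeObject(original);
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            return ois.readObject() == original;
        }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("reflection blocked: " + reflectionIsBlocked());
        System.out.println("deserialization keeps identity: " + deserializationKeepsIdentity());
    }
}
```

Both checks print true; removing either guard flips the corresponding line to false, which makes this a quick regression test for any singleton that implements Serializable.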