Shulou(Shulou.com)06/01 Report--

Java deserialization principle-Demo (1) 0x00 what is java serialization and deserialization?

Java serialization refers to the process of converting Java objects into byte sequences that can be easily saved in memory, files, and databases. The writeObject () method of the ObjectOutputStream class can be serialized.

Java deserialization refers to the process of restoring a byte sequence to a Java object, and the readObject () method of the ObjectInputStream class is used for deserialization.

Analysis of the principle of 0x01 java Anti-sequence vulnerability

First define a user class that inherits Serializable

Package test;import java.io.IOException;import java.io.Serializable;public class user implements Serializable {private String name; public String getName () {return name;} public void setName (String name) {this.name = name;}}

Write a test class, generate a user object, save the serialized bytes on the hard disk, then read the serialized bytes, deserialize them and enter the name attribute of user

Package test;import java.io.FileInputStream;import java.io.FileNotFoundException;import java.io.FileOutputStream;import java.io.IOException;import java.io.ObjectInputStream;import java.io.ObjectOutputStream;public class test1 {public static void main (String [] args) {try {FileOutputStream out = new FileOutputStream ("d:/1.bin"); ObjectOutputStream obj_out = new ObjectOutputStream (out); user u = new user () U.setName ("test"); obj_out.writeObject (u); / / using the readobject method to restore user objects FileInputStream in = new FileInputStream ("d:/1.bin"); ObjectInputStream ins = new ObjectInputStream (in); user U1 = (user) ins.readObject (); System.err.println (u1.getName ()) } catch (FileNotFoundException e) {/ / TODO Auto-generated catch block e.printStackTrace ();} catch (IOException e) {/ / TODO Auto-generated catch block e.printStackTrace ();} catch (ClassNotFoundException e) {/ / TODO Auto-generated catch block e.printStackTrace ();}

Output name attribute after running: test

To construct a deserialization vulnerability, you need to override the readObjec method of user and pop up the calculator in the modified method:

The user class after overriding readObjec:

Package test;import java.io.IOException;import java.io.Serializable;public class user implements Serializable {private String name; public String getName () {return name;} public void setName (String name) {this.name = name;} private void readObject (java.io.ObjectInputStream in) throws ClassNotFoundException, IOException {in.defaultReadObject (); Runtime.getRuntime () .exec ("calc.exe");}

Run the test class again and find that the calculator has popped up:

You can execute arbitrary commands simply by modifying the calc.exe in Runtime.getRuntime (). Exec ("calc.exe");

0x02 summary

The premise of a deserialization vulnerability is that the readObjec method that inherits the Serializable class must be overridden.

Reference connection:

Http://www.freebuf.com/vuls/170344.html

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.