Basic Java Deserialization (ObjectInputStream, readObject)

从零开始学习AWS黑客技术,成为 htARTE(HackTricks AWS红队专家)

支持HackTricks的其他方式:

在这篇文章中,将通过使用java.io.Serializable来解释一个示例。

Serializable

Java Serializable接口(java.io.Serializable是一个标记接口,如果要对类进行序列化反序列化,则必须实现该接口。Java对象序列化(写入)使用ObjectOutputStream,反序列化(读取)使用ObjectInputStream

让我们看一个具有可序列化Person类的示例。该类重写了readObject函数,因此当该类任何对象反序列化时,将执行此函数。 在示例中,Person类的readObject函数调用其宠物的eat()函数,而Dog的eat()函数(出于某种原因)调用calc.exe我们将看到如何将Person对象序列化和反序列化以执行此计算器:

以下示例来自https://medium.com/@knownsec404team/java-deserialization-tool-gadgetinspector-first-glimpse-74e99e493649

import java.io.Serializable;
import java.io.*;

public class TestDeserialization {
interface Animal {
public void eat();
}
//Class must implements Serializable to be serializable
public static class Cat implements Animal,Serializable {
@Override
public void eat() {
System.out.println("cat eat fish");
}
}
//Class must implements Serializable to be serializable
public static class Dog implements Animal,Serializable {
@Override
public void eat() {
try {
Runtime.getRuntime().exec("calc");
} catch (IOException e) {
e.printStackTrace();
}
System.out.println("dog eat bone");
}
}
//Class must implements Serializable to be serializable
public static class Person implements Serializable {
private Animal pet;
public Person(Animal pet){
this.pet = pet;
}
//readObject implementation, will call the readObject from ObjectInputStream  and then call pet.eat()
private void readObject(java.io.ObjectInputStream stream)
throws IOException, ClassNotFoundException {
pet = (Animal) stream.readObject();
pet.eat();
}
}
public static void GeneratePayload(Object instance, String file)
throws Exception {
//Serialize the constructed payload and write it to the file
File f = new File(file);
ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(f));
out.writeObject(instance);
out.flush();
out.close();
}
public static void payloadTest(String file) throws Exception {
//Read the written payload and deserialize it
ObjectInputStream in = new ObjectInputStream(new FileInputStream(file));
Object obj = in.readObject();
System.out.println(obj);
in.close();
}
public static void main(String[] args) throws Exception {
// Example to call Person with a Dog
Animal animal = new Dog();
Person person = new Person(animal);
GeneratePayload(person,"test.ser");
payloadTest("test.ser");
// Example to call Person with a Cat
//Animal animal = new Cat();
//Person person = new Person(animal);
//GeneratePayload(person,"test.ser");
//payloadTest("test.ser");
}
}

结论

正如您在这个非常基本的示例中所看到的,这里的“漏洞”出现是因为readObject函数正在调用其他易受攻击的函数

从零开始学习AWS黑客技术 htARTE(HackTricks AWS红队专家)

支持HackTricks的其他方式:

最后更新于