Java deserialization principle demo (1)

0x00 What is Java serialization and deserialization?
Java serialization is the process of converting a Java object into a sequence of bytes that can easily be stored in memory, in a file, or in a database; the writeObject() method of the ObjectOutputStream class performs serialization.
Java deserialization is the reverse process of restoring a sequence of bytes to a Java object; the readObject() method of the ObjectInputStream class performs deserialization.
0x01 Java deserialization vulnerability principle analysis
First define a user class that implements Serializable:
package test;

import java.io.IOException;
import java.io.Serializable;

public class user implements Serializable {
    private String name;

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }
}
Then write a test class that creates a user object, saves its serialized bytes to disk, reads the bytes back, deserializes them into a user object and prints its name:
package test;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

public class Test1 {
    public static void main(String[] args) {
        try {
            // Serialize the user object to disk with writeObject
            FileOutputStream out = new FileOutputStream("D:/1.bin");
            ObjectOutputStream obj_out = new ObjectOutputStream(out);
            user u = new user();
            u.setName("test");
            obj_out.writeObject(u);
            obj_out.close();
            // Use the readObject method to restore the user object
            FileInputStream in = new FileInputStream("D:/1.bin");
            ObjectInputStream ins = new ObjectInputStream(in);
            user u1 = (user) ins.readObject();
            ins.close();
            System.err.println(u1.getName());
        } catch (FileNotFoundException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        }
    }
}
After running, it prints the name property: test
To construct a deserialization vulnerability, the user class's readObject method has to be overridden, and the override pops up the calculator.
The user class with readObject overridden:
package test;

import java.io.IOException;
import java.io.Serializable;

public class user implements Serializable {
    private String name;

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    // Custom deserialization hook: runs automatically when this class is deserialized
    private void readObject(java.io.ObjectInputStream in)
            throws ClassNotFoundException, IOException {
        in.defaultReadObject();
        Runtime.getRuntime().exec("calc.exe");
    }
}
Run the test class again and the calculator pops up:
Only the "calc.exe" argument of Runtime.getRuntime().exec("calc.exe") needs to be changed for the readObject override to execute arbitrary commands.
0x02 Summary
The prerequisite for this deserialization vulnerability is that a class implementing Serializable overrides the readObject method.
Reference link:
http://www.freebuf.com/vuls/170344.html