JAVA反序列化漏洞

news2024/7/6 18:24:16

JAVA反序列化漏洞

原文资料：xiu–》xiu博客

文章目录

- JAVA反序列化漏洞
- idea
- - 类继承
  - 反序列化漏洞
  - - person类
    - Test类
  - 什么是反序列化漏洞

idea

在这里插入图片描述

类继承

public class Person {
    public int age;
    public String name;
    public void talk(){
    System.out.println("Person 说话了");
}
public class Student extends Person{
    public int score;
    public void talk(){
    System.out.println("Student说话了");
}
public class Test {
    public static void main (String[] args) {
    Student stul = new Student();
    stul.talk();
}

数据前五个字节

rO0AB java序列化base64编码数据

aced 16进制java序列化

序列化：
ObjectOutputStream --> writeObject()
反序列化:　
ObjectInputStream --> readObject()

反序列化漏洞

person类

import java.io.I0Exception;
import java.io.0bjectInputStream;
import java.io.Serializable;

public classPerson implements Serializable {

    public int age;
    public String name;
    private void readobject (ObjectInputStream in)throws IOException, ClassNotFoundException {

    Runtime.getRuntime().exec("calc");
    // 默认的反序列化操作
    in.defaultReadObject();
    }
}

Test类

import java.io.*;

public class Test {
    public static void main (String[] args) throws IOException,  ClassNotFoundException {
   
        Person p=new Person();
        p.age=18;
        p.name="xiu";
        serialize (p,"xiu.bin");
        System.out.println("反序列化结果:"+
        deserialize("xiu.bin"));
     }
     
    public static void serialize (Object obj, string filePath) throws IOException {
    
        try ( FileOutputStream file0ut = new File0utputStream(filePath);
        	  Object0utputStream objectOut = new Object0utputStream(fileOut)
        	){ objectOut.write0bject(obj);}
    }
    
    public static Object deserialize(String filePath) throws IOException, ClassNotFoundException {
    try (FileInputstream fileIn = new FileInputstream(filePath);
        ObjectInputstream objectIn = new ObjectInputstream(fileIn)) {
            return objectIn.read0bject();
        }
    }
}