Java deserialization vulnerability
Posted by Oscarfff 2 years ago


The vulnerability is exploited through Apache Commons Collections.

Apache recommends upgrading that jar.



Java LOVES sending serialized objects all over the place. For example:

  • In HTTP requests – Parameters, ViewState, Cookies, you name it.

  • RMI – The extensively used Java RMI protocol is 100% based on serialization

  • RMI over HTTP – Many Java thick client web apps use this – again 100% serialized objects

  • JMX – Again, relies on serialized objects being shot over the wire

  • Custom Protocols – Sending and receiving raw Java objects is the norm – which we’ll see in some of the exploits to come

Okay, so what, you ask? Well, what if we knew of an object that implemented a “readObject” method that did something dangerous? What if, instead of appending an exclamation point to a user-defined string, it could be massaged into running a user-defined command on the operating system? That would be pretty bad.

Suppose such a vulnerable object existed, but wasn’t part of “core” Java, but instead just part of a library. Think about the requirements for exploitation:

  • That library would need to be on the Java “classpath”

  • The application would need to deserialize untrusted user input

We’ve already determined that requirement 2 is very often satisfied. Requirement 1 could be satisfied if we could find such a vulnerability in a commonly used library…
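The standard mitigation for requirement 2 is to refuse to deserialize anything the application does not expect. The following is an added example, not code from the original post or from Apache Commons Collections: a "look-ahead" ObjectInputStream that checks every incoming class descriptor against an allow-list in resolveClass, which runs before the class's readObject is ever invoked. The allow-list contents and both sample payloads are constructed for the demo.

```java
import java.io.*;
import java.util.*;

public class SafeDeserialization {
    // Only the classes this application actually expects to receive over the wire
    // (constructed allow-list for the demo).
    private static final Set<String> ALLOWED = Collections.singleton("java.util.ArrayList");

    // resolveClass is called for each class descriptor in the stream before that
    // class's readObject runs, so an unexpected (e.g. library gadget) class is
    // refused before any of its code can execute.
    static class LookAheadObjectInputStream extends ObjectInputStream {
        LookAheadObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(),
                        "Unauthorized deserialization attempt");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserializeSafely(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                new LookAheadObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: the payload the application expects.
        byte[] expected = serialize(new ArrayList<>(Arrays.asList("a", "b")));
        System.out.println("accepted: " + deserializeSafely(expected));

        // Constructed sample input: a class not on the allow-list, standing in for a
        // gadget class from a library on the classpath; rejected before readObject.
        byte[] unexpected = serialize(new HashMap<String, String>());
        try {
            deserializeSafely(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

On JDK 9 and later (and the 8u121+ backport) the built-in ObjectInputFilter from JEP 290 provides the same allow-list check without subclassing ObjectInputStream.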
