长亭百川云 - 文章详情

常见JAVA反序列化危险对象列表

代码审计SDL

87

2024-07-13

在反序列化时设置类的黑名单来防御反序列化漏洞利用及攻击,这个做法在源代码修复的时候并不是推荐的方法,因为你不能保证能覆盖所有可能的类,而且有新的利用payload出来时也需要随之更新黑名单,但有一种场景下可能黑名单是一个不错的选择。写代码的时候总会把一些经常用到的方法封装到公共类,这样其它工程中用到只需要导入jar包即可,此前已经见到很多提供反序列化操作的公共接口,使用第三方库反序列化接口就不好用白名单的方式来修复了。这个时候作为第三方库也不知道谁会调用接口,会反序列化什么类,所以这个时候可以使用黑名单的方式来禁止一些已知危险的类被反序列化。

常见的反序列化修复方案:

  • 更新fastjson、xtream、commons-collections、commons-io等第三方组件;

  • 业务需要使用反序列化时,尽量避免反序列化数据可被用户控制,如无法避免建议尽量使用白名单或者黑名单的形式进行拦截或者校验;

  • 常见的反序列化防护组件如:serialkiller,但是该组件已经好多年未更新,拦截原理是没问题的,如果使用,建议及时更新新发现的危险方法到配置文件当中;

以下表格主要从SerialKiller整理而来,还有部分是博主自行整理的,如果有不足,请及时斧正。

反序列化危险对象

来源

bsh.XThis$

ysoserial's BeanShell1 payload

bsh.Interpreter$

ysoserial's BeanShell1 payload

com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase$

ysoserial's C3P0 payload

com.mchange.v2.c3p0.PoolBackedDataSource$

ysoserial's C3P0 payload

org.apache.commons.beanutils.BeanComparator$

ysoserial's CommonsBeanutils1 payload

org.apache.commons.collections.Transformer$

ysoserial's CommonsCollections1,3,5,6 payload

org.apache.commons.collections.functors.InvokerTransformer$

ysoserial's CommonsCollections1,3,5,6 payload

org.apache.commons.collections.functors.ChainedTransformer$

ysoserial's CommonsCollections1,3,5,6 payload

org.apache.commons.collections.functors.ConstantTransformer$

ysoserial's CommonsCollections1,3,5,6 payload

org.apache.commons.collections.functors.InstantiateTransformer$

ysoserial's CommonsCollections1,3,5,6 payload

org.apache.commons.collections.map.LazyMap$

ysoserial's CommonsCollections1,3,5,6 payload

org.apache.commons.collections.keyvalue.TiedMapEntry$

ysoserial's CommonsCollections1,3,5,6 payload

org.apache.commons.collections4.functors.InvokerTransformer$

ysoserial's CommonsCollections2,4 payload

org.apache.commons.collections4.functors.ChainedTransformer$

ysoserial's CommonsCollections2,4 payload

org.apache.commons.collections4.functors.ConstantTransformer$

ysoserial's CommonsCollections2,4 payload

org.apache.commons.collections4.functors.InstantiateTransformer$

ysoserial's CommonsCollections2,4 payload

org.apache.commons.collections4.comparators.TransformingComparator$

ysoserial's CommonsCollections2,4 payload

org.apache.commons.fileupload.disk.DiskFileItem$

ysoserial's FileUpload1,Wicket1 payload

org.apache.wicket.util.upload.DiskFileItem$

ysoserial's FileUpload1,Wicket1 payload

org.apache.commons.io.output.DeferredFileOutputStream$

ysoserial's FileUpload1,Wicket1 payload

org.apache.commons.io.output.ThresholdingOutputStream$

ysoserial's FileUpload1,Wicket1 payload

org.codehaus.groovy.runtime.ConvertedClosure$

ysoserial's Groovy payload

org.codehaus.groovy.runtime.MethodClosure$

ysoserial's Groovy payload

org.hibernate.engine.spi.TypedValue$

ysoserial's Hibernate1,2 payload

org.hibernate.tuple.component.AbstractComponentTuplizer$

ysoserial's Hibernate1,2 payload

org.hibernate.tuple.component.PojoComponentTuplizer$

ysoserial's Hibernate1,2 payload

org.hibernate.type.AbstractType$

ysoserial's Hibernate1,2 payload

org.hibernate.type.ComponentType$

ysoserial's Hibernate1,2 payload

org.hibernate.type.Type$

ysoserial's Hibernate1,2 payload

com.sun.rowset.JdbcRowSetImpl$

ysoserial's Hibernate1,2 payload

org.jboss.(weld.)?interceptor.builder.InterceptionModelBuilder$

ysoserial's JBossInterceptors1, JavassistWeld1 payload

org.jboss.(weld.)?interceptor.builder.MethodReference$

ysoserial's JBossInterceptors1, JavassistWeld1 payload

org.jboss.(weld.)?interceptor.proxy.DefaultInvocationContextFactory$

ysoserial's JBossInterceptors1, JavassistWeld1 payload

org.jboss.(weld.)?interceptor.proxy.InterceptorMethodHandler$

ysoserial's JBossInterceptors1, JavassistWeld1 payload

org.jboss.(weld.)?interceptor.reader.ClassMetadataInterceptorReference$

ysoserial's JBossInterceptors1, JavassistWeld1 payload

org.jboss.(weld.)?interceptor.reader.DefaultMethodMetadata$

ysoserial's JBossInterceptors1, JavassistWeld1 payload

org.jboss.(weld.)?interceptor.reader.ReflectiveClassMetadata$

ysoserial's JBossInterceptors1, JavassistWeld1 payload

org.jboss.(weld.)?interceptor.reader.SimpleInterceptorMetadata$

ysoserial's JBossInterceptors1, JavassistWeld1 payload

org.jboss.(weld.)?interceptor.spi.instance.InterceptorInstantiator$

ysoserial's JBossInterceptors1, JavassistWeld1 payload

org.jboss.(weld.)?interceptor.spi.metadata.InterceptorReference$

ysoserial's JBossInterceptors1, JavassistWeld1 payload

org.jboss.(weld.)?interceptor.spi.metadata.MethodMetadata$

ysoserial's JBossInterceptors1, JavassistWeld1 payload

org.jboss.(weld.)?interceptor.spi.model.InterceptionModel$

ysoserial's JBossInterceptors1, JavassistWeld1 payload

org.jboss.(weld.)?interceptor.spi.model.InterceptionType$

ysoserial's JBossInterceptors1, JavassistWeld1 payload

java.rmi.registry.Registry$

ysoserial's JRMPClient payload

java.rmi.server.ObjID$

ysoserial's JRMPClient payload

java.rmi.server.RemoteObjectInvocationHandler$

ysoserial's JRMPClient payload

java.rmi.server.RemoteObject$

ysoserial's JRMPClient payload

java.rmi.server.RemoteRef$

ysoserial's JRMPClient payload

java.rmi.server.UnicastRemoteObject$

ysoserial's JRMPClient payload

net.sf.json.JSONObject$

ysoserial's JSON1 payload

javax.xml.transform.Templates$

ysoserial's Jdk7u21 payload

org.python.core.PyObject$

ysoserial's Jython1 payload

org.python.core.PyBytecode$

ysoserial's Jython1 payload

org.python.core.PyFunction$

ysoserial's Jython1 payload

org.mozilla.javascript..*$

ysoserial's MozillaRhino1 payload

org.apache.myfaces.context.servlet.FacesContextImpl$

ysoserial's Myfaces1,2 payload

org.apache.myfaces.context.servlet.FacesContextImplBase$

ysoserial's Myfaces1,2 payload

org.apache.myfaces.el.CompositeELResolver$

ysoserial's Myfaces1,2 payload

org.apache.myfaces.el.unified.FacesELContext$

ysoserial's Myfaces1,2 payload

org.apache.myfaces.view.facelets.el.ValueExpressionMethodExpression$

ysoserial's Myfaces1,2 payload

com.sun.syndication.feed.impl.ObjectBean$

ysoserial's ROME payload

org.springframework.beans.factory.ObjectFactory$

ysoserial's Spring1,2 payload

org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider$

ysoserial's Spring1,2 payload

org.springframework.aop.framework.AdvisedSupport$

ysoserial's Spring1,2 payload

org.springframework.aop.target.SingletonTargetSource$

ysoserial's Spring1,2 payload

org.springframework.aop.framework.JdkDynamicAopProxy$

ysoserial's Spring1,2 payload

org.springframework.core.SerializableTypeWrapper$TypeProvider$

ysoserial's Spring1,2 payload

java.util.PriorityQueue$

other trigger gadgets or payloads

java.lang.reflect.Proxy$

other trigger gadgets or payloads

javax.management.MBeanServerInvocationHandler$

other trigger gadgets or payloads

javax.management.openmbean.CompositeDataInvocationHandler$

other trigger gadgets or payloads

org.springframework.aop.framework.JdkDynamicAopProxy$

other trigger gadgets or payloads

java.beans.EventHandler$

other trigger gadgets or payloads

java.util.Comparator$

other trigger gadgets or payloads

org.reflections.Reflections$

other trigger gadgets or payloads

clojure.lang.PersistentArrayMap

other trigger gadgets or payloads

clojure.inspector.proxy$javax.swing.table.AbstractTableModel$ff19274a

other trigger gadgets or payloads

sun.rmi.server.UnicastRef$

other trigger gadgets or payloads

sun.rmi.transport.LiveRef$

other trigger gadgets or payloads

sun.rmi.transport.tcp.TCPEndpoint$

other trigger gadgets or payloads

sun.rmi.server.ActivationGroupImpl$

other trigger gadgets or payloads

sun.rmi.server.UnicastServerRef$

other trigger gadgets or payloads

net.sf.json.JSONObject$

other trigger gadgets or payloads

org.mozilla.javascript.$

other trigger gadgets or payloads

com.sun.syndication.feed.impl.ObjectBean$

other trigger gadgets or payloads

com.vaadin.data.util.NestedMethodProperty$

other trigger gadgets or payloads

com.vaadin.data.util.PropertysetItem$

other trigger gadgets or payloads

org.aspectj.weaver.tools.cache.SimpleCache$StoreableCachingMap

other trigger gadgets or payloads

参考:

https://github.com/ikkisoft/SerialKiller

https://zhuanlan.zhihu.com/p/597910634

相关推荐
关注或联系我们
添加百川云公众号,移动管理云安全产品
咨询热线:
4000-327-707
百川公众号
百川公众号
百川云客服
百川云客服

Copyright ©2024 北京长亭科技有限公司
icon
京ICP备 2024055124号-2