Maintaining a class blacklist at deserialization time to block exploitation of deserialization vulnerabilities is not the recommended approach when fixing source code: you cannot guarantee that every possible class is covered, and the blacklist has to be updated every time a new exploit payload appears. There is one scenario, however, where a blacklist may be a good choice. When writing code, frequently used methods tend to be wrapped in shared utility classes so that other projects only need to import the jar; I have already seen many public interfaces that expose deserialization operations, and a whitelist is not a practical fix for a deserialization interface exposed by a third-party library. As the library, you do not know who will call the interface or which classes they will deserialize, so in this case a blacklist can be used to refuse deserialization of known-dangerous classes.
Common remediation approaches for deserialization:
Update third-party components such as fastjson, XStream, commons-collections and commons-io;
Where the business logic needs deserialization, avoid letting the deserialized data be user-controlled; if that cannot be avoided, intercept or validate it with a whitelist or a blacklist;
Use a deserialization protection component such as SerialKiller; the component has not been updated for years, but its interception principle is sound, so if you use it, add newly discovered dangerous classes to its configuration file as they appear;
The following table is compiled mainly from SerialKiller, with some entries added by the author; corrections are welcome.
| Dangerous deserialization class (regex pattern) | Source |
|---|---|
| bsh.XThis$ | ysoserial's BeanShell1 payload |
| bsh.Interpreter$ | ysoserial's BeanShell1 payload |
| com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase$ | ysoserial's C3P0 payload |
| com.mchange.v2.c3p0.PoolBackedDataSource$ | ysoserial's C3P0 payload |
| org.apache.commons.beanutils.BeanComparator$ | ysoserial's CommonsBeanutils1 payload |
| org.apache.commons.collections.Transformer$ | ysoserial's CommonsCollections1,3,5,6 payload |
| org.apache.commons.collections.functors.InvokerTransformer$ | ysoserial's CommonsCollections1,3,5,6 payload |
| org.apache.commons.collections.functors.ChainedTransformer$ | ysoserial's CommonsCollections1,3,5,6 payload |
| org.apache.commons.collections.functors.ConstantTransformer$ | ysoserial's CommonsCollections1,3,5,6 payload |
| org.apache.commons.collections.functors.InstantiateTransformer$ | ysoserial's CommonsCollections1,3,5,6 payload |
| org.apache.commons.collections.map.LazyMap$ | ysoserial's CommonsCollections1,3,5,6 payload |
| org.apache.commons.collections.keyvalue.TiedMapEntry$ | ysoserial's CommonsCollections1,3,5,6 payload |
| org.apache.commons.collections4.functors.InvokerTransformer$ | ysoserial's CommonsCollections2,4 payload |
| org.apache.commons.collections4.functors.ChainedTransformer$ | ysoserial's CommonsCollections2,4 payload |
| org.apache.commons.collections4.functors.ConstantTransformer$ | ysoserial's CommonsCollections2,4 payload |
| org.apache.commons.collections4.functors.InstantiateTransformer$ | ysoserial's CommonsCollections2,4 payload |
| org.apache.commons.collections4.comparators.TransformingComparator$ | ysoserial's CommonsCollections2,4 payload |
| org.apache.commons.fileupload.disk.DiskFileItem$ | ysoserial's FileUpload1,Wicket1 payload |
| org.apache.wicket.util.upload.DiskFileItem$ | ysoserial's FileUpload1,Wicket1 payload |
| org.apache.commons.io.output.DeferredFileOutputStream$ | ysoserial's FileUpload1,Wicket1 payload |
| org.apache.commons.io.output.ThresholdingOutputStream$ | ysoserial's FileUpload1,Wicket1 payload |
| org.codehaus.groovy.runtime.ConvertedClosure$ | ysoserial's Groovy payload |
| org.codehaus.groovy.runtime.MethodClosure$ | ysoserial's Groovy payload |
| org.hibernate.engine.spi.TypedValue$ | ysoserial's Hibernate1,2 payload |
| org.hibernate.tuple.component.AbstractComponentTuplizer$ | ysoserial's Hibernate1,2 payload |
| org.hibernate.tuple.component.PojoComponentTuplizer$ | ysoserial's Hibernate1,2 payload |
| org.hibernate.type.AbstractType$ | ysoserial's Hibernate1,2 payload |
| org.hibernate.type.ComponentType$ | ysoserial's Hibernate1,2 payload |
| org.hibernate.type.Type$ | ysoserial's Hibernate1,2 payload |
| com.sun.rowset.JdbcRowSetImpl$ | ysoserial's Hibernate1,2 payload |
| org.jboss.(weld.)?interceptor.builder.InterceptionModelBuilder$ | ysoserial's JBossInterceptors1, JavassistWeld1 payload |
| org.jboss.(weld.)?interceptor.builder.MethodReference$ | ysoserial's JBossInterceptors1, JavassistWeld1 payload |
| org.jboss.(weld.)?interceptor.proxy.DefaultInvocationContextFactory$ | ysoserial's JBossInterceptors1, JavassistWeld1 payload |
| org.jboss.(weld.)?interceptor.proxy.InterceptorMethodHandler$ | ysoserial's JBossInterceptors1, JavassistWeld1 payload |
| org.jboss.(weld.)?interceptor.reader.ClassMetadataInterceptorReference$ | ysoserial's JBossInterceptors1, JavassistWeld1 payload |
| org.jboss.(weld.)?interceptor.reader.DefaultMethodMetadata$ | ysoserial's JBossInterceptors1, JavassistWeld1 payload |
| org.jboss.(weld.)?interceptor.reader.ReflectiveClassMetadata$ | ysoserial's JBossInterceptors1, JavassistWeld1 payload |
| org.jboss.(weld.)?interceptor.reader.SimpleInterceptorMetadata$ | ysoserial's JBossInterceptors1, JavassistWeld1 payload |
| org.jboss.(weld.)?interceptor.spi.instance.InterceptorInstantiator$ | ysoserial's JBossInterceptors1, JavassistWeld1 payload |
| org.jboss.(weld.)?interceptor.spi.metadata.InterceptorReference$ | ysoserial's JBossInterceptors1, JavassistWeld1 payload |
| org.jboss.(weld.)?interceptor.spi.metadata.MethodMetadata$ | ysoserial's JBossInterceptors1, JavassistWeld1 payload |
| org.jboss.(weld.)?interceptor.spi.model.InterceptionModel$ | ysoserial's JBossInterceptors1, JavassistWeld1 payload |
| org.jboss.(weld.)?interceptor.spi.model.InterceptionType$ | ysoserial's JBossInterceptors1, JavassistWeld1 payload |
| java.rmi.registry.Registry$ | ysoserial's JRMPClient payload |
| java.rmi.server.ObjID$ | ysoserial's JRMPClient payload |
| java.rmi.server.RemoteObjectInvocationHandler$ | ysoserial's JRMPClient payload |
| java.rmi.server.RemoteObject$ | ysoserial's JRMPClient payload |
| java.rmi.server.RemoteRef$ | ysoserial's JRMPClient payload |
| java.rmi.server.UnicastRemoteObject$ | ysoserial's JRMPClient payload |
| net.sf.json.JSONObject$ | ysoserial's JSON1 payload |
| javax.xml.transform.Templates$ | ysoserial's Jdk7u21 payload |
| org.python.core.PyObject$ | ysoserial's Jython1 payload |
| org.python.core.PyBytecode$ | ysoserial's Jython1 payload |
| org.python.core.PyFunction$ | ysoserial's Jython1 payload |
| org.mozilla.javascript..*$ | ysoserial's MozillaRhino1 payload |
| org.apache.myfaces.context.servlet.FacesContextImpl$ | ysoserial's Myfaces1,2 payload |
| org.apache.myfaces.context.servlet.FacesContextImplBase$ | ysoserial's Myfaces1,2 payload |
| org.apache.myfaces.el.CompositeELResolver$ | ysoserial's Myfaces1,2 payload |
| org.apache.myfaces.el.unified.FacesELContext$ | ysoserial's Myfaces1,2 payload |
| org.apache.myfaces.view.facelets.el.ValueExpressionMethodExpression$ | ysoserial's Myfaces1,2 payload |
| com.sun.syndication.feed.impl.ObjectBean$ | ysoserial's ROME payload |
| org.springframework.beans.factory.ObjectFactory$ | ysoserial's Spring1,2 payload |
| org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider$ | ysoserial's Spring1,2 payload |
| org.springframework.aop.framework.AdvisedSupport$ | ysoserial's Spring1,2 payload |
| org.springframework.aop.target.SingletonTargetSource$ | ysoserial's Spring1,2 payload |
| org.springframework.aop.framework.JdkDynamicAopProxy$ | ysoserial's Spring1,2 payload |
| org.springframework.core.SerializableTypeWrapper$TypeProvider$ | ysoserial's Spring1,2 payload |
| java.util.PriorityQueue$ | other trigger gadgets or payloads |
| java.lang.reflect.Proxy$ | other trigger gadgets or payloads |
| javax.management.MBeanServerInvocationHandler$ | other trigger gadgets or payloads |
| javax.management.openmbean.CompositeDataInvocationHandler$ | other trigger gadgets or payloads |
| org.springframework.aop.framework.JdkDynamicAopProxy$ | other trigger gadgets or payloads |
| java.beans.EventHandler$ | other trigger gadgets or payloads |
| java.util.Comparator$ | other trigger gadgets or payloads |
| org.reflections.Reflections$ | other trigger gadgets or payloads |
| clojure.lang.PersistentArrayMap | other trigger gadgets or payloads |
| clojure.inspector.proxy$javax.swing.table.AbstractTableModel$ff19274a | other trigger gadgets or payloads |
| sun.rmi.server.UnicastRef$ | other trigger gadgets or payloads |
| sun.rmi.transport.LiveRef$ | other trigger gadgets or payloads |
| sun.rmi.transport.tcp.TCPEndpoint$ | other trigger gadgets or payloads |
| sun.rmi.server.ActivationGroupImpl$ | other trigger gadgets or payloads |
| sun.rmi.server.UnicastServerRef$ | other trigger gadgets or payloads |
| net.sf.json.JSONObject$ | other trigger gadgets or payloads |
| org.mozilla.javascript.$ | other trigger gadgets or payloads |
| com.sun.syndication.feed.impl.ObjectBean$ | other trigger gadgets or payloads |
| com.vaadin.data.util.NestedMethodProperty$ | other trigger gadgets or payloads |
| com.vaadin.data.util.PropertysetItem$ | other trigger gadgets or payloads |
| org.aspectj.weaver.tools.cache.SimpleCache$StoreableCachingMap | other trigger gadgets or payloads |
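The interception principle the text attributes to SerialKiller, shown as an added example that is not SerialKiller's or the blog author's code: an ObjectInputStream subclass that checks every class name read from the stream against regex patterns from the table above and refuses the stream before the class is resolved. The patterns are copied from the table (SerialKiller's unescaped-dot convention); a real deployment would load the full list from a configuration file that is kept up to date, and the class and method names here are the author's own choices.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Blacklist-enforcing ObjectInputStream (example code, not the library's own).
public class BlacklistObjectInputStream extends ObjectInputStream {

    // A handful of patterns taken verbatim from the table above. As in
    // SerialKiller, the dots are unescaped regex metacharacters, which is
    // slightly broader than intended but harmless for a deny list.
    private static final List<Pattern> BLACKLIST = Arrays.asList(
        Pattern.compile("org.apache.commons.collections.functors.InvokerTransformer$"),
        Pattern.compile("org.apache.commons.collections.functors.ChainedTransformer$"),
        Pattern.compile("java.rmi.server.RemoteObjectInvocationHandler$"),
        Pattern.compile("org.mozilla.javascript..*$")
    );

    public BlacklistObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    // find() rather than matches(): the table's patterns carry a trailing
    // '$' anchor but no leading '^', matching SerialKiller's usage.
    private static void check(String className) throws InvalidClassException {
        for (Pattern p : BLACKLIST) {
            if (p.matcher(className).find()) {
                // Fail before the class is loaded or any instance is created.
                throw new InvalidClassException(className, "blocked by deserialization blacklist");
            }
        }
    }

    // Called for every ordinary (non-proxy) class descriptor in the stream.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        check(desc.getName());
        return super.resolveClass(desc);
    }

    // Called for dynamic proxies: the table lists java.lang.reflect.Proxy and
    // several InvocationHandlers, so the proxy's interface names are checked too.
    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        for (String iface : interfaces) {
            check(iface);
        }
        return super.resolveProxyClass(interfaces);
    }
}
```

On Java 9 and later (and 8u121+), the same deny list can be expressed without subclassing through JEP 290's ObjectInputFilter or the jdk.serialFilter property, which also applies to code paths that do not go through your stream class.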
References: