ysoserial URLDNS分析

ysoserial 是java反序列化中必备gadget神器，笔记主要记录对URLDNS利用链进行分析，URLDNS是拿来进行探测反序列化是否存在的，简单来说就是个dns请求链

URLDNS 利用链条 HashMap.readObject() HashMap.putVal() HashMap.hash() URL.hashCode()

载入ysoserial源码，对URLDNS类进行分析
srcmainjavaysoserialpayloadsURLDNS.java

URLDNS类中调用了ObjectPayload接口（该接口主要作用是返回要序列化的有效负载对象）

向下看声明了一个公有的属性getObject，返回值为object类型

URLStreamHandler类主要是实现URL协议扩展
URLStreamHandler handler = new SilentURLStreamHandler();
跟进HashMap类（该类包含调用网址的哈希表）

跟到readObject方法中，java.io.ObjectInputStream接口是来实现反序化的，这里主要分析如下41行，这里调用了putVal与hash方法

private void readObject(java.io.ObjectInputStream s)
    throws IOException, ClassNotFoundException {
    // Read in the threshold (ignored), loadfactor, and any hidden stuff
    s.defaultReadObject();
    reinitialize();
    if (loadFactor <= 0 || Float.isNaN(loadFactor))
        throw new InvalidObjectException("Illegal load factor: " +
                                         loadFactor);
    s.readInt();                // Read and ignore number of buckets
    int mappings = s.readInt(); // Read number of mappings (size)
    if (mappings < 0)
        throw new InvalidObjectException("Illegal mappings count: " +
                                         mappings);
    else if (mappings > 0) { // (if zero, use defaults)
        // Size the table using given load factor only if within
        // range of 0.25...4.0
        float lf = Math.min(Math.max(0.25f, loadFactor), 4.0f);
        float fc = (float)mappings / lf + 1.0f;
        int cap = ((fc < DEFAULT_INITIAL_CAPACITY) ?
                   DEFAULT_INITIAL_CAPACITY :
                   (fc >= MAXIMUM_CAPACITY) ?
                   MAXIMUM_CAPACITY :
                   tableSizeFor((int)fc));
        float ft = (float)cap * lf;
        threshold = ((cap < MAXIMUM_CAPACITY && ft < MAXIMUM_CAPACITY) ?
                     (int)ft : Integer.MAX_VALUE);

        // Check Map.Entry[].class since it's the nearest public type to
        // what we're actually creating.
        SharedSecrets.getJavaOISAccess().checkArray(s, Map.Entry[].class, cap);
        @SuppressWarnings({"rawtypes","unchecked"})
        Node<K,V>[] tab = (Node<K,V>[])new Node[cap];
        table = tab;

        // Read the keys and values, and put the mappings in the HashMap
        for (int i = 0; i < mappings; i++) {
            @SuppressWarnings("unchecked")
                K key = (K) s.readObject();
            @SuppressWarnings("unchecked")
                V value = (V) s.readObject();
            putVal(hash(key), key, value, false, false);
        }
    }
}

跟进putVal方法，本方法主要实现Map.put和相关方法

继续跟进hash方法，定义的Key带入hashCode

static final int hash(Object key) {
    int h;
    return (key == null) ? 0 : (h = key.hashCode()) ^ (h >>> 16);
}

这里我们重点跟进hashCode方法，这里主要判断hashCode值

public synchronized int hashCode() {
    if (hashCode != -1)
        return hashCode;

    hashCode = handler.hashCode(this);
    return hashCode;
}

继续跟进hashCode方法，这里可以注意到u对象调用到getHostAddress方法，跟进getHostAddress

protected int hashCode(URL u) {
    int h = 0;

    // Generate the protocol part.
    String protocol = u.getProtocol();
    if (protocol != null)
        h += protocol.hashCode();

    // Generate the host part.
    InetAddress addr = getHostAddress(u);
    if (addr != null) {
        h += addr.hashCode();
    } else {
        String host = u.getHost();
        if (host != null)
            h += host.toLowerCase().hashCode();
    }

    // Generate the file part.
    String file = u.getFile();
    if (file != null)
        h += file.hashCode();

    // Generate the port part.
    if (u.getPort() == -1)
        h += getDefaultPort();
    else
        h += u.getPort();

    // Generate the ref part.
    String ref = u.getRef();
    if (ref != null)
        h += ref.hashCode();

    return h;
}

跟getHostAddress方法后就可以很明显的看到，URLDNS它主要调用触发URL请求的方法主要是调用了InetAddress.getByName(在给定主机名的情况下确定主机的IP地址)

这里我们再次跟入InetAddress类接口

在这里就可以很明显的看到直接引入了Serializable反序列化接口

到这里基本已经分析完成，现在我们来用一个外部的DNSLOG请求地址来进行请求测试