低漏报检测Java反序列化漏洞方法
1、不需要目标系统存在漏洞的第三方库,直接使用JDK自带的URL类发起dns请求,dns请求一般可以出网,所以漏报应该很低。
- https://github.com/frohoff/ysoserial/blob/ca38b7371130f92d7457146a393f9e1d8a02d4ed/src/main/java/ysoserial/payloads/URLDNS.java
- https://blog.paranoidsoftware.com/triggering-a-dns-lookup-using-java-deserialization/
2、工具break-fast-serial,需要自己改造下把URLDNS的payload加到里面,启动dnschef
- https://github.com/GoSecure/break-fast-serial
- http://gosecure.net/2017/03/22/detecting-deserialization-bugs-with-dns-exfiltration/
3、DNS解析设置
4、测试
5、检测到存在反序列化漏洞的点在具体进行绕过
[...]http://www.polaris-lab.com/index.php/archives/331/[...]
[...]http://www.polaris-lab.com/index.php/archives/331/[...]
咋没看懂呢?求再详细一点
http://gosecure.net/2017/03/22/detecting-deserialization-bugs-with-dns-exfiltration/