福建农林大学攻防一队wp
justDeserialize
com.example.ezjav.utils.User 中存在反射调用，是反序列化时可被利用的恶意类（利用链的触发点）
重写 ObjectInputStream 的 resolveClass，将该类以及常见利用链类加入黑名单，在解析类描述符时直接拒绝
| package com.example.ezjav.controller;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
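/**
 * {@link ObjectInputStream} that refuses to resolve a fixed denylist of class names.
 *
 * <p>Used by the challenge fix so that a serialized payload whose class descriptor names
 * {@code com.example.ezjav.utils.User} (the writeup identifies its reflective call as the
 * sink) or one of the well-known gadget classes below is rejected in {@link #resolveClass}
 * when that descriptor is read.
 *
 * <p>NOTE(review): a denylist only stops the names listed here. Any other class that reaches
 * the same reflective sink passes, and proxy descriptors go through
 * {@link #resolveProxyClass}, which this class does not override. For untrusted input an
 * allowlist -- e.g. {@code ObjectInputFilter} on Java 9+ / 8u121+ -- is the stronger control.
 */
public class NewObjectInputStream extends ObjectInputStream {

    /** Fully-qualified class names that {@link #resolveClass} rejects. Immutable after class init. */
    private static final Set<String> BLACKLISTED_CLASSES = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList(
                    "com.example.ezjav.utils.User",
                    "java.lang.Runtime",
                    "java.lang.ProcessBuilder",
                    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
                    "java.security.SignedObject")));

    /**
     * Wraps {@code inputStream}; header handling is inherited unchanged from the superclass.
     *
     * @param inputStream the serialized stream to read from
     * @throws IOException if the superclass cannot read the stream header
     */
    public NewObjectInputStream(InputStream inputStream) throws IOException {
        super(inputStream);
    }

    /**
     * Rejects denylisted class descriptors; everything else defers to the default resolution.
     *
     * @param desc the class descriptor read from the stream
     * @return the resolved class for {@code desc}
     * @throws SecurityException if {@code desc} names a denylisted class; the message carries
     *         the offending name so a rejection can be triaged from logs instead of being an
     *         empty string
     * @throws IOException propagated from the superclass
     * @throws ClassNotFoundException propagated from the superclass
     */
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String className = desc.getName();
        if (BLACKLISTED_CLASSES.contains(className)) {
            throw new SecurityException("Deserialization of class " + className + " is not allowed");
        }
        return super.resolveClass(desc);
    }
}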
将代码中反序列化所用的 ObjectInputStream 替换为新添加的 NewObjectInputStream。注意：黑名单只能拦截已列出的类名，且不覆盖 resolveProxyClass；若输入不可信，更稳妥的做法是使用白名单（Java 9+ / 8u121+ 可用 ObjectInputFilter）。