JavaThings

"Java Security Talk" is an essay I am writing related to Java learning. It is not very rigorous and not high-tech. This Repository is mainly for recording and organizing, and attaching some code.

• Java security talk - 01. Java's dynamic characteristics - reflection
• Java Security Talk - 02. Simple use of reflection
• Java Security Talk - 03. Several advanced techniques of reflection
• Java Security Talk - 04.RMI communication process analysis
• Java Security Talk - 05. Using codebase to attack RMI Registry
• Java Security Talk - 06. In-depth understanding of RMI protocol and serialized objects
• Java Security Talk - 07. Deserialization vulnerabilities in different languages
• Java Security Talk- 08. Get to know the simplest Gadget——URLDNS
• Java Security Talk - 09. First introduction to CommonsCollections
• Java Security Talk - 10. Use TransformedMap to write a real POC
• Java Security Talk - 11. Detailed explanation of LazyMap
• Java Security Talk - 12. Simplified version CommonsCollections6
• Java Security Talk - Extra Chapter 1. Where is BCEL ClassLoader?
• Java Security Talk - 13. Methods for dynamically loading bytecode in Java
• Java Security Talk - 14. Why CommonsCollections3 is needed
• Java Security Talk - 15. Utilization of TemplatesImpl in Shiro
• Java Security Talk - 16.commons-collections4 and vulnerability fixes
• Java Security Talk - 17. CommonsBeanutils and Shiro deserialization utilization without commons-collections
• Java Security Talk - 18. Native deserialization exploit chain JDK7u21
• Java Security Talk - 19. Java deserialization protocol construction and analysis

Bytecode:

• Remote bytecode loading Demo: HelloClassLoader
• The system defaults to defineClass loading bytecode Demo: HelloDefineClass
• Use TemplatesImpl to load bytecode Demo: HelloTemplatesImpl
• Using BCEL to load bytecode Demo: HelloBCEL

Deserialization:

• The simplest Transformer Demo: CommonsCollectionsIntro.java
• My simplified CommonsCollections6 is easier for everyone to understand
• Transformer Demo constructed using TemplatesImpl: CommonsCollectionsIntro2.java
• Transformer Demo without InvokerTransformer: CommonsCollectionsIntro3.java
• My simplified CommonsCollections3
• CommonsCollections6 executes multiple commands at once: CommonsCollections6Multiple
• CommonsCollections6 exploit chain that supports commons-collections4.0 version: CommonsCollections6For4
• My simplified CommonsBeanutils1 exploit chain: CommonsBeanutils1
• Simplified version of Java native utilization chain JDK7u21

Shiro deserialization:

• One of the simplest Shiro Web applications: shirodemo
• Use CommonsCollections6 and Shiro default Key to construct Payload: Client0.java, CommonsCollections6.java, which may not be successfully deserialized in Tomcat.
• Use CommonsCollections, TemplatesImpl and Shiro default Key to construct Payload: Client.java, CommonsCollectionsShiro.java to solve the above problems
• Deserialization utilization chain constructed using commons-beanutils that comes with Shiro by default: CommonsBeanutils1Shiro.java

Self-developed deserialization analysis tool:

• zkar: https://github.com/phith0n/zkar
• How to use zkar to fix SerialVersionUID mismatch problem: https://t.zsxq.com/Yz3B6yJ