public Client(int v) {
if (v <= 0) {
throw new RuntimeException("not positive number");
}
value = v;
}
public void writeObject(ObjectOutputStream oos) throws IOException {
int value = 0; //这里该值被改为0。(现实中可以通过调试模式,修改serialize字节码或者class instrument等多种方式修改该值)
oos.defaultWriteObject();
}
}
class Controller {
private ArrayBlockingQueue<Client> queue;
public void receiveState(ObjectInputStream o) throws IOException,> Client s = (Client)o.readObject(); //反序列化不调用构造函数,value的非零检查不会触发
queue.add(s);
}
public Client getClient() throws InterruptedException {
return (Client)queue.take();
}
}
class Server extends Thread {
private Controller controller = new Controller();
private int result = 100;
public void run() {
while (true) {
try {
result = result / controller.getClient().getValue(); // 由于value是0,会导致算数异常,线程结束
Thread.sleep(100);
} catch (InterruptedException e) {}
}
}
}
2. 攻击者可以创建循环对象链,然后序列化。会导致反序列化无法结束, 空耗系统资源。例如:
Set root = new HashSet();
Set s1 = root;
Set s2 = new HashSet();
for (int i = 0; i < 10; i++) {
Set t1 = new HashSet();
Set t2 = new HashSet();
t1.add("foo"); //使t2不等于t1
s1.add(t1);
s1.add(t2);
s2.add(t1);
s2.add(t2);
s1 = t1;
s2 = t2;
try {
var2 = AnnotationType.getInstance(this.type);
} catch (IllegalArgumentException var9) {
throw new InvalidObjectException("Non-annotation type in annotation serial stream");
}