URLDNS的gadget

调用过程：
java\util\HashMap#readObject(java.io.ObjectInputStream s)

java\util\HashMap#hash(Object key)

获取key（这里是URL）的hashCode
java\net\URL#hashCode

java\net\URLStreamHandler#hashCode(URL u)

调用栈：

<init>:102, Inet4Address (java.net)
lookupAllHostAddr:-1, Inet6AddressImpl (java.net)
lookupAllHostAddr:928, InetAddress$2 (java.net)
getAddressesFromNameService:1323, InetAddress (java.net)
getAllByName0:1276, InetAddress (java.net)
getAllByName:1192, InetAddress (java.net)
getAllByName:1126, InetAddress (java.net)
getByName:1076, InetAddress (java.net)
getHostAddress:442, URLStreamHandler (java.net)
hashCode:359, URLStreamHandler (java.net)
hashCode:885, URL (java.net)
hash:339, HashMap (java.util)
readObject:1410, HashMap (java.util)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:62, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:498, Method (java.lang.reflect)
invokeReadObject:1158, ObjectStreamClass (java.io)
readSerialData:2176, ObjectInputStream (java.io)
readOrdinaryObject:2067, ObjectInputStream (java.io)
readObject0:1571, ObjectInputStream (java.io)
readObject:431, ObjectInputStream (java.io)
main:36, URLDNSPoC (marshalsec)

参考

• 你知ysoserial-Gadget-URLDNS多少？
• 通过HashMap触发DNS检测Java反序列化漏洞