JDK7u21 反序列化漏洞 Gadget 原理分析<\/h1>

0x00 漏洞概述<\/h2>
JDK7u21 反序列化漏洞是一个经典的 Java 反序列化安全问题，利用 Java 序列化机制中的特定类组合（Gadget Chain）实现远程代码执行。该漏洞的核心在于利用 Java 动态代理机制和哈希碰撞技巧，通过精心构造的序列化数据触发恶意代码执行。<\/p>

0x01 前置知识<\/h2>

1. Java 动态代理机制<\/h3>

动态代理类实现了 InvocationHandler 接口<\/li>
代理对象方法调用会被转发到 InvocationHandler 的 invoke 方法<\/li>

本例中使用的是 AnnotationInvocationHandler 作为 InvocationHandler<\/li> <\/ul>

2. TemplatesImpl 类<\/h3>

位于 javax.xml.transform 包中<\/li>
可以加载字节码并执行<\/li>

通过 getOutputProperties() 方法可以触发字节码执行<\/li> <\/ul>

3. Java 序列化机制<\/h3>

反序列化时会调用对象的 readObject 方法<\/li>

HashSet\/LinkedHashSet 反序列化时会重新计算哈希值并比较元素<\/li> <\/ul>

0x02 Gadget 组成<\/h2>

整个利用链由以下几个关键部分组成：<\/p>

LinkedHashSet<\/strong>：作为反序列化的入口点<\/li>
TemplatesImpl 对象<\/strong>：包含恶意字节码<\/li>

代理对象<\/strong>：

实现 Templates 接口<\/li>
使用 AnnotationInvocationHandler 作为 InvocationHandler<\/li>
memberValues 设置为特殊构造的 Map<\/li> <\/ul> <\/li> <\/ol>
0x03 利用链详细分析<\/h2>
1. 构造恶意序列化数据<\/h3>
LinkedHashSet set =<\/span> new<\/span> LinkedHashSet();<\/span> <\/span><\/span>\/\/ 1. 添加包含恶意代码的 TemplatesImpl 对象 <\/span><\/span><\/span><\/span>set.<\/span>add<\/span>(<\/span>templatesImpl);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 2. 创建代理对象 <\/span><\/span><\/span><\/span>Map map =<\/span> new<\/span> HashMap();<\/span> <\/span><\/span>map.<\/span>put<\/span>(<\/span>"f5a5a608"<\/span>,<\/span> templatesImpl);<\/span> <\/span><\/span>InvocationHandler handler =<\/span> new<\/span> AnnotationInvocationHandler(<\/span>Templates.<\/span>class<\/span>,<\/span> map);<\/span> <\/span><\/span>Templates proxy =<\/span> (<\/span>Templates)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span> <\/span><\/span> Templates.<\/span>class<\/span>.<\/span>getClassLoader<\/span>(),<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>Templates.<\/span>class<\/span>},<\/span> <\/span><\/span> handler <\/span><\/span>);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 3. 添加代理对象到集合 <\/span><\/span><\/span><\/span>set.<\/span>add<\/span>(<\/span>proxy);<\/span> <\/span><\/span><\/code><\/pre>2. 反序列化触发流程<\/h3> LinkedHashSet.readObject()<\/strong>：<\/p> 反序列化时调用 HashSet 的 readObject 方法<\/li> 创建 HashMap 来存储 Set 中的元素<\/li> 调用 HashMap.put() 方法添加元素<\/li> <\/ul> <\/li> HashMap.put()<\/strong> 关键逻辑：<\/p> for<\/span> (<\/span>Entry<<\/span>K,<\/span>V><\/span> e =<\/span> table[<\/span>i];<\/span> e !=<\/span> null<\/span>;<\/span> e =<\/span> e.<\/span>next<\/span>)<\/span> {<\/span> <\/span><\/span> Object k;<\/span> <\/span><\/span> if<\/span> (<\/span>e.<\/span>hash<\/span> ==<\/span> hash &&<\/span> ((<\/span>k =<\/span> e.<\/span>key<\/span>)<\/span> ==<\/span> key ||<\/span> key.<\/span>equals<\/span>(<\/span>k)))<\/span> {<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre> 需要满足两个条件： e.hash == hash<\/code>：哈希值相等<\/li> key.equals(k)<\/code>：对象相等或 equals 方法返回 true<\/li> <\/ol> <\/li> <\/ul> <\/li> 哈希碰撞技巧<\/strong>：<\/p> 代理对象的 hashCode() 会调用 AnnotationInvocationHandler.invoke()<\/li> invoke() 调用 hashCodeImpl() 方法： private<\/span> int<\/span> hashCodeImpl<\/span>()<\/span> {<\/span> <\/span><\/span> int<\/span> result =<\/span> 0<\/span>;<\/span> <\/span><\/span> for<\/span> (<\/span>Map.<\/span>Entry<\/span><<\/span>String,<\/span> Object><\/span> e :<\/span> memberValues.<\/span>entrySet<\/span>())<\/span> {<\/span> <\/span><\/span> result +=<\/span> (<\/span>127<\/span> *<\/span> e.<\/span>getKey<\/span>().<\/span>hashCode<\/span>())<\/span> ^<\/span> memberValueHashCode(<\/span>e.<\/span>getValue<\/span>());<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> result;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> "f5a5a608".hashCode() 为 0，因此： result =<\/span> (<\/span>127<\/span> *<\/span> 0<\/span>)<\/span> ^<\/span> templatesImpl.<\/span>hashCode<\/span>()<\/span> =<\/span> templatesImpl.<\/span>hashCode<\/span>()<\/span> <\/span><\/span><\/code><\/pre><\/li> 这样就实现了 proxy.hashCode() == templatesImpl.hashCode()<\/code><\/li> <\/ul> <\/li> equals 方法触发恶意代码<\/strong>：<\/p> 当 e.hash == hash<\/code> 条件满足后，会调用 key.equals(k)<\/code><\/li> 代理对象的 equals 方法会调用 AnnotationInvocationHandler.invoke()<\/li> invoke() 调用 equalsImpl() 方法： private<\/span> Boolean equalsImpl<\/span>(<\/span>Object proxy,<\/span> Object other)<\/span> {<\/span> <\/span><\/span> for<\/span> (<\/span>Method method :<\/span> getMemberMethods())<\/span> {<\/span> <\/span><\/span> Object thisVal =<\/span> method.<\/span>invoke<\/span>(<\/span>proxy);<\/span> <\/span><\/span> Object otherVal =<\/span> method.<\/span>invoke<\/span>(<\/span>other);<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> 这会触发 TemplatesImpl 的 getOutputProperties() 方法，执行恶意字节码<\/li> <\/ul> <\/li> <\/ol> 0x04 关键点总结<\/h2> AnnotationInvocationHandler 的核心作用<\/strong>：<\/p> 作为动态代理的 InvocationHandler<\/li> 通过 invoke 方法控制代理对象的行为<\/li> 提供了 equalsImpl 和 hashCodeImpl 的关键实现<\/li> <\/ul> <\/li> 哈希碰撞技巧<\/strong>：<\/p> 精心选择 "f5a5a608" 作为 key，其 hashCode() 为 0<\/li> 使得 proxy.hashCode() == templatesImpl.hashCode()<\/li> 绕过 HashMap.put() 的第一个条件检查<\/li> <\/ul> <\/li> 执行链触发点<\/strong>：<\/p> LinkedHashSet\/HashSet 反序列化 → HashMap.put() → equals 比较 → 代理对象方法调用 → AnnotationInvocationHandler.invoke() → equalsImpl() → TemplatesImpl.getOutputProperties() → 恶意代码执行<\/li> <\/ul> <\/li> <\/ol> 0x05 防御措施<\/h2> 升级 JDK 到最新版本<\/li> 使用安全管理器限制反序列化操作<\/li> 使用白名单机制控制可反序列化的类<\/li> 替换默认的序列化机制（如使用 JSON 等替代）<\/li> <\/ol> 0x06 参考实现<\/h2> 完整 PoC 通常包含以下组件：<\/p> 生成恶意字节码的工具（如 ASM、javassist）<\/li> 构造 TemplatesImpl 对象的代码<\/li> 创建代理对象和 AnnotationInvocationHandler 的代码<\/li> 序列化 LinkedHashSet 的代码<\/li> <\/ol> 注意：本文仅用于技术研究，请勿用于非法用途。<\/p>