Java反序列化漏洞深入分析：JRE8u20 Payload详解<\/h1>

1. 背景知识<\/h2>

1.1 Jdk7u21 Payload回顾<\/h3>

Jdk7u21 Payload是一个经典的Java反序列化漏洞利用链，其核心原理如下：<\/p>

TemplatesImpl类<\/strong>：可序列化，内部__bytecodes<\/code>成员可存储class字节码<\/li>

执行流程<\/strong>：通过TemplatesImpl.getOutputProperties()<\/code>方法触发<\/li> __bytecodes<\/code>存储的字节码会被转换为Class对象(通过ClassLoader.defineClass<\/code>)<\/li> 实例化该Class，执行构造方法中的代码<\/li> <\/ul> <\/li> 触发机制<\/strong>：利用LinkedHashSet<\/code>与AnnotationInvocationHandler<\/code>触发getOutputProperties<\/code><\/li> <\/ol> 1.2 Jdk7u21的修补<\/h3> 在7u21之后的版本中，AnnotationInvocationHandler.readObject<\/code>方法增加了检查：<\/p> private<\/span> void<\/span> readObject<\/span>(<\/span>ObjectInputStream var1)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span> <\/span><\/span> var1.<\/span>defaultReadObject<\/span>();<\/span> <\/span><\/span> AnnotationType var2 =<\/span> null<\/span>;<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> var2 =<\/span> AnnotationType.<\/span>getInstance<\/span>(<\/span>this<\/span>.<\/span>type<\/span>);<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>IllegalArgumentException var9)<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> InvalidObjectException(<\/span>"Non-annotation type in annotation serial stream"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> \/\/ 省略后续代码 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>关键点：<\/p> 检查this.type<\/code>是否为注解类型，非注解类型则抛出异常<\/li> 异常抛出前已经通过defaultReadObject()<\/code>还原了对象<\/li> 这使得this.type<\/code>必须为Templates.class<\/code>的7u21 Payload失效<\/li> <\/ul> 2. 绕过思路<\/h2> 2.1 核心发现<\/h3> AnnotationInvocationHandler.readObject<\/code>的执行顺序：<\/p> 先通过var1.defaultReadObject()<\/code>还原对象<\/li> 然后检查this.type<\/code>并可能抛出异常<\/li> <\/ol> 这意味着：<\/p> 对象已经被成功还原<\/li> 异常抛出后对象仍然存在<\/li> 可以通过引用机制在其他地方使用这个对象<\/li> <\/ul> 2.2 关键技术点<\/h3> 2.2.1 Java序列化引用机制<\/h4> Java序列化会为每个对象分配一个handle，重复对象会使用TC_REFERENCE引用已序列化的对象。<\/p> 示例：<\/p> ObjectOutputStream out =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>new<\/span> File(<\/span>"\/tmp\/ser"<\/span>)));<\/span> <\/span><\/span>Date d =<\/span> new<\/span> Date();<\/span> <\/span><\/span>out.<\/span>writeObject<\/span>(<\/span>d);<\/span> \/\/ 写入实际对象 <\/span><\/span><\/span><\/span>out.<\/span>writeObject<\/span>(<\/span>d);<\/span> \/\/ 写入引用 <\/span><\/span><\/span><\/span>out.<\/span>close<\/span>();<\/span> <\/span><\/span><\/code><\/pre>序列化结构：<\/p> TC_OBJECT - 第一个Date对象 (分配handle 0x00 7e 00 01) TC_REFERENCE - 引用handle 0x00 7e 00 01 <\/code><\/pre> 2.2.2 异常处理技巧<\/h4> 通过包装类捕获异常，使"非法"对象仍能被创建：<\/p> public<\/span> class<\/span> WrapperClass<\/span> implements<\/span> Serializable {<\/span> <\/span><\/span> private<\/span> void<\/span> readObject<\/span>(<\/span>ObjectInputStream input)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> input.<\/span>defaultReadObject<\/span>();<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> input.<\/span>readObject<\/span>();<\/span> \/\/ 读取可能抛出异常的对象 <\/span><\/span><\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> <\/span><\/span> \/\/ 捕获异常但继续执行 <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>序列化结构：<\/p> TC_OBJECT - WrapperClass TC_OBJECT - 非法对象 (分配handle) TC_REFERENCE - 引用非法对象 <\/code><\/pre> 2.2.3 插入假成员<\/h4> 可以在TC_CLASSDESC中添加类中不存在的成员：<\/p> 反序列化时会为假成员分配handle<\/li> 实际对象不会包含这些成员<\/li> 可用于创建需要的引用关系<\/li> <\/ul> 3. JRE8u20 Payload分析<\/h2> 3.1 核心组件<\/h3> BeanContextSupport类<\/strong>：<\/p> 类似WrapperClass，提供try\/catch保护<\/li> 用于安全地创建AnnotationInvocationHandler对象<\/li> <\/ul> <\/li> 假成员技术<\/strong>：<\/p> 在HashSet的TC_CLASSDESC中添加假属性<\/li> 属性值为BeanContextSupport对象<\/li> <\/ul> <\/li> <\/ol> 3.2 执行流程<\/h3> 反序列化开始时创建HashSet<\/li> 读取假成员时创建BeanContextSupport对象<\/li> BeanContextSupport内部读取AnnotationInvocationHandler 虽然会抛出异常但被捕获<\/li> AnnotationInvocationHandler对象已被创建并获得handle<\/li> <\/ul> <\/li> 后续payload通过TC_REFERENCE引用该对象<\/li> 继续Jdk7u21的触发流程<\/li> <\/ol> 3.3 代码实现关键点<\/h3> \/\/ 创建AnnotationInvocationHandler <\/span><\/span><\/span><\/span>TCObject handler =<\/span> new<\/span> TCObject(<\/span>ser)<\/span> {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> void<\/span> doWrite<\/span>(<\/span>DataOutputStream out,<\/span> HandleContainer handles)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> \/\/ 特殊处理，去掉TC_ENDBLOCKDATA <\/span><\/span><\/span><\/span> \/\/ 因为异常会导致序列化过程不能正常结束 <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>};<\/span> <\/span><\/span> <\/span><\/span>\/\/ 创建BeanContextSupport包装器 <\/span><\/span><\/span><\/span>TCObject makeBeanContextSupport<\/span>(<\/span>TCObject handler,<\/span> Serialization ser)<\/span> {<\/span> <\/span><\/span> \/\/ 设置serializable成员 <\/span><\/span><\/span><\/span> \/\/ 添加handler作为子对象 <\/span><\/span><\/span><\/span> \/\/ 设置循环引用 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>\/\/ 主payload构造 <\/span><\/span><\/span><\/span>TCObject linkedHashset =<\/span> new<\/span> TCObject(<\/span>ser);<\/span> <\/span><\/span>\/\/ 添加假成员 <\/span><\/span><\/span><\/span>hashsetDesc.<\/span>addField<\/span>(<\/span>new<\/span> TCClassDesc.<\/span>Field<\/span>(<\/span>"fake"<\/span>,<\/span> BeanContextSupport.<\/span>class<\/span>));<\/span> <\/span><\/span>hashsetData.<\/span>addData<\/span>(<\/span>makeBeanContextSupport(<\/span>handler,<\/span> ser));<\/span> <\/span><\/span>\/\/ 添加其他必要数据 <\/span><\/span><\/span><\/code><\/pre>4. 防御与检测<\/h2> 4.1 防御措施<\/h3> 升级JDK到最新版本<\/li> 使用安全管理器限制反序列化<\/li> 替换默认的ObjectInputStream实现<\/li> 使用白名单控制可反序列化的类<\/li> <\/ol> 4.2 检测方法<\/h3> 监控异常日志中的"Non-annotation type in annotation serial stream"<\/li> 检查序列化数据中的可疑结构：异常的TC_CLASSDESC<\/li> 不匹配的类描述与实际数据<\/li> 可疑的引用关系<\/li> <\/ul> <\/li> <\/ol> 5. 总结<\/h2> JRE8u20 Payload通过以下技术创新绕过限制：<\/p> 利用序列化过程中对象先创建后验证的特性<\/li> 通过包装类捕获异常保持反序列化流程<\/li> 精心构造的引用关系维持对象可用性<\/li> 假成员技术创建必要的对象引用<\/li> <\/ol> 理解这些技术对于防御复杂的反序列化攻击至关重要，也为安全研究人员提供了分析高级payload的方法论。<\/p>