ROME反序列化链分析与利用指南<\/h1>

1. 分析环境与工具<\/h2>

ROME版本<\/strong>: 1.7<\/li>
JDK版本<\/strong>: 8<\/li>

分析工具<\/strong>: Tabby 2.0<\/li> <\/ul>
2. ROME反序列化链概述<\/h2>
ROME库中存在多个反序列化利用链，主要包括以下几种情况：<\/p>

ToStringBean利用链<\/li>
EqualsBean利用链<\/li>
BadAttributeValueExpException利用链<\/li>
JdbcRowSetImpl利用链<\/li> <\/ol>
3. ToStringBean利用链分析<\/h2>
3.1 调用链路径<\/h3>
HashMap.readObject() -> EqualsBean.hashCode() -> EqualsBean.beanHashCode() -> ToStringBean.toString() <\/code><\/pre> 3.2 关键点分析<\/h3> Sink点<\/strong>: toString()<\/code>函数<\/li> Source点<\/strong>: HashMap<\/code>的readObject<\/code>方法<\/li> <\/ol> 3.3 Tabby查询优化<\/h3> 初始查询可能无法直接找到目标链，需要逐步优化：<\/p> 显式指定EqualsBean<\/code>类，避免关联到其他类的hashCode<\/code>方法<\/li> 处理java.lang.Object#toString<\/code>到ToStringBean#toString<\/code>的关联关系<\/li> 添加alias关系来完善调用链<\/li> <\/ol> 3.4 查询示例<\/h3> \/* 初始查询可能无法直接找到目标链 *\/<\/span> <\/span><\/span>\/* 需要显式指定EqualsBean类 *\/<\/span> <\/span><\/span>FROM<\/span> java.util.HashMap#<\/span>readObject() AS<\/span> source<\/span> <\/span><\/span>MATCH<\/span> source<\/span>-<\/span>[*<\/span>]-><\/span>(sink:Method<\/span> {<\/span>NAME:"toString"<\/span>}<\/span>) <\/span><\/span>WHERE<\/span> sink.CLASSNAME =<\/span> "com.rometools.rome.feed.impl.ToStringBean"<\/span> <\/span><\/span><\/code><\/pre>3.5 POC示例<\/h3> \/\/ ToStringBean POC示例代码 <\/span><\/span><\/span><\/span>EqualsBean equalsBean =<\/span> new<\/span> EqualsBean(<\/span>ToStringBean.<\/span>class<\/span>,<\/span> new<\/span> Object());<\/span> <\/span><\/span>HashMap map =<\/span> new<\/span> HashMap();<\/span> <\/span><\/span>map.<\/span>put<\/span>(<\/span>equalsBean,<\/span> "value"<\/span>);<\/span> <\/span><\/span>\/\/ 序列化map对象进行利用 <\/span><\/span><\/span><\/code><\/pre>4. EqualsBean利用链分析<\/h2> 4.1 调用链路径<\/h3> HashSet.readObject() -> EqualsBean.equals() -> EqualsBean.beanEquals() <\/code><\/pre> 4.2 关键点分析<\/h3> Sink点<\/strong>: EqualsBean.beanEquals<\/code>方法<\/li> Source点<\/strong>: HashSet.readObject<\/code>方法<\/li> <\/ol> 4.3 Tabby查询<\/h3> FROM<\/span> java.util.HashSet#<\/span>readObject() AS<\/span> source<\/span> <\/span><\/span>MATCH<\/span> source<\/span>-<\/span>[*<\/span>]-><\/span>(sink:Method<\/span> {<\/span>NAME:"beanEquals"<\/span>}<\/span>) <\/span><\/span>WHERE<\/span> sink.CLASSNAME =<\/span> "com.rometools.rome.feed.impl.EqualsBean"<\/span> <\/span><\/span><\/code><\/pre>5. BadAttributeValueExpException利用链<\/h2> 5.1 特点<\/h3> Source点变化<\/strong>: 使用BadAttributeValueExpException<\/code>作为起点<\/li> Sink点不变<\/strong>: 仍然是ToStringBean.toString()<\/code><\/li> <\/ul> 5.2 关键点<\/h3> 需要处理Object.toString<\/code>到ObjectBean.toString<\/code>的关联关系，查询时可以限定具体类来减少干扰。<\/p> 5.3 Tabby查询示例<\/h3> FROM<\/span> javax.management.BadAttributeValueExpException#<\/span>readObject() AS<\/span> source<\/span> <\/span><\/span>MATCH<\/span> source<\/span>-<\/span>[*<\/span>]-><\/span>(sink:Method<\/span> {<\/span>NAME:"toString"<\/span>}<\/span>) <\/span><\/span>WHERE<\/span> sink.CLASSNAME =<\/span> "com.rometools.rome.feed.impl.ToStringBean"<\/span> <\/span><\/span><\/code><\/pre>6. JdbcRowSetImpl利用链分析<\/h2> 6.1 调用链路径<\/h3> JdbcRowSetImpl.getDatabaseMetaData() -> JdbcRowSetImpl.connect() -> InitialContext.lookup() <\/code><\/pre> 6.2 关键点分析<\/h3> 利用JdbcRowSetImpl<\/code>中的getter方法<\/li> 不同于之前的TemplatesImpl利用链，这里通过JNDI注入实现利用<\/li> <\/ol> 6.3 替代路径<\/h3> com.sun.rowset.JdbcRowSetImpl#getParameterMetaData<\/code>也可以调用到lookup<\/code>方法，形成新的利用链。<\/p> 6.4 Tabby查询示例<\/h3> \/* 主利用链查询 *\/<\/span> <\/span><\/span>FROM<\/span> com.sun.rowset.JdbcRowSetImpl#<\/span>getDatabaseMetaData() AS<\/span> source<\/span> <\/span><\/span>MATCH<\/span> source<\/span>-<\/span>[*<\/span>]-><\/span>(sink:Method<\/span> {<\/span>NAME:"lookup"<\/span>}<\/span>) <\/span><\/span>WHERE<\/span> sink.CLASSNAME =<\/span> "javax.naming.InitialContext"<\/span> <\/span><\/span> <\/span><\/span>\/* 替代利用链查询 *\/<\/span> <\/span><\/span>FROM<\/span> com.sun.rowset.JdbcRowSetImpl#<\/span>getParameterMetaData() AS<\/span> source<\/span> <\/span><\/span>MATCH<\/span> source<\/span>-<\/span>[*<\/span>]-><\/span>(sink:Method<\/span> {<\/span>NAME:"lookup"<\/span>}<\/span>) <\/span><\/span>WHERE<\/span> sink.CLASSNAME =<\/span> "javax.naming.InitialContext"<\/span> <\/span><\/span><\/code><\/pre>7. 总结与防御建议<\/h2> 7.1 利用链总结<\/h3> ToStringBean链<\/strong>: 通过HashMap<\/code>触发toString<\/code>调用<\/li> EqualsBean链<\/strong>: 通过HashSet<\/code>触发equals<\/code>调用<\/li> BadAttributeValueExpException链<\/strong>: 通过异常对象触发toString<\/code><\/li> JdbcRowSetImpl链<\/strong>: 通过JNDI注入实现远程代码执行<\/li> <\/ol> 7.2 防御建议<\/h3> 升级ROME库到最新安全版本<\/li> 限制反序列化操作，使用白名单机制<\/li> 禁用危险的JNDI查找功能<\/li> 使用安全工具检测和阻断恶意序列化数据<\/li> <\/ol> 7.3 分析技巧<\/h3> 在Tabby分析时，需要逐步细化查询条件<\/li> 注意处理父类方法到子类实现的多态关系<\/li> 可以通过添加alias关系来完善调用链<\/li> 同一类中可能存在多个可利用的入口点<\/li> <\/ol> 通过深入理解这些利用链的原理和Tabby的分析方法，可以更好地发现和防御反序列化漏洞。<\/p>

ROME反序列化链分析与利用指南<\/h1>

3. ToStringBean利用链分析<\/h2>

4. EqualsBean利用链分析<\/h2>

5. BadAttributeValueExpException利用链<\/h2>

5.2 关键点<\/h3>
需要处理`Object.toString<\/code>到ObjectBean.toString<\/code>的关联关系，查询时可以限定具体类来减少干扰。<\/p>`

6. JdbcRowSetImpl利用链分析<\/h2>

6.3 替代路径<\/h3>
`com.sun.rowset.JdbcRowSetImpl#getParameterMetaData<\/code>也可以调用到lookup<\/code>方法，形成新的利用链。<\/p>`

7. 总结与防御建议<\/h2>