JDK17反射机制绕过深入剖析<\/h1>

问题背景<\/h2>
在JDK17中，Java的反射机制受到了更严格的模块化限制，导致传统的反射调用方式（如`defineClass<\/code>方法加载恶意字节码）会遇到访问限制问题。本文深入分析JDK17反射机制的限制及绕过方法。<\/p>`

反射调用限制分析<\/h2>
当通过反射调用defineClass<\/code>方法时，会在setAccessible<\/code>方法处报错。深入跟踪发现关键在于checkCanSetAccessible<\/code>方法的限制逻辑：<\/p>

调用者模块与声明模块相同<\/strong>：如果调用者的模块(callerModule<\/code>)和声明该方法的模块(declaringModule<\/code>)是同一个模块，返回true<\/code><\/li>
调用者模块是java.base<\/strong>：如果调用者所在的模块是java.base<\/code>，返回true<\/code><\/li>
未命名模块<\/strong>：如果declaringModule<\/code>是一个未命名模块(Unnamed Module)，返回true<\/code><\/li>
公共类与公共成员<\/strong>：如果声明的类是public<\/code>，并且该类所在的包被导出给调用者模块(declaringModule.isExported(pn, callerModule)<\/code>)，且成员是public<\/code>，则可以访问<\/li>
protected静态成员<\/strong>：如果成员是protected<\/code>且static<\/code>，并且调用者类是声明类的子类(isSubclassOf(caller, declaringClass)<\/code>)，则可以访问<\/li>
开放包<\/strong>：如果声明类的包通过open<\/code>关键字开放给调用者模块(declaringModule.isOpen(pn, callerModule)<\/code>)，则可以访问<\/li>
<\/ol>
Unsafe绕过技术<\/h2>
基本原理<\/h3>
在JDK9+的模块化机制中，sun.misc<\/code>和sun.reflect<\/code>包下的类可以正常反射使用。关键利用点在于：<\/p>
通过Unsafe类修改调用类的module<\/code>属性为java.base<\/code>，使checkCanSetAccessible<\/code>方法返回true<\/code>，从而允许反射调用。<\/p>
实现步骤<\/h3>

获取Unsafe对象<\/strong>：<\/li>
<\/ol>
Field theUnsafe =<\/span> Unsafe.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"theUnsafe"<\/span>);<\/span>
<\/span><\/span>theUnsafe.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Unsafe unsafe =<\/span> (<\/span>Unsafe)<\/span> theUnsafe.<\/span>get<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>
获取java.base模块引用<\/strong>：<\/li>
<\/ol>
Module baseModule =<\/span> Object.<\/span>class<\/span>.<\/span>getModule<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>
修改当前类的module属性<\/strong>：<\/li>
<\/ol>
Class<?><\/span> currentClass =<\/span> getClass();<\/span>
<\/span><\/span>unsafe.<\/span>putObject<\/span>(<\/span>currentClass,<\/span> unsafe.<\/span>objectFieldOffset<\/span>(<\/span>Class.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"module"<\/span>)),<\/span> baseModule);<\/span>
<\/span><\/span><\/code><\/pre>技术原理<\/h3>

declaringModule<\/code>通过declaringClass.getModule()<\/code>获取，为module java.base<\/code><\/li>
将当前类的module<\/code>属性设置为Object.class.getModule()<\/code>的值（也是java.base<\/code>）<\/li>
Unsafe的putObject<\/code>方法直接操作JVM内存，绕过私有属性限制<\/li>
设为同一module后，setAccessible(true)<\/code>不会报错<\/li>
<\/ul>
TemplatesImpl类的模块化限制<\/h2>
问题分析<\/h3>
JDK17的模块化机制导致无法直接使用TemplatesImpl<\/code>类。尝试使用CB链时会直接报错，因为：<\/p>

类访问限制<\/strong>：与之前情况不同，这里的问题是类本身就不能访问<\/li>
反射获取实例<\/strong>：可以使用Unsafe反射获取TemplatesImpl<\/code>实例并赋值<\/li>
反序列化问题<\/strong>：在调用compare<\/code>方法时仍会报错，因为模块化机制限制了getter<\/code>方法的调用<\/li>
<\/ol>
代理类绕过尝试<\/h3>
通过JdkDynamicAopProxy<\/code>代理类间接调用：<\/p>

代理类调用getOutputProperties<\/code>方法（public<\/code>方法）<\/li>
代理类可以自由调用<\/li>
最终会调用到TemplatesImpl<\/code>的getOutputProperties<\/code>方法<\/li>
<\/ol>
问题出现<\/strong>：<\/p>

到达defineTransletClasses<\/code>方法后<\/li>
调用defineClass<\/code>加载恶意类时失败<\/li>
原因：恶意类继承AbstractTranslet<\/code>，而AbstractTranslet<\/code>受模块化限制<\/li>
<\/ul>
继承限制<\/h3>

不继承AbstractTranslet<\/code>：无法通过判断，不会实例化恶意类<\/li>
继承AbstractTranslet<\/code>：受模块化限制导致加载失败<\/li>
<\/ul>
JdbcRowSetImpl类分析<\/h2>
JdbcRowSetImpl<\/code>类的getDatabaseMetaData<\/code>方法可用于JNDI注入：<\/p>

是一个getter<\/code>方法<\/li>
问题：仅在JdbcRowSetImpl<\/code>类中存在，无法用代理类绕过<\/li>
<\/ol>
适用场景总结<\/h2>
对于以下情况可以使用代理类绕过：<\/p>

方法受模块化影响<\/li>
接口类有对应方法<\/li>
sink点不涉及模块化限制<\/li>
<\/ol>
完整绕过示例代码<\/h2>
\/\/ 获取Unsafe实例
<\/span><\/span><\/span><\/span>Field theUnsafe =<\/span> Unsafe.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"theUnsafe"<\/span>);<\/span>
<\/span><\/span>theUnsafe.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Unsafe unsafe =<\/span> (<\/span>Unsafe)<\/span> theUnsafe.<\/span>get<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 获取java.base模块
<\/span><\/span><\/span><\/span>Module baseModule =<\/span> Object.<\/span>class<\/span>.<\/span>getModule<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 修改当前类的module属性
<\/span><\/span><\/span><\/span>Class<?><\/span> currentClass =<\/span> getClass();<\/span>
<\/span><\/span>unsafe.<\/span>putObject<\/span>(<\/span>currentClass,<\/span> unsafe.<\/span>objectFieldOffset<\/span>(<\/span>Class.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"module"<\/span>)),<\/span> baseModule);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 现在可以进行反射调用
<\/span><\/span><\/span><\/span>Class<?><\/span> clazz =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.misc.Trampoline"<\/span>);<\/span>
<\/span><\/span>Method method =<\/span> clazz.<\/span>getDeclaredMethod<\/span>(<\/span>"invoke"<\/span>,<\/span> Method.<\/span>class<\/span>,<\/span> Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>);<\/span>
<\/span><\/span>method.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>结论<\/h2>
JDK17的模块化机制增加了反射使用的限制，但通过Unsafe类直接操作内存修改模块属性，可以在特定条件下绕过这些限制。然而，对于某些类（如TemplatesImpl<\/code>）的核心功能仍受到严格限制，需要寻找其他利用链或方法。<\/p>

JDK17反射机制绕过深入剖析<\/h1>

问题背景<\/h2> 在JDK17中，Java的反射机制受到了更严格的模块化限制，导致传统的反射调用方式（如defineClass<\/code>方法加载恶意字节码）会遇到访问限制问题。本文深入分析JDK17反射机制的限制及绕过方法。<\/p>

Unsafe绕过技术<\/h2>

TemplatesImpl类的模块化限制<\/h2>

问题背景<\/h2>
在JDK17中，Java的反射机制受到了更严格的模块化限制，导致传统的反射调用方式（如`defineClass<\/code>方法加载恶意字节码）会遇到访问限制问题。本文深入分析JDK17反射机制的限制及绕过方法。<\/p>`